WO2023016414A1 - Credential rotation method, computing device, and storage medium - Google Patents


Info

Publication number
WO2023016414A1
Authority
WO
WIPO (PCT)
Prior art keywords
credential
rotated
target
replacement
credentials
Prior art date
Application number
PCT/CN2022/110879
Other languages
French (fr)
Chinese (zh)
Inventor
李海滨
陈俊朴
王强
范煜
Original Assignee
阿里云计算有限公司
Priority date
Filing date
Publication date
Application filed by 阿里云计算有限公司
Publication of WO2023016414A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • the present application relates to the field of computer technology, and in particular to a credential rotation method, computing equipment and storage media.
  • Various aspects of the present application provide a credential rotation method, a computing device, and a storage medium, so as to reduce the risk of credential leakage and improve its security performance.
  • An embodiment of the present application provides a credential rotation method, including: acquiring a target credential to be rotated, creating a replacement credential corresponding to the target credential to be rotated, and storing the target credential to be rotated in an acquisition area; replacing the target credential to be rotated in the acquisition area with the replacement credential so that the replacement credential can be acquired; and deleting the target credential to be rotated, and using the replacement credential in the acquisition area as the target credential to be rotated next time.
  • the embodiment of the present application also provides a computing device, including: a memory and a processor; the memory is used to store a computer program; the processor is used to execute the computer program to: acquire the target credential to be rotated, create a replacement credential corresponding to the target credential to be rotated, and store the target credential to be rotated in an acquisition area; replace the target credential to be rotated in the acquisition area with the replacement credential so that it can be acquired; and delete the target credential to be rotated, and use the replacement credential in the acquisition area as the target credential to be rotated next time.
  • the embodiment of the present application also provides a computer-readable storage medium storing a computer program.
  • the computer program is executed by one or more processors, the one or more processors are caused to implement the steps in the above method.
  • the target credentials to be rotated are obtained, the replacement credentials corresponding to the target credentials to be rotated are created, and the target credentials to be rotated are stored in the acquisition area; the target credentials to be rotated in the acquisition area are replaced with the replacement credentials so that they can be acquired; the target credentials to be rotated are deleted, and the replacement credentials in the acquisition area are used as the target credentials to be rotated next time.
  • by creating a replacement credential corresponding to the target credential to be rotated, storing the target credential to be rotated in the acquisition area, and then replacing the target credential to be rotated in the acquisition area with the replacement credential so that it can be acquired, the rotation of the target credential is realized: the target credential is updated, which improves its security, reduces the risk of being attacked, and reduces the possibility of leakage.
  • at the same time, because the acquisition area always holds a credential, scenarios that require the target credential remain supported, so the corresponding service can be accessed continuously.
  • FIG. 1 is a schematic flowchart of a credential rotation method according to an exemplary embodiment of the present application
  • Fig. 2 is a schematic diagram of credential escrow according to an exemplary embodiment of the present application
  • FIG. 3 is a schematic diagram of a rotation cycle in an exemplary embodiment of the present application.
  • Fig. 4 is a schematic diagram of credential reading and writing in an exemplary embodiment of the present application.
  • Fig. 5 is a schematic structural diagram of a credential rotation system according to an exemplary embodiment of the present application.
  • Fig. 6 is a schematic structural diagram of a credential rotation device provided by an exemplary embodiment of the present application.
  • Fig. 7 is a schematic structural diagram of a computing device provided by an exemplary embodiment of the present application.
  • the attack caused by leakage of RAM (Resource Access Management) credentials is one of the main problems facing cloud security. This is because the RAM credential remains unchanged: once a RAM credential is generated, it never changes again, which greatly increases the risk of being attacked.
  • the embodiment of the present application provides a credential rotation method, a computing device, and a storage medium, which can reduce the risk of credential leakage and improve its security performance.
  • Fig. 1 is a schematic flowchart of a credential rotation method according to an exemplary embodiment of the present application.
  • the method 100 provided by the embodiment of the present application is executed by a computing device, such as a cloud server.
  • the method 100 includes the following steps:
  • the target credential to be rotated is acquired, a replacement credential corresponding to it is created, and the target credential to be rotated is stored in the acquisition area.
  • 103 Delete the target credential to be rotated, and use the replacement data in the acquisition area as the target credential to be rotated next time.
  • the execution subject of this embodiment of the application may more specifically be a service on the cloud server, such as a program or service for rotating credentials. This program or service can also implement functions such as credential hosting, that is, it can also be a management program or service that provides full-lifecycle management of credentials (creation, retrieval, update, and deletion) so as to realize unified management of credentials; this is not limited here.
  • the program or service can run on one or more containers on the cloud server.
  • the target credentials to be rotated are stored in the acquisition area.
  • the target credential to be rotated may refer to a credential waiting to be updated, such as a RAM credential.
  • the obtaining area may refer to the location or area used by the user or other equipment to obtain the credential, for example, in the current version of the program or service corresponding to the credential, it may be the location or area used to store the current credential in the current version.
  • the replacement credential can be a newly created credential.
  • user 206 can log in to a control interface of the cloud server through a computer, and this interface can be used for hosting RAM credentials.
  • the program 207 for rotating credentials sends an authorization request or information, that is, executes step 201: authorize management of RAM credentials.
  • the user 206 can log in to another control interface of the cloud server through a computer, and create RAM data to be managed on this interface.
  • the created content may include: the credential type, such as a RAM credential; the selected RAM user (each user has at least one RAM credential); and the specific data of the RAM credentials under this user.
  • description information of the RAM credential may also be input, such as describing what service the RAM credential is used to access.
  • step 202 is executed: creating a credential with managed RAM.
  • Each RAM credential has a corresponding identification, such as a name.
  • the user 206 can also set the rotation cycle, or use the default cycle.
  • after the program 207 for rotating credentials on the cloud server receives the authorization request and the RAM credentials to be managed, it can rotate the RAM credentials to be managed through the resource access control service 208 according to the authorization, that is, perform step 203: rotate RAM data.
  • the program 207 for rotating credentials determines which currently hosted credentials have reached the rotation period according to the specific length of the rotation cycle, such as 7 days, and the start time of hosting; it then obtains these managed RAM credentials as the target credentials to be rotated, and creates new RAM credentials corresponding to these RAM credentials by calling the Open API interface of the resource access control service 208.
  • the RAM credential refers to the access key (AccessKey, hereinafter referred to as AK) of the RAM user, consisting of the AccessKey ID (account) and the AccessKey Secret (password), which the RAM user uses to complete identity verification when calling cloud service APIs.
  • obtaining the target credential to be rotated includes: querying the credential to be rotated, and obtaining a corresponding type of target credential to be rotated according to the credential type.
  • the program 207 for rotating credentials on the cloud server determines which currently hosted credentials have reached the rotation cycle, obtains these hosted credentials, determines according to their credential type that they are RAM credentials to be rotated, and hands them to the hosted-credential execution unit for RAM credential rotation; the hosted-credential execution unit finds the corresponding executor and hands the RAM credential to that executor for managed RAM credential rotation.
  • the executor can create new RAM credentials corresponding to these RAM credentials by calling the Open API interface corresponding to the resource access control service 208.
  • Time can be used to determine when to perform the corresponding operation action.
  • the operation actions include creating a replacement credential, replacing the target credential to be rotated with the replacement credential, and deleting the target credential to be rotated.
  • the rotation periods of different credentials may be the same, such as 7 days, or may differ. As shown in FIG. 3, the rotation period 303 of the RAM credential "AK1" 301 is 7 days.
  • the rotation period may include multiple time windows, and each time window may trigger a corresponding operation action. When the time corresponding to this time window arrives, the corresponding operation action is executed.
  • when the time window used to trigger the creation of a new credential arrives, the RAM credential "AK1" 301 starts to rotate.
  • the newly created RAM credential can be "AK2" 302, which also has a corresponding rotation period, which can be 7 days.
  • the acquisition area may refer to the location or area used by the user or other equipment to obtain the credential, such as the current (Current) version used in the credential rotation program or service corresponding credential.
  • since the user or other device obtains the RAM credential from the current version, it can always obtain an available RAM credential from the current version to access the cloud service. This avoids the situation in which, after a manual modification, an available RAM credential cannot be obtained in time and access to or invocation of cloud services is hindered.
  • the replacement credential may also be stored in the corresponding version, and in order to distinguish the two credentials, the replacement credential may be stored in the previous version.
  • the method 100 further includes: storing the created replacement credential in the previous (Previous) version of the credential corresponding to the credential rotation program, storing the target credential to be rotated in the current (Current) version of the credential corresponding to the credential rotation program, and using the current version of the credential in the credential rotation program as the acquisition area.
  • the credential rotation program on the cloud server stores the created "AK2" in the previous (Previous) version, and stores "AK1" in the current (Current) version.
  • replacing the target credential to be rotated in the acquisition area with the replacement credential includes: replacing the credential to be rotated stored in the current version of the corresponding credential in the credential rotation program with the replacement credential, and storing the credential to be rotated in the previous version of the credential corresponding to the credential rotation program.
  • the program for rotating credentials on the cloud server replaces "AK1" in the current version with "AK2" from the previous version, so that after the replacement "AK2" is in the current version and "AK1" is in the previous version.
  • 103 Delete the target credential to be rotated, and use the replacement data in the acquisition area as the target credential to be rotated next time.
  • the program for rotating credentials on the cloud server is replacing "AK1" with "AK2".
  • deleting the target credential to be rotated includes: deleting the target credential to be rotated stored in the previous version of the credential corresponding to the credential rotation program.
  • the program for credential rotation on the cloud server deletes the RAM credential "AK1" stored in the previous version of the corresponding credential by calling the Open API interface of the resource access control service.
  • the "AK2" in the current version is used as the target credential to be rotated next time.
  • the subsequent rotation is carried out in the same manner as described above and is not repeated here.
  • the embodiment of this application processes the user's RAM credentials through the Open API interface on the basis of the user's authorization and creation of the hosted credentials, which avoids the security problems caused by improper operation of RAM credentials when the user uses the Open API interface directly.
  • the application program 209 may access the program for rotating credentials 207 periodically or in real time, that is, execute step 204: access the program for rotating credentials. It can access it in the form of an SDK (Software Development Kit) or a client, and obtains the corresponding target credential, such as a RAM credential, together with the name of the credential from the acquisition area. Then, when the application program 209 accesses the cloud service 210, it replaces the RAM credential according to the name, replacing the pre-rotation RAM credential with the current, rotated RAM credential, and then accesses the cloud service 210, that is, executes step 205: use the rotated RAM credentials to access cloud services.
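The Current/Previous rotation cycle described above (create the replacement in Previous, swap it into Current, delete the retired key from Previous), written out as an added example that is not code from the patent or from the assignee. The RAM service is an in-memory stand-in (`FakeRamService`), the window offsets after the cycle start are constructed values, and the names `HostedCredential`, `RotationProgram.tick` and `determine_action` are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AccessKey:
    key_id: str   # AccessKey ID (account)
    secret: str   # AccessKey Secret (password)


class FakeRamService:
    """Constructed stand-in for the resource access control service's Open API."""

    def __init__(self) -> None:
        self.keys: Dict[str, AccessKey] = {}
        self._counter = 0

    def create_access_key(self, user: str) -> AccessKey:
        self._counter += 1
        ak = AccessKey(f"AK{self._counter}", f"secret-{user}-{self._counter}")
        self.keys[ak.key_id] = ak
        return ak

    def delete_access_key(self, key_id: str) -> None:
        del self.keys[key_id]

    def is_valid(self, ak: AccessKey) -> bool:
        return self.keys.get(ak.key_id) == ak


@dataclass
class HostedCredential:
    name: str
    user: str
    next_rotation: int                     # day on which the next rotation cycle starts
    current: AccessKey                     # Current version = the acquisition area clients read
    previous: Optional[AccessKey] = None   # Previous version: the replacement, then the retiring key
    stage: str = "idle"                    # idle -> created -> replaced -> idle
    stage_since: int = 0                   # day the current stage was entered


class RotationProgram:
    """Program 207: drives each hosted credential through create -> replace -> delete."""

    def __init__(self, ram: FakeRamService, period: int = 7,
                 replace_after: int = 1, delete_after: int = 1) -> None:
        self.ram = ram
        self.period = period                # rotation cycle, 7 days as in the description
        self.replace_after = replace_after  # window offsets (days) are constructed values
        self.delete_after = delete_after
        self.hosted: Dict[str, HostedCredential] = {}

    def host(self, name: str, user: str, now: int) -> HostedCredential:
        """Step 202: host a RAM credential; its first key is placed in Current."""
        cred = HostedCredential(name, user, now + self.period,
                                self.ram.create_access_key(user))
        self.hosted[name] = cred
        return cred

    def get_current(self, name: str) -> AccessKey:
        """Step 204: an SDK or client reads the credential by name from the acquisition area."""
        return self.hosted[name].current

    def determine_action(self, cred: HostedCredential, now: int) -> Optional[str]:
        """Pick the operation action whose time window has arrived, if any."""
        if cred.stage == "idle" and now >= cred.next_rotation:
            return "create"
        if cred.stage == "created" and now >= cred.stage_since + self.replace_after:
            return "replace"
        if cred.stage == "replaced" and now >= cred.stage_since + self.delete_after:
            return "delete"
        return None

    def tick(self, now: int) -> Dict[str, str]:
        """Step 203: one scheduler pass; returns the action taken per credential name."""
        taken: Dict[str, str] = {}
        for cred in self.hosted.values():
            action = self.determine_action(cred, now)
            if action == "create":
                # The new key lands in Previous; Current is untouched, so readers keep working.
                cred.previous = self.ram.create_access_key(cred.user)
            elif action == "replace":
                # Swap: the replacement becomes Current, the old key moves to Previous.
                cred.current, cred.previous = cred.previous, cred.current
            elif action == "delete":
                # Retire the old key through the RAM API; Current waits for the next cycle.
                self.ram.delete_access_key(cred.previous.key_id)
                cred.previous = None
                cred.next_rotation += self.period
            if action:
                cred.stage = {"create": "created", "replace": "replaced",
                              "delete": "idle"}[action]
                cred.stage_since = now
                taken[cred.name] = action
        return taken
```

At every tick the key returned by `get_current` is a valid key in the RAM service, which is the property that keeps the SDK or client working throughout the rotation.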
  • the credential rotation program 207 can also be used to encrypt and manage the escrow credentials, further ensuring the security of the credentials.
  • this embodiment of the application can ensure that the SDK or the client has at least one RAM credential available during the credential rotation process, avoiding that the SDK or the client cannot obtain the RAM credential in time during the credential rotation process, resulting in the inability to call cloud product services, and at the same time reducing the user cost.
  • the embodiment of this application needs to redeploy the cloud services corresponding to the credentials, reset all corresponding access credentials of these cloud services, and disable the old access credentials so that they can no longer access services, so as to respond quickly to emergencies and allow cloud services to be accessed through the reset access credentials. However, if the access credentials are reset manually, an application may be missed through human error, so that the access credentials under that application are not reset; these un-reset access credentials will be disabled, and when the service is accessed again it cannot be accessed because the un-reset access credentials are still being used, resulting in a system failure on the user side.
  • the embodiment of the present application also satisfies the means of centralized management of credentials required by various cloud resources, and realizes large-scale management.
  • the database (db) information stored in the program or service for rotating credentials is only loaded once when the program or service starts, so the access frequency is normally low; however, in special periods such as concurrent access, expansion and upgrade, the volume of requests surges.
  • credential rotation also triggers the same batch of credentials to rotate in the same time period, producing an instantaneous update peak.
  • the method 100 further includes: receiving a write request for the target credential to be rotated, and creating a shared lock for the target credential to be rotated in the cache according to the write request; clearing the target credential to be rotated in the cache, and writing data to the target credential to be rotated in the corresponding database so that the target credential to be rotated is updated; and, after the data is written in the corresponding database, releasing the shared lock in the cache so that the updated target credential to be rotated can be loaded.
  • the user can call the API interface to send a write request through the computer.
  • the write request is a request to write the target credential to be rotated.
  • other devices may also send write requests through the API interface.
  • the global cache 401 (Global Cache)
  • when the rotation credential program or service receives the write request, it determines the corresponding RAM credential from the request and creates a corresponding shared lock for the RAM credential in the cache, that is, executes step 406: after receiving a write request, create a shared lock.
  • step 407: clear the value corresponding to the RAM credential to be rotated in the global cache.
  • step 408: write the corresponding value data to the database.
  • step 409: release the shared lock.
  • the method 100 further includes: receiving a read request for the target credential, and determining according to the read request whether there is a shared lock for the target credential in the cache; if there is a shared lock, obtaining the corresponding target credential from the corresponding database.
  • the user can call the API interface to send a read request through the computer.
  • the read request is a read request for the target credential.
  • other devices may also send read requests through the API interface.
  • step 403 is executed: after receiving the read request, determine whether there is a shared lock. If there is a shared lock, the value corresponding to the RAM credential indicated in the request is read from the database 402. That is, step 404 is executed: if there is a shared lock, obtain the RAM credential from the database.
  • the method 100 further includes: if there is no shared lock, acquiring the target credential from the cache.
  • step 405 is executed: if there is no shared lock, obtain the RAM credential from the global cache.
  • the data can be read in the following ways.
  • the method 100 further includes: if there is no target credential in the cache, loading the target credential from the corresponding database, and acquiring the target credential from the cache.
  • the value of the target RAM credential can be loaded from the database into the cache, and then read from the cache.
  • the embodiment of the present application keeps the operation of the global cache and the server consistent: the cache is not actively refreshed after the database update completes, and is loaded lazily only when needed, which ensures consistency.
  • a global cache can support multiple machines and multiple concurrent requests, especially write requests, so it greatly improves carrying capacity and responsiveness in scenarios such as batch expansion and sudden traffic increase. On this basis, in other disaster recovery scenarios, such as a power outage, the data in the cache and database can also become eventually consistent.
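The read and write paths of the global cache with the per-credential shared lock (steps 403 to 409 above), as an added example that is not code from the patent. A dict stands in for database 402, the lock markers live beside the cache, and the names `CredentialStore`, `begin_write`, `commit_write` and the `db_reads` counter are hypothetical; the write is split into two calls only so that the in-flight state can be observed.

```python
import threading
from typing import Dict, Optional


class CredentialStore:
    """Global cache 401 in front of database 402, with a shared lock per credential."""

    def __init__(self, db: Dict[str, str]) -> None:
        self.db = db                      # database 402: a plain dict stands in (constructed)
        self.cache: Dict[str, str] = {}   # global cache 401
        self.locks: Dict[str, bool] = {}  # shared-lock markers kept alongside the cache
        self._mu = threading.Lock()       # guards the in-memory structures
        self.db_reads = 0                 # counter showing which path served a read

    def begin_write(self, name: str) -> None:
        """Steps 406-407: create the shared lock, then clear the cached value.

        While the lock is held, readers go to the database, so a concurrent reader
        cannot repopulate the cache with the stale value before the write commits.
        """
        with self._mu:
            self.locks[name] = True
            self.cache.pop(name, None)

    def commit_write(self, name: str, value: str) -> None:
        """Steps 408-409: write the new value to the database, then release the lock.

        The cache is not refreshed here; the next unlocked read loads it lazily.
        """
        self.db[name] = value
        with self._mu:
            self.locks.pop(name, None)

    def write(self, name: str, value: str) -> None:
        """Full write path for a credential update."""
        self.begin_write(name)
        self.commit_write(name, value)

    def read(self, name: str) -> Optional[str]:
        """Steps 403-405: locked -> database; cached -> cache; miss -> load, then serve."""
        with self._mu:
            if self.locks.get(name):
                # 404: a write is in flight; read the database and leave the cache alone.
                self.db_reads += 1
                return self.db.get(name)
            if name in self.cache:
                # 405: no lock and the value is cached; serve from the global cache.
                return self.cache[name]
            # No lock and a cache miss: load from the database into the cache, then serve.
            self.db_reads += 1
            value = self.db.get(name)
            if value is not None:
                self.cache[name] = value
            return value
```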
  • Fig. 5 is a schematic structural diagram of a credential rotation system provided by an exemplary embodiment of the present application.
  • the system 500 may include: a first device 501 and a second device 502 .
  • the first device 501 may be a device with a certain computing capability, and may realize the function of sending data to the second device 502 , and may also receive data sent by the second device 502 .
  • the basic structure of the first device 501 may include: at least one processor. The number of processors may depend on the configuration and type of the device having a certain computing power. A device with a certain computing capability may also include memory, which may be volatile, such as RAM, or non-volatile, such as read-only memory (ROM) or flash memory, or may include both types.
  • an operating system (Operating System, OS)
  • one or more application programs, and program data may also be stored in the memory.
  • the first device 501 may be a smart terminal, for example, a mobile phone, a desktop computer, a notebook, a tablet computer, and the like.
  • the second device 502 refers to a device that can provide computing and processing services in a network virtual environment, and may refer to a device that uses a network to perform credential rotation.
  • the second device 502 may be any device capable of providing computing services and performing credential rotation, for example, it may be a cloud server, a cloud host, a virtual center, a regular server, and the like.
  • the composition of the second device 502 mainly includes a processor, a hard disk, a memory, a system bus, etc., and is similar to a general computer architecture.
  • the second device 502 acquires the target credential to be rotated, creates a replacement credential corresponding to the target credential to be rotated, and stores the target credential to be rotated in the acquisition area; replaces the target credential to be rotated in the acquisition area with the replacement credential so that it can be acquired; and deletes the target credential to be rotated, and uses the replacement credential in the acquisition area as the target credential to be rotated next time.
  • the first device 501 can authorize the second device 502 to manage the RAM credential and create the RAM credential to be managed. After the second device 502 receives the authorization and the RAM credentials to be escrowed, the credentials can be rotated.
  • after obtaining the target credential to be rotated, the second device 502 determines the operation action corresponding to the target credential to be rotated according to the current time; the operation actions include creating a replacement credential, replacing the target credential to be rotated with the replacement credential, and deleting the target credential to be rotated.
  • the second device 502 stores the created replacement credential in the previous version of the credential corresponding to the credential rotation program, stores the target credential to be rotated in the current version of the credential corresponding to the credential rotation program, and uses the current version of the credential in the credential rotation program as the acquisition area.
  • the second device 502 replaces the target credential to be rotated stored in the current version of the credential corresponding to the credential rotation program with the replacement credential, and stores the target credential to be rotated in the previous version of the credential corresponding to the credential rotation program.
  • the second device 502 receives the write request for the target credential to be rotated, and creates a shared lock for the target credential to be rotated in the cache according to the write request; clears the target credential to be rotated in the cache, and writes data to the target credential to be rotated in the corresponding database so that the target credential to be rotated is updated; and, after the data is written in the corresponding database, releases the shared lock in the cache so that the updated target credential to be rotated can be loaded.
  • the second device 502 receives the read request of the target credential, and determines whether there is a shared lock for the target credential in the cache according to the read request; if there is a shared lock, obtains the corresponding target credential from the corresponding database.
  • if there is no shared lock, the second device 502 obtains the target credential from the cache.
  • if there is no target credential in the cache, the second device 502 loads the target credential from the corresponding database, and then acquires the target credential from the cache.
  • the user can log in to a control interface of the second device 502 in the cloud (such as a server) through the first device 501 (such as a computer). This interface can be used for RAM credential hosting: the user operates on this interface, performs credential hosting authorization, and sends an authorization request or information to the credential rotation program 207 on the cloud server, that is, executes step 201: authorize management of the RAM credential.
  • the user can log in to another control interface of the cloud server through a computer, and create RAM data to be hosted on this interface, that is, perform step 202: create a RAM credential to be hosted.
  • after the program 207 for rotating credentials on the cloud server receives the authorization request and the RAM credentials to be managed, it can rotate the RAM credentials to be managed through the resource access control service 208 according to the authorization, that is, perform step 203: rotate RAM data.
  • the program 207 for rotating credentials determines which currently hosted credentials have reached the rotation cycle according to the specific length of the rotation cycle, such as 7 days, and the start time of hosting. When the time window used to trigger the creation of a new RAM credential arrives, it obtains these managed RAM credentials as the target credentials to be rotated, and creates a new RAM credential "AK2" corresponding to the RAM credential "AK1" by calling the Open API interface of the resource access control service 208.
  • the credential rotation program 207 on the cloud server replaces "AK1" in the current version with "AK2" from the previous version, so that after the replacement "AK2" is in the current version and "AK1" is in the previous version. When the time window for deleting the target credential to be rotated arrives, the credential rotation program 207 on the cloud server deletes the RAM credential "AK1" from the previous version of the corresponding credential by calling the Open API interface of the resource access control service 208. At this point, the "AK2" in the current version will be used as the target credential to be rotated next time.
  • the user can obtain the rotated RAM credential through the SDK or client installed on the computer, that is, perform step 503: obtain the rotated RAM credential.
  • the user can call the API interface through the computer to send a write request to the cloud server.
  • the write request is used for writing the target credential to be rotated, and the RAM credential stored in the cloud server can be modified to realize the update.
  • other devices may also send write requests through the API interface.
  • when the credential rotation program on the cloud server, or the global cache (Global Cache) of the service, receives the write request, it determines the corresponding RAM credential from the request and creates a corresponding shared lock for the RAM credential in the cache. After the shared lock is created, the cached value corresponding to that RAM credential can be deleted. Then the value carried in the write request is written to the database, and the shared lock is released.
  • the user can call the API interface through the computer to send a read request to the cloud server.
  • the read request is a read request for the target credential.
  • the target credential can be a credential that has been rotated or a credential to be rotated.
  • other devices may also send read requests through the API interface.
  • when the credential rotation program on the cloud server, or the global cache (Global Cache) of the service, receives the read request, it determines whether the corresponding RAM credential in the cache has a shared lock. If there is a shared lock, the value corresponding to the RAM credential indicated in the request is read from the database. If there is no shared lock, the value corresponding to the RAM credential indicated in the request can be read directly from the global cache. If there is no shared lock and no corresponding value for the target RAM credential in the cache, the value of the target RAM credential may be loaded from the database into the cache and then read from the cache.
  • the first device 501 and the second device 502 are connected to a network. If the first device 501 and the second device 502 are connected through a mobile network, the network standard may be 2G (GSM), 2.5G (GPRS), 3G (WCDMA, TD-SCDMA, CDMA2000, UMTS), 4G (LTE), 4G+ (LTE+), WiMax, 5G, etc.
  • Fig. 6 is a schematic structural frame diagram of a credential rotation device provided by an exemplary embodiment of the present application.
  • the device 600 can be applied to a cloud server.
  • the device 600 includes: a creation module 601, a replacement module 602, and a deletion module 603; the functions of each module are described in detail below:
  • the creating module 601 is configured to acquire a target credential to be rotated, and create a replacement credential corresponding to the target credential to be rotated.
  • the target credentials to be rotated are stored in the acquisition area.
  • a replacement module 602 configured to replace the target credential to be rotated in the acquisition area with the replacement credential, so that the replacement credential can be acquired.
  • the deletion module 603 is configured to delete the target credential to be rotated, and use the replacement data in the acquisition area as the target credential to be rotated next time.
  • the device 600 also includes a determination module, configured to determine, after the target credential to be rotated is obtained, the operation corresponding to the target credential to be rotated according to the current time; the operations include creating the replacement credential, replacing the target credential to be rotated with the replacement credential, and deleting the target credential to be rotated.
  • the creating module 601 is specifically configured to: query the credentials to be rotated, and obtain the corresponding type of target credentials to be rotated according to the type of credentials.
  • the device 600 also includes a storing module, configured to store the created replacement credential in the previous version of the credential corresponding to the credential rotation program, store the target credential to be rotated in the current version of the credential corresponding to the credential rotation program, and use the current version of the credential in the credential rotation program as the acquisition area.
  • the replacement module 602 is configured to replace the target credential to be rotated stored in the current version of the credential corresponding to the credential rotation program with the replacement data, and to store the target credential to be rotated in the previous version of the credential corresponding to the credential rotation program.
  • the deletion module 603 is configured to delete the target credential to be rotated stored in the previous version of the credential corresponding to the credential rotation program.
  • the creation module 601 is also configured to receive a write request for the target credential to be rotated and create a shared lock for the target credential to be rotated in the cache according to the write request; the device 600 also includes a write module, configured to clear the target credential to be rotated from the cache and write the data for the target credential to be rotated into the corresponding database so that the target credential to be rotated is updated, and a release module, configured to release the shared lock in the cache after the data has been written to the corresponding database, so that the updated target credential to be rotated can be loaded.
  • the determining module is also configured to receive a read request for the target credential and determine, according to the read request, whether there is a shared lock for the target credential in the cache; the apparatus 600 also includes an acquiring module, configured to obtain the target credential from the corresponding database if there is a shared lock.
  • the acquisition module is also used to obtain the target credentials from the cache if there is no shared lock.
  • the apparatus 600 further includes a loading module, configured to load the target credential from the corresponding database if the cache does not hold the target credential, and then acquire the target credential from the cache.
  • the structure of the apparatus 600 shown in FIG. 6 can be implemented as a computing device, such as a cloud server.
  • the device 700 may include: a memory 701 and a processor 702;
  • the memory 701 is used for storing computer programs.
  • the processor 702 is configured to execute the computer program to: acquire a target credential to be rotated and create a replacement credential corresponding to the target credential to be rotated, the target credential to be rotated being stored in the acquisition area; replace the target credential to be rotated in the acquisition area with the replacement credential, so that the replacement credential can be acquired; and delete the target credential to be rotated and use the replacement data in the acquisition area as the target credential to be rotated next time.
  • the processor 702 is also configured to: after obtaining the target credential to be rotated, determine the operation corresponding to the target credential to be rotated according to the current time; the operations include creating the replacement credential, replacing the target credential to be rotated with the replacement credential, and deleting the target credential to be rotated.
  • the processor 702 is specifically configured to: query the credentials to be rotated, and acquire the corresponding type of target credentials to be rotated according to the type of credentials.
  • the processor 702 is also configured to: store the created replacement credential in the previous version of the credential corresponding to the credential rotation program, store the target credential to be rotated in the current version of the credential corresponding to the credential rotation program, and use the current version of the credential corresponding to the credential rotation program as the acquisition area.
  • the processor 702 is also configured to: replace the target credential to be rotated stored in the current version of the credential corresponding to the credential rotation program with the replacement data, and store the target credential to be rotated in the previous version of the credential corresponding to the credential rotation program.
  • the processor 702 is specifically configured to: delete the target credential to be rotated stored in the previous version of the credential corresponding to the credential rotation program.
  • the processor 702 is also configured to: receive a write request for the target credential to be rotated and create a shared lock for the target credential to be rotated in the cache according to the write request; write the data for the target credential to be rotated into the corresponding database so that the target credential to be rotated is updated; and, after the data has been written to the corresponding database, release the shared lock in the cache so that the updated target credential to be rotated can be loaded.
  • the processor 702 is also configured to: receive a read request of the target credential, determine whether there is a shared lock for the target credential in the cache according to the read request; if there is a shared lock, obtain the corresponding target credential from the corresponding database.
  • processor 702 is further configured to: if there is no shared lock, acquire the target credential from the cache.
  • processor 702 is further configured to: if there is no target credential in the cache, load the target credential from the corresponding database, and acquire the target credential from the cache.
  • an embodiment of the present invention provides a computer storage medium.
  • when the computer program is executed by one or more processors, the one or more processors are caused to implement the steps of the credential rotation method in the method embodiments shown in FIGS. 1-4.
  • the device embodiments described above are only illustrative: the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment, which those skilled in the art can understand and implement without creative effort.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable multimedia data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instruction means implementing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable multimedia data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in the procedure or procedures of the flowchart and/or the block or blocks of the block diagram.
  • a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • Memory may include non-permanent storage in computer-readable media, in the form of random access memory (RAM) and/or nonvolatile memory such as read-only memory (ROM) or flash RAM. Memory is an example of computer readable media.
  • Computer-readable media, including both permanent and non-permanent, removable and non-removable media, can be implemented by any method or technology for the storage of information.
  • Information may be computer readable instructions, data structures, modules of a program, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Flash memory or other memory technology, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, Magnetic tape cartridge, tape magnetic disk storage or other magnetic storage device or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
  • computer-readable media excludes transitory computer-readable media, such as modulated data signals and carrier waves.
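The read and write rules for the global cache described above (write: take a shared lock for the credential, drop the cached value, write the database, release the lock and reload; read: go to the database while the lock is held, otherwise serve from the cache, loading it on a miss) are modelled below. This is an added example, not code from the patent or from the applicant's service; the class and method names, the in-memory stand-ins for the database and the global cache, and the sample values are constructed for the example. The `begin_write`/`commit_write` split exists only so that a read can be issued while a write is in flight, which is the case the lock is there for.

```python
"""Added example: read/write path for a rotated credential behind a cache."""
from typing import Dict, List, Optional, Tuple


class CredentialCache:
    """Cache in front of the credential database with a per-credential shared lock."""

    def __init__(self, database: Dict[str, str]) -> None:
        self.database = database                  # stand-in for the credential database (authoritative)
        self.cache: Dict[str, str] = {}           # stand-in for the global cache
        self.locks: set = set()                   # credential names with an active shared lock
        self.trace: List[Tuple[str, str]] = []    # (source, name) for every read, for inspection

    # ---- write path ---------------------------------------------------------
    def begin_write(self, name: str) -> None:
        """Take the shared lock and drop the cached value so it cannot be served stale."""
        self.locks.add(name)
        self.cache.pop(name, None)

    def commit_write(self, name: str, value: str) -> None:
        """Persist the new value, then release the lock and load the fresh value into the cache."""
        self.database[name] = value
        self.locks.discard(name)
        self.cache[name] = value

    def write(self, name: str, value: str) -> None:
        """The full write as the text describes it: lock, clear, write database, release."""
        self.begin_write(name)
        self.commit_write(name, value)

    # ---- read path ----------------------------------------------------------
    def read(self, name: str) -> Optional[str]:
        if name in self.locks:
            # A write is in flight: bypass the cache and read the database directly.
            self.trace.append(("database", name))
            return self.database.get(name)
        if name not in self.cache:
            if name not in self.database:
                self.trace.append(("missing", name))
                return None
            # No lock and a cache miss: load from the database, then serve from the cache.
            self.cache[name] = self.database[name]
            self.trace.append(("load", name))
        else:
            self.trace.append(("cache", name))
        return self.cache[name]


def demo() -> dict:
    """Drive one rotation write with reads before, during and after it."""
    store = CredentialCache({"AK1": "SECRET-V1"})   # constructed sample, not a real key
    before = store.read("AK1")        # cache miss -> loaded from the database
    again = store.read("AK1")         # served from the cache
    store.begin_write("AK1")          # rotation write starts: lock held, cached value cleared
    during = store.read("AK1")        # lock held -> database, still the committed old value
    store.commit_write("AK1", "SECRET-V2")
    after = store.read("AK1")         # lock released -> fresh value served from the cache
    unknown = store.read("AK9")       # a credential that exists nowhere
    return {
        "before": before, "again": again, "during": during, "after": after,
        "unknown": unknown,
        "sources": [src for src, _ in store.trace],
        "locked_after": "AK1" in store.locks,
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in a real deployment is the `during` read: with the lock in place it is served from the database and never from a half-updated cache entry, and the cache is only repopulated by the writer after the database write has succeeded.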

Abstract

Embodiments of the present application provide a credential rotation method, a computing device, and a storage medium. In the embodiments of the present application, the method comprises: acquiring a target credential to be rotated and creating a replacement credential corresponding to the target credential to be rotated, wherein the target credential to be rotated is stored in an acquisition region; replacing the target credential to be rotated in the acquisition region with the replacement credential, so that the replacement credential can be acquired; and deleting the target credential to be rotated and using the replacement data in the acquisition region as the next target credential to be rotated. Because the replacement credential corresponding to the target credential to be rotated is created, the target credential to be rotated is stored in the acquisition region, and the target credential to be rotated in the acquisition region is then replaced with the replacement credential so that it can be acquired, the rotation of the target credential is achieved; the target credential is thereby updated, its security is improved, the risk of attack is reduced, and the possibility of leakage is reduced.

Description

Credential rotation method, computing device and storage medium
This application claims priority to Chinese patent application No. 202110923482.8, entitled "Credential rotation method, computing device and storage medium", filed on August 12, 2021, the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the field of computer technology, and in particular to a credential rotation method, a computing device and a storage medium.
Background
With the advent of the information age and cloud services, more and more data needs to be protected, and access credentials in particular are a top priority. Attacks caused by the leakage of RAM (Resource Access Management) credentials (AccessKeys) are one of the main problems facing cloud security, so reducing the security risk of RAM credential leakage is critical.
Summary of the invention
Various aspects of the present application provide a credential rotation method, a computing device and a storage medium that reduce the risk of credential leakage and improve credential security.
An embodiment of the present application provides a credential rotation method, including: acquiring a target credential to be rotated and creating a replacement credential corresponding to the target credential to be rotated, where the target credential to be rotated is stored in an acquisition area; replacing the target credential to be rotated in the acquisition area with the replacement credential, so that the replacement credential can be acquired; and deleting the target credential to be rotated and using the replacement data in the acquisition area as the next target credential to be rotated.
An embodiment of the present application also provides a computing device, including a memory and a processor; the memory is used to store a computer program, and the processor executes the computer program to: acquire a target credential to be rotated and create a replacement credential corresponding to the target credential to be rotated, where the target credential to be rotated is stored in an acquisition area; replace the target credential to be rotated in the acquisition area with the replacement credential, so that the replacement credential can be acquired; and delete the target credential to be rotated and use the replacement data in the acquisition area as the next target credential to be rotated.
An embodiment of the present application also provides a computer-readable storage medium storing a computer program; when the computer program is executed by one or more processors, the one or more processors are caused to implement the steps of the above method.
In the embodiments of the present application, a target credential to be rotated is acquired and a replacement credential corresponding to it is created, the target credential to be rotated being stored in an acquisition area; the target credential to be rotated in the acquisition area is replaced with the replacement credential so that it can be acquired; and the target credential to be rotated is deleted and the replacement data in the acquisition area is used as the next target credential to be rotated.
Creating the replacement credential corresponding to the target credential to be rotated, storing the target credential to be rotated in the acquisition area, and then replacing the target credential to be rotated in the acquisition area with the replacement credential so that it can be acquired achieves the rotation of the target credential. The target credential is thereby updated, its security is improved, the risk of attack is reduced, and the possibility of leakage is reduced. At the same time, because the acquisition area always holds a target credential, any situation that requires the target credential continues to be supported, so the corresponding service can be accessed without interruption.
Description of the drawings
The drawings described here are used to provide a further understanding of the application and constitute a part of it. The schematic embodiments of the application and their descriptions are used to explain the application and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic flowchart of a credential rotation method according to an exemplary embodiment of the present application;
Fig. 2 is a schematic diagram of credential escrow according to an exemplary embodiment of the present application;
Fig. 3 is a schematic diagram of a rotation period according to an exemplary embodiment of the present application;
Fig. 4 is a schematic diagram of credential reading and writing according to an exemplary embodiment of the present application;
Fig. 5 is a schematic structural diagram of a credential rotation system according to an exemplary embodiment of the present application;
Fig. 6 is a schematic structural diagram of a credential rotation device provided by an exemplary embodiment of the present application;
Fig. 7 is a schematic structural diagram of a computing device provided by an exemplary embodiment of the present application.
Detailed description
In order to make the purpose, technical solution and advantages of the present application clearer, the technical solution of the present application is described clearly and completely below in conjunction with specific embodiments of the present application and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. Based on the embodiments in this application, all other embodiments obtained by persons of ordinary skill in the art without creative effort fall within the scope of protection of this application.
As described above, attacks caused by the leakage of RAM (Resource Access Management) credentials (AccessKeys) are one of the main problems facing cloud security. This is because RAM credentials remain unchanged: once a RAM credential has been generated, it never changes again, which greatly increases the risk of it being attacked.
On this basis, the embodiments of the present application provide a credential rotation method, a computing device and a storage medium that can reduce the risk of credential leakage and improve credential security.
The credential rotation process is described in detail below in conjunction with the method embodiment.
Fig. 1 is a schematic flowchart of a credential rotation method according to an exemplary embodiment of the present application. The method 100 provided by this embodiment is executed by a computing device, such as a cloud server. The method 100 includes the following steps:
101: Acquire the target credential to be rotated and create a replacement credential corresponding to the target credential to be rotated.
The target credential to be rotated is stored in the acquisition area.
102: Replace the target credential to be rotated in the acquisition area with the replacement credential, so that it can be acquired.
103: Delete the target credential to be rotated, and use the replacement data in the acquisition area as the next target credential to be rotated.
It should be noted that, more specifically, the execution subject of this embodiment may be a service on the cloud server, such as a program or service for rotating credentials. This program or service may also implement functions such as credential escrow, that is, it may also be a management program or service that provides full-lifecycle management of credentials (creation, retrieval, update, deletion and so on) so as to manage credentials in a unified way; this is not limited here. The program or service can run in one or more containers on the cloud server.
The above steps are described in detail below:
101: Acquire the target credential to be rotated and create a replacement credential corresponding to the target credential to be rotated.
The target credential to be rotated is stored in the acquisition area.
The target credential to be rotated may be a credential waiting to be updated, such as a RAM credential. The acquisition area may be the location or area from which a user or other device acquires credentials; for example, within the current version of the credential corresponding to the program or service, it may be the location or area in that current version used to store the current credential.
The replacement credential can be a newly created credential.
For example, as shown in Fig. 2, user 206 can log in through a computer to a control interface of the cloud server that is used for RAM credential escrow. On this interface user 206 authorizes credential escrow by sending an authorization request or authorization information to the credential rotation program 207 on the cloud server, that is, step 201: authorize management of RAM credentials. After authorization, user 206 can log in through the computer to another control interface of the cloud server and create the RAM credential to be escrowed there. The created content may include: the credential type, such as a RAM credential; the selected RAM user, each user having at least one RAM credential; and the specific data of the RAM credential under that user. Description information for the RAM credential, such as which service the RAM credential is used to access, may also be entered. The created RAM credential to be escrowed is then sent to the credential rotation program 207, that is, step 202: create the RAM credential to be escrowed. Each RAM credential has a corresponding identifier, such as a name. In addition, user 206 can set the rotation period, or the default period can be used.
After the credential rotation program 207 on the cloud server receives the authorization request and the RAM credential to be escrowed, it can rotate the escrowed RAM credential through the resource access control service 208 according to that authorization, that is, step 203: rotate RAM credentials. During rotation, the credential rotation program 207 uses the length of the rotation period, such as 7 days, together with the escrow start time to determine which escrowed credentials have currently reached their rotation period, acquires those escrowed RAM credentials as the target credentials to be rotated, and creates new RAM credentials corresponding to them by calling the Open API of the resource access control service 208.
It should be noted that a RAM credential is the access key (AccessKey, abbreviated AK below) of a RAM user. It consists of an AccessKey ID (the account) and an AccessKey Secret (the password), and is used by the RAM user to authenticate when calling cloud service APIs.
Specifically, acquiring the target credential to be rotated includes: querying the credentials to be rotated, and acquiring the target credentials to be rotated of the corresponding type according to the credential type.
For example, as described above and shown in Fig. 2, during rotation the credential rotation program 207 on the cloud server uses the length of the rotation period, such as 7 days, and the escrow start time to determine which escrowed credentials have currently reached their rotation period, and acquires those escrowed credentials. According to the type of the escrowed credentials it identifies the RAM credentials as the target credentials to be rotated and hands them to the escrowed-credential execution unit for RAM credential rotation; the execution unit finds the corresponding executor and passes the RAM credentials to it for rotation of the escrowed RAM credentials. The executor can create new RAM credentials corresponding to these RAM credentials by calling the Open API of the resource access control service 208.
In order to better determine when each operation in the credential rotation is performed, such as the operation of creating the replacement credential, time can be used to decide when the corresponding operation is carried out.
Specifically, after the target credential to be rotated is acquired, the operation corresponding to the target credential to be rotated is determined according to the current time; the operations include the operation of creating the replacement credential, the operation of replacing the target credential to be rotated with the replacement credential, and the operation of deleting the target credential to be rotated.
Each target credential to be rotated has a corresponding rotation period; the rotation periods may be the same, such as 7 days, or they may differ. As shown in Fig. 3, the rotation period 303 of the RAM credential "AK1" 301 is 7 days. A rotation period may include multiple time windows, each of which can trigger a corresponding operation; when the time corresponding to a window arrives, the corresponding operation is performed.
For example, as described above, after the credential rotation program on the cloud server acquires the RAM credential to be rotated, the RAM credential "AK1" 301 starts rotating as shown in Fig. 3. When the time window that triggers the creation of a new RAM credential arrives, the new RAM credential is created in the manner described above; the newly created RAM credential may be "AK2" 302, which also has a corresponding rotation period, which may be 7 days.
It should be noted that when the other time windows arrive, the other corresponding operations are performed; the specific operations are described in detail below.
102: Replace the target credential to be rotated in the acquisition area with the replacement credential, so that the replacement credential is available to be acquired.
As described above, the acquisition area may refer to the location or area from which a user or another device obtains a credential, such as the current (Current) version of the credential corresponding to the credential rotation program or service.
For example, as described above, after the credential rotation program on the cloud server has created the new RAM credential "AK2", it may replace "AK1" stored in the current version with "AK2", so that "AK2" waits to be acquired.
Because a user or another device obtains a RAM credential from the current version, the user or other device can always obtain a usable RAM credential from the current version with which to access the cloud service. This prevents the situation in which direct manual modification makes a usable RAM credential unavailable in time and thereby obstructs access to or invocation of the cloud service.
At the same time, it reduces the technical development cost and time cost of users operating and maintaining credentials themselves, so that credential security and the security of cloud service access are improved without the user being aware of it.
In addition, for ease of replacement, the replacement credential may also be stored in a corresponding version; to distinguish the two credentials, the replacement credential may be stored in the previous version.
Specifically, the method 100 further includes: storing the created replacement credential in the previous (Previous) version of the credential corresponding to the credential rotation program, storing the target credential to be rotated in the current version of the credential corresponding to the credential rotation program, and using the current version of the credential corresponding to the credential rotation program as the acquisition area.
For example, as described above, the credential rotation program on the cloud server stores the created "AK2" in the previous (Previous) version and stores "AK1" in the current (Current) version.
Specifically, replacing the target credential to be rotated in the acquisition area with the replacement credential includes: replacing the target credential to be rotated, stored in the current version of the credential corresponding to the credential rotation program, with the replacement credential, and storing the target credential to be rotated in the previous version of the credential corresponding to the credential rotation program.
For example, as described above, when the time window that triggers credential replacement arrives, the credential rotation program on the cloud server swaps "AK1" in the current version with "AK2" in the previous version; that is, after replacement the current version holds "AK2" and the previous version holds "AK1".
103: Delete the target credential to be rotated, and use the replacement credential in the acquisition area as the target credential to be rotated the next time.
For example, as described above, the credential rotation program on the cloud server has now replaced "AK1" with "AK2".
Specifically, deleting the target credential to be rotated includes: deleting the target credential to be rotated that is stored in the previous version of the credential corresponding to the credential rotation program.
For example, as described above, when the time window that triggers deletion of the target credential to be rotated arrives, the credential rotation program on the cloud server deletes the RAM credential "AK1" held in the previous version of the corresponding credential by calling the Open API interface of the resource access control service. At this point, "AK2" in the current version becomes the next target credential to be rotated; once its rotation period arrives, it is rotated in the same manner as described above, which is not repeated here.
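The three time-window actions of method 100 (create the replacement into the Previous version, swap it into the Current version, delete the retired key from Previous), as an added example that is not part of the patent; the window offsets, the FakeRamApi stand-in for the resource access control Open API and the dates are assumptions. It also handles a window that was missed (for example because the rotation program was down), which the text does not discuss.

```python
"""Rotation of a hosted RAM credential through its Current/Previous versions.
Added example, not the patent's code; window offsets, FakeRamApi and dates
are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


class FakeRamApi:
    """Constructed stand-in for the RAM Open API: mints sequential access-key
    IDs ("AK1", "AK2", ...) and tracks which of them are still live."""

    def __init__(self) -> None:
        self._counter = 0
        self.live: List[str] = []

    def create_access_key(self) -> str:
        self._counter += 1
        ak = f"AK{self._counter}"
        self.live.append(ak)
        return ak

    def delete_access_key(self, ak: str) -> None:
        self.live.remove(ak)


# Offsets inside each rotation period at which the three time windows open.
# The patent names the windows but fixes no offsets; these are assumptions.
CREATE_AT = timedelta(days=0)
REPLACE_AT = timedelta(days=1)
DELETE_AT = timedelta(days=2)


@dataclass
class HostedCredential:
    """Current is the acquisition area clients read from; Previous first
    stages the replacement and afterwards holds the retired key."""
    name: str
    current: str
    previous: Optional[str] = None
    hosted_at: datetime = datetime(2024, 1, 1)   # constructed hosting start
    period: timedelta = timedelta(days=7)
    phase: str = "idle"        # idle -> created -> replaced -> idle
    cycles_done: int = 0       # rotation periods already completed


def operation_action(cred: HostedCredential, now: datetime) -> Optional[str]:
    """Determine from the current time which operation action is due, if any."""
    elapsed = now - cred.hosted_at
    if elapsed < timedelta(0):
        return None
    cycle = elapsed // cred.period      # index of the rotation period we are in
    offset = elapsed % cred.period      # position inside that period
    overdue = cycle > cred.cycles_done  # a window was missed (e.g. downtime)
    if cred.phase == "idle" and cycle >= cred.cycles_done and offset >= CREATE_AT:
        return "create"
    if cred.phase == "created" and (offset >= REPLACE_AT or overdue):
        return "replace"
    if cred.phase == "replaced" and (offset >= DELETE_AT or overdue):
        return "delete"
    return None


def execute_action(cred: HostedCredential, ram: FakeRamApi, now: datetime) -> Optional[str]:
    """Run the due action (steps 101-103) and report which one ran."""
    action = operation_action(cred, now)
    if action == "create":
        # 101: create the replacement and stage it in the Previous version.
        cred.previous = ram.create_access_key()
        cred.phase = "created"
    elif action == "replace":
        # 102: swap, so Current holds the replacement and Previous the old key.
        cred.current, cred.previous = cred.previous, cred.current
        cred.phase = "replaced"
    elif action == "delete":
        # 103: retire the old key from Previous; Current is the next target.
        ram.delete_access_key(cred.previous)
        cred.previous = None
        cred.phase = "idle"
        cred.cycles_done = (now - cred.hosted_at) // cred.period + 1
    return action


def acquire(cred: HostedCredential) -> str:
    """What an SDK or client fetches: always the Current version."""
    return cred.current


def simulate(days: int) -> Tuple[List[Optional[str]], HostedCredential, FakeRamApi]:
    """Drive one hosted credential day by day, checking that the key in the
    acquisition area is live in RAM at every step."""
    ram = FakeRamApi()
    cred = HostedCredential(name="db-access", current=ram.create_access_key())
    actions: List[Optional[str]] = []
    for day in range(days):
        now = cred.hosted_at + timedelta(days=day)
        actions.append(execute_action(cred, ram, now))
        assert acquire(cred) in ram.live, "client would receive a deleted key"
    return actions, cred, ram
```

The assertion inside simulate() is the availability guarantee the text describes: a client reading the Current version never receives a key that has already been deleted.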
It should be noted that when each target credential to be rotated is rotated, a corresponding task may be created for it, and when the rotation finishes the task execution status is marked as successful. The embodiments of this application process the user's RAM credentials through the Open API interface, on the basis of the user's authorization to host credentials and the creation of hosted credentials, which avoids the safety-of-use problems caused by a user operating RAM credentials incorrectly through direct use of the Open API interface, such as deleting a RAM credential that is in use.
It should also be noted that, as shown in FIG. 2, the application program 209 may connect to the credential rotation program 207 periodically or in real time, that is, execute step 204: connect to the credential rotation program. It may connect by way of an SDK (Software Development Kit) or a client, and obtain the corresponding target credential, such as a RAM credential, together with the name of that credential, from the acquisition area. Then, when the application program 209 accesses the cloud service 210, it replaces the RAM credential by name, substituting the current, rotated RAM credential for the pre-rotation RAM credential, and then accesses the cloud service 210, that is, executes step 205: access the cloud service using the rotated RAM credential. In addition, the credential rotation program 207 may also encrypt and manage the hosted credentials, further ensuring credential security.
As shown in FIG. 2, since the application program 209 can connect to the credential rotation program 207 by way of the SDK or client to obtain the rotated credential, the user can likewise, through the SDK or client, access the corresponding cloud service 210 with the rotated RAM credential the next time that cloud service 210 is accessed, so that the SDK or client updates the corresponding credential. Accordingly, the embodiments of this application ensure that the SDK or client has at least one usable RAM credential during the rotation process, avoiding the situation in which the SDK or client cannot obtain a RAM credential in time during rotation and therefore cannot invoke cloud product services, while also reducing the user's cost of use.
Moreover, once a credential is leaked, whether through an attack or for other reasons, the embodiments of this application need to redeploy the cloud services corresponding to the credential, reset all of the access credentials corresponding to those cloud services, and disable the old access credentials so that they can no longer be used to access the services. This enables a rapid emergency response, after which the cloud services can be accessed with the reset access credentials. However, if access credentials are reset manually, a corresponding application may be overlooked, so that the access credentials under that application are not reset; since those un-reset access credentials are disabled, the next service access still uses them and fails, causing a failure in the user's system.
The embodiments of this application also provide a means of centralized management of the credentials required by various cloud resources, enabling management at scale.
Important information stored in the database (db) of the credential rotation program or service, such as credential information and key information, is loaded only once when the program or service starts, so the access frequency is low; but during special periods such as concurrent access, capacity expansion and upgrades, the request volume surges. Moreover, credential rotation triggers the rotation of the same batch of credentials in the same time period, producing an instantaneous peak of updates. These problems can be overcome by the following implementation:
Specifically, the method 100 further includes: receiving a write request for the target credential to be rotated, and creating a shared lock on the target credential to be rotated in the cache according to the write request; clearing the target credential to be rotated from the cache, and writing data for the target credential to be rotated in the corresponding database, so that the target credential to be rotated is updated; and after the data has been written in the corresponding database, releasing the shared lock in the cache, so that the updated target credential to be rotated can be loaded.
For example, as described above and as shown in FIG. 4, the user may call an API interface from a computer to send a write request. The write request is a request to write the target credential to be rotated, and may modify an already stored RAM credential in order to update it. Another device may likewise send the write request through the API interface. When the global cache 401 (Global Cache) of the credential rotation program or service receives the write request, it determines the corresponding RAM credential from the request and creates a corresponding shared lock on that RAM credential in the cache, that is, executes step 406: after receiving the write request, create a shared lock. After the shared lock is created, the value corresponding to that RAM credential may be deleted, that is, step 407 is executed: clear the value corresponding to the RAM credential to be rotated from the global cache. Then the value corresponding to the RAM credential in the write request is written into the database 402, that is, step 408 is executed: write the corresponding value data; then step 409 is executed: release the shared lock.
It should be noted that while a shared lock is held, when a further write request arrives it may first be determined whether the corresponding RAM credential already has a shared lock; if so, a shared lock is created again on the corresponding RAM credential in the cache on the basis of the shared lock's reentrancy, and the write then proceeds in the manner described above until the lock is released. This maintains data consistency between the global cache 401 and the database 402.
Thus, by means of the above shared lock and its reentrancy, data is kept consistent at all times while the impact of locking on throughput is minimized.
For a read request, specifically, the method 100 further includes: receiving a read request for a target credential, and determining according to the read request whether a shared lock exists on the target credential in the cache; if a shared lock exists, obtaining the corresponding target credential from the corresponding database.
For example, as described above and as shown in FIG. 4, the user may call an API interface from a computer to send a read request. The read request is a request to read a target credential, which may be a credential that has already been rotated or a credential to be rotated. Another device may likewise send the read request through the API interface. When the global cache 401 (Global Cache) of the credential rotation program or service receives the read request, it determines whether the corresponding RAM credential in the cache has a shared lock, that is, executes step 403: after receiving the read request, determine whether a shared lock exists. If a shared lock exists, the value corresponding to the RAM credential indicated in the request is read from the database 402, that is, step 404 is executed: if a shared lock exists, obtain the RAM credential from the database.
If no shared lock exists, the data may be read as follows. Specifically, the method 100 further includes: if no shared lock exists, obtaining the target credential from the cache.
For example, as described above and as shown in FIG. 4, if no shared lock exists, the value of the RAM credential indicated in the request may be read directly from the global cache 401, that is, step 405 is executed: if no shared lock exists, obtain the RAM credential from the global cache.
If the cache does not hold the corresponding credential, the data may be read as follows.
Specifically, the method 100 further includes: if the cache does not hold the target credential, loading the target credential from the corresponding database and then obtaining the target credential from the cache.
For example, as described above, if no shared lock exists and the cache does not hold the value of the corresponding target RAM credential, the value of the target RAM credential may be loaded from the database into the cache and then read from the cache.
It should be noted that the embodiments of this application keep the operations of the global cache and the server consistent: after a database update completes, the cache is not proactively refreshed but is loaded only when needed, which guarantees consistency. Compared with the database, a global cache can support multiple machines and multiple concurrent requests, especially write requests, which greatly improves carrying capacity and responsiveness in scenarios such as batch capacity expansion and sudden traffic surges. On this basis, in other disaster recovery scenarios, such as a power outage, the data in the cache and the database can also reach eventual consistency.
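The write path (steps 406-409) and the three read paths (steps 403-405 and the on-demand load) of FIG. 4, as an added example that is not the patent's code; the Database stand-in with its write_gate hook, and the use of a per-name reentrant lock as the shared lock, are assumptions.

```python
"""Global cache 401 in front of the credential database 402, guarded by a
per-credential reentrant lock. Added example, not the patent's code."""
import threading
import time
from typing import Dict, List, Optional, Tuple


class Database:
    """Constructed stand-in for database 402. If write_gate is given, a write
    waits on it, which lets demo() observe reads while a write is in flight."""

    def __init__(self, write_gate: Optional[threading.Event] = None) -> None:
        self._rows: Dict[str, str] = {}
        self._mutex = threading.Lock()
        self._write_gate = write_gate

    def read(self, name: str) -> Optional[str]:
        with self._mutex:
            return self._rows.get(name)

    def write(self, name: str, value: str) -> None:
        if self._write_gate is not None:
            self._write_gate.wait()
        with self._mutex:
            self._rows[name] = value


class GlobalCache:
    """Writers lock per credential name (reentrant, so a writer may re-enter
    for the same name); readers never block, they bypass the cache instead."""

    def __init__(self, db: Database) -> None:
        self._db = db
        self._values: Dict[str, str] = {}
        self._guard = threading.Lock()               # protects the maps below
        self._locks: Dict[str, threading.RLock] = {}
        self._held: Dict[str, int] = {}              # lock depth per name

    def _lock_for(self, name: str) -> threading.RLock:
        with self._guard:
            return self._locks.setdefault(name, threading.RLock())

    def has_shared_lock(self, name: str) -> bool:
        with self._guard:
            return self._held.get(name, 0) > 0

    def write(self, name: str, value: str) -> None:
        """Steps 406-409: lock, clear the cached value, write the db, unlock."""
        lock = self._lock_for(name)
        lock.acquire()                                  # 406 (re-entrant)
        with self._guard:
            self._held[name] = self._held.get(name, 0) + 1
        try:
            with self._guard:
                self._values.pop(name, None)            # 407 clear cache
            self._db.write(name, value)                 # 408 write db
        finally:
            with self._guard:
                self._held[name] -= 1
            lock.release()                              # 409 unlock

    def read(self, name: str) -> Tuple[Optional[str], str]:
        """Steps 403-405 plus on-demand load; returns (value, path taken)."""
        if self.has_shared_lock(name):                  # 403
            return self._db.read(name), "db-locked"     # 404 bypass cache
        with self._guard:
            if name in self._values:
                return self._values[name], "cache"      # 405
        value = self._db.read(name)   # miss: cache is loaded only when needed
        if value is not None:
            with self._guard:
                self._values[name] = value
        return value, "db-load"


def demo() -> List[Tuple[Optional[str], str]]:
    """Exercise every read path around one write; returns what each read saw."""
    gate = threading.Event()
    gate.set()
    db = Database(write_gate=gate)
    cache = GlobalCache(db)
    db.write("AK1", "secret-v1")                     # constructed sample row
    seen = [cache.read("AK1"), cache.read("AK1")]    # db-load, then cache hit
    gate.clear()                                     # hold the next db write open
    writer = threading.Thread(target=cache.write, args=("AK1", "secret-v2"))
    writer.start()
    for _ in range(5000):                            # wait until the lock is held
        if cache.has_shared_lock("AK1"):
            break
        time.sleep(0.001)
    seen.append(cache.read("AK1"))                   # db-locked: still the old row
    gate.set()
    writer.join()
    seen.append(cache.read("AK1"))                   # db-load: refreshed on demand
    seen.append(cache.read("AK1"))                   # cache
    return seen
```

A reader that arrives while the lock is held is served from the database and never from a half-updated cache entry, and after the write the cache is refilled only by the next read, as the text requires.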
FIG. 5 is a schematic structural diagram of a credential rotation system provided by an exemplary embodiment of this application. As shown in FIG. 5, the system 500 may include a first device 501 and a second device 502.
The first device 501 may be a device with some computing capability, capable of sending data to the second device 502 and of receiving data sent by the second device 502. The basic structure of the first device 501 may include at least one processor. The number of processors may depend on the configuration and type of the device. The device may also include memory, which may be volatile, such as RAM, or non-volatile, such as read-only memory (ROM) or flash memory, or may include both types. The memory usually stores an operating system (OS) and one or more application programs, and may also store program data. In addition to the processing unit and memory, the device also includes some basic components, such as a network card chip, an IO bus, a display component and some peripheral devices. Optionally, the peripheral devices may include, for example, a keyboard and a stylus. Other peripheral devices are well known in the art and are not described here. Optionally, the first device 501 may be a smart terminal, for example a mobile phone, a desktop computer, a laptop or a tablet computer.
The second device 502 is a device that can provide computing and processing services in a networked virtual environment, and may be a device that performs credential rotation over the network. In physical implementation, the second device 502 may be any device capable of providing computing services and performing credential rotation, for example a cloud server, a cloud host, a virtual center or a conventional server. The second device 502 mainly consists of a processor, a hard disk, memory, a system bus and so on, similar to a general-purpose computer architecture.
Specifically, the second device 502 obtains the target credential to be rotated and creates a replacement credential corresponding to it, the target credential to be rotated being stored in the acquisition area; replaces the target credential to be rotated in the acquisition area with the replacement credential so that it can be acquired; and deletes the target credential to be rotated and uses the replacement credential in the acquisition area as the next target credential to be rotated.
The first device 501 may authorize the second device 502 to manage RAM credentials and may create the RAM credentials to be hosted. After receiving the authorization and the RAM credentials to be hosted, the second device 502 can rotate the credentials.
In addition, after obtaining the target credential to be rotated, the second device 502 determines, according to the current time, the operation action corresponding to the target credential to be rotated; the operation actions include creating the replacement credential, replacing the target credential to be rotated with the replacement credential, and deleting the target credential to be rotated.
In addition, the second device 502 stores the created replacement credential in the previous version of the credential corresponding to the credential rotation program, stores the target credential to be rotated in the current version of the credential corresponding to the credential rotation program, and uses that current version as the acquisition area.
Specifically, the second device 502 replaces the target credential to be rotated, stored in the current version of the credential corresponding to the credential rotation program, with the replacement credential, and stores the target credential to be rotated in the previous version of the credential corresponding to the credential rotation program.
In addition, the second device 502 receives a write request for the target credential to be rotated and creates a shared lock on the target credential to be rotated in the cache according to the write request; clears the target credential to be rotated from the cache and writes data for it in the corresponding database, so that it is updated; and after the data has been written in the corresponding database, releases the shared lock in the cache so that the updated target credential to be rotated can be loaded.
In addition, the second device 502 receives a read request for a target credential and determines, according to the read request, whether a shared lock exists on the target credential in the cache; if a shared lock exists, it obtains the corresponding target credential from the corresponding database.
In addition, if no shared lock exists, the second device 502 obtains the target credential from the cache.
In addition, if the cache does not hold the target credential, the second device 502 loads the target credential from the corresponding database and then obtains it from the cache.
It should be noted that for content not fully described for the system 500, reference is made to the method 100 above, and for its specific implementation, to the specific implementation of the method 100 described above; this is not repeated here.
In the RAM credential rotation scenario of the embodiments of this application, as shown in FIG. 5, the user may use the first device 501 (e.g., a computer) to log in to a control interface of the second device 502 in the cloud (e.g., a server). That interface may be used for RAM credential hosting: the user operates on the interface to authorize credential hosting and sends an authorization request or information to the credential rotation program 207 on the cloud server, that is, executes step 201: authorize management of RAM credentials. After authorization, the user may log in from the computer to another control interface of the cloud server and create the RAM credentials to be hosted there, that is, execute step 202: create the RAM credentials to be hosted.
After the credential rotation program 207 on the cloud server receives the authorization request and the RAM credentials to be hosted, it can rotate the hosted RAM credentials through the resource access control service 208 in accordance with that authorization, that is, execute step 203: rotate the RAM credentials. During rotation, the credential rotation program 207 determines, from the specific length of the rotation period, such as 7 days, and the hosting start time, which hosted credentials have currently reached their rotation period. When the time window that triggers the creation of a new RAM credential arrives, it takes those hosted RAM credentials as the target credentials to be rotated and creates a new RAM credential "AK2" corresponding to the RAM credential "AK1" by calling the Open API interface of the resource access control service 208. When the time window that triggers credential replacement arrives, the credential rotation program 207 on the cloud server swaps "AK1" in the current version with "AK2" in the previous version, so that after replacement the current version holds "AK2" and the previous version holds "AK1".
When the time window that triggers deletion of the target credential to be rotated arrives, the credential rotation program 207 on the cloud server deletes the RAM credential "AK1" held in the previous version of the corresponding credential by calling the Open API interface of the resource access control service 208. At this point, "AK2" in the current version becomes the next target credential to be rotated.
The user may obtain the rotated RAM credential through an SDK or client installed on the computer, that is, execute step 503: obtain the rotated RAM credential. Thus, when the user next accesses the corresponding cloud service, the access is made with the rotated RAM credential.
In addition, the user may call an API interface from a computer to send a write request to the cloud server. The write request is a request to write the target credential to be rotated, and may modify a RAM credential already stored on the cloud server in order to update it. Another device may likewise send the write request through the API interface. When the global cache (Global Cache) of the credential rotation program or service on the cloud server receives the write request, it determines the corresponding RAM credential from the request and creates a corresponding shared lock on that RAM credential in the cache. After the shared lock is created, the value corresponding to that RAM credential may be deleted. The value corresponding to the RAM credential in the write request is then written into the database, and the shared lock is released. The user may also call an API interface from a computer to send a read request to the cloud server. The read request is a request to read a target credential, which may be a credential that has already been rotated or a credential to be rotated. Another device may likewise send the read request through the API interface. When the global cache (Global Cache) of the credential rotation program or service on the cloud server receives the read request, it determines whether the corresponding RAM credential in the cache has a shared lock.
If a shared lock exists, the value corresponding to the RAM credential indicated in the request is read from the database. If no shared lock exists, the value of the RAM credential indicated in the request may be read directly from the global cache. If no shared lock exists and the cache does not hold the value of the corresponding target RAM credential, the value of the target RAM credential may be loaded from the database into the cache and then read from the cache.
It should be noted that for content not described in detail here, reference is made to the embodiments described above; this is not repeated.
In the above embodiment, the first device 501 and the second device 502 are connected over a network. If the first device 501 and the second device 502 are connected by a communication connection, the network standard of the mobile network may be any of 2G (GSM), 2.5G (GPRS), 3G (WCDMA, TD-SCDMA, CDMA2000, UMTS), 4G (LTE), 4G+ (LTE+), WiMax, 5G, etc.
FIG. 6 is a schematic structural diagram of a credential rotation apparatus provided by an exemplary embodiment of this application. The apparatus 600 may be applied to a cloud server. The apparatus 600 includes a creation module 601, a replacement module 602 and a deletion module 603; the functions of each module are described in detail below:
The creation module 601 is configured to obtain the target credential to be rotated and create a replacement credential corresponding to the target credential to be rotated.
The target credential to be rotated is stored in the acquisition area.
The replacement module 602 is configured to replace the target credential to be rotated in the acquisition area with the replacement credential, so that it can be acquired.
The deletion module 603 is configured to delete the target credential to be rotated and use the replacement credential in the acquisition area as the next target credential to be rotated.
In addition, the apparatus 600 further includes a determination module, configured to determine, after the target credential to be rotated is obtained, the operation action corresponding to it according to the current time; the operation actions include creating the replacement credential, replacing the target credential to be rotated with the replacement credential, and deleting the target credential to be rotated.
Specifically, the creation module 601 is specifically configured to query the credentials to be rotated and, according to the credential type, obtain the target credential to be rotated of the corresponding type.
In addition, the apparatus 600 further includes a storing module, configured to store the created replacement credential in the previous version of the credential corresponding to the credential rotation program, store the target credential to be rotated in the current version of the credential corresponding to the credential rotation program, and use that current version as the acquisition area.
In addition, the replacement module 602 is configured to replace the target credential to be rotated, stored in the current version of the credential corresponding to the credential rotation program, with the replacement credential, and to store the target credential to be rotated in the previous version of the credential corresponding to the credential rotation program.
Specifically, the deletion module 603 is configured to delete the target credential to be rotated that is stored in the previous version of the credential corresponding to the credential rotation program.
In addition, the creation module 601 is further configured to receive a write request for the target credential to be rotated and create a shared lock on the target credential to be rotated in the cache according to the write request. The apparatus 600 further includes a writing module, configured to clear the target credential to be rotated from the cache and write data for it in the corresponding database, so that it is updated; and a release module, configured to release the shared lock in the cache after the data has been written in the corresponding database, so that the updated target credential to be rotated can be loaded.
此外,确定模块,还用于:接收目标凭据的读请求,根据读请求确定针对缓存中目标凭据是否存在共享锁;该装置600还包括,获取模块,用于如果具有共享锁,则从对应的数据库中获取对应的目标凭据。In addition, the determining module is also configured to: receive a read request of the target credential, and determine whether there is a shared lock for the target credential in the cache according to the read request; the apparatus 600 also includes an acquiring module, configured to obtain the corresponding Get the corresponding target credentials from the database.
此外,获取模块,还用于如果不存在共享锁,从缓存中获取目标凭据。In addition, the acquisition module is also used to obtain the target credentials from the cache if there is no shared lock.
此外,该装置600还包括:加载模块,用于如果缓存中不具有所述目标凭据,则从对应的数据库中进行加载目标凭据,并从缓存中获取目标凭据。In addition, the apparatus 600 further includes: a loading module, configured to load the target credential from the corresponding database if the cache does not have the target credential, and acquire the target credential from the cache.
上述具体的实施方式请参考前文所述的具体实施方式,此处就不再赘述。For the specific implementation manners above, please refer to the specific implementation manners described above, and details will not be repeated here.
The internal functions and structure of the apparatus 600 shown in Fig. 6 have been described above. In one possible design, the structure of the apparatus 600 shown in Fig. 6 can be implemented as a computing device, such as a cloud server. As shown in Fig. 7, the device 700 may comprise: a memory 701 and a processor 702;
the memory 701 is configured to store a computer program;
the processor 702 is configured to execute the computer program in order to: acquire a target credential to be rotated and create a replacement credential corresponding to the target credential to be rotated, the target credential to be rotated being stored in an acquisition area; replace the target credential to be rotated in the acquisition area with the replacement credential, so that the replacement credential can be acquired; and delete the target credential to be rotated and treat the replacement credential in the acquisition area as the target credential to be rotated in the next rotation.
In addition, the processor 702 is further configured to: after the target credential to be rotated has been acquired, determine according to the current time the operation action corresponding to the target credential to be rotated. The operation actions include an operation action of creating the replacement credential, an operation action of replacing the target credential to be rotated with the replacement credential, and an operation action of deleting the target credential to be rotated.
Specifically, the processor 702 is configured to: query the credentials to be rotated and, according to the credential type, acquire the target credential to be rotated of the corresponding type.
In addition, the processor 702 is further configured to: store the created replacement credential in the previous version of the credential corresponding to the credential rotation program, store the target credential to be rotated in the current version of the credential corresponding to the credential rotation program, and use the current version of the credential corresponding to the credential rotation program as the acquisition area.
In addition, the processor 702 is further configured to: replace the target credential to be rotated, which is stored in the current version of the credential corresponding to the credential rotation program, with the replacement credential, and store the target credential to be rotated in the previous version of the credential corresponding to the credential rotation program.
Specifically, the processor 702 is configured to: delete the target credential to be rotated that is stored in the previous version of the credential corresponding to the credential rotation program.
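The three rotation steps above (create the replacement, swap it into the current version while the old credential moves to the previous version, delete the old credential from the previous version) and the time-based choice of which step is due next, as an added worked example. This is not the patent's code nor any product's implementation: the credential types, the rotation interval, the grace period during which the old credential in the previous version is still accepted, and the scheduler tick times are all assumptions made for the demonstration.

```python
# Added example (not the patent's or any product's code): the three-step rotation
# with a "current" and a "previous" version slot, and the time-driven choice of
# which step to run next. Credential types, intervals and names are assumptions.
import secrets
import string
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    NONE = "none"
    CREATE = "create"    # create the replacement credential
    REPLACE = "replace"  # promote it to the current version, demote the old one to previous
    DELETE = "delete"    # delete the old credential from the previous version


class Phase(Enum):
    ACTIVE = "active"      # current holds the live credential, previous is empty
    CREATED = "created"    # previous holds the freshly created replacement
    REPLACED = "replaced"  # current holds the replacement, previous holds the old credential


def create_replacement(credential_type: str) -> str:
    """Generate a replacement credential of the requested type (types are assumed)."""
    if credential_type == "password":
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(32))
    if credential_type == "api_key":
        return "ak-" + secrets.token_hex(24)
    raise ValueError(f"unsupported credential type: {credential_type}")


@dataclass
class RotatingCredential:
    name: str
    credential_type: str
    current: str                    # the acquisition area that clients fetch from
    previous: Optional[str] = None  # staging slot for the replacement, then the retired credential
    phase: Phase = Phase.ACTIVE
    rotation_interval: int = 86400  # seconds between rotations (assumed)
    grace_period: int = 600         # seconds the old credential stays valid after REPLACE (assumed)
    last_rotated: int = 0
    replaced_at: int = 0

    def decide_action(self, now: int) -> Action:
        """Determine the operation action for this credential from the current time."""
        if self.phase is Phase.ACTIVE and now - self.last_rotated >= self.rotation_interval:
            return Action.CREATE
        if self.phase is Phase.CREATED:
            return Action.REPLACE
        if self.phase is Phase.REPLACED and now - self.replaced_at >= self.grace_period:
            return Action.DELETE
        return Action.NONE

    def rotate_once(self, now: int) -> Action:
        """Run one scheduler tick: perform whichever step is due and report it."""
        action = self.decide_action(now)
        if action is Action.CREATE:
            self.previous = create_replacement(self.credential_type)
            self.phase = Phase.CREATED
        elif action is Action.REPLACE:
            self.current, self.previous = self.previous, self.current
            self.replaced_at = now
            self.phase = Phase.REPLACED
        elif action is Action.DELETE:
            self.previous = None
            self.last_rotated = now
            self.phase = Phase.ACTIVE
        return action

    def accepts(self, presented: str) -> bool:
        """Constant-time check: the current credential always, the old one only until DELETE."""
        if secrets.compare_digest(presented, self.current):
            return True
        return (self.phase is Phase.REPLACED
                and self.previous is not None
                and secrets.compare_digest(presented, self.previous))


def demo() -> dict:
    """Drive one full cycle on constructed input and record what each tick did."""
    cred = RotatingCredential(name="db/app", credential_type="password",
                              current="OldPassword-constructed",
                              rotation_interval=3600, grace_period=300)
    old = cred.current
    record = {"steps": [], "old_valid_during_grace": None}
    for now in (0, 3600, 3601, 3700, 3901):
        action = cred.rotate_once(now)
        record["steps"].append(action.value)
        if action is Action.REPLACE:
            record["old_valid_during_grace"] = cred.accepts(old)
    record["old_valid_after_delete"] = cred.accepts(old)
    record["new_valid"] = cred.accepts(cred.current)
    record["previous_cleared"] = cred.previous is None
    return record


if __name__ == "__main__":
    print(demo())
```

The point of keeping the old credential in the previous version between the replace and delete steps is that clients which fetched the acquisition area before the swap keep working until they refresh; the grace period bounds how long that window is, and the delete step is what finally revokes the old credential. A replacement that has been created but not yet swapped in is deliberately not accepted by `accepts`, so a leaked staging value is useless before promotion.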
In addition, the processor 702 is further configured to: receive a write request for the target credential to be rotated and, according to the write request, create a shared lock for the target credential to be rotated in the cache; clear the target credential to be rotated from the cache and write data for the target credential to be rotated in the corresponding database, so that the target credential to be rotated is updated; and, after the data has been written in the corresponding database, release the shared lock in the cache, pending the loading of the updated target credential to be rotated.
In addition, the processor 702 is further configured to: receive a read request for a target credential, determine according to the read request whether a shared lock exists for the target credential in the cache, and, if a shared lock exists, acquire the corresponding target credential from the corresponding database.
In addition, the processor 702 is further configured to: if no shared lock exists, acquire the target credential from the cache.
In addition, the processor 702 is further configured to: if the cache does not contain the target credential, load the target credential from the corresponding database and then acquire the target credential from the cache.
For the specific implementation, refer to the specific implementations described above; details are not repeated here.
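The cache path for write and read requests described above (take the shared lock for the credential, clear its cache entry, write the database, release the lock; on read, go to the database while the lock is held, otherwise serve from the cache, otherwise load from the database into the cache), as an added example that is not part of the patent or of any product. The `Database` stand-in, the credential names and the gate used to hold a write open long enough to observe a concurrent read are constructed for the demonstration.

```python
# Added example (not the patent's or any product's code): the cache path for
# credential writes and reads, using a per-credential lock marker so that a read
# issued while a write is in flight goes to the database and cannot put a stale
# value back into the cache. The Database stand-in, names and gate are constructed.
import threading
import time
from typing import Dict, Iterable, Optional, Tuple


class Database:
    """Constructed stand-in for the credential database; put() can be held open."""

    def __init__(self, rows: Iterable[Tuple[str, str]]):
        self.rows: Dict[str, str] = dict(rows)
        self.gate: Optional[threading.Event] = None  # when set, put() blocks until released

    def get(self, name: str) -> Optional[str]:
        return self.rows.get(name)

    def put(self, name: str, value: str) -> None:
        if self.gate is not None:
            self.gate.wait()  # simulates a slow write so a concurrent read can be observed
        self.rows[name] = value


class CredentialStore:
    def __init__(self, db: Database):
        self.db = db
        self.cache: Dict[str, str] = {}
        self.locked: set = set()        # credentials with a write in progress (the "shared lock")
        self.db_reads = 0
        self.cache_reads = 0
        self._mu = threading.Lock()     # protects cache and locked

    def write(self, name: str, value: str) -> None:
        """Write request: lock, clear the cache entry, write the database, release."""
        with self._mu:
            self.locked.add(name)
            self.cache.pop(name, None)
        self.db.put(name, value)         # readers arriving now see the lock and go to the database
        with self._mu:
            self.locked.discard(name)    # the next read misses the cache and loads the updated value

    def read(self, name: str) -> Optional[str]:
        """Read request: database while locked, otherwise cache, otherwise load into cache."""
        with self._mu:
            if name in self.locked:
                self.db_reads += 1
                return self.db.get(name)   # bypass, and do not repopulate, the cache
            if name in self.cache:
                self.cache_reads += 1
                return self.cache[name]
            self.db_reads += 1
            value = self.db.get(name)
            if value is not None:
                self.cache[name] = value
            return value


def demo() -> dict:
    """Interleave a read with an in-flight write and record which path served it."""
    db = Database([("db/app", "old-secret")])  # constructed credential row
    store = CredentialStore(db)
    assert store.read("db/app") == "old-secret"   # warm the cache
    db.gate = threading.Event()
    writer = threading.Thread(target=store.write, args=("db/app", "new-secret"))
    writer.start()
    while "db/app" not in store.locked:           # wait until the writer holds the lock
        time.sleep(0.001)
    during = store.read("db/app")
    cached_during = "db/app" in store.cache
    db.gate.set()                                  # let the database write complete
    writer.join()
    after = store.read("db/app")
    return {
        "during": during, "cached_during": cached_during,
        "after": after, "cached_after": store.cache.get("db/app"),
        "db_reads": store.db_reads, "cache_reads": store.cache_reads,
    }


if __name__ == "__main__":
    print(demo())
```

The "shared lock" here is a marker that readers consult, not a reader/writer lock: its job is to stop a read that races the write from reloading the pre-write value into the cache after the writer has cleared it. In this single-process example the whole read runs under one mutex, so the lock check and the cache load are atomic with respect to the writer's lock-and-clear. When the cache is a separate service, as in a cloud deployment, those are separate round trips and a reader that checked the lock before the writer took it can still install the old value afterwards; a version number on the cached entry (compare-and-set on load) or a short TTL is the usual way to bound that window.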
In addition, an embodiment of the present invention provides a computer storage medium. When the computer program stored on it is executed by one or more processors, the one or more processors are caused to implement the steps of the credential rotation method in the method embodiments of Figs. 1 to 4.
In addition, some of the flows described in the above embodiments and accompanying drawings contain multiple operations that appear in a specific order, but it should be clearly understood that these operations may be executed out of the order in which they appear herein, or in parallel. The sequence numbers of the operations, such as 101, 102, 103 and so on, are merely used to distinguish the different operations, and the numbers themselves do not represent any execution order. In addition, these flows may include more or fewer operations, and these operations may be executed sequentially or in parallel. It should be noted that the terms "first", "second" and the like herein are used to distinguish different messages, devices, modules and so on; they do not represent a sequence, nor do they limit "first" and "second" to different types.
The apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Through the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by a combination of hardware and software. Based on this understanding, the above technical solution in essence, or the part of it that contributes to the prior art, may be embodied in the form of a computer product, and the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable multimedia data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable multimedia data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable multimedia data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable multimedia data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in a computer-readable medium, in the form of random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media exclude transitory media such as modulated data signals and carrier waves.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (12)

  1. A credential rotation method, characterized by comprising:
    acquiring a target credential to be rotated and creating a replacement credential corresponding to the target credential to be rotated, the target credential to be rotated being stored in an acquisition area;
    replacing the target credential to be rotated in the acquisition area with the replacement credential, so that it can be acquired;
    deleting the target credential to be rotated, and treating the replacement data in the acquisition area as the target credential to be rotated in the next rotation.
  2. The method according to claim 1, characterized in that the method further comprises:
    after acquiring the target credential to be rotated, determining, according to the current time, the operation action corresponding to the target credential to be rotated;
    the operation actions comprising an operation action of creating the replacement credential, an operation action of replacing the target credential to be rotated with the replacement credential, and an operation action of deleting the target credential to be rotated.
  3. The method according to claim 1, characterized in that acquiring the target credential to be rotated comprises:
    querying the credentials to be rotated and, according to the credential type, acquiring the target credential to be rotated of the corresponding type.
  4. The method according to claim 1, characterized in that the method further comprises:
    storing the created replacement credential in a previous version of the credential corresponding to a credential rotation program, storing the target credential to be rotated in a current version of the credential corresponding to the credential rotation program, and using the current version of the credential corresponding to the credential rotation program as the acquisition area.
  5. The method according to claim 1, characterized in that replacing the target credential to be rotated in the acquisition area with the replacement credential comprises:
    replacing the target credential to be rotated, stored in the current version of the credential corresponding to the credential rotation program, with the replacement data, and storing the target credential to be rotated in the previous version of the credential corresponding to the credential rotation program.
  6. The method according to claim 5, characterized in that deleting the target credential to be rotated comprises:
    deleting the target credential to be rotated stored in the previous version of the credential corresponding to the credential rotation program.
  7. The method according to claim 1, characterized in that the method further comprises:
    receiving a write request for the target credential to be rotated, and creating, according to the write request, a shared lock for the target credential to be rotated in a cache;
    clearing the target credential to be rotated from the cache, and writing data for the target credential to be rotated in the corresponding database, so that the target credential to be rotated is updated;
    after the data has been written in the corresponding database, releasing the shared lock in the cache, pending the loading of the updated target credential to be rotated.
  8. The method according to claim 7, characterized in that the method further comprises:
    receiving a read request for a target credential, and determining, according to the read request, whether a shared lock exists for the target credential in the cache;
    if a shared lock exists, acquiring the corresponding target credential from the corresponding database.
  9. The method according to claim 8, characterized in that the method further comprises:
    if no shared lock exists, acquiring the target credential from the cache.
  10. The method according to claim 9, characterized in that the method further comprises:
    if the cache does not contain the target credential, loading the target credential from the corresponding database, and acquiring the target credential from the cache.
  11. A computing device, comprising: a memory and a processor;
    the memory being configured to store a computer program;
    the processor executing the computer program in order to:
    acquire a target credential to be rotated and create a replacement credential corresponding to the target credential to be rotated, the target credential to be rotated being stored in an acquisition area;
    replace the target credential to be rotated in the acquisition area with the replacement credential, so that it can be acquired;
    delete the target credential to be rotated, and treat the replacement data in the acquisition area as the target credential to be rotated in the next rotation.
  12. A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by one or more processors, the one or more processors are caused to implement the steps of the method according to any one of claims 1 to 10.
PCT/CN2022/110879 2021-08-12 2022-08-08 Credential rotation method, computing device, and storage medium WO2023016414A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110923482.8A CN113382024B (en) 2021-08-12 2021-08-12 Rotation method of credential, computing device and storage medium
CN202110923482.8 2021-08-12

Publications (1)

Publication Number Publication Date
WO2023016414A1 true WO2023016414A1 (en) 2023-02-16

Family

ID=77576965

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/110879 WO2023016414A1 (en) 2021-08-12 2022-08-08 Credential rotation method, computing device, and storage medium

Country Status (2)

Country Link
CN (1) CN113382024B (en)
WO (1) WO2023016414A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113382024B (en) * 2021-08-12 2021-12-21 阿里云计算有限公司 Rotation method of credential, computing device and storage medium
CN116015854B (en) * 2022-12-26 2024-05-17 支付宝(杭州)信息技术有限公司 Emergency treatment method and device for evidence leakage

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160357955A1 (en) * 2014-10-27 2016-12-08 Amazon Technologies, Inc. Automatic rotation and storage of security credentials
CN106657068A (en) * 2016-12-23 2017-05-10 腾讯科技(深圳)有限公司 Login authorization method and device, login method and device
US20180145966A1 (en) * 2016-04-25 2018-05-24 International Business Machines Corporation Protection of application passwords using a secure proxy
CN111835513A (en) * 2020-07-17 2020-10-27 支付宝(杭州)信息技术有限公司 Method, device and equipment for updating certificate data
CN113382024A (en) * 2021-08-12 2021-09-10 阿里云计算有限公司 Rotation method of credential, computing device and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8875256B2 (en) * 2012-11-13 2014-10-28 Advanced Micro Devices, Inc. Data flow processing in a network environment
US10567381B1 (en) * 2015-12-17 2020-02-18 Amazon Technologies, Inc. Refresh token for credential renewal
US10397207B1 (en) * 2017-07-17 2019-08-27 Amazon Technologies, Inc. Automatic credential rotation
CN109033774B (en) * 2018-08-31 2020-08-07 阿里巴巴集团控股有限公司 Method and device for acquiring and feeding back user resources and electronic equipment

Also Published As

Publication number Publication date
CN113382024B (en) 2021-12-21
CN113382024A (en) 2021-09-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22855395

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE