CN118300900A - Multi-cluster multi-user oriented cloud platform management system and authentication method - Google Patents
Multi-cluster multi-user oriented cloud platform management system and authentication method Download PDFInfo
- Publication number
- CN118300900A CN118300900A CN202410720712.4A CN202410720712A CN118300900A CN 118300900 A CN118300900 A CN 118300900A CN 202410720712 A CN202410720712 A CN 202410720712A CN 118300900 A CN118300900 A CN 118300900A
- Authority
- CN
- China
- Prior art keywords
- authentication
- service
- rbac
- cloud platform
- abac
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 44
- 230000004927 fusion Effects 0.000 claims description 9
- 238000007726 management method Methods 0.000 description 9
- 238000004590 computer program Methods 0.000 description 3
- 230000001360 synchronised effect Effects 0.000 description 3
- 238000013475 authorization Methods 0.000 description 2
- 238000012217 deletion Methods 0.000 description 2
- 230000037430 deletion Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 230000005856 abnormality Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 239000002071 nanotube Substances 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Telephonic Communication Services (AREA)
Abstract
本说明书实施例公开了一种面向多集群多用户的云平台管理系统、鉴权方法。本说明书实施例的系统包括至少一个云平台,每个云平台可部署不同类型的集群;每个云平台配置有IAM服务,IAM服务具有面向用户访问的API接口;IAM服务包括用于支持RBAC鉴权的Keystone组件和用于支持ABAC鉴权的Casbin组件;Casbin组件融合进Keystone组件,使得每个云平台对接收到的API访问请求,先进行RBAC鉴权,若鉴权成功,鉴权结束并返回访问结果给用户;若鉴权失败,再进行ABAC鉴权。本说明书实施例的方法由系统中的任意一个云平台执行,依次进行RBAC鉴权和ABAC鉴权。
The embodiments of this specification disclose a cloud platform management system and authentication method for multiple clusters and multiple users. The system of the embodiments of this specification includes at least one cloud platform, and each cloud platform can deploy different types of clusters; each cloud platform is configured with an IAM service, and the IAM service has an API interface for user access; the IAM service includes a Keystone component for supporting RBAC authentication and a Casbin component for supporting ABAC authentication; the Casbin component is integrated into the Keystone component, so that each cloud platform first performs RBAC authentication on the received API access request. If the authentication is successful, the authentication ends and returns the access result to the user; if the authentication fails, ABAC authentication is performed. The method of the embodiments of this specification is executed by any cloud platform in the system, and RBAC authentication and ABAC authentication are performed in sequence.
Description
Technical Field
One or more embodiments of the present disclosure relate to the field of data processing technologies, and in particular, to a cloud platform management system and an authentication method for multiple clusters and multiple users.
Background
There are various types of existing IaaS (Infrastructure AS A SERVICE as a service) cloud platforms, including OpenStack cloud platform, kubernetes (K8S), and the like. Different types of cloud platforms have different authentication systems, for example, the OpenStack cloud platform only supports role-based access control RBAC authentication for multiple tenants on a single OpenStack cluster; as another example, kubernetes supports multi-tenant based role-based access control RBAC authentication or attribute-based access control ABAC authentication, and both authentications may not be used simultaneously. In practical applications, there are often multiple authentication requirements, and for this purpose, a technical solution for satisfying the multiple authentication requirements is needed.
Disclosure of Invention
One or more embodiments of the present disclosure describe a cloud platform management system and an authentication method for multiple clusters and multiple users, which can meet the authority control requirements of different services and services, can perform role-based access control RBAC authentication on simple services or services, and can use role-based access control RBAC and attribute-based access control ABAC authentication on complex services or services.
In a first aspect, embodiments of the present disclosure provide a multi-cluster multi-user oriented cloud platform management system, including at least one cloud platform, where each cloud platform may deploy different types of clusters; each cloud platform is configured with an IAM service, and the IAM service is provided with an API interface facing user access; the IAM service includes a Keystone component for supporting role-based access control RBAC authentication and a Casbin component for supporting attribute-based access control ABAC authentication; the Casbin component is integrated into the Keystone component, so that each cloud platform firstly carries out role-based access control RBAC authentication on the received API access request, and if the role-based access control RBAC authentication is successful, the authentication is finished and an access result is returned to the user; and if the role-based access control RBAC authentication fails, performing attribute-based access control ABAC authentication.
In some embodiments, the IAM service of each cloud platform is further configured with a synchronization service; when there are two or more cloud platforms, the IAM service of a certain cloud platform serves as a master service that synchronizes information data to the IAM service of other cloud platforms serving as slave services.
In some embodiments, when the IAM service of a certain cloud platform is used as a master service, the master service synchronizes information data to the IAM service of other cloud platforms as slave services, including:
when an IAM service of a certain cloud platform receives an API access request, the IAM service of the cloud platform serves as a master service, changes, caused by the API access request, on information data are synchronously distributed to IAM services of other cloud platforms serving as slave services.
In some embodiments, when the IAM service of a certain cloud platform is used as a master service, the master service synchronizes information data to the IAM service of other cloud platforms as slave services, and the method further includes:
when the slave service does not receive the API access request during the process of distributing the API access request to the slave service by the master service, the slave service periodically acquires information data of the master service and performs information data synchronization.
In some embodiments, the cloud platform may deploy any one type of OpenStack cluster, kubernetes cluster, cluster integrated with OpenStack and Kubernetes, openStack cluster deployed with Kubernetes.
In some embodiments, the IAM service has a user access oriented API interface that is a RESTful API interface.
In a second aspect, embodiments of the present disclosure provide an authentication method, where the method is performed on any one of the cloud platforms in the system described in the first aspect; the method comprises the following steps:
receiving an API access request sent by a user;
Performing role-based access control RBAC authentication on the API access request by using a Keystone component of the fusion Casbin component; when the role-based access control RBAC authentication is successful, returning an access result to the user; and when the access control RBAC authentication based on the role fails, performing attribute-based access control ABAC authentication on the API access request by utilizing a Keystone component of the fusion Casbin component, and when the attribute-based access control ABAC authentication is successful, returning an access result to the user, otherwise, returning authentication failure to the user.
In some embodiments, the role-based access control RBAC authentication of API access requests using the Keystone component of the converged Casbin component includes:
analyzing the API access request to obtain token data and operation information of the user; wherein the operation information comprises an operation type and request information;
Based on the operation type of the operation information, obtaining RBAC authentication rules corresponding to the operation type from an RBAC authentication rule table; the RBAC authentication rule table stores a plurality of RBAC authentication rules, and each RBAC authentication rule comprises an operation role and an operation type;
analyzing the token data of the user to obtain user information, role information and project information;
matching the role information of the user with the operation roles in the RBAC authentication rules, if so, controlling RBAC authentication based on the access of the roles, otherwise, failing authentication.
In some embodiments, the performing attribute-based access control ABAC authentication on the API access request using the Keystone component of the fusion Casbin component includes:
Based on the operation type of the operation information, obtaining an ABAC authentication rule corresponding to the operation type from an ABAC authentication rule table; the ABAC authentication rule table stores a plurality of ABAC authentication rules, and each ABAC authentication rule comprises an operation type and an operation object; the request information and the operation object comprise service names, access area IDs and access resource information;
And matching the request information of the operation information with the operation object in the obtained ABAC authentication rule, if so, successfully authenticating the access control ABAC based on the attribute, returning an access result to the user, and otherwise, returning authentication failure to the user.
In some embodiments, the method further comprises: before receiving an API request for authentication, each cloud platform configures an RBAC authentication rule table and an ABAC authentication rule table; the RBAC authentication rule table is configured in a file form, and the ABAC authentication rule table is configured in a database form.
The technical scheme provided by some embodiments of the present specification has the following beneficial effects:
In one or more embodiments of the present disclosure, a system of an embodiment of the present disclosure includes at least one cloud platform capable of deploying different types of clusters, and by deploying an IAM service of a Keystone component fused with Casbin components in the cloud platform, role-based access control RBAC authentication and attribute-based access control ABAC authentication can be simultaneously implemented, so that not only role-based access control RBAC authentication in a simple service or service scenario, but also role-based access control RBAC authentication and attribute-based access control ABAC authentication in a complex service or service scenario can be satisfied; furthermore, the IAM service is also configured with synchronization capability, so that the IAM service provides unified authentication and authorization services of multiple clusters in the cloud platform.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present description, the drawings that are required in the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present description, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an example system block diagram of a cloud platform management system for multiple clusters and multiple users provided in an embodiment of the present disclosure;
Fig. 2 is a flowchart of an authentication method according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification.
The terms first, second, third and the like in the description and in the claims and in the above drawings are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
The existing OpenStack cloud platform (mainstream open source virtualized dispatch cloud platform) only supports multi-user role-based access control RBAC authentication for a single OpenStack cluster. The Kubernetes cloud platform (mainstream open source container cloud scheduling platform) supports multi-user based role-based access control RBAC or attribute-based access control ABAC authentication, but cannot support both at the same time, and cannot share the same authentication service for multiple heterogeneous cloud platforms. In an actual production environment, we often need to perform unified authentication management on multiple self-built IaaS (Infrastructure AS A SERVICE as a service) clouds, container clouds, and other public/private cloud platforms of a nanotube, and in the management and operation processes, role-based access control RBAC authentication and role-based access control ABAC authentication need to be simultaneously utilized.
Role-based access control RBAC authentication is a common method of rights control that primarily focuses on the roles of users in an organization or system, and the rights possessed by those roles. The method is suitable for a scene with definite organization structure and relatively fixed roles and responsibilities. For example, in an in-enterprise system, employees may be assigned different roles, each role having particular rights, to access or operate particular resources, depending on their job or department.
Access control ABAC authentication based on rights is a more flexible and fine-grained rights control method. It decides the access control policy based on attributes of the user, the resource, the environment, etc. The method is suitable for scenes in which a large number of users and resources need to be processed and the permission needs are complex and changeable. For example, in a cloud computing environment, users and resources may have a variety of attributes, such as geographic location, time, device type, etc., from which access control policies may be dynamically formulated and enforced by rights-based access control ABAC authentication.
Thus, different businesses and services need to select the proper authentication mode according to the characteristics and requirements. For example, some simple businesses or services may only require the use of role-based access control RBAC authentication, while some complex businesses or services may require the use of a combination of role-based access control RBAC authentication and attribute-based access control ABAC authentication to meet their more complex and sophisticated rights control requirements.
Therefore, the embodiment of the specification provides a cloud platform management system for multiple clusters and multiple users, and each cloud platform in the system has the capabilities of role-based access control RBAC authentication and attribute-based access control ABAC authentication so as to support the authentication requirements of complex cloud platforms.
The system of the embodiment of the specification comprises at least one cloud platform, and each cloud platform can be deployed with different types of clusters, such as an OpenStack cluster, a Kubernetes cluster, a cluster integrated with OpenStack and Kubernetes, an OpenStack cluster deployed with Kubernetes, and the like.
When there is one cloud platform, the cloud platform may deploy one or two or more identical clusters, or may deploy one or two or more different types of clusters.
When there are two or more cloud platforms, each cloud platform may deploy one or two or more identical clusters, or may deploy one or two or more different types of clusters.
Taking fig. 1 as an example, in fig. 1, there are four cloud platforms located in the areas-1, -2, -3, and-4, respectively. The cloud platform at the area-1 and the cloud platform at the area-2 are respectively provided with a cluster, namely an OpenStack-1 cluster and an OpenStack-2 cluster. The cloud platform at region-3 and the cloud platform at region-4 are each deployed with two clusters, kubeClipper and Kubernetes-3, kubeClipper and Kubernetes-4, respectively. The KubeClipper cluster is a cluster of an open source Kubernetes cloud platform facing the AI application.
Each cloud platform is configured with IAM (IDENTITY AND ACCESS MANAGEMENT ) services.
The IAM service includes a Keystone component and a Casbin component. The Keystone component is used for providing unified verification, and can provide perfect role-based access control RBAC authentication service. The Casbin component is an authorization library that supports access control models, such as attribute-based access control ABAC, and Casbin component can support attribute-based access control ABAC authentication services.
The Casbin component merges into the Keystone component. Specifically, casbin Python development suite is introduced, so that the two are fused, and the fused IAM service can simultaneously support role-based access control RBAC authentication and attribute-based access control ABAC authentication. That is, the IAM service of the Keystone component, the native support role-based access control RBAC authentication, adds Casbin attribute-based access control ABAC authentication of the component on the basis of honoring the role-based access control RBAC authentication.
Taking fig. 1 as an example, there is a respective Keystone (IAM) component in each region that provides authentication of role-based access control RBAC and attribute-based access control ABAC for services within its cluster.
The IAM service has an API interface for user access. The API interface is an application programming interface, which is a set of rules and protocols that define how the different software components communicate and interact with each other. The API interface may be a RESTful API interface that uses standard HTTP request methods (e.g., GET, POST, PUT, DELETE) to access and manipulate resources, typically using JSON or XML formats to transfer data.
The IAM service of each cloud platform is also configured with a synchronous service; when there are two or more cloud platforms, the IAM service of a certain cloud platform serves as a master service that synchronizes information data to the IAM service of other cloud platforms serving as slave services.
Taking fig. 1 as an example, in fig. 1, there are four cloud platforms, and the IAM service of the cloud platform at the area-1 is an IAM master service, and the IAM service of the cloud platform at the areas-2, -3 and-4 is an IAM slave service. The IAM master service at the area-1 synchronizes information data to the IAM slave service at the area-2, the area-3, and the area-4 using the IAM synchronization service.
Specifically, when the IAM service of a certain cloud platform is used as a master service, the master service synchronizes information data to the IAM service of other cloud platforms serving as slave services, and the method comprises the following steps:
when an IAM service of a certain cloud platform receives an API access request, the IAM service of the cloud platform serves as a master service, changes, caused by the API access request, on information data are synchronously distributed to IAM services of other cloud platforms serving as slave services.
When the master service receives an API access request to perform creation, update or deletion operation, the synchronous service distributes the request to the slave service at the same time and performs corresponding operation. This maintains data consistency between the master and slave services.
In addition, when the IAM service of a certain cloud platform is used as a master service, the master service synchronizes information data to the IAM service of other cloud platforms serving as slave services, and the method further comprises the following steps:
when the slave service does not receive the API access request during the process of distributing the API access request to the slave service by the master service, the slave service periodically acquires information data of the master service and performs information data synchronization.
Assuming that during this process, the slave service has unexpectedly not received an API access request (e.g., network disruption, service abnormality, and service unavailability), the slave service periodically acquires information data from the master service for synchronization. For example, synchronization is performed in a delta manner. The slave service periodically acquires information data from the master service, compares the information data with the information data of the current slave service, acquires the information data which the current slave service does not have, and then performs corresponding data update. In addition, even if the cloud platform corresponding to the slave service is disconnected from the master service network, the slave service can ensure that the authentication service is normal under the synchronous service.
The system of the embodiment of the specification further comprises a service gateway, wherein the service gateway is used for acquiring the operation requirement of the user, converting the operation requirement of the user into an API access request through an API interface and sending the API access request to a certain cloud platform.
The cloud platform firstly authenticates the received API access request based on the role access control RBAC, and if the role access control RBAC authentication is successful, the authentication is finished and an access result is returned to the user; and if the role-based access control RBAC authentication fails, performing attribute-based access control ABAC authentication.
As shown in fig. 2, the embodiment of the present disclosure further provides an authentication method, which is performed by any one of the cloud platforms in the above system. The method comprises the following steps:
Step 102, receiving an API access request sent by a user;
104, performing role-based access control RBAC authentication on the API access request by using a Keystone component of the converged Casbin component; when the role-based access control RBAC authentication is successful, returning an access result to the user; and when the access control RBAC authentication based on the role fails, performing attribute-based access control ABAC authentication on the API access request by utilizing a Keystone component of the fusion Casbin component, and when the attribute-based access control ABAC authentication is successful, returning an access result to the user, otherwise, returning authentication failure to the user.
The method of the embodiment of the specification can only perform role-based access control RBAC authentication on the API access request by using the Keystone component fused with Casbin components, or can re-use attribute-based access control ABAC authentication after the role-based access control RBAC authentication fails. This allows different authentication requirements to be met.
Next, each step will be described in detail.
In step 102, the API access request includes token data and operation information for the user.
Before the cloud platform is put into use, each cloud platform is default provided with a plurality of roles, for example, a total manager admin, a system manager system_admin, a system reader system_reader, a project manager project_admin, a project member project_member, a project reader project_reader, and the like, and a new role can be defined. The platform manager can bind roles for different users (including principal users and tenants) of the cloud platform, so that the cloud platform has different roles under different users.
After the user logs in, token data (namely token data) of the corresponding user is returned, wherein the token data comprises user information, role information, project information and the like.
The operation information includes an operation type and request information. The operation types may include operations of deleting, querying, creating, updating, etc. of different service contents. For example, the operation type may be identified as "identity: delete_user" for performing a delete operation of the authentication service. The request information includes a service name, an access area ID, and access resource information. The request information can determine what service access is performed on what resources on which cloud platform.
In step 104, role-based access control RBAC authentication and attribute-based access control ABAC authentication are performed sequentially. After successful authentication with role-based access control RBAC, attribute-based access control ABAC authentication is no longer required. When authentication fails with role-based access control RBAC, attribute-based access control ABAC authentication is required.
The role-based access control RBAC authentication for the API access request using the Keystone component of the converged Casbin component includes:
step A11, analyzing the API access request to obtain token data and operation information of a user;
step A13, based on the operation type of the operation information, obtaining RBAC authentication rules corresponding to the operation type from an RBAC authentication rule table;
The RBAC authentication rule table stores a plurality of RBAC authentication rules, and each RBAC authentication rule comprises an operation role and an operation type. For example, the rule "identity: delete_user" is "role: admin". "identity: delete_user" is the operation type, and "role: admin" is the operation role.
Step A15, analyzing the token data of the user to obtain user information, role information and project information;
And step A17, matching the role information of the user with the operation roles in the RBAC authentication rules, if so, controlling RBAC authentication based on the access of the roles, otherwise, failing authentication.
Taking the deletion operation of the authentication service as an example, the operation type of "identity: delete_user" is first used to match a certain RBAC authentication rule in the RBAC authentication rule table. Then, compare role is admin to decide whether to allow execution of the subsequent logic of this API.
In the matching process, when one rule in the RBAC authentication rule table can be matched, the other rules in the RBAC authentication rule table are not required to be matched. For example, the operation type "identity: delete_user" is first used to match a plurality of RBAC authentication rules in the RBAC authentication rule table, each RBAC authentication rule corresponding to a different role. After the operation type and the operation role of one RBAC authentication rule are successfully matched, other rules do not need to be matched one by one.
The performing attribute-based access control (ABAC) authentication on the API access request by using the Keystone component of the fusion Casbin component comprises the following steps:
step B11, based on the operation type of the operation information, obtaining an ABAC authentication rule corresponding to the operation type from an ABAC authentication rule table;
the ABAC authentication rule table stores a plurality of ABAC authentication rules, and each ABAC authentication rule comprises an operation type and an operation object.
Each ABAC authentication rule also contains a rule name, a rule description, a rule efficacy (either allowing execution or denying execution). The operation type is identified by "service_type", for example, "service_type" is "identity", i.e. the operation type is authentication service.
The request information and the operation object each include a service name, an access area ID, and access resource information.
And step B13, matching the request information of the operation information with the operation object in the obtained ABAC authentication rule, if so, successfully authenticating the access control ABAC based on the attribute, returning an access result to the user, and otherwise, returning authentication failure to the user.
Before the method is put into application, a platform administrator or a user administrator can bind corresponding ABAC authentication rules for different users of the cloud platform aiming at different resource classes or specific resources. After the user logs in, corresponding token data including information of the user, the project, the role and the like is returned.
And B13, when the request information is matched with the service name, the access area ID and the access resource information in the operation object, the authentication is considered to be successful, otherwise, the authentication is failed.
Specifically, the matching judgment is performed layer by layer. For example, the { service_type }: { service_name: { region_id }: { resource_type } is matched layer by layer in sequence, i.e., the operation type, the service name, the access region ID, and the access resource information are matched layer by layer. If the matching is successful, the resource type has access rights in the area; conversely, none of the resource types has access rights in this region.
If the access resource information is not the resource type { resource_type }, but the resource ID { resource_id }, the matching is successful only when the resource_id is identical, the resource ID has access rights in the area, and other resource IDs cannot be accessed even if the resource IDs belong to the same resource type. Conversely, this resource ID does not have access rights in this area.
In the matching process, when one rule in the ABAC authentication rule table can be matched, other rules in the ABAC authentication rule table are not required to be matched.
Each API access request is sequentially authenticated by role-based access control RBAC and attribute-based access control ABAC. When the role-based access control RBAC authentication is successful, attribute-based access control ABAC authentication is not required.
The authentication process uses a white list rule, and follows the short circuit principle. For example, when a role is matched as a manager, all resources of the region can be accessed without performing attribute-based access control (ABAC) authentication.
The method of the embodiment of the specification further comprises the following steps: before receiving an API request for authentication, each cloud platform configures an RBAC authentication rule table and an ABAC authentication rule table; the RBAC authentication rule table is configured in a file form, and the ABAC authentication rule table is configured in a database form.
The RBAC authentication rules table is configured by predefining a policy. Yaml static file. Typically this file is self-defining by the respective services that make up the cloud platform.
The ABAC authentication rule table is formed by inserting system rule information into ABAC _ policies tables of a key database in a deployment stage of a cloud platform. The platform administrator or user administrator may bind corresponding ABAC authentication rules for different users of the cloud platform for different resource classes or specific resources.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, produces a flow or function in accordance with embodiments of the present description, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in or transmitted across a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by a wired (e.g., coaxial cable, fiber optic, digital subscriber line (Digital Subscriber Line, DSL)), or wireless (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains an integration of one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., digital versatile disk (DIGITAL VERSATILE DISC, DVD)), or a semiconductor medium (e.g., solid state disk (SolidState Disk, SSD)), etc.
Those skilled in the art will appreciate that implementing all or part of the above-described embodiment methods may be accomplished by way of a computer program, which may be stored in a computer-readable storage medium, instructing relevant hardware, and which, when executed, may comprise the embodiment methods as described above. And the aforementioned storage medium includes: various media capable of storing program code, such as ROM, RAM, magnetic or optical disks. The technical features in the present examples and embodiments may be arbitrarily combined without conflict.
The above-described embodiments are merely preferred embodiments of the present disclosure, and do not limit the scope of the disclosure, and various modifications and improvements made by those skilled in the art to the technical solutions of the disclosure should fall within the protection scope defined by the claims of the disclosure without departing from the design spirit of the disclosure.
Claims (10)
1. A cloud platform management system for multiple clusters and multiple users comprises at least one cloud platform, and is characterized in that each cloud platform can be deployed with different types of clusters; each cloud platform is configured with an IAM service, and the IAM service is provided with an API interface facing user access; the IAM service includes a Keystone component for supporting role-based access control RBAC authentication and a Casbin component for supporting attribute-based access control ABAC authentication; the Casbin component is integrated into the Keystone component, so that each cloud platform firstly carries out role-based access control RBAC authentication on the received API access request, and if the role-based access control RBAC authentication is successful, the authentication is finished and an access result is returned to the user; and if the role-based access control RBAC authentication fails, performing attribute-based access control ABAC authentication.
2. The system of claim 1, wherein the IAM service of each cloud platform is further configured with a synchronization service; when there are two or more cloud platforms, the IAM service of a certain cloud platform serves as a master service that synchronizes information data to the IAM service of other cloud platforms serving as slave services.
3. The system of claim 2, wherein when the IAM service of a certain cloud platform is used as a master service, the master service synchronizes information data to the IAM service of other cloud platforms as slave services, comprising:
when an IAM service of a certain cloud platform receives an API access request, the IAM service of the cloud platform serves as a master service, changes, caused by the API access request, on information data are synchronously distributed to IAM services of other cloud platforms serving as slave services.
4. The system of claim 3, wherein when the IAM service of a certain cloud platform is used as a master service, the master service synchronizes information data to the IAM service of other cloud platforms as slave services, and further comprising:
when the slave service does not receive the API access request during the process of distributing the API access request to the slave service by the master service, the slave service periodically acquires information data of the master service and performs information data synchronization.
5. The system of claim 1, wherein the cloud platform is capable of deploying any one type of OpenStack clusters, kubernetes clusters, clusters integrated with OpenStack and Kubernetes, and OpenStack clusters deployed with Kubernetes.
6. The system of claim 1, wherein the IAM service has a user access oriented API interface that is a RESTful API interface.
7. An authentication method, wherein the method is performed on any one of the cloud platforms in a multi-cluster multi-user oriented cloud platform management system according to any one of claims 1-6; the method comprises the following steps:
receiving an API access request sent by a user;
Performing role-based access control RBAC authentication on the API access request by using a Keystone component of the fusion Casbin component; when the role-based access control RBAC authentication is successful, returning an access result to the user; and when the access control RBAC authentication based on the role fails, performing attribute-based access control ABAC authentication on the API access request by utilizing a Keystone component of the fusion Casbin component, and when the attribute-based access control ABAC authentication is successful, returning an access result to the user, otherwise, returning authentication failure to the user.
8. The method of claim 7, wherein the role-based access control RBAC authentication of API access requests using the Keystone component of the fusion Casbin component comprises:
analyzing the API access request to obtain token data and operation information of the user; wherein the operation information comprises an operation type and request information;
Based on the operation type of the operation information, obtaining RBAC authentication rules corresponding to the operation type from an RBAC authentication rule table; the RBAC authentication rule table stores a plurality of RBAC authentication rules, and each RBAC authentication rule comprises an operation role and an operation type;
analyzing the token data of the user to obtain user information, role information and project information;
matching the role information of the user with the operation roles in the RBAC authentication rules, if so, controlling RBAC authentication based on the access of the roles, otherwise, failing authentication.
9. The method of claim 8, wherein the utilizing the Keystone component of the fusion Casbin component to perform attribute-based access control ABAC authentication on API access requests comprises:
Based on the operation type of the operation information, obtaining an ABAC authentication rule corresponding to the operation type from an ABAC authentication rule table; the ABAC authentication rule table stores a plurality of ABAC authentication rules, and each ABAC authentication rule comprises an operation type and an operation object; the request information and the operation object comprise service names, access area IDs and access resource information;
And matching the request information of the operation information with the operation object in the obtained ABAC authentication rule, if so, successfully authenticating the access control ABAC based on the attribute, returning an access result to the user, and otherwise, returning authentication failure to the user.
10. The method as recited in claim 7, further comprising: before receiving an API request for authentication, each cloud platform configures an RBAC authentication rule table and an ABAC authentication rule table; the RBAC authentication rule table is configured in a file form, and the ABAC authentication rule table is configured in a database form.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410720712.4A CN118300900B (en) | 2024-06-05 | 2024-06-05 | Multi-cluster multi-user oriented cloud platform management system and authentication method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410720712.4A CN118300900B (en) | 2024-06-05 | 2024-06-05 | Multi-cluster multi-user oriented cloud platform management system and authentication method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118300900A true CN118300900A (en) | 2024-07-05 |
| CN118300900B CN118300900B (en) | 2024-09-10 |
Family
ID=91681402
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410720712.4A Active CN118300900B (en) | 2024-06-05 | 2024-06-05 | Multi-cluster multi-user oriented cloud platform management system and authentication method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118300900B (en) |
Citations (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104217146A (en) * | 2014-09-04 | 2014-12-17 | 浪潮通用软件有限公司 | Access control method based on ABAC (Attribute Based Access Control) and RBAC (Role Based Access Control) |
| CN104484617A (en) * | 2014-12-05 | 2015-04-01 | 中国航空工业集团公司第六三一研究所 | Database access control method on basis of multi-strategy integration |
| CN106572116A (en) * | 2016-11-10 | 2017-04-19 | 长春理工大学 | Role-and-attribute-based cross-domain secure switch access control method of integrated network |
| CN107315950A (en) * | 2017-05-03 | 2017-11-03 | 北京大学 | Automation division methods and access control method that a kind of cloud computing platform administrator right is minimized |
| CN109889480A (en) * | 2018-12-25 | 2019-06-14 | 武汉烽火信息集成技术有限公司 | Based on container and the totally-domestic of cloud platform fusion cloud platform management method and system |
| CN110990150A (en) * | 2019-11-15 | 2020-04-10 | 北京浪潮数据技术有限公司 | Tenant management method and system of container cloud platform, electronic device and storage medium |
| CN112667977A (en) * | 2020-12-29 | 2021-04-16 | 齐鲁工业大学 | Smart city-oriented block chain identity authentication and access control method and system |
| CN113098695A (en) * | 2021-04-21 | 2021-07-09 | 金陵科技学院 | Micro-service unified authority control method and system based on user attributes |
| CN113542189A (en) * | 2020-04-14 | 2021-10-22 | 华为技术有限公司 | Authentication method, device and system |
| CN113765925A (en) * | 2021-09-08 | 2021-12-07 | 浙江九州云信息科技有限公司 | Improvement method based on OSAC and PERM access control model |
| CN114153655A (en) * | 2021-10-29 | 2022-03-08 | 郑州云海信息技术有限公司 | Disaster tolerance system creating method, disaster tolerance method, device, equipment and medium |
| CN114172700A (en) * | 2021-11-24 | 2022-03-11 | 中国人寿保险股份有限公司上海数据中心 | Unified authentication system and method based on cloud platform and domain control server |
| CN114285850A (en) * | 2021-12-27 | 2022-04-05 | 北银金融科技有限责任公司 | Cross-cluster multi-tenant resource management system based on container platform |
| CN114528155A (en) * | 2022-02-11 | 2022-05-24 | 联通(广东)产业互联网有限公司 | Disaster recovery method, platform, system, computer equipment and storage medium |
| CN114553450A (en) * | 2020-11-24 | 2022-05-27 | 贝斯平环球公司 | Merging management system and control method of merging management system |
| US20220385668A1 (en) * | 2021-05-28 | 2022-12-01 | Capital One Services, Llc | Evaluation of effective access permissions in identity and access management (iam) systems |
| CN115422526A (en) * | 2022-10-31 | 2022-12-02 | 平安银行股份有限公司 | Role authority management method, device and storage medium |
| CN116244037A (en) * | 2023-02-09 | 2023-06-09 | 天翼云科技有限公司 | Data processing method, device and network equipment |
| US20230319049A1 (en) * | 2022-04-01 | 2023-10-05 | Shopify Inc. | Method and system for workflow attestation |
| CN116955015A (en) * | 2023-09-19 | 2023-10-27 | 恒生电子股份有限公司 | Data backup system and method based on data storage service |
| US11855987B1 (en) * | 2017-11-09 | 2023-12-26 | Amazon Technologies, Inc. | Utilizing distributed ledger for cloud service access control |
| CN117555522A (en) * | 2023-11-22 | 2024-02-13 | 云赛智联股份有限公司 | Cloud pipe bus for multi-cloud management platform |
| CN117574340A (en) * | 2023-11-21 | 2024-02-20 | 中国建设银行股份有限公司 | Permission control method and device for cloud platform |
| CN117955667A (en) * | 2022-10-28 | 2024-04-30 | 国网上海能源互联网研究院有限公司 | Safety monitoring and safety access control method and system for power distribution safety protection |
| CN118114272A (en) * | 2023-12-29 | 2024-05-31 | 中科方德软件有限公司 | Role and attribute-based hybrid permission access control method and device |
-
2024
- 2024-06-05 CN CN202410720712.4A patent/CN118300900B/en active Active
Patent Citations (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104217146A (en) * | 2014-09-04 | 2014-12-17 | 浪潮通用软件有限公司 | Access control method based on ABAC (Attribute Based Access Control) and RBAC (Role Based Access Control) |
| CN104484617A (en) * | 2014-12-05 | 2015-04-01 | 中国航空工业集团公司第六三一研究所 | Database access control method on basis of multi-strategy integration |
| CN106572116A (en) * | 2016-11-10 | 2017-04-19 | 长春理工大学 | Role-and-attribute-based cross-domain secure switch access control method of integrated network |
| CN107315950A (en) * | 2017-05-03 | 2017-11-03 | 北京大学 | Automation division methods and access control method that a kind of cloud computing platform administrator right is minimized |
| US11855987B1 (en) * | 2017-11-09 | 2023-12-26 | Amazon Technologies, Inc. | Utilizing distributed ledger for cloud service access control |
| CN109889480A (en) * | 2018-12-25 | 2019-06-14 | 武汉烽火信息集成技术有限公司 | Based on container and the totally-domestic of cloud platform fusion cloud platform management method and system |
| CN110990150A (en) * | 2019-11-15 | 2020-04-10 | 北京浪潮数据技术有限公司 | Tenant management method and system of container cloud platform, electronic device and storage medium |
| CN113542189A (en) * | 2020-04-14 | 2021-10-22 | 华为技术有限公司 | Authentication method, device and system |
| CN114553450A (en) * | 2020-11-24 | 2022-05-27 | 贝斯平环球公司 | Merging management system and control method of merging management system |
| CN112667977A (en) * | 2020-12-29 | 2021-04-16 | 齐鲁工业大学 | Smart city-oriented block chain identity authentication and access control method and system |
| CN113098695A (en) * | 2021-04-21 | 2021-07-09 | 金陵科技学院 | Micro-service unified authority control method and system based on user attributes |
| US20220385668A1 (en) * | 2021-05-28 | 2022-12-01 | Capital One Services, Llc | Evaluation of effective access permissions in identity and access management (iam) systems |
| CN113765925A (en) * | 2021-09-08 | 2021-12-07 | 浙江九州云信息科技有限公司 | Improvement method based on OSAC and PERM access control model |
| CN114153655A (en) * | 2021-10-29 | 2022-03-08 | 郑州云海信息技术有限公司 | Disaster tolerance system creating method, disaster tolerance method, device, equipment and medium |
| CN114172700A (en) * | 2021-11-24 | 2022-03-11 | 中国人寿保险股份有限公司上海数据中心 | Unified authentication system and method based on cloud platform and domain control server |
| CN114285850A (en) * | 2021-12-27 | 2022-04-05 | 北银金融科技有限责任公司 | Cross-cluster multi-tenant resource management system based on container platform |
| CN114528155A (en) * | 2022-02-11 | 2022-05-24 | 联通(广东)产业互联网有限公司 | Disaster recovery method, platform, system, computer equipment and storage medium |
| US20230319049A1 (en) * | 2022-04-01 | 2023-10-05 | Shopify Inc. | Method and system for workflow attestation |
| CN117955667A (en) * | 2022-10-28 | 2024-04-30 | 国网上海能源互联网研究院有限公司 | Safety monitoring and safety access control method and system for power distribution safety protection |
| CN115422526A (en) * | 2022-10-31 | 2022-12-02 | 平安银行股份有限公司 | Role authority management method, device and storage medium |
| CN116244037A (en) * | 2023-02-09 | 2023-06-09 | 天翼云科技有限公司 | Data processing method, device and network equipment |
| CN116955015A (en) * | 2023-09-19 | 2023-10-27 | 恒生电子股份有限公司 | Data backup system and method based on data storage service |
| CN117574340A (en) * | 2023-11-21 | 2024-02-20 | 中国建设银行股份有限公司 | Permission control method and device for cloud platform |
| CN117555522A (en) * | 2023-11-22 | 2024-02-13 | 云赛智联股份有限公司 | Cloud pipe bus for multi-cloud management platform |
| CN118114272A (en) * | 2023-12-29 | 2024-05-31 | 中科方德软件有限公司 | Role and attribute-based hybrid permission access control method and device |
Non-Patent Citations (1)
| Title |
|---|
| 黄爽;黄必清;: "云制造平台安全体系架构", 计算机集成制造系统, no. 04, 30 March 2018 (2018-03-30) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118300900B (en) | 2024-09-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10819652B2 (en) | Access management tags | |
| CA2803839C (en) | Online service access controls using scale out directory features | |
| US8745205B2 (en) | System and method for intelligent workload management | |
| TWI473029B (en) | Extensible and programmable multi-tenant service architecture | |
| US11102196B2 (en) | Authenticating API service invocations | |
| US7702758B2 (en) | Method and apparatus for securely deploying and managing applications in a distributed computing infrastructure | |
| US10324701B1 (en) | Rapid deployment of computing instances | |
| WO2011159284A1 (en) | Volume management | |
| US10104163B1 (en) | Secure transfer of virtualized resources between entities | |
| CN109240837B (en) | Construction method of universal cloud storage service API | |
| US20200195649A1 (en) | Method for managing a cloud computing system | |
| WO2020001162A1 (en) | Container management method, apparatus, and device | |
| CN109542590A (en) | The method of virtual Socket communication under Docker cluster multi-tenant | |
| US20230179634A1 (en) | Secure policy distribution in a cloud environment | |
| CN114281253B (en) | Storage volume management method | |
| CN114239055A (en) | Distributed database multi-tenant isolation method and system | |
| CN114710350B (en) | Method and device for distributing callable resources, electronic equipment and storage medium | |
| US20190222480A1 (en) | Secure Collaborative Data Communications Network | |
| CN118300900A (en) | Multi-cluster multi-user oriented cloud platform management system and authentication method | |
| US20240205226A1 (en) | Authentication and identity architecture for a management plane of a multi-tenant computing system | |
| CN115037757B (en) | Multi-cluster service management system | |
| US11757976B2 (en) | Unified application management for heterogeneous application delivery | |
| CN115766123A (en) | Data cross-domain authorization method and device and electronic equipment | |
| US11632375B2 (en) | Autonomous data source discovery | |
| CN115766618A (en) | A multi-server resource configuration system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |