CN101594386B - Method and device for constructing reliable virtual organization based on distributed strategy verification - Google Patents
- Publication number: CN101594386B (application CN2009100879874A)
- Authority: CN (China)
- Prior art keywords: virtual organization, policy, target, server, mapping policy
- Legal status: Expired - Fee Related (Google Patents states that the listed status is an assumption and not a legal conclusion)
- Landscapes: Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a method and a device for constructing a reliable virtual organization based on distributed policy verification. The method comprises: establishing a mapping policy between an initial autonomous domain and a target autonomous domain through a virtual organization server that belongs to the initial or the target autonomous domain, and storing the mapping policy; customizing a virtual organization coordination policy from the mapping policy, the initial autonomous domain policy, the virtual organization server policy and the target autonomous domain policy; verifying in a distributed manner, according to the validity rules of the virtual organization coordination policy, whether that coordination policy is credible; and, if so, constructing the reliable virtual organization according to it. The scheme addresses the low construction efficiency of prior-art virtual organization construction methods and the security hazard present in their coordination policies, and achieves fast and secure construction of a reliable virtual organization.
Description
Technical field
The present invention relates to virtual organization construction technology, in particular to a reliable virtual organization construction method and device based on distributed policy verification, and belongs to the fields of distributed computing and information security technology.
Background technology
With the rapid development of computer technology, virtualization, Software as a Service (SaaS) and Web interaction technologies have provided effective support for building trustworthy Internet-based networked software application systems, continually giving users simpler and more transparent ways to dynamically obtain large-scale computing and storage capability. The "cloud" and "cloud computing" are a typical application model of this kind.
The so-called "cloud" can be regarded as a computer cluster that may comprise hundreds of thousands or even millions of computers. The benefit of the "cloud" is that the computers in it can be upgraded at any time. At present "clouds" are basically operated by large enterprises: Amazon's Elastic Compute Cloud (EC2) and Simple Storage Service (S3) and Microsoft's cloud computing product Windows Azure are all such "clouds".
The "cloud" is the platform of "cloud computing"; so-called "cloud computing" can be regarded as computing based on the "cloud", and further as an emerging technology built on virtualization, SaaS and related technologies such as Web interaction. What cloud computing brings is a new way of using resources and software: a user needs only a network connection and a browser to access the "cloud", which serves as the center for data storage and application services. At present, in a large enterprise that owns a "cloud", users perform "cloud computing" on the enterprise's internal "cloud": the computing and storage capacity the user needs is moved into the enterprise's entire local area network (the so-called "cloud"), and the user's computation is distributed over a large number of distributed computers rather than a local computer or a remote server, so that the operation of the enterprise data center becomes more like the Internet and the enterprise can switch resources to the applications that need them, accessing computers and storage systems on demand.
With the continuous development of hardware technology, the emergence of virtual machines has made it convenient for enterprises to build "clouds". Because a virtual machine has good isolation, monitorability and migratability, the security of a single computer or single system node in the "cloud" is guaranteed; managing the "cloud" as a whole, however, requires security policies for the virtual machines. Security policy management based on virtual machines, such as VMware's VirtualCenter, Microsoft's Hyper-V and RedHat's OVirt, can effectively build a "cloud computing platform" within a single domain (a single domain being, for example, an enterprise or a school). Yet as users' capacity requirements on the "cloud computing platform" become elastic, the autonomous domain provided by a single domain (which may comprise at least one "cloud") may not satisfy the user's demand. Drawing on many years of research in this field, the inventors recognised that a method is still needed for building a VO (Virtual Organization) from several autonomous domains so that resources can be shared across them. For example, when the virtual resources in an enterprise's autonomous domain are insufficient, it can rent part of the virtual resources of Amazon's autonomous domain to form a VO; or a network strategy laboratory that needs to build a system deployed in many geographic locations may rent virtual resources in the autonomous domains of providers in different geographic locations to form its own VO. Prior-art VO construction, however, has the following defects:
1. Federation between autonomous domains: cross-domain resource sharing is involved, and virtual resources join and leave frequently. In this case the efficiency of VO construction is challenged: VO management systems such as VOMS (Virtual Organization Management Service) and CAS (Central Authentication Service) require users to be assigned to the VO in advance, and because VO construction takes the user as its basic unit, the efficiency of VO construction is low.
2. Security of the VO construction policy: mutual mapping of authorities between autonomous domains easily allows a lower-level user to obtain a higher-level user's authority through a mapping loop, which breaks the security of the original autonomous domain policy.
3. Guarantee of VO operating efficiency: VO construction involves several processes such as policy customization and security verification, and the efficiency of authorising VO users is most important for the final use of the VO. The prior-art dynamic trust chain method of constructing a VO has no authorisation protocol that bounds the trust level of VO users, so the efficiency of VO user authorisation is relatively low.
Summary of the invention
The purpose of this invention is to provide a reliable virtual organization construction method and device based on distributed policy verification, so as to solve the technical problems of prior-art virtual organization construction methods, namely low construction efficiency, security hazards from the initial autonomous domain to the virtual organization, and low efficiency of virtual organization user authorisation, and thereby to construct a reliable virtual organization quickly and securely.
To achieve the above purpose, the invention provides a reliable virtual organization construction method based on distributed policy verification, comprising:
establishing, through a virtual organization server, a mapping policy between an initial autonomous domain and a target autonomous domain, and storing the mapping policy, where the virtual organization server is included in the initial autonomous domain or the target autonomous domain;
customizing a virtual organization coordination policy according to the mapping policy, the initial autonomous domain policy, the virtual organization server policy and the target autonomous domain policy;
verifying in a distributed manner, according to the validity rules of the virtual organization coordination policy, whether the coordination policy is credible, and if so constructing the reliable virtual organization according to it;
where establishing the mapping policy between the initial and target autonomous domains through the virtual organization server and storing it comprises:
the mapping policy is a role hierarchy based mapping policy comprising a one-level mapping policy and a secondary mapping policy;
establishing a one-level mapping policy from a specified role in the initial autonomous domain to a specified role in the virtual organization server, and storing it in the virtual organization server;
establishing a secondary mapping policy from the specified role in the virtual organization server to a specified role in the target autonomous domain, and storing it in the initial autonomous domain;
establishing, from the one-level and secondary mapping policies, the role hierarchy based mapping policy from the specified role in the initial autonomous domain to the specified role in the target autonomous domain;
where customizing the virtual organization coordination policy according to the mapping policy, the initial autonomous domain policy, the virtual organization server policy and the target autonomous domain policy comprises:
the initial autonomous domain policy comprises the role hierarchy inheritance relation of the initial autonomous domain;
the virtual organization server policy comprises the role hierarchy inheritance relation of the virtual organization server;
the target autonomous domain policy comprises the role hierarchy inheritance relation of the target autonomous domain;
customizing the virtual organization coordination policy according to the one-level mapping policy, the secondary mapping policy, the initial autonomous domain role hierarchy, the virtual organization server role hierarchy and the target autonomous domain role hierarchy;
where verifying in a distributed manner, according to the validity rules of the virtual organization coordination policy, whether the coordination policy is credible comprises:
the validity rules of the virtual organization coordination policy comprise a first rule and a second rule;
the first rule is that, in the mapping policy between the initial and target autonomous domains, any mapping policy chain comprises at least one specified role in the virtual organization server, together with one specified role in the initial autonomous domain and one specified role in the target autonomous domain;
the second rule is that the specified roles are included in the closure sets formed by the initial autonomous domain, the virtual organization server and the target autonomous domain, and there is no direct mapping policy from a specified role in the initial autonomous domain to a specified role in the target autonomous domain;
verifying in a distributed manner, according to the first rule and the second rule, whether the virtual organization coordination policy is credible;
where the distributed verification of the virtual organization coordination policy comprises:
obtaining the virtual organization server closure set from the virtual organization server policy using the Warshall algorithm;
obtaining the initial autonomous domain closure set from the initial autonomous domain policy using the Warshall algorithm;
obtaining the target autonomous domain closure set from the target autonomous domain policy using the Warshall algorithm;
generating the mapping policy universe from the initial autonomous domain closure set, the target autonomous domain closure set, the virtual organization server closure set, the one-level mapping policy and the secondary mapping policy;
judging whether the mapping policy universe contains a mapping policy chain that violates the first rule and/or the second rule; if so, the virtual organization coordination policy is not credible.
Further, the invention provides a reliable virtual organization construction device based on distributed policy verification, comprising:
a mapping policy module, for establishing, through the virtual organization server, the mapping policy between the initial autonomous domain and the target autonomous domain, and storing the mapping policy;
a customization module, connected to the mapping policy module, for customizing the virtual organization coordination policy according to the mapping policy, the initial autonomous domain policy, the virtual organization server policy and the target autonomous domain policy;
a distributed verification module, connected to the customization module, for verifying in a distributed manner, according to the validity rules of the virtual organization coordination policy, whether the coordination policy is credible;
a construction module, connected to the distributed verification module, for building the reliable virtual organization according to the virtual organization coordination policy if the distributed verification finds the coordination policy credible;
where the mapping policy module comprises:
a one-level mapping policy unit, for establishing the one-level mapping policy from a specified role in the initial autonomous domain to a specified role in the virtual organization server, and storing it in the virtual organization server;
a secondary mapping policy unit, for establishing the secondary mapping policy from the specified role in the virtual organization server to a specified role in the target autonomous domain, and storing it in the initial autonomous domain;
a hierarchy mapping policy unit, connected to the one-level mapping policy unit and the secondary mapping policy unit, for establishing, from the one-level and secondary mapping policies, the role hierarchy based mapping policy from the specified role in the initial autonomous domain to the specified role in the target autonomous domain;
the customization module is further for customizing the virtual organization coordination policy according to the one-level mapping policy, the secondary mapping policy, the initial autonomous domain role hierarchy, the virtual organization server role hierarchy and the target autonomous domain role hierarchy, where the initial autonomous domain policy comprises the initial autonomous domain role hierarchy, the virtual organization server policy comprises the virtual organization server role hierarchy, and the target autonomous domain policy comprises the target autonomous domain role hierarchy;
the distributed verification module is further for verifying in a distributed manner, according to a first rule and a second rule, whether the virtual organization coordination policy is credible, where the validity rules of the coordination policy comprise the first rule and the second rule; the first rule is that, in the mapping policy between the initial and target autonomous domains, any mapping policy chain comprises at least one specified role in the virtual organization server, together with one specified role in the initial autonomous domain and one specified role in the target autonomous domain; and the second rule is that the specified roles are included in the closure sets formed by the initial autonomous domain, the virtual organization server and the target autonomous domain, and there is no direct mapping policy from a specified role in the initial autonomous domain to a specified role in the target autonomous domain;
the distributed verification module is further for obtaining the virtual organization server closure set from the virtual organization server policy using the Warshall algorithm; obtaining the initial autonomous domain closure set from the initial autonomous domain policy using the Warshall algorithm; obtaining the target autonomous domain closure set from the target autonomous domain policy using the Warshall algorithm; generating the mapping policy universe from the initial autonomous domain closure set, the target autonomous domain closure set, the virtual organization server closure set, the one-level mapping policy and the secondary mapping policy; and judging whether the mapping policy universe contains a mapping policy chain that violates the first rule and/or the second rule, in which case the virtual organization coordination policy is not credible.
It can be seen from the above technical scheme that the reliable virtual organization construction method and device based on distributed policy verification provided by the present invention offer a way of building a virtual organization based on distributed policy verification: whether the virtual organization coordination policy is credible is verified in a distributed manner, and if so the virtual organization is built according to that policy. This solves the prior-art problems of low construction efficiency and of security hazards from the initial autonomous domain to the virtual organization, and achieves fast and secure construction of a reliable virtual organization.
Description of drawings
Fig. 1 is a flow chart of the reliable virtual organization construction method based on distributed policy verification of the present invention;
Fig. 2 is a structural diagram of autonomous domains forming a reliable virtual organization according to the present invention;
Fig. 3 is a structural diagram of the reliable virtual organization construction device based on distributed policy verification of the present invention;
Fig. 4 is a structural diagram of the mapping policy module in the reliable virtual organization construction device based on distributed policy verification of the present invention;
Fig. 5 is a structural diagram of a reliable virtual organization of the present invention;
Fig. 6 is a structural diagram of the server assignment of a reliable virtual organization.
Embodiment
The technical scheme of the present invention is further described in detail below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of the reliable virtual organization construction method based on distributed policy verification of the present invention. As shown in Fig. 1, the method comprises:
101. Establishing, through a virtual organization server, a mapping policy between an initial autonomous domain and a target autonomous domain, and storing the mapping policy, where the virtual organization server is included in the initial autonomous domain or the target autonomous domain;
As shown in Fig. 2, the structural diagram of autonomous domains forming a virtual organization according to the present invention, the structure of reliable virtual organization 4 comprises initial autonomous domain 1, target autonomous domain 2 and virtual organization server (VOS) 3. Virtual organization server 3 may be chosen by negotiation between initial autonomous domain 1 and target autonomous domain 2, or initial autonomous domain 1 may on its own select a server within its autonomous domain; in this embodiment virtual organization server 3 is a server included in initial autonomous domain 1. Further, initial autonomous domain 1 comprises roles R_A1 and R_A2 with a role hierarchy inheritance relation between them (the relation is drawn as a symbol in the figure), namely the initial autonomous domain policy H_i, in which roles are associated with authorities: if a user is a member of role R_A1, the user is automatically assigned all authorities of role R_A2. Target autonomous domain 2 comprises roles R_B1 and R_B2 with a role hierarchy relation that is the target autonomous domain policy; likewise, if a user is a member of role R_B1, the user is automatically assigned all authorities of role R_B2. Virtual organization server 3 comprises roles R_VO1 and R_VO2 with a role hierarchy relation that is the virtual organization server policy H_VO; likewise, if a user is a member of role R_VO2, the user is automatically assigned all authorities of role R_VO1.
Take the establishment of the mapping policy between roles R_A1 and R_B1 as an example. The mapping policy between R_A1 and R_B1 is a role hierarchy based mapping policy. First the one-level mapping policy m_VO is established: specifically, the one-level mapping policy m_1 from specified role R_A1 in initial autonomous domain 1 to specified role R_VO1 in virtual organization server 3 is established and stored in virtual organization server 3. Then the secondary mapping policy m_i is established: specifically, the secondary mapping policy m_i from specified role R_VO1 in virtual organization server 3 to specified role R_B1 in target autonomous domain 2 is established and stored in initial autonomous domain 1. From the one-level mapping policy m_1 and the secondary mapping policy m_i, the role hierarchy based mapping policy from specified role R_A1 in initial autonomous domain 1 to specified role R_B1 in target autonomous domain 2 is established, which can be expressed as the mapping policy chain (m_1, m_i). Following this example for roles R_A1 and R_B1, mapping policies between all roles of initial autonomous domain 1 and target autonomous domain 2 are established, and role authorities are inherited correspondingly;
102. Customizing a virtual organization coordination policy according to the mapping policy, the initial autonomous domain policy, the virtual organization server policy and the target autonomous domain policy;
The virtual organization coordination policy is customized from the one-level mapping policy m_1, the secondary mapping policy m_i, the initial autonomous domain policy H_i, the virtual organization server policy H_VO and the target autonomous domain policy;
103. Verifying in a distributed manner, according to the validity rules of the virtual organization coordination policy, whether the coordination policy is credible, and if so building the reliable virtual organization according to it;
The validity rules of the virtual organization coordination policy comprise a first rule and a second rule. Referring again to Fig. 2 and taking the mapping policy chain (m_1, m_i) as an example:
The first rule is that, in the mapping policy between initial autonomous domain 1 and target autonomous domain 2, the mapping policy chain (m_1, m_i) comprises at least one specified role R_VO1 in virtual organization server 3, together with specified role R_A1 in initial autonomous domain 1 and specified role R_B1 in target autonomous domain 2;
The second rule is that the specified roles R_A1, R_B1 and R_VO1 are included in the closure sets formed by initial autonomous domain 1, virtual organization server 3 and target autonomous domain 2, and there is no direct mapping policy from specified role R_A1 in initial autonomous domain 1 to specified role R_B1 in target autonomous domain 2;
The first rule and the second rule prevent the original role hierarchy of target autonomous domain 2 shown in Fig. 2 (R_B1 inheriting R_B2) from being reversed after repeated mappings. In practice this shows up as a user in target autonomous domain 2 who belongs only to the low-level role R_B1 obtaining, through repeated role transformations between autonomous domain 2 and virtual organization server 3, the authority that only the high-level role R_B2 in target autonomous domain 2 could access, which poses a potential threat to the security of target autonomous domain 2. Specifically, suppose another one-level mapping policy m_3 maps a further pair of roles (m_1 and m_3 are both one-level mapping policies and are denoted collectively as m_VO); through additional role-to-role mapping policies, the mappings yield that R_VO2 has the authority of R_B2, R_VO1 has the authority of R_VO2, and R_B1 has the authority of R_VO1, so that R_B2 comes to have the authority of R_B1. The reason is that the other one-level mapping policy m_3 and m_i do not form a complete mapping policy chain, and therefore do not comply with the requirement of the first rule that a mapping policy chain must comprise a specified role in initial autonomous domain 1 and a specified role in target autonomous domain 2. For the originally normal role hierarchy in which R_B1 has the authority of R_B2, this causes confusion of the role hierarchy in target autonomous domain 2 and threatens its security;
According to the first rule and the second rule, each mapping policy chain established from the role hierarchy based mapping policy is verified for credibility as soon as it is established, rather than waiting until all mapping policy chains have been established and verifying afterwards; this is the distributed verification of whether the virtual organization coordination policy is credible. Once all mapping policy chains relating roles and authorities have been established, the reliable virtual organization is built.
The specific method of verifying the virtual organization coordination policy in a distributed manner can be realized by the following steps:
Step 11: from the virtual organization server policy H_VO, obtain the virtual organization server closure set using the Warshall algorithm; in general there is only one virtual organization server closure set;
Step 12: from the initial autonomous domain policy H_i, obtain the initial autonomous domain closure set using the Warshall algorithm; in general there is also only one initial autonomous domain closure set;
Step 13: from the target autonomous domain policy, obtain the target autonomous domain closure sets using the Warshall algorithm; because there are generally several target autonomous domains, k = n, and correspondingly there are several target autonomous domain closure sets;
Step 14: from the initial autonomous domain closure set, the target autonomous domain closure sets, the virtual organization server closure set, the one-level mapping policies (collectively denoted m_VO) and the secondary mapping policy m_i, generate the mapping policy universe S;
Step 15: judge whether the mapping policy universe contains a mapping policy chain that violates the first rule and/or the second rule; if so, the virtual organization coordination policy is not credible.
A mapping policy chain that violates the first rule comprises at least one specified role in the virtual organization server together with a specified role in the initial autonomous domain and a specified role in another initial autonomous domain; or it comprises at least one specified role in the virtual organization server together with a specified role in the target autonomous domain and a specified role in another initial autonomous domain. This situation is referred to as an implicit conflict policy;
A mapping policy chain that violates the second rule is one in which a specified role in the initial autonomous domain is mapped directly to a specified role in the target autonomous domain without passing through a specified role in the virtual organization server. This situation is referred to as an explicit conflict policy;
It is judged whether the mapping policy universe contains an implicit conflict policy and/or an explicit conflict policy; if so, the virtual organization coordination policy is not credible.
In practical application, according to the above method, the subprogram that verifies in a distributed manner whether the virtual organization coordination policy is credible is programmed as follows:
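The following worked example is added here; it is not the patent's subprogram (which is not reproduced on this page) nor code from the applicants. It models the Fig. 2 embodiment and Steps 11 to 15 in Python: roles are (domain, name) pairs, an edge (x, y) means that a member of role x automatically holds all authorities of y, `warshall_closure` is the Warshall transitive closure of Steps 11 to 13, `mapping_universe` builds the universe S of Step 14 as the set of simple chains that combine closure edges with at least one mapping edge and start and end outside the VOS, and `implicit_conflicts` and `explicit_conflicts` implement the first and second rules as Step 15 describes them. The sample hierarchies, the edge direction, the reading of a first-rule violation as a chain through the VOS whose two ends lie in the same domain, and the hypothetical mapping `M_3` that grants target role R_B2 the VOS role R_VO2 are this example's assumptions, not statements of the patent. `build_vo` shows the distributed check: every new mapping is verified when it is established and rejected if it breaks a rule.

```python
"""Added example (not the patent's code): distributed verification of a virtual
organization coordination policy with Warshall closures and the two validity rules."""
from collections import defaultdict

# Each role is a (domain, name) pair. Domains: "A" = initial autonomous domain,
# "VO" = virtual organization server, "B" = target autonomous domain.
# An edge (x, y) means "a member of role x automatically holds all authorities of y".
A1, A2 = ("A", "R_A1"), ("A", "R_A2")
VO1, VO2 = ("VO", "R_VO1"), ("VO", "R_VO2")
B1, B2 = ("B", "R_B1"), ("B", "R_B2")

# Constructed intra-domain hierarchies modelled on Fig. 2 (an assumption of this example).
HIERARCHIES = {
    "A": {(A1, A2)},     # H_i : R_A1 inherits R_A2
    "VO": {(VO2, VO1)},  # H_VO: R_VO2 inherits R_VO1
    "B": {(B1, B2)},     # target domain policy: R_B1 inherits R_B2
}
M_1 = (A1, VO1)  # one-level mapping policy m_1, stored on the VOS
M_I = (VO1, B1)  # secondary mapping policy m_i, stored in the initial domain


def warshall_closure(edges):
    """Transitive closure of a relation (Warshall's algorithm, O(n^3)).
    Returns the set of (x, y) with y reachable from x in one or more steps."""
    nodes = sorted({r for e in edges for r in e})
    idx = {r: i for i, r in enumerate(nodes)}
    n = len(nodes)
    reach = [[False] * n for _ in range(n)]
    for x, y in edges:
        reach[idx[x]][idx[y]] = True
    for k in range(n):
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = True
    return {(nodes[i], nodes[j]) for i in range(n) for j in range(n) if reach[i][j]}


def domain_closures(hierarchies):
    """Steps 11-13: one closure set per autonomous domain / VOS from its own policy."""
    return {dom: warshall_closure(edges) for dom, edges in hierarchies.items()}


def mapping_universe(hierarchies, mappings):
    """Step 14: the mapping-policy universe S, i.e. every simple chain that combines
    closure edges with at least one mapping edge and starts and ends outside the VOS."""
    edges = set(mappings)
    for closure in domain_closures(hierarchies).values():
        edges |= closure
    succ = defaultdict(set)
    for x, y in edges:
        succ[x].add(y)
    chains = set()

    def walk(path, crossed):
        last = path[-1]
        if crossed and len(path) > 1 and last[0] != "VO":
            chains.add(tuple(path))
        for nxt in succ[last]:
            if nxt not in path:  # simple paths only, so loops terminate
                walk(path + [nxt], crossed or (last[0] != nxt[0]))

    for start in {x for x, _ in edges if x[0] != "VO"}:
        walk([start], False)
    return chains


def implicit_conflicts(chains):
    """First-rule violations: a chain passes through the VOS but does not connect one
    initial-domain role with one target-domain role (e.g. target -> VOS -> target)."""
    return {c for c in chains
            if any(r[0] == "VO" for r in c) and {c[0][0], c[-1][0]} != {"A", "B"}}


def explicit_conflicts(chains):
    """Second-rule violations: an initial-domain role reaches a target-domain role
    without passing through any VOS role (a direct mapping)."""
    return {c for c in chains
            if {c[0][0], c[-1][0]} == {"A", "B"} and not any(r[0] == "VO" for r in c)}


def verify(hierarchies, mappings):
    """Step 15: the coordination policy is credible iff S contains no conflicting chain."""
    chains = mapping_universe(hierarchies, mappings)
    bad = implicit_conflicts(chains) | explicit_conflicts(chains)
    return (not bad, bad)


def build_vo(hierarchies, mapping_sequence):
    """Distributed verification: check each mapping as it is established instead of
    after all chains exist; a mapping that breaks a rule is rejected, the rest accepted."""
    accepted, rejected = [], []
    for m in mapping_sequence:
        ok, _ = verify(hierarchies, accepted + [m])
        (accepted if ok else rejected).append(m)
    return accepted, rejected


if __name__ == "__main__":
    print("chain (m_1, m_i) credible:", verify(HIERARCHIES, [M_1, M_I])[0])
    # Hypothetical M_3 (this example's reading of the patent's m_3): target role R_B2 is
    # granted VOS role R_VO2, closing a target -> VOS -> target loop that inverts R_B1 >= R_B2.
    M_3 = (B2, VO2)
    print("with M_3:", verify(HIERARCHIES, [M_1, M_I, M_3]))
    print("direct R_A2 -> R_B2 mapping:", verify(HIERARCHIES, [M_1, M_I, (A2, B2)]))
    print("incremental build:", build_vo(HIERARCHIES, [M_1, M_I, M_3, (A2, B2)]))
```

Running the block shows the chain (m_1, m_i) passing both rules, the hypothetical `M_3` producing the target-to-target chain (R_B2, R_VO2, R_VO1, R_B1) that inverts the target hierarchy and is caught as an implicit conflict, a direct R_A2 to R_B2 mapping caught as an explicit conflict, and `build_vo` accepting only the first two mappings. Enumerating simple chains is exponential in the worst case; the example keeps the graphs of Fig. 2 small, and a production verifier would instead test reachability on the closure matrices directly.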
The reliable virtual organization construction method based on distributed policy verification provided by this embodiment verifies in a distributed manner whether the virtual organization coordination policy is credible and, if so, builds the virtual organization according to that policy. This solves the prior-art problems of low construction efficiency and of security hazards from the initial autonomous domain to the virtual organization, and achieves fast and secure construction of a reliable virtual organization.
Fig. 3 is a structural diagram of the reliable virtual organization construction device based on distributed policy verification of the present invention. As shown in Fig. 3, the device provided by this embodiment comprises mapping policy module 301, customization module 302, distributed verification module 303 and construction module 304. Mapping policy module 301 establishes, through the virtual organization server, the mapping policy between the initial autonomous domain and the target autonomous domain and stores it; customization module 302 is connected to mapping policy module 301 and customizes the virtual organization coordination policy according to the mapping policy, the initial autonomous domain policy, the virtual organization server policy and the target autonomous domain policy; distributed verification module 303 is connected to customization module 302 and verifies in a distributed manner, according to the validity rules of the virtual organization coordination policy, whether the coordination policy is credible; construction module 304 is connected to distributed verification module 303 and, if the distributed verification finds the coordination policy credible, builds the reliable virtual organization according to it.
Further, as shown in Fig. 4, the structural diagram of mapping policy module 301 in the reliable virtual organization construction device based on distributed policy verification of the present invention, mapping policy module 301 comprises one-level mapping policy unit 401, secondary mapping policy unit 402 and hierarchy mapping policy unit 403. One-level mapping policy unit 401 establishes the one-level mapping policy from a specified role in the initial autonomous domain to a specified role in the virtual organization server and stores it in the virtual organization server; secondary mapping policy unit 402 establishes the secondary mapping policy from the specified role in the virtual organization server to a specified role in the target autonomous domain and stores it in the initial autonomous domain; hierarchy mapping policy unit 403 is connected to one-level mapping policy unit 401 and secondary mapping policy unit 402 and establishes, from the one-level and secondary mapping policies, the role hierarchy based mapping policy from the specified role in the initial autonomous domain to the specified role in the target autonomous domain.
It should be noted that the specific method by which the reliable virtual organization construction device based on distributed policy verification of this embodiment builds a reliable virtual organization is as described above in the embodiment of the construction method and is not repeated here.
The reliable virtual organization construction device based on distributed policy verification provided by this embodiment uses the distributed verification module to verify in a distributed manner whether the virtual organization coordination policy is credible and, if so, builds the reliable virtual organization through the construction module according to that policy. This solves the prior-art problems of low construction efficiency and of security hazards from the initial autonomous domain to the virtual organization, and achieves fast and secure construction of a reliable virtual organization.
Fig. 5 is a schematic structural diagram of a reliable virtual organization of the present invention. As shown in Fig. 5, the virtual organization structure mainly comprises a virtual organization management device 501 and a virtual organization operation and maintenance (O&M) device 502, wherein:
The virtual organization management device 501 provides the administrator with an access point for operating the database, encapsulates the database operation commands and manages user permissions; verifies administrator roles and user roles; implements creation of the virtual organization and its policy configuration, user management, role management and permission management; generates a separate database for each virtual organization according to the creation requirements of the different virtual organizations; and runs a service process that provides read operations on the virtual organization database and offers the user a query interface when the user issues a query or fetch instruction.
The virtual organization O&M device 502 provides command-line tools such as attribute certificate request and proxy certificate creation, and generates the attribute certificates a resource requester needs according to the application's requirements; it is used by the resource provider, verifies the resource requester's attribute certificate and capability certificate, and performs authorization enforcement and decision.
Further, the virtual organization management device 501 comprises a portal module 5011, a configuration service module 5012 and an operation service module 5013. The portal module 5011 provides the administrator with the access point for operating the database, encapsulates the database operation commands and manages user permissions. The configuration service module 5012 is connected to the portal module 5011; it verifies administrator roles and user roles, implements creation of the virtual organization and its policy configuration, user management, role management and permission management, and generates a separate database for each virtual organization according to its creation requirements. The operation service module 5013 is connected to the configuration service module 5012; it runs the service process that provides read operations on the virtual organization database and offers the user a query interface when the user issues a query or fetch instruction.
Further still, the virtual organization O&M device 502 comprises an initial autonomous domain 5021 and a target autonomous domain 5022. The initial autonomous domain 5021 is connected to the operation service module 5013 and provides command-line tools such as attribute certificate request and proxy certificate creation, generating the attribute certificates the resource requester needs according to the application's requirements. The target autonomous domain 5022 is an autonomous domain that has joined the virtual organization; it is used by the resource provider, verifies the resource requester's attribute certificate and capability certificate, and performs authorization enforcement and decision.
In combination with this virtual organization structure, the operation of the virtual organization is specifically as follows:
On the virtual organization management device 501 side:
Step 51: an administrator or user of the virtual organization logs in through the portal module 5011 by entering identity information, which comprises a user name, a password and a verification code, or logs in with an identity certificate;
Step 52: the configuration service module 5012 compares the hash value of the identity information entered by the user with the user's record in the database, or verifies the user's identity certificate over the HTTPS protocol, generates the verification result and saves it in the interactive session;
Step 53: if the verification result is the passed state, the configuration service module 5012 receives the operation commands of the portal module 5011 and performs operations such as creating, deleting and configuring the databases of the different virtual organizations. The configuration operations of the configuration service module 5012 mainly comprise users joining and leaving, creation and destruction of user groups and roles, and assignment of the user-to-group/role mapping policy.
On the virtual organization O&M device 502 side:
Step 54: the user first performs mutual identity authentication with the operation service module 5013 through the initial autonomous domain 5021 over a GSS-API secure session, establishes the secure session context, and configures the attribute certificate acquisition parameter table, specifying the role types for which certificates are to be obtained, and so on;
Step 55: the operation service module 5013 reads the request instruction from the user's initial autonomous domain, queries the information in the designated virtual organization database, and returns the attribute information the user requires (signed with the certificate of the operation service module 5013);
Step 56: the initial autonomous domain 5021 initiates a resource access request to the target autonomous domain 5022, establishes a secure session with the target autonomous domain 5022, and carries the attribute certificate of the virtual organization being requested;
Step 57: the target autonomous domain 5022 verifies the identity attribute information of the initial autonomous domain and makes the final authorization decision on the resource access request according to its local security policy.
The virtual organization structure provided by this embodiment realizes, through its own virtual organization management device and virtual organization O&M device, the operation of the entire virtual organization built on the basis of distributed policy verification, and has the characteristics of high security and high operational efficiency.
After the virtual organization has been built, over the life cycle of its management, from establishment through the execution of the organization's tasks, the first-level mapping policies in the virtual organization coordination policy and the policies of the individual autonomous domains may change at any time, and autonomous domains may join or leave at any time; every such change requires re-evaluating whether the virtual organization coordination policy is still trustworthy. With reference to Fig. 6, a schematic diagram of the server allocation of a reliable virtual organization, this embodiment takes as its background an autonomous domain 2, containing autonomous domain server 602, joining a virtual organization 1 built on the basis of distributed policy verification, and describes the management process of the virtual organization over the autonomous domain policies and the virtual organization server policy within the coordination policy, specifically:
Step 61: the autonomous domain server 602 in autonomous domain 2 sends a join request to the virtual organization server 601 of virtual organization 1, and sends the public part of the autonomous domain policy stored in autonomous domain server 602 to the virtual organization server 601;
Step 62: virtual organization 1 authenticates the identity of the newly joining autonomous domain 2 through that public information and, after verification such as access control succeeds, sends coordination policy update and re-evaluation requests to the autonomous domain servers 603 to 605 of autonomous domains 3 to 5;
Step 63: each of the autonomous domain servers 603 to 605 of autonomous domains 3 to 5 evaluates its own autonomous domain policy and returns the evaluation result. If the evaluation result for an autonomous domain 3 to 5 shows no conflict, it returns OK. If there is a conflict and the conflict handling policy is "cooperation first", the autonomous domain policy of the conflicting autonomous domain is modified until the evaluation succeeds. If the handling policy is "autonomous domain first", the autonomous domain reports the specific conflict to the virtual organization server 601;
Step 64: after the virtual organization server 601 receives the return messages of each autonomous domain, including those from autonomous domain servers 603 to 605, if it receives an "autonomous domain first" conflict resolution suggestion from some autonomous domain, the virtual organization decides according to its pre-configuration whether to modify its own autonomous domain policy; if it modifies the policy, the process repeats from step 62. If the virtual organization coordination policy is verified to be trustworthy, that is, the security evaluation results of all autonomous domains succeed, the virtual organization notifies the domains, including autonomous domain 2, that the join succeeded.
In the virtual organization, other operations such as an autonomous domain leaving or updating its policy follow a procedure similar to the one above and are not repeated here.
Further, this embodiment explains how, after the virtual organization has been built, a user using the virtual organization is authorized within it. The authorization can be divided into three processes: role assignment in the initial autonomous domain the user belongs to, virtual organization role assignment at the virtual organization server, and role assignment in the target autonomous domain, specifically:
Step 71: the user sends an external role query request to the autonomous domain server it belongs to in the initial autonomous domain; the autonomous domain server signs the set of all open roles associated with the user (the autonomous domain server's signature is used by the virtual organization server and the target autonomous domain to verify the validity of each mapping policy chain), forms a credential and sends it to the user;
Step 72: the user sends a virtual organization role assignment request to the virtual organization server; the virtual organization server, by querying the virtual organization coordination policy, signs the set of roles the user holds under the virtual organization, generates a credential and sends it to the user;
Step 73: for a user of the virtual organization, the initial autonomous domain forwards the user's roles under the virtual organization to its internal autonomous domain server; the autonomous domain server of the initial autonomous domain checks the validity of the mapping policy chain, assigns the user a role in the target autonomous domain and forwards it to the autonomous domain server of the target autonomous domain; the autonomous domain server of the target autonomous domain then authorizes the user. If the authorization result is "allow", the target autonomous domain permits the user's resource request; if the result is "deny" or "indeterminate", the target autonomous domain refuses the user's resource request.
This embodiment provides a combined authorization protocol for a virtual organization user joining the virtual organization, constrains the trust level of the virtual organization user, and improves the efficiency of authorizing VO users who join the virtual organization.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention may still be modified or equivalently replaced, and that such modifications or equivalent replacements do not cause the modified technical solution to depart from the spirit and scope of the technical solution of the present invention.
Claims (4)
1. A reliable virtual organization construction method based on distributed policy verification, characterized in that it comprises:
establishing, through a virtual organization server, a mapping policy between an initial autonomous domain and a target autonomous domain, and storing the mapping policy, the virtual organization server being included in the initial autonomous domain or the target autonomous domain;
customizing a virtual organization coordination policy according to the mapping policy, the initial autonomous domain policy, the virtual organization server policy and the target autonomous domain policy;
verifying in a distributed manner, according to the validity rules of the virtual organization coordination policy, whether the virtual organization coordination policy is trustworthy, and if so, constructing the reliable virtual organization according to the virtual organization coordination policy;
wherein establishing, through the virtual organization server, the mapping policy between the initial autonomous domain and the target autonomous domain, and storing the mapping policy, comprises:
the mapping policy being a role-hierarchy-based mapping policy comprising a first-level mapping policy and a second-level mapping policy;
establishing the first-level mapping policy from a designated role in the initial autonomous domain to a designated role in the virtual organization server, and storing it in the virtual organization server;
establishing the second-level mapping policy from the designated role in the virtual organization server to a designated role in the target autonomous domain, and storing it in the initial autonomous domain;
establishing, according to the first-level mapping policy and the second-level mapping policy, the role-hierarchy-based mapping policy from the designated role in the initial autonomous domain to the designated role in the target autonomous domain;
wherein customizing the virtual organization coordination policy according to the mapping policy, the initial autonomous domain policy, the virtual organization server policy and the target autonomous domain policy comprises:
the initial autonomous domain policy comprising the role hierarchy inheritance relation of the initial autonomous domain;
the virtual organization server policy comprising the role hierarchy inheritance relation of the virtual organization server;
the target autonomous domain policy comprising the role hierarchy inheritance relation of the target autonomous domain;
customizing the virtual organization coordination policy according to the first-level mapping policy, the second-level mapping policy, and the role hierarchy inheritance relations of the initial autonomous domain, the virtual organization server and the target autonomous domain;
wherein verifying in a distributed manner, according to the validity rules of the virtual organization coordination policy, whether the virtual organization coordination policy is trustworthy comprises:
the validity rules of the virtual organization coordination policy comprising a first rule and a second rule;
the first rule being that, in the mapping policy between the initial autonomous domain and the target autonomous domain, any one mapping policy chain comprises at least one designated role in the virtual organization server, and comprises one designated role in the initial autonomous domain and one designated role in the target autonomous domain;
the second rule being that the designated roles are included in the closure set constituted by the initial autonomous domain, the virtual organization server and the target autonomous domain, and that there is no direct mapping policy from a designated role in the initial autonomous domain to a designated role in the target autonomous domain;
verifying in a distributed manner, according to the first rule and the second rule, whether the virtual organization coordination policy is trustworthy;
wherein the distributed verification of the virtual organization coordination policy comprises:
obtaining the virtual organization server closure set from the virtual organization server policy using the Warshall algorithm;
obtaining the initial autonomous domain closure set from the initial autonomous domain policy using the Warshall algorithm;
obtaining the target autonomous domain closure set from the target autonomous domain policy using the Warshall algorithm;
generating the complete set of mapping policies from the initial autonomous domain closure set, the target autonomous domain closure set, the virtual organization server closure set, the first-level mapping policy and the second-level mapping policy;
judging whether the complete set of mapping policies contains a mapping policy chain that violates the first rule and/or the second rule, and if so, the virtual organization coordination policy is untrustworthy.
2. The reliable virtual organization construction method based on distributed policy verification according to claim 1, characterized in that a mapping policy chain violating the first rule comprises:
at least one designated role in the virtual organization server, together with a designated role in the initial autonomous domain and another designated role in the initial autonomous domain.
3. The reliable virtual organization construction method based on distributed policy verification according to claim 1, characterized in that a mapping policy chain violating the second rule comprises:
a designated role in the initial autonomous domain mapping directly to a designated role in the target autonomous domain without passing through a designated role in the virtual organization server.
4. A reliable virtual organization construction device based on distributed policy verification, characterized in that it comprises:
a mapping policy module, for establishing, through a virtual organization server, a mapping policy between an initial autonomous domain and a target autonomous domain, and storing the mapping policy;
a customization module, connected to the mapping policy module, for customizing a virtual organization coordination policy according to the mapping policy, the initial autonomous domain policy, the virtual organization server policy and the target autonomous domain policy;
a distributed verification module, connected to the customization module, for verifying in a distributed manner, according to the validity rules of the virtual organization coordination policy, whether the virtual organization coordination policy is trustworthy;
a construction module, connected to the distributed verification module, for constructing the reliable virtual organization according to the virtual organization coordination policy if the distributed verification finds the coordination policy trustworthy;
wherein the mapping policy module comprises:
a first-level mapping policy unit, for establishing the first-level mapping policy from a designated role in the initial autonomous domain to a designated role in the virtual organization server, and storing it in the virtual organization server;
a second-level mapping policy unit, for establishing the second-level mapping policy from the designated role in the virtual organization server to a designated role in the target autonomous domain, and storing it in the initial autonomous domain;
a hierarchical mapping policy unit, connected to the first-level mapping policy unit and the second-level mapping policy unit, for establishing, according to the first-level mapping policy and the second-level mapping policy, the role-hierarchy-based mapping policy from the designated role in the initial autonomous domain to the designated role in the target autonomous domain;
wherein the customization module is further for customizing the virtual organization coordination policy according to the first-level mapping policy, the second-level mapping policy, and the role hierarchy inheritance relations of the initial autonomous domain, the virtual organization server and the target autonomous domain, the initial autonomous domain policy comprising the role hierarchy inheritance relation of the initial autonomous domain, the virtual organization server policy comprising the role hierarchy inheritance relation of the virtual organization server, and the target autonomous domain policy comprising the role hierarchy inheritance relation of the target autonomous domain;
wherein the distributed verification module is further for verifying in a distributed manner, according to a first rule and a second rule, whether the virtual organization coordination policy is trustworthy, the validity rules of the virtual organization coordination policy comprising the first rule and the second rule; the first rule being that, in the mapping policy between the initial autonomous domain and the target autonomous domain, any one mapping policy chain comprises at least one designated role in the virtual organization server, and comprises one designated role in the initial autonomous domain and one designated role in the target autonomous domain; and the second rule being that the designated roles are included in the closure set constituted by the initial autonomous domain, the virtual organization server and the target autonomous domain, and that there is no direct mapping policy from a designated role in the initial autonomous domain to a designated role in the target autonomous domain;
wherein the distributed verification module is further for obtaining the virtual organization server closure set from the virtual organization server policy using the Warshall algorithm; obtaining the initial autonomous domain closure set from the initial autonomous domain policy using the Warshall algorithm; obtaining the target autonomous domain closure set from the target autonomous domain policy using the Warshall algorithm; generating the complete set of mapping policies from the initial autonomous domain closure set, the target autonomous domain closure set, the virtual organization server closure set, the first-level mapping policy and the second-level mapping policy; and judging whether the complete set of mapping policies contains a mapping policy chain that violates the first rule and/or the second rule, and if so, the virtual organization coordination policy is untrustworthy.
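As an added illustration of the verification in claims 1 to 3 (example code written for this page, not the patent's own implementation): each party closes its own role hierarchy with Warshall's algorithm, the complete set of mapping policy chains is enumerated from the three closures plus the first- and second-level mappings, and every chain is tested against the first rule (read here as: the domain order along a chain must be exactly initial, server, target) and the second rule (every mapped role belongs to the closure set, and no mapping goes directly from the initial domain to the target domain). The role names, hierarchies and mapping policies are constructed, and the three sample policies mirror the trusted case, the claim 3 violation and the claim 2 violation.

```python
"""Trust check for a VO coordination policy in the style of claims 1 to 3.
Added example, not the patent's code; roles and policies are constructed."""
from dataclasses import dataclass, field

INITIAL, SERVER, TARGET = "initial", "server", "target"


@dataclass
class CoordinationPolicy:
    domain: dict                                # role -> domain it belongs to
    inherits: set = field(default_factory=set)  # (senior, junior) inside one domain
    level1: set = field(default_factory=set)    # (initial role, VO server role)
    level2: set = field(default_factory=set)    # (VO server role, target role)


def warshall_closure(roles, edges):
    """Reflexive-transitive closure of `edges` over `roles` (Warshall's algorithm)."""
    roles = list(roles)
    idx = {r: i for i, r in enumerate(roles)}
    n = len(roles)
    reach = [[i == j for j in range(n)] for i in range(n)]
    for a, b in edges:
        reach[idx[a]][idx[b]] = True
    for k in range(n):
        for i in range(n):
            if reach[i][k]:
                for j in range(n):
                    if reach[k][j]:
                        reach[i][j] = True
    return {(a, b) for a in roles for b in roles if reach[idx[a]][idx[b]]}


def domain_closures(policy):
    """One closure per domain, each computed locally from that domain's own inheritance."""
    out = {}
    for d in (INITIAL, SERVER, TARGET):
        roles = [r for r, dom in policy.domain.items() if dom == d]
        edges = {(a, b) for a, b in policy.inherits if a in roles and b in roles}
        out[d] = warshall_closure(roles, edges)
    return out


def mapping_chains(policy):
    """Complete set of mapping policy chains: from every initial-domain role,
    inherit inside the current domain (its closure), take a mapping hop, and
    repeat until no hop is left. A chain is the tuple of roles visited."""
    closures = domain_closures(policy)
    mappings = policy.level1 | policy.level2
    chains = set()

    def walk(chain):
        here = chain[-1]
        extended = False
        for a, b in closures[policy.domain[here]]:
            if a != here:
                continue
            for src, dst in mappings:
                # unknown roles are reported by violations(); cycles are cut here
                if src == b and dst in policy.domain and dst not in chain:
                    walk(chain + ((b,) if b != here else ()) + (dst,))
                    extended = True
        if not extended and len(chain) > 1:
            chains.add(chain)

    for role, dom in policy.domain.items():
        if dom == INITIAL:
            walk((role,))
    return chains


def violations(policy):
    """(rule, offending mapping or chain) pairs; an empty list means trusted."""
    found = []
    for src, dst in policy.level1 | policy.level2:
        if src not in policy.domain or dst not in policy.domain:
            found.append(("rule2-unknown-role", (src, dst)))    # outside the closure set
        elif policy.domain[src] == INITIAL and policy.domain[dst] == TARGET:
            found.append(("rule2-direct-mapping", (src, dst)))  # claim 3
    for chain in mapping_chains(policy):
        doms = [policy.domain[r] for r in chain]
        order = [d for i, d in enumerate(doms) if i == 0 or d != doms[i - 1]]
        if order != [INITIAL, SERVER, TARGET]:                  # rule 1, e.g. claim 2
            found.append(("rule1", chain))
    return found


def is_trusted(policy):
    return not violations(policy)


def base_policy():  # constructed: initial domain A, VO server VO, target domain B
    return CoordinationPolicy(
        domain={"A.staff": INITIAL, "A.lead": INITIAL, "VO.member": SERVER,
                "VO.admin": SERVER, "B.guest": TARGET, "B.reader": TARGET},
        inherits={("A.lead", "A.staff"), ("VO.admin", "VO.member"), ("B.reader", "B.guest")},
        level1={("A.staff", "VO.member"), ("A.lead", "VO.admin")},
        level2={("VO.member", "B.guest"), ("VO.admin", "B.reader")},
    )


TRUSTED_POLICY = base_policy()
DIRECT_MAPPING_POLICY = base_policy()  # claim 3: initial role mapped straight to a target role
DIRECT_MAPPING_POLICY.level1.add(("A.staff", "B.guest"))
LOOPBACK_POLICY = base_policy()        # claim 2: chain leaves the VO server back into domain A
LOOPBACK_POLICY.level2.add(("VO.member", "A.staff"))
```

Calling `violations(p)` on each sample returns an empty list for the trusted policy and the offending mapping or chain for the other two, which is the information a domain would report back in step 63.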
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100879874A CN101594386B (en) | 2009-06-29 | 2009-06-29 | Method and device for constructing reliable virtual organization based on distributed strategy verification |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101594386A CN101594386A (en) | 2009-12-02 |
CN101594386B true CN101594386B (en) | 2012-07-04 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20120704; Termination date: 20170629 |