CN113688376A - Tenant authority control method for realizing container cloud platform based on CMDB system and RBAC model - Google Patents
Tenant authority control method for realizing container cloud platform based on CMDB system and RBAC model
- Publication number: CN113688376A (application CN202110799992.9A)
- Authority: CN (China)
- Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Classifications
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
    - G06F21/45—Structures or tools for the administration of authentication
    - G06F21/31—User authentication; G06F21/33—User authentication using certificates
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F2221/2113—Multi-level security, e.g. mandatory access control
  - G06F2221/2117—User registration
  - G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention relates to a tenant permission control method for a container cloud platform based on a CMDB system and an RBAC model. The method comprises: establishing a unified permission management platform; using the CMDB system to assign the operation and maintenance role permissions of an application system to a user; having the unified permission management platform obtain the CMDB user information and the associations among users, application systems and operation and maintenance roles, and generate a permission matrix list; and, for a user logging in to any container cloud platform, judging on the basis of the permission matrix list whether the permission requirements are met, so as to realize tenant permission control. Compared with the prior art, the invention achieves centralized management and unified authorization, reduces the complexity of authorization operations and the management overhead, and integrates flexibly with existing systems.
Description
Technical Field
The invention relates to the technical field of container cloud platforms, in particular to a tenant permission control method for a container cloud platform based on a CMDB system and an RBAC model.
Background
Cloud computing is a form of distributed computing that provides on-demand computing to individuals and enterprise users through networked, heterogeneous and autonomous services. Resources can be provisioned and released rapidly, which greatly reduces the effort of resource management and of operation and maintenance, and lowers cost. While cloud computing has developed vigorously, container technologies represented by Docker have received attention and come into gradual use, and a container ecosystem has formed around them, including image storage, container engines, monitoring, logging, networking, storage and scheduling. The formation of this ecosystem in turn promoted the container cloud, which takes the container as the unit of resource partitioning and scheduling, encapsulates the whole software runtime environment, and provides developers and system administrators with a platform for building, publishing and running distributed applications; the container cloud is dedicated to resource sharing and isolation, container orchestration and deployment, and the like.
At present, different container cloud platforms have independent permission management modules, and permission control is implemented as follows: 1. an administrator creates roles in each container cloud platform and initializes permission lists according to each platform's own permission matrix; 2. the administrator initializes user information on each platform and initializes the user-role associations; 3. onboarding a new user requires the administrator to add the user manually on each container cloud platform, configure the user's roles, and maintain the user information in each platform's own database; 4. after a user logs in to a platform, all application system resources are visible, and the user selects the application system they are responsible for and then operates on it; 5. a user who needs to access different platforms through their APIs must log in to each platform separately to obtain each platform's authentication token.
In the existing scheme, therefore, an administrator has to maintain separate user information, role information and permission lists across multiple container cloud platforms; the whole process is manual, and the configuration is cumbersome and redundant. In addition, user information has to be maintained manually in each platform's database by the administrator, which is costly, cannot be integrated with the enterprise's internal user management system, and lacks secure authentication. Further, once a user has logged in to a platform, all application systems can be viewed and operated on: a finer-grained association between users and application systems is not possible, so multi-tenant resource isolation of the container cloud platform cannot be achieved. The existing scheme also cannot handle scenarios such as a user leaving the company, an application system going offline or the person responsible for an application system changing, and its permission management cannot update user permission information automatically. Finally, users who access different platforms through their APIs must log in to each container cloud platform separately, which increases the complexity of user operations.
Disclosure of Invention
The invention aims to overcome the defects in the prior art and provide a tenant permission control method for a container cloud platform based on a CMDB system and an RBAC model.
The purpose of the invention is achieved by the following technical scheme:
A tenant permission control method for a container cloud platform based on a CMDB system and an RBAC model comprises the steps of creating a unified permission management platform, assigning the operation and maintenance role permissions of an application system to users through the CMDB system, obtaining the CMDB user information and the associations among users, application systems and operation and maintenance roles through the unified permission management platform, generating a permission matrix list, and, for a user logging in to any container cloud platform, judging on the basis of the permission matrix list whether the permission requirements are met, so as to achieve tenant permission control.
When a user account logs in to any container cloud platform, the unified permission management platform checks the account password; if the password check passes, it judges, on the basis of the permission matrix list generated from the CMDB, whether role and application system information has been assigned to the user; if so, the user's permissions and an authentication token are returned and the user is allowed to log in; otherwise the user's permissions are judged insufficient.
After the user has logged in successfully and accesses a container cloud platform page, the platform judges, from the current user's permissions returned by the unified permission management platform, whether the user holds the relevant application group and role matrix permissions. If so, the relevant function is executed, the front end is controlled to display only the page elements that fall within the user's permissions, and the container cloud platform authenticates the user's operations and the resources accessed; if not, the front-end page is controlled to prompt the user that they do not have permission for the current operation.
The permission matrix list is generated by the following steps:
a1) the unified permission management platform integrates with the CMDB system to obtain the CMDB user information and the associations among users, application systems and operation and maintenance roles;
a2) the unified permission management platform obtains the application system, application responsible person, first application operation and maintenance, second application operation and maintenance and application state data maintained by the CMDB system, automatically configures the user data of the container cloud platform, and generates a permission matrix list that relates page permissions, operation permissions and data permissions;
a3) when the application responsible person or application operation and maintenance information changes in the CMDB, or an application goes offline, the unified permission management platform synchronizes the CMDB change data, updates the user permission information automatically, and thereby automatically updates the content of the permission matrix list.
The specific steps for judging, on the basis of the permission matrix list, whether a user logging in to any container cloud platform meets the permission requirements are:
b1) initializing the platform permission list from the permission matrix and configuring the permission menus of the different container cloud platforms on the basis of the permission matrix list. Specifically:
the permission matrix list is obtained, a relation table of the page permissions, operation permissions and data permissions of each role on each container cloud platform is configured, the permission menus of the different container cloud platforms are configured on the basis of the permission matrix list, the permission list of each container cloud platform is configured according to its actual permission matrix, and each permission is stored in the ac_menu data table.
b2) initializing role permissions from the permission matrix and assigning container cloud platform permissions. Specifically:
the container cloud platform users are divided into five roles (administrator, operation and maintenance, development, test and ordinary visitor); the roles are initialized, the container cloud platform permissions owned by each role are configured, the association between each role and its permission list is stored in the ac_role_menu data table, and the role information itself is stored in the ac_role data table.
b3) calling the CMDB system at regular intervals, obtaining user names and application systems, and initializing user permissions.
b4) initializing user permissions according to a work order submitted by the user. Specifically:
b41) the user applies for container cloud platform permissions, and the container cloud platform's operation and maintenance staff configure the role permissions corresponding to the work order on the permission management platform;
b42) the user table is queried by user name to check whether the user exists, and if not, the user is added;
b43) the user-role association table is queried by user name and application system to check whether the user has already been assigned the application system role applied for; if so, the user is told that the permission assignment failed, and if not, the permission for the corresponding application system is assigned to the user and the user is told that the assignment succeeded.
b5) the user logs in to the container cloud platform, and the container cloud platform calls the unified permission management platform to verify the logged-in user's permissions. Specifically:
b51) the user logs in to a container cloud platform with a user name and password;
b52) the container cloud platform calls the unified permission management platform, which calls LDAPS with the user name and password to verify them; if they are incorrect, an error is returned to the container cloud platform; if they are correct, the user's application system role permission information is obtained, a unique user token is generated, and the token and the application system role permission information are returned to the container cloud platform;
b53) the container cloud platform renders the front-end page according to the permission list, and the front end displays the pages and request buttons the user has permission for;
b54) when a request button is clicked on the container cloud platform and a request is sent to the back end, the back end first intercepts the request and, from the user token in the request header, judges whether the user holds the permission for the current interface; if not, a permission verification failure message is returned; if so, the request enters the back-end logic and, after processing, the processed data is returned.
Further, the unified permission management platform obtains the CMDB user information and the associations among users, application systems and operation and maintenance roles in either manual or automatic mode.
Compared with the prior art, the tenant permission control method for a container cloud platform based on a CMDB system and an RBAC model has at least the following beneficial effects:
1) the invention combines the unified permission management platform with the enterprise's existing CMDB system, provides both automatic and manual synchronization for maintaining user data, and extracts the permission management module out of each container cloud platform; through the association between the CMDB and the permission management platform it achieves centralized management and unified authorization, reduces the complexity of authorization operations and the management overhead, integrates flexibly with existing systems, and lets a user access any platform after a single login;
2) the system is based on the RBAC permission model; container cloud platform users are divided into five roles (administrator, operation and maintenance, development, test and ordinary visitor), so the RBAC-based permission model implements multi-tenant permission management of the container cloud platform and effectively isolates container platform resources;
3) the unified permission management platform integrates with the enterprise's user management system (the CMDB system), which improves the security of user login;
4) the permission management platform is combined with the CMDB system, which maintains the application responsible person, the first and second application operation and maintenance owners and the application system itself; the correspondence between users and application systems is obtained dynamically from the CMDB, forming a mapping between the CMDB permission model and the container cloud platform permission model, so that finer-grained permission control can be realized.
Drawings
FIG. 1 is a schematic flowchart of the tenant permission control method for a container cloud platform based on a CMDB system and an RBAC model according to an embodiment of the invention;
FIG. 2 is a flowchart of the permission matrix list generation step of the method in an embodiment;
FIG. 3 is a flowchart of the permission verification steps of the method in an embodiment;
FIG. 4 is a reference example of the permission tables in the embodiment.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments. It is to be understood that the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments that a person skilled in the art can obtain from these embodiments without inventive effort fall within the scope of protection of the invention.
Examples
The RBAC (Role-Based Access Control) model is the most widely used permission management model. In RBAC a user is no longer connected directly to permissions but is granted them indirectly through the attribute "role": permissions are assigned to roles, and a user acquires the permissions inherent in a role by being given that role, which decouples users from permissions. Management is thereby layered: roles are given to users, permissions are designed clearly and managed conveniently, and permission management is greatly simplified.
A CMDB (Configuration Management Database) is a logical database containing information about the full life cycle of configuration items and the relationships between them (physical relationships, real-time and non-real-time communication relationships, and dependency relationships). The CMDB stores and manages the configuration information of the equipment in an enterprise's IT architecture, is closely connected with all service support and service delivery processes, supports the operation of those processes, and realizes the value of the configuration information while relying on the related processes to keep the data accurate.
Building on the advantages of the CMDB system and the RBAC model, the invention provides a tenant permission control method for a container cloud platform based on a CMDB (Configuration Management Database) system and an RBAC (Role-Based Access Control) model. The main flow is shown in FIG. 1:
A user account logs in to any container cloud platform, and the unified permission management platform checks the account password, preferably using LDAPS authentication. If LDAPS authentication passes, the platform judges, on the basis of the permission matrix list generated from the CMDB, whether role and application system information has been assigned to the user: specifically, whether the current user exists and whether role and application system information has been assigned. If so, the user's permissions and an authentication token are returned and the user is allowed to log in; otherwise the user's permissions are judged insufficient.
After the user has logged in successfully and accesses a container cloud platform page, the platform judges, from the current user's permissions returned by the unified permission management platform, whether the user holds the relevant application group and role matrix permissions. If so, the relevant function is executed; where a page jump is needed, the front end displays only the page elements that fall within the user's permissions, and the container cloud platform authenticates the user's operations and the resources accessed. If not, the front-end page is controlled to prompt the user that they do not have permission for the current operation.
That is, the method mainly comprises generating the permission matrix list and verifying permissions.
The permission matrix list is generated by the steps shown in FIG. 2:
1.1) the unified permission management platform is combined with the enterprise's CMDB operation and maintenance automation system and obtains, in manual or automatic mode, the CMDB user information and the associations among users, application systems and operation and maintenance roles;
1.2) the unified permission management platform obtains the application system, application responsible person, first application operation and maintenance, second application operation and maintenance, application state and similar data maintained by the CMDB system, automatically configures the user data of the container cloud platform, and generates a permission matrix list that relates page permissions, operation permissions and data permissions;
1.3) when the application responsible person or application operation and maintenance information changes in the CMDB, or an application goes offline, the unified permission management platform synchronizes the CMDB change data, updates the user permission information automatically, and thereby automatically updates the content of the permission matrix list.
FIG. 3 is a flowchart of the permission verification step of the method. The detailed process of the embodiment is divided into two stages, described below with reference to the drawings.
First stage: permission data management
1. Initializing the platform permission list from the permission matrix and configuring the permission menus of the different container cloud platforms on the basis of the permission matrix list.
The permission matrix list is obtained; it is the relation table of the page permissions, operation permissions and data permissions owned by each role on each container cloud platform. The permission menus of the different container cloud platforms are configured on the basis of the permission matrix list. Since several container cloud platforms exist at present, the permission list of each platform is configured according to its actual permission matrix, and each permission is stored in the ac_menu data table.
2. Initializing role permissions from the permission matrix and assigning platform permissions
The container cloud platform users are divided into five roles: administrator, operation and maintenance, development, test and ordinary visitor. The roles are initialized and the container cloud platform permissions owned by each role are configured; roles can be initialized in one step by importing the permission matrix list maintained by the administrator. Role permissions can be updated or deleted, for example a particular interface permission can be added to or removed from a role. The association between each role and its permission list is stored in the ac_role_menu data table, and the role information itself in the ac_role data table.
3. Calling the Configuration Management Database (CMDB) at regular intervals, obtaining user names and application systems, and initializing user permissions.
3.1) Daily scheduled synchronization of users and application systems from the operation and maintenance automation management platform (CMDB)
The application responsible person, first operation and maintenance, second operation and maintenance and application system are synchronized daily from the operation and maintenance automation management platform (CMDB). CMDB data changes continuously: new employees join, employees leave, application systems go online and offline, and the operation and maintenance responsible person, first operation and maintenance or second operation and maintenance are updated.
3.2) Synchronizing the operation and maintenance role permissions of users and application systems
The old data from the previous synchronization is deleted, the permissions of the users obtained in this synchronization are initialized, and the operation and maintenance role permissions of the application systems are assigned to those users. The user-role permission associations are stored in the ac_app_user_role data table.
4. Initializing user permissions according to a work order submitted by the user
4.1) Adding user roles according to the user's application
The user applies for container cloud platform permissions, and the container cloud platform's operation and maintenance staff configure the role permissions corresponding to the work order on the permission management platform.
4.2) Checking whether the user exists
The user table is queried by user name to check whether the user exists, and if not, the user is added.
4.3) Checking whether the user has already been assigned the application system role
The user-role association table is queried by user name and application system to check whether the user has already been assigned the application system role applied for. If so, the user is told that the permission assignment failed; if not, the permission for the corresponding application system is assigned to the user and the user is told that the assignment succeeded.
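The following is an added example, not the patent's own code, of steps 3 and 4 above: a daily CMDB synchronization that discards the previous synchronization's grants and rebuilds ac_app_user_role from a CMDB snapshot (so that offline applications and changed responsible persons lose their grants), alongside the work-order grant with its "already assigned" check. The ac_* tables are modelled in memory; the mapping of the CMDB fields (responsible person, first and second operation and maintenance) onto platform roles and the `source` column that keeps work-order grants apart from synchronized ones are assumptions, since the patent does not specify them.

```python
"""Permission-matrix maintenance for the unified permission management platform.

Added example, not the patent's own code. The ac_app, ac_user, ac_role and
ac_app_user_role tables of the patent are modelled as in-memory Python sets;
CMDB_FIELD_TO_ROLE and the 'source' column are assumptions, not patent content.
"""
from dataclasses import dataclass, field

# Assumed mapping from CMDB ownership fields to platform roles (not in the patent).
CMDB_FIELD_TO_ROLE = {
    "responsible": "administrator",
    "first_ops": "operation_and_maintenance",
    "second_ops": "operation_and_maintenance",
}


@dataclass
class PermissionDB:
    ac_app: set[str] = field(default_factory=set)    # application system table
    ac_user: set[str] = field(default_factory=set)   # user information table
    ac_role: set[str] = field(default_factory=set)   # user role table
    # rows are (app, user, role, source); source is "cmdb" or "workorder" (assumption)
    ac_app_user_role: set[tuple[str, str, str, str]] = field(default_factory=set)

    def grants_for(self, user: str) -> set[tuple[str, str]]:
        """All (app, role) pairs currently assigned to a user, whatever their source."""
        return {(app, role) for app, u, role, _ in self.ac_app_user_role if u == user}


def sync_from_cmdb(db: PermissionDB, cmdb_apps: list[dict]) -> int:
    """Step 3: drop last synchronization's grants and rebuild them from a CMDB snapshot.

    cmdb_apps holds CMDB application records with the keys
    name, state ("online"/"offline"), responsible, first_ops, second_ops.
    Returns the number of grants created in this run.
    """
    # 3.2: delete the old data synchronized last time; work-order grants are kept.
    db.ac_app_user_role = {row for row in db.ac_app_user_role if row[3] != "cmdb"}
    created = 0
    for app in cmdb_apps:
        if app["state"] != "online":
            continue  # application offline: its owners receive no grants this round
        db.ac_app.add(app["name"])
        for cmdb_field, role in CMDB_FIELD_TO_ROLE.items():
            user = app.get(cmdb_field)
            if not user:
                continue
            db.ac_user.add(user)   # automatically configure the platform's user data
            db.ac_role.add(role)
            row = (app["name"], user, role, "cmdb")
            if row not in db.ac_app_user_role:
                db.ac_app_user_role.add(row)
                created += 1
    return created


def grant_by_work_order(db: PermissionDB, user: str, app: str, role: str) -> bool:
    """Step 4: manual grant from a work order.

    Returns True when the permission is assigned, False when the user already
    held that application-system role (the patent's 'assignment failed' prompt).
    """
    db.ac_user.add(user)   # 4.2: add the user if missing
    db.ac_app.add(app)
    db.ac_role.add(role)
    # 4.3: already assigned under any source -> assignment fails
    if any(a == app and u == user and r == role for a, u, r, _ in db.ac_app_user_role):
        return False
    db.ac_app_user_role.add((app, user, role, "workorder"))
    return True


# Constructed CMDB snapshots (sample data, not real systems or people).
CMDB_DAY1 = [
    {"name": "billing", "state": "online", "responsible": "alice",
     "first_ops": "bob", "second_ops": "carol"},
    {"name": "crm", "state": "online", "responsible": "dave",
     "first_ops": "erin", "second_ops": ""},
]
# Day 2: crm goes offline and billing's responsible person changes from alice to frank.
CMDB_DAY2 = [
    {"name": "billing", "state": "online", "responsible": "frank",
     "first_ops": "bob", "second_ops": "carol"},
    {"name": "crm", "state": "offline", "responsible": "dave",
     "first_ops": "erin", "second_ops": ""},
]


def demo() -> PermissionDB:
    """Two daily synchronizations with a work-order grant in between."""
    db = PermissionDB()
    sync_from_cmdb(db, CMDB_DAY1)
    grant_by_work_order(db, "grace", "billing", "test")   # manual grant via work order
    sync_from_cmdb(db, CMDB_DAY2)                          # next day's synchronization
    return db


if __name__ == "__main__":
    db = demo()
    for user in sorted(db.ac_user):
        print(user, sorted(db.grants_for(user)))
```

After the second synchronization alice and dave hold no grants (responsibility moved, application offline), frank holds billing's administrator role, and grace's work-order grant is untouched.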
Second stage: container cloud platform front-end and back-end permission control
5. User login to the container cloud platform
5.1) The user logs in to a container cloud platform with a user name and password
The user logs in to the different container cloud platforms with a user name and password.
5.2) The container cloud platform calls the unified permission management platform
The container cloud platform calls the unified permission management platform for verification; the platform calls LDAPS with the user name and password to verify them, and if they are incorrect an error is returned to the container cloud platform. If they are correct, the user's application system role permission information is obtained, a unique user token is generated, and the token and the application system role permission information are returned to the container cloud platform.
5.3) The container cloud platform renders the page according to the permission information
The container cloud platform renders the front-end page according to the permission list, and the front end displays the pages and buttons the user has permission for.
5.4) Front-end and back-end interaction of the container cloud platform
When a button is clicked on the container cloud platform and a request is sent to the back end, the back end first intercepts the request and, from the user token in the request header, judges whether the user holds the permission for the current interface. If not, a user permission verification failure message is returned; if so, the request enters the back-end logic and, after processing, the processed data is returned.
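The second stage above (and steps b51 to b54 of the disclosure) as an added example, not the patent's own code: login verifies the credentials, checks that the user exists and holds an application system role, derives the permission list through ac_role_menu and ac_menu, and issues a token; the back-end interceptor then resolves the token from the request header and checks the permission guarding the requested interface. LDAPS is replaced by a constructed in-memory directory, tokens are opaque random values in a server-side session store, and the "interface" column on ac_menu is an assumption.

```python
"""Login verification and back-end interception for the container cloud platform.

Added example, not the patent's own code. The ac_* tables and the directory are
constructed sample data; the interface column in AC_MENU, the header name
X-User-Token and the server-side session store are assumptions.
"""
import hmac
import secrets

# Constructed ac_user, ac_app_user_role, ac_menu and ac_role_menu rows.
AC_USER = {"alice", "bob"}
AC_APP_USER_ROLE = {("billing", "alice", "operation_and_maintenance"),
                    ("billing", "bob", "ordinary_visitor")}
# ac_menu: permission id -> (kind per the patent, back-end interface it guards)
AC_MENU = {
    "page:deployments":     ("page",      "GET /api/deployments"),
    "op:restart_container": ("operation", "POST /api/containers/restart"),
    "data:view_logs":       ("data",      "GET /api/logs"),
}
AC_ROLE_MENU = {
    "operation_and_maintenance": {"page:deployments", "op:restart_container", "data:view_logs"},
    "ordinary_visitor": {"page:deployments"},
}
# Constructed stand-in for the enterprise directory the patent queries over LDAPS.
_DIRECTORY = {"alice": "alice-pw", "bob": "bob-pw", "mallory": "mallory-pw"}

SESSIONS: dict[str, dict] = {}   # token -> {"user", "apps_roles", "permissions"}


def ldaps_verify(username: str, password: str) -> bool:
    """Stand-in for the LDAPS bind (constant-time comparison against the sample directory)."""
    expected = _DIRECTORY.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def login(username: str, password: str):
    """5.2: returns (ok, payload); payload is the token plus permission info, or an error."""
    if not ldaps_verify(username, password):
        return False, "error: invalid user name or password"
    if username not in AC_USER:   # authenticated in the directory but unknown to the platform
        return False, "error: insufficient permission (user not registered on the platform)"
    apps_roles = {(app, role) for app, u, role in AC_APP_USER_ROLE if u == username}
    if not apps_roles:
        return False, "error: insufficient permission (no application system role assigned)"
    permissions = set().union(*(AC_ROLE_MENU.get(role, set()) for _, role in apps_roles))
    token = secrets.token_urlsafe(32)   # unique, unguessable user token
    SESSIONS[token] = {"user": username, "apps_roles": apps_roles, "permissions": permissions}
    return True, {"token": token, "apps_roles": apps_roles, "permissions": permissions}


def visible_elements(permissions: set[str]) -> dict[str, list[str]]:
    """5.3: pages, buttons and data views the front end may render, grouped by kind."""
    return {kind: sorted(p for p in permissions if AC_MENU[p][0] == kind)
            for kind in ("page", "operation", "data")}


def backend_intercept(headers: dict, method: str, path: str) -> tuple[int, str]:
    """5.4: back-end interceptor keyed on the user token carried in the request header."""
    session = SESSIONS.get(headers.get("X-User-Token", ""))
    if session is None:
        return 401, "user permission verification failed: invalid token"
    needed = [p for p, (_, iface) in AC_MENU.items() if iface == f"{method} {path}"]
    if not needed:
        return 404, "unknown interface"
    if not any(p in session["permissions"] for p in needed):
        return 403, "user permission verification failed: no permission for this interface"
    return 200, f"ok: {method} {path} handled for {session['user']}"
```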
The authority table configuration is shown in fig. 4, which is a schematic diagram of the authority table configuration. The rights table contains the following six parts: ac _ app: an application system table; ac _ user: a user information table; ac _ role: a user role table; ac _ menu: a function permission table; ac _ app _ user _ role: an application-user-role association table; ac _ role _ menu: role-function permission association table.
The unified authority management platform realized by the invention provides unified user management, role management, authority management and user authorization for multiple sets of container cloud platforms. Extracting the authority management module from each container cloud platform gives centralized management and unified authorization, reduces the complexity of authorization operations and the management overhead, connects flexibly to existing systems, and provides great flexibility for enterprise change.
While the invention has been described with reference to specific embodiments, it is not limited thereto, and those skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope of the invention. Therefore, the protection scope of the invention shall be that of the claims.
Claims (10)
1. A tenant permission control method for realizing a container cloud platform based on a CMDB system and an RBAC model, characterized in that a unified permission management platform is created; the CMDB system is used to allocate the operation and maintenance role permission of an application system to a user; the unified permission management platform obtains the user information of the CMDB system and the association relation among the user, the application system and the operation and maintenance role, and generates a permission matrix list; and, based on the permission matrix list, whether the permission requirement is met is judged for a user logging in to any container cloud platform, thereby realizing tenant permission control.
2. The tenant permission control method for realizing the container cloud platform based on the CMDB system and the RBAC model according to claim 1, characterized in that when a user account logs in to any container cloud platform, the unified permission management platform checks the user account password; if the check passes, whether user role and application system information has been allocated is judged based on the permission matrix list generated from the CMDB; if that check also passes, the user permission and a registration authentication token are returned and the user is allowed to log in; otherwise the user permission is judged insufficient.
3. The tenant permission control method for realizing the container cloud platform based on the CMDB system and the RBAC model according to claim 2, characterized in that after the user logs in successfully and accesses a container cloud platform page, the container cloud platform judges, from the current user permission returned by the unified permission management platform, whether the related application group and role matrix permission exists; if so, the container cloud platform executes the related function operation, controls the front end to display the page elements displayable under the user permission, and authenticates the user's operations and the resources accessed; if not, it controls the front-end page to prompt the user that the current operation permission does not exist.
4. The tenant permission control method for realizing a container cloud platform based on a CMDB system and an RBAC model according to claim 1, wherein generating the permission matrix list comprises:
a1) the unified permission management platform connects to the CMDB system and obtains the CMDB user information and the association relation among the user, the application system and the operation and maintenance roles;
a2) the unified permission management platform obtains the application system, application responsible person, first application operation and maintenance, second application operation and maintenance and application state data maintained by the CMDB system, automatically configures the user data of the container cloud platform, and generates a permission matrix list holding the configuration relation of page permission, operation permission and data permission;
a3) when the CMDB application responsible person or application operation and maintenance information changes, or an application goes offline, the unified permission management platform synchronizes the CMDB change data, automatically updates the user permission information, and thereby automatically updates the content of the permission matrix list.
5. The tenant permission control method for realizing the container cloud platform based on the CMDB system and the RBAC model according to claim 4, wherein judging, based on the permission matrix list, whether the permission requirement is met for a user logging in to any container cloud platform specifically comprises:
b1) initializing the platform permission list from the permission matrix and configuring the permission menus of the different container cloud platforms based on the permission matrix list;
b2) initializing role permissions according to the permission matrix and allocating container cloud platform permissions;
b3) calling the CMDB system at regular intervals, obtaining user names and application systems, and initializing user permissions;
b4) initializing user permissions according to work orders submitted by users;
b5) when a user logs in to a container cloud platform, the container cloud platform calls the unified permission management platform to verify the permission of the logged-in user.
6. The method for controlling tenant permission for realizing a container cloud platform based on a CMDB system and an RBAC model according to claim 5, wherein step b1) specifically comprises:
obtaining the permission matrix list; configuring a relation table for the page permission, operation permission and data permission of each role on the different container cloud platforms; configuring the permission menus of the different container cloud platforms based on the permission matrix list; configuring the permission list of each container cloud platform according to the actual permission matrix; and storing each permission in the ac_menu data table.
7. The method for controlling tenant permission for realizing a container cloud platform based on a CMDB system and an RBAC model according to claim 6, wherein step b2) specifically comprises:
dividing container cloud platform users into five roles, namely administrator, operation and maintenance, development, test and common visitor; initializing the roles; configuring the container cloud platform permissions owned by each role; storing the association between each role and its permission list in the ac_role_menu data table; and storing the information related to the roles in the ac_role data table.
8. The method for controlling tenant permission for realizing a container cloud platform based on a CMDB system and an RBAC model according to claim 7, wherein step b4) specifically comprises:
b41) a user applies for container cloud platform permission, and the container cloud platform operation and maintenance personnel configure, on the permission management platform, the role permission corresponding to the work order submitted by the user;
b42) querying the user table by user name to check whether the user exists, and adding the user if not;
b43) querying the user role association table by user name and application system to check whether the user has already been allocated the application system role applied for; if so, prompting that user permission allocation failed; if not, allocating the permission corresponding to the application system to the user and prompting that user permission allocation succeeded.
9. The method for controlling tenant permission for realizing a container cloud platform based on a CMDB system and an RBAC model according to claim 8, wherein step b5) specifically comprises:
b51) a user logs in to different container cloud platforms with a user name and password;
b52) the container cloud platform calls the unified permission management platform, which verifies the user name and password via LDAPS; if they are incorrect, error information is returned to the container cloud platform; if they are correct, the user's application system role permission information is obtained, a unique user token is generated, and the user token and the application system role permission information are returned to the container cloud platform;
b53) the container cloud platform renders the front-end page according to the permission list information, and the front end displays the pages and request keys for which the user holds permission;
b54) when a request key on the container cloud platform is clicked and a request is sent to the back end, the back end first intercepts the request on receipt and judges, from the user token in the request header, whether the user holds permission for the current interface; if not, prompt information that user permission verification failed is returned; if so, the request enters the back-end logic and the processed data is returned after processing is finished.
10. The tenant permission control method for realizing the container cloud platform based on the CMDB system and the RBAC model as claimed in claim 4, wherein the unified permission management platform obtains the CMDB user information and the association relation among the user, the application system and the operation and maintenance role in either a manual or an automatic mode.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110799992.9A CN113688376A (en) | 2021-07-15 | 2021-07-15 | Tenant authority control method for realizing container cloud platform based on CMDB system and RBAC model |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113688376A true CN113688376A (en) | 2021-11-23 |
Family
ID=78577090
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110799992.9A Pending CN113688376A (en) | 2021-07-15 | 2021-07-15 | Tenant authority control method for realizing container cloud platform based on CMDB system and RBAC model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113688376A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107301354A (en) * | 2017-06-27 | 2017-10-27 | 北京微影时代科技有限公司 | A kind of System right management method and device |
CN107438067A (en) * | 2017-06-27 | 2017-12-05 | 北京溢思得瑞智能科技研究院有限公司 | A kind of multi-tenant construction method and system based on mesos container cloud platforms |
CN109347676A (en) * | 2018-11-02 | 2019-02-15 | 杭州云霁科技有限公司 | A kind of isomery, integrated mixed cloud resource management platform |
CN111447222A (en) * | 2020-03-26 | 2020-07-24 | 广东电网有限责任公司 | Distributed system authority authentication system and method based on micro-service architecture |
CN111586030A (en) * | 2020-04-30 | 2020-08-25 | 武汉时波网络技术有限公司 | Interface authentication and permission verification method and system based on micro-service multi-tenant |
CN112235133A (en) * | 2020-09-28 | 2021-01-15 | 建信金融科技有限责任公司 | Design method of universal cloud pipe platform and universal cloud pipe platform |
Legal timeline: 2021-07-15, CN202110799992.9A, patent CN113688376A (en), status: active, pending
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114257590A (en) * | 2021-12-10 | 2022-03-29 | 中信银行股份有限公司 | Cloud platform user information synchronization method and system |
WO2024140916A1 (en) * | 2022-12-29 | 2024-07-04 | 天翼物联科技有限公司 | Internet of things permission matrix model and interaction method thereof |
CN116708037A (en) * | 2023-08-07 | 2023-09-05 | 勤源(江苏)科技有限公司 | Cloud platform access right control method and system |
CN116708037B (en) * | 2023-08-07 | 2023-11-24 | 勤源(江苏)科技有限公司 | Cloud platform access right control method and system |
CN117951120A (en) * | 2024-03-26 | 2024-04-30 | 浪潮云信息技术股份公司 | Method and device for integrating CloudBeaver database management system into cloud platform |
CN117951120B (en) * | 2024-03-26 | 2024-07-23 | 浪潮云信息技术股份公司 | Method and device for integrating CloudBeaver database management system into cloud platform |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN113688376A (en) | Tenant authority control method for realizing container cloud platform based on CMDB system and RBAC model | |
US7509672B1 (en) | Cross-platform single sign-on data sharing | |
US8768715B2 (en) | System and method for resource management | |
CN106411857B (en) | A kind of private clound GIS service access control method based on virtual isolation mech isolation test | |
CN108377200B (en) | LDAP and SLURM-based cloud user management method and system | |
US20090094682A1 (en) | Methods and systems for user authorization | |
CN112100262A (en) | Method and system for quickly building and dynamically expanding multi-tenant software as a service (SaaS) platform | |
CN109040065B (en) | Docking method and device for cloud security management platform and cloud platform | |
CN110049048B (en) | Data access method, equipment and readable medium for government affair public service | |
CN101729541B (en) | Method and system for accessing resources of multi-service platform | |
CN104881736A (en) | Multi-Agent worksteam access control method based on improved role | |
CN103188249A (en) | Concentration permission management system, authorization method and authentication method thereof | |
CN101741558A (en) | Method for realizing uniform identity authentication | |
CN112910904B (en) | Login method and device of multi-service system | |
CN111581635B (en) | Data processing method and system | |
CN111898149A (en) | User management system and method for multiple organizations | |
CN110971566A (en) | Account unified management method, system and computer readable storage medium | |
CN112019543A (en) | Multi-tenant permission system based on BRAC model | |
CN108958870B (en) | Shortcut function setting method | |
CN111092870A (en) | Unified authentication method for multiple high-performance computing clusters | |
CN104994086B (en) | A kind of control method and device of data-base cluster permission | |
CN106933605A (en) | A kind of intelligent progress recognizing control method and system | |
CN111953491B (en) | SSH Certificate and LDAP based two-step authentication auditing method | |
CN111611561B (en) | Edge-hierarchical-user-oriented unified management and control method for authentication and authorization | |
WO2024140916A1 (en) | Internet of things permission matrix model and interaction method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||