
CN107222487B - An account docking system in a hybrid cloud environment - Google Patents


Info

Publication number: CN107222487B
Authority: CN (China)
Prior art keywords: account, cloud environment, user, information, module
Legal status: Active
Application number: CN201710449712.5A
Other languages: Chinese (zh)
Other versions: CN107222487A (en)
Inventor: 孙艳军
Current Assignee: Hangzhou 360 Billion Fang Intelligent Co ltd
Original Assignee: Hangzhou Qiyi Cloud Computing Co ltd

Events: application filed by Hangzhou Qiyi Cloud Computing Co ltd; priority to CN201710449712.5A; publication of CN107222487A; application granted; publication of CN107222487B; legal status active; anticipated expiration.

Classifications

    • H04L 63/0815: Network architectures or network communication protocols for network security; for authentication of entities; providing single-sign-on or federations (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L 63/00; H04L 63/08)
    • H04L 63/20: Network architectures or network communication protocols for network security; for managing network security; network security policies in general (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L 63/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses an account docking system in a hybrid cloud environment, which comprises a single sign-on service part and an account synchronization part. The single sign-on service part is used, when a user's login request for the public cloud environment is received, to determine according to the user's current login status whether the user is allowed to log in to the public cloud environment directly. The account synchronization part is used to convert the private account information in the private cloud environment and then store the converted private account information in the account system of the public cloud environment. By applying the technical scheme provided by the embodiments of the invention, enterprises and institutions in a hybrid cloud environment can conveniently manage member accounts in a unified way, management cost is reduced, the burden of account maintenance is reduced, users can log in to the public cloud environment with the account information of the private cloud environment without additional registration, and work efficiency is improved through the use of public cloud services.

Description

An account docking system in a hybrid cloud environment

Technical field

The present invention relates to the technical field of computer applications, and in particular to an account docking system in a hybrid cloud environment.

Background

With the development of cloud computing technology, SaaS (Software-as-a-Service) services have also developed rapidly. SaaS is a typical public cloud service: a model in which software is provided over the network, all services are hosted in the cloud, and users neither purchase nor maintain the software. A user only needs to register an account and become a member to use the services provided.

Most enterprises and institutions have their own private cloud environment, and an account system already exists in that private cloud environment. If a public cloud environment is used at the same time, they wish, for ease of member management, to use the account system of the private cloud environment directly for unified management.

How to implement account docking in a hybrid cloud environment, so that enterprises and institutions can manage accounts in a unified manner, is a technical problem that those skilled in the art urgently need to solve.

Summary of the invention

The purpose of the present invention is to provide an account docking system for a hybrid cloud environment, so as to facilitate unified management of member accounts by enterprises and institutions using a hybrid cloud environment, reduce management costs, and improve work efficiency.

To solve the above technical problem, the present invention provides the following technical solution:

An account docking system for a hybrid cloud environment, comprising a single sign-on service part and an account synchronization part, wherein:

the single sign-on service part is configured to, when receiving a user's login request for the public cloud environment, determine according to the user's current login status whether the user is allowed to log in to the public cloud environment directly;

the account synchronization part is configured to convert private account information from the private cloud environment and store the converted information in the account system of the public cloud environment.

In a specific embodiment of the present invention, the single sign-on service part comprises an account storage connection adapter, a single sign-on protocol implementation module, an account resolution logic module, a single sign-on module and a domain-storage mapping table, wherein

the account storage connection adapter is configured to connect to one or more account storage systems in the private cloud environment;

the single sign-on protocol implementation module is configured to extract original account information from the corresponding account storage system through the account storage connection adapter;

the account resolution logic module is configured to receive the original account information sent by the single sign-on protocol implementation module and convert it into structured account information;

the single sign-on module is configured to receive the structured account information returned by the account resolution logic module and, when receiving the user's login request, query according to the structured account information whether a user record of the user exists in the account system of the public cloud environment; if so, set the user's status information and redirect to the corresponding page to complete the user login;

the domain-storage mapping table is configured to store the mapping from domains to the account storage systems of the private cloud environment.

In a specific embodiment of the present invention, the account storage connection adapter is specifically configured to select, according to the type of account storage system in the private cloud environment, a corresponding connection method for connecting to one or more of the account storage systems in the private cloud environment.

In a specific embodiment of the present invention, the single sign-on protocol implementation module comprises a Central Authentication Service (CAS) sub-module and/or a Security Assertion Markup Language (SAML) sub-module.

In a specific embodiment of the present invention, the account resolution logic module is specifically configured to perform preprocessing, filtering, validation and conversion operations on the original account information to obtain the structured account information corresponding to the original account information.

In a specific embodiment of the present invention, the single sign-on module is further configured to, when receiving the user's login request and determining that the user is not logged in, display an account input box, receive the account information entered by the user, extract the prefix or suffix domain information from the account information, and determine according to that domain information the account storage system to which the account information corresponds.

In a specific embodiment of the present invention, the account synchronization part comprises an active account synchronization module;

the active account synchronization module is configured to adjust the account information in the account system of the public cloud environment according to a received adjustment instruction.

In a specific embodiment of the present invention, the account synchronization part further comprises a passive account synchronization module;

the passive account synchronization module is configured to, when the user logs in to the public cloud environment, update the corresponding account information in the public cloud environment according to the account information passed from the private cloud environment.

In a specific embodiment of the present invention, the account synchronization part further comprises a passive account synchronization switch for controlling whether the passive account synchronization module is enabled.

In a specific embodiment of the present invention, the active account synchronization module comprises an account incremental synchronization interface.

By applying the technical solution provided by the embodiments of the present invention, the account docking system in the hybrid cloud environment comprises a single sign-on service part and an account synchronization part. The single sign-on service part is configured to, when receiving a user's login request for the public cloud environment, determine according to the user's current login status whether the user is allowed to log in to the public cloud environment directly; the account synchronization part is configured to convert the account information in the private cloud environment and store it in the account system of the public cloud environment. This makes it convenient for enterprises and institutions using a hybrid cloud environment to manage member accounts in a unified manner, reduces management costs and the burden of maintaining accounts, and lets users log in to the public cloud environment and use public cloud services with the account information of the private cloud environment, without additional registration, which improves work efficiency.

Description of the drawings

In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic structural diagram of an account docking system in a hybrid cloud environment according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of an application of an account docking system in a hybrid cloud environment according to an embodiment of the present invention;

FIG. 3 is another schematic structural diagram of an account docking system in a hybrid cloud environment according to an embodiment of the present invention.

Detailed description

In order to make those skilled in the art better understand the solution of the present invention, the present invention is further described in detail below with reference to the drawings and specific embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

Referring to FIG. 1, which is a schematic structural diagram of an account docking system in a hybrid cloud environment provided by an embodiment of the present invention, the system comprises a single sign-on service part 100 and an account synchronization part 200, wherein:

the single sign-on service part 100 is configured to, when receiving a user's login request for the public cloud environment, determine according to the user's current login status whether the user is allowed to log in to the public cloud environment directly;

the account synchronization part 200 is configured to convert private account information from the private cloud environment and store it in the account system of the public cloud environment.

The embodiments of the present invention are mainly aimed at enterprises or institutions that already have private cloud environment accounts and use public cloud services. Members of such an enterprise or institution do not need to register again: through the account docking system provided by the embodiments, they can use their private accounts in the private cloud environment directly for single sign-on and use public cloud services. At the same time, the account docking system provided by the embodiments can keep the account information in the public cloud environment and the private cloud environment updated in sync.

In the embodiments of the present invention, the account docking system for the hybrid cloud environment may be implemented by a login server. As shown in FIG. 2, the login server may be deployed in the private cloud environment, where it can access the account storage systems of the private cloud environment, such as databases and domain controllers, and can also access the account system of the public cloud environment.

The account docking system for a hybrid cloud environment provided by the embodiments comprises a single sign-on service part 100 and an account synchronization part 200.

Single sign-on (SSO) means that, across multiple application systems, a user only needs to log in once to access all mutually trusting application systems; it includes the mechanism of mapping the current primary login onto other applications for the same user's login.

In the embodiments, the single sign-on service part 100 processes the user's login requests: when receiving a user's login request for the public cloud environment, it determines according to the user's current login status whether the user is allowed to log in to the public cloud environment directly.

As shown in FIG. 3, in a specific embodiment of the present invention, the single sign-on service part 100 comprises an account storage connection adapter 110, a single sign-on protocol implementation module 120, an account resolution logic module 130, a single sign-on module 140 and a domain-storage mapping table 150, wherein

the account storage connection adapter 110 is configured to connect to one or more account storage systems in the private cloud environment;

the single sign-on protocol implementation module 120 is configured to extract original account information from the corresponding account storage system through the account storage connection adapter 110;

the account resolution logic module 130 is configured to receive the original account information sent by the single sign-on protocol implementation module 120 and convert it into structured account information;

the single sign-on module 140 is configured to receive the structured account information returned by the account resolution logic module 130 and, when receiving the user's login request, query according to the structured account information whether a user record of the user exists in the account system of the public cloud environment; if so, set the user's status information and redirect to the corresponding page to complete the user login;

the domain-storage mapping table 150 is configured to store the mapping from domains to the account storage systems of the private cloud environment.

In the embodiments of the present invention, the single sign-on service part 100 may comprise, from bottom to top, the account storage connection adapter 110, the single sign-on protocol implementation module 120, the account resolution logic module 130, the single sign-on module 140 and the domain-storage mapping table 150.

The account storage connection adapter 110 connects to one or more account storage systems in the private cloud environment. There may be one or more account storage systems in the private cloud environment, of the same or different types, such as databases or LDAP (Lightweight Directory Access Protocol)/Active Directory. That is, the same enterprise or institution may support one or more kinds of account storage system at the same time, and may also support multiple instances of one kind. For example, an enterprise's private cloud environment may store accounts in M databases and N LDAP/Active Directory instances, where M and N are natural numbers and M + N is greater than or equal to 1.

Specifically, the account storage connection adapter 110 may select, according to the type of account storage system in the private cloud environment, a corresponding connection method for connecting to one or more account storage systems in the private cloud environment. That is, the adapter 110 selects a different connection method for each kind of account storage system: for a database it can use the corresponding database driver, and for LDAP/Active Directory it can use the open-source library ldaptive to establish the connection.

The account storage connection adapter 110 can be called by the upper layers to read account information from the corresponding account storage system.

The single sign-on protocol implementation module 120 extracts original account information from the corresponding account storage system through the account storage connection adapter 110. It may comprise a series of single sign-on protocol sub-modules, for example a CAS sub-module supporting the CAS (Central Authentication Service) single sign-on protocol and/or a SAML sub-module supporting the SAML (Security Assertion Markup Language) single sign-on protocol. Of course, extension with other single sign-on protocol implementations is also supported.

The CAS single sign-on protocol is a single sign-on protocol for the World Wide Web, invented by Yale University and now maintained and developed by the Jasig organization. The SAML single sign-on protocol is an open-source, XML-based standard data format.

For the same enterprise or institution, the embodiments of the present invention may support one or more single sign-on protocols at the same time. The single sign-on protocol implementation module 120 extracts the original account information from the corresponding account storage system through the account storage connection adapter 110.

The original account information may include original department information, original group information and original user information. The original department information may include the department the current user belongs to and all of its parent departments starting from the root department; the original group information has no hierarchy and is a set of groups; the original user information may include basic information from the account storage system of the private cloud environment, such as the user identifier (Id), e-mail address, mobile phone number and user name, where the user identifier (Id) uniquely locates a user in the account storage system of the private cloud environment.

The account resolution logic module 130 receives the original account information sent by the single sign-on protocol implementation module 120 and converts it into structured account information; that is, the input of module 130 is the original account information returned by module 120. Module 130 may perform, in sequence, preprocessing, filtering, validation and conversion operations on the original account information to obtain the corresponding structured account information.

During preprocessing of the original account information, a default department and a default group can be set for the enterprise or institution. If an enterprise or institution has set a default department, then when the original account information contains no department information, the department in the structured account information generated by module 130 is the default department; the same applies to the default group. If no default department and default group have been set and the incoming original account information contains neither department nor group, the structured account information generated by module 130 contains no department or group, which means the user is added to the root department and to no group.

Filtering the original account information means setting filter conditions according to the requirements of the enterprise or institution; users who do not satisfy the filter conditions cannot log in. For example, an enterprise or institution can disallow login by members of certain departments, or by employees who have left.

Validating the original account information means performing logical checks and format checks on it. Logical checks verify that the user satisfies the constraints, for example whether the user has a department and whether all parent departments from the root department are included. Format checks verify whether the account's encoding, length and so on meet the configured requirements and whether the e-mail address or mobile phone number in the account is valid. When validation fails, an error can be raised with a corresponding error message.

Converting the original account information means transforming it according to configured conversion rules, for example appending a specific suffix to a student number, or concatenating certain fields according to rules.

Through the preprocessing, filtering, validation and conversion operations, the account resolution logic module 130 obtains the structured account information corresponding to the original account information. The returned structured account information may contain complete department hierarchy information, i.e. all superior departments of the current department starting from the root department, so that the entire department chain can be constructed level by level from the root department down to the current department.
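The four-stage resolution just described (default department and group, filter conditions, logical and format checks, conversion rules), as an added Python example that is not code from the patent or its assignee. The raw record layout, the Policy fields, the ROOT_DEPARTMENT constant, the regular expressions used as format rules and the sample records are constructed assumptions; the stage order follows the text.

```python
"""Account resolution pipeline (module 130): preprocess -> filter -> validate -> convert.

Added illustration of the four stages described in the patent text; not code
from the patent. The raw record layout, the Policy fields and the sample
records are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

ROOT_DEPARTMENT = "root"
# Format rules (assumed): account encoding/length, e-mail and phone syntax.
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9._-]{3,64}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")


class ResolutionError(ValueError):
    """Filtering rejected the user or validation failed."""


@dataclass(frozen=True)
class Policy:
    default_department: tuple = ()          # chain from the root, e.g. ("root", "Guests")
    default_group: Optional[str] = None
    blocked_departments: frozenset = frozenset()
    account_suffix: str = ""                # conversion rule, e.g. "@corp"


@dataclass
class StructuredAccount:
    uid: str
    account: str
    departments: list       # full chain, root first; empty means the root department itself
    groups: list
    email: Optional[str] = None
    phone: Optional[str] = None


def preprocess(raw: dict, policy: Policy) -> dict:
    """Fill in the default department / group when the record has none."""
    rec = dict(raw)
    if not rec.get("departments"):
        rec["departments"] = list(policy.default_department)   # [] -> root department
    if not rec.get("groups"):
        rec["groups"] = [policy.default_group] if policy.default_group else []
    return rec


def filter_account(rec: dict, policy: Policy) -> dict:
    """Apply the enterprise's filter conditions; rejected users cannot log in."""
    if rec.get("status") == "left":
        raise ResolutionError("departed employees may not log in")
    if set(rec["departments"]) & policy.blocked_departments:
        raise ResolutionError("member of a department that is not allowed to log in")
    return rec


def validate(rec: dict) -> dict:
    """Logical checks (identifier, department chain anchored at the root) and format checks."""
    if not rec.get("uid"):
        raise ResolutionError("missing user identifier")
    depts = rec["departments"]
    if depts and depts[0] != ROOT_DEPARTMENT:
        raise ResolutionError("department chain does not start at the root department")
    if not ACCOUNT_RE.fullmatch(rec.get("account", "")):
        raise ResolutionError("account name fails encoding/length rule")
    if rec.get("email") and not EMAIL_RE.fullmatch(rec["email"]):
        raise ResolutionError("invalid e-mail address")
    if rec.get("phone") and not PHONE_RE.fullmatch(rec["phone"]):
        raise ResolutionError("invalid mobile phone number")
    return rec


def convert(rec: dict, policy: Policy) -> StructuredAccount:
    """Apply the conversion rule (here: append a suffix) and emit the structured record."""
    account = rec["account"]
    if policy.account_suffix and not account.endswith(policy.account_suffix):
        account += policy.account_suffix
    return StructuredAccount(uid=str(rec["uid"]), account=account,
                             departments=list(rec["departments"]), groups=list(rec["groups"]),
                             email=rec.get("email"), phone=rec.get("phone"))


def resolve_account(raw: dict, policy: Policy) -> StructuredAccount:
    """Run the four stages in the order the text gives them."""
    return convert(validate(filter_account(preprocess(raw, policy), policy)), policy)


def resolve_all(raws, policy):
    """Return (accepted structured accounts, {account name: rejection reason})."""
    accepted, rejected = [], {}
    for raw in raws:
        try:
            accepted.append(resolve_account(raw, policy))
        except ResolutionError as exc:
            rejected[raw.get("account", "?")] = str(exc)
    return accepted, rejected


# Constructed sample input, shaped like a directory export.
SAMPLE_POLICY = Policy(default_department=("root", "Guests"), default_group="everyone",
                       blocked_departments=frozenset({"Contractors"}), account_suffix="@corp")
SAMPLE_RAW = [
    {"uid": 1001, "account": "alice", "departments": ["root", "Engineering", "Platform"],
     "groups": ["devs"], "email": "alice@example.com", "phone": "+8613800000000", "status": "active"},
    {"uid": 1002, "account": "bob", "status": "active"},                   # receives the defaults
    {"uid": 1003, "account": "carol", "departments": ["root", "Sales"], "status": "left"},
    {"uid": 1004, "account": "dave", "departments": ["root", "Contractors"], "status": "active"},
    {"uid": 1005, "account": "erin", "departments": ["Engineering"], "status": "active"},
    {"uid": 1006, "account": "frank", "departments": ["root"], "email": "not-an-address", "status": "active"},
]

if __name__ == "__main__":
    ok, bad = resolve_all(SAMPLE_RAW, SAMPLE_POLICY)
    for acc in ok:
        print("accepted", acc.account, "/".join(acc.departments), acc.groups)
    for name, why in bad.items():
        print("rejected", name, "->", why)
```

Filtering runs before validation so that a departed or blocked user is refused regardless of whether the rest of the record is well formed, and conversion runs last so that the suffix rule operates on an already validated account name.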

单点登录模块140用于用户登录。可以接收账号解析逻辑模块130返回的结构化账号信息,在接收到用户的登录请求时,访问公有云环境的账号系统,根据结构化账号信息查询公有云环境的账号系统中是否存在用户的用户记录,如果存在,则设置用户的状态信息,并跳转至相应页面完成用户登录。The single sign-on module 140 is used for user login. The structured account information returned by the account analysis logic module 130 can be received, when receiving the user's login request, access the account system of the public cloud environment, and query whether there is a user record in the account system of the public cloud environment according to the structured account information , if it exists, set the user's status information, and jump to the corresponding page to complete the user login.

单点登录模块140的输入是账号解析逻辑模块130返回的结构化账号信息。在接收到用户的登录请求时,单点登录模块140可以访问公有云环境的账号系统,使用从账号解析逻辑模块130返回的结构化账号信息查询是否存在该用户的用户记录,如果存在,则表明该用户是已经存在的合法用户,可以设置该用户的状态信息,并跳转到相应的合适页面,完成用户登录过程。The input of the single sign-on module 140 is the structured account information returned by the account resolution logic module 130 . When receiving the user's login request, the single sign-on module 140 can access the account system of the public cloud environment, and use the structured account information returned from the account resolution logic module 130 to query whether there is a user record of the user, if there is, it indicates that The user is an existing legal user, the user's status information can be set, and the user can jump to a corresponding appropriate page to complete the user login process.

单点登录模块140还可以用于在接收到用户的登录请求时,如果确定用户未登录,则输出用户账号输入框,接收用户输入的账号信息,提取账号信息中的前缀或者后缀域信息,根据域信息确定账号信息对应的账号存储地址。The single sign-on module 140 can also be used to output the user account input box when receiving the user's login request, if it is determined that the user is not logged in, receive the account information input by the user, and extract the prefix or suffix domain information in the account information, according to The domain information determines the account storage address corresponding to the account information.

域-存储映射表150用于存储从域到私有云环境的账号存储系统的映射关系。通过域-存储映射表150可以根据域查询对应的账号存储系统。The domain-storage mapping table 150 is used to store the mapping relationship from the domain to the account storage system of the private cloud environment. The corresponding account storage system can be queried according to the domain through the domain-storage mapping table 150 .

A normal single sign-on process through the single sign-on service part 100 can be described as follows:

First, when the single sign-on module 140 receives a user's login request and determines that the user is not logged in, it displays an account input box.

After the user enters account information, the single sign-on module 140 can extract the prefix or suffix domain information from it and use the domain information to determine which account storage system of the private cloud environment holds the account. The decision logic can be: if no domain information is present, use the default account storage system of the private cloud environment; if domain information is present, look it up in the domain-storage mapping table 150 to obtain the corresponding account storage system of the private cloud environment.

Next, the single sign-on module 140 calls the single sign-on protocol implementation module 120 to begin extracting the account information. That is, the single sign-on protocol implementation module 120 selects an appropriate account storage connection adapter 110 according to the type of the target account storage system, connects to that system and extracts the original account information.

The original account information is then converted into structured account information by the account resolution logic module 130.

Finally, the single sign-on module 140 uses the structured account information to complete the login of the account the user entered.

In the embodiment of the present invention, the account synchronization part 200 converts the private account information of the private cloud environment and stores the result in the account system of the public cloud environment.

In one embodiment of the present invention, the account synchronization part 200 may include an active account synchronization module 210;

The active account synchronization module 210 adjusts the account information in the account system of the public cloud environment according to a received adjustment instruction.

In the embodiment of the present invention, the active account synchronization module 210 may provide a set of interfaces that the account administrators of an enterprise or institution can call at any time to adjust the account information in the account system of the public cloud environment, for example to add, delete or modify accounts.

Specifically, the active account synchronization module 210 may include an account incremental synchronization interface. Account administrators can call it to synchronize, in real time, account information or account change information from the storage systems of the private cloud environment to the corresponding account system of the public cloud environment.

The account incremental synchronization interface supports batch operations, allows the incremental update behaviour to be controlled by a status code, and also allows a default department or default group to be set.

Because batch operations are supported, account administrators can synchronize a batch of account information at once, which speeds up synchronization. When a batch operation finishes, the account incremental synchronization interface returns one of three kinds of result: complete success, partial success or complete failure. For complete success it returns the complete-success flag and the number of successful records. For partial success it returns the partial-success flag, the number of successful records and the details of the failed records; in those details each failed record is identified by a unique Id and carries the status code and the reason for that record's failure. For complete failure it returns the complete-failure flag and the details of the failed records.

The account incremental synchronization interface controls the incremental update behaviour through the status code. For a delete operation, for example, the status code controls whether the account is frozen or deleted; for a new account, the status code controls whether the imported account is associated with an existing account or created as a new one.

In the embodiment of the present invention, the status code may be represented by a 4-bit binary value whose bits, read from left to right, are described as follows:

The first bit indicates whether an e-mail address must be bound when a new user is added: 0 means not bound, 1 means bound.

The second bit indicates whether a mobile phone number must be bound when a new user is added: 0 means not bound, 1 means bound.

The third and fourth bits are interpreted in combination as follows:

00: freeze the account. A frozen account may not log in, but its data is not deleted. Once an account administrator unfreezes the account, the user can log in again.

10: delete the account. After the account is deleted, its related data is deleted as well.

01: add the user account if it does not exist, with the new account in the inactive state; if the user account already exists when importing, modify it.

11: add the user account if it does not exist, with the new account in the active state; if the user account already exists when importing, modify it.

Here, binding means account association, that is, associating an account registered in the public cloud environment with the corresponding account in a storage system of the private cloud environment. An inactive user cannot log in until the account has been activated by mobile phone or e-mail.

The first and second bits of the status code take effect only when a new user is added.

As with single sign-on, the account incremental synchronization interface can also support setting a global default department or default group for the enterprise or institution. When imported member account information includes department or group information, that information is used directly. When the imported member account information specifies no department or group and a global default department or default group has been set, the default is used, which is equivalent to adding the member to the default department or default group. When the imported member account information specifies no department or group and no default department or default group is set either, the user is added to the root department and to no group.
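The following is an added example, not code from the patent or its applicant, that models the account incremental synchronization interface described above: it decodes the 4-bit status code, applies a batch of records to an in-memory stand-in for the public cloud account system, falls back to the configured default department or group, and classifies the batch result as complete success, partial success or complete failure, with each failed record carrying its Id, the status code and a reason. The record field names, result keys and sample data are assumptions made for the example.

```python
"""Added example (not the patent's own code): a model of the account incremental
synchronization interface. Record fields, result keys and sample data are assumed."""
from dataclasses import dataclass, field
from typing import Optional

ALL_SUCCESS, PARTIAL_SUCCESS, ALL_FAILURE = "all_success", "partial_success", "all_failure"
ACTIONS = {"00": "freeze", "10": "delete", "01": "upsert_inactive", "11": "upsert_active"}


@dataclass
class StatusCode:
    bind_email: bool    # bit 1: bind an e-mail address when adding a new user
    bind_phone: bool    # bit 2: bind a mobile number when adding a new user
    action: str         # bits 3-4: see ACTIONS


def decode_status_code(code: str) -> StatusCode:
    """Decode a 4-bit status code such as "1011"; bits are read left to right."""
    if len(code) != 4 or set(code) - {"0", "1"}:
        raise ValueError(f"status code must be 4 binary digits, got {code!r}")
    return StatusCode(code[0] == "1", code[1] == "1", ACTIONS[code[2:]])


@dataclass
class PublicCloudAccounts:
    """Constructed stand-in for the account system of the public cloud environment."""
    users: dict = field(default_factory=dict)     # account id -> record
    default_department: Optional[str] = None
    default_group: Optional[str] = None

    def department_for(self, rec: dict) -> str:
        # explicit department wins, then the global default, else the root department
        return rec.get("department") or self.default_department or "root"

    def groups_for(self, rec: dict) -> list:
        if rec.get("groups"):
            return list(rec["groups"])
        return [self.default_group] if self.default_group else []


def apply_record(store: PublicCloudAccounts, sc: StatusCode, rec: dict) -> None:
    """Apply one record; raises ValueError/LookupError carrying the failure reason."""
    uid = rec.get("id")
    if not uid:
        raise ValueError("record has no id")
    if sc.action in ("freeze", "delete"):
        if uid not in store.users:
            raise LookupError("account does not exist")
        if sc.action == "freeze":
            store.users[uid]["frozen"] = True            # login denied, data kept
        else:
            del store.users[uid]                          # account and its data removed
        return
    if uid in store.users:                                # exists: modify the given fields
        store.users[uid].update({k: v for k, v in rec.items() if k != "id"})
        return
    # new account: the two binding bits take effect only here
    if sc.bind_email and not rec.get("email"):
        raise ValueError("status code requires e-mail binding but record has no email")
    if sc.bind_phone and not rec.get("phone"):
        raise ValueError("status code requires phone binding but record has no phone")
    store.users[uid] = {
        "name": rec.get("name"), "email": rec.get("email"), "phone": rec.get("phone"),
        "department": store.department_for(rec), "groups": store.groups_for(rec),
        "active": sc.action == "upsert_active", "frozen": False,
    }


def sync_batch(store: PublicCloudAccounts, code: str, records: list) -> dict:
    """Run one batch and return the three-way result the interface describes."""
    sc = decode_status_code(code)
    succeeded, failures = 0, []
    for rec in records:
        try:
            apply_record(store, sc, rec)
            succeeded += 1
        except (ValueError, LookupError) as exc:
            # each failed record carries its id, the status code and the reason
            failures.append({"id": rec.get("id"), "status_code": code, "reason": str(exc)})
    if not failures:
        return {"result": ALL_SUCCESS, "succeeded": succeeded}
    if succeeded == 0:
        return {"result": ALL_FAILURE, "failures": failures}
    return {"result": PARTIAL_SUCCESS, "succeeded": succeeded, "failures": failures}
```

A typical call is `sync_batch(store, "0011", records)`, which creates missing accounts in the active state and modifies existing ones; the same records sent with `"0000"` freeze them and with `"0010"` delete them. Rejecting malformed status codes before any record is touched keeps a bad request from partially applying.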

The active account synchronization process performed by the active account synchronization module 210 can be described as follows:

First, the account administrator calls the account incremental synchronization interface, passing in the appropriate account information, status code and authentication information.

Then the active account synchronization module 210 processes the request in four steps: assigning a unique serial number to the request; authenticating the request; synchronizing the account information to the account system of the public cloud environment; and returning the batch operation result.

Finally, the account administrator receives the result of the batch operation.

The four steps by which the active account synchronization module 210 processes a request are described in detail below.

Assigning a unique serial number to the request: to make the processing state of the interface easy to trace, the active account synchronization module 210 assigns a random serial number to each request. The log entries produced at each step of request processing contain that serial number, and so does the result returned for the request. The account administrator, that is, the caller of the interface, can use the serial number to query the logs and trace the detailed execution of the request.

Authenticating the request: to prevent unauthorized users from calling the interface, the active account synchronization module 210 authenticates each received request, and only requests that pass authentication proceed to account synchronization.

Synchronizing the account information to the account system of the public cloud environment: the add, delete and modify operations are supported, and the behaviour of each operation is controlled by the status code. The active account synchronization module 210 interacts with the public cloud account system to complete the synchronization.

Returning the batch operation result: if the request fails at the authentication stage, complete failure is returned. If the request goes wrong at the account synchronization stage, one of the three results, complete success, partial success or complete failure, is returned. The returned information includes the unique serial number, which simplifies tracing and debugging.

In another embodiment of the present invention, the account synchronization part 200 may further include a passive account synchronization module 220;

The passive account synchronization module 220 updates the corresponding account information of the public cloud environment, according to the account information passed from the private cloud environment, when the user logs in to the public cloud environment.

In the embodiment of the present invention, the account synchronization part 200 may include, besides the active account synchronization module 210, a passive account synchronization module 220. When a user logs in to the public cloud environment, the passive account synchronization module 220 can update the corresponding account information of the public cloud environment according to the account information passed from the private cloud environment.

The account synchronization part 200 may further include a passive account synchronization switch that controls whether the passive account synchronization module 220 is enabled. The passive account synchronization module 220 is controlled by that switch and is enabled only when the switch is on. The switch can be checked during the user login process.

When the passive account synchronization switch is on, the single sign-on module 140 obtains the structured account information from the account resolution logic module 130 during the user's login to the public cloud environment and then queries the account system of the public cloud environment for that user. If no corresponding public cloud account information is found, the user does not exist in the account system of the public cloud environment, and the single sign-on module 140 calls the passive account synchronization module 220 to write the user's account information into that account system, completing synchronization. If corresponding account information is found, the two sets of account information are compared, and if they differ, the account information in the account system of the public cloud environment is updated.

The embodiment of the present invention can thus synchronize the account system of the public cloud environment through the active account synchronization module 210 or the passive account synchronization module 220, which has high practical value.

Taking FIG. 3 as an example, the account docking system for a hybrid cloud environment provided by the embodiment of the present invention is described in detail.

In practice, the public cloud environment records the user's login state. When it determines that the user is not logged in or that the login state has expired, it redirects the user's page to the login page, which starts the single sign-on process.

When a user performs single sign-on, the single sign-on service part 100 is accessed first to check whether the single sign-on server holds a session caching the user's single sign-on state. If it does, the user's information is obtained directly and the login is completed by interacting with the account system of the public cloud environment. If the user's single sign-on state is not recorded, the single sign-on module 140 invokes the corresponding single sign-on protocol implementation module 120 and redirects to the account login page.

The private cloud environment of a large enterprise or an institution such as a school may contain several account storage systems, such as database 1, database 2 and LDAP, with differing account formats; in a school, for example, students log in with a student number and teachers with a staff number. The single sign-on service part 100 records the mapping from domains to the account storage systems of the private cloud environment in the domain-storage mapping table 150 and can look up the account storage system corresponding to a domain.

When logging in, the account information entered by the user may carry domain prefix or suffix information, in the form domainN\account or account@domainN; account information without a domain indicates that the account is stored in the default domain. The single sign-on module 140 extracts the domain information from the account information to obtain the corresponding target account storage.
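The following is an added example, not code from the patent or its applicant, for the domain handling described in the single sign-on procedure above and in this paragraph: it splits the typed account information into domain and local account for both the domainN\account and account@domainN forms, resolves the domain through a domain-storage mapping, and uses the default storage only when no domain is given. The mapping contents, storage names, the domain syntax check and the sample inputs are constructed for the example; an unmapped domain is rejected rather than silently routed to the default storage.

```python
"""Added example (not the patent's own code): domain extraction and lookup in a
domain-storage mapping. Mapping contents, storage names and samples are assumed."""
import re

DOMAIN_STORAGE_MAP = {"stu": "db_students", "tea": "ldap_staff", "corp.example": "db_corp"}
DEFAULT_STORAGE = "db_default"
DOMAIN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")   # assumed shape of a domain label


def split_domain(account: str):
    """Return (domain, local_account); domain is None when the input carries none.
    Accepts both the prefix form domainN\\account and the suffix form account@domainN."""
    account = account.strip()
    if "\\" in account:
        domain, _, local = account.partition("\\")      # prefix form
    elif "@" in account:
        local, _, domain = account.rpartition("@")       # suffix form; the last '@' wins
    else:
        domain, local = "", account
    if not local:
        raise ValueError("account name is empty")
    if domain and not DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"malformed domain {domain!r}")
    return (domain or None), local


def resolve_storage(account: str, mapping=None, default: str = DEFAULT_STORAGE):
    """Return (storage, local_account, domain) for the typed account information.
    No domain -> the default storage; a domain missing from the mapping is an error."""
    mapping = DOMAIN_STORAGE_MAP if mapping is None else mapping
    domain, local = split_domain(account)
    if domain is None:
        return default, local, None
    if domain not in mapping:
        raise LookupError(f"no account storage mapped for domain {domain!r}")
    return mapping[domain], local, domain
```

Validating the domain before the lookup means only well-formed labels ever reach the mapping table or the storage connection layer behind it, and the caller learns from the exception type whether the input was malformed or merely unknown.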

The single sign-on protocol implementation module 120 uses the account storage connection adapter 110 to select a different connection library for each kind of account storage system: for a mysql database the mysql driver, for an oracle database the oracle driver, and for an ldap directory the ldaptive library, for example.

The account resolution logic module 130 can query the private storage information according to the domain information and process it differently for each storage. This comprises three steps: account filtering, account verification and account conversion. Account filtering sets filter conditions according to the requirements of the enterprise or institution and the characteristics of the accounts, allowing or forbidding certain users to log in. It has many uses. For example, an enterprise adopting a public cloud environment generally starts with a small-scale trial, during which account filtering can allow only specific members to log in. Account filtering can also forbid certain members from logging in, such as employees who have left or students who have graduated. Account conversion converts the differing account information into a unified format, and the conversion method depends on the account format. First, the converted account Id contains an identifier specific to the enterprise, which uniquely identifies the account in the account system of the public cloud environment. For example, a student number is converted by appending the school's own domain name as a suffix: a Zhejiang University student Id can be suffixed with @stu.zju.edu.cn and a teacher Id with @tea.zju.edu.cn, so that each is uniquely identified in the account system of the public cloud environment. If the account entered at login contains domain information, the converted account also includes that domain information.

The department information in the account format produced by the account resolution logic module 130 contains the complete department path from the root department to the current department, and a user may belong to several departments. The department information returned is a set of department paths, whose elements may be represented as: root department > next-level sub-department > ... > the department the current user belongs to. The groups returned by the account resolution logic module 130 are a set of groups, and the returned user information contains all fields of interest.

The passive account synchronization function is provided by the passive account synchronization module 220. As FIG. 3 shows, the input of the passive account synchronization module 220 is the structured account information produced by the account resolution logic module 130. Since the account resolution logic module 130 returns all account information of the logged-in user, that information can be added to the account system of the public cloud environment or used to update existing accounts there.

When the active account synchronization module 210 performs active account synchronization, it assigns a serial number to the request and authenticates the request with a pre-filter (Filter). The request is first intercepted and processed by the Filter and reaches the business logic only if the filter's authentication passes. The serial number assigned to the request is the concatenation of a UUID and the client's request IP. A UUID (Universally Unique Identifier) is a software construction standard whose purpose is to let every element of a distributed system be uniquely identified. The serial number can therefore uniquely identify a request.

The account incremental synchronization interface of the active account synchronization module 210 supports add, delete and modify operations on accounts. For add and modify operations, the account information passed in is the account information of the private cloud environment, and newly added accounts must satisfy certain ordering constraints.

Departments and groups must be synchronized first, and ordinary users last. When synchronizing a user, if the user's department or group cannot be found, the action of adding the user to that department or group is skipped.

When adding departments, a parent department must appear before its sub-departments so that departments are created in order. If the parent of a department cannot be found, synchronization of that department fails.

When deleting a department, all its members are first moved out and the department itself is deleted last.

The account incremental synchronization interface provided by the active account synchronization module 210 is designed to be idempotent: executing the same request once or N times yields the same final result. When synchronization fails, the request can be retried repeatedly without the repeated submission of data corrupting the state.
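The following is an added example, not code from the patent or its applicant, covering the account resolution steps described above (filtering, verification and conversion of a raw private-cloud record into the structured account with enterprise suffix and full department paths) and the passive account synchronization decision that consumes that structured account at login (create when absent, update changed fields, do nothing when the switch is off). The root department name, the suffix table, the blocked statuses, the trial allowlist, the field names and the sample records are all constructed for the example.

```python
"""Added example (not the patent's own code): account resolution (filter, verify,
convert) followed by passive synchronization at login. All names are assumed."""
import re

ROOT_DEPARTMENT = "ZJU"                                  # assumed root of every department path
SUFFIX_BY_STORAGE = {                                    # enterprise-specific identifier per storage
    "db_students": "@stu.zju.edu.cn",
    "ldap_staff": "@tea.zju.edu.cn",
}
BLOCKED_STATUSES = {"graduated", "left"}                 # members who may no longer log in
SYNCED_FIELDS = ("name", "email", "departments", "groups")


def resolve_account(raw: dict, storage: str, allowlist=None) -> dict:
    """Filter, verify and convert one raw record; raises when the account is rejected."""
    # 1. filtering: block departed members and, during a trial, allow only listed ids
    if raw.get("status") in BLOCKED_STATUSES:
        raise PermissionError(f"account {raw.get('id')!r} is {raw['status']}")
    if allowlist is not None and raw.get("id") not in allowlist:
        raise PermissionError(f"account {raw.get('id')!r} is not in the trial allowlist")
    # 2. verification: required fields present and the id well formed
    if not re.fullmatch(r"[A-Za-z0-9]+", raw.get("id") or ""):
        raise ValueError(f"malformed account id {raw.get('id')!r}")
    if not raw.get("name"):
        raise ValueError("record has no name")
    if storage not in SUFFIX_BY_STORAGE:
        raise ValueError(f"unknown storage {storage!r}")
    # 3. conversion: unique id with the enterprise suffix, full department paths
    departments = [">".join([ROOT_DEPARTMENT, *path]) for path in raw.get("departments", [])]
    return {
        "id": raw["id"] + SUFFIX_BY_STORAGE[storage],
        "name": raw["name"],
        "email": raw.get("email"),
        "departments": sorted(set(departments)),
        "groups": sorted(set(raw.get("groups", []))),
    }


def passive_sync_on_login(public_accounts: dict, structured: dict, switch_on: bool):
    """Passive sync at login: create the account if absent, update changed fields,
    do nothing when the switch is off. Returns (outcome, changed_fields)."""
    if not switch_on:
        return "skipped", []
    uid = structured["id"]
    existing = public_accounts.get(uid)          # public_accounts stands in for the cloud account system
    if existing is None:
        public_accounts[uid] = dict(structured)
        return "created", list(SYNCED_FIELDS)
    changed = [f for f in SYNCED_FIELDS if existing.get(f) != structured.get(f)]
    for f in changed:
        existing[f] = structured.get(f)
    return ("updated", changed) if changed else ("unchanged", [])


# Constructed sample records, as two private storages might return them.
SAMPLE_STUDENT = {"id": "3170101234", "name": "Alice", "status": "enrolled",
                  "departments": [["Computer Science", "Security Lab"]], "groups": ["ctf"]}
SAMPLE_GRADUATE = {"id": "3130109999", "name": "Bob", "status": "graduated"}
```

Running `resolve_account(SAMPLE_STUDENT, "db_students")` and passing the result to `passive_sync_on_login` twice shows the create-then-unchanged behaviour; `SAMPLE_GRADUATE` is stopped at the filtering step before any conversion or synchronization happens, which is the point of filtering first.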
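The following is an added example, not code from the patent or its applicant, that models the four-step request handling of the active account synchronization module described earlier (serial number from a UUID and the client IP, an authentication filter in front of the business logic, synchronization, and a result that carries the serial number) together with the ordering and idempotency rules of this and the preceding paragraphs: a department whose parent is missing fails, a user whose department is missing is synchronized without the department join, and replaying the same request leaves the state and the result unchanged. The HMAC-based authentication scheme, the shared secret, the record layout and the log format are assumptions made for the example.

```python
"""Added example (not the patent's own code): serial number, auth filter, ordered
idempotent sync and result reporting. The auth scheme and record layout are assumed."""
import hashlib
import hmac
import json
import uuid

SHARED_SECRET = b"constructed-demo-secret"   # assumption: secret shared with the calling administrator


def sign_request(body: dict) -> str:
    """Caller side: HMAC-SHA256 over the canonical JSON body (assumed scheme)."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


class ActiveSyncService:
    def __init__(self):
        self.departments = {"root": None}   # department id -> parent id (stand-in for the cloud side)
        self.users = {}                      # user id -> record
        self.logs = []                       # every line carries the request's serial number

    def _log(self, serial: str, step: str, msg: str) -> None:
        self.logs.append(f"[{serial}] {step}: {msg}")

    def handle(self, body: dict, signature: str, client_ip: str) -> dict:
        serial = f"{uuid.uuid4()}-{client_ip}"                      # step 1: serial number
        self._log(serial, "serial", "assigned")
        if not hmac.compare_digest(sign_request(body), signature):  # step 2: filter
            self._log(serial, "auth", "rejected")
            return {"serial": serial, "result": "all_failure",
                    "failures": [{"reason": "authentication failed"}]}
        self._log(serial, "auth", "accepted")
        succeeded, failures = 0, []
        for rec in body["records"]:                                 # step 3: sync in given order
            reason = self._apply(rec)
            if reason is None:
                succeeded += 1
            else:
                failures.append({"id": rec.get("id"), "reason": reason})
            self._log(serial, "sync", f"{rec.get('id')}: {'ok' if reason is None else reason}")
        if not failures:
            result = "all_success"
        elif succeeded == 0:
            result = "all_failure"
        else:
            result = "partial_success"
        return {"serial": serial, "result": result,                  # step 4: result with serial
                "succeeded": succeeded, "failures": failures}

    def _apply(self, rec: dict):
        """Apply one record; returns None on success or the failure reason."""
        kind, rid = rec.get("type"), rec.get("id")
        if kind == "department":
            parent = rec.get("parent", "root")
            if parent not in self.departments:
                return "parent department not found"        # parent must have been synced first
            self.departments[rid] = parent                   # re-creating is a no-op: idempotent
            return None
        if kind == "user":
            dept = rec.get("department")
            if dept not in self.departments:
                dept = None                                  # join skipped, user still synced
            self.users[rid] = {"name": rec.get("name"), "department": dept}
            return None
        return "unknown record type"
```

Because every write is an overwrite keyed by id and every failure is a pure function of the current state, a retried request converges to the same state and returns the same result; the serial number suffix makes the originating client visible in each log line without the caller having to supply it.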

The status code of the account incremental synchronization interface currently uses only 4 binary bits, but it supports extension toward the high-order bits to control further synchronization behaviours, and such extensions remain compatible with the existing functionality.

Applying the technical solution provided by the embodiment of the present invention, the account docking system for a hybrid cloud environment comprises a single sign-on service part and an account synchronization part. The single sign-on service part determines, on receiving a user's login request for the public cloud environment, whether the user may log in to the public cloud environment directly according to the user's current login state; the account synchronization part converts the account information of the private cloud environment and stores it in the account system of the public cloud environment. This lets enterprises and institutions using a hybrid cloud environment manage member accounts uniformly, reducing management cost and the burden of maintaining accounts; users need no additional registration and can log in to the public cloud environment and use public cloud services with the account information of the private cloud environment, which improves work efficiency.

The embodiments in this specification are described progressively; each emphasizes its differences from the others, and the same or similar parts of the embodiments may be understood by reference to one another.

Those skilled in the art will further appreciate that the units and algorithm steps of the examples described with the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To illustrate clearly the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be regarded as going beyond the scope of the present invention.

The steps of the methods or algorithms described with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM or any other form of storage medium known in the art.

Specific examples have been used herein to explain the principles and implementations of the present invention; the description of the above embodiments serves only to help understand the technical solution and core idea of the invention. It should be noted that those of ordinary skill in the art may make several improvements and modifications to the present invention without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of the present invention.

Claims (9)

1. An account docking system of a hybrid cloud environment, comprising a single sign-on service part and an account synchronization part, wherein:
the single sign-on service part is used for determining whether the user is allowed to directly log in the public cloud environment according to the current login condition of the user when a login request of the user for the public cloud environment is received;
the account synchronization part is used for converting the private account information in the private cloud environment and then storing the converted private account information in the account system of the public cloud environment;
the single sign-on service part comprises an account number storage connection adapter, a single sign-on protocol implementation module, an account number analysis logic module, a single sign-on module and a domain-storage mapping table, wherein,
the account storage connection adapter is used for connecting one or more account storage systems in the private cloud environment;
the single sign-on protocol implementation module is used for extracting original account information from a corresponding account storage system through the account storage connection adapter;
the account analysis logic module is used for receiving the original account information sent by the single sign-on protocol implementation module and converting the original account information into structured account information;
the single sign-on module is used for receiving the structured account information returned by the account analysis logic module, inquiring whether a user record of the user exists in the account system of the public cloud environment according to the structured account information when a sign-on request of the user is received, and if so, setting the state information of the user and skipping to a corresponding page to finish user sign-on;
the domain-storage mapping table is used for storing mapping relations from domains to account storage systems of the private cloud environment.
2. The account docking system of the hybrid cloud environment of claim 1, wherein the account storage connection adapter is specifically configured to select a corresponding connection mode to connect to one or more account storage systems in the private cloud environment according to a type of the account storage system in the private cloud environment.
3. The account docking system of a hybrid cloud environment of claim 1, wherein the single sign-on protocol implementation module comprises a Centralized Authentication Service (CAS) sub-module and/or a Security Assertion Markup Language (SAML) sub-module.
4. The account docking system of the hybrid cloud environment of claim 1, wherein the account parsing logic module is specifically configured to perform preprocessing, filtering, checking, and converting operations on the original account information to obtain structured account information corresponding to the original account information.
5. The account docking system in the hybrid cloud environment according to claim 1, wherein the single sign-on module is further configured to, when receiving a login request of the user, if it is determined that the user is not logged in, output an account input box, receive account information input by the user, extract prefix or suffix domain information in the account information, and determine, according to the domain information, an account storage system corresponding to the account information.
6. The account docking system of a hybrid cloud environment of any of claims 1 to 5, wherein the account synchronization portion comprises an active account synchronization module;
and the active account synchronization module is used for adjusting the account information in the account system of the public cloud environment according to the received adjustment instruction.
7. The account docking system of a hybrid cloud environment of claim 6, wherein the account synchronization portion further comprises a passive account synchronization module;
and the passive account synchronization module is used for updating corresponding account information of the public cloud environment according to the account information transmitted by the private cloud environment when the user logs in the public cloud environment.
8. The account docking system of a hybrid cloud environment of claim 7, wherein the account synchronization portion further comprises a passive account synchronization switch configured to control whether the passive account synchronization module is enabled.
9. The account docking system of a hybrid cloud environment of claim 7, wherein the active account synchronization module comprises an account incremental synchronization interface.
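The account parsing and domain lookup that claims 1, 4 and 5 describe, written out as an added example (not code from the patent or the applicant): a raw login identifier in prefix form (`DOMAIN\user`) or suffix form (`user@domain`) is checked and converted into structured account information, and the extracted domain is resolved against the domain-storage mapping table to select the private-cloud account store. The mapping table contents, the `StructuredAccount` type and the function names are assumptions for illustration.

```python
"""Added example (not from the patent): resolve the account store for a login
identifier from its prefix or suffix domain, as claims 1, 4 and 5 describe.
Names and the mapping table below are assumptions for illustration."""
import re
from dataclasses import dataclass

# Constructed domain-to-account-storage mapping table (claim 1's domain-storage
# mapping table); the values are assumed connection descriptors, not real ones.
DOMAIN_STORAGE_MAP = {
    "corp.example": {"type": "ldap", "endpoint": "ldap://dc1.corp.example"},
    "lab.example": {"type": "ad", "endpoint": "ldaps://ad.lab.example"},
}

# Conservative character set for the local part; anything else is rejected
# rather than passed through to a backend query (claim 4's checking step).
_LOCAL_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

@dataclass(frozen=True)
class StructuredAccount:
    local: str      # user name without domain decoration
    domain: str     # lower-cased domain extracted from prefix or suffix
    store: dict     # account storage descriptor taken from the mapping table

def parse_account(raw: str):
    """Split 'DOMAIN\\user' (prefix form) or 'user@domain' (suffix form).
    Returns (local, domain) or None when no single domain can be extracted."""
    s = raw.strip()
    if s.count("\\") == 1 and "@" not in s:
        domain, local = s.split("\\")
    elif s.count("@") == 1 and "\\" not in s:
        local, domain = s.split("@")
    else:
        return None
    return local, domain.lower()

def resolve_account(raw: str, table: dict = DOMAIN_STORAGE_MAP):
    """Preprocess, check and convert raw input into a StructuredAccount bound
    to its account store; returns None for malformed or unmapped input."""
    parsed = parse_account(raw)
    if parsed is None:
        return None
    local, domain = parsed
    if not _LOCAL_RE.match(local) or not domain:
        return None
    store = table.get(domain)            # unknown domain: no store, no fallback
    if store is None:
        return None
    return StructuredAccount(local=local, domain=domain, store=store)
```

An unmapped domain yields no store at all rather than a default backend, so a login identifier for a domain the mapping table does not list never reaches any private-cloud account system.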
CN201710449712.5A 2017-06-13 2017-06-13 An account docking system in a hybrid cloud environment Active CN107222487B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710449712.5A CN107222487B (en) 2017-06-13 2017-06-13 An account docking system in a hybrid cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710449712.5A CN107222487B (en) 2017-06-13 2017-06-13 An account docking system in a hybrid cloud environment

Publications (2)

Publication Number Publication Date
CN107222487A CN107222487A (en) 2017-09-29
CN107222487B true CN107222487B (en) 2020-09-08

Family

ID=59949531

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710449712.5A Active CN107222487B (en) 2017-06-13 2017-06-13 An account docking system in a hybrid cloud environment

Country Status (1)

Country Link
CN (1) CN107222487B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108011961A (en) * 2017-12-07 2018-05-08 携程旅游信息技术(上海)有限公司 Voice interactive system based on mixing cloud service
CN109598114B (en) * 2018-11-23 2021-07-09 金色熊猫有限公司 Cross-platform unified user account management method and system
CN111416795B (en) * 2019-01-08 2022-07-29 阿里巴巴集团控股有限公司 Data synchronization method, device, computing equipment and medium
CN110417863B (en) * 2019-06-27 2021-01-29 华为技术有限公司 Method and device for generating identification code, and method and device for identity authentication
CN111488095A (en) * 2020-04-07 2020-08-04 中国人民财产保险股份有限公司 User login management method and device
CN112487390B (en) * 2020-11-27 2025-01-17 网宿科技股份有限公司 Micro-service switching method and system
CN113779541A (en) * 2021-08-02 2021-12-10 浪潮软件股份有限公司 Auth service-based account information interaction method and storage medium
CN114189375B (en) * 2021-12-06 2024-02-27 银清科技有限公司 Service system management method and device
CN114500002B (en) * 2021-12-31 2023-11-10 济南超级计算技术研究院 Cluster account distribution method and system based on LDAP
CN114697111B (en) * 2022-03-30 2024-06-07 浪潮云信息技术股份公司 Method and system for cross-cloud access to public cloud and public cloud
CN117453816B (en) * 2023-10-24 2024-05-07 上海宁盾信息科技有限公司 User data unifying method, system, computer and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102437914A (en) * 2010-12-08 2012-05-02 袁永亮 Method for providing user identity identification and user identity authentication for internet service by telecommunication network
CN103067406A (en) * 2013-01-14 2013-04-24 暨南大学 Access control system and access control method between public cloud and private cloud
CN105119974A (en) * 2015-07-21 2015-12-02 信阳启航信息科技有限公司 Internet-of-things system using hybrid cloud architecture and realization method
CN105528694A (en) * 2015-12-31 2016-04-27 青岛英特沃克网络科技有限公司 Enterprise interconnected office system based on cluster communication
CN106302117A (en) * 2016-08-15 2017-01-04 上海云睦网络科技有限公司 Message delivery system, method and apparatus

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8140669B2 (en) * 2009-08-31 2012-03-20 International Business Machines Corporation Resolving hostnames on a private network with a public internet server
US9060025B2 (en) * 2013-02-05 2015-06-16 Fortinet, Inc. Cloud-based security policy configuration

Also Published As

Publication number Publication date
CN107222487A (en) 2017-09-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Room 1601-7, Building 3, Haichuang Technology Center, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province 311121

Patentee after: Hangzhou 360 Billion Fang Intelligent Co.,Ltd.

Country or region after: China

Address before: Room 1601-7, Building 3, Haichuang Technology Center, Cangqian Street, Yuhang District, Hangzhou City, Zhejiang Province 311121

Patentee before: Hangzhou Qiyi cloud computing Co.,Ltd.

Country or region before: China

CP03 Change of name, title or address