
CN112015524A - Workflow deployment method, device, system and storage medium - Google Patents

Workflow deployment method, device, system and storage medium

Info

Publication number: CN112015524A
Authority: CN (China)
Prior art keywords: workflow; execution unit; resource domain; target resource; node
Legal status: Granted
Application number: CN201910452307.8A
Other languages: Chinese (zh)
Other versions: CN112015524B (en)
Inventors: 匡大虎, 李鹏
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd

Events: application filed by Alibaba Group Holding Ltd; priority to CN201910452307.8A; publication of CN112015524A; application granted; publication of CN112015524B; legal status: Active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/48 Program initiating; program switching, e.g. by interrupt
    • G06F 9/4806 Task transfer initiation or dispatching
    • G06F 9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G06F 9/4881 Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
    • G06F 9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F 9/5083 Techniques for rebalancing the load in a distributed system

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Embodiments of this application provide a workflow deployment method, device, system and storage medium. In these embodiments, workflow deployment is combined with a distributed computing system that can serve different tenants, allowing a tenant to deploy workflows in its own resource domain. During deployment, each workflow execution unit is assigned the system identity it will use at runtime, which distinguishes the access rights of different workflow execution units to the shared storage resources of the distributed computing system. Each workflow execution unit accesses the shared storage resources according to the access rights of the system identity it runs under, so read/write isolation can be achieved between tenants and the security of data in the shared storage resources is ensured.

Description

Workflow deployment method, device, system and storage medium

Technical field

This application relates to the field of Internet technology, and in particular to a workflow deployment method, device, system and storage medium.

Background

Faced with the high-concurrency demands of workflows (WorkFlow), some cloud container vendors have turned to Kubernetes-based distributed clusters: the workflow is deployed in the cluster, and the scheduling capability of Kubernetes is used to control and run it.

However, deploying workflows in a Kubernetes-based distributed cluster also raises problems that remain to be solved; one of them is how to ensure the security of data access to shared storage space in a multi-tenant computing environment.

Summary of the invention

Several aspects of this application provide a workflow deployment method, device, system and storage medium for deploying workflows in a multi-tenant computing environment while ensuring the security of data in shared storage space.

An embodiment of this application provides a distributed computing system comprising a master control node, a workflow management node, and resource domains corresponding to different tenants;

the workflow management node is configured to obtain, from the workflow deployment information of a target resource domain, the system identity that a workflow execution unit will use at runtime, and to transmit that system identity to the master control node;

the master control node is configured to deploy the workflow execution unit onto a worker node in the target resource domain when the system identity the workflow execution unit will use at runtime belongs to the set of system identities the target resource domain is entitled to use; wherein the workflow execution unit accesses the shared storage resources of the distributed computing system according to the access rights corresponding to the system identity it runs under.

An embodiment of this application further provides a distributed computing system implemented on a container orchestration and scheduling system, comprising a master control node, a workflow management node, and namespaces corresponding to different tenants;

the workflow management node is configured to obtain, from the workflow deployment information of a target namespace, the system identity that the containers required by the workflow to be deployed will use at runtime, and to transmit that system identity to the master control node;

the master control node is configured to deploy the containers onto a worker node under the target namespace when the system identity the containers will use at runtime belongs to the set of system identities the target namespace is entitled to use; wherein a container accesses the shared storage resources of the distributed computing system according to the access rights corresponding to the system identity it runs under.

An embodiment of this application further provides a workflow deployment method applicable to a workflow management node. The method comprises: obtaining, from the workflow deployment information of a target resource domain, the system identity that a workflow execution unit will use at runtime; and transmitting that system identity to the master control node of the distributed computing system to which the workflow management node belongs, so that the master control node deploys the workflow execution unit onto a worker node in the target resource domain when that system identity belongs to the set of system identities the target resource domain is entitled to use; wherein the workflow execution unit accesses the shared storage resources of the distributed computing system according to the access rights corresponding to the system identity it runs under.

An embodiment of this application further provides a workflow deployment method applicable to a master control node. The method comprises: receiving, from a workflow management node, the system identity that a workflow execution unit will use at runtime, the workflow execution unit being an execution unit of a workflow that is to be deployed in a target resource domain; and deploying the workflow execution unit onto a worker node in the target resource domain when that system identity belongs to the set of system identities the target resource domain is entitled to use; wherein the workflow execution unit accesses the shared storage resources of the distributed computing system according to the access rights corresponding to the system identity it runs under.

An embodiment of this application further provides a workflow management node comprising a memory and a processor; the memory stores a computer program which, when executed by the processor, causes the processor to carry out the steps of the methods in the embodiments of this application that can be performed by a workflow management node.

An embodiment of this application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to carry out the steps of the methods in the embodiments of this application that can be performed by a workflow management node.

An embodiment of this application further provides a master control node comprising a memory and a processor; the memory stores a computer program which, when executed by the processor, causes the processor to carry out the steps of the methods in the embodiments of this application that can be performed by a master control node.

An embodiment of this application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to carry out the steps of the methods in the embodiments of this application that can be performed by a master control node.

In the embodiments of this application, workflow deployment is combined with a distributed computing system that can serve different tenants, allowing a tenant to deploy workflows in its own resource domain. During deployment, each workflow execution unit is assigned the system identity it will use at runtime, which distinguishes the access rights of different workflow execution units to the shared storage resources of the distributed computing system. Each workflow execution unit accesses the shared storage resources according to the access rights of the system identity it runs under, so read/write isolation can be achieved between tenants and the security of data in the shared storage resources is ensured.

Brief description of the drawings

The drawings described here provide a further understanding of this application and form part of it; the illustrative embodiments of this application and their descriptions serve to explain the application and do not unduly limit it. In the drawings:

FIG. 1a is a schematic structural diagram of a distributed computing system provided by an exemplary embodiment of this application;

FIG. 1b is a schematic structural diagram of a Kubernetes-based distributed computing system provided by an exemplary embodiment of this application;

FIG. 2a is a schematic flowchart of a workflow deployment method provided by an exemplary embodiment of this application;

FIG. 2b is a schematic flowchart of another workflow deployment method provided by an exemplary embodiment of this application;

FIG. 3 is a schematic structural diagram of a workflow management node provided by an exemplary embodiment of this application;

FIG. 4 is a schematic structural diagram of a master control node provided by an exemplary embodiment of this application.

Detailed description

To make the objectives, technical solutions and advantages of this application clearer, the technical solutions of this application are described clearly and completely below with reference to specific embodiments and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of this application without creative effort fall within the scope of protection of this application.

To address the data access security problem in shared storage resources that arises when workflows are deployed in a multi-tenant computing environment in the prior art, some embodiments of this application combine workflow deployment with a distributed computing system that can serve different tenants, allowing a tenant to deploy workflows in its own resource domain. During deployment, each workflow execution unit is assigned the system identity it will use at runtime, which distinguishes the access rights of different workflow execution units to the shared storage resources of the distributed computing system. Each workflow execution unit accesses the shared storage resources according to the access rights of the system identity it runs under, so read/write isolation can be achieved between tenants and the security of data in the shared storage resources is ensured.

The technical solutions provided by the embodiments of this application are described in detail below with reference to the drawings.

FIG. 1a is a schematic structural diagram of a distributed computing system 10 provided by an exemplary embodiment of this application. As shown in FIG. 1a, the distributed computing system 10 includes a master control node 11, a workflow management node 13, and resource domains 14 corresponding to different tenants.

The distributed computing system 10 of this embodiment includes various resources, such as computing, storage and network resources, which may be provided by the physical devices of the system. The physical devices in the distributed computing system 10 include, but are not limited to, computer equipment, sensor devices, storage devices, conventional servers, cloud servers and server arrays. On the one hand the distributed computing system 10 provides these resources to tenants; on the other hand it allows tenants to deploy the services they need on those resources.

Different tenants can apply for their own resource domains in the distributed computing system 10 and deploy the services they need in them. Each tenant can apply for one or more resource domains, and for each tenant different services can be deployed in different resource domains, or the same service can be deployed in several resource domains. A tenant's resource domain contains resources reserved for that tenant alone, for example worker nodes that provide services to the tenant and the service programs deployed on those worker nodes. The embodiments of this application do not restrict the form of the service programs; they may include, for example, application programs and/or operating systems.

Different tenants have different user identity credentials, and each tenant's credential uniquely identifies that tenant. A tenant's user identity credential can be any information that uniquely identifies the tenant, for example the tenant's ID in the distributed computing system 10, or the tenant name, account number, telephone number, e-mail address and/or home address the tenant registered with the system. In addition, to distinguish the resource domains of different tenants and the different resource domains of the same tenant, each resource domain has its own identifier, which uniquely identifies that resource domain. The identifier of a resource domain can be any information that uniquely identifies it, such as its ID, name and/or application time in the distributed computing system 10. In this embodiment, a correspondence between each tenant's user identity credential and the identifiers of that tenant's resource domains is maintained.

To serve tenants better, the distributed computing system 10 includes a master control (Master) node 11. The master control node 11 is the management and control node of the distributed computing system 10 and is mainly responsible for at least one of resource management, service scheduling, node management and control, security control, system monitoring and error correction in the system. Optionally, a series of management-related processes run on the master control node 11 to provide these capabilities. There may be one or more master control nodes 11, and a master control node 11 may be deployed on a physical device or a virtual machine in the distributed computing system 10. When there are several master control nodes 11, they may be distributed across multiple physical devices or virtual machines.

Besides the master control node 11, the distributed computing system 10 includes worker nodes 12. A worker node 12 is a service node in the distributed computing system 10 that provides tenants with the services they need. There may be one or more worker nodes 12; optionally, several worker nodes 12 may be deployed together on one physical device or virtual machine, or spread across multiple physical devices or virtual machines. The worker nodes 12 of the distributed computing system 10 are distributed among the resource domains 14 of the different tenants and host the executable units, such as service programs or processes, that the tenants deploy.

In this embodiment a tenant can deploy workflows in its resource domain. To make this easier, the distributed computing system 10 further includes a workflow management node 13, which may be deployed on one or more physical machines in the system or spread across multiple physical devices or virtual machines. The workflow management node 13 mainly provides workflow deployment capability to the tenants, so that each tenant can deploy workflows in its own resource domain 14. Workflow deployment here means the process of determining, from the workflow deployment information a tenant provides, the workflow execution units and their execution order, and deploying those units onto the worker nodes 12 in the tenant's resource domain 14. The workflow management node 13 can further monitor and manage the workflow execution units once deployment has succeeded. A workflow execution unit is an execution unit needed to complete the workflow.

Besides the resource domains reserved for individual tenants, the distributed computing system 10 also contains global shared resources available to different tenants. In this embodiment, global shared resources mainly means shared storage resources, which may be local storage or network storage such as network attached storage (NAS). For example, the data of different tenants may be stored in the shared storage resources, and every tenant may access the shared storage resources of the distributed computing system 10. To keep data access to the shared storage resources secure, read/write isolation between tenants is therefore necessary.

In this embodiment, the distributed computing system 10 manages access to its shared storage resources on the basis of system identities, each of which corresponds to a certain set of access rights. Accordingly, during workflow deployment each workflow execution unit is assigned the system identity it will use at runtime, which distinguishes the access rights of the different workflow execution units to the shared storage resources of the distributed computing system 10. Each workflow execution unit accesses the shared storage resources according to the access rights of the system identity it runs under, so read/write isolation between tenants is achieved and the security of data in the shared storage resources is ensured. A system identity may be a user identifier (Uid) or a user group identifier (Gid); a Gid identifies a group of users.
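The isolation the paragraph above relies on is the ordinary owner/group/other permission model of a POSIX file system or NAS export: once the master control node has forced a tenant's execution units to run under that tenant's Uid/Gid, the storage layer decides reads and writes per identity. The following Go program is an added illustration, not code from the patent or from Alibaba; the uids, gids, paths and mode bits are constructed sample values, and `SharedObject` and `Identity` are hypothetical types standing in for an inode and a process credential.

```go
package main

import "fmt"

// Access bits in the POSIX style used by local and NAS file systems.
const (
	Read  = 4
	Write = 2
)

// SharedObject is a constructed stand-in for a file or directory on the
// shared storage resource: an owning uid, an owning gid and an rwx mode
// split into owner/group/other triplets (0770, 0755, ...).
type SharedObject struct {
	Path  string
	Owner int
	Group int
	Mode  uint16
}

// Identity is the system identity a workflow execution unit runs under:
// its Uid plus the Gids of the groups it belongs to.
type Identity struct {
	UID  int
	GIDs []int
}

func inGroup(id Identity, gid int) bool {
	for _, g := range id.GIDs {
		if g == gid {
			return true
		}
	}
	return false
}

// CanAccess applies the POSIX owner/group/other rule. The first class the
// identity falls into decides, so an owner facing mode 0070 is denied even
// though the group bits would allow it.
func CanAccess(id Identity, obj SharedObject, want uint16) bool {
	var bits uint16
	switch {
	case id.UID == obj.Owner:
		bits = (obj.Mode >> 6) & 7
	case inGroup(id, obj.Group):
		bits = (obj.Mode >> 3) & 7
	default:
		bits = obj.Mode & 7
	}
	return bits&want == want
}

// Rights summarises CanAccess as "", "r", "w" or "rw".
func Rights(id Identity, obj SharedObject) string {
	s := ""
	if CanAccess(id, obj, Read) {
		s += "r"
	}
	if CanAccess(id, obj, Write) {
		s += "w"
	}
	return s
}

// Constructed sample: execution units of two tenants and three objects on a
// shared NAS. The uids, gids and paths are illustrative, not from the patent.
var (
	TenantAUnit = Identity{UID: 1001, GIDs: []int{2001}}
	TenantBUnit = Identity{UID: 1002, GIDs: []int{2002}}
	SharedNAS   = []SharedObject{
		{Path: "/nas/tenant-a", Owner: 1001, Group: 2001, Mode: 0770},
		{Path: "/nas/tenant-b", Owner: 1002, Group: 2002, Mode: 0770},
		{Path: "/nas/common", Owner: 0, Group: 0, Mode: 0755},
	}
)

func main() {
	units := map[string]Identity{"tenant-a": TenantAUnit, "tenant-b": TenantBUnit}
	for name, id := range units {
		for _, obj := range SharedNAS {
			fmt.Printf("%-8s uid=%d %-14s -> %q\n", name, id.UID, obj.Path, Rights(id, obj))
		}
	}
}
```

The point of the sample is the negative case: tenant A's unit gets no rights at all on `/nas/tenant-b`, and only read on `/nas/common`, purely because of the identity it was deployed with. That is why the master-side check that the identity belongs to the target resource domain matters: if a unit could pick tenant B's uid, the storage layer would have no way to tell the two tenants apart.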

具体地,对于在目标资源域中部署工作流的场景,工作流管理节点13可根据目标资源域中的工作流部署信息,获取工作流执行单元运行时使用的系统身份标识;将工作流执行单元运行时使用的系统身份标识传输给主控节点11。其中,目标资源域可以是目标租户申请的任一资源域,目标租户可以是系统中任一租户。目标租户可以是个人、企业、公司或公司的部门等。工作流执行单元一般为多个,当然,也可以是一个。工作流执行单元可以是任何可实现一定功能,且具有执行能力的服务单元,例如可以是容器、虚拟机、进程或线程等。Specifically, for the scenario of deploying the workflow in the target resource domain, the workflow management node 13 can obtain the system identity used by the workflow execution unit when running the workflow execution unit according to the workflow deployment information in the target resource domain; The system identity used at runtime is transmitted to the master node 11 . The target resource domain can be any resource domain applied by the target tenant, and the target tenant can be any tenant in the system. Target tenants can be individuals, businesses, companies, or divisions of companies, etc. Generally, there are multiple workflow execution units, and of course, it can also be one. The workflow execution unit may be any service unit that can implement certain functions and has execution capability, such as a container, a virtual machine, a process, or a thread.

在主控节点11侧,预先维护有目标资源域有权使用的系统身份标识。基于此,主控节点11接收到工作流管理节点13发送的工作流执行单元运行时使用的系统身份标识的情况下,可以判断工作流执行单元运行时使用的系统身份标识是否属于目标资源域有权使用的系统身份标识;并在判断出工作流执行单元运行时使用的系统身份标识属于目标资源域有权使用的系统身份标识的情况下,将工作流执行单元部署到目标资源域中的工作节点12上。对工作流执行单元来说,在其运行过程中可基于其运行时使用的系统身份标识对应的访存权限对分布式计算系统10的共享存储资源进行访存。On the side of the master control node 11, the system identity that the target resource domain has the right to use is maintained in advance. Based on this, when the master control node 11 receives the system ID used by the workflow execution unit when it is running, sent by the workflow management node 13, it can determine whether the system ID used when the workflow execution unit is running belongs to the target resource domain. When it is judged that the system identity used when the workflow execution unit is running belongs to the system identity that the target resource domain has the right to use, deploy the workflow execution unit to the work of the target resource domain on node 12. For the workflow execution unit, the shared storage resource of the distributed computing system 10 can be accessed during its running process based on the access authority corresponding to the system identity used by the workflow execution unit.

在本申请实施例中,若要成功地将工作流执行单元部署到相应工作节点12上,除了需要工作流执行单元运行时使用的系统身份标识之外,还需要有工作流执行单元。在一种可选实施例中,租户可以将工作流执行单元直接提供给主控节点11,则主控节点11直接获取租户提交的工作流执行单元。或者,在另一可选实施例中,由工作流管理节点13从工作流部署信息中获取具有执行顺序的工作流执行单元,并将所获取的工作流执行单元提供给主控节点11,对租户来说,在部署工作流过程中只需与工作流管理节点13进行交互,操作相对简单。In this embodiment of the present application, to successfully deploy the workflow execution unit to the corresponding worker node 12, in addition to the system identity used when the workflow execution unit is running, a workflow execution unit is also required. In an optional embodiment, the tenant may directly provide the workflow execution unit to the master control node 11, and the master control node 11 directly obtains the workflow execution unit submitted by the tenant. Or, in another optional embodiment, the workflow management node 13 acquires the workflow execution units with the execution order from the workflow deployment information, and provides the acquired workflow execution units to the master control node 11, For the tenant, in the process of deploying the workflow, it only needs to interact with the workflow management node 13, and the operation is relatively simple.

进一步可选地,若主控节点11以工作流执行单元为粒度进行管理,则工作流管理节点13可以从工作流部署信息中获取工作流执行单元,并按照工作流执行单元之间的先后执行顺序将工作流执行单元传输给主控节点11。或者,Further optionally, if the master control node 11 manages with the workflow execution unit as the granularity, the workflow management node 13 can obtain the workflow execution unit from the workflow deployment information, and execute the workflow execution units in sequence. The workflow execution units are sequentially transmitted to the master node 11 . or,

进一步可选地,主控节点11以工作流执行单元模型为单位进行管理,则工作流管理节点13可以根据工作流部署信息生成主控节点11可识别的至少一个工作流执行单元模型,每个工作流执行单元模型包含至少一个工作流执行单元;按照至少一个工作流执行单元模型之间的时序依赖关系,依次将至少一个工作流执行单元模型发送给主控节点11,以供主控节点11以工作流执行单元模型为单位对工作流执行单元进行部署。其中,工作流执行单元模型是工作流执行单元的管理模型。Further optionally, if the master control node 11 manages the workflow execution unit model as a unit, the workflow management node 13 may generate at least one workflow execution unit model identifiable by the master control node 11 according to the workflow deployment information. The workflow execution unit model includes at least one workflow execution unit; according to the time sequence dependency between the at least one workflow execution unit model, the at least one workflow execution unit model is sequentially sent to the master control node 11 for the master control node 11 The workflow execution unit is deployed in units of the workflow execution unit model. The workflow execution unit model is a management model of the workflow execution unit.

对主控节点11来说,可以接收工作流管理节点13依次发送的至少一个工作流执行单元模型;针对每个工作流执行单元模型,判断该工作流执行单元模型中的工作流执行单元运行时使用的系统身份标识是否均属于目标资源域有权使用的系统身份标识;若判断结果为是,将该工作流执行单元模型中的工作流执行单元部署到目标资源域中的工作节点上。在该过程中,主控节点11可对目标资源域中的工作节点进行调度,以便成功将每个工作流执行单元模型中的工作流执行单元部署到相应工作节点上。其中,对任一工作节点的调度过程可以是通知该工作节点需要部署工作流执行单元,并将需要部署到该工作节点上的工作流执行单元发送给该工作节点。其中,通知过程和发送工作流执行单元的过程可以是同一通信过程,也可以是不同的通信过程。For the master control node 11, it can receive at least one workflow execution unit model sequentially sent by the workflow management node 13; for each workflow execution unit model, determine the runtime of the workflow execution unit in the workflow execution unit model. Whether the used system identities belong to the system identities that the target resource domain has permission to use; if the judgment result is yes, deploy the workflow execution unit in the workflow execution unit model to the worker nodes in the target resource domain. In this process, the master control node 11 can schedule the worker nodes in the target resource domain, so as to successfully deploy the workflow execution units in each workflow execution unit model to the corresponding worker nodes. The scheduling process for any worker node may be to notify the worker node that the workflow execution unit needs to be deployed, and send the workflow execution unit to be deployed on the worker node to the worker node. The notification process and the process of sending the workflow execution unit may be the same communication process, or may be different communication processes.

In an optional embodiment, besides the workflow execution units and the system identities they use at runtime, the workflow deployment information may also contain the identifier of the target resource domain and the user identity credential of the user applying to deploy the workflow. The identifier of the target resource domain indicates in which resource domain the workflow is to be deployed; the user identity credential indicates which tenant is applying to deploy the workflow. Since each tenant has its own resource domains, the workflow management node 13 may also obtain the identifier of the target resource domain and the user identity credential from the workflow deployment information, send both to the master control node 11 so that the master control node 11 can determine whether the target resource domain identifier and the user identity credential correspond to each other (i.e. verify that the resource domain is legitimate), and receive the determination result returned by the master control node 11. Further, only once the master control node 11 has determined that the target resource domain identifier and the user identity credential correspond does the workflow management node 13 send the at least one workflow execution unit model to the master control node 11 in turn, following the time-sequence dependencies among them.

The master control node 11 also maintains the correspondence between the resource domain identifiers of the different tenants and the tenants' user identity credentials. Based on this correspondence, after receiving the target resource domain identifier and user identity credential sent by the workflow management node 13, the master control node 11 may look up the maintained correspondence, determine whether the target resource domain identifier and the user identity credential correspond, and return the determination result to the workflow management node 13.

Further optionally, once the master control node 11 has determined that the target resource domain identifier and the user identity credential correspond, the workflow management node 13 may send the at least one workflow execution unit model to the master control node 11 in turn, following the time-sequence dependencies among them, so that the master control node 11 deploys the workflow execution units in units of workflow execution unit models. For its part, once it has determined that the target resource domain identifier and the user identity credential correspond, the master control node 11 may go on to receive the at least one workflow execution unit model sent in turn by the workflow management node 13; for each model, it determines whether the system identities used at runtime by the workflow execution units in that model all belong to the system identities the target resource domain is entitled to use; if so, it deploys the workflow execution units in that model onto worker nodes in the target resource domain.

In an optional embodiment, each tenant comprises operation and maintenance (O&M) administrators and workflow deployers. An O&M administrator is effectively the tenant's administrator in the distributed computing system 10 and holds global configuration and management rights: for example, applying to the distributed computing system 10 for resource domains, configuring the security parameters of a resource domain, assigning usage rights to different workflow deployers, and issuing related parameters. Workflow deployers are chiefly responsible for deploying workflows in the resource domains. Optionally, the master control node 11 may provide the tenant's O&M administrators with a resource domain security configuration interface through which they configure the security parameters of a resource domain. The security parameters of a resource domain may include, but are not limited to, the user identity credential of the resource domain, the identifier of the resource domain and the system identities the resource domain is entitled to use. The O&M administrator configures the security parameters of the resource domain through the resource domain security configuration interface provided by the master control node 11. After obtaining the resource domain security parameters configured by the O&M administrator, the master control node 11 may establish the correspondence among these security parameters, chiefly the correspondence among the user identity credential of the resource domain, the identifier of the resource domain and the system identities the resource domain is entitled to use.

For the target resource domain, the tenant it belongs to is called the target tenant. The master control node 11 also provides the resource domain security configuration interface to the O&M administrators of the target tenant. For example, in response to a trigger operation by which the target tenant's O&M administrator requests access to the resource domain security configuration interface, the master control node 11 may present that interface to the administrator. The resource domain security configuration interface may be a web page, an application page, a command window or the like. Depending on how the interface is implemented, the trigger operation by which the O&M administrator requests access to it also differs. Taking a web page as an example, the O&M administrator may enter the link of the web page in the browser on the terminal device they use, click the access control to reach the login page and enter the login account and password there, after which the web page is displayed in the browser of the terminal device.

The resource domain security configuration interface contains configuration items for the security parameters related to the target resource domain. Once the interface is displayed, the target tenant's O&M administrator can configure the security parameters of the target resource domain through those configuration items, for example the user identity credential of the target resource domain, the identifier of the target resource domain and the system identities the target resource domain is entitled to use. The system identities the target resource domain is entitled to use may be given as a range of system identities or as a series of specific system identities.

After obtaining the security parameters of the target resource domain configured by the target tenant's O&M administrator, the master control node 11 may establish the correspondence among these security parameters, chiefly the correspondence among the user identity credential of the target resource domain, the identifier of the target resource domain and the system identities the target resource domain is entitled to use. Subsequently, during workflow deployment, the system identities used at runtime by the workflow execution units can be checked for legitimacy against the system identities the target resource domain is entitled to use.

The embodiments of the present application do not limit the manner in which the workflow management node 13 obtains the workflow deployment information. For example, the workflow management node 13 may provide workflow deployers with a workflow deployment interface on which they configure the workflow deployment information, and then obtain the workflow deployment information configured there. The workflow deployment information here may chiefly comprise the identifier of the target resource domain in which the workflow is to be deployed, the user identity credential of the user applying to deploy the workflow, and the system identities the workflow execution units use at runtime.

When the target tenant's workflow deployer needs to deploy a workflow, the deployer may issue a trigger operation requesting access to the workflow deployment interface. In response to that trigger operation, the workflow management node 13 may present the workflow deployment interface to the deployer. The workflow deployment interface contains the configuration items needed to deploy a workflow. Through these configuration items the target tenant's workflow deployer configures the workflow deployment information, for example the identifier of the target resource domain in which the workflow is to be deployed, the user identity credential of the user applying to deploy the workflow, and the system identities the workflow execution units use at runtime.

The workflow deployment interface may be a web page, an application page, a command window or the like. Depending on how it is implemented, the trigger operation by which the workflow deployer requests access to it also differs.

In an optional embodiment, after obtaining the workflow deployment information, the workflow management node 13 may extract from it the identifier of the target resource domain, the user identity credential of the user applying to deploy the workflow, the system identities the workflow execution units use at runtime, and similar information. First, it sends the target resource domain identifier and the user identity credential to the master control node 11 so that the master control node 11 can determine whether they correspond (i.e. verify that the resource domain is legitimate), and receives the determination result returned by the master control node 11. Further, once the master control node 11 has determined that they correspond, the workflow management node 13 generates at least one workflow execution unit model that the master control node 11 can recognize, each containing at least one workflow execution unit, and sends the at least one workflow execution unit model, together with the system identities used at runtime by the workflow execution units in each model, to the master control node 11 in turn, following the time-sequence dependencies among them. The master control node 11 receives the at least one workflow execution unit model sent in turn by the workflow management node 13; for each model, it determines whether the system identities used at runtime by the workflow execution units in that model all belong to the system identities the target resource domain is entitled to use; if so, it deploys the workflow execution units in that model onto worker nodes in the target resource domain.

In the embodiments of the present application, workflow deployment is combined with a distributed computing system that serves multiple tenants, allowing each tenant to deploy workflows in its own resource domains. During workflow deployment, each workflow execution unit is assigned the system identity it will use at runtime, which distinguishes the access rights of different workflow execution units to the shared storage resources of the distributed computing system. Because each workflow execution unit accesses the shared storage resources with the access rights corresponding to its runtime system identity, read/write isolation between tenants is achieved and the security of data in the shared storage resources is ensured.

It is worth noting that in the distributed computing system 10 of the embodiments of the present application the worker nodes may be containerized applications, in which case a container orchestration and scheduling system may be used to create, manage, discover, access and configure the worker nodes in the system, relieving the system's O&M staff of these tasks. A container orchestration and scheduling system is one that automatically deploys, scales and manages containerized applications; Kubernetes (K8s for short) may be used, for example, but the choice is not limited to it. In addition, the distributed computing system 10 of the embodiments of the present application can be applied in a variety of scenarios, such as gene sequencing on cloud computing.

Relying on the natural resource elasticity of cloud computing, the genomics industry has seen a marked reduction in the cost of data storage and of large-scale computation over massive data sets. In the embodiments of the present application, Kubernetes technology and workflow deployment can be combined to provide a workflow solution for gene sequencing, which helps improve key capabilities that gene sequencing computation depends on, such as highly concurrent processing, resource scheduling and large-file storage.

Based on the above, an embodiment of the present application further provides a distributed computing system implemented on a container orchestration and scheduling system, as shown in FIG. 1b. The distributed computing system 20 comprises a master control node 21, namespaces 24 corresponding to the different tenants, and a workflow management node 23. Each namespace 24 contains worker nodes 22.

In this embodiment, a container orchestration and scheduling system such as Kubernetes is used to logically divide the physical devices of the distributed computing system 20 into master control (Master) nodes 21 and worker nodes 22. The master control node 21 and the worker nodes 22 are deployed on physical devices in the distributed computing system 20; optionally, the master control node 21 and the worker nodes 22 are deployed on different physical devices. For ease of illustration, FIG. 1b takes a Kubernetes-based distributed computing system as its example. The master control node 21 serves as the management and control system of the container orchestration and scheduling system, and a group of cluster-management processes runs on it. Taking Kubernetes as an example, these processes include but are not limited to kube-apiserver, kube-controller-manager and kube-scheduler; they provide management capabilities such as resource management for the whole cluster, container group (e.g. Pod in Kubernetes) scheduling, elastic scaling, security control, system monitoring and error correction, all fully automated. The worker nodes 22 are the service nodes of the distributed computing system 20 and run the containerized applications; they are distributed across the namespaces 24 of the different tenants. On a worker node 22, a container group is the smallest unit of execution managed by the container orchestration and scheduling system, and a container group contains at least one container. Taking Kubernetes as an example, the smallest unit of execution it manages is the Pod; the word literally means a pea pod, and in this embodiment it refers to a collection of containers, that is, the container group described above. A worker node 22 runs the container-group-related processes of the container orchestration and scheduling system; in Kubernetes these include but are not limited to the kubelet and kube-proxy service processes, which are responsible for creating, starting, monitoring, restarting and destroying container groups (such as Pods) and for implementing a software-mode load balancer.

In the container orchestration and scheduling system, a Role-Based Access Control (RBAC) authorization policy is used. Under the RBAC authorization policy each tenant has its own user identity credential and its own namespace in the distributed system 20, and a tenant's user identity credential uniquely identifies that tenant. The tenant's user identity credential may be any information that uniquely identifies the tenant, for example the tenant's ID in the distributed system 20, or the tenant name, account, telephone number, e-mail address and/or home address the tenant registered in the distributed system 20. The namespace is an important concept in container orchestration and scheduling systems such as Kubernetes: by "assigning" the objects inside the distributed system 20 to different namespaces, logically grouped projects, teams or user groups are formed, so that the different groups can be managed separately while sharing the resources of the whole system. For example, the container groups (such as Pods), RCs and Services a tenant creates in the distributed computing system 20 are all created in the namespace corresponding to that tenant. Each namespace has its own identifier, such as an ID or a name. In this embodiment, the correspondence between a tenant's user identity credential and the identifier of its namespace is maintained.

In addition to the private resources exclusive to each tenant, the distributed computing system 20 also contains global shared resources that different tenants can share. In this embodiment, the global shared resources chiefly mean shared storage resources available to different tenants. The shared storage resources may be local storage or network storage, such as NAS. In this embodiment, the identity under which a tenant requests access to the shared storage resources is the system identity of the container at runtime, and each system identity corresponds to a certain set of access rights. It is worth noting that under a container orchestration and scheduling system such as the Kubernetes framework, the system identity of a container at runtime and the user identity credential governed by the orchestration system's native RBAC access control (as in Kubernetes) belong to two different account systems.

In this embodiment, different tenants can use the workflow management node 23 of the system to deploy workflows in their own namespaces, which means deploying the containers the workflow needs onto worker nodes 22; moreover, thanks to the native RBAC authorization policy of the container orchestration and scheduling system (such as Kubernetes), namespaces provide logical isolation between the workflows deployed by different tenants in a multi-tenant scenario. However, the native framework of the container orchestration and scheduling system (such as Kubernetes) has no capability to securely isolate the reads and writes that running containers make to shared storage resources, while in the gene sequencing scenario, with its massive data reads and writes and the inherent privacy of genomic data, and in other similar scenarios, the secure isolation of reads and writes to shared storage resources while containers run is an urgent problem. Therefore, in this embodiment, the workflow deployment process is extended with a layer that specifies the user: the containers the workflow needs are assigned the system identity they will use at runtime, and the native PodSecurityPolicy (PSP) model of the container orchestration and scheduling system (such as Kubernetes) is used to check the security parameters used at runtime by containers in the bound namespace. This guarantees that the runtime system identity specified for a container is correct and thus achieves secure isolation of reads and writes to shared storage resources between different containers at runtime in a multi-tenant scenario.

Based on the above, the workflow deployment principle of the distributed computing system 20 is described by taking the deployment of a workflow by any tenant in any of its namespaces as an example. For ease of description and distinction, that tenant is called the target tenant and that namespace of the tenant the target namespace; the workflow deployment principle of the distributed computing system 20 is then as follows:

The workflow management node 23 obtains, from the workflow deployment information for the target namespace, the system identities that the containers required by the workflow to be deployed will use at runtime, and transmits those system identities to the master control node 21; the master control node 21 compares the system identities the containers use at runtime with the system identities the target namespace is entitled to use, and, when the system identities the containers use at runtime belong to the system identities the target namespace is entitled to use, deploys the containers onto worker nodes under the target namespace. A container can then access the shared storage resources of the distributed computing system 20 with the access rights corresponding to the system identity it uses at runtime.

In an optional embodiment, considering that the smallest unit of execution of the container orchestration and scheduling system is the container group, the workflow management node is further used to generate, from the workflow deployment information, at least one container group model that the master control node 21 can recognize, each container group model containing at least one container, and to send the at least one container group model to the master control node 21 in turn, following the time-sequence dependencies among them, so that the master control node 21 deploys containers in units of container group models. The master control node 21 may receive the at least one container group model sent in turn by the workflow management node 23; for each container group model received, it determines whether the system identities used at runtime by the containers in that model all belong to the system identities the target namespace is entitled to use, and if so deploys the containers in that model onto worker nodes under the target namespace. Taking Kubernetes as an example, the smallest unit of execution it manages is the Pod, and the container group model above may be a Pod model.

In an optional embodiment, besides the containers the workflow needs and the system identities they use at runtime, the workflow deployment information may also contain the identifier of the target namespace and the user identity credential of the user applying to deploy the workflow. The identifier of the target namespace indicates in which namespace the workflow is to be deployed; the user identity credential indicates which tenant is applying to deploy the workflow. Since each tenant has its own namespaces, the workflow management node 13 may also obtain the identifier of the target namespace and the user identity credential from the workflow deployment information, send both to the master control node 11 so that the master control node 11 can determine whether the target namespace identifier and the user identity credential correspond (i.e. verify that the namespace is legitimate), and receive the determination result returned by the master control node 11.

The master control node 11 also maintains the correspondence between the namespace identifiers of the different tenants and the tenants' user identity credentials. Based on this correspondence, after receiving the target namespace identifier and user identity credential sent by the workflow management node 13, the master control node 11 may look up the maintained correspondence, determine whether the target namespace identifier and the user identity credential correspond, and return the determination result to the workflow management node 13.

Further optionally, once the master control node 11 has determined that the target namespace identifier corresponds to the user identity credential, the workflow management node 13 may send the at least one container group model (for example, a Pod model) to the master control node 11 one by one, in the order given by the time-sequence dependencies between the models, so that the master control node 11 deploys containers with the container group model as the unit of deployment. For the master control node 11, once the correspondence has been confirmed, it continues to receive the container group models sent in sequence by the workflow management node 13; for each container group model it determines whether the system identities used at runtime by every container in the model belong to the set of system identities the target namespace is permitted to use (a model in which any one container falls outside that set fails the check as a whole); if so, it deploys the containers in that container group model onto worker nodes in the target namespace.

In an optional embodiment, the target tenant comprises operation and maintenance (O&M) administrators and workflow deployers. An O&M administrator is in effect the target tenant's administrator within the distributed computing system 20 and has global configuration and management authority: for example, applying to the distributed computing system 20 for a namespace, configuring the security parameters of that namespace, granting usage permissions to individual workflow deployers and distributing the relevant parameters to them. Workflow deployers are mainly responsible for deploying workflows in the namespace. Optionally, the master control node 11 may provide the target tenant's O&M administrators with a namespace security configuration interface through which they configure the security parameters of the target namespace. The security parameters of the target namespace may include, but are not limited to, the user identity credential of the target namespace, the identifier of the target namespace, and the system identities the target namespace is permitted to use. The O&M administrator configures these parameters through the namespace security configuration interface provided by the master control node 11. After obtaining the security parameters configured by the O&M administrator, the master control node 11 can establish the correspondence between them, chiefly the correspondence between the target namespace's user identity credential, the target namespace's identifier, and the system identities the target namespace is permitted to use.

The namespace security configuration interface may be a web page, an application page, a command window, or the like. Depending on how the interface is implemented, the trigger operation by which an O&M administrator requests access to it differs. Taking a web page as an example, the O&M administrator may enter the link of the web page in the browser of the terminal device in use, click the access control to reach a login page, enter the login account and password on that page, and then have the browser on the terminal device display the web page.

The embodiments of the present application do not limit the manner in which the workflow management node 23 obtains the workflow deployment information. For example, the workflow management node 23 may further be configured to provide a workflow deployment interface to the target tenant's workflow deployers and to obtain the workflow deployment information they configure on that interface. The workflow deployment information here includes the identifier of the target namespace, the user identity credential of the party applying to deploy the workflow, and the system identities to be used at runtime by the containers the workflow to be deployed requires.

When a workflow deployer of the target tenant needs to deploy a workflow, the deployer issues a trigger operation requesting access to the workflow deployment interface. In response to that trigger operation, the workflow management node 23 displays the workflow deployment interface to the deployer. The interface contains the configuration items required to deploy a workflow, through which the deployer configures the workflow deployment information: for example, the identifier of the target namespace in which the workflow is to be deployed, the user identity credential of the party applying to deploy the workflow, and the system identities the containers are to use at runtime.

The workflow deployment interface may be a web page, an application page, a command window, or the like. Depending on how it is implemented, the trigger operation by which a workflow deployer requests access to it differs.

In an optional embodiment, after obtaining the workflow deployment information, the workflow management node 23 may extract from it the identifier of the target namespace, the user identity credential of the party applying to deploy the workflow, the system identities the containers are to use at runtime, and so on. First, it sends the target namespace identifier and the user identity credential to the master control node 21, so that the master control node 21 can determine whether the two correspond, that is, verify the legitimacy of the namespace, and receives the determination result returned by the master control node 21. Further, once the master control node 21 has determined that the target namespace identifier corresponds to the user identity credential, the workflow management node 23 generates from the workflow deployment information at least one container group model (for example, a Pod model) that the master control node 21 can recognise, each model containing at least one container, and sends the container group models, together with the system identities used at runtime by the containers in each model, to the master control node 21 one by one in the order given by the time-sequence dependencies between the models. The master control node 21 receives the container group models sent in sequence by the workflow management node 23; for each model it determines whether the system identities used at runtime by every container in the model belong to the set of system identities the target namespace is permitted to use, and if so deploys the containers in that model onto worker nodes in the target namespace.

It should be noted that the workflow management node 23 of this embodiment may adopt, but is not limited to, the argo workflow engine. When the argo workflow engine is used, its functionality can be extended in line with the functions of the workflow management node 23 described in this application. Specifically, the native argo workflow engine is extended to pass the system identity a container is to run under down to that container, and the PSP (PodSecurityPolicy) check performed when containers are deployed is modified. This avoids the limitation that the native PSP check of a container orchestration and scheduling system (such as Kubernetes) imposes on the security check of the containers in a container group model, so that a runtime system identity can be specified for each container and the security check completed: only containers that satisfy the security parameters prescribed in the PSP model pass the check and are allowed to be deployed. At the same time, this settles the access permissions a running container has to the storage directories in the shared storage resource, achieving secure isolation of read and write access to the shared storage resource in a multi-tenant environment.
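The two-stage check described in the preceding paragraphs (first the binding between the deployer's credential and the target namespace, then a per-Pod check that every container's runtime UID lies in the ranges the namespace may use, applied to the Pod models in dependency order) is compact enough to show end to end. The following Go program is an added example written for this page; it is not code from the patent, from argo or from Kubernetes. The type and function names (NamespacePolicy, MasterNode, AdmitPod, DeployWorkflow), the tenant names, credentials and UID ranges are all constructed for illustration. Kubernetes PodSecurityPolicy was deprecated in 1.21 and removed in 1.25, so in a current cluster this logic would live in a validating admission webhook or a policy engine rather than in a PSP.

```go
package main

import "fmt"

// UIDRange is an inclusive range of system identities (runAsUser values)
// that a namespace (resource domain) is permitted to use.
type UIDRange struct{ Min, Max int64 }

// NamespacePolicy is the per-namespace security configuration an O&M
// administrator would enter on the master control node: the namespace
// identifier, the tenant credential bound to it, and the permitted UID ranges.
// All field values used below are constructed sample data.
type NamespacePolicy struct {
	Namespace  string
	Credential string // opaque tenant credential, compared by equality here (hypothetical)
	Allowed    []UIDRange
}

// Container carries the one field the check cares about: the UID the
// container runs under (securityContext.runAsUser in Kubernetes terms).
type Container struct {
	Name      string
	RunAsUser *int64 // nil: no identity declared
}

// PodModel is one container group model; Pods are submitted in the
// order dictated by the workflow's step dependencies.
type PodModel struct {
	Name       string
	Containers []Container
}

// MasterNode holds the correspondence between namespace identifiers
// and tenant credentials that the master control node maintains.
type MasterNode struct {
	policies map[string]NamespacePolicy
}

func NewMasterNode(ps ...NamespacePolicy) *MasterNode {
	m := &MasterNode{policies: map[string]NamespacePolicy{}}
	for _, p := range ps {
		m.policies[p.Namespace] = p
	}
	return m
}

// VerifyNamespace is the first stage: does the credential presented by the
// deployer correspond to the target namespace?
func (m *MasterNode) VerifyNamespace(ns, credential string) error {
	p, ok := m.policies[ns]
	if !ok {
		return fmt.Errorf("namespace %q is not registered", ns)
	}
	if p.Credential != credential { // use a constant-time compare for real secrets
		return fmt.Errorf("credential does not correspond to namespace %q", ns)
	}
	return nil
}

func (p NamespacePolicy) permits(uid int64) bool {
	for _, r := range p.Allowed {
		if uid >= r.Min && uid <= r.Max {
			return true
		}
	}
	return false
}

// AdmitPod is the second stage, applied per container group model: every
// container must declare a runAsUser, and every declared UID must fall in a
// permitted range. One offending container rejects the whole Pod.
func (m *MasterNode) AdmitPod(ns string, pod PodModel) error {
	p, ok := m.policies[ns]
	if !ok {
		return fmt.Errorf("namespace %q is not registered", ns)
	}
	for _, c := range pod.Containers {
		if c.RunAsUser == nil {
			return fmt.Errorf("pod %s: container %s declares no runAsUser", pod.Name, c.Name)
		}
		if !p.permits(*c.RunAsUser) {
			return fmt.Errorf("pod %s: container %s runAsUser %d is outside the ranges permitted to %q",
				pod.Name, c.Name, *c.RunAsUser, ns)
		}
	}
	return nil
}

// DeployWorkflow plays the workflow management node: verify the namespace
// binding once, then submit the Pod models in dependency order and stop at
// the first one that is refused. It returns the names of the Pods deployed.
func DeployWorkflow(m *MasterNode, ns, credential string, ordered []PodModel) ([]string, error) {
	if err := m.VerifyNamespace(ns, credential); err != nil {
		return nil, err
	}
	var deployed []string
	for _, pod := range ordered {
		if err := m.AdmitPod(ns, pod); err != nil {
			return deployed, err
		}
		deployed = append(deployed, pod.Name)
	}
	return deployed, nil
}

func uid(v int64) *int64 { return &v }

func main() {
	m := NewMasterNode(NamespacePolicy{
		Namespace: "tenant-a", Credential: "cred-a", // constructed sample values
		Allowed: []UIDRange{{Min: 10000, Max: 10999}},
	})
	steps := []PodModel{
		{Name: "fetch", Containers: []Container{{Name: "main", RunAsUser: uid(10001)}}},
		{Name: "train", Containers: []Container{{Name: "main", RunAsUser: uid(10001)}, {Name: "sidecar", RunAsUser: uid(0)}}},
		{Name: "publish", Containers: []Container{{Name: "main", RunAsUser: uid(10001)}}},
	}
	done, err := DeployWorkflow(m, "tenant-a", "cred-a", steps)
	fmt.Println(done, err) // "fetch" is deployed, "train" is refused for its root sidecar
}
```

Stopping at the first refused Pod matters because later steps depend on earlier ones: admitting "publish" after "train" was rejected would run a step whose inputs never existed. Note also that a missing runAsUser is treated as a failure rather than defaulted, since a container with no declared identity inherits whatever UID the image sets, which is often root.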

The distributed computing system 20 shown in FIG. 1b can serve as a specific implementation of the distributed computing system 10 shown in FIG. 1a; some of its content is the same as or similar to that of the distributed computing system 10, and for matters not covered in this embodiment reference may be made to the description of the foregoing embodiments, which is not repeated here.

FIG. 2a is a schematic flowchart of a workflow deployment method provided by an exemplary embodiment of the present application. This embodiment is described from the perspective of the workflow management node. As shown in FIG. 2a, the method includes:

201a. Obtain, according to the workflow deployment information in the target resource domain, the system identity the workflow execution unit is to use at runtime; where the workflow execution unit accesses the shared storage resource of the distributed computing system to which the workflow management node belongs with the access permissions that correspond to the system identity it runs under.

202a. Transmit the system identity the workflow execution unit is to use at runtime to the master control node of the distributed computing system, so that the master control node deploys the workflow execution unit onto a worker node in the target resource domain when that system identity belongs to the set of system identities the target resource domain is permitted to use.

FIG. 2b is a schematic flowchart of a workflow deployment method provided by an exemplary embodiment of the present application. This embodiment is described from the perspective of the master control node. As shown in FIG. 2b, the method includes:

201b. Receive, from the workflow management node, the system identity a workflow execution unit is to use at runtime, the workflow execution unit being an execution unit of a workflow that is to be deployed in the target resource domain.

202b. When the system identity the workflow execution unit is to use at runtime belongs to the set of system identities the target resource domain is permitted to use, deploy the workflow execution unit onto a worker node in the target resource domain; where the workflow execution unit accesses the shared storage resource of the distributed computing system with the access permissions that correspond to the system identity it runs under.

In the embodiments of the present application, the master control node and the workflow management node of the distributed computing system cooperate to allow a tenant to deploy workflows in its own resource domain. During deployment, a runtime system identity can be specified for each workflow execution unit so as to distinguish the access permissions of different workflow execution units to the shared storage resource of the distributed computing system. Because each workflow execution unit accesses the shared storage resource with the access permissions that correspond to the system identity it runs under, read and write isolation is achieved between tenants and the security of the data in the shared storage resource is maintained.
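The read and write isolation claimed in this paragraph ultimately rests on how the storage backend evaluates the UID a container runs under. The following Go program is an added example for this page, not code from the patent or from any named project: it models a shared volume laid out with one 0700 directory per tenant and applies the POSIX discretionary access check to principals with different runAsUser values. The paths, UIDs and directory layout are constructed sample data, and the type names (Principal, Entry, SharedVolume) are hypothetical. It also shows the edge case the whole scheme depends on: a principal admitted with UID 0 bypasses the check entirely, which is why the admission stage must keep root out of every tenant's permitted UID range.

```go
package main

import (
	"fmt"
	"os"
)

// Principal is the identity a workflow execution unit runs under: its UID,
// primary GID and supplementary groups (runAsUser, runAsGroup and
// supplementalGroups in Kubernetes terms).
type Principal struct {
	UID    int64
	GID    int64
	Groups []int64
}

// Entry models one directory or file on the shared volume: owner, group and
// permission bits, as the filesystem stores them.
type Entry struct {
	Path  string
	Owner int64
	Group int64
	Mode  os.FileMode
}

// Requested access bits, in the positions of a single permission triad.
const (
	Read  os.FileMode = 0o4
	Write os.FileMode = 0o2
	Exec  os.FileMode = 0o1
)

func (p Principal) inGroup(gid int64) bool {
	if p.GID == gid {
		return true
	}
	for _, g := range p.Groups {
		if g == gid {
			return true
		}
	}
	return false
}

// Allowed applies the POSIX discretionary access check: exactly one triad
// applies, chosen by owner, then group, then other. A UID 0 principal is
// modelled as bypassing the check, as root holding CAP_DAC_OVERRIDE does,
// which is why a tenant that can run as root is not isolated by this scheme.
func Allowed(p Principal, e Entry, want os.FileMode) bool {
	if p.UID == 0 {
		return true
	}
	perm := e.Mode.Perm()
	var triad os.FileMode
	switch {
	case p.UID == e.Owner:
		triad = (perm >> 6) & 0o7
	case p.inGroup(e.Group):
		triad = (perm >> 3) & 0o7
	default:
		triad = perm & 0o7
	}
	return triad&want == want
}

// SharedVolume is a constructed layout of the kind an O&M administrator might
// prepare: one 0700 directory per tenant, owned by a UID from that tenant's
// permitted range, plus a world-readable dataset directory owned by root.
var SharedVolume = []Entry{
	{Path: "/shared/tenant-a", Owner: 10001, Group: 10001, Mode: 0o700},
	{Path: "/shared/tenant-b", Owner: 20001, Group: 20001, Mode: 0o700},
	{Path: "/shared/datasets", Owner: 0, Group: 0, Mode: 0o755},
}

// Lookup finds an entry by path; ok is false when it does not exist.
func Lookup(path string) (Entry, bool) {
	for _, e := range SharedVolume {
		if e.Path == path {
			return e, true
		}
	}
	return Entry{}, false
}

// CanAccess answers whether the principal may perform `want` on `path`
// within the sample layout; a missing path is never accessible.
func CanAccess(p Principal, path string, want os.FileMode) bool {
	e, ok := Lookup(path)
	return ok && Allowed(p, e, want)
}

func main() {
	tenantA := Principal{UID: 10001, GID: 10001}
	tenantB := Principal{UID: 20001, GID: 20001}
	for _, c := range []struct {
		who  Principal
		path string
		want os.FileMode
	}{
		{tenantA, "/shared/tenant-a", Read | Write},
		{tenantA, "/shared/tenant-b", Read},
		{tenantB, "/shared/datasets", Read | Exec},
		{tenantB, "/shared/datasets", Write},
	} {
		fmt.Printf("uid %d on %s want %o: %v\n", c.who.UID, c.path, c.want, CanAccess(c.who, c.path, c.want))
	}
}
```

Two properties of the check are worth keeping in mind when designing the UID ranges. Only one triad is consulted, so a group match with a more restrictive group triad does not fall through to the "other" bits; and the isolation is only as strong as the guarantee that no two tenants share a UID or GID, which is exactly what the per-namespace permitted ranges enforced at admission provide.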

In an optional embodiment of the above method, the workflow management node may further generate from the workflow deployment information at least one workflow execution unit model recognisable by the master control node, each model containing at least one workflow execution unit, and send the models to the master control node one by one in the order given by the time-sequence dependencies between them, so that the master control node deploys workflow execution units with the model as the unit of deployment. Correspondingly, the master control node receives the workflow execution unit models sent in sequence by the workflow management node, each containing at least one workflow execution unit; for each model it determines whether the system identities used at runtime by every workflow execution unit in the model belong to the set of system identities the target resource domain is permitted to use, and if so deploys the workflow execution units in that model onto worker nodes in the target resource domain.

In an optional embodiment of the above method, the workflow management node may further obtain from the workflow deployment information the identifier of the target resource domain and the user identity credential of the party applying to deploy the workflow, send both to the master control node so that it can determine whether they correspond, and receive the determination result returned by the master control node. Correspondingly, the master control node receives the target resource domain identifier and the user identity credential from the workflow management node, determines from the pre-maintained correspondence between resource domain identifiers and user identity credentials whether the two correspond, and returns the determination result to the workflow management node.

Further, in the above method, once the master control node has determined that the target resource domain identifier corresponds to the user identity credential, the workflow management node may send the at least one workflow execution unit model to the master control node one by one in the order given by the time-sequence dependencies between the models, so that the master control node deploys workflow execution units with the model as the unit of deployment. For the master control node, once the correspondence has been confirmed, it continues to receive the workflow execution unit models sent in sequence by the workflow management node; for each model it determines whether the system identities used at runtime by every workflow execution unit in the model belong to the set of system identities the target resource domain is permitted to use, and if so deploys the workflow execution units in that model onto worker nodes in the target resource domain.

In an optional embodiment of the above method, the workflow management node may further provide a workflow deployment interface to the workflow deployers of the target tenant and obtain the workflow deployment information they configure on it; the workflow deployment information includes the identifier of the target resource domain in which the workflow is to be deployed, the user identity credential of the party applying to deploy the workflow, and the system identity the workflow execution unit is to use at runtime; the target tenant corresponds to the target resource domain.

In an optional embodiment of the above method, the master control node may further provide a resource domain security configuration interface to the O&M administrators of the target tenant, through which they configure the security parameters of the target resource domain; the security parameters include the user identity credential of the target resource domain, the identifier of the target resource domain, and the system identities the target resource domain is permitted to use; the master control node then establishes the correspondence between the target resource domain's user identity credential, its identifier, and the range of runtime user identities it is permitted to use; the target tenant corresponds to the target resource domain.

It should be noted that some of the flows described in the above embodiments and drawings comprise multiple operations appearing in a particular order, but it should be clearly understood that these operations may be performed out of the order in which they appear herein or in parallel; operation numbers such as 201a and 202a serve only to distinguish the operations and do not themselves denote any order of execution. These flows may also include more or fewer operations, which may be performed sequentially or in parallel. The terms "first", "second" and the like herein distinguish different messages, devices, modules and so on; they denote no order, nor do they require a "first" and a "second" item to be of different types.

FIG. 3 is a schematic structural diagram of a node device provided by an exemplary embodiment of the present application. The node device may be implemented as the workflow management node of the foregoing embodiments. As shown in FIG. 3, the node device includes a memory 31, a processor 32 and a communication component 33.

The memory 31 stores a computer program and may be configured to store various other data to support operation on the node device. Examples of such data include instructions for any application or method operating on the node device, contact data, phone book data, messages, pictures, videos and so on.

The processor 32, coupled to the memory 31, executes the computer program in the memory 31 in order to:

obtain, according to the workflow deployment information in the target resource domain, the system identity the workflow execution unit is to use at runtime;

transmit, via the communication component 33, that system identity to the master control node of the distributed computing system to which the workflow management node belongs, so that the master control node deploys the workflow execution unit onto a worker node in the target resource domain when the system identity belongs to the set of system identities the target resource domain is permitted to use; where the workflow execution unit accesses the shared storage resource of the distributed computing system with the access permissions that correspond to the system identity it runs under.

In an optional embodiment, the processor 32 is further configured to generate from the workflow deployment information at least one workflow execution unit model recognisable by the master control node, each containing at least one workflow execution unit, and to send the models via the communication component 33 to the master control node one by one in the order given by the time-sequence dependencies between them, so that the master control node deploys workflow execution units with the model as the unit of deployment.

In an optional embodiment, the processor 32 is further configured to, before sending the workflow execution unit models to the master control node, obtain from the workflow deployment information the identifier of the target resource domain and the user identity credential of the party applying to deploy the workflow; to send both via the communication component 33 to the master control node so that it can determine whether they correspond; and to receive the determination result returned by the master control node.

In an optional embodiment, the processor 32 is further configured to provide a workflow deployment interface to the workflow deployers of the target tenant and to obtain the workflow deployment information they configure on it; the workflow deployment information includes the identifier of the target resource domain in which the workflow is to be deployed, the user identity credential of the party applying to deploy the workflow, and the system identity the workflow execution unit is to use at runtime; the target tenant corresponds to the target resource domain.

Further, as shown in FIG. 3, the node device also includes other components such as a display 34, a power supply component 35 and an audio component 36. FIG. 3 shows only some components schematically and does not imply that the node device includes only those components. Depending on the form in which the node device is implemented, the components drawn with dashed boxes in FIG. 3 are optional rather than mandatory.

Correspondingly, the embodiments of the present application also provide a computer-readable storage medium storing a computer program which, when executed, implements the steps of the above method embodiments that can be performed by the workflow management node.

FIG. 4 is a schematic structural diagram of another node device provided by an exemplary embodiment of the present application. The node device may be implemented as the master control node of the foregoing embodiments. As shown in FIG. 4, the node device includes a memory 41, a processor 42 and a communication component 43.

The memory 41 stores a computer program and may be configured to store various other data to support operation on the node device. Examples of such data include instructions for any application or method operating on the node device, contact data, phone book data, messages, pictures, videos and so on.

The processor 42, coupled to the memory 41, executes the computer program in the memory 41 in order to:

receive, via the communication component 43, the system identity a workflow execution unit is to use at runtime as sent by the workflow management node, the workflow execution unit being an execution unit of a workflow that is to be deployed in the target resource domain;

when that system identity belongs to the set of system identities the target resource domain is permitted to use, deploy the workflow execution unit onto a worker node in the target resource domain;

where the workflow execution unit accesses the shared storage resource of the distributed computing system with the access permissions that correspond to the system identity it runs under.

In an optional embodiment, the processor 42 is specifically configured to receive, via the communication component 43, at least one workflow execution unit model sent in sequence by the workflow management node, each containing at least one workflow execution unit; and, for each model, to determine whether the system identities used at runtime by every workflow execution unit in the model belong to the set of system identities the target resource domain is permitted to use, and if so to deploy the workflow execution units in that model onto worker nodes in the target resource domain.

In an optional embodiment, the processor 42 is further configured to receive, via the communication component 43, the identifier of the target resource domain and the user identity credential of the party applying to deploy the workflow as sent by the workflow management node; to determine from the pre-maintained correspondence between resource domain identifiers and user identity credentials whether the two correspond; and to return the determination result to the workflow management node.

In an optional embodiment, the processor 42 is further configured to provide a resource domain security configuration interface to the O&M administrators of the target tenant, through which they configure the security parameters of the target resource domain; the security parameters include the user identity credential of the target resource domain, the identifier of the target resource domain, and the system identities the target resource domain is permitted to use; and to establish the correspondence between the target resource domain's user identity credential, its identifier, and the range of runtime user identities it is permitted to use; the target tenant corresponds to the target resource domain.

Further, as shown in FIG. 4, the node device may also include other components such as a display 44, a power supply component 45 and an audio component 46. FIG. 4 shows only some components schematically; it does not mean the node device includes only those shown. Depending on how the node device is implemented, the components drawn with dashed boxes in FIG. 4 are optional rather than mandatory.

Correspondingly, embodiments of the present application also provide a computer-readable storage medium storing a computer program which, when executed, implements the steps of the above method embodiments that can be performed by the master control node.

The memory in FIG. 3 and FIG. 4 may be implemented by any type of volatile or non-volatile storage device or a combination of them, such as static random-access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc.

The communication component in FIG. 3 and FIG. 4 is configured to enable wired or wireless communication between the device that contains it and other devices. That device can access a wireless network based on a communication standard such as WiFi, 2G or 3G, or a combination of them. In one exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system over a broadcast channel. In one exemplary embodiment, the communication component may further include a near-field communication (NFC) module, radio-frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and the like.

The display in FIG. 3 and FIG. 4 includes a screen, which may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, it may be implemented as a touch screen that receives input signals from the user. The touch panel includes one or more touch sensors for sensing touches, swipes and gestures on the panel. The touch sensors may sense not only the boundary of a touch or swipe action but also the duration and pressure associated with it.

The power supply component in FIG. 3 and FIG. 4 provides power to the various components of the device that contains it. The power supply component may include a power management system, one or more power sources, and other components associated with generating, managing and distributing power for that device.

The audio component in FIG. 3 and FIG. 4 may be configured to output and/or input audio signals. For example, the audio component includes a microphone (MIC) configured to receive external audio signals when the device that contains it is in an operating mode such as call mode, recording mode or speech recognition mode. The received audio signal may be further stored in the memory or sent via the communication component. In some embodiments, the audio component further includes a speaker for outputting audio signals.

Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by that processor produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in that memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on it to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.

The memory may include non-persistent memory in computer-readable media, random-access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media include persistent and non-persistent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random-access memory (SRAM), dynamic random-access memory (DRAM), other types of random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.

It should also be noted that the terms "comprise", "include" or any other variant of them are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises it.

The above are merely embodiments of the present application and are not intended to limit it. Those skilled in the art may make various changes and variations to the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall fall within the scope of its claims.

Claims (24)

1. A distributed computing system, comprising a master control node, a workflow management node, and resource domains corresponding to different tenants, wherein: the workflow management node is configured to obtain, from the workflow deployment information of a target resource domain, the system identity that a workflow execution unit uses at runtime, and to transmit that system identity to the master control node; the master control node is configured to deploy the workflow execution unit onto a worker node in the target resource domain when the system identity the workflow execution unit uses at runtime belongs to the system identities the target resource domain is entitled to use; and the workflow execution unit accesses the shared storage resources of the distributed computing system with the access permissions corresponding to the system identity it uses at runtime.

2. The system according to claim 1, wherein the workflow management node is further configured to: generate, from the workflow deployment information, at least one workflow execution unit model recognizable by the master control node, each workflow execution unit model containing at least one workflow execution unit; and send the at least one workflow execution unit model to the master control node one after another in the order of the timing dependencies between them, so that the master control node deploys workflow execution units one workflow execution unit model at a time.

3. The system according to claim 2, wherein the master control node is specifically configured to: receive the at least one workflow execution unit model sent one after another by the workflow management node; and, for each workflow execution unit model, determine whether the system identities used at runtime by the workflow execution units in that model all belong to the system identities the target resource domain is entitled to use, and if so, deploy the workflow execution units in that model onto worker nodes in the target resource domain.

4. The system according to claim 3, wherein the workflow management node is further configured to: obtain from the workflow deployment information the identifier of the target resource domain and the identity credential of the user applying to deploy the workflow; send the identifier of the target resource domain and the user identity credential to the master control node; and, when the master control node determines that the identifier of the target resource domain and the user identity credential correspond, send the at least one workflow execution unit model to the master control node one after another in the order of the timing dependencies between them.

5. The system according to claim 4, wherein the master control node is further configured to determine, from a pre-maintained correspondence between resource domain identifiers and user identity credentials, whether the identifier of the target resource domain and the user identity credential correspond, and to return the result to the workflow management node.

6. The system according to any one of claims 1 to 5, wherein the master control node is further configured to: provide a resource domain security configuration interface to the operations and maintenance staff of the target tenant, through which they configure the security parameters of the target resource domain, the security parameters including the user identity credential of the target resource domain, the identifier of the target resource domain and the system identities the target resource domain is entitled to use; and establish the correspondence between the user identity credential of the target resource domain, the identifier of the target resource domain and the range of runtime user identities the target resource domain is entitled to use; wherein the target tenant corresponds to the target resource domain.

7. The system according to any one of claims 1 to 5, wherein the workflow management node is further configured to provide a workflow deployment interface to workflow deployers of the target tenant and to obtain the workflow deployment information they configure on that interface; wherein the workflow deployment information includes the identifier of the target resource domain in which the workflow is to be deployed, the identity credential of the user applying to deploy the workflow, and the system identity the workflow execution unit uses at runtime; and the target tenant corresponds to the target resource domain.

8. The system according to any one of claims 1 to 5, wherein the system identity the workflow execution unit uses at runtime is a user identifier (Uid) or a user group identifier (Gid).

9. A distributed computing system implemented on a container orchestration and scheduling system, comprising a master control node, a workflow management node, and namespaces corresponding to different tenants, wherein: the workflow management node is configured to obtain, from the workflow deployment information of a target namespace, the system identity used at runtime by the containers the workflow to be deployed requires, and to transmit that system identity to the master control node; the master control node is configured to deploy the containers onto worker nodes under the target namespace when the system identity the containers use at runtime belongs to the system identities the target namespace is entitled to use; and the containers access the shared storage resources of the distributed computing system with the access permissions corresponding to the system identity they use at runtime.

10. The system according to claim 9, wherein the workflow management node is further configured to: generate, from the workflow deployment information, at least one container group model recognizable by the master control node, each container group model containing at least one container; and send the at least one container group model to the master control node one after another in the order of the timing dependencies between them, so that the master control node deploys containers one container group model at a time.

11. The system according to claim 10, wherein the master control node is specifically configured to: receive the at least one container group model sent one after another by the workflow management node; and, for each container group model, determine whether the system identities used at runtime by the containers in that model all belong to the system identities the target namespace is entitled to use, and if so, deploy the containers in that model onto worker nodes under the target namespace.

12. The system according to any one of claims 9 to 11, wherein the workflow management node is further configured to provide a workflow deployment interface to workflow deployers of the target tenant and to obtain the workflow deployment information they configure on that interface; wherein the workflow deployment information includes the identifier of the target namespace, the identity credential of the user applying to deploy the workflow, and the system identity used at runtime by the containers the workflow to be deployed requires; and the target tenant corresponds to the target namespace.

13. A workflow deployment method, applicable to a workflow management node, the method comprising: obtaining, from the workflow deployment information of a target resource domain, the system identity that a workflow execution unit uses at runtime; and transmitting that system identity to the master control node of the distributed computing system to which the workflow management node belongs, so that the master control node deploys the workflow execution unit onto a worker node in the target resource domain when the system identity the workflow execution unit uses at runtime belongs to the system identities the target resource domain is entitled to use; wherein the workflow execution unit accesses the shared storage resources of the distributed computing system with the access permissions corresponding to the system identity it uses at runtime.

14. The method according to claim 13, further comprising: generating, from the workflow deployment information, at least one workflow execution unit model recognizable by the master control node, each workflow execution unit model containing at least one workflow execution unit; and sending the at least one workflow execution unit model to the master control node one after another in the order of the timing dependencies between them, so that the master control node deploys workflow execution units one workflow execution unit model at a time.

15. The method according to claim 14, further comprising, before sending the at least one workflow execution unit model to the master control node one after another: obtaining from the workflow deployment information the identifier of the target resource domain and the identity credential of the user applying to deploy the workflow; sending the identifier of the target resource domain and the user identity credential to the master control node, so that the master control node determines whether they correspond; and receiving from the master control node the result of determining whether the identifier of the target resource domain and the user identity credential correspond.

16. The method according to any one of claims 13 to 15, further comprising: providing a workflow deployment interface to workflow deployers of the target tenant and obtaining the workflow deployment information they configure on that interface; wherein the workflow deployment information includes the identifier of the target resource domain in which the workflow is to be deployed, the identity credential of the user applying to deploy the workflow, and the system identity the workflow execution unit uses at runtime; and the target tenant corresponds to the target resource domain.

17. A workflow deployment method, applicable to a master control node, the method comprising: receiving, from a workflow management node, the system identity that a workflow execution unit uses at runtime, the workflow execution unit being an execution unit of a workflow to be deployed in a target resource domain; and deploying the workflow execution unit onto a worker node in the target resource domain when the system identity the workflow execution unit uses at runtime belongs to the system identities the target resource domain is entitled to use; wherein the workflow execution unit accesses the shared storage resources of the distributed computing system with the access permissions corresponding to the system identity it uses at runtime.

18. The method according to claim 17, wherein deploying the workflow execution unit onto a worker node in the target resource domain comprises: receiving at least one workflow execution unit model sent one after another by the workflow management node, each workflow execution unit model containing at least one workflow execution unit; and, for each workflow execution unit model, determining whether the system identities used at runtime by the workflow execution units in that model all belong to the system identities the target resource domain is entitled to use, and if so, deploying the workflow execution units in that model onto worker nodes in the target resource domain.

19. The method according to claim 18, further comprising, before receiving the at least one workflow execution unit model sent one after another by the workflow management node: receiving the identifier of the target resource domain and the identity credential of the user applying to deploy the workflow, both sent by the workflow management node; and determining, from a pre-maintained correspondence between resource domain identifiers and user identity credentials, whether the identifier of the target resource domain and the user identity credential correspond, and returning the result to the workflow management node.

20. The method according to any one of claims 17 to 19, further comprising: providing a resource domain security configuration interface to the operations and maintenance staff of the target tenant, through which they configure the security parameters of the target resource domain, the security parameters including the user identity credential of the target resource domain, the identifier of the target resource domain and the system identities the target resource domain is entitled to use; and establishing the correspondence between the user identity credential of the target resource domain, the identifier of the target resource domain and the range of runtime user identities the target resource domain is entitled to use; wherein the target tenant corresponds to the target resource domain.

21. A node device, comprising a memory and a processor, the memory being configured to store a computer program which, when executed by the processor, causes the processor to implement the steps of the method according to any one of claims 13 to 16.

22. A computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the method according to any one of claims 13 to 16.

23. A node device, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to implement the steps of the method according to any one of claims 17 to 20.

24. A computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the method according to any one of claims 17 to 20.
CN201910452307.8A 2019-05-28 2019-05-28 Workflow deployment method, device, system and storage medium Active CN112015524B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910452307.8A CN112015524B (en) 2019-05-28 2019-05-28 Workflow deployment method, device, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910452307.8A CN112015524B (en) 2019-05-28 2019-05-28 Workflow deployment method, device, system and storage medium

Publications (2)

Publication Number Publication Date
CN112015524A true CN112015524A (en) 2020-12-01
CN112015524B CN112015524B (en) 2024-11-29

Family

ID=73500995

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910452307.8A Active CN112015524B (en) 2019-05-28 2019-05-28 Workflow deployment method, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN112015524B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112698914A (en) * 2020-12-30 2021-04-23 北京理工大学 Workflow task container generation system and method

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532981A (en) * 2013-10-31 2014-01-22 中国科学院信息工程研究所 Identity escrow and authentication cloud resource access control system and method for multiple tenants
CN104123616A (en) * 2014-07-25 2014-10-29 南京邮电大学 Cloud computing system towards multiple tenants
CN104769908A (en) * 2012-09-07 2015-07-08 甲骨文国际公司 LDAP-based multi-tenant in-cloud identity management system
CN105323282A (en) * 2014-07-28 2016-02-10 神州数码信息系统有限公司 Enterprise application deployment and management system for multiple tenants
CN106127368A (en) * 2016-06-14 2016-11-16 成都镜杰科技有限责任公司 Data storage method for ERP system
CN107111696A (en) * 2014-12-19 2017-08-29 微软技术许可有限责任公司 Security and authority framework in multi-tenant computing system
US20170331812A1 (en) * 2016-05-11 2017-11-16 Oracle International Corporation Microservices based multi-tenant identity and data security management cloud service
CN107995197A (en) * 2017-12-04 2018-05-04 中国电子科技集团公司第三十研究所 A kind of method for realizing across management domain identity and authority information is shared
CN108337260A (en) * 2016-05-11 2018-07-27 甲骨文国际公司 Multi-tenant identity and data security management cloud service
US20180285146A1 (en) * 2017-03-31 2018-10-04 International Business Machines Corporation Workflow handling in a multi-tenant cloud environment
CN108885554A (en) * 2016-04-07 2018-11-23 国际商业机器公司 specific distributed computer system
CN109218100A (en) * 2018-09-21 2019-01-15 郑州云海信息技术有限公司 Distributed objects storage cluster and its request responding method, system and storage medium
CN109327422A (en) * 2017-08-01 2019-02-12 中国移动通信集团浙江有限公司 A multi-tenant tenant isolation method and device
CN109656879A (en) * 2018-12-13 2019-04-19 深圳前海微众银行股份有限公司 Big data method for managing resource, device, equipment and storage medium

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104769908A (en) * 2012-09-07 2015-07-08 Oracle International Corporation LDAP-based multi-tenant in-cloud identity management system
CN103532981A (en) * 2013-10-31 2014-01-22 Institute of Information Engineering, Chinese Academy of Sciences Identity escrow and authentication cloud resource access control system and method for multiple tenants
CN104123616A (en) * 2014-07-25 2014-10-29 Nanjing University of Posts and Telecommunications Cloud computing system towards multiple tenants
CN105323282A (en) * 2014-07-28 2016-02-10 Digital China Information Systems Co., Ltd. Enterprise application deployment and management system for multiple tenants
CN107111696A (en) * 2014-12-19 2017-08-29 Microsoft Technology Licensing, LLC Security and authority framework in multi-tenant computing system
CN108885554A (en) * 2016-04-07 2018-11-23 International Business Machines Corporation Specific distributed computer system
US20170331812A1 (en) * 2016-05-11 2017-11-16 Oracle International Corporation Microservices based multi-tenant identity and data security management cloud service
CN108337260A (en) * 2016-05-11 2018-07-27 Oracle International Corporation Multi-tenant identity and data security management cloud service
CN106127368A (en) * 2016-06-14 2016-11-16 Chengdu Jingjie Technology Co., Ltd. Data storage method for ERP system
US20180285146A1 (en) * 2017-03-31 2018-10-04 International Business Machines Corporation Workflow handling in a multi-tenant cloud environment
CN109327422A (en) * 2017-08-01 2019-02-12 China Mobile Group Zhejiang Co., Ltd. Multi-tenant tenant isolation method and device
CN107995197A (en) * 2017-12-04 2018-05-04 The 30th Research Institute of China Electronics Technology Group Corporation Method for sharing identity and authority information across management domains
CN109218100A (en) * 2018-09-21 2019-01-15 Zhengzhou Yunhai Information Technology Co., Ltd. Distributed object storage cluster and request response method, system and storage medium thereof
CN109656879A (en) * 2018-12-13 2019-04-19 Shenzhen Qianhai WeBank Co., Ltd. Big data resource management method, apparatus, device and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
ZUO QIONG et al.: "Autonomous Decentralized Authorization and Authentication Management for Hierarchical Multi-Tenancy", APR 2016, 23 September 2016 (2016-09-23), pages 786 - 793, XP093041889, DOI: 10.1587/transcom.2015ADI0002 *
WANG Feng; ZHANG; ZHANG Tong; MA Weigang: "Research on the application of a multi-tenant water conservancy system based on Eucalyptus", Computer Systems & Applications, no. 09, 15 September 2018 (2018-09-15), pages 107 - 111 *
XIAO Jian et al.: "Lightweight implementation of multi-tenant systems and its application in a large-scale instrument and equipment sharing platform", Experimental Technology and Management, vol. 35, no. 5, 31 May 2018 (2018-05-31), pages 146 - 150 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112698914A (en) * 2020-12-30 2021-04-23 Beijing Institute of Technology Workflow task container generation system and method
CN112698914B (en) * 2020-12-30 2022-12-27 Beijing Institute of Technology Workflow task container generation system and method

Also Published As

Publication number Publication date
CN112015524B (en) 2024-11-29

Similar Documents

Publication Publication Date Title
WO2020238751A1 (en) Resource access method under serverless architecture, device, system, and storage medium
US10848520B2 (en) Managing access to resources
US9436813B2 (en) Multi-tenancy support for a product that does not support multi-tenancy
US10104053B2 (en) System and method for providing annotated service blueprints in an intelligent workload management system
US20180316676A1 (en) Dynamic computing resource access authorization
US9866547B2 (en) Controlling a discovery component, within a virtual environment, that sends authenticated data to a discovery engine outside the virtual environment
US11102196B2 (en) Authenticating API service invocations
US20150113528A1 (en) Virtual desktop service apparatus and method
US9998474B2 (en) Secure assertion attribute for a federated log in
CN108701175B (en) Associating user accounts with enterprise workspaces
US20120089666A1 (en) Virtual workplace environments
CN108293045A (en) Single sign-on identity management between local and remote systems
US10542048B2 (en) Security compliance framework usage
US20200052882A1 (en) Secure environment device management
CN108551438A (en) Single sign-on between different servers using X.509 authentication
CN112015524A (en) Workflow deployment method, device, system and storage medium
KR101495562B1 (en) Method And Apparatus for Providing Data Analysis Service
CN116755842B (en) Identity verification system deployment method, device, equipment and storage medium
US20180349634A1 (en) System and Method to Remotely Provision Out-of-Band Systems
US20240356854A1 (en) Access control for restricted entities
US20250028833A1 (en) Electronic device management using a device management system
CN119271346A (en) Kerberos application deployment method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant