
CN113742711B - Method and device for container access - Google Patents


Info

Publication number
CN113742711B
CN113742711B (application CN202011126234.2A; published as CN113742711A)
Authority
CN
China
Prior art keywords
container
user
address
access
authorized
Legal status (as listed by Google Patents; not a legal conclusion)
Active
Application number
CN202011126234.2A
Other languages
Chinese (zh)
Other versions
CN113742711A (en)
Inventor
梁晓雷
樊建刚
Current Assignee (as listed by Google Patents; not a legal conclusion)
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Wodong Tianjun Information Technology Co Ltd
Priority to CN202011126234.2A
Publication of CN113742711A
Application granted
Publication of CN113742711B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/45 Structures or tools for the administration of authentication
    • G06F 21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/60 Software deployment
    • G06F 8/61 Installation
    • G06F 8/63 Image based installation; Cloning; Build to order
    • G06F 8/65 Updates


Abstract

The present invention discloses a method and device for container access, and relates to the field of computer technology. A specific implementation of the method includes: receiving a container access request from a user and returning a list of authorized container addresses; checking the user's operation authority for a first container address selected by the user; if the check fails, deleting the first container address from the authorized list and returning the updated list to the user so that the user can select again, until the user's operation authority for a selected second container address passes the check; and accessing the second container according to the second container address. This implementation solves the authorization and usage problems that arise when a container's address drifts or stays unchanged after its image or configuration is updated and its running environment returns to its initial state, avoids the risks of leaking or pre-creating super users, and improves security and convenience.

Description

Method and device for accessing a container
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for accessing a container.
Background
Bastion host systems play a large role in system testing, development and operation, and are mainly used to let users run commands and instruction operations on the machines where a business service is deployed. Deploying services in containers is lighter and uses resources more efficiently than deploying on physical or virtual machines. The common way for a bastion host to register a user today is to pre-create a super account in the physical machine, virtual machine or container, and then use that super account to inject the designated account when a user needs to be authorized.
In the course of implementing the present invention, the inventors found at least the following problems in the prior art:
In a scenario where a business service is deployed in containers, a container is restarted after its image is replaced or its configuration is updated, its address changes, and the original address drifts. At that point the original container address can still be used to log in as administrator and run commands, which is a serious security risk. In addition, pre-creating super users and their rights in physical machines, virtual machines or containers can cause security problems if the super users' passwords or keys are disclosed.
Disclosure of Invention
In view of this, the embodiments of the present invention provide a method and an apparatus for accessing a container which solve the authorization and usage problems of a bastion system when, in a container deployment scenario, the running state of a container returns to its initial state after an image or configuration update and the container address either drifts or stays unchanged.
To achieve the above object, according to one aspect of an embodiment of the present invention, there is provided a method of accessing a container.
A method for accessing a container comprises: receiving a container access request sent by a user and returning a list of authorized container addresses; checking the user's operation authority for a first container address selected by the user; if the check fails, deleting the first container address from the authorized container address list and returning the updated list to the user so that the user can select again, until the user's operation authority for a selected second container address passes the check; and accessing a second container according to the second container address.
Optionally, the method performs user operation authorization for a container as follows: receiving a container operation authorization request sent by the user, the request comprising user information and the container address information for which authorization is requested; checking, according to the user information and the container address information, whether the user has operation authority for the container; if so, generating a key pair and injecting the public key of the key pair into the container; and returning the login mode and a token to the user to complete the operation authorization.
Optionally, the container access request includes the user's token, and the method further comprises, before returning the list of authorized container addresses, authenticating the user according to the token.
Optionally, accessing the second container according to the second container address includes: logging in to the second container, according to the second container address, with the private key of the key pair generated when the user was authorized to operate the container; if the login fails, regenerating the key pair, injecting the public key of the regenerated key pair into the second container, and logging in to the second container with the private key of the regenerated key pair.
According to another aspect of an embodiment of the present invention, there is provided an apparatus for container access.
An apparatus for container access comprises: an access request module for receiving a container access request sent by a user and returning a list of authorized container addresses; a permission verification module for checking the user's operation authority for a first container address selected by the user; a container selection module for deleting the first container address from the authorized container address list if the check fails and returning the updated list to the user so that the user can select again, until the user's operation authority for a selected second container address passes the check; and a container access module for accessing the second container according to the second container address.
Optionally, the apparatus performs user operation authorization for a container as follows: receiving a container operation authorization request sent by the user, the request comprising user information and the container address information for which authorization is requested; checking, according to the user information and the container address information, whether the user has operation authority for the container; if so, generating a key pair and injecting the public key of the key pair into the container; and returning the login mode and a token to the user to complete the authorization.
Optionally, the container access request includes the user's token, and the apparatus further comprises a token check module for authenticating the user according to the token before the list of authorized container addresses is returned.
Optionally, the container access module is further configured to: log in to the second container, according to the second container address, with the private key of the key pair generated when the user was authorized to operate the container; and, if the login fails, regenerate the key pair, inject the public key of the regenerated key pair into the second container, and log in to the second container with the private key of the regenerated key pair.
According to yet another aspect of an embodiment of the present invention, an electronic device for container access is provided.
An electronic device for container access, comprising: one or more processors; and the storage device is used for storing one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors are enabled to realize the method for accessing the container provided by the embodiment of the invention.
According to yet another aspect of an embodiment of the present invention, a computer-readable medium is provided.
A computer readable medium having stored thereon a computer program which when executed by a processor implements a method of container access provided by an embodiment of the invention.
One embodiment of the above invention has the following advantages or beneficial effects. By receiving a container access request sent by a user and returning a list of authorized container addresses; checking the user's operation authority for the first container address the user selects; if the check fails, deleting that address from the list and returning the updated list so the user can select again until the operation authority for a selected second container address passes; and accessing the second container according to the second container address, the authorization and usage problems of a bastion system are solved for the container deployment scenario in which the container's running environment returns to its initial state after an image or configuration update and the container address drifts or stays unchanged. The container can be accessed securely and a series of operations performed after the image or configuration update, security is improved, and the risks of password leakage and pre-created super users are avoided.
Further effects of the above non-conventional alternatives are described below in connection with the specific embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main steps of a container access method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a process for performing a user-to-container authorization application in accordance with one embodiment of the present invention;
FIG. 3 is a schematic architecture diagram of a container access method according to an embodiment of the present invention;
FIG. 4 is a detailed flow diagram of a container access method according to one embodiment of the invention;
FIG. 5 is a schematic diagram of the major modules of a container access device according to an embodiment of the present invention;
FIG. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;
Fig. 7 is a schematic diagram of a computer system suitable for use in implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The bastion host system, also known as the jump server system, plays a tremendous role in system testing, development, and operation and maintenance. It mainly lets users run commands and instruction operations on the machines where a business service is deployed, and mainly covers recording and auditing of user operations, stopping security losses, and discovering and blocking prohibited operations. Compared with deploying services on physical and virtual machines, deploying services in containers is lighter and uses resources more efficiently, and together with images achieves "build once, run anywhere"; these unique advantages have led to the rapid adoption of container technology.
Deploying a service in containers raises two problems. First, after a container's image is replaced or its configuration is updated it is restarted, its address changes and the original container address drifts. Users are authorized by container address, and the container address is the only key that characterizes the user's rights and account. Before the restart the authorization succeeded, meaning the user had the right to log in to the container address as administrator and run commands. After the restart the container's current address has changed and its original address has drifted, yet the user finds that the original address can still be logged into as administrator to run commands, because the mapping is still recorded in the bastion system and the user's operation authority can still be injected at the drifted address. Second, pre-creating super users and their rights in physical machines, virtual machines or containers carries the serious security problem that the super user's password or key may be disclosed.
To solve these problems in the prior art, the invention provides a method and a device for accessing a container. An authorization interface is added, the authorized key pair is generated randomly and salted, so the risks of leakage and pre-created super users are avoided; when a user logs in to access a container, the user's operation on the container is checked for authority, confirming whether the user has operation authority for that container; when the container restarts, if its address is unchanged the user and container are re-authorized automatically, and if the address has changed the user must re-apply for operation rights to the new container address.
Fig. 1 is a schematic diagram of the main steps of a container access method according to an embodiment of the present invention. As shown in fig. 1, the method for accessing a container according to the embodiment of the present invention mainly includes the following steps S101 to S104.
Step S101: receiving a container access request sent by a user, and returning an authorized container address list;
Step S102: checking the operation authority of the user on the first container address according to the first container address selected by the user;
Step S103: if the verification is not passed, deleting the first container address from the authorized container address list, and returning the deleted authorized container address list to the user so as to enable the user to select again until the operation authority of the user on the selected second container address passes the verification;
Step S104: the second container is accessed according to the second container address.
Through steps S101 to S104, whenever a user needs to access a container the user's operation authority for that container is checked; if the container address is unchanged the user and container address are re-authorized automatically, and if the container address has changed the user must re-apply for operation rights to the new address. When the container address drifts after an image or configuration update, the user is thereby prevented from logging in at the previous container address. This solves the authorization and usage problems of a bastion system in the container deployment scenario where the running environment returns to its initial state after an image or configuration update and the address drifts or stays unchanged, allows the container to be accessed securely and a series of operations to be run after the update, avoids the risks of password leakage and pre-created super users, and improves security.
According to one embodiment of the invention, user operation authorization for a container is performed as follows: receiving a container operation authorization request sent by the user, the request comprising user information and the container address information for which authorization is requested; checking, according to the user information and the container address information, whether the user has operation authority for the container; if so, generating a key pair and injecting the public key of the key pair into the container; and returning the login mode and a token to the user to complete the authorization.
According to another embodiment of the invention, the container access request further comprises the user's token, and the method further comprises, before returning the list of authorized container addresses, authenticating the user according to the token.
According to yet another embodiment of the present invention, accessing the second container according to the second container address further comprises logging in to the second container with the private key of the key pair according to the second container address; if the login fails, the key pair is regenerated, the public key of the regenerated key pair is injected into the second container, and the private key of the regenerated key pair is used to log in to the second container.
FIG. 2 is a schematic flow chart of the process by which a user applies for authorization to operate a container, in accordance with one embodiment of the present invention. According to the technical scheme of the invention, the processing flow shown in Fig. 2 mainly comprises the following steps:
1. The user information and the IP information of the container the user wants to operate are packaged into a request, and the authorization request is sent to the bastion host;
2. The bastion host checks the IP information against the user information and confirms that the user has operation authority for that IP;
3. The bastion host dynamically generates a key pair for the container, injects the public key of the pair into the container, and records the correspondence between the user information, the IP information and the encrypted key pair;
4. The login mode and the token for the user's access to the container are returned, completing the operation authorization.
FIG. 3 is a schematic architecture diagram of a container access method according to an embodiment of the present invention. It shows the system architecture in which a user accesses a target container through a bastion system. According to the technical scheme of the invention, the container access process mainly comprises the following steps:
1. When a user requests access to a target container, the operation instruction for the target container and the user's token are packaged into a container access request and sent to the bastion system for permission verification;
2. The bastion host checks the user's token and, after the check passes, returns the address list (IP list) of the containers the user has been authorized for, so the user can select one. When the bastion host authorized the user it stored the correspondence between the user information and the IP information of the authorized containers, so the user's authorized IP list can be obtained from that correspondence;
3. The user selects the IP of the designated container and the operation to perform, such as a security loss-stopping operation or another operation;
4. The bastion host checks the user's operation rights for the selected IP. If the container's IP has drifted, the bastion host no longer has operation authority for that IP, so it deletes the IP selected by the user from the authorized IP list and returns the updated list to the user;
5. If the container's IP has not changed, i.e. the container has not drifted, the IP information corresponding to the container's IP (for example which application, service group and department the IP belongs to), the user information (for example whether the user has authority over the application deployed in the container and which department the user belongs to) and the public key are retrieved from the information stored in the bastion system, and the public key is injected into the container. The container is then accessed and operated with the private key according to the container access request sent by the user, and the result of the user's operation is returned.
Fig. 4 is a detailed flow diagram of a container access method according to one embodiment of the invention. As shown in Fig. 4, in an embodiment of the present invention the main flow of the container access method is:
1. The user initiates a login request to the bastion system with a token;
2. The bastion host checks the token, obtains the user's information including the IP list authorized to the user, and returns the list;
3. The user selects the IP of the container to access and initiates an operation request;
4. The bastion host receives the operation request for the designated IP and verifies the user's operation authority for that IP against the user information and the IP information. If the user does not have operation authority for the IP, the user is informed that the container has been reinitialized and updated and its IP has drifted; the IP is deleted from the authorized list and the list is returned for the user to select again. If the user does have operation authority for the IP, the bastion host attempts to log in to the IP and execute the operation;
5. If the bastion host fails to log in to the IP with the private key, the container has been reinitialized and restarted without its IP drifting, i.e. the original IP was kept, and the bastion host performs a secondary key injection for that IP. Secondary key injection means that the bastion system regenerates the key pair, encrypts and stores the public and private keys in its database, and injects the public key into the container corresponding to the IP;
6. Once the bastion system has verified the operation authority of the user for the IP, it enters the container, executes the operation requested by the user, and finally returns the execution result.
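The authorization flow of Fig. 2 and the access flows of Figs. 3 and 4 together, as an added Python model; this is illustration written for this page, not the patent's or the assignees' code. The key pair is a hash-based stand-in for SSH public-key authentication (private key = random secret, public key = its SHA-256, a container accepts a login whose secret hashes to an injected key); the IP addresses, application names, user names and the `Container` and `Bastion` classes are constructed assumptions. It shows the two failure modes the patent separates: the stale grant is revoked when the IP no longer hosts the application it was authorized for (address drift), and a login failure at an unchanged IP triggers secondary key injection instead of a failed session.

```python
"""Toy model of the bastion-host flows in Figs. 2-4 (added illustration,
not the patent's code). 'Key pair' is a stand-in for SSH public-key auth:
private key = random secret, public key = its SHA-256, and a container
accepts a login when the hash of the presented secret is in its set."""
import hashlib
import secrets


def derive_pub(priv: str) -> str:
    """Stand-in for deriving the public half of a key pair."""
    return hashlib.sha256(priv.encode()).hexdigest()


class Container:
    """A running container: its IP, the application it hosts, and the
    public keys that have been injected into it (constructed model)."""

    def __init__(self, ip: str, app: str):
        self.ip, self.app = ip, app
        self.authorized_keys: set = set()

    def login(self, priv: str) -> bool:
        return derive_pub(priv) in self.authorized_keys

    def reinitialize(self) -> None:
        # Image/config update with the same IP: the filesystem is back to
        # its initial state, so every injected key is gone.
        self.authorized_keys.clear()


class Bastion:
    def __init__(self, network: dict, entitlements: dict):
        self.network = network            # ip -> Container (current inventory)
        self.entitlements = entitlements  # user -> set of apps the user may operate
        self.tokens: dict = {}            # token -> user
        self.grants: dict = {}            # (user, ip) -> (app, priv); encrypt priv at rest in practice
        self.events: list = []

    def _inject(self, c: Container) -> str:
        priv = secrets.token_hex(32)
        c.authorized_keys.add(derive_pub(priv))
        return priv

    def authorize(self, user: str, ip: str) -> dict:
        """Fig. 2: check entitlement, generate and inject a key pair,
        record (user, ip) -> key, return login mode and token."""
        c = self.network.get(ip)
        if c is None or c.app not in self.entitlements.get(user, set()):
            raise PermissionError(f"{user} has no operation authority for {ip}")
        self.grants[(user, ip)] = (c.app, self._inject(c))
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user
        return {"login": "ssh-key", "token": token}

    def authorized_ips(self, token: str) -> list:
        """Fig. 4 step 2: token check, then the user's authorized IP list."""
        user = self.tokens[token]  # KeyError for an unknown token
        return sorted(ip for (u, ip) in self.grants if u == user)

    def _still_authorized(self, user: str, ip: str) -> bool:
        # Re-derive authority from the current inventory instead of trusting
        # the stored mapping: the IP must still host the app the grant was
        # issued for, and the user must still be entitled to that app.
        app, _ = self.grants[(user, ip)]
        c = self.network.get(ip)
        return c is not None and c.app == app and app in self.entitlements.get(user, set())

    def access(self, token: str, ip: str, command: str) -> dict:
        """Fig. 4 steps 3-6."""
        user = self.tokens[token]
        if (user, ip) not in self.grants or not self._still_authorized(user, ip):
            # Address drifted: revoke the stale grant and re-list for reselection.
            self.grants.pop((user, ip), None)
            return {"ok": False, "reason": "drifted", "choose_from": self.authorized_ips(token)}
        c = self.network[ip]
        app, priv = self.grants[(user, ip)]
        if not c.login(priv):
            # Same IP, container re-initialised: secondary key injection.
            priv = self._inject(c)
            self.grants[(user, ip)] = (app, priv)
            self.events.append(("reinjected", user, ip))
        return {"ok": True, "result": f"ran {command!r} on {ip} ({c.app})"}


def demo() -> tuple:
    """Constructed scenario: one user, two containers, both failure modes."""
    net = {"10.0.0.5": Container("10.0.0.5", "orders"),
           "10.0.0.9": Container("10.0.0.9", "billing")}
    b = Bastion(net, {"alice": {"orders"}})
    try:
        b.authorize("bob", "10.0.0.9")      # bob is entitled to nothing
        refused = False
    except PermissionError:
        refused = True
    tok = b.authorize("alice", "10.0.0.5")["token"]
    first = b.access(tok, "10.0.0.5", "ls")
    net["10.0.0.5"].reinitialize()                       # same IP, keys wiped
    second = b.access(tok, "10.0.0.5", "ls")
    net["10.0.0.5"] = Container("10.0.0.5", "billing")   # orders moved; IP reused
    third = b.access(tok, "10.0.0.5", "ls")
    return first, second, third, list(b.events), refused


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The design point is in `_still_authorized`: the stored `(user, ip)` mapping is treated as a hint, not as proof, and authority is recomputed from what currently answers at the IP. That is what closes the hole described in the background section, where the bastion kept honouring a mapping after the address had moved to something else.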
Fig. 5 is a schematic diagram of the main modules of a container access device according to an embodiment of the invention. As shown in Fig. 5, a container access device 500 according to an embodiment of the present invention mainly includes an access request module 501, a permission verification module 502, a container selection module 503 and a container access module 504.
An access request module 501, configured to receive a container access request sent by a user, and return an authorized container address list;
the permission verification module 502 is configured to verify, according to a first container address selected by a user, an operation permission of the user to the first container address;
A container selection module 503, configured to delete the first container address from the authorized container address list if the verification is not passed, and return the deleted authorized container address list to the user, so that the user performs reselection until the user passes the verification of the operation authority of the selected second container address;
The container access module 504 is configured to access the second container according to the second container address.
According to one embodiment of the invention, the apparatus performs user operation authorization for a container as follows: receiving a container operation authorization request sent by the user, the request comprising user information and the container address information for which authorization is requested; checking, according to the user information and the container address information, whether the user has operation authority for the container; if so, generating a key pair and injecting the public key of the key pair into the container; and returning the login mode and a token to the user to complete the authorization.
According to another embodiment of the invention, the container access request comprises the user's token, and the apparatus further comprises a token check module (not shown in the figure) for authenticating the user according to the token before the list of authorized container addresses is returned.
According to yet another embodiment of the present invention, the container access module 504 may also be configured to: log in to the second container, according to the second container address, with the private key of the key pair generated when the user was authorized to operate the container; and, if the login fails, regenerate the key pair, inject the public key of the regenerated key pair into the second container, and log in to the second container with the private key of the regenerated key pair.
According to the technical scheme of the embodiment of the invention, by receiving a container access request sent by a user and returning a list of authorized container addresses; checking the user's operation authority for the first container address selected by the user; if the check fails, deleting the first container address from the list and returning the updated list so that the user can select again until the operation authority for a selected second container address passes; and accessing the second container according to the second container address, the authorization and usage problems of a bastion system are solved for the container deployment scenario in which the container's running environment returns to its initial state after an image or configuration update and the container address drifts or stays unchanged. After the image or configuration update the container can be accessed securely and a series of operations executed, security is improved, and the risks of password leakage and pre-created super users are avoided.
Fig. 6 illustrates an exemplary system architecture 600 of a container access method or container access device to which embodiments of the present invention may be applied.
As shown in fig. 6, the system architecture 600 may include terminal devices 601, 602, 603, a network 604, and a server 605. The network 604 is used as a medium to provide communication links between the terminal devices 601, 602, 603 and the server 605. The network 604 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 605 via the network 604 using the terminal devices 601, 602, 603 to receive or send messages, etc. Various client applications, such as a container management tool, an operation and maintenance class application, a test class application, a right setting tool, a software development class application, etc., may be installed on the terminal devices 601, 602, 603.
The terminal devices 601, 602, 603 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 605 may be a server providing various services, such as a background management server that performs authority determination for the users of the terminal devices 601, 602, 603. The background management server can analyze and otherwise process received data such as container address access requests, and feed the processing result back to the terminal devices.
It should be noted that, the method for accessing a container provided by the embodiment of the present invention is generally performed by the server 605, and accordingly, the device for accessing a container is generally disposed in the server 605.
It should be understood that the number of terminal devices, networks and servers in fig. 6 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 7, there is illustrated a schematic diagram of a computer system 700 suitable for use in implementing a terminal device or server in accordance with an embodiment of the present invention. The terminal device or server shown in fig. 7 is only an example, and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU) 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data required for the operation of the system 700 are also stored. The CPU 701, ROM 702, and RAM 703 are connected to each other through a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
The following components are connected to the I/O interface 705: an input section 706 including a keyboard, a mouse, and the like; an output portion 707 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 708 including a hard disk or the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. The drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read therefrom is mounted into the storage section 708 as necessary.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 701.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units or modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described units or modules may also be provided in a processor, for example, as: a processor includes an access request module, a rights verification module, a container selection module, and a container access module. Where the names of the units or modules do not in some way constitute a limitation of the unit or module itself, for example, the access request module may also be described as "a module for receiving a container access request from a user and returning a list of authorized container addresses".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist alone without being fitted into the apparatus. The computer-readable medium carries one or more programs which, when executed by a device, cause the device to: receive a container access request sent by a user and return a list of authorized container addresses; verify the user's operation authority on a first container address selected by the user; if the verification fails, delete the first container address from the authorized container address list and return the updated list to the user so that the user selects again, until the user's operation authority on a selected second container address passes verification; and access the second container according to the second container address.
According to the technical scheme of the embodiment of the invention, the method comprises: receiving a container access request sent by a user and returning a list of authorized container addresses; verifying the user's operation authority on a first container address selected by the user; if the verification fails, deleting the first container address from the authorized container address list and returning the updated list to the user so that the user selects again, until the user's operation authority on a selected second container address passes verification; and accessing the second container according to the second container address. This solves the authorization and usage problems that arise when the container's running environment returns to its initial state after an image or configuration update, avoids the risks of credential leakage and of pre-provisioning a superuser account in advance, and improves both security and convenience.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (6)

1. A method for accessing a container, comprising:
receiving a container access request sent by a user and returning a list of authorized container addresses;
verifying, according to a first container address selected by the user, the user's operation authority on the first container address;
if the verification fails, deleting the first container address from the authorized container address list and returning the updated authorized container address list to the user so that the user selects again, until the user's operation authority on a selected second container address passes verification;
accessing the second container according to the second container address;
wherein the user's operation authorization for the container is performed as follows: receiving a container operation authorization request sent by the user, the request including user information and the container address information for which authorization is requested; verifying, according to the user information and the container address information, whether the user has operation authority on the container; if so, generating a key pair and injecting the public key of the key pair into the container; and returning the login method and a token to the user to complete the operation authorization;
and wherein accessing the second container according to the second container address comprises: logging in to the second container, according to the second container address, using the private key of the key pair, the key pair having been generated when the user's operation authorization for the container was performed; and, if the login fails, regenerating the key pair, injecting the public key of the regenerated key pair into the second container, and logging in to the second container using the private key of the regenerated key pair to access the second container.

2. The method according to claim 1, wherein the container access request includes the user's token, and the method further comprises, before returning the authorized container address list:
verifying the user's identity according to the token.

3. A container access device, comprising:
an access request module, configured to receive a container access request sent by a user and return a list of authorized container addresses;
an authority verification module, configured to verify, according to a first container address selected by the user, the user's operation authority on the first container address;
a container selection module, configured to, if the verification fails, delete the first container address from the authorized container address list and return the updated authorized container address list to the user so that the user selects again, until the user's operation authority on a selected second container address passes verification;
a container access module, configured to access the second container according to the second container address;
wherein the user's operation authorization for the container is performed as follows: receiving a container operation authorization request sent by the user, the request including user information and the container address information for which authorization is requested; verifying, according to the user information and the container address information, whether the user has operation authority on the container; if so, generating a key pair and injecting the public key of the key pair into the container; and returning the login method and a token to the user to complete the authorization;
and wherein the container access module is further configured to: log in to the second container, according to the second container address, using the private key of the key pair, the key pair having been generated when the user's operation authorization for the container was performed; and, if the login fails, regenerate the key pair, inject the public key of the regenerated key pair into the second container, and log in to the second container using the private key of the regenerated key pair to access the second container.

4. The device according to claim 3, wherein the container access request includes the user's token, and the device further comprises a token verification module configured to:
verify the user's identity according to the token before returning the authorized container address list.

5. An electronic device for container access, comprising:
one or more processors;
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method according to any one of claims 1 to 2.

6. A computer-readable medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the method according to any one of claims 1 to 2.
CN202011126234.2A 2020-10-20 2020-10-20 Method and device for container access Active CN113742711B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011126234.2A CN113742711B (en) 2020-10-20 2020-10-20 Method and device for container access

Publications (2)

Publication Number Publication Date
CN113742711A (en) 2021-12-03
CN113742711B (en) 2024-10-18

Family

ID=78728038

Country Status (1)

Country Link
CN (1) CN113742711B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1384642A (en) * 2001-04-29 2002-12-11 华为技术有限公司 Method of adding subscriber's security confirmation to simple network management protocol
CN111490981A (en) * 2020-04-01 2020-08-04 广州虎牙科技有限公司 Access management method and device, bastion machine and readable storage medium

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771677B (en) * 2008-12-31 2013-08-07 华为技术有限公司 Method for providing resource for access user, server and system thereof
SG11201403482TA (en) * 2011-12-21 2014-07-30 Ssh Comm Security Oyj Automated access, key, certificate, and credential management
CN106851699B (en) * 2015-12-04 2020-11-03 展讯通信(上海)有限公司 Method and system for maintaining alternative cell list and mobile terminal
US10225084B1 (en) * 2015-12-29 2019-03-05 EMC IP Holding Company LLC Method, apparatus and computer program product for securely sharing a content item
CN106657068A (en) * 2016-12-23 2017-05-10 腾讯科技(深圳)有限公司 Login authorization method and device, login method and device
CN107239688B (en) * 2017-06-30 2019-07-23 平安科技(深圳)有限公司 The purview certification method and system in Docker mirror image warehouse
CN107948203B (en) * 2017-12-29 2019-09-13 平安科技(深圳)有限公司 A kind of container login method, application server, system and storage medium
CN108810006B (en) * 2018-06-25 2021-08-10 百度在线网络技术(北京)有限公司 Resource access method, device, equipment and storage medium
CN109150910A (en) * 2018-10-11 2019-01-04 平安科技(深圳)有限公司 Log in token generation and verification method, device and storage medium
CN109600366A (en) * 2018-12-06 2019-04-09 中链科技有限公司 The method and device of protection user data privacy based on block chain
CN111784887A (en) * 2019-11-29 2020-10-16 北京沃东天骏信息技术有限公司 A method, device and system for authorization and release of user access

Also Published As

Publication number Publication date
CN113742711A (en) 2021-12-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant