
CN114615008B - A black and white list control method and device for a mass storage distributed system - Google Patents


Info

Publication number: CN114615008B
Application number: CN202210043473.4A
Authority: CN (China)
Prior art keywords: cluster, blacklist, white list, load balancing, web
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN114615008A (en)
Inventor: 吴昊
Current Assignee: Suzhou Metabrain Intelligent Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Suzhou Inspur Intelligent Technology Co Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Events
    • Application filed by Suzhou Inspur Intelligent Technology Co Ltd
    • Priority to CN202210043473.4A
    • Publication of CN114615008A
    • Application granted
    • Publication of CN114615008B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
              • H04L63/101 Access control lists [ACL]
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
            • H04L63/16 Implementing security features at a particular protocol layer
              • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
              • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
                  • H04L67/1004 Server selection for load balancing
                • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
        • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
          • Y02D30/00 Reducing energy consumption in communication networks
            • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of access permission control for mass storage distributed systems, and specifically discloses a black and white list control method and device for a mass storage distributed system. The cluster environment is configured, the cluster Web and SSH connections are established, and the cluster CTDB high-availability state and load-balancing state are enabled; a user and a bucket are created in the cluster, and the bucket's access control list is set to public-read or higher; a web page file is created and uploaded to the bucket, static website hosting is enabled for the bucket, and all access to the website is opened; a host blacklist and whitelist are configured for the web page in the bucket, and the blacklist and whitelist are saved to a database. The invention can restrict access for hosts from particular sources and permit access for hosts from particular sources, supports control with different numbers and combinations of policies as required, improves the robustness, ease of use and richness of functions of the system, and improves the competitiveness of the mass storage automation platform.

Description

A black and white list control method and device for a mass storage distributed system

Technical field

The invention relates to the field of access permission control for mass storage distributed systems, and in particular to a black and white list control method and device for a mass storage distributed system.

Background

Automated operation of mass storage is widely used in IT enterprises, cloud computing, big data, virtualization and other fields. At the same time, these fields place ever higher security requirements on client access to hosted websites. A platform that can only let clients access a hosted website, with no access control for restricting or permitting access, no longer satisfies users: it must also be able to restrict access for hosts from particular sources, permit access for hosts from particular sources, and support control with different numbers and combinations of policies as required. Because the current automation platform of the mass storage distributed system cannot support access control for restricting and permitting access, the robustness, ease of use and richness of functions of the system suffer, and the competitiveness of the mass storage automation platform is seriously affected.

Summary of the invention

To solve the above problems, the present invention provides a black and white list control method and device for a mass storage distributed system, which can restrict and permit access for hosts and control different numbers and combinations of policies as required, improving the robustness, ease of use and richness of functions of the system.

In a first aspect, the technical solution of the present invention provides a black and white list control method for a mass storage distributed system, comprising the following steps:

configuring the cluster environment, establishing the cluster Web and SSH connections, and enabling the cluster CTDB high-availability state and load-balancing state;

creating a user and a bucket in the cluster, and setting the bucket's access control list to public-read or higher;

creating a web page file and uploading it to the bucket, enabling static website hosting for the bucket, and opening all access to the website;

configuring a host blacklist and whitelist for the web page in the bucket, and saving the blacklist and whitelist to a database.

Further, the method also includes the following steps:

obtaining the blacklist from the database and adding it to the anti-leeching policy for blacklist verification;

wherein adding the blacklist to the anti-leeching policy for blacklist verification specifically includes:

simulating a connection from each host in the blacklist to the cluster Web, and verifying the connection;

if any host connects normally to the cluster Web, the blacklist is abnormal and the program reports an error; otherwise the blacklist is normal and the next step is executed;

checking whether each host in the blacklist can access the web page on the cluster Web;

if none of them can access it, the blacklist is normal and takes effect; otherwise the blacklist is abnormal and the program reports an error.

Further, the method also includes the following steps:

obtaining the whitelist from the database and adding it to the anti-leeching policy for whitelist verification;

wherein adding the whitelist to the anti-leeching policy for whitelist verification specifically includes:

simulating a connection from each host in the whitelist to the cluster Web, and verifying the connection;

if all hosts connect normally to the cluster Web, the whitelist is normal and the next step is executed; otherwise the whitelist is abnormal and the program reports an error;

checking whether each host in the whitelist can access the web page on the cluster Web;

if all of them can access it, the whitelist is normal and takes effect; otherwise the whitelist is abnormal and the program reports an error.

Further, the method also includes the following step:

if a host appears in both the blacklist and the whitelist, the blacklist verification is applied to that host and it is removed from the whitelist.

Further, configuring the cluster environment, establishing the cluster Web and SSH connections, and enabling the cluster CTDB high-availability state and load-balancing state specifically includes:

obtaining mass storage management software information and SSH information, where the mass storage management software information includes the management software address, login name and login password, and the SSH information includes the SSH login user name and login password;

according to the mass storage management software information and SSH information, logging in to the cluster Web side and establishing the cluster Web and SSH connections;

querying the cluster health state; if the cluster is healthy, executing the next step, otherwise reporting an error and exiting the program;

obtaining and checking the cluster CTDB high-availability state; if it is enabled, executing the next step, otherwise reporting an error, exiting the program and prompting that the cluster CTDB high-availability state must be configured and enabled;

obtaining and checking the cluster load-balancing state; if it is enabled, executing the next step, otherwise enabling cluster load balancing and then obtaining and checking the cluster load-balancing state again;

obtaining and checking the cluster load-balancing auto-start state; if it is enabled, executing the next step, otherwise enabling load-balancing auto-start and then obtaining and checking the load-balancing auto-start state again;

judging whether the number of currently configured load-balancing domain names exceeds a threshold; if so, reporting an error and exiting the program, otherwise executing the next step of creating a user and a bucket in the cluster.

In a second aspect, the technical solution of the present invention provides a black and white list control device for a mass storage distributed system, comprising:

a cluster environment configuration module, which configures the cluster environment, establishes the cluster Web and SSH connections, and enables the cluster CTDB high-availability state and load-balancing state;

a user creation module, which creates a user in the cluster;

a bucket creation module, which creates a bucket in the cluster;

a bucket permission configuration module, which sets the bucket's access control list to public-read or higher;

a static website configuration module, which creates a web page file, uploads it to the bucket, enables static website hosting for the bucket and opens all access to the website;

a black and white list configuration module, which configures a host blacklist and whitelist for the web page in the bucket and saves the blacklist and whitelist to a database.

Further, the device also includes:

a black and white list verification module, which obtains the blacklist from the database and adds it to the anti-leeching policy for blacklist verification;

wherein adding the blacklist to the anti-leeching policy for blacklist verification specifically includes:

simulating a connection from each host in the blacklist to the cluster Web, and verifying the connection;

if any host connects normally to the cluster Web, the blacklist is abnormal and the program reports an error; otherwise the blacklist is normal and the next step is executed;

checking whether each host in the blacklist can access the web page on the cluster Web;

if none of them can access it, the blacklist is normal and takes effect; otherwise the blacklist is abnormal and the program reports an error.

Further, the black and white list verification module is also used to obtain the whitelist from the database and add it to the anti-leeching policy for whitelist verification;

wherein adding the whitelist to the anti-leeching policy for whitelist verification specifically includes:

simulating a connection from each host in the whitelist to the cluster Web, and verifying the connection;

if all hosts connect normally to the cluster Web, the whitelist is normal and the next step is executed; otherwise the whitelist is abnormal and the program reports an error;

checking whether each host in the whitelist can access the web page on the cluster Web;

if all of them can access it, the whitelist is normal and takes effect; otherwise the whitelist is abnormal and the program reports an error.

Further, the black and white list verification module is also used, when a host appears in both the blacklist and the whitelist, to apply the blacklist verification to that host and remove it from the whitelist.
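The blacklist and whitelist verification described in the method steps above and again for the verification module, as an added example rather than code from the patent or from the Inspur platform. SiteProbe is a constructed stand-in for the cluster Web endpoint guarded by the anti-leeching policy (a real check would open the connection from each source host and request the hosted page), and the host addresses are constructed sample values. The example also applies the overlap rule: a host on both lists is kept on the blacklist and dropped from the whitelist before either list is verified.

```python
"""Verification of a host blacklist/whitelist against a static-website endpoint.

Added example; not code from the patent or from the Inspur platform.
SiteProbe is a constructed stand-in for the cluster Web endpoint guarded by
the anti-leeching policy; host addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


class ListVerificationError(Exception):
    """Observed endpoint behaviour contradicts the configured list."""


@dataclass
class SiteProbe:
    """Constructed endpoint: which source hosts are refused, and at which stage."""
    refuse_connect: Set[str] = field(default_factory=set)  # refused at connection
    refuse_page: Set[str] = field(default_factory=set)     # connects, but page denied

    def connect(self, host: str) -> bool:
        return host not in self.refuse_connect

    def fetch_page(self, host: str, path: str = "/index.html") -> bool:
        return self.connect(host) and host not in self.refuse_page


def resolve_overlap(blacklist: List[str], whitelist: List[str]) -> Tuple[List[str], List[str]]:
    """A host on both lists is treated as blacklisted and dropped from the whitelist."""
    black = sorted(set(blacklist))
    black_set = set(black)
    white = [h for h in dict.fromkeys(whitelist) if h not in black_set]
    return black, white


def verify_blacklist(probe: SiteProbe, blacklist: List[str]) -> bool:
    """Blacklist is normal only if no listed host connects and none can fetch the page."""
    connected = [h for h in blacklist if probe.connect(h)]
    if connected:
        raise ListVerificationError(f"blacklist abnormal: hosts still connect: {connected}")
    reachable = [h for h in blacklist if probe.fetch_page(h)]
    if reachable:
        raise ListVerificationError(f"blacklist abnormal: hosts still reach page: {reachable}")
    return True


def verify_whitelist(probe: SiteProbe, whitelist: List[str]) -> bool:
    """Whitelist is normal only if every listed host connects and fetches the page."""
    not_connected = [h for h in whitelist if not probe.connect(h)]
    if not_connected:
        raise ListVerificationError(f"whitelist abnormal: hosts cannot connect: {not_connected}")
    not_reachable = [h for h in whitelist if not probe.fetch_page(h)]
    if not_reachable:
        raise ListVerificationError(f"whitelist abnormal: hosts cannot reach page: {not_reachable}")
    return True


def apply_lists(probe: SiteProbe, blacklist: List[str], whitelist: List[str]) -> dict:
    """Resolve overlaps, verify both lists, and report which of them may take effect."""
    black, white = resolve_overlap(blacklist, whitelist)
    report = {"blacklist": black, "whitelist": white,
              "black_ok": False, "white_ok": False, "errors": []}
    for key, check, hosts in (("black_ok", verify_blacklist, black),
                              ("white_ok", verify_whitelist, white)):
        try:
            report[key] = check(probe, hosts)
        except ListVerificationError as exc:
            report["errors"].append(str(exc))  # the program "reports an error"
    return report


if __name__ == "__main__":
    # Constructed scenario: the endpoint refuses 10.0.0.5 but not 10.0.0.7,
    # so a blacklist that contains 10.0.0.7 must be rejected as abnormal.
    probe = SiteProbe(refuse_connect={"10.0.0.5"})
    print(apply_lists(probe, ["10.0.0.5", "10.0.0.7"], ["10.0.0.7", "10.0.0.8"]))
```

The two-stage check mirrors the text: a blacklist is accepted only when every listed host fails at the connection stage and at the page stage, while a whitelist is accepted only when every listed host passes both, so a list that the gateway does not actually enforce is never marked as in effect.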

Further, the cluster environment configuration module includes:

a cluster site configuration import module, which obtains mass storage management software information and SSH information, where the mass storage management software information includes the management software address, login name and login password, and the SSH information includes the SSH login user name and login password;

a cluster login module, which, according to the mass storage management software information and SSH information, logs in to the cluster Web side and establishes the cluster Web and SSH connections;

a CTDB admission module, which queries the cluster health state; if the cluster is unhealthy it reports an error and exits the program, otherwise it obtains and checks the cluster CTDB high-availability state; if that state is enabled it triggers execution of the load-balancing verification and configuration module, otherwise it reports an error, exits the program and prompts that the cluster CTDB high-availability state must be configured and enabled;

a load-balancing verification and configuration module, which obtains and checks the cluster load-balancing state; if that state is off, it enables cluster load balancing and then obtains and checks the load-balancing state again, otherwise it obtains and checks the cluster load-balancing auto-start state; if auto-start is off, it enables load-balancing auto-start and then obtains and checks the auto-start state again, otherwise it judges whether the number of currently configured load-balancing domain names exceeds the threshold; if so it reports an error and exits the program, otherwise it triggers execution of the user creation module.

Compared with the prior art, the black and white list control method and device for a mass storage distributed system provided by the present invention have the following beneficial effects: by configuring a blacklist and a whitelist for hosts, access can be restricted for hosts from particular sources and permitted for hosts from particular sources, different numbers and combinations of policies can be controlled as required, the robustness, ease of use and richness of functions of the system are improved, and the competitiveness of the mass storage automation platform is improved.

Description of the drawings

To illustrate the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of a black and white list control method for a mass storage distributed system provided by Embodiment 1 of the present invention.

FIG. 2 is a schematic flowchart of the cluster self-check process in Embodiment 1 of the present invention.

FIG. 3 is a schematic flowchart of load-balancing state detection in Embodiment 1 of the present invention.

FIG. 4 is a schematic flowchart of the anti-leeching policy in Embodiment 1 of the present invention.

FIG. 5 is a schematic block diagram of the structure of a black and white list control device for a mass storage distributed system provided by Embodiment 2 of the present invention.

FIG. 6 is a schematic structural diagram of a terminal provided by Embodiment 3 of the present invention.

Detailed description

To help those skilled in the art better understand the solution of the present application, the present application is described in further detail below with reference to the drawings and specific embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the present application.

Embodiment 1

Embodiment 1 provides a black and white list control method for a mass storage distributed system, which restricts access for hosts from particular sources, permits access for hosts from particular sources, and supports control with different numbers and combinations of policies as required.

As shown in FIG. 1, the method includes the following steps.

S1: configure the cluster environment, establish the cluster Web and SSH (Secure Shell, a network protocol for encrypted login between computers) connections, and enable the cluster CTDB (Cluster Trivial Database, a lightweight clustered database implementation) high-availability state and load-balancing state.

S2: create a user and a bucket in the cluster, and set the bucket's access control list to public-read or higher.

S3: create a web page file and upload it to the bucket, enable static website hosting for the bucket, and open all access to the website.

S4: configure a host blacklist and whitelist for the web page in the bucket, and save the blacklist and whitelist to a database.

It should be understood that hosts in the blacklist are hosts that may not access the web page, and hosts in the whitelist are hosts that may access it. Users can add any number of hosts to the blacklist and whitelist as needed; control over host access permissions is realized through the blacklist and whitelist configuration, and different numbers and combinations of policies can be supported as required.

To explain the present invention further, a specific embodiment is provided below, which includes the following process.

(1) Cluster environment configuration

It should be understood that the cluster environment is configured before the black and white lists so that the lists can subsequently be configured normally. In this embodiment, cluster environment configuration includes establishing the cluster Web and SSH connections and enabling the cluster CTDB high-availability state and load-balancing state, specifically through the following process.

S101: obtain the mass storage management software information and SSH information.

The mass storage management software information includes the management software address, login name and login password; the SSH information includes the SSH login user name and login password.

Specifically, the management software address $CLUSTER_IP, management software login name $CLUSTER_USERNAME and management software password $CLUSTER_PASSWORD, and the SSH login user name $SSH_NAME and SSH login password $SSH_PASSWORD are read from the env configuration file.

S102: according to the management software information and SSH information, log in to the cluster Web side and establish the cluster Web and SSH connections.

Use login_console to log in to the cluster Web side and save $SESSION; use ssh_connect to establish the SSH connection and save $CLUSTER_SSH.

S103: query the cluster health state; if the cluster is unhealthy, report an error and exit the program; otherwise obtain and check the cluster CTDB high-availability state; if it is enabled, execute the next step, load-balancing state detection, otherwise report an error, exit the program and prompt that the cluster CTDB high-availability state must be configured and enabled.

As shown in FIG. 2, the cluster self-check queries the cluster health state $CLUSTER_HEALTH through icfs-s. If the cluster state is abnormal, 1 is returned and the program reports an error; if the cluster state is normal, 0 is returned and saved to the database for persistent storage. verify_ctdb_start($SESSION) then determines whether the CTDB high-availability state of the cluster environment is enabled; if it is not, an error is reported with a prompt that CTDB high availability must be enabled before proceeding to the next step, load-balancing state detection.

S104: obtain and check the cluster load-balancing state; if it is enabled, execute the next step, otherwise enable cluster load balancing and then obtain and check the cluster load-balancing state again.

S105: obtain and check the cluster load-balancing auto-start state; if it is enabled, execute the next step, otherwise enable load-balancing auto-start and then obtain and check the load-balancing auto-start state again.

S106: judge whether the number of currently configured load-balancing domain names exceeds the threshold; if so, report an error and exit the program, otherwise execute the next step of creating a user and a bucket in the cluster.

As shown in FIG. 3, once the cluster CTDB high-availability state is enabled, load-balancing state detection is performed, and finally the receiving-end connection count is configured.

Use get_loadbalance_service_status($SESSION) to obtain the current load-balancing state $LOADBALANCE_STATE, then get_loadbalance_selfstart_status($SESSION) to obtain the load-balancing auto-start state $SELFSTART_STATE; if either is off, enable it. Use get_ctdb_vir_ip_list() to obtain the CTDB virtual IP list $VIR_IP_LIST, and config_loadbalanc_subdomain($SESSION,$VIR_IP_LIST) to configure the receiving-end connection count.

The receiving-end connection count configuration specifically includes configuring the load-balancing domain name $LOADBALANCE_DOMAIN, which is used to generate the static website hosting domain name $WEBSITE_DOMAIN, and persisting it to the database; the number of currently configured load-balancing domain names $LOADBALANCE_DOMAIN is then checked, and when $LOADBALANCE_DOMAIN>20 the system reports an error that the maximum has been exceeded and exits.
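The cluster self-check of steps S103 to S106 (and the corresponding steps in the summary above), as an added example that is not code from the patent or from the Inspur platform. FakeCluster is a constructed stand-in for the management-software session behind the page's login_console, verify_ctdb_start, get_loadbalance_service_status and get_loadbalance_selfstart_status calls; its attribute and method names are assumptions made for this example. The threshold of 20 load-balancing domain names is the one stated in the embodiment. The check fails closed: any unmet precondition aborts before a user, bucket or access list is created.

```python
"""Fail-closed cluster self-check run before any black/white list is configured.

Added example; not code from the patent or from the Inspur platform.
FakeCluster is a constructed stand-in for the management-software session;
its attribute and method names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Threshold stated in the embodiment: more than 20 configured load-balancing
# domain names is an error.
MAX_LOADBALANCE_DOMAINS = 20


@dataclass
class FakeCluster:
    """Constructed cluster state; a real implementation would query the Web/SSH session."""
    healthy: bool = True
    ctdb_ha_enabled: bool = True
    loadbalance_enabled: bool = True
    loadbalance_selfstart: bool = True
    loadbalance_domains: int = 0
    actions: List[str] = field(default_factory=list)  # remediation steps taken

    def enable_loadbalance(self) -> None:
        self.actions.append("enable_loadbalance")
        self.loadbalance_enabled = True

    def enable_loadbalance_selfstart(self) -> None:
        self.actions.append("enable_loadbalance_selfstart")
        self.loadbalance_selfstart = True


def _ensure_enabled(name: str, read_state: Callable[[], bool],
                    enable: Callable[[], None], log: List[str]) -> bool:
    """Check a state; if it is off, enable it once and read it again (S104/S105)."""
    if read_state():
        log.append(f"{name} already enabled")
        return True
    log.append(f"{name} off: enabling and re-checking")
    enable()
    if read_state():
        log.append(f"{name} now enabled")
        return True
    log.append(f"{name} still off after enabling")
    return False


def precheck(cluster: FakeCluster,
             max_domains: int = MAX_LOADBALANCE_DOMAINS) -> Tuple[int, List[str]]:
    """Return (exit_code, log): 0 means proceed to user/bucket creation, 1 means abort.

    Order follows S103-S106: health, CTDB HA, load balancing, load-balancing
    auto-start, domain-name threshold. Every failure aborts, so access lists
    are never applied to a half-configured cluster.
    """
    log: List[str] = []
    if not cluster.healthy:            # S103: health query returned 1
        log.append("cluster health abnormal (1): abort")
        return 1, log
    log.append("cluster health normal (0)")
    if not cluster.ctdb_ha_enabled:    # S103: CTDB high availability check
        log.append("CTDB high availability is off: configure and enable it, then retry")
        return 1, log
    log.append("CTDB high availability enabled")
    if not _ensure_enabled("load balancing",
                           lambda: cluster.loadbalance_enabled,
                           cluster.enable_loadbalance, log):
        return 1, log
    if not _ensure_enabled("load-balancing auto-start",
                           lambda: cluster.loadbalance_selfstart,
                           cluster.enable_loadbalance_selfstart, log):
        return 1, log
    if cluster.loadbalance_domains > max_domains:   # S106
        log.append(f"{cluster.loadbalance_domains} load-balancing domain names "
                   f"configured, exceeds maximum {max_domains}: abort")
        return 1, log
    log.append("precheck passed: proceed to create user and bucket")
    return 0, log


if __name__ == "__main__":
    for state in (FakeCluster(),
                  FakeCluster(loadbalance_enabled=False, loadbalance_selfstart=False),
                  FakeCluster(ctdb_ha_enabled=False),
                  FakeCluster(loadbalance_domains=21)):
        code, messages = precheck(state)
        print(code, "|", "; ".join(messages))
```

The two load-balancing states are the only ones the text repairs in place (enable, then read again); health and CTDB high availability are treated as hard stops because the text has the program exit rather than remediate.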

(2) User, storage bucket and bucket ACL permissions

After the cluster environment has been configured successfully, the user and storage bucket are created and the bucket's ACL (access control list) permissions are configured.

Use create_user($USER_NAME) to create the user; use create_bucket($BUCKET_NAME) to create the bucket; use set_bucket_acl($USER_NAME, $BUCKET_NAME, $ALL_READ) to set a public-read ($ALL_READ) bucket ACL on bucket $BUCKET_NAME of user $USER_NAME.

(3) Static website configuration

After the bucket's ACL permissions are configured, the static website is configured.

Create the webpage file $WEB_FILE and upload it to the bucket $OBJECT_BUCKET. Specifically, within bucket $BUCKET_NAME, write the HTML page file $INDEX_HTML using echo, and use s3_put_object($INDEX_HTML, $BUCKET_NAME) to upload $INDEX_HTML to the bucket.

Then enable static website hosting on bucket $OBJECT_BUCKET and open all access rights to the website.

(4) Black and white list configuration and verification

Configure the blacklist $BLACK_LISTS of sources whose access is to be restricted and the whitelist $WHITE_LISTS of sources allowed to access, and poll to obtain the black and white lists, so that black and white lists from multiple access sources are supported. The website information in the black and white lists is persisted to the database, with $BLACK_LIST_ID marking this $BLACK_LIST and $WHITE_LIST_ID marking this $WHITE_LISTS.

As shown in Figure 4, use set_bucket_anti_stealing_link($BUCKET_NAME, $BLACK_REFFER_LIST, $WHITE_REFFER_LIST) to set the whitelist $WHITE_REFFER_LIST or the blacklist $BLACK_REFFER_LIST for all webpages in bucket $BUCKET_NAME, such as $INDEX_HTML.

The configured $BLACK_LIST and $WHITE_LIST are then obtained from the database, the hotlink protection (anti-leech) setting is enabled for the website $WEBSITE_DOMAIN, and the blacklist $BLACK_LIST and the whitelist $WHITE_LIST are both added to the hotlink protection policy. If the user configured only one blacklist entry in $BLACK_LIST and no whitelist, only that one blacklist entry is added to the hotlink protection policy and persisted as $REFER_1; if multiple blacklist entries are configured in $BLACK_LIST and no whitelist, all blacklist entries belonging to $BLACK_LIST_ID in the database are added to the policy in turn. Single or multiple blacklists and single or multiple whitelists are supported, as is configuring only a blacklist, only a whitelist, or both at once; when the same host appears in both the blacklist and the whitelist, the blacklist entry takes effect. The program then runs the curl command on the first node of the cluster as a self-check that the hotlink protection black and white lists are in effect: when none of the source hosts in the blacklist can access $WEBSITE_DOMAIN, $BLACK_VALUE is persisted as TRUE; when none of the whitelist-source hosts can access $WEBSITE_DOMAIN, $WHITE_VALUE is likewise persisted as TRUE, and the program's self-check passes and returns 1.

In this embodiment, adding the blacklist to the hotlink protection policy for blacklist verification specifically includes:

Step 1: simulate a connection from each host in the blacklist to the cluster Web and verify the connection;

Step 2: if any host connects normally to the cluster Web, the blacklist is abnormal and the program reports an error; otherwise the blacklist is normal and the next step is executed;

Step 3: check whether each host in the blacklist can access the webpages on the cluster Web;

Step 4: if none of them can, the blacklist is normal and is put into effect; otherwise the blacklist is abnormal and the program reports an error.

Adding the whitelist to the hotlink protection policy for whitelist verification specifically includes:

Step 1: simulate a connection from each host in the whitelist to the cluster Web and verify the connection;

Step 2: if all hosts connect normally to the cluster Web, the whitelist is normal and the next step is executed; otherwise the whitelist is abnormal and the program reports an error;

Step 3: check whether each host in the whitelist can access the webpages on the cluster Web;

Step 4: if all of them can, the whitelist is normal and is put into effect; otherwise the whitelist is abnormal and the program reports an error.

As shown in Figure 4, the hotlink protection policy is specifically as follows.

curl_check_web_site($INDEX_HTML) is called automatically, and curl $BLACK_REFFER_LIST[n] $INDEX_HTML is run to simulate each blacklisted host's connectivity flag $CONNECT_FLAG to the cluster web service; if the flag is TRUE, the program reports an error stating that the hotlink protection blacklist is abnormal. Then get_static_website_trusteeship($BLACK_REFFER_LIST[n], $INDEX_HTML) is used to verify whether each blacklisted host can access the webpage on the cluster web service; if it can, $VISIT_FLAG is set to FALSE and the program reports an error.

If the whitelist $WHITE_REFFER_LIST is set, curl_check_web_site($INDEX_HTML) is called automatically, and curl $WHITE_REFFER_LIST[n] $INDEX_HTML is run to simulate each whitelisted host's connectivity flag $CONNECT_FLAG to the cluster web service; if the flag is FALSE, the program reports an error stating that the hotlink protection whitelist is abnormal. Then get_static_website_trusteeship($WHITE_REFFER_LIST[n], $INDEX_HTML) is used to verify whether each whitelisted host can access the webpage on the cluster web service; if it cannot, $VISIT_FLAG is set to FALSE and the program reports an error.

If the blacklist $BLACK_REFFER_LIST and the whitelist $WHITE_REFFER_LIST contain the same element, the blacklist logic is applied by default: the elements shared with $BLACK_REFFER_LIST are removed from $WHITE_REFFER_LIST, and the blacklist verification logic get_static_website_trusteeship($BLACK_REFFER_LIST[n], $INDEX_HTML) is entered.
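The list-merge rule (a host in both lists stays blacklisted and is dropped from the whitelist), the hotlink protection decision, and the four-step self-check of section (4), as an added example that is not part of the patent or of the storage platform's set_bucket_anti_stealing_link implementation. The Referer-host model, the ReferPolicy / is_allowed / simulate_request / self_check names, the constructed host names, and the treatment of requests with no Referer are all assumptions; the whitelist self-check follows the four-step whitelist procedure above (every whitelisted host must be able to access the page). It also covers the blacklist-only and whitelist-only configurations the description says are supported.

```python
"""Hotlink-protection (anti-leech) policy built from a Referer-host blacklist
and whitelist, plus the black/white list self-check simulated offline.
Added example; the policy model and the simulated curl request are
assumptions, not the storage platform's own implementation."""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ReferPolicy:
    black: frozenset[str]            # source hosts refused access to the site's pages
    white: frozenset[str]            # source hosts allowed; empty means "no whitelist configured"
    allow_empty_referer: bool = True  # assumption: direct visits (no Referer) pass a blacklist-only policy


def build_policy(black_list, white_list, allow_empty_referer=True) -> ReferPolicy:
    """Merge the lists the way the description does: a host present in both
    stays in the blacklist and is removed from the whitelist."""
    black = frozenset(h.strip().lower() for h in black_list if h.strip())
    white = frozenset(h.strip().lower() for h in white_list if h.strip()) - black
    return ReferPolicy(black, white, allow_empty_referer)


def referer_host(referer: str | None) -> str | None:
    """Host part of a Referer header value, or None when absent or unparseable."""
    if not referer:
        return None
    return urlsplit(referer).hostname  # urlsplit lower-cases the host


def is_allowed(policy: ReferPolicy, referer: str | None) -> bool:
    """Decision for one request: blacklist refuses first; a configured
    whitelist then admits only listed hosts; otherwise everything else passes."""
    host = referer_host(referer)
    if host is None:
        # Direct visit: passes only when no whitelist restricts the sources
        return policy.allow_empty_referer and not policy.white
    if host in policy.black:
        return False
    if policy.white:
        return host in policy.white
    return True


def simulate_request(policy: ReferPolicy, source_host: str, page: str = "/index.html") -> int:
    """Stand-in for 'curl <host> $INDEX_HTML' run on the cluster's first node:
    the request carries a Referer from source_host and receives 200 or 403."""
    return 200 if is_allowed(policy, f"http://{source_host}{page}") else 403


def self_check(policy: ReferPolicy) -> tuple[bool, bool, int]:
    """The four-step verification: every blacklisted host must be refused and
    every whitelisted host must be served. Returns ($BLACK_VALUE, $WHITE_VALUE,
    1 when the self-check passes, else 0)."""
    black_value = all(simulate_request(policy, h) == 403 for h in policy.black)
    white_value = all(simulate_request(policy, h) == 200 for h in policy.white)
    return black_value, white_value, 1 if (black_value and white_value) else 0


if __name__ == "__main__":
    # Constructed lists: "hotlinker.example" appears in both, so it is blacklisted.
    policy = build_policy(["Hotlinker.example", "scraper.example"],
                          ["partner.example", "hotlinker.example"])
    print(sorted(policy.black), sorted(policy.white))
    print(simulate_request(policy, "partner.example"), simulate_request(policy, "scraper.example"))
    print(self_check(policy))
```

A point worth checking in any real deployment of such a policy: the Referer header is supplied by the client, so this control keeps casual hotlinking off a public-read bucket but is not an authentication boundary; the public-read ACL and "open all access rights" in steps (2) and (3) remain the effective permission on the objects.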

The black and white list control method for a mass storage distributed system provided by this embodiment configures a blacklist and a whitelist of hosts, so that access can be denied to hosts from specific sources and allowed to hosts from other specific sources, and supports control with different numbers of entries and combinations of policies as required, improving the robustness, usability and functional richness of the system and the competitiveness of the mass storage automation platform.

Embodiment 2

On the basis of Embodiment 1, Embodiment 2 provides a black and white list control device for a mass storage distributed system, used to implement the method of Embodiment 1.

As shown in Figure 5, the black and white list control device for a mass storage distributed system provided by Embodiment 2 includes the following functional modules.

Cluster environment configuration module 100: configures the cluster environment, connects the cluster Web with SSH, and enables the cluster CTDB high-availability state and the load balancing state.

User creation module 105: creates the user in the cluster.

Bucket creation module 106: creates the storage bucket in the cluster.

Bucket permission configuration module 107: sets the storage bucket's access control list to public read or higher.

Static website configuration module 108: creates the webpage file and uploads it to the storage bucket, enables static website hosting on the storage bucket, and opens all access rights to the website.

Black and white list configuration module 109: configures the host blacklist and whitelist for the webpages in the storage bucket and saves the blacklist and whitelist to the database.

In this embodiment, to configure the cluster environment, the cluster environment configuration module 100 specifically includes the following functional modules.

Cluster site configuration import module 101: obtains the mass storage management software information and the SSH information, where the mass storage management software information includes the management software address, login name and login password, and the SSH information includes the SSH login user name and login password.

Cluster login module 102: logs in to the cluster Web end according to the mass storage management software information and the SSH information, and connects the cluster Web with SSH.

CTDB admission module 103: queries the cluster health state; if the cluster is unhealthy, reports an error and exits the program; otherwise obtains and checks the cluster CTDB high-availability state; if that state is enabled, triggers execution of the load balancing verification configuration module; otherwise reports an error, exits the program, and prompts that the cluster CTDB high-availability state must be configured and enabled.

Load balancing verification configuration module 104: obtains and checks the cluster load balancing state; if it is off, enables cluster load balancing and then obtains and checks the load balancing state again; otherwise obtains and checks the cluster load balancing auto-start state; if that is off, enables load balancing auto-start and then obtains and checks the auto-start state again; otherwise determines whether the number of currently configured load balancing domain names exceeds the threshold; if it does, reports an error and exits the program; otherwise triggers execution of the user creation module.

The black and white list control device for a mass storage distributed system of this embodiment further includes a black and white list verification module 110, which obtains the blacklist from the database and adds it to the hotlink protection policy for blacklist verification, and obtains the whitelist from the database and adds it to the hotlink protection policy for whitelist verification. Verification and activation of the black and white lists are implemented by the black and white list verification module 110.

Adding the blacklist to the hotlink protection policy for blacklist verification specifically includes:

simulating a connection from each host in the blacklist to the cluster Web and verifying the connection;

if any host connects normally to the cluster Web, the blacklist is abnormal and the program reports an error; otherwise the blacklist is normal and the next step is executed;

checking whether each host in the blacklist can access the webpages on the cluster Web;

if none of them can, the blacklist is normal and is put into effect; otherwise the blacklist is abnormal and the program reports an error.

Adding the whitelist to the hotlink protection policy for whitelist verification specifically includes:

simulating a connection from each host in the whitelist to the cluster Web and verifying the connection;

if all hosts connect normally to the cluster Web, the whitelist is normal and the next step is executed; otherwise the whitelist is abnormal and the program reports an error;

checking whether each host in the whitelist can access the webpages on the cluster Web;

if all of them can, the whitelist is normal and is put into effect; otherwise the whitelist is abnormal and the program reports an error.

The black and white list verification module 110 is further used, when a host is in both the blacklist and the whitelist, to apply blacklist verification to that host and delete it from the whitelist.

The black and white list control device for a mass storage distributed system of this embodiment is used to implement the black and white list control method described above, so its specific implementation can be found in the method embodiment above; reference may be made to the description of the corresponding parts of that embodiment, which is not repeated here.

In addition, since the device of this embodiment is used to implement the method described above, its effects correspond to those of the method and are not repeated here.

Embodiment 3

Figure 6 is a schematic structural diagram of a terminal device 600 provided by an embodiment of the invention; the terminal device 600 can be used to execute the black and white list control method for a mass storage distributed system provided by the embodiments of the invention.

The terminal device 600 may include a processor 610, a memory 620 and a communication unit 630. These components communicate over one or more buses. Those skilled in the art will understand that the server structure shown in the figure does not limit the invention: it may be a bus topology or a star topology, may include more or fewer components than shown, may combine certain components, or may arrange the components differently.

The memory 620 may be used to store the execution instructions of the processor 610 and may be implemented by any type of volatile or non-volatile storage terminal or a combination of them, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc. When the execution instructions in the memory 620 are executed by the processor 610, the terminal 600 is enabled to perform some or all of the steps of the method embodiments described above.

The processor 610 is the control center of the storage terminal; it connects the parts of the whole electronic terminal through various interfaces and lines, and performs the various functions of the electronic terminal and/or processes data by running or executing the software programs and/or modules stored in the memory 620 and invoking the data stored in the memory. The processor may consist of integrated circuits (ICs), for example a single packaged IC, or several packaged ICs with the same or different functions connected together. For example, the processor 610 may include only a central processing unit (CPU). In embodiments of the invention the CPU may have a single computing core or multiple computing cores.

The communication unit 630 is used to establish a communication channel so that the storage terminal can communicate with other terminals, receiving user data sent by other terminals or sending user data to them.

Embodiment 4

The invention also provides a computer storage medium that may store a program which, when executed, may include some or all of the steps of the embodiments provided by the invention. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.

Those skilled in the art will understand that the techniques in the embodiments of the invention can be implemented by software plus the necessary general-purpose hardware platform. On this understanding, the technical solutions in the embodiments, or the part of them that contributes over the prior art, may be embodied as a software product stored in a storage medium such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc, containing instructions that cause a computer terminal (which may be a personal computer, a server, a second terminal, a network terminal, etc.) to execute all or part of the steps of the methods described in the embodiments of the invention.

For the same or similar parts among the embodiments in this specification, refer to one another. In particular, since the terminal embodiment is essentially similar to the method embodiment, its description is relatively brief; for relevant details refer to the description in the method embodiment.

In the several embodiments provided by the invention, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a logical functional division, and other divisions are possible in actual implementation; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, may each exist physically on their own, or two or more of them may be integrated into one unit.

The above disclosure is only a preferred embodiment of the invention, but the invention is not limited to it; any non-inventive changes that a person skilled in the art could conceive, and any improvements and refinements made without departing from the principles of the invention, fall within the scope of protection of the invention.

Claims (8)

1. A black and white list control method for a mass storage distributed system, characterized by comprising the following steps:
configuring a cluster environment, connecting the cluster Web with SSH, and enabling the high-availability state and the load balancing state of the cluster CTDB;
creating a user and a storage bucket in the cluster, and setting the access control list of the storage bucket to public read or higher;
creating a webpage file, uploading it to the storage bucket, enabling static website hosting for the storage bucket, and opening all access rights to the website;
configuring a blacklist and a whitelist of hosts for the webpage in the storage bucket, and storing the blacklist and the whitelist in a database;
obtaining the blacklist from the database and adding it to a hotlink protection policy for blacklist verification;
obtaining the whitelist from the database and adding it to the hotlink protection policy for whitelist verification;
if a host is in both the blacklist and the whitelist, applying blacklist verification to the host and deleting it from the whitelist.
2. The black and white list control method for a mass storage distributed system according to claim 1, wherein adding the blacklist to the hotlink protection policy for blacklist verification specifically comprises:
simulating a connection from each host in the blacklist to the cluster Web, and performing connection verification;
if any host connects normally to the cluster Web, the blacklist is abnormal and the program reports an error; otherwise the blacklist is normal and the next step is executed;
checking whether each host in the blacklist can access the webpages on the cluster Web;
if none of them can be accessed, the blacklist is normal and is put into effect; otherwise the blacklist is abnormal and the program reports an error.
3. The black and white list control method for a mass storage distributed system according to claim 2, wherein
adding the whitelist to the hotlink protection policy for whitelist verification comprises the following steps:
simulating a connection from each host in the whitelist to the cluster Web, and performing connection verification;
if all hosts connect normally to the cluster Web, the whitelist is normal and the next step is executed; otherwise the whitelist is abnormal and the program reports an error;
checking whether each host in the whitelist can access the webpages on the cluster Web;
if all of them can be accessed, the whitelist is normal and is put into effect; otherwise the whitelist is abnormal and the program reports an error.
4. The black and white list control method for a mass storage distributed system according to any one of claims 1 to 3, wherein configuring the cluster environment, connecting the cluster Web with SSH, and enabling the high-availability state and the load balancing state of the cluster CTDB specifically comprises:
acquiring mass storage management software information and SSH information, wherein the mass storage management software information comprises a mass storage management software address, a login name and a login password, and the SSH information comprises an SSH login user name and a login password;
logging in to the cluster Web end according to the mass storage management software information and the SSH information, and connecting the cluster Web with SSH;
querying the health state of the cluster; if the cluster is healthy, executing the next step, otherwise reporting an error and exiting the program;
acquiring and checking the high-availability state of the cluster CTDB; if the high-availability state of the cluster CTDB is on, executing the next step, otherwise reporting an error, exiting the program and prompting that the high-availability state of the cluster CTDB must be configured and enabled;
acquiring and checking the cluster load balancing state; if the cluster load balancing state is on, executing the next step, otherwise acquiring and checking the cluster load balancing state again after enabling cluster load balancing;
acquiring and checking the auto-start state of cluster load balancing; if the auto-start state of cluster load balancing is on, executing the next step, otherwise acquiring and checking the auto-start state of cluster load balancing again after enabling cluster load balancing auto-start;
judging whether the number of currently configured load balancing domain names exceeds a threshold; if so, reporting an error and exiting the program, otherwise executing the next step to create the user and storage bucket in the cluster.
5. A black-and-white list control device of a mass storage distributed system is characterized by comprising,
cluster environment configuration module: configuring a cluster environment, connecting a cluster Web with SSH, and starting a high-availability state and a load balancing state of a cluster CTDB;
a user creation module: creating users in a cluster;
a storage bucket creation module: creating a storage bucket in a cluster;
barrel authority configuration module: setting an access control list of the storage barrel as public reading authority and the authority;
static website configuration module: creating a webpage file, uploading the webpage file to a storage barrel, starting a static website for hosting the storage barrel, and opening all access rights of the website;
black and white list configuration module: configuring a blacklist and a whitelist of a host according to the webpage in the storage barrel, and storing the blacklist and the whitelist into a database;
black and white list verification module: the database acquires a blacklist, and adds the blacklist into an anti-theft chain strategy to carry out blacklist verification; the database acquires a white list, and adds the white list into an anti-theft chain strategy to carry out white list verification; when a host is in the blacklist and the whitelist, the host is checked and deleted in the whitelist.
6. The mass storage distributed system black-and-white list control device of claim 5, wherein,
adding the blacklist into an anti-theft chain strategy for blacklist verification, which specifically comprises the following steps:
simulating the connection between each host in the blacklist and the Web of the cluster, and performing connection verification;
if the host is normally connected with the clustered Web, the blacklist is abnormal, and the program is wrongly reported; otherwise, the blacklist is normal, and executing the next step;
checking whether each host in the blacklist can access the Web pages in the cluster Web;
if the blacklist cannot be accessed, the blacklist is normal, and the blacklist is validated; otherwise, the blacklist is abnormal, and the program reports errors.
7. The device for controlling black-and-white lists of mass storage distributed systems according to claim 6, wherein adding the whitelist to the hotlink protection policy for whitelist verification specifically comprises:
simulating a connection between each host in the whitelist and the Web of the cluster, and performing connection verification;
if all hosts connect normally to the cluster Web, the whitelist is normal and the next step is executed; otherwise, the whitelist is abnormal and the program reports an error;
checking whether each host in the whitelist can access the web pages in the cluster Web;
if all of them can access the pages, the whitelist is normal and the whitelist takes effect; otherwise, the whitelist is abnormal and the program reports an error.
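The two-stage checks of claims 6 and 7, together with the overlap rule of claim 5, as an added example that is not the patent's own code. The `probe` callback shape (host -> (connected, can_access_pages)), the `simulated_cluster` stand-in for a cluster Web with a hotlink-protection policy applied, and the host addresses are all assumptions constructed for the example.

```python
from typing import Callable, List, Tuple

Probe = Callable[[str], Tuple[bool, bool]]  # host -> (connected, can_access_pages); assumed shape


def resolve_overlap(blacklist: List[str], whitelist: List[str]) -> List[str]:
    """Claim 5: a host present in both lists is deleted from the whitelist."""
    blocked = set(blacklist)
    return [h for h in whitelist if h not in blocked]


def simulated_cluster(policy_black: set, policy_white: set) -> Probe:
    """Constructed stand-in for a cluster Web with a hotlink-protection policy:
    blacklisted hosts cannot connect; page access additionally needs the whitelist."""
    def probe(host: str) -> Tuple[bool, bool]:
        connected = host not in policy_black
        return connected, connected and (not policy_white or host in policy_white)
    return probe


def verify_blacklist(blacklist: List[str], probe: Probe) -> Tuple[bool, str]:
    """Claim 6: connection check on every host first, then the page-access check."""
    results = {h: probe(h) for h in blacklist}
    for host, (connected, _) in results.items():
        if connected:  # a blacklisted host must not reach the cluster Web at all
            return False, f"blacklist abnormal: {host} connected to cluster Web"
    for host, (_, can_access) in results.items():
        if can_access:
            return False, f"blacklist abnormal: {host} can access web pages"
    return True, "blacklist normal and in effect"


def verify_whitelist(whitelist: List[str], probe: Probe) -> Tuple[bool, str]:
    """Claim 7: every whitelisted host must connect AND be able to read the pages."""
    results = {h: probe(h) for h in whitelist}
    for host, (connected, _) in results.items():
        if not connected:
            return False, f"whitelist abnormal: {host} cannot connect to cluster Web"
    for host, (_, can_access) in results.items():
        if not can_access:
            return False, f"whitelist abnormal: {host} cannot access web pages"
    return True, "whitelist normal and in effect"


if __name__ == "__main__":
    black, white = ["10.0.0.5", "10.0.0.9"], ["10.0.0.9", "10.0.0.20"]  # constructed
    white = resolve_overlap(black, white)  # 10.0.0.9 is dropped from the whitelist
    ok = simulated_cluster(set(black), set(white))
    print(verify_blacklist(black, ok), verify_whitelist(white, ok))
    print(verify_blacklist(black, simulated_cluster({"10.0.0.5"}, set(white))))  # policy lost an entry
```

The last call shows the failure mode the claims guard against: a policy that silently lost one blacklist entry is caught at the connection stage before the list is allowed to take effect.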
8. The mass storage distributed system black-and-white list control device of any of claims 5-7, wherein the cluster environment configuration module comprises:
cluster site configuration import module: obtaining mass storage management software information and SSH information, wherein the mass storage management software information comprises the address, login name and login password of the mass storage management software, and the SSH information comprises the SSH login user name and login password;
cluster login module: logging in to the cluster Web end according to the mass storage management software information and the SSH information, and connecting the cluster Web with SSH;
CTDB admission module: querying the health state of the cluster; if the cluster is unhealthy, reporting an error and exiting the program; otherwise, obtaining and detecting the CTDB high availability state of the cluster; if the CTDB high availability state of the cluster is on, triggering the load balancing verification configuration module to execute; otherwise, reporting an error, exiting the program, and prompting that the CTDB high availability state of the cluster needs to be configured and enabled;
load balancing verification configuration module: obtaining and detecting the cluster load balancing state; if the cluster load balancing state is off, enabling cluster load balancing and then obtaining and detecting the cluster load balancing state again; otherwise, obtaining and detecting the automatic start state of cluster load balancing; if the automatic start state of cluster load balancing is off, enabling it and then obtaining and detecting the automatic start state again; otherwise, judging whether the number of currently configured load balancing domain names exceeds a threshold value; if so, reporting an error and exiting the program; otherwise, triggering the user creation module to execute.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210043473.4A CN114615008B (en) 2022-01-14 2022-01-14 A black and white list control method and device for a mass storage distributed system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210043473.4A CN114615008B (en) 2022-01-14 2022-01-14 A black and white list control method and device for a mass storage distributed system

Publications (2)

Publication Number Publication Date
CN114615008A CN114615008A (en) 2022-06-10
CN114615008B true CN114615008B (en) 2023-08-08

Family

ID=81857322

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210043473.4A Active CN114615008B (en) 2022-01-14 2022-01-14 A black and white list control method and device for a mass storage distributed system

Country Status (1)

Country Link
CN (1) CN114615008B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116010741B (en) * 2023-01-06 2026-02-03 济南浪潮数据技术有限公司 Static website hosting method, device, equipment and storage medium
CN120017410B (en) * 2025-03-27 2025-10-10 浪潮云信息技术股份公司 URL authority control method and system based on black and white list

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752300A (en) * 2012-06-28 2012-10-24 用友软件股份有限公司 Dynamic antitheft link system and dynamic antitheft link method
CN109660579A (en) * 2017-10-11 2019-04-19 阿里巴巴集团控股有限公司 Data processing method, system and electronic equipment
CN113810358A (en) * 2021-02-05 2021-12-17 京东科技控股股份有限公司 Access limiting method, device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10819652B2 (en) * 2018-07-02 2020-10-27 Amazon Technologies, Inc. Access management tags

Also Published As

Publication number Publication date
CN114615008A (en) 2022-06-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 215100 Building 9, No.1 guanpu Road, Guoxiang street, Wuzhong Economic Development Zone, Suzhou City, Jiangsu Province

Patentee after: Suzhou Yuannao Intelligent Technology Co.,Ltd.

Country or region after: China

Address before: 215100 Building 9, No.1 guanpu Road, Guoxiang street, Wuzhong Economic Development Zone, Suzhou City, Jiangsu Province

Patentee before: SUZHOU LANGCHAO INTELLIGENT TECHNOLOGY Co.,Ltd.

Country or region before: China