
CN118427162A - Authorization control method and device for operating system, electronic equipment, storage medium and program product - Google Patents


Info

Publication number
CN118427162A
Authority
CN
China
Prior art keywords
directory
directory path
path
variable
custom
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202410893429.1A
Other languages
Chinese (zh)
Other versions
CN118427162B (en)
Inventor
王博
季宗耀
孟杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Uniontech Software Technology Co Ltd
Original Assignee
Uniontech Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Uniontech Software Technology Co Ltd
Priority to CN202410893429.1A
Publication of CN118427162A
Application granted
Publication of CN118427162B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/13 File access structures, e.g. distributed indices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/11 File system administration, e.g. details of archiving or snapshots
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present disclosure relates to an authorization control method, apparatus, electronic device, storage medium and program product for an operating system. The method comprises: setting the identity verification information of a target data warehouse as a custom identity variable, and storing the custom identity variable in a custom variable directory under a specified directory; acquiring a first directory path, which describes the position of the custom variable directory in the file system; correcting the first directory path by removing the part of it that corresponds to a second directory path, which describes the position of the specified directory in the file system, so as to obtain a corrected first directory path; reading the value of the custom identity variable under the specified directory according to the corrected first directory path; and sending a target request containing the value of the custom identity variable to the server side of the target data warehouse so that the server side can perform identity verification. The present disclosure may enable efficient and easy authentication.

Description

Authorization control method and device for operating system, electronic equipment, storage medium and program product
Technical Field
The present disclosure relates to the field of computers, and in particular, to a method, an apparatus, an electronic device, a storage medium, and a program product for controlling authorization of an operating system.
Background
Authorization management of an operating system mainly comprises controlling software installation/upgrade actions and operating system version update actions. After the operating system's authorization is activated, the user can install/upgrade software for the operating system and update the operating system version through the official server.
For an operating system that uses RPM (RPM Package Manager, originally Red Hat Package Manager and now a recursive abbreviation; an open-source package management system capable of installing, uninstalling, verifying, querying and updating packages in RPM format), the operating system consists of RPM packages. For such operating systems, a version update of the operating system is accomplished by updating all RPM packages installed within it, i.e., an operating system version update can be split into a series of RPM package updates. Controlling both the software installation/upgrade behavior and the operating system version update behavior can therefore be achieved by controlling the software package installation/upgrade behavior. The user can use a YUM (Yellowdog Updater Modified, a tool that improves package management)/DNF (Dandified YUM, the next-generation version of YUM) component to implement authorization management. Specifically, RPM packages for installation/upgrade are pulled from a YUM repository located on a remote HTTP server, and the user name and password for HTTP Basic identity authentication are modified dynamically by configuring YUM custom identity variables for the YUM repository. When a request message is sent to the remote HTTP server, the YUM/DNF component reads the values of the YUM custom identity variables from the YUM custom variable directory and adds them to the request message so that the remote HTTP server can perform Basic identity authentication. Because the YUM custom variable directory is stored at a fixed location under the system root directory, the YUM/DNF component can successfully find the directory and read the YUM custom identity variables in it.
However, consider an operating system that uses a hybrid image/package mechanism, as represented by rpm-ostree (an open-source hybrid image/package system that combines the features of RPM and OSTree, an open-source system for version updates of Linux distribution operating systems; it provides RPM-based software package installation management on the one hand and OSTree-based operating system version updates on the other). Such an operating system is image-based: the operating system version is updated through an OSTree repository, and software packages are installed/updated through a YUM repository. Its authorization management is implemented by the rpm-ostree component, which applies the same management mode to the operating system version and to software packages. As a result, the component cannot resolve YUM custom identity variables normally and cannot imitate the RPM mechanism of implementing Basic identity verification by adding the values of YUM custom identity variables to the request message. Other, more complex methods are required, which consume more computing resources.
Disclosure of Invention
The present disclosure provides an authorization control method, apparatus, electronic device, storage medium and program product for an operating system, so as to at least solve the problem of how to simply implement identity verification in authorization control in the related art.
According to a first aspect of embodiments of the present disclosure, there is provided an authorization management method of an operating system, the authorization management method including: setting the identity verification information of a target data warehouse as a custom identity variable, wherein the custom identity variable is stored under a custom variable directory, and the custom variable directory is a subdirectory under a specified directory; acquiring a first directory path, wherein the first directory path describes the position of the custom variable directory in a file system; correcting the first directory path to remove the part of the first directory path corresponding to a second directory path, to obtain a corrected first directory path, wherein the second directory path describes the position of the specified directory in the file system; reading the value of the custom identity variable under the specified directory according to the corrected first directory path; and sending a target request to a server side of the target data warehouse, wherein the target request contains the value of the custom identity variable for the server side to perform identity verification.
Optionally, correcting the first directory path to remove the part of the first directory path corresponding to the second directory path, to obtain the corrected first directory path, includes: acquiring the second directory path; and deleting the part that overlaps the second directory path from the first directory path to obtain the corrected first directory path.
Optionally, deleting the part of the first directory path that overlaps the second directory path, to obtain the corrected first directory path, includes: counting the number of path levels contained in the second directory path; and deleting that number of leading path levels from the first directory path to obtain the corrected first directory path.
Optionally, correcting the first directory path to remove the part of the first directory path corresponding to the second directory path, to obtain the corrected first directory path, includes: in the case where a default custom directory path exists, taking the default custom directory path as the corrected first directory path, wherein the result of concatenating the second directory path and the default custom directory path is the same as the first directory path.
Optionally, correcting the first directory path to remove the part of the first directory path corresponding to the second directory path, to obtain the corrected first directory path, includes: in the case where it is determined that the specified directory is not the system root directory, correcting the first directory path to remove the part corresponding to the second directory path, to obtain the corrected first directory path.
Optionally, correcting the first directory path to remove the part of the first directory path corresponding to the second directory path, to obtain the corrected first directory path, further includes: in the case where it is determined that the specified directory is the system root directory, taking the first directory path as the corrected first directory path.
Optionally, the target data warehouse comprises at least one of: software package repository, operating system image repository.
According to a second aspect of embodiments of the present disclosure, there is provided an authorization management device of an operating system, the authorization management device including: a setting unit configured to set the identity verification information of a target data warehouse as a custom identity variable, wherein the custom identity variable is stored under a custom variable directory, and the custom variable directory is a subdirectory under a specified directory; an obtaining unit configured to obtain a first directory path, wherein the first directory path describes the position of the custom variable directory in a file system; a correction unit configured to correct the first directory path to remove the part of the first directory path corresponding to a second directory path, so as to obtain a corrected first directory path, wherein the second directory path describes the position of the specified directory in the file system; a reading unit configured to read the value of the custom identity variable under the specified directory according to the corrected first directory path; and a request unit configured to send a target request to a server side of the target data warehouse, wherein the target request contains the value of the custom identity variable for the server side to perform identity verification.
Optionally, the correction unit is further configured to: acquire the second directory path; and delete the part that overlaps the second directory path from the first directory path to obtain the corrected first directory path.
Optionally, the correction unit is further configured to: count the number of path levels contained in the second directory path; and delete that number of leading path levels from the first directory path to obtain the corrected first directory path.
Optionally, the correction unit is further configured to: in the case where a default custom directory path exists, take the default custom directory path as the corrected first directory path, wherein the result of concatenating the second directory path and the default custom directory path is the same as the first directory path.
Optionally, the correction unit is further configured to correct the first directory path to remove the part of the first directory path corresponding to the second directory path, to obtain the corrected first directory path, if it is determined that the specified directory is not the system root directory.
Optionally, the correction unit is further configured to take the first directory path as the corrected first directory path in the case where it is determined that the specified directory is the system root directory.
Optionally, the target data warehouse comprises at least one of: software package repository, operating system image repository.
According to a third aspect of embodiments of the present disclosure, there is provided an electronic device, comprising: at least one processor; at least one memory storing computer-executable instructions, wherein the computer-executable instructions, when executed by the at least one processor, cause the at least one processor to perform an authorization management method for an operating system according to an exemplary embodiment of the present disclosure.
According to a fourth aspect of embodiments of the present disclosure, there is provided a computer-readable storage medium, instructions in which, when executed by at least one processor, cause the at least one processor to perform a method of authorization management of an operating system according to an exemplary embodiment of the present disclosure.
According to a fifth aspect of embodiments of the present disclosure, there is provided a computer program product comprising computer instructions which, when executed by at least one processor, cause the at least one processor to perform a method of authorization management of an operating system according to an exemplary embodiment of the present disclosure.
The technical scheme provided by the embodiment of the disclosure at least brings the following beneficial effects:
With the authorization control method, apparatus, electronic device, storage medium and program product of the operating system, the first directory path describing the custom variable directory is corrected by removing the part that belongs to the specified directory in which the custom variable directory is located (i.e., the directory of the current operating system version; this is the part corresponding to the second directory path). The custom variable directory can then be located under the directory of the current operating system version, so that the value of the custom identity variable is read and added to the target request sent to the target data warehouse. This achieves effective and simple identity verification, reduces the consumption of computing resources, and ensures efficient implementation of authorization control.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure and do not constitute an undue limitation on the disclosure.
FIG. 1 is a flowchart of an authorization management method for an operating system according to an exemplary embodiment of the present disclosure.
FIG. 2 is a flow chart of an authorization management method for an operating system according to a specific embodiment of the present disclosure.
Fig. 3 is a block diagram of an authorization management device of an operating system according to an exemplary embodiment of the present disclosure.
Fig. 4 is a block diagram of an electronic device according to an exemplary embodiment of the present disclosure.
Detailed Description
In order to enable those skilled in the art to better understand the technical solutions of the present disclosure, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein. The embodiments described in the examples below are not representative of all embodiments consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
It should be noted that, in this disclosure, "at least one of the items" covers three parallel cases: "any one of the items", "a combination of any of the items", and "all of the items". For example, "including at least one of A and B" covers the following three parallel cases: (1) including A; (2) including B; (3) including A and B. Likewise, "at least one of step one and step two is executed" covers the following three parallel cases: (1) executing step one; (2) executing step two; (3) executing step one and step two.
Hereinafter, an authorization control method, apparatus, electronic device, storage medium, and program product of an operating system according to exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings.
A detailed analysis of operating systems that use the rpm-ostree mechanism shows that, each time the operating system version is updated, a new directory is created under the system root directory to form the operating system environment of the corresponding version. The system root directory can therefore contain a plurality of subdirectories, and a corresponding YUM library exists under the directory of each environment. To control different operating system versions, the rpm-ostree component responsible for authorization control obtains the complete directory path, starting from the system root directory, whenever it obtains a directory path. For Basic identity verification of software package installation/upgrade behavior, imitating the RPM mechanism of adding the value of the YUM custom identity variable to the request message requires reading that value by calling the YUM library. However, the YUM library can only work in the environment of the operating system version in which it is located and can only read files under that environment's directory. It cannot recognize the complete YUM custom variable directory path obtained by the rpm-ostree component, so it cannot read the required custom identity variable, and the Basic identity verification method cannot be used. In short, the information description (i.e., the YUM custom variable directory path obtained by the rpm-ostree component) does not match the information reading capability (i.e., the YUM library can only read files under its own environment directory).
Based on this analysis, the authorization control method of the operating system according to the exemplary embodiment of the disclosure corrects the first directory path describing the custom variable directory by removing the part that belongs to the specified directory in which the custom variable directory is located (i.e., the directory of the current operating system version). The YUM library can then locate the custom variable directory under the directory of the current operating system version, so that the information description matches the information reading capability. The value of the custom identity variable is thereby read and added to the target request sent to the target data warehouse, which achieves effective and simple identity verification, reduces the consumption of computing resources, and ensures efficient implementation of authorization control.
FIG. 1 is a flowchart of an authorization management method for an operating system according to an exemplary embodiment of the present disclosure. The method is applied to an authorization management component of an operating system, such as, but not limited to, an rpm-ostree component.
Referring to fig. 1, in step 101, authentication information of a target data warehouse is set as a custom identity variable.
This step serves on the one hand to specify the target data warehouse and on the other hand to set identity verification information for the target data warehouse. The custom identity variable used for the identity verification information is stored in a custom variable directory, and the custom variable directory is a subdirectory under the specified directory.
In particular, the target data warehouse is a warehouse from which data needs to be acquired, such as a target YUM repository. In the current operating system version there may be multiple data warehouses of the same type, such as multiple YUM repositories, so it is necessary to specify which data warehouse or data warehouses of that type are to be managed this time; the specified warehouse is the target data warehouse. As an example, the target data warehouse may be preset by the operating system or manually configured by the user; this disclosure is not limited in this regard.
When identity verification information is set for the target data warehouse, it is set as a custom identity variable; that is, it is explicitly set to a variable rather than to the value of a variable. The identity verification information of the target data warehouse thus corresponds to the custom identity variable, and it can be modified automatically by modifying the value of the custom identity variable, which achieves dynamic updating of the identity verification information. In addition, the definition, assignment and dynamic update of custom identity variables are generally performed by an authorization client program in the operating system that is specifically responsible for custom variables. Specifically, a subdirectory is generated under the directory of the current operating system version (referred to as the specified directory) and serves as the custom variable directory; a file is generated under the custom variable directory and filled with content, where the file name is the same as the name of the custom variable and the file content is the value of that custom variable. The value of the custom variable can be modified dynamically by modifying the file content. It should be appreciated that a plurality of custom variables may be maintained under the custom variable directory, including custom identity variables such as a custom user name (e.g., denoted auth_u) and a custom password (e.g., denoted auth_p).
As an example, step 101 may be specifically performed by adding a username and password field for authentication to a configuration file of the target data repository, and then assigning a custom user name and a custom password, respectively.
In step 102, a first directory path is obtained.
The first directory path describes the location of the custom variable directory in the file system. A file system is the mechanism or structure that the operating system uses to manage and store file data; it defines how files are organized on the storage device, including file naming, organization, access rights, storage locations, and so forth. The file system is part of the operating system, is responsible for handling the creation, deletion, reading and writing of files, and provides for the organization and management of data. Since this directory path is obtained by the authorization management component, it is the complete directory path starting from the system root directory.
In step 103, the first directory path is corrected to remove the part of the first directory path corresponding to the second directory path, so as to obtain a corrected first directory path.
The second directory path describes the location of the specified directory in the file system. By removing the corresponding part of the first directory path, only the path of the custom variable directory within the specified directory is kept. As an example, if the first directory path is /ostree/deploy/fedora/deploy/1/etc/yum/vars/ and the second directory path is /ostree/deploy/fedora/deploy/1/, the corrected first directory path is /etc/yum/vars/.
In step 104, the value of the custom identity variable is read under the specified directory according to the corrected first directory path.
Because the corrected first directory path keeps only the path of the custom variable directory within the specified directory, the custom variable directory can be recognized by a tool (such as the YUM library) in the current operating system, and the custom identity variable can be read reliably.
As previously described, the custom variable directory described by the first directory path may store a plurality of custom variables, including custom identity variables. Taking custom identity variables that include the custom user name auth_u and the custom password auth_p as an example, step 104 may specifically read, according to the corrected first directory path, the contents of the files named auth_u and auth_p in the custom variable directory as the values of the corresponding custom identity variables.
In step 105, a target request is sent to the server side of the target data warehouse. The target request contains the value of the custom identity variable so that the server side can perform identity verification.
The value of the custom identity variable that was read is added to the target request as identity verification information and sent to the server side of the target data warehouse, so that the server side can verify whether the identity verification information in the target request is correct. The identity verification information is thus sent together with the target request, and no additional identity verification operation needs to be configured. This achieves effective and simple identity verification and ensures efficient implementation of authorization control.
As an example, the target request may be a request to install/upgrade software, which may be sent in the form of a message, where a custom identity variable value as authentication information may be added at a specified location in the message, for example in the header.
An authorization management method for an operating system according to an exemplary embodiment of the present disclosure is further described below.
Regarding how step 103 performs the correction operation, in some embodiments step 103 optionally includes: acquiring the second directory path; and deleting the part that overlaps the second directory path from the first directory path to obtain the corrected first directory path. The authorization management component is able to obtain a complete directory path starting from the system root directory. The first directory path can therefore be corrected by acquiring the directory path of the specified directory, namely the second directory path, and deleting the corresponding content from the first directory path. It should be appreciated that, since a directory path often includes symbols such as "/" for separating directory levels, the remaining part must be kept formally complete when the part that overlaps the second directory path is deleted, rather than simply deleting everything that overlaps the second directory path. Taking again the case where the first directory path is /ostree/deploy/fedora/deploy/1/etc/yum/vars/ and the second directory path is /ostree/deploy/fedora/deploy/1/, a "/" should be kept at the beginning of the corrected first directory path, so what is actually deleted is "/ostree/deploy/fedora/deploy/1".
Further optionally, deleting the part that overlaps the second directory path from the first directory path to obtain the corrected first directory path includes: counting the number of path levels contained in the second directory path; and deleting that number of leading path levels from the first directory path to obtain the corrected first directory path. Because the overlapping part is deleted by counting path levels and deleting the corresponding number of leading levels, the actual text of the second directory path does not need to be compared, which helps to further reduce the consumption of computing resources. Taking the first directory path and the second directory path above as examples, the number of path levels contained in the second directory path is counted as 5, so the first 5 levels of the first directory path are deleted.
Regarding how step 103 performs the correction operation, in other embodiments step 103 optionally includes: in the case where a default custom directory path exists (for example, /etc/yum/vars/), taking the default custom directory path as the corrected first directory path, wherein the result of concatenating the second directory path and the default custom directory path is the same as the first directory path. When a default custom directory path exists, concatenating the second directory path and the default custom directory path yields exactly the first directory path, so the corrected first directory path is necessarily the same as the default custom directory path. By directly using the default custom directory path as the corrected first directory path, a correction with the same effect is achieved without acquiring the second directory path, which substantially reduces the computing resources consumed by the correction operation.
With respect to the trigger condition for performing the correction of step 103, step 103 optionally includes: in the case where it is determined that the specified directory is not the system root directory, correcting the first directory path to remove the part corresponding to the second directory path, to obtain the corrected first directory path. For operating systems that use the hybrid image/package mechanism represented by rpm-ostree, the specified directory is usually not the system root directory, because authorization management is performed under a specific operating system version. For operating systems that use the package mechanism represented by RPM, the specified directory is usually the system root directory, i.e., no correction of the first directory path is required. Configuring the trigger condition that the specified directory is not the system root directory adds a safeguard that confirms in advance whether the correction operation needs to be performed, thereby reducing unnecessary correction operations and the corresponding consumption of computing resources.
Further optionally, step 103 further includes: in the case where it is determined that the specified directory is the system root directory, the first directory path is taken as the corrected first directory path. By fully utilizing the above-mentioned trigger condition, the first directory path is directly used as the modified first directory path under the condition that the trigger condition is not satisfied, that is, the modification operation is not executed, and the subsequent steps are continuously executed based on the first directory path to realize the authorization management and control, the authorization management and control method according to the exemplary embodiment of the present disclosure can be compatible with the hybrid image-software package mechanism and the software package mechanism at the same time, so that the authorization management and control method can be conveniently multiplexed in an operating system using different mechanisms.
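The correction variants described above, as an added example (not code from the patent or from rpm-ostree). It contrasts plain text deletion, the layer-count variant, and a variant that also compares the layers, and shows that layer counting alone accepts a first directory path that is not under the specified directory. Function names are hypothetical; the paths are those in the text plus one constructed sibling path.

```python
# Added example: hypothetical helper names, paths taken from the text.

FIRST = "/ostree/deploy/fedora/deploy/1/etc/yum/vars/"   # first directory path
SECOND = "/ostree/deploy/fedora/deploy/1/"               # second directory path
# Constructed path: a different deployment ("10") with the same layer count.
SIBLING = "/ostree/deploy/fedora/deploy/10/etc/yum/vars/"


def layers(path):
    """Directory levels of an absolute POSIX path, empty segments dropped."""
    return [seg for seg in path.split("/") if seg]


def _rebuild(segments, trailing_slash):
    """Re-join levels so the result keeps its leading '/' (formally complete)."""
    body = "/".join(segments)
    return "/" + body + ("/" if body and trailing_slash else "")


def naive_strip(first_path, second_path):
    """Deletes the whole overlapping text; the leading '/' is lost."""
    return first_path.replace(second_path, "", 1)


def correct_by_layer_count(first_path, second_path):
    """Layer-count variant: drop as many leading layers as second_path has.

    No text is compared, so the result is only meaningful when first_path
    really lies under second_path.
    """
    count = len(layers(second_path))
    if count == 0:                      # specified directory is the system root
        return first_path
    return _rebuild(layers(first_path)[count:], first_path.endswith("/"))


def correct_checked(first_path, second_path):
    """Same correction, but the leading layers must equal second_path."""
    first, second = layers(first_path), layers(second_path)
    if not second:                      # trigger condition not met: no correction
        return first_path
    if first[:len(second)] != second:
        raise ValueError(f"{first_path!r} is not under {second_path!r}")
    return _rebuild(first[len(second):], first_path.endswith("/"))


if __name__ == "__main__":
    print("naive      :", naive_strip(FIRST, SECOND))
    print("layer count:", correct_by_layer_count(FIRST, SECOND))
    print("checked    :", correct_checked(FIRST, SECOND))
    print("sibling, layer count:", correct_by_layer_count(SIBLING, SECOND))
    try:
        correct_checked(SIBLING, SECOND)
    except ValueError as exc:
        print("sibling, checked    :", exc)
```

Comparing whole layers rather than raw text also avoids treating "/ostree/deploy/fedora/deploy/1" as a prefix of the sibling "/ostree/deploy/fedora/deploy/10".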
With respect to the type of the target data repository, optionally, the target data repository includes at least one of: a software package repository and an operating system image repository. In an operating system using the package mechanism represented by RPM, the use of custom identity variables is mature, and the custom identity variables specifically belong to YUM custom variables, so the target data repository can support a software package repository, such as a YUM repository, which satisfies the management and control of basic package installation/upgrade behaviors. However, in an operating system using the hybrid image-package mechanism represented by rpm-ostree, the operating system version update behavior is not under control, with the result that, when the operating system has not been authorized and activated, an operating system version update can still be performed through the official OSTree repository address preset in the system. By further adding an operating system image repository, such as an OSTree repository, as a repository type supported by the target data repository, the custom identity variables of the conventional package mechanism can be extended to the management and control of operating system version update behavior, ensuring comprehensive management and control.
Next, an authorization management method of an operating system according to a specific embodiment of the present disclosure is described with reference to fig. 2.
In this particular embodiment, the operating system uses an rpm-ostree mechanism, so the entitlement management component is an rpm-ostree component, and the rpm-ostree component reads the value of the custom identity variable by calling the YUM library.
Before the rpm-ostree component performs the authorization management method, the authorized client program in the operating system needs to define the YUM custom variables auth_u and auth_p, i.e., YUM custom identity variables comprising a YUM custom username and a YUM custom password. Specifically, the /etc/yum/vars/ directory is generated under the current operating system version directory, files with the same names as the variables are generated under that directory, and the file contents are filled in; the file contents are used for HTTP Basic identity verification by the remote HTTP server where the managed YUM repository and the managed OSTree repository (namely the target data warehouse) are located.
The authorization management method is then performed by the rpm-ostree component.
Referring to fig. 2, in step 201, the username and password fields of the managed YUM repository are configured.
In this step, the managed YUM repository is preset, or manually configured by the user, under the /etc/yum.repos.d/ directory of the operating system: the username and password fields for HTTP Basic authentication are added and assigned the auth_u variable and the auth_p variable, respectively. When manually configured by a user, the rpm-ostree component may receive the user's configuration results.
In step 202, HTTP Basic authentication information is configured for the managed OSTree repository address URL (Uniform Resource Locator).
This step also adds the user name and password required for HTTP Basic authentication to the OSTree repository configuration URL using YUM custom variables auth_u and auth_p, either pre-set or manually configured by the user.
Steps 201 and 202 correspond to step 101 in fig. 1, and are respectively performed in a manner suitable for two different types of data warehouses, namely, a YUM warehouse and an OSTree warehouse.
In step 203, a YUM custom variable directory path, i.e., a first directory path, is obtained.
This step corresponds to step 102 in fig. 1.
In step 204, it is determined whether or not a non-system root directory is designated as the root directory of the package installation, and if so, the process goes to step 205, and if not, the process goes to step 208.
The package installation root directory is the current operating system version directory, i.e., the specified directory described above. This step corresponds to the correction operation trigger condition judgment of step 103 in fig. 1.
In step 205, the actual system path of the package installation root directory, i.e., the second directory path, is obtained.
In step 206, the number of YUM custom variable path layers that need to be removed, i.e., the number of path layers of the second directory path, is counted.
In step 207, the YUM custom variable directory path is revised based on the count.
Steps 205 to 207 correspond to the correction operation of step 103 in fig. 1.
In step 208, the actual variable values of the YUM custom variables auth_u and auth_p are read.
This step corresponds to step 104 in fig. 1. Specifically, all files under the YUM custom variable directory are read, with file names used as variable names and file contents as variable values; the contents of the files named auth_u and auth_p are the actual variable values of the YUM custom variables auth_u and auth_p.
In step 209, the YUM custom variables are replaced when resolving YUM repository configurations.
Specifically, the field values of the username and password fields configured for the YUM repository are obtained, and the YUM custom variables auth_u and auth_p in the field values are replaced with the actual variable values.
In step 210, an authentication header is added to the YUM repository request message.
Specifically, using the username and password field values configured for the YUM repository, an Authorization message header is added to all HTTP request messages sent to the remote HTTP server where the managed YUM repository is located.
In step 211, an authentication header is added to the OSTree repository request message.
Specifically, using the actual variable values of the YUM custom variables auth_u and auth_p, an Authorization message header is added to all HTTP request messages sent to the remote HTTP server where the managed OSTree repository is located.
Steps 209 to 211 correspond to step 105 in fig. 1. Steps 209 and 210 are directed to YUM repository-based software package installation/upgrade activities, and step 211 is directed to OSTree repository-based operating system version update activities.
After receiving the HTTP request message, the remote HTTP server performs HTTP Basic identity verification according to the Authorization message header, returns an HTTP response message with a status code of 200 and containing the request resource if verification is passed, and returns an HTTP response message with a status code of 401 and containing no request resource if verification is not passed.
In step 212, the response message is parsed, i.e., the HTTP response message returned from the remote HTTP server where the managed YUM repository and the managed OSTree repository are located is parsed.
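Steps 208 to 210 as an added example (not code from the patent, rpm-ostree or the YUM library): variable files are read from the corrected path under the specified directory, substituted into the repository's username and password fields, and turned into an HTTP Basic Authorization header. Assumptions: the `$name` / `${name}` reference syntax in the field values, the refusal of group- or world-accessible variable files and of non-HTTPS URLs, failing on an undefined variable, and all sample values (constructed).

```python
import base64
import re
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

_VAR = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def read_custom_vars(specified_dir, corrected_vars_path):
    """Step 208: file name -> variable name, file content -> variable value.

    The corrected path is resolved under the specified directory, which is
    why it must not still carry the specified directory's own prefix.
    """
    vars_dir = Path(specified_dir) / corrected_vars_path.lstrip("/")
    values = {}
    for entry in sorted(vars_dir.iterdir()):
        if not entry.is_file():
            continue
        # Added hardening (assumption): the files hold credentials, so reject
        # anything accessible to group or other users.
        if stat.S_IMODE(entry.stat().st_mode) & 0o077:
            raise PermissionError(f"{entry} is accessible to other users")
        values[entry.name] = entry.read_text(encoding="utf-8").strip()
    return values


def substitute(field_value, values):
    """Step 209: replace variable references in a repository field value."""
    def _replace(match):
        name = match.group(1) or match.group(2)
        if name not in values:
            # Fail closed instead of sending the literal "$auth_u" as a username.
            raise KeyError(f"undefined custom variable: {name}")
        return values[name]
    return _VAR.sub(_replace, field_value)


def basic_authorization(url, username, password):
    """Steps 210/211: build the Authorization header for one request."""
    # Basic credentials are only base64-encoded, so require TLS (assumption).
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send Basic credentials without TLS")
    if ":" in username:
        raise ValueError("a Basic user-id cannot contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return {"Authorization": "Basic " + token.decode("ascii")}


def demo():
    """Constructed deployment tree, repository fields and URL."""
    with tempfile.TemporaryDirectory() as specified_dir:
        vars_dir = Path(specified_dir, "etc/yum/vars")
        vars_dir.mkdir(parents=True)
        samples = (("auth_u", "client-0001\n"), ("auth_p", "s3cret-constructed\n"))
        for name, content in samples:
            var_file = vars_dir / name
            var_file.write_text(content, encoding="utf-8")
            var_file.chmod(0o600)
        values = read_custom_vars(specified_dir, "/etc/yum/vars/")
        repo_fields = {"username": "$auth_u", "password": "${auth_p}"}
        return basic_authorization(
            "https://repo.example.invalid/os/",
            substitute(repo_fields["username"], values),
            substitute(repo_fields["password"], values),
        )


if __name__ == "__main__":
    header = demo()
    # Never log the credential itself; show only the scheme.
    print("Authorization:", header["Authorization"].split()[0], "<redacted>")
```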
It should be noted that each time a software package installation/upgrade behavior or an operating system version update behavior is performed, the authorization management method according to the exemplary embodiment of the present disclosure needs to be performed to implement authorization management. It should be understood that the authorization management method is described here, by way of example, for the software package and the operating system together, in order to illustrate that the authorization management component is capable of performing authorization management of both the software package and the operating system. In practice, however, apart from steps 203 to 208 and step 212, which must be performed, the other steps may be selectively performed according to the object actually being managed. In other words, when only the software package needs to be managed, steps 201, 209, and 210 may be performed and steps 202 and 211 omitted; when only the operating system needs to be managed, steps 202 and 211 may be performed and steps 201, 209, and 210 omitted.
Furthermore, where reasonable, the order of execution of the specific steps described above is adjustable and optional. For example, step 201 need only be performed before step 209, step 202 is not necessarily performed before steps 203 to 208, and steps for YUM warehouse and OSTree warehouse may be performed in parallel, so that there is no dependency on the execution sequence of steps 201 and 202. As another example, step 203 must be performed regardless of the result of the determination of step 204, so in order to facilitate drawing of the flowchart, step 203 is arranged before step 204, but in practice step 203 need not be performed before step 204. In the case that the determination result of step 204 is yes, step 203 may be executed before step 207; in the case where the result of the determination in step 204 is negative, step 203 may be executed before step 208.
It should also be appreciated that both the software package and the operating system may need to be managed under the current os version directory, and if the os version update is performed, a new os version directory may be generated, and the installation/upgrade of the software package may be managed under the new directory. In particular, when a rollback to the old version of the operating system is required, operations are performed under the directory of the old version operating system.
Fig. 3 is a block diagram of an authorization management device of an operating system according to an exemplary embodiment of the present disclosure. Referring to fig. 3, the apparatus includes a setting unit 301, an acquisition unit 302, a correction unit 303, a reading unit 304, and a requesting unit 305.
The setting unit 301 may set the authentication information of the target data repository to a custom identity variable, where the custom identity variable is stored under a custom variable directory, and the custom variable directory is a subdirectory under a specified directory.
Optionally, the target data repository comprises at least one of: software package repository, operating system image repository.
The obtaining unit 302 may obtain a first directory path, where the first directory path is used to describe a location of a custom variable directory in a file system.
The correction unit 303 may correct the first directory path to remove a portion of the first directory path corresponding to a second directory path, where the second directory path is used to describe a location of the specified directory in the file system, to obtain a corrected first directory path.
Optionally, the correction unit 303 may further: acquire the second directory path; and delete the part that overlaps with the second directory path from the first directory path to obtain the corrected first directory path.
Optionally, the correction unit 303 may further: count the number of path layers contained in the second directory path; and delete the corresponding number of leading layers from the first directory path according to that number, to obtain the corrected first directory path.
Optionally, the correction unit 303 may further: in the case where a default custom directory path exists, take the default custom directory path as the corrected first directory path, wherein the result of splicing the second directory path and the default custom directory path is the same as the first directory path.
Optionally, the correction unit 303 may further correct the first directory path to remove a portion of the first directory path corresponding to the second directory path, to obtain a corrected first directory path, where it is determined that the specified directory is not the system root directory.
Alternatively, the correction unit 303 may further use the first directory path as the corrected first directory path in the case where it is determined that the specified directory is the system root directory.
The reading unit 304 may read the value of the custom identity variable under the specified directory according to the modified first directory path.
The request unit 305 may send a target request to the server of the target data repository, where the target request includes the value of the custom identity variable for the server to perform identity verification.
According to embodiments of the present disclosure, an electronic device may be provided. Fig. 4 is a block diagram of an electronic device 400 according to embodiments of the present disclosure. The electronic device 400 includes at least one memory 401, in which a set of computer-executable instructions 4011 and an operating system 4012 are stored, and at least one processor 402; when the set of computer-executable instructions 4011 is executed by the at least one processor 402, the authorization management method of the operating system according to embodiments of the present disclosure is performed.
By way of example, electronic device 400 may be a PC computer, tablet device, personal digital assistant, smart phone, or other device capable of executing the above-described set of instructions. Here, the electronic device 400 is not necessarily a single electronic device, but may be any apparatus or collection of circuits capable of executing the above-described instructions (or instruction sets) individually or in combination. The electronic device 400 may also be part of an integrated control system or system manager, or may be configured as a portable electronic device that interfaces locally or remotely (e.g., via wireless transmission).
In electronic device 400, processor 402 may include a Central Processing Unit (CPU), a Graphics Processor (GPU), a programmable logic device, a special purpose processor system, a microcontroller, or a microprocessor. By way of example, and not limitation, processor 402 may also include an analog processor, a digital processor, a microprocessor, a multi-core processor, a processor array, a network processor, and the like.
The processor 402 may execute instructions or code stored in a memory, wherein the memory 401 may also store data. The instructions and data may also be transmitted and received over a network via a network interface device, which may employ any known transmission protocol.
The memory 401 may be integrated with the processor 402, for example, RAM or flash memory is arranged within an integrated circuit microprocessor or the like. In addition, the memory 401 may include a separate device, such as an external disk drive, a storage array, or other storage device that may be used by any database system. The memory 401 and the processor 402 may be operatively coupled or may communicate with each other, for example, through an I/O port, a network connection, etc., such that the processor 402 is able to read files stored in the memory 401.
In addition, electronic device 400 may also include a video display (such as a liquid crystal display) and a user interaction interface (such as a keyboard, mouse, touch input device, etc.). All components of the electronic device may be connected to each other via a bus and/or a network.
According to an embodiment of the present disclosure, there may also be provided a computer-readable storage medium, wherein the instructions in the computer-readable storage medium, when executed by at least one processor, cause the at least one processor to perform the authorization management method of the operating system of the embodiments of the present disclosure. Examples of the computer-readable storage medium herein include: read-only memory (ROM), random-access programmable read-only memory (PROM), electrically erasable programmable read-only memory (EEPROM), random-access memory (RAM), dynamic random-access memory (DRAM), static random-access memory (SRAM), flash memory, nonvolatile memory, CD-ROM, CD-R, CD+R, CD-RW, CD+RW, DVD-ROM, DVD-R, DVD+R, DVD-RW, DVD+RW, DVD-RAM, BD-ROM, BD-R, BD-R LTH, BD-RE, Blu-ray or optical disk storage, hard disk drives (HDD), solid state disks (SSD), card-type memories (such as multimedia cards, Secure Digital (SD) cards or extreme digital (XD) cards), magnetic tapes, floppy disks, magneto-optical data storage devices, hard disks, solid state disks, and any other devices configured to store computer programs and any associated data, data files and data structures in a non-transitory manner and to provide the computer programs and any associated data, data files and data structures to a processor or computer to enable the processor or computer to execute the programs. The computer programs in the computer-readable storage media described above can be run in an environment deployed in a computer device, such as a client, host, proxy device, server, etc., and further, in one example, the computer programs and any associated data, data files, and data structures are distributed across networked computer systems such that the computer programs and any associated data, data files, and data structures are stored, accessed, and executed in a distributed fashion by one or more processors or computers.
According to an embodiment of the present disclosure, there is provided a computer program product comprising computer instructions which, when executed by a processor, implement a method of controlling authorization of an operating system of an embodiment of the present disclosure.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (11)

1. An authorization control method for an operating system, wherein the authorization control method comprises the following steps:
setting the identity verification information of a target data warehouse as a custom identity variable, wherein the custom identity variable is stored under a custom variable directory, and the custom variable directory is a subdirectory under a specified directory;
acquiring a first directory path, wherein the first directory path is used for describing the position of the custom variable directory in a file system;
correcting the first directory path to remove a part of the first directory path corresponding to a second directory path to obtain a corrected first directory path, wherein the second directory path is used for describing the position of the specified directory in a file system;
reading the value of the custom identity variable under the specified directory according to the corrected first directory path;
and sending a target request to a server side of the target data warehouse, wherein the target request comprises the value of the custom identity variable for the server side to execute identity verification.
2. The method of claim 1, wherein correcting the first directory path to remove a portion of the first directory path corresponding to a second directory path, to obtain a corrected first directory path, comprises:
acquiring the second directory path;
and deleting the part which is overlapped with the second directory path from the first directory path to obtain the corrected first directory path.
3. The method of authorization management as recited in claim 2, wherein said deleting the portion of the first directory path that overlaps with the second directory path to obtain the corrected first directory path comprises:
counting the number of path layers contained in the second directory path;
and deleting the corresponding number of leading layers from the first directory path according to the number of path layers to obtain the corrected first directory path.
4. The method of claim 1, wherein correcting the first directory path to remove a portion of the first directory path corresponding to a second directory path, to obtain a corrected first directory path, comprises:
in the case where a default custom directory path exists, taking the default custom directory path as the corrected first directory path, wherein the result of splicing the second directory path and the default custom directory path is the same as the first directory path.
5. The method of claim 1, wherein correcting the first directory path to remove a portion of the first directory path corresponding to a second directory path, to obtain a corrected first directory path, comprises:
in the case where it is determined that the specified directory is not the system root directory, correcting the first directory path to remove the part corresponding to the second directory path in the first directory path, and obtaining the corrected first directory path.
6. The method of claim 5, wherein correcting the first directory path to remove a portion of the first directory path corresponding to a second directory path, to obtain a corrected first directory path, further comprises:
in the case that the specified directory is determined to be the system root directory, taking the first directory path as the corrected first directory path.
7. An authorization management method according to any one of claims 1 to 6, wherein the target data repository comprises at least one of: software package repository, operating system image repository.
8. An authorization management device for an operating system, the authorization management device comprising:
a setting unit configured to set the identity verification information of the target data warehouse as a custom identity variable, wherein the custom identity variable is stored under a custom variable directory, and the custom variable directory is a subdirectory under a specified directory;
an obtaining unit configured to obtain a first directory path, wherein the first directory path is used for describing a position of the custom variable directory in a file system;
a correction unit configured to correct the first directory path to remove a portion of the first directory path corresponding to a second directory path, so as to obtain a corrected first directory path, where the second directory path is used for describing a location of the specified directory in a file system;
a reading unit configured to read the value of the custom identity variable under the specified directory according to the corrected first directory path;
and a request unit configured to send a target request to a server side of the target data warehouse, wherein the target request contains the value of the custom identity variable for the server side to execute identity verification.
9. An electronic device, comprising:
at least one processor;
at least one memory storing computer-executable instructions,
wherein the computer-executable instructions, when executed by the at least one processor, cause the at least one processor to perform the authorization management method of an operating system as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium, wherein instructions in the computer-readable storage medium, when executed by at least one processor, cause the at least one processor to perform the method of authorization management for an operating system according to any one of claims 1 to 7.
11. A computer program product comprising computer instructions which, when executed by at least one processor, cause the at least one processor to perform the authorization management method of an operating system as claimed in any one of claims 1 to 7.
CN202410893429.1A 2024-07-04 2024-07-04 Authorization control method and device for operating system, electronic equipment, storage medium and program product Active CN118427162B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410893429.1A CN118427162B (en) 2024-07-04 2024-07-04 Authorization control method and device for operating system, electronic equipment, storage medium and program product

Publications (2)

Publication Number Publication Date
CN118427162A true CN118427162A (en) 2024-08-02
CN118427162B CN118427162B (en) 2024-09-03

Family

ID=92321731

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410893429.1A Active CN118427162B (en) 2024-07-04 2024-07-04 Authorization control method and device for operating system, electronic equipment, storage medium and program product

Country Status (1)

Country Link
CN (1) CN118427162B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant