
CN106549976B - A user identity authentication method and system configuration method suitable for transparent computing systems - Google Patents


Info

Publication number: CN106549976B
Authority: CN (China)
Prior art keywords: user, operating system, client, server, authentication
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201611130519.7A
Other languages: Chinese (zh)
Other versions: CN106549976A (en)
Inventors: 郑瑾, 李俊, 张尧学, 胡小龙, 张祖平
Current Assignee: Central South University (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Central South University
Events: application filed by Central South University; priority to CN201611130519.7A; publication of CN106549976A; application granted; publication of CN106549976B


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102: Entity profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a user identity authentication method and a system configuration method suitable for transparent computing systems. In the authentication method, when a user powers on and logs in, the client sends login request information to the authentication server; the authentication server queries its back-end database, obtains the list of operating systems the user is permitted to boot, and sends it to the client. The user selects an operating system and issues a remote loading request to the storage server. The storage server authenticates the client's user name and password; once that check passes, it reads the configuration file of the user's operating system image and decides whether authentication succeeds based on the client's IP and the IP setting of the operating system image to be booted. The system configuration method is used to configure a transparent computing system that uses this user identity authentication method. The invention implements user permission management, can provide some personalized services, and improves the user experience.

Description

A User Identity Authentication Method and System Configuration Method Suitable for Transparent Computing Systems

Technical field

The invention relates to the field of transparent computing systems, and in particular to a user identity authentication method suitable for transparent computing systems and to a configuration method for a transparent computing system that uses this user identity authentication method.

Background

Transparent computing is a computing model in which users do not need to be aware of where the operating system, middleware, applications and communication network actually reside. According to their own needs, they simply select and use the corresponding services (such as computing, telephony, television, Internet access and entertainment) over the network from whichever client they need (including fixed clients, mobile clients and the various clients in the home). A transparent computing system has the following main characteristics:

I. Separation of storage and computing. A transparent computing system is divided into two parts, client and server. The client used by the user needs no operating system or application software installed in advance; all software resources are stored centrally on the server. When a user accesses the transparent computing server, software resources are loaded on demand and executed and computed locally.

II. Cross-terminal, cross-operating-system platform support. Users can access the transparent computing server from any terminal to obtain the services they need and can choose the operating system platform as required. On the client side, no installation or configuration is needed before use, or it is kept to a minimum, to improve the user experience.

III. Instructions and data are transferred between client and server as streamed blocks. When the client loads an operating system remotely, it does not download the whole operating system to run locally. Instead, the data stored on the server is divided into blocks of equal size, the client downloads only the blocks it needs, and all blocks are transferred as a data stream.

However, identity authentication in transparent computing currently has the following shortcomings:

(1) Traditional static-password authentication, which identifies the user by user name and password alone, no longer suits the new transparent computing model. Transparent computing delivers the operating system to users as a service, and the storage server that stores the operating system images is separate from the authentication server that manages user permissions. Verifying at only one of them cannot guarantee the security of user data: an illegitimate user who knows the address of an operating system image can bypass the authentication server and boot the image directly from the storage server, causing security problems such as leakage of user data.

(2) Newer authentication technologies such as SMS passwords and dynamic passwords can only be completed with the assistance of a third party. This approach inevitably shares the user's personal information with that third party, which users do not want.

(3) Transparent computing plays an increasingly important role in fields such as healthcare and education, and these fields share a common feature: intranet IP addresses are assigned statically. Compared with dynamic assignment, static assignment has the advantages that intranet users' IPs do not conflict, faults are easy to locate, and a dedicated network administrator is responsible for IP management. Transparent computing systems, however, still obtain IPs dynamically, so while an end user is running an operating system instance the user's identity cannot be determined in real time, which hinders fault location and troubleshooting.

Summary of the invention

The purpose of the invention is to provide a user identity authentication method suitable for transparent computing systems, and a configuration method for a transparent computing system that uses it, in order to solve the technical problems that the single identity authentication currently used in transparent computing easily leads to user data leakage, requires third-party assistance, and cannot identify users in real time.

To achieve this purpose, the invention provides a user identity authentication method suitable for transparent computing systems, in which the following authentication steps are performed when the user powers on and logs in:

S1: The client obtains its IP statically; the DHCP server assigns the IP statically according to a configuration file that binds MAC addresses to IPs;

S2: The client sends login request information to the authentication server; the login request information includes the authentication server address, the user name and the password;

S3: The authentication server queries the back-end database, obtains the list of operating systems the user is permitted to boot, writes it into text information and sends it to the client; the text information includes a user identifier, the number of operating systems and the operating system names;

S4: Through the client, the user selects the operating system to load remotely and issues a remote loading request to the storage server; the loading request information contains the user name, the password, the storage server address and the unique identifier of the remote operating system image;

S5: The storage server authenticates the user name and password from the client that issued the remote loading request. After this authentication passes, it reads the configuration file of the user's operating system image and confirms whether the client's IP matches the IP setting of the operating system image to be booted; if it matches, user identity authentication is deemed successful.

As a further improvement of the user identity authentication method of the invention:

In steps S2 and S3, the client and the authentication server communicate over the HTTP protocol; in steps S4 and S5, the client and the storage server communicate over the iSCSI protocol.

As one overall technical concept, the invention also provides a system configuration method for a transparent computing system that uses the above user identity authentication method, comprising the following steps:

1) Add network configuration and user identity authentication policy code to the source code of the network bootstrap program (NBP), and recompile to generate the NBP boot program;

2) Erase the master boot record (MBR) used in BIOS mode on the client's hard disk, and replace the original MBR with the compiled NBP boot program;

3) Configure the MySQL and Tomcat services of the authentication server, and deploy the identity authentication back-end program on Tomcat;

4) Configure the iSCSI service of the storage server: bind each user operating system image to a user name and password, modify the access permissions of the operating system image, and set the IP addresses that are allowed to access it;

5) Modify the configuration file of the DHCP server to assign IPs statically, binding the physical (MAC) address of each client of the transparent computing system to an IP;

6) Build the user operating system images to be loaded remotely, modify the network configuration file of each operating system kernel, and store the finished images at the location specified in the iSCSI configuration file.

The invention has the following beneficial effects:

1. The user identity authentication method of the invention combines the MAC address of the user's client, the IP address and the user's identity. To obtain service, the user must authenticate several times, to both the authentication server and the storage server. The authentication server is responsible for managing user permissions; the storage server not only stores the user operating system images but also authenticates the user in two ways, by user identity and by IP-address-based authorization. This enhances the security and reliability of the transparent computing system, and for enterprise intranet users such as hospitals and schools it makes faults in the operating system running on a client easier to investigate and locate. In addition, the Web authentication server of the transparent computing system implements user permission management, so the system can not only provide a uniform service to all users but also offer some personalized services to users with different permissions (for example, each user has a different list of bootable operating systems), improving the user experience.

2. The system configuration method of the invention, for a transparent computing system using the above user identity authentication method, is simple to configure and easy to implement; the user authentication policy is modular, which reduces the difficulty of porting and widens the scope of application.

Besides the purposes, features and advantages described above, the invention has other purposes, features and advantages. The invention is described in further detail below with reference to the drawings.

Description of the drawings

The drawings, which form part of this application, provide a further understanding of the invention. The illustrative embodiments of the invention and their descriptions serve to explain the invention and do not unduly limit it. In the drawings:

Fig. 1 is a block diagram of the overall structure of the transparent computing system of preferred embodiment 1 of the invention;

Fig. 2 is a flow diagram of the user identity authentication method suitable for transparent computing systems of preferred embodiment 1 of the invention;

Fig. 3 is a diagram of the data format of the login request information sent by the client to the authentication server in preferred embodiment 1 of the invention;

Fig. 4 is a diagram of the data format of the text information with which the authentication server responds to the client in preferred embodiment 1 of the invention;

Fig. 5 is a flow diagram of the user identity authentication method suitable for transparent computing systems of preferred embodiment 2 of the invention;

Fig. 6 is a flow chart of the system configuration method of preferred embodiment 3 of the invention, for a transparent computing system that uses the user identity authentication method of the invention.

Detailed description

Embodiments of the invention are described in detail below with reference to the drawings, but the invention can be implemented in many different ways as defined and covered by the claims.

Embodiment 1:

Fig. 1 shows the overall block diagram of the transparent computing system of this embodiment. The client hardware platform is an x86 tablet whose hard disk has been flashed in advance with the network bootstrap program NBP (a network boot program written on the basis of an open-source project). The server side has two parts: the authentication server (the Web authentication server), which manages user permission information, and the storage server, which stores the user operating system images. The storage server must be configured with the iSCSI and DHCP services, and the Web authentication server with the MySQL and Tomcat services (see embodiment 3).

Referring to Fig. 2, the user identity authentication method of this embodiment, suitable for transparent computing systems, comprises the following steps:

S201: The client powers on for login and first performs network configuration, obtaining its IP address statically; the DHCP server assigns the IP statically according to the configuration file that binds MAC addresses to IPs.

S202: The client sends login request information to the authentication server: the terminal's boot program assembles the Web authentication server's URL, the user name and the password into the login request information (its data format is shown in Fig. 3) and sends it over HTTP to the Web authentication server for authentication.

S203: Using the received client user name and password, the Web authentication server queries the back-end MySQL database and obtains the user's operating system permission list.

S204: The Web authentication server program writes the query result, which contains the user's permission information (that is, which operating systems the user may load remotely), into text information in the data format shown in Fig. 4. The text information comprises the user identifier (Access field), the number of operating systems (Count field), the operating system names (OS_name field) and a terminator (Flag field), and is sent to the client over HTTP.

S205: The client locates in memory the text data returned by the Web authentication server and parses out the user permission information: the user identifier (Access field), the number of operating systems (Count field), the operating system names (OS_name field) and so on.

S206: The user permission information (the list of selectable operating systems) is displayed on the client's screen for the user to choose from. According to the operating system the user chooses to boot, the client issues a remote loading request to the storage server, that is, it sends loading request information containing the user name, the password, the storage server address and the unique identifier of the remote operating system image. The authentication server is responsible for user permission management (whether the user exists in the database, and which operating systems are available to that user for remote loading); the storage server also has a user name and password configured in its configuration file for each operating system image, used for user-based verification on the storage server side. In this step a response must be returned whether or not the user exists. The user identifier indicates whether the user exists; a user who does not exist cannot proceed to the subsequent authentication. A user who exists has at least one system to choose from, and the name of that system is returned to the client for display.

S207: The storage server authenticates the user name and password of the client that issued the remote loading request.

S208: For a request whose user name and password have been authenticated, the storage server consults the access-permission configuration file and verifies whether the IP address of the requesting client is allowed to load that operating system image.

S209: Once IP address authentication passes, the terminal loads the remote operating system on demand and runs it locally; data is transferred as streamed blocks.

With static IP assignment, the DHCP server binds MAC to IP, while the storage server is configured with a user name/password and an IP restriction, so the three are indirectly linked. The client requests its statically assigned IP from the DHCP server using its MAC address, so the storage server's configuration file must agree with the DHCP server's configuration file. The client holds the user name/password and the MAC address, the DHCP server holds the MAC address and the IP address, and the storage server holds the user name/password and the IP address; these three configurations must be consistent, otherwise authentication cannot succeed. Because MAC-to-IP binding is the static assignment mode provided by DHCP, the invention mainly builds on IP authorization and thereby brings the MAC address into the scheme.

Embodiment 2:

Referring to Fig. 5, the user identity authentication method of this embodiment, suitable for transparent computing systems, comprises the following steps:

When the user powers on and logs in, the following authentication steps are performed:

S1: The client sends a login request information packet to the authentication server; the login request information (see Fig. 3) includes the authentication server address, the user name and the password.

S2: The authentication server queries the back-end database, obtains the list of operating systems the user is permitted to boot, writes it into text information and sends it to the client; the text information (see Fig. 4) includes the user identifier, the number of operating systems, the operating system names and a terminator.

S3: Through the client, the user selects the operating system to load remotely and issues a remote loading request to the storage server; the loading request information contains the user name, the password, the storage server address and the unique identifier of the remote operating system image.

S4: The storage server authenticates the user name and password from the client that issued the remote loading request. After this authentication passes, it reads the configuration file of the user's operating system image and confirms whether the client's IP matches the IP setting of the operating system image to be booted; if it matches, user identity authentication is deemed successful.

After user identity authentication succeeds, the operating system image instance is loaded remotely onto the client to run, and the current user is marked as online.

In summary, the user identity authentication method of the invention no longer relies on user name and password alone. It binds the user's operating system image to the IP address of the client the user uses and assigns IPs statically, so an operating system image instance can be loaded remotely and run locally only when the IP address, the MAC address and the user name/password are all correct. This enhances the security and reliability of the transparent computing system, and for enterprise intranet users such as hospitals and schools it makes faults in the operating system running on a client easier to investigate and locate.

In addition, the Web authentication server of the transparent computing system implements user permission management, so the system can not only provide a uniform service to all users but also offer some personalized services to users with different permissions (for example, each user has a different list of bootable operating systems), improving the user experience.

Embodiment 3:

Referring to Fig. 6, the system configuration method for a transparent computing system that uses the user identity authentication method of embodiment 1 or embodiment 2 comprises the following steps:

1) Add network configuration and user identity authentication policy code to the source code of the boot program NBP, and recompile to generate the NBP boot program;

2) Erase the master boot record (MBR) used in BIOS mode on the client's hard disk, and write the compiled NBP boot program to the location of the original MBR;

3) Configure the MySQL and Tomcat services of the authentication server, and deploy the identity authentication back-end program on the Tomcat of the Web authentication server;

4) Configure the iSCSI service of the storage server: bind each user operating system image to a user name and password, modify the access permissions of the operating system image, and set the IP addresses that are allowed to access it;

5) Modify the configuration file of the DHCP server to assign IPs statically, binding the physical (MAC) address of each client of the transparent computing system to an IP;

6) Build the user operating system images to be loaded remotely, modify the network configuration file of each operating system kernel, and store the finished images at the location specified in the iSCSI configuration file.
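
Added example (not part of the patent): a sketch of the storage-server decision in S207/S208 of embodiment 1, together with an audit of the consistency that configuration steps 4) and 5) must maintain between the image settings and the DHCP bindings. It assumes ISC dhcpd for the static MAC/IP bindings and tgt's targets.conf for the iSCSI images, neither of which the patent names; all host names, IQNs, addresses and secrets are constructed sample values.

```python
import hmac
import re

# Constructed sample configuration (not from the patent). Assumed software:
# ISC dhcpd for static MAC/IP bindings, tgt targets.conf for the iSCSI images.
DHCPD_CONF = """
host tablet-01 { hardware ethernet 00:16:3E:AA:00:01; fixed-address 192.168.10.21; }
host tablet-02 { hardware ethernet 00:16:3E:AA:00:02; fixed-address 192.168.10.22; }
"""

TARGETS_CONF = """
<target iqn.2016-12.example.tc:win7-alice>
    backing-store /srv/images/win7-alice.img
    incominguser alice alice-sample-secret
    initiator-address 192.168.10.21
</target>
<target iqn.2016-12.example.tc:ubuntu-bob>
    backing-store /srv/images/ubuntu-bob.img
    incominguser bob bob-sample-secret
    initiator-address 192.168.10.99
</target>
<target iqn.2016-12.example.tc:legacy>
    backing-store /srv/images/legacy.img
</target>
"""


def parse_dhcp_bindings(text):
    """Return {ip: mac} for every dhcpd host block that fixes an address."""
    bindings = {}
    for body in re.findall(r"host\s+\S+\s*\{([^}]*)\}", text):
        mac = re.search(r"hardware\s+ethernet\s+([0-9A-Fa-f:]{17})\s*;", body)
        ip = re.search(r"fixed-address\s+([0-9.]+)\s*;", body)
        if mac and ip:
            bindings[ip.group(1)] = mac.group(1).lower()
    return bindings


def parse_targets(text):
    """Return {image_id: {"users": {name: secret}, "ips": [allowed IPs]}}."""
    targets = {}
    for name, body in re.findall(r"<target\s+([^>\s]+)>(.*?)</target>", text, re.S):
        users = dict(re.findall(r"^\s*incominguser\s+(\S+)\s+(\S+)", body, re.M))
        ips = re.findall(r"^\s*initiator-address\s+(\S+)", body, re.M)
        targets[name] = {"users": users, "ips": ips}
    return targets


def audit(targets, bindings):
    """Flag images whose settings break the user / IP / MAC chain."""
    findings = []
    for name, cfg in sorted(targets.items()):
        if not cfg["users"]:
            findings.append((name, "no user name and password bound to the image"))
        if not cfg["ips"]:
            findings.append((name, "no IP restriction on the image"))
        for ip in cfg["ips"]:
            if ip not in bindings:
                findings.append((name, "allowed IP %s has no static MAC binding" % ip))
    return findings


def authorize_load(targets, image_id, username, password, client_ip):
    """Decision of S207/S208: credentials first, then the client IP.

    Simplification: the secret is compared directly; an iSCSI target would
    normally verify it through a CHAP exchange instead.
    """
    cfg = targets.get(image_id)
    if cfg is None:
        return False, "unknown image"
    expected = cfg["users"].get(username)
    # Deny by default when the image has no bound user; constant-time compare.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return False, "user name or password rejected"
    if client_ip not in cfg["ips"]:
        return False, "client IP not allowed for this image"
    return True, "ok"


if __name__ == "__main__":
    bindings = parse_dhcp_bindings(DHCPD_CONF)
    targets = parse_targets(TARGETS_CONF)
    for image, problem in audit(targets, bindings):
        print(image, "->", problem)
    alice = "iqn.2016-12.example.tc:win7-alice"
    # Right credentials from the bound tablet, then from another tablet.
    print(authorize_load(targets, alice, "alice", "alice-sample-secret", "192.168.10.21"))
    print(authorize_load(targets, alice, "alice", "alice-sample-secret", "192.168.10.22"))
```

The image with no bound user and no IP restriction is the case the background section warns about: anyone who knows its address could load it without passing either check.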

The above system configuration method is simple to configure and easy to implement; modularizing the user authentication policy reduces the difficulty of porting and widens the scope of application.

The above are only preferred embodiments of the invention and are not intended to limit it; to those skilled in the art, the invention may have various modifications and changes. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (3)

1. A user identity authentication method suitable for a transparent computing system, characterized in that, when a user powers on and logs in, the following authentication steps are executed:
S1: the client obtains its IP address statically; the DHCP server allocates the IP statically according to a configuration file that binds MAC address to IP;
S2: the client sends login request information to the authentication server, the login request information comprising the authentication server address, the user name and the password;
S3: the authentication server queries the back-end database, obtains the list of operating systems the user is permitted to boot, writes it into text information and sends it to the client, the text information comprising a user identifier, the number of operating systems and the operating system names;
S4: the user selects, through the client, the operating system to be remotely loaded and initiates a remote load request to the storage server, the load request information comprising the user name, the password, the storage server address and the unique identifier of the remote operating system image;
S5: the storage server authenticates the user name and password from the client that initiated the remote load request; after authentication passes, it checks the configuration file of the user operating system image and confirms whether the client IP is consistent with the IP setting of the operating system image to be started; if it is consistent, user identity authentication is determined to be successful.
2. The user identity authentication method suitable for a transparent computing system according to claim 1, characterized in that, in steps S2 and S3, the client communicates with the authentication server using the HTTP protocol; and in steps S4 and S5, the client communicates with the storage server using the iSCSI protocol.
3. A system configuration method for a transparent computing system that uses the user identity authentication method suitable for a transparent computing system according to claim 1 or 2, characterized by comprising the following steps:
1) add network configuration and user identity authentication policy code to the source code of the network bootstrap program (NBP), and recompile to generate the NBP bootstrap program;
2) erase the master boot record (MBR) used in BIOS mode on the client's hard disk, and replace the original MBR with the compiled NBP bootstrap program;
3) configure the MySQL and Tomcat services of the authentication server, and deploy the identity authentication back-end program on Tomcat;
4) configure the iSCSI service of the storage server, bind each user operating system image to a user name and password, modify the access permissions of the operating system image, and set the IP address that is allowed to access it;
5) modify the configuration file of the DHCP server so that IP addresses are assigned statically, binding the physical address of each client that uses the transparent computing system to an IP address;
6) create the remotely loaded user operating system images, modify the network configuration file of each operating system kernel, and store the finished operating system images at the location specified in the iSCSI configuration file.
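The storage-server decision in step S5 of claim 1, as an added Python example that is not part of the patent. The record layout, the names `IMAGES` and `authorize_load`, the salted PBKDF2 password storage and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress


def derive(password, salt):
    # Assumption: the storage server keeps salted PBKDF2 hashes, not plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample records: one per OS image, keyed by the image's unique identifier.
# Each binds the image to a user (configuration step 4) and to the one client IP that
# the DHCP server hands to that user's machine (configuration step 5).
IMAGES = {
    "img-0001": {"user": "alice", "salt": b"salt-a", "pw": derive("alice-pass", b"salt-a"),
                 "allowed_ip": "192.168.10.21"},
    "img-0002": {"user": "bob", "salt": b"salt-b", "pw": derive("bob-pass", b"salt-b"),
                 "allowed_ip": "192.168.10.22"},
}


def authorize_load(request, peer_ip):
    """Step S5. peer_ip is the address seen on the connection, never a request field.

    Returns (allowed, reason); the reason is for the server log, not for the client.
    """
    image = IMAGES.get(request.get("image_id"))
    if image is None:
        return False, "unknown image"
    # 1) Credentials, compared in constant time against the record bound to this image.
    user_ok = hmac.compare_digest(request.get("user", "").encode(), image["user"].encode())
    pw_ok = hmac.compare_digest(derive(request.get("password", ""), image["salt"]), image["pw"])
    if not (user_ok and pw_ok):
        return False, "bad credentials"
    # 2) Only after authentication passes: compare the client IP with the image's setting.
    try:
        same_ip = ipaddress.ip_address(peer_ip) == ipaddress.ip_address(image["allowed_ip"])
    except ValueError:
        return False, "malformed client address"
    if not same_ip:
        return False, "client IP does not match image binding"
    return True, "ok"


if __name__ == "__main__":
    req = {"user": "alice", "password": "alice-pass", "image_id": "img-0001"}
    print(authorize_load(req, "192.168.10.21"))  # right user, right machine
    print(authorize_load(req, "192.168.10.22"))  # right user, wrong machine
```

Because the IP comparison is the second factor here, it is only as trustworthy as the static MAC-to-IP binding on the DHCP server from step S1.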
CN201611130519.7A 2016-12-09 2016-12-09 A user identity authentication method and system configuration method suitable for transparent computing systems Active CN106549976B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611130519.7A CN106549976B (en) 2016-12-09 2016-12-09 A user identity authentication method and system configuration method suitable for transparent computing systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611130519.7A CN106549976B (en) 2016-12-09 2016-12-09 A user identity authentication method and system configuration method suitable for transparent computing systems

Publications (2)

Publication Number Publication Date
CN106549976A CN106549976A (en) 2017-03-29
CN106549976B true CN106549976B (en) 2019-11-12

Family

ID=58397200

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611130519.7A Active CN106549976B (en) 2016-12-09 2016-12-09 A user identity authentication method and system configuration method suitable for transparent computing systems

Country Status (1)

Country Link
CN (1) CN106549976B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107197373A (en) * 2017-06-06 2017-09-22 深圳前海茂佳软件科技有限公司 TV access right management method, TV and computer-readable recording medium
CN107528918A (en) * 2017-09-15 2017-12-29 湖南新云网科技有限公司 Application program for mobile terminal management method and system based on lucidification disposal
CN107707656A (en) * 2017-10-10 2018-02-16 李梓彤 The remote loading method and system of operating system
CN110032414B (en) * 2019-03-06 2023-06-06 联想企业解决方案(新加坡)有限公司 Apparatus and method for secure user authentication in remote console mode
CN111291429B (en) * 2020-01-21 2023-04-25 李岗 Data protection method and system
CN115469878B (en) * 2022-09-13 2023-11-24 上海掌御信息科技有限公司 A Android code diversity compilation method
CN118449855B (en) * 2024-07-04 2024-12-20 荣耀终端有限公司 Network configuration method and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1670698A (en) * 2005-04-06 2005-09-21 清华大学 Computing device and method based on transparent computing
CN102610012A (en) * 2012-02-14 2012-07-25 中国民航信息网络股份有限公司 Common platform system and method of electronic boarding card
CN102664958A (en) * 2012-04-27 2012-09-12 中山大学 Transparent computing system
CN104166586A (en) * 2014-09-04 2014-11-26 中南大学 Transparent computing method and transparent computing system based on virtualization technology
CN104363207A (en) * 2014-10-29 2015-02-18 北京成众志科技有限公司 Multi-factor security enhancement authorization and authentication method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
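A customizable boot protocol for network computing; Zhou Yuezhi; Journal of Software; 20031231; full text *
Assigning static IP addresses using a DHCP server; Liu Xinxiang; Journal of Luoyang Normal University; 20050531; Section 4 *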

Also Published As

Publication number Publication date
CN106549976A (en) 2017-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant