CN111541654A - User management method, device and computer equipment based on multi-tenant cloud management platform - Google Patents
User management method, device and computer equipment based on multi-tenant cloud management platform
- Publication number: CN111541654A (application CN202010269726.0A)
- Authority: CN (China)
- Prior art keywords: user, special domain, management platform, tenant cloud, cloud management
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/10: ... for controlling access to devices or network resources
- H04L63/104: Grouping of entities
- H04L67/00: Network arrangements or protocols for supporting network services or applications
- H04L67/01: Protocols
- H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
Description
Technical field
The present invention relates to the technical field of cloud management platforms, and in particular to a user management method, device and computer equipment based on a multi-tenant cloud management platform.
Background
With the rapid development of cloud applications, applications based on multi-tenant clouds are becoming increasingly widespread. The key to implementing multi-tenancy lies in application context isolation and data isolation between tenants, so that tenants' access to resources does not interfere with one another and data confidentiality remains high. The most widely used multi-tenant model is full sharing through a relational database, that is, different tenants share the same database and the same namespace. Data of different tenants coexists in the same set of tables and is tagged and accessed by tenant id (the application must adjust the SQL that accesses the data to include the tenant id). A relational database stores data in two-dimensional tables. Because the data structure is simple and clear, the access path is transparent to users, and it offers high data independence and good security and confidentiality, the relational database has been widely adopted.
At present, in a multi-tenant cloud management platform, the hierarchical department structure of tenants has become rich. Because the expressive power of the two-dimensional table structure is relatively poor, storing large amounts of unstructured data makes the system inflexible and poorly adaptable. If the multi-tenant cloud needs to integrate third-party users, how to let third-party users manage the resources of the multi-tenant cloud management platform without re-creating the users in the platform is a problem that urgently needs to be solved. Because of poor efficiency for some applications and other reasons, relational databases cannot meet real-time requirements and are not suited to many special applications. At the same time, relational databases are also commonly exposed to SQL injection attacks.
Summary of the invention
The purpose of the present invention is to solve, at least to some extent, one of the technical problems described above.
To this end, the first object of the present invention is to propose a user management method based on a multi-tenant cloud management platform, which allows third-party users to manage the resources of the multi-tenant cloud management platform without re-creating users, improves management efficiency, meets real-time requirements, and is highly adaptable.
The second object of the present invention is to propose a user management device based on a multi-tenant cloud management platform.
The third object of the present invention is to propose a computer device.
The fourth object of the present invention is to propose a non-transitory computer-readable storage medium.
To achieve the above objects, an embodiment of the first aspect of the present invention proposes a user management method based on a multi-tenant cloud management platform, the method comprising:
receiving a login request from a user, where the login request carries identity information, and the identity information indicates whether the user is a local-domain user or a special-domain user;
determining, according to the identity information, whether the user is the special-domain user;
if the user is the special-domain user, performing login verification of the user using the special-domain server.
Optionally, the method further includes:
if the user is the local-domain user, performing login verification of the user directly on the multi-tenant cloud management platform.
Optionally, the method further includes:
configuring special-domain user information in the multi-tenant cloud management platform.
Optionally, configuring the special-domain user information includes:
configuring parameters of the special-domain server, the parameters including the uniform resource locator (URL) of the special-domain server, the name and password of the special-domain user, and the distinguished name (DN) of the special-domain user;
synchronizing the special-domain user to the multi-tenant cloud management platform according to the parameters.
Optionally, the method further includes:
generating role information of the special-domain user in the multi-tenant cloud management platform.
Optionally, the special domain is a Lightweight Directory Access Protocol (LDAP) domain.
The user management method of the multi-tenant cloud management platform according to the embodiment of the present invention receives the user's login request, determines from the identity information whether the user is the special-domain user, and, if so, performs login verification of the user using the special-domain server. Third-party users can thus manage the resources of the multi-tenant cloud management platform without being re-created, which improves management efficiency, meets real-time requirements, and is highly adaptable.
To achieve the above objects, an embodiment of the second aspect of the present invention proposes a user management device for a multi-tenant cloud management platform, comprising:
a receiving module, configured to receive a login request from a user, where the login request carries identity information, and the identity information indicates whether the user is a local-domain user or a special-domain user;
a judging module, configured to determine, according to the identity information, whether the user is a special-domain user;
a verification module, configured to perform login verification of the user using the special-domain server when the user is the special-domain user.
Optionally, the verification module is further configured to:
if the user is the local-domain user, perform login verification of the user directly on the multi-tenant cloud management platform.
Optionally, the device further includes:
a configuration module, configured to configure special-domain user information in the multi-tenant cloud management platform.
Optionally, the configuration module is configured to:
configure parameters of the special-domain server, the parameters including the uniform resource locator (URL) of the special-domain server, the name and password of the special-domain user, and the distinguished name (DN) of the special-domain user;
synchronize the special-domain user to the multi-tenant cloud management platform according to the parameters.
Optionally, the configuration module is further configured to:
generate role information of the special-domain user in the multi-tenant cloud management platform.
Optionally, the special domain is a Lightweight Directory Access Protocol (LDAP) domain.
The user management device based on the multi-tenant cloud management platform according to the embodiment of the present invention receives the user's login request, determines from the identity information whether the user is the special-domain user, and, if so, performs login verification of the user using the special-domain server. Third-party users can thus manage the resources of the multi-tenant cloud management platform without being re-created, which improves management efficiency, meets real-time requirements, and is highly adaptable.
To achieve the above objects, an embodiment of the third aspect of the present invention proposes a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the computer program, the user management method based on the multi-tenant cloud management platform according to the embodiment of the first aspect is implemented.
To achieve the above objects, an embodiment of the fourth aspect of the present invention further proposes a non-transitory computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the user management method based on the multi-tenant cloud management platform according to the embodiment of the first aspect is implemented.
Additional aspects and advantages of the present invention will be given in part in the following description, will in part become apparent from that description, or may be learned by practice of the invention.
Description of drawings
The accompanying drawings, which form a part of the present invention, are provided to give a further understanding of the invention; the exemplary embodiments of the invention and their descriptions serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flowchart of a user management method based on a multi-tenant cloud management platform according to an embodiment of the present invention;
Fig. 2 is a flowchart of a user management method based on a multi-tenant cloud management platform according to another embodiment of the present invention;
Fig. 3 is a flowchart of a user management method based on a multi-tenant cloud management platform according to yet another embodiment of the present invention;
Fig. 4 is a flowchart of a user management method based on a multi-tenant cloud management platform according to still another embodiment of the present invention;
Fig. 5 is a flowchart of a user management method of a multi-tenant cloud management platform according to a specific embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a user management device of a multi-tenant cloud management platform according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a user management device of a multi-tenant cloud management platform according to another embodiment of the present invention.
Detailed description
It should be noted that, provided there is no conflict, the embodiments of the present invention and the features of the embodiments may be combined with one another. The present invention will be described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
The present invention is further described in detail below with reference to specific embodiments, which should not be construed as limiting the scope of protection claimed for the invention.
The following describes the user management method, device and computer equipment based on the multi-tenant cloud management platform according to embodiments of the present invention with reference to the accompanying drawings.
Fig. 1 is a flowchart of a user management method based on a multi-tenant cloud management platform according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
S1: receive a login request from a user.
The login request carries identity information, which indicates whether the identity of the user sending the login request is a local-domain user or a special-domain user. Local-domain users and special-domain users are verified at login in different ways.
S2: determine from the login request whether the user is a special-domain user.
Here the special domain is a Lightweight Directory Access Protocol (LDAP) domain. LDAP is the abbreviation of Lightweight Directory Access Protocol and takes the form of an information directory. LDAP is a specialized distributed database optimized for querying, browsing and searching; it organizes data in a tree structure, which is better suited to storing richly hierarchical data.
S3: if the user is a special-domain user, perform login verification of the user using the special-domain server.
In one embodiment of the present invention, special-domain users are LDAP domain users, that is, users of a third-party platform. Multi-tenant user information is stored both in a relational database and in the tree structure characteristic of an LDAP domain, so that the multi-tenant cloud management platform can both create its own users and synchronize third-party platform users to manage the cloud management platform. The security mechanisms of the LDAP protocol protect user information during synchronization. Specifically:
1. Always use the functions provided by the framework to correctly validate, filter or escape user-entered data so that it cannot be maliciously modified;
Most web frameworks that use LDAP libraries provide a vetted method for escaping or removing unsafe characters before a query is issued.
2. Do not allow users to specify attribute values on the client side; instead use stored values that the user may select, or server-side functions;
Here an attribute value is a value in an LDIF (LDAP interchange format) file that describes a property of a class.
A stored value is a default LDAP attribute value such as org (organization); server-side functions are the operations the LDAP server provides by default, such as add, delete, modify and search.
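As an added illustration of point 1 (example code, not the patent's own), the following Python helpers escape untrusted input before it is placed in an LDAP search filter (RFC 4515) or in a distinguished name (RFC 4514), and build the user-lookup filter both with and without escaping; the inetOrgPerson filter shape and the uid attribute are assumptions.

```python
"""Escaping untrusted input before it reaches an LDAP query.

Added example, not part of the patent: shows why point 1 above matters by
building the same user-lookup filter with and without escaping.
"""

# RFC 4515: these characters must be written as backslash + two hex digits
# when they occur inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)          # special characters anywhere in the value
        elif ch == "#" and i == 0:
            out.append("\\#")              # '#' only needs escaping at the start
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")              # leading or trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str, escape: bool = True) -> str:
    """Filter that looks up one user of class inetOrgPerson by uid.

    escape=False reproduces the unsafe string concatenation the text warns
    against (a wildcard in the input then matches every user); escape=True
    is the form a framework's escaping helper produces.
    """
    uid = escape_filter_value(username) if escape else username
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def user_dn(username: str, base_dn: str) -> str:
    """Build the DN of a user entry under base_dn with RFC 4514 escaping."""
    return f"uid={escape_dn_value(username)},{base_dn}"
```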
The user management method based on the multi-tenant cloud management platform according to the embodiment of the present invention receives the user's login request and determines from the identity information whether the user is a special-domain user; if so, login verification of the user is performed using the special-domain server. Third-party users can thus manage the resources of the multi-tenant cloud management platform without being re-created, which improves management efficiency, meets real-time requirements, and is highly adaptable.
In another embodiment of the present invention, as shown in Fig. 2, the user management method based on the multi-tenant cloud management platform further includes the following step:
S4: if the user is a local-domain user, perform login verification of the user directly on the multi-tenant cloud management platform.
When the user who sent the login request is determined to be a local-domain user, login verification can be performed directly on the multi-tenant cloud management platform using Shiro.
In yet another embodiment of the present invention, as shown in Fig. 3, the user management method based on the multi-tenant cloud management platform further includes the following step:
S5: configure special-domain user information in the multi-tenant cloud management platform.
Specifically, the parameters of the special-domain server are configured, and the special-domain users are then synchronized to the multi-tenant cloud management platform according to those parameters. The parameters may include the uniform resource locator (URL) of the special-domain server, the name and password of the special-domain user, and the distinguished name (DN) of the special-domain user.
For example, when a multi-tenant cloud management platform integrates third-party users through the LDAP protocol, it is agreed in advance that the third-party user information to be synchronized is stored on the LDAP server, with the user class specified as top->posixAccount->inetOrgPerson. Configuring the LDAP server in the multi-tenant cloud management platform involves four parameters: the LDAP server URL, the user name, the password, and the user distinguished name DN. Of these, the LDAP server URL, user name and password are the three parameters used to test the connection; if any of them is wrong, the connection to the LDAP server fails. The remaining parameter, the user distinguished name DN, designates the users under the specified LDAP directory that are to be synchronized; if a directory that does not exist in LDAP is entered, user synchronization fails and LDAP domain users fail login authentication. If the LDAP server parameters are configured correctly and the connection succeeds, the LDAP domain users can be synchronized to the multi-tenant cloud management platform. After synchronization, an original LDAP domain user is displayed on the multi-tenant cloud management platform with the user name "LDAP user name + @LDAP.com". Because the synchronization policy is incremental, the user name displayed after the LDAP domain is synchronized to the multi-tenant cloud management platform is "user name + @LDAP.com".
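The configuration and synchronization step just described, as an added example that is not the patent's code: the four parameters, a connection test on the first three, failure on a non-existent user DN, and an incremental sync that names each imported user "<uid>@LDAP.com". The in-memory directory, its entries and the platform user table are constructed stand-ins for a real LDAP server and database.

```python
"""Configuring the LDAP server and synchronizing its users incrementally.

Added example, not the patent's code. The server, its entries and the
platform user table are constructed stand-ins (no network access).
"""
from dataclasses import dataclass
from urllib.parse import urlparse

SUFFIX = "@LDAP.com"  # display-name suffix the text gives for synced users


@dataclass
class LdapConfig:
    url: str
    bind_user: str
    bind_password: str
    user_dn: str  # directory whose user entries are synchronized


class FakeLdapServer:
    """Constructed in-memory directory standing in for a real LDAP server."""

    def __init__(self, bind_user, bind_password, entries):
        self._creds = (bind_user, bind_password)
        self._entries = entries  # dn -> attribute dict

    def bind(self, user, password):
        return (user, password) == self._creds

    def search_users(self, base_dn):
        """inetOrgPerson entries under base_dn; None if base_dn does not exist."""
        if base_dn not in self._entries:
            return None
        return [
            dict(attrs, dn=dn)
            for dn, attrs in self._entries.items()
            if dn.endswith("," + base_dn)
            and "inetOrgPerson" in attrs.get("objectClass", [])
        ]


def check_connection(cfg, server):
    """Connection test on URL, user name and password only (the DN is not checked here)."""
    parsed = urlparse(cfg.url)
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        return False
    return server.bind(cfg.bind_user, cfg.bind_password)


def sync_users(cfg, server, platform_users):
    """Incremental sync: add LDAP users the platform lacks, leave the rest untouched.

    Returns ("ok", sorted names added), ("connection-failed", []) or ("dn-missing", []).
    """
    if not check_connection(cfg, server):
        return ("connection-failed", [])
    entries = server.search_users(cfg.user_dn)
    if entries is None:  # the DN parameter points at a directory LDAP does not have
        return ("dn-missing", [])
    added = []
    for entry in entries:
        name = entry["uid"] + SUFFIX
        if name not in platform_users:
            platform_users[name] = {"domain": "ldap", "dn": entry["dn"],
                                    "organization": None, "role": None}
            added.append(name)
    return ("ok", sorted(added))


# Constructed sample directory: two users and one group under ou=people.
SAMPLE_ENTRIES = {
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "objectClass": ["top", "posixAccount", "inetOrgPerson"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob", "objectClass": ["top", "posixAccount", "inetOrgPerson"]},
    "cn=admins,ou=people,dc=example,dc=com": {"objectClass": ["groupOfNames"]},
}
SAMPLE_SERVER = FakeLdapServer("cn=admin,dc=example,dc=com", "example-bind-pw", SAMPLE_ENTRIES)
SAMPLE_CONFIG = LdapConfig("ldap://ldap.example.com:389", "cn=admin,dc=example,dc=com",
                           "example-bind-pw", "ou=people,dc=example,dc=com")
```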
In still another embodiment of the present invention, as shown in Fig. 4, the user management method based on the multi-tenant cloud management platform further includes the following step:
S6: generate role information for the special-domain user in the multi-tenant cloud management platform.
The multi-tenant cloud management platform provides the ability to configure roles and organizations for LDAP domain users, which guarantees permission isolation and data isolation between tenants and improves security.
In a specific embodiment of the present invention, as shown in Fig. 5, the user management method based on the multi-tenant cloud management platform includes the following steps:
S501: the user logs in.
The login request sent by the user is received.
S502: determine whether the user is a local-domain user.
If the user is a local-domain user, go to step S503; otherwise go to step S505.
S503: the multi-tenant cloud management platform performs Shiro login authentication.
S504: determine whether the entered user name and password are correct.
If not, return to step S501; if so, go to step S509.
S505: the user is determined to be an LDAP domain user; proceed to step S506.
S506: determine whether the LDAP service has been connected successfully.
If the connection succeeded, go to step S507; if not, go to step S510.
S507: determine whether the entered user name and password are correct.
If so, go to step S508; if not, return to step S501.
S508: determine whether an organization and a role have already been assigned to the LDAP domain user.
If so, go to step S509; if not, go to step S511.
S509: login to the multi-tenant cloud management system succeeds.
S510: LDAP is configured successfully.
After the LDAP configuration succeeds, return to step S501.
S511: the multi-tenant cloud management platform assigns an organization and a role.
After the multi-tenant cloud management platform has assigned an organization and a role to the LDAP domain user, return to step S501.
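The S501 to S511 flow above, and the S1 to S4 routing it refines, as an added Python example that is not the patent's code: the request's identity information selects the realm, the local realm stands in for the platform's Shiro verification with a salted PBKDF2 check, the LDAP realm stands in for the special-domain server, and the organization/role check gates the final success. All accounts and assignments are constructed sample data.

```python
"""The Fig. 5 login flow (steps S501 to S511) as a decision function.

Added example, not the patent's code. LocalRealm and LdapRealm are
constructed stand-ins for the Shiro realm and the special-domain server.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    SUCCESS = "S509: logged in"
    BAD_CREDENTIALS = "S501: back to login"
    LDAP_NOT_CONNECTED = "S510: LDAP must be configured first"
    NEEDS_ORG_AND_ROLE = "S511: assign organization and role first"


@dataclass
class LoginRequest:
    username: str
    password: str
    domain: str  # identity information carried by the request: "local" or "ldap"


class LocalRealm:
    """Stand-in for the platform's Shiro realm (steps S503/S504)."""

    def __init__(self):
        self._users = {}  # name -> (salt, pbkdf2 digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._digest(password, salt))

    def verify(self, name, password):
        record = self._users.get(name)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._digest(password, salt))


class LdapRealm:
    """Stand-in for the special-domain (LDAP) server (steps S506/S507)."""

    def __init__(self, connected, accounts):
        self.connected = connected  # result of the S5 connection test
        self._accounts = accounts   # uid -> password (constructed sample data)

    def bind(self, uid, password):
        # A real LDAP server treats an empty password as an anonymous bind that
        # "succeeds", so a login check must reject it before binding.
        if not password:
            return False
        return self._accounts.get(uid) == password


def login(req, local, ldap, assignments):
    """Return the Outcome for req; assignments maps platform user names to an
    (organization, role) pair once step S511 has been completed for them."""
    if req.domain == "local":                                  # S502
        ok = local.verify(req.username, req.password)          # S503/S504
        return Outcome.SUCCESS if ok else Outcome.BAD_CREDENTIALS
    # S505: LDAP domain user
    if not ldap.connected:                                     # S506
        return Outcome.LDAP_NOT_CONNECTED                      # S510
    if not ldap.bind(req.username, req.password):              # S507
        return Outcome.BAD_CREDENTIALS
    platform_name = req.username + "@LDAP.com"  # name the sync step gives the user
    if assignments.get(platform_name) is None:                 # S508
        return Outcome.NEEDS_ORG_AND_ROLE                      # S511
    return Outcome.SUCCESS                                     # S509


# Constructed sample realms and assignments: bob has synced but has no org/role yet.
LOCAL = LocalRealm()
LOCAL.add_user("admin", "example-local-pw")
LDAP = LdapRealm(connected=True, accounts={"alice": "example-pw-a", "bob": "example-pw-b"})
ASSIGNMENTS = {"alice@LDAP.com": ("tenant-a", "operator")}
```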
To implement the above embodiments, the present invention further proposes a user management device based on a multi-tenant cloud management platform.
Fig. 6 is a schematic structural diagram of a user management device based on a multi-tenant cloud management platform according to an embodiment of the present invention.
As shown in Fig. 6, the device includes a receiving module 61, a judging module 62 and a verification module 63.
The receiving module 61 is configured to receive a user's login request. The login request carries identity information, which indicates whether the user is a local-domain user or a special-domain user.
The judging module 62 is configured to determine from the login request whether the user is a special-domain user.
The verification module 63 is configured to perform login verification of the user using the special-domain server when the user is a special-domain user.
The verification module 63 is further configured to perform login verification of the user directly on the multi-tenant cloud management platform if the user is a local-domain user.
In another embodiment of the present invention, as shown in Fig. 7, the device further includes:
a configuration module 64, configured to configure special-domain user information in the multi-tenant cloud management platform.
The configuration module 64 is configured to configure the parameters of the special-domain server and to synchronize the special-domain users to the multi-tenant cloud management platform according to those parameters. The parameters include the uniform resource locator (URL) of the special-domain server, the name and password of the special-domain user, and the distinguished name (DN) of the special-domain user.
The configuration module 64 is further configured to generate role information for the special-domain user in the multi-tenant cloud management platform.
It should be understood that the description of the user management device based on the multi-tenant cloud management platform in this embodiment is consistent with that of the user management method based on the multi-tenant cloud management platform in the embodiment of the first aspect, and is not repeated here.
The user management device based on the multi-tenant cloud management platform according to the embodiment of the present invention receives the user's login request and determines from the identity information whether the user is a special-domain user; if so, login verification of the user is performed using the special-domain server. Third-party users can thus manage the resources of the multi-tenant cloud management platform without being re-created, which improves management efficiency, meets real-time requirements, and is highly adaptable.
To implement the above embodiments, the present invention further proposes a computer device.
The computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the computer program, the user management method based on the multi-tenant cloud management platform according to the embodiment of the first aspect is implemented.
To implement the above embodiments, the present invention further proposes a non-transitory computer-readable storage medium.
The non-transitory computer-readable storage medium stores a computer program which, when executed by a processor, implements the user management method based on the multi-tenant cloud management platform according to the embodiment of the first aspect.
需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括要素的过程、方法、物品或者设备中还存在另外的相同要素。It should be noted that, in this document, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any relationship between these entities or operations. any such actual relationship or sequence exists. Moreover, the terms "comprising", "comprising" or any other variation thereof are intended to encompass a non-exclusive inclusion such that a process, method, article or device that includes a list of elements includes not only those elements, but also includes not explicitly listed or other elements inherent to such a process, method, article or apparatus. Without further limitation, an element qualified by the phrase "comprising a..." does not preclude the presence of additional identical elements in the process, method, article, or device that includes the element.
The logic and/or steps represented in the flowcharts or otherwise described herein may, for example, be regarded as an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any apparatus that can contain, store, communicate, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection having one or more wires (electronic device), a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable manner as necessary, and then stored in computer memory.
It should be understood that the various parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the embodiments described above, multiple steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one of the following techniques known in the art, or a combination of them, may be used: a discrete logic circuit having logic gate circuits for implementing logical functions on data signals, an application-specific integrated circuit having suitable combinational logic gate circuits, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
It should be noted that, in the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic references to the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. Furthermore, provided they do not contradict one another, those skilled in the art may combine and integrate the different embodiments or examples described in this specification, and the features of those different embodiments or examples.
Claims (14)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010269726.0A CN111541654A (en) | 2020-04-08 | 2020-04-08 | User management method, device and computer equipment based on multi-tenant cloud management platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010269726.0A CN111541654A (en) | 2020-04-08 | 2020-04-08 | User management method, device and computer equipment based on multi-tenant cloud management platform |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111541654A true CN111541654A (en) | 2020-08-14 |
Family
ID=71980163
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010269726.0A Pending CN111541654A (en) | 2020-04-08 | 2020-04-08 | User management method, device and computer equipment based on multi-tenant cloud management platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111541654A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113612865A (en) * | 2021-07-29 | 2021-11-05 | 济南浪潮数据技术有限公司 | Method, device and equipment for managing cloud platform LDAP domain account and readable medium |
| CN115017179A (en) * | 2022-06-15 | 2022-09-06 | 中国银行股份有限公司 | A fingerprint identification method and device, electronic device, and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102843256A (en) * | 2012-05-11 | 2012-12-26 | 摩卡软件(天津)有限公司 | IT (Information Technology) system management method based on lightweight directory access protocol (LDAP) |
| CN104769908A (en) * | 2012-09-07 | 2015-07-08 | 甲骨文国际公司 | LDAP-based multi-tenant in-cloud identity management system |
| CN106462717A (en) * | 2014-06-23 | 2017-02-22 | 甲骨文国际公司 | System and method for supporting security in a multitenant application server environment |
| CN110691089A (en) * | 2019-09-29 | 2020-01-14 | 星环信息科技(上海)有限公司 | Authentication method applied to cloud service, computer equipment and storage medium |
| CN110753044A (en) * | 2019-10-12 | 2020-02-04 | 山东英信计算机技术有限公司 | An identity authentication method, system, electronic device and storage medium |
- 2020-04-08 CN CN202010269726.0A patent/CN111541654A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109688120B (en) | | Dynamic Rights Management System Based on Improved RBAC Model and Spring Security Framework |
| US12155767B2 (en) | | Zero-knowledge identity verification in a distributed computing system |
| CN109936571B (en) | | Mass data sharing method, open sharing platform and electronic device |
| US10505733B2 (en) | | Generating and managing a composite identity token for multi-service use |
| US20200287718A1 (en) | | Zero-knowledge identity verification in a distributed computing system |
| US7849496B2 (en) | | Providing enterprise management of amorphous communities |
| CN102982141B (en) | | A kind of method and device realizing distributed data base agency |
| WO2021068518A1 (en) | | Identity authentication method and system, electronic equipment and storage medium |
| EP3695563A2 (en) | | Method, apparatus, and computer program product for selectively granting permissions to group-based objects in a group-based communication system |
| WO2017054543A1 (en) | | Method and device for accessing resource of cloud storage |
| US20170041504A1 (en) | | Service providing system, information processing apparatus, program, and method for generating service usage information |
| CN109067789A (en) | | Web vulnerability scanning method, system based on linux system |
| US10387498B2 (en) | | Polymorphic configuration management for shared authorization or authentication protocols |
| US11722481B2 (en) | | Multiple identity provider authentication system |
| CN106487744A (en) | | A kind of Shiro verification method based on Redis storage |
| KR102295593B1 (en) | | Automatically generating certification documents |
| US20220231998A1 (en) | | Directory service user synchronization |
| US9015790B2 (en) | | Integrating sudo rules with entities represented in an LDAP directory |
| CN111541654A (en) | | User management method, device and computer equipment based on multi-tenant cloud management platform |
| CN110414257A (en) | | A data access method and server |
| US10021107B1 (en) | | Methods and systems for managing directory information |
| CN114297598B (en) | | User permission processing method and device |
| US20110153563A1 (en) | | Enhanced replication of databases |
| KR20240168992A (en) | | Systems, methods and storage media for selective graph-based disclosure of computer data structures |
| CN114547566A (en) | | Rights management method, system, terminal device and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |