WO2024212724A1 - Identity authentication method, platform, electronic device and computer-readable medium - Google Patents
- Publication number
- WO2024212724A1 (application PCT/CN2024/079384)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- environment
- user
- information
- identity
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Definitions
- the present invention relates to the field of cloud computing technology, and in particular to an identity authentication method, platform, electronic device and computer-readable medium.
- Cloud computing is a new way of computing and services based on the Internet. It uses Internet technology to combine huge and scalable IT capabilities, such as computing, storage, network and other resource capabilities, and provide them to users as services.
- cloud services include infrastructure services, platform services, software services, etc.
- each cloud service provider has its own service coverage area and business characteristics; when users need to use cloud services across regions, they may need to use services from different clouds, and identity authentication usually has to be repeated for each of them.
- the above-mentioned cross-region access includes cross-country/region access, etc. It can be understood that the many environments used in different countries/regions and at different stages each have their own independent database, so the data in different environments is isolated. In this way, when the client responds to a user's data processing request by accessing different environments, each environment must record the corresponding user's identity information and authentication information in order to complete the user's identity authentication and ensure data security. Managing and maintaining this identity information and authentication information across many environments has become a huge challenge. In addition, the identity information and authentication information recorded in different environments may differ, so when these environments require users to enter the corresponding information for identity authentication, this also causes great inconvenience to users.
- the present application provides an identity authentication method, platform, electronic device and computer-readable medium, which can quickly complete the identity authentication of the corresponding user in each operating environment that provides services or data when cross-environment access to services or data is required, thereby improving the response rate of the business platform to user-side requests and ensuring the security of each operating environment.
- the present application provides an identity authentication method, which is applied to a cloud management platform that manages multiple operating environments, wherein the cloud management platform predetermines a first environment from multiple operating environments, and determines an association relationship in which the first environment has management authority over at least one second environment, wherein the multiple operating environments include at least one second environment; the method comprises:
- the first environment receives a user operation request, wherein the user operation request is used to request services or data in a target environment, wherein the target environment is any environment in the at least one second environment; the first environment confirms that the first user information corresponding to the user operation request satisfies the first authentication condition, and sends an access request to the target environment; the target environment determines that the first environment indicated by the first identity information in the access request satisfies the second authentication condition and sends its own second identity information to the first environment; wherein the first authentication condition is used to authenticate whether the user identity has operation authority, the second authentication condition is used to reversely authenticate whether the first environment has management authority over the target environment, and the second identity information is used to provide access to services or data in the target environment.
- the first environment may be a main control environment (main environment) set by a cloud management platform, which serves as a unified access environment for user operation requests.
- the second environment may be another runtime environment (runtime environment) that is subordinate to the management of the main control environment, that is, the first environment has management authority over the second environment.
- the management authority may be, for example, the authority for the first environment to access the second environment to obtain the required services or data.
- the target environment may correspond to a specific second environment requested by the corresponding user operation request.
- a unified main control environment records the user's identity information and authentication information
- a unified main control environment receives user operation requests and performs user identity authentication, which can avoid the problem of repeated authentication caused by the need to record the user's identity information in each operating environment, and is conducive to improving the efficiency of identity authentication.
- the corresponding operating environment can perform reverse identity authentication to the main control environment, that is, the above-mentioned authentication process of confirming that the first environment meets the second authentication condition, to confirm that the main control environment is an environment with management authority, rather than an environment forged by an intruder of the business platform. In this way, the security of the corresponding services or data provided by each operating environment can be guaranteed.
- the first environment confirms that the first user information corresponding to the user operation request satisfies the first authentication condition, including: the first environment obtains a token for user identity authentication, wherein the token is generated based on second user information recorded in the first environment; the first environment detects that the first user information matches the second user information corresponding to the token, and confirms that the first user information corresponding to the user operation request satisfies the first authentication condition.
- the first environment can complete the user authentication process through a token for user identity authentication.
- the second user information mentioned above is the identity information and authentication information used to verify the user's identity, such as account name and password.
- the first environment can use the recorded second user information to verify whether the first user information input corresponding to the user operation request meets the first authentication condition.
- the user terminal that initiates the user operation request can also quickly obtain services or data in each operating environment without repeating identity authentication.
- the first user information matches the second user information corresponding to the token, including: the account name and password in the first user information are the same as the account name and password corresponding to the second user information carried by the token.
- the access request includes a header request and a verification package, wherein the header request is used to request services or data in a target environment; and the verification package is used to provide the first identity information to the target environment.
- the target environment determines that the first environment indicated by the first identity information in the access request meets the second authentication condition, including: the target environment parses the verification package to obtain the first identity information; the target environment sends an identity authentication request to the first environment based on the first identity information; the target environment receives a confirmation result returned by the first environment in response to the identity authentication request, and determines that the first environment indicated by the first identity information meets the second authentication condition.
- the identity authentication request sent to the first environment is, for example, a request from the target environment (one of the second environments) to the host, i.e., the master environment.
- the target environment can determine that the first environment has management authority over itself, that is, it meets the second authentication condition.
- the target environment determines that the first environment indicated by the first identity information in the access request meets the second authentication condition, including: the target environment parses the verification package to obtain the first identity information; the target environment determines the management authority-related information matching the first environment based on the first identity information, and sends an identity authentication request to the first environment based on the management authority-related information, wherein the management authority-related information is used to indicate the association relationship that the first environment has management authority over the target environment; the target environment receives the confirmation result returned by the first environment in response to the identity authentication request, and determines that the first environment indicated by the first identity information meets the second authentication condition.
- the verification package is also used to provide the first user information to the target environment, and sending its own second identity information to the first environment includes: the target environment determines, based on the first user information obtained by parsing the verification package, that third user information exists in the target environment, wherein the user name indicated by the third user information is the same as the user name indicated by the first user information; the target environment binds the second identity information to the third user information and sends it to the first environment.
- sending the second identity information of itself to the first environment also includes: the target environment determines that the third user information does not exist in the target environment based on the first user information obtained by parsing the verification package; the target environment creates the third user information based on the user name indicated by the first user information, and binds the second identity information with the third user information and sends them to the first environment.
- the second identity information is bound to the third user information, including any one of the following methods: adding the third user information as a mark on the second identity information; adding the second identity information and the third user information to the data packet sent to the first environment; adding the second identity information to the third user information.
- the present application provides a cloud management platform, including a first environment and at least one second environment predetermined from multiple operating environments, wherein the first environment has management authority over at least one second environment, wherein the first environment is used to receive user operation requests, and to send an access request to a target environment upon confirming that the first user information corresponding to the user operation request satisfies a first authentication condition, wherein the user operation request is used to request services or data in the target environment, and the target environment is any environment in at least one second environment; the target environment is used to send its own second identity information to the first environment upon determining that the first environment indicated by the first identity information in the access request satisfies a second authentication condition, wherein the first authentication condition is used to authenticate whether the user identity has operation authority, and the second authentication condition is used to reversely authenticate whether the first environment has management authority over the target environment, and the second identity information is used to provide access to services or data in the target environment.
- the present application provides an electronic device comprising: one or more processors; and one or more memories storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the device executes the identity authentication method provided in the first aspect and the various possible implementations of the first aspect.
- the present application provides a computer-readable medium having instructions stored thereon; when the instructions are executed on a computer, the computer executes the identity authentication method provided in the first aspect and the various possible implementations of the first aspect.
- FIG1 is a schematic diagram showing an application scenario of an identity authentication method provided in an embodiment of the present application.
- FIG2 is a schematic diagram showing the working principle of an identity authentication method provided in an embodiment of the present application.
- FIG3 is a schematic diagram showing an implementation flow of an identity authentication method provided in an embodiment of the present application.
- FIG4 is a schematic diagram of the software structure of a cloud management platform provided in an embodiment of the present application.
- FIG5 is a schematic diagram showing the hardware structure of a server provided in an embodiment of the present application.
- Cloud: a collection of hardware and software resources.
- a cloud has multiple regions in different countries/regions, each of which includes at least one data center, and each data center has hardware and software resources.
- Different cloud service providers have established different clouds, and different clouds provide users with resources (including computing, storage, network, applications, etc.) for rent in the form of cloud services.
- Cloud computing supports users to obtain cloud services in multiple locations and using multiple terminals.
- the hardware and software resources that support cloud services come from the cloud.
- Database: used to store a large number of data entities.
- Database design is the process of planning and structuring the data entities in the database and the relationships between these data entities.
- Region, Availability Zone (AZ) and Data Center (DC): different regions are generally far apart geographically. Different countries can be different regions, and different areas within the same country can also be different regions, such as the Northern China region, Southern China region and Singapore region of a certain cloud service provider. Each region has multiple isolated areas called availability zones. The power supply and network of availability zones in the same region are generally independent of each other to improve regional reliability, and availability zones in the same region are connected by a low-latency network. Each availability zone in a region includes at least one data center, and each data center contains a certain amount of hardware resources and software resources.
- FIG1 is a schematic diagram showing a scenario in which an identity authentication method is applied according to an embodiment of the present application.
- the scenario includes multiple terminals 100 and a server 200.
- the server 200 can be either a cloud server or a cluster of servers distributed in one or more regions.
- Each region can also include one or more availability zones that provide computing resources, and each availability zone includes at least one data center.
- the hardware resources contained in the data center can be provided by a host, for example, and the software resources contained in the corresponding data center can be provided by a software program or service running on the host.
- each availability zone can provide corresponding computing resources through a host, and these computing resources can be provided to different environments that are isolated from each other, such as a development environment, a test environment, a pre-release environment, a production environment (also known as a release environment), etc., and services with specific functions can be run in each environment to provide corresponding capabilities to handle various business requests initiated by the client.
- a cloud management platform can be run on the server 200 to manage multiple environments serving the business platform.
- the multiple environments may include one or more operating environments distributed in different areas.
- the above-mentioned business platform may, for example, provide services to corresponding clients through environments in different areas such as area A and area B.
- area A may provide environment A01 and environment A02 as shown in Figure 1, wherein environment A01 may provide services a and b, and environment A02 may provide services c and d.
- Area B may provide environment B01 and environment B02 as shown in Figure 1, wherein environment B01 may provide services e and f, and environment B02 may provide services g and h.
- the services provided in different environments such as environment A01, environment A02, environment B01, and environment B02 may also be used to meet service requirements and data requirements at different stages.
- users may need to ask for
- users may need to obtain configuration services and simulation services in the testing environment.
- in the pre-release phase, users may need to obtain databases, configuration services, or synchronization services in the pre-release environment.
- a corresponding client can be run on each terminal 100, and the client can access the business platform served by the server 200 to request the corresponding service to process the business request input by the user.
- different terminals 100 may be distributed in different areas.
- different environments in each area can provide the required services or data to the corresponding different clients.
- the client A01 located in area A may need to access the environment A01 to obtain the corresponding service, and the client A02 may need to access the environment A02.
- the client B01 located in area B may need to access the environment B01, and the client B02 may need to access the environment B02. Therefore, the client running on the corresponding terminal 100 may need to access different environments in different areas.
- the client in a certain area may also need to access different environments in the area, or access the environment in other areas.
- the client A01 may also need to access the environment A01, environment A02 of area A, and environment B01 of area B, etc.
- the above-mentioned users can be, for example, developers or administrators of business platforms, etc., and are not limited here.
- the data and resources of each environment are usually isolated from each other.
- the data and resources between the production environment of area A and the production environment of area B are isolated from each other, and the data and resources between the production environment of area A and the test environment of area A are also usually isolated from each other. This can ensure the security of data and resources in each area.
- users may need to use data and resources in different environments at different stages, and accordingly, users will access the environment of the corresponding stage through the client to obtain services or data interfaces (Application Programming Interface, API), etc.
- Users may also need to obtain data or services provided by environments in different regions, and accordingly, users will access the environment of the corresponding region through the client to obtain the required services or required data interfaces, etc.
- each environment needs to record the user's identity information and authentication information so that when the user uses the account to log in to access the corresponding environment, the user's identity authentication can be completed and services or data can be provided to the user.
- Different users have different identity information and authentication information in the same environment. Therefore, the amount of user identity information and corresponding authentication information that needs to be recorded and managed in many environments will be large, which is inconvenient to maintain and manage.
- when different environments each require users to enter identity information or authentication information, this also places a large information burden on users, making it inconvenient for them to use cross-environment services or data interfaces.
- the present application provides an identity authentication method, which is applied to electronic devices such as cloud management platforms or servers that manage the above environments.
- the method pre-sets one of the multiple independently running environments as the master control environment (also known as the main environment); the other environments are independent operating environments (also known as runtime environments) that interact with the master control environment through a reserved data interface, establishing an association relationship between the master control environment and each operating environment. Access requests for each operating environment, such as requests to obtain services or data in that environment, can then be initiated through the unified master control environment. At this point, the master control environment can complete a user identity authentication based on the recorded authentication information of the corresponding user.
- when the operating environment receives the access request initiated by the master control environment, it can reversely authenticate the master control environment, for example by verifying whether the identity information of the master control environment corresponds to the identity of its associated master control environment, to complete the user identity authentication in the operating environment. After verifying the identity of the master control environment, each operating environment can uniformly provide the service or data acquisition authority requested by the corresponding user through the master control environment.
- identity authentication can be quickly completed in the master control environment and each operating environment. This facilitates the unified management of identity information and authentication information of different users, simplifies the operation of users entering identity information and verification information, and eliminates the need for users to repeatedly enter identity authentication information when accessing different environments.
- access requests to each operating environment can first complete an identity authentication in the master control environment, then verify the relationship between the master control environment and the operating environment, and then perform a second identity authentication on the user in each operating environment, which can also improve security.
- the above-mentioned master control environment and each operating environment can belong to the same business platform, or they can belong to associated business platforms that are mutually authorized to manage user identity information and authentication information.
- the above-mentioned master control environment can be a subordinate environment corresponding to each operating environment on the same business platform, or it can be any environment selected from multiple parallel and independently running environments that has management authority over other environments.
- the management authority can at least include the authority to access other environments. This application is not limited here.
- the above-mentioned authentication information for user identity authentication can be, for example, token information generated based on the account and password input by the user.
- the authentication mode adopted by the token can be, for example, the authentication mode corresponding to the access token, which is not limited here.
- the above-mentioned identity information can include the identity identification (Identity, ID) information of the main control environment and the identity identification information corresponding to each operating environment. It can be understood that when the above-mentioned main control environment receives user operations, it can obtain the corresponding token through the account and password for authentication. After completing the authentication, the main control environment can send the token and the identity information of the main control environment to the requested operating environment.
- the above-mentioned operating environment can perform reverse identity authentication on the main control environment based on the received token and identity information, and provide its own identity information to the main control environment after the authentication is successful, so as to provide the requested service or data through the main control environment.
- some operating environments may not record the user identity information corresponding to the access request initiated by the main control environment. At this time, the operating environment can create the corresponding user identity information, bind its own authentication information with the user identity information, and provide it to the main control environment for use.
- the server 200 to which the configuration data management method provided in the embodiment of the present application is applicable may be an application server, a database server, etc., or a cluster or other electronic device with strong storage capacity and strong computing capacity. No limitation is made here.
- the identity authentication method provided in the embodiment of the present application may be applicable to the terminal 100 including but not limited to laptops, tablet computers, desktops, laptops, handheld computers, netbooks, mobile phones, augmented reality (AR) and virtual reality (VR) devices, smart TVs, devices in which one or more processors are embedded or coupled, or other devices capable of accessing the network.
- AR: augmented reality
- VR: virtual reality
- FIG2 shows a schematic diagram of the working principle of an identity authentication method according to an embodiment of the present application.
- the identity authentication scheme provided by the present application can uniformly route user operation requests received through the terminal 100, etc. to the gateway 211 of the main control environment 210 for processing; refer to process 1 shown in FIG2.
- the user operation request can be, for example, a service acquisition request or a data acquisition request for a remote operating environment in another area.
- the gateway 211 of the main control environment 210 can obtain the corresponding token according to the recorded or user-entered account, password, etc. to perform user identity authentication, refer to process 2 shown in FIG2 .
- after confirming that the logged-in user identity is legitimate, the main control environment 210 sends a corresponding access request to the requested operating environment 220.
- the access request sent by the main control environment 210 to the operating environment 220 may include a header request based on header information (header) and a verification packet.
- the request is received by the gateway 221 of the operating environment 220 and admitted to the corresponding environment.
- the header request can include the obtained token information and the identity information of the main control environment 210, so as to request the operating environment 220 to obtain services or data.
- the verification packet can also include the token information and the identity information of the main control environment 210, and can be parsed by the operating environment 220, referring to the process 4 shown in Figure 2. Furthermore, referring to the process 5 shown in Figure 2, the operating environment 220 can use the identity information obtained by parsing the packet to verify whether the main control environment 210 is the environment to which it belongs, that is, to perform a reverse identity verification on the main control environment 210.
- the operating environment 220 can provide the identity information of the operating environment to the main control environment 210 to respond to the header request of the main control environment 210 and provide the main control environment 210 with the permission to obtain the requested service or data.
- FIG3 shows a schematic diagram of an interactive process for implementing an identity authentication method according to an embodiment of the present application.
- the process shown in FIG3 mainly involves the interaction between the master control environment 210 and the operating environment 220.
- the master control environment 210 and the operating environment 220 can be uniformly managed by the cloud management platform, and the cloud management platform can determine the master control environment from the multiple environments managed, and set the association relationship between the master control environment and each operating environment, such as the relationship that the operating environment is subordinate to the master control environment.
- the process includes the following steps:
- the main control environment 210 receives an operation request from a user, wherein the operation request is used to request to obtain services or data from a remote operating environment.
- a user may initiate a request to obtain services or data in some environments through some handheld terminals 100, such as laptop computers and other electronic devices.
- These environments may be environments running on servers in the same region, or environments provided in different availability zones in different regions; they may be different environments at the same stage, or operating environments at different stages, such as a test environment, a pre-release environment, and the like.
- the master control environment 210 can be used to access service or data acquisition requests for all environments, and the request may include a request to obtain services or data in a remote operating environment 220.
- the main control environment 210 obtains token information for verifying whether the user identity is legitimate based on the recorded account information.
- the main control environment 210 can pre-record the account, password, etc. registered by each user to verify the legitimacy of the user's identity, and to mark the corresponding user or the tenant to which the corresponding user belongs to obtain the service or data in each environment.
- the main control environment 210 can receive the verification request issued by the terminal 100 in response to the user's operation, and obtain a token for user identity authentication based on the recorded account information, such as the account, password, etc. After the main control environment 210 obtains the token, it can be saved and used to execute the following steps 303 to 304.
- the main control environment 210 confirms the legitimacy of the user identity based on the token information.
- the main control environment 210 can use the token information obtained above to verify whether the account password entered by the user when logging in is correct, thereby verifying whether the user's identity is legitimate. If the information matches the account and password information input by the user, the main control environment 210 can determine that the user identity is legal and has the right to access the services or data in the requested environment. On the contrary, if the account and password information corresponding to the token information does not match the account and password information input by the user, the main control environment 210 can determine that the user identity is illegal and has no right to access the requested environment.
- the main control environment 210 calls the first environment interface and initiates an access request to the running environment 220.
- the main control environment 210 can call the interface of the corresponding operating environment to initiate an access request according to the operating environment related information corresponding to the user's operation request.
- that is, the main control environment 210 calls the first environment interface of the operating environment 220 to initiate the access request to the operating environment 220.
- the access request may include a header request and a verification package.
- the header request can be used to request the required services or data from the target operating environment, and the verification package can be parsed by the operating environment 220 to provide the above token information to the operating environment 220.
- main control environment 210 can also provide the identity information corresponding to the main control environment 210 to the operating environment 220 through the verification package, so that the operating environment 220 can use it to reversely verify the legality of the identity of the main control environment 210.
- the operating environment 220 parses the verification packet in the access request to obtain token information and the first identity information of the main control environment.
- the operating environment 220 may first parse the verification package text carried by the access request to obtain the token information therein and the first identity information corresponding to the main control environment 210.
- the token information therein can be used by the operating environment 220 to bind the corresponding user identity when providing the requested service or data;
- the first identity information therein can be used by the operating environment 220 to verify the identity of the above-mentioned main control environment 210, for example, to verify whether the main control environment 210 is the environment to which the operating environment 220 belongs, or to verify whether the main control environment 210 has the management authority over the corresponding operating environment 220, etc.
- the operating environment 220 calls the second environment interface to initiate a reverse identity authentication request to the main control environment 210.
- the operating environment 220 may initiate an authentication request to the main control environment 210 based on the main control environment identification information that matches the first identity information, or directly based on the first identity information.
- the operating environment 220 may call the second environment interface provided by the main control environment 210 to initiate an identity authentication request to the main control environment 210.
- the process in which the main control environment 210 initiates an access request to the operating environment can be described as a forward process.
- the process in which the operating environment 220 initiates an identity authentication request to the main control environment executed in this step can be described as a reverse process. Therefore, the operating environment 220 can call the second environment interface to initiate a reverse identity authentication request to the main control environment 210.
- the identity information of the master control environment can be pre-recorded in each operating environment belonging to the same master control environment.
- when an operating environment receives an access request initiated by the master control environment, it can determine, from the recorded master control environment identity information, the entry that matches the received first identity information, and initiate a reverse identity authentication request based on the matched identity information.
- each operating environment can also directly send an identity authentication request to the corresponding master control environment based on the received first identity information, which is not limited here.
- the identity authentication request initiated by the operating environment 220 can be used, for example, to request confirmation whether the operating environment 220 belongs to the corresponding master control environment, etc.
- the main control environment 210 returns the authentication result to the running environment 220 in response to the identity authentication request.
- when the main control environment 210 receives the above-mentioned identity authentication request sent back by the requested operating environment 200, it can feed back the authentication result to the operating environment 220.
- the main control environment 210 can return information such as "true" or "false" to the operating environment 220 as the authentication result, and this application does not limit this.
- the process of reverse authentication of the operating environment 220 to the master control environment 210 described in the above steps 306 to 307 can ensure that the access request to the operating environment 220 to obtain services or data is from a legitimate master control environment, rather than an illegal environment forged by an illegal user or an intruder of the business platform. In this way, the security of the data in the accessed operating environment 220 can be guaranteed.
- the above-mentioned legitimate master control environment can be, for example, the master control environment to which the operating environment 220 belongs, or an authenticated environment that has other authorization relationships with the operating environment 220, which is not limited here.
- the operating environment 220 confirms that the authentication is successful based on the received authentication result.
- the operating environment 220 confirms whether the identity authentication of the main control environment 210 is passed according to the authentication result information fed back by the main control environment 210, such as the above-mentioned "true" or "false".
- the operating environment 220 determines whether there is user information with the same name in the environment.
- if so, the operating environment 220 may execute the following step 311 to provide its own identity information to the corresponding main control device.
- if not, the operating environment 220 may first execute the following step 310 to create user information identical to the user information in the received token information, that is, the above-mentioned user information with the same name.
- the operating environment 220 can confirm the user information for which the service or data needs to be obtained, such as the account name or user name, password and other account information corresponding to the user, based on the token information parsed in the above step 305, and determine whether there is user information in the current environment that is consistent with the account name or user name. If the operating environment 220 determines that the corresponding user information exists in the current environment, and the user information is the same as the user information indicated by the above token, such as the corresponding user name, etc., the operating environment 220 can determine that the user information with the same name exists in the current environment.
- the operating environment 220 determines that the corresponding user information does not exist in the current environment, or the recorded user information is different from the user information indicated by the above token, such as the corresponding user name, etc., the operating environment 220 can determine that there is no user information with the same name in the current environment.
- the operating environment 220 creates user information with the same name.
- the operating environment 220 can create corresponding user information with the same name according to the user information indicated by the parsed token. For example, if the corresponding user name in the user information indicated by the parsed token is "yibao01", the user name of the user information with the same name created by the operating environment 220 is also "yibao01".
- the same-name user information in the above-mentioned operating environment 220 is mainly used to mark the second identity information provided to the main control environment 210 that initiates the access request when executing the following step 311.
- for details, please refer to the relevant description below, which will not be repeated here.
- the operating environment 220 automatically creates the same-name user information to synchronize the corresponding user information with the main control environment 210, and can ensure that the corresponding user operation is successfully executed after completing the identity authentication of the above steps 301 to 310.
- the same-name user information can ensure that the operating environment 220 successfully executes the following step 311, and the main control environment 210 successfully executes the following step 312, and completes the process of returning the requested service or data to the user.
- the operating environment 220 provides the second identity information of the operating environment to the main control environment 210 by using the user information of the same name.
- the operating environment 220 can bind its identity information to the existing information of the user with the same name and send it to the main control device 210.
- the identity information provided by the operating environment 220 can be marked as the second identity information.
- the above binding method may include but is not limited to marking the information of the user with the same name on the above second identity information, adding the above second identity information to the information of the user with the same name, or compressing the above second identity information and the information of the user with the same name into the same package.
- the second identity information provided by the operating environment 220 to the authenticated main control environment 210 can be used to authorize the main control environment 210 to obtain services or data in the corresponding operating environment.
- the main control environment 210 uses the received second identity information to call a service interface or a data interface in the operating environment to obtain services or data.
- the main control environment 210 can obtain the required services or data from the operating environment 220 according to the second identity information fed back by the operating environment 220, and then provide them to the terminal 100 corresponding to the user operation or the client running on the terminal 100.
- the identity authentication required when the user obtains the services or data in each operating environment through the unified control of the main control environment 220 does not require the user to repeatedly enter the account password for identity authentication, which is convenient for user operations, especially for the user to schedule access to services or data in the remote operating environment.
- the operating environment subordinate to the corresponding main control environment when accepting the access request of the main control environment, performs reverse authentication to the main control environment, which can also improve the security of the identity authentication related information uniformly controlled by the main control environment, which is conducive to continuing to protect the data security of each user, the tenant to which each user belongs, and each region and environment.
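The interaction of steps 301 to 312 as an added simulation (not the patent's or any product's code): both environments are modelled as Python classes, tokens are assumed to be HMAC-signed JSON objects, identity information is assumed to be an environment id string, and the environment interfaces are plain method calls. The operating environment matches the first identity information against its pre-recorded main control environments before issuing the reverse request, and serves data only against a second identity it issued itself.

```python
"""Forward and reverse identity authentication between a main control
environment and a subordinate operating environment (steps 301-312).
Added example, not the patent's own code.  Assumed: HMAC-signed JSON tokens,
environment-id strings as identity information, method calls as interfaces."""
import hashlib
import hmac
import json
import secrets


class MainControlEnvironment:
    """Unified entry point: records accounts, issues tokens and answers the
    reverse identity authentication request (interface I in FIG. 4)."""

    def __init__(self, env_id, accounts):
        self.env_id = env_id
        # Constructed sample accounts: username -> salted SHA-256 of password.
        self._accounts = {u: self._digest(p) for u, p in accounts.items()}
        self._key = secrets.token_bytes(32)   # signs the tokens it issues
        self.subordinates = set()             # operating environments it manages

    @staticmethod
    def _digest(password):
        return hashlib.sha256(b"sample-salt:" + password.encode()).hexdigest()

    def login(self, username, password):
        """Steps 302-303: check the recorded account and issue a token."""
        stored = self._accounts.get(username)
        if stored is None or not hmac.compare_digest(stored, self._digest(password)):
            return None
        body = {"user": username, "nonce": secrets.token_hex(8)}
        payload = json.dumps(body, sort_keys=True).encode()
        return {"body": body,
                "sig": hmac.new(self._key, payload, hashlib.sha256).hexdigest()}

    def build_access_request(self, token, target_env, resource):
        """Step 304: header request plus verification packet, both carrying
        the token and the first identity information of this environment."""
        identity = {"token": token, "first_identity": self.env_id}
        return {"header": {"target": target_env, "resource": resource, **identity},
                "verification_packet": json.dumps(identity, sort_keys=True)}

    def reverse_authenticate(self, claimed_identity, requesting_env):
        """Step 307: reply true only if the claimed identity is ours and the
        requesting environment is one of our recorded subordinates."""
        return claimed_identity == self.env_id and requesting_env in self.subordinates

    def fetch(self, operating_env, second_identity, resource):
        """Step 312: call the data interface with the second identity information."""
        return operating_env.data_interface(second_identity, resource)


class OperatingEnvironment:
    """Subordinate environment exposing interface II (access requests) and
    interface III (data), with reverse authentication of the main environment."""

    def __init__(self, env_id, main_envs, data):
        self.env_id = env_id
        # Pre-recorded main control environments (step 306): the reverse request
        # goes to the recorded environment matching the first identity, never to
        # an address taken from the packet itself.
        self._main_envs = {m.env_id: m for m in main_envs}
        self.users = {}          # same-name user table: username -> record
        self._data = data        # constructed sample data
        self._second_ids = {}    # issued second identity -> bound username

    def access_interface(self, request):
        """Steps 305-311: returns the second identity information, or None."""
        packet = json.loads(request["verification_packet"])          # step 305
        token, first_identity = packet["token"], packet["first_identity"]
        main = self._main_envs.get(first_identity)                    # step 306
        if main is None or not main.reverse_authenticate(first_identity, self.env_id):
            return None                                               # steps 307-308
        username = token["body"]["user"]
        if username not in self.users:                                # step 309
            self.users[username] = {"name": username, "synced_from": first_identity}  # 310
        second_identity = f"{self.env_id}:{secrets.token_hex(8)}"
        self._second_ids[second_identity] = username                  # binding, step 311
        return {"second_identity": second_identity, "user": self.users[username]}

    def data_interface(self, second_identity, resource):
        """Interface III: serve data only against a second identity we issued."""
        if second_identity not in self._second_ids:
            return None
        return self._data.get(resource)


def run_flow(main, operating, username, password, resource):
    """Steps 301-312 end to end; None when any authentication step fails."""
    token = main.login(username, password)
    if token is None:
        return None
    grant = operating.access_interface(
        main.build_access_request(token, operating.env_id, resource))
    if grant is None:
        return None
    return main.fetch(operating, grant["second_identity"], resource)
```

After a successful run the operating environment's `users` table holds the same-name user created in step 310, and a main environment that the operating environment has not recorded, or that does not list it as a subordinate, fails the reverse check and receives no second identity.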
- each business platform can control the unique information differences of the corresponding environment of each business platform, such as domain name, environment interface (API), login account, password, etc., and switch consistently with the corresponding users on different business platforms or different environments, so that the corresponding users can use the environment of different business platforms.
- a user can integrate some services in the production environment of region A, the test environment of region A, the production environment of region B, and the test environment of region B to develop or test the functions of a client or a business platform webpage.
- regions A and B can refer to regional isolation between different countries, or regional isolation between different provinces and cities, etc., which is not limited here.
- FIG4 shows a schematic diagram of the structure of a cloud management platform according to an embodiment of the present application.
- the cloud management platform 400 can manage multiple environments. As mentioned above, these environments can serve the same business platform or different business platforms; these environments can provide services at corresponding stages for software products such as clients at different stages; and these environments can be distributed in the same area or in different areas, for example, environments A01 and A02 can be distributed in area A, environments B01 and B02 can be distributed in area B, and so on. This application does not make any restrictions here.
- the cloud management platform 400 can set the environment A01 in multiple environments as the master environment.
- the master environment A01 and the operating environments A02, B01, and B02 can establish a master-slave relationship through some environment interfaces (APIs) to set the environments A02, B01, and B02 as operating environments subordinate to the master environment A01.
- the above-mentioned environment interface may include interface I shown in FIG. 4, which is a reverse authentication interface provided by the master environment A01 to the operating environments.
- the above environment interface may also include interface II and interface III shown in FIG4, two interfaces provided by the operating environments to the main control environment A01. Among them, interface II may be used to receive access requests initiated by the main control environment; interface III may be used to provide the requested services and data to the main control environment.
- the main control environment and the operating environment can execute the interaction process shown in Figure 3 above, and implement the above-mentioned identity authentication method provided by this application.
- FIG5 shows a schematic diagram of the hardware structure of a server 200 according to an embodiment of the present application.
- the server 200 may include one or more processors 504, a system control logic 508 connected to at least one of the processors 504, a system memory 512 connected to the system control logic 508, a non-volatile memory (NVM) 516 connected to the system control logic 508, and a network interface 520 connected to the system control logic 508.
- the processor 504 may include one or more single-core or multi-core processors. In some embodiments, the processor 504 may include any combination of general-purpose processors and special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In an embodiment where the server 200 uses an eNB (Evolved Node B) 101 or a RAN (Radio Access Network) controller 102, the processor 504 may be configured to execute various compliant embodiments, for example, the embodiments shown in Figures 2 to 3 above or other embodiments.
- system control logic 508 may include any suitable interface controller to provide any suitable interface to at least one of processors 504 and/or any suitable device or component in communication with system control logic 508.
- system control logic 508 may include one or more memory controllers to provide an interface to the system memory 512.
- the system memory 512 may be used to load and store data and/or instructions.
- the memory 512 of the server 200 may include any suitable volatile memory, such as a suitable dynamic random access memory (DRAM).
- NVM 516 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions.
- NVM 516 may include any suitable non-volatile memory such as flash memory and/or any suitable non-volatile storage device, such as at least one of a HDD (Hard Disk Drive), a CD (Compact Disc) drive, and a DVD (Digital Versatile Disc) drive.
- NVM 516 may include a portion of storage resources on the device on which server 200 is installed, or it may be accessible by the device but not necessarily a portion of the device. For example, NVM/storage 516 may be accessed over a network via network interface 520.
- system memory 512 and NVM 516 may include, respectively, a temporary copy and a permanent copy of instructions 524.
- Instructions 524 may include instructions that, when executed by at least one of processors 504, cause server 200 to implement the method shown in FIG. 3.
- instructions 524, hardware, firmware, and/or software components thereof may additionally/alternatively be located in system control logic 508, network interface 520, and/or processor 504.
- the network interface 520 may include a transceiver for providing a radio interface for the server 200, thereby communicating with any other suitable device (such as a front-end module, an antenna, etc.) through one or more networks.
- the network interface 520 may be integrated with other components of the server 200.
- the network interface 520 may be integrated with at least one of the processor 504, the system memory 512, the NVM 516, and a firmware device (not shown) having instructions.
- the server 200 implements the method shown in FIG. 3 above.
- the network interface 520 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface.
- the network interface 520 may be a network adapter, a wireless network adapter, a telephone modem and/or a wireless modem.
- At least one of the processors 504 may be packaged together with logic for one or more controllers of the system control logic 508 to form a system in package (SiP). In one embodiment, at least one of the processors 504 may be integrated on the same die with logic for one or more controllers of the system control logic 508 to form a system on a chip (SoC).
- the server 200 may further include an input/output (I/O) device 532.
- the I/O device 532 may include a user interface to enable a user to interact with the server 200; and a peripheral component interface design to enable peripheral components to interact with the server 200.
- the server 200 further includes a sensor for determining at least one of an environmental condition and location information related to the server 200.
- the user interface may include, but is not limited to, a display (e.g., an LCD display, a touch screen display, etc.), a speaker, a microphone, one or more cameras (e.g., a still image camera and/or a video camera), a flashlight (e.g., an LED flash), and a keyboard.
- the peripheral component interface may include, but is not limited to, a non-volatile memory port, an audio jack, and a power interface.
- the sensors may include, but are not limited to, gyroscope sensors, accelerometers, proximity sensors, ambient light sensors, and positioning units.
- the positioning unit may also be part of or interact with the network interface 520 to communicate with components of a positioning network (e.g., global positioning system (GPS) satellites).
- references to "one embodiment" or "an embodiment" in the specification mean that the specific features, structures, or characteristics described in conjunction with the embodiment are included in at least one exemplary implementation or technology disclosed according to the embodiment of the present application.
- the appearance of the phrase “in one embodiment” in various places in the specification does not necessarily all refer to the same embodiment.
- the disclosure of the embodiment of the present application also relates to an apparatus for performing the operations described herein.
- the device can be specially constructed for the required purpose or it can include a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer.
- a computer program can be stored in a computer-readable medium, such as, but not limited to any type of disk, including a floppy disk, an optical disk, a CD-ROM, a magneto-optical disk, a read-only memory (ROM), a random access memory (RAM), an EPROM, an EEPROM, a magnetic or optical card, an application-specific integrated circuit (ASIC) or any type of medium suitable for storing electronic instructions, and each can be coupled to a computer system bus.
- the computer mentioned in the specification may include a single processor or may be an architecture involving multiple processors for increased computing power.
Description
本申请要求于2023年04月14日提交中国专利局、申请号为202310402940.2、申请名称为“身份认证方法、平台、电子设备及计算机可读介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to the Chinese patent application filed with the China Patent Office on April 14, 2023, with application number 202310402940.2 and application name “Identity Authentication Method, Platform, Electronic Device and Computer-Readable Medium”, the entire contents of which are incorporated by reference in this application.
本发明涉及云计算技术领域,具体涉及一种身份认证方法、平台、电子设备及计算机可读介质。The present invention relates to the field of cloud computing technology, and in particular to an identity authentication method, platform, electronic device and computer-readable medium.
云计算是一种基于互联网的计算和服务的新方式,其利用互联网技术来将庞大且可伸缩的IT能力,例如计算、存储、网络等资源提供的能力,集合起来作为服务提供给用户。现如今,随着云计算的发展,国内外越来越多的云服务提供商开始向用户提供云服务,这些云服务包括基础架构服务、平台服务、软件服务等。Cloud computing is a new way of computing and services based on the Internet. It uses Internet technology to combine huge and scalable IT capabilities, such as computing, storage, network and other resource capabilities, and provide them to users as services. Nowadays, with the development of cloud computing, more and more cloud service providers at home and abroad have begun to provide cloud services to users. These cloud services include infrastructure services, platform services, software services, etc.
然而,由于各个云服务提供商有自己的服务覆盖地域和业务特点,用户在需要跨区域使用云服务的时候,可能要跨云使用不同云的服务,此时通常需重复进行身份认证。上述跨区域包括跨国家/地区等。可以理解,不同国家/地区、不同阶段所使用的众多环境都会有相应独立的数据库,不同环境之间的数据因此也是相互隔离的。如此,客户端在响应用户的数据处理请求访问不同的环境时,需要各个环境都对应记录有相应用户的身份信息和认证信息,以完成用户的身份认证,保障数据安全性。众多环境中的这些身份信息和认证信息的管理维护便也成为了一个巨大的挑战。并且,不同的环境所记录的身份信息和认证信息可能还会有所区别,当这些环境需要用户输入相应信息进行身份认证时,也会给用户带来较大不便。However, since each cloud service provider has its own service coverage area and business characteristics, when users need to use cloud services across regions, they may need to use services from different clouds across clouds, and identity authentication is usually required to be repeated. The above-mentioned cross-region includes cross-country/region, etc. It can be understood that many environments used in different countries/regions and different stages will have corresponding independent databases, and the data between different environments are therefore isolated from each other. In this way, when the client responds to the user's data processing request to access different environments, each environment needs to record the corresponding user's identity information and authentication information to complete the user's identity authentication and ensure data security. The management and maintenance of these identity information and authentication information in many environments has also become a huge challenge. In addition, the identity information and authentication information recorded in different environments may be different. When these environments require users to enter corresponding information for identity authentication, it will also cause great inconvenience to users.
因此,如何提供一种便于用户在访问不同的环境能够快速进行身份认证的方案,是目前亟待解决的问题。Therefore, how to provide a solution that allows users to quickly perform identity authentication when accessing different environments is a problem that needs to be solved urgently.
发明内容Summary of the invention
本申请提供了一种身份认证方法、平台、电子设备及计算机可读介质,能够在需要跨环境访问服务或数据的情况下,快速完成相应用户在提供服务或数据的各运行环境中的身份认证,从而提高业务平台对用户端请求的响应速率,并且能够保障各运行环境的安全性。The present application provides an identity authentication method, platform, electronic device and computer-readable medium, which can quickly complete the identity authentication of the corresponding user in each operating environment that provides services or data when cross-environment access to services or data is required, thereby improving the response rate of the business platform to user-side requests and ensuring the security of each operating environment.
具体地,第一方面,本申请提供了一种身份认证方法,应用于管理多个运行环境的云管理平台,该云管理平台从多个运行环境中预先确定出第一环境、并确定第一环境对至少一个第二环境具有管理权限的关联关系,多个运行环境包括至少一个第二环境;该方法包括:Specifically, in a first aspect, the present application provides an identity authentication method, which is applied to a cloud management platform that manages multiple operating environments, wherein the cloud management platform predetermines a first environment from multiple operating environments, and determines an association relationship in which the first environment has management authority over at least one second environment, wherein the multiple operating environments include at least one second environment; the method comprises:
第一环境接收用户操作请求,其中用户操作请求用于请求目标环境中的服务或数据,其中目标环境为至少一个第二环境中的任一环境;第一环境确认用户操作请求对应的第一用户信息满足第一认证条件,向目标发送访问请求;目标环境确定访问请求中的第一 身份信息指示的第一环境满足第二认证条件,向第一环境发送自身的第二身份信息;其中,第一认证条件用于认证用户身份是否具备操作权限;第二认证条件用于反向认证第一环境对目标环境是否具备管理权限,第二身份信息用于提供对目标环境中服务或数据的获取权限。The first environment receives a user operation request, wherein the user operation request is used to request services or data in a target environment, wherein the target environment is any environment in at least one second environment; the first environment confirms that the first user information corresponding to the user operation request satisfies the first authentication condition, and sends an access request to the target; the target environment determines the first user information in the access request. The first environment indicated by the identity information satisfies the second authentication condition and sends its own second identity information to the first environment; wherein the first authentication condition is used to authenticate whether the user identity has operation authority; the second authentication condition is used to reversely authenticate whether the first environment has management authority over the target environment, and the second identity information is used to provide access to services or data in the target environment.
For example, the first environment may be a main control environment (main environment) configured by the cloud management platform, serving as the unified entry point for user operation requests. The second environment may be any other operating environment (runtime environment) subordinate to the main environment, that is, an environment over which the first environment has management authority. That management authority may be, for example, the right of the first environment to access the second environment to obtain a required service or data. The target environment is the specific second environment requested by a given user operation request.
In this way, a single main environment records users' identity and authentication information, receives user operation requests and authenticates users, which avoids the repeated authentication that results when every operating environment has to record users' identity information and improves the efficiency of identity authentication. Moreover, after the main environment has authenticated the user, the operating environment being asked for a service or data can reverse-authenticate the main environment (the process described above in which the first environment is confirmed to satisfy the second authentication condition) to verify that the main environment is one that holds management authority over it, rather than an environment forged by an intruder into the business platform. This protects the services and data provided by each operating environment.
In a possible implementation of the first aspect, the first environment confirming that the first user information corresponding to the user operation request satisfies the first authentication condition comprises: the first environment obtains a token for user identity authentication, the token being generated from second user information recorded in the first environment; the first environment detects that the first user information matches the second user information corresponding to the token, and confirms that the first user information corresponding to the user operation request satisfies the first authentication condition.
That is, the first environment can complete user authentication with a token. The identity and authentication information used to verify users, such as account names and passwords (the second user information above), can be recorded in the first environment in advance, so the first environment can use the recorded second user information to check whether the first user information entered with the user operation request satisfies the first authentication condition. The second user information does not need to be recorded in every operating environment managed by the main environment, and the user terminal that initiates the user operation request can obtain services or data in each operating environment quickly without authenticating again.
In a possible implementation of the first aspect, the first user information matching the second user information corresponding to the token comprises: the account name and password in the first user information being identical to the account name and password, corresponding to the second user information, carried by the token.
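As an added example (not code from the patent), the following Python models the first authentication condition described in the implementations above: the main environment issues a token from the recorded second user information and later checks that the first user information presented with a user operation request matches the second user information the token corresponds to. The token format, the HMAC key, the PBKDF2 verifier, the expiry and the sample account are assumptions of the example; the text only requires that the account name and password in the first user information agree with those the token corresponds to. The example carries a digest of the recorded password verifier in the token rather than the password itself, so a leaked token does not reveal the credential.

```python
import hashlib
import hmac
import json
import os
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

# Signing key held only by the main environment. The patent does not fix a token
# format; the HMAC-protected payload below is this example's assumption.
_TOKEN_KEY = os.urandom(32)
_SALT = b"constructed-example-salt"  # a real deployment uses a random salt per user


def _verifier(password: str) -> bytes:
    """PBKDF2 password verifier; the plaintext password is never stored or put in a token."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


# Second user information recorded in the main environment (constructed sample record).
RECORDED_USERS = {"alice": _verifier("correct horse battery staple")}


def _b64e(raw: bytes) -> str:
    return urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(account: str, now: Optional[float] = None, ttl: int = 3600) -> str:
    """Generate the token from the recorded second user information.

    The payload carries the account name, a digest of the recorded verifier and
    an expiry; the HMAC over the payload makes the token tamper-evident.
    Raises KeyError for an account the main environment has not recorded.
    """
    now = time.time() if now is None else now
    payload = {
        "acct": account,
        "vfy": hashlib.sha256(RECORDED_USERS[account]).hexdigest(),
        "exp": int(now + ttl),
    }
    body = _b64e(json.dumps(payload, sort_keys=True).encode("utf-8"))
    mac = hmac.new(_TOKEN_KEY, body.encode("ascii"), "sha256").digest()
    return body + "." + _b64e(mac)


def first_condition_met(first_user_info: dict, token: str, now: Optional[float] = None) -> bool:
    """First authentication condition: the first user information presented with the
    user operation request matches the second user information the token corresponds to.

    Every comparison is constant-time so that neither the MAC, the account name
    nor the verifier digest leaks through timing.
    """
    now = time.time() if now is None else now
    try:
        body, mac_text = token.split(".", 1)
        expected_mac = hmac.new(_TOKEN_KEY, body.encode("ascii"), "sha256").digest()
        if not hmac.compare_digest(expected_mac, _b64d(mac_text)):
            return False  # token forged or tampered
        payload = json.loads(_b64d(body).decode("utf-8"))
        if int(payload.get("exp", 0)) < now:
            return False  # token expired
        account = str(first_user_info["account"]).encode("utf-8")
        if not hmac.compare_digest(str(payload.get("acct", "")).encode("utf-8"), account):
            return False  # account name differs from the one the token was issued for
        presented = hashlib.sha256(_verifier(str(first_user_info["password"]))).hexdigest()
        return hmac.compare_digest(presented.encode("ascii"),
                                   str(payload.get("vfy", "")).encode("utf-8"))
    except (ValueError, KeyError, TypeError, AttributeError, UnicodeError):
        return False
```

Any failure path (bad MAC, expired token, unknown or mismatched account, wrong password, malformed token) returns False without distinguishing the cause, so the caller learns only that the first authentication condition was not met.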
In a possible implementation of the first aspect, the access request comprises a header request and a verification packet, where the header request requests the service or data in the target environment and the verification packet provides the first identity information to the target environment.
In a possible implementation of the first aspect, the target environment determining that the first environment indicated by the first identity information in the access request satisfies the second authentication condition comprises: the target environment parses the verification packet to obtain the first identity information; the target environment sends an identity authentication request to the first environment according to the first identity information; and on receiving the confirmation result returned by the first environment in response to the identity authentication request, the target environment determines that the first environment indicated by the first identity information satisfies the second authentication condition.
The identity authentication request sent to the first environment is, for example, a reverse authentication request sent by the target environment (one of the second environments) to the main environment. When the first environment (the main environment) responds to that request by returning a confirmation result to the target environment, the target environment can determine that the first environment has management authority over it, that is, that the second authentication condition is satisfied.
In a possible implementation of the first aspect, the target environment determining that the first environment indicated by the first identity information in the access request satisfies the second authentication condition comprises: the target environment parses the verification packet to obtain the first identity information; the target environment determines, from the first identity information, the management-authority-related information that matches the first environment and sends the identity authentication request to the first environment according to that information, where the management-authority-related information indicates the association relationship in which the first environment has management authority over the target environment; and on receiving the confirmation result returned by the first environment in response to the identity authentication request, the target environment determines that the first environment indicated by the first identity information satisfies the second authentication condition.
In a possible implementation of the first aspect, the verification packet also provides the first user information to the target environment, and sending the second identity information to the first environment comprises: the target environment determines, from the first user information obtained by parsing the verification packet, that third user information exists in the target environment, where the user name indicated by the third user information is the same as the user name indicated by the first user information; the target environment binds the second identity information to the third user information and sends it to the first environment.
In a possible implementation of the first aspect, sending the second identity information to the first environment further comprises: the target environment determines, from the first user information obtained by parsing the verification packet, that no third user information exists in the target environment; the target environment creates third user information from the user name indicated by the first user information, binds the second identity information to the third user information and sends them to the first environment.
In a possible implementation of the first aspect, binding the second identity information to the third user information comprises any one of: adding the third user information to the second identity information as a tag; adding both the second identity information and the third user information to the data packet sent to the first environment; or adding the second identity information to the third user information.
In a second aspect, this application provides a cloud management platform comprising a first environment and at least one second environment designated in advance from among multiple operating environments, where the first environment has management authority over the at least one second environment. The first environment is configured to receive a user operation request and, on confirming that the first user information corresponding to the user operation request satisfies a first authentication condition, to send an access request to a target environment, where the user operation request requests a service or data in the target environment and the target environment is any one of the at least one second environment. The target environment is configured to send its own second identity information to the first environment on determining that the first environment indicated by the first identity information in the access request satisfies a second authentication condition. The first authentication condition is used to authenticate whether the user identity has operation authority, the second authentication condition is used to reverse-authenticate whether the first environment has management authority over the target environment, and the second identity information grants access to the service or data in the target environment.
In a third aspect, this application provides an electronic device comprising one or more processors and one or more memories, the one or more memories storing one or more programs which, when executed by the one or more processors, cause the device to perform the identity authentication method of the first aspect and of any of its possible implementations.
In a fourth aspect, this application provides a computer-readable medium storing instructions which, when executed on a computer, cause the computer to perform the identity authentication method of the first aspect and of any of its possible implementations.
FIG. 1 is a schematic diagram of an application scenario of an identity authentication method according to an embodiment of this application.
FIG. 2 is a schematic diagram of the working principle of an identity authentication method according to an embodiment of this application.
FIG. 3 is a schematic diagram of the implementation flow of an identity authentication method according to an embodiment of this application.
FIG. 4 is a schematic diagram of the software structure of a cloud management platform according to an embodiment of this application.
FIG. 5 is a schematic diagram of the hardware structure of a server according to an embodiment of this application.
To aid understanding of this application, some concepts from the technical fields involved in its embodiments are explained first.
(1) Cloud: a collection of hardware and software resources. A cloud generally has multiple regions in different countries or areas; each region includes at least one data center, and each data center contains hardware and software resources. Different cloud service providers build different clouds, each of which rents resources (computing, storage, network, applications and so on) to users in the form of cloud services. Cloud computing lets users obtain cloud services from many locations and on many kinds of terminal; the hardware and software resources supporting those services come from the cloud.
(2) Database: a store for large numbers of data entities. Database design is the process of planning and structuring the data entities in a database and the relationships between them.
(3) Region, availability zone (AZ) and data center (DC): regions are generally far apart geographically. Different countries can be different regions, as can different parts of one country, for example a cloud provider's North China, South China and Singapore regions. Each region contains multiple mutually isolated areas called availability zones. Availability zones in the same region generally have independent power supplies and networks, which improves the reliability of the region, and are connected to one another by a low-latency network. Each availability zone in a region includes at least one data center, and each data center contains some quantity of hardware and software resources.
FIG. 1 shows a scenario in which an identity authentication method according to an embodiment of this application is applied.
As shown in FIG. 1, the scenario includes multiple terminals 100 and a server 200. The server 200 may be a cloud server or a set of server clusters distributed over one or more regions. Each region may include one or more availability zones that provide computing resources, and each availability zone includes at least one data center. The hardware resources of a data center may be provided by hosts, and its software resources by the software programs, or services, running on those hosts. In other words, each availability zone provides computing resources through hosts, and those resources can be allocated to mutually isolated environments such as a development environment, a test environment, a pre-release environment and a production environment (also called a release environment); services with particular functions run in each environment and handle the various business requests initiated by clients.
Still referring to FIG. 1, a cloud management platform may run on the server 200 and manage the multiple environments that serve a business platform. These environments may include one or more operating environments distributed over different regions; the business platform may, for example, provide services to clients through environments in region A, region B and so on. Region A may provide environment A01 and environment A02 shown in FIG. 1, where environment A01 provides services a and b and environment A02 provides services c and d; region B may provide environment B01 and environment B02, where environment B01 provides services e and f and environment B02 provides services g and h. The services provided in environments A01, A02, B01, B02 and so on may also serve the service and data needs of different stages. For example, during development a user may need development and debugging services from a development environment; during testing, configuration or mock services from a test environment; and before release, the database, configuration service or synchronization service of a pre-release environment. No limitation is imposed here.
A client may run on each terminal 100; the client accesses the business platform served by the server 200 and requests the corresponding service to process the business request entered by the user. Different terminals 100 may be located in different regions. In some scenarios, the different environments in each region provide the required services or data to the corresponding clients. For example, client A01 in region A may need to access environment A01 and client A02 environment A02, while client B01 in region B may need to access environment B01 and client B02 environment B02; the clients running on the terminals 100 may therefore need to access different environments in different regions. In other scenarios, a client in one region may also need to access several environments in its own region or environments in other regions; client A01, for instance, may need to access environments A01 and A02 in region A as well as environment B01 in region B. The users in question may be, for example, developers or administrators of the business platform; no limitation is imposed here.
Because the databases and other middleware of different environments are necessarily separate, the data and resources of the environments are usually isolated from one another as well. The production environment of region A and the production environment of region B hold isolated data and resources, and the production environment and the test environment of region A are usually isolated from each other too. This protects the data and resources within each region.
However, a user may need the data and resources of different environments at different stages, and will then access the environment of the relevant stage through the client to obtain services or data interfaces (application programming interfaces, APIs). A user may also need data or services provided by environments in different regions, and will likewise access the environment of the relevant region through the client to obtain the required service or data interface.
As noted above, because of the isolation between environments, each environment has to record users' identity and authentication information so that it can complete the user's authentication when the user logs in with an account and then provide services or data. Different users have different identity and authentication information even within one environment, so a large amount of user identity information and corresponding authentication information has to be recorded and managed across many environments, which is inconvenient to maintain. When each environment requires the user to enter identity or authentication information, it also places a considerable burden on the user and makes cross-environment services and data interfaces awkward to use.
To solve these problems, this application provides an identity authentication method applied to electronic devices such as a cloud management platform or server that manages the environments described above.
Specifically, one of the multiple independently running environments is designated in advance as the main control environment (main environment); the other environments act as independent operating environments (runtime environments) that interact with the main environment through reserved data interfaces, which establishes the association relationship between the main environment and each operating environment. Access requests to any operating environment, such as requests for the services or data in it, can then be initiated through the single main environment. The main environment authenticates the user once, using the authentication information it records and operates for that user. When an operating environment receives an access request initiated by the main environment, it reverse-authenticates the main environment, for example by checking that the identity information of the main environment corresponds to the identity of the main environment it is associated with, and thereby completes the user's authentication within that operating environment. Once an operating environment has verified the main environment's identity, it can grant the service or data access requested by the user through the main environment.
In this way, when many independently running environments are accessed for services or data, only the main environment has to record and operate user identity and authentication information, and identity authentication can be completed quickly both in the main environment and in each operating environment. This allows the identity and authentication information of different users to be managed centrally, simplifies the entry of identity and verification information, and removes the need for users to re-enter authentication information when accessing different environments. Moreover, an access request to an operating environment is first authenticated once in the main environment, the relationship between the main environment and the operating environment is then verified, and the user is authenticated a second time in the operating environment, which also raises the level of security.
The main environment and the operating environments may belong to the same business platform or to associated business platforms that have authorized each other to manage user identity and authentication information. The main environment may be an environment to which the operating environments of one business platform are subordinate, or any environment selected from multiple parallel, independently running environments that holds management authority over the others; that management authority includes at least the authority to access the other environments. This application imposes no limitation here.
The authentication information used for user identity authentication may be, for example, a token generated from the account and password entered by the user; the token may use, for example, the authentication mode of an access token, without limitation. The identity information may include the identity (ID) information of the main environment and the identity information of each operating environment. On receiving a user operation, the main environment obtains the corresponding token from the account and password and performs authentication; once authentication succeeds, it sends the token and its own identity information to the requested operating environment. The operating environment then reverse-authenticates the main environment from the received token and identity information and, when that authentication succeeds, provides its own identity information to the main environment so that the requested service or data can be provided through the main environment.
In some practical scenarios an operating environment may hold no record of the user identity information corresponding to an access request initiated through the main environment. The operating environment can then create the corresponding user identity information, bind its own authentication information to it, and provide the result to the main environment for use.
The server 200 to which the identity authentication method of the embodiments applies may be an application server, a database server, a cluster or another electronic device with substantial storage and computing capacity; no limitation is imposed here.
The terminal 100 to which the identity authentication method of the embodiments applies may include, without limitation, a notebook computer, tablet computer, desktop, laptop, handheld computer, netbook, mobile phone, augmented reality (AR) or virtual reality (VR) device, smart television, a device with one or more processors embedded in or coupled to it, or any other device able to access the network.
Based on the scenario of FIG. 1, FIG. 2 shows the working principle of an identity authentication method according to an embodiment of this application.
As shown in FIG. 2, the identity authentication scheme of this application routes user operation requests received through the terminals 100 and the like to the gateway 211 of the main environment 210 for processing, as in process ① of FIG. 2. A user operation request may be, for example, a request for a service or data from a remote operating environment in another region. The gateway 211 of the main environment 210 then obtains the corresponding token from the recorded or user-entered account and password and authenticates the user, as in process ②.
After confirming that the logged-in user is legitimate, the main environment 210 sends the corresponding access request to the requested operating environment 220. In some embodiments, as in process ③, the access request sent by the main environment 210 to the operating environment 220 comprises a header request based on header information and a verification packet, and is admitted to the operating environment by its gateway 221. The header request may carry the obtained token and the identity information of the main environment 210 and is used to request the service or data from the operating environment 220. The verification packet may also carry the token and the identity information of the main environment 210 and is parsed by the operating environment 220, as in process ④. In process ⑤, the operating environment 220 uses the identity information obtained from the packet to verify whether the main environment 210 is the environment it belongs to, that is, it reverse-verifies the identity of the main environment 210.
After the operating environment 220 has successfully reverse-verified the identity of the main environment 210, as in process ⑥, it provides its own identity information to the main environment 210 in response to the header request and thereby grants the main environment 210 access to the requested service or data.
Based on the application scenario shown in FIG. 1, FIG. 3 is a schematic diagram of the interaction flow for implementing an identity authentication method according to an embodiment of the present application. The flow shown in FIG. 3 mainly involves the interaction between the main control environment 210 and the operating environment 220. The main control environment 210 and the operating environment 220 may be managed uniformly by a cloud management platform; the cloud management platform can select the main control environment from among the multiple environments it manages and set the association between the main control environment and each operating environment, for example a relationship in which an operating environment is subordinate to the main control environment.
It should be noted that the steps of the methods and flows in the embodiments of the present application are numbered for ease of reference, not to prescribe an order; where an order between steps exists, the textual description prevails.
As shown in FIG. 3, the flow specifically includes the following steps:
301: The main control environment 210 receives an operation request from a user, where the operation request asks to obtain services or data from a remote operating environment.
For example, a user may initiate a request to obtain services or data in certain environments through a handheld terminal 100 such as a notebook computer or other electronic device. These environments may run on servers in the same region, or be provided in different availability zones of different regions; they may be different environments of the same stage, or operating environments of different stages, such as a test environment, a pre-release environment, and so on.
As described above, among environments belonging to the same business platform or to different business platforms, one environment may be designated in advance as the main control environment, and the main control environment may be connected to the other operating environments through APIs to establish a relationship of ownership. The main control environment 210 can serve as the entry point for requests to obtain services or data from any environment, including requests for services or data in a remote operating environment 220.
302: The main control environment 210 obtains, based on recorded account information, token information used to verify whether the user's identity is legitimate.
For example, the main control environment 210 may record in advance the account, password and other details registered by each user, used to verify the legitimacy of the user's identity and to mark the permission of the user, or of the tenant to which the user belongs, to obtain services or data in each environment. When logging in through a web page or an installed client on the terminal, the user may also enter account information such as the account and password for verification. The main control environment 210 then receives the verification request issued by the terminal 100 in response to the user's operation and, based on the recorded account information such as the account and password, obtains a token for user identity verification. After obtaining the token, the main control environment 210 may store it and use it to perform steps 303 to 304 below.
303: The main control environment 210 confirms from the token information that the user's identity is legitimate.
For example, the main control environment 210 can use the token information obtained above to verify whether the account and password entered by the user at login are correct, and thereby whether the user's identity is legitimate. If the account and password information corresponding to the token information matches the account and password information entered by the user, the main control environment 210 determines that the user's identity is legitimate and that the user is entitled to access the services or data in the requested environment. Conversely, if the account and password information corresponding to the token information does not match what the user entered, the main control environment 210 determines that the user's identity is not legitimate and that the user is not entitled to access the requested environment.
304: The main control environment 210 calls a first environment interface to initiate an access request to the operating environment 220.
For example, after determining that the identity of the user who initiated the operation is legitimate, the main control environment 210 may, according to the information about the operating environment targeted by the user's operation request, call the interface of that operating environment to initiate an access request, for example calling the first environment interface of the operating environment 220 described above to initiate an access request to the operating environment 220. The access request may include a header request and a verification packet. The header request is used to request the required services or data from the target operating environment, and the verification packet can be parsed by the operating environment 220 to deliver the above token information to the operating environment 220.
In addition, the main control environment 210 may also use the verification packet to provide the operating environment 220 with the identity information corresponding to the main control environment 210, for use by the operating environment 220 when reverse-verifying the legitimacy of the main control environment 210's identity. For details, refer to the description of step 306 below, which is not repeated here.
305: The operating environment 220 parses the verification packet in the access request to obtain the token information and the first identity information of the main control environment.
For example, after receiving the access request from the main control environment 210, the operating environment 220 may first parse the verification packet carried by the access request to obtain the token information and the first identity information corresponding to the main control environment 210. The operating environment 220 can use the token information to bind the corresponding user identity when providing the requested service or data, and can use the first identity information to verify the identity of the main control environment 210, for example to verify whether the main control environment 210 is the environment to which the operating environment 220 belongs, or whether the main control environment 210 has management authority over the operating environment 220.
306: The operating environment 220 calls a second environment interface to initiate a reverse identity authentication request to the main control environment 210.
For example, after parsing out the first identity information of the main control environment 210, the operating environment 220 may initiate an authentication request to the main control environment 210 either based on main control environment identification information determined to match the first identity information, or directly based on the first identity information. Specifically, the operating environment 220 may call the second environment interface provided by the main control environment 210 to initiate the identity authentication request.
In the embodiments of the present application, for ease of understanding, the preceding process in which the main control environment 210 initiates an access request to the operating environment may be called the forward process, and the process performed in this step, in which the operating environment 220 initiates an identity authentication request to the main control environment, may be called the reverse process. Accordingly, the operating environment 220 calls the second environment interface to initiate a reverse identity authentication request to the main control environment 210.
It will be appreciated that in some embodiments, each operating environment belonging to the same main control environment may record the identity information of that main control environment in advance. In that case, when an operating environment receives an access request initiated by the main control environment, it can look up, among the recorded main control environment identity information, the entry that matches the received first identity information and initiate the reverse identity authentication request based on the matched entry. In other embodiments, each operating environment may instead send the identity authentication request to the corresponding main control environment directly based on the received first identity information; no limitation is imposed here. The identity authentication request initiated by the operating environment 220 may be used, for example, to ask for confirmation that the operating environment 220 is subordinate to the corresponding main control environment.
307: The main control environment 210 returns an authentication result to the operating environment 220 in response to the identity authentication request.
For example, when the main control environment 210 receives the above identity authentication request sent in reverse by the requested operating environment 220, it may return an authentication result to the operating environment 220. For instance, the main control environment 210 may return "true" or "false" to the operating environment 220 as the authentication result; the present application imposes no limitation here.
It will be appreciated that the reverse authentication of the main control environment 210 by the operating environment 220 described in steps 306 to 307 ensures that an access request asking the operating environment 220 for services or data comes from a legitimate main control environment, rather than from an illegitimate environment forged by an unauthorized user or an intruder into the business platform. This protects the security of the data in the accessed operating environment 220. The legitimate main control environment may be, for example, the main control environment to which the operating environment 220 belongs, or an authenticated environment that has some other authorization relationship with the operating environment 220; no limitation is imposed here.
308: The operating environment 220 confirms from the received authentication result that the authentication has passed.
For example, the operating environment 220 confirms whether the identity authentication of the main control environment 210 has passed according to the authentication result returned by the main control environment 210, such as the "true" or "false" mentioned above.
309: The operating environment 220 determines whether user information with the same name exists in this environment.
If the result is yes, the operating environment 220 may proceed to step 311 below and provide its own identity information to the corresponding main control device.
If the result is no, the operating environment 220 may first perform step 310 below to create user information identical to the user information in the received token information, that is, the same-name user information mentioned above.
For example, based on the token information parsed in step 305, the operating environment 220 can identify the user information for which the service or data is to be obtained, such as the account name or user name, password and other account details of that user, and determine whether user information with a matching account name or user name exists in this environment. If the operating environment 220 finds that corresponding user information exists and that it is the same as the user information indicated by the token, for example the user name matches, it determines that same-name user information exists in this environment. If the operating environment 220 finds that no corresponding user information exists, or that the recorded user information differs from that indicated by the token, for example the user name differs, it determines that no same-name user information exists in this environment.
310: The operating environment 220 creates the same-name user information.
For example, the operating environment 220 can create same-name user information according to the user information indicated by the parsed token. If the user name in the user information indicated by the parsed token is "yibao01", the user name of the same-name user information created by the operating environment 220 is also "yibao01".
It will be appreciated that the same-name user information in the operating environment 220 is mainly used, when performing step 311 below, to mark the second identity information provided to the main control environment 210 that initiated the access request. For details, refer to the relevant description below, which is not repeated here.
It will be appreciated that in some scenarios of remote access to an operating environment, the operating environment 220 automatically creates the same-name user information to keep the corresponding user information synchronized with the main control environment 210, which ensures that the corresponding user operation executes successfully once the identity authentication of steps 301 to 310 is complete. For example, the same-name user information ensures that the operating environment 220 can successfully perform step 311 below and the main control environment 210 can successfully perform step 312 below, completing the process of returning the requested service or data to the user.
311: The operating environment 220 uses the same-name user information to provide the second identity information of the operating environment to the main control environment 210.
For example, after confirming that the identity of the main control environment 210 is legitimate, the operating environment 220 may bind its own identity information to the existing same-name user information and send both to the main control device 210. To distinguish it from the first identity information corresponding to the main control environment 210, the identity information provided by the operating environment 220 may be labelled the second identity information. The binding may include, but is not limited to, marking the same-name user information on the second identity information, adding the second identity information to the same-name user information, or compressing the second identity information and the same-name user information into the same packet.
It will be appreciated that the second identity information provided by the operating environment 220 to the authenticated main control environment 210 can be used to authorize the main control environment 210 to obtain services or data in the corresponding operating environment.
312: The main control environment 210 uses the received second identity information to call a service interface or data interface in the operating environment to obtain the service or data.
For example, the main control environment 210 may obtain the required services or data from the operating environment 220 according to the second identity information returned by the operating environment 220, and then provide them to the terminal 100 on which the user operation was performed, or to the client running on that terminal 100.
Thus, through the execution of steps 301 to 312, the identity authentication needed when a user obtains services or data in each operating environment is managed uniformly by the main control environment 210, so the user need not repeatedly enter an account and password for authentication. This simplifies user operation, and in particular simplifies scheduled access by users to services or data in remote operating environments. In addition, having an operating environment that is subordinate to a main control environment reverse-authenticate that main control environment when accepting its access request also improves the security of the identity authentication information managed uniformly by the main control environment, and helps to continue protecting the data of each user, each user's tenant, and each region and environment.
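As an added example that is not part of the patent or of any product, the following Python model walks through steps 301 to 312 with both sides' messages: the main control environment issues a token, sends the header request and verification packet, and answers the reverse authentication on interface I, while the operating environment syncs the same-name user and returns second identity information. The HMAC token format, the grant handle, the class and interface names and the sample accounts are assumptions; the model also refuses a forged packet and a request from an environment never registered as a subordinate, which is the purpose the text gives for the reverse check.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AccessRequest:
    """Forward access request (step 304): header request plus verification packet."""
    header: dict
    packet: dict


class MainControlEnvironment:
    """Main control environment 210: login, token issuance and interface I."""

    def __init__(self, env_id: str, accounts: dict):
        self.env_id = env_id
        self.accounts = accounts               # recorded account -> password (constructed)
        self._key = secrets.token_bytes(32)    # assumption: HMAC key used to mint tokens
        self.subordinates: set = set()         # operating environments owned by this one
        self._issued: dict = {}                # token -> user name (steps 302/303)

    def issue_token(self, username: str, password: str):
        """Steps 302/303: check the recorded account, then mint a token."""
        if not hmac.compare_digest(self.accounts.get(username, ""), password):
            return None
        token = hmac.new(self._key, username.encode(), hashlib.sha256).hexdigest()
        self._issued[token] = username
        return token

    def reverse_authenticate(self, requester_env_id: str, first_identity: dict,
                             token: str) -> bool:
        """Interface I (steps 306/307): true only if the token was really issued
        here, the claimed identity is ours and the caller is a recorded subordinate."""
        return (token in self._issued
                and first_identity.get("env_id") == self.env_id
                and requester_env_id in self.subordinates)

    def fetch(self, token: str, target: "OperatingEnvironment"):
        """Steps 304 and 312: forward request, then call the data interface."""
        if token not in self._issued:
            return None
        identity = {"env_id": self.env_id}
        req = AccessRequest(header={"token": token, "identity": identity},
                            packet={"token": token, "identity": identity,
                                    "user": self._issued[token]})
        second_identity = target.interface_ii(req)
        return None if second_identity is None else target.interface_iii(second_identity)


class OperatingEnvironment:
    """Operating environment 220: interfaces II and III, same-name user sync."""

    def __init__(self, env_id: str, main_control: MainControlEnvironment):
        self.env_id = env_id
        self.main_control = main_control   # pre-recorded main control identity (step 306)
        self.users: dict = {}              # local user store (steps 309/310)
        self._grants: dict = {}            # grant handle -> user name (step 311)

    def interface_ii(self, req: AccessRequest):
        """Steps 305-311: parse packet, reverse-authenticate, sync user, return identity."""
        token, first_identity, user = (req.packet["token"], req.packet["identity"],
                                       req.packet["user"])
        if not self.main_control.reverse_authenticate(self.env_id, first_identity, token):
            return None                                # step 308 failed: refuse
        if user not in self.users:                     # step 309 -> step 310
            self.users[user] = {"synced_from": first_identity["env_id"]}
        grant = secrets.token_hex(8)                   # assumption: random grant handle
        self._grants[grant] = user
        return {"env_id": self.env_id, "user": user, "grant": grant}

    def interface_iii(self, second_identity: dict):
        """Step 312: serve data only against a grant this environment issued."""
        user = self._grants.get(second_identity.get("grant"))
        if user is None or second_identity.get("env_id") != self.env_id:
            return None
        return f"{self.env_id}:data-for:{user}"


def demo() -> dict:
    """Constructed scenario: legit flow, wrong password, forged packet, unregistered caller."""
    main = MainControlEnvironment("A01", {"yibao01": "s3cret"})
    b01 = OperatingEnvironment("B01", main)
    main.subordinates.add("B01")
    c01 = OperatingEnvironment("C01", main)            # not a subordinate of A01
    token = main.issue_token("yibao01", "s3cret")
    forged = AccessRequest(header={}, packet={"token": "never-issued",
                                             "identity": {"env_id": "A01"},
                                             "user": "yibao01"})
    return {
        "legit": main.fetch(token, b01),               # "B01:data-for:yibao01"
        "user_created": "yibao01" in b01.users,        # True: step 310 ran
        "bad_password": main.issue_token("yibao01", "wrong"),
        "forged_refused": b01.interface_ii(forged),    # None: reverse check fails
        "unregistered_refused": main.fetch(token, c01),
    }
```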
It will be appreciated that a user can integrate services provided by the different environments of different business platforms according to business needs or usage scenarios. Across the different environments of one business platform, different users may have different user names (or account names) and passwords for verifying user identity and permissions. Across the environments of different business platforms, the users of each platform can also be distinguished by the identification information of the corresponding platform. Therefore, by controlling the information that is specific to each business platform's environments, such as the domain name, environment interfaces (APIs), login account and password, each business platform can switch a user consistently between different business platforms or different environments, and thereby allow the user to use the environments of different business platforms.
For example, a user may integrate services from the production environment of region A, the test environment of region A, the production environment of region B and the test environment of region B to develop or test a feature of a client or of a business platform web page. As described above, regions A and B may denote regional isolation between different countries, or between different provinces and cities, and so on; no limitation is imposed here.
FIG. 4 is a schematic structural diagram of a cloud management platform according to an embodiment of the present application.
As shown in FIG. 4, the cloud management platform 400 can manage multiple environments. As described above, these environments may serve the same business platform or different business platforms; they may provide stage-specific services for software products such as clients at different stages; and they may be distributed within the same region or in different regions, for example environments A01 and A02 in region A and environments B01 and B02 in region B, and so on. The present application imposes no limitation here.
Based on the identity authentication method provided by the present application, the cloud management platform 400 can designate environment A01 among the multiple environments as the main control environment, and the main control environment A01 and the operating environments A02, B01 and B02 can establish a master-subordinate relationship through environment interfaces (APIs), making environments A02, B01 and B02 operating environments subordinate to the main control environment A01. As an example, these environment interfaces may include interface I shown in FIG. 4, a reverse authentication interface set up on the main control environment A01 and provided to the operating environments. They may also include interface II and interface III shown in FIG. 4, two interfaces provided to the main control environment A01: interface II is used to receive access requests initiated by the main control environment, and interface III is used to provide the requested services and data to the main control environment.
Through interface I preset on the main control environment and interfaces II and III preset on the operating environments, the main control environment and the operating environments can carry out the interaction flow shown in FIG. 3 above and implement the identity authentication method provided by the present application.
FIG. 5 is a schematic diagram of the hardware structure of a server 200 according to an embodiment of the present application.
As shown in FIG. 5, in some embodiments the server 200 may include one or more processors 504, system control logic 508 connected to at least one of the processors 504, system memory 512 connected to the system control logic 508, non-volatile memory (NVM) 516 connected to the system control logic 508, and a network interface 520 connected to the system control logic 508.
In some embodiments, the processors 504 may include one or more single-core or multi-core processors. In some embodiments, the processors 504 may include any combination of general-purpose processors and special-purpose processors (for example, graphics processors, application processors, baseband processors, and so on). In embodiments where the server 200 serves as an eNB (Evolved Node B) 101 or a RAN (Radio Access Network) controller 102, the processors 504 may be configured to execute the various embodiments described, for example the embodiments shown in FIG. 2 to FIG. 3 above or other embodiments.
In some embodiments, the system control logic 508 may include any suitable interface controller to provide any suitable interface to at least one of the processors 504 and/or to any suitable device or component communicating with the system control logic 508.
In some embodiments, the system control logic 508 may include one or more memory controllers to provide an interface to the system memory 512. The system memory 512 may be used to load and store data and/or instructions. In some embodiments, the memory 512 of the server 200 may include any suitable volatile memory, such as suitable dynamic random access memory (DRAM).
The NVM 516 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions. In some embodiments, the NVM 516 may include any suitable non-volatile memory such as flash memory, and/or any suitable non-volatile storage device, such as at least one of an HDD (Hard Disk Drive), a CD (Compact Disc) drive and a DVD (Digital Versatile Disc) drive.
The NVM 516 may include part of the storage resources on the apparatus on which the server 200 is installed, or it may be accessible to the apparatus without necessarily being part of it. For example, the NVM/storage 516 may be accessed over a network via the network interface 520.
In particular, the system memory 512 and the NVM 516 may include a temporary copy and a permanent copy, respectively, of instructions 524. The instructions 524 may include instructions that, when executed by at least one of the processors 504, cause the server 200 to implement the method shown in FIG. 3. In some embodiments, the instructions 524, hardware, firmware and/or software components thereof may additionally or alternatively be located in the system control logic 508, the network interface 520 and/or the processors 504.
The network interface 520 may include a transceiver that provides a radio interface for the server 200 to communicate over one or more networks with any other suitable device (such as a front-end module, an antenna, and so on). In some embodiments, the network interface 520 may be integrated with other components of the server 200. For example, the network interface 520 may be integrated with at least one of the processors 504, the system memory 512, the NVM 516 and a firmware device (not shown) holding instructions; when at least one of the processors 504 executes those instructions, the server 200 implements the method shown in FIG. 3 above.
The network interface 520 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface. For example, the network interface 520 may be a network adapter, a wireless network adapter, a telephone modem and/or a wireless modem.
In one embodiment, at least one of the processors 504 may be packaged together with logic for one or more controllers of the system control logic 508 to form a system in package (SiP). In one embodiment, at least one of the processors 504 may be integrated on the same die with logic for one or more controllers of the system control logic 508 to form a system on chip (SoC).
The server 200 may further include an input/output (I/O) device 532. The I/O device 532 may include a user interface enabling a user to interact with the server 200, and a peripheral component interface designed so that peripheral components can also interact with the server 200. In some embodiments, the server 200 also includes sensors for determining at least one of environmental conditions and location information related to the server 200.
在一些实施例中,用户界面可包括但不限于显示器(例如,液晶显示器,触摸屏显示器等),扬声器,麦克风,一个或多个相机(例如,静止图像照相机和/或摄像机),手电筒(例如,发光二极管闪光灯)和键盘。In some embodiments, the user interface may include, but is not limited to, a display (e.g., an LCD display, a touch screen display, etc.), a speaker, a microphone, one or more cameras (e.g., a still image camera and/or a video camera), a flashlight (e.g., an LED flash), and a keyboard.
在一些实施例中,外围组件接口可以包括但不限于非易失性存储器端口、音频插孔和电源接口。In some embodiments, the peripheral component interface may include, but is not limited to, a non-volatile memory port, an audio jack, and a power interface.
在一些实施例中,传感器可包括但不限于陀螺仪传感器,加速度计,近程传感器,环境光线传感器和定位单元。定位单元还可以是网络接口520的一部分或与网络接口520交互,以与定位网络的组件(例如,全球定位系统(GPS)卫星)进行通信。In some embodiments, the sensors may include, but are not limited to, gyroscope sensors, accelerometers, proximity sensors, ambient light sensors, and positioning units. The positioning unit may also be part of or interact with the network interface 520 to communicate with components of a positioning network (e.g., global positioning system (GPS) satellites).
在说明书对“一个实施例”或“实施例”的引用意指结合实施例所描述的具体特征、结构或特性被包括在根据本申请实施例公开的至少一个范例实施方案或技术中。说明书中的各个地方的短语“在一个实施例中”的出现不一定全部指代同一个实施例。References to "one embodiment" or "an embodiment" in the specification mean that the specific features, structures, or characteristics described in conjunction with the embodiment are included in at least one exemplary implementation or technology disclosed according to the embodiment of the present application. The appearance of the phrase "in one embodiment" in various places in the specification does not necessarily all refer to the same embodiment.
本申请实施例的公开还涉及用于执行文本中的操作装置。该装置可以专门处于所要求的目的而构造或者其可以包括被存储在计算机中的计算机程序选择性地激活或者重新配置的通用计算机。这样的计算机程序可以被存储在计算机可读介质中,诸如,但不限于任何类型的盘,包括软盘、光盘、CD-ROM、磁光盘、只读存储器(ROM)、随机存取存储器(RAM)、EPROM、EEPROM、磁或光卡、专用集成电路(ASIC)或者适于存储电子指令的任何类型的介质,并且每个可以被耦合到计算机系统总线。此外,说明书中所提到的计算机可以包括单个处理器或者可以是采用针对增加的计算能力的多个处理器涉及的架构。The disclosure of the embodiment of the present application also relates to an operating device for executing the text. The device can be specially constructed for the required purpose or it can include a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program can be stored in a computer-readable medium, such as, but not limited to any type of disk, including a floppy disk, an optical disk, a CD-ROM, a magneto-optical disk, a read-only memory (ROM), a random access memory (RAM), an EPROM, an EEPROM, a magnetic or optical card, an application-specific integrated circuit (ASIC) or any type of medium suitable for storing electronic instructions, and each can be coupled to a computer system bus. In addition, the computer mentioned in the specification may include a single processor or may be an architecture involving multiple processors for increased computing power.
另外,在本说明书所使用的语言已经主要被选择用于可读性和指导性的目的并且可能未被选择为描绘或限制所公开的主题。因此,本申请实施例公开旨在说明而非限制本文所讨论的概念的范围。 In addition, the language used in this specification has been primarily selected for readability and instructional purposes and may not be selected to describe or limit the disclosed subject matter. Therefore, the present application embodiment disclosure is intended to illustrate rather than limit the scope of the concepts discussed herein.
Claims (12)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310402940.2 | 2023-04-14 | ||
| CN202310402940.2A CN116668065B (en) | 2023-04-14 | 2023-04-14 | Identity authentication method, platform, electronic device and computer readable medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024212724A1 true WO2024212724A1 (en) | 2024-10-17 |
Family ID: 87719593
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2024/079384 Pending WO2024212724A1 (en) | 2023-04-14 | 2024-02-29 | Identity authentication method, platform, electronic device and computer-readable medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN116668065B (en) |
| WO (1) | WO2024212724A1 (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116668065B (en) * | 2023-04-14 | 2025-05-02 | 易保网络技术(上海)有限公司 | Identity authentication method, platform, electronic device and computer readable medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130086670A1 (en) * | 2011-10-04 | 2013-04-04 | Salesforce.Com, Inc. | Providing third party authentication in an on-demand service environment |
| CN104735087A (en) * | 2015-04-16 | 2015-06-24 | 国家电网公司 | Public key algorithm and SSL (security socket layer) protocol based method of optimizing security of multi-cluster Hadoop system |
| CN113225394A (en) * | 2021-04-30 | 2021-08-06 | 中核武汉核电运行技术股份有限公司 | API gateway management system based on container cluster |
| CN115277176A (en) * | 2022-07-25 | 2022-11-01 | 中国电信股份有限公司 | Communication method, communication device, storage medium, and electronic apparatus |
| CN116668065A (en) * | 2023-04-14 | 2023-08-29 | 易保网络技术(上海)有限公司 | Identity authentication method, platform, electronic device and computer readable medium |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10523708B1 (en) * | 2019-03-18 | 2019-12-31 | Capital One Services, Llc | System and method for second factor authentication of customer support calls |
| CN111917711B (en) * | 2020-06-15 | 2023-04-18 | 广州市设计院集团有限公司 | Data access method and device, computer equipment and storage medium |
| CN115484045A (en) * | 2022-07-27 | 2022-12-16 | 国富瑞数据系统有限公司 | A unified identity authentication method and system based on API gateway |
| CN115396183B (en) * | 2022-08-23 | 2023-08-11 | 北京百度网讯科技有限公司 | User identity recognition method and device |
Timeline
- 2023-04-14: CN application CN202310402940.2A, published as CN116668065B (status: Active)
- 2024-02-29: WO application PCT/CN2024/079384, published as WO2024212724A1 (status: Pending)
Also Published As
| Publication number | Publication date |
|---|---|
| CN116668065B (en) | 2025-05-02 |
| CN116668065A (en) | 2023-08-29 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24787830; Country of ref document: EP; Kind code of ref document: A1 |