CN106936772A - A kind of access method, the apparatus and system of cloud platform resource - Google Patents

本发明公开了一种云平台资源的访问方法、装置及系统，包括：云平台侧将接收的用户终端发送的请求访问资源的主账号认证信息与保存的主账号信息进行匹配；当匹配成功时，将云桌面和请求访问资源的主账号推送到与主账号对应的授权的资源设备；分别接收资源设备发送的与主账号对应该资源设备的从账号，资源设备的从账号是由该资源设备从预先保存的主账号与从账号的对应关系中获取，并在云桌面上自动填写从账号后发送的；根据保存的从账号权限信息，对主账号对应的从账号进行合法性验证；当验证通过时，允许访问资源设备上的资源。采用本发明实施例提供的方案，节省了云平台等待用户登录资源设备的时间，从而提高了访问云平台资源的访问效率。

The present invention discloses a cloud platform resource access method, device and system, comprising: the cloud platform side matches the master account authentication information received from a user terminal requesting to access resources with the saved master account information; when the matching is successful , push the cloud desktop and the primary account requesting to access the resource to the authorized resource device corresponding to the primary account; respectively receive the secondary account of the resource device corresponding to the primary account sent by the resource device, and the secondary account of the resource device is determined by the resource device It is obtained from the corresponding relationship between the pre-saved master account and the slave account, and is sent after the slave account is automatically filled in on the cloud desktop; according to the saved slave account permission information, the legitimacy of the slave account corresponding to the master account is verified; when verified When passed, allows access to resources on the resource device. By adopting the solution provided by the embodiment of the present invention, the cloud platform saves the time of waiting for the user to log in to the resource device, thereby improving the access efficiency of accessing the cloud platform resources.

一种云平台资源的访问方法、装置及系统A method, device and system for accessing cloud platform resources

技术领域technical field

本发明涉及网络安全技术领域，尤其涉及一种云平台资源的访问方法、装置及系统。The present invention relates to the technical field of network security, in particular to a method, device and system for accessing cloud platform resources.

背景技术Background technique

云平台是一种将用户桌面操作系统与实际终端设备相分离的应用模式，是将原本运行在用户终端上的桌面操作系统和应用程序托管到服务器端运行，并由用户终端通过网络远程进行访问，用户终端仅实现输入输出与界面显示功能。用户终端在访问云平台上的应用资源时，为了保证云平台的安全性以及用户身份的合法性，云平台需要对访问的用户进行认证，认证通过后，用户才可以使用云平台上的应用资源。The cloud platform is an application mode that separates the user's desktop operating system from the actual terminal device. It hosts the desktop operating system and applications originally running on the user terminal to the server, and the user terminal accesses them remotely through the network. , the user terminal only implements input and output and interface display functions. When the user terminal accesses the application resources on the cloud platform, in order to ensure the security of the cloud platform and the legitimacy of the user identity, the cloud platform needs to authenticate the accessing user. After the authentication is passed, the user can use the application resources on the cloud platform .

目前，现有的访问云平台上的应用资源的方式主要为：用户使用终端在云桌面登录界面上输入4A主账号和静态密码，终端将4A主账号和静态密码发送给云平台控制器，云平台控制器将该4A主账号和静态密码转发给活动目录(AD，Active Directory)域服务器，AD域服务器将该4A主账号和静态密码与AD域账号库中的账号和密码进行匹配，即对用户身份进行第一次验证。如果在AD域账号库中匹配到与该4A主账号和静态密码相同的账号和密码，则对该用户验证通过，云平台控制器将与该用户被授权使用的云平台列表发送给用户终端，云平台列表中记录了该用户可使用的云平台的应用资源。用户在用户终端上显示的云平台列表中选择想要访问的应用资源，并输入应用资源的访问账号和访问密码，用户终端将访问账号和访问密码发送给云平台控制器，云平台控制器对访问账号和访问密码进行认证，如果认证通过，则允许用户终端访问应用资源，如果认证未通过，则拒绝用户终端访问应用资源。At present, the existing ways to access application resources on the cloud platform are as follows: the user uses a terminal to enter the 4A main account and static password on the cloud desktop login interface, and the terminal sends the 4A main account and static password to the cloud platform controller. The platform controller forwards the 4A main account number and static password to the Active Directory (AD, Active Directory) domain server, and the AD domain server matches the 4A main account number and static password with the account number and password in the AD domain account database, that is, the User identity is verified for the first time. If the same account number and password as the 4A main account number and static password are matched in the AD domain account database, then the user is authenticated, and the cloud platform controller sends the list of cloud platforms authorized to use by the user to the user terminal, The cloud platform list records the application resources of the cloud platform available to the user. The user selects the application resource to be accessed from the cloud platform list displayed on the user terminal, and enters the access account and access password of the application resource, the user terminal sends the access account and access password to the cloud platform controller, and the cloud platform controller The access account and access password are authenticated. If the authentication is passed, the user terminal is allowed to access the application resource, and if the authentication fails, the user terminal is denied access to the application resource.

上述现有的访问云平台的应用资源的方法中，由于用户需要两次输入认证信息，操作步骤繁琐，云平台侧则需要等待用户登录的时间，使得访问云平台应用资源的访问效率低。In the above-mentioned existing method for accessing application resources of the cloud platform, since the user needs to input authentication information twice, the operation steps are cumbersome, and the cloud platform side needs to wait for the user to log in, which makes the access efficiency of accessing the application resources of the cloud platform low.

发明内容Contents of the invention

本发明实施例提供一种云平台资源的访问方法、装置及系统，用以解决现有技术中存在的访问云平台应用资源的访问效率低问题。Embodiments of the present invention provide a method, device and system for accessing cloud platform resources to solve the problem of low access efficiency in accessing cloud platform application resources in the prior art.

本发明实施例提供一种云平台资源的访问方法，包括：An embodiment of the present invention provides a method for accessing cloud platform resources, including:

云平台侧将接收的用户终端发送的请求访问资源的主账号认证信息与保存的主账号信息进行匹配；The cloud platform side matches the received primary account authentication information sent by the user terminal requesting to access resources with the saved primary account information;

当匹配成功时，将云桌面和请求访问资源的主账号推送到与所述主账号对应的授权的资源设备；When the matching is successful, push the cloud desktop and the primary account requesting to access the resource to the authorized resource device corresponding to the primary account;

分别接收资源设备发送的与所述主账号对应该资源设备的从账号，所述资源设备的从账号是由该资源设备从预先保存的主账号与从账号的对应关系中获取，并在所述云桌面上自动填写所述从账号后发送的；Respectively receive the secondary account of the resource device corresponding to the primary account sent by the resource device, the secondary account of the resource device is obtained by the resource device from the pre-saved correspondence between the primary account and the secondary account, and in the It is sent after the account is automatically filled in on the cloud desktop;

根据保存的从账号权限信息，对所述主账号对应的从账号进行合法性验证；Verifying the validity of the slave account corresponding to the master account according to the stored slave account authority information;

当验证通过时，允许访问所述资源设备上的资源。When the authentication is passed, access to resources on the resource device is allowed.

通过本发明实施例提供的上述方法，由于云平台的资源设备在获取到与主账号对应的从账号后，将从账号自动填写到云桌面上，减少了用户通过云桌面访问资源设备输入从账号信息的步骤，节省了云平台等待用户登录资源设备的时间，从而提高了访问云平台资源的访问效率。Through the above method provided by the embodiment of the present invention, after the resource device of the cloud platform obtains the slave account corresponding to the master account, it will automatically fill in the slave account on the cloud desktop, which reduces the need for users to access the resource device through the cloud desktop to enter the slave account. The information step saves the cloud platform from waiting for the user to log in to the resource device, thereby improving the access efficiency of accessing the cloud platform resources.

进一步的，在将云桌面和主账号推送到与所述主账号对应的授权的资源设备之前，还包括：Further, before pushing the cloud desktop and the main account to the authorized resource device corresponding to the main account, it also includes:

在保存的主账号与授权的资源设备的对应关系中查找请求访问资源的主账号对应的授权的资源设备。The authorized resource device corresponding to the primary account requesting to access the resource is searched in the stored correspondence between the primary account and the authorized resource device.

进一步的，在允许访问所述资源设备上的资源之前，还包括：Further, before allowing access to resources on the resource device, it also includes:

通过堡垒机记录访问资源的操作信息。Record the operation information of accessing resources through the bastion host.

进一步的，所述主账号信息至少包括主账号和静态密码。Further, the primary account information includes at least the primary account and a static password.

本发明实施例还提供了一种云平台资源的访问装置，包括：The embodiment of the present invention also provides a device for accessing cloud platform resources, including:

匹配单元，用于将接收的用户终端发送的请求访问资源的主账号认证信息与保存的主账号信息进行匹配；A matching unit, configured to match the received primary account authentication information sent by the user terminal requesting access to resources with the saved primary account information;

推送单元，用于当匹配成功时，将云桌面和请求访问资源的主账号推送到与所述主账号对应的授权的资源设备；A push unit, configured to push the cloud desktop and the primary account requesting to access resources to the authorized resource device corresponding to the primary account when the matching is successful;

接收单元，用于分别接收资源设备发送的与所述主账号对应该资源设备的从账号，所述资源设备的从账号是由该资源设备从预先保存的主账号与从账号的对应关系中获取，并在所述云桌面上自动填写所述从账号后发送的；The receiving unit is configured to respectively receive the slave account of the resource device corresponding to the master account sent by the resource device, and the slave account of the resource device is obtained by the resource device from the pre-saved correspondence between the master account and the slave account , and sent after automatically filling in the said secondary account on the said cloud desktop;

验证单元，用于根据保存的从账号权限信息，对所述主账号对应的从账号进行合法性验证；A verification unit, configured to verify the legitimacy of the slave account corresponding to the master account according to the saved permission information of the slave account;

允许访问单元，用于当验证通过时，允许访问所述资源设备上的资源。The access allowing unit is configured to allow access to resources on the resource device when the verification is passed.

通过本发明实施例提供的上述装置，由于云平台的资源设备在获取到与主账号对应的从账号后，将从账号自动填写到云桌面上，减少了用户通过云桌面访问资源设备输入从账号信息的步骤，节省了云平台等待用户登录资源设备的时间，从而提高了访问云平台资源的访问效率。Through the above-mentioned device provided by the embodiment of the present invention, after the resource device of the cloud platform obtains the slave account corresponding to the master account, it will automatically fill in the slave account on the cloud desktop, which reduces the need for the user to access the resource device through the cloud desktop to enter the slave account. The information step saves the cloud platform from waiting for the user to log in to the resource device, thereby improving the access efficiency of accessing the cloud platform resources.

进一步的，上述装置，还包括：Further, the above-mentioned device also includes:

查找单元，用于在将云桌面和主账号推送到与所述主账号对应的授权的资源设备之前，在保存的主账号与授权的资源设备的对应关系中查找请求访问资源的主账号对应的授权的资源设备。The search unit is configured to search for the account corresponding to the master account requesting to access resources in the stored correspondence between the master account and the authorized resource device before pushing the cloud desktop and the master account to the authorized resource device corresponding to the master account. Authorized resource device.

进一步的，上述装置，还包括：Further, the above-mentioned device also includes:

记录单元，用于在允许访问所述资源设备上的资源之前，通过堡垒机记录访问资源的操作信息。The recording unit is configured to record the operation information of accessing resources through the bastion host before allowing access to the resources on the resource device.

进一步的，所述主账号信息至少包括主账号和静态密码。Further, the primary account information includes at least the primary account and a static password.

本发明实施例还提供了一种云平台资源的访问系统，包括：用户终端、云桌面控制器、活动目录AD域服务器和资源设备，其中：The embodiment of the present invention also provides a cloud platform resource access system, including: a user terminal, a cloud desktop controller, an active directory AD domain server and a resource device, wherein:

所述用户终端，用于将用户在登录认证界面输入的请求访问资源的主账号认证信息发送给所述云桌面控制器；The user terminal is configured to send, to the cloud desktop controller, the main account authentication information input by the user on the login authentication interface and requesting access to resources;

所述云桌面控制器，用于将所述主账号认证信息发送给所述AD域服务器；当接收到所述AD域服务器发送的匹配成功消息时，将云桌面和请求访问资源的主账号推送到所述主账号对应的授权的资源设备；接收所述资源设备发送的与所述主账号对应的从账号；根据保存的从账号权限信息，对所述主账号对应的从账号进行合法性验证；当验证通过时，允许访问所述资源设备上的资源；The cloud desktop controller is configured to send the primary account authentication information to the AD domain server; when receiving the matching success message sent by the AD domain server, push the cloud desktop and the primary account requesting to access resources to the authorized resource device corresponding to the primary account; receiving the secondary account corresponding to the primary account sent by the resource device; and verifying the legitimacy of the secondary account corresponding to the primary account according to the saved permission information of the primary account ; When the verification is passed, access to the resource on the resource device is allowed;

所述AD域服务器，用于将所述主账号认证信息与保存的主账号信息进行匹配；当匹配成功时，向所述云桌面控制器发送匹配成功消息；The AD domain server is configured to match the primary account authentication information with the saved primary account information; when the matching is successful, send a matching success message to the cloud desktop controller;

所述资源设备，用于根据预先保存的主账号与从账号的对应关系，确定与接收的所述主账号对应的从账号；将确定的所述从账号自动填写到所述云桌面上并发送给所述云桌面控制器。The resource device is configured to determine a slave account corresponding to the received master account according to the pre-saved correspondence between the master account and the slave account; automatically fill in the determined slave account on the cloud desktop and send to the cloud desktop controller.

通过本发明实施例提供的上述系统，由于云平台的资源设备在获取到与主账号对应的从账号后，将从账号自动填写到云桌面上，减少了用户通过云桌面访问资源设备输入从账号信息的步骤，节省了云平台等待用户登录资源设备的时间，从而提高了访问云平台资源的访问效率。Through the above-mentioned system provided by the embodiment of the present invention, since the resource device of the cloud platform obtains the slave account corresponding to the master account, it will automatically fill in the slave account on the cloud desktop, which reduces the need for users to access resource devices through the cloud desktop to enter the slave account. The information step saves the cloud platform from waiting for the user to log in to the resource device, thereby improving the access efficiency of accessing the cloud platform resources.

本申请的其它特征和优点将在随后的说明书中阐述，并且，部分地从说明书中变得显而易见，或者通过实施本申请而了解。本申请的目的和其他优点可通过在所写的说明书、权利要求书、以及附图中所特别指出的结构来实现和获得。Additional features and advantages of the application will be set forth in the description which follows, and, in part, will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.

附图说明Description of drawings

附图用来提供对本发明的进一步理解，并且构成说明书的一部分，与本发明实施例一起用于解释本发明，并不构成对本发明的限制。在附图中：The accompanying drawings are used to provide a further understanding of the present invention, and constitute a part of the description, and are used together with the embodiments of the present invention to explain the present invention, and do not constitute a limitation to the present invention. In the attached picture:

图1为本发明实施例提供的云平台资源的访问方法的流程图；Fig. 1 is the flowchart of the access method of cloud platform resource provided by the embodiment of the present invention;

图2为本发明实施例1提供的云平台资源的访问方法的流程图；FIG. 2 is a flowchart of a method for accessing cloud platform resources provided by Embodiment 1 of the present invention;

图3为本发明实施例2提供的云平台资源的访问装置的结构示意图；3 is a schematic structural diagram of a device for accessing cloud platform resources provided by Embodiment 2 of the present invention;

图4为本发明实施例3提供的云平台资源的访问系统的结构示意图。FIG. 4 is a schematic structural diagram of a system for accessing cloud platform resources provided by Embodiment 3 of the present invention.

具体实施方式detailed description

为了给出提高访问云平台资源的访问效率的实现方案，本发明实施例提供了一种云平台资源的访问方法、装置及系统，以下结合说明书附图对本发明的优选实施例进行说明，应当理解，此处所描述的优选实施例仅用于说明和解释本发明，并不用于限定本发明。并且在不冲突的情况下，本申请中的实施例及实施例中的特征可以相互组合。In order to provide an implementation plan for improving the access efficiency of accessing cloud platform resources, embodiments of the present invention provide a method, device and system for accessing cloud platform resources. The preferred embodiments of the present invention will be described below in conjunction with the accompanying drawings. It should be understood that , the preferred embodiments described here are only used to illustrate and explain the present invention, not to limit the present invention. And in the case of no conflict, the embodiments in the present application and the features in the embodiments can be combined with each other.

本发明实施例提供一种云平台资源的访问方法，如图1所示，包括：The embodiment of the present invention provides a method for accessing cloud platform resources, as shown in Figure 1, including:

步骤101、云平台将接收的用户终端发送的请求访问资源的主账号认证信息与保存的主账号信息进行匹配。Step 101, the cloud platform matches the received primary account authentication information sent by the user terminal requesting to access resources with the saved primary account information.

步骤102、当匹配成功时，将云桌面和请求访问资源的主账号推送到与该主账号对应的授权的资源设备。Step 102. When the matching is successful, push the cloud desktop and the primary account requesting to access resources to the authorized resource device corresponding to the primary account.

步骤103、分别接收资源设备发送的与该主账号对应该资源设备的从账号，该资源设备的从账号是由该资源设备从预先保存的主账号与从账号的对应关系中获取，并在该云桌面上自动填写该从账号后发送的。Step 103: Receive respectively the slave account of the resource device corresponding to the master account sent by the resource device, the slave account of the resource device is obtained by the resource device from the pre-saved correspondence between the master account and the slave account, and in the The cloud desktop automatically fills in the slave account and sends it.

步骤104、根据保存的从账号权限信息，对该主账号对应的从账号进行合法性验证。Step 104, according to the saved permission information of the secondary account, verify the validity of the secondary account corresponding to the primary account.

步骤105、当验证通过时，允许访问该资源设备上的资源。Step 105. When the verification is passed, access to the resource on the resource device is allowed.

本发明实施例中，用户想要访问云平台侧的资源时，通过用户终端的云桌面登录页面访问云平台侧提供的云桌面，该用户终端可以为手机、电脑等。云平台侧需要对请求访问的用户进行身份认证，认证合法后才能访问云平台侧的资源。主账号是用户登录云平台门户的账号，从账号是登录云平台侧资源设备的账号。In the embodiment of the present invention, when the user wants to access resources on the cloud platform side, he can access the cloud desktop provided by the cloud platform side through the cloud desktop login page of the user terminal, which can be a mobile phone or a computer. The cloud platform side needs to authenticate the identity of the user requesting access, and the resources on the cloud platform side can only be accessed after the authentication is legal. The primary account is the account used by the user to log in to the cloud platform portal, and the secondary account is the account used to log in to the resource device on the cloud platform side.

下面结合附图，用具体实施例对本发明提供的方法及装置和相应系统进行详细描述。The method, device and corresponding system provided by the present invention will be described in detail below with specific embodiments in conjunction with the accompanying drawings.

实施例1：Example 1:

本发明实施例1提供了一种云平台资源的访问方法，如图2所示，具体包括如下处理步骤：Embodiment 1 of the present invention provides a method for accessing cloud platform resources, as shown in FIG. 2 , specifically including the following processing steps:

步骤201、用户终端向云平台侧的云桌面控制器发送请求访问资源的主账号认证信息。Step 201, the user terminal sends the master account authentication information requesting to access resources to the cloud desktop controller on the cloud platform side.

本发明实施例中，用户使用终端在4A统一门户上点击云桌面登录链接，在云桌面登录界面上输入主账号认证信息，该主账号认证信息包括主账号和静态密码。用户可以通过点击登录按钮触发用户终端发送主账号认证信息。4A是指：认证Authentication、账号Account、授权Authorization、审计Audit，即统一安全管理平台解决方案。In the embodiment of the present invention, the user uses a terminal to click on the cloud desktop login link on the 4A unified portal, and enters the main account authentication information on the cloud desktop login interface. The main account authentication information includes the main account and a static password. The user can trigger the user terminal to send the primary account authentication information by clicking the login button. 4A refers to: Authentication, Account, Authorization, Audit, that is, a unified security management platform solution.

云平台侧对用户进行认证过程中涉及到云桌面控制器，活动目录(AD，Active Directory)域服务器，以及用户请求访问资源对应的资源设备。The process of authenticating the user on the cloud platform side involves a cloud desktop controller, an Active Directory (AD, Active Directory) domain server, and a resource device corresponding to a resource requested by the user.

步骤202、云桌面控制器将接收的该主账号发送给AD域服务器。Step 202, the cloud desktop controller sends the received primary account to the AD domain server.

步骤203、AD域服务器确定接收的该主账号信息与保存的主账号信息是否匹配，如果否，进入步骤204，如果是，进入步骤206。Step 203 , the AD domain server determines whether the received master account information matches the saved master account information, if not, go to step 204 , if yes, go to step 206 .

具体的，AD域服务器将该主账号信息与保存的主账号信息进行匹配。AD域服务器中保存的主账号信息为预先录入的用户的主账号和静态密码。Specifically, the AD domain server matches the main account information with the stored main account information. The main account information saved in the AD domain server is the pre-registered user's main account and static password.

步骤204、AD域服务器向云桌面控制器发送匹配失败消息。Step 204, the AD domain server sends a matching failure message to the cloud desktop controller.

步骤205、该云桌面控制器向用户终端发送主账号认证失败消息。Step 205, the cloud desktop controller sends a message that the primary account authentication fails to the user terminal.

步骤206、AD域服务器向云桌面控制器发送匹配成功消息。Step 206, the AD domain server sends a matching success message to the cloud desktop controller.

步骤207、该云桌面控制器在保存的主账号与授权的资源设备的对应关系中查找请求访问资源的主账号对应的授权的资源设备。Step 207, the cloud desktop controller searches for the authorized resource device corresponding to the master account requesting to access resources in the saved correspondence between the master account and the authorized resource device.

步骤208、该云桌面控制器将云桌面和该主账号推送到该主账号对应的授权的资源设备。Step 208, the cloud desktop controller pushes the cloud desktop and the primary account to the authorized resource device corresponding to the primary account.

步骤209、该资源设备根据预先保存的主账号与从账号的对应关系，确定与接收的该主账号对应的从账号。Step 209 , the resource device determines the slave account corresponding to the received master account according to the pre-stored correspondence between the master account and the slave account.

本发明实施例中，该资源设备显示的云桌面上部署的4A平台代理agent，可以根据资源设备中预先保存的主账号与从账号的对应关系，查找到与该主账号对应的从账号。In the embodiment of the present invention, the 4A platform agent deployed on the cloud desktop displayed by the resource device can find the slave account corresponding to the master account according to the correspondence between the master account and the slave account pre-saved in the resource device.

步骤210、该资源设备将该从账号发送给云桌面控制器。Step 210, the resource device sends the slave account to the cloud desktop controller.

步骤211、云桌面控制器根据保存的从账号权限信息，验证该主账号对应的从账号是否合法，如果否，进入步骤212，如果是，进入步骤214。Step 211 , the cloud desktop controller verifies whether the slave account corresponding to the master account is legal according to the saved permission information of the slave account, if not, go to step 212 , if yes, go to step 214 .

步骤212、云桌面控制器向该资源设备发送验证失败信息。Step 212, the cloud desktop controller sends verification failure information to the resource device.

步骤213、该资源设备拒绝该主账号对应的从账号对资源进行访问。Step 213, the resource device rejects the slave account corresponding to the master account from accessing resources.

步骤214、云桌面控制器向该资源设备发送验证成功信息。Step 214, the cloud desktop controller sends verification success information to the resource device.

步骤215、该资源设备允许该主账号对应的从账号对资源进行访问。Step 215, the resource device allows the slave account corresponding to the master account to access resources.

进一步的，当该主账号对应的从账号是合法的，可以通过堡垒机进行监控，即记录用户所有的操作信息。Furthermore, when the secondary account corresponding to the primary account is legal, it can be monitored through the bastion host, that is, all operation information of the user is recorded.

通过本发明实施例提供的方法，由于云平台的资源设备在获取到与主账号对应的从账号后，将从账号自动填写到云桌面上，减少了用户通过云桌面访问资源设备输入从账号信息的步骤，节省了云平台等待用户登录资源设备的时间，从而提高了访问云平台资源的访问效率。Through the method provided by the embodiment of the present invention, after the resource device of the cloud platform obtains the slave account corresponding to the master account, it will automatically fill in the slave account on the cloud desktop, which reduces the need for users to access resource devices through the cloud desktop to input slave account information The steps save the time for the cloud platform to wait for the user to log in to the resource device, thereby improving the access efficiency of accessing the resources of the cloud platform.

实施例2：Example 2:

基于同一发明构思，根据本发明上述实施例提供的云平台资源的访问方法，相应地，本发明实施例2还提供了一种云平台资源的访问装置，其结构示意图如图3所示，具体包括：Based on the same inventive concept, according to the method for accessing cloud platform resources provided by the above-mentioned embodiments of the present invention, correspondingly, Embodiment 2 of the present invention also provides a device for accessing cloud platform resources, the structural diagram of which is shown in Figure 3, specifically include:

匹配单元301，用于将接收的用户终端发送的请求访问资源的主账号认证信息与保存的主账号信息进行匹配；The matching unit 301 is configured to match the received primary account authentication information sent by the user terminal requesting to access resources with the saved primary account information;

推送单元302，用于当匹配成功时，将云桌面和请求访问资源的主账号推送到与所述主账号对应的授权的资源设备；Pushing unit 302, configured to push the cloud desktop and the primary account requesting to access resources to the authorized resource device corresponding to the primary account when the matching is successful;

接收单元303，用于分别接收资源设备发送的与所述主账号对应该资源设备的从账号，所述资源设备的从账号是由该资源设备从预先保存的主账号与从账号的对应关系中获取，并在所述云桌面上自动填写所述从账号后发送的；The receiving unit 303 is configured to respectively receive the slave account of the resource device corresponding to the master account sent by the resource device, and the slave account of the resource device is obtained from the corresponding relationship between the master account and the slave account saved in advance by the resource device Obtained and sent after automatically filling in the slave account on the cloud desktop;

验证单元304，用于根据保存的从账号权限信息，对所述主账号对应的从账号进行合法性验证；A verification unit 304, configured to verify the legitimacy of the slave account corresponding to the master account according to the saved permission information of the slave account;

允许访问单元305，用于当验证通过时，允许访问所述资源设备上的资源。The access allowing unit 305 is configured to allow access to resources on the resource device when the verification is passed.

本发明实施例中，用户使用终端在4A统一门户上点击云桌面登录链接，在云桌面登录界面上输入主账号认证信息，该主账号认证信息包括主账号和静态密码。用户可以通过点击登录按钮触发用户终端发送主账号认证信息。4A是指：认证Authentication、账号Account、授权Authorization、审计Audit，即统一安全管理平台解决方案。In the embodiment of the present invention, the user uses a terminal to click on the cloud desktop login link on the 4A unified portal, and enters the main account authentication information on the cloud desktop login interface. The main account authentication information includes the main account and a static password. The user can trigger the user terminal to send the primary account authentication information by clicking the login button. 4A refers to: Authentication, Account, Authorization, Audit, that is, a unified security management platform solution.

进一步的，上述装置，还包括：Further, the above-mentioned device also includes:

查找单元306，用于在将云桌面和主账号推送到与所述主账号对应的授权的资源设备之前，在保存的主账号与授权的资源设备的对应关系中查找请求访问资源的主账号对应的授权的资源设备。The search unit 306 is configured to search for the correspondence between the primary account requesting to access resources in the stored correspondence between the primary account and the authorized resource device before pushing the cloud desktop and the primary account to the authorized resource device corresponding to the primary account. The authorized resource device.

进一步的，上述装置，还包括：Further, the above-mentioned device also includes:

记录单元307，用于在允许访问所述资源设备上的资源之前，通过堡垒机记录访问资源的操作信息。The recording unit 307 is configured to record the operation information of accessing resources through the bastion host before allowing access to the resources on the resource device.

进一步的，所述主账号信息至少包括主账号和静态密码。Further, the primary account information includes at least the primary account and a static password.

上述各单元的功能可对应于图1或图2所示流程中的相应处理步骤，在此不再赘述。The functions of the above units may correspond to the corresponding processing steps in the flow shown in FIG. 1 or FIG. 2 , and will not be repeated here.

通过本发明实施例提供的装置，由于云平台的资源设备在获取到与主账号对应的从账号后，将从账号自动填写到云桌面上，减少了用户通过云桌面访问资源设备输入从账号信息的步骤，节省了云平台等待用户登录资源设备的时间，从而提高了访问云平台资源的访问效率。With the device provided by the embodiment of the present invention, after the resource device of the cloud platform obtains the slave account corresponding to the master account, it will automatically fill in the slave account on the cloud desktop, which reduces the need for users to access resource devices through the cloud desktop to input slave account information The steps save the time for the cloud platform to wait for the user to log in to the resource device, thereby improving the access efficiency of accessing the resources of the cloud platform.

实施例3：Example 3:

基于同一发明构思，根据本发明上述实施例提供的云平台资源的访问方法，相应地，本发明实施例3还提供了一种云平台资源的访问系统，其结构示意图如图4所示，包括：用户终端401、云桌面控制器402、活动目录AD域服务器403和资源设备404，其中：Based on the same inventive concept, according to the method for accessing cloud platform resources provided by the above-mentioned embodiments of the present invention, correspondingly, Embodiment 3 of the present invention also provides a system for accessing cloud platform resources, the structural diagram of which is shown in Figure 4, including : user terminal 401, cloud desktop controller 402, active directory AD domain server 403 and resource device 404, wherein:

所述用户终端401，用于将用户在登录认证界面输入的请求访问资源的主账号认证信息发送给所述云桌面控制器；The user terminal 401 is configured to send, to the cloud desktop controller, the main account authentication information input by the user on the login authentication interface requesting access to resources;

所述云桌面控制器402，用于将所述主账号认证信息发送给所述AD域服务器；当接收到所述AD域服务器发送的匹配成功消息时，将云桌面和请求访问资源的主账号推送到所述主账号对应的授权的资源设备；接收所述资源设备发送的与所述主账号对应的从账号；根据保存的从账号权限信息，对所述主账号对应的从账号进行合法性验证；当验证通过时，允许访问所述资源设备上的资源；The cloud desktop controller 402 is configured to send the primary account authentication information to the AD domain server; when receiving the matching success message sent by the AD domain server, the cloud desktop and the primary account requesting to access resources Push to the authorized resource device corresponding to the master account; receive the slave account corresponding to the master account sent by the resource device; verify the validity of the slave account corresponding to the master account according to the saved permission information of the slave account Verification; when the verification is passed, access to resources on the resource device is allowed;

所述AD域服务器403，用于将所述主账号认证信息与保存的主账号信息进行匹配；当匹配成功时，向所述云桌面控制器发送匹配成功消息；The AD domain server 403 is configured to match the primary account authentication information with the stored primary account information; when the matching is successful, send a matching success message to the cloud desktop controller;

所述资源设备404，用于根据预先保存的主账号与从账号的对应关系，确定与接收的所述主账号对应的从账号；将确定的所述从账号自动填写到所述云桌面上并发送给所述云桌面控制器。The resource device 404 is configured to determine the slave account corresponding to the received master account according to the pre-saved correspondence between the master account and the slave account; automatically fill in the determined slave account on the cloud desktop and Send to the cloud desktop controller.

本发明实施例3中提供的上述如图4所示的云平台资源的访问系统，其中所包括的用户终端401、云桌面控制器402、活动目录AD域服务器403和资源设备404进一步的功能，可对应于图1、图2所示流程中的相应处理步骤，在此不再赘述。The above-mentioned cloud platform resource access system as shown in FIG. 4 provided in Embodiment 3 of the present invention, further functions of the user terminal 401, cloud desktop controller 402, active directory AD domain server 403 and resource device 404 included therein, It may correspond to corresponding processing steps in the flow charts shown in FIG. 1 and FIG. 2 , and will not be repeated here.

综上所述，本发明实施例提供的方案，云平台侧将接收的用户终端发送的请求访问资源的主账号认证信息与保存的主账号信息进行匹配；当匹配成功时，将云桌面和请求访问资源的主账号推送到与主账号对应的授权的资源设备；分别接收资源设备发送的与主账号对应该资源设备的从账号，资源设备的从账号是由该资源设备从预先保存的主账号与从账号的对应关系中获取，并在云桌面上自动填写从账号后发送的；根据保存的从账号权限信息，对主账号对应的从账号进行合法性验证；当验证通过时，允许访问资源设备上的资源。采用本发明实施例提供的方案，节省了云平台等待用户登录资源设备的时间，从而提高了访问云平台资源的访问效率。To sum up, in the solution provided by the embodiment of the present invention, the cloud platform side matches the received primary account authentication information sent by the user terminal requesting to access resources with the saved primary account information; when the matching is successful, the cloud desktop and the requested The primary account for accessing resources is pushed to the authorized resource device corresponding to the primary account; the secondary account of the resource device corresponding to the primary account sent by the resource device is respectively received, and the secondary account of the resource device is the primary account saved in advance by the resource device. Obtained from the corresponding relationship with the slave account, and sent after the slave account is automatically filled in on the cloud desktop; according to the saved slave account permission information, the legitimacy of the slave account corresponding to the master account is verified; when the verification is passed, access to resources is allowed resources on the device. By adopting the solution provided by the embodiment of the present invention, the cloud platform saves the time of waiting for the user to log in to the resource device, thereby improving the access efficiency of accessing the cloud platform resources.

本申请的实施例所提供的云平台资源的访问装置可通过计算机程序实现。本领域技术人员应该能够理解，上述的模块划分方式仅是众多模块划分方式中的一种，如果划分为其他模块或不划分模块，只要云平台资源的访问装置具有上述功能，都应该在本申请的保护范围之内。The device for accessing cloud platform resources provided by the embodiments of the present application can be realized by computer programs. Those skilled in the art should be able to understand that the above-mentioned module division method is only one of many module division methods. If it is divided into other modules or not divided into modules, as long as the cloud platform resource access device has the above functions, it should be included in this application. within the scope of protection.

本申请是参照根据本申请实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器，使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present application. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中，使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品，该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上，使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理，从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.

显然，本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样，倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内，则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and equivalent technologies thereof, the present invention also intends to include these modifications and variations.