
EP-4742593-A1 - CROSS-ACCOUNT RESOURCE CALLING METHOD BASED ON CLOUD COMPUTING TECHNOLOGY, AND RELATED DEVICE


Abstract

This application provides a cross-account resource invoking method based on a cloud computing technology and a related device. The method is applied to a cloud management system. The cloud management system is configured to manage an infrastructure on which a first service of a first tenant and a second service of a second tenant are configured. The cloud management system obtains an authorization request of the first tenant. The authorization request includes a tenant identifier of the second tenant, an authorization name, and a specific permission for the second service to invoke the first service. The cloud management system creates the specific permission based on the authorization request. The cloud management system obtains a permission obtaining request that is inputted by the second tenant and that includes the authorization name and a tenant identifier of the first tenant, and configures, based on the permission obtaining request, the second tenant to obtain the specific permission. The cloud management system allows, based on the specific permission when the second tenant configures the second service to invoke the first service, the second service to invoke the first service. In this way, the security of service scheduling in a cross-service and cross-account scenario is improved, and so are the efficiency of permission configuration and resource utilization.

Inventors

  • ZHAI, Honggang

Assignees

  • Huawei Cloud Computing Technologies Co., Ltd.

Dates

Publication Date
20260513
Application Date
20240719

Claims (13)

  1. A cross-account resource invoking method based on a cloud computing technology, wherein the method is applied to a cloud management system, the cloud management system is configured to manage an infrastructure, a first service of a first tenant and a second service of a second tenant are configured on the infrastructure, and the method comprises: obtaining an authorization request inputted by the first tenant, wherein the authorization request comprises a tenant identifier of the second tenant, an authorization name, and a specific permission for the second service to invoke the first service; creating the specific permission based on the authorization request; obtaining a permission obtaining request inputted by the second tenant, wherein the permission obtaining request comprises the authorization name and a tenant identifier of the first tenant; configuring, based on the permission obtaining request, the second tenant to obtain the specific permission; and allowing, based on the specific permission when the second tenant configures the second service to invoke the first service, the second service to invoke the first service.
  2. The method according to claim 1, wherein the second tenant comprises at least one user, and the method further comprises: configuring, based on the permission obtaining request, the second service to create at least one second sub-service corresponding to the at least one user, and configuring the first service to create at least one first sub-service corresponding to the at least one user; and the allowing, based on the specific permission when the second tenant configures the second service to invoke the first service, the second service to invoke the first service comprises: allowing, based on the specific permission when the at least one user configures the second service to invoke the first service, the at least one second sub-service to invoke the at least one corresponding first sub-service.
  3. The method according to claim 1 or 2, wherein the first service is a container service.
  4. The method according to claim 3, wherein the specific permission comprises a container resource permission, the container resource permission corresponds to a container user, and the container resource permission is a permission to use a container resource.
  5. The method according to any one of claims 1 to 4, wherein the permission obtaining request comprises credential information of the second tenant, and the configuring, based on the permission obtaining request, the second tenant to obtain the specific permission comprises: configuring, based on the credential information, the second tenant to perform identity switching to the first tenant, to cause the second tenant to obtain the specific permission.
  6. A cross-account resource invoking apparatus based on a cloud computing technology, wherein the apparatus is used in a cloud management system, the cloud management system is configured to manage an infrastructure, a first service of a first tenant and a second service of a second tenant are configured on the infrastructure, and the apparatus comprises: a first obtaining module, configured to obtain an authorization request inputted by the first tenant, wherein the authorization request comprises a tenant identifier of the second tenant, an authorization name, and a specific permission for the second service to invoke the first service; a creation module, configured to create the specific permission based on the authorization request; a second obtaining module, configured to obtain a permission obtaining request inputted by the second tenant, wherein the permission obtaining request comprises the authorization name and a tenant identifier of the first tenant; a first configuration module, configured to configure, based on the permission obtaining request, the second tenant to obtain the specific permission; and a second configuration module, configured to allow, based on the specific permission when the second tenant configures the second service to invoke the first service, the second service to invoke the first service.
  7. The apparatus according to claim 6, wherein the second tenant comprises at least one user, and the apparatus further comprises: a third configuration module, configured to: configure, based on the permission obtaining request, the second service to create at least one second sub-service corresponding to the at least one user, and configure the first service to create at least one first sub-service corresponding to the at least one user, wherein the second configuration module is specifically configured to allow, based on the specific permission when the at least one user configures the second service to invoke the first service, the at least one second sub-service to invoke the at least one corresponding first sub-service.
  8. The apparatus according to claim 6 or 7, wherein the first service is a container service.
  9. The apparatus according to claim 8, wherein the specific permission comprises a container resource permission, the container resource permission corresponds to a container user, and the container resource permission is a permission to use a container resource.
  10. The apparatus according to any one of claims 6 to 9, wherein the permission obtaining request comprises credential information of the second tenant, and the first configuration module is specifically configured to configure, based on the credential information, the second tenant to perform identity switching to the first tenant, to cause the second tenant to obtain the specific permission.
  11. A computing device cluster, comprising at least one computing device, wherein each computing device comprises a processor and a memory; and a processor in the at least one computing device is configured to execute instructions stored in a memory in the at least one computing device, to enable the computing device cluster to perform the method according to any one of claims 1 to 5.
  12. A computer program product comprising instructions, wherein when the instructions are run by a computing device cluster, the computing device cluster is enabled to perform the method according to any one of claims 1 to 5.
  13. A computer-readable storage medium, comprising computer program instructions, wherein when the computer program instructions are executed by a computing device cluster, the computing device cluster performs the method according to any one of claims 1 to 5.

Description

This application claims priority to Chinese Patent Application No. 202310952497.6, filed with the China National Intellectual Property Administration on July 31, 2023 and entitled "CROSS-ACCOUNT MULTI-SERVICE INTEGRATION METHOD", and to Chinese Patent Application No. 202311697137.2, filed with the China National Intellectual Property Administration on December 11, 2023 and entitled "CROSS-ACCOUNT RESOURCE INVOKING METHOD BASED ON CLOUD COMPUTING TECHNOLOGY AND RELATED DEVICE", both of which are incorporated herein by reference in their entireties.

Technical Field

This application relates to the field of cloud service technologies, and in particular to a cross-account resource invoking method based on a cloud computing technology and a related device.

Background

In a cloud serving (Cloud Serving) scenario, some cloud service platforms provide resource sharing services of a specific type. If other services need to use resources of this type during work processing, the resources are invoked in a cross-service manner. For example, a big data service can use, in a cross-service manner, container cluster resources provided by a container service. In this way, a plurality of services can fully use, in a time division multiplexing manner, the resources of the specific type provided by the cloud service platform.

Users who use cloud services manage and use resources by using accounts. The accounts are independent of each other, and resources possessed by different accounts are isolated from each other. If a user needs to use resources of another account in a cross-account manner, authorization from that other account is needed. Currently, in a cross-service and cross-account service resource invoking scenario, an authorizing account provides the authorized account with the credential information needed to log in to the authorizing account, for example an account and password, a certificate, or a token. The authorized account then uses the credential information to invoke resources in the identity of the authorizing account. However, providing the credential information of the current account to another account poses security risks; for example, the other account may abuse the credential information.

Summary

This application provides a cross-account resource invoking method based on a cloud computing technology and a related device, to implement, by using an authorization name and a tenant identifier of a first tenant, highly secure authorization of a cross-account and cross-service resource usage permission, and to meet the requirement of using a service resource in a cross-service and cross-account scenario.

According to a first aspect, this application provides a cross-account resource invoking method based on a cloud computing technology. The method is applied to a cloud management system. The cloud management system is configured to manage an infrastructure. A first service of a first tenant and a second service of a second tenant are configured on the infrastructure. The cloud management system obtains an authorization request inputted by the first tenant. The authorization request includes a tenant identifier of the second tenant, an authorization name, and a specific permission for the second service to invoke the first service. The cloud management system creates the specific permission based on the obtained authorization request. The cloud management system obtains a permission obtaining request that is inputted by the second tenant and that includes the authorization name and a tenant identifier of the first tenant, and configures, based on the permission obtaining request, the second tenant to obtain the specific permission.

In this way, a cross-service permission can be obtained by using the tenant identifier of the first tenant and the authorization name, and the first tenant does not need to disclose its own credential information, such as an account and password, a certificate, or a token. This improves the security of cross-account and cross-service service invoking. The cloud management system allows, based on the specific permission when the second tenant configures the second service to invoke the first service, the second service to invoke the first service. While secure cross-service and cross-account service invoking is implemented, cross-service and cross-account service configuration is facilitated and service utilization is improved.

In a possible implementation, the second tenant includes at least one user. After obtaining the permission obtaining request, the cloud management system configures the second service to create at least one second sub-service corresponding to the at least one user, and configures the first service to create at least one first sub-service corresponding to the at least one user. When the user configures the second service to invoke the first service, the cloud management system allows the at least one second sub-service to inv
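The five-step flow of claim 1 and the summary above (authorization request, permission creation, permission obtaining request with the second tenant's own credential, identity switching, and the final invoke check), modelled as an added Python example that is not the patent's or Huawei's code; the tenant identifiers, the secret-based credential check and the permission string are assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """Record created from the first tenant's authorization request."""
    grantor: str      # tenant identifier of the first (authorizing) tenant
    grantee: str      # tenant identifier of the second tenant named in the request
    name: str         # authorization name
    permission: str   # specific permission, e.g. "container:use" (assumed string)


class CloudManagementSystem:
    """Hypothetical model of the cloud management system's authorization state."""

    def __init__(self) -> None:
        self._authorizations: dict[tuple[str, str], Authorization] = {}
        self._obtained: set[tuple[str, str, str]] = set()   # (grantee, grantor, name)
        self._credentials: dict[str, str] = {}              # constructed: tenant -> secret

    def register_tenant(self, tenant_id: str, secret: str) -> None:
        self._credentials[tenant_id] = secret

    def create_authorization(self, first_tenant: str, second_tenant: str,
                             name: str, permission: str) -> None:
        # Steps 1-2: the first tenant names the grantee, an authorization name and
        # the permission. Its own credentials never leave its account.
        self._authorizations[(first_tenant, name)] = Authorization(
            first_tenant, second_tenant, name, permission)

    def obtain_permission(self, second_tenant: str, credential: str,
                          first_tenant: str, name: str) -> bool:
        # Steps 3-4: the second tenant presents its own credential plus the
        # authorization name and the first tenant's identifier.
        if self._credentials.get(second_tenant) != credential:
            return False
        auth = self._authorizations.get((first_tenant, name))
        if auth is None or auth.grantee != second_tenant:
            return False   # unknown name, or name not granted to this tenant
        # Identity switching: record that the grantee now holds the permission.
        self._obtained.add((second_tenant, first_tenant, name))
        return True

    def allow_invoke(self, caller: str, target: str, permission: str) -> bool:
        # Step 5: a cross-account call is allowed only under an obtained permission.
        return any(
            self._authorizations[(grantor, name)].permission == permission
            for (grantee, grantor, name) in self._obtained
            if grantee == caller and grantor == target)
```

Knowing the authorization name alone is not enough: a tenant that was not named in the authorization request, or that cannot present its own credential, is refused at the obtaining step.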