Ceph distributed block storage access authentication method, medium and device

An access authentication and block storage technology, applied in transmission systems, electrical components, etc., to solve problems such as large granularity of authority control, inability to access distributed storage volumes, and inability to release access.

Active Publication Date: 2021-03-12
INSPUR SUZHOU INTELLIGENT TECH CO LTD

AI Technical Summary

Problems solved by technology

Multiple application hosts (A, B, and so on) can use the same CephX user 1 / key 1 to perform CephX authentication and access storage volumes. On the distributed storage side, it is impossible to deny an individual application host's access to volumes. When the storage access of CephX user 1 / key 1 is canceled, all application hosts using this user / key can no longer access their corresponding distributed storage volumes.
Permission control is therefore coarse-grained: any application host that has obtained the user and key can access the storage cluster's volume data, the association between a specified volume and an application host cannot be released on the distributed storage side, and a CephX-authenticated application host's access to distributed storage volumes cannot be released.


Embodiment Construction

[0032] It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

[0033] The present invention is described below in conjunction with the accompanying drawings, wherein Figure 1 is a schematic diagram of the CephX authentication method; Figure 2 is a schematic diagram of the Ceph distributed block storage access authentication method realized by CephX authentication and IP authentication in the embodiment of the present invention; Figure 3 is a flow chart of the Ceph distributed block storage access authentication method in the embodiment of the present invention; and Figure 4 is a schematic diagram of the architecture of the Ceph distributed block storage access authentication device in the embodiment of the present invention.

[0034] With reference to Figure 2 and Figure 3 together, the present invention provides a Ceph distributed block storage access authentication method...


Abstract

The invention discloses a Ceph distributed block storage access authentication method, which is applied to a storage end of a distributed storage service and an application host connected to the storage end, and comprises the following steps: setting a fixed application host IP for each application host connected to the storage end; the storage end verifies, through a CephX authentication module, whether the application host has a first permission; an application host with the first permission is then checked, through an IP authentication module, for a second permission; and if the application host has both the first permission and the second permission, it is allowed to access the corresponding storage volume in the storage end. On the one hand, CephX authentication is realized between the application host and the storage end through the CephX authentication module, so as to ensure the safety of communication between the application host and the storage end and avoid man-in-the-middle attack; on the other hand, IP authentication of the application host is carried out between the application host and the storage volume through the IP authentication module to realize refined authority management granularity, so that the application host with the specified IP can access the specific storage volume.
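The two-stage check in the abstract, modelled as an added example (not code from the patent or from Ceph). An HMAC challenge stands in for the CephX module; `StorageEnd`, `bind`, `unbind`, `host_proof`, the volume names and the 192.0.2.x addresses are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
class StorageEnd:
    """Hypothetical model: shared-key check first, per-volume IP check second."""
    def __init__(self):
        self.keys = {}        # user -> shared secret (stand-in for a CephX key)
        self.volume_ips = {}  # volume -> set of application host IPs bound to it

    def bind(self, volume, host_ip):
        self.volume_ips.setdefault(volume, set()).add(ipaddress.ip_address(host_ip))

    def unbind(self, volume, host_ip):
        self.volume_ips.get(volume, set()).discard(ipaddress.ip_address(host_ip))

    def first_permission(self, user, nonce, proof):
        key = self.keys.get(user)
        return key is not None and hmac.compare_digest(host_proof(key, nonce), proof)

    def second_permission(self, volume, peer_ip):
        return ipaddress.ip_address(peer_ip) in self.volume_ips.get(volume, set())

    def authorize(self, user, nonce, proof, peer_ip, volume):
        # peer_ip: address the storage end saw on the connection, not a client field
        if not self.first_permission(user, nonce, proof):
            return "deny: first permission"
        if not self.second_permission(volume, peer_ip):
            return "deny: second permission"
        return "allow"

def host_proof(key, nonce):
    """Application host side: prove possession of the key (HMAC, not real CephX)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    store, key1 = StorageEnd(), os.urandom(32)
    store.keys["user1"] = key1              # hosts A and B share user1 / key1
    store.bind("vol-a", "192.0.2.10")       # constructed host A address
    store.bind("vol-b", "192.0.2.11")       # constructed host B address
    def ask(key, ip, vol):
        nonce = os.urandom(16)              # challenge issued by the storage end
        return store.authorize("user1", nonce, host_proof(key, nonce), ip, vol)
    out = [ask(key1, "192.0.2.10", "vol-a"), ask(key1, "192.0.2.10", "vol-b"),
           ask(os.urandom(32), "192.0.2.11", "vol-b")]
    store.unbind("vol-a", "192.0.2.10")     # release only host A from vol-a
    return out + [ask(key1, "192.0.2.10", "vol-a"), ask(key1, "192.0.2.11", "vol-b")]
if __name__ == "__main__":
    print(demo())
```

After `unbind`, host A is refused on `vol-a` while host B, holding the same user and key, keeps its access to `vol-b`, which is the per-host release the shared-key scheme alone could not provide.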

Description

Technical field

[0001] The invention relates to the field of distributed storage access authentication, in particular to a Ceph distributed block storage access authentication method, medium and device.

Background technique

[0002] Ceph is a reliable, automatically rebalancing and automatically recovering open source distributed storage system that can provide object storage, block devices, and file system services at the same time.

[0003] In the existing technology, in order to prevent data from being altered during network transmission and achieve a higher level of security, the CephX encryption authentication protocol is added to identify identities and to encrypt and verify data in transmission. In the public network, application hosts that are on the same network as the business front-end ports of the Ceph storage system can access the Ceph storage system and perform read and write operations on it. To ensure the security of the Ceph storage system, you can configure CephX se...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/08
CPC: H04L63/08, H04L63/083, H04L63/10, H04L67/1097
Inventor: 陈东河
Owner: INSPUR SUZHOU INTELLIGENT TECH CO LTD