HK1137531B - Method and system for modeling options for opaque management data for a user and/or an owner - Google Patents
Publication number: HK1137531B
Authority: HK (Hong Kong)
Description
Technical Field
More particularly, embodiments of the invention relate to a method and system for modeling opaque management data options for users and/or owners.
Background
Information Technology (IT) management may require remote management operations to be performed on remote systems in order to inventory those systems and/or to determine whether they are up to date. For example, a management device and/or console may perform the following operations: discovering and/or directing managed resources in a network, operating and/or managing those resources, requesting and/or controlling subscribe and/or unsubscribe operations, and performing and/or specifying management methods and/or processes. The management device and/or console communicates with devices in the network to ensure the availability of remote systems, verify that these systems are up to date, and/or install security patches where necessary.
Further limitations and disadvantages of conventional and traditional approaches will become apparent to one of skill in the art, through comparison of such systems with some aspects of the present invention as set forth in the remainder of the present application with reference to the drawings.
Disclosure of Invention
A system and/or method is provided for modeling opaque management data options for a user and/or owner, substantially as shown in and/or described in connection with at least one of the figures, and as set forth more completely in the claims.
The invention, together with certain other advantages, features and innovations described herein, and various details of specific embodiments thereof, will be best understood from the following description and drawings.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a diagram illustrating an exemplary process for establishing communication between a management device and a network device in accordance with a preferred embodiment of the present invention;
FIG. 2A is a diagram illustrating an implementation of an opaque management data (OPMD) class model template according to a preferred embodiment of the present invention;
FIG. 2B is a diagram illustrating an implementation of an opaque management data (OPMD) class model template using a Role Based Authorization (RBA)/Simple Identity Management (SIM) template according to a preferred embodiment of the present invention;
FIG. 2C is a diagram of another implementation of an opaque management data (OPMD) class model template using a Role Based Authorization/Simple Identity Management (RBA/SIM) template according to a preferred embodiment of the present invention;
FIG. 3 is a diagram of an opaque management data (OPMD) class model template using a Role Based Authorization/Simple Identity Management class template according to a preferred embodiment of the present invention.
Detailed Description
Various embodiments of the present invention may include a method and system for modeling opaque management data options for a user and/or owner. In various exemplary embodiments of the present invention, opaque management data operations may be performed in a managed system. The managed system may be managed based on the Common Information Model (CIM) through a Distributed Management Task Force (DMTF) management template (profile). Access authentication may be performed during opaque management data operations by a Role Based Authorization (RBA) and/or Simple Identity Management (SIM) template based on DMTF/CIM. One or more instances of the CIM_Identity class may be used to verify ownership and/or access rights through instances of the CIM_Role class and/or the CIM_Privilege class. Thus, a plurality of common users, which may be represented by instances of the CIM_Account class, and/or a plurality of common applications, which may be represented by instances of the CIM_UserEntity class, may be authenticated through instances of the CIM_Identity class. Quota-related operations may be performed through a QuotaAffectsElement association between an instance of the CIM_Identity class and an instance of the CIM_OpaqueManagementDataService class. The QuotaAffectsElement association may include AllocatedQuota and/or AllocatedBytes attributes for tracking and/or validating quota-related information in the opaque management data template.
Fig. 1 is a diagram illustrating an exemplary process for establishing communication between a management device and a network device in accordance with a preferred embodiment of the present invention.
As shown in fig. 1, there is illustrated a management device 102, a network device 104, a management connection 106, a remote management agent 108, a management service 110, a processor 112, a memory 114, a processor 116, and a memory 118.
The management device 102 may comprise suitable logic, circuitry, and/or code that may enable management of a network device, such as the network device 104, via a management connection, such as the management connection 106. For example, an Information Technology (IT) operator may use the management device 102 to manage various devices within an IT network. The management device 102 may also include a specialized entity, such as the remote management agent 108, for performing management operations, including discovering and/or directing managed resources in the network, operating and/or managing those resources, requesting and/or controlling subscribe and/or unsubscribe operations, and performing and/or specifying management methods and/or processes. The management device 102 may perform management operations through, for example, the remote management agent 108, whereby the management device 102 may communicate with devices in the network to ensure the availability of remote systems, verify that these systems are up to date, and/or install security patches when necessary.
The processor 112 may comprise suitable logic, circuitry, and/or code that may enable performing processing operations in the management device 102, such as management-related operations. The present invention is not limited to a particular processor and may include, for example, a general purpose processor, a special purpose processor, or a suitable combination of hardware, firmware, software and/or code for providing two levels of authorization in accordance with various embodiments of the present invention.
The memory 114 may comprise suitable logic, circuitry, and/or code that may enable persistent and/or non-persistent storage of data and/or code, such as storage and retrieval of data and/or code used by the processor 112 during processing operations associated with management.
The remote management agent 108 may comprise suitable logic, circuitry, and/or code that may enable performing management operations based on one or more management standards. For example, the remote management agent 108 may perform control and/or management operations for active and/or known nodes in the network that support protocols such as Web Services for Management (WS-Management) and/or the Alert Standard Format (ASF) protocol. The remote management agent 108 may comprise logic and/or software entities that may be integrated within an OS running on the management device 102. The remote management agent 108 may also include logic and/or software entities that may be integrated into a network interface controller (NIC) of the management device 102. The remote management agent 108 may comprise logic and/or software entities that may be integrated within a dedicated management subsystem (e.g., the processor 112 and/or the memory 114) within the management device 102.
The network device 104 may comprise suitable logic, circuitry, and/or code that may enable management performed by one or more management devices, such as the management device 102, via a management connection, such as the management connection 106. The network device 104 may be integrated within a network that may be managed by the management device 102. For example, the network device 104 may include a Personal Computer (PC) that may operate in a network managed by the management device 102. Network device 104 may also include a dedicated entity, such as management service 110, for participating in management operations.
The processor 116 may comprise suitable logic, circuitry, and/or code that may enable performing processing operations, such as management-related operations, in the network device 104. The present invention is not limited to a particular processor and may include, for example, a general purpose processor, a special purpose processor, or a suitable combination of hardware, firmware, software and/or code for providing two levels of authorization in accordance with various embodiments of the present invention.
The memory 118 may comprise suitable logic, circuitry, and/or code that may enable persistent and/or non-persistent storage, such as storage and retrieval of data and/or code used by the processor 116 during processing operations associated with management.
The management service 110 may comprise suitable logic, circuitry, and/or code that may enable performing management operations based on one or more management standards. For example, the management service 110 may participate in control and/or management operations based on the WS-Management and/or ASF protocols. The management service 110 may comprise logic and/or software entities that may be integrated within an OS running on the network device 104. The management service 110 may also include logic and/or software entities that may be integrated into a network interface controller (NIC) of the network device 104. Further, the management service 110 may comprise logic and/or software entities that may be integrated within a dedicated management subsystem (e.g., the processor 116 and/or the memory 118) in the network device 104.
The management connection 106 may include interfaces and/or connections for enabling interaction between devices in a managed network. For example, the management connection 106 enables management communication between the management device 102 and a network device, such as the network device 104. The management connection 106 may use one or more standard management protocols. For example, the management connection 106 may use one or more management protocols specified and/or published by a standards body, such as the Distributed Management Task Force (DMTF). The management connection 106 may carry DMTF-based Alert Standard Format (ASF) protocol messages and/or WS-Management protocol messages.
The Alert Standard Format (ASF) protocol was used in the first generation of out-of-band management systems. The ASF protocol may use a User Datagram Protocol (UDP) stack to enable communication between the management device and the network device. A device may be ASF-enabled, meaning that the device may perform management operations via ASF messages. For example, when the network device 104 supports ASF, the management device 102 may use ASF-based messages to manage the network device 104. More recently, WS-Management has been proposed and developed as a next-generation management protocol. WS-Management is a Web services-based specification that typically communicates using SOAP (XML-based messaging) with HTTP as the SOAP transport. SOAP over HTTP may run on an HTTP/TLS/TCP protocol stack, which may provide better security, reliability and OS independence.
The DMTF management standards working group DASH has defined Common Information Model (CIM)-based instrumentation, which resembles an object-oriented representation of management data for managed subsystems and can be accessed using the WS-Management protocol. CIM may provide a general definition of management information for systems, networks, applications and services, and allows vendor extensions. Devices with Intelligent Platform Management Interface (IPMI) and/or ASF internal interfaces and/or protocols may be managed externally via WS-Management messages. For example, when the network device 104 uses IPMI-based and/or ASF-based internal communication among its components, the management device 102 may manage the network device 104 through CIM mechanisms using WS-Management-based messages.
In operation, the network device 104 may be managed by the management device 102. For example, the management device 102 may use the management connection 106 to perform management operations in the network device 104. Management connection 106 may use one or more standards-based management protocols to perform management operations between management device 102 and network device 104. For example, the remote management agent 108 and/or the management service 110 may use WS-management messages to perform management operations between the management device 102 and the network device 104 over the management connection 106.
DMTF/CIM allows remote management, control and/or access to subsystems, components and/or devices within a managed system. For example, the network device 104 may include a WBEM/CIM server in a WBEM framework for enabling remote interaction and/or access by WBEM/CIM clients, which may run on a management console such as the management device 102. Further, CIM-based providers may be utilized to enable direct interaction and/or communication with particular components, subsystems and/or devices within a managed system, such as the network device 104.
Based on the general DMTF/CIM model, the opaque management data model may provide functionality that allows a user to represent storage-related information in a system using opaque data objects. An opaque management data (OPMD) template (profile) may provide an abstract representation of storage-related information in a system, where storage devices and/or areas in the system are represented as storage elements whose internal structure, format, and/or details need only be defined minimally, so that the internal variations and inter-working of the corresponding storage devices and/or areas are abstracted away. In this way, entities in the DMTF/CIM-based model may implement and/or interact with (e.g., read and write) specific slices of platform memory in a uniform manner, represented by the opaque management data objects described above, regardless of variations in the corresponding storage elements. For example, the remote management agent 108 may interact with the management service 110 using DMTF/CIM-based management messages communicated over the management connection 106, in order to interact with one or more storage elements in the network device 104, where the one or more storage elements may be represented by opaque management data objects.
Security mechanisms may be used to standardize and control management access through opaque management data (OPMD) templates in managed systems. This secures interactions based on the opaque management data and/or protects against potential security risks and/or system compromise when remote access and/or management is used. Such security mechanisms may include building specialized user- and/or owner-based entities into the opaque management data (OPMD) template to perform and/or control access-related operations. For example, an opaque management data (OPMD) template may include special access-related components for verifying access credentials and/or determining access permissions.
Further, in one embodiment of the invention, the opaque management data model may also use pre-existing generic access management templates to perform and/or control storage access in the platform through an opaque management data (OPMD) template. For example, access to a managed system, such as the network device 104, by a management device, such as the management device 102, during a management operation may be controlled under a security principal, in DMTF/CIM management terminology. Security principals may exist in a managed system, such as the network device 104, and may be used to provide a security context within which an authenticated user and/or group of users may operate in the managed system. The security-principal-based management operations described above may be implemented using Role Based Authorization (RBA) and/or Simple Identity Management (SIM) templates in a DMTF/CIM-based model. The SIM template and/or RBA template may be implemented in a CIM-based provider in the management device 102 by the remote management agent 108, the processor 112, and/or the memory 114. Similarly, the SIM template and/or RBA template may be implemented in a CIM-based provider in the network device 104 by the management service 110, the processor 116, and/or the memory 118.
A Simple Identity Management (SIM) template may take the form of local accounts used to manage and/or control access to a network device. An implementation of SIM in, for example, the network device 104 may enable authorization of account information and/or other capabilities that security principals may use when attempting to access the network device 104 through, for example, the management device 102, in order to perform management operations. Thus, a SIM implementation may provide one or more account-related opaque management services and/or operations.
A Role Based Authorization (RBA) template may authorize role attributes for security principals accessing a managed system. In the DMTF/CIM approach, a user of an opaque management data object may have one or more known and/or fixed roles including, for example, an administrator role, an operator role, and/or a read-only role. One implementation of an RBA in, for example, network device 104, may implement authorization of role information and/or some other capabilities that a user may use to attempt to access and/or control an opaque management data object. Thus, an RBA implementation can provide one or more possible role-related services and/or operations, including creating, modifying, exposing, and/or deleting roles.
FIG. 2A is a diagram illustrating an implementation of an opaque management data (OPMD) class model template according to a preferred embodiment of the invention. As shown in FIG. 2A, a CIM_ComputerSystem class 202, a CIM_Service class 204, a CIM_OpaqueManagementDataService class 206, a CIM_ManagedElement class 208, a CIM_OpaqueManagementData class 210, a CIM_LogicalDevice class 212, a CIM_Identity class 214, a CIM_OpaqueManagementDataUser class 216, and a CIM_Role class 218 are illustrated.
The CIM_ComputerSystem class 202 may include functions that may represent managed systems in DMTF/CIM-based templates. For example, one instance of the CIM_ComputerSystem class 202 may represent the network device 104 in an opaque management data template.
The CIM_Service class 204 may include functions that may generically represent services available in a DMTF/CIM template. The CIM_Service class 204 may serve as a template for other specific services available in the DMTF/CIM template, and may include core functionality and/or information that is supplemented when representing those specific services.
The CIM_OpaqueManagementDataService class 206 may be derived from the CIM_Service class 204 as its superclass and may include further functionality for providing service operations specifically directed to an opaque management data (OPMD) template. For example, the available opaque-management-data-based services implemented by the managed system represented by the instance of the CIM_ComputerSystem class 202 may be handled by an instance of the CIM_OpaqueManagementDataService class 206. The CIM_OpaqueManagementDataService class 206 may serve as the central component of the OPMD template and as the interface that receives opaque management data operation requests.
The CIM_ManagedElement class 208 may include functions that may represent elements in a managed system that may be managed through DMTF/CIM templates. The CIM_ManagedElement class 208 may serve as a template for other specific elements that may be managed through the DMTF/CIM template, and may also include core functionality and/or information that is supplemented when representing those specific elements.
The CIM_OpaqueManagementData class 210 may be derived from the CIM_ManagedElement class 208 as its superclass and may include further functionality for representing storage elements in a managed system in an opaque management data (OPMD) template. For example, the CIM_OpaqueManagementData class 210 may include information that represents a piece of memory of the managed system represented by an instance of the CIM_ComputerSystem class 202.
The CIM_LogicalDevice class 212 may include functionality for providing a logical representation of devices in a DMTF/CIM template. For example, the CIM_LogicalDevice class 212 may provide a logical representation corresponding to physical storage entities in the managed system represented by the instance of the CIM_ComputerSystem class 202.
The CIM_Identity class 214 may include functions that may be used to represent entities used by the DMTF/CIM template. For example, instances of the CIM_Identity class 214 may be used to represent and/or identify owners, users, and/or owner-users in DMTF/CIM templates in a managed system. The CIM_Identity class 214 may serve as a template for user-related classes in a DMTF/CIM template and may include core functionality and/or information that is supplemented when representing the specific user-related entities described above.
The CIM_OpaqueManagementDataUser class 216 may be derived from the CIM_Identity class 214 as its superclass and may include further functions for representing opaque management data users in a managed system. For example, the CIM_OpaqueManagementDataUser class 216 may include information used to represent a particular user of an opaque data object in the system represented by an instance of the CIM_ComputerSystem class 202. The CIM_OpaqueManagementDataUser class 216 may also include functions that may represent other user-specific opaque management data information beyond simple verification of access rights and/or privileges. The CIM_OpaqueManagementDataUser class 216 may include quota-related attributes, such as the AllocatedQuota and AllocatedBytes attributes, which may be used to track and/or validate quota information in the opaque management data template.
The CIM_Role class 218 may include functions used to represent access groups, which may carry different rights in the opaque management data template. The CIM_Role class 218 may provide rights- and/or privilege-like attributes for use with the CIM_OpaqueManagementData class 210 and/or the CIM_OpaqueManagementDataUser class 216.
In operation, an opaque management data (OPMD) template may provide functionality that allows a user to represent storage-related information in a system using opaque data objects. An opaque management data (OPMD) template may provide an abstract representation of one or more storage elements in a system, including only minimal definitions of storage structure, format, and/or details. For example, in a managed system represented by an instance of the CIM_ComputerSystem class 202, the opaque management data template is supported by one or more instances of the CIM_OpaqueManagementDataService class 206, associated with the system through a HostedService association. The CIM_OpaqueManagementDataService class 206 may act as the interface to, and may even fully control, the opaque management data template.
Within the opaque management data template, the various storage elements, which may correspond to one or more instances of the CIM_LogicalDevice class 212, may be represented as instances of the CIM_OpaqueManagementData class 210 and/or managed as such. Each instance of the CIM_OpaqueManagementData class 210 may model a storage element corresponding to the CIM_LogicalDevice class 212 through, for example, an "opaque management data store" association. An instance of the CIM_OpaqueManagementData class 210 may abstract a storage element with only minimal information about the internal structure, format, and/or other details of the storage device (which may be determined, for example, through the CIM_LogicalDevice class 212), so as to give (programmatic) users uniform access. Opaque management data operations requested through the CIM_OpaqueManagementDataService class 206 may be performed, through a ServiceAffectsElement association, by the instance of the CIM_OpaqueManagementData class 210 on behalf of the storage element.
Access-related operations in the opaque management data template may be provided through the CIM_OpaqueManagementDataUser class 216. The CIM_OpaqueManagementDataUser class 216 may be used to maintain quota information, including the AllocatedQuota and AllocatedBytes attributes. The CIM_OpaqueManagementDataUser class 216 may also be used to model user-related information, where access operations related to opaque management data requested through the CIM_OpaqueManagementDataService class 206 may be performed by the CIM_OpaqueManagementData class 210 through a ServiceAffectsElement association. In addition, the CIM_OpaqueManagementDataUser class 216 may be used to model owner- and/or user-related operations through a CIM_OpaqueManagementDataOwnership association during opaque management data operations performed through the CIM_OpaqueManagementData class 210. Authentication operations related to owners and/or users may be performed against the CIM_Role class 218 by the CIM_OpaqueManagementData class 210 and/or the CIM_OpaqueManagementDataUser class 216 via, for example, MemberOfCollection associations and/or RoleLimitedToTarget associations, respectively. In this regard, the use of the CIM_Role class 218 may differ from other uses, such as in the RBA/SIM templates.
Although the use of the CIM_OpaqueManagementDataUser class 216 in user-related operations may have some benefits, particularly in carrying information such as the quota attributes, this approach has drawbacks. For example, using special access- and/or user-related components in the opaque management data template may introduce redundancy, since other access-related components may already exist through the RBA/SIM templates; this results in redundant code and redundant storage requirements. Furthermore, using the CIM_OpaqueManagementDataUser class 216 may also present scalability issues, because it requires one instance of the CIM_OpaqueManagementDataUser class 216 for each instance of the CIM_OpaqueManagementData class 210 and, in addition, the same number of instances of the CIM_Role class 218 as of the CIM_OpaqueManagementData class 210. Because of the direct ownership association between the two classes, deleting an instance of the CIM_OpaqueManagementData class 210 may delete the associated instance of the CIM_OpaqueManagementDataUser class 216, so that user-related access information is lost and can only be rebuilt in subsequent processing. Further, the CIM_OpaqueManagementDataUser class 216 requires a new subclass to be derived from the CIM_Identity class 214, even though the AllocatedQuota and/or AllocatedBytes attributes do not appear to fit the general description of the CIM_Identity class 214. Thus, there is a need for access-related functionality that can be reused and/or built on existing access functionality, independent of a direct ownership association with the data instance.
FIG. 2B is a diagram illustrating an implementation of an opaque management data (OPMD) class model template using a Role Based Authorization (RBA)/Simple Identity Management (SIM) template according to a preferred embodiment of the present invention. As shown in FIG. 2B, a CIM_OpaqueManagementDataService class 206, a CIM_ComputerSystem class 202, a CIM_OpaqueManagementData class 210, a CIM_Identity class 214, a CIM_Role class 220, a CIM_Privilege class 222, a CIM_Account class 224, and a CIM_UserEntity class 226 are shown.
The CIM_OpaqueManagementDataService class 206, the CIM_OpaqueManagementData class 210, and the CIM_ComputerSystem class 202 are substantially the same as described with reference to FIG. 2A. However, the CIM_OpaqueManagementDataService class 206 and/or the CIM_OpaqueManagementData class 210 may be modified to implement access-related operations using RBA/SIM-template-based mechanisms.
The CIM_Identity class 214 is substantially the same as described with reference to FIG. 2A. However, the CIM_Identity class 214, the CIM_Role class 220, the CIM_Privilege class 222, and the CIM_Account class 224 may be used to perform access-related operations based on the Role Based Authorization and/or Simple Identity Management (RBA/SIM) templates.
The CIM_Role class 220 may include functions that may represent the roles available in the RBA/SIM template. For example, authorized roles in a managed system, including, for example, administrator, operator, and/or read-only roles, may be represented by the CIM_Role class 220. The CIM_Privilege class 222 may include functionality that may represent one or more rights and/or privileges typically associated with a role. The rights and/or privileges assigned to a user and/or owner in the opaque management data template may be represented by instances of the CIM_Privilege class 222, which are associated with instances of the CIM_Role class 220. The CIM_Account class 224 may include functions that may represent accounts defined in DMTF/CIM templates in a managed system. For example, one instance of the CIM_Account class 224 may represent an account that may be used during opaque management data access and/or use in the network device 104.
The CIM_UserEntity class 226 may include functions that may represent an application user in a DMTF/CIM template in a managed system. For example, an instance of the CIM_UserEntity class 226 may represent an application user that is in turn represented by the CIM_Identity class 214.
During operation, the opacity management data template may generally be substantially the same as the template described in FIG. 2A. However, access and/or subscriber related operations may be used through the RBA/SIM based mechanism. Due to the lack of direct ownership association to data and/or user-related components, access functions need not match the same number of already existing data instances, and a common user can do a join (join) representation. Thus, one or more instances of CIM _ ID class 214 may serve as the primary access control component in the template, where an instance of CIM _ ID class 214 may represent an owner and/or user of the opaque management data template. Instances of CIM _ roles class 220 may be used to represent applicable roles by "members of a member group" in each instance of CIM _ identity class 214. The privileges of each instance of CIM _ identity class 214 may be determined by an instance of CIM _ privilege class 222, which may be associated to an intermediate instance of CIM _ role class 220 by a "member of a group of members". Users with the same roles and privileges may be represented by instances of CIM _ account class 224, which may be associated to a single instance of CIM _ identity class 214 by an "assigned identity" association, and these same roles and privileges are defined by instances of CIM _ role class 220 and CIM _ privilege class 222, respectively. Applications, rather than users, can also be used to share the same roles and privileges in a similar manner, where the belonging applications can be represented by instances of CIM _ USER entity class 226, which can be associated to a single instance of CIM _ IDENTITY class 214 by "specifying identity".
Access operations requested through CIM_OpaqueManagementDataService class 206 for opaque management data may be performed by instances of CIM_OpaqueManagementData class 210 and CIM_Identity class 214 through a "service affects element" association. For opaque management data operations associated with each instance of CIM_OpaqueManagementData class 210, an "opaque management data user component" association with an instance of CIM_Identity class 214 may be used to model owner and/or user access assertions explicitly. The "opaque management data user component" may comprise, for example, "IsOwner" and/or "AccessRights" attributes for determining the ownership status (true/false) and/or the access rights, which may be read-only or read-write. The quota-related operations may be performed, for example, through a "QuotaAffectsElement" association between an instance of CIM_Identity class 214 and an instance of CIM_OpaqueManagementDataService class 206. The "quota affects element" association can carry owner- and/or user-defined quota (share) information modeled by an instance of CIM_Identity class 214. For example, the association may include "allocated shares" and "bytes allocated" attributes, which may be defined directly in the instance of CIM_OpaqueManagementDataUser class 216. These may be used to track and/or validate user-specific share information in the opaque management data template, as described in FIG. 2A.
FIG. 2C is a diagram of another implementation of an opaque management data (OPMD) class model template using a role based authorization/simple identity management (RBA/SIM) template according to a preferred embodiment of the present invention. As shown in FIG. 2C, CIM_OpaqueManagementDataService class 206, CIM_ComputerSystem class 202, CIM_OpaqueManagementData class 210, CIM_Identity class 214, CIM_Role class 220, CIM_Privilege class 222, CIM_Account class 224, and CIM_UserEntity class 226 are shown.
CIM_OpaqueManagementDataService class 206, CIM_OpaqueManagementData class 210, CIM_ComputerSystem class 202, CIM_Identity class 214, CIM_Role class 220, CIM_Privilege class 222, CIM_Account class 224, and CIM_UserEntity class 226 are substantially the same as described in FIG. 2B. However, a "concrete dependency" association may be used to access certain privileges defined for CIM_OpaqueManagementData class 210. Thus, the "opaque management data user component" association need not contain attributes and/or information related to access rights, and may instead be used to implement ownership-related verification operations, for example between an instance of CIM_OpaqueManagementData class 210 and an instance of CIM_Identity class 214.
FIG. 3 is a flow diagram of an opaque management data (OPMD) class model template using a role based authorization/simple identity management class template in accordance with a preferred embodiment of the present invention. As shown in FIG. 3, flow chart 300 comprises exemplary steps that may be used to apply RBA/SIM based templates during opaque management data operations in a managed system (e.g., network device 104).
At step 302, the managed system receives a DMTF/CIM based request for opaque management data. For example, a request to perform a storage-related operation through the opaque management data template may be issued to network device 104 by management device 102 over management connection 106. At step 304, access-related information pertaining to the requested opaque management data operation is determined. For example, the requested operation may be passed from an instance of CIM_ComputerSystem class 202 to an instance of CIM_OpaqueManagementDataService class 206 based on a "running service" association in the DMTF/CIM based opaque management data template, where the service instance serves as the interface to one or more instances of CIM_OpaqueManagementData class 210, which represent storage components in the managed system. In one embodiment of the invention, RBA/SIM template based functionality may be used to perform the necessary access authentication operations. For example, an instance of CIM_OpaqueManagementDataService class 206 and an instance of CIM_OpaqueManagementData class 210 may use an instance of CIM_Identity class 214 to initiate access-related authentication via a "service affects element" association and an "opaque management data user component" association, respectively. Within the RBA/SIM functionality, CIM_Role class 220, CIM_Privilege class 222, CIM_Account class 224, and CIM_UserEntity class 226 may be used for access authentication, substantially as described in FIGS. 2B and 2C. In the event that access is not granted, the exemplary steps terminate.
Returning now to step 304, if it is determined that access is allowed, the exemplary steps proceed to step 306. At step 306, the available quota information pertaining to the requested opaque management data operation is determined. The quota-related operations may be performed by a subcomponent of the RBA/SIM template based functionality that also performs the access authentication operations. For example, an instance of CIM_OpaqueManagementDataService class 206 may use an instance of CIM_Identity class 214 through a "quota affects element" association to implement quota-related operations. The "allocated shares" and "allocated bytes" attributes associated with the "quota affects element" association may be used to track and/or validate quota-related information pertaining to the received opaque management data request, as shown in FIGS. 2B and 2C. If it is determined that the quota-related information and/or requirements cannot be satisfied, the exemplary steps terminate.
Returning to step 306, if it is determined that the quota-related information and/or requirements are satisfied, the exemplary steps proceed to step 308. At step 308, the requested opaque management data operation may be performed in the managed system. For example, once the access and quota validation operations have succeeded, the requested opaque management data operation may be performed by an instance of CIM_OpaqueManagementData class 210.
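As an added illustration that is not code from the patent or from DMTF, the following Python models steps 302 through 308 with the classes and associations named above, so that the access check (step 304) and the quota check (step 306) can be exercised on constructed input. The quota semantics (allocated shares as an object count, bytes allocated as a byte ceiling), the operation set, the IsOwner rule for deletion, and all sample identities and data are assumptions constructed for the example.

```python
from collections import namedtuple

# Template classes/associations as plain records (constructed example, not DMTF schema code)
Role = namedtuple("Role", "name privileges")              # CIM_Role (220); a privilege (CIM_Privilege 222) is a frozenset of activities
Identity = namedtuple("Identity", "name roles accounts")  # CIM_Identity (214): roles via "member of collection", accounts via "assigned identity"
UserComponent = namedtuple("UserComponent", "is_owner access_rights")  # "opaque management data user component": IsOwner, AccessRights
Quota = namedtuple("Quota", "allocated_shares bytes_allocated")        # "quota affects element" association (limit semantics assumed here)

class OpaqueManagementDataService:   # CIM_OpaqueManagementDataService (206)
    def __init__(self):
        self.store = {}             # opmd_id -> (owner name, bytes): CIM_OpaqueManagementData (210) instances
        self.user_components = {}   # (identity name, opmd_id) -> UserComponent
        self.quotas = {}            # identity name -> Quota

    def request(self, account, identity, opmd_id, op, payload=b""):
        """Steps 302-308 for op in {"read", "write", "delete"}; returns (ok, result_or_reason)."""
        # step 304: access-related information resolved through the RBA/SIM template
        uc = self.user_components.get((identity.name, opmd_id))
        if account not in identity.accounts or uc is None:
            return False, "account not assigned to identity, or no user component for object"
        granted = {a for r in identity.roles for p in r.privileges for a in p}
        need = {"read": "read", "write": "write", "delete": "write"}.get(op)  # unknown op -> None -> denied
        if need not in granted or (need == "write" and uc.access_rights != "read-write"):
            return False, "privilege/access right missing"
        if op == "delete" and not uc.is_owner:
            return False, "only the owner may delete"
        # step 306: quota (share) information, consumed only by writes
        if op == "write":
            q = self.quotas.get(identity.name)
            others = {k: v for k, v in self.store.items() if v[0] == identity.name and k != opmd_id}
            if q is None or len(others) + 1 > q.allocated_shares:
                return False, "share count quota exceeded"
            if sum(len(v[1]) for v in others.values()) + len(payload) > q.bytes_allocated:
                return False, "byte quota exceeded"
        # step 308: perform the requested operation on the opaque management data instance
        if op == "write":
            self.store[opmd_id] = (identity.name, payload)
            return True, "written"
        if opmd_id not in self.store:
            return False, "no such object"
        if op == "read":
            return True, self.store[opmd_id][1]
        del self.store[opmd_id]
        return True, "deleted"

def build_sample():
    """Constructed sample: alice (owner, read-write, tight quota) and bob (non-owner, read-only)."""
    svc = OpaqueManagementDataService()
    alice = Identity("alice", [Role("admin", [frozenset({"read", "write"})])], {"alice-acct", "backup-app"})
    bob = Identity("bob", [Role("auditor", [frozenset({"read"})])], {"bob-acct"})
    svc.user_components.update({("alice", "blob1"): UserComponent(True, "read-write"),
                                ("alice", "blob2"): UserComponent(True, "read-write"),
                                ("bob", "blob1"): UserComponent(False, "read-only")})
    svc.quotas["alice"] = Quota(allocated_shares=1, bytes_allocated=8)
    return svc, alice, bob
```

Two accounts ("alice-acct" and "backup-app") share one identity, which is the joint representation the description above refers to; a write that fits the byte ceiling succeeds while a second object or a larger payload is refused at step 306.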
Various embodiments of the present invention may include a method and system for simulating opaque management data options for a user and/or owner. Opaque management data operations may be performed in network device 104. Network device 104 may be managed by management device 102 over management connection 106 through a Distributed Management Task Force (DMTF) Common Information Model (CIM) based protocol. Access authentication operations may be performed during an opaque management data operation through a DMTF/CIM based Role Based Authorization (RBA) and/or Simple Identity Management (SIM) template. One or more instances of CIM_Identity class 214 may be used to verify ownership and/or access rights through instances of CIM_Role class 220 and CIM_Privilege class 222. Thus, multiple common users, which may be represented by instances of CIM_Identity class 214, and/or multiple common applications, which may be represented by instances of CIM_UserEntity class 226, may be represented as authenticated instances of common users or common applications. Quota-related operations may be performed through a "quota affects element" association between an instance of CIM_Identity class 214 and an instance of CIM_OpaqueManagementDataService class 206. The "quota affects element" association can include an "allocated shares" and/or an "allocated bytes" attribute for tracking and/or validating quota-related information in the opaque management data template.
Another embodiment of the present invention may provide a machine or computer readable memory or medium having stored thereon a computer program comprising at least one code segment executable by a machine or computer for controlling the machine or computer to perform the steps described herein for simulating opaque management data options for a user and/or owner.
The present invention can be realized in hardware, software, or a combination of hardware and software. The present invention can be realized in a centralized fashion in at least one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods described herein is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
The present invention can also be implemented by a computer program product, which comprises all the features enabling the implementation of the methods of the invention and which, when loaded in a computer system, is able to carry out these methods. Computer program in the present context means any expression, in any programming language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different format to implement the specific function.
While the invention has been described with reference to several particular embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from its scope. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.
Claims (8)
1. A method of network management, comprising:
in a system managed by the Distributed Management Task Force (DMTF), verifying operations performed during an opaque management data operation in a network device through a Common Information Model (CIM) data model access template;
wherein the step of validating access-related information is performed by an instance of the CIM_Identity class using one or more instances of CIM_Role and/or CIM_Privilege.
2. The method according to claim 1, comprising validating access related information during said opaque management data operation through said common information model CIM data model access template, wherein said access related information comprises ownership, access rights and/or share information.
3. The method according to claim 2, wherein the CIM data model access template comprises a role based authorization, RBA, and/or a simple identity management, SIM, based template.
4. The method for network management according to claim 3, characterized in that it comprises the use of an instance of a CIM_Identity class in said step of validating said access-related information, performed using a role-based authorization (RBA) and/or simple identity management (SIM) based template.
5. The method of claim 4, comprising using a plurality of CIM_Account classes to represent a plurality of common users sharing a common instance of the CIM_Identity class.
6. A network management system, comprising:
one or more processors in the network device managed by the Distributed Management Task Force (DMTF), and a module for verifying operations performed during opaque management data operations in the network device through a Common Information Model (CIM) data model access template;
means, by the one or more processors, for performing the step of validating the access-related information using one or more instances of CIM_Role and/or CIM_Privilege through an instance of a CIM_Identity class.
7. The network management system of claim 6, further comprising means, by the one or more processors, for validating access-related information during the opaque management data operation through the Common Information Model (CIM) data model access template, wherein the access-related information comprises ownership, access rights, and/or share information.
8. The network management system of claim 7, wherein the CIM data model access templates comprise role-based authorization (RBA) and/or simple identity management (SIM) based templates.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US91719907P | 2007-05-10 | 2007-05-10 | |
| US60/917,199 | 2007-05-10 | ||
| PCT/US2008/063285 WO2008141212A2 (en) | 2007-05-10 | 2008-05-09 | Method and system for modeling options for opaque management data for a user and/or an owner |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1137531A1 (en) | 2010-07-30 |
| HK1137531B (en) | 2011-12-30 |