Method and apparatus for creating a database

By creating a database under the user's cloud account and authorizing it using RAM roles, the problem of users being unable to manage the database is solved, enabling users to manage database permissions and providing a better user experience.

CN114706835BActive Publication Date: 2026-07-03BEIJING OCEANBASE TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING OCEANBASE TECHNOLOGY CO LTD
Filing Date
2022-03-29
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

In traditional database creation mechanisms, users cannot manage the database, nor can they know about load balancing strategies or server operating status, resulting in a poor user experience.

Method used

On the cloud platform, database service providers create databases directly under the user's cloud account and authorize the database service provider to use the user's cloud resources through RAM roles, giving the user management privileges over the database.

Benefits of technology

Users can manage the database, learn about load balancing strategies and server operating status, thus improving the user experience.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN114706835B_ABST
    Figure CN114706835B_ABST
Patent Text Reader

Abstract

This disclosure provides a method and apparatus for creating a database. The method is executed by a database service provider in a cloud platform and includes: receiving a database creation request, the request requesting the creation of a database for a user under a user's cloud account, the cloud platform storing the user's cloud account; and responding to the database creation request, creating the database for the user under the user's cloud account. In this disclosure, the database service provider can directly create the database for the user under the user's cloud account, enabling the user to have database management permissions. This avoids the problem in traditional database creation mechanisms where the database service provider creates the database under its own cloud account, preventing the user from managing the database.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the technical field, and more specifically to a method and apparatus for creating a database. Background Technology

[0002] With the increasing prevalence of cloud technology, database service providers can create databases for users on cloud platforms. When a user needs to create a database on a cloud platform, the database service provider will purchase cloud resources (such as servers) under its own cloud account to create the database and then sell the created database to the user. In this database creation mechanism, the server used to create the database and the data in the database are both hosted on the database service provider's premises. For the user, they only use the database and are unaware of the database creation architecture or the underlying cloud resources on which the database depends.

[0003] As users become more knowledgeable, they often desire the ability to view and manage databases. However, in the traditional database creation mechanisms described above, users only have access to the database but not management privileges. For example, users cannot know the load balancing strategies used in the database, nor can they know the operational status of the servers within the database. Therefore, these traditional database creation mechanisms fail to meet user needs, resulting in a poor user experience. Summary of the Invention

[0004] In view of this, the present disclosure aims to provide a method and apparatus for creating a database to improve user experience.

[0005] In a first aspect, a method for creating a database is provided, the method being executed by a database service provider in a cloud platform, the method comprising: receiving a database creation request, the database creation request being used to request the creation of a database for the user under the user's cloud account, the cloud platform recording the user's cloud account; and responding to the database creation request, creating the database for the user under the user's cloud account.

[0006] In one possible implementation, the cloud platform stores RAM roles, which are created based on the user's cloud account. Creating the database for the user under the user's cloud account includes: creating the database for the user under the user's cloud account using the RAM roles.

[0007] In one possible implementation, the RAM role association utilizes the permissions required to create the database using a target resource, which is a cloud resource under the user's cloud account.

[0008] In one possible implementation, the user has ownership of the devices in the database, and / or ownership of the data in the database.

[0009] Secondly, a method for creating a database is provided, the method being applied to a cloud platform, the cloud platform recording a user's cloud account, the method comprising: receiving a database creation request, the database creation request being used to request the creation of a database under the user's cloud account.

[0010] In one possible implementation, the cloud platform stores RAM roles, which are created based on the user's cloud account and are assigned to the database service provider within the cloud platform.

[0011] In one possible implementation, the method further includes: receiving a creation request for the RAM role sent by the user, the creation request being used to request the creation of the RAM role based on the user's cloud account; and receiving an indication message sent by the user, the indication message being used to indicate that the cloud account authorized for the RAM role is the cloud account of the database service provider.

[0012] In one possible implementation, the method further includes: receiving an authorization request sent by the user, the authorization request being used to request that the RAM role be granted the permission required to create the database using a target resource, the target resource being a cloud resource under the user's cloud account.

[0013] In one possible implementation, the user has ownership of the devices in the database, and / or ownership of the data in the database.

[0014] Thirdly, a method for creating a database is provided, the method being executed by a user in a cloud platform, the method comprising: sending a database creation request, the database creation request being used to request the creation of a database for the user under the user's cloud account, the cloud platform recording the user's cloud account.

[0015] In one possible implementation, the cloud platform stores RAM roles, which are created based on the user's cloud account and are assigned to the database service provider within the cloud platform.

[0016] In one possible implementation, the RAM role association utilizes the permissions required to create the database using a target resource, which is a cloud resource under the user's cloud account.

[0017] In one possible implementation, the user has ownership of the devices in the database, and / or ownership of the data in the database.

[0018] Fourthly, an apparatus for creating a database is provided, the apparatus being disposed at a database service provider in a cloud platform, the apparatus comprising: a receiving unit for receiving a database creation request, the database creation request being for requesting the creation of a database for the user under the user's cloud account, the cloud platform recording the user's cloud account; and a processing unit for responding to the database creation request and creating the database for the user under the user's cloud account.

[0019] In one possible implementation, the cloud platform stores RAM roles, which are created based on the user's cloud account. The processing unit is further configured to: create the database for the user under the user's cloud account using the RAM roles.

[0020] In one possible implementation, the RAM role association utilizes the permissions required to create the database using a target resource, which is a cloud resource under the user's cloud account.

[0021] In one possible implementation, the user has ownership of the devices in the database, and / or ownership of the data in the database.

[0022] Fifthly, an apparatus for creating a database is provided, the apparatus being a cloud platform, the cloud platform storing user cloud accounts, the apparatus comprising: a receiving unit for receiving a database creation request, the database creation request being used to request the creation of a database under the user's cloud account.

[0023] In one possible implementation, the cloud platform stores RAM roles, which are created based on the user's cloud account and are assigned to the database service provider.

[0024] In one possible implementation, the receiving unit is further configured to: receive a creation request for the RAM role sent by the user, the creation request being used to request the creation of the RAM role based on the user's cloud account; and receive indication information sent by the user, the indication information being used to indicate that the cloud account authorized for the RAM role is the cloud account of the database service provider.

[0025] In one possible implementation, the receiving unit is further configured to: receive an authorization request sent by the user, the authorization request being used to request that the RAM role be granted the permission required to create the database using a target resource, the target resource being a cloud resource under the user's cloud account.

[0026] In one possible implementation, the user has ownership of the devices in the database, and / or ownership of the data in the database.

[0027] Sixthly, an apparatus for creating a database is provided, the apparatus being located at a user's location in a cloud platform, the apparatus comprising: a sending unit for sending a database creation request, the database creation request being used to request the creation of a database for the user under the user's cloud account, the cloud platform recording the user's cloud account.

[0028] A seventh aspect provides an apparatus including an input / output interface, a processor, and a memory. The processor controls the input / output interface to input or output information, the memory stores a computer program, and the processor retrieves and runs the computer program from the memory, causing the apparatus to perform the methods described in any of the preceding aspects.

[0029] Eighthly, a computer program product is provided, the computer program product comprising: computer program code, which, when run on a computer, causes the computer to perform the methods described in the preceding aspects.

[0030] Ninthly, a computer-readable medium is provided that stores program code, which, when run on a computer, causes the computer to perform the methods described in the preceding aspects.

[0031] In this disclosure, the database service provider can directly create databases for users under their cloud accounts, giving users management privileges. This avoids the problem in traditional database creation mechanisms where the database service provider creates the database under its own cloud account, preventing users from managing the database. Attached Figure Description

[0032] Figure 1 The diagram shown is a schematic of the cloud architecture applicable to the embodiments of this disclosure.

[0033] Figure 2 The diagram shows the hardware and software deployment in the physical server.

[0034] Figure 3 The diagram shows the hardware configuration of a physical server.

[0035] Figure 4 The diagram illustrates the creation of a database in a traditional cloud platform.

[0036] Figure 5 The diagram shown is a flowchart of a method for creating a database according to an embodiment of this disclosure.

[0037] Figure 6(a) is a schematic diagram of the relationship between the database and the cloud account in an embodiment of this disclosure.

[0038] Figure 6(b) shows a flowchart of a method for creating a database according to another embodiment of this disclosure.

[0039] Figure 7 This is a schematic diagram of an apparatus for creating a database according to an embodiment of the present disclosure.

[0040] Figure 8 This is a schematic diagram of an apparatus for creating a database according to an embodiment of the present disclosure.

[0041] Figure 9 This is a schematic diagram of an apparatus for creating a database according to an embodiment of the present disclosure.

[0042] Figure 10 This is a schematic block diagram of an apparatus according to another embodiment of the present disclosure. Detailed Implementation

[0043] The technical solutions of the present disclosure will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present disclosure, and not all embodiments.

[0044] To facilitate understanding, the following text will first combine... Figures 1 to 3 This disclosure describes the cloud architecture to which the embodiments of this disclosure apply. Figure 1 This is a schematic diagram of a system to which embodiments of this disclosure apply. Figure 1 The system 100 shown includes a cloud platform 110 and at least one client 110.

[0045] The cloud platform 110 can be a single cloud server or a cluster of cloud servers. Clients 120 can be installed on terminal devices such as computers, tablets, and smartphones. Each client 120 establishes a connection with the cloud platform 110 via a wireless or wired network.

[0046] A cloud server refers to a physical server capable of providing computing services, such as elastic computing services. A schematic diagram of a physical server's composition is shown below. Figure 2 and Figure 3 As shown, Figure 2 This shows the hardware and software deployment in the physical server. Figure 3 The hardware configuration of the physical server is shown. See also... Figure 2The physical server includes a hardware platform 210, which may include hard drives, central processing units, network interfaces, and storage, among other things, in the server's physical structure. A software platform 220 runs on the hardware platform 210. The software platform 220 may include virtualization software, virtual machine operating systems, virtual machine communication software, and virtual machine application software. The virtualization software (e.g., a hypervisor) is an intermediary layer between the physical hardware and the virtual machines, responsible for coordinating the access of each virtual machine to the hardware platform. The hypervisor, also known as a Virtual Machine Monitor (VMM), may include a virtual hardware platform that implements the virtual machines, containing virtualized storage, a central processing unit, hard drives, graphics cards, and network interfaces. Multiple virtual machines (VMs) VM1 to VMn run on top of the VMM, with the virtual machine software systems running on the virtual hardware platform of the virtual machine monitor. Communication between virtual machines can be achieved through a virtual switch; the software platform 220 also includes virtual machine communication software, such as a virtual switch.

[0047] See Figure 3 The physical server may include a processing unit 310 and a communication interface 320. The processing unit 310 is used to execute the functions defined by the operating system and various software programs running on the physical server, such as those described above. Figure 2The software platform 220 shown illustrates the functions of various software components. For example, the processing unit implements the functions of a VMM, a virtual switch, or a virtual machine. The communication interface 320 is used for communication and interaction with other devices, which may be other physical servers. Optionally, the communication interface 320 may be a network adapter card. Optionally, the physical server may also include an input / output interface 330, which is connected to input / output devices for receiving input information and outputting operation results. The input / output interface 330 may be a mouse, keyboard, monitor, or optical drive, etc. Optionally, the physical server may also include auxiliary storage 340, generally also called external storage. The storage medium of the auxiliary storage 340 may be magnetic media (e.g., floppy disk, hard disk, magnetic tape), optical media (e.g., optical disc), or semiconductor media (e.g., solid-state drive), etc. The processing unit 310 can have various specific implementations. For example, the processing unit 310 may include a processor 312 and memory 311. The processor 312 executes related operations according to the program units stored in the memory 311. The processor 312 can be a central processing unit (CPU) or a graphics processing unit (GPU), and it can be a single-core or multi-core processor. The processing unit 310 can also be implemented using a logic device with built-in processing logic, such as a field-programmable gate array (FPGA) or a digital signal processor (DSP). Furthermore, Figure 2 This is just one example of a physical server; a physical server may contain more than... Figure 2 The number of components displayed may be more or less, or there may be different component configurations.

[0048] Cloud Account

[0049] Before using cloud services, you typically need to register a cloud account. A cloud account serves as the basic entity for cloud resource ownership, resource usage metering, and billing. Users can pay for the resources they own through their cloud account and have complete control over all resources under their name.

[0050] By default, resources in a cloud platform can only be accessed by a cloud account; any other user must obtain explicit authorization from the cloud account to access them. A cloud account can be understood as the root or administrator account in an operating system, so it is sometimes referred to as the root account or master account.

[0051] To ensure cloud account security, it's generally advisable to avoid unauthorized login to the console or the creation of access keys for others unless absolutely necessary. In some implementations, a Resource Access Management (RAM) user can be created under the cloud account, granting the RAM user corresponding resource access permissions. This allows others to directly access resources under the cloud account through the RAM user.

[0052] RAM

[0053] RAM is a service provided by cloud platforms to manage user identities and resource access permissions. Through RAM, you can create RAM users, manage RAM users (such as employees, systems, or applications), and control the permissions of these RAM users.

[0054] For enterprises with multiple users collaborating, RAM can be used to assign different resource access permissions to each user. On the one hand, this avoids sharing cloud account keys with other users, and on the other hand, it allows for the allocation of the minimum permissions to users as needed, thereby reducing the enterprise's information security risks.

[0055] RAM offers more granular access control. Each permission can be configured with the resources it grants. For example, a cloud account can grant a RAM user the permissions to deploy and stop an app. Specifically, the permissions to deploy an app can be configured with resources APP1 and APP2, and the permissions to stop an app can be configured with resources APP2 and APP3. In this case, the RAM user can deploy APP1 and APP2, but not APP3. Furthermore, the RAM user can stop APP2 and APP3, but not APP1.

[0056] RAM role

[0057] RAM roles, like RAM users, are a type of RAM identity. A RAM role is a virtual user without a fixed authentication key and needs to be assumed by a trusted entity user to function properly. Typically, an entity user assuming a RAM role can be considered a RAM user.

[0058] Generally, a RAM role has a defined identity and can be assigned a set of permission policies. An entity user assuming a RAM role can only access authorized resources based on the corresponding permission policies. In some implementations, after successfully assuming a RAM role, the entity user will obtain a RAM role security token (also known as a "RAM role token"), which can be used to access authorized resources as a RAM role.

[0059] In some implementations, an entity user can invoke the STS API AssumeRole to assume a RAM role and obtain a security token for that RAM role. This RAM role security token can then be used to access cloud service APIs. The security token can be understood as a temporary access key for the RAM role identity. RAM role identities typically do not have a fixed access key; when an entity user wants to use a RAM role, they must assume the RAM role to obtain the corresponding security token, and then use the security token to invoke the cloud service API.

[0060] Entity users can assume RAM roles through the cloud platform's console. For example, an entity user can switch identities from their current logged-in identity to a RAM role in the console. Alternatively, entity users can assume RAM roles by calling APIs. For instance, an entity user can obtain a security token by calling the AssumeRole interface and use the security token to access cloud service APIs.

[0061] Currently, RAM supports three types of roles based on the trusted entity: cloud account, cloud service, and identity provider. For the cloud account type RAM role, the RAM user playing the role can be either their own cloud account or another user's cloud account. This type of role is primarily used to resolve cross-account access and temporary authorization issues.

[0062] In some implementations, User A can create a RAM role of type cloud account in the console using the following steps: First, User A can log in to the RAM console using their cloud account and, on the Roles page, click Create Role to display the Role Creation panel. In the Role Creation panel, select Cloud Account as the Trusted Entity type, then set the RAM role information and enter the RAM role name. Finally, User A can select a cloud account that can assume this RAM role to complete the RAM role creation. Afterwards, User A can authorize the created RAM role.

[0063] In some cases, User A can choose the current cloud account to assume the RAM role, meaning User A allows RAM users under the current cloud account to assume the RAM role. In other cases, User A can choose another cloud account to assume the RAM role, meaning User A allows RAM users under another user's (e.g., User B's) cloud account to assume the RAM role, thus completing cross-cloud account resource authorization access.

[0064] Currently, RAM roles can be identified by their Role ARN. The Role ARN is a global resource descriptor for a RAM role, used to specify the specific role. Typically, Role ARNs follow cloud ARN naming conventions. After creating a RAM role, you can usually view its Role ARN on the basic information page.

[0065] In some situations, users with cloud accounts may need to modify permissions for other users or revoke permissions already granted to them. These operations can be achieved by removing permissions from RAM users or RAM roles, or by removing RAM users themselves. For ease of understanding, the following describes the process of removing permissions from RAM users or RAM roles, as well as deleting RAM users.

[0066] Remove permissions from RAM users or RAM roles.

[0067] Suppose user A needs to modify the permissions of a RAM role. User A can log in to the RAM console and select the user login name whose authorization needs to be revoked on the user page. Then, user A can click the Permission Management tab on the user's basic information page and click Remove Permission in the operation column of the target permission on the Permission Management tab to complete the modification of RAM role permissions.

[0068] Remove RAM role

[0069] Suppose user A needs to delete a RAM role. User A can log in to the RAM console and click "Delete" in the operation column of the user page to delete the RAM role.

[0070] In some implementations, the impact of deleting a user can be viewed in the delete user dialog box before deleting a RAM role. When you are sure you want to delete the user, click "I am aware of the risks, confirm deletion".

[0071] Access key and encrypted access key

[0072] Cloud servers require the use of an Access Key Id (AK) and a Secret Access Key (SK) to verify the identity of the sender of a request. The AK identifies the user. The SK is the key used by the user to encrypt the authentication string and by the cloud platform to verify the authentication string. Typically, the SK needs to be kept confidential.

[0073] When a user sends a request to a cloud server, the request includes an authentication string generated using the SK corresponding to the AK and the authentication mechanism. Correspondingly, upon receiving the user's request, the cloud server can also generate an authentication string using the SK corresponding to the AK and the authentication mechanism, and compare it with the authentication string included in the user's request. Specifically, the SK used by the cloud server is the same as the SK used by the user, and the authentication mechanism used by the cloud server is the same as the authentication mechanism used by the user. If the authentication strings are the same, the cloud server assumes the user has the specified operation permissions and executes the relevant operation; if the authentication strings are different, the cloud server will ignore the operation and return an error code.

[0074] With the increasing prevalence of cloud technology, database service providers can create databases for users on cloud platforms. When a user needs to create a database on a cloud platform, see [link to relevant documentation]. Figure 4 Database service providers create databases by purchasing cloud resources (such as servers) under their own cloud accounts and then sell the created databases to users. In this database creation mechanism, the servers used to create the database and the data in the database are hosted on the database service provider's premises. For users, they only use the database and are unaware of the database creation architecture or the underlying cloud resources on which the database depends.

[0075] As users become more knowledgeable, they often desire the ability to view and manage databases. However, in the traditional database creation mechanisms described above, users only have access to the database but not management privileges. For example, users cannot know the load balancing strategies used in the database, nor can they know the operational status of the servers within the database. Therefore, these traditional database creation mechanisms fail to meet user needs, resulting in a poor user experience.

[0076] To avoid the aforementioned problems, this disclosure provides a method for creating a database. On a cloud platform, the database service provider can directly create the database under the user's cloud account, thus granting the user management privileges and improving the user experience.

[0077] The following text combines Figure 5 The method described in the embodiments of this disclosure, Figure 5 This is a flowchart of a method for creating a database according to an embodiment of this disclosure. It should be understood that... Figure 5 The method shown can be applied to a cloud platform and executed by a database service provider within that platform. The cloud platform could be, for example, a... Figures 1 to 3 Any of the cloud platforms shown. The cloud platform records the user's cloud account. Figure 5 The method shown includes steps S510 to S520.

[0078] In step S510, a database creation request is received.

[0079] The database creation request is used to request the creation of a database for the user under their cloud account. In some implementations, this database creation request can be sent by the user through a client on the cloud platform. Accordingly, the database service provider can receive this database creation request through the cloud platform.

[0080] Furthermore, the aforementioned database creation request can request to create a database using target resources within the cloud platform. These target resources may include servers, computing devices, etc., within the cloud platform. In some implementations, the target resources are resources under the user's cloud account; that is, the target resources are resources purchased by the user using their cloud account within the cloud platform.

[0081] In step S520, in response to the database creation request, a database is created for the user under the user's cloud account.

[0082] The database mentioned above is created under the user's cloud account, which means the user has management privileges over the database. For example, the user can know the load balancing strategy used in the database. Another example is that the user can know the operational status of the servers within the database.

[0083] In the disclosed embodiments, the database service provider can directly create databases for users under their cloud accounts, giving users management privileges over the databases. This avoids the problem in traditional database creation mechanisms where the database service provider creates the database under its own cloud account, preventing users from managing the database.

[0084] As mentioned above, the cloud account is the fundamental entity responsible for ownership of cloud resources. Because database service providers create databases directly under the user's cloud account, the user not only owns the cloud resources used to create the database (e.g., servers), but also owns the data stored in the database.

[0085] As explained above, database service providers need to utilize target resources under a user's cloud account to create a database. Therefore, the database service provider requires access permissions to the target resources to create the database. In some implementations, users can send an AK / SK to the database service provider, allowing the database service to access the target resources under the user's cloud account. However, as mentioned above, the AK / SK is a long-term, fixed key associated with the cloud account. If the user sends the AK / SK to the database service provider, resulting in key leakage, it will reduce the security of the user's cloud account.

[0086] Therefore, this disclosure also provides an authorization method whereby a user can create a RAM role using their cloud account and grant the RAM role to a database service provider. Simultaneously, the RAM role possesses the permissions required to create a database using the target resources. In this way, the database service provider can create a database using the target resources by assuming the role of a RAM character. This RAM role-based authorization method avoids the problem of users sending their cloud account's associated AK / SK to the database service provider, which could lead to a decrease in the security of the user's cloud account.

[0087] To facilitate understanding, the following section first describes the method for users to create RAM roles based on their cloud accounts. Specifically, the method also includes the following steps executed by the cloud platform or the cloud host: receiving a RAM role creation request from the user, the request being used to request the creation of a RAM role based on the user's cloud account; and receiving an instruction message from the user, indicating that the RAM role requires authorization using the database service provider's cloud account.

[0088] It should be noted that the above-mentioned RAM role creation can be performed in the RAM console of the cloud platform. The specific implementation method has been described in detail when introducing RAM roles above, and will not be repeated here for the sake of brevity.

[0089] After a user creates a RAM role, the user needs to grant permissions to the RAM role. That is, the above method also includes: receiving an authorization request sent by the user, the authorization request being used to request that the RAM role be granted the permissions required to create a database using a target resource, wherein the target resource is a cloud resource under the user's cloud account.

[0090] The permissions required to create a database using the target resource may include permissions to access the target resource and / or permissions to manage the target resource.

[0091] It should be noted that the above method for setting permissions for RAM roles can be implemented through the RAM console of the cloud platform. For specific implementation methods, please refer to the introduction of RAM roles above. This disclosure embodiment does not limit this.

[0092] After a user creates a RAM role for a database service provider based on their cloud account and grants the corresponding permissions, the database service provider can then use the RAM role to create a database using the target resources. That is, step S520 above includes: creating the database for the user under their cloud account using the RAM role.

[0093] For ease of understanding, the method of this disclosure embodiment is described below using Figure 6(a) as an example to illustrate the relationship between the database and the cloud account. The method shown in Figure 6(b) includes steps S610 to S660.

[0094] In step S610, the user creates a RAM role for the database service provider's cloud account based on their own cloud account.

[0095] In step S620, the user grants first permissions to the RAM role, completing the creation of the cross-account RAM role.

[0096] In some implementations, the aforementioned first permission may include the permissions required to create a database using cloud resources under the user's cloud account, such as the permission to access and manage cloud resources under the user's cloud account. It should be noted that the aforementioned first permission can be set based on the requirements of the database service provider.

[0097] In step S630, the user provides the RAM role's ARN to the database service provider.

[0098] In step S640, the user requests the creation of a database service.

[0099] In some implementations, users can send database creation requests to database service providers through a cloud platform to request the creation of a database for the user under their cloud account.

[0100] In step S650, the database service provider creates a database for the user under the user's cloud account using the RAM role.

[0101] In some implementations, database service providers can use Role-Based Networks (ARNs) to determine RAM roles. They can then leverage the STS service within the cloud platform to assume the RAM role and obtain temporary operation credentials (e.g., security tokens) provided by the cloud platform.

[0102] In some implementations, security tokens have an expiration time; that is, the security token is valid for a period of time and expires after the specified period.

[0103] In step S660, the database service provider creates the database within a limited time based on the security token.

[0104] The above-mentioned database creation can include operations such as database resource creation and database deployment.

[0105] The above text combined Figure 1 Figure 6 and above have described in detail the method embodiments of this disclosure. The following will be combined with... Figures 7 to 8 The present disclosure provides a detailed description of the apparatus embodiments. It should be understood that the descriptions of the method embodiments correspond to the descriptions of the apparatus embodiments; therefore, any parts not described in detail can be found in the foregoing method embodiments.

[0106] Figure 7 This is a schematic diagram of an apparatus for creating a database according to an embodiment of the present disclosure. Figure 7The device 700 shown is located at the database service provider in the cloud platform. The device 700 includes a receiving unit 710 and a processing unit 720.

[0107] The receiving unit 710 is used to receive a database creation request, which is used to request the creation of a database for the user under the user's cloud account, and the cloud platform records the user's cloud account.

[0108] Processing unit 720 is configured to, in response to the database creation request, create the database for the user under the user's cloud account.

[0109] In one possible implementation, the cloud platform stores RAM roles, which are created based on the user's cloud account. The processing unit is further configured to: create the database for the user under the user's cloud account using the RAM roles.

[0110] In one possible implementation, the RAM role association utilizes the permissions required to create the database using a target resource, which is a cloud resource under the user's cloud account.

[0111] In one possible implementation, the user has ownership of the devices in the database, and / or ownership of the data in the database.

[0112] Figure 8 This is a schematic diagram of an apparatus for creating a database according to an embodiment of the present disclosure. Figure 8 The device 800 shown is a cloud platform, which records users' cloud accounts. The device 800 includes a receiving unit 810.

[0113] The receiving unit 810 is used to receive a database creation request, which is used to request the creation of a database under the user's cloud account.

[0114] In one possible implementation, the cloud platform stores RAM roles, which are created based on the user's cloud account and are assigned to the database service provider.

[0115] In one possible implementation, the receiving unit is further configured to: receive a creation request for the RAM role sent by the user, the creation request being used to request the creation of the RAM role based on the user's cloud account; and receive indication information sent by the user, the indication information being used to indicate that the cloud account authorized for the RAM role is the cloud account of the database service provider.

[0116] In one possible implementation, the receiving unit is further configured to: receive an authorization request sent by the user, the authorization request being used to request that the RAM role be granted the permission required to create the database using a target resource, the target resource being a cloud resource under the user's cloud account.

[0117] In one possible implementation, the user has ownership of the devices in the database, and / or ownership of the data in the database.

[0118] Figure 9 This is a schematic diagram of an apparatus for creating a database according to an embodiment of the present disclosure. Figure 9 The device 900 shown is located at the user's location in the cloud platform, and the device 900 includes: a sending unit 910.

[0119] Sending unit 910 is used to send a database creation request, which requests the creation of a database for the user under the user's cloud account, and the cloud platform records the user's cloud account.

[0120] In an optional embodiment, the processing unit 720 may be a processor 1020, the receiving unit 710 may be an input / output interface 1040, and the device 1000 may further include a memory 1010, specifically as follows: Figure 10 As shown.

[0121] In an optional embodiment, the receiving unit 810 may be an input / output interface 1040, and the device 1000 may further include a processor 1020 and a memory 1010, specifically as follows: Figure 10 As shown.

[0122] In an optional embodiment, the transmitting unit 910 may be an input / output interface 1040, and the device 1000 may further include a processor 1020 and a memory 1010, specifically as follows: Figure 10 As shown.

[0123] Figure 10 This is a schematic block diagram of an apparatus according to another embodiment of the present disclosure. Figure 10 The illustrated device 1000 may include: a memory 1010, a processor 1020, an input / output interface 1030, and a transceiver 1040. The memory 1010, processor 1020, input / output interface 1030, and transceiver 1040 are connected via internal interconnections. The memory 1010 stores instructions, and the processor 1020 executes the instructions stored in the memory 1020 to control the input / output interface 1030 to receive input data and information, output operation results, and control the transceiver 1040 to send signals.

[0124] It should be understood that in the embodiments of this disclosure, the processor 1020 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits to execute relevant programs in order to implement the technical solutions provided in the embodiments of this disclosure.

[0125] It should also be understood that transceiver 1040, also known as a communication interface, uses transceiver devices such as, but not limited to, transceivers to enable communication between terminal 1000 and other devices or communication networks.

[0126] The memory 1010 may include read-only memory and random access memory, and provides instructions and data to the processor 1020. A portion of the processor 1020 may also include non-volatile random access memory. For example, the processor 1020 may also store device type information.

[0127] In implementation, each step of the above method can be completed by the integrated logic circuitry of the hardware in the processor 1020 or by instructions in software form. The method for requesting uplink transmission resources disclosed in this embodiment can be directly implemented by the hardware processor, or by a combination of hardware and software modules in the processor. The software modules can reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. This storage medium is located in memory 1010, and the processor 1020 reads the information in memory 1010 and, in conjunction with its hardware, completes the steps of the above method. To avoid repetition, detailed descriptions are omitted here.

[0128] It should be understood that in the embodiments of this disclosure, the processor can be a central processing unit (CPU), or it can be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or any conventional processor.

[0129] It should be understood that in the embodiments of this disclosure, "B corresponding to A" means that B is associated with A, and B can be determined based on A. However, it should also be understood that determining B based on A does not mean that B is determined solely based on A; B can also be determined based on A and / or other information.

[0130] It should be understood that the term "and / or" in this article is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, or B existing alone. Additionally, the character " / " in this article generally indicates that the preceding and following related objects have an "or" relationship.

[0131] It should be understood that in the various embodiments of this disclosure, the sequence number of each process does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this disclosure.

[0132] In the several embodiments provided in this disclosure, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.

[0133] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0134] In addition, the functional units in the various embodiments of this disclosure can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.

[0135] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this disclosure are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that a computer can read or a data storage device such as a server or data center that integrates one or more available media. The available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., digital video discs, DVDs) or semiconductor media (e.g., solid-state disks, SSDs), etc.

[0136] The above description is merely a specific embodiment of this disclosure, but the scope of protection of this disclosure is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this disclosure should be included within the scope of protection of this disclosure. Therefore, the scope of protection of this disclosure should be determined by the scope of the claims.

Claims

1. A method for creating a database, the method being performed by a database service provider in a cloud platform, the database service provider having a first cloud account in the cloud platform; the method comprising: Receive a database creation request, the database creation request being used to request the creation of a database for the user under the user's second cloud account, the user's second cloud account being recorded on the cloud platform; In response to the database creation request, the database service provider uses the Role Global Resource Descriptor (ARN) provided by the user to determine the RAM role, and creates the database for the user under the second cloud account by using the first cloud account to play the RAM role, so that the user has management rights over the database; The RAM role is created based on the user's second cloud account.

2. The method as described in claim 1, wherein the RAM role association utilizes the permissions required to create the database using the target resource, and the target resource is a cloud resource under the user's second cloud account.

3. The method of claim 1, wherein the user has ownership of the device in the database, and / or ownership of the data in the database.

4. A method for creating a database, the method being applied to a cloud platform, the cloud platform recording a first cloud account of a database service provider and a second cloud account of a user, the method comprising: Receive a database creation request, the database creation request being used to request the creation of a database under the user's second cloud account; The database creation request is forwarded to the database service provider, which uses the Role Global Resource Descriptor (ARN) provided by the user to determine the RAM role, and uses the first cloud account to play the RAM role to create the database for the user under the second cloud account, so that the user has management rights over the database. The RAM role is created based on the user's second cloud account.

5. The method as described in claim 4, wherein the RAM role is assigned to the database service provider in the cloud platform.

6. The method of claim 5, further comprising: Receive the RAM role creation request sent by the user, the creation request being used to request the creation of the RAM role based on the user's second cloud account; The system receives an instruction message sent by the user, which indicates that the RAM role needs to authorize the first cloud account.

7. The method of claim 5 or 6, further comprising: The system receives an authorization request sent by the user, which requests permission to create the database using the target resource, which is a cloud resource under the user's second cloud account.

8. The method of claim 4, wherein the user has ownership of the device in the database, and / or ownership of the data in the database.

9. A method for creating a database, the method being performed by a user in a cloud platform, the cloud platform recording a first cloud account of a database service provider and a second cloud account of the user, the method comprising: The cloud platform sends a database creation request to the database service provider, and the database creation request is used to request the creation of a database for the user under the user's second cloud account. This enables the database service provider to determine the RAM role using the Role Global Resource Descriptor (ARN) provided by the user, and to create the database for the user under the second cloud account by using the first cloud account to assume the RAM role, thereby giving the user management privileges over the database. The RAM role is created based on the user's second cloud account.

10. An apparatus for creating a database, the apparatus being disposed at a database service provider in a cloud platform, the database service provider having a first cloud account in the cloud platform; the apparatus comprising: A receiving unit is used to receive a database creation request, the database creation request being used to request the creation of a database for the user under the user's second cloud account, the cloud platform recording the user's second cloud account; The processing unit is configured to respond to the database creation request by enabling the database service provider to determine the RAM role using the Role Global Resource Descriptor (ARN) provided by the user, and to create the database for the user under the user's second cloud account by using the first cloud account to assume the RAM role, thereby enabling the user to have management permissions for the database. The RAM role is created based on the user's second cloud account.

11. The apparatus of claim 10, wherein the RAM role association utilizes the permissions required to create the database using the target resource, the target resource being a cloud resource under the user's second cloud account.

12. The apparatus of claim 10, wherein the user has ownership of the device in the database, and / or ownership of the data in the database.

13. An apparatus for creating a database, the apparatus being a cloud platform, the cloud platform storing a first cloud account of a database service provider and a second cloud account of a user, the apparatus comprising: A receiving unit is configured to receive a database creation request, wherein the database creation request is used to request the creation of a database under the user's second cloud account; The forwarding unit is used to forward the database creation request to the database service provider, so that the provider can determine the RAM role using the Role Global Resource Descriptor (ARN) provided by the user, and create the database for the user under the second cloud account by using the first cloud account to play the RAM role, so that the user has the management rights of the database. The RAM role is created based on the user's second cloud account.

14. The apparatus of claim 13, wherein the RAM role is assigned to the database service provider in the cloud platform.

15. The apparatus of claim 14, wherein the receiving unit is further configured to: Receive a RAM role creation request sent by the user, the creation request being used to request the creation of the RAM role based on the user's second cloud account; and The system receives an instruction message sent by the user, which indicates that the RAM role needs to authorize the first cloud account.

16. The apparatus of claim 14 or 15, wherein the receiving unit is further configured to: The system receives an authorization request sent by the user, which requests permission to create the database using the target resource, which is a cloud resource under the user's first cloud account.

17. The apparatus of claim 13, wherein the user has ownership of the device in the database, and / or ownership of the data in the database.

18. An apparatus for creating a database, the apparatus being located at a user's location in a cloud platform, the cloud platform storing a first cloud account of a database service provider and a second cloud account of the user, the apparatus comprising: The sending unit is used to send a database creation request to a database service provider through the cloud platform. The database creation request is used to request the creation of a database for the user under the user's second cloud account. This enables the database service provider to determine the RAM role using the Role Global Resource Descriptor (ARN) provided by the user, and to create the database for the user under the second cloud account by assuming the RAM role based on the first cloud account, thereby giving the user management privileges over the database. The RAM role is created based on the user's second cloud account.

19. An apparatus for creating a database, comprising a memory and a processor, the memory storing executable code, the processor being configured to execute the executable code to implement the method of any one of claims 1-3.

20. An apparatus for creating a database, comprising a memory and a processor, the memory storing executable code, the processor being configured to execute the executable code to implement the method of any one of claims 4-8.

21. An apparatus for creating a database, comprising a memory and a processor, the memory storing executable code, the processor being configured to execute the executable code to implement the method of claim 9.