September 2021
Beginner to intermediate
392 pages
12h 13m
Chinese
book
Google系统架构解密: 构建安全可靠的系统
by Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, Adam Stubblefield
Content preview from Google系统架构解密: 构建安全可靠的系统
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
72
|
第
6
章
用户
访问
Google
服务的用户。
管理员
是生产系统内所有交互的基础。在工作负载间交互的情况下,管理员可能不会主
动修改系统的状态,但他们会在引导阶段启动工作负载(这本身可能会启动另一个工作
负载)。
正如第
5
章
所述,可以使用审计将所有操作追溯到管理员(或管理员组),这样就可以建
立问责机制,分析特定员工的特权级别。使审计成为可能的前提是管理员及其管理的实体
具备有意义的身份标识。
管理员是通过单点登录集成的全局目录服务进行管理的。全局组管理系统可以让组管理员
代表团队的观点。
机器
是全局库存服务或机器数据库中的编目。在
Google
的生产网络上
,机器可以使用
DNS
名字寻址
。我们还需要将机器身份标识与管理员相关联,以表示谁可以修改机器上运
行的软件。在实践中,我们通常将“能够发布计算机软件镜像”的组与“能够以
root
身份
登录到计算机”的组相关联。
Google
数据中心的每台生产机器都有各自的身份标识
。这里的
身份标识
表明了机器的特
定用途。例如,专门用于测试的实验室机器与运行生产环境工作负载的机器具有不同的身
份。在机器上运行核心应用程序的管理守护进程会引用此标识。
工作负载
是使用编排框架在机器上进行调度的。每个工作负载都有一个由请求者选择的
标识。编排系统负责确保发出请求的实体有权这样做,具体来说就是确保请求者有权调
度以所请求的身份运行的工作负载。编排系统还会限制可以在哪些机器上调度工作负载。
工作负载本身可以执行群组管理等管理任务,但不应该在底层机器上拥有
root
或
管理员
的权限。
用户
身份也有专门的身份子系统。在内部,每一次服务代表用户执行操作时都会使用这些 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.