CN107465650A - A kind of access control method and device - Google Patents

A kind of access control method and device

Info

Publication number
CN107465650A
Authority
CN
China
Prior art keywords
access request
access
white list
authentication
api
Legal status
Granted
Application number
CN201610395197.2A
Other languages
Chinese (zh)
Other versions
CN107465650B (en)
Inventor
黄江伟
牛异腾
徐瑞涛
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Events
Application filed by Alibaba Group Holding Ltd
Priority to CN201610395197.2A
Publication of CN107465650A
Application granted
Publication of CN107465650B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

This application discloses an access control method and device. An API access request is received, and access control is performed according to access control information corresponding to the access request and a preset query list; when the access request is judged to pass the access control, authentication is performed according to authentication information corresponding to the access request and a preset first white list; when the access request is judged to pass the authentication, the access request is accepted. Authentication is realized through two-stage control, and the scope of the control granularity is refined.

Description

A kind of access control method and device
Technical field
The application belongs to the field of cloud computing and, specifically, relates to an access control method and device.
Background technology
Authentication refers to verifying whether a user has the right to access a system. Traditional authentication is performed by password. The premise of this approach is that every user who obtains a password has been authorized: when a user is created, a password is assigned to that user, and the password can be specified by the administrator or applied for by the user.
But the weakness of this approach is fairly obvious. Once a password is stolen or a user loses the password, the situation becomes very troublesome: the administrator must reset the user's password, and the user's legitimate identity must also be verified manually before the password is modified.
At the same time, in the prior art, access is authenticated by carrying an access key with the API. The scope of the access control granularity is often coarse, a single mechanism is used to control authority, and there is no classification mechanism.
In order to overcome the shortcomings of this authentication mode, a more reliable access control method is needed.
The content of the invention
In view of this, the technical problem to be solved by this application is to provide an authentication method and device.
To solve the above technical problem, this application discloses an authentication method, including:
receiving an API access request, and performing access control according to access control information corresponding to the access request and a preset query list;
when the access request is judged to pass the access control, authenticating according to authentication information corresponding to the access request and a preset first white list;
when the access request is judged to pass the authentication, accepting the access request.
The method further includes: when the access request is judged according to the access control information not to pass the access control, obtaining a second white list and authenticating the access request according to the second white list.
Obtaining the access control information of the access request specifically includes: obtaining the source IP address of the access request and the visitor signature corresponding to the access request.
Judging according to the access control information that the access request passes the access control specifically includes: querying a preset IP address list according to the source IP of the access request and/or querying a preset visitor signature list according to the visitor signature corresponding to the access request, and judging according to a preset strategy whether the access request passes the access control.
Obtaining the authentication information corresponding to the access request specifically includes: obtaining the semantics of the API corresponding to the access request and the information of the source application corresponding to the access request, and obtaining, according to the information of the source application, the preset first white list corresponding to that source application.
Judging according to the authentication information and the preset first white list that the access request passes the authentication specifically includes: querying the first white list according to the semantics of the API and the information of the source application, and judging whether the access request has permission for the target of the access request.
The first white list includes: the correspondence between the API that sends the access request and the source application; and/or the correspondence between the API that sends the access request and the target information;
the second white list includes: the correspondence between the API that sends the access request, the source application and the target information.
The method further includes: modifying the first white list and the second white list to dynamically adjust the authentication granularity of the access control and the authentication.
This application also discloses an authentication device, including:
an access control module, for receiving an API access request and performing access control according to access control information corresponding to the access request and a preset query list;
an authentication module, for, when the access request is judged to pass the access control, authenticating according to authentication information corresponding to the access request and a preset first white list;
a first response module, for accepting the access request when the access request is judged, according to the authentication information and the preset first white list, to pass the authentication.
The device further includes a second response module: when the access request is judged according to the access control information not to pass the access control, the second response module obtains a second white list and authenticates the access request according to the second white list.
The access control module is specifically for obtaining the source IP address of the access request and the visitor signature corresponding to the access request.
The access control module is specifically for querying a preset IP address list according to the source IP of the access request and/or querying a preset visitor signature list according to the visitor signature corresponding to the access request, and judging according to a preset strategy whether the access request passes the access control.
The authentication module is specifically for obtaining the semantics of the API corresponding to the access request and the information of the source application corresponding to the access request, and obtaining, according to the information of the source application, the preset first white list corresponding to that source application.
The authentication module is specifically for querying the first white list according to the semantics of the API and the information of the source application, and judging whether the access request has permission for the target of the access request.
The first white list includes: the correspondence between the API that sends the access request and the source application; and/or the correspondence between the API that sends the access request and the target information;
the second white list includes: the correspondence between the API that sends the access request, the source application and the target information.
The device further includes an authentication granularity adjusting module, which is for modifying the first white list and the second white list to dynamically adjust the authentication granularity of the access control and the authentication.
Compared with the prior art, the application can obtain the following technical effects:
1) access initiated through an API is authenticated by the semantics of the API, which avoids the cumbersome authentication of carrying an access KEY with the API and also avoids the trouble caused by a lost access KEY;
2) the granularity of authentication is adjusted by modifying the first white list and the second white list, so the authentication granularity can be controlled to any scope;
3) the two-stage control mode of access control plus authentication further ensures the security of the accessed data.
Of course, a product implementing the application is not necessarily required to achieve all of the above technical effects at the same time.
Brief description of the drawings
The accompanying drawings described here are provided for a further understanding of the application and form a part of it; the schematic embodiments of the application and their description serve to explain the application and do not constitute an improper limitation on it. In the drawings:
Fig. 1 is a typical application scenario diagram of an embodiment of the application;
Fig. 2 is the technical flow chart of embodiment one of the application;
Fig. 3 is the schematic structural diagram of the device of embodiment three of the application;
Fig. 4 is the technical flow chart of the application scenario example of the application.
Embodiment
The embodiments of the application are described in detail below with reference to the drawings and embodiments, so that how the application applies technical means to solve technical problems and achieve technical effects can be fully understood and implemented accordingly.
In a typical configuration, a computing device includes one or more processors (CPU), input/output interfaces, network interfaces and memory.
Memory may include computer-readable media in the form of volatile memory, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
Certain terms are used in the specification and claims to refer to particular components. A person skilled in the art will understand that hardware manufacturers may refer to the same component by different names. This specification and the claims do not distinguish components by difference of name but by difference of function. The term "comprising" used throughout the specification and claims is open-ended and should be construed as "including but not limited to". "Substantially" means that, within an acceptable error range, a person skilled in the art can solve the technical problem and basically achieve the technical effect. In addition, the term "coupled" herein covers any direct or indirect electrical coupling; thus, if a first device is described as coupled to a second device, the first device may be electrically coupled directly to the second device, or indirectly through other devices or coupling means. The following description sets out preferred embodiments for implementing the application; it is intended to illustrate the general principles of the application and not to limit its scope. The scope of protection of the application is defined by the appended claims.
It should also be noted that the terms "comprise", "include" or any other variant are intended to cover a non-exclusive inclusion, so that a product or system including a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a product or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the product or system that includes it.
Fig. 1 shows a typical application scenario of an embodiment of the application. Fig. 1 is a cloud computing cluster automated operation system System, which includes at least a storage manager Master, an infrastructure service cluster Cluster, clients Client, and a server cluster. The storage manager Master is the service that stores the management metadata of the operation system System in the cloud computing automated operation system; the infrastructure service cluster Cluster runs the infrastructure services of the operation system System in the cluster, such as Service1~ServiceN in Fig. 1; the client Client exists on every machine managed by System and performs the management work for the machine managed by the operation system System and the applications running on it, shown as Client1~ClientN in Fig. 1; the server cluster is the cluster where all Services of the operation system System are located, is generally composed of five machines, and mainly runs the key services of the operation system System; all services inside and outside the operation system System communicate with the storage manager Master through APIs that carry semantics. The following part, combined with the embodiment shown in Fig. 2, further explains the implementation process of the access control method of the application in such a typical cloud computing cluster automated operation system.
Fig. 2 is the technical flow chart of embodiment one of the application. With reference to Fig. 2, the access control method of the application can be realized by the following steps:
Step S210: receive an API access request, and perform access control according to the access control information corresponding to the access request and a preset query list;
Step S220: when the access request is judged to pass the access control, authenticate according to the authentication information corresponding to the access request and a preset first white list;
Step S230: when the access request is judged to pass the authentication, accept the access request.
Specifically, in step S210, when the storage manager Master receives an access request sent through a semantic API, it first obtains the access control information of the access request. The access control information may include the source IP address parsed from the access request (the source IP address may also be bound to the access request, or be encapsulated in and carried by the access request; the invention is not limited to this) and the visitor signature carried by the access request. The authentication method of the application undergoes two levels of control, and the access control information is used for the access control.
The visitor signature is information about the visitor that sends the access request. When an application calls an API, a built-in signature service stamps a signature for the visitor by default; parsing the visitor signature reveals the visitor information of the caller of this API. At the same time, in the embodiment of the application, the access request is parsed to obtain the source IP address from which the access request was sent.
It should be noted that an "access request" as described in the application includes at least one of reading, writing, deleting, creating or calling target information; this is not repeated below.
Specifically, the access control can take either of the following two forms:
First, an IP address list with access rights is preset. When the source IP address in the access control information is obtained, the preset IP address list is queried according to the source IP address; if it is found, the source IP has access rights to the storage manager Master, the access request passes the access control, and the authentication information of the access request is obtained next.
Second, a visitor signature list with access rights is preset. When the visitor signature corresponding to the access request is obtained from the access control information, the preset visitor signature list is queried according to the visitor signature; if there is a match, the access request is judged to pass the access control and the authentication information corresponding to the access request is obtained next.
It should be noted that the above two access control modes can be used alone or in combination; the application is not restricted in this respect.
Specifically, in step S220, after the access request is judged to pass the access control, the authentication information corresponding to the access request is obtained. The authentication information includes the semantics of the API corresponding to the access request and the information of the source application corresponding to the access request. After the information of the source application corresponding to the access request is obtained, the preset first white list corresponding to that source application is obtained. The authentication information may be carried in the access request, or be bound to the access request and obtained by parsing.
In the cloud computing cluster automated operation system System, any other service has only one way to access the storage manager Master, namely through the APIs; these APIs carry different semantics, and each semantic is customized by staff as required. When the access request does not carry the target information to be accessed, the storage manager Master can determine the behaviour of the API by parsing these semantics, that is, which data the access request sent through these APIs actually accesses. Therefore, the application uses the API semantics for authentication: the target content of the access request can be obtained directly from the API semantics, that is, whether the access request concerns a certain application/service managed by the storage manager Master, or even a certain part of the metadata of a certain application/service.
After the API semantics corresponding to the access request are obtained, the semantics of the API are analysed, the information of the source application corresponding to the access request is obtained, and the preset first white list corresponding to the source application is queried according to the information of the source application. Specifically, the first white list includes: the correspondence between the API that sends the access request and the source application; and/or the correspondence between the API that sends the access request and the target information.
For example, the first white list can be presented in the form of the following Table one:
Table one
or in the following form:
In Table one, Name1~Name3 are different API semantics, A1~A5 are the source applications that send access requests, and S with different labels represents the accessible target information.
In the first white list shown in Table one, the source applications or services that can actively access through the API with semantic Name1 are A1, A2 and A3; other applications or services in the cloud computing operation system System have no access rights through the Name1 API. Likewise, the source applications or services that can perform data access through the API with semantic Name2 are A1 and A3; access requests sent through this API by anything other than A1/A3 have no access rights to any data managed by Master.
Further, as shown in the table, when A1 accesses S1 through the API with semantic Name1, it can only access the partial information or data S11, S13 and S14 of S1; but when A1 accesses S1 through the API with semantic Name2, it can access the partial information or data S12 and S15 of service S1. The above table is one form of the first white list; the first white list can also appear in the form of the following Table two:
Table two
In Table two, the source applications that access the data in Master through the API with semantic Name1 are only A1, A2 and A3; when other applications access the data in Master through the API with semantic Name1, they cannot pass the authentication. Similarly, only the applications or services A2, A3, A4 and A5 can access Master through the API with semantic Name3.
Comparing Table one and Table two, the two different forms of the first white list have different control granularity. In the form of Table one, the matching rule of the first white list has two layers: the first layer is the matching rule between APIs with different semantics and the different applications/services that send requests, and the second layer is the matching rule between APIs with different semantics and specific information/data in Master. In Table two there is only one layer of matching rule, so its scope of authentication control granularity is obviously larger than that shown in Table one. Of course, the forms of the first white list shown in Table one and Table two can be adjusted according to demand. The above table contents are for illustration only and do not limit the application in any way.
Specifically, in step S220, to authenticate the access request according to the authentication information, it is only necessary to query the first white list according to the authentication information and judge whether the access request is allowed; if not, an access-failure error message is returned.
It should be noted that when the access request is judged according to the access control information not to pass the access control, a second white list is obtained and the access request is authenticated according to the second white list. Specifically, the second white list includes: the correspondence between the API that sends the access request, the source application and the target information. The second white list can take the form of the following Table three:
Table three
As shown in Table three, access requests that do not pass the access control are responded to according to the matching rule of the second access white list.
In this embodiment, for an access request sent through an API, its access control information and authentication information are obtained respectively, and the access request undergoes two-stage control, realizing orderly and strict authentication for the cloud computing cluster automated operation system. Compared with the traditional way of authenticating access initiated through an API, the authentication method provided by the embodiment of the application directly performs behaviour analysis and authentication on the received access request through the API semantics, avoiding the inconvenience caused by lost passwords and being direct and efficient; secondly, the embodiment of the application uses a two-stage control mode, which further ensures the safety of the accessed data.
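The two-stage flow of steps S210 to S230, including the second-white-list path for requests that fail the access control, as an added Python example that is not part of the patent or of any Alibaba code. The API semantics Name1 and Name2, the applications A1 to A3 and the targets S1 and S11 to S15 follow the description of Table one; the IP addresses, the visitor signatures, the Name3/A4/S2 entry of the second white list, the AccessRequest class and all function names are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Stage-1 query lists (constructed sample values, not from the patent).
IP_ALLOW_LIST = {"10.0.0.5", "10.0.0.6"}
SIGNATURE_ALLOW_LIST = {"sig-A1", "sig-A2", "sig-A3"}

# First white list in the two-layer form of Table one.
# Layer 1: API semantic -> source applications that may call it.
FIRST_WHITE_LIST_APPS = {
    "Name1": {"A1", "A2", "A3"},
    "Name2": {"A1", "A3"},
}
# Layer 2: (API semantic, target service) -> target information reachable through it.
FIRST_WHITE_LIST_TARGETS = {
    ("Name1", "S1"): {"S11", "S13", "S14"},
    ("Name2", "S1"): {"S12", "S15"},
}

# Second white list (Table three form): API semantic, source application and
# target in one rule. The entry is constructed; the page does not give Table three.
SECOND_WHITE_LIST = {("Name3", "A4", "S2")}


@dataclass(frozen=True)
class AccessRequest:
    api_semantic: str                  # semantics of the API the request arrived through
    source_app: str                    # application that sent the request
    source_ip: str                     # parsed from, or bound to, the request
    visitor_signature: str             # stamped by the built-in signature service
    target: str                        # target service whose metadata is accessed
    target_item: Optional[str] = None  # finer item inside the target, if any


def passes_access_control(req: AccessRequest, strategy: str = "either") -> bool:
    """Step S210: query the preset IP list and/or visitor signature list.
    The preset strategy decides whether one match or both are required."""
    ip_ok = req.source_ip in IP_ALLOW_LIST
    sig_ok = req.visitor_signature in SIGNATURE_ALLOW_LIST
    return (ip_ok and sig_ok) if strategy == "both" else (ip_ok or sig_ok)


def passes_authentication(req: AccessRequest) -> bool:
    """Step S220: look the source application up under the API semantic (layer 1),
    then check that the requested target is reachable through that API (layer 2)."""
    if req.source_app not in FIRST_WHITE_LIST_APPS.get(req.api_semantic, set()):
        return False
    reachable = FIRST_WHITE_LIST_TARGETS.get((req.api_semantic, req.target))
    if reachable is None:
        return False
    return req.target_item is None or req.target_item in reachable


def passes_second_white_list(req: AccessRequest) -> bool:
    """Path for requests that fail access control: the one-layer rule of Table three."""
    return (req.api_semantic, req.source_app, req.target) in SECOND_WHITE_LIST


def handle(req: AccessRequest, strategy: str = "either") -> str:
    """Steps S210 to S230 plus the second-white-list path; returns 'accept' or 'reject'."""
    if passes_access_control(req, strategy):
        return "accept" if passes_authentication(req) else "reject"
    return "accept" if passes_second_white_list(req) else "reject"


if __name__ == "__main__":
    # A1 reaching S11 of S1 through Name1 from an allowed address: accepted.
    print(handle(AccessRequest("Name1", "A1", "10.0.0.5", "sig-A1", "S1", "S11")))
    # The same caller asking for S12 through Name1: S12 is only reachable via Name2.
    print(handle(AccessRequest("Name1", "A1", "10.0.0.5", "sig-A1", "S1", "S12")))
```

The `strategy` argument models the "preset strategy" of the description: with `"either"` the two query lists are alternatives, with `"both"` they are combined. A request that fails stage 1 never reaches the first white list; it is only accepted if the second white list holds an exact API/application/target rule for it.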
In embodiment two of the application, changing the granularity scope of authentication can be realized as follows:
the first white list and the second white list are modified to dynamically adjust the authentication granularity of the access control and the authentication.
Continuing from the embodiment corresponding to Fig. 2, the first white list corresponding to Table one is modified so as to further narrow the granularity scope of authentication. Table four is one feasible modification of Table one, as follows:
Table four
As shown in Table four, by modifying the first white list, the access requests initiated to Master through an API with a certain semantic are controlled in a further refined manner.
The target information that an access request initiated through the API with semantic Name1 can access is S11, S13 and S14; according to the white list, this access request can only perform a read operation on S11, a write operation on S13 and a delete operation on S14, and has no authority for any other operation. Of course, the above table and its content are for illustration only and do not limit the application in any way.
Specifically, when controlling granularity, the source application, the accessible target information and the access type in Table four can all be modified according to demand, and the granularity can be refined further; this is not repeated here.
Modifying the second white list corresponding to Table three so as to further narrow the granularity scope of authentication is similar to the first white list and is not repeated here.
In this embodiment, by modifying the filtering rules of the first white list and the second white list, the access granularity scope of authority control can be scaled freely. Compared with the prior art, the embodiment of the application can further narrow the control granularity scope of access rights, thereby realizing stricter and more refined authentication and improving the security of the accessed data.
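The dynamic granularity adjustment of embodiment two, as an added Python example that is not part of the patent: one first white list starts in the coarse form of Table one (any operation on S11, S13 and S14 through Name1) and is then modified in place into the Table-four form, where Name1 may only read S11, write S13 and delete S14. The FirstWhiteList class, its method names, the operation set (taken from the page's definition of an access request as read/write/delete/create/call) and the assumption that Table four applies to the applications A1 to A3 of Table one are constructed for this example.

```python
from typing import Dict, FrozenSet, Iterable, Tuple

# Access types the description lists for an "access request".
OPERATIONS = frozenset({"read", "write", "delete", "create", "call"})
ANY = OPERATIONS

RuleKey = Tuple[str, str, str]  # (API semantic, source application, target item)


class FirstWhiteList:
    """Rules of the form (api, app, item) -> allowed operations.
    A rule allowing ANY operation is the coarse Table-one form; shrinking the
    operation set refines the granularity, as Table four does."""

    def __init__(self) -> None:
        self._rules: Dict[RuleKey, FrozenSet[str]] = {}

    def allow(self, api: str, app: str, item: str, ops: Iterable[str] = ANY) -> None:
        """Add or replace a rule; unknown access types are rejected at write time."""
        ops = frozenset(ops)
        if not ops <= OPERATIONS:
            raise ValueError(f"unknown access type in {sorted(ops)}")
        self._rules[(api, app, item)] = ops

    def revoke(self, api: str, app: str, item: str) -> None:
        """Drop a rule; afterwards the default for that triple is no authority."""
        self._rules.pop((api, app, item), None)

    def authorize(self, api: str, app: str, item: str, op: str) -> bool:
        """Authentication query: is this operation on this item allowed for this
        application through this API semantic? Anything unlisted is denied."""
        return op in self._rules.get((api, app, item), frozenset())

    def rule_count(self) -> int:
        return len(self._rules)


def table_one_list() -> FirstWhiteList:
    """Coarse form: A1..A3 may perform any operation on S11, S13, S14 via Name1."""
    wl = FirstWhiteList()
    for app in ("A1", "A2", "A3"):
        for item in ("S11", "S13", "S14"):
            wl.allow("Name1", app, item)
    return wl


def refine_to_table_four(wl: FirstWhiteList) -> FirstWhiteList:
    """Modify the same list in place so Name1 only allows the Table-four operations:
    read on S11, write on S13, delete on S14."""
    for app in ("A1", "A2", "A3"):
        wl.allow("Name1", app, "S11", {"read"})
        wl.allow("Name1", app, "S13", {"write"})
        wl.allow("Name1", app, "S14", {"delete"})
    return wl


if __name__ == "__main__":
    wl = table_one_list()
    print(wl.authorize("Name1", "A1", "S11", "write"))  # True under Table one
    refine_to_table_four(wl)
    print(wl.authorize("Name1", "A1", "S11", "write"))  # False under Table four
```

Because `authorize` defaults to denial for any triple without a rule, narrowing the list can only remove authority, never grant it; the granularity is whatever the current rule set expresses, and the module that edits it (the granularity adjusting module 350) needs no change to the query path.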
Fig. 3 is the schematic structural diagram of the device of embodiment three of the application. With reference to Fig. 3, the access control device of the application specifically includes an access control module 310, an authentication module 320 and a first response module 330.
The access control module 310 is for receiving an API access request and performing access control according to the access control information corresponding to the access request and a preset query list;
the authentication module 320 is for, when the access request is judged to pass the access control, authenticating according to the authentication information corresponding to the access request and a preset first white list;
the first response module 330 is for accepting the access request when the access request is judged, according to the authentication information and the preset first white list, to pass the authentication.
The device further includes a second response module 340: when the access request is judged according to the access control information not to pass the access control, the second response module obtains a second white list and authenticates the access request according to the second white list.
The access control module 310 is specifically for obtaining the source IP address of the access request and the visitor signature corresponding to the access request.
The access control module 310 is specifically for querying a preset IP address list according to the source IP of the access request and/or querying a preset visitor signature list according to the visitor signature corresponding to the access request, and judging according to a preset strategy whether the access request passes the access control.
The authentication module 320 is specifically for obtaining the semantics of the API corresponding to the access request and the information of the source application corresponding to the access request.
The authentication module 320 is further specifically for obtaining, according to the information of the source application, the first white list corresponding to that source application.
The authentication module 320 is specifically for querying the first white list according to the semantics of the API and the information of the source application, and judging whether the access request has permission for the target of the access request.
The first white list includes: the correspondence between the API that sends the access request and the source application; and/or the correspondence between the API that sends the access request and the target information;
the second white list includes: the correspondence between the API that sends the access request, the source application and the target information.
The device further includes an authentication granularity adjusting module 350, which is for modifying the first white list and the second white list to dynamically adjust the authentication granularity of the access control and the authentication.
The device shown in Fig. 3 can perform the method described in the embodiments shown in Fig. 1 and Fig. 2; its implementation principle and technical effect are not repeated here.
Application example
A specific implementation of the authentication method of this application in a particular application scenario is described below with reference to Fig. 4.
Tianji (Alibaba's automated operations system for cloud computing clusters) has to store a large amount of Meta information. TjMaster is the center where the Meta information of the whole Tianji system is stored and exchanged; the correctness of TjMaster data determines the stability and availability of the whole Tianji system, and the only access entry to TjMaster is its semantic API.
Because Tianji manages a large number of clusters, every Tianji service and client can read and write TjMaster through the semantic API that TjMaster provides. Not every application may read or write the metadata that TjMaster manages, so each service's reads and writes must be authenticated: Tianji authenticates by the semantics of the API and thereby controls each service's read/write permissions on different metadata.
Access to TjMaster Meta data falls into two broad classes. One is the Tianji client, which is deployed on every machine hosted by Tianji: each machine managed by Tianji runs one Tianji client. The other is the Tianji services, which are mainly deployed in a Tianji cluster of about 5 machines that runs TjMaster and each key Tianji service; these services have various functions, and their access requirements for the Meta information on TjMaster depend on those functions.
To implement permission control over access to TjMaster, the authentication method of this application controls access to TjMaster through the semantic API in two stages.
First, when TjMaster receives an API access request, it obtains the access control information of the request in order to perform access control on it. Specifically, the access control information can be the source IP address corresponding to the access request or the visitor's signature, so that the access control information distinguishes whether the received access request comes from outside the Tianji cluster or from inside it.
When the access request is judged to come from inside the Tianji cluster, the authentication information of the access request is obtained next. Specifically, the authentication information includes the API semantics corresponding to the access request and the information of the request's source application; once the source-application information is obtained, the first white list corresponding to that source application is obtained. Specifically, the first white list enumerates the correspondence between access requests and applications, i.e. which applications may be accessed from inside Tianji; further, the white list also states the correspondence between the semantics of the API that sends the access request and the source application, i.e. which applications inside Tianji may send access requests through a given API; further, the white list also states which target information an access request sent by a source application inside Tianji through a given API has permission to access.
When the access request is judged, by the filtering rule of the first white list, to have passed authentication, i.e. the access request has permission to access its target, the access request is accepted; if it does not pass authentication, an access-failure error message is returned.
It should be noted that the first white list and the second white list can be modified, so as to change the control granularity with which the white lists' matching rules restrict authentication.
It should further be noted that if the access request does not pass access control, i.e. when the source IP address or visitor signature of the access request shows that it does not come from inside the Tianji cluster, the second white list corresponding to non-Tianji-cluster access is obtained. Specifically, the second white list lists the correspondence between the access control information of an access request and the target information of the request's source application, i.e. whether a given party outside the Tianji cluster has permission to access a given piece of information of a given source application.
Specifically, one white list implemented in the form of code is listed as follows:
The semantics of the AddMachine API are to add a machine's Meta information to TjMaster. This white list defines the four fields this API is allowed to operate on (allowed_field), whether the API's caller may come from outside the Tianji cluster (is_public; when false, the API can only be called from inside the Tianji cluster), and the applications allowed to call it (allowed_apps). From this white list it can be seen that a request sent through the AddMachine semantic API can modify four fields, can only be called by services from the Tianji cluster, and can only be called by machine_manager and healing_service.
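An added worked example, in Python, of the two-stage control the embodiment describes; it is not code from the patent or from Alibaba's Tianji system. Stage 1 classifies the request from its source IP (a preset IP address list) or its visitor signature (a preset visitor list, modelled here as a per-visitor HMAC key); stage 2 consults the first white list for cluster-internal callers and the second white list for external ones. The AddMachine entry follows the page's description, but the four field names, the networks, the visitor key and the GetMachine entry are constructed placeholders, and rejecting an external request whose signature does not verify before the second list is consulted is an addition to the page's flow.

```python
"""Two-stage access control for a semantic API (added example, not the patent's code).

Stage 1 (access control): decide whether the request is cluster-internal or
external from its source IP and/or its visitor signature.
Stage 2 (authentication): look the request up in the white list that applies
to that class and check that the target fields it touches are permitted.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# --- Stage-1 preset lists (constructed sample data) -------------------------
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# preset visitor list: visitor name -> key used to verify its signature (constructed)
VISITOR_KEYS = {"partner_console": b"example-key-not-real"}

# --- Stage-2 white lists ----------------------------------------------------
# First white list: API semantic -> rule for cluster-internal callers.  The
# AddMachine entry mirrors the page; the page only says "four fields", so the
# field names below are placeholders.
FIRST_WHITE_LIST = {
    "AddMachine": {
        "allowed_field": ["hostname", "ip", "rack", "sn"],
        "is_public": False,
        "allowed_apps": ["machine_manager", "healing_service"],
    },
}
# Second white list: (API, source app) -> fields an external caller may touch
# (constructed entry).
SECOND_WHITE_LIST = {
    ("GetMachine", "partner_console"): ["hostname", "ip"],
}


@dataclass
class AccessRequest:
    api: str            # API semantic, e.g. "AddMachine"
    source_app: str     # application issuing the request
    source_ip: str
    fields: list        # target information the request touches
    visitor: str = ""   # visitor name, external callers only
    signature: str = ""  # hex HMAC-SHA256 over api|source_app|sorted fields


def signature_for(key, api, source_app, fields):
    """Visitor signature format assumed by this example (not from the page)."""
    msg = "|".join([api, source_app, ",".join(sorted(fields))]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def access_control(req):
    """Stage 1: 'internal' (passes access control), 'external', or 'denied'."""
    ip = ipaddress.ip_address(req.source_ip)
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "internal"
    key = VISITOR_KEYS.get(req.visitor)
    if key is None:
        return "denied"          # unknown visitor: never reaches the second list
    expected = signature_for(key, req.api, req.source_app, req.fields)
    if hmac.compare_digest(expected, req.signature):
        return "external"
    return "denied"              # bad signature: fail closed


def authenticate_internal(req):
    """Stage 2 for internal callers: API -> allowed apps and allowed fields."""
    rule = FIRST_WHITE_LIST.get(req.api)
    if rule is None or req.source_app not in rule["allowed_apps"]:
        return False
    return set(req.fields) <= set(rule["allowed_field"])


def authenticate_external(req):
    """Stage 2 for external callers: is_public gate, then the second list."""
    rule = FIRST_WHITE_LIST.get(req.api)
    if rule is not None and not rule["is_public"]:
        return False             # cluster-only API, whatever the second list says
    allowed = SECOND_WHITE_LIST.get((req.api, req.source_app))
    if allowed is None:
        return False
    return set(req.fields) <= set(allowed)


def decide(req):
    """Full pipeline: returns 'accept' or 'reject'."""
    origin = access_control(req)
    if origin == "internal":
        return "accept" if authenticate_internal(req) else "reject"
    if origin == "external":
        return "accept" if authenticate_external(req) else "reject"
    return "reject"
```

Every lookup fails closed: an API absent from both lists, an application outside allowed_apps, or a field outside allowed_field all lead to "reject". Editing the two dictionaries at run time is the granularity adjustment the page describes; narrowing allowed_field tightens what a caller may touch without changing any code path.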
Some preferred embodiments of the present invention have been shown and described above, but, as stated, it should be understood that the present invention is not limited to the forms disclosed herein; they are not to be taken as excluding other embodiments, and the invention can be used in various other combinations, modifications and environments, and can be modified within the scope of the inventive concept set forth herein through the above teaching or the skill or knowledge of the related art. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the present invention shall all fall within the protection scope of the appended claims.

Claims (18)

  1. An access control method, characterized in that it comprises:
    receiving an API access request, and performing access control according to the access control information corresponding to the access request and a preset query list;
    when the access request is judged to pass the access control, performing authentication according to the authentication information corresponding to the access request and a preset first white list;
    when the access request is judged to pass the authentication, accepting the access request.
  2. The method of claim 1, characterized in that the method further comprises:
    when the access request is judged, according to the access control information, not to pass access control, obtaining a second white list and authenticating the access request according to the second white list.
  3. The method of claim 1, characterized in that the access control information corresponding to the access request specifically comprises:
    the source IP address of the access request and the visitor signature corresponding to the access request.
  4. The method of claim 3, characterized in that judging that the access request passes the access control specifically comprises:
    querying a preset IP address list using the source IP of the access request and/or querying a preset visitor-signature list using the visitor signature corresponding to the access request, and judging according to a preset policy whether the access request passes the access control.
  5. The method of claim 1, characterized in that the authentication information corresponding to the access request specifically comprises:
    the API semantics corresponding to the access request and the information of the source application corresponding to the access request.
  6. The method of claim 5, characterized in that the method further comprises:
    obtaining, according to the information of the source application, the preset first white list corresponding to the source application.
  7. The method of claim 6, characterized in that judging that the access request passes authentication specifically comprises:
    querying the first white list using the API semantics and the information of the source application, and judging whether the access request has permission for the target of the access request.
  8. The method of claim 2, characterized in that:
    the first white list comprises the correspondence between the API that sends the access request and the source application, and/or the correspondence between the API that sends the access request and the target information;
    the second white list comprises the correspondence between the API that sends the access request, the source application, and the target information.
  9. The method of claim 8, characterized in that the method further comprises:
    modifying the first white list and the second white list so as to dynamically adjust the authentication granularity of the access control and the authentication.
  10. An access control device, characterized in that it comprises:
    an access control module, configured to receive an API access request and to perform access control according to the access control information corresponding to the access request and a preset query list;
    an authentication module, configured to perform authentication according to the authentication information corresponding to the access request and a preset first white list when the access request is judged to pass the access control;
    a first response module, configured to accept the access request when the access request is judged, according to the authentication information and the preset first white list, to pass authentication.
  11. The device of claim 10, characterized in that the device further comprises a second response module:
    when the access request is judged, according to the access control information, not to pass access control, the second response module is configured to obtain a second white list and to authenticate the access request according to the second white list.
  12. The device of claim 10, characterized in that the access control module is specifically configured to:
    obtain the source IP address of the access request and the visitor signature corresponding to the access request.
  13. The device of claim 12, characterized in that the access control module is specifically configured to:
    query a preset IP address list using the source IP of the access request and/or query a preset visitor-signature list using the visitor signature corresponding to the access request, and judge according to a preset policy whether the access request passes the access control.
  14. The device of claim 10, characterized in that the authentication module is specifically configured to:
    obtain the API semantics corresponding to the access request and the information of the source application corresponding to the access request.
  15. The device of claim 14, characterized in that the authentication module is further specifically configured to:
    obtain, according to the information of the source application, the preset first white list corresponding to the source application.
  16. The device of claim 14, characterized in that the authentication module is specifically configured to query the first white list using the API semantics and the information of the source application, and to judge whether the access request has permission for the target of the access request.
  17. The device of claim 11, characterized in that:
    the first white list comprises the correspondence between the API that sends the access request and the source application, and/or the correspondence between the API that sends the access request and the target information;
    the second white list comprises the correspondence between the API that sends the access request, the source application, and the target information.
  18. The device of claim 17, characterized in that the device further comprises an authentication-granularity adjusting module;
    the authentication-granularity adjusting module is configured to modify the first white list and the second white list so as to dynamically adjust the authentication granularity of the access control and the authentication.
CN201610395197.2A 2016-06-06 2016-06-06 Access control method and device Active CN107465650B (en)

Publications (2)

Publication Number Publication Date
CN107465650A true CN107465650A (en) 2017-12-12
CN107465650B CN107465650B (en) 2020-10-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant