CN113098695B - Micro-service unified authority control method and system based on user attributes - Google Patents


Info

Publication number
CN113098695B
CN113098695B
Authority
CN
China
Prior art keywords
service
micro
user
access control
authority
Prior art date
Legal status
Active
Application number
CN202110428593.1A
Other languages
Chinese (zh)
Other versions
CN113098695A (en)
Inventor
王洪欣
张燕
徐尚瑜
严冬
苗丽娟
Current Assignee
Jinling Institute of Technology
Original Assignee
Jinling Institute of Technology
Priority date
Filing date
Publication date
Application filed by Jinling Institute of Technology
Priority to CN202110428593.1A
Publication of CN113098695A
Application granted
Publication of CN113098695B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/30 Profiles

Abstract

The invention provides a micro-service unified authority control method and system based on user attributes. The method comprises the following steps: the authority control micro-service stores user attribute information; an administrator selects an object needing authorization together with its strategy requirement, and the authority control micro-service creates an access control strategy from them, so that authority can be configured dynamically; when the gateway receives an identity authentication request from a client, it forwards the request to the authority control micro-service, which verifies the user attribute information, generates an authentication token and returns it to the client; when the client requests a resource of any business micro-service, the gateway receives the resource request information and the authentication token and forwards both to the authority control micro-service, which completes resource authentication by parsing the authentication parameters; after successful authentication the resource request is released to the business micro-service, which executes the corresponding operation and returns the result. By completing unified authority control for the business micro-services in the authority control micro-service, the invention refines the granularity of access control and makes authority more dynamic, thereby improving the security of authority management.

Description

Micro-service unified authority control method and system based on user attributes
Technical Field
The invention relates to the field of micro-service and authority control, in particular to a micro-service unified authority control method and system based on user attributes.
Background
The micro-service architecture is a novel software architecture in which one application is split into many, even hundreds of, micro-services, and each micro-service requires identity authentication and resource authentication before it can be accessed. If the authentication and authorization logic is implemented separately in each business micro-service system, uniformity of authentication and authorization cannot be guaranteed, and a heavy burden is placed on the maintenance and expansion of the system.
With the emergence of authentication scenarios such as web clients, mobile clients and open platforms, the authentication and authorization logic of the traditional monolithic application architecture is no longer adequate, and a unified identity authentication and fine-grained authorization scheme that is both efficient and secure is urgently needed for calls among such a multitude of micro-services.
The existing micro-service identity authentication and resource authentication schemes mainly have the following problems:
firstly, a mature authentication scheme from the monolithic application architecture can be implemented in each business micro-service system; however, this cannot ensure uniform authentication and authorization across all micro-services, and makes maintenance and expansion of the system very difficult.
Secondly, even where the authentication and authorization problem of micro-services has been addressed, the development of multiple terminals such as web clients, mobile clients and open platforms brings multiple authentication scenarios, such as external application access, user-to-service calls and service-to-service calls, and the existing authentication methods cannot be applied to all of them.
Thirdly, unified micro-service authentication and authorization can be realized by extracting the authentication logic scattered across the business micro-services and placing it in the gateway. However, the community has not yet produced a universal, production-grade, out-of-the-box product that satisfies the many special customization needs. Specifically, micro-service authentication realized by integrating Spring Cloud Zuul with OAuth2 results in a large and inflexible project, and a distributed Session scheme can cause serious load problems or network overhead.
Fourthly, more and more enterprises and organizations choose to store, deliver and scale data by building cloud storage platforms or big data platforms, which brings data security problems such as intrusion by illegitimate users.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a micro-service unified authority control method and system based on user attributes, which are used for unified identity authentication and resource authentication of micro-services.
In a first aspect, the present application provides a method for unified micro-service authority control based on user attributes, the method comprising:
step 1, the authority control micro-service stores user attribute information in advance;
step 2, an administrator selects an object to be authorized and the strategy requirement corresponding to that object; according to the object and the corresponding strategy requirement, the authority control micro-service establishes an access control strategy for the object and stores it in a database, realizing dynamic authority configuration;
step 3, when the gateway receives an identity authentication request sent by a client, it forwards the request to the authority control micro-service; after verifying the user attribute information, the authority control micro-service generates a unique authentication token and returns it to the client;
step 4, when the client requests to use resources of any service micro-service, the gateway receives the resource request information and the authentication token and forwards both to the authority control micro-service; the authority control micro-service completes resource authentication by parsing the authentication parameters in the resource request information and the authentication token; after successful authentication the resource request is released to the service micro-service, which executes the corresponding operation and returns the result to the client.
Further, in one implementation, the step 1 includes:
the authority control micro-service encodes the user attribute information with an irreversible (one-way) encryption algorithm and stores the encoded, i.e. encrypted, user attribute information in a relational database in string form; the irreversible encryption algorithm comprises the MD5 algorithm and the SHA algorithms.
Further, in one implementation, the step 2 includes:
step 2-1, the administrator selects an object to be authorized and determines the policy requirement corresponding to the object according to the object and the operation type; the policy requirement comprises user attribute information and an access control decision tree. Determining the user attribute information means determining the key attributes of the access control strategy, and determining the access control decision tree means determining the decision mode of the access control strategy;
determining the policy requirement corresponding to the object includes: after obtaining a user attribute list, selecting user attribute information from the list, specifying an access control decision tree, and applying to the authority control micro-service to create an access control strategy;
the access control decision tree is a logic structure that represents logical operations between attributes as a tree, where the attributes are items of user attribute information, each attribute represents a specific feature of a user, and the logical operations between attributes comprise AND, OR and NOT;
the access control strategy determines the mapping relation among users, roles and authorities through the mapping relation between users and roles and the mapping relation between roles and resources, i.e. the access control strategy is set based on the RBAC model; the authority control micro-service is the implementation of the access control strategy and adopts a distributed micro-service and storage mode;
step 2-2, after the set of attribute values corresponding to each user's specific features is fed into the access control decision tree, the root node of the tree outputs a judgment result;
the judgment result is true or false: true indicates that the user-role mapping in the access control strategy can be enabled, and false indicates that it cannot be enabled;
step 2-3, the authority control micro-service creates the access control strategy of the object, i.e. completes the storage of a user attribute table, an access control decision tree, a role table and a resource data table; the user attribute table comprises users and their corresponding user attribute information, the role table comprises user role information and unique user identifiers, and the resource data table comprises resource information and authority information;
at the same time, the mapping relation between users and roles and the mapping relation between roles and resources are determined through the access control strategy, completing resource authority configuration, i.e. realizing dynamic authority configuration.
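Step 2 above, the access control decision tree that gates the user-role mapping and the role-resource mapping of the RBAC model, as an added example written for this page rather than code from the patent or its applicant. The tuple encoding of tree nodes, the attribute names (department, title, on_probation), the role name and the resource path are all constructed; the sample tree reads "department is finance AND (title is manager OR title is auditor) AND NOT on probation".

```python
from typing import Any, Dict, Set, Tuple

# Decision-tree nodes as plain tuples (constructed representation; the page
# describes the tree only as AND/OR/NOT over user attributes):
#   ("ATTR", name, value)  leaf: true when the user's attribute equals value
#   ("AND", [children]) / ("OR", [children]) / ("NOT", child)
def evaluate_tree(node: Tuple, attrs: Dict[str, Any]) -> bool:
    """Return the judgment result output by the root node for one user's attributes."""
    kind = node[0]
    if kind == "ATTR":
        return attrs.get(node[1]) == node[2]
    if kind == "AND":
        return all(evaluate_tree(child, attrs) for child in node[1])
    if kind == "OR":
        return any(evaluate_tree(child, attrs) for child in node[1])
    if kind == "NOT":
        return not evaluate_tree(node[1], attrs)
    raise ValueError(f"unknown node kind {kind!r}")

# Tables written by the policy-creation step (constructed sample data).
# user attribute table: user -> attribute values
USER_ATTRIBUTES: Dict[str, Dict[str, Any]] = {
    "alice": {"department": "finance", "title": "manager", "on_probation": False},
    "bob":   {"department": "finance", "title": "intern",  "on_probation": False},
    "carol": {"department": "finance", "title": "manager", "on_probation": True},
}
# role table: role -> decision tree that must be true for the user-role mapping to be enabled
ROLE_POLICIES: Dict[str, Tuple] = {
    "finance_reviewer": ("AND", [
        ("ATTR", "department", "finance"),
        ("OR", [("ATTR", "title", "manager"), ("ATTR", "title", "auditor")]),
        ("NOT", ("ATTR", "on_probation", True)),
    ]),
}
# resource data table: role -> permitted (resource, operation) pairs
ROLE_RESOURCES: Dict[str, Set[Tuple[str, str]]] = {
    "finance_reviewer": {("/reports/quarterly", "read")},
}

def enabled_roles(user_id: str) -> Set[str]:
    """Roles whose decision tree evaluates true for this user (unknown user: none)."""
    attrs = USER_ATTRIBUTES.get(user_id, {})
    return {role for role, tree in ROLE_POLICIES.items() if evaluate_tree(tree, attrs)}

def is_permitted(user_id: str, resource: str, operation: str) -> bool:
    """Role-resource mapping applied to the roles the attribute tree enabled."""
    return any((resource, operation) in ROLE_RESOURCES.get(role, set())
               for role in enabled_roles(user_id))

if __name__ == "__main__":
    for user in USER_ATTRIBUTES:
        print(user, enabled_roles(user), is_permitted(user, "/reports/quarterly", "read"))
```

Because the role is recomputed from the current attribute values on every call, changing a user's attribute (for example setting on_probation) immediately withdraws the role without editing any role-resource row, which is the dynamic configuration the text describes.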
Further, in one implementation, the step 3 includes:
step 3-1, when the client requests identity authentication, it sends an identity authentication request to the gateway;
step 3-2, the gateway receives the identity authentication request sent by the client, extracts the user attribute information from it, and forwards the user attribute information to the authority control micro-service;
specifically, in the present invention the gateway can cache the authentication result for a validity period, i.e. the validity period of the authentication token information can be set flexibly, and within that period the client's authentication process can be omitted to speed up the client's access to the micro-service.
step 3-3, the authority control micro-service compares the user attribute information with the user attribute information in the database and, if it is confirmed to be correct, generates a unique authentication token;
step 3-4, the authority control micro-service returns the unique authentication token to the client.
Specifically, in the present invention, if the identity authentication succeeds, the authority control micro-service sends an authentication success prompt together with the authentication token to the client; if the identity authentication fails, the authority control micro-service sends an authentication failure prompt to the client.
Further, in one implementation, the step 4 includes:
step 4-1, when the client requests to use the resources of any service micro-service, the gateway receives the authentication token and resource request information sent by the client and sends them to the authority control micro-service;
step 4-2, the authority control micro-service receives the authentication token and resource request information sent by the gateway and extracts the authentication parameters;
step 4-3, the authority control micro-service parses the authentication parameters, queries the access control strategy list matched with the service micro-service, and performs resource authentication, i.e. determines whether the resources required in the resource request information are consistent with the resources listed in the access control strategy list in the database. Specifically, in the present invention the authority control micro-service obtains the unique user identifier from the session's authentication token and determines whether the user of the session is legitimate; it then obtains the session's access control strategy according to the unique user identifier and the resource request information, so as to obtain the access control decision tree, the user-role mapping and the role-authority mapping used for authorization; finally, the resources and roles matched with the business micro-service are queried through the authority control micro-service.
step 4-4, if the resource authentication succeeds, the authority control micro-service releases the resource request to the service micro-service, which executes the operation corresponding to the resource request information and returns the execution result to the client.
In the invention, the gateway provides a configuration function for the business micro-services: authority configuration for a business micro-service is carried out through a configuration file, the configuration file takes effect immediately without a restart, and dynamic, flexible configuration is realized.
In the invention, the business micro-services are registered through a service center, and the serviceId and micro-service URL of each business micro-service are stored in the configuration file of the gateway layer. When the gateway receives a resource access request, it first intercepts the request; after resource authentication it looks up the instance address directly from the service center by consulting the configuration file, and forwards the request to that instance of the business micro-service.
In the invention, when the gateway intercepts a resource access request, the authority control filter retrieves the user role matched with the path of the request and queries the role-resource mapping through the authority control micro-service; if the match succeeds the request is released, and if it fails an unauthorized access result is returned directly.
In the invention, when a new business micro-service is added and its authentication parameters are configured, the business micro-service is first registered through the service center; second, its serviceId and micro-service URL are added to the gateway layer configuration file; third, the access authority of the business micro-service is configured in the authority management micro-service. Configuration is convenient and expansibility is strong.
In the invention, the resource access request covers two kinds of authorization object, service resources and data resources, which together cover all resource types of the business micro-services, and different authorization objects have different operation types. The operation types comprise adding, deleting, modifying and querying data resources, reading and writing file resources, and the like.
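Steps 1, 3 and 4 above together with the gateway forwarding just described, as an added example written for this page (not code from the patent or its applicant). Assumptions, all constructed: the user attribute store keeps salted SHA-256 digests (the patent lists MD5 and SHA; a per-user random salt is assumed here); the unique authentication token is an HMAC-SHA256-signed JSON payload carrying the unique user identifier and an expiry that stands in for the gateway's cached validity period; the user-role assignments that the decision tree would produce are given as a fixed table; and the service center is a dict from serviceId to a handler callable. User names, service names, resource paths and the signing key are sample values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed signing key held only by the authority control micro-service.
SIGNING_KEY = secrets.token_bytes(32)

# ---- step 1: the attribute store holds only irreversible digests -------------
USER_STORE: Dict[str, Dict] = {}  # user_id -> {"salt": bytes, "attrs": {name: hex digest}}

def _digest(value: str, salt: bytes) -> str:
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()

def store_user_attributes(user_id: str, attrs: Dict[str, str]) -> None:
    salt = secrets.token_bytes(16)  # per-user salt (assumption, not in the patent)
    USER_STORE[user_id] = {"salt": salt, "attrs": {k: _digest(v, salt) for k, v in attrs.items()}}

def verify_user_attributes(user_id: str, presented: Dict[str, str]) -> bool:
    rec = USER_STORE.get(user_id)
    if rec is None or set(presented) != set(rec["attrs"]):
        return False
    # digest-by-digest constant-time comparison against the stored strings
    return all(hmac.compare_digest(rec["attrs"][k], _digest(v, rec["salt"]))
               for k, v in presented.items())

# ---- step 3: identity authentication -> unique authentication token ----------
def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")

def issue_token(user_id: str, ttl: int = 300, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": now + ttl, "jti": secrets.token_hex(8)},
                         sort_keys=True).encode("utf-8")
    sig = hmac.new(SIGNING_KEY, payload, "sha256").digest()
    return _b64(payload) + "." + _b64(sig)

def authenticate(user_id: str, presented: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Success prompt is the token itself; failure is None."""
    return issue_token(user_id, now=now) if verify_user_attributes(user_id, presented) else None

def token_subject(token: str, now: Optional[float] = None) -> Optional[str]:
    """Unique user identifier carried by a correctly signed, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        p, s = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p), base64.urlsafe_b64decode(s)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(SIGNING_KEY, payload, "sha256").digest(), sig):
        return None
    claims = json.loads(payload)
    return claims["sub"] if claims["exp"] > now else None

# ---- step 4: resource authentication in the authority control micro-service --
# Constructed user-role table, as the attribute decision tree would have enabled it.
USER_ROLES: Dict[str, Set[str]] = {"alice": {"order_reader"}, "bob": set()}
# serviceId -> role -> permitted (resource, operation) pairs
SERVICE_POLICIES: Dict[str, Dict[str, Set[Tuple[str, str]]]] = {
    "order-service": {"order_reader": {("/orders", "read")},
                      "order_admin": {("/orders", "read"), ("/orders", "write")}},
}

def resource_authenticate(token: str, service_id: str, resource: str, operation: str,
                          now: Optional[float] = None) -> Tuple[int, str]:
    """Return (status, detail); status 200 carries the user id in detail."""
    user_id = token_subject(token, now)
    if user_id is None:
        return 401, "invalid or expired token"
    policy = SERVICE_POLICIES.get(service_id, {})
    if any((resource, operation) in policy.get(role, set()) for role in USER_ROLES.get(user_id, set())):
        return 200, user_id
    return 403, f"{user_id} may not {operation} {resource}"

# ---- gateway: intercept, authenticate the resource, then forward ---------------
# Constructed stand-in for the service center: serviceId -> business service handler
SERVICE_REGISTRY: Dict[str, Callable[[str, str, str], str]] = {
    "order-service": lambda user, resource, op: f"{op} {resource} for {user}: ok",
}

def gateway_handle(token: str, service_id: str, resource: str, operation: str,
                   now: Optional[float] = None) -> Tuple[int, str]:
    status, detail = resource_authenticate(token, service_id, resource, operation, now)
    if status != 200:
        return status, detail  # unauthorized access result returned directly
    handler = SERVICE_REGISTRY.get(service_id)
    if handler is None:
        return 404, f"serviceId {service_id} not registered"
    return 200, handler(detail, resource, operation)

if __name__ == "__main__":
    store_user_attributes("alice", {"username": "alice", "password": "correct horse"})
    tok = authenticate("alice", {"username": "alice", "password": "correct horse"})
    print(gateway_handle(tok, "order-service", "/orders", "read"))
    print(gateway_handle(tok, "order-service", "/orders", "write"))
```

The business service never sees the token: the gateway forwards only after the authority control micro-service has mapped the token to a user and the user's roles to the requested (resource, operation) pair, which is the decoupling the text claims. Replacing the fixed USER_ROLES table with the attribute decision tree from step 2 is the only change needed to make the role lookup dynamic.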
In a second aspect, the present application provides a micro-service unified rights control system based on user attributes, the system comprising:
the information storage module is used for storing the user attribute information in advance through the authority control micro-service;
the resource configuration module is used for selecting an object to be authorized and a strategy requirement corresponding to the object through an administrator, establishing an access control strategy of the object through the authority control microservice according to the object and the corresponding strategy requirement, and storing the access control strategy into a database to realize dynamic authority configuration;
the identity authentication module is used for forwarding the identity authentication request to the right control micro service when the identity authentication request sent by the client is received through the gateway, and generating a unique authentication token and returning the unique authentication token to the client after the right control micro service verifies the user attribute information;
and the resource authentication module is used for receiving resource request information and an authentication token by the gateway when the client requests to use the resources of any service micro-service, and forwarding the resource request information and the authentication token to the right control micro-service, wherein the right control micro-service completes resource authentication by analyzing authentication parameters in the resource request information and the authentication token, releases the resource request to the service micro-service after the authentication is successful, and the service micro-service executes corresponding operation and returns the result to the client.
Further, in one implementation, the information storage module includes:
and the information encoding unit is used for encoding the user attribute information with an irreversible encryption algorithm in the authority control micro-service and storing the encoded, i.e. encrypted, user attribute information in a relational database in string form, where the irreversible encryption algorithm comprises (but is not limited to) the MD5 algorithm and the SHA algorithms.
Further, in one implementation, the resource configuration module includes:
the system comprises a requirement determining unit, a policy determining unit and a policy selecting unit, wherein the requirement determining unit is used for selecting an object needing authorization through the administrator and determining a policy requirement corresponding to the object according to the object and an operation type, and the policy requirement comprises user attribute information and an access control decision tree; determining the user attribute information, namely determining the key attribute of an access control strategy, and determining the access control decision tree, namely determining the decision mode of the access control strategy;
the determining of the policy requirement corresponding to the object includes: after a user attribute list is obtained, selecting user attribute information in the user attribute list, appointing an access control decision tree, and applying for creating an access control strategy to the right control micro service;
the access control decision tree is a logic structure which represents logical operation of attributes AND attributes by a tree structure, wherein the attributes are user attribute information, each attribute represents a specific feature of a certain user, AND the logical operation of the attributes AND the attributes comprises AND, OR AND NOT;
the access control strategy is that the mapping relation among the users, the roles and the authorities is determined according to the mapping relation among the users and the roles and the mapping relation among the roles and the resources, namely the access control strategy is set based on an RBAC model; the right control micro service is an implementation mode of an access control strategy, and adopts a distributed micro service and storage mode;
the relationship judgment unit is used for substituting the attribute value set corresponding to each user specific feature into an access control decision tree, and then outputting a judgment result by a root node of the access control decision tree;
the judgment result comprises true or false; the judgment result is true, which indicates that the mapping relation between the user and the role in the access control strategy can be enabled, and the judgment result is false, which indicates that the mapping relation between the user and the role in the access control strategy can not be enabled;
the strategy creating unit is used for controlling the access control strategy of the micro-service creating object through the authority, namely finishing the storage of a user attribute table, an access control decision tree, a role table and a resource data table; the user attribute table comprises users and corresponding user attribute information, the role table comprises user role information and user unique identification information, and the resource data table comprises resource information and authority information;
and simultaneously, determining the mapping relation between the user and the role and the mapping relation between the role and the resource through the access control strategy, and completing resource authority configuration, namely realizing dynamic authority configuration.
Further, in one implementation, the identity authentication module includes:
a request sending unit, configured to send an identity authentication request to the gateway when the client requests authentication of an identity;
the information extraction unit is used for receiving an identity authentication request sent by a client through the gateway, extracting user attribute information from the identity authentication request and forwarding the user attribute information to the authority control microservice;
the token generation unit is used for comparing the user attribute information with the user attribute information in the database through the authority control microservice, and generating a unique authentication token if the user attribute information is confirmed to be correct;
and the token returning unit is used for returning the unique authentication token to the client through the authority control microservice.
Further, in one implementation, the resource authentication module includes:
the resource request unit is used for receiving an authentication token and resource request information sent by the client and sending the authentication token and the resource request information to the right control micro-service when the client requests to use the resources of any business micro-service;
the parameter extraction unit is used for receiving an authentication token and resource request information sent by the gateway through the authority control microservice and extracting authentication parameters;
the resource authentication unit is used for analyzing authentication parameters through the authority control micro service, inquiring an access control strategy list matched with the service micro service, and performing resource authentication, namely determining whether the resources required in the resource request information are consistent with the resources listed in the access control strategy list in the database;
and the resource releasing unit is used for releasing the resource request to the service micro-service by the right control micro-service when the resource authentication is successful, and the service micro-service executes the operation corresponding to the resource request information and returns the execution result to the client.
As can be seen from the foregoing technical solutions, an embodiment of the present invention provides a method and system for unified micro-service authority control based on user attributes, where the method comprises: step 1, the authority control micro-service stores user attribute information in advance; step 2, an administrator selects an object to be authorized and the strategy requirement corresponding to the object, and the authority control micro-service establishes an access control strategy for the object according to the object and the corresponding strategy requirement and stores it in a database, realizing dynamic authority configuration; step 3, when the gateway receives an identity authentication request sent by a client, it forwards the request to the authority control micro-service, which verifies the user attribute information, generates a unique authentication token and returns it to the client; step 4, when the client requests to use resources of any service micro-service, the gateway receives the resource request information and the authentication token and forwards both to the authority control micro-service, which completes resource authentication by parsing the authentication parameters in the resource request information and the authentication token; after successful authentication the resource request is released to the service micro-service, which executes the corresponding operation and returns the result to the client.
In the prior art, the authentication method either cannot be applied to the various authentication scenarios, or brings serious load problems and network overhead, or brings data security problems. Compared with the prior art, the invention has the following beneficial effects:
1. the authority control of multiple business micro-services is completed through the authority control micro-service, so no independent authority control system needs to be developed for each business micro-service, repeated development work is avoided, integration with external systems is easy, the business micro-services are not intruded upon, and authority management is logically decoupled from the business applications;
2. a standardized authority control interface is uniformly provided at the gateway layer, which facilitates unified management; authority can be controlled simply by configuring the forwarding interface of the business micro-service at the gateway, so system configuration is flexible and efficient, standard and centralized authority management is realized;
3. during access control, user attribute information is added on top of traditional role-based access control and an access control decision tree is designed, so that only users satisfying the logical operations of the access control decision tree obtain the corresponding user roles and thereby their access rights; this greatly enriches the authorization modes, refines the granularity of resource access, realizes the principle of least privilege, guarantees that data resources are not illegally used or accessed, and improves the security of authority management.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious to those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
Fig. 1 is a flowchart of a method for controlling unified rights for microservices based on attributes according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an access control decision tree for attribute and logical operations according to an embodiment of the present invention;
fig. 3 is a schematic diagram of an authority access control method based on user attributes according to an embodiment of the present invention;
fig. 4 is a timing diagram of a micro-service unified permission control method based on attributes according to an embodiment of the present invention;
fig. 5 is a flowchart of an attribute-based microservice unified rights control system according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
The embodiment of the invention discloses a micro-service unified authority control method and system based on user attributes, which is applied to the management of distributed micro-services and provides unified identity authentication and fine-grained resource authentication for the micro-services. Most existing distributed micro-service architectures serve many users and many scenarios, with many user types in large numbers; they are characterized by numerous micro-services, high management difficulty, non-uniform interfaces, and a heavy expansion and maintenance burden. The micro-service unified authentication and authorization scheme of the invention provides a standardized authority control interface at the gateway layer, which is convenient for unified management, introduces user attribute information to refine the granularity of resource access, and improves the security of authority management.
In order to make the features and advantages of the present invention more comprehensible, embodiments with accompanying figures are described in detail below. It is to be understood that the described embodiments are only some of the embodiments of the present application, not all of them. The embodiment of the invention provides a micro-service unified authority control method and system based on user attributes, used to realize unified identity authentication and resource authentication under a micro-service architecture, with the characteristics of non-intrusion into micro-service modules, flexible configuration and high reusability.
As shown in fig. 1, which shows a flowchart of an embodiment of a micro-service unified rights control method based on user attributes according to the present invention, steps 101 to 104 in the flowchart correspond to steps 1 to 4 in this embodiment one to one.
The embodiment of the invention provides a micro-service unified authority control method based on user attributes, which comprises the following steps:
Step 1, the authority control micro-service stores user attribute information in advance; specifically, the method provided in this embodiment is configured in a gateway based on a micro-service architecture.
Step 2, selecting an object to be authorized and a strategy requirement corresponding to the object by an administrator, establishing an access control strategy of the object through the authority control micro-service according to the object and the corresponding strategy requirement, and storing the access control strategy into a database to realize dynamic authority configuration;
step 3, when receiving an identity authentication request sent by a client, the gateway forwards the identity authentication request to an authority control micro-service, and after verifying user attribute information, the authority control micro-service generates a unique authentication token and returns the unique authentication token to the client; in this embodiment, the client provides a web or app or applet or open platform or other front-end page that manages and uses information;
Step 4, when the client requests to use a resource of any business micro-service, the gateway receives the resource request information and the authentication token and forwards them to the authority control micro-service; the authority control micro-service completes resource authentication by analyzing the authentication parameters in the resource request information and the authentication token, the resource request is released to the business micro-service after authentication succeeds, and the business micro-service executes the corresponding operation and returns the result to the client.
In the method for controlling micro-service unified authority based on user attributes according to this embodiment, the step 1 includes:
the right control micro service encodes the user attribute information through an irreversible encryption algorithm, and stores the user attribute information encrypted through encoding in a relational database in a character string form, wherein the irreversible encryption algorithm comprises (but is not limited to) an MD5 algorithm and an SHA algorithm. In this embodiment, the user attribute information includes user basic information and authentication information, which are used to describe some characteristics of the user. The basic information includes but is not limited to name, gender, age, phone, etc., and the authentication information includes but is not limited to username, password, role, etc.
In the method for controlling micro-service unified authority based on user attributes according to this embodiment, the step 2 includes:
step 2-1, selecting an object needing authorization by the administrator, and determining a policy requirement corresponding to the object according to the object and an operation type, wherein the policy requirement comprises user attribute information and an access control decision tree; determining the user attribute information, namely determining the key attribute of an access control strategy, and determining the access control decision tree, namely determining the decision mode of the access control strategy;
Determining the policy requirement corresponding to the object includes: after a user attribute list is obtained, user attribute information is selected from the list, an access control decision tree is specified, and creation of an access control policy is requested from the authority control micro-service;
the access control decision tree is a logical structure that represents logical operations between attributes as a tree, where the attributes are user attribute information, each attribute represents a specific feature of a user, and the logical operations between attributes comprise AND, OR and NOT; the access control decision tree is shown in detail in fig. 2.
The access control strategy is that the mapping relation of the user, the role and the authority is determined through the mapping relation of the user and the role and the mapping relation of the role and the resource, namely the access control strategy is set based on an RBAC model; the permission control micro-service is an implementation mode of an access control strategy, and adopts a distributed micro-service and storage mode;
in the step 2-1, the authority control microservice configures the role of an administrator, and the administrator can configure the authority information of each user in the system and complete storage.
The authority configuration information is a resource type, an operation level and an operation type which are authorized by an administrator for a user, and the resource type comprises data resources and service resources; the operation types comprise reading and writing operations of files, addition, deletion, modification and check of a database and the like; the operation level can be from the whole system and part of modules to a link request, the granularity is different, different granularities can be set according to the requirement, in order to improve the precision, the granularity can be set to be finer, and in order to expand the control range, the granularity can be set to be coarser. The embodiment is not particularly limited.
There may be an inclusion relationship between user attributes, for example a school includes a college, which matches the hierarchical management of users in real life. The values of user attributes exist in pairs, expressed as "key: value", and are assigned to the user in that form. Elements joined by the OR operator indicate that matching any one value suffices, written as {key1: value1 OR key2: value2 OR key3: value3}. Elements joined by the AND operator indicate that all attribute values must be satisfied, written as {key1: value1 AND key2: value2 AND key3: value3}. A value that must not be held is expressed with the NOT operator, written as {NOT key1: value1}.
Step 2-2, after the attribute value set corresponding to each user specific feature is brought into an access control decision tree, a judgment result is output by a root node of the access control decision tree;
the judgment result comprises true or false; the judgment result is true, which indicates that the mapping relation between the user and the role in the access control strategy can be enabled, and the judgment result is false, which indicates that the mapping relation between the user and the role in the access control strategy can not be enabled;
Step 2-3, the authority control micro-service creates the access control policy of the object, that is, completes the storage of a user attribute table, an access control decision tree, a role table and a resource data table; the user attribute table contains users and their corresponding user attribute information, the role table contains user role information and unique user identification information, and the resource data table contains resource information and authority information;
and simultaneously, determining the mapping relation between the user and the role and the mapping relation between the role and the resource through the access control strategy, and completing resource authority configuration, namely realizing dynamic authority configuration. In this embodiment, the user-role relationship determines whether the relationship is enabled through the access control decision tree, and after the relationship is enabled, the resources corresponding to the role can be directly used.
In the method for controlling micro-service unified authority based on user attributes according to this embodiment, step 3 includes:
step 3-1, when the client requests to authenticate the identity, an identity authentication request is sent to the gateway;
step 3-2, the gateway receives an identity authentication request sent by a client, extracts user attribute information from the identity authentication request, and forwards the user attribute information to an authority control microservice;
Specifically, in the present invention, the gateway can cache the authentication result produced by identity authentication for a validity period, that is, the validity period of the authentication token can be set flexibly, and within that period the client's authentication process can be skipped to speed up the client's access to the micro-service.
Step 3-3, the authority control micro-service compares the submitted user attribute information with the user attribute information in the database, and if it is confirmed to be correct, generates a unique authentication token; specifically, in this embodiment, the user stored in the database has a role attribute, and only the resource permissions corresponding to that role can be acquired.
Step 3-4, the authority control micro-service returns the unique authentication token to the client.
In the invention, the gateway provides a uniform authority control micro-service interface as a uniform external standard interface, and any one service micro-service can realize the identity authentication of a user by calling the interface.
Specifically, it is judged whether the user attribute information entered at user login is the same as the user attribute information successfully decrypted from the resource library; if so, user identity authentication succeeds, and if it differs or decryption fails, the user identity is judged illegal and identity authentication fails. Other authentication methods may also be adopted; this embodiment is not particularly limited.
If the identity authentication result is successful, the authority control micro-service sends an identity authentication success prompt and the authentication token to the client; and if the identity authentication result is failure, the authority control micro-service sends an authentication failure prompt to the client.
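The following is an added example (not the patent's own implementation) of steps 1 and 3 in Python: user attribute information is stored in a relational database (sqlite3 in memory), the password is stored only as a salted SHA-256 hash (the patent names MD5 and SHA; the per-user salt, the choice of SHA-256 and the 600-second validity period are assumptions), the login attributes are compared against the store, and a unique token with a validity period is issued and later resolved.

```python
import hashlib
import secrets
import sqlite3
import time
import uuid
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 600.0   # assumed validity period cached by the gateway


def one_way_encode(value: str, salt: str) -> str:
    """Irreversible encoding of an attribute value, stored as a hex string.
    A per-user salt defeats the precomputed lookups that unsalted MD5/SHA allow."""
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()


class AuthorityControlService:
    """Step 1 store plus the identity authentication of steps 3-3 and 3-4."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")       # the relational database
        self.db.execute(
            "CREATE TABLE user_attr ("
            "user_id TEXT PRIMARY KEY, username TEXT UNIQUE, salt TEXT, "
            "password_hash TEXT, role TEXT)"
        )
        self.tokens: Dict[str, dict] = {}             # token -> session entry

    def store_user(self, username: str, password: str, role: str) -> str:
        """Step 1: store attribute information in advance; only the hash of the
        password is kept (the other attributes stay as plain strings, an assumption)."""
        user_id = str(uuid.uuid4())                   # unique user identifier
        salt = secrets.token_hex(16)
        self.db.execute(
            "INSERT INTO user_attr VALUES (?, ?, ?, ?, ?)",
            (user_id, username, salt, one_way_encode(password, salt), role),
        )
        self.db.commit()
        return user_id

    def authenticate(self, username: str, password: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Steps 3-3/3-4: compare the submitted attributes with the stored ones;
        on success generate and return a unique authentication token."""
        row = self.db.execute(
            "SELECT user_id, salt, password_hash, role FROM user_attr WHERE username = ?",
            (username,),
        ).fetchone()
        if row is None:
            return None                               # unknown user: authentication fails
        user_id, salt, stored_hash, role = row
        if not secrets.compare_digest(one_way_encode(password, salt), stored_hash):
            return None                               # attribute mismatch: authentication fails
        issued = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user_id": user_id, "role": role,
                              "expires": issued + TOKEN_TTL_SECONDS}
        return token

    def resolve_token(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Gateway-side check: a token is honoured only within its validity period."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        current = time.time() if now is None else now
        if current >= entry["expires"]:
            del self.tokens[token]                    # expired: re-authentication required
            return None
        return entry


if __name__ == "__main__":
    svc = AuthorityControlService()
    svc.store_user("alice", "correct-horse", "R")
    token = svc.authenticate("alice", "correct-horse")
    print("token issued:", token is not None)                       # True
    print("wrong password:", svc.authenticate("alice", "wrong"))    # None
```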
In the method for controlling unified rights for micro services based on user attributes according to this embodiment, step 4 includes:
step 4-1, when the client requests to use the resources of any service microservice, the gateway receives an authentication token and resource request information sent by the client and sends the authentication token and resource request information to the right control microservice;
step 4-2, the right control micro service receives an authentication token and resource request information sent by a gateway, and extracts authentication parameters;
Step 4-3, the authority control micro-service analyzes the authentication parameters, queries the access control policy list matching the business micro-service, and performs resource authentication, that is, determines whether the resource required in the resource request information is consistent with the resources listed in the access control policy list in the database; specifically, in the present invention, the authority control micro-service obtains the unique user identifier from the session's authentication token and determines whether the user of the session is legitimate. The authority control micro-service then obtains the access control policy of the session according to the unique user identifier and the resource request information, so as to obtain the access control decision tree, the user-role mapping and the role-authority mapping used at authorization time. Finally, the authority control micro-service queries the resources and roles matching the business micro-service.
Step 4-4, if resource authentication succeeds, the authority control micro-service releases the resource request to the business micro-service, which executes the operation corresponding to the resource request information and returns the execution result to the client.
In the invention, the gateway provides a configuration function for the business microservice, authority configuration can be carried out on the business microservice through the configuration file, the configuration file immediately takes effect without restarting, and dynamic flexible configuration is realized.
In the invention, a plurality of business microservices are registered through a service center. And the serviceId and the micro-service URL of each service micro-service are stored in a configuration file of the gateway layer. When the gateway receives the resource access request, the gateway firstly intercepts the access request, directly inquires the instance address from the service center by retrieving the configuration file after performing resource authentication, and forwards the instance address to the service microservice.
In the invention, when a gateway intercepts a resource access request, a user role matched with a path of the resource access request is retrieved in an authority control filter, the mapping relation between the role and the resource is inquired through an authority control micro service, if the matching is successful, the authentication request is released, and if the matching is failed, an unauthorized access result is directly returned.
In the invention, when a new service micro-service is added and authentication parameters are configured, firstly the service micro-service is registered through a service center, and secondly, the serviceId and the micro-service URL of the service micro-service are added in a gateway layer configuration file; thirdly, configuring the access authority of the service micro-service in the authority management micro-service. The configuration is convenient, and the expansibility is stronger.
In the invention, the resource access request comprises two authorization objects, namely service resources and data resources, the two authorization objects cover all resource types of the business microservice, and different authorization objects have different operation types. The operation types comprise the operations of adding, deleting, modifying and checking data resources, reading and writing file resources and the like.
When a resource is requested, the access control decision tree performs the logical operation on the attribute values, and the user obtains the corresponding authority only when the attribute set satisfies the logical operation of the decision tree.
Specifically, data D on the cloud server is defined as target data of an access request sent by a client, the data has a mapping relationship with a user role R, and only a user with the role R can access the data D. An access control decision tree is assigned to the role as shown in fig. 3. The access control decision tree comprises three attributes attr0, attr1 and attr2, wherein attr0 can take the following values: { value0, value1}, attr1 may take on values { value2, value3, value4}, and attr2 may take on values { value5, value6 }.
Only when the user holds all three attributes attr0, attr1 and attr2, with the value of attr0 being one of {value0, value1}, the value of attr1 one of {value2, value3, value4} and the value of attr2 one of {value5, value6}, does the user satisfy the logical operation of the access control tree and thereby possess the corresponding user role, obtaining the access control authority of that role.
That is, {attr0: value0 OR attr0: value1} AND {attr1: value2 OR attr1: value3 OR attr1: value4} AND {attr2: value5 OR attr2: value6}. After the user attributes are brought into the access control decision tree and evaluated, the root node outputs true or false. If the result is true, the user has role R and, through the mapping between role R and data D, has access control authority over data D; if the result is false, the user does not have role R and thus cannot access data D.
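As an added example (not part of the patent text), the following Python code builds the attribute-and-logic decision tree of fig. 3 in the notation of the preceding sections, evaluates a user's attribute set at the root, enables the user-role mapping, and checks the role-resource mapping for data D; the node classes, the attribute inclusion expansion and the role-to-resource table are assumptions, not the patent's own code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple, Union

# A user's attribute set: pairs in the "key: value" form, e.g. {("attr0", "value0"), ...}
Attrs = Set[Tuple[str, str]]


@dataclass
class Leaf:
    """Leaf node: satisfied when the user holds the attribute pair key: value."""
    key: str
    value: str


@dataclass
class Node:
    """Inner node applying AND, OR or NOT to its children."""
    op: str                                   # "AND", "OR" or "NOT"
    children: List[Union["Node", Leaf]] = field(default_factory=list)


Tree = Union[Node, Leaf]


def expand_inclusion(attrs: Attrs, includes: Dict[Tuple[str, str], Tuple[str, str]]) -> Attrs:
    """Assumed reading of 'a school includes a college': holding the child pair
    (college: cs) implies the parent pair (school: jit); applied transitively."""
    result = set(attrs)
    pending = list(attrs)
    while pending:
        parent = includes.get(pending.pop())
        if parent is not None and parent not in result:
            result.add(parent)
            pending.append(parent)
    return result


def evaluate(tree: Tree, attrs: Attrs) -> bool:
    """Bring the attribute set into the tree; the root returns true or false."""
    if isinstance(tree, Leaf):
        return (tree.key, tree.value) in attrs
    if tree.op == "AND":
        return all(evaluate(c, attrs) for c in tree.children)
    if tree.op == "OR":
        return any(evaluate(c, attrs) for c in tree.children)
    if tree.op == "NOT":
        if len(tree.children) != 1:
            raise ValueError("NOT takes exactly one child")
        return not evaluate(tree.children[0], attrs)
    raise ValueError(f"unknown operator {tree.op!r}")


def to_expression(tree: Tree, top: bool = True) -> str:
    """Render the tree in the braces notation used above, e.g.
    {attr0: value0 OR attr0: value1} AND {attr1: value2 OR ...}."""
    if isinstance(tree, Leaf):
        return f"{tree.key}: {tree.value}"
    if tree.op == "NOT":
        return "{NOT " + to_expression(tree.children[0], False) + "}"
    inner = f" {tree.op} ".join(to_expression(c, False) for c in tree.children)
    return inner if top and tree.op == "AND" else "{" + inner + "}"


def enabled_roles(attrs: Attrs, role_trees: Dict[str, Tree]) -> Set[str]:
    """Step 2-2: a user-role mapping is enabled only when its tree outputs true."""
    return {role for role, tree in role_trees.items() if evaluate(tree, attrs)}


def can_access(attrs: Attrs, role_trees: Dict[str, Tree],
               role_resources: Dict[str, Set[str]], resource: str) -> bool:
    """Role-resource mapping: access to data D needs an enabled role mapped to D."""
    return any(resource in role_resources.get(r, ())
               for r in enabled_roles(attrs, role_trees))


def any_of(key: str, values: List[str]) -> Node:
    """OR over all allowed values of one attribute."""
    return Node("OR", [Leaf(key, v) for v in values])


# The tree assigned to role R in fig. 3 (attribute names and values as in the text).
FIG3_TREE = Node("AND", [
    any_of("attr0", ["value0", "value1"]),
    any_of("attr1", ["value2", "value3", "value4"]),
    any_of("attr2", ["value5", "value6"]),
])
ROLE_TREES: Dict[str, Tree] = {"R": FIG3_TREE}
ROLE_RESOURCES: Dict[str, Set[str]] = {"R": {"D"}}    # constructed: role R maps to data D

if __name__ == "__main__":
    user = {("attr0", "value1"), ("attr1", "value3"), ("attr2", "value5")}
    print(to_expression(FIG3_TREE))
    print("access to D:", can_access(user, ROLE_TREES, ROLE_RESOURCES, "D"))   # True
```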
The business microservice related in the embodiment can be composed of a plurality of different business microservice applications, and each business microservice shares the same gateway and the right control microservice. And the user information of each business micro-service is stored in the authority control micro-service resource library.
Multiple business micro-services can simultaneously use the authority control micro-service gateway to realize unified identity authentication and resource authority management. Because several business micro-services share one set of user management, each business micro-service is freed from complicated multi-user management.
Furthermore, in order to realize fine-grained access control of resources, a hierarchical mode is used for carrying out granularity division on resource objects. The specific description is as follows:
The resources are stored on distributed cloud servers, and the access rights of a resource are represented by a binary group (resource, operation). A binary group (resource, operation) is taken as a specific authorization object; for example, (server1->database1->table1->row1, get) represents row1 of table table1 in database database1 on the server1 micro-service, accessed by the get method. Specifically, url + method may be used to access a certain database resource, where the complete path of the url indicates the location of the specific resource object.
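As an added example (not from the patent), this Python code performs the step 4 resource authentication over (resource, operation) objects with hierarchical paths such as server1->database1->table1->row1, and models the gateway interceptor that consults the serviceId registry; the url-to-path mapping, the prefix semantics (a grant on an ancestor covers its descendants) and the registry contents are assumptions.

```python
from typing import Dict, List, Set, Tuple

SEP = "->"
# Authorization object: (resource path, operation), e.g. ("server1->database1->table1", "get")
AuthObject = Tuple[str, str]


def split_path(resource: str) -> List[str]:
    """Split server1->database1->table1->row1 into its hierarchy levels."""
    parts = [p.strip() for p in resource.split(SEP)]
    if not parts or any(p == "" for p in parts):
        raise ValueError(f"malformed resource path: {resource!r}")
    return parts


def covers(granted: AuthObject, requested: AuthObject) -> bool:
    """A granted object covers a request when the operations match and the
    granted path is the requested path or one of its ancestors (assumed
    reading of the hierarchical granularity: a table-level grant covers its rows)."""
    granted_res, granted_op = granted
    requested_res, requested_op = requested
    if granted_op.lower() != requested_op.lower():
        return False
    g, r = split_path(granted_res), split_path(requested_res)
    return len(g) <= len(r) and r[:len(g)] == g


def resource_authentication(roles: Set[str], role_grants: Dict[str, Set[AuthObject]],
                            requested: AuthObject) -> bool:
    """Step 4-3: pass only if one of the user's roles lists an object consistent
    with the requested resource and operation."""
    return any(covers(granted, requested)
               for role in roles for granted in role_grants.get(role, ()))


def parse_url_method(url: str, method: str) -> AuthObject:
    """Map url + method to an authorization object; the constructed URL layout
    is /serviceId/database/table/row, so the first segment is the serviceId."""
    segments = [s for s in url.split("?", 1)[0].split("/") if s]
    if not segments:
        raise ValueError("empty resource path")
    return (SEP.join(segments), method.lower())


def gateway_intercept(token: str, url: str, method: str,
                      sessions: Dict[str, Set[str]],
                      role_grants: Dict[str, Set[AuthObject]],
                      registry: Dict[str, str]) -> Tuple[int, str]:
    """Gateway interceptor for step 4: unknown token -> 401, no matching
    role-resource mapping -> 403, otherwise (200, instance address) so the
    request is released to the business micro-service found in the registry."""
    roles = sessions.get(token)
    if roles is None:
        return (401, "identity authentication required")
    requested = parse_url_method(url, method)
    if not resource_authentication(roles, role_grants, requested):
        return (403, "unauthorized access to resource")
    service_id = split_path(requested[0])[0]
    instance = registry.get(service_id)
    if instance is None:
        return (404, f"no instance registered for serviceId {service_id}")
    return (200, instance)


# Constructed sample data: role grants, one active session and the service registry.
ROLE_GRANTS: Dict[str, Set[AuthObject]] = {
    "R": {("server1->database1->table1", "get")},
    "Admin": {("server1", "get"), ("server1", "delete")},
}
SESSIONS: Dict[str, Set[str]] = {"token-for-r": {"R"}}
REGISTRY: Dict[str, str] = {"server1": "http://10.0.0.5:8080"}

if __name__ == "__main__":
    print(gateway_intercept("token-for-r", "/server1/database1/table1/row1", "GET",
                            SESSIONS, ROLE_GRANTS, REGISTRY))        # (200, 'http://10.0.0.5:8080')
    print(gateway_intercept("token-for-r", "/server1/database1/table1/row1", "DELETE",
                            SESSIONS, ROLE_GRANTS, REGISTRY)[0])     # 403
```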
The client in this embodiment may be any one of a PC Web end, a mobile client, a mobile applet, and an open platform, and is not limited specifically here.
If the business micro-service is of the HTTP or HTTPS service type, the authentication token is written into an HTTP header and passed to the gateway; after the gateway and the authority control micro-service perform identity authentication, the request is passed on to the business micro-service.
When resource authentication is performed, the system improves the role-based access control model (RBAC): it replaces the original fixed mapping between user and role, adds user attributes and an access control decision tree, determines the user's role through the logical operation of the user attributes over the access control decision tree, dynamically extends the original user-role correspondence, refines the granularity of access control, and makes access control more dynamic.
Fig. 3 illustrates an access control model based on user attributes, showing the user-attribute-role-authority mapping. The user is the subject that accesses business micro-service data; an attribute represents some characteristic information of the user; a role is a division of labour or position in an organization or system; and user authority is divided into resource access authority and resource operation authority. The user's attributes jointly determine, through the access control decision tree, whether the user holds a certain role, and the role-authority mapping determines whether the role has access authority over a certain resource. A user may have multiple roles and multiple attributes, a role may be composed of multiple users, a role may have multiple permissions, and each permission may be granted to multiple roles; that is, the user-role and role-authority mappings are many-to-many. The user's role is determined through the attributes and the access control decision tree, and the user's authority is controlled through the role, which logically separates users from authorities, refines the granularity of access control, and improves system security.
Referring to fig. 4, a timing chart of a micro-service unified permission control method based on user attributes provided in an embodiment of the present invention includes the following steps:
S201, the client initiates a registration and permission configuration request and sends it directly to the authority control micro-service;
s202, the authority control micro service pre-configures user attribute list information to be stored in a resource library; and the authority control micro-service determines a mapping relation according to an authorized object selected by an administrator, an appointed user attribute and an access control decision tree, creates an access control strategy, and stores the access control strategy into a relational database to realize dynamic authority configuration.
S203, the authority control micro service sends the result of successful configuration to the client.
S204, when the client side initiates an identity authentication request, the identity authentication request is sent to the gateway, and the user attribute information includes but is not limited to a user name and a password.
S205, the gateway forwards the user identity authentication request to the permission control micro service.
S206, the authority control micro-service decrypts, inquires and verifies the user identity attribute information, and generates an identity authentication token after success.
S207, the authority control micro-service returns the queried user authority policy and the generated identity authentication token to the client. If authentication by the authority control micro-service fails, an authentication failure result is returned directly to the client.
S208, the client side carries the authentication token to initiate a request aiming at the resources of the business microservice, and sends the request to the gateway.
S209, the gateway layer is provided with an interceptor, which intercepts the resource access request and forwards it to the authority control micro-service.
S210, the authority control micro-service analyzes the authentication token and performs the logical operation on the attribute values according to the access control decision tree; when the attribute set satisfies the logical operation of the decision tree and a mapping relation exists between the resource and the user's role, the user obtains the corresponding authority and the resource request is released directly to the business micro-service.
S211, the authority control micro-service analyzes the authentication token; when the attribute set does not satisfy the logical operation of the decision tree, or the corresponding role has no mapping relation with the resource to be accessed, the client is notified that access to the resource is unauthorized.
S212, the service micro-service executes corresponding operation according to the resource request.
S213, the business micro-service returns the business resource request result directly to the client.
A plurality of micro-service systems share a set of authority control micro-service and share a set of user management model. The business micro-service realizes the registration of users, the configuration of user attributes, the determination of access control decision trees and the allocation of roles and authorities through the authority control micro-service.
The business micro service registers the user, the attribute, the role and the authority object into the authority control micro service, and the business micro service does not store the information, thereby realizing the unified management of the user.
The authority information can set different granularities according to the service micro-service requirements. For example, the resource usage range set for the administrator is large, and the usage authority range for the general user is small.
In the embodiment, the permission control micro-service is called, whether the user has the resource and the operation permission of the service micro-service is judged according to the user permission information, if the user has the corresponding permission, the user request is released to the service micro-service, and the service micro-service acquires the service data and the operation permission corresponding to the user.
As shown in fig. 5, in this embodiment, on the basis of the micro-service unified permission control method based on the user attribute, an embodiment of the present invention further provides a micro-service unified permission control system based on the user attribute, where the system includes:
the information storage module 501 is used for storing user attribute information in advance through the authority control micro-service;
a resource configuration module 502, configured to select, by an administrator, an object to be authorized and the policy requirement corresponding to the object, create an access control policy for the object through the authority control micro-service according to the object and its policy requirement, and store the access control policy in a database, so as to implement dynamic authority configuration;
the identity authentication module 503 is configured to forward an identity authentication request to the authority control micro-service when the gateway receives the identity authentication request sent by a client, and, after the authority control micro-service verifies the user attribute information, generate a unique authentication token and return it to the client;
a resource authentication module 504, configured to, when the client requests to use a resource of any service microservice, receive resource request information and an authentication token by the gateway, and forward the resource request information and the authentication token to the right control microservice, where the right control microservice completes resource authentication by analyzing authentication parameters in the resource request information and the authentication token, and releases a resource request to the service microservice after authentication is successful, and the service microservice executes a corresponding operation and returns a result to the client.
In the system for controlling unified rights for micro-services based on user attributes according to this embodiment, the information storage module includes:
the information encoding unit is used for encoding the user attribute information through an irreversible (one-way hash) algorithm by the authority control micro-service, and storing the encoded user attribute information in a relational database in string form, where the irreversible algorithm includes (but is not limited to) the MD5 algorithm and the SHA algorithms.
In the system for controlling micro-service unified rights based on user attributes according to this embodiment, the resource configuration module includes:
a requirement determining unit, a policy determining unit and a policy selecting unit, wherein the requirement determining unit is used for selecting an object needing authorization through the administrator and determining the policy requirement corresponding to the object according to the object and an operation type, the policy requirement comprising user attribute information and an access control decision tree; determining the user attribute information means determining the key attributes of the access control policy, and determining the access control decision tree means determining the decision mode of the access control policy;
determining the policy requirement corresponding to the object includes: after a user attribute list is obtained, user attribute information is selected from the list, an access control decision tree is specified, and creation of an access control policy is requested from the authority control micro-service;
the access control decision tree is a logical structure that represents logical operations between attributes as a tree, where the attributes are user attribute information, each attribute represents a specific feature of a user, and the logical operations between attributes comprise AND, OR and NOT;
the access control strategy is that the mapping relation of the user, the role and the authority is determined through the mapping relation of the user and the role and the mapping relation of the role and the resource, namely the access control strategy is set based on an RBAC model; the permission control micro-service is an implementation mode of an access control strategy, and adopts a distributed micro-service and storage mode;
the relationship judgment unit is used for substituting the attribute value set corresponding to each user specific feature into an access control decision tree, and then outputting a judgment result by a root node of the access control decision tree;
the judgment result comprises true or false; the judgment result is true, which indicates that the mapping relation between the user and the role in the access control strategy can be enabled, and the judgment result is false, which indicates that the mapping relation between the user and the role in the access control strategy cannot be enabled;
the strategy creating unit is used for controlling the access control strategy of the micro-service creating object through the authority, namely finishing the storage of a user attribute table, an access control decision tree, a role table and a resource data table; the user attribute table comprises users and corresponding user attribute information, the role table comprises user role information and user unique identification information, and the resource data table comprises resource information and authority information;
and simultaneously, determining the mapping relation between the user and the role and the mapping relation between the role and the resource through the access control strategy, and completing resource authority configuration, namely realizing dynamic authority configuration.
In the user-attribute-based microservice unified permission control system of this embodiment, the identity authentication module includes:
a request sending unit, configured to send an identity authentication request to the gateway when the client requests identity authentication;
an information extraction unit, by which the gateway receives the identity authentication request sent by the client, extracts the user attribute information from it and forwards the user attribute information to the permission-control microservice;
a token generation unit, by which the permission-control microservice compares the received user attribute information with the user attribute information in the database and, if it is confirmed to be correct, generates a unique authentication token;
a token returning unit, by which the permission-control microservice returns the unique authentication token to the client.
In the user-attribute-based microservice unified permission control system of this embodiment, the resource authentication module includes:
a resource request unit, by which, when the client requests to use the resources of any business microservice, the gateway receives the authentication token and resource request information sent by the client and sends them to the permission-control microservice;
a parameter extraction unit, by which the permission-control microservice receives the authentication token and resource request information sent by the gateway and extracts the authentication parameters;
a resource authentication unit, by which the permission-control microservice analyses the authentication parameters, queries the access control policy list matching the business microservice and performs resource authentication, i.e. determines whether the resources required in the resource request information are consistent with the resources listed in that access control policy list in the database;
a resource releasing unit, by which, when resource authentication succeeds, the permission-control microservice releases the resource request to the business microservice, and the business microservice executes the operation corresponding to the resource request information and returns the execution result to the client.
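As an added example that is not part of the patent, the following Python sketch shows the resource configuration and resource authentication modules above working together: a decision tree of AND/OR/NOT nodes over user attributes gates the user-to-role mapping, roles map to resources, and the permission-control microservice issues a token on authentication and checks a resource request against the roles the tree enables. All class names, attribute names, roles, resources and secrets are constructed for this illustration, and SHA-256 is assumed as the irreversible algorithm (the patent names MD5 and SHA without fixing a variant).

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Any, Mapping


@dataclass(frozen=True)
class Attr:
    """Leaf of the decision tree: true when the user's attribute `name` equals `value`."""
    name: str
    value: Any

    def evaluate(self, attrs: Mapping[str, Any]) -> bool:
        return attrs.get(self.name) == self.value


@dataclass(frozen=True)
class Op:
    """Internal node: AND / OR over its children, NOT over a single child."""
    op: str
    children: tuple

    def evaluate(self, attrs: Mapping[str, Any]) -> bool:
        results = [child.evaluate(attrs) for child in self.children]
        if self.op == "AND":
            return all(results)
        if self.op == "OR":
            return any(results)
        if self.op == "NOT":
            if len(results) != 1:
                raise ValueError("NOT takes exactly one child")
            return not results[0]
        raise ValueError(f"unknown operator {self.op!r}")


def _digest(text: str) -> str:
    # One-way hash of a stored attribute, kept as a string (SHA-256 assumed here).
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class PermissionControlService:
    """Constructed stand-in for the patent's permission-control microservice."""

    def __init__(self) -> None:
        self.user_attrs: dict[str, dict[str, Any]] = {}          # user attribute table
        self.credential_hash: dict[str, str] = {}                 # hashed secret attribute
        self.role_tree: dict[str, Attr | Op] = {}                 # role -> decision tree
        self.role_resources: dict[str, set[tuple[str, str]]] = {}  # role -> (resource, op)
        self.tokens: dict[str, str] = {}                          # token -> user id

    # step 1: store user attribute information; the secret attribute is stored hashed
    def store_user(self, user: str, attrs: dict[str, Any], secret: str) -> None:
        self.user_attrs[user] = dict(attrs)
        self.credential_hash[user] = _digest(secret)

    # step 2: the administrator creates the access control policy for one role (object)
    def create_policy(self, role: str, tree: Attr | Op, resources: set[tuple[str, str]]) -> None:
        self.role_tree[role] = tree
        self.role_resources[role] = set(resources)

    # step 2-2: the user-to-role mapping is enabled only when the tree root outputs true
    def enabled_roles(self, user: str) -> set[str]:
        attrs = self.user_attrs.get(user, {})
        return {role for role, tree in self.role_tree.items() if tree.evaluate(attrs)}

    # step 3: verify the submitted attribute against the stored hash, then issue a token
    def authenticate(self, user: str, secret: str) -> str | None:
        stored = self.credential_hash.get(user)
        if stored is None or not hmac.compare_digest(stored, _digest(secret)):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = user
        return token

    # step 4: resource authentication - is (resource, operation) listed for an enabled role?
    def authorize(self, token: str, resource: str, operation: str) -> bool:
        user = self.tokens.get(token)
        if user is None:
            return False
        return any((resource, operation) in self.role_resources[role]
                   for role in self.enabled_roles(user))


def build_demo() -> PermissionControlService:
    """Constructed sample data: two users and one role gated by an AND/NOT tree."""
    svc = PermissionControlService()
    svc.store_user("alice", {"dept": "finance", "level": 3, "contractor": False}, "alice-secret")
    svc.store_user("bob", {"dept": "finance", "level": 3, "contractor": True}, "bob-secret")
    # finance_auditor := dept == finance AND level == 3 AND NOT contractor
    tree = Op("AND", (Attr("dept", "finance"), Attr("level", 3),
                      Op("NOT", (Attr("contractor", True),))))
    svc.create_policy("finance_auditor", tree, {("ledger-service:/reports", "GET")})
    return svc
```

Only alice satisfies the tree, so only her token is released to the ledger resource; bob authenticates but receives no role and is refused at resource authentication.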
As can be seen from the foregoing technical solutions, an embodiment of the present invention provides a user-attribute-based microservice unified permission control method and system, where the method includes: step 1, storing user attribute information in advance through a permission-control microservice; step 2, an administrator selecting an object to be authorized and the policy requirement corresponding to the object, the permission-control microservice establishing the access control policy of the object according to the object and its corresponding policy requirement, and storing the access control policy in a database to realize dynamic permission configuration; step 3, when the gateway receives an identity authentication request sent by a client, forwarding the identity authentication request to the permission-control microservice, which, after verifying the user attribute information, generates a unique authentication token and returns it to the client; and step 4, when the client requests to use the resources of any business microservice, the gateway receiving the resource request information and the authentication token and forwarding them to the permission-control microservice, the permission-control microservice completing resource authentication by analysing the authentication parameters in the resource request information and the authentication token, the resource request being released to the business microservice after authentication succeeds, and the business microservice executing the corresponding operation and returning the result to the client.
Existing authentication methods either cannot be applied to a variety of authentication scenarios, or introduce serious load and network overhead, or raise data security problems. Compared with the prior art, the invention has the following beneficial effects:
1. Permission control for multiple business microservices is completed through a single permission-control microservice, so no independent permission control system has to be developed for each business microservice, repeated development work is avoided, integration with external mechanisms is easy, the business microservices are not intruded upon, and permission management is logically decoupled from the business applications;
2. A standardized permission control interface is provided uniformly at the gateway layer, which facilitates unified management: permissions can be controlled simply by configuring the forwarding interface of a business microservice at the gateway, system configuration is flexible, and efficient, standard and centralized permission management is realized;
3. During access control, user attribute information is added on top of traditional role-based access control and an access control decision tree is designed, so that only users satisfying the logical operations of the access control decision tree obtain the corresponding user role and thereby the access permission. This greatly enriches the authorization modes, refines the granularity of resource access, realizes the principle of least privilege, ensures that data resources cannot be used or accessed illegally, and improves the security of permission management.
In a specific implementation, the present invention further provides a computer storage medium that may store a program which, when executed, may include some or all of the steps of each embodiment of the user-attribute-based microservice unified permission control method and system provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention may be implemented, in essence or in part, as a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disk, which includes several instructions that enable a computer device (a personal computer, a server, a network device or the like) to execute the method according to the embodiments or parts of the embodiments.
The same and similar parts among the various embodiments in this specification may be referred to each other. The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (8)

1. A user-attribute-based microservice unified permission control method, characterized by comprising the following steps:
step 1, storing user attribute information in advance through a permission-control microservice;
step 2, an administrator selecting an object to be authorized and the policy requirement corresponding to the object, the permission-control microservice establishing the access control policy of the object according to the object and its corresponding policy requirement, and storing the access control policy in a database to realize dynamic permission configuration;
step 3, when the gateway receives an identity authentication request sent by a client, forwarding the identity authentication request to the permission-control microservice, and the permission-control microservice, after verifying the user attribute information, generating a unique authentication token and returning it to the client;
step 4, when the client requests to use the resources of any business microservice, the gateway receiving the resource request information and the authentication token and forwarding them to the permission-control microservice, the permission-control microservice completing resource authentication by analysing the authentication parameters in the resource request information and the authentication token, the resource request being released to the business microservice after authentication succeeds, and the business microservice executing the corresponding operation and returning the result to the client;
wherein step 2 comprises the following steps:
step 2-1, the administrator selecting the object to be authorized and determining, according to the object and the operation type, the policy requirement corresponding to the object, where the policy requirement includes user attribute information and an access control decision tree; determining the user attribute information means determining the key attributes of the access control policy, and determining the access control decision tree means determining the decision mode of the access control policy;
determining the policy requirement corresponding to the object includes: after a user attribute list is obtained, selecting user attribute information from the user attribute list, specifying an access control decision tree, and applying to the permission-control microservice to create the access control policy;
the access control decision tree is a logical structure that represents logical operations between attributes as a tree, where the attributes are user attribute information, each attribute represents a specific feature of a user, and the logical operations between attributes include AND, OR and NOT;
the access control policy determines the mapping among user, role and permission through the user-to-role mapping and the role-to-resource mapping, that is, the access control policy is set on the basis of an RBAC model; the permission-control microservice is the implementation of the access control policy and adopts a distributed microservice and storage mode;
step 2-2, after the attribute value set corresponding to each specific feature of the user is substituted into the access control decision tree, the root node of the access control decision tree outputting a judgment result;
the judgment result is either true or false: true indicates that the user-to-role mapping in the access control policy can be enabled, and false indicates that it cannot;
step 2-3, the permission-control microservice creating the access control policy of the object, i.e. completing the storage of a user attribute table, the access control decision tree, a role table and a resource data table; the user attribute table contains users and their corresponding user attribute information, the role table contains user role information and unique user identifiers, and the resource data table contains resource information and permission information;
at the same time, determining the user-to-role mapping and the role-to-resource mapping through the access control policy and completing the resource permission configuration, which realizes dynamic permission configuration.
2. The user-attribute-based microservice unified permission control method as claimed in claim 1, wherein step 1 comprises:
the permission-control microservice encoding the user attribute information with an irreversible encryption algorithm and storing the encoded user attribute information in a relational database as a character string, where the irreversible encryption algorithm includes the MD5 algorithm and the SHA algorithm.
3. The user-attribute-based microservice unified permission control method as claimed in claim 1, wherein step 3 comprises:
step 3-1, when the client requests identity authentication, sending an identity authentication request to the gateway;
step 3-2, the gateway receiving the identity authentication request sent by the client, extracting the user attribute information from it and forwarding the user attribute information to the permission-control microservice;
step 3-3, the permission-control microservice comparing the user attribute information with the user attribute information in the database and, if it is confirmed to be correct, generating a unique authentication token;
step 3-4, the permission-control microservice returning the unique authentication token to the client.
4. The user-attribute-based microservice unified permission control method as claimed in claim 1, wherein step 4 comprises:
step 4-1, when the client requests to use the resources of any business microservice, the gateway receiving the authentication token and resource request information sent by the client and sending them to the permission-control microservice;
step 4-2, the permission-control microservice receiving the authentication token and resource request information sent by the gateway and extracting the authentication parameters;
step 4-3, the permission-control microservice analysing the authentication parameters, querying the access control policy list matching the business microservice and performing resource authentication, i.e. determining whether the resources required in the resource request information are consistent with the resources listed in that access control policy list in the database;
step 4-4, if resource authentication succeeds, the permission-control microservice releasing the resource request to the business microservice, and the business microservice executing the operation corresponding to the resource request information and returning the execution result to the client.
5. A user-attribute-based microservice unified permission control system, the system comprising:
an information storage module, used to store user attribute information in advance through a permission-control microservice;
a resource configuration module, used by an administrator to select an object to be authorized and the policy requirement corresponding to the object, to establish the access control policy of the object through the permission-control microservice according to the object and its corresponding policy requirement, and to store the access control policy in a database to realize dynamic permission configuration;
an identity authentication module, used to forward an identity authentication request to the permission-control microservice when the gateway receives the identity authentication request sent by a client, and, after the permission-control microservice verifies the user attribute information, to generate a unique authentication token and return it to the client;
a resource authentication module, used, when the client requests to use the resources of any business microservice, for the gateway to receive the resource request information and the authentication token and forward them to the permission-control microservice, the permission-control microservice completing resource authentication by analysing the authentication parameters in the resource request information and the authentication token, the resource request being released to the business microservice after authentication succeeds, and the business microservice executing the corresponding operation and returning the result to the client;
wherein the resource configuration module comprises:
a requirement determining unit, a relationship judgment unit and a policy creating unit, where the requirement determining unit is used by the administrator to select the object that needs authorization and to determine, from the object and the operation type, the policy requirement corresponding to the object; the policy requirement includes user attribute information and an access control decision tree; determining the user attribute information means determining the key attributes of the access control policy, and determining the access control decision tree means determining the decision mode of the access control policy;
determining the policy requirement corresponding to the object includes: after a user attribute list is obtained, selecting user attribute information from the user attribute list, specifying an access control decision tree, and applying to the permission-control microservice to create the access control policy;
the access control decision tree is a logical structure that represents logical operations between attributes as a tree, where the attributes are user attribute information, each attribute represents a specific feature of a user, and the logical operations between attributes include AND, OR and NOT;
the access control policy determines the mapping among user, role and permission through the user-to-role mapping and the role-to-resource mapping, that is, the access control policy is set on the basis of an RBAC model; the permission-control microservice is the implementation of the access control policy and adopts a distributed microservice and storage mode;
the relationship judgment unit substitutes the attribute value set corresponding to each specific feature of the user into the access control decision tree, after which the root node of the access control decision tree outputs a judgment result;
the judgment result is either true or false: true indicates that the user-to-role mapping in the access control policy can be enabled, and false indicates that it cannot;
the policy creating unit creates, through the permission-control microservice, the access control policy of the object, i.e. completes the storage of a user attribute table, the access control decision tree, a role table and a resource data table; the user attribute table contains users and their corresponding user attribute information, the role table contains user role information and unique user identifiers, and the resource data table contains resource information and permission information;
at the same time, the user-to-role mapping and the role-to-resource mapping are determined through the access control policy and the resource permission configuration is completed, which realizes dynamic permission configuration.
6. The user-attribute-based microservice unified permission control system as claimed in claim 5, wherein the information storage module comprises:
an information encoding unit, by which the permission-control microservice encodes the user attribute information with an irreversible encryption algorithm and stores the encoded user attribute information in a relational database as a character string, where the irreversible encryption algorithm includes the MD5 algorithm and the SHA algorithm.
7. The user-attribute-based microservice unified permission control system as claimed in claim 5, wherein the identity authentication module comprises:
a request sending unit, configured to send an identity authentication request to the gateway when the client requests identity authentication;
an information extraction unit, by which the gateway receives the identity authentication request sent by the client, extracts the user attribute information from it and forwards the user attribute information to the permission-control microservice;
a token generation unit, by which the permission-control microservice compares the user attribute information with the user attribute information in the database and, if it is confirmed to be correct, generates a unique authentication token;
a token returning unit, by which the permission-control microservice returns the unique authentication token to the client.
8. The system as claimed in claim 5, wherein the resource authentication module comprises:
a resource request unit, by which, when the client requests to use the resources of any business microservice, the gateway receives the authentication token and resource request information sent by the client and sends them to the permission-control microservice;
a parameter extraction unit, by which the permission-control microservice receives the authentication token and resource request information sent by the gateway and extracts the authentication parameters;
a resource authentication unit, by which the permission-control microservice analyses the authentication parameters, queries the access control policy list matching the business microservice and performs resource authentication, i.e. determines whether the resources required in the resource request information are consistent with the resources listed in that access control policy list in the database;
a resource releasing unit, by which, when resource authentication succeeds, the permission-control microservice releases the resource request to the business microservice, and the business microservice executes the operation corresponding to the resource request information and returns the execution result to the client.
CN202110428593.1A 2021-04-21 2021-04-21 Micro-service unified authority control method and system based on user attributes Active CN113098695B (en)


Publications (2)

Publication Number Publication Date
CN113098695A CN113098695A (en) 2021-07-09
CN113098695B true CN113098695B (en) 2022-05-03

Family

ID=76679333


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant