CN113742714A - Method, device and apparatus for managing access between microservices and storage medium - Google Patents


Info

Publication number: CN113742714A
Application number: CN202110867897.8A
Authority: CN (China)
Prior art keywords: service component, micro, component, token, authority
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 罗海龙
Current assignee: Shenzhen Sinosun Technology Co ltd
Original assignee: Shenzhen Sinosun Technology Co ltd
Application filed by Shenzhen Sinosun Technology Co ltd
Priority to CN202110867897.8A
Publication of CN113742714A

Classifications

    • G06F21/52 (Physics; Computing; Electric digital data processing; Security arrangements) Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/1014 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM], by binding digital rights to specific entities, to tokens
    • G06F21/45 Authentication, i.e. establishing the identity or authorisation of security principals: structures or tools for the administration of authentication
    • G06F2221/2141 Indexing scheme relating to security arrangements: access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a method for managing access between microservices, which comprises the following steps: receiving, by a Keycloak component in a server, a target microservice component access request sent by a first microservice component, wherein the access request comprises a temporary permission token and a target microservice component interface address; verifying, by using the Keycloak component, whether the first microservice component has permission to access the target microservice component, based on the temporary permission token and the target microservice component interface address; and if it has the permission, connecting the first microservice component to the target microservice component based on the interface address of the target microservice component. In addition, the invention also discloses a microservice access management device, equipment and a storage medium. Because the access management method is completed in a third-party dependency package component, the invention reduces the mutual interference between access management and business code, and improves the reliability of microservice access management for the user.

Description

Method, device and apparatus for managing access between microservices and storage medium
Technical Field
The invention relates to the field of permission management, in particular to a method, equipment, device and storage medium for managing access between microservices based on Keycloak.
Background
The microservice architecture is currently a mainstream system architecture; the advantages of microservices, such as decoupling, independent deployment, higher availability and elasticity, are widely pursued by companies, but a series of problems also arise, one of which is access permission control between services. Usually, a company only enforces access control on microservices in a public cloud that access a private cloud; common means are signing and signature verification, adding a blacklist, and storing a defined policy in a database together with appropriate code modification. To solve this problem, a Keycloak-based role control method is introduced to perform interface-level access control on microservices.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The main purpose of the invention is to provide a method, equipment, device and storage medium for managing access between microservices, aiming to solve the technical problem in the prior art that access permission management and control intrude to some degree into business code.
In order to achieve the above object, the invention provides a method for managing access between microservices, used in a server, wherein the server comprises a Keycloak component, and the method comprises the following steps:
receiving a target microservice component access request sent by a first microservice component, wherein the access request comprises a temporary permission token and a target microservice component interface address;
verifying, by using the Keycloak component, whether the first microservice component has permission to access the target microservice component, based on the temporary permission token and the target microservice component interface address;
and if it has the permission, connecting the first microservice component to the target microservice component based on the interface address of the target microservice component.
Optionally, before the step of receiving the target microservice component access request sent by the first microservice component, the method further includes:
receiving a permission token generation request sent by the first microservice component;
generating a temporary permission token corresponding to the first microservice component by using the Keycloak component, based on the generation request;
and sending the temporary permission token to the first microservice component.
Optionally, the generation request includes the interface address of the first microservice component, the server includes a configuration file corresponding to the Keycloak component, and the configuration file includes a binding table of roles and interface permissions and a table of roles corresponding to interface addresses;
the step of generating the temporary permission token corresponding to the first microservice component by using the Keycloak component based on the generation request comprises the following steps:
determining the role of the first microservice component based on the interface address of the first microservice component and the table of roles corresponding to interface addresses;
acquiring the interface permissions corresponding to the first microservice component based on the role and the binding table of roles and interface permissions;
and generating the temporary permission token based on the interface permissions.
Optionally, the step of verifying, by using the Keycloak component, whether the first microservice component has permission to access the target microservice component based on the permission token and the target microservice component address specifically includes:
determining the role of the target microservice component based on the interface address of the target microservice component and the table of roles corresponding to interface addresses;
acquiring the interface permissions corresponding to the target microservice component based on the role and the binding table of roles and interface permissions;
judging whether the permissions of the first microservice component carried in the temporary permission token match the permissions of the target microservice component interface;
if so, judging that the first microservice component has permission to access the target microservice component;
and if not, judging that the first microservice component has no permission to access the target microservice component, and sending no-permission information to the first microservice component.
Optionally, before the step of receiving the permission token generation request sent by the first microservice component, the method further includes:
configuring the binding table of roles and interface permissions and the table of roles corresponding to interface addresses;
generating the configuration file based on the binding table of roles and interface permissions and the table of roles corresponding to interface addresses;
and loading the configuration file when the Keycloak component is started.
Optionally, the temporary permission token comprises a validity time limit;
before the step of verifying, by using the Keycloak component based on the configuration file, whether the first microservice component has permission to access the target microservice component based on the permission token and the target microservice component address, the method further comprises the following steps:
judging whether the temporary permission token is invalid based on the actual time of the temporary permission token and the validity time limit;
if the actual time does not exceed the validity time limit, judging that the token is not invalid, and executing the step of verifying, by using the Keycloak component, whether the first microservice component has permission to access the target microservice component based on the permission token and the target microservice component address.
In addition, to achieve the above object, the invention provides a microservice access management apparatus for a server including a Keycloak component, the apparatus comprising:
a request receiving module, used for receiving a target microservice component access request sent by a first microservice component, wherein the access request comprises a temporary permission token and a target microservice component interface address;
a permission checking module, used for checking whether the first microservice component has permission to access the target microservice component by using the Keycloak component, based on the temporary permission token and the target microservice component interface address.
Optionally, the apparatus further comprises:
the request receiving module, further configured to receive a permission token generation request sent by the first microservice component;
a token generation module, used for generating a temporary permission token corresponding to the first microservice component by using the Keycloak component, based on the generation request;
and a token sending module, used for sending the temporary permission token to the first microservice component.
In addition, to achieve the above object, the invention further provides an inter-microservice access management apparatus, including: a memory, a processor, and an inter-microservice access management program stored on the memory and runnable on the processor, wherein the inter-microservice access management program implements the steps of the above inter-microservice access management method when executed by the processor.
In addition, to achieve the above object, the invention also provides a computer-readable storage medium having an inter-microservice access management program stored thereon, where the inter-microservice access management program, when executed by a processor, implements the steps of the above inter-microservice access management method.
The method for managing access between microservices provided by the embodiment of the invention is used in a server, and the Keycloak component in the server is used for receiving a target microservice component access request sent by a first microservice component, wherein the access request comprises a temporary permission token and a target microservice component interface address; verifying, by using the Keycloak component, whether the first microservice component has permission to access the target microservice component based on the temporary permission token and the target microservice component interface address; and if it has the permission, connecting the first microservice component to the target microservice component based on the interface address of the target microservice component. Because the permission management method is completed in a third-party dependency package component, the invention reduces the mutual interference between permission management and business code, and improves the reliability of microservice access management for the user.
Drawings
FIG. 1 is a schematic diagram of a server in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for managing and controlling permissions between microservices according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for managing and controlling permissions between microservices according to a second embodiment of the present invention;
FIG. 4 is a detailed flowchart of the step S30 in FIG. 2 according to the present invention;
FIG. 5 is a flowchart illustrating a detailed process of step S102 in FIG. 3 according to the present invention;
FIG. 6 is a functional block diagram of a device for managing and controlling permissions among microservices according to a first embodiment of the present invention;
FIG. 7 is a functional block diagram of a device for managing rights between microservices according to a second embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the descriptions relating to "first", "second", etc. in the present invention are for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
The main solution of the embodiment of the invention is as follows: receiving, by a Keycloak component in the server, a target microservice component access request sent by a first microservice component, wherein the access request comprises a temporary permission token and a target microservice component interface address; verifying, by using the Keycloak component, whether the first microservice component has permission to access the target microservice component based on the temporary permission token and the target microservice component interface address; and if it has the permission, connecting the first microservice component to the target microservice component based on the interface address of the target microservice component.
In the prior art, methods for controlling permissions between microservices either control at too coarse a granularity or cause a certain intrusion into the business code.
The invention provides a solution that brings permission management and control to the interface level, so that the granularity of control is finer while intrusion into the business code is avoided.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a server in a hardware operating environment according to an embodiment of the present invention.
The server of the embodiment of the invention is a server with a Keycloak component.
Typically, the server comprises: at least one processor 301, a memory 302, and an inter-microservice rights management program stored on the memory and operable on the processor.
The processor 301 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and so on. The processor 301 may be implemented in at least one hardware form of a DSP (Digital Signal Processor), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 301 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, also called a Central Processing Unit (CPU), and the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 301 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the display screen. The processor 301 may further include an AI (Artificial Intelligence) processor configured to process operations related to inter-microservice permission management and control, so that a model of the inter-microservice permission management and control method can be trained and learned autonomously, improving efficiency and accuracy.
Memory 302 may include one or more computer-readable storage media, which may be non-transitory. Memory 302 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 302 is used to store at least one instruction for execution by processor 301 to implement a method of inter-microservice rights management provided by method embodiments herein.
In some embodiments, the server may further optionally include: a communication interface 303 and at least one peripheral device. The processor 301, the memory 302 and the communication interface 303 may be connected by a bus or signal lines. Various peripheral devices may be connected to communication interface 303 via a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 304, a display screen 305, and a power source 306.
The communication interface 303 may be used to connect at least one peripheral device related to I/O (Input/Output) to the processor 301 and the memory 302. In some embodiments, processor 301, memory 302, and communication interface 303 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 301, the memory 302 and the communication interface 303 may be implemented on a single chip or circuit board, which is not limited in this embodiment.
The radio frequency circuit 304 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuit 304 communicates with communication networks and other communication devices via electromagnetic signals; it converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 304 comprises an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuit 304 may communicate with other devices via at least one wireless communication protocol, including but not limited to metropolitan area networks, mobile communication networks of various generations (2G, 3G, 4G and 5G), wireless local area networks and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 304 may further include Bluetooth and NFC (Near Field Communication) related circuitry, which is not limited in this application.
The display screen 305 is used to display a UI (User Interface). The UI may include graphics, text, icons, video and any combination thereof. When the display screen 305 is a touch display screen, it also has the ability to capture touch signals on or over its surface; the touch signal may be input to the processor 301 as a control signal for processing, and the display screen 305 may then also provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments there may be one display screen 305, provided on the front panel of the electronic device; in other embodiments there may be at least two display screens 305, respectively disposed on different surfaces of the electronic device or in a folded design; in still other embodiments the display screen 305 may be a flexible display screen disposed on a curved or folded surface of the electronic device. The display screen 305 may even be arranged in a non-rectangular irregular shape, i.e. a shaped screen. The display screen 305 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), and the like.
The power supply 306 is used to power various components in the electronic device. The power source 306 may be alternating current, direct current, disposable or rechargeable. When the power source 306 includes a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
Those skilled in the art will appreciate that the architecture shown in FIG. 1 does not constitute a limitation of a server, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
Based on the above hardware structure, the invention provides an embodiment of a method for managing and controlling permissions between microservices.
Referring to fig. 2, fig. 2 is a schematic flow chart of a method for managing and controlling permissions among microservices, where the method for managing and controlling permissions among microservices provided by the embodiment of the present invention is applied to a server, and includes the following steps:
step S20, receiving a target micro service component access request sent by a first micro service component, where the access request includes a temporary permission token and the target micro service component interface address.
In particular implementations, the first microservice component sends the access request to the server in a variety of forms, including but not limited to: Bluetooth, wired networks, wireless networks, etc.
It should be noted that microservice is a software development technique, a variant of the Service Oriented Architecture (SOA) architectural style, which constructs applications as a set of loosely coupled services. In the microservice architecture, services are fine-grained and protocols are lightweight. In one microservice architecture, a plurality of microservice components are included. The first micro service component initiates the interaction request when a plurality of micro service components need to interact, and the target micro service component receives the interaction request when the plurality of micro service components need to interact.
Meanwhile, each microservice component corresponds to a temporary permission token. A token is a string of characters generated by the server that serves as a credential for requests from the first microservice component: after the first login, the server issues a token string for the subsequent requests of the first microservice component; the first microservice component only needs to carry the token, and the server then knows which microservice component initiated the access.
As an embodiment, in order for the first micro service component to obtain the authority token, referring to fig. 3, before step S20, the method further includes:
step S101, receiving an authority token generation request sent by the first micro service component;
step S102, based on the generation request, generating a temporary permission token corresponding to the first microservice component by using the Keycloak component;
It should be noted that Keycloak is an open-source IAM (identity and access management) solution for applications and services. It provides single sign-on (SSO), supports the OpenID Connect, OAuth 2.0 and SAML 2.0 standard protocols, has a simple and easy-to-use management console, and provides support for LDAP, Active Directory and social account login such as GitHub and Google, so that it can be used out of the box with very little effort. Isolation of different interface permissions is achieved by deploying a Keycloak component in the server.
And step S103, sending the temporary permission token to the first micro-service component.
It is to be understood that the manner of sending the temporary permission token to the first microservice component includes, but is not limited to: bluetooth, wired networks, wireless networks, etc.
And step S30, based on the temporary permission token and the target microservice component interface address, using the Keycloak component to check whether the first microservice component has permission to access the target microservice component.
The microservice architecture includes a plurality of microservice components, and each microservice component includes a corresponding interface; each interface corresponds to an interface address. The corresponding microservice component is determined by the microservice interface address, which is how the target microservice component to be accessed is identified within the architecture. For example, if the architecture includes four microservice components and the first microservice component needs to access the second, the second microservice component can be quickly identified as the component to be accessed by the interface address of the second microservice component.
As an embodiment, the third-party dependency package includes a configuration file corresponding to the Keycloak component, and the configuration file includes a binding table of roles and interface permissions and a table of roles corresponding to interface addresses. Before step S101, the method further includes: configuring the binding table of roles and interface permissions and the table of roles corresponding to interface addresses; generating the configuration file based on the binding table of roles and interface permissions and the table of roles corresponding to interface addresses; and loading the configuration file when the Keycloak component is started.
It should be noted that the third-party dependency package is a third-party JAR package. In the software field, a JAR file (Java Archive) is a package file format generally used to aggregate a large number of Java class files, related metadata and resource files (text, pictures, etc.) into one file in order to distribute Java platform application software or libraries. An executable JAR file is a self-contained Java application stored in a specially configured JAR file that can be executed directly by the JVM without extracting files or setting the class path in advance. To run an application stored in a non-executable JAR, it must be added to the class path and the main class of the application called by name; with an executable JAR file the application can be run without extracting it or knowing the main entry point, which facilitates the release and execution of Java applications. In this embodiment, the third-party dependency package is the third-party JAR package corresponding to the Keycloak component.
Further, the temporary authority token generation process includes an effective time limit, where it is to be noted that the effective time limit is an expiration time of the token, and whether the token is invalid can be determined by comparing the effective time limit of the temporary authority token with the current time, for example, when the effective time limit of the temporary authority token is 25/7/2021, and when the current time is 12/7/26/2021, it is determined that the temporary authority token is invalid, and if the effective time limit of the temporary authority token is 13/7/26/2021, it is determined that the temporary authority token is valid.
As another embodiment, before step S30, the method further includes determining whether the temporary permission token is invalid based on the actual time of the temporary permission token and the validity time limit; if the actual time does not exceed the effective time limit, judging that the time is not invalid, and executing the following steps: and S40. And if the actual time exceeds the valid time limit, judging that the token is invalid, and sending token invalidation information to the client so that the client executes the steps S101-S103. It should be noted that the verification process is performed by the keylock component in the server.
In addition, in order to reduce the interaction flow and improve the efficiency of authority management, another embodiment is provided in which the client periodically checks the validity of the token and, after the token becomes invalid, performs the above steps S101 to S103. For example, the client performs a validity check on the temporary authority token every hour, and after the temporary authority token expires, the client retransmits the token generation instruction to the server.
And step S40, accessing the first micro service component to the target micro service component based on the interface address of the target micro service component.
In this embodiment, after access is allowed, the first microservice component communicates with the target microservice component through the server.
The embodiment provides a method for managing authority among micro services, which comprises the steps that a server comprising a keylock component receives an access request for a target micro service component sent by a first micro service component, wherein the access request comprises a temporary authority token and an interface address of the target micro service component; based on the temporary permission token and the target micro-service component interface address, verifying whether the first micro-service component has permission to access the target micro-service component by using the keylock component; and if the authority exists, accessing the first micro service component to the target micro service component based on the interface address of the target micro service component. Because the authority management method is completed inside the three-party dependent package component, mutual interference between authority management and service code is reduced, and the reliability of micro service access management for the user is improved.
Further, a second embodiment of the present invention is proposed based on the first embodiment, and referring to fig. 4, fig. 4 is a schematic flow chart of another embodiment of the present application, and the difference between the second embodiment and the first embodiment is that step S30 includes:
step S301, determining the role of the target micro-service component based on the interface address of the target micro-service component and the role table corresponding to the interface address;
It should be noted that the server includes a configuration file corresponding to the keylock component. A configuration file is a computer file that configures parameters and initial settings for a computer program; in this embodiment, the configuration file mainly includes a role and interface permission binding table and a role table corresponding to interface addresses.
In a specific implementation process, a correspondence is established between interface addresses and roles, and the roles are bound to interface permissions. Specifically, the roles include realm roles (domain roles) and client roles. An independent realm role is established for each micro service system; each independent micro service component in the system correspondingly creates a client and the client role corresponding to that client. The domain role of the micro service system's corresponding domain is allocated to those micro service components in the same micro service system that do not need to be isolated independently, and the client role corresponding to a client is allocated to other micro service components that only need to access the micro service component corresponding to that client. It can be understood that multiple microservice components may correspond to the same role, and the same microservice component may also correspond to multiple roles; for example, a first microservice component of a first microservice system may have the domain role of the first microservice system and may also have the client role corresponding to a second microservice component in a second microservice system. It should be noted that, because different micro service components are distinguished by their interface addresses, a role is bound to a micro service component by the interface address of that micro service component.
Step S302, acquiring an interface authority corresponding to the target micro-service component based on the role and interface authority binding relation table;
In a specific implementation process, after the role corresponding to each micro service component is set, a corresponding authority is assigned to each role. Specifically, a domain role is granted the authority to access the other micro service components that hold a domain role in the domain corresponding to the same micro service system; for example, a first micro service system corresponds to a first domain, a first micro service component in the first micro service system corresponds to the domain role of the first domain, and the first micro service component therefore has authority to access the interfaces of other micro service components holding the domain role in the first domain. Further, a client role is granted the authority to access only the client corresponding to that client role; for example, if the role of the first micro service component in the first micro service system includes the client role corresponding to a second micro service component in a second micro service system, the first microservice component has permission to access the second microservice component.
Step S303, judging whether the authority of the first micro service component in the temporary authority token is matched with the authority of the interface of the target micro service component.
It should be noted that the temporary permission token includes the role permissions corresponding to the first micro service component; it is determined whether those roles include a role permission corresponding to the target micro service component, and if so, the permission of the first micro service component is judged to match the target micro service component.
If so, judging that the first micro-service component has the authority to access the target micro-service component and executing the step S40;
and if not, judging that the first micro service component has no authority to access the target micro service component, and sending no-authority information to the first micro service component.
Further, a third embodiment of the present invention is proposed based on the first embodiment, and the third embodiment is different from the first and/or second embodiments in that, referring to fig. 5, fig. 5 is a schematic flow chart of the third embodiment of the present application, and the step S102 includes:
S1021, determining the role of the first micro-service component based on the interface address of the first micro-service component and the role table corresponding to the interface address;
S1022, acquiring the interface authority corresponding to the first micro service component based on the role and interface authority binding relation table;
S1023, generating the temporary permission token based on the interface permission.
It should be noted that the method of this embodiment is only a specific execution process of the step of generating the temporary permission token corresponding to the first micro service component by using the keylock component based on the generation request in the method of the foregoing embodiment, and an execution principle and a corresponding implementation of the method may refer to an execution process of the step of verifying whether the first micro service component has the permission to access the target micro service component by using the keylock component based on the temporary permission token and the target micro service component interface address in the foregoing embodiment, which is not described herein again.
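The following is an added example, not code from the patent or its applicant, that puts the pieces described above into one runnable component: the configuration file with a role table keyed by interface address and a role-to-interface-permission binding table, token generation S1021 to S1023, the expiry pre-check on the effective time limit, and the verification steps S301 to S303. The page describes the keylock component as a Java JAR package; this sketch is in Python for brevity. Everything that the page does not fix is an assumption here: the token is an HMAC-SHA256-signed JSON payload, interface addresses are URL paths, the configuration is an in-memory dict, and all addresses, role names and the secret are invented.

```python
"""Keylock-style inter-microservice access check (added example, not the
patent's code). Assumptions not taken from the page: the temporary permission
token is an HMAC-SHA256-signed JSON payload, interface addresses are URL
paths, and the configuration file is represented by an in-memory dict."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the keylock configuration file. Addresses, role
# names and the secret used below are invented for this example.
# Realm (domain) roles are shared by all components of one microservice system;
# a client role is held by a component that may only reach one specific client.
CONFIG = {
    # role table keyed by interface address (S1021 / S301)
    "role_table": {
        "/shop/order":     ["realm:shop"],
        "/shop/inventory": ["realm:shop"],
        "/shop/report":    ["realm:shop", "client:ledger"],
        "/finance/ledger": ["realm:finance"],
    },
    # role-to-interface-permission binding table (S1022 / S302)
    "permission_table": {
        "realm:shop":    ["/shop/order", "/shop/inventory", "/shop/report"],
        "realm:finance": ["/finance/ledger"],
        "client:ledger": ["/finance/ledger"],
    },
}


class Keylock:
    """Server-side permission component: issues temporary tokens and checks access."""

    def __init__(self, config, secret, ttl_seconds=3600, clock=time.time):
        self.role_table = config["role_table"]
        self.permission_table = config["permission_table"]
        self.secret = secret      # HMAC key (assumption; the page fixes no token format)
        self.ttl = ttl_seconds    # effective time limit applied to new tokens
        self.clock = clock        # injectable so expiry can be tested deterministically

    def roles_for(self, address):
        """S1021 / S301: interface address -> roles bound to that component."""
        return list(self.role_table.get(address, []))

    def granting_roles(self, target_address):
        """S302: roles whose interface permission includes the target address."""
        return {r for r, addrs in self.permission_table.items() if target_address in addrs}

    def generate_token(self, caller_address):
        """S1021-S1023: look up the caller's roles and issue a signed token with expiry."""
        roles = self.roles_for(caller_address)
        if not roles:
            raise PermissionError(f"no role configured for {caller_address}")
        payload = {"sub": caller_address, "roles": roles,
                   "exp": int(self.clock()) + self.ttl}
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
        sig = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def _decode(self, token):
        """Return the payload only if the signature verifies; otherwise None."""
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not body or not hmac.compare_digest(sig, expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

    def check_access(self, token, target_address):
        """Step S30 with the expiry pre-check: 'ok', 'token_invalid' or 'no_permission'."""
        payload = self._decode(token)
        if payload is None:
            return "token_invalid"      # forged or corrupted token
        if self.clock() > payload["exp"]:
            return "token_invalid"      # actual time exceeds the effective time limit
        if not self.roles_for(target_address):
            return "no_permission"      # S301: target is not a configured component
        # S303: caller's roles carried in the token vs. roles that may reach the target
        if set(payload["roles"]) & self.granting_roles(target_address):
            return "ok"                 # proceed to S40
        return "no_permission"          # send no-permission information to the caller


if __name__ == "__main__":
    kl = Keylock(CONFIG, b"constructed-demo-secret")
    tok = kl.generate_token("/shop/report")
    print(kl.check_access(tok, "/finance/ledger"))   # reachable through the client role
    print(kl.check_access(tok, "/shop/order"))       # reachable through the realm role
```

The signature check runs before any field of the token is read, so an expired or forged token is rejected with the same `token_invalid` result that the page describes as the trigger for the client to repeat S101 to S103, while a valid token for a caller whose roles do not reach the target yields `no_permission`.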
It can be understood that, in the above microservice architecture, one microservice component includes a plurality of service function modules, each function module corresponds to one interface, in other embodiments, when the function modules between the microservice components are mutually invoked, the corresponding module interface addresses need to be read, and the method for controlling permissions among microservice components may also be used for controlling permissions for mutual invocation among the function modules in the microservice component.
Further, as another embodiment, the execution steps of the inter-microservice permission management and control method in the foregoing embodiment may also be used in a conventional C/S model (client-server model), for example, a client accesses a server, and the present invention is not limited in particular.
Referring to fig. 6, fig. 6 is a block diagram of a first embodiment of an inter-microservice access management apparatus according to an embodiment of the present invention, and based on the embodiment described in fig. 2, the apparatus includes:
the request receiving module is used for receiving a target micro service component access request sent by a first micro service component, wherein the access request comprises a temporary permission token and a target micro service component interface address;
the permission checking module is used for checking whether the first micro service component has permission to access the target micro service component by utilizing the keylock component based on the temporary permission token and the target micro service component interface address.
It should be noted that, each module in the apparatus of this embodiment correspondingly executes the method steps in the foregoing embodiment, and therefore, the implementation manner thereof may refer to the foregoing embodiment, which is not described herein again.
It should be understood that the above is only an example, and the technical solution of the present invention is not limited in any way, and those skilled in the art can set the technical solution based on the needs in practical application, and the technical solution is not limited herein.
Referring to fig. 7, fig. 7 is a block diagram of a second embodiment of an inter-microservice access management apparatus according to an embodiment of the present invention, and based on the embodiment shown in fig. 3, the apparatus includes:
the request receiving module is further configured to receive an authority token generation request sent by the first micro service component;
the token generation module is used for generating a temporary permission token corresponding to the first micro service component by utilizing the keylock component based on the generation request;
and the token sending module is used for sending the temporary permission token to the first micro-service component.
It should be noted that, each module in the apparatus of this embodiment correspondingly executes the method steps in the foregoing embodiment, and therefore, the implementation manner thereof may refer to the foregoing embodiment, which is not described herein again.
It should be understood that the above is only an example, and the technical solution of the present invention is not limited in any way, and those skilled in the art can set the technical solution based on the needs in practical application, and the technical solution is not limited herein.
In addition, to achieve the above object, the present invention further provides a computer readable storage medium having a micro-service access management program stored thereon, where the micro-service access management program, when executed by a processor, implements the steps of the inter-micro-service access management method according to the foregoing method embodiment; a detailed description is therefore omitted, and the beneficial effects, which are the same as those of the method, are not described again. For technical details not disclosed in the embodiments of the computer-readable storage medium referred to in the present application, reference is made to the description of the method embodiments of the present application. By way of example, the program instructions may be deployed to be executed on one computing device, or on multiple computing devices at one site, or distributed across multiple sites and interconnected by a communication network.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A microservice access management method for a server, the server comprising a keylock component, the method comprising the steps of:
receiving a target micro service component access request sent by a first micro service component, wherein the access request comprises a temporary permission token and a target micro service component interface address;
based on the temporary permission token and the target micro-service component interface address, verifying whether the first micro-service component has permission to access the target micro-service component by using the keylock component;
and if the first micro-service component has the authority, accessing the first micro-service component to the target micro-service component based on the interface address of the target micro-service component.
2. The inter-microservice access management method of claim 1, wherein prior to the step of receiving the target microservice component access request sent by the first microservice component, the method further comprises:
Receiving a permission token generation request sent by the first micro service component;
generating a temporary permission token corresponding to the first micro service component by utilizing the keylock component based on the generation request;
and sending the temporary permission token to the first micro-service component.
3. The inter-microservice access management method of claim 2, wherein the generation request comprises the first microservice component interface address, the server comprises a configuration file corresponding to the keylock component, and the configuration file comprises a role-to-interface-rights binding table and a role table corresponding to an interface address;
based on the generation request, generating a temporary permission token corresponding to the first microservice component by using the keylock component, wherein the temporary permission token comprises:
determining the role of the first micro service component based on the interface address of the first micro service component and the role table corresponding to the interface address;
acquiring an interface authority corresponding to the first micro service component based on the role and interface authority binding relation table;
generating the temporary permission token based on the interface permission.
4. The inter-microservice access management method of claim 3, wherein the step of verifying, by the keylock component, whether the first microservice component has the right to access the target microservice component based on the rights token and the target microservice component address specifically comprises:
determining the role of the target micro-service component based on the interface address of the target micro-service component and the role table corresponding to the interface address;
acquiring the interface authority corresponding to the target micro-service component based on the role and the role-to-interface-authority binding relation table;
judging whether the authority of the first micro service component corresponding to the temporary authority token is matched with the authority of the target micro service component interface;
if so, judging that the first micro-service component has the authority to access the target micro-service component;
and if not, judging that the first micro service component has no authority to access the target micro service component, and sending no-authority information to the first micro service component.
5. The inter-microservice access management method of claim 4, wherein prior to the step of receiving the permission token generation request sent by the first microservice component, the method further comprises:
configuring a binding table of the roles and the interface authorities and a role table corresponding to the interface address;
generating a configuration file based on the binding table of the role and the interface authority and the role table corresponding to the interface address;
and loading the configuration file when the keylock component is started.
6. The inter-microservice access management method of claim 5, wherein the temporary entitlement token comprises a validity time limit;
the step of verifying whether the first micro service component has the right to access the target micro service component by using the keylock component based on the right token and the target micro service component address further comprises the following steps:
judging whether the temporary authority token is invalid or not based on the actual time of the temporary authority token and the effective time limit;
if the actual time does not exceed the effective time limit, judging that the time is not invalid, and executing the following steps: and based on the authority token and the target micro-service component address, verifying whether the first micro-service component has the authority to access the target micro-service component by using the keylock component.
7. A microservice access management apparatus, the apparatus being for use with a server, the server comprising a keylock component, the apparatus comprising:
the request receiving module is used for receiving a target micro service component access request sent by a first micro service component, wherein the access request comprises a temporary permission token and a target micro service component interface address;
and the permission checking module is used for checking whether the first micro service component has permission to access the target micro service component or not by utilizing the keylock component based on the temporary permission token and the interface address of the target micro service component.
8. The inter-microservice access management apparatus of claim 7, wherein the apparatus further comprises:
the request receiving module is further configured to receive an authority token generation request sent by the first micro service component;
the token generation module is used for generating a temporary permission token corresponding to the first micro service component by utilizing the keylock component based on the generation request;
and the token sending module is used for sending the temporary permission token to the first micro-service component.
9. An inter-microservice access management device, the device comprising: a memory, a processor and an inter-microservice access management program stored on the memory and executable on the processor, the inter-microservice access management program when executed by the processor implementing the steps of the inter-microservice access management method according to any of claims 1 to 8.
10. A computer-readable storage medium, having stored thereon an inter-microservice access management program, which when executed by a processor, performs the steps of the inter-microservice access management method according to any one of claims 1 to 8.
Application CN202110867897.8A, priority date 2021-07-28, filing date 2021-07-28: Method, device and apparatus for managing access between microservices and storage medium. Status: Pending. Publication: CN113742714A (en).


Publications (1)

Publication number CN113742714A, publication date 2021-12-03.



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination