CN117290871A - Micro-service product authentication method, device, equipment and readable storage medium - Google Patents


Info

Publication number
CN117290871A
Authority
CN
China
Prior art keywords
micro
service product
authentication
iam
authenticated
Prior art date
Legal status
Pending
Application number
CN202311316799.0A
Other languages
Chinese (zh)
Inventor
谢文倩
黄启庆
于沈课
安晓博
尹萍
Current Assignee
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd

Classifications

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The invention discloses a micro-service product authentication method, device, equipment and readable storage medium in the field of computer technology. The method comprises: obtaining a micro-service product to be authenticated; adding an iam-gateway component to the pod of that micro-service product; acquiring the authentication metadata corresponding to the product from a database; and authenticating the micro-service product with the iam-gateway component according to the authentication metadata. Because the iam-gateway component is added to the product's own pod and performs the authentication there, the authentication logic is far less invasive to the product code, each micro-service product can be given its own authentication configuration, and authority control can be enforced inside the product service rather than only at a unified edge gateway.

Description

Micro-service product authentication method, device, equipment and readable storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for authenticating a micro-service product.
Background
The micro-service architecture is a development trend in IT (information technology) service governance. The usual way to authenticate in a micro-service gateway is to develop a shared dependency package that every product on the platform must reference and use to enforce authority control. This approach is highly invasive to the service product code, and it easily leads to products referencing different versions of the dependency package and therefore applying different authentication logic. In addition, micro-service products are usually fully independent and may use different programming languages and databases, so several authentication dependency packages have to be developed, one per language, which increases the developers' workload. Finally, whenever the authentication function changes, all of those packages must be modified at the same time, which is cumbersome.
To reduce the complexity of the authentication function, a unified authentication service may be used instead: the authentication function is placed in the gateway, and the unified authentication gateway filters and forwards requests. While this approach reduces the invasiveness of the authentication function to the service product code, it cannot control interface calls inside the cluster. That is, once a request has passed the unified authentication gateway, it can be invoked freely between services and no further authority control is performed.
Existing micro-service product authentication therefore cannot both reduce the invasiveness of the authentication function to the service product code and enforce authority control inside the product service.
Disclosure of Invention
Accordingly, the present invention is directed to a method, apparatus, device and readable storage medium for authenticating a micro-service product, which solve the problem that prior-art micro-service product authentication cannot both enforce authority control inside the product service and reduce the invasiveness of the authentication function to the service product code.
In order to solve the technical problems, the invention provides a micro-service product authentication method, which comprises the following steps:
obtaining a micro-service product to be authenticated;
adding an iam-gateway component to the pod of the micro-service product to be authenticated;
acquiring authentication metadata corresponding to the micro-service product to be authenticated from a database;
authenticating the micro-service product according to the authentication metadata by using the iam-gateway component.
Optionally, the obtaining, from a database, authentication metadata corresponding to the micro-service product to be authenticated includes:
storing the authentication metadata in the database, the authentication metadata being defined for the micro-service product to be authenticated through the CRD (custom resource definition) function of Kubernetes;
and acquiring the authentication metadata from the database.
Optionally, after the storing the authentication metadata in the database, the method further includes:
caching the authentication metadata into a memory of the iam-gateway component in the micro service product Pod to be authenticated;
correspondingly, the acquiring the authentication metadata from the database comprises the following steps:
and acquiring the authentication metadata from the memory of the iam-gateway component.
Optionally, the method further comprises:
when the change of the authentication metadata in the database is monitored through the iam-gateway-operator service, the changed authentication metadata is cached in the memory of the iam-gateway component.
Optionally, the method further comprises:
when a version update occurs to the iam-gateway component, updating the iam-gateway component in the pod of the micro-service product to be authenticated by means of a public configuration or a site configuration.
Optionally, the authenticating the micro-service product by using the iam-gateway component according to the authentication metadata includes:
when authenticating the non-list type interface of the micro service product, authenticating the micro service product according to the authentication metadata by utilizing the iam-gateway component;
when the list type interface of the micro service product is authenticated, the iam-gateway component is used for acquiring user rights and sending the user rights to the micro service product to be authenticated, so that the micro service product screens a resource list according to the user rights, the screened resource is sent to the iam-gateway component, and the iam-gateway component is used for authenticating the micro service product according to the screened resource.
The invention also provides a micro-service product authentication device, which comprises:
the first acquisition module is used for acquiring the micro-service product to be authenticated;
an adding module for adding an iam-gateway component to the pod of the micro-service product to be authenticated;
the second acquisition module is used for acquiring authentication metadata corresponding to the micro-service product to be authenticated from a database;
and the authentication module is used for authenticating the micro-service product according to the authentication metadata by utilizing the iam-gateway component.
Optionally, the second obtaining module includes:
a storage unit, configured to store the authentication metadata in the database, the authentication metadata being defined for the micro-service product to be authenticated through the CRD (custom resource definition) function of Kubernetes;
and the acquisition unit is used for acquiring the authentication metadata from the database.
The invention also provides a micro-service product authentication device, comprising:
a memory for storing a computer program;
and the processor is used for realizing the micro-service product authentication method when executing the computer program.
The invention also provides a readable storage medium, wherein the readable storage medium stores computer executable instructions, and when the computer executable instructions are loaded and executed by a processor, the micro-service product authentication method is realized.
In the method, a micro-service product to be authenticated is obtained; an iam-gateway component is added to that product's pod; the authentication metadata corresponding to the product is acquired from a database; and the micro-service product is authenticated with the iam-gateway component according to that metadata. Because the iam-gateway component sits in the product's own pod and performs the authentication there, the invasiveness of authentication to the product code is reduced, each micro-service product can receive its own authentication configuration, and authority control can be enforced inside the product service.
In addition, the invention also provides a micro-service product authentication device, equipment and a readable storage medium, which also have the beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for authenticating a micro service product according to an embodiment of the present invention;
FIG. 2 is a diagram showing an example of CR variation in iam-gateway-operator processing according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an exemplary method for authenticating an ecs micro-service product according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a micro service product authentication device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a micro service product authentication device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Micro-service architecture is a trend in IT service governance. Micro-service products are generally completely independent and may use different programming languages and different databases. To control authority in a service product, a shared dependency package is developed, and every product on the platform must reference it and perform authority control as required. This approach is highly intrusive to the service product code and easily leads to products referencing different dependency packages and applying different authentication logic. In general, the larger the organization and the more platform components it has, the less feasible it is to require in-house developers to standardize on one development language; components may exist in Java (an object-oriented programming language), Go (a statically typed language), Python (a high-level scripting language that is interpreted, interactive and object-oriented), and so on. Consequently several sets of authentication dependency packages have to be developed, one per language. When the authentication function changes, all of those packages must be modified at the same time, and every service product application must upgrade its dependency. In practice, the dependency package versions used by the service product applications drift apart, and the authentication logic of the packages for different languages is not uniform.
When the security requirement level is higher and every interface of the platform must perform authentication at run time, a common scheme is to deploy a unified authentication service application and integrate an authentication dependency package into each service product application; the service product application sends an authentication request to the unified authentication service application, and the dependency package decides from the returned result whether the interface may be accessed.
In this scenario, to reduce the complexity of the authentication function, the general scheme is to use a unified authentication service: the authentication function is placed in the gateway, and the unified authentication gateway filters and forwards requests. This approach reduces the invasiveness of the authentication function to the service product code, but it cannot control interface calls inside the cluster. That is, once a request has passed the unified authentication gateway, it can be invoked freely between services and no further authority control is performed.
Existing micro-service product authentication therefore cannot both reduce the invasiveness of the authentication function to the service product code and enforce authority control inside the product service.
Referring to fig. 1, fig. 1 is a flowchart of a micro service product authentication method according to an embodiment of the invention. The method may include:
s101: and obtaining the micro-service product to be authenticated.
The embodiment obtains each micro-service product to be authenticated.
S102: iam-gateway components are added to the pod of the micro-service product to be authenticated.
Specifically, an iam-gateway component is added to the pod of each micro-service product to be authenticated and serves as the authentication gateway for that product. A Pod is a logical abstraction and the smallest unit that Kubernetes creates and manages; a Pod consists of one or more containers and can be understood as one application instance. Kubernetes, abbreviated K8s (the 8 stands for the eight letters "ubernete" between the K and the s), is an open-source system for managing containerized applications across multiple hosts in a cloud platform.
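As an added illustration (not from the patent), the following Deployment shows one way to place the iam-gateway container in the product's pod. Image names, ports, the product label and the environment variable names are assumptions. The Service targets only the sidecar's port and the product container binds only to loopback, so that a caller inside the cluster cannot reach the product while bypassing the sidecar, which is exactly the gap the background section attributes to edge-only gateways.

```yaml
# Added example, not the patent's manifest. Names, images, ports and labels are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ecs
  namespace: ecs
spec:
  replicas: 2
  selector:
    matchLabels: {app: ecs}
  template:
    metadata:
      labels:
        app: ecs
        iam.example.com/product: ecs     # assumed label by which iam-gateway-operator finds product pods
    spec:
      containers:
        - name: iam-gateway
          # the tag would normally come from the shared (public/site) configuration, see below
          image: registry.example.com/iam-gateway:1.4.0
          ports:
            - containerPort: 8080        # the only port the Service targets
          env:
            - name: UPSTREAM
              value: http://127.0.0.1:9090          # product container, same network namespace
            - name: IAM_CENTER_URL
              value: http://iam-center.iam.svc.cluster.local
        - name: ecs
          image: registry.example.com/ecs:2.3.1
          args: ["--listen=127.0.0.1:9090"]         # loopback only: unreachable except via the sidecar
---
apiVersion: v1
kind: Service
metadata:
  name: ecs
  namespace: ecs
spec:
  selector: {app: ecs}
  ports:
    - port: 80
      targetPort: 8080
```

If the product container listened on 0.0.0.0, any pod in the cluster could call it on port 9090 directly and the sidecar would never see the request; binding to loopback (or a NetworkPolicy that only admits traffic to 8080) is what makes the in-pod gateway enforceable.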
S103: and acquiring authentication metadata corresponding to the micro-service product to be authenticated from the database.
Because the application interfaces of each micro-service product differ, iam-gateway cannot know in advance which interfaces a service product exposes, nor whether a given interface is open to everyone, open to any logged-in user, or requires authentication against a specific resource. The authentication items of each micro-service product to be authenticated are therefore determined by acquiring that product's authentication metadata from the database.
Further, the obtaining the authentication metadata corresponding to the micro-service product to be authenticated from the database may include the following steps:
storing the authentication metadata in the database, the authentication metadata being defined for the micro-service product to be authenticated through the CRD (custom resource definition) function of Kubernetes; and acquiring the authentication metadata from the database.
Specifically, using the CRD (Custom Resource Definition) function of Kubernetes, the authentication metadata configuration of each micro-service product is collected and stored in a database, and the authentication metadata of each micro-service product to be authenticated is read from the database to determine that product's authentication items. A CRD lets a user define a new Kubernetes resource type, with a name and a schema, without any programming; the CRD itself is a built-in Kubernetes resource type that describes what the user-defined resource looks like. This embodiment does not limit the specific configuration. For example, the CRD may configure the access rights of URLs, where the rights configuration of each entry in the URL list mainly includes the following attributes:
(1) url: the access address of the interface. To ease batch configuration, Ant-style address patterns may be supported; when several urls match a request, the first one in list order takes precedence.
(2) method: the HTTP method of the interface, such as GET, POST, PUT or DELETE.
(3) urlType: the interface type, one of WHITE, LOGIN_ACCESS and RESOURCE. WHITE marks a whitelisted interface that is passed through without any authority control; LOGIN_ACCESS marks an interface that any logged-in user may access, so only the validity of the token is checked; RESOURCE marks an interface for which the permission on a specific resource must be checked, and when this type is configured the resource attribute content is placed in the header and passed to the service product back-end interface.
(4) resource: the location of the resource ID field in the interface when urlType = RESOURCE; it is passed to the backend. The field supports multiple resource instance IDs, joined with commas. iam-gateway pre-screens the resources and passes only the authenticated resource IDs to the service product.
(4.1) If the field is not configured, a default value is used. For an operation such as creating a resource, which cannot refer to a specific resource instance and is authorized on the operation alone, the field may be left unconfigured, and it is filled with the default value automatically when the request is forwarded.
(4.2) If the ID is a field in the request path, for example url = /ecs/{serverId}, then resource = path::serverId.
(4.3) If the ID is a request parameter, for example url?id=xxx, then resource = param::id.
(4.4) If the ID is a field in the request body, for example the body {"data": {"id": "xxx", "name": "..."}}, then resource = body::data.id.
(5) resourceService: the service that is queried by resource ID and returns the resource instance details. The returned details must include a resourceId (resource ID), an accountId (ID of the tenant owning the resource) and a createId (ID of the resource creator); the iam-gateway component uses the latter two fields to check whether the user has the operation authority for the resource.
(6) action: the operation on the resource that the interface corresponds to. For example, creating a cloud server resource may be filled in as createEcs, and modifying a cloud server resource as updateEcs.
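The attribute list above, written out as one custom resource for the ecs product. This is an added example, not a manifest from the patent: the API group and kind (iam.example.com/v1, AuthMetadata), the field spelling, the resourceService URL and the interfaces are assumptions; only the attribute semantics (url, method, urlType, resource, action) follow the text.

```yaml
# Added example, not the patent's CR. Group/kind, URLs and interfaces are assumed.
apiVersion: iam.example.com/v1
kind: AuthMetadata
metadata:
  name: ecs
  namespace: ecs
spec:
  # queried by resource ID; the reply must carry resourceId, accountId and createId
  resourceService: http://ecs.ecs.svc.cluster.local:9090/internal/resources/{resourceId}
  urls:
    - url: /ecs/health
      method: GET
      urlType: WHITE                 # no authority control at all
    - url: /ecs
      method: POST
      urlType: RESOURCE
      action: createEcs              # no resource field: the operation is not tied to one instance
    - url: /ecs/detail
      method: GET
      urlType: RESOURCE
      resource: param::id            # /ecs/detail?id=i-001,i-002
      action: describeEcs
    - url: /ecs/batchDelete
      method: POST
      urlType: RESOURCE
      resource: body::data.ids       # {"data": {"ids": ["i-001", "i-002"]}}
      action: deleteEcs
    - url: /ecs/{serverId}           # must come after /ecs/detail: first match wins
      method: GET
      urlType: RESOURCE
      resource: path::serverId
      action: describeEcs
    - url: /ecs/{serverId}
      method: PUT
      urlType: RESOURCE
      resource: path::serverId
      action: updateEcs
    - url: /ecs/**
      method: GET
      urlType: LOGIN_ACCESS          # anything else under /ecs: valid token is enough
```

Two things to review in any such list: the order (a literal path such as /ecs/detail placed after /ecs/{serverId} would be treated as a server ID), and the catch-all at the end, which deliberately covers GET only so that an unlisted mutating method is not let through on a token check alone.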
Further, after the authentication metadata is stored in the database, the method may further include the following steps:
caching the authentication metadata into a memory of a iam-gateway component in the to-be-authenticated micro-service product Pod; correspondingly, acquiring authentication metadata from the database may include:
authentication metadata is obtained from the memory of the iam-gateway component.
In this embodiment, while the authentication metadata are stored in the public database, the authentication metadata corresponding to each micro-service product are respectively cached in the memory of the iam-gateway component of the corresponding micro-service product pod, so that the iam-gateway component can perform authentication to directly read data from the memory, and the reading speed is faster.
Further, the method can further comprise the following steps:
when the change of the authentication metadata in the database is monitored through the iam-gateway-operator service, the changed authentication metadata is cached in the memory of the iam-gateway component.
Specifically, an operator is not something Kubernetes itself provides: an operator is, in essence, a user-registered Custom Resource Definition, the corresponding resource instances (called Custom Resources, CRs), and a self-written controller that continuously observes the state of the CRs currently defined in K8s and, whenever that state differs from the desired state, adjusts it. The control and management consist of creating, deleting and modifying the corresponding resources by calling the K8s API server through a client, according to the desired and actual states. This embodiment also uses the iam-gateway-operator service to watch for data changes in the database; when the data in the database changes, the authentication metadata in the memory of the iam-gateway component is updated promptly. Fig. 2 shows an example of the iam-gateway-operator processing a CR change according to an embodiment of the present invention. When the CR of a service product changes, whether by CR creation or CR update, the metadata is stored in the database; when the iam-gateway-operator detects that the resource in the database has changed, it calls the update-data interface of the iam-gateway component in the micro-service product pod, and the service product authentication metadata is stored in that component's cache.
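The reconcile path of fig. 2, modelled as an added example in Python (not the patent's code and not a real Kubernetes controller). It assumes that CR watch events arrive as dicts with a type, product name, generation and spec, that the database is a dict, and that each product pod's iam-gateway exposes its update-data interface as a method. The points it adds to the text are the two ordering checks (a late, older event must not overwrite newer metadata in either the database or the sidecar cache) and what the sidecar authenticates against when its cache is empty or the CR has been deleted.

```python
class IamGatewaySidecar:
    """In-memory metadata cache of one product pod's iam-gateway container (modelled)."""

    def __init__(self, product):
        self.product = product
        self.generation = -1
        self.rules = None            # None: nothing cached yet, read the database instead

    def update(self, generation, rules):
        """The update-data interface the operator calls; rejects out-of-order pushes."""
        if generation < self.generation:
            return False
        self.generation, self.rules = generation, rules
        return True


class IamGatewayOperator:
    """Handles CR watch events: persist to the database, then push to the product's sidecar."""

    def __init__(self, sidecars):
        self.db = {}                 # product -> {"generation": int, "rules": list}
        self.sidecars = sidecars     # product -> IamGatewaySidecar (pod discovery is assumed)

    def handle_event(self, event):
        product, gen = event["product"], event["generation"]
        if event["type"] == "DELETED":
            self.db.pop(product, None)
            if product in self.sidecars:
                self.sidecars[product].update(gen, [])   # empty list: every interface now denied
            return "cleared"
        if gen < self.db.get(product, {}).get("generation", -1):
            return "stale"           # an older event arriving late must not overwrite newer metadata
        rules = event["spec"]["urls"]
        self.db[product] = {"generation": gen, "rules": rules}
        sidecar = self.sidecars.get(product)
        if sidecar is None:
            return "stored"          # pod not running yet; it will load from the database on start
        sidecar.update(gen, rules)
        return "pushed"


def rules_for(sidecar, db):
    """What the sidecar authenticates against: memory first, database second, otherwise nothing."""
    if sidecar.rules is not None:
        return sidecar.rules
    row = db.get(sidecar.product)
    return row["rules"] if row else []
```

The empty rule list after a DELETED event is the fail-closed choice: a product whose metadata disappears should lose access to all interfaces rather than silently fall back to "logged-in users may call anything".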
Further, the method can further comprise the following steps:
when a version update occurs to the iam-gateway component;
the iam-gateway component in the micro service product pod to be authenticated is updated by means of a public configuration or a site configuration.
Specifically, at present, when the authentication dependency package has a version update, every service product application must update its dependency, and it very easily happens that the service product applications use inconsistent versions of the package and that the authentication logic of the packages in different languages is inconsistent. In this embodiment, the configuration information such as the iam-gateway version in the service product's deployment file can instead reference a public configuration or a site configuration directly, which prevents inconsistent iam-gateway versions across products and makes version updates more convenient.
S104: the micro-service product is authenticated with the iam-gateway component based on the authentication metadata.
Specifically, taking the rights configuration of the url list as an example, the iam-gateway component filters requests according to that configuration. For a request that has been authenticated, the iam-gateway component sets the resource field in the header to the authenticated resource IDs, and the service product back end queries only the data of those specific resources.
Further, the authenticating the micro service product by using the iam-gateway component according to the authentication metadata may include the following steps:
when authenticating a non-list type interface of a micro-service product, authenticating the micro-service product by utilizing a iam-gateway component according to the authentication metadata;
when the list type interface of the micro service product is authenticated, the iam-gateway component is utilized to acquire user rights and send the user rights to the micro service product to be authenticated, so that the micro service product screens a resource list according to the user rights, the screened resources are sent to the iam-gateway component, and the iam-gateway component is utilized to authenticate the micro service product according to the screened resources.
This embodiment also allows authentication to be performed differently for different kinds of interfaces, for example list-type interfaces and non-list-type interfaces. For a list-type interface, the iam-gateway component needs to obtain all resources the user is allowed to access under the current service; for example, when the user's authorization is a wildcard covering all resources, that wildcard is returned directly. The resource list is placed in the header and passed to the service product, such as the ecs container, and the service product screens its resources according to actual needs. If the resource list contains the wildcard, care must be taken to translate it when querying. For a non-list-type interface, there is no step in which the service product screens resources.
By applying the micro-service product authentication method provided by the embodiment of the invention, a micro-service product to be authenticated is obtained; an iam-gateway component is added to that product's pod; the authentication metadata corresponding to the product is acquired from a database; and the micro-service product is authenticated with the iam-gateway component according to that metadata. Because the iam-gateway component sits in the product's own pod and performs the authentication there, the invasiveness of authentication to the product code is reduced, each micro-service product can receive its own authentication configuration, and authority control can be enforced inside the product service. In addition, the metadata is cached in the memory of the iam-gateway component so that it can be read faster, and the iam-gateway component in the product pod is updated through a public configuration or site configuration so that version updates are more convenient.
To better understand the micro-service product authentication method provided in the present application, take the micro-service product ecs (Elastic Compute Service, a cloud server with elastically scalable processing capacity) as an example and refer to fig. 3, which is an exemplary diagram of an ecs micro-service product authentication method according to an embodiment of the present invention.
In the ecs micro-service product application Pod, both the ecs container and the iam-gateway container are started. When a user wants to access an interface of the ecs service product:
1. The user logs in to the platform through the unified authentication center and obtains a token.
2. The token is placed in the request header and the ecs interface is accessed.
3. The request is forwarded through services such as Nginx (a high-performance HTTP and reverse proxy server) to the Pod of the ecs service product.
4. The request first enters the iam-gateway container of the ecs service product Pod. iam-gateway asks the unified authentication center whether the user's request is legitimate; if authentication passes, the request is forwarded to the ecs service product container, and if it fails, error code 403 is returned.
5. For a list-type interface, the iam-gateway container needs to obtain all resources the user is allowed to access under the current service; when the user's authorization is a wildcard covering all resources, that wildcard is returned directly. The resource list is placed in the header and passed to the service product, such as the ecs container, which screens its resources according to actual needs. If the resource list contains the wildcard, care must be taken to translate it when querying.
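The filtering of S104, the list/non-list distinction, and step 4 and step 5 of the ecs flow, modelled together as one added Python example. This is not the patent's code and the patent does not say what language iam-gateway is written in. Assumptions, all labelled in the code: the unified authentication center and resourceService are replaced by constructed in-memory tables; the rule list mirrors the CR attributes plus an assumed "list" flag (the patent names no attribute for list-type interfaces); the authority rule derived from accountId and createId is "same tenant, and the user is tenant admin or the creator"; an unconfigured resource field defaults to "*"; a missing or invalid token yields 401 where the patent's flow returns 403. The example goes slightly beyond the text by adding a re-check of the product's screened list, so that the gateway does not have to trust the backend's filtering.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins (not from the patent) for the unified authentication center
# (token -> user) and for resourceService (resource ID -> resourceId/accountId/createId).
TOKENS = {
    "tok-user1": {"userId": "user-1", "accountId": "acct-A", "admin": False},
    "tok-admin": {"userId": "admin-A", "accountId": "acct-A", "admin": True},
}
RESOURCES = {
    "i-001": {"resourceId": "i-001", "accountId": "acct-A", "createId": "user-1"},
    "i-002": {"resourceId": "i-002", "accountId": "acct-A", "createId": "admin-A"},
    "i-003": {"resourceId": "i-003", "accountId": "acct-B", "createId": "user-9"},
}
# Constructed url list in the shape of the CR attributes. First match wins, so order matters.
# "list" marks a list-type interface (assumed field; the patent names no attribute for it).
RULES = [
    {"url": "/ecs/health", "method": "GET", "urlType": "WHITE"},
    {"url": "/ecs", "method": "GET", "urlType": "RESOURCE", "list": True, "action": "listEcs"},
    {"url": "/ecs", "method": "POST", "urlType": "RESOURCE", "action": "createEcs"},
    {"url": "/ecs/detail", "method": "GET", "urlType": "RESOURCE", "resource": "param::id", "action": "describeEcs"},
    {"url": "/ecs/batchDelete", "method": "POST", "urlType": "RESOURCE", "resource": "body::data.ids", "action": "deleteEcs"},
    {"url": "/ecs/{serverId}", "method": "GET", "urlType": "RESOURCE", "resource": "path::serverId", "action": "describeEcs"},
    {"url": "/ecs/**", "method": "*", "urlType": "LOGIN_ACCESS"},  # catch-all: token validity only
]

def ant_to_regex(url):
    """Ant-style url to regex: ** spans segments, * one segment, {name} captures one segment."""
    out, i = [], 0
    while i < len(url):
        if url.startswith("**", i):
            out.append(".*"); i += 2
        elif url[i] == "*":
            out.append("[^/]*"); i += 1
        elif url[i] == "{":
            j = url.index("}", i)
            out.append("(?P<%s>[^/]+)" % url[i + 1:j]); i = j + 1
        else:
            out.append(re.escape(url[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def match_rule(method, path):
    """First rule in list order whose method and url match, with captured path variables."""
    for rule in RULES:
        if rule["method"] in ("*", method):
            m = ant_to_regex(rule["url"]).match(path)
            if m:
                return rule, m.groupdict()
    return None, {}

def extract_ids(spec, path_vars, query, body):
    """Resolve path::x, param::x or body::a.b to the resource IDs named in the request."""
    if not spec:
        return ["*"]  # unconfigured, e.g. createEcs: not tied to one instance (assumed default value)
    kind, _, key = spec.partition("::")
    if kind == "path":
        value = path_vars.get(key)
    elif kind == "param":
        value = ",".join(query.get(key, []))
    else:
        value = body
        for part in key.split("."):
            value = value.get(part) if isinstance(value, dict) else None
    if isinstance(value, list):
        return [str(v) for v in value]
    return [v for v in str(value or "").split(",") if v]

def may_operate(user, res):
    """Assumed authority rule: same tenant, and the user is tenant admin or the resource's creator."""
    return res["accountId"] == user["accountId"] and (user["admin"] or res["createId"] == user["userId"])

def iam_gateway_filter(method, url, headers, body_text=""):
    """Return (status, headers added for the product). 200 means the request is forwarded."""
    parts = urlsplit(url)
    rule, path_vars = match_rule(method, parts.path)
    if rule is None:
        return 403, {}  # no metadata for this interface: fail closed
    if rule["urlType"] == "WHITE":
        return 200, {}
    user = TOKENS.get(headers.get("token", ""))
    if user is None:
        return 401, {}  # the patent's flow returns 403 here; 401 is this example's choice
    if rule["urlType"] == "LOGIN_ACCESS":
        return 200, {}
    if rule.get("list"):  # list-type: hand the user's allowed set to the product for screening
        allowed = [rid for rid, r in RESOURCES.items() if may_operate(user, r)]
        return 200, {"resource": "*" if user["admin"] else ",".join(allowed)}
    body = json.loads(body_text) if body_text else {}
    ids = extract_ids(rule.get("resource"), path_vars, parse_qs(parts.query), body)
    if ids == ["*"]:
        return 200, {"resource": "*"}
    authorised = [rid for rid in ids if rid in RESOURCES and may_operate(user, RESOURCES[rid])]
    return (200, {"resource": ",".join(authorised)}) if authorised else (403, {})  # pre-screened IDs only

def check_list_response(forwarded, returned_ids):
    """Re-check the product's screened list: keep only IDs the gateway had allowed."""
    allowed = forwarded.get("resource", "")
    permitted = None if allowed == "*" else set(allowed.split(",")) - {""}
    return [rid for rid in returned_ids if permitted is None or rid in permitted]
```

Worth noticing when reading the results: GET /ecs/detail?id=i-001,i-003 by user-1 forwards with resource=i-001 only, which is the pre-screening described under attribute (4); and PUT /ecs/i-001 is let through on a token check alone because the constructed list has no PUT rule for /ecs/{serverId} and ends with a method-agnostic catch-all. That second outcome is a property of the metadata, not of the gateway, which is why the url list of every product needs the same review as its code.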
The micro-service product authentication device provided by the embodiment of the present invention is described below; the device described below and the micro-service product authentication method described above may be referred to each other correspondingly.
Referring specifically to fig. 4, fig. 4 is a schematic structural diagram of a micro-service product authentication device according to an embodiment of the present invention, which may include:
a first obtaining module 100, configured to obtain the micro-service product to be authenticated;
an adding module 200, configured to add an iam-gateway component to the Pod of the micro-service product to be authenticated;
a second obtaining module 300, configured to obtain the authentication metadata corresponding to the micro-service product to be authenticated from a database;
an authentication module 400, configured to authenticate the micro-service product according to the authentication metadata by using the iam-gateway component.
Based on the above embodiment, the second obtaining module 300 may include:
a storage unit, configured to store the authentication metadata in the database, the authentication metadata being obtained by the micro-service product to be authenticated through the custom resource definition (CRD) function of Kubernetes;
and the acquisition unit is used for acquiring the authentication metadata from the database.
Based on the above embodiment, the micro service product authentication apparatus may further include:
a storage module, configured to cache the authentication metadata into a memory of the iam-gateway component in the micro service product Pod to be authenticated after the authentication metadata is stored into the database;
correspondingly, the second obtaining module 300 is specifically configured to obtain the authentication metadata from the memory of the iam-gateway component.
Based on the above embodiment, the micro service product authentication apparatus may further include:
and the change storage module is used for caching the changed authentication metadata into the memory of the iam-gateway component when the change of the authentication metadata in the database is monitored through the iam-gateway-operator service.
Based on the above embodiment, the micro service product authentication apparatus may further include:
an update detection module, configured to detect that a version update has occurred to the iam-gateway component;
and a component updating module, configured to update the iam-gateway component in the Pod of the micro-service product to be authenticated by means of a public configuration or a site configuration.
Based on the above embodiment, the authentication module 400 may include:
the non-list interface authentication unit is used for authenticating the micro-service product according to the authentication metadata by utilizing the iam-gateway component when authenticating the non-list interface of the micro-service product;
and a list interface authentication unit, configured, when a list-type interface of the micro-service product is authenticated, to acquire the user rights by using the iam-gateway component and transmit them to the micro-service product to be authenticated, so that the micro-service product screens its resource list according to the user rights and transmits the screened resources to the iam-gateway component, which then authenticates the micro-service product according to the screened resources.
In the micro-service product authentication device provided by this embodiment of the invention, the first obtaining module 100 obtains the micro-service product to be authenticated; the adding module 200 adds an iam-gateway component to the Pod of the micro-service product to be authenticated; the second obtaining module 300 obtains the authentication metadata corresponding to the micro-service product to be authenticated from a database; and the authentication module 400 authenticates the micro-service product according to the authentication metadata by using the iam-gateway component. Because authentication is carried out by an iam-gateway component placed in the product's own Pod rather than by the product code itself, the intrusion of the authentication function into the micro-service product code is reduced, a personalised authentication service can be run independently for each micro-service product, and authority control inside the product service can still be carried out. In addition, the authentication metadata is cached in the memory of the iam-gateway component, so that the component can read it faster; and the iam-gateway component in the Pod of the micro-service product to be authenticated is updated through a public configuration or a site configuration, which makes version updating more convenient.
The micro-service product authentication equipment provided by the embodiment of the present invention is described below; the equipment described below and the micro-service product authentication method described above may be referred to each other correspondingly.
Referring to fig. 5, fig. 5 is a schematic structural diagram of micro-service product authentication equipment according to an embodiment of the present invention, which may include:
a memory 10 for storing a computer program;
a processor 20 for executing the computer program so as to implement the micro-service product authentication method described above.
The memory 10, the processor 20, and the communication interface 31 all communicate with each other via a communication bus 32.
In the embodiment of the present invention, the memory 10 is used to store one or more programs; the programs may include program code, and the program code includes computer operation instructions. In this embodiment, the memory 10 may store programs for implementing the following functions:
obtaining a micro-service product to be authenticated;
adding an iam-gateway component to the Pod of the micro-service product to be authenticated;
acquiring authentication metadata corresponding to a micro-service product to be authenticated from a database;
the micro-service product is authenticated with the iam-gateway component based on the authentication metadata.
In one possible implementation, the memory 10 may include a program storage area and a data storage area, where the program storage area may store an operating system and at least one application program required for the functions, and the data storage area may store data created during use.
In addition, the memory 10 may include read-only memory and random access memory and provides instructions and data to the processor. A portion of the memory may also include NVRAM. The memory stores an operating system and operating instructions, executable modules or data structures, or a subset or an extended set thereof, where the operating instructions may include various instructions for performing various operations. The operating system may include various system programs for implementing basic tasks as well as handling hardware-based tasks.
The processor 20 may be a central processing unit (CPU), an ASIC, a DSP, an FPGA or another programmable logic device; the processor 20 may also be a microprocessor or any conventional processor. The processor 20 may call a program stored in the memory 10.
The communication interface 31 may be an interface of a communication module for connecting with other devices or systems.
Of course, it should be noted that the structure shown in fig. 5 does not limit the micro-service product authentication equipment in the embodiment of the present invention; in practical applications the equipment may include more or fewer components than shown in fig. 5, or may combine some of them.
The following describes a readable storage medium provided in an embodiment of the present invention; the readable storage medium described below and the micro-service product authentication method described above may be referred to each other correspondingly.
The present invention also provides a readable storage medium on which a computer program is stored which, when executed by a processor, implements the steps of the micro-service product authentication method described above.
The readable storage medium may include a USB flash drive (U-disk), a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In this specification, the embodiments are described in a progressive manner, each embodiment focusing on its differences from the other embodiments, so that the same or similar parts of the embodiments may be referred to each other. Since the device disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief, and the relevant points may be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
Finally, it is further noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The foregoing has described in detail the method, apparatus, device and readable storage medium for authentication of a microservice product, wherein specific examples are employed to illustrate the principles and embodiments of the present invention, and the above examples are only used to help understand the method and core idea of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.

Claims (10)

1. A method of authenticating a microservice product, comprising:
obtaining a micro-service product to be authenticated;
adding an iam-gateway component to the pod of the micro-service product to be authenticated;
acquiring authentication metadata corresponding to the micro-service product to be authenticated from a database;
authenticating the micro-service product according to the authentication metadata by using the iam-gateway component.
2. The method for authenticating a micro-service product according to claim 1, wherein the obtaining authentication metadata corresponding to the micro-service product to be authenticated from a database comprises:
storing the authentication metadata in the database, the authentication metadata being obtained by the micro-service product to be authenticated through the custom resource definition (CRD) function of Kubernetes;
and acquiring the authentication metadata from the database.
3. The micro service product authentication method according to claim 2, further comprising, after said saving said authentication metadata into said database:
caching the authentication metadata into a memory of the iam-gateway component in the micro service product Pod to be authenticated;
correspondingly, the acquiring the authentication metadata from the database comprises the following steps:
and acquiring the authentication metadata from the memory of the iam-gateway component.
4. The micro service product authentication method of claim 3, further comprising:
when the change of the authentication metadata in the database is monitored through the iam-gateway-operator service, the changed authentication metadata is cached in the memory of the iam-gateway component.
5. The micro service product authentication method of claim 1, further comprising:
when a version update occurs to the iam-gateway component,
updating the iam-gateway component in the pod of the micro-service product to be authenticated by using a public configuration or a site configuration.
6. The method of claim 1, wherein authenticating the micro service product using the iam-gateway component based on the authentication metadata comprises:
when authenticating the non-list type interface of the micro service product, authenticating the micro service product according to the authentication metadata by utilizing the iam-gateway component;
when the list type interface of the micro service product is authenticated, the iam-gateway component is used for acquiring user rights and sending the user rights to the micro service product to be authenticated, so that the micro service product screens a resource list according to the user rights, the screened resource is sent to the iam-gateway component, and the iam-gateway component is used for authenticating the micro service product according to the screened resource.
7. A micro service product authentication apparatus, comprising:
the first acquisition module is used for acquiring the micro-service product to be authenticated;
an adding module for adding an iam-gateway component to the pod of the micro-service product to be authenticated;
the second acquisition module is used for acquiring authentication metadata corresponding to the micro-service product to be authenticated from a database;
and the authentication module is used for authenticating the micro-service product according to the authentication metadata by utilizing the iam-gateway component.
8. The micro service product authentication apparatus of claim 7, wherein the second acquisition module comprises:
a storage unit, configured to store the authentication metadata in the database, the authentication metadata being obtained by the micro-service product to be authenticated through the custom resource definition (CRD) function of Kubernetes;
and the acquisition unit is used for acquiring the authentication metadata from the database.
9. A micro service product authentication apparatus, comprising:
a memory for storing a computer program;
a processor for implementing the micro service product authentication method according to any of claims 1 to 6 when executing said computer program.
10. A readable storage medium having stored therein computer executable instructions which when loaded and executed by a processor implement the micro-service product authentication method according to any of claims 1 to 6.

Priority Applications (1)

Application Number: CN202311316799.0A; Priority Date: 2023-10-12; Filing Date: 2023-10-12; Title: Micro-service product authentication method, device, equipment and readable storage medium


Publications (1)

Publication Number: CN117290871A; Publication Date: 2023-12-26

Family ID: 89258503




Legal Events

Code: PB01; Title: Publication
Code: SE01; Title: Entry into force of request for substantive examination