TW201828655A - Environment isolation method and device resolves the problem of high complexity and incomplete isolation carried at environmental isolation during the RPC call process - Google Patents

Info

Publication number
TW201828655A
Authority
TW
Taiwan
Prior art keywords
address
routing
rpc
isolation
rpc client
Prior art date
Application number
TW106102699A
Other languages
Chinese (zh)
Other versions
TWI717457B (en
Inventor
張松林
Original Assignee
阿里巴巴集團服務有限公司
Priority date
Filing date
Publication date
Application filed by 阿里巴巴集團服務有限公司 filed Critical 阿里巴巴集團服務有限公司
Priority to TW106102699A priority Critical patent/TWI717457B/en
Publication of TW201828655A publication Critical patent/TW201828655A/en
Application granted granted Critical
Publication of TWI717457B publication Critical patent/TWI717457B/en

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an environment isolation method. The routing address pool in an RPC (Remote Procedure Call) client is set in advance to automatically refresh a preset full address set at a preset period. After receiving an environment isolation instruction sent by an environment isolation device, the RPC client stops automatically refreshing the routing address pool and replaces the addresses currently in the pool with a merged address. When the RPC client subsequently receives a service call request sent by a user, it generates a valid target address from the merged address in the routing address pool, sends the service call request to the RPC server corresponding to that target address, and returns the business processing result from the RPC server to the user. In this way, without modifying any hardware, the method resolves the high complexity and incomplete isolation associated with environment isolation during RPC calls and ensures the security and stability of environment isolation.

Description

Environment isolation method and device

The invention relates to the field of communication technologies, and in particular to an environment isolation method. The invention also relates to an RPC client and an environment isolation device.

RPC (Remote Procedure Call) is a client/server protocol for distributed computing. Because RPC lets a program request a service from a program on a remote computer without needing to understand the underlying network technology, it is both simple and widely used. In a remote procedure call, the client always sends the server a request to execute some procedure using parameters supplied by the client, and the server returns the execution result to the client. Most public cloud products on today's cloud computing platforms provide RPC service functions so that developers working in all kinds of languages can get started quickly.

Figure 1 is a schematic diagram of the RPC principle. The (RPC) client and the (RPC) server, each using its own transport encoding, are connected to each other through protocols in each frequency band; the client has an interface module and the server has an implementation module that does the actual execution. RPC makes full use of multiprocessor environments without shared memory (for example, multiple servers connected over a LAN), so an application can easily be distributed across multiple servers while behaving as if it were running on a single multiprocessor computer. Engineers can easily share procedure code and improve the utilization of system resources, and can spread operations that process large amounts of data across a cluster with more processing power, reducing the load on any single machine and making it easier to build services.

When RPC is used, the client in the RPC framework needs to call a server, and there are different strategies and implementations for deciding which server a request is routed to. How to achieve environment isolation on top of request routing is also an essential part of existing RPC deployments.

Environment isolation means using some mechanism (here, request routing) to separate the distributed call services and data of the test environment from those of the production environment, preventing the distributed call services and data of different environments from interfering with or being used by one another. The prior art generally isolates requests to designated machines by modifying the request source flag (IP), or isolates requests to designated machines or clusters by adjusting the load-balancing weight configuration (which may leave the isolation incomplete), or isolates machines into a designated group by configuring the group value of hybrid routing (a service group distinct from the other groups has to be set up on the server side).

Figure 2 is a schematic diagram of a prior-art isolation architecture based on request routing. Modules such as unified access 1, configuration service 1 and notification are configured in advance for the different apps in the production environment, while the apps in the isolated environment are configured with unified access 2, configuration service 2 and other modules that differ from those of production. Both the production environment and the isolated environment, however, are managed through one unified management platform. Because request-routing-based environment isolation requires modifying the client request flag (IP) or the RPC routing configuration file, the application inevitably has to be released and restarted; the operating cost is high and isolation cannot be completed dynamically. The server side also needs a separate group configured to support isolation. These operations are complex and error-prone, and a wrong configuration can leave the isolation incomplete. Uncertain factors such as fluctuations in the overall environment can easily cause service calls to fail, which in turn affects security and stability. So in the prior art, testing and comparison through environment isolation generally require deploying a second copy of the same application with different routing configuration and grouping. A separately deployed environment loses fidelity and also adds to the operators' workload.

In the course of implementing the invention, the inventor found that existing environment isolation schemes have the following disadvantages:

(1) Highly intrusive to the application

Conventional isolation techniques require either modifying the original application code, grouping and routing rule configuration, or configuring groups for the service provider's services. This is highly intrusive to the application, and the configuration is complex and error-prone. The modified version has to be kept on its own branch, so the later maintenance cost is also high.

(2) Application stability is at risk after isolation

Once a stability problem occurs on a link after isolation, the services of the upper-layer systems that depend on it become unavailable. Conventional isolation techniques have no link availability check and do not consider a disaster recovery strategy for service requests that fail after isolation; because of how they work, they also cannot recover quickly.

(3) High deployment cost

Implementing isolation through hardware routing requires additional equipment, and the cost of deployment is very high. It takes specialists to operate, so developers and testers cannot use it on demand. Changing isolation rules is complicated and error-prone, and typical use does not need most of the additional features, so the capability is wasted.

(4) Poor fidelity of the isolated environment

Conventional request-routing-based isolation requires modifying configuration files or deploying a separate copy of the application, so the result differs from the original production environment in fidelity, and testing or other comparative verification runs in an environment that is somewhat different. The purpose of isolation is to direct traffic, not to change the environment. Subsequent maintenance cost is also high, because the unified configuration of the production environment cannot be applied directly to the isolated β environment.

(5) Complicated operation and poor timeliness. Because conventional request-routing-based isolation schemes modify the application and its configuration, they inevitably require redeploying or restarting the application. The overall operation chain is long and slow and cannot take effect immediately; many configurations have to be prepared, and keeping those configurations usable is costly.

It can be seen that how to achieve environment isolation while ensuring security and stability, and at the same time reduce the cost of isolation and the complexity of isolation operations, has become a technical problem that those skilled in the art urgently need to solve.

The invention discloses an environment isolation method for reducing the labor and hardware cost of environment isolation as far as possible while improving its timeliness, security and stability. The method is applied to an RPC client. An environment isolation device connected to the RPC client is provided in advance, and the routing address pool in the RPC client automatically refreshes a preset full address set at a preset period. The method further includes: the RPC client receives an environment isolation instruction sent by the environment isolation device; the RPC client stops automatically refreshing the routing address pool and replaces the addresses currently in the routing address pool with a merged address, the merged address being generated by the RPC client by merging the addresses currently in the routing address pool with the addresses in a preset manual address list; when the RPC client receives a service call request sent by a user, it generates a valid target address from the merged address in the routing address pool; the RPC client sends the service call request to the RPC server corresponding to the target address and returns the business processing result from the RPC server to the user.

Preferably, the manual address list consists of the addresses of the RPC clients and RPC servers that participate in environment isolation, and the RPC client replaces the addresses currently in the routing address pool with the merged address as follows: select from the manual address list the first sub-address that can be used for address merging; take the addresses in the routing address pool after automatic refresh has stopped as the second sub-address; merge the first sub-address and the second sub-address into the merged address according to a preset address merging algorithm; delete the addresses currently in the routing address pool and add the merged address to the routing address pool.

Preferably, the RPC client generates a valid target address from the merged address in the routing address pool as follows: query the preset routing rules, and query the routing address pool for available device addresses; filter the device addresses found according to the routing rules; if a device address satisfies the routing rules, use that device address as the target address; if no device address satisfies the routing rules, return a service call failure response to the user.

Preferably, after the RPC client replaces the addresses currently in the routing address pool with the merged address, the method further includes: returning an environment isolation success response to the environment isolation device; and, on receiving an isolation status check instruction sent by the environment isolation device, checking whether the interfaces between the RPC client itself and each downstream RPC server are working normally and sending the result to the environment isolation device, so that the environment isolation device reports the result back to the user.

Preferably, after the RPC client replaces the addresses currently in the routing address pool with the merged address, the method further includes: if an environment isolation cancellation instruction sent by the environment isolation device is received, refreshing the merged address in the routing address pool to the full address set, and having the routing address pool automatically refresh the preset full address set at the preset period again.

Correspondingly, the invention also proposes an environment isolation method applied to an environment isolation device that is connected to the RPC client. The method includes: determining, from the address information carried in an environment isolation request sent by a user, the RPC client that needs to be isolated, where the routing address pool in the RPC client automatically refreshes a preset full address set at a preset period; and sending an environment isolation instruction to the RPC client, so that the RPC client stops automatically refreshing the routing address pool and replaces the addresses currently in the routing address pool with a merged address, the merged address being generated by the RPC client by merging the addresses currently in the routing address pool with the addresses in a preset manual address list.

Preferably, the address information is specifically a source IP address and a target IP address, and the RPC client that needs to be isolated is determined from the address information carried in the environment isolation request sent by the user as follows: extract the address information from the environment isolation request; obtain the services that need environment isolation by querying the interface of the RPC server; take the RPC client corresponding to the source IP address as the RPC client that needs to be isolated.

Preferably, after the environment isolation instruction is sent to the RPC client, the method further includes: if an environment isolation success response sent by the RPC client is received, sending an isolation status check instruction to the RPC client and reporting the result returned by the RPC client back to the user; the status check instruction causes the RPC client to check whether the interfaces between itself and each downstream RPC server are working normally and to send the result to the environment isolation device.

Preferably, after the environment isolation instruction is sent to the RPC client, the method further includes: if an environment isolation success response sent by the RPC client is received, checking whether the status of each downstream RPC server of the RPC client is normal, and determining whether the merged address in the routing address pool is empty after filtering by the preset routing rules; if any downstream RPC server is in an abnormal state, or the merged address in the routing address pool is empty after filtering by the preset routing rules, sending a downstream liveness safety alert to the user.

Preferably, after the environment isolation instruction is sent to the RPC client, the method further includes: on receiving an environment isolation cancellation request sent by the user, sending an environment isolation cancellation instruction to the RPC client, so that the RPC client refreshes the merged address in the routing address pool to the full address set and has the routing address pool automatically refresh the preset full address set at the preset period again.

Correspondingly, the invention also proposes an RPC client that is connected to a preset environment isolation device and whose routing address pool automatically refreshes a preset full address set at a preset period. The RPC client further includes: a receiving module, which receives the environment isolation instruction sent by the environment isolation device; a replacement module, by which the RPC client stops automatically refreshing the routing address pool and replaces the addresses currently in the routing address pool with a merged address, the merged address being generated by the RPC client by merging the addresses currently in the routing address pool with the addresses in a preset manual address list; a generating module, which generates a valid target address from the merged address in the routing address pool when the receiving module receives a service call request sent by a user; and a sending module, which sends the service call request to the RPC server corresponding to the target address and returns the business processing result from the RPC server to the user.

Preferably, the manual address list consists of the addresses of the RPC clients and RPC servers that participate in environment isolation, and the replacement module replaces the addresses currently in the routing address pool with the merged address as follows: select from the manual address list the first sub-address that can be used for address merging; take the addresses in the routing address pool after automatic refresh has stopped as the second sub-address; merge the first sub-address and the second sub-address into the merged address according to a preset address merging algorithm; delete the addresses currently in the routing address pool and add the merged address to the routing address pool.

Preferably, the generating module is specifically configured to: query the preset routing rules, and query the routing address pool for available device addresses; filter the device addresses found according to the routing rules; if a device address satisfies the routing rules, use that device address as the target address; if no device address satisfies the routing rules, return a service call failure response to the user.

Preferably, the RPC client further includes: a response module, which returns an environment isolation success response to the environment isolation device; and a query module, which, on receiving an isolation status check instruction sent by the environment isolation device, checks whether the interfaces between the RPC client itself and each downstream RPC server are working normally and sends the result to the environment isolation device, so that the environment isolation device reports the result back to the user.

Preferably, the RPC client further includes: a revocation module, which, on receiving an environment isolation cancellation instruction sent by the environment isolation device, refreshes the merged address in the routing address pool to the full address set and has the routing address pool automatically refresh the preset full address set at the preset period again.

Correspondingly, the invention also proposes an environment isolation device that is connected to the RPC client. The environment isolation device includes: a determining module, which determines, from the address information carried in an environment isolation request sent by a user, the RPC client that needs to be isolated, where the routing address pool in the RPC client automatically refreshes a preset full address set at a preset period; and a sending module, which sends an environment isolation instruction to the RPC client, so that the RPC client stops automatically refreshing the routing address pool and replaces the addresses currently in the routing address pool with a merged address, the merged address being generated by the RPC client by merging the addresses currently in the routing address pool with the addresses in a preset manual address list.

Preferably, the address information is specifically a source IP address and a target IP address, and the determining module is specifically configured to: extract the address information from the environment isolation request; obtain the services that need environment isolation by querying the interface of the RPC server; take the RPC client corresponding to the source IP address as the RPC client that needs to be isolated.

Preferably, the environment isolation device further includes: a first detection module, which, on receiving an environment isolation success response sent by the RPC client, sends an isolation status check instruction to the RPC client and reports the result returned by the RPC client back to the user; the status check instruction causes the RPC client to check whether the interfaces between itself and each downstream RPC server are working normally and to send the result to the environment isolation device.

Preferably, the environment isolation device further includes: a second detection module, which, on receiving an environment isolation success response sent by the RPC client, checks whether the status of each downstream RPC server of the RPC client is normal and determines whether the merged address in the routing address pool is empty after filtering by the preset routing rules, and which sends a downstream liveness safety alert to the user when any downstream RPC server is in an abnormal state or the merged address in the routing address pool is empty after filtering by the preset routing rules.

Preferably, the environment isolation device further includes: a revocation module, which, on receiving an environment isolation cancellation request sent by the user, sends an environment isolation cancellation instruction to the RPC client, so that the RPC client refreshes the merged address in the routing address pool to the full address set and has the routing address pool automatically refresh the preset full address set at the preset period again.

It can be seen that, with the technical solution of the invention, the routing address pool in the RPC client is set in advance to automatically refresh a preset full address set at a preset period. After receiving the environment isolation instruction sent by the environment isolation device, the RPC client stops automatically refreshing the routing address pool and replaces the addresses currently in the pool with a merged address. When the RPC client subsequently receives a service call request sent by a user, it generates a valid target address from the merged address in the routing address pool, sends the service call request to the RPC server corresponding to the target address, and returns the business processing result from the RPC server to the user. Thus, without modifying any hardware, the solution resolves the high complexity and incomplete isolation associated with environment isolation during RPC calls and ensures the security and stability of environment isolation.

810‧‧‧Receiving module

820‧‧‧Replacement module

830‧‧‧Generating module

840‧‧‧Sending module

910‧‧‧Determining module

920‧‧‧Sending module

Figure 1 is a schematic diagram of the RPC principle in the prior art; Figure 2 is a schematic diagram of a prior-art isolation architecture based on request routing; Figure 3 is a flowchart of an environment isolation method proposed by the invention; Figure 4 is a schematic diagram of an isolation optimization scheme proposed in a specific embodiment of the invention; Figure 5 is a flowchart of another environment isolation method proposed by the invention; Figure 6 is a flowchart of performing isolation in a specific embodiment of the invention; Figure 7 is the overall architecture diagram of isolation in a specific embodiment of the invention; Figure 8 is a structural diagram of an RPC client proposed by the invention; Figure 9 is a structural diagram of an environment isolation device proposed by the invention.

In view of the problems described in the background, the inventor, in implementing the technical solution of the invention, drew on the existing request-routing-based isolation model and proposes an environment isolation method for the existing RPC request routing model. The method is applied to an RPC client. So that a user can implement environment isolation for the RPC client, the invention additionally provides an environment isolation device connected to the RPC client. In a preferred embodiment of the invention, the environment isolation device can be combined with the functions of a visualization platform and set up as an isolation console, which displays the upstream and downstream relationships and status between RPC clients and RPC servers visually and offers isolation call operations to users (engineers). In addition, because addresses are later obtained from the routing address pool in the RPC client, the technical solution of the invention sets the routing address pool to automatically refresh a preset full address set at a preset period (in existing RPC clients the addresses in the routing address pool are fixed and cannot be modified). The full address set consists of the addresses of the application on all current devices (both devices that participate in isolation and devices that do not); it is set in advance and its addresses are fixed.

FIG. 3 is a schematic flowchart of an environment isolation method proposed by the present invention, which includes the following steps:

S301: the RPC client receives an environment isolation indication sent by the environment isolation device.

To preserve the authenticity and security of the isolated environment, when a user needs to initiate environment isolation, the user sends a request to the environment isolation device. After the environment isolation device has determined the corresponding RPC client from the address information carried in the request, it sends an environment isolation indication to that RPC client.

S302: the RPC client stops automatically refreshing the routing address pool and replaces the current addresses in the routing address pool with a merged address.

Unlike traditional isolation, which modifies the routing rules, the technical solution of the present invention mainly improves the routing address pool of the RPC client. To this end, the technical solution presets a manual address list composed of the addresses of the RPC clients and RPC servers that participate in environment isolation. The manual address list can be set through the environment isolation device, and a technician can also modify it through the environment isolation device.

Based on the current addresses in the RPC client's routing address pool and the addresses in the preset manual address list, the RPC client merges the two to produce a merged address and replaces the original addresses in the routing address pool with it. In a preferred embodiment of the present invention, the specific steps are as follows:
step a) select from the manual address list the first sub-address that can be used for address merging;
step b) take the addresses in the routing address pool after automatic refresh has stopped as the second sub-address;
step c) merge the first sub-address and the second sub-address into the merged address according to a preset address merge algorithm;
step d) delete the current addresses in the routing address pool and add the merged address to the routing address pool.

Through the address merge algorithm, the above steps quickly and effectively merge the manually set addresses with the automatically refreshed full addresses, and the merge does not affect grouping. Once the merged address has been obtained, environment isolation can subsequently be completed with the RPC request routing function. The operation is simple, the degree of modification is small, and routing-layer files are not touched, which avoids errors.

After the above steps have been performed, so that the user knows the current progress of the environment isolation, a preferred embodiment of the present invention has the RPC client return an environment isolation success response to the environment isolation device. On receiving this response, the environment isolation device on the one hand feeds it back to the user and on the other hand instructs the RPC client to check the isolation status, so as to keep the isolated environment stable. Accordingly, when the RPC client receives an isolation status check indication sent by the environment isolation device, it queries whether the interfaces between itself and each downstream RPC server are normal and sends the query result to the environment isolation device, so that the environment isolation device feeds the query result back to the user.

S303: when the RPC client receives a service call request sent by the user, it generates a valid target address according to the merged address in the routing address pool.

Because the routing address pool may contain multiple merged addresses, and different routing rules are needed for different application scenarios (the routing rules are generally stored in the client and must be updated by a technician; they do not correspond one-to-one with IP addresses, but there are some generalized matching rules between them and IP addresses), the merged addresses must be filtered with the preset routing rules in the process of obtaining a valid target address. Specifically, a preferred embodiment of the present invention first queries the preset routing rules and queries the available device addresses in the routing address pool, then filters the queried device addresses according to the routing rules. If a device address that satisfies the routing rules exists, that device address is used as the target address; if no device address satisfies the routing rules, a service call failure response is returned to the user.

With reference to the schematic diagram of the isolation optimization scheme shown in FIG. 4, the flow of the isolation optimization scheme in this specific embodiment is as follows:

Step a) The customer initiates a service request to the RPC client. The RPC client queries the available merged addresses and the routing rules in the routing address pool.

Step b) If the user has previously enabled isolation through the environment isolation device, the RPC client's routing address pool will already have turned off automatic refresh, read the manually set address list, and quickly merged, through the address merge algorithm, the manually set address list with the full addresses held in the routing address pool at the moment automatic refresh stopped. The merged addresses in the routing address pool are then filtered through the various routing rules to obtain a valid target address; the merged address may also be empty because a condition is not met (the downstream application does not exist).

S304: the RPC client sends the service call request to the RPC server corresponding to the target address and feeds the business processing result returned by the RPC server back to the user.

The environment isolation optimization scheme of S301-S304 effectively improves the immediacy, security and stability of isolation and the authenticity of the isolated environment, while reducing cost and simplifying operation. When the user later needs to cancel isolation, the user likewise issues an environment isolation cancellation indication to the RPC client through the environment isolation device. Correspondingly, after receiving the environment isolation cancellation indication sent by the environment isolation device, the RPC client refreshes the merged address in the routing address pool to the full addresses and lets the routing address pool automatically refresh the preset full addresses according to the preset period.

In the specific embodiment of S303, once a valid target address has been determined, the RPC client sends the request to the server and accepts the result fed back by the server, completing the user's service call. If the user later needs to cancel isolation, only the automatic refresh of the address pool needs to be restored; the original addresses are refreshed to the full addresses, so the next request will not be directed. In other words, the environment isolation cancellation operation requires no cleanup work, which is simple and efficient.
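The client-side flow of S301-S304 and the cancellation step can be modelled as follows. This is an added example, not code from the patent: the `Address` fields, the sample addresses and, in particular, the merge strategy (manual entries pin their service group, other groups keep the frozen pool addresses) are assumptions, since the page only refers to "a preset address merge algorithm". The point to observe is that an empty result after rule filtering fails the call instead of falling back to non-isolated addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Address:
    service: str   # service the device provides (assumed grouping key)
    host: str      # device IP address
    room: str      # machine-room label consumed by the routing rule


def merge_addresses(first_sub, second_sub):
    """Assumed merge algorithm: manual entries pin their service group,
    every other group keeps the addresses frozen in the pool."""
    pinned = {a.service for a in first_sub}
    merged = list(dict.fromkeys(first_sub))      # de-duplicate, keep order
    merged += [a for a in second_sub if a.service not in pinned]
    return merged


class RoutingAddressPool:
    def __init__(self, full_addresses):
        self._full = list(full_addresses)        # preset full addresses
        self.addresses = list(full_addresses)
        self.auto_refresh = True

    def refresh_tick(self):
        """Runs once per preset period; does nothing while isolated."""
        if self.auto_refresh:
            self.addresses = list(self._full)

    def isolate(self, manual_list, is_usable=lambda a: True):
        self.auto_refresh = False                              # S302
        first_sub = [a for a in manual_list if is_usable(a)]   # step a
        second_sub = list(self.addresses)                      # step b
        merged = merge_addresses(first_sub, second_sub)        # step c
        self.addresses = merged                                # step d
        return merged

    def cancel_isolation(self):
        """Cancellation only restores refreshing; no cleanup is needed."""
        self.auto_refresh = True
        self.refresh_tick()


def select_target(pool, service, rule):
    """S303: filter pool addresses by the routing rule.
    None means a service call failure response, never a fallback."""
    for addr in pool.addresses:
        if addr.service == service and rule(addr):
            return addr
    return None


def downstream_alerts(pool, services, rule):
    """Services whose merged addresses are empty after rule filtering."""
    return [s for s in services if select_target(pool, s, rule) is None]


# Constructed sample data (not from the page).
FULL = [
    Address("order", "10.0.0.1", "room-a"),
    Address("order", "10.0.0.2", "room-a"),
    Address("pay", "10.0.1.1", "room-a"),
]
MANUAL = [Address("order", "10.9.9.9", "room-b")]


def any_room(addr):
    return True


def same_room_a(addr):
    return addr.room == "room-a"


if __name__ == "__main__":
    pool = RoutingAddressPool(FULL)
    pool.isolate(MANUAL)
    pool.refresh_tick()                      # period elapses, pool stays frozen
    print(select_target(pool, "order", any_room))
    print(downstream_alerts(pool, ["order", "pay"], same_room_a))
    pool.cancel_isolation()
    print(select_target(pool, "order", same_room_a))
```
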

The above embodiments describe in detail, from the perspective of the RPC client, how environment isolation is implemented. In addition, the present invention proposes another environment isolation method from the perspective of the environment isolation device. This method is applied to the environment isolation device, and the environment isolation device must be connected to the RPC client (either a physical connection or a logical connection). As shown in FIG. 5, the method includes the following steps:

S501: determine, according to the address information carried in the environment isolation request sent by the user, the RPC client that needs environment isolation; the routing address pool in the RPC client automatically refreshes the preset full addresses according to a preset period.

In a preferred embodiment of the present invention, the address information may specifically be a source IP address and a target IP address. Based on these two IP addresses, this step first extracts the address information from the environment isolation request, then obtains the service that needs environment isolation by querying the interface of the RPC server, and finally takes the RPC client corresponding to the source IP address as the RPC client that needs environment isolation.

S502: send an environment isolation indication to the RPC client, so that the RPC client stops automatically refreshing the routing address pool and replaces the current addresses in the routing address pool with a merged address; the merged address is generated by the RPC client by merging the current addresses in the routing address pool with the addresses in the preset manual address list.

Under normal circumstances, the RPC client in the present invention returns a response to the environment isolation device once environment isolation is initially complete. To ensure stability after environment isolation, the environment isolation device can therefore initiate an isolation status check and a downstream service availability check. The corresponding flows are as follows:

(1) Isolation status check

If the environment isolation success response sent by the RPC client is received, an isolation status check indication is sent to the RPC client, and the query result returned by the RPC client is fed back to the user. The status check indication causes the RPC client to query whether the interfaces between itself and each downstream RPC server are normal and to send the query result to the environment isolation device.

(2) Downstream service availability check

If the environment isolation success response sent by the RPC client is received, check whether the status of each downstream RPC server of the RPC client is normal, and determine whether the merged address in the routing address pool is empty after filtering by the preset routing rules. If a downstream RPC server is in an abnormal state, or the merged address in the routing address pool is empty after filtering by the preset routing rules, a downstream survival security alarm prompt is sent to the user.

Finally, when the user needs to cancel environment isolation, the user sends an environment isolation cancellation request to the environment isolation device. When the environment isolation device receives the environment isolation cancellation request sent by the user, it sends an environment isolation cancellation indication to the RPC client, so that the RPC client refreshes the merged address in the routing address pool to the full addresses and lets the routing address pool automatically refresh the preset full addresses according to the preset period.

It should be noted that, in the isolation flow above, isolation requests and the delivery of indications can generally be exchanged over the REST protocol. In these exchanges, however, the password may well be hijacked by a malicious user, who can then send malicious isolation requests. A preferred embodiment of the present invention therefore uses Digest authentication with an expiration time of 30 seconds (this time can be adjusted to the actual situation). This effectively prevents plaintext transmission of the password and replay attacks, supports verification of the server by the client, and provides a certain degree of tamper resistance; the user password is also encrypted, so that the user does not suffer a loss from a stolen password. The Response encryption algorithm is as follows:

1. HA1 = MD5(A1) = MD5(username:realm:password)

2. HA2 = MD5(A2) = MD5(method:digestURI:MD5(entityBody))

3. Response = MD5(HA1:nonce:nonceCount:clientNonce:qop:HA2)
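The three formulas above, together with the 30-second expiry, can be exercised end to end as follows. This is an added example, not code from the patent: the page does not say how the expiry is enforced, so the nonce layout (issue time plus an HMAC over it), the nonce-count bookkeeping, the realm, the `/isolate` URI and all sample values are assumptions.

```python
import hashlib
import hmac

NONCE_TTL_SECONDS = 30                       # expiry time given on the page
SERVER_SECRET = b"constructed-demo-secret"   # constructed sample value


def md5_hex(data):
    if isinstance(data, str):
        data = data.encode()
    return hashlib.md5(data).hexdigest()     # MD5 as in the page's formulas


def make_nonce(now):
    """Assumed nonce layout: '<issue time>.<HMAC of issue time>'."""
    ts = str(int(now))
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def nonce_is_fresh(nonce, now):
    ts, _, mac = nonce.partition(".")
    if not ts.isdecimal():
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                         # nonce not issued by this server
    return 0 <= now - int(ts) <= NONCE_TTL_SECONDS


def digest_response(username, realm, password, method, uri, body,
                    nonce, nonce_count, client_nonce, qop="auth-int"):
    ha1 = md5_hex(f"{username}:{realm}:{password}")                  # formula 1
    ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}")                 # formula 2
    return md5_hex(
        f"{ha1}:{nonce}:{nonce_count}:{client_nonce}:{qop}:{ha2}")   # formula 3


def build_request(username, realm, password, method, uri, body,
                  nonce, nonce_count, client_nonce, qop="auth-int"):
    """Client side: the password itself never travels, only the Response."""
    req = dict(username=username, realm=realm, method=method, uri=uri,
               body=body, nonce=nonce, nc=nonce_count, cnonce=client_nonce,
               qop=qop)
    req["response"] = digest_response(username, realm, password, method, uri,
                                      body, nonce, nonce_count, client_nonce,
                                      qop)
    return req


def verify(req, passwords, seen_counts, now):
    """Server side: expiry, then Response, then nonce-count replay check."""
    if not nonce_is_fresh(req["nonce"], now):
        return "stale nonce"
    password = passwords.get(req["username"])
    if password is None:
        return "bad response"
    expected = digest_response(req["username"], req["realm"], password,
                               req["method"], req["uri"], req["body"],
                               req["nonce"], req["nc"], req["cnonce"],
                               req["qop"])
    if not hmac.compare_digest(expected.encode(), req["response"].encode()):
        return "bad response"                # wrong password or altered body
    try:
        count = int(req["nc"], 16)
    except ValueError:
        return "bad nonce count"
    if count <= seen_counts.get(req["nonce"], 0):
        return "replayed nonce count"
    seen_counts[req["nonce"]] = count
    return "ok"


# Constructed sample isolation request (not from the page).
PASSWORDS = {"ops": "constructed-password"}
BODY = b'{"sourceIp": "10.0.0.5", "targetIp": "10.9.9.9"}'


def sample_request(issued_at=1000):
    return build_request("ops", "isolation-console", "constructed-password",
                         "POST", "/isolate", BODY, make_nonce(issued_at),
                         "00000001", "c0ffee")


if __name__ == "__main__":
    seen = {}
    req = sample_request()
    print(verify(req, PASSWORDS, seen, now=1010))   # within 30 s
    print(verify(req, PASSWORDS, seen, now=1011))   # same nonce count again
    print(verify(req, PASSWORDS, {}, now=1031))     # past the expiry time
```

Because HA2 covers MD5(entityBody), changing the source or target IP in the body invalidates the Response; that is the tamper resistance the paragraph above refers to.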

The above embodiments describe how the environment isolation device cooperates with the RPC client to implement environment isolation, and how the user's service call requests are served after isolation. To further explain the technical idea of the present invention, the technical solution is now described with reference to the specific application scenario shown in FIG. 6:

Step 1. The user initiates an isolation request to the isolation console through a browser and provides the isolation console with the isolation source IP and the target IP.

Step 2. The isolation console queries the server interface with the source IP and the target IP to obtain the service to be isolated, then, according to the source IP, initiates an isolation request to the RPC client where the source IP is located and passes the target IP as a parameter.

Step 3. After the RPC client obtains the target IP address passed in the previous step, it stops the automatic refresh of the address pool and modifies the addresses in the routing address pool. Specifically, the addresses in the manually set address list and the addresses in the original address pool are effectively merged by the address merge algorithm.

Step 4. After the previous step has finished, the isolation console sends the user a response indicating whether execution succeeded or failed.

Step 5. If the RPC client successfully performs request routing direction, the console starts the isolation status check and the downstream survival security check. The isolation status check reports the link isolation state, such as isolation enabled, isolation disabled, or abnormal status. The downstream survival security check monitors for a downstream machine restarting, or for the final address being empty after filtering by the routing rules, to prevent downstream unavailability from causing upstream stability problems that affect end users.

Step 6. The first five steps have completed environment isolation. The customer can now initiate a request to the RPC client. The RPC client obtains the merged addresses by querying the routing address pool, filters them through rules such as center, unit and same machine room to obtain the final valid target address (the result after merging may also be empty), and sends the RPC client's service request to the designated RPC server.

Step 7. The RPC server processes the request sent by the client and, after completing the business processing, returns the processing result to the RPC client.

Step 8. The RPC client presents the result to the user.

Step 9. When the user wants to cancel isolation, the user sends a cancel-isolation request to the isolation console, and the isolation console, according to the source IP, initiates a cancel-isolation request to the RPC client where the source IP is located.

Step 10. After receiving the cancellation request, the RPC client resumes refreshing the machine address pool and returns the execution result to the isolation console.

Step 11. After the previous step has finished, the isolation console sends the customer a response indicating whether execution succeeded or failed.

Based on the above flow, the overall architecture of this specific embodiment is as shown in the figure above, and its features are as follows:
1. No modification of the application is required;
2. No separate deployment or operation is required;
3. It takes effect immediately;
4. REST data transmission uses standard Digest authentication with an expiration time of 30 seconds, which effectively prevents plaintext transmission of the password and replay attacks, supports verification of the server by the client, and provides a certain degree of tamper resistance;
5. Service status and downstream survival security checks give high stability;
6. Deployment cost is low, and no special routing hardware support is required;
7. Operation is simple: a technician can operate through the visualized console or initiate requests directly over the REST protocol;
8. Isolation and cancellation of isolation are convenient, and cancelling isolation requires no cleanup work.

To achieve the above technical purpose, the present invention also proposes an RPC client. As shown in FIG. 8, the RPC client is connected to a preset environment isolation device, and the routing address pool in the RPC client automatically refreshes the preset full addresses according to a preset period. The RPC client further includes: a receiving module 810, which receives the environment isolation indication sent by the environment isolation device; a replacement module 820, by which the RPC client stops automatically refreshing the routing address pool and replaces the current addresses in the routing address pool with a merged address, the merged address being generated by the RPC client by merging the current addresses in the routing address pool with the addresses in the preset manual address list; a generating module 830, which, when the receiving module receives a service call request sent by the user, generates a valid target address according to the merged address in the routing address pool; and a sending module 840, which sends the service call request to the RPC server corresponding to the target address and feeds the business processing result returned by the RPC server back to the user.

In a specific application scenario, the manual address list is composed of the addresses of the RPC clients and RPC servers that participate in environment isolation, and the replacement module replaces the current addresses in the routing address pool with the merged address specifically by: selecting from the manual address list the first sub-address that can be used for address merging; taking the addresses in the routing address pool after automatic refresh has stopped as the second sub-address; merging the first sub-address and the second sub-address into the merged address according to a preset address merge algorithm; and deleting the current addresses in the routing address pool and adding the merged address to the routing address pool.

In a specific application scenario, the generating module is specifically configured to: query the preset routing rules and query the available device addresses in the routing address pool; filter the queried device addresses according to the routing rules; if a device address that satisfies the routing rules exists, use that device address as the target address; and if no device address satisfies the routing rules, return a service call failure response to the user.

In a specific application scenario, the RPC client further includes: a response module, which returns an environment isolation success response to the environment isolation device; and a query module, which, on receiving the isolation status check indication sent by the environment isolation device, queries whether the interfaces between the RPC client itself and each downstream RPC server are normal and sends the query result to the environment isolation device, so that the environment isolation device feeds the query result back to the user.

In a specific application scenario, the RPC client further includes: a revocation module, which, on receiving the environment isolation cancellation indication sent by the environment isolation device, refreshes the merged address in the routing address pool to the full addresses and lets the routing address pool automatically refresh the preset full addresses according to the preset period.

Correspondingly, the present invention also proposes an environment isolation device. As shown in FIG. 9, the environment isolation device is connected to an RPC client and includes: a determining module 910, which determines, according to the address information carried in the environment isolation request sent by the user, the RPC client that needs environment isolation, the routing address pool in the RPC client automatically refreshing the preset full addresses according to a preset period; and a sending module 920, which sends an environment isolation indication to the RPC client so that the RPC client stops automatically refreshing the routing address pool and replaces the current addresses in the routing address pool with a merged address, the merged address being generated by the RPC client by merging the current addresses in the routing address pool with the addresses in the preset manual address list.

In a specific application scenario, the address information is specifically a source IP address and a target IP address, and the determining module is specifically configured to: extract the address information from the environment isolation request; obtain the service that needs environment isolation by querying the interface of the RPC server; and take the RPC client corresponding to the source IP address as the RPC client that needs environment isolation.

In a specific application scenario, the device further includes: a first detection module, which, on receiving the environment isolation success response sent by the RPC client, sends an isolation status check indication to the RPC client and feeds the query result returned by the RPC client back to the user. The status check indication causes the RPC client to query whether the interfaces between itself and each downstream RPC server are normal and to send the query result to the environment isolation device.

In a specific application scenario, the device further includes: a second detection module, which, on receiving the environment isolation success response sent by the RPC client, checks whether the status of each downstream RPC server of the RPC client is normal and determines whether the merged address in the routing address pool is empty after filtering by the preset routing rules, and which sends a downstream survival security alarm prompt to the user when a downstream RPC server is in an abnormal state or the merged address in the routing address pool is empty after filtering by the preset routing rules.

In a specific application scenario, the device further includes: a revocation module, which, on receiving the environment isolation cancellation request sent by the user, sends an environment isolation cancellation indication to the RPC client, so that the RPC client refreshes the merged address in the routing address pool to the full addresses and lets the routing address pool automatically refresh the preset full addresses according to the preset period.

By applying the technical solution of the present invention, the routing address pool in the RPC client is set in advance to automatically refresh the preset full addresses according to a preset period. After receiving the environment isolation indication sent by the environment isolation device, the RPC client stops automatically refreshing the routing address pool and replaces the current addresses in the routing address pool with a merged address. When the RPC client subsequently receives a service call request sent by the user, it generates a valid target address according to the merged address in the routing address pool, sends the service call request to the RPC server corresponding to the target address, and feeds the business processing result returned by the RPC server back to the user. In this way, without modifying the hardware, the problems of high complexity and incomplete isolation that arise when performing environment isolation during RPC calls are solved, and the security and stability of environment isolation are ensured.

From the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented in hardware, or in software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, a flash drive or a portable hard disk) and includes a number of instructions that cause a computer device (such as a personal computer, a server or a network device) to perform the methods of the various implementation scenarios of the present invention.

Those skilled in the art will understand that the drawings are only schematic diagrams of a preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to implement the present invention.

Those skilled in the art will understand that the modules of a device in an implementation scenario may be distributed in the device as described for that scenario, or may be changed accordingly and located in one or more devices different from that of the implementation scenario. The modules of the above implementation scenarios may be combined into one module or further split into multiple sub-modules.

The serial numbers used above are for description only and do not indicate the relative merits of the implementation scenarios.

The above discloses only a few specific implementation scenarios of the present invention. The present invention is not limited to them, however, and any variation that a person skilled in the art can conceive of shall fall within the protection scope of the present invention.

Claims (20)

1. An environment isolation method, applied to an RPC client, characterized in that an environment isolation device connected to the RPC client is preset, and a routing address pool in the RPC client automatically refreshes a preset full address according to a preset period, the method further comprising: the RPC client receiving an environment isolation indication sent by the environment isolation device; the RPC client stopping the automatic refresh of the routing address pool and replacing the current address in the routing address pool with a merged address, the merged address being generated by the RPC client by merging the current address in the routing address pool with the addresses in a preset manual address list; when the RPC client receives a service call request sent by a user, generating a valid target address according to the merged address in the routing address pool; the RPC client sending the service call request to the RPC server corresponding to the target address, and feeding the service processing result returned by the RPC server back to the user.

2. The method of claim 1, wherein the manual address list consists of the addresses of the RPC clients and RPC servers participating in the environment isolation, and the RPC client replacing the current address in the routing address pool with the merged address specifically comprises: selecting from the manual address list a first sub-address that can be used for address merging; taking the address in the routing address pool after the automatic refresh has stopped as a second sub-address; merging the first sub-address and the second sub-address into the merged address according to a preset address merging algorithm; deleting the current address in the routing address pool and adding the merged address to the routing address pool.

3. The method of claim 1, wherein the RPC client generating a valid target address according to the merged address in the routing address pool specifically comprises: querying a preset routing rule, and querying the routing address pool for available device addresses; filtering the queried device addresses according to the routing rule; if a device address that satisfies the routing rule exists, using that device address as the target address; if no device address that satisfies the routing rule exists, returning a service call failure response to the user.

4. The method of claim 1, wherein, after the RPC client replaces the current address in the routing address pool with the merged address, the method further comprises: returning an environment isolation success response to the environment isolation device; upon receiving an isolation status check indication sent by the environment isolation device, querying whether the interfaces between itself and each downstream RPC server are normal, and sending the query result to the environment isolation device, so that the environment isolation device feeds the query result back to the user.

5. The method of claim 1, wherein, after the RPC client replaces the current address in the routing address pool with the merged address, the method further comprises: if an environment isolation cancellation indication sent by the environment isolation device is received, refreshing the merged address in the routing address pool to the full address, and causing the routing address pool to automatically refresh the preset full address according to the preset period.

6. An environment isolation method, characterized in that the method is applied to an environment isolation device, the environment isolation device being connected to an RPC client, the method comprising: determining, according to address information carried in an environment isolation request sent by a user, the RPC client that needs environment isolation, wherein a routing address pool in the RPC client automatically refreshes a preset full address according to a preset period; sending an environment isolation indication to the RPC client, so that the RPC client stops automatically refreshing the routing address pool and replaces the current address in the routing address pool with a merged address, the merged address being generated by the RPC client by merging the current address in the routing address pool with the addresses in a preset manual address list.

7. The method of claim 6, wherein the address information is specifically a source IP address and a target IP address, and determining the RPC client that needs environment isolation according to the address information carried in the environment isolation request sent by the user specifically comprises: extracting the address information from the environment isolation request; obtaining the service that needs environment isolation by querying the interface of the RPC server; using the RPC client corresponding to the source IP address as the RPC client that needs environment isolation.

8. The method of claim 6, wherein, after sending the environment isolation indication to the RPC client, the method further comprises: if an environment isolation success response sent by the RPC client is received, sending an isolation status check indication to the RPC client, and feeding the query result returned by the RPC client back to the user; the status check indication being used to cause the RPC client to query whether the interfaces between itself and each downstream RPC server are normal and to send the query result to the environment isolation device.

9. The method of claim 6, wherein, after sending the environment isolation indication to the RPC client, the method further comprises: if an environment isolation success response sent by the RPC client is received, detecting whether the status of each downstream RPC server of the RPC client is normal, and determining whether the merged address in the routing address pool is empty after being filtered by the preset routing rule; if a downstream RPC server in an abnormal state exists, or the merged address in the routing address pool is empty after being filtered by the preset routing rule, sending a downstream liveness security alert to the user.

10. The method of claim 6, wherein, after sending the environment isolation indication to the RPC client, the method further comprises: upon receiving an environment isolation cancellation request sent by the user, sending an environment isolation cancellation indication to the RPC client, so that the RPC client refreshes the merged address in the routing address pool to the full address and causes the routing address pool to automatically refresh the preset full address according to the preset period.

11. An RPC client, characterized in that the RPC client is connected to a preset environment isolation device, a routing address pool in the RPC client automatically refreshes a preset full address according to a preset period, and the RPC client further comprises: a receiving module, which receives an environment isolation indication sent by the environment isolation device; a replacement module, which stops the automatic refresh of the routing address pool and replaces the current address in the routing address pool with a merged address, the merged address being generated by the RPC client by merging the current address in the routing address pool with the addresses in a preset manual address list; a generation module, which, when the receiving module receives a service call request sent by a user, generates a valid target address according to the merged address in the routing address pool; a sending module, which sends the service call request to the RPC server corresponding to the target address and feeds the service processing result returned by the RPC server back to the user.

12. The RPC client of claim 11, wherein the manual address list consists of the addresses of the RPC clients and RPC servers participating in the environment isolation, and the replacement module replacing the current address in the routing address pool with the merged address specifically comprises: selecting from the manual address list a first sub-address that can be used for address merging; taking the address in the routing address pool after the automatic refresh has stopped as a second sub-address; merging the first sub-address and the second sub-address into the merged address according to a preset address merging algorithm; deleting the current address in the routing address pool and adding the merged address to the routing address pool.

13. The RPC client of claim 11, wherein the generation module is specifically configured to: query a preset routing rule, and query the routing address pool for available device addresses; filter the queried device addresses according to the routing rule; if a device address that satisfies the routing rule exists, use that device address as the target address; if no device address that satisfies the routing rule exists, return a service call failure response to the user.

14. The RPC client of claim 11, further comprising: a response module, which returns an environment isolation success response to the environment isolation device; a query module, which, upon receiving an isolation status check indication sent by the environment isolation device, queries whether the interfaces between the RPC client and each downstream RPC server are normal and sends the query result to the environment isolation device, so that the environment isolation device feeds the query result back to the user.

15. The RPC client of claim 11, further comprising: a cancellation module, which, upon receiving an environment isolation cancellation indication sent by the environment isolation device, refreshes the merged address in the routing address pool to the full address and causes the routing address pool to automatically refresh the preset full address according to the preset period.

16. An environment isolation device, characterized in that the environment isolation device is connected to an RPC client, the environment isolation device comprising: a determination module, which determines, according to address information carried in an environment isolation request sent by a user, the RPC client that needs environment isolation, wherein a routing address pool in the RPC client automatically refreshes a preset full address according to a preset period; a sending module, which sends an environment isolation indication to the RPC client, so that the RPC client stops automatically refreshing the routing address pool and replaces the current address in the routing address pool with a merged address, the merged address being generated by the RPC client by merging the current address in the routing address pool with the addresses in a preset manual address list.

17. The environment isolation device of claim 16, wherein the address information is specifically a source IP address and a target IP address, and the determination module is specifically configured to: extract the address information from the environment isolation request; obtain the service that needs environment isolation by querying the interface of the RPC server; use the RPC client corresponding to the source IP address as the RPC client that needs environment isolation.

18. The environment isolation device of claim 16, further comprising: a first detection module, which, upon receiving an environment isolation success response sent by the RPC client, sends an isolation status check indication to the RPC client and feeds the query result returned by the RPC client back to the user; the status check indication being used to cause the RPC client to query whether the interfaces between itself and each downstream RPC server are normal and to send the query result to the environment isolation device.

19. The environment isolation device of claim 16, further comprising: a second detection module, which, upon receiving an environment isolation success response sent by the RPC client, detects whether the status of each downstream RPC server of the RPC client is normal, determines whether the merged address in the routing address pool is empty after being filtered by the preset routing rule, and, when a downstream RPC server in an abnormal state exists or the merged address in the routing address pool is empty after being filtered by the preset routing rule, sends a downstream liveness security alert to the user.

20. The environment isolation device of claim 16, further comprising: a cancellation module, which, upon receiving an environment isolation cancellation request sent by the user, sends an environment isolation cancellation indication to the RPC client, so that the RPC client refreshes the merged address in the routing address pool to the full address and causes the routing address pool to automatically refresh the preset full address according to the preset period.
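The client-side behaviour recited in claims 1 to 5, together with the empty-pool check of claim 9, shown as an added Python example; it is not code from the patent or the applicant. Assumptions: addresses are `ip:port` strings, the routing rule is a predicate, the "preset address merging algorithm" (which the claims leave unspecified) is taken to be an intersection, and all names and sample addresses are hypothetical.

```python
import ipaddress


def usable(addr):
    """Filter for manual-list entries: well-formed 'ip:port' only."""
    host, sep, port = addr.rpartition(":")
    try:
        ipaddress.ip_address(host)
        return sep == ":" and 0 < int(port) < 65536
    except ValueError:
        return False


class RoutingAddressPool:
    def __init__(self, fetch_full, route_rule):
        self.fetch_full = fetch_full   # returns the preset full address list
        self.route_rule = route_rule   # predicate applied when a call is routed
        self.auto_refresh = True
        self.pool = list(fetch_full())

    def refresh_tick(self):
        """Runs once per preset period; does nothing while isolated."""
        if self.auto_refresh:
            self.pool = list(self.fetch_full())

    def isolate(self, manual_list):
        """Isolation indication: stop refreshing, swap in the merged address."""
        self.auto_refresh = False
        first = {a for a in manual_list if usable(a)}  # first sub-address
        second = self.pool                             # second sub-address
        # ASSUMPTION: the "preset merging algorithm" is an intersection.
        self.pool = [a for a in second if a in first]
        return list(self.pool)

    def cancel_isolation(self):
        """Cancellation indication: back to the full address and auto-refresh."""
        self.pool = list(self.fetch_full())
        self.auto_refresh = True

    def target_address(self):
        """First pool entry passing the routing rule; None means call failure.
        There is deliberately no fallback to the full address list."""
        return next((a for a in self.pool if self.route_rule(a)), None)

    def needs_downstream_alert(self):
        """True when the isolated pool is empty after routing-rule filtering."""
        return not self.auto_refresh and self.target_address() is None


def demo():
    registry = ["10.0.0.11:9000", "10.0.0.12:9000", "10.0.9.21:9000"]  # constructed
    pool = RoutingAddressPool(lambda: registry, lambda a: a.startswith("10.0."))
    merged = pool.isolate(["10.0.9.21:9000", "10.0.9.22:9000", "bad-entry"])
    registry.append("10.0.0.13:9000")  # full list changes during isolation
    pool.refresh_tick()                # frozen: the new address must not appear
    during, target = list(pool.pool), pool.target_address()
    pool.cancel_isolation()
    return merged, during, target, list(pool.pool)


if __name__ == "__main__":
    print(demo())
```

The property worth checking in any implementation is that an isolated pool fails closed: a refresh tick or an empty filter result must never route a call outside the merged address.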
TW106102699A 2017-01-24 2017-01-24 Environmental isolation method and equipment TWI717457B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106102699A TWI717457B (en) 2017-01-24 2017-01-24 Environmental isolation method and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW106102699A TWI717457B (en) 2017-01-24 2017-01-24 Environmental isolation method and equipment

Publications (2)

Publication Number Publication Date
TW201828655A true TW201828655A (en) 2018-08-01
TWI717457B TWI717457B (en) 2021-02-01

Family

ID=63960572

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106102699A TWI717457B (en) 2017-01-24 2017-01-24 Environmental isolation method and equipment

Country Status (1)

Country Link
TW (1) TWI717457B (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6434627B1 (en) * 1999-03-15 2002-08-13 Cisco Technology, Inc. IP network for accomodating mobile users with incompatible network addressing
CN106911648B (en) * 2015-12-23 2019-12-24 阿里巴巴集团控股有限公司 Environment isolation method and equipment

Also Published As

Publication number Publication date
TWI717457B (en) 2021-02-01
