CN109587169B - Service admission management method and device - Google Patents

Publication number
CN109587169B
Authority
CN
China
Prior art keywords
service
instance
service instance
registration
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811643160.2A
Other languages
Chinese (zh)
Other versions
CN109587169A (en)
Inventor
贾斯亮
周春楠
赵贵阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yiyang Safety Technology Co ltd
Original Assignee
Yiyang Safety Technology Co ltd
Application filed by Yiyang Safety Technology Co ltd
Priority to CN201811643160.2A
Publication of CN109587169A
Application granted
Publication of CN109587169B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/335 User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Abstract

A service admission management method, comprising: a service publisher sends the registry a request for a service admission token for a service instance; the registry reviews the token request; if the request is approved, the registry generates a service admission token and returns it to the service publisher; the service publisher sets the service admission token in the registration configuration information of the service instance and then sends a service registration request for the service instance to the registry; the registry verifies the service admission token in the registration configuration information carried in the service registration request; and if authentication succeeds, the registry registers the service instance. The invention also discloses a service admission management device. The invention mainly adds a security restriction at service registration time, allowing only approved service instances to be registered with the registry, which improves the security of the service.

Description

Service admission management method and device
Technical Field
The invention relates to the field of Internet technology, and in particular to a service admission management method and device.
Background
Microservices are an architectural style in which a large, complex piece of software is composed of one or more microservices. Each microservice in the system can be deployed independently, and the microservices are loosely coupled. Each microservice is concerned only with completing one task and completing it well. In all cases, each task represents a small business capability.
With the popularity of microservice architecture, especially after the large-scale adoption of containers, it is increasingly common to build a relatively powerful application out of multiple microservices. Service registration of service instances is an essential function in a microservice architecture. The registry automatically registers the service instance information it receives (mainly the service instance name, the service instance deployment network address, and the running status) according to its configuration. In addition, the microservice architecture allows service instances with duplicate names to be registered; they are treated as instances of the same business capability service under the same name. When the same service request is received from a service consumer, the API management system of the microservice architecture distributes the request across the service instances with the same service capability by load balancing.
Therefore, in existing microservice architectures the service registration function has a common problem: a service instance can be registered as long as it conforms to the registration configuration of the registry, and it can provide services externally once registration succeeds. This problem may lead to two security risks: 1. An unauthorized registered service is made available to service consumers outside the gateway and becomes a channel for bypassing the gateway's security protection and entering the interior of the gateway. 2. An impersonating service instance is registered and obtains the data that service consumers submit when they access it, causing information leakage.
A service admission management method and device that meets security requirements is therefore urgently needed.
Disclosure of Invention
The invention discloses a service admission management method, comprising the following steps:
the service publisher sends the registry a request for a service admission token for a service instance;
the registry reviews the service admission token request for the service instance;
if the request is approved, the registry generates the service admission token of the service instance from the content carried in the token request, generates and stores an approval record for the token request, and returns the service admission token of the service instance to the service publisher; if the request is not approved, the registry returns a rejection notice for the token request to the service publisher;
after receiving the service admission token of the service instance, the service publisher sets the service admission token in the registration configuration information of the service instance, and then sends a service registration request of the service instance to the registration center;
the registry verifies the service admission token in the registration configuration information carried in the service registration request of the service instance; if authentication succeeds, the registry registers the service instance according to the registration configuration information carried in the service registration request; otherwise, it sends a rejection notice for the service registration request to the service publisher.
Preferably, after the registry registers the service instance according to the registration configuration information carried in the service registration request, the method further includes:
a service auditor sends a service audit request for a service instance to the registry, the request carrying the service instance name and the service instance deployment network address;
the registry matches the service instance name and the service instance deployment network address carried in the received service audit request against the corresponding content in the approval records; if a match is found, the registry returns the approval record of the service admission token request for the service instance to the service auditor, so that the service auditor can trace the service publisher of the service instance; otherwise, it returns a rejection notice for the service audit request to the service auditor.
Specifically, the service admission token request that the service publisher sends to the registry carries the service publisher account, the service instance name, and the service instance deployment network address.
Specifically, the registry reviews the service admission token request for the service instance as follows:
the registry looks up the service instance name and the service instance deployment network address contained in the token request in the current set of service admission token approval records; if no match is found, the request is approved; otherwise, the request is not approved.
Specifically, the registry generates the service admission token of the service instance from the content carried in the token request, and generates and stores the approval record, as follows:
the registry generates and stores an approval record for the token request, the approval record comprising: the service admission token of the service instance, the service publisher account, the service instance name, and the service instance deployment network address.
Specifically, the registry verifies the service admission token in the registration configuration information carried in the service registration request of the service instance as follows:
step one, the registry matches the service admission token carried in the service registration request against the corresponding content in the current set of service admission token approval records; if a match is found, step two is executed; otherwise, authentication fails and the registry returns a rejection notice for the service registration request to the service publisher;
step two, if the match in step one succeeds, the registry initiates an HTTP access request based on the service instance name and the service instance deployment network address in the service admission token approval record; if the HTTP request returns a status indicating successful access, authentication succeeds; otherwise, authentication fails and the registry returns a rejection notice for the service registration request to the service publisher.
The invention also discloses a service admission management device, comprising a service publishing unit and a registry, wherein:
the service publishing unit is configured to send the registry a request for a service admission token for a service instance; to receive the service admission token of the service instance returned by the registry and then set it in the registration configuration information of the service instance, or to receive the rejection notice for the token request sent by the registry; to send a service registration request for the service instance to the registry after the service admission token has been set; and to receive the rejection notice for the service registration request returned by the registry;
the registry is configured to receive the service admission token request sent by the service publishing unit; to review the token request; if the request is approved, to generate the service admission token of the service instance from the content carried in the token request, generate and store an approval record for the token request, and return the service admission token to the service publishing unit; if the request is not approved, to return a rejection notice for the token request to the service publishing unit; the registry is further configured to receive the service registration request of the service instance sent by the service publishing unit, verify the service admission token in the registration configuration information carried in the service registration request, and, if authentication succeeds, register the service instance according to that registration configuration information; otherwise, to send a rejection notice for the service registration request to the service publishing unit.
Specifically, the service publishing unit includes:
the token request processing module, configured to send the registry a request for a service admission token for a service instance; to receive the service admission token of the service instance returned by the registry; or to receive the rejection notice for the token request returned by the registry;
the token setting module, configured to set the service admission token obtained by the token request processing module in the registration configuration information of the service instance;
the service registration request processing module, configured to send a service registration request for the service instance to the registry once the token setting module has set the service admission token for the service instance; and to receive the rejection notice for the service registration request returned by the registry.
Specifically, the registry includes:
the token approval and generation module, configured to receive the service admission token request sent by the service publishing unit and review it; if the request is approved, to generate the service admission token of the service instance from the content carried in the token request, generate and store an approval record for the token request, and return the service admission token to the service publishing unit; if the request is not approved, to return a rejection notice for the token request to the service publishing unit;
the approval record comprises: the service admission token of the service instance, the service publisher account, the service instance name, and the service instance deployment network address;
the authentication and registration module, configured to receive the service registration request of the service instance sent by the service publishing unit; to verify the service admission token in the registration configuration information carried in the service registration request; if authentication succeeds, to register the service instance according to the registration configuration information carried in the service registration request; and if authentication fails, to send a rejection notice for the service registration request to the service publishing unit.
Preferably, the apparatus further comprises:
the service audit unit, configured to send a service audit request for a service instance to the registry, the request carrying the service instance name and the service instance deployment network address; and to receive the approval record of the service admission token request returned by the registry, or the rejection notice for the service audit request returned by the registry;
the registry further comprises an audit request processing module, configured to receive the service audit request sent by the service audit unit and to match the service instance name and the service instance deployment network address carried in the request against the corresponding content in the current set of approval records; if a match is found, to return the approval record of the service admission token request for the service instance to the service auditor, so that the service auditor can trace the service publisher of the service instance; otherwise, to return a rejection notice for the service audit request to the service auditor.
Compared with the prior art, in which a service instance can be registered arbitrarily and poses a major security risk, the invention uses a service admission token that is applied for, approved, and issued before service release as the key element of service admission management, associating the service instance, the service publisher, and the service admission token with one another; verifying the service admission token at service registration adds a security restriction at registration time, so that only a service instance carrying an approved and issued service admission token can be registered with the registry, which improves the security of service registration. Preferably, the invention also discloses a service audit method that can trace every service instance providing services externally back to its service publisher, and can trace unauthorized registered service instances and registered impersonating service instances.
Drawings
To illustrate the embodiments of the present invention and the technical solutions in the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a service admission management method according to the first embodiment of the present application;
Fig. 2 is a schematic flowchart of a method according to the second embodiment of the present application;
Fig. 3 is a schematic structural diagram of a service admission management device according to the third embodiment of the present application;
Fig. 4 is a schematic structural diagram of a device according to the fourth embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can obtain from these embodiments without inventive effort fall within the scope of the present invention.
Referring to Fig. 1, which is a schematic flowchart of the service admission management method according to the first embodiment of the present application, the method includes:
Step S101: the service publisher sends the registry a request for a service admission token for a service instance.
The service publisher is responsible for deploying service instances in the micro-service architecture and requesting service registration for the service instances, and the service publisher account is a unique identifier of the service publisher.
After deploying the service instance and before requesting service registration, the service publisher needs to apply for a service admission token of the service instance.
The registry is an important component in the micro service architecture and is responsible for the service registration function in the micro service architecture.
When the service publisher sends the service admission token request to the registry, the request must carry basic information that declares the identity and attributes of the service instance to the registry, such as the service publisher account, the service instance name, and the service instance deployment network address, to facilitate receiving the response and security management.
Step S102: the registry reviews the service admission token request for the service instance.
The registry reviews the token request as follows:
the registry looks up the service instance name and the service instance deployment network address contained in the token request in the current set of service admission token approval records; if no match is found, the request is approved; otherwise, the request is not approved.
Each service instance has a unique identity attribute, namely its service instance name and deployment network address. If no match is found for this identity information, no service admission token has been issued for the service instance, so the request can be approved and a token issued; otherwise, the service instance has already obtained a service admission token, the request is not approved, and no token is issued again. This ensures the uniqueness of externally published service instances and provides a basic guarantee for tracing and accountability in service audits.
Note that approval rules may also be added according to actual business requirements. For example, an account whitelist of service publishers can restrict service registration to accounts within a trusted range; and associating the request with a work order for opening a new service can restrict service registration and the service content that is added.
Step S103: if the request is approved, the registry generates the service admission token of the service instance from the content carried in the token request, generates and stores an approval record for the token request, and returns the service admission token of the service instance to the service publisher.
The registry generates the service admission token and generates and stores the approval record as follows:
the registry generates and stores an approval record for the token request, the approval record comprising: the service admission token of the service instance, the service publisher account, the service instance name, and the service instance deployment network address.
The registry generates the service admission token as follows: it takes the service publisher account, the service instance name, and the network address of the service instance from the token request content and computes the token with a hash algorithm. The service admission token is unique, and service admission tokens correspond one-to-one with service instances. The unique token can also serve as the unique identifier of the approval record, providing a basic guarantee for subsequent authentication and service audit. The token is irreversible: an illegitimate user cannot reverse-compute the service publisher account, the service instance name, and the service instance deployment network address from the token. Compared with directly comparing the service instance name and the service instance deployment network address, using the token as the security restriction for service admission is more convenient and more secure.
The approval record can be stored in a database, a file, memory, or another storage medium.
Note that the contents of the approval record may also be extended according to actual business requirements, for example with: the request number of the service admission token request, the time the request was initiated, the time the request was approved, and the time the service admission token was sent.
Step S104: if the request is not approved, the registry returns a rejection notice for the service admission token request to the service publisher.
Step S105: after receiving the service admission token of the service instance, the service publisher sets the service admission token in the registration configuration information of the service instance, and then sends a service registration request for the service instance to the registry.
Step S106: the registry verifies the service admission token in the registration configuration information carried in the service registration request of the service instance.
The registry verifies the service admission token as follows:
Step one: the registry matches the service admission token carried in the service registration request against the service admission tokens in the current set of service admission token approval records; if a match is found, step two is executed; otherwise, authentication fails and the registry returns a rejection notice for the service registration request to the service publisher.
Step one rejects service registration requests from service instances that have not obtained a service admission token; it also determines whether the service admission token carried in the registration request was issued after approval, and screens out forged service admission tokens.
Step two: if the match in step one succeeds, the registry initiates an HTTP access request based on the service instance name and the service instance deployment network address recorded in the approval record; if the HTTP request returns a status indicating successful access, authentication succeeds.
Step two first confirms that the service instance has been deployed successfully, and then confirms that the name and actual deployment network address of the service instance are consistent with the information in the application. Authentication succeeds only if both steps succeed.
Step S107: if authentication succeeds, the registry registers the service instance according to the registration configuration information carried in the service registration request of the service instance.
Service registration means maintaining a service registry, that is, registering and deregistering service instances in the service registry according to their network address and running state. The service registry is a list containing the network addresses of service instances, and only service instances in the service registry can provide services externally.
Step S108: if authentication fails, the registry sends a rejection notice for the service registration request to the service publisher.
Compared with the prior art, in which a service instance can be registered arbitrarily and poses a major security risk, this method manages service registration. Before service release, a service admission token that is applied for, approved, and issued serves as the key element of service admission management, associating the service instance, the service publisher, and the service admission token with one another. Verifying the service admission token at service registration adds a security restriction at registration time, so that only a service instance carrying an approved and issued service admission token can be registered with the registry, which improves the security of service registration.
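The flow of steps S101 to S108, together with the audit lookup from the disclosure, written out as an added Python example; it is not code from the patent. The patent says only that the token is computed "using a Hash algorithm"; HMAC-SHA-256 under a registry-held key is this example's choice, so that a token cannot be recomputed from the three request fields alone. The `Registry` class, the `admission_token`/`name`/`address` configuration keys, the `http://<address>/<name>` probe URL and all sample values are assumptions.

```python
import hashlib
import hmac
import json
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovalRecord:
    """Approval record fields listed in step S103."""
    token: str
    publisher_account: str
    instance_name: str
    instance_address: str


def http_probe(url, timeout=3.0):
    """Step two of S106: True if an HTTP GET to the instance succeeds."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (OSError, ValueError):  # URLError and HTTPError subclass OSError
        return False


class Registry:
    def __init__(self, secret, probe=http_probe, allowed_accounts=None):
        self._secret = secret             # assumption: registry-held HMAC key
        self._probe = probe               # injectable so the demo runs offline
        self._allowed = allowed_accounts  # optional publisher account whitelist
        self._records = {}                # token -> ApprovalRecord
        self._by_identity = {}            # (name, address) -> token
        self.service_registry = {}        # name -> set of registered addresses

    def _make_token(self, account, name, address):
        # A JSON array keeps field boundaries unambiguous, so ("ab", "c")
        # and ("a", "bc") never hash to the same input.
        msg = json.dumps([account, name, address]).encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_token(self, account, name, address):
        """S102-S104: return a token if approved, None as the rejection."""
        if self._allowed is not None and account not in self._allowed:
            return None
        if (name, address) in self._by_identity:
            return None  # a token was already issued for this identity
        token = self._make_token(account, name, address)
        self._records[token] = ApprovalRecord(token, account, name, address)
        self._by_identity[(name, address)] = token
        return token

    def register(self, config):
        """S106-S108: True if the instance was registered, False if rejected."""
        rec = self._records.get(config.get("admission_token", ""))
        if rec is None:
            return False  # step one: unknown or forged token
        # Check added in this example: the request must name the approved
        # identity, so a valid token cannot register a different address.
        if (config.get("name"), config.get("address")) != (
                rec.instance_name, rec.instance_address):
            return False
        # Step two: probe the address stored in the approval record.
        if not self._probe(f"http://{rec.instance_address}/{rec.instance_name}"):
            return False
        self.service_registry.setdefault(
            rec.instance_name, set()).add(rec.instance_address)
        return True

    def audit(self, name, address):
        """Audit lookup: the approval record for an instance, or None."""
        token = self._by_identity.get((name, address))
        return self._records.get(token) if token else None


def demo():
    # Constructed sample data: one deployed instance, one not yet deployed.
    live = {"http://10.0.0.5:8080/orders"}
    reg = Registry(b"constructed-demo-key", probe=lambda url: url in live)
    orders = {"name": "orders", "address": "10.0.0.5:8080"}
    tok = reg.request_token("team-a", "orders", "10.0.0.5:8080")
    dup = reg.request_token("team-b", "orders", "10.0.0.5:8080")
    forged = reg.register({**orders, "admission_token": "0" * 64})
    ok = reg.register({**orders, "admission_token": tok})
    tok2 = reg.request_token("team-a", "billing", "10.0.0.6:8080")
    down = reg.register({"name": "billing", "address": "10.0.0.6:8080",
                         "admission_token": tok2})
    return {
        "duplicate_rejected": dup is None,
        "forged_rejected": forged is False,
        "registered": ok,
        "undeployed_rejected": down is False,
        "audit_publisher": reg.audit("orders", "10.0.0.5:8080").publisher_account,
    }


if __name__ == "__main__":
    print(demo())
```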
Fig. 2 is a schematic flow chart of the method provided by the second embodiment of the present application, in which, after a service instance has been registered and provides a service externally, the service instance can also be audited using the service admission token. The method includes:
Step S201: the service publisher sends a service admission token request for the service instance to the registration center.
Step S202: the registration center examines and approves the service admission token request for the service instance.
Step S203: if the approval passes, the registration center creates the service admission token of the service instance according to the content carried in the service admission token request, generates and stores an approval record of the service admission token application for the service instance, and returns the service admission token of the service instance to the service publisher.
Step S204: if the approval fails, the registration center returns a rejection notice for the service admission token request to the service publisher.
Step S205: after receiving the service admission token of the service instance, the service publisher sets the service admission token in the registration configuration information of the service instance, and then sends a service registration request of the service instance to the registration center.
Step S206: the registration center confirms and authenticates the service admission token in the registration configuration information carried in the service registration request of the service instance.
Step S207: if the authentication succeeds, the registration center performs service registration on the service instance according to the registration configuration information carried in the service registration request of the service instance.
Step S208: if the authentication fails, the registration center sends a rejection notice for the service registration request of the service instance to the service publisher.
Step S209: the service auditor sends a service audit request of the service instance to the registration center, wherein the service audit request carries content including the service instance name and the service instance deployment network address.
The service auditor is a third party independent of the service publisher and the registration center, and is mainly responsible for tracing the service publisher of a specific service instance that has completed service registration and provides a service externally.
Step S210: the registration center matches the service instance name and the service instance deployment network address carried in the received service audit request against the corresponding content in the current approval record set.
Because service instances with the same name are not allowed to be deployed at the same network address, and the network address comprises an IP address and a port number, comparing the service instance name and the service instance deployment network address can match only one approval record of a service admission token application, and that approval record contains the account of the service publisher. The service publisher can be traced through this account.
Step S211: if the matching succeeds, the registration center returns the approval record of the service admission token application for the service instance to the service auditor, so that the service auditor can trace the service publisher of the service instance.
Step S212: if the matching fails, the registration center returns a rejection notice for the service audit request of the service instance to the service auditor.
In the prior art, a service instance can be registered arbitrarily, which poses a serious security risk; this method, by contrast, manages service registration. Before a service is released, the service admission token that has been applied for, approved and issued serves as the key element of service admission management and associates the service instance, the service publisher and the service admission token with one another. Confirming and authenticating the service admission token at service registration adds a security restriction to registration: only a service instance carrying an approved and issued service admission token is allowed to register in the registration center, which improves the security of service registration. Service auditing of successfully registered service instances means that every service instance providing a service externally can be traced back to a service publisher, thereby realizing a safe, reliable and traceable service admission management capability.
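The flow of steps S201 to S212 above, as an added example that is not code from the patent: a minimal in-memory registration center in Python. The random token format, the `http://<address>/<name>` probe URL, the explicit comparison of the request's name and address with the approval record, and all sample accounts, names and addresses are assumptions.

```python
"""Added example: in-memory model of steps S201-S212. Not code from the patent."""
import http.client
import secrets
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class ApprovalRecord:
    token: str
    publisher_account: str
    instance_name: str
    address: str  # deployment network address, "ip:port"


def http_probe(name: str, address: str, timeout: float = 3.0) -> bool:
    """Step-two check. The URL layout http://<ip:port>/<name> is an assumption."""
    try:
        with urllib.request.urlopen(f"http://{address}/{name}", timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (OSError, ValueError, http.client.HTTPException):
        return False


class RegistrationCenter:
    def __init__(self, probe: Callable[[str, str], bool] = http_probe) -> None:
        self._probe = probe
        self._by_token: Dict[str, ApprovalRecord] = {}
        self._by_instance: Dict[Tuple[str, str], ApprovalRecord] = {}
        self.service_registry: Set[Tuple[str, str]] = set()

    def request_token(self, account: str, name: str, address: str) -> Optional[str]:
        """S201-S204: approve only if no record already holds this name + address."""
        key = (name, address)
        if key in self._by_instance:
            return None  # S204: rejection
        token = secrets.token_urlsafe(32)  # assumption: opaque random token
        record = ApprovalRecord(token, account, name, address)
        self._by_token[token] = record
        self._by_instance[key] = record
        return token  # S203

    def register(self, token: str, name: str, address: str) -> bool:
        """S205-S208: two-step authentication, then entry into the service registry."""
        record = self._by_token.get(token)  # step one: token must match an approval record
        if record is None:
            return False
        # Assumption: consistency with the application is enforced by comparing the
        # request's name and address with the record bound to the token.
        if (name, address) != (record.instance_name, record.address):
            return False
        # Step two: probe the approved address, never one taken from the request.
        if not self._probe(record.instance_name, record.address):
            return False
        self.service_registry.add((record.instance_name, record.address))
        return True

    def audit(self, name: str, address: str) -> Optional[ApprovalRecord]:
        """S209-S212: name + address identifies at most one approval record."""
        return self._by_instance.get((name, address))


def demo() -> dict:
    """Constructed scenario; accounts, names and addresses are sample values."""
    deployed = {("order-service", "10.0.0.5:8080")}  # what the fake probe finds live
    rc = RegistrationCenter(probe=lambda n, a: (n, a) in deployed)
    token = rc.request_token("publisher-01", "order-service", "10.0.0.5:8080")
    pending = rc.request_token("publisher-02", "pay-service", "10.0.0.6:9090")
    return {
        "duplicate_application": rc.request_token("publisher-03", "order-service", "10.0.0.5:8080"),
        "forged_token": rc.register("not-an-issued-token", "order-service", "10.0.0.5:8080"),
        "wrong_address": rc.register(token, "order-service", "10.0.0.9:8080"),
        "not_deployed": rc.register(pending, "pay-service", "10.0.0.6:9090"),
        "valid": rc.register(token, "order-service", "10.0.0.5:8080"),
        "registry": sorted(rc.service_registry),
        "traced_account": rc.audit("order-service", "10.0.0.5:8080").publisher_account,
        "unknown_audit": rc.audit("ghost-service", "10.0.0.5:8080"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```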
The third embodiment of the invention discloses a service admission management device, the structure of which is shown in figure 3:
The service publishing unit M1 is configured to send a service admission token request for a service instance to the registration center M2; to receive the service admission token of the service instance returned by the registration center M2 and then set the service admission token in the registration configuration information of the service instance, or to receive a rejection notice for the service admission token request sent by the registration center M2; to send a service registration request of the service instance to the registration center M2 after the service admission token has been set; and to receive a rejection notice for the service registration request of the service instance returned by the registration center M2.
The registration center M2 is configured to receive the service admission token request for a service instance sent by the service publishing unit M1 and to examine and approve that request; if the approval passes, to create the service admission token of the service instance according to the content carried in the service admission token request, generate and store an approval record of the service admission token application for the service instance, and return the service admission token of the service instance to the service publishing unit M1; if the approval fails, to return a rejection notice for the service admission token request to the service publishing unit M1. The registration center M2 is further configured to receive the service registration request of the service instance sent by the service publishing unit M1 and to confirm and authenticate the service admission token in the registration configuration information carried in that request; if the authentication succeeds, to perform service registration on the service instance according to the registration configuration information carried in the service registration request; otherwise, to send a rejection notice for the service registration request of the service instance to the service publishing unit M1.
The approval record can be stored in a database, a file, a memory and other storage media.
Preferably, the apparatus may further include a service auditing unit M3, configured to send a service audit request of a service instance to the registration center M2, where the service audit request carries content including a service instance name and a service instance deployment network address; and further configured to receive the approval record of the service admission token application for the service instance returned by the registration center M2, so as to trace the service publisher of the service instance, or to receive a rejection notice for the service audit request of the service instance returned by the registration center M2.
The fourth embodiment of the present invention further discloses a service admission management device, the structure of which is shown in Fig. 4:
The service publishing unit M1 further includes:
a token request processing module M11, configured to send a service admission token request for a service instance to the token approval and production module M21; and to receive the service admission token of the service instance returned by the token approval and production module M21, or to receive a rejection notice for the service admission token request returned by the token approval and production module M21;
a token setting module M12, configured to set the service admission token obtained from the token request processing module M11 in the registration configuration information of the service instance;
a service registration request processing module M13, configured to send the service registration request of the service instance to the authentication and registration module M22 after receiving the service instance whose service admission token has been set by the token setting module M12; and further configured to receive the rejection notice for the service registration request of the service instance returned by the authentication and registration module M22.
The registry M2 further comprises:
a token approval and production module M21, configured to receive the service admission token request for a service instance sent by the token request processing module M11 and to examine and approve that request; if the approval passes, to create the service admission token of the service instance according to the content carried in the service admission token request, generate an approval record of the service admission token application for the service instance, store the approval record in an approval record set DB, and return the service admission token of the service instance to the token request processing module M11; if the approval fails, to return a rejection notice for the service admission token request to the token request processing module M11;
the content of the approval record comprises: the service admission token of the service instance, the service publisher account, the service instance name and the service instance deployment network address;
an authentication and registration module M22, configured to receive the service registration request of a service instance sent by the service registration request processing module M13; to confirm and authenticate the service admission token in the registration configuration information carried in the service registration request of the service instance; if the authentication succeeds, to perform service registration on the service instance according to the registration configuration information carried in the service registration request; if the authentication fails, to send a rejection notice for the service registration request of the service instance to the service registration request processing module M13;
an audit request processing module M23, configured to receive the service audit request of a service instance sent by the service auditing unit M3; to match the service instance name and the service instance deployment network address carried in the received service audit request against the corresponding content in the approval record set DB; if the matching succeeds, to return the approval record of the service admission token application for the service instance to the service auditing unit M3, so that the service auditor can trace the service publisher of the service instance; otherwise, to return a rejection notice for the service audit request of the service instance to the service auditing unit M3.
A service auditing unit M3, configured to send a service audit request of a service instance to the registration center M2, where the service audit request carries content including a service instance name and a service instance deployment network address; and further configured to receive the approval record of the service admission token application for the service instance returned by the registration center M2, so as to trace the service publisher of the service instance, or to receive a rejection notice for the service audit request of the service instance returned by the registration center M2.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems and units described above may be understood by reference to the corresponding method steps, and are not described herein again.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for managing service admission, the method comprising:
the service publisher sends a service admission token request for a service instance to the registration center;
the registration center examines and approves the service admission token request for the service instance;
if the approval passes, the registration center creates the service admission token of the service instance according to the content carried in the service admission token request for the service instance, generates and stores an approval record of the service admission token application for the service instance, and returns the service admission token of the service instance to the service publisher; if the approval fails, the registration center returns a rejection notice for the service admission token request for the service instance to the service publisher;
after receiving the service admission token of the service instance, the service publisher sets the service admission token in the registration configuration information of the service instance, and then sends a service registration request of the service instance to the registration center;
the registration center confirms and authenticates the service admission token in the registration configuration information carried in the service registration request of the service instance; if the authentication is successful, the registration center performs service registration on the service instance according to the registration configuration information carried in the service registration request of the service instance; otherwise, the registration center sends a rejection notice for the service registration request of the service instance to the service publisher.
2. The method according to claim 1, wherein after the registry performs service registration on the service instance according to registration configuration information carried in the service registration request of the service instance, the method further comprises:
a service auditing party sends a service auditing request of a service instance to the registration center, wherein the service auditing request of the service instance carries contents including a service instance name and a service instance deployment network address;
the registration center matches the service instance name and the service instance deployment network address carried in the received service audit request against the corresponding content in the approval record; if the matching is successful, the registration center returns the approval record of the service admission token application for the service instance to the service auditor, so that the service auditor can trace the service publisher of the service instance; otherwise, the registration center returns a rejection notice for the service audit request of the service instance to the service auditor.
3. The method according to claim 1 or 2, wherein the service admission token request for the service instance sent by the service publisher to the registration center carries contents including a service publisher account, a service instance name and a service instance deployment network address.
4. The method according to claim 1 or 2, wherein the method by which the registration center approves the service admission token request for the service instance comprises:
the registration center matches the service instance name and the service instance deployment network address contained in the service admission token request for the service instance against the service instance names and service instance deployment network addresses in the current set of service admission token approval records; if the matching is unsuccessful, the approval passes; otherwise, the approval fails.
5. The method according to claim 1 or 2, wherein the method by which the registration center creates the service admission token of the service instance according to the content carried in the service admission token request for the service instance, and generates and stores the approval record of the service admission token application for the service instance, comprises:
the registration center generates and stores an approval record of the service admission token application for the service instance, wherein the approval record comprises: the service admission token of the service instance, the service publisher account, the service instance name and the service instance deployment network address.
6. The method according to claim 1 or 2, wherein the method by which the registration center confirms and authenticates the service admission token in the registration configuration information carried in the service registration request of the service instance comprises:
step one, the registration center matches the service admission token carried in the service registration request of the service instance against the corresponding content in the current set of service admission token approval records; if the matching is successful, step two is executed; otherwise, the authentication fails, and the registration center returns a rejection notice for the service registration request of the service instance to the service publisher;
step two, if the matching in step one is successful, the registration center initiates an HTTP access request according to the service instance name and the service instance deployment network address in the service admission token approval record; if the HTTP request returns a status indicating successful access, the authentication is successful; otherwise, the authentication fails, and the registration center returns a rejection notice for the service registration request of the service instance to the service publisher.
7. A management apparatus for service admission, comprising a service publishing unit and a registration center, wherein:
the service publishing unit is configured to send a service admission token request for a service instance to the registration center; to receive the service admission token of the service instance returned by the registration center and then set the service admission token in the registration configuration information of the service instance, or to receive a rejection notice for the service admission token request for the service instance sent by the registration center; to send a service registration request of the service instance to the registration center after the service admission token has been set; and to receive a rejection notice for the service registration request of the service instance returned by the registration center;
the registration center is configured to receive the service admission token request for the service instance sent by the service publishing unit and to examine and approve that request; if the approval passes, to create the service admission token of the service instance according to the content carried in the service admission token request for the service instance, generate and store an approval record of the service admission token application for the service instance, and return the service admission token of the service instance to the service publishing unit; if the approval fails, to return a rejection notice for the service admission token request for the service instance to the service publishing unit; the registration center is further configured to receive the service registration request of the service instance sent by the service publishing unit, to confirm and authenticate the service admission token in the registration configuration information carried in the service registration request of the service instance, and, if the authentication is successful, to perform service registration on the service instance according to the registration configuration information carried in the service registration request of the service instance; otherwise, to send a rejection notice for the service registration request of the service instance to the service publishing unit.
8. The apparatus of claim 7, wherein the service publishing unit comprises:
the token request processing module, configured to send a service admission token request for a service instance to the registration center; and to receive the service admission token of the service instance returned by the registration center, or to receive a rejection notice for the service admission token request for the service instance returned by the registration center;
the token setting module, configured to set the service admission token obtained by the token request processing module in the registration configuration information of the service instance;
the service registration request processing module, configured to send a service registration request of the service instance to the registration center after receiving the service instance whose service admission token has been set by the token setting module; and further configured to receive a rejection notice for the service registration request of the service instance returned by the registration center.
9. The apparatus of claim 7, wherein the registry comprises:
the token approval and production module, configured to receive the service admission token request for a service instance sent by the service publishing unit and to examine and approve that request; if the approval passes, to create the service admission token of the service instance according to the content carried in the service admission token request for the service instance, generate and store an approval record of the service admission token application for the service instance, and return the service admission token of the service instance to the service publishing unit; if the approval fails, to return a rejection notice for the service admission token request for the service instance to the service publishing unit;
the content of the approval record comprises: the service admission token of the service instance, the service publisher account, the service instance name and the service instance deployment network address;
the authentication and registration module, configured to receive the service registration request of the service instance sent by the service publishing unit; to confirm and authenticate the service admission token in the registration configuration information carried in the service registration request of the service instance; if the authentication is successful, to perform service registration on the service instance according to the registration configuration information carried in the service registration request of the service instance; and if the authentication fails, to send a rejection notice for the service registration request of the service instance to the service publishing unit.
10. The apparatus of claim 7, further comprising:
the service auditing unit, configured to send a service audit request of the service instance to the registration center, wherein the service audit request of the service instance carries content including the service instance name and the service instance deployment network address; and further configured to receive the approval record of the service admission token application for the service instance returned by the registration center, or to receive a rejection notice for the service audit request of the service instance returned by the registration center;
the registration center further comprises an audit request processing module, configured to receive the service audit request of the service instance sent by the service auditing unit; to match the service instance name and the service instance deployment network address carried in the received service audit request against the corresponding content in the current approval record set; if the matching is successful, to return the approval record of the service admission token application for the service instance to the service auditor, so that the service auditor can trace the service publisher of the service instance; otherwise, to return a rejection notice for the service audit request of the service instance to the service auditor.
CN201811643160.2A 2018-12-29 2018-12-29 Service admission management method and device Active CN109587169B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811643160.2A CN109587169B (en) 2018-12-29 2018-12-29 Service admission management method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811643160.2A CN109587169B (en) 2018-12-29 2018-12-29 Service admission management method and device

Publications (2)

Publication Number Publication Date
CN109587169A CN109587169A (en) 2019-04-05
CN109587169B true CN109587169B (en) 2022-12-13

Family

ID=65932801

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811643160.2A Active CN109587169B (en) 2018-12-29 2018-12-29 Service admission management method and device

Country Status (1)

Country Link
CN (1) CN109587169B (en)

Also Published As

Publication number Publication date
CN109587169A (en) 2019-04-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant