CN110809011A - Access control method and system, and storage medium - Google Patents

Access control method and system, and storage medium

Info

Publication number: CN110809011A
Authority: CN (China)
Prior art keywords: service request, service, access, api, response data
Legal status: Granted
Application number: CN202010016010.XA
Other languages: Chinese (zh)
Other versions: CN110809011B (en)
Inventor: 田仁江
Current Assignee: Medical Cross Cloud (beijing) Technology Co Ltd
Original Assignee: Medical Cross Cloud (beijing) Technology Co Ltd
Application filed by Medical Cross Cloud (beijing) Technology Co Ltd
Priority to CN202010016010.XA
Publication of CN110809011A
Application granted
Publication of CN110809011B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to the field of computer technologies, and in particular, to an access control method, an access control system, and a storage medium. The method comprises the following steps: responding to a service request initiated by a service request terminal, and carrying out access token verification on the service request; when the access token is successfully verified, utilizing the access control list to verify the API authority of the service request; and when the API authority is successfully verified, forwarding the service request to a target service executed by the corresponding private cloud. The method can provide a safer and more controllable access control management mechanism.

Description

Access control method and system, and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an access control method, an access control system, and a storage medium.
Background
The hybrid cloud integrates public cloud and private cloud, and has been a main mode and development direction of cloud computing in recent years. In the hybrid cloud mode, important and private data are generally stored in the private cloud, so managing the security of private cloud data is particularly important.
To ensure the security of the network and its data, the prior art generally relies on a firewall or a bastion host. These schemes do not achieve complete data security, and they cannot guarantee the controllability and auditability of data transmission.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The invention aims to provide an access control method, an access control system and a storage medium that improve the security of private cloud data, and thereby overcome, at least to some extent, one or more of the problems due to the limitations and disadvantages of the related art.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to a first aspect of the present disclosure, there is provided an access control method including:
responding to a service request initiated by a service request terminal, and carrying out access token verification on the service request;
when the access token is successfully verified, utilizing the access control list to verify the API authority of the service request;
and when the API authority is successfully verified, forwarding the service request to a target service executed by the corresponding private cloud.
In an exemplary embodiment of the present disclosure, before the service request end initiates the service request, the method further includes:
receiving a token application request initiated by the service request end, wherein the token application request includes an application ID and a key; and
checking the validity of the application ID and the key, and issuing an access token to the service request end when the check succeeds; the access token includes identity information, validity period information, and cryptographic signature information.
In an exemplary embodiment of the disclosure, performing access token verification on the service request includes:
verifying, in a preset order, the cryptographic signature information, the validity period information and the identity information contained in the access token, and judging that the access token is successfully verified when each of the three is verified successfully; or
if any one of the cryptographic signature information, the validity period information and the identity information fails verification, judging that the access token verification has failed and rejecting the service request.
In an exemplary embodiment of the present disclosure, the service request includes identity information and target API information, and performing the API permission check on the service request using the access control list includes:
querying the access control list in a database according to the identity information to determine whether the target API is one of the APIs that the identity information is allowed to call.
In an exemplary embodiment of the disclosure, when the API permission check succeeds, the method further includes:
acquiring the current traffic of the corresponding target API, and judging whether the current traffic exceeds a preset threshold;
when the current traffic corresponding to the target API is smaller than the preset threshold, forwarding the service request to the target service executed by the corresponding private cloud; or
when the current traffic corresponding to the target API is greater than or equal to the preset threshold, rejecting the service request.
In an exemplary embodiment of the present disclosure, the method further comprises:
receiving service response data generated by the target service in response to the service request, and forwarding the service response data to the service request end; and
and generating and storing log data according to the service response data.
In an exemplary embodiment of the present disclosure, receiving the service response data generated by the target service in response to the service request and forwarding it to the service request end, and generating and storing log data according to the service response data, include:
parsing the service response data to obtain original response data, screening the original response data according to a preset rule, and forwarding the service response data to the service request end when the screening passes; and
generating log data based on the original response data and storing the log data.
According to a second aspect of the present disclosure, there is provided another access control method including:
the service request end sends a service request to the access gateway;
the access gateway receives the service request and carries out access token verification on the service request;
when the access token is successfully verified, utilizing the access control list to verify the API authority of the service request;
when the API authority is successfully verified, forwarding the service request to a target service executed by a corresponding private cloud;
the target service receives the service request, generates corresponding service response data based on the service request, and sends the service response data to an access gateway;
and the access gateway receives the service response data and forwards the service response data to the service request terminal.
According to a third aspect of the present disclosure, there is provided an access control system comprising:
the service request terminal is used for initiating a service request to the access gateway;
the access gateway is used for receiving a service request initiated by a service request end and performing access token verification and API (application programming interface) permission verification on the service request; when both the access token and the API permission are verified successfully, forwarding the service request to a target service executed by the corresponding private cloud; and forwarding the service data fed back by the target service to the service request end;
and the private cloud is used for bearing the target service, responding to the service request, generating service response data and sending the service response data to the access gateway.
According to a fourth aspect of the present disclosure, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the access control method described in the above embodiments.
In the access control method provided by an embodiment of the present disclosure, an access gateway performs multiple verifications on each service request initiated by a service request end, and the service request is sent to the corresponding private cloud target service only after the verifications succeed. In this way, access to the private cloud is packaged in API form and registered with the access gateway for external calling, and because the access gateway performs multiple checks on every service request, the security of data in each private cloud is further improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 schematically illustrates a flow diagram of an access control method in an exemplary embodiment of the disclosure;
FIG. 2 schematically illustrates a flow chart of a traffic-based control method in an exemplary embodiment of the disclosure;
FIG. 3 schematically illustrates a flow diagram of an access control method in an exemplary embodiment of the disclosure;
FIG. 4 schematically illustrates a flow diagram of an access control method in an exemplary embodiment of the disclosure;
FIG. 5 is a schematic diagram illustrating an access control device in an exemplary embodiment of the present disclosure;
FIG. 6 schematically illustrates a composition diagram of an access control system in an exemplary embodiment of the disclosure;
FIG. 7 schematically illustrates a composition diagram of an electronic device in an exemplary embodiment of the disclosure;
fig. 8 schematically illustrates a schematic diagram of a program product in an exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
The present exemplary embodiment first provides an access control method, which can be applied to management of a private cloud. Referring to fig. 1, the above-described access control method may include the steps of:
step S11, responding to a service request initiated by a service request terminal, and carrying out access token verification on the service request;
step S12, when the access token is successfully verified, utilizing the access control list to perform API authority verification on the service request;
and step S13, when the API authority is successfully verified, forwarding the service request to a target service executed by a corresponding private cloud.
In the access control method provided by the present exemplary embodiment, an access gateway is configured and used to perform multiple verifications on each service request initiated by a service request end; the service request is sent to the corresponding private cloud target service only after the verifications succeed. In this way, access to the private cloud is packaged in API form and registered with the access gateway for external calling, and because the access gateway performs multiple checks on every service request, the security of data in each private cloud is further improved.
Hereinafter, each step in the access control method in the present exemplary embodiment will be described in more detail with reference to the drawings and examples.
Step S11, responding to a service request initiated by a service request end, and performing access token verification on the service request.
In this exemplary embodiment, an access gateway may be provided that corresponds to a plurality of private clouds, each of which may expose a plurality of APIs (application programming interfaces) that are allowed to be accessed. The access gateway receives the access requests or service requests of each service request end to each private cloud. For example, the access gateway may be built in a public cloud, so that each service request end accesses a private cloud through the access gateway running in the public cloud; alternatively, the access gateway may run as a plug-in. The service request end may be a client terminal or a private cloud running an application; its form is not particularly limited in this disclosure.
Specifically, the service request initiated by the service request end may include the identity information of the service initiator, an access token, the API information corresponding to the private cloud to be accessed, and the like. The service request may be a specific API request. After receiving the service request, the access gateway first verifies the access token.
Before a service request end initiates a service request, it must first obtain an access token, i.e. a credential representing a legitimate identity. To do so, the service request end first sends a token application request to the access gateway. The token application request may include an application ID and a key; the access token is issued only when the service request end submits both.
The access gateway checks the validity of the application ID and the key and issues an access token to the service request end when the check succeeds. The issued access token may be in JWT (JSON Web Token) format, carrying identity information, validity period information, and one-way cryptographic signature information.
When the access gateway verifies the access token, it may first verify the validity of the token's cryptographic signature. If signature verification fails, the service request is rejected: the access gateway generates access-rejection information, feeds it back to the service request end, and disconnects the network connection. After the signature is verified successfully, the validity period of the access token is checked to determine whether the token has expired; an expired token is rejected and the connection disconnected. After the validity period information is verified successfully, the identity information in the access token is verified by checking whether it is listed in a preset block list. If the block list contains the current identity information, the service request is rejected and the connection is disconnected.
Of course, in other exemplary embodiments of the present disclosure, other verification sequences may be configured to verify the cryptographic signature, the validity period, and the identity information of the access token. For example, identity information, validity period, and cryptographic signature are checked in turn, and so on. The verification sequence of the above items is not particularly limited in this disclosure.
And step S12, when the access token is successfully verified, utilizing the access control list to perform API authority verification on the service request.
In the present exemplary embodiment, after access token verification is completed, ACL (access control list) verification may be performed. The ACL controls whether the caller has the right to call the API. For example, the ACL permission check may include verification of the identity information and the target API information, and may additionally include verification of the calling method. An ACL may be applied for from an administrator and takes effect automatically at the access gateway after approval. The ACL may store the identity information and application ID corresponding to the service request end, together with the information and calling method of each API that the identity is permitted to access. The API information may be identification information such as an interface ID.
Specifically, the ACLs that have taken effect may be stored in a database. After verifying the validity of the access token, the access gateway queries the database using the identity information, the API information and the calling method. If the query result is empty or only partially matches, verification is determined to have failed. For example, if the identity information exists but the API currently requested does not exist for it, verification fails; or if the identity information and the API information exist but the calling method is wrong, verification fails. In these cases rejection information is fed back to the service request end and the network connection is disconnected. Only when the identity information, the API information and the calling method are all queried and matched successfully is the ACL permission verification judged successful and the service request forwarded to the target service.
And step S13, when the API authority is successfully verified, forwarding the service request to a target service executed by a corresponding private cloud.
In this example embodiment, after the access token and the API permission are successfully verified, the access gateway may forward the service request to the private cloud where the corresponding target service is located. The service request is received and processed by the target service.
Based on the above, in the present exemplary embodiment, after the API permission verification succeeds, the traffic of the target API may also be checked and controlled. Specifically, as shown in fig. 2, the method may include:
step S21, acquiring the current traffic of the corresponding target API, and judging whether the current traffic exceeds a preset threshold;
step S22, when the current traffic corresponding to the target API is smaller than the preset threshold, forwarding the service request to the target service executed by the corresponding private cloud; or
step S23, rejecting the service request when the current traffic corresponding to the target API is greater than or equal to the preset threshold.
For example, the traffic information of each API may include uplink traffic statistics and downlink traffic statistics, and the user may configure a warning threshold in advance for the uplink and downlink traffic of each API.
After the API permission is verified successfully, the current traffic of the target API is compared with the preset threshold. If the current traffic is below the threshold, the service request is forwarded to the target service; if it has reached or exceeded the threshold, the request is rejected and the connection disconnected. At the same time, a traffic warning is generated and sent to a designated e-mail address or as a text message to notify the administrator.
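The check chain of steps S11 to S13 and S21 to S23 (signature, validity period and block-list checks on the token; identity, API and calling-method match against the ACL; per-API traffic threshold) as an added example in Python. It is not code from the patent or its assignee; the HS256 JWT construction, the gateway key, the ACL entries, the identities and the thresholds are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration for this example; every name and value here is an assumption.
GATEWAY_SECRET = b"example-gateway-signing-key"      # key used to sign and verify tokens
BLOCK_LIST = {"app-banned"}                           # the preset block list of identities
# ACL as stored after administrator approval: identity -> {(interface ID, calling method)}
ACL = {
    "app-hospital-a": {("api.patient.query", "GET"), ("api.report.upload", "POST")},
}
# Administrator-configured per-API traffic thresholds and the running uplink counters (bytes)
TRAFFIC_THRESHOLD = {"api.patient.query": 10_000, "api.report.upload": 500}
TRAFFIC_CURRENT = {"api.patient.query": 0, "api.report.upload": 0}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(identity: str, ttl_seconds: int, now: float = None) -> str:
    """Issue an HS256 JWT carrying identity (sub) and validity period (exp) claims."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": identity, "exp": int(now + ttl_seconds)}).encode())
    sig = hmac.new(GATEWAY_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: float = None) -> tuple:
    """Check signature, then validity period, then identity.

    Returns (identity, None) on success or (None, reason) on the first failed check,
    in the order the page describes: signature -> validity period -> block list.
    """
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        presented = _b64url_decode(sig)
    except ValueError:                       # malformed token or bad base64 (binascii.Error)
        return None, "signature"
    # The gateway always recomputes HS256 with its own key and ignores the token's alg
    # field, so editing the header cannot downgrade or disable signature checking.
    expected = hmac.new(GATEWAY_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):   # constant-time comparison
        return None, "signature"
    try:
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return None, "signature"
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None, "expired"
    identity = claims.get("sub")
    if identity is None or identity in BLOCK_LIST:
        return None, "blocked identity"
    return identity, None


def gateway_decision(request: dict, now: float = None) -> dict:
    """Gateway check chain: access token -> ACL (identity, API, method) -> traffic threshold."""
    identity, reason = verify_token(request["token"], now)
    if identity is None:
        return {"forward": False, "reason": "token: " + reason}
    api, method = request["api"], request["method"]
    # ACL: identity, target API and calling method must all match one approved entry.
    if (api, method) not in ACL.get(identity, set()):
        return {"forward": False, "reason": "acl: identity, api or calling method not matched"}
    # Traffic threshold at API granularity: current traffic must be below the preset value.
    if TRAFFIC_CURRENT.get(api, 0) >= TRAFFIC_THRESHOLD.get(api, 0):
        return {"forward": False, "reason": "traffic: threshold reached", "alert": True}
    TRAFFIC_CURRENT[api] = TRAFFIC_CURRENT.get(api, 0) + request["length"]
    return {"forward": True, "identity": identity, "api": api}
```

The `alert` flag marks the point where the page's traffic warning (e-mail or text message to the administrator) would be raised.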
Furthermore, in this example embodiment, as shown with reference to fig. 3, the method described above may further include:
step S14, receiving service response data generated by the target service in response to the service request, and forwarding the service response data to the service request end; and
and generating and storing log data according to the service response data.
Specifically, the target service generates service response data and sends it to the access gateway, and the access gateway forwards it to the service initiator. After an API is called, the service response data fed back by the target service is generally transmitted in a blocked, opaque form whose content cannot be viewed directly. After receiving the service response data, the access gateway can parse it to obtain the original response data, store the original response data in a local or external storage space, and generate corresponding log information from the complete content of the original response data for storage.
In addition, the access gateway can also generate log data according to the API request process and record the complete content of the service request. For example, the log fields may include: time, source, target, request length, return length, elapsed time, etc.
By generating and storing logs for the complete content requested and returned and generating and storing log data based on the original response data, detailed log data and transmission content can be recorded, and the subsequent statistical analysis and audit of the content can be facilitated.
In addition, in other exemplary embodiments of the present disclosure, after obtaining the original response data, the access gateway may further screen the original response data according to a preset rule, forwarding the service response data to the service request end when the screening passes, or stopping the forwarding when the screening fails. For example, screening keywords may be configured in advance, and the form or content of the response may be screened for sensitive words. When a sensitive word is found, the gateway re-checks whether the service request end holds the permission for that data and decides accordingly whether to forward the service response data. This further realizes security control of the private data in the private cloud.
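The response-side handling of step S14 and the screening variant above (parse the opaque response, screen the parsed content for preset sensitive words, re-check the requester's permission, and write a log record with the time, source, target, request length, return length and elapsed time fields the page lists) as an added example in Python; not code from the patent or its assignee. The JSON response format, the keyword list and the permission table are constructed assumptions.

```python
import json

# Constructed configuration for this example; keyword names and permissions are assumptions.
SENSITIVE_KEYWORDS = {"id_number", "diagnosis"}
# Identities permitted to receive specific sensitive fields (re-checked after screening)
SENSITIVE_DATA_PERMISSION = {"app-hospital-a": {"diagnosis"}}


def _field_names(obj):
    """Walk a parsed JSON document and yield every object key, at any depth."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _field_names(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _field_names(value)


def parse_response(raw: bytes) -> dict:
    """Unpack the opaque service response into original response data (assumed to be JSON)."""
    return json.loads(raw.decode("utf-8"))


def screen_response(identity: str, original) -> tuple:
    """Screen the original data against the preset keywords; return (passes, matched_keywords)."""
    matched = sorted(set(_field_names(original)) & SENSITIVE_KEYWORDS)
    if not matched:
        return True, []
    # Sensitive words found: check again whether the requester may receive every matched field.
    allowed = SENSITIVE_DATA_PERMISSION.get(identity, set())
    return all(word in allowed for word in matched), matched


def build_log_record(request, raw_response, original, forwarded, started, finished) -> dict:
    """Log record with the fields the page lists plus the complete parsed content for audit."""
    return {
        "time": started,
        "source": request["identity"],
        "target": request["api"],
        "request_length": len(request["body"]),
        "return_length": len(raw_response),
        "elapsed_ms": round((finished - started) * 1000),
        "forwarded": forwarded,
        "response": original,
    }


def handle_response(request: dict, raw_response: bytes, started: float, finished: float) -> dict:
    """Gateway handling of one service response: parse, screen, decide forwarding, and log."""
    original = parse_response(raw_response)
    forward, matched = screen_response(request["identity"], original)
    record = build_log_record(request, raw_response, original, forward, started, finished)
    record["matched_keywords"] = matched
    return record
```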
There is also provided in this exemplary embodiment an access control method, as shown in fig. 4, the access control method described above may include the steps of:
step S31, the service request end sends a service request to the access gateway;
step S32, the access gateway receives the service request and checks the access token of the service request;
step S33, when the access token is successfully verified, utilizing the access control list to perform API authority verification on the service request;
step S34, when the API authority is successfully verified, the service request is forwarded to a target service executed by a corresponding private cloud;
step S35, the target service receives the service request, generates corresponding service response data based on the service request, and sends the service response data to an access gateway;
step S36, the access gateway receives the service response data and forwards the service response data to the service request end.
According to the access control method provided by the disclosure, an access gateway is configured and used to authorize every API call made by a service request end: each service request undergoes access token verification and an ACL check. Private cloud functions are exposed for external calling only in API form, so that basic services are not directly exposed to external callers, and a safer and more controllable access control management mechanism is provided. In addition, the access gateway monitors traffic and stores logs of the complete data, so that traffic thresholds can be set at API granularity to prevent traffic from exceeding limits, and the detailed content of each API call is saved to provide comprehensive data support for later auditing. Because the stored data is the transmission content already parsed by the access gateway, the efficiency of auditing data content is effectively improved.
It is to be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the method according to an exemplary embodiment of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Further, referring to fig. 5, an access control device 50 according to an embodiment of the present example may include an access token verification module 501, an API permission verification module 502, and a data forwarding module 503. Wherein:
the access token verification module 501 may be configured to perform access token verification on a service request initiated by a service request end in response to the service request.
The API permission verification module 502 may be configured to perform API permission verification on the service request by using the access control list when the access token verification is successful.
The data forwarding module 503 may be configured to forward the service request to a target service executed by a corresponding private cloud when the API permission verification is successful.
Further, referring to fig. 6, an access control system 600 according to an embodiment of the present example is also provided, and may include a service request end 601, an access gateway 603, and a private cloud 604. Wherein:
the service request terminal 601 may be configured to initiate a service request to the access gateway.
The access gateway 603 may be configured to receive a service request initiated by a service request end, and perform access token verification and API permission verification on the service request; when the access token is verified and the API authority is verified successfully, the service request is forwarded to a target service executed by the corresponding private cloud; and forwarding the service data fed back by the target service to the service request terminal.
The private cloud 604 may be configured to carry a target service, generate service response data in response to the service request, and send the service response data to the access gateway.
Referring to the system network architecture shown in fig. 6, the service request terminals (601, 607) may be a plurality of terminals, such as computers, mobile phones, and the like. Data transmission is made with the access gateway 603 through the network 602. The access gateway 603 may interface with multiple private clouds (604, 605, 606) over the network 602 and perform the transmission of data.
The specific details of each module in the access control device 50 and the access control system 600 are already described in detail in the corresponding access control method, and therefore are not described herein again.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit," "module," or "system."
An electronic device 700 according to this embodiment of the invention is described below with reference to fig. 7. The electronic device 700 shown in fig. 7 is only an example and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, electronic device 700 is embodied in the form of a general purpose computing device. The components of the electronic device 700 may include, but are not limited to: the at least one processing unit 710, the at least one memory unit 720, and a bus 730 that couples various system components including the memory unit 720 and the processing unit 710.
The storage unit 720 stores program code that is executable by the processing unit 710, such that the processing unit 710 performs the steps according to various exemplary embodiments of the present invention as described in the above section "exemplary method" of the present specification. For example, the processing unit 710 may perform the method steps shown in fig. 1.
The storage unit 720 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 7201 and/or a cache memory unit 7202, and may further include a read only memory unit (ROM) 7203.
The storage unit 720 may also include a program/utility 7204 having a set (at least one) of program modules 7205, such program modules 7205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 730 may represent one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 700 may also communicate with one or more external devices 70 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 700, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 700 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 750. Also, the electronic device 700 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 760. As shown, the network adapter 760 communicates with the other modules of the electronic device 700 via the bus 730. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 700, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
Referring to fig. 8, a program product 800 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the terms of the appended claims.

Claims (10)

1. An access control method, comprising:
in response to a service request initiated by a service request terminal, performing access token verification on the service request;
when the access token is successfully verified, performing API permission verification on the service request using an access control list; and
when the API permission is successfully verified, forwarding the service request to a target service executed by the corresponding private cloud.
2. The method according to claim 1, wherein before responding to the service request initiated by the service request terminal, the method further comprises:
receiving a token application request initiated by the service request terminal, wherein the token application request includes an application ID and a key; and
performing a validity check on the application ID and the key, and issuing an access token to the service request terminal when the check succeeds, wherein the access token includes identity information, validity period information, and cryptographic signature information.
3. The method of claim 1 or 2, wherein performing access token verification on the service request comprises:
sequentially verifying the cryptographic signature information, the validity period information and the identity information contained in the access token according to a preset order, and judging that the access token is successfully verified when the cryptographic signature information, the validity period information and the identity information are each successfully verified; or
if any one of the cryptographic signature information, the validity period information and the identity information fails verification, judging that the access token verification has failed, so as to reject the service request.
4. The method of claim 1, wherein the service request comprises identity information and target API information; and
performing API permission verification on the service request using the access control list comprises:
querying the access control list in a database according to the identity information to determine whether the target API is among the APIs that the identity is allowed to call.
5. The method of claim 1, wherein when the API permission verification succeeds, the method further comprises:
acquiring the current traffic of the corresponding target API, and judging whether the current traffic exceeds a preset threshold;
when the current traffic of the target API is smaller than the preset threshold, forwarding the service request to the target service executed by the corresponding private cloud; or
when the current traffic of the target API is greater than or equal to the preset threshold, rejecting the service request.
6. The method of claim 1, further comprising:
receiving service response data generated by the target service in response to the service request, and forwarding the service response data to the service request terminal; and
generating and storing log data according to the service response data.
7. The method according to claim 6, wherein receiving the service response data generated by the target service in response to the service request and forwarding the service response data to the service request terminal, and generating and storing log data according to the service response data, comprises:
parsing the service response data to obtain original response data, screening the original response data according to a preset rule, and forwarding the service response data to the service request terminal when the screening passes; and
generating log data based on the original response data and storing the log data.
8. An access control method, comprising:
a service request terminal sending a service request to an access gateway;
the access gateway receiving the service request and performing access token verification on the service request;
when the access token is successfully verified, performing API permission verification on the service request using an access control list;
when the API permission is successfully verified, forwarding the service request to a target service executed by a corresponding private cloud;
the target service receiving the service request, generating corresponding service response data based on the service request, and sending the service response data to the access gateway; and
the access gateway receiving the service response data and forwarding the service response data to the service request terminal.
9. An access control system, comprising:
a service request terminal, configured to initiate a service request to an access gateway;
the access gateway, configured to receive the service request initiated by the service request terminal and perform access token verification and API (application programming interface) permission verification on the service request; when both the access token verification and the API permission verification succeed, forward the service request to a target service executed by the corresponding private cloud; and forward the service data fed back by the target service to the service request terminal; and
a private cloud, configured to host the target service, generate service response data in response to the service request, and send the service response data to the access gateway.
10. A storage medium having stored thereon a computer program which, when executed by a processor, implements an access control method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010016010.XA CN110809011B (en) 2020-01-08 2020-01-08 Access control method and system, and storage medium


Publications (2)

Publication Number Publication Date
CN110809011A true CN110809011A (en) 2020-02-18
CN110809011B CN110809011B (en) 2020-06-19

Family

ID=69493422

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010016010.XA Active CN110809011B (en) 2020-01-08 2020-01-08 Access control method and system, and storage medium

Country Status (1)

Country Link
CN (1) CN110809011B (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111355743A (en) * 2020-03-11 2020-06-30 成都卓杭网络科技股份有限公司 Management method and system based on API gateway
CN111447228A (en) * 2020-03-27 2020-07-24 四川虹美智能科技有限公司 Intelligent household appliance access request processing method and system, cloud server and intelligent air conditioner
CN111787008A (en) * 2020-06-30 2020-10-16 北京指掌易科技有限公司 Access control method, device, electronic equipment and computer readable storage medium
CN112217738A (en) * 2020-11-04 2021-01-12 成都中科大旗软件股份有限公司 Flow control method, system, storage medium and terminal for text and travel data service
CN112416616A (en) * 2020-11-12 2021-02-26 北京字跳网络技术有限公司 Micro-service calling method and device, electronic equipment and storage medium
CN112671859A (en) * 2020-12-15 2021-04-16 中国人寿保险股份有限公司 Hybrid cloud management method and hybrid cloud system
CN113315634A (en) * 2021-05-21 2021-08-27 广州大学 Lightweight access control method, device and system for Internet of things
CN113572759A (en) * 2021-07-21 2021-10-29 华控清交信息科技(北京)有限公司 Data management method and device, electronic equipment and storage medium
CN113810468A (en) * 2021-08-13 2021-12-17 济南浪潮数据技术有限公司 Method, system, device and storage medium for distributing request by gateway under K8s architecture
CN114244525A (en) * 2021-12-13 2022-03-25 中国农业银行股份有限公司 Request data processing method, device, equipment and storage medium
CN114615203A (en) * 2022-01-30 2022-06-10 阿里云计算有限公司 Access control method, device, storage medium and processor
CN114760133A (en) * 2022-04-15 2022-07-15 中国电信股份有限公司 RESTful interface authentication method, device, system, equipment and medium
CN115134113A (en) * 2022-05-13 2022-09-30 山东鲁软数字科技有限公司 Platform data security authentication method, system, terminal and storage medium
CN115277207A (en) * 2022-07-28 2022-11-01 联想(北京)有限公司 Access control method and electronic equipment
CN115633197A (en) * 2022-09-15 2023-01-20 海南乾唐视联信息技术有限公司 Service data distribution system, method, device, electronic equipment and medium
WO2024051195A1 (en) * 2022-09-08 2024-03-14 上海派拉软件股份有限公司 Data calling method and apparatus, and serving gateway and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102378170A (en) * 2010-08-27 2012-03-14 中国移动通信有限公司 Method, device and system of authentication and service calling
CN103188344A (en) * 2013-02-22 2013-07-03 浪潮电子信息产业股份有限公司 Method for safely invoking REST API (representational state transfer, application programming interface)
CN103441857A (en) * 2013-09-18 2013-12-11 Tcl集团股份有限公司 Value-added service integration method and system for network television user
CN104754009A (en) * 2013-12-31 2015-07-01 中国移动通信集团广东有限公司 Service acquisition and invocation method, device, client-side and server
US10104068B2 (en) * 2004-04-15 2018-10-16 Facebook, Inc. Service provider invocation
US10142107B2 (en) * 2015-12-31 2018-11-27 Microsoft Technology Licensing, Llc Token binding using trust module protected keys
CN109802835A (en) * 2019-01-25 2019-05-24 北京中电普华信息技术有限公司 A kind of safety certifying method, system and API gateway


Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111355743B (en) * 2020-03-11 2021-07-06 成都卓杭网络科技股份有限公司 Management method and system based on API gateway
CN111355743A (en) * 2020-03-11 2020-06-30 成都卓杭网络科技股份有限公司 Management method and system based on API gateway
CN111447228A (en) * 2020-03-27 2020-07-24 四川虹美智能科技有限公司 Intelligent household appliance access request processing method and system, cloud server and intelligent air conditioner
CN111787008A (en) * 2020-06-30 2020-10-16 北京指掌易科技有限公司 Access control method, device, electronic equipment and computer readable storage medium
CN111787008B (en) * 2020-06-30 2023-01-20 北京指掌易科技有限公司 Access control method, device, electronic equipment and computer readable storage medium
CN112217738A (en) * 2020-11-04 2021-01-12 成都中科大旗软件股份有限公司 Flow control method, system, storage medium and terminal for text and travel data service
CN112416616A (en) * 2020-11-12 2021-02-26 北京字跳网络技术有限公司 Micro-service calling method and device, electronic equipment and storage medium
CN112416616B (en) * 2020-11-12 2023-12-12 北京字跳网络技术有限公司 Micro-service calling method and device, electronic equipment and storage medium
CN112671859A (en) * 2020-12-15 2021-04-16 中国人寿保险股份有限公司 Hybrid cloud management method and hybrid cloud system
CN113315634A (en) * 2021-05-21 2021-08-27 广州大学 Lightweight access control method, device and system for Internet of things
CN113315634B (en) * 2021-05-21 2022-04-08 广州大学 Lightweight access control method, device and system for Internet of things
CN113572759A (en) * 2021-07-21 2021-10-29 华控清交信息科技(北京)有限公司 Data management method and device, electronic equipment and storage medium
CN113810468A (en) * 2021-08-13 2021-12-17 济南浪潮数据技术有限公司 Method, system, device and storage medium for distributing request by gateway under K8s architecture
CN114244525A (en) * 2021-12-13 2022-03-25 中国农业银行股份有限公司 Request data processing method, device, equipment and storage medium
CN114244525B (en) * 2021-12-13 2024-03-01 中国农业银行股份有限公司 Request data processing method, device, equipment and storage medium
CN114615203A (en) * 2022-01-30 2022-06-10 阿里云计算有限公司 Access control method, device, storage medium and processor
CN114760133A (en) * 2022-04-15 2022-07-15 中国电信股份有限公司 RESTful interface authentication method, device, system, equipment and medium
CN114760133B (en) * 2022-04-15 2023-10-03 中国电信股份有限公司 RESTful interface authentication method, device, system, equipment and medium
CN115134113A (en) * 2022-05-13 2022-09-30 山东鲁软数字科技有限公司 Platform data security authentication method, system, terminal and storage medium
CN115134113B (en) * 2022-05-13 2024-04-09 山东鲁软数字科技有限公司 Platform data security authentication method, system, terminal and storage medium
CN115277207A (en) * 2022-07-28 2022-11-01 联想(北京)有限公司 Access control method and electronic equipment
WO2024051195A1 (en) * 2022-09-08 2024-03-14 上海派拉软件股份有限公司 Data calling method and apparatus, and serving gateway and storage medium
CN115633197A (en) * 2022-09-15 2023-01-20 海南乾唐视联信息技术有限公司 Service data distribution system, method, device, electronic equipment and medium

Also Published As

Publication number Publication date
CN110809011B (en) 2020-06-19

Similar Documents

Publication Publication Date Title
CN110809011B (en) Access control method and system, and storage medium
US9560033B2 (en) Method and system for authenticating user identity
US9756055B2 (en) Method and apparatus for controlling resources access
US11019068B2 (en) Quorum-based access management
US20220394026A1 (en) Network identity protection method and device, and electronic equipment and storage medium
CN110365684B (en) Access control method and device for application cluster and electronic equipment
CN110569658A (en) User information processing method and device based on block chain network, electronic equipment and storage medium
CN111526111B (en) Control method, device and equipment for logging in light application and computer storage medium
CN113742676B (en) Login management method, login management device, login management server, login management system and storage medium
US11777942B2 (en) Transfer of trust between authentication devices
CN113225351A (en) Request processing method and device, storage medium and electronic equipment
CN116319024A (en) Access control method and device of zero trust system and zero trust system
CN114662071A (en) Data access control method and device, storage medium and electronic equipment
CN113393239A (en) Transaction processing method, system, device, electronic equipment and storage medium
CN116170234B (en) Single sign-on method and system based on virtual account authentication
CN114584324B (en) Identity authorization method and system based on block chain
CN115001840B (en) Agent-based authentication method, system and computer storage medium
KR101622514B1 (en) Prevention of forgery of web requests to a server
CN111030816A (en) Authentication method and device for access platform of evidence obtaining equipment and storage medium
CN114491489A (en) Request response method and device, electronic equipment and storage medium
CN112511565B (en) Request response method and device, computer readable storage medium and electronic equipment
CN114553570B (en) Method, device, electronic equipment and storage medium for generating token
US20240152633A1 (en) Systems for time dependent data access authorization
CN116305321A (en) Authority verification method and device
CN115333797A (en) Evaluation method and system of charging pile system and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant