CN111786998A - Authority management method and device based on micro-service calling and storage medium

Publication number: CN111786998A
Authority: CN (China)
Application number: CN202010621594.3A
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 崔来
Current Assignee: Chengdu Xinchao Media Group Co Ltd
Original Assignee: Chengdu Xinchao Media Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/104 Grouping of entities
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/63 Routing a service request depending on the request content or context
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]

Abstract

The invention relates to the technical field of micro-service calling and discloses an authority management method, device and storage medium based on micro-service calling. The method comprises the following steps: acquiring a calling request which is sent by a client and used for calling the micro-service; acquiring a request Uniform Resource Locator (URL) according to the calling request; acquiring an IP address of the client, and determining a micro-service identity corresponding to the client according to the IP address; and determining whether the client has an access right for accessing the micro-service based on the micro-service identity corresponding to the client, the request URL and a service authority configuration table. The service authority configuration table is configured with at least one group corresponding to the micro-service identity and an interface address corresponding to each group in the at least one group. The invention can complete the authority management of micro-service calling simply, conveniently and quickly when there is no user information.

Description

Authority management method and device based on micro-service calling and storage medium
Technical Field
The invention relates to the technical field of micro-service calling, in particular to a method and a device for managing authority based on micro-service calling and a storage medium.
Background
As micro-services become more fine-grained and cluster architectures grow larger, micro-services are called more and more frequently.
At present, calls among micro-services are mostly implemented on a Role-Based Access Control (RBAC) model: user information is attached when a micro-service is invoked, the invoked micro-service obtains the role set to which the user belongs from the user information, then obtains the user's permissions from the role set, and finally decides whether to allow the user's invocation request according to those permissions.
However, in some cases no user participates in the micro-service architecture, or a user participates but has not logged in, so user information may not be present in the system. The authority for invoking the micro-service must then be managed without user information, which can make authority management for micro-service invocation very cumbersome.
Disclosure of Invention
To solve the prior-art problem that authority management for micro-service calls is very cumbersome when there is no user information, the invention aims to provide an authority management method, device and storage medium based on micro-service calling, so that authority management for micro-service calls can be completed conveniently and quickly without user information.
In a first aspect, the present invention provides a method for managing permissions based on micro-service invocation, including:
acquiring a calling request which is sent by a client and used for calling the micro-service;
acquiring a request Uniform Resource Locator (URL) according to the calling request;
acquiring an IP address of the client, and determining a micro-service identity corresponding to the client according to the IP address;
determining whether the client has an access right for accessing the micro service based on the micro service identity corresponding to the client, the request URL and a service right configuration table;
at least one group corresponding to the micro-service identity and an interface address corresponding to each group in the at least one group are configured in the service authority configuration table.
Through the design, the micro-service identity corresponding to the client is determined according to the IP address, and whether the client has the access right for accessing the micro-service is determined according to the micro-service identity, the acquired request URL and the service right configuration table. The method and the device can simply, conveniently and quickly finish the authority management of the micro-service calling, simplify the authority management of the micro-service calling, improve the efficiency of the authority management of the micro-service calling, and avoid the problem that the authority management of the micro-service calling is very complicated due to the fact that no user information exists in the traditional scheme.
In one possible design, determining whether the client has an access right to access the microservice based on the microservice identity corresponding to the client, the request URL, and a service right configuration table includes:
according to the micro service identity corresponding to the client, determining a group corresponding to the micro service identity corresponding to the client from the service authority configuration table;
judging whether the interface address corresponding to the group contains the interface address included in the request URL or not;
and if so, determining that the client has the access right to access the microservice.
Based on the disclosure, by configuring the service authority configuration table, the judgment of whether the client has the access authority to access the micro-service can be completed under the condition that the calling request does not contain user information.
In one possible design, before obtaining the request Uniform Resource Locator (URL) according to the invocation request, the method further includes:
judging whether the calling request carries user information;
if the user information is not carried, acquiring the request URL according to the calling request.
In one possible design, determining, according to the IP address, a micro-service identity corresponding to the client includes:
determining the micro-service identity corresponding to the client from a registration center according to the IP address.
In one possible design, obtaining the IP address of the request initiator includes:
acquiring the IP address of the client based on the connection mode used to establish the connection with the client.
Through the design, the IP address of the client can be acquired based on the connection mode with the client, and the IP address of the client can be accurately acquired even if the client is in a different connection mode.
In a second aspect, the present invention provides a rights management device based on micro service invocation, including:
the first acquisition unit is used for acquiring a calling request which is sent by a client and used for calling the micro service;
the second acquisition unit is used for acquiring a request Uniform Resource Locator (URL) according to the calling request;
a third obtaining unit, configured to obtain an IP address of the client, and determine, according to the IP address, a micro-service identity corresponding to the client;
the determining unit is used for determining whether the client has the access right for accessing the micro service based on the micro service identity corresponding to the client, the request URL and a service right configuration table;
at least one group corresponding to the micro-service identity and an interface address corresponding to each group in the at least one group are configured in the service authority configuration table.
In a possible design, when the determining unit is configured to determine whether the client has an access right to access the microservice based on a microservice identity corresponding to the client, the request URL, and a service right configuration table, the determining unit is specifically configured to:
according to the micro service identity corresponding to the client, determining a group corresponding to the micro service identity corresponding to the client from the service authority configuration table;
judging whether the interface address corresponding to the group contains the interface address included in the request URL or not; and
and when the interface address corresponding to the group contains the interface address included in the request URL, determining that the client has the access right to access the micro service.
In one possible design, the rights management device based on micro-service invocation further includes a determining unit, configured to determine whether the invocation request carries user information;
when the second obtaining unit is configured to obtain the request Uniform Resource Locator (URL) according to the invocation request, the second obtaining unit is specifically configured to:
acquire the request URL according to the calling request when the calling request does not carry user information.
In one possible design, when the third obtaining unit is configured to determine, according to the IP address, a micro-service identity corresponding to the client, the third obtaining unit is specifically configured to:
determine the micro-service identity corresponding to the client from a registration center according to the IP address.
In a possible design, when the third obtaining unit is configured to obtain the IP address of the request initiator, the third obtaining unit is specifically configured to:
acquire the IP address of the client based on the connection mode used to establish the connection with the client.
In a third aspect, the present invention provides a rights management device based on micro service invocation, including a memory, a processor and a transceiver, which are sequentially connected in communication, where the memory is used to store a computer program, the transceiver is used to transmit and receive messages, and the processor is used to read the computer program and execute the rights management method based on micro service invocation as described in any one of the above items.
In a fourth aspect, the present invention provides a computer-readable storage medium having stored thereon instructions which, when executed on a computer, perform the micro-service call based rights management method of the first aspect.
In a fifth aspect, the present invention provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the microservice call-based rights management method of the first aspect.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application environment of a rights management method, a rights management device and a storage medium based on micro service invocation according to the present invention.
Fig. 2 is a flowchart of a rights management method based on micro service invocation provided by the present invention.
Fig. 3 is a schematic structural diagram of a rights management device based on micro-service invocation provided by the invention.
Fig. 4 is a schematic structural diagram of another rights management device based on micro-service invocation provided by the present invention.
Detailed Description
The invention is further described with reference to the following figures and specific embodiments. It should be noted that the description of the embodiments is provided to help understanding of the present invention, but the present invention is not limited thereto. Specific structural and functional details disclosed herein are merely illustrative of example embodiments of the invention. This invention may, however, be embodied in many alternate forms and should not be construed as limited to the embodiments set forth herein.
It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of example embodiments of the present invention.
It should be understood that the term "and/or", as may appear herein, merely describes an association between associated objects and means that three relationships may exist; e.g., A and/or B may mean: A exists alone, B exists alone, and A and B exist at the same time. The term "/and", as may appear herein, describes another association between objects and means that two relationships may exist; e.g., A/and B may mean: A exists independently, and A and B exist independently. In addition, the character "/", as may appear herein, generally means that the former and latter associated objects are in an "or" relationship.
It will be understood that when an element is referred to herein as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may be present. Conversely, if a unit is referred to herein as being "directly connected" or "directly coupled" to another unit, it is intended that no intervening units are present. In addition, other words used to describe the relationship between elements should be interpreted in a similar manner (e.g., "between ..." versus "directly between ...", "adjacent" versus "directly adjacent", etc.).
It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments of the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises," "comprising," "includes" and/or "including," when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, numbers, steps, operations, elements, components, and/or groups thereof.
It should also be noted that, in some alternative implementations, the functions/acts noted may occur out of the order noted in the figures. For example, two figures shown in succession may, in fact, be executed substantially concurrently, or the figures may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
It should be understood that specific details are provided in the following description to facilitate a thorough understanding of example embodiments. However, it will be understood by those of ordinary skill in the art that the example embodiments may be practiced without these specific details. For example, systems may be shown in block diagrams in order not to obscure the examples in unnecessary detail. In other instances, well-known processes, structures and techniques may be shown without unnecessary detail in order to avoid obscuring example embodiments.
Examples
In order to solve the problem of authority management of micro-service invocation under the condition of no user information, the embodiment of the application provides a method, a device and a storage medium for authority management based on micro-service invocation.
First, in order to more intuitively understand the scheme provided by the embodiment of the present application, a system architecture of the rights management scheme based on micro service invocation provided by the embodiment of the present application is described below with reference to fig. 1.
Fig. 1 is a schematic diagram of an application environment of the rights management method, device and storage medium based on micro-service invocation according to one or more embodiments of the present application. As shown in fig. 1, the client initiating the invocation request is communicatively connected to the requested server through the gateway for data exchange or communication. The client may be, but is not limited to, a smart phone, a Personal Computer (PC), a tablet computer, a Personal Digital Assistant (PDA), a server, and the like.
The rights management method based on micro service invocation provided by the embodiment of the application will be described in detail below.
The permission management method based on micro-service calling provided by the embodiment of the application can be applied to a requested server or a gateway. For convenience of description, the embodiments of the present application are described with respect to the requested server as the executing subject, unless otherwise specified.
It is to be understood that the described execution body does not constitute a limitation of the embodiments of the present application.
As shown in fig. 2, which is a flowchart of a rights management method based on micro service invocation provided in an embodiment of the present application, the rights management method based on micro service invocation may include the following steps:
Step S201: acquire a calling request sent by the client for calling the micro-service.
In a micro-service architecture, completing one function often requires many services, so calls between micro-services are frequent. In some micro-service calls there is no user information because no user needs to participate, and in others there is no user information because the user has not logged in when the micro-service is called. The user information may be a user account for logging in to the micro-service.
In the embodiment of the application, when the micro service is called, the client sends a calling request for calling the micro service to the requested server, and the requested server obtains the calling request for calling the micro service sent by the client.
Step S202: acquire a request Uniform Resource Locator (URL) according to the calling request.
In the embodiment of the application, the calling request carries a Uniform Resource Locator (URL), and after the requested server obtains the calling request for calling the microservice sent by the client, the requested server can obtain the request URL carried in the calling request according to the calling request. The request URL may be used to indicate location information of the micro-service requested to be invoked, which can be found by the request URL.
In this embodiment, the format of the request URL may be based on the Hypertext Transfer Protocol (HTTP), such as http://www.baidu.com/admin/user/region; may be based on the Hypertext Transfer Protocol Secure (HTTPS), such as https://www.baidu.com/admin/user/region; may be based on a custom protocol, such as dubbo://com_baidu_service/admin/user/region; and may also be a specific request path, such as /com/baidu/admin/user/region, which is not specifically limited in this embodiment.
In obtaining the request URL, a filter, an interceptor, etc. may be employed, but are not limited thereto. For example, the filter javax.servlet.Filter can be used, and the interceptor HandlerInterceptor can also be used.
In the embodiment of the application, before the request URL is obtained according to the call request, it may be determined whether the call request carries the user information, and the request URL is obtained according to the call request only when the call request does not carry the user information.
If the calling request carries user information, determining whether the client has an access right to access the microservice according to the existing technical scheme. Specifically, when determining whether the client has the access right to access the microservice, the role set to which the user of the client belongs can be directly obtained according to the user information, the permission of the user is obtained through the set, and whether the client has the access right to access the microservice can be judged according to the permission of the user.
It can be understood that, in some embodiments, if the invocation request carries the user information, it may also be determined, by the scheme provided in the embodiments of the present application, whether the client has an access right to access the microservice, that is, in a case where the invocation request carries the user information, the request URL may also be obtained according to the invocation request.
Step S203: acquire the IP address of the client, and determine the micro-service identity corresponding to the client according to the IP address.
In the micro service architecture, a gateway is an entrance for all requests of the whole micro service platform, all clients and consumption terminals can access the micro service through the unified gateway, and all non-service functions are processed in a gateway layer.
The registry is one of the core basic services. It can be described as the address book of a micro-service architecture: it records the mapping between micro-services and service addresses. Micro-services can register in the registry, and when one micro-service needs to call another, it can find that micro-service's address in the registry.
In the micro-service calling process, the requested server can acquire the IP address of the client, and the micro-service identity corresponding to the client is determined from the registration center through the gateway according to the acquired IP address.
It can be understood that, if the execution subject is a gateway, after the IP address of the client is obtained, the micro-service identity corresponding to the client can be directly determined from the registration center according to the obtained IP address.
When the IP address of the client is obtained, the IP address of the request initiator may be obtained in the manner that corresponds to the connection mode established with the client. For example, when the client is connected over HTTP/HTTPS, the IP address of the client may be obtained from the HTTP/HTTPS request header. When the client is connected over TCP/IP, the IP address of the client can be obtained through a function of the Socket object.
For example, for a client, an HTTP request header contains the following:
x-forwarded-for=192.168.0.1
x-real-ip=192.168.1.1
user-agent=PostmanRuntime/7.26.1
accept=*/*
cache-control=no-cache
postman-token=f7f9fdb8-4b4f-4bf0-ab1f-73237d61f322
host=localhost:9005
accept-encoding=gzip,deflate,br
connection=keep-alive
The HTTP request header includes fields such as "x-forwarded-for=192.168.0.1" and "x-real-ip=192.168.1.1". When the IP address of the client is acquired, it can be read from the x-real-ip field as 192.168.1.1. It should be noted that, if the HTTP request header does not include the x-real-ip field, the first IP address of the x-forwarded-for field may be obtained, so as to obtain the IP address of the client.
Wherein, the micro service identity may be a number, a character string, etc. for identifying the identity of the micro service. For example, the microservice identity may be User, Info, etc.
It is understood that the above-mentioned manner of obtaining the IP address of the client is merely an example, and in some other embodiments, the IP address of the client may be obtained in other manners.
It is understood that the order of step S202 and step S203 is not limited.
Step S204: determine whether the client has the access right for accessing the micro-service based on the micro-service identity corresponding to the client, the request URL and the service authority configuration table.
The requested server side is preconfigured with a service authority configuration table for determining whether the client side has an access authority for accessing (requesting) the micro service, and after the micro service identity and the request URL corresponding to the client side are obtained, whether the client side has the access authority for accessing the micro service can be determined according to the micro service identity, the request URL and the service authority configuration table corresponding to the client side.
At least one group corresponding to the micro-service identity corresponding to the client, and an interface address corresponding to each group in the at least one group, are configured in the service authority configuration table.
Specifically, when determining whether the client has an access right to access the micro-service, the group corresponding to the micro-service identity of the client may first be found in the service authority configuration table according to the micro-service identity. It is then determined whether the interface addresses corresponding to that group contain the interface address included in the request URL. If so, it is determined that the client has the access right to access the micro-service; if not, it is determined that the client does not have the access right to access the micro-service.
Table 1 shows an example of a service authority configuration table.
TABLE 1
| Service | Grouping | Direction |
|---|---|---|
| User | User_login | Left side |
| /admin/User/login | User_login | Right side |
| /admin/User/qq | User_login | Right side |
| Info | Info_passwd | Left side |
| /admin/info/passwd | Info_passwd | Right side |
As shown in Table 1, the service authority configuration table records services (micro-service identities), the groups corresponding to the micro-service identities, the interface addresses corresponding to the groups, a lookup order, and so on. The lookup order indicates whether to look up from left to right or from right to left when determining whether a client has permission to access a micro-service. For example, for the micro-service identity User, the corresponding group User_login can be found from left to right, and then the interface addresses /admin/User/login and /admin/User/qq corresponding to the group User_login can be found in the table from right to left. For the micro-service identity Info, the corresponding group Info_passwd can be found from left to right, and then the interface address /admin/info/passwd corresponding to the group Info_passwd can be found in the table from right to left.
The service authority configuration table need not record the lookup order. Table 2 shows a service authority configuration table that does not record the lookup order.
TABLE 2
[Table 2 is an image in the original publication and is not reproduced here.]
As shown in Table 2, the service (micro-service identity), the group corresponding to the micro-service identity, and the interface address corresponding to the group are recorded in the service authority configuration table. For the micro-service identity User1, the corresponding group is User_login, and the interface addresses corresponding to the group User_login are then found in the table as /admin/User/login and /admin/User/qq.
It will be appreciated that in other embodiments, when determining whether the client has access rights to access the microservice, there may be a case where there is no grouping in the service rights configuration table corresponding to the microservice identity, in which case it may be determined directly that the client does not have access rights to access the microservice.
The service authority configuration table is a single table, and it can be understood that in some other embodiments, the service authority configuration table may include two or more sub-tables. For example, the service right configuration table may include a first service right configuration sub-table configured with at least one packet corresponding to the micro service identity and a second service right configuration sub-table configured with an interface address corresponding to each packet in the at least one packet, where the at least one packet in the first service right configuration sub-table is equal in number and in one-to-one correspondence with the at least one packet in the second service right configuration sub-table.
In this case, when determining whether the client has the right to access the micro service, it may first be determined whether a first group corresponding to the micro service identity is configured in the first service right configuration sub-table of the service right configuration table. If not, it is directly determined that the client does not have the access right to access the micro service. If the first group corresponding to the micro service identity is configured in the first service right configuration sub-table, it is then determined whether the interface addresses of the second group, which corresponds to the first group, in the second service right configuration sub-table include the interface address included in the request URL. If so, it is determined that the client has the access right to access the micro service; if not, it is determined that the client does not have the access right to access the micro service.
As shown in table 3 and table 4, schematic diagrams of the first service right configuration sub-table and the second service right configuration sub-table are shown, respectively.
TABLE 3
Service Grouping
User User_login1
Info Info_passwd1
TABLE 4
Grouping Interface address
User_login2 /admin/User/login
User_login2 /admin/User/qq
Info_passwd2 /admin/info/passwd
Table 3 is the first service right configuration sub-table, in which the micro service identity User is configured with a corresponding first group User_login1 and the micro service identity Info is configured with a corresponding first group Info_passwd1. Table 4 is the second service right configuration sub-table, which includes a second group User_login2 and a second group Info_passwd2; the interface addresses corresponding to the second group User_login2 are /admin/User/login and /admin/User/qq, and the interface address corresponding to the second group Info_passwd2 is /admin/info/passwd. The second group User_login2 in the second service right configuration sub-table corresponds to the first group User_login1 in the first service right configuration sub-table, and the second group Info_passwd2 in the second service right configuration sub-table corresponds to the first group Info_passwd1 in the first service right configuration sub-table. For example, for the micro service identity User, the first group User_login1 corresponding to the micro service identity User may be found from the first service right configuration sub-table, and then the corresponding interface addresses /admin/User/login and /admin/User/qq may be found from the second group User_login2, which corresponds to the first group User_login1, in the second service right configuration sub-table.
According to the micro-service invocation-based permission management method provided by the embodiment of the application, under the condition that an invocation request does not contain user information, a requested server acquires a request URL of a micro service and acquires an IP address of a client to determine the identity of the micro service from a registration center, and then whether the client has an access permission to access the micro service is determined according to a group configured in a service permission configuration table and an interface address corresponding to the group. The permission management method based on micro-service calling provided by the embodiment of the application can complete permission management of service calling under the condition that a calling request does not contain user information, simplifies the permission management of micro-service calling, improves the permission management efficiency of micro-service calling, and avoids the problem that the permission management of micro-service calling is very complicated due to the fact that no user information exists in the traditional scheme.
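The two-sub-table decision described above, using the values of tables 3 and 4, as an added Python example that is not code from the patent. The registry snapshot, its sample IP addresses, the group-less identity Order, and the choice to compare the normalized request path by exact match (a strict reading of "contains") are assumptions of this example; the peer IP is taken to be the address of the accepted connection, not a request header.

```python
from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Table 3 (first sub-table): micro-service identity -> first group.
SERVICE_TO_GROUP = {"User": "User_login1", "Info": "Info_passwd1"}

# One-to-one correspondence between first and second groups, as the text states.
GROUP_LINK = {"User_login1": "User_login2", "Info_passwd1": "Info_passwd2"}

# Table 4 (second sub-table): second group -> interface addresses.
GROUP_TO_INTERFACES = {
    "User_login2": {"/admin/User/login", "/admin/User/qq"},
    "Info_passwd2": {"/admin/info/passwd"},
}

# Constructed registration-center snapshot: instance IP -> identity.
# The IPs (documentation range) and the identity "Order" are sample values
# made up for this example; "Order" has no group configured on purpose.
REGISTRY = {"192.0.2.10": "User", "192.0.2.20": "Info", "192.0.2.30": "Order"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def interface_of(request_url: str) -> str:
    """Return the canonical path of the request URL, without query or fragment."""
    path = unquote(urlsplit(request_url).path)
    if not path.startswith("/"):
        return ""
    # Collapse "." and ".." segments so the comparison sees the same path
    # the receiving service will dispatch on.
    return normpath(path)


def authorize(peer_ip: str, request_url: str) -> Decision:
    """Decide a call that carries no user information; every miss is a deny."""
    identity = REGISTRY.get(peer_ip)
    if identity is None:
        return Decision(False, "ip not registered")
    first_group = SERVICE_TO_GROUP.get(identity)
    if first_group is None:
        # The case where no group is configured for the identity.
        return Decision(False, "no group for identity")
    second_group = GROUP_LINK.get(first_group)
    interfaces = GROUP_TO_INTERFACES.get(second_group, set())
    # Exact match on the normalized path: a substring test on the raw URL
    # would accept any URL that merely contains an allowed address.
    if interface_of(request_url) in interfaces:
        return Decision(True, f"{identity} -> {second_group}")
    return Decision(False, "interface not in group")


if __name__ == "__main__":
    for ip, url in [
        ("192.0.2.10", "http://user-svc/admin/User/login?from=app"),
        ("192.0.2.10", "/admin/User/qq/../../info/passwd"),
        ("192.0.2.30", "/admin/User/login"),
    ]:
        print(ip, url, authorize(ip, url))
```

Because the identity is derived only from the source address, the decision is only as strong as the registry data and the network path between caller and checker.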
In a second aspect, the present application provides a micro service invocation-based right management apparatus, which is applicable to a requested server or gateway. Referring to fig. 3, the rights management device based on micro service invocation includes:
the first acquisition unit is used for acquiring a calling request which is sent by a client and used for calling the micro service;
the second acquisition unit is used for acquiring a request Uniform Resource Locator (URL) according to the calling request;
a third obtaining unit, configured to obtain an IP address of the client, and determine, according to the IP address, a micro-service identity corresponding to the client;
the determining unit is used for determining whether the client has the access right for accessing the micro service based on the micro service identity corresponding to the client, the request URL and a service right configuration table;
at least one group corresponding to the micro-service identity and an interface address corresponding to each group in the at least one group are configured in the service authority configuration table.
In a possible design, when the determining unit is configured to determine whether the client has an access right to access the microservice based on a microservice identity corresponding to the client, the request URL, and a service right configuration table, the determining unit is specifically configured to:
according to the micro service identity corresponding to the client, determining a group corresponding to the micro service identity corresponding to the client from the service authority configuration table;
judging whether the interface address corresponding to the group contains the interface address included in the request URL or not; and
and when the interface address corresponding to the group contains the interface address included in the request URL, determining that the client has the access right to access the micro service.
In one possible design, the rights management device based on micro-service invocation further includes a determining unit, configured to determine whether the invocation request carries user information;
when the second obtaining unit is configured to obtain the request uniform resource locator URL according to the invocation request, the second obtaining unit is specifically configured to:
and acquiring the request URL according to the calling request under the condition that the calling request does not carry user information.
In one possible design, when the third obtaining unit is configured to determine, according to the IP address, a micro-service identity corresponding to the client, the third obtaining unit is specifically configured to:
and determining the micro-service identity corresponding to the client from a registration center according to the IP address.
In a possible design, when the third obtaining unit is configured to obtain the IP address of the request initiator, specifically, the third obtaining unit is configured to:
and acquiring the IP address of the client based on the connection mode of establishing connection with the client.
As shown in fig. 4, a third aspect of the embodiments of the present application provides a rights management device based on micro service invocation, including a memory, a processor, and a transceiver, which are sequentially connected in a communication manner, where the memory is used to store a computer program, the transceiver is used to send and receive a message, and the processor is used to read the computer program and execute the rights management method based on micro service invocation according to the first aspect of the embodiments.
By way of specific example, the memory may include, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a flash memory, a first-in-first-out memory (FIFO), a first-in-last-out memory (FILO), and/or the like; the processor may be, but is not limited to, a microprocessor of model number STM32F105, an ARM (Advanced RISC Machines) processor, an X86 processor, or a processor with an integrated NPU (neural-network processing unit); the transceiver may be, but is not limited to, a WiFi (wireless fidelity) wireless transceiver, a Bluetooth wireless transceiver, a General Packet Radio Service (GPRS) wireless transceiver, a ZigBee (a low-power local area network protocol based on the IEEE 802.15.4 standard) wireless transceiver, a 3G transceiver, a 4G transceiver, and/or a 5G transceiver, etc.
For the working process, the working details, and the technical effects of the apparatus provided in the third aspect of this embodiment, reference may be made to the first aspect of the embodiment, which is not described herein again.
A fourth aspect of the present embodiment provides a computer-readable storage medium storing instructions including the micro service call-based rights management method according to the first aspect of the present embodiment, that is, the computer-readable storage medium has instructions stored thereon, and when the instructions are executed on a computer, the micro service call-based rights management method according to the first aspect of the present invention is executed. The computer-readable storage medium refers to a carrier for storing data, and may include, but is not limited to, floppy disks, optical disks, hard disks, flash memories, flash disks and/or Memory sticks (Memory sticks), etc., and the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
For a working process, working details, and technical effects of the computer-readable storage medium provided in the fourth aspect of this embodiment, reference may be made to the first aspect of the embodiment, which is not described herein again.
A fifth aspect of the present embodiments provides a computer program product comprising instructions which, when run on a computer, are adapted to cause the computer to perform the method for microservice call-based rights management according to the first aspect of the embodiments, wherein the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus.
The embodiments described above are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a repository code combining means to execute the methods according to the embodiments or parts of the embodiments.
The invention is not limited to the above alternative embodiments, and any other various forms of products can be obtained by anyone in the light of the present invention, but any changes in shape or structure thereof, which fall within the scope of the present invention as defined in the claims, fall within the scope of the present invention.

Claims (10)

1. A permission management method based on micro-service invocation is characterized by comprising the following steps:
acquiring a calling request which is sent by a client and used for calling the micro-service;
acquiring a request Uniform Resource Locator (URL) according to the calling request;
acquiring an IP address of the client, and determining a micro-service identity corresponding to the client according to the IP address;
determining whether the client has an access right for accessing the micro service based on the micro service identity corresponding to the client, the request URL and a service right configuration table;
at least one group corresponding to the micro-service identity and an interface address corresponding to each group in the at least one group are configured in the service authority configuration table.
2. The method of claim 1, wherein determining whether the client has access rights to access the microservice based on a microservice identity corresponding to the client, the request URL, and a service rights configuration table comprises:
according to the micro service identity corresponding to the client, determining a group corresponding to the micro service identity corresponding to the client from the service authority configuration table;
judging whether the interface address corresponding to the group contains the interface address included in the request URL or not;
and if so, determining that the client has the access right to access the microservice.
3. The method of claim 1, wherein prior to obtaining a request Uniform Resource Locator (URL) from the invocation request, the method further comprises:
judging whether the calling request carries user information or not;
and if the user information is not carried, acquiring the request URL according to the calling request.
4. The method of claim 1, wherein determining the micro-service identity corresponding to the client according to the IP address comprises:
and determining the micro-service identity corresponding to the client from a registration center according to the IP address.
5. The method of claim 1, wherein the obtaining the IP address of the request originator comprises:
and acquiring the IP address of the client based on the connection mode of establishing connection with the client.
6. A rights management apparatus based on micro-service invocation, comprising:
the first acquisition unit is used for acquiring a calling request which is sent by a client and used for calling the micro service;
the second acquisition unit is used for acquiring a request Uniform Resource Locator (URL) according to the calling request;
a third obtaining unit, configured to obtain an IP address of the client, and determine, according to the IP address, a micro-service identity corresponding to the client;
the determining unit is used for determining whether the client has the access right for accessing the micro service based on the micro service identity corresponding to the client, the request URL and a service right configuration table;
at least one group corresponding to the micro-service identity and an interface address corresponding to each group in the at least one group are configured in the service authority configuration table.
7. The micro-service invocation-based rights management device according to claim 6, wherein when the determining unit is configured to determine whether the client has the access right to access the micro-service based on the micro-service identity corresponding to the client, the request URL and the service rights configuration table, the determining unit is specifically configured to:
according to the micro service identity corresponding to the client, determining a group corresponding to the micro service identity corresponding to the client from the service authority configuration table;
judging whether the interface address corresponding to the group contains the interface address included in the request URL or not; and
and when the interface address corresponding to the group contains the interface address included in the request URL, determining that the client has the access right to access the micro service.
8. The micro-service invocation-based rights management apparatus of claim 6, further comprising:
the judging unit is used for judging whether the calling request carries user information or not;
the second obtaining unit is used for obtaining the request URL according to the calling request under the condition that the calling request does not carry user information.
9. A permission management device based on micro-service calling, characterized in that: the device comprises a memory, a processor and a transceiver which are sequentially connected in a communication manner, wherein the memory is used for storing a computer program, the transceiver is used for receiving and sending messages, and the processor is used for reading the computer program and executing the micro-service call-based right management method according to any one of claims 1-5.
10. A computer-readable storage medium characterized by: the computer readable storage medium stores instructions for executing the micro service call-based rights management method according to any one of claims 1 to 5 when the instructions are executed on a computer.
CN202010621594.3A 2020-06-30 2020-06-30 Authority management method and device based on micro-service calling and storage medium Pending CN111786998A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010621594.3A CN111786998A (en) 2020-06-30 2020-06-30 Authority management method and device based on micro-service calling and storage medium

Publications (1)

Publication Number Publication Date
CN111786998A true CN111786998A (en) 2020-10-16

Family

ID=72760115

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010621594.3A Pending CN111786998A (en) 2020-06-30 2020-06-30 Authority management method and device based on micro-service calling and storage medium

Country Status (1)

Country Link
CN (1) CN111786998A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201016