CN112217882B - Distributed gateway system for service opening - Google Patents

Distributed gateway system for service opening

Info

Publication number: CN112217882B
Authority: CN (China)
Prior art keywords: service, management, access, control, data
Legal status: Active
Application number: CN202011024686.XA
Other languages: Chinese (zh)
Other versions: CN112217882A
Inventors: 舒南飞, 林文辉, 白雪珂
Current assignee: Aisino Corp
Original assignee: Aisino Corp


Classifications

    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L63/101 Network security: controlling access to devices or network resources by access control lists [ACL]
    • H04L63/105 Network security: controlling access with multiple levels of security
    • H04L67/133 Protocols for remote procedure calls [RPC]
    • H04L67/51 Network services: discovery or management thereof, e.g. service location protocol [SLP] or web services

Abstract

The invention discloses a distributed gateway system for service opening. It comprises: a service data management-and-control channel interface module, which generates the information used to manage and control externally published services; a service interface management-and-control data storage module, which stores that information; and a service call data channel interface module, which decides the access rights of a service call request from that information and completes the response to the request. Because the service call data channel interface module reads the management-and-control information produced by the service data management-and-control channel interface module from the shared store, each of the two channel modules can be scaled horizontally, so the gateway can manage a large number of open services under high concurrency and meet the performance demands of service opening: many published services, many applications and many service calls.

Description

Distributed gateway system for service opening
Technical Field
The invention belongs to the technical field of gateways, and particularly relates to a distributed gateway system for service opening.
Background
With the development of the internet, cloud computing, microservices, big data and artificial intelligence, companies and institutions have accumulated large data resources, domain-specific analytics and general AI perception capabilities through long-term operation, and the value of that data and technology needs to be maximized. Cloud computing and microservice technology are now mature enough to support service open platforms, through which data and technical capabilities are opened internally and externally as services, bringing great value to enterprises. Every large internet enterprise aims to build an open service ecosystem, so developers inside and outside the enterprise publish large numbers of service interfaces to the service open platform, operate the services outward and generate economic benefits.
So that service interface developers can focus on their service domain rather than on the release management flow, on authentication and authorization of open service access, and on collecting and analyzing service access data for operations, an easily integrated, high-performance gateway has become the key component of a service open platform. Large numbers of service publications, applications, user subscriptions and service calls often leave a naively implemented open gateway with low performance and long latency for service callers, giving a poor experience.
There is therefore a particular need for a gateway that meets the performance requirements of service open management under large numbers of service publications, applications, user subscriptions and service calls.
Disclosure of Invention
The invention aims to provide a distributed gateway system for service opening that meets the performance requirements of service opening under large numbers of service publications, applications and service calls.
To achieve this object, the invention provides a distributed gateway system for service opening comprising: a service data management-and-control channel interface module, which generates the external service management-and-control information; a service interface management-and-control data storage module, connected to the service data management-and-control channel interface module, which stores that information; and a service call data channel interface module, connected to the storage module, which decides the access rights of a service call request from that information and completes the response to the request.
Preferably, the external service management-and-control information comprises the basic information of each created externally published service, the basic information of each created client, the data of each access policy, and the access-right information. The service data management-and-control channel interface module creates an externally published service and stores its basic information in the service interface management-and-control data storage module; creates a client for the externally published service and stores the client's basic information in the storage module; defines access policies according to the policy requirements of the externally published service; associates each access policy with the externally published service by category and stores the policy data in the storage module; and associates a client with an access policy, generating access-right information that it stores in the storage module.
Preferably, the service call data channel interface module re-reads the external service management-and-control information from the storage module at a fixed, preset interval.
Preferably, the service call data channel interface module decides the access rights of a service call request in three stages: it verifies the caller's identity from the request and the management-and-control information; once identity verification passes, it verifies the caller's access right to the requested service; and once the access-right check passes, it evaluates the access-restriction policies that apply to the request.
Preferably, once the access-restriction policy checks pass, the request is forwarded to the back-end service, which completes the response.
Preferably, identity is verified with the JWT standard, and a user's access right is decided with an access control list (ACL) together with JWT verification.
Preferably, access rights are alternatively decided with OAuth 2.0 token validation.
Preferably, the access-restriction policies comprise service access rate limits, service access packet size limits, and service access IP black-and-white list control.
Preferably, the service data management-and-control channel interface module, the service call data channel interface module and the service interface management-and-control data storage module are deployed together in a layered, hierarchical arrangement.
Preferably, the hierarchy is arranged according to the access-restriction policies.
The beneficial effect of the invention is that the service call data channel interface module reads the external service management-and-control information generated by the service data management-and-control channel interface module from the service interface management-and-control data storage module, which allows horizontal scaling: the gateway can manage a large number of open services under high concurrency and meets the performance requirements of service opening under large numbers of service publications, applications and service calls.
The method of the present invention has other features and advantages which will be apparent from or are set forth in detail in the accompanying drawings and the following detailed description, which are incorporated herein, and which together serve to explain certain principles of the invention.
Drawings
The foregoing and other objects, features and advantages of the invention will be apparent from the following more particular descriptions of exemplary embodiments of the invention as illustrated in the accompanying drawings wherein like reference numbers generally represent like parts throughout the exemplary embodiments of the invention.
Fig. 1 shows a block diagram of a distributed gateway system for service opening according to one embodiment of the invention.
Fig. 2 shows a hierarchical set-up diagram of a distributed gateway system for service opening according to one embodiment of the present invention.
Description of the reference numerals
102. service data management-and-control channel interface module; 104. service interface management-and-control data storage module; 106. service call data channel interface module.
Detailed Description
Preferred embodiments of the present invention will be described in more detail below. While the preferred embodiments of the present invention are described below, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
A distributed gateway system for service opening according to the invention comprises: a service data management-and-control channel interface module, which generates the external service management-and-control information; a service interface management-and-control data storage module, connected to the service data management-and-control channel interface module, which stores that information; and a service call data channel interface module, connected to the storage module, which decides the access rights of a service call request from that information and thereby completes the response to the request.
Specifically, the distributed gateway consists of a service data management-and-control channel interface module, a service call data channel interface module and a service interface management-and-control data storage module. The two channel interface modules can each consist of multiple instances, presented in the gateway through a unified service interface; the storage module is a storage component shared by both channel modules. The service data management-and-control channel interface module reads and writes the storage module; the service call data channel interface module only reads it, fetching the basic information of service interfaces and users, the service access control information, and so on.
The service data management-and-control channel interface module generates the external service management-and-control information (interface creation, client management and permission control for externally published services) and stores it in the storage module. The service call data channel interface module periodically reads and updates that information from the storage module and caches it for service access authorization, service routing, service call data collection and so on. Both channel modules can be scaled horizontally to raise concurrency: the management-and-control information lives in an external shared database or file, and each service call data channel instance periodically reads and updates it, so the management data of every data access channel stays synchronized.
The external interfaces of the service call data channel interface module and the service data management-and-control channel interface module are implemented in different components and can be scaled horizontally independently. The service call data channel interface module performs service access policy checks, log collection and so on for external callers; the service data management-and-control channel interface module implements service publication, user creation and user permission management, and writes the published services' basic information, the policy information for users accessing specific services, and the data collection configuration into the storage module.
In an exemplary embodiment, the service call data channel interface module reads the external service management-and-control information generated by the service data management-and-control channel interface module from the storage module, which enables horizontal scaling: the gateway can manage a large number of open services under high concurrency and meets the performance requirements of service opening under large numbers of service publications, applications and service calls.
As a preferred scheme, the external service management-and-control information comprises the basic information of each created externally published service, the basic information of each created client, the data of each access policy, and the access-right information. The service data management-and-control channel interface module creates an externally published service and stores its basic information in the service interface management-and-control data storage module; creates a client for the externally published service and stores the client's basic information in the storage module; defines access policies according to the policy requirements of the externally published service; associates each access policy with the externally published service by category and stores the policy data in the storage module; and associates a client with an access policy, generating access-right information that it stores in the storage module.
Specifically, the service data management-and-control channel interface module implements service-opening management and control in the following flow:
(1) Creation of externally open services
Take a back-end service that is to be opened externally and create the service interface that will be published through the gateway. The key fields recorded for the published service are its externally visible path, the protocol used to reach the back end (http or https), and the back-end service's IP address, port number and path. The basic information of the published service is stored in the service interface management-and-control data storage module, which can be a database or a file: in a production environment where the open platform manages many service interfaces a database is used, while a test environment can store the data in files.
(2) Creation of users
Create a unique identifier for each application that accesses the open services through the platform; this identifies the corresponding client, i.e. the client of the externally published service. The client's basic information (the user ID generated by the gateway, user name, creation time, etc.), which uniquely identifies the accessing application, is stored in the storage module.
(3) Service access policy control settings
In the service data management-and-control channel interface module, access policies are configured per open service in plug-in form according to each service's policy requirements. Access policies include a user identity authentication policy; an access authorization policy for the specific service; a rate limit (a cap on the number of accesses per unit time); a packet size limit for service access; and a black-and-white list of application IP addresses permitted to access the service. The policies are associated with the open services by category and the policy data is stored in the storage module.
(4) User authorization settings
When a user needs to access a specific service, the user authorization function in the service data management-and-control channel interface module associates the created client with the configured access policies, which authorizes that specific user for that specific service; the resulting right information is stored in the storage module.
(5) Data synchronization across multiple instances
When the service data management-and-control channel interface module runs as multiple instances, i.e. when several instances provide its functions, the instances work on different tasks. A call to the management interface is handled by one of the instances: if that instance has already cached the latest management-and-control information, it operates on the cached data directly and writes the result back into the management-and-control information in the storage module; if it has not, it reads the data from the storage module in real time, performs the operation, caches the result, and writes both the management-and-control information and the operation result to the storage module.
In this multi-instance scenario each instance of the service data management-and-control channel interface module periodically reads the management-and-control data from the service interface management-and-control data storage module, which keeps the data consistent across instances.
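The control-plane flow of steps (1) to (5) above, written out as a worked example. This is an added illustration, not code from the patent or from Aisino: the SQLite schema, the single-row version counter that lets a poller skip unchanged reloads, the policy kinds and all names are assumptions. ControlPlane is the read/write side (module 102), open_store stands in for the shared database or file (module 104), and DataPlaneCache is the read-only view that a service call data channel instance (module 106) refreshes on a fixed interval (2 seconds in the description).

```python
import json
import sqlite3
import time
import uuid

# Assumed schema for the shared store (module 104). SQLite stands in for the patent's
# "database or file"; the single-row version table lets pollers skip unchanged reloads.
SCHEMA = """
CREATE TABLE IF NOT EXISTS services (name TEXT PRIMARY KEY, upstream TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS clients (client_id TEXT PRIMARY KEY, name TEXT NOT NULL, created REAL NOT NULL);
CREATE TABLE IF NOT EXISTS policies (service TEXT NOT NULL, kind TEXT NOT NULL, params TEXT NOT NULL, PRIMARY KEY (service, kind));
CREATE TABLE IF NOT EXISTS acl (service TEXT NOT NULL, client_id TEXT NOT NULL, PRIMARY KEY (service, client_id));
CREATE TABLE IF NOT EXISTS version (id INTEGER PRIMARY KEY CHECK (id = 1), v INTEGER NOT NULL);
INSERT OR IGNORE INTO version (id, v) VALUES (1, 0);
"""

POLICY_KINDS = {"rate_limit", "max_body", "ip_list"}   # the policy categories the patent names


def open_store(path=":memory:"):
    """Open the shared store; in production every instance opens the same database."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


class ControlPlane:
    """Module 102: publishes services, creates clients, sets policies, authorises clients."""

    def __init__(self, conn):
        self.conn = conn

    def _bump(self):
        self.conn.execute("UPDATE version SET v = v + 1 WHERE id = 1")

    def publish_service(self, name, scheme, host, port, path):
        """Step (1): record the back-end protocol, address, port and path."""
        if scheme not in ("http", "https"):
            raise ValueError("back-end scheme must be http or https")
        upstream = f"{scheme}://{host}:{port}{path}"
        with self.conn:
            self.conn.execute("INSERT INTO services VALUES (?, ?)", (name, upstream))
            self._bump()
        return upstream

    def create_client(self, display_name):
        """Step (2): the gateway generates the client's unique identifier."""
        client_id = uuid.uuid4().hex
        with self.conn:
            self.conn.execute("INSERT INTO clients VALUES (?, ?, ?)",
                              (client_id, display_name, time.time()))
            self._bump()
        return client_id

    def set_policy(self, service, kind, **params):
        """Step (3): attach one policy of a given kind to a service."""
        if kind not in POLICY_KINDS:
            raise ValueError(f"unknown policy kind {kind!r}")
        with self.conn:
            self.conn.execute("INSERT OR REPLACE INTO policies VALUES (?, ?, ?)",
                              (service, kind, json.dumps(params)))
            self._bump()

    def authorise(self, client_id, service):
        """Step (4): an ACL row is the stored access-right information."""
        with self.conn:
            if not self.conn.execute("SELECT 1 FROM clients WHERE client_id = ?", (client_id,)).fetchone():
                raise KeyError("unknown client")
            if not self.conn.execute("SELECT 1 FROM services WHERE name = ?", (service,)).fetchone():
                raise KeyError("unknown service")
            self.conn.execute("INSERT OR IGNORE INTO acl VALUES (?, ?)", (service, client_id))
            self._bump()


class DataPlaneCache:
    """Module 106's read-only view: polls at most once per `interval` seconds, reloads on change."""

    def __init__(self, conn, interval=2.0, clock=time.monotonic):
        self.conn, self.interval, self.clock = conn, interval, clock
        self.version, self.last_poll = -1, None
        self.services, self.policies, self.acl = {}, {}, {}

    def refresh(self, force=False):
        """Return True when the cache was reloaded from the store."""
        now = self.clock()
        if not force and self.last_poll is not None and now - self.last_poll < self.interval:
            return False
        self.last_poll = now
        (version,) = self.conn.execute("SELECT v FROM version WHERE id = 1").fetchone()
        if version == self.version:
            return False
        self.services = dict(self.conn.execute("SELECT name, upstream FROM services"))
        self.policies, self.acl = {}, {}
        for service, kind, params in self.conn.execute("SELECT service, kind, params FROM policies"):
            self.policies.setdefault(service, {})[kind] = json.loads(params)
        for service, client_id in self.conn.execute("SELECT service, client_id FROM acl"):
            self.acl.setdefault(service, set()).add(client_id)
        self.version = version
        return True

    def is_authorised(self, client_id, service):
        return client_id in self.acl.get(service, set())
```

The injectable clock is what makes the polling behaviour visible: an authorization written between two polls is invisible to the data plane until the next poll, which is exactly the consistency window an operator accepts when choosing the interval, and it applies to revocations as much as to grants.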
Preferably, the service call data channel interface module re-reads the external service management-and-control information from the service interface management-and-control data storage module at a fixed, preset interval.
As a preferred solution, the service call data channel interface module decides the access rights of a service call request from the external service management-and-control information in three stages: it verifies the caller's identity from the request and the management-and-control information; once identity verification passes, it verifies the caller's access right to the requested service; and once the access-right check passes, it evaluates the access-restriction policies that apply to the request.
Based on the service call request and the external service management-and-control information, the service call data channel interface module serves a client's call to a service in the following flow:
(1) Periodically read the external service management-and-control information from the service interface management-and-control data storage module. This comprises:
the routing information that links the open service to its back end, i.e. the upstream service address, port number, back-end service path, etc.;
the scenario-specific control policies of the service, such as the service's rate-limit policy data, the rate-limit policy data for a given user accessing a given service, and the black-and-white list policy data for source IP addresses accessing the service;
the basic information used to authenticate and authorize users for the specific service, mainly the service's identity, its authentication type and its authorization type. Authentication and authorization can be performed through a service access control list (ACL); identity authentication can use JWT; authorization can use OAuth 2.0.
(2) In a multi-instance deployment, the management-and-control data is re-read from the storage module at a fixed interval to refresh the cache, so per-request processing stays cheap. The optimal polling interval is 2 seconds.
(3) User identity verification
When the client's authentication type for the service is set to JWT, identity verification means validating the JWT token the user sends.
(4) Access authorization check
Whether a user may access a specific service is decided in one of two ways:
(a) With JWT identity authentication, the gateway checks that the JWT token is valid and that the user is in the access control list (ACL) of the specific service; if the user is in the service's ACL the authorization decision is complete and access is granted, otherwise access is refused;
(b) With OAuth 2.0 authorization, the gateway validates the OAuth 2.0 token carried in the application's request to decide whether the request may access the specific service.
(5) Route the request to the back-end service address and respond
After the identity and authorization checks of steps (3) and (4) pass, the access-restriction policies are evaluated: service access rate limit, service access packet size limit, service access black-and-white list, etc. Once the configured policy checks pass, the request is routed to the back-end service and the response is completed.
(6) Multi-instance scenario
When the service call data channel interface module runs as multiple instances, i.e. when several instances provide its functions, the instances work on different tasks. Because each instance reads the management-and-control data from the storage module at a fixed interval, the computation for identity authentication, authorization decisions, log collection and so on scales horizontally, meeting the low-latency requirement for gateway request handling under high concurrency.
The service call data channel interface module reads the configured policy information from the external service management-and-control information and performs permission verification, service routing and forwarding, logging and so on when a service is called.
Both the service call data channel interface module and the service data management-and-control channel interface module can be scaled simply by adding instances.
Preferably, once the access-restriction policy checks on the service call request pass, the request is forwarded to the back-end service, which completes the response.
Specifically, once the service call data channel interface module's access-restriction policy checks on the request pass, the request is forwarded to the back-end service, the back end being the one wired to the corresponding published interface.
As a preferred scheme, identity is verified with the JWT standard, and a user's access right is decided with an access control list (ACL) together with JWT verification.
Preferably, access rights are alternatively decided with OAuth 2.0 token validation.
Specifically, identity authentication uses JWT verification. Access rights are decided in one of two ways: (1) with JWT identity authentication, the gateway checks that the JWT token is valid and that the user is in the access control list (ACL) of the specific service; if the user is in the service's ACL the authorization decision is complete and access is granted, otherwise access is refused; (2) with OAuth 2.0 authorization, the gateway validates the OAuth 2.0 token carried in the application's request to decide whether the request may access the specific service.
Preferably, the access-restriction policies comprise service access rate limits, service access packet size limits, and service access IP black-and-white list control.
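Steps (3) to (5) of the data-plane flow above, together with the JWT/ACL, OAuth 2.0 and access-restriction policy statements restated here, as one worked request pipeline. This is an added example, not the patent's or Aisino's code; the cached control-data shape (Service), the HS256 JWT carrying sub and exp claims, the introspect callback standing in for an OAuth 2.0 introspection endpoint, the sliding-window rate limiter and the status codes are all assumptions.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256_sign(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; used here only to build sample input."""
    head, body = b64url_encode(b'{"alg":"HS256","typ":"JWT"}'), b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def jwt_hs256_verify(token: str, key: bytes, now: float):
    """Claims of a valid, unexpired HS256 token, else None. The algorithm is pinned (an alg=none
    or RS256 header is rejected, not honoured), the MAC is compared in constant time, and the
    'sub' and 'exp' claims are mandatory."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        return claims if isinstance(claims.get("sub"), str) and float(claims["exp"]) > now else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None


@dataclass
class Service:                                     # cached control data for one open service
    name: str
    upstream: str                                  # back-end base URL
    auth_type: str                                 # "jwt" (identity + ACL) or "oauth2" (scope)
    acl: set = field(default_factory=set)          # client ids allowed in jwt mode
    rate_limit: int = 0                            # requests per window per client; 0 = none
    window: float = 60.0                           # seconds
    max_body: int = 0                              # bytes; 0 = no limit
    ip_allow: list = field(default_factory=list)   # CIDRs; empty = no allow-list
    ip_deny: list = field(default_factory=list)    # CIDRs; deny wins over allow


class Gateway:
    """One data-plane instance. `introspect(token)` stands in for an OAuth 2.0 introspection
    endpoint and returns an RFC 7662-shaped dict; `clock` is injectable for testing."""

    def __init__(self, services, jwt_key: bytes, introspect, clock=time.time):
        self.services = {s.name: s for s in services}
        self.jwt_key, self.introspect, self.clock = jwt_key, introspect, clock
        self.hits = defaultdict(deque)             # (service, client) -> recent request times

    def handle(self, service_name, client_ip, path, headers, body=b""):
        """Return (status, detail); on 200 the detail is the upstream URL the request goes to."""
        svc = self.services.get(service_name)
        if svc is None:
            return 404, "unknown service"
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        token, now = auth[len("Bearer "):], self.clock()
        if svc.auth_type == "jwt":                 # steps (3) and (4a): identity, then ACL
            claims = jwt_hs256_verify(token, self.jwt_key, now)
            if claims is None:
                return 401, "invalid or expired jwt"
            client = claims["sub"]
            if client not in svc.acl:
                return 403, "client not in service acl"
        elif svc.auth_type == "oauth2":            # step (4b): active, unexpired, in-scope token
            info = self.introspect(token)
            if not info.get("active") or float(info.get("exp", 0)) <= now \
                    or service_name not in str(info.get("scope", "")).split():
                return 403, "oauth2 token not valid for this service"
            client = str(info.get("client_id", "anonymous"))
        else:
            return 500, "misconfigured auth type"
        # Step (5): access-restriction policies; cheap rejections come first so a blocked
        # source or oversized body does not consume the caller's rate budget.
        if not self._ip_allowed(svc, client_ip):
            return 403, "source ip blocked"
        if svc.max_body and len(body) > svc.max_body:
            return 413, "request body exceeds limit"
        if svc.rate_limit:                         # sliding-window count per (service, client)
            recent = self.hits[(svc.name, client)]
            while recent and recent[0] <= now - svc.window:
                recent.popleft()
            if len(recent) >= svc.rate_limit:
                return 429, "rate limit exceeded"
            recent.append(now)
        return 200, svc.upstream + path            # route to the back-end address

    @staticmethod
    def _ip_allowed(svc, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(c) for c in svc.ip_deny):
            return False
        return not svc.ip_allow or any(addr in ipaddress.ip_network(c) for c in svc.ip_allow)
```

Two details matter beyond what the description states: the verifier pins the algorithm instead of reading it from the token header, so an alg=none or key-confusion token is rejected, and the ACL check is keyed on the verified sub claim, never on a client identifier the caller supplies in a separate header.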
As a preferred scheme, the service data management control channel interface module, the service call data channel interface module and the service interface management data storage module are integrally arranged in a layered and hierarchical mode.
Specifically, the service data management control channel interface module and the service call data channel interface module can be deployed in multiple instances, and the service is integrated to provide interface interaction between each component of the gateway. Specifically, best practices may container the service data management control channel interface module and the service invocation data channel interface module and use the container orchestration of kubernetes to provide interfaces to the outside in the form of services of kubernetes.
The gateway designed by the invention can be built in a layered manner, and the same layer can load the data of the access data request and the result response data to the gateway component closest to the back-end service according to an equilibrium strategy according to the access concurrency.
The layered construction of the service open gateway mainly comprises isolating back-end businesses and building them independently, with the service access control policies built in series, one after another. Specifically, a service open gateway built as a two-level hierarchical network topology is as follows:
1) The outermost gateway faces the service caller/application client directly and can be built as a distributed gateway on higher-performance physical servers. The three components of the outermost gateway (the service data management control channel interface module, the service call data channel interface module and the service interface management data storage module) are all deployed on the physical servers; when lateral expansion is needed, physical hosts are added.
2) The gateway close to the server can be deployed on a cloud platform or a micro-service platform to realize more flexible expansion.
3) During service registration, two-stage registration is performed: from the back-end service to the back-end gateway open service, and then to the outer gateway and the final open service, so that service opening is realized.
4) Specifically, in the release process from the back-end service to the back-end gateway open service, similar services can be registered to a specific back-end gateway according to set principles such as business type, concurrency and service access policy, so as to isolate the released services from one another. In this way, which back-end gateway a given service is registered to can be decided by the service access domain name, service users, service type and the like of that back-end gateway's services. The opened services are thereby isolated, and a specific back-end gateway can be expanded according to its concurrent access volume, the delay the gateway incurs in verifying access control policies, and the like.
5) After the back-end service is released at the innermost gateway, it is registered to the outer gateway, so that the service opening chain from back-end gateway open service to outer gateway to final open service is realized.
6) When service access policies are set, the access control policies of a specific service can be implemented in the outer gateway and the inner gateway respectively, rather than all being passed at a single gateway, so that access control is verified quickly. For example, policy controls such as the service access IP black-and-white list, user access flow control, identity verification, access authorization and service call data acquisition can be verified at gateways of different levels. Policies that apply globally, such as service call data acquisition, the service access IP black-and-white list and user access flow control, are verified at the outer gateway; identity verification and access authorization, whose judgment types are set when each service is created and which carry a certain computational cost, are placed in the back-end gateway.
Through the layered construction of the gateway, gateway components at different levels can be expanded according to the processing and computational cost of the different policies, so that the gateway returns the response of the back-end service efficiently.
Preferably, the hierarchical setting is performed according to access-defined policies.
Specifically, the different access control policies of the same service can be implemented at different levels; service call collection can be implemented at the gateway layer closest to the back-end service, which addresses the efficiency problems of multi-service open management and of multi-user, multi-service concurrency. Judging different access control policies at different levels improves processing efficiency and reduces the service access delay caused by gateway control.
Through the layered construction of service gateways, the service call access data channels are built in layers: checks with a smaller computational cost, such as the service access IP black-and-white list and service access rate limiting, are placed on the outermost layer, while functions with a higher computational cost, such as service caller identity authentication, service request authority judgment and service call log analysis, are implemented on the inner gateway, reducing the delay that gateway access control, data acquisition and the like add to back-end service opening.
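Added example (not code from the patent) of the layered check order described above, using the access-limited policies listed earlier: the outer layer runs the cheap checks (IP black-and-white list, body-size limit, per-client rate limit) and the inner layer the costly ones (identity and ACL). Policy values, IP addresses and the token-to-user map are constructed; the identity step is a stand-in lookup rather than real JWT/OAuth2 verification.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class Request:
    client_ip: str
    service: str
    body_bytes: int
    token: Optional[str]  # None when the caller sent no credential
    now: float            # arrival time in seconds

@dataclass
class ServicePolicy:
    """Access-limited policies named in the text plus the inner layer's ACL (values constructed)."""
    ip_blacklist: Set[str] = field(default_factory=set)
    ip_whitelist: Set[str] = field(default_factory=set)  # empty set = no whitelist restriction
    max_body_bytes: int = 64 * 1024
    rate_limit: int = 5                                  # requests per window per client IP
    window_seconds: float = 60.0
    acl: Set[str] = field(default_factory=set)

Stage = Callable[[Request, ServicePolicy], Optional[str]]  # rejection reason, or None to continue
_HITS: Dict[Tuple[str, str], List[float]] = {}            # sliding-window state per (service, client IP)
# Stand-in for the inner layer's identity step (JWT/OAuth2 in the patent): constructed token -> user.
KNOWN_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

def ip_list_check(req: Request, pol: ServicePolicy) -> Optional[str]:
    if req.client_ip in pol.ip_blacklist:
        return "client IP blacklisted"
    if pol.ip_whitelist and req.client_ip not in pol.ip_whitelist:
        return "client IP not whitelisted"
    return None

def body_size_check(req: Request, pol: ServicePolicy) -> Optional[str]:
    return None if req.body_bytes <= pol.max_body_bytes else "request body exceeds size limit"

def rate_limit_check(req: Request, pol: ServicePolicy) -> Optional[str]:
    key = (req.service, req.client_ip)
    recent = [t for t in _HITS.get(key, []) if req.now - t < pol.window_seconds]
    _HITS[key] = recent  # drop hits that fell out of the window
    if len(recent) >= pol.rate_limit:
        return "rate limit exceeded"
    recent.append(req.now)
    return None

def authn_check(req: Request, pol: ServicePolicy) -> Optional[str]:
    return None if req.token in KNOWN_TOKENS else "authentication failed"

def acl_check(req: Request, pol: ServicePolicy) -> Optional[str]:
    return None if KNOWN_TOKENS.get(req.token) in pol.acl else "user not in service ACL"

# Layer order mirrors the text: cheap checks at the outer gateway, costly ones at the inner one.
LAYERS: List[Tuple[str, List[Stage]]] = [
    ("outer", [ip_list_check, body_size_check, rate_limit_check]),
    ("inner", [authn_check, acl_check]),
]

def handle(req: Request, policies: Dict[str, ServicePolicy]) -> Tuple[bool, str, str]:
    """Run the request through both layers; return (forwarded?, deciding layer, reason)."""
    pol = policies.get(req.service)
    if pol is None:
        return False, "outer", "unknown service"
    for layer, stages in LAYERS:
        for stage in stages:
            reason = stage(req, pol)
            if reason is not None:
                return False, layer, reason
    return True, "inner", "forwarded to backend"
```

A request rejected at the outer layer never costs the inner gateway an identity or ACL lookup, which is the delay saving the text describes.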
The service call data channel interface module and the service data management control channel interface module can be deployed independently, isolating service call requests from service management operations in high-concurrency scenarios, and realizing distributed lateral expansion of the service call data channel and of the service open management data control channel.
The service data management control channel interface module can write the service, user and authority management data to external storage, usually an external database or file, for multiple instances of the service call data channel interface module to read. The service call data channel interface module caches this service management control data and periodically reads and updates it from the external storage, so that the service management control data is kept up to date across the different service call data channels.
To increase the security of the service open distributed gateway, the service management interface of the service data management control channel interface module can itself be registered in the service call data channel interface module and granted access control authority for a specific management account, so that the service data management control channel interface module is exposed as a service and accessed through the service call data channel interface module, which simplifies management of the distributed gateway and strengthens access security for the service data management control channel interface.
The multiple instances of the service data management control channel interface module and of the service call data channel interface module can be registered to a registration center component, which can be implemented with zookeeper, etcd and the like, so that high availability of both modules is achieved. Requests for the two components are load-balanced through the registry to an available back-end service data management control channel instance or service call data channel instance.
Example 1
Fig. 1 shows a block diagram of a distributed gateway system for service opening according to one embodiment of the invention. Fig. 2 shows a hierarchical set-up diagram of a distributed gateway system for service opening according to one embodiment of the present invention.
As shown in fig. 1 and 2 together, the distributed gateway system for service opening includes: a service data management control channel interface module 102, which generates external service management and control related information; a service interface management and control data storage module 104, connected with the service data management and control channel interface module 102, which stores the external service management and control related information; and a service call data channel interface module 106, connected with the service interface management and control data storage module 104, which judges the access authority of a call service request based on the external service management and control related information, so as to complete the response to the service request.
The external service management and control related information comprises created external release service basic information, created user side basic information, data information of an access strategy and access right information; the service data management control channel interface module 102 creates an external release service and stores the created basic information of the external release service in the service interface management control data storage module 104; creating a user side for issuing service externally, and storing the created user side basic information in a service interface management and control data storage module 104; setting an access strategy according to the strategy requirement of the external release service; associating the access policies with the external release service according to categories, and storing data information of the access policies into the service interface management and control data storage module 104; the user side and the access policy are associated, access rights information is generated, and the access rights information is stored in the service interface management and control data storage module 104.
The service invocation data channel interface module 106 reads the external service management and control related information from the service interface management and control data storage module 104 every preset period.
The service invocation data channel interface module 106 determines, based on the information related to external service management and control, access rights of invoking the service request, including: the service call data channel interface module 106 verifies the user identity authentication of the call service request based on the information of the call service request and the information related to external service management and control; after the user identity authentication verification of the call service request is passed, verifying the access right of the call service request; and after the access authority verification of the call service request is passed, verifying the strategy limited by the access of the call service request.
After the policy check of the access limit of the call service request is passed, the call service request is forwarded to the back-end service to complete the service request response.
User identity authentication is performed by using the JWT (JSON Web Token) verification standard; and the access authority of the user is judged by using an access control list (ACL) together with the JWT verification standard.
Wherein, OAUTH2 verification standard is used to judge the access authority.
Wherein the access-defined policies include service access traffic restrictions, service access packet size restrictions, and service access black-and-white list control.
The service data management control channel interface module, the service call data channel interface module and the service interface management data storage module are integrally arranged in a layered and hierarchical mode.
Hierarchical setting is performed according to the access-defined policies.
The foregoing description of embodiments of the invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various embodiments described.

Claims (8)

1. A distributed gateway system for service opening, comprising:
the service data management control channel interface module generates external service management and control related information;
the service interface management and control data storage module is connected with the service data management and control channel interface module and is used for storing the external service management and control related information;
the service calling data channel interface module is connected with the service interface management and control data storage module, and judges the access right of a calling service request based on the external service management and control related information to complete the response of the service request;
the service data management control channel interface module and the service call data channel interface module can be deployed in multiple instances and integrate services to provide interaction between each component of the gateway; the service data management control channel interface module and the service call data channel interface module can be transversely expanded;
the service data management control channel interface module, the service call data channel interface module and the service interface management data storage module are arranged in a layered and hierarchical mode; hierarchical setting is performed according to the access-defined strategy; gateway components of the same layer can load-balance the access data request and the result response data to the gateway component closest to the back-end service according to an equilibrium strategy based on the access concurrency.
2. The distributed gateway system for service opening according to claim 1, wherein the external service management and control related information includes created external distribution service basic information, created user side basic information, data information of access policy, and access right information;
the service data management control channel interface module creates an external release service and stores the created basic information of the external release service in the service interface management control data storage module;
creating a user side for issuing service externally, and storing the created user side basic information in the service interface management and control data storage module;
setting an access strategy according to the strategy requirement of the external release service;
associating the access strategy with the external release service according to the category, and storing the data information of the access strategy into a service interface management and control data storage module;
and associating the user side with the access policy, generating access right information, and storing the access right information into a service interface management and control data storage module.
3. The distributed gateway system for service opening according to claim 2, wherein the service invocation data channel interface module reads the external service management and control related information from the service interface management and control data storage module every predetermined period of time.
4. The distributed gateway system for service opening according to claim 3, wherein the service invocation data channel interface module determining access rights for invoking a service request based on the external service management-related information comprises:
the service calling data channel interface module verifies the user identity authentication of the calling service request based on the information of the calling service request and the information related to external service management and control;
after the user identity authentication verification of the call service request is passed, verifying the access right of the call service request;
and after the access authority verification of the call service request is passed, verifying the access-limited strategy of the call service request.
5. The distributed gateway system for service opening according to claim 4, wherein after the policy check of the access limit of the call service request is passed, the call service request is transferred to a backend service to complete a service request response.
6. The distributed gateway system for service opening of claim 4,
user identity authentication is performed by using a JWT verification standard;
and judging the access authority of the user by using a control list ACL and a JWT verification standard.
7. The distributed gateway system for service opening according to claim 6, wherein the determination of access rights is made using OAUTH2 authentication criteria.
8. The distributed gateway system for service opening of claim 4, wherein the access-defined policies include service access traffic restrictions, service access packet size restrictions, and service access black-and-white list control.
CN202011024686.XA 2020-09-25 2020-09-25 Distributed gateway system for service opening Active CN112217882B (en)

Publications (2)

Publication Number Publication Date
CN112217882A CN112217882A (en) 2021-01-12
CN112217882B true CN112217882B (en) 2024-03-26
