CN112416528A - Method for realizing non-invasive micro-service room interface safe calling - Google Patents


Info

Publication number
CN112416528A
Authority
CN
China
Prior art keywords
application
key
mscp
container
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011405345.7A
Other languages
Chinese (zh)
Other versions
CN112416528B (en)
Inventor
邱平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Funo Mobile Communication Technology Co ltd
Original Assignee
Fujian Funo Mobile Communication Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujian Funo Mobile Communication Technology Co ltd
Priority to CN202011405345.7A
Publication of CN112416528A
Application granted
Publication of CN112416528B
Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

The invention relates to a method for realizing non-invasive secure calling of interfaces between micro-services. A main application MS_A and a main application MS_B are deployed on different Kubernetes nodes Pod_A and Pod_B respectively, and the containers that carry the main applications are MSC_A and MSC_B respectively. An Init container and a companion container are configured on both Pod nodes, and the function module MSCP is deployed and run on the companion container. The application publishing and deploying system records the application name MS_NAME corresponding to the main application image, the application image MD5 value MS_MD5, the communication key MS_KEY and the list of other applications the application may access into the Config Server. The MSCP reads the MD5 value of the main application image and compares it with the MD5 value registered in the Config Server, which verifies the identity of the main application and ensures that the application has not been tampered with. The MSCP adds the key of MS_A and the key of MS_B to form a combined key MS_KEY_A + MS_KEY_B; the MSCP service of MS_B intercepts the encrypted message sent to MS_B by the MSCP of MS_A, checks the MD5 value of MS_B again, and forwards the decrypted message to MS_B. The invention confirms application identity and prevents the main application from being counterfeited or tampered with.

Description

Method for realizing non-invasive micro-service room interface safe calling
Technical Field
The invention relates to the technical field of computer micro-service development, in particular to a method for realizing non-invasive micro-service interface secure calling.
Background
Under the micro-service architecture, a system is divided by business function into a number of micro-services, each with a single responsibility. Each micro-service exposes its own set of APIs for other micro-services to call, so the question is how to secure those APIs: how to prevent micro-service API interfaces from being accessed arbitrarily without authorization, and how to avoid security problems such as counterfeiting, eavesdropping, tampering and replay attacks on API calls between micro-services.
Existing technical solutions are implemented in the following ways:
1. JWT or OAuth2 authentication: the two approaches are very similar. The user provides information to an authentication server, which validates the transmitted information; if authentication succeeds, a token (with an expiration time set) is returned. The user then carries the token on each access, and the protected interface performs authentication.
2. HTTPS link encryption: the micro-services communicate over the HTTPS protocol, and HTTPS encrypts the communication link, which secures interface calls and data transmission.
JWT or OAuth2 authentication solves only the authentication problem for calls between micro-services; it does not solve interception and falsification of interface message data, and both authentication methods require some invasive modification of the micro-service application or its configuration.
Although HTTPS encrypts the communication link, it has some impact on interface call performance, and if the caller must be authenticated, HTTPS mutual authentication is required, which places higher demands on performance and deployment complexity.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a method for realizing non-invasive secure calling of interfaces between micro-services, which solves the access control and data security problems of calls between micro-services with little intrusion into the application and little awareness on its part; secure communication between applications is achieved through transparent traffic hijacking by a companion container together with filtering and interception of messages.
The invention is realized by the following scheme: a method for realizing non-invasive secure calling of interfaces between micro-services comprises the following steps:
Step S1: providing two micro-service applications MS_A and MS_B, deployed respectively on two different Kubernetes nodes Pod_A and Pod_B, where the containers that carry them, namely the main application containers, are MSC_A and MSC_B respectively; meanwhile, one companion container is deployed for each main application container on the Pod_A and Pod_B nodes, and the companion containers corresponding to MSC_A and MSC_B are PXC_A and PXC_A respectively;
Step S2: configuring a special container, namely an Init container, on the Pod nodes Pod_A and Pod_B; this container runs before the main application container and the companion container start. An iptables command or script is configured and run in the Init container so that the companion container achieves transparent traffic hijacking: according to the global micro-service address range and port range, the iptables commands forward to the companion container both the main application container's traffic to external micro-services and external micro-services' traffic to the main application container;
Step S3: deploying and running a key function module, namely the micro-service communication proxy module (MSCP) service, on each of the two companion containers, to carry out steps S4 to S7;
Step S4: each time the Kubernetes application publishing and deploying system updates the main application images of the main application containers MSC_A and MSC_B, it records the application name MS_NAME corresponding to the image, the application image MD5 value MS_MD5, the communication key MS_KEY and the list of other applications that the application may access into the Config Server of the micro-service framework; the Config Server synchronizes this information to all MSCP services, so that every MSCP service obtains the names, image MD5 values, keys and accessible target application lists of all applications;
Step S5: when MS_A calls MS_B, the MS_A service generates a request message and sends it to the MS_B service; the MSCP service deployed on MS_A's companion container PXC_A intercepts the request message and performs a validity check;
Step S6: after the identity and access authority of the calling main application MS_A have been confirmed in step S5, the MSCP adds the key of MS_A and the key of MS_B to form a combined key MS_KEY_A + MS_KEY_B, symmetrically encrypts the message with the combined key, and sends the encrypted request message to the peer service, namely MS_B;
Step S7: the MSCP service deployed in MS_B's companion container intercepts the encrypted message sent to MS_B by the MSCP of MS_A; it first performs authentication according to the caller identification, then, once authentication passes, decrypts the message with the combined key MS_KEY_A + MS_KEY_B according to the caller's application identification, and finally, after checking the MD5 value of MS_B again, forwards the decrypted message to MS_B. This completes one call between the MS_A application and the MS_B application.
Further, the validity check in step S5 specifically includes the following steps:
Step SA: the MSCP reads the MD5 value of the main application image and compares it with the MD5 value the main application registered in the Config Server; if the two MD5 values match, the main application has not been tampered with and step SB follows; otherwise the MSCP directly returns to MS_A an error indicating that application verification failed, and the whole process ends;
Step SB: the MSCP verifies whether MS_A may access MS_B according to the list of services accessible to MS_A recorded in the Config Server; if MS_A may access MS_B, step S6 follows; otherwise information that the access authority check failed is returned directly to MS_A, and the whole process ends.
Compared with the prior art, the invention has the following beneficial effects:
(1) The method is non-invasive: the application needs no configuration or adaptation; communication is completely transparent, and the application is unaware of the system's presence.
(2) The invention provides a framework-level security solution that completely separates the security implementation from the business system, so that only the business implementation needs attention, not how security is implemented.
(3) The invention uses transparent traffic hijacking by the companion container and achieves secure communication between applications by filtering and intercepting messages.
(4) The invention checks the main application through its MD5 value, which confirms the application's identity and prevents the main application from being counterfeited or tampered with.
Drawings
FIG. 1 is a flow chart of an embodiment of the present invention.
Detailed Description
The invention is further explained below with reference to the drawings and the embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the exemplary embodiments according to the present application. As used herein, the singular forms are intended to include the plural forms as well, unless the context clearly indicates otherwise; and it should be understood that the terms "comprises" and/or "comprising", when used in this specification, specify the presence of the stated features, steps, operations, devices, components and/or combinations thereof.
As shown in FIG. 1, this embodiment provides a method for realizing non-invasive secure calling of interfaces between micro-services. It is mainly oriented to scenarios in which micro-service applications are deployed as images in Kubernetes containers, and mainly addresses the security of calls between micro-services that sit inside the micro-service gateway and are deployed on different Kubernetes Pods. The method comprises the following steps:
Step S1: providing two micro-service applications MS_A and MS_B, deployed respectively on two different Kubernetes nodes Pod_A and Pod_B, where the containers that carry them, namely the main application containers, are MSC_A and MSC_B respectively; meanwhile, one companion container is deployed for each main application container on the Pod_A and Pod_B nodes, and the companion containers corresponding to MSC_A and MSC_B are PXC_A and PXC_A respectively;
Here the two containers on one Pod (the main application container and the companion container) share resources such as storage and network; a Pod can broadly be understood as one host whose resources the two containers share.
Step S2: configuring a special container, namely an Init container, on the Pod nodes Pod_A and Pod_B; this container runs before the main application container and the companion container start. An iptables command or script is configured and run in the Init container so that the companion container achieves transparent traffic hijacking: according to the global micro-service address range and port range, the iptables commands forward to the companion container both the main application container's traffic to external micro-services and external micro-services' traffic to the main application container;
Step S3: deploying and running a key function module, namely the micro-service communication proxy module (MSCP) service, on each of the two companion containers, to carry out steps S4 to S7;
The MSCP service filters, encrypts and decrypts the micro-service request and response traffic entering and leaving the main application container, so that call authentication and secure transmission between micro-services are achieved without invasive modification of the main application and without its awareness;
Step S4: when updating the main application image (such as the images of MS_A and MS_B) of a main application container (such as Pod_A and Pod_B), the Kubernetes application publishing and deploying system records the application name MS_NAME corresponding to the image, the application image MD5 value MS_MD5, the communication key MS_KEY and the list of other applications that the application may access into the Config Server of the micro-service framework; the Config Server synchronizes this information to all MSCP services, so that every MSCP service obtains the names, image MD5 values, keys and accessible target application lists of all applications;
Step S5: when MS_A calls MS_B, the MS_A service generates a request message and sends it to the MS_B service; the MSCP service deployed on MS_A's companion container PXC_A intercepts the request message and performs a validity check;
Step S6: after the identity and access authority of the calling main application MS_A have been confirmed in step S5, the MSCP adds the key of MS_A and the key of MS_B to form a combined key MS_KEY_A + MS_KEY_B, symmetrically encrypts the message with the combined key, and sends the encrypted request message to the peer service, namely MS_B;
Step S7: the MSCP service deployed in MS_B's companion container intercepts the encrypted message sent to MS_B by the MSCP of MS_A; it first performs authentication according to the caller identification, then, once authentication passes, decrypts the message with the combined key MS_KEY_A + MS_KEY_B according to the caller's application identification, and finally, after checking the MD5 value of MS_B again, forwards the decrypted message to MS_B. This completes one call between the MS_A application and the MS_B application.
As described above, one call between the MS_A application and the MS_B application is completed, while the authentication and the encryption and decryption involved are completely transparent to the main application.
In this embodiment, the validity check in step S5 specifically includes the following steps:
Step SA: the MSCP reads the MD5 value of the main application image and compares it with the MD5 value the main application registered in the Config Server; if the two MD5 values match, the main application has not been tampered with and step SB follows; otherwise the MSCP directly returns to MS_A an error indicating that application verification failed, and the whole process ends;
Step SB: the MSCP verifies whether MS_A may access MS_B according to the list of services accessible to MS_A recorded in the Config Server; if MS_A may access MS_B, step S6 follows; otherwise information that the access authority check failed is returned directly to MS_A, and the whole process ends.
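Steps S4 to S7, with checks SA and SB, as the two MSCP services would run them; this Go code is an added example, not part of the patent text. The AES-256-GCM cipher, the SHA-256 derivation of the combined key from the concatenated keys, the wire format, the form of the caller-identification check and every type and function name are assumptions, and the images and keys are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AppRecord is one Config Server entry from step S4 (hypothetical type).
type AppRecord struct {
	MD5     [md5.Size]byte  // MS_MD5: MD5 of the main application image
	Key     []byte          // MS_KEY: communication key
	Targets map[string]bool // applications this application may call
}

// Registry is the table the Config Server synchronizes to every MSCP.
type Registry map[string]AppRecord

var ErrTampered = errors.New("application verification failed")
var ErrForbidden = errors.New("access authority check failed")

// verifyImage is step SA: compare the image's MD5 with the registered value.
func (r Registry) verifyImage(name string, image []byte) error {
	if rec, ok := r[name]; !ok || md5.Sum(image) != rec.MD5 {
		return ErrTampered
	}
	return nil
}

// sealer builds the cipher for MS_KEY_A + MS_KEY_B; assumption: "+" is
// concatenation, hashed with SHA-256 into an AES-256-GCM key.
func (r Registry) sealer(caller, callee string) (cipher.AEAD, error) {
	joined := append(append([]byte{}, r[caller].Key...), r[callee].Key...)
	key := sha256.Sum256(joined)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Outbound runs on the caller's MSCP: step S5 (SA, then SB) and step S6.
func (r Registry) Outbound(caller, callee string, callerImage, msg []byte) ([]byte, error) {
	if err := r.verifyImage(caller, callerImage); err != nil {
		return nil, err
	}
	if !r[caller].Targets[callee] { // step SB
		return nil, ErrForbidden
	}
	aead, err := r.sealer(caller, callee)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Assumed wire format: nonce || ciphertext, names bound as associated data.
	return aead.Seal(nonce, nonce, msg, []byte(caller+">"+callee)), nil
}

// Inbound runs on the callee's MSCP (step S7): authenticate the caller,
// decrypt, re-check the callee's image MD5, then hand back the plaintext.
func (r Registry) Inbound(caller, callee string, calleeImage, wire []byte) ([]byte, error) {
	if !r[caller].Targets[callee] { // assumed form of caller authentication
		return nil, ErrForbidden
	}
	aead, err := r.sealer(caller, callee)
	if err != nil || len(wire) < aead.NonceSize() {
		return nil, ErrForbidden
	}
	n := aead.NonceSize()
	plain, err := aead.Open(nil, wire[:n], wire[n:], []byte(caller+">"+callee))
	if err != nil { // wrong key or modified ciphertext
		return nil, ErrForbidden
	}
	if err := r.verifyImage(callee, calleeImage); err != nil {
		return nil, err
	}
	return plain, nil
}

// sampleRegistry returns constructed sample data: two images and their records.
func sampleRegistry() (Registry, []byte, []byte) {
	imgA, imgB := []byte("constructed image of MS_A"), []byte("constructed image of MS_B")
	return Registry{
		"MS_A": {MD5: md5.Sum(imgA), Key: []byte("constructed-key-A"), Targets: map[string]bool{"MS_B": true}},
		"MS_B": {MD5: md5.Sum(imgB), Key: []byte("constructed-key-B")},
	}, imgA, imgB
}

func main() {
	reg, imgA, imgB := sampleRegistry()
	wire, _ := reg.Outbound("MS_A", "MS_B", imgA, []byte("GET /orders/42"))
	plain, err := reg.Inbound("MS_A", "MS_B", imgB, wire)
	fmt.Printf("forwarded to MS_B: %q, err=%v\n", plain, err)
}
```

The text specifies MD5 for the image digest; the same comparison works unchanged with a collision-resistant digest such as SHA-256.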
The above description is only a preferred embodiment of the present invention, and all equivalent changes and modifications made in accordance with the claims of the present invention should be covered by the present invention.

Claims (2)

1. A method for realizing non-invasive secure calling of interfaces between micro-services, characterized in that the method comprises the following steps:
Step S1: providing two micro-service applications MS_A and MS_B, deployed respectively on two different Kubernetes nodes Pod_A and Pod_B, where the containers that carry them, namely the main application containers, are MSC_A and MSC_B respectively; meanwhile, one companion container is deployed for each main application container on the Pod_A and Pod_B nodes, and the companion containers corresponding to MSC_A and MSC_B are PXC_A and PXC_A respectively;
Step S2: configuring a special container, namely an Init container, on the Pod nodes Pod_A and Pod_B; this container runs before the main application container and the companion container start. An iptables command or script is configured and run in the Init container so that the companion container achieves transparent traffic hijacking: according to the global micro-service address range and port range, the iptables commands forward to the companion container both the main application container's traffic to external micro-services and external micro-services' traffic to the main application container;
Step S3: deploying and running a key function module, namely the micro-service communication proxy module (MSCP) service, on each of the two companion containers, to carry out steps S4 to S7;
Step S4: each time the Kubernetes application publishing and deploying system updates the main application images of the main application containers MSC_A and MSC_B, it records the application name MS_NAME corresponding to the image, the application image MD5 value MS_MD5, the communication key MS_KEY and the list of other applications that the application may access into the Config Server of the micro-service framework; the Config Server synchronizes this information to all MSCP services, so that every MSCP service obtains the names, image MD5 values, keys and accessible target application lists of all applications;
Step S5: when MS_A calls MS_B, the MS_A service generates a request message and sends it to the MS_B service; the MSCP service deployed on MS_A's companion container PXC_A intercepts the request message and performs a validity check;
Step S6: after the identity and access authority of the calling main application MS_A have been confirmed in step S5, the MSCP adds the key of MS_A and the key of MS_B to form a combined key MS_KEY_A + MS_KEY_B, symmetrically encrypts the message with the combined key, and sends the encrypted request message to the peer service, namely MS_B;
Step S7: the MSCP service deployed in MS_B's companion container intercepts the encrypted message sent to MS_B by the MSCP of MS_A; it first performs authentication according to the caller identification, then, once authentication passes, decrypts the message with the combined key MS_KEY_A + MS_KEY_B according to the caller's application identification, and finally, after checking the MD5 value of MS_B again, forwards the decrypted message to MS_B. This completes one call between the MS_A application and the MS_B application.
2. The method of claim 1, wherein the validity check in step S5 specifically includes the following steps:
Step SA: the MSCP reads the MD5 value of the main application image and compares it with the MD5 value the main application registered in the Config Server; if the two MD5 values match, the main application has not been tampered with and step SB follows; otherwise the MSCP directly returns to MS_A an error indicating that application verification failed, and the whole process ends;
Step SB: the MSCP verifies whether MS_A may access MS_B according to the list of services accessible to MS_A recorded in the Config Server; if MS_A may access MS_B, step S6 follows; otherwise information that the access authority check failed is returned directly to MS_A, and the whole process ends.
CN202011405345.7A 2020-12-04 2020-12-04 Method for realizing non-invasive micro service interface safety call Active CN112416528B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011405345.7A CN112416528B (en) 2020-12-04 2020-12-04 Method for realizing non-invasive micro service interface safety call

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011405345.7A CN112416528B (en) 2020-12-04 2020-12-04 Method for realizing non-invasive micro service interface safety call

Publications (2)

Publication Number Publication Date
CN112416528A true CN112416528A (en) 2021-02-26
CN112416528B CN112416528B (en) 2024-03-22

Family

ID=74830188

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011405345.7A Active CN112416528B (en) 2020-12-04 2020-12-04 Method for realizing non-invasive micro service interface safety call

Country Status (1)

Country Link
CN (1) CN112416528B (en)

Also Published As

Publication number Publication date
CN112416528B (en) 2024-03-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant