CN112995163B - Authentication method and device for resource access, storage medium and electronic equipment - Google Patents


Info

Publication number
CN112995163B
Authority
CN
China
Prior art keywords
resource
target
information
authentication
service request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110184938.3A
Other languages
Chinese (zh)
Other versions
CN112995163A (en)
Inventor
李严
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Cloud Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd
Priority to CN202110184938.3A
Publication of CN112995163A
Application granted
Publication of CN112995163B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services

Abstract

The invention discloses a resource access authentication method and device, a storage medium and electronic equipment, and belongs to the field of cloud services. The method comprises the following steps: receiving a service request sent by a client and parsing the parameter entering information (the input parameters) in the service request, wherein the service request requests a call to an application program interface (API) to access a target resource in a target cloud service; splicing the resource identifier of the target resource based on the parameter entering information, wherein the resource identifier uniquely identifies the target resource in the cloud server of the cloud service; and authenticating the service request according to the resource identifier. The method and device solve the technical problem of low authentication efficiency in the related art, improve authentication efficiency, further improve the authentication speed and response speed of the authentication server, and improve the security and usability of cloud service resources from the authentication dimension.

Description

Authentication method and device for resource access, storage medium and electronic equipment
Technical Field
The invention relates to the field of cloud service, in particular to a resource access authentication method and device, a storage medium and electronic equipment.
Background
Cloud services in the related art are a model for the increase, use and delivery of internet-based services, which generally involves providing dynamically scalable and often virtualized resources over the internet. Cloud service refers to obtaining the desired service over the network in an on-demand, easily scalable manner. Such services may be IT, software, internet-related, or other services.
In the related art, a user must first be authenticated when using a cloud service or accessing resources provided by the cloud service. The gateway authentication server only performs permission control at the interface (API) dimension and does not perform resource access permission control; authentication control of resources is maintained by each service line. This maintenance mainly comprises the following: the console provides a resource authorization setting interface for the user so that resource authorization can be conveniently configured for sub-users; the primary account sets which resources each sub-user can access, and authentication is performed when the sub-user accesses them. Each service line independently bears the access control cost of its own resources. Meanwhile, the products/services provided by the service lines differ, the access control logic is not uniform, the learning cost for users is high, and authentication efficiency is low.
In view of the above problems in the related art, no effective solution has been found yet.
Disclosure of Invention
The embodiment of the invention provides a resource access authentication method and device, a storage medium and electronic equipment.
According to an aspect of the embodiments of the present application, there is provided an authentication method for resource access, including: receiving a service request sent by a client and parsing the parameter entering information in the service request, wherein the service request is used for requesting a call to an application program interface (API) to access a target resource in a target cloud service; splicing the resource identifier of the target resource based on the parameter entering information, wherein the resource identifier is used for uniquely identifying the target resource in a cloud server of the cloud service; and authenticating the service request according to the resource identifier.
Further, splicing the resource identifier of the target resource based on the parameter entering information includes: analyzing the resource type of the target resource according to the parameter entering information; searching a target resource format matched with the resource type in a preset resource template library; and splicing the resource identification of the target resource according to the target resource format.
Further, resolving the resource type of the target resource according to the parameter-entering information includes: reading a specified parameter from the service request according to the interface type of the API, wherein the parameter attribute of the specified parameter is a resource ID; and searching the resource type matched with the resource ID in preset configuration parameters of the API.
Further, splicing the resource identifier of the target resource according to the target resource format includes: determining a filling field combination of the target resource format and filling positions of each filling field, wherein the filling fields comprise at least one of the following: service type, machine room location, account ID, resource type identification, resource ID; and filling field contents at corresponding filling positions for each filling field of the filling field combination so as to splice and generate the resource identification of the target resource.
Further, authenticating the service request according to the resource identifier includes: acquiring authority policy information of a cloud account, wherein the authority policy information comprises a resource white list which is allowed to be accessed by the cloud account, and the cloud account is logged on the client; judging whether the resource identifier hits the resource white list or not; if the resource identifier hits the resource white list, determining that authentication passes, and forwarding the service request to a cloud server of the target cloud service; and if the resource identifier does not hit the resource white list, determining authentication failure.
Further, before splicing the resource identifier of the target resource based on the parameter-entering information, the method further includes: configuring resource format information of the target cloud service by taking the service type of the cloud service as a unit; and storing the resource format information in a first buffer space of the authentication server.
Further, before splicing the resource identifier of the target resource based on the parameter-entering information, the method further includes: the API parameter information of the API is configured, wherein the API parameter information is used for indicating the authentication type of the service request and the analysis rule of the parameter entering information; and storing the API parameter information in a second buffer space of the authentication server.
According to another aspect of the embodiments of the present application, there is also provided an authentication apparatus for resource access, including: an analysis module, configured to receive a service request sent by a client and parse the parameter entering information in the service request, wherein the service request is used for requesting a call to an application program interface (API) to access a target resource in a target cloud service; a splicing module, configured to splice the resource identifier of the target resource based on the parameter entering information, wherein the resource identifier is used for uniquely identifying the target resource in a cloud server of the cloud service; and an authentication module, configured to authenticate the service request according to the resource identifier.
Further, the splicing module includes: the analysis unit is used for analyzing the resource type of the target resource according to the parameter entering information; the searching unit is used for searching a target resource format matched with the resource type in a preset resource template library; and the splicing unit is used for splicing the resource identifiers of the target resources according to the target resource format.
Further, the parsing unit includes: a reading subunit, configured to read a specified parameter from the service request according to an interface type of the API, where a parameter attribute of the specified parameter is a resource ID; and the searching subunit is used for searching the resource type matched with the resource ID in the preset configuration parameters of the API.
Further, the splicing unit comprises a determining subunit, configured to determine a combination of padding fields of the target resource format and a padding position of each of the padding fields, where the padding fields include at least one of: service type, machine room location, account ID, resource type identification, resource ID; and the splicing subunit is used for filling field contents at corresponding filling positions for each filling field of the filling field combination so as to splice and generate the resource identification of the target resource.
Further, the authentication module includes: an acquisition unit, configured to acquire authority policy information of a cloud account, wherein the authority policy information comprises a resource white list which the cloud account is allowed to access, and the cloud account is logged in on the client; a judging unit, configured to judge whether the resource identifier hits the resource white list; and an authentication unit, configured to determine that authentication passes and forward the service request to the cloud server of the target cloud service if the resource identifier hits the resource white list, and to determine authentication failure if the resource identifier does not hit the resource white list.
Further, the apparatus further comprises: the first configuration module is used for configuring the resource format information of the target cloud service by taking the service type of the cloud service as a unit before the splicing module splices the resource identifier of the target resource based on the parameter entering information; and the first storage module is used for storing the resource format information in a first cache space of the authentication server.
Further, the apparatus further comprises: the second configuration module is used for configuring API parameter information of the API before the splicing module splices the resource identifier of the target resource based on the entry information, wherein the API parameter information is used for indicating the authentication type of the service request and the analysis rule of the entry information; and the second storage module is used for storing the API parameter information in a second cache space of the authentication server.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program that performs the steps described above when running.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus; wherein: a memory for storing a computer program; and a processor for executing the steps of the method by running a program stored on the memory.
Embodiments of the present application also provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the above method.
According to the invention, the service request sent by the client is received, the entry information in the service request is analyzed, the resource identification of the target resource is spliced based on the entry information, the service request is authenticated according to the resource identification, the resource identification of the target resource is spliced by adopting the entry information of the API, and the resource ID, the user account, the access interface and the like are simultaneously authenticated by the resource identification, so that the technical problem of low authentication efficiency in the related art is solved, the authentication efficiency is improved, the authentication speed and the response speed of the authentication server are further improved, and the security and the usability of the cloud service resource are improved from the authentication dimension.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a block diagram of the hardware architecture of a server according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method of authenticating resource access according to an embodiment of the invention;
FIG. 3 is a schematic diagram of a framework of an embodiment of the present invention;
fig. 4 is a block diagram of an authentication apparatus for resource access according to an embodiment of the present invention;
fig. 5 is a block diagram of an electronic device embodying an embodiment of the present invention.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments, the exemplary embodiments of the present application and the descriptions thereof are used to explain the present application and do not constitute undue limitations of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another similar entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Example 1
The method embodiment provided in the first embodiment of the present application may be executed in a server (such as an authentication server, an access server, a network server, a cloud server, etc.), a computer, or a similar computing device. Taking the operation on a server as an example, fig. 1 is a block diagram of a hardware structure of a server according to an embodiment of the present invention. As shown in fig. 1, the server may include one or more (only one is shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those skilled in the art that the structure shown in fig. 1 is merely illustrative, and is not intended to limit the structure of the server described above. For example, the server may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a server program, for example, a software program of application software and a module, such as a server program corresponding to an authentication method for accessing resources in an embodiment of the present invention, and the processor 102 executes the server program stored in the memory 104, thereby performing various functional applications and data processing, that is, implementing the above-mentioned method. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely located with respect to the processor 102, which may be connected to a server via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of a server. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is configured to communicate with the internet wirelessly.
In this embodiment, a method for authenticating resource access is provided, and fig. 2 is a flowchart of a method for authenticating resource access according to an embodiment of the present invention, as shown in fig. 2, where the flowchart includes the following steps:
step S202, receiving a service request sent by a client and analyzing parameter entering information in the service request, wherein the service request is used for requesting to call an application program interface API to access a target resource in a target cloud service;
The cloud service of this embodiment may be a cloud host, IP, cloud storage, etc. Taking the cloud host as an example, it comprises multiple instances; a host instance, also called a cloud server instance, is an independent virtual machine whose computing environment may include basic computing components such as CPU, memory, operating system, bandwidth and disk.
In this embodiment, a user logs in on a client with a cloud account as the user account, where the client is a terminal that locally runs a cloud service instance. In some scenarios the cloud account is divided into a primary account and sub-accounts. The primary account is the account a user registers with the cloud service vendor; under it, several sub-accounts may be created, each corresponding to a sub-user, also called an IAM (Identity and Access Management) user. An IAM user is an entity identity type of IAM: it has a definite identity ID and identity credentials, may correspond one-to-one to a person or an application, and is the smallest unit of authentication. Several IAM users may be created under one user account (the primary account), corresponding to staff, systems or applications within an enterprise. An IAM user owns no resources and must obtain authorization from the cloud account before it can log in to the console or use the API to operate on the resources under that cloud account. When an enterprise has many kinds of cloud resources, the authorization management function of IAM allows unified management of user permissions and resources.
Step S204, splicing the resource identification of the target resource based on the parameter entering information, wherein the resource identification is used for uniquely identifying the target resource in a cloud server of the cloud service;
Optionally, the resource identifier is a unique resource identifier within the scope of the cloud service vendor and includes service information, machine room (region) information, user information, resource type information, resource ID information (such as an access path or domain name address), and the like.
Step S206, the service request is authenticated according to the resource identification.
This embodiment authenticates a service request to determine whether the service request has permission (Permission), i.e. whether the user is allowed to perform a certain operation on the target resource, where the permission is one of: allow (Allow) or deny (Deny).
Through the steps, the service request sent by the client is received, the entry information in the service request is analyzed, the resource identification of the target resource is spliced based on the entry information, the service request is authenticated according to the resource identification, the resource identification of the target resource is spliced through the entry information of the API, and the resource ID, the user account, the access interface and the like are simultaneously authenticated through the resource identification, so that the technical problem of low authentication efficiency in the related art is solved, the authentication efficiency is improved, the authentication speed and the response speed of an authentication server are further improved, and the security and the usability of the cloud service resource are improved from the authentication dimension.
In one implementation of this embodiment, the splicing the resource identifier of the target resource based on the parameter-entering information includes:
s11, analyzing the resource type of the target resource according to the parameter entering information;
in one embodiment, resolving the resource type of the target resource from the parameter-entering information includes: reading a specified parameter from the service request according to the interface type of the API, wherein the parameter attribute of the specified parameter is a resource ID; and searching the resource type matched with the resource ID in the preset configuration parameters of the API.
The interface type of the API can be obtained by parsing the interface identifier of the API, which is carried in the parameter entering information; the parameter entering information may also carry machine room location information, account ID, resource ID or related information.
S12, searching a target resource format matched with the resource type in a preset resource template library;
S13, splicing the resource identifier of the target resource according to the target resource format, wherein the resource format corresponds to a resource splicing template.
In one embodiment, concatenating the resource identification of the target resource according to the target resource format includes: determining a filling field combination of the target resource format and filling positions of each filling field, wherein the filling fields comprise at least one of the following: service type, machine room location, account ID, resource type identification, resource ID; and filling field contents at corresponding filling positions for each filling field of the filling field combination so as to splice and generate the resource identification of the target resource.
In this embodiment, one resource type corresponds to one resource format. For example, if the target resource is an instance, the target resource format is krn:ksc:kec:region:account-id:instance/instance-id; if the target resource is a virtual private network (vpc), the target resource format is krn:ksc:vpc:region:account-id:vpc/vpc-id; if the target resource is a snapshot, the target resource format is krn:ksc:kec:region:account-id:snapshot/snapshot-id. The first two fields (krn, ksc) are universal fixed fields, the third field (kec, vpc) is the service type identification field, the fourth field (region) is the machine room location field (optional), the fifth field (account-id) is the account ID field (optional), and the sixth field is the resource type identification and resource ID field.
In one example, the cloud service is vpc (virtual private network), the target resource is an eip, the resource format of an eip is krn:ksc:vpc:region:account-id:eip/eip-id, the machine room location and account ID are cn-shanghai-3 and 2000090989 respectively, the resource type of the eip is eip, the eip-id is 5791a468-9cf3-432d-80f7-0ca01608c8be, and the spliced resource identifier is krn:ksc:vpc:cn-shanghai-3:2000090989:eip/5791a468-9cf3-432d-80f7-0ca01608c8be.
In one implementation of this embodiment, authenticating the service request according to the resource identifier includes: acquiring authority policy information of a cloud account, wherein the authority policy information comprises a resource white list which is allowed to be accessed by the cloud account, and the cloud account is logged on a client; judging whether the resource identifier hits the resource white list or not; if the resource identifier hits the resource white list, determining that authentication is passed, and forwarding a service request to a cloud server of the target cloud service; if the resource identifier does not hit the resource white list, determining that the authentication fails.
In one example, the resource whitelist is: "krn:ksc:tagv2:cn-shanghai-3:2000090989:eip/6d8fd865-c9dd-4342-a5ab-690d3c1dd8b5", "krn:ksc:tagv2:cn-shanghai-3:2000090989:eip/3f2921a2-6175-4fd5-950b-95ef61cf1f28"; the spliced resource identifier is krn:ksc:tagv2:cn-shanghai-3:2000090989:eip/5791a468-9cf3-432d-80f7-0ca01608c8be, which misses the resource whitelist, so authentication fails.
The authority policy information (Policy) of this embodiment is a set of permissions described by a syntax structure, and can precisely describe a set of authorized resources, a set of operations and authorization conditions. One role (cloud account) may be bound to a set of policies. A role without a bound policy may also exist, but it has no access to resources. A Policy comprises several fields, such as Version, Statement and Sid, each corresponding to a policy element; the fields are explained and illustrated below:
Version: an optional element (string), of the form "Version": "2015-11-01", which states the version of the policy document; the policy document version of the cloud service vendor can take only one value, 2015-11-01, and if the policy has no Version element the default is 2015-11-01;
Statement: a mandatory element (array), the main element of a policy, used to describe the specific authorization rules; each policy may contain multiple statements, and each statement is enclosed in braces;
Sid: an optional element (string), like "Sid": "1", the statement identifier of a Statement; it may be omitted, but must be unique within one policy;
Effect: a mandatory element (string), like "Effect": "Allow", a constituent element of an authorization rule in Statement; every authorization rule must include it, and it has only two values, Allow or Deny, representing "explicit authorization" and "explicit denial" respectively;
Action: a mandatory element (string), like "Action": "IAM:createUser", a constituent element of an authorization rule in Statement; every authorization rule must include it, and its value consists of two parts, a service-name and an action-name, where the service-name is the namespace of the cloud service (IAM, ks3, kec, etc.) and the action-name is the operation name within each product; the values of service-name and action-name are not case-sensitive, and the operation name may include a wildcard;
Resource: a mandatory element (string), which may be used to represent the whole set of resource objects; in this embodiment a resource white list or a resource black list may additionally be set.
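The splicing steps S11 to S13 and the whitelist check of step S206, carried through end to end as an added Python example (not the patent's or Kingsoft Cloud's code): the krn templates and the Policy element names follow the text above, while the interface names (DescribeAddresses, DescribeInstances), the parameter names (AllocationId, InstanceId), the Deny-over-Allow rule and the rejection of malformed resource IDs are assumptions of this example.

```python
"""Resource-identifier splicing (S11-S13) and policy-based authentication (S206).

Added illustration, not the patent's code.  krn templates and Policy element
names come from the description; API names, parameter names and the evaluation
rules below are assumptions of this example."""
import fnmatch
from dataclasses import dataclass, field

# Preset resource template library: resource type -> resource format (from the text).
RESOURCE_TEMPLATES = {
    "instance": "krn:ksc:kec:{region}:{account_id}:instance/{resource_id}",
    "snapshot": "krn:ksc:kec:{region}:{account_id}:snapshot/{resource_id}",
    "vpc": "krn:ksc:vpc:{region}:{account_id}:vpc/{resource_id}",
    "eip": "krn:ksc:vpc:{region}:{account_id}:eip/{resource_id}",
}

# Preset API configuration: interface identifier -> which parameter carries the
# resource ID, which resource type it denotes, and the Action name checked in the
# policy.  Interface, parameter and action names are constructed for this example.
API_CONFIG = {
    "DescribeAddresses": {"resource_param": "AllocationId", "resource_type": "eip",
                          "action": "vpc:DescribeAddresses"},
    "DescribeInstances": {"resource_param": "InstanceId", "resource_type": "instance",
                          "action": "kec:DescribeInstances"},
}


@dataclass
class ServiceRequest:
    """Parameter entering information parsed from the client's request."""
    api: str          # interface identifier
    region: str       # machine room location
    account_id: str   # cloud account ID
    params: dict = field(default_factory=dict)


def splice_resource_id(req: ServiceRequest) -> str:
    """S11: resolve the resource type via the API config; S12: look up the template; S13: fill it."""
    cfg = API_CONFIG.get(req.api)
    if cfg is None:
        raise ValueError(f"API {req.api!r} has no parameter configuration")
    resource_id = req.params.get(cfg["resource_param"])
    if not resource_id or any(c in resource_id for c in ":/*?["):
        # Reject a missing or malformed ID so a crafted value cannot alter the krn layout.
        raise ValueError(f"invalid value for resource ID parameter {cfg['resource_param']!r}")
    template = RESOURCE_TEMPLATES[cfg["resource_type"]]
    return template.format(region=req.region, account_id=req.account_id, resource_id=resource_id)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # service-name and action-name are not case-sensitive; the action may carry a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, krn: str) -> bool:
    # Assumption: exact match, or a "*" pattern standing for a whole set of resources.
    return fnmatch.fnmatchcase(krn, pattern)


def evaluate_policy(policy: dict, action: str, krn: str) -> str:
    """Return "Allow" or "Deny" for one action on one spliced resource identifier."""
    if policy.get("Version", "2015-11-01") != "2015-11-01":
        raise ValueError("unsupported policy Version")
    decision = "Deny"  # a resource that hits no statement misses the whitelist
    for stmt in policy.get("Statement", []):
        if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(r, krn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # assumption: an explicit denial wins over any Allow
        decision = "Allow"
    return decision


def authenticate(policy: dict, req: ServiceRequest) -> tuple:
    """S202-S206 end to end: splice the krn, then check it against the account's policy."""
    krn = splice_resource_id(req)
    return evaluate_policy(policy, API_CONFIG[req.api]["action"], krn), krn


# Constructed policy reusing the two eip IDs of the whitelist example in the text.
SAMPLE_POLICY = {
    "Version": "2015-11-01",
    "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Action": "vpc:Describe*",
        "Resource": [
            "krn:ksc:vpc:cn-shanghai-3:2000090989:eip/6d8fd865-c9dd-4342-a5ab-690d3c1dd8b5",
            "krn:ksc:vpc:cn-shanghai-3:2000090989:eip/3f2921a2-6175-4fd5-950b-95ef61cf1f28",
        ],
    }],
}

if __name__ == "__main__":
    miss = ServiceRequest("DescribeAddresses", "cn-shanghai-3", "2000090989",
                          {"AllocationId": "5791a468-9cf3-432d-80f7-0ca01608c8be"})
    print(authenticate(SAMPLE_POLICY, miss))  # ('Deny', 'krn:ksc:vpc:cn-shanghai-3:...')
```

The sample policy splices the eip IDs with the vpc service field of the eip template rather than the tagv2 field shown in the whitelist example, so that they match what splice_resource_id produces.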
Optionally, before the splicing the resource identifier of the target resource based on the parameter entering information, the method further includes: configuring resource format information of a target cloud service by taking a service type of the cloud service as a unit; the resource format information is stored in a first buffer space of the authentication server.
Optionally, before the splicing the resource identifier of the target resource based on the parameter entering information, the method further includes: the resource type configuration table configures the resource-related information of each product line of the cloud service vendor, such as resource name, prefix, whether the resource is user-related, whether it is deployed in multiple machine rooms, the resource identifier format, and the like.
Optionally, before the splicing the resource identifier of the target resource based on the parameter entering information, the method further includes: the method comprises the steps of configuring API parameter information of an API, wherein the API parameter information is used for indicating an authentication type of a service request and an analysis rule of parameter entering information; and storing the API parameter information in a second buffer space of the authentication server.
Alternatively, in addition to the API parameter information of the configuration API, attribute information of the API and the like may be configured at the API configuration center. Basic information defining APIs such as: name, whether read-write, authentication mode, flow control mode, parameter information, whether parameter information is sensitive, etc. Based on the API parameter information, the parameter name, the parameter description, whether filling is needed, the type, whether the resource ID is represented or not in the parameter information can be analyzed, and if the resource ID is the information of which resource, and the like.
Fig. 3 is a schematic diagram of a framework of an embodiment of the present invention, including a service line 2, a service line 1, and a service line 3, where each service line corresponds to a cloud service, such as a cloud host, IP, cloud storage, and the like, a client is a terminal that requests the cloud service, logs in a cloud account, and an authentication server is used to authenticate a request from the client, verify a request signature, determine an identity, and forward a legal request to a cloud server of the service line. Taking the resource type of the target resource as an eip as an example, the flow of the method is described, and the method comprises the following steps:
firstly, a service line configures resource information in a resource type configuration center;
the resource information includes a configuration format, and the format field includes:
1. Chinese name of the resource;
2. English name of the resource: an English abbreviation (lowercase; multiple words separated by "-");
3. Description of the resource;
4. krn (network-wide unique resource identifier, i.e. the resource identifier of the above embodiment) format information:
a. Home service (may be the English acronym of the service that accesses the authentication server);
b. Resource ID prefix;
c. Included attributes (optional); options: machine room, user, etc.;
Description of the krn format configuration items: for example, with home service vpc and resource ID prefix vpn, the krn has the following resource format: krn:ksc:vpc:{region}:{account}:vpn/{id}.
And storing the related information of the resources into a cache of the authentication server.
Secondly, configuring parameter information of an API by a service line;
In the configuration table, if an open-API of the service line is authenticated at resource granularity, the attributes of its parameters are configured: when the API parameters are configured through the interactive interface, the parameter that represents the resource ID is marked and the corresponding resource type is selected.
The parameter information of the API is stored in a cache of the authentication server.
Third, the permission Policy information of the sub-user is configured: the user configures the permission policy on the console of the access control service; for example:
[Policy image omitted: the figure shows the permission policy JSON whose Effect, Action and Resource fields are described in the following paragraph.]
Here Effect being Allow represents permission, Action is the name of the interface being called, and the Resource field lists the white list of accessible resources.
Taken together, this policy means that the authorized entity can call the GetInstance interface, but the only resources it can access are "krn:ksc:tagv2:cn-shanghai-3:2000090989:eip/6d8fd865-c9dd-4342-a5ab-690d3c1dd8b5" and "krn:ksc:tagv2:cn-shanghai-3:2000090989:eip/3f2921a2-6175-4fd5-950b-95ef61cf1f28"; if it attempts to access any other resource, a no-permission error is reported.
Fourth, resource granularity authentication.
When a user sends a service request from the client and calls an open-API, for example with the parameter instance_id carrying the resource ID 5791a468-9cf3-432d-80f7-0ca01608c8be, the authentication server reads the API information and the resource type information from its cache. From the API parameter information it determines that instance_id requires resource granularity authentication and that the resource type is eip; from the resource type information it obtains the krn format of that resource and splices the krn krn:ksc:tagv2:cn-shanghai-3:2000090989:eip/5791a468-9cf3-432d-80f7-0ca01608c8be. It then judges whether this krn is in the Resource list of the permission Policy: if it is, the request is authorized and the authentication server forwards it to the service line; otherwise the request is judged unauthorized. This presumes that Effect is Allow; if Effect is Deny, the Resource field of the Policy represents a black list.
With the scheme of this embodiment, the parameters of the API are marked for resource granularity authentication, and the authentication server splices the krn from the configured parameter information of the API in order to perform access control. The authentication server completes resource granularity authentication of the open-API by assembling the krn and judging permission from the resource type information, the API parameter information and the permission Policy information; unified management reduces the maintenance workload of the service lines and the learning cost of clients. A service line needs only simple configuration, and a user can manage resource granularity access control for the whole company and all products from a single console.
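The four-step flow above (resource type configuration, API parameter configuration, krn splicing, white list check), as an added Python example that is not code from the patent or from Kingsoft Cloud. The table layouts, field names, the vpn and user resource types, the DescribeVpn and ListRegions APIs and all request values are constructed assumptions; the eip krn format and the two white-listed krns are taken from the text. The character check on the incoming resource ID is this example's own safeguard, not something the text describes.

```python
"""Resource granularity authentication: assemble the krn of the requested
resource from configuration, then check it against the policy white list.

Added example, not the patent's code. Table layouts, field names, the vpn/user
types, the DescribeVpn and ListRegions APIs and all request values are
constructed; the eip krn format and the white-listed krns follow the text.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# A resource ID is spliced verbatim into the krn, so characters that could
# shift the colon-separated fields (':' or '/') are rejected up front.
_ID_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


@dataclass
class ResourceType:
    """One row of the resource type configuration centre (step one)."""
    name: str                  # English name of the resource, e.g. "eip"
    service: str               # home service, e.g. "vpc" or "tagv2"
    id_prefix: str             # resource ID prefix used inside the krn
    with_region: bool = True   # "machine room" attribute is part of the krn
    with_account: bool = True  # "user" attribute is part of the krn

    def krn_format(self) -> str:
        """Template of the form krn:ksc:{service}:{region}:{account}:{prefix}/{id};
        an attribute that is not configured leaves its field empty so that the
        field positions stay fixed (assumption of this example)."""
        region = "{region}" if self.with_region else ""
        account = "{account}" if self.with_account else ""
        return f"krn:ksc:{self.service}:{region}:{account}:{self.id_prefix}/{{id}}"


@dataclass
class ApiParam:
    """One parameter of an open-API (step two): whether it carries a resource
    ID and, if so, of which resource type."""
    name: str
    is_resource_id: bool = False
    resource_type: Optional[str] = None


@dataclass
class ApiConfig:
    name: str
    resource_granularity: bool          # does this API use resource-level auth?
    params: list = field(default_factory=list)


# Constructed configuration tables standing in for the authentication
# server's caches.
RESOURCE_TYPES = {
    "eip": ResourceType("eip", service="tagv2", id_prefix="eip"),
    "vpn": ResourceType("vpn", service="vpc", id_prefix="vpn"),
    "user": ResourceType("user", service="iam", id_prefix="user", with_region=False),
}
API_CONFIGS = {
    "GetInstance": ApiConfig("GetInstance", True, [
        ApiParam("instance_id", is_resource_id=True, resource_type="eip"),
        ApiParam("verbose"),
    ]),
    "DescribeVpn": ApiConfig("DescribeVpn", True, [
        ApiParam("vpn_id", is_resource_id=True, resource_type="vpn"),
    ]),
    "ListRegions": ApiConfig("ListRegions", False),
}


def splice_krns(api: ApiConfig, params: dict, region: str, account: str) -> list:
    """For every parameter marked as a resource ID, look up its resource type,
    take that type's krn format and fill in the fields."""
    krns = []
    for p in api.params:
        if not p.is_resource_id or p.name not in params:
            continue
        raw_id = str(params[p.name])
        if not _ID_RE.match(raw_id):
            raise ValueError(f"malformed resource ID in parameter {p.name!r}")
        fmt = RESOURCE_TYPES[p.resource_type].krn_format()
        krns.append(fmt.format(region=region, account=account, id=raw_id))
    return krns


def authenticate(api_name: str, params: dict, region: str, account: str,
                 whitelist: set) -> str:
    """Return "allow" if every spliced krn is in the policy's Resource white
    list, "deny" otherwise, and "skip" for an API that is not configured for
    resource granularity (action-level authorization then applies elsewhere)."""
    api = API_CONFIGS.get(api_name)
    if api is None:
        return "deny"
    if not api.resource_granularity:
        return "skip"
    try:
        krns = splice_krns(api, params, region, account)
    except ValueError:
        return "deny"
    if not krns:
        return "deny"  # resource-level API with no resolvable resource: fail closed
    return "allow" if all(k in whitelist for k in krns) else "deny"
```

The region and account used to fill the krn come from the authenticated request context (the signature verification and identity determination mentioned for the authentication server), not from caller-supplied parameters; only the resource ID itself is taken from the request, which is why it is the one value that is validated before splicing.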
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
Example 2
The embodiment also provides an authentication device for resource access, which is used for implementing the above embodiment and the preferred implementation, and is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 4 is a block diagram of an authentication apparatus for resource access according to an embodiment of the present invention, as shown in fig. 4, the apparatus includes: a parsing module 40, a stitching module 42, an authentication module 44, wherein,
the parsing module 40 is configured to receive a service request sent by a client, and parse parameter entering information in the service request, where the service request is used to request to call an application program interface API to access a target resource in a target cloud service;
a splicing module 42, configured to splice, based on the entry information, a resource identifier of the target resource, where the resource identifier is used to uniquely identify the target resource in a cloud server of the cloud service;
an authentication module 44, configured to authenticate the service request according to the resource identifier.
Optionally, the splicing module includes: the analysis unit is used for analyzing the resource type of the target resource according to the parameter entering information; the searching unit is used for searching a target resource format matched with the resource type in a preset resource template library; and the splicing unit is used for splicing the resource identifiers of the target resources according to the target resource format.
Optionally, the parsing unit includes: a reading subunit, configured to read a specified parameter from the service request according to an interface type of the API, where a parameter attribute of the specified parameter is a resource ID; and the searching subunit is used for searching the resource type matched with the resource ID in the preset configuration parameters of the API.
Optionally, the splicing unit includes a determining subunit, configured to determine a padding field combination of the target resource format and a padding position of each padding field, where the padding field includes at least one of: service type, machine room location, account ID, resource type identification, resource ID; and the splicing subunit is used for filling field contents at corresponding filling positions for each filling field of the filling field combination so as to splice and generate a resource identifier adopting the target resource.
Optionally, the authentication module includes: an acquisition unit, configured to acquire the authority policy information of a cloud account, where the authority policy information includes a resource white list that the cloud account is allowed to access, and the cloud account is logged in on the client; a judging unit, configured to judge whether the resource identifier hits the resource white list; and an authentication unit, configured to determine that authentication passes and forward the service request to the cloud server of the target cloud service if the resource identifier hits the resource white list, and to determine that authentication fails if it does not.
Optionally, the apparatus further includes: the first configuration module is used for configuring the resource format information of the target cloud service by taking the service type of the cloud service as a unit before the splicing module splices the resource identifier of the target resource based on the parameter entering information; and the first storage module is used for storing the resource format information in a first cache space of the authentication server.
Optionally, the apparatus further includes: the second configuration module is used for configuring API parameter information of the API before the splicing module splices the resource identifier of the target resource based on the entry information, wherein the API parameter information is used for indicating the authentication type of the service request and the analysis rule of the entry information; and the second storage module is used for storing the API parameter information in a second cache space of the authentication server.
It should be noted that each of the above modules may be implemented by software or hardware, and for the latter, it may be implemented by, but not limited to: the modules are all located in the same processor; alternatively, the above modules may be located in different processors in any combination.
Example 3
The embodiment of the application further provides an electronic device. Fig. 5 is a structural diagram of the electronic device according to an embodiment of the invention; as shown in fig. 5, it includes a processor 51, a communication interface 52, a memory 53 and a communication bus 54, where the processor 51, the communication interface 52 and the memory 53 communicate with each other through the communication bus 54, and the memory 53 is used for storing a computer program; the processor 51 is configured to execute the program stored in the memory 53 and thereby implement the following steps: receiving a service request sent by a client and parsing the parameter entering information in the service request, wherein the service request is used for requesting to call an application program interface API to access a target resource in a target cloud service; splicing the resource identifier of the target resource based on the parameter entering information, wherein the resource identifier is used for uniquely identifying the target resource in a cloud server of the cloud service; and authenticating the service request according to the resource identifier.
Further, splicing the resource identifier of the target resource based on the parameter entering information includes: analyzing the resource type of the target resource according to the parameter entering information; searching a target resource format matched with the resource type in a preset resource template library; and splicing the resource identification of the target resource according to the target resource format.
Further, resolving the resource type of the target resource according to the parameter-entering information includes: reading a specified parameter from the service request according to the interface type of the API, wherein the parameter attribute of the specified parameter is a resource ID; and searching the resource type matched with the resource ID in preset configuration parameters of the API.
Splicing the resource identifier of the target resource according to the target resource format comprises the following steps: determining a filling field combination of the target resource format and filling positions of each filling field, wherein the filling fields comprise at least one of the following: service type, machine room location, account ID, resource type identification, resource ID; and filling field contents at corresponding filling positions for each filling field of the filling field combination so as to splice and generate a resource identifier adopting the target resource.
Further, authenticating the service request according to the resource identifier includes: acquiring authority policy information of a cloud account, wherein the authority policy information comprises a resource white list which is allowed to be accessed by the cloud account, and the cloud account is logged on the client; judging whether the resource identifier hits the resource white list or not; if the resource identifier hits the resource white list, determining that authentication passes, and forwarding the service request to a cloud server of the target cloud service; and if the resource identifier does not hit the resource white list, determining authentication failure.
Further, before splicing the resource identifier of the target resource based on the parameter-entering information, the method further includes: configuring resource format information of the target cloud service by taking the service type of the cloud service as a unit; and storing the resource format information in a first buffer space of the authentication server.
Further, before splicing the resource identifier of the target resource based on the parameter-entering information, the method further includes: the API parameter information of the API is configured, wherein the API parameter information is used for indicating the authentication type of the service request and the analysis rule of the parameter entering information; and storing the API parameter information in a second buffer space of the authentication server.
The communication bus mentioned for the above terminal may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration only one thick line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the terminal and other devices.
The memory may include random access memory (Random Access Memory, RAM) or non-volatile memory (non-volatile memory), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU for short), a network processor (Network Processor, NP for short), etc.; but also digital signal processors (Digital Signal Processing, DSP for short), application specific integrated circuits (Application Specific Integrated Circuit, ASIC for short), field-programmable gate arrays (Field-Programmable Gate Array, FPGA for short) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
In yet another embodiment provided herein, there is also provided a computer readable storage medium having instructions stored therein that, when executed on a computer, cause the computer to perform the method of authenticating resource access described in any of the above embodiments.
In a further embodiment provided herein, there is also provided a computer program product containing instructions that, when run on a computer, cause the computer to perform the method of authenticating resource access as described in any of the above embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, produce in whole or in part the flows or functions of the embodiments of the present application. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), etc.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the scope of the present application. Any modifications, equivalent substitutions, improvements, etc. that are within the spirit and principles of the present application are intended to be included within the scope of the present application.
The foregoing is merely a specific embodiment of the application to enable one skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. An authentication method for resource access, comprising:
receiving a service request sent by a client and analyzing parameter entering information in the service request, wherein the service request is used for requesting to call an Application Program Interface (API) to access a target resource in a target cloud service;
splicing the resource identification of the target resource based on the entry information, wherein the resource identification is used for uniquely identifying the target resource in a cloud server of the cloud service;
and authenticating the service request according to the resource identifier;
the splicing the resource identification of the target resource based on the parameter entering information comprises the following steps:
analyzing the resource type of the target resource according to the parameter entering information;
searching a target resource format matched with the resource type in a preset resource template library;
and splicing the resource identification of the target resource according to the target resource format.
2. The method of claim 1, wherein resolving the resource type of the target resource based on the joining information comprises:
reading a specified parameter from the service request according to the interface type of the API, wherein the parameter attribute of the specified parameter is a resource ID;
and searching the resource type matched with the resource ID in preset configuration parameters of the API.
3. The method of claim 1, wherein concatenating the resource identification of the target resource in the target resource format comprises:
determining a filling field combination of the target resource format and filling positions of each filling field, wherein the filling fields comprise at least one of the following: service type, machine room location, account ID, resource type identification, resource ID;
and filling field contents at corresponding filling positions for each filling field of the filling field combination so as to splice and generate the resource identification of the target resource.
4. The method of claim 1, wherein authenticating the service request based on the resource identification comprises:
acquiring authority policy information of a cloud account, wherein the authority policy information comprises a resource white list which is allowed to be accessed by the cloud account, and the cloud account is logged on the client;
judging whether the resource identifier hits the resource white list or not;
if the resource identifier hits the resource white list, determining that authentication passes, and forwarding the service request to a cloud server of the target cloud service; and if the resource identifier does not hit the resource white list, determining authentication failure.
5. The method of claim 1, wherein prior to concatenating the resource identification of the target resource based on the joining information, the method further comprises:
configuring resource format information of the target cloud service by taking the service type of the cloud service as a unit;
and storing the resource format information in a first buffer space of the authentication server.
6. The method of claim 1, wherein prior to concatenating the resource identification of the target resource based on the joining information, the method further comprises:
the API parameter information of the API is configured, wherein the API parameter information is used for indicating the authentication type of the service request and the analysis rule of the parameter entering information;
and storing the API parameter information in a second buffer space of the authentication server.
7. An authentication apparatus for resource access, comprising:
the system comprises an analysis module, a service request processing module and a service request processing module, wherein the analysis module is used for receiving a service request sent by a client and analyzing parameter entering information in the service request, and the service request is used for requesting to call an application program interface API to access target resources in a target cloud service;
the splicing module is used for splicing the resource identification of the target resource based on the entry information, wherein the resource identification is used for uniquely identifying the target resource in a cloud server of the cloud service;
the authentication module is used for authenticating the service request according to the resource identifier;
wherein, splice module includes: the analysis unit is used for analyzing the resource type of the target resource according to the parameter entering information; the searching unit is used for searching a target resource format matched with the resource type in a preset resource template library; and the splicing unit is used for splicing the resource identifiers of the target resources according to the target resource format.
8. A storage medium comprising a stored program, wherein the program when run performs the method steps of any of the preceding claims 1 to 6.
9. An electronic device comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus; wherein:
a memory for storing a computer program;
a processor for executing the method steps of any one of claims 1 to 6 by running a program stored on a memory.
CN202110184938.3A 2021-02-10 2021-02-10 Authentication method and device for resource access, storage medium and electronic equipment Active CN112995163B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110184938.3A CN112995163B (en) 2021-02-10 2021-02-10 Authentication method and device for resource access, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN112995163A CN112995163A (en) 2021-06-18
CN112995163B true CN112995163B (en) 2023-05-05

Family

ID=76393118

Country Status (1)

Country Link
CN (1) CN112995163B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095200B (en) * 2021-09-28 2023-12-01 阿里巴巴(中国)有限公司 Resource access authority management method and device, electronic equipment and medium
CN114090975A (en) * 2021-10-28 2022-02-25 青岛海尔科技有限公司 Cloud database resource processing method and device, electronic equipment and storage medium
CN114567678A (en) * 2022-02-28 2022-05-31 天翼安全科技有限公司 Resource calling method and device of cloud security service and electronic equipment
CN114884752B (en) * 2022-07-11 2022-09-23 天津金城银行股份有限公司 Inline gateway system, inline loan service docking method, apparatus, and medium
CN116627635A (en) * 2023-05-11 2023-08-22 中电金信软件有限公司 Resource use method and device and electronic equipment

Also Published As

Publication number Publication date
CN112995163A (en) 2021-06-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant