CN113326540B - Micro-service calling authority control method, device, server, system and medium - Google Patents

Info

Publication number: CN113326540B
Authority: CN (China)
Prior art keywords: service, approval, call, micro, calling
Legal status: Active
Application number: CN202110732757.XA
Other languages: Chinese (zh)
Other versions: CN113326540A (en)
Inventor: 刁宇辉
Current Assignee: Shenzhen Century Frontier Quantitative Technology Co ltd; Shenzhen Lian Intellectual Property Service Center
Original Assignee: Shenzhen Century Frontier Quantitative Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/547 Remote procedure calls [RPC]; Web services
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application relates to the field of micro-services and provides a micro-service call authority control method, device, server, system and medium. The method comprises: acquiring call authority information of a micro-service whose call authority is to be configured; sending an approval request for the call authority information to an approval system, and acquiring the approval result of the call authority information returned by the approval system based on the approval request; and, when the approval result is that the approval passes, sending the call authority information to the distributed storage system for storage, so that when the micro-service end detects a service call request, it checks the request against the corresponding call authority information and responds to the request if the check passes. The method improves the call security of micro-services. The present application also relates to the field of blockchain, and the computer readable storage medium described above may store data created from the use of blockchain nodes.

Description

Micro-service calling authority control method, device, server, system and medium
Technical Field
The present disclosure relates to the field of micro services, and in particular, to a method, an apparatus, a server, a system, and a medium for controlling call permission of a micro service.
Background
The micro-service has the advantages of independent deployment, accurate scaling of components or services in the micro-service and high expandability, so that the micro-service is widely applied by various large enterprises to establish an external business system or an internal system. However, the number of micro services in the system is large, the calling relationship among the micro services is chaotic, the service provider cannot know all the dependent calling parties, and the security risk of illegal calling exists.
Disclosure of Invention
The embodiment of the application provides a micro-service calling authority control method, a micro-service calling authority control device, a micro-service calling authority control server, a micro-service calling authority control system and a micro-service calling authority control medium, and aims to improve micro-service calling safety.
In a first aspect, an embodiment of the present application provides a method for controlling invocation authority of a micro service, where the method is applied to a server, and the method includes:
acquiring call authority information of micro-services of which call authorities are to be configured;
sending an approval request of the call authority information to an approval system, and acquiring an approval result of the call authority information returned by the approval system based on the approval request;
and when the approval result is that the approval is passed, the calling authority information is sent to a distributed storage system for storage, so that when the micro server detects a service calling request of a service calling party, the service calling request is checked based on the corresponding calling authority information in the distributed storage system, and if the service calling request passes the check, the service calling request is responded.
In a second aspect, an embodiment of the present application further provides a method for controlling invocation authority of a micro service, where the method is applied to a micro service end, and the method includes:
intercepting a service call request sent by a service calling party through a preset SDK, wherein the service call request is used for requesting to call a service provider, and the service call request comprises service call information;
acquiring calling authority information of the service provider from a distributed storage system through the preset SDK;
determining whether the service caller has the authority to call the service provider according to the call authority information and the service call information;
if the service calling party has the authority of calling the service provider, responding to the service calling request;
and if the service calling party does not have the authority to call the service provider, sending call exception information to a server.
In a third aspect, an embodiment of the present application further provides a device for controlling a right to invoke a micro service, where the device for controlling a right to invoke a micro service includes:
the acquisition module is used for acquiring the call authority information of the micro service of which the call authority is to be configured;
the sending module is used for sending an approval request of the calling authority information to an approval system;
The acquisition module is further used for acquiring an approval result of the calling authority information returned by the approval system based on the approval request;
and the sending module is further used for sending the calling authority information to the distributed storage system for storage when the approval result is approval passing, so that when the micro server detects a service calling request of a service calling party, the service calling request is checked based on the corresponding calling authority information in the distributed storage system, and if the service calling request passes the check, the service calling request is responded.
In a fourth aspect, embodiments of the present application further provide a server, where the server includes a processor, a memory, and a computer program stored on the memory and executable by the processor, where the computer program, when executed by the processor, implements the steps of the method for controlling call authority of a micro service as described above.
In a fifth aspect, an embodiment of the present application further provides a micro-service invocation permission control system, where the micro-service invocation permission control system includes a distributed storage system, a micro-service cluster, and a server as described above, where the distributed storage system is respectively in communication connection with the micro-service cluster and the server, and the server is in communication connection with the micro-service cluster.
In a sixth aspect, embodiments of the present application further provide a computer readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the call authority control method for micro services as described above.
The embodiment of the application provides a method, a device, a server, a system and a medium for controlling call authority of micro-services, wherein the method for controlling call authority is used for checking a service call request based on corresponding call authority information in a distributed storage system when a service call request sent by a service calling party is detected by the micro-service end, and responding to the service call request to call the corresponding micro-services if the service call request passes the check, so that illegal call of the micro-services is avoided, and call safety of the micro-services is greatly improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a network structure for implementing a method for controlling call authority of a micro service according to an embodiment of the present application;
FIG. 2 is a flowchart illustrating a method for controlling call authority of a micro service according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating a method for controlling call authority of another micro service according to an embodiment of the present application;
FIG. 4 is a schematic block diagram of a micro-service invocation authority control device provided in an embodiment of the present application;
FIG. 5 is a schematic block diagram of another micro-service call authority control device provided by an embodiment of the present application;
FIG. 6 is a schematic block diagram of another micro-service call authority control device provided by an embodiment of the present application;
FIG. 7 is a schematic block diagram of a server according to an embodiment of the present application;
Fig. 8 is a schematic block diagram of a micro-service call authority control system according to an embodiment of the present application.
The realization, functional characteristics and advantages of the present application will be further described with reference to the embodiments, referring to the attached drawings.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The flow diagrams depicted in the figures are merely illustrative and not necessarily all of the elements and operations/steps are included or performed in the order described. For example, some operations/steps may be further divided, combined, or partially combined, so that the order of actual execution may be changed according to actual situations. Some embodiments of the present application are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
At present, the micro-server has the advantages of independent deployment, accurate scaling of components or services in the micro-server and high expandability, so that the micro-server is widely applied by large enterprises to establish an external service system or an internal system. However, the number of micro-service ends in the system is large, the calling relationship among the micro-service ends is chaotic, the service provider cannot know all the dependent calling parties, and the security risk of illegal calling exists.
In order to solve the above problems, the embodiments of the present application provide a method, an apparatus, a server, a system, and a medium for controlling call permission of a micro-service. The call permission control method obtains a call permission configuration request containing the call permission information of the micro-service and sends an approval request for that call permission information to an approval system. The approval system approves the call permission information in the approval request to obtain an approval result. The method then obtains the approval result sent by the approval system and, when the result is that approval has passed, sends the call permission information to a distributed storage system for storage. When the micro-service end detects a service call request sent by a service caller, it can therefore check the request against the corresponding call permission information in the distributed storage system and, if the request passes the check, respond to it by calling the corresponding micro-service. This avoids illegal calls to the micro-service and greatly improves the call security of the micro-service.
Referring to fig. 1, fig. 1 is a schematic diagram of a network structure for implementing a method for controlling call authority of a micro-service according to an embodiment of the present application. As shown in fig. 1, the network structure includes a server 11, an approval system 12, a distributed storage system 13 and a micro-service cluster 14, wherein the server 11 is in communication connection with the approval system 12, the distributed storage system 13 and the micro-service cluster 14 respectively, and the distributed storage system 13 is in communication connection with the micro-service cluster 14. The micro-service cluster 14 includes a plurality of micro-services, the server 11 is configured to configure, change, and delete the call authority information of the micro-services, the approval system 12 is configured to approve the call authority information of the micro-services, and the distributed storage system 13 is configured to store the call authority information configured for the micro-services.
In one embodiment, the server 11 obtains the call authority information of the micro service to be configured with the call authority, and sends an approval request of the call authority information to the approval system 12; after receiving the approval request sent by the server 11, the approval system 12 approves the call authority information in the approval request, and returns an approval result of the call authority information to the server 11; the server 11 acquires an approval result sent by the approval system, and sends the calling authority information to the distributed storage system 13 for storage when the approval result is approval passing; when detecting a service call request of a service caller, the micro server checks the service call request based on the corresponding call authority information in the distributed storage system 13, and if the service call request passes the check, the micro server responds to the service call request.
In an embodiment, a micro server intercepts a service call request sent by a service calling party through a preset SDK, wherein the service call request is used for requesting to call a service provider, and the service call request comprises service call information; acquiring calling authority information of a service provider (namely micro-service installed on a micro-server) from the distributed storage system 13 through a preset SDK; determining whether the service calling party has the authority for calling the service provider according to the calling authority information and the service calling information; if the service calling party has the authority of calling the service provider, responding to the service calling request; and if the service calling party does not have the authority for calling the service provider, sending abnormal calling information to the server.
Hereinafter, a method for controlling call authority of a micro service provided in an embodiment of the present application will be described in detail with reference to a network structure in fig. 1. It should be noted that, the network structure in fig. 1 is only used to explain the method for controlling the call authority of the micro service provided in the embodiment of the present application, but does not form a limitation on the application scenario of the method for controlling the call authority of the micro service provided in the embodiment of the present application.
Referring to fig. 2, fig. 2 is a schematic flow chart of a method for controlling call authority of a micro service according to an embodiment of the present application. The method for controlling the calling authority of the micro-service provided by the embodiment can be applied to a server.
As shown in fig. 2, the call authority control method of the micro service includes steps S101 to S103.
Step S101, acquiring calling authority information of the micro service of which the calling authority is to be configured.
The call authority information comprises the micro-service identifier of the micro-service (service provider) whose call authority is to be configured, the micro-service identifier of at least one service caller, and the interface identifier of at least one interface used by the at least one service caller to call the service provider. It is understood that the call authority of different micro-services may be the same or different, which is not specifically limited in this embodiment.
The terminal device displays a call authority configuration page for the micro-service and receives the call authority information that the user enters in that page; in response to the user triggering the confirmation key in the configuration page, the terminal device sends the call authority information to the server; the server acquires the call authority information sent by the terminal device.
Step S102, sending an approval request for the call authority information to an approval system, and acquiring the approval result of the call authority information returned by the approval system based on the approval request.
The approval system acquires the call authority information to be approved from the approval request and determines a target approval chain for it; approves the call authority information based on the target approval chain; periodically checks whether approval of the call authority information has finished and, once it has, acquires the approval result of each approval node in the target approval chain for the call authority information; and determines the final approval result of the call authority information from the approval results of the individual approval nodes and sends that result to the server.
For example, the approval system may determine the target approval chain of the call authority information as follows: the approval system counts the service callers in the call authority information to obtain the number of service callers, and determines the target approval chain from a plurality of preset approval chains according to that number. The more service callers there are, the more approval nodes the target approval chain has; the fewer service callers there are, the fewer approval nodes it has. The preset approval chains can be set based on actual conditions.
The method for determining the target approval chain of the call authority information from the preset multiple approval chains by the approval system according to the number of the service call parties may be: the approval system determines a preset quantity range in which the quantity of the service calling parties is located, and acquires a mapping relation between a pre-stored quantity range and an approval chain; and determining a target approval chain of the calling authority information from a plurality of preset approval chains according to the mapping relation and the preset quantity range of the quantity of the service calling parties. The mapping relationship between the pre-stored number range and the approval chain can be set by the user, which is not particularly limited in this embodiment.
In one embodiment, the server determines an approval level of the call authority information before sending an approval request to the approval system; determines a target approval chain for the call authority information from a plurality of preset approval chains according to the approval level; and generates an approval request according to the call authority information and the target approval chain. The approval request comprises the call authority information to be approved and the target approval chain. The higher the approval level, the more approval nodes the target approval chain has; the lower the approval level, the fewer approval nodes it has.
The approval system acquires the call authority information to be approved and the target approval chain from the approval request; approves the call authority information based on the target approval chain; periodically checks whether approval of the call authority information has finished and, once it has, acquires the approval result of each approval node in the target approval chain for the call authority information; and determines the final approval result of the call authority information from the approval results of the individual approval nodes and sends that result to the server.
For example, the manner in which the server determines the approval level of the call permission information may be: determining the number of service invokers in the invocation permission information to obtain the number of service invokers, and/or determining the importance level of each service invoker in the invocation permission information; and determining the approval level of the calling authority information according to the number of the service calling parties and/or the importance level of each service calling party.
For example, according to the number of service invokers, the manner of determining the approval level of the invocation permission information may be: the server determines a preset number range in which the number of service calling parties is located, and acquires a mapping relation between a pre-stored number range and an approval level; and determining the approval level of the calling authority information according to the mapping relation and the preset quantity range of the quantity of the service calling parties.
For example, according to the importance level of each service caller, the manner of determining the approval level of the call authority information may be: comparing the importance level of each service caller to obtain the highest importance level; and determining the approval level of the calling authority information based on the highest importance level and the mapping relation between the prestored importance level and the approval level.
For example, the approval level of the call authority information may be determined from both the number of service callers and the importance level of each service caller as follows: determining a first approval level of the call authority information according to the number of service callers; determining a second approval level of the call authority information according to the importance level of each service caller; if the first approval level is greater than the second approval level, determining the first approval level as the approval level of the call authority information; and if the first approval level is smaller than the second approval level, determining the second approval level as the approval level of the call authority information.
And step S103, when the approval result is that the approval is passed, the calling authority information is sent to the distributed storage system for storage.
The distributed storage system is used for storing calling authority information of a plurality of micro services, and the micro service end is in communication connection with the distributed storage system, so that the micro service end can acquire the configured calling authority information from the distributed storage system. Alternatively, the distributed storage system may be a Zookeeper.
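The server-side flow of steps S101 to S103 can be sketched as follows; this is an added example, not code from the patent. The count thresholds, importance names, approver names, the rule that every node in the chain must approve, and treating an unlisted caller as "high" importance are all assumptions, and a plain dict stands in for the distributed storage system.

```python
from bisect import bisect_left
from dataclasses import dataclass

# Constructed sample mappings: the patent leaves these tables to the operator.
COUNT_UPPER_BOUNDS = [3, 10]   # <=3 callers -> level 1, 4..10 -> level 2, >10 -> level 3
IMPORTANCE_TO_LEVEL = {"low": 1, "medium": 2, "high": 3}
APPROVAL_CHAINS = {            # higher level -> more approval nodes
    1: ["service-owner"],
    2: ["service-owner", "team-lead"],
    3: ["service-owner", "team-lead", "security-review"],
}


@dataclass(frozen=True)
class CallPermission:
    provider_id: str        # micro-service whose call authority is configured
    caller_ids: tuple       # micro-service identifiers of the permitted callers
    interface_ids: tuple    # interface identifiers the callers may use


def level_from_count(n_callers):
    """First approval level: derived from the preset number range."""
    return bisect_left(COUNT_UPPER_BOUNDS, n_callers) + 1


def level_from_importance(caller_ids, importance):
    """Second approval level: the highest importance among the callers decides.

    A caller with no recorded importance is treated as "high" (assumption),
    so a missing entry can only lengthen the approval chain.
    """
    return max(IMPORTANCE_TO_LEVEL[importance.get(c, "high")] for c in caller_ids)


def approval_level(perm, importance):
    if not perm.caller_ids:
        raise ValueError("call authority information needs at least one caller")
    first = level_from_count(len(perm.caller_ids))
    second = level_from_importance(perm.caller_ids, importance)
    # max() implements "the greater of the two" and also settles the case
    # where both levels are equal, which the text does not spell out.
    return max(first, second)


def build_approval_request(perm, importance):
    level = approval_level(perm, importance)
    return {"permission": perm, "level": level, "chain": APPROVAL_CHAINS[level]}


def final_result(chain, node_results):
    """Assumed rule: approval passes only if every node in the chain approved.
    A node with no recorded result counts as not approved."""
    return all(node_results.get(node) is True for node in chain)


def store_if_approved(store, request, node_results):
    """Step S103: write to the store only when the approval result is a pass."""
    if not final_result(request["chain"], node_results):
        return False
    perm = request["permission"]
    store[perm.provider_id] = perm
    return True


if __name__ == "__main__":
    # Constructed sample input.
    perm = CallPermission("order-svc", ("cart-svc", "billing-svc"), ("createOrder",))
    importance = {"cart-svc": "low", "billing-svc": "high"}
    req = build_approval_request(perm, importance)
    store = {}
    print(req["level"], req["chain"])
    print(store_if_approved(store, req, {"service-owner": True, "team-lead": True}))
    print(store_if_approved(store, req, {n: True for n in req["chain"]}), store)
```
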
In an embodiment, if the micro-service end detects a service call request sent by a service caller (another micro-service), it verifies the request based on the call authority information, held in the distributed storage system, of the micro-service installed on that micro-service end. If the request passes verification, the micro-service end responds to it and the micro-service is called; if it does not pass, call exception information is sent to the server. Remote procedure calls (Remote Procedure Call, RPC) between micro-services include Feign calls, i.e. the service call request includes a Feign call request. Feign is a service-consumer-side calling framework in the Spring family that allows HTTP APIs to be called more quickly and gracefully.
Illustratively, each micro server as a service provider is provided with a preset Software Development Kit (SDK) for intercepting a service call request sent by the micro server as a service caller and acquiring configured call authority information from a distributed storage system.
The micro server intercepts a service call request sent by a service calling party through a preset SDK, and acquires call authority information of the service provider from a distributed storage system through the preset SDK; acquiring service calling information from the service calling request, and determining whether a service calling party has the authority of calling a service provider according to the calling authority information and the service calling information; if the service calling party has the authority of calling the service provider, responding to the service calling request; and if the service calling party does not have the authority to call the service provider, sending call exception information to the server.
In an embodiment, the server acquires service call information sent by any micro-service, wherein the service call information comprises a first micro-service identifier of the service provider and a second micro-service identifier of the service caller; acquires the call authority information corresponding to the first micro-service identifier from the distributed storage system; determines whether the service caller has the authority to call the service provider according to the acquired call authority information and the service call information; and, if the service caller does not have the authority to call the service provider, sends preset alarm information to the terminal device corresponding to the service caller, so that the terminal device outputs the preset alarm information. The preset alarm information prompts the user that a micro-service has been called illegally.
The service calling information further comprises a first interface identifier of an interface used by the service calling party for calling the service provider, and the calling authority information of the service provider comprises a third micro service identifier of at least one service calling party and a second interface identifier of at least one interface used by the service calling party for calling the service provider.
Illustratively, the check determines whether the at least one third micro-service identifier includes the second micro-service identifier, and whether the at least one second interface identifier includes the first interface identifier; if the at least one third micro-service identifier includes the second micro-service identifier and the at least one second interface identifier includes the first interface identifier, it is determined that the service caller has the authority to call the service provider; and if the at least one third micro-service identifier does not include the second micro-service identifier, or the at least one second interface identifier does not include the first interface identifier, it is determined that the service caller does not have the authority to call the service provider.
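The check just described, placed inside a minimal interceptor, as an added example that is not code from the patent: `PermissionSdk`, the service and interface names, the in-memory dict standing in for the distributed storage system, and denying a call when no permission record exists are assumptions. It goes one step beyond the text by adding `check_bound`, a per-caller variant, because the check as worded tests two independent lists, so any listed caller passes for any listed interface.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CallInfo:
    provider_id: str     # first micro-service identifier (service provider)
    caller_id: str       # second micro-service identifier (service caller)
    interface_id: str    # first interface identifier (interface being called)


@dataclass(frozen=True)
class CallPermission:
    caller_ids: frozenset      # third micro-service identifiers
    interface_ids: frozenset   # second interface identifiers


def check_flat(perm, call):
    """The check as worded in the text: two independent membership tests."""
    return (call.caller_id in perm.caller_ids
            and call.interface_id in perm.interface_ids)


def check_bound(grants, call):
    """Stricter variant (assumption, not in the patent): each caller is
    granted its own set of interfaces, so the pair is checked together."""
    return call.interface_id in grants.get(call.caller_id, frozenset())


class PermissionSdk:
    """Hypothetical stand-in for the preset SDK on the provider side."""

    def __init__(self, store, check=check_flat):
        self.store = store        # stand-in for the distributed storage system
        self.check = check
        self.exceptions = []      # stand-in for call exception info sent to the server

    def intercept(self, call, handler):
        record = self.store.get(call.provider_id)
        # Deny when no record exists (assumption): an unconfigured provider
        # is treated the same as a failed check.
        if record is None or not self.check(record, call):
            self.exceptions.append(call)
            return {"allowed": False, "response": None}
        return {"allowed": True, "response": handler(call)}


# Constructed sample data: cart-svc is meant to use createOrder only,
# report-svc is meant to use exportOrders only.
FLAT_STORE = {
    "order-svc": CallPermission(
        frozenset({"cart-svc", "report-svc"}),
        frozenset({"createOrder", "exportOrders"}),
    )
}
BOUND_STORE = {
    "order-svc": {
        "cart-svc": frozenset({"createOrder"}),
        "report-svc": frozenset({"exportOrders"}),
    }
}


def handle(call):
    """Constructed provider handler."""
    return f"{call.interface_id} ok"


if __name__ == "__main__":
    sdk = PermissionSdk(FLAT_STORE)
    print(sdk.intercept(CallInfo("order-svc", "cart-svc", "createOrder"), handle))
    print(sdk.intercept(CallInfo("order-svc", "mail-svc", "createOrder"), handle))
    cross = CallInfo("order-svc", "cart-svc", "exportOrders")
    print("flat check:", check_flat(FLAT_STORE["order-svc"], cross))
    print("bound check:", check_bound(BOUND_STORE["order-svc"], cross))
```
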
In the call authority control method provided by this embodiment, a call authority configuration request containing the call authority information of a micro-service is obtained, and an approval request for the call authority information is sent to the approval system. The approval system reviews the call authority information in the approval request and produces an approval result, which is then obtained from the approval system. When the approval result is that the approval is passed, the call authority information is sent to the distributed storage system for storage. When a micro-service end later detects a service call request sent by a service caller, it can check the request against the corresponding call authority information in the distributed storage system and, if the request passes the check, respond to it and call the corresponding micro-service. This avoids illegal calls to micro-services and greatly improves the security of micro-service calls.
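The approval-gated write path summarized above, as an added sketch that is not code from the patent. The chain table, the level thresholds, the node names and the in-memory `store` standing in for the distributed storage system are all assumptions; the page only states that the level derives from the number of callers and/or their importance and that a higher level means more approval nodes.

```python
from dataclasses import dataclass

# Constructed chain table (assumption): approval level -> ordered approval nodes.
PRESET_CHAINS = {
    1: ["team_lead"],
    2: ["team_lead", "service_owner"],
    3: ["team_lead", "service_owner", "security_reviewer"],
}


@dataclass(frozen=True)
class CallPermission:
    provider_id: str       # micro-service whose call authority is being configured
    callers: dict          # caller id -> importance level, 1 (low) to 3 (high)
    interfaces: frozenset  # interface ids the callers may use


def approval_level(perm):
    """Level from caller count and highest caller importance (assumed thresholds)."""
    count = len(perm.callers)
    by_count = 1 if count <= 2 else 2 if count <= 5 else 3
    by_importance = max(perm.callers.values(), default=1)
    return max(by_count, by_importance)


def validate_chains(chains):
    """Enforce the stated property: a higher level has more approval nodes."""
    sizes = [len(chains[level]) for level in sorted(chains)]
    if any(later <= earlier for earlier, later in zip(sizes, sizes[1:])):
        raise ValueError("approval chains must grow with the approval level")


def build_approval_request(perm, chains=PRESET_CHAINS):
    """Approval request = permission to be approved + target approval chain."""
    validate_chains(chains)
    level = min(approval_level(perm), max(chains))  # clamp to the highest preset chain
    return {"permission": perm, "level": level, "chain": list(chains[level])}


class ApprovalSystem:
    """Stand-in approval system: every node in the chain has to approve."""

    def __init__(self, decisions):
        self.decisions = decisions  # approval node -> True/False

    def review(self, request):
        # A node with no recorded decision counts as a rejection (fail closed).
        return all(self.decisions.get(node, False) for node in request["chain"])


def configure_permission(perm, approval_system, store):
    """Write the permission to the store only after the whole chain approves."""
    request = build_approval_request(perm)
    approved = approval_system.review(request)
    if approved:
        store[perm.provider_id] = perm
    return approved
```

Because the store is written only on a passed approval, a request that stalls at any node leaves the provider with no new record, so the enforcement side never sees unapproved grants.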
Referring to fig. 3, fig. 3 is a flowchart illustrating a procedure of another method for controlling call authority of a micro service according to an embodiment of the present application. The call authority control method provided by the embodiment is applied to the micro server.
As shown in fig. 3, the call authority control method of the micro service includes steps S201 to S205.
Step S201, intercepting a service call request sent by a service calling party through a preset SDK.
The service call request is used to request a call to the service provider and includes service call information of the service caller. The service call information includes a first micro-service identifier of the service provider, a second micro-service identifier of the service caller, and a first interface identifier of the interface used by the service caller to call the service provider. Each micro-service end serving as a service provider is provided with a preset Software Development Kit (SDK), which is used to intercept service call requests sent by micro-services serving as service callers and to acquire the configured call authority information from the distributed storage system.
Step S202, call authority information of a service provider is obtained from a distributed storage system through a preset SDK.
The distributed storage system stores the call authority information of a plurality of micro-services serving as service providers. Optionally, the distributed storage system may be a Zookeeper. The call authority information of the service provider includes a third micro-service identifier of at least one service caller and a second interface identifier of at least one interface used by the at least one service caller to call the service provider.
Step S203, determining whether the service caller has the authority to call the service provider according to the call authority information and the service call information.
Illustratively, it is determined whether the at least one third micro-service identifier includes the second micro-service identifier, and whether the at least one second interface identifier includes the first interface identifier. If the at least one third micro-service identifier includes the second micro-service identifier and the at least one second interface identifier includes the first interface identifier, the service caller is determined to have the authority to call the service provider. If the at least one third micro-service identifier does not include the second micro-service identifier, or the at least one second interface identifier does not include the first interface identifier, the service caller is determined not to have the authority to call the service provider.
Step S204, if the service calling party has the authority to call the service provider, responding to the service calling request.
Illustratively, the manner of responding to the service invocation request may be: calling a micro-service end serving as a service provider based on the second micro-service identifier and the second interface identifier of the service provider to obtain response data, and sending the response data to the micro-service end serving as the service caller based on the first micro-service identifier of the service caller.
Step S205, if the service calling party does not have the authority to call the service provider, the calling exception information is sent to the server.
The calling exception information comprises a micro-service identifier of a service calling party, a micro-service identifier of a service provider, an interface identifier of an interface used by the service calling party for calling the service provider and a calling exception identifier, wherein the calling exception identifier is used for indicating that calling of the micro-service serving as the service calling party is abnormal.
In the micro-service call authority control method provided by this embodiment, the service provider intercepts the service call request sent by the service caller, acquires its own call authority information from the distributed storage system, and then determines, based on the call authority information and the service call information in the service call request, whether the service caller has the authority to call the service provider. When the service caller has that authority, the service call request is responded to; when it does not, the service call request is not responded to and call exception information is sent to the server. This avoids illegal calls to micro-services and greatly improves the security of micro-service calls.
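Steps S201 to S205, and the same check used in the server-side monitoring embodiment, as an added sketch that is not code from the patent. The record layout, the function names and the in-memory `PERMISSION_STORE` standing in for the distributed storage system are assumptions. `flat_check` follows the wording of the page (two independent membership tests), and `bound_check` is a stricter variant added here that ties each interface to the caller it was granted to.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRequest:
    provider_id: str   # first micro-service identifier (service provider)
    caller_id: str     # second micro-service identifier (service caller)
    interface_id: str  # first interface identifier (interface being called)


# Constructed sample data: provider id -> {caller id -> interfaces granted}.
PERMISSION_STORE = {
    "orders": {
        "cart": {"createOrder"},
        "reporting": {"listOrders"},
    },
}


def flat_check(record, req):
    """Check as worded on the page: caller is among the allowed callers AND
    interface is among the allowed interfaces, tested independently."""
    allowed_callers = set(record)
    allowed_interfaces = set().union(*record.values())
    return req.caller_id in allowed_callers and req.interface_id in allowed_interfaces


def bound_check(record, req):
    """Stricter variant (assumption, not from the page): the interface must
    have been granted to this particular caller."""
    return req.interface_id in record.get(req.caller_id, set())


def handle_call(req, store, check, exception_log):
    """S202-S205: fetch the provider's record, decide, then respond or report.

    caller_id is taken from the request as the page describes; authenticating
    that identity is outside the scope of this sketch.
    """
    record = store.get(req.provider_id)
    # No approved record for the provider means no caller is authorized.
    allowed = record is not None and check(record, req)
    if allowed:
        return "served"
    # Call exception information: caller, provider, interface, exception flag.
    exception_log.append({
        "caller_id": req.caller_id,
        "provider_id": req.provider_id,
        "interface_id": req.interface_id,
        "call_exception": True,
    })
    return "denied"
```

With the sample data, `reporting` calling `createOrder` passes `flat_check` but fails `bound_check`, which is the difference to look for when the stored authority information lists callers and interfaces as two separate sets.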
Referring to fig. 4, fig. 4 is a schematic block diagram of a micro service call authority control device according to an embodiment of the present application.
As shown in fig. 4, the call authority control device 300 of the micro service includes:
an obtaining module 310, configured to obtain call authority information of a micro service to which call authority is to be configured;
a sending module 320, configured to send an approval request of the invoking authority information to an approval system;
the obtaining module 310 is further configured to obtain an approval result of the call permission information returned by the approval system based on the approval request;
the sending module 320 is further configured to send the call permission information to a distributed storage system for storage when the approval result is approval passing, so that when the micro server detects a service call request of a service caller, the micro server checks the service call request based on the corresponding call permission information in the distributed storage system, and if the service call request passes the check, the micro server responds to the service call request.
In one embodiment, as shown in fig. 5, the micro service call authority control device 300 further includes:
a determining module 330, configured to determine an approval level of the call authority information;
the determining module 330 is further configured to determine, according to the approval level, a target approval chain of the call authority information from a plurality of preset approval chains;
and the generating module 340 is configured to generate the approval request according to the call authority information and the target approval chain.
In an embodiment, the determining module 330 is further configured to:
determining the number of service invokers in the invocation permission information to obtain the number of service invokers, and/or determining the importance level of each service invoker in the invocation permission information;
and determining the approval level of the calling authority information according to the number of the service calling parties and/or the importance level of each service calling party.
In an embodiment, the obtaining module 310 is further configured to obtain service invocation information sent by any micro service, where the service invocation information includes a first micro service identifier of a service provider and a second micro service identifier of the service caller;
the obtaining module 310 is further configured to obtain, from the distributed storage system, the call permission information corresponding to the first micro service identifier;
the determining module 330 is further configured to determine, according to the obtained call authority information and the service call information, whether the service caller has an authority to call the service provider;
the sending module 320 is further configured to send preset alert information to a terminal device corresponding to the service caller if the service caller does not have the authority to invoke the service provider.
In an embodiment, the service invocation information further includes a first interface identifier of an interface used by the service caller to invoke the service provider, the invocation authority information includes a third micro service identifier of at least one service caller and a second interface identifier of at least one interface used by the service caller to invoke the service provider, and the determining module 330 is further configured to:
determining whether at least one third micro service identifier comprises the second micro service identifier or not, and determining whether at least one second interface identifier comprises the first interface identifier or not;
if at least one third micro service identifier comprises the second micro service identifier and at least one second interface identifier comprises the first interface identifier, determining that the service calling party has the authority to call the service provider;
and if at least one third micro service identifier does not contain the second micro service identifier or at least one second interface identifier does not contain the first interface identifier, determining that the service caller does not have the authority to call the service provider.
Referring to fig. 6, fig. 6 is a schematic block diagram of another micro service call authority control device according to an embodiment of the present application.
As shown in fig. 6, the call authority control device 400 of the micro service includes:
an interception module 410, configured to intercept a service call request sent by a service caller, where the service call request is used to request to call a service provider, and the service call request includes service call information;
an obtaining module 420, configured to obtain, from a distributed storage system through the preset SDK, call permission information of the service provider;
a determining module 430, configured to determine, according to the call authority information and the service call information, whether the service caller has an authority to call the service provider;
a response module 440, configured to respond to the service call request if the service caller has the authority to call the service provider;
and the sending module 450 is configured to send call exception information to a server if the service caller does not have the authority to call the service provider.
It should be noted that, for convenience and brevity of description, specific working processes of the above-described apparatus and modules and units may refer to corresponding processes in the foregoing embodiments of the micro-service invocation authority control method, which are not described herein again.
Referring to fig. 7, fig. 7 is a schematic block diagram of a server according to an embodiment of the present application.
As shown in fig. 7, the server includes a processor, a memory, and a network interface connected by a system bus, wherein the memory may include a storage medium and an internal memory.
The storage medium may store an operating system and a computer program. The computer program includes program instructions that, when executed, cause the processor to perform any of the call authority control methods for the micro-services.
The processor is used to provide computing and control capabilities, supporting the operation of the entire server.
The network interface is used for network communication such as transmitting assigned tasks and the like. It will be appreciated by those skilled in the art that the structure shown in fig. 7 is merely a block diagram of a portion of the structure associated with the present application and is not limiting of the server to which the present application applies, and that a particular server may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
It should be appreciated that the processor may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field-programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. Wherein the general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Wherein, in an embodiment, the processor is configured to execute a computer program stored in the memory to implement the steps of:
acquiring call authority information of micro-services of which call authorities are to be configured;
sending an approval request of the call authority information to an approval system, and acquiring an approval result of the call authority information returned by the approval system based on the approval request;
and when the approval result is that the approval is passed, the calling authority information is sent to a distributed storage system for storage, so that when the micro server detects a service calling request of a service calling party, the service calling request is checked based on the corresponding calling authority information in the distributed storage system, and if the service calling request passes the check, the service calling request is responded.
In an embodiment, before sending the approval request of the call authority information to the approval system, the processor is further configured to implement:
determining the approval level of the calling authority information;
determining a target approval chain of the calling authority information from a plurality of preset approval chains according to the approval grade;
and generating the approval request according to the calling authority information and the target approval chain.
In an embodiment, when determining the approval level of the call authority information, the processor is configured to implement:
determining the number of service invokers in the invocation permission information to obtain the number of service invokers, and/or determining the importance level of each service invoker in the invocation permission information;
and determining the approval level of the calling authority information according to the number of the service calling parties and/or the importance level of each service calling party.
In an embodiment, the distributed storage system stores call authority information of a plurality of the micro services, and the processor is further configured to implement the following steps:
acquiring service calling information sent by any micro service, wherein the service calling information comprises a first micro service identifier of a service provider and a second micro service identifier of the service caller;
acquiring the calling authority information corresponding to the first micro-service identifier from the distributed storage system;
determining whether the service calling party has the authority for calling the service provider according to the acquired calling authority information and the service calling information;
and if the service calling party does not have the authority to call the service provider, sending preset alarm information to the terminal equipment corresponding to the service calling party.
In an embodiment, the service call information further includes a first interface identifier of an interface used by the service caller to call the service provider, and the call authority information includes a third micro-service identifier of at least one service caller and a second interface identifier of at least one interface used by the service caller to call the service provider. When determining whether the service caller has the authority to call the service provider according to the acquired call authority information and the service call information, the processor is configured to implement:
determining whether at least one third micro service identifier comprises the second micro service identifier or not, and determining whether at least one second interface identifier comprises the first interface identifier or not;
if at least one third micro service identifier comprises the second micro service identifier and at least one second interface identifier comprises the first interface identifier, determining that the service calling party has the authority to call the service provider;
and if at least one third micro service identifier does not contain the second micro service identifier or at least one second interface identifier does not contain the first interface identifier, determining that the service caller does not have the authority to call the service provider.
It should be noted that, for convenience and brevity of description, a specific working process of the server described above may refer to a corresponding process in the foregoing embodiment of the method for controlling call authority of the micro service, which is not described herein again.
From the above description of embodiments, it will be apparent to those skilled in the art that the present application may be implemented in software plus a necessary general purpose hardware platform. Based on such understanding, the technical solutions of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions to cause a server (which may be a personal computer, a server, or a network device, etc.) to perform the methods described in the embodiments or some parts of the embodiments of the present application.
Referring to fig. 8, fig. 8 is a schematic block diagram of a micro-service invocation authority control system according to an embodiment of the present application.
As shown in fig. 8, the call authority control system 500 of the micro service includes: the distributed storage system 510, the micro service cluster 520 and the server 530, wherein the distributed storage system 510 is respectively connected with the micro service cluster 520 and the server 530, and the server 530 is in communication connection with the micro service cluster 520. Wherein the micro service cluster 520 includes a plurality of micro services.
It should be noted that, for convenience and brevity of description, a specific working process of the above-described micro service invocation permission control system may refer to a corresponding process in the foregoing micro service invocation permission control method embodiment, which is not described herein again.
Embodiments of the present application further provide a computer readable storage medium storing a computer program, where the computer program includes program instructions; for the method implemented when the program instructions are executed, reference may be made to the embodiments of the call authority control method of the micro-service of the present application.
Wherein the computer readable storage medium may be volatile or nonvolatile. The computer readable storage medium may be an internal storage unit of the server according to the foregoing embodiment, for example, a hard disk or a memory of the server. The computer readable storage medium may also be an external storage device of the server, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like, which are provided on the server.
Further, the computer-readable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created from the use of blockchain nodes, and the like.
The blockchain referred to in the application is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralised database: a string of data blocks generated in association by cryptographic means, each data block containing a batch of network transaction information used to verify the validity of the information (anti-counterfeiting) and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, an application services layer, and the like.
It is to be understood that the terminology used in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present application are merely for description and do not represent advantages or disadvantages of the embodiments. While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and equivalent substitutions may be made without departing from the scope of the invention. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (7)

1. A call authority control method of a micro service, which is applied to a server, the method comprising:
acquiring call authority information of micro-services of which call authorities are to be configured;
determining the approval level of the calling authority information, wherein the determining the approval level of the calling authority information comprises: determining the number of service invokers in the invocation permission information to obtain the number of service invokers, and/or determining the importance level of each service invoker in the invocation permission information; determining approval levels of the calling authority information according to the number of the service calling parties and/or the importance level of each service calling party;
determining a target approval chain of the calling authority information from a plurality of preset approval chains according to the approval grade;
generating an approval request of the call authority information according to the call authority information and the target approval chain, wherein the approval request comprises the call authority information to be approved and the target approval chain, the higher the approval level is, the greater the number of approval nodes in the target approval chain is, and the lower the approval level is, the smaller the number of approval nodes in the target approval chain is;
sending an approval request of the call authority information to an approval system, and acquiring an approval result of the call authority information returned by the approval system based on the approval request;
and when the approval result is that the approval is passed, the calling authority information is sent to a distributed storage system for storage, so that when the micro server detects a service calling request of a service calling party, the service calling request is checked based on the corresponding calling authority information in the distributed storage system, and if the service calling request passes the check, the service calling request is responded.
2. The call right control method according to claim 1, wherein the distributed storage system stores call right information of a plurality of the micro services, the method further comprising:
acquiring service calling information sent by any micro service, wherein the service calling information comprises a first micro service identifier of a service provider and a second micro service identifier of the service caller;
acquiring the calling authority information corresponding to the first micro-service identifier from the distributed storage system;
determining whether the service calling party has the authority for calling the service provider according to the acquired calling authority information and the service calling information;
and if the service calling party does not have the authority to call the service provider, sending preset alarm information to the terminal equipment corresponding to the service calling party.
3. The call right control method according to claim 2, wherein the service call information further includes a first interface identifier of an interface used by the service caller to call the service provider, the call right information includes a third micro service identifier of at least one service caller and a second interface identifier of at least one interface used by the service caller to call the service provider, and the determining whether the service caller has a right to call the service provider according to the acquired call right information and the service call information includes:
determining whether at least one third micro service identifier comprises the second micro service identifier or not, and determining whether at least one second interface identifier comprises the first interface identifier or not;
if at least one third micro service identifier comprises the second micro service identifier and at least one second interface identifier comprises the first interface identifier, determining that the service calling party has the authority to call the service provider;
and if at least one third micro service identifier does not contain the second micro service identifier or at least one second interface identifier does not contain the first interface identifier, determining that the service caller does not have the authority to call the service provider.
4. A call authority control device of a micro service, characterized in that the call authority control device of the micro service comprises:
the acquisition module is used for acquiring the call authority information of the micro service of which the call authority is to be configured;
the determining module is configured to determine an approval level of the call permission information, and determine a target approval chain of the call permission information from a plurality of preset approval chains according to the approval level, where determining the approval level of the call permission information includes: determining the number of service invokers in the invocation permission information to obtain the number of service invokers, and/or determining the importance level of each service invoker in the invocation permission information; determining approval levels of the calling authority information according to the number of the service calling parties and/or the importance level of each service calling party;
the generation module is used for generating an approval request of the calling authority information according to the calling authority information and the target approval chain, wherein the approval request comprises the calling authority information to be approved and the target approval chain, the higher the approval level is, the greater the number of approval nodes in the target approval chain is, and the lower the approval level is, the smaller the number of approval nodes in the target approval chain is;
the sending module is used for sending an approval request of the calling authority information to an approval system;
the acquisition module is further used for acquiring an approval result of the calling authority information returned by the approval system based on the approval request;
and the sending module is further used for sending the calling authority information to the distributed storage system for storage when the approval result is approval passing, so that when the micro server detects a service calling request of a service calling party, the service calling request is checked based on the corresponding calling authority information in the distributed storage system, and if the service calling request passes the check, the service calling request is responded.
5. A server comprising a processor, a memory, and a computer program stored on the memory and executable by the processor, wherein the computer program, when executed by the processor, implements the steps of the call authority control method of a micro service according to any one of claims 1 to 3.
6. A micro-service call authority control system, wherein the micro-service call authority control system comprises a distributed storage system, a micro-service cluster and the server according to claim 5, the distributed storage system is respectively in communication connection with the micro-service cluster and the server, and the server is in communication connection with the micro-service cluster.
7. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program, wherein the computer program, when executed by a processor, implements the steps of the call authority control method of a micro service according to any one of claims 1 to 3.
CN202110732757.XA 2021-06-29 2021-06-29 Micro-service calling authority control method, device, server, system and medium Active CN113326540B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110732757.XA CN113326540B (en) 2021-06-29 2021-06-29 Micro-service calling authority control method, device, server, system and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110732757.XA CN113326540B (en) 2021-06-29 2021-06-29 Micro-service calling authority control method, device, server, system and medium

Publications (2)

Publication Number Publication Date
CN113326540A (en) 2021-08-31
CN113326540B (en) 2023-12-22

Family

ID=77423409

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110732757.XA Active CN113326540B (en) 2021-06-29 2021-06-29 Micro-service calling authority control method, device, server, system and medium

Country Status (1)

Country Link
CN (1) CN113326540B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114666387A (en) * 2022-03-25 2022-06-24 广州方硅信息技术有限公司 Interface management system, method, storage medium and computer device

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105844170A (en) * 2015-01-16 2016-08-10 阿里巴巴集团控股有限公司 File processing method and device
CN108256721A (en) * 2017-11-16 2018-07-06 中国平安财产保险股份有限公司 A kind of method for scheduling task, terminal device and medium
CN108874619A (en) * 2018-05-14 2018-11-23 平安普惠企业管理有限公司 A kind of information monitoring method, storage medium and server
CN109948356A (en) * 2019-03-25 2019-06-28 江苏电力信息技术有限公司 One kind is based on service call authority control method under micro services framework
WO2020042290A1 (en) * 2018-08-28 2020-03-05 卫盈联信息技术(深圳)有限公司 Risk management method, and apparatus and computer-readable storage medium
CN111160803A (en) * 2019-12-31 2020-05-15 上海分布信息科技有限公司 Business process safety and management method and system based on block chain
CN111310151A (en) * 2020-01-20 2020-06-19 广东金赋科技股份有限公司 Distributed permission set-based permission management method, device and storage medium
CN111447222A (en) * 2020-03-26 2020-07-24 广东电网有限责任公司 Distributed system authority authentication system and method based on micro-service architecture
CN112100593A (en) * 2020-09-21 2020-12-18 珠海格力电器股份有限公司 Authority management method and device of approval system, electronic equipment and storage medium
CN112416616A (en) * 2020-11-12 2021-02-26 北京字跳网络技术有限公司 Micro-service calling method and device, electronic equipment and storage medium
CN112905364A (en) * 2021-03-31 2021-06-04 重庆度小满优扬科技有限公司 Calling method of micro service and electronic equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10348858B2 (en) * 2017-09-15 2019-07-09 Oracle International Corporation Dynamic message queues for a microservice based cloud service

Also Published As

Publication number Publication date
CN113326540A (en) 2021-08-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20231124

Address after: Building 3, Huangdu Plaza, No. 3008 Yitian Road, Huanggang Community, Futian Street, Futian District, Shenzhen City, Guangdong Province, 518000, 1114D7

Applicant after: Shenzhen Century Frontier Quantitative Technology Co.,Ltd.

Address before: 518000 Room 202, block B, aerospace micromotor building, No.7, Langshan No.2 Road, Xili street, Nanshan District, Shenzhen City, Guangdong Province

Applicant before: Shenzhen LIAN intellectual property service center

Effective date of registration: 20231124

Address after: 518000 Room 202, block B, aerospace micromotor building, No.7, Langshan No.2 Road, Xili street, Nanshan District, Shenzhen City, Guangdong Province

Applicant after: Shenzhen LIAN intellectual property service center

Address before: 518000 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.)

Applicant before: PING AN PUHUI ENTERPRISE MANAGEMENT Co.,Ltd.

TA01 Transfer of patent application right
GR01 Patent grant