CN113672901A - Access request processing method, container cloud platform, electronic device and storage medium - Google Patents


Info

Publication number
CN113672901A
Authority
CN
China
Prior art keywords
access
micro
micro service
cloud platform
service component
Prior art date
Legal status
Granted
Application number
CN202111004681.5A
Other languages
Chinese (zh)
Other versions
CN113672901B (en)
Inventor
徐春涛
吴栋
Current Assignee
Inspur Jinan data Technology Co ltd
Original Assignee
Inspur Jinan data Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Inspur Jinan data Technology Co ltd
Priority to CN202111004681.5A
Publication of CN113672901A
Application granted
Publication of CN113672901B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an access request processing method applied to a container cloud platform, comprising the following steps: determining an access authorization policy, where the access authorization policy is code that configures access rights between micro service components running on the container cloud platform; bringing the access authorization policy into effect within the container cloud platform through a declarative API; and performing access right verification on access requests sent between the micro service components using the access authorization policy, and executing the corresponding processing operation on each access request according to the access right verification result. According to the method and device, non-invasive secure access between micro services can be realized and the security of the container cloud platform is improved. The application also discloses a container cloud platform, an electronic device and a storage medium, which have the same beneficial effects.

Description

Access request processing method, container cloud platform, electronic device and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an access request processing method, a container cloud platform, an electronic device, and a storage medium.
Background
With the popularity of microservices, more and more businesses choose to migrate applications to microservice architectures. The micro-service architecture has advantages such as independent scaling, isolated service logic, independent life cycle management and simple distributed development. However, it also has certain disadvantages: after an application is split into micro-services, the number of application components increases, so every micro-service can become an attack target and the attack surface of the application grows. If an intruder compromises one micro-service component (namely, a micro-service application component), all micro-service applications can be attacked, which silently increases the burden of enterprise security protection work; at that point, protecting only the network boundary of the application is no longer enough, and the inside of the network also needs to be protected.
In order to ensure the security of each micro-service application component in the container cloud platform, a conventional implementation scheme in the related art generally needs to modify the service code to perform operations such as access authorization verification; the process is complex and affects the normal operation of the container cloud platform.
Therefore, how to implement non-invasive secure access between micro-services and improve the security of a container cloud platform is a technical problem to be solved by those skilled in the art at present.
Disclosure of Invention
The application aims to provide an access request processing method, a container cloud platform, an electronic device and a storage medium, which can realize non-invasive secure access between micro-services and improve the security of the container cloud platform.
In order to solve the above technical problem, the present application provides an access request processing method applied to a container cloud platform, the access request processing method including:
determining an access authorization policy, where the access authorization policy is code that configures access rights between micro service components running on the container cloud platform;
bringing the access authorization policy into effect within the container cloud platform through a declarative API;
and performing access right verification on access requests sent between the micro service components using the access authorization policy, and executing the corresponding processing operation on each access request according to the access right verification result.
Optionally, performing access right verification on the access request sent between the micro service components using the access authorization policy, and executing the corresponding processing operation on the access request according to the access right verification result, includes:
if an access request sent by a first micro service component to a second micro service component is detected, hijacking the access request, where the first and second micro service components are micro service components running on the container cloud platform;
judging, using the access authorization policy, whether the first micro service component has the right to access the second micro service component;
if so, forwarding the access request to the second micro service component;
if not, returning an error message indicating no access right to the first micro service component.
Optionally, after returning the error message indicating no access right to the first micro service component, the method further includes:
updating the number of times that access requests from the first micro service component have been rejected;
and if the number of times that access requests from the first micro service component have been rejected is greater than a preset value, marking the first micro service component as an abnormal component.
Optionally, the access authorization policy includes a request source, a request action and a request condition;
correspondingly, judging, using the access authorization policy, whether the first micro service component has the right to access the second micro service component includes:
judging whether the access request sent by the first micro service component conforms to the access authorization policy;
if so, determining that the first micro service component has the right to access the second micro service component;
if not, determining that the first micro service component does not have the right to access the second micro service component.
Optionally, after marking the first micro service component as an abnormal component, the method further includes:
intercepting the information sent and received by the abnormal component, and performing attack detection on the abnormal component so as to judge, according to the attack detection result, whether the abnormal component has been attacked.
Optionally, determining the access authorization policy includes:
receiving authorization policy code issued by a user, and converting the authorization policy code into a preset format to obtain the access authorization policy.
Optionally, the method further includes:
if a policy adding instruction is received, determining a new access authorization policy according to the policy adding instruction, and bringing the new access authorization policy into effect in the container cloud platform through a declarative API;
and if a policy modification instruction is received, determining a target access authorization policy according to the policy modification instruction, and bringing the modified target access authorization policy into effect in the container cloud platform through a declarative API.
The application also provides a container cloud platform, which includes:
a policy determination module for determining an access authorization policy, where the access authorization policy is code that configures access rights between micro service components running on the container cloud platform;
a policy validation module for bringing the access authorization policy into effect within the container cloud platform through a declarative API;
and a policy execution module for performing access right verification on access requests sent between the micro service components using the access authorization policy, and executing the corresponding processing operation on each access request according to the access right verification result.
The present application also provides a storage medium having a computer program stored thereon which, when executed, implements the steps performed by the above access request processing method.
The application also provides an electronic device, which includes a memory and a processor, where the memory stores a computer program and the processor, when calling the computer program in the memory, implements the steps executed by the access request processing method.
The application provides an access request processing method applied to a container cloud platform, comprising the following steps: determining an access authorization policy, where the access authorization policy is code that configures access rights between micro service components running on the container cloud platform; bringing the access authorization policy into effect within the container cloud platform through a declarative API; and performing access right verification on access requests sent between the micro service components using the access authorization policy, and executing the corresponding processing operation on each access request according to the access right verification result.
The access authorization policy is determined and brought into effect within the container cloud platform through a declarative API. Because the access authorization policy is code that configures access rights among the micro service components, and it is brought into effect through the declarative API, the policy can be deployed in the container cloud platform without modifying the service code, and access authorization among the micro service components is decoupled from the specific services and implemented uniformly by the container cloud platform. According to the method and system, the access authorization policy is used to verify the access rights of access requests sent between the micro service components, so that non-invasive secure access between micro services can be realized and the security of the container cloud platform is improved. The application also provides a container cloud platform, a storage medium and an electronic device, which have the same beneficial effects and are not repeated here.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of an access request processing method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a deployment system for non-intrusive inter-micro-service access authorization policies on a container cloud according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a container cloud platform according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of an access request processing method according to an embodiment of the present disclosure.
The specific steps may include:
S101: determining an access authorization policy;
This embodiment can be applied to a container cloud platform on which a plurality of micro service components run. The access authorization policy determined in this step is code that configures access rights between the micro service components. The access authorization policy may cover the following three situations: (1) the micro service components can access each other; (2) the micro service components can only be accessed in one direction; (3) the micro service components cannot access each other.
The authorization policy may be issued by a user, and the process of determining the access authorization policy includes: receiving authorization policy code issued by the user, and converting the authorization policy code into a preset format to obtain the access authorization policy. That is, the present embodiment configures the access authorization policy between micro service components as policy, i.e. as code.
S102: bringing the access authorization policy into effect within the container cloud platform through a declarative API;
In this embodiment, the access authorization policy determined in S101 may be brought into effect in the container cloud platform through an Application Programming Interface (API). Specifically, the access authorization policy may be brought into effect at the control node of the container cloud platform through a declarative API; the control node receives the access requests sent by all the micro service components and determines, based on the policy in effect, whether each access is permitted.
S103: performing access right verification on access requests sent between the micro service components using the access authorization policy, and executing the corresponding processing operation on each access request according to the access right verification result.
Once the access authorization policy is in effect, this embodiment may intercept access requests sent between micro service components, so as to verify their access rights using the access authorization policy and execute the corresponding processing operation according to the verification result, for example allowing the access request to pass or refusing to let it pass.
Further, the access authorization policy in this embodiment includes a request source, a request action and a request condition; correspondingly, checking the access rights of an access request sent between micro service components using the access authorization policy includes the following steps: judging whether the request source, request action and request condition of the access request satisfy the access authorization policy; if so, judging that the micro service component has the access right; if not, judging that the micro service component does not have the access right. The request source is the identification (ID) of the micro service component sending the access request; the request action covers conditions such as the request URL, request method and request headers; and the request condition covers conditions specified by configuration (such as response time or whether response information is returned).
This embodiment determines an access authorization policy and brings it into effect in the container cloud platform through a declarative API. Because the access authorization policy is code that configures access rights among the micro service components, and it is brought into effect through the declarative API, the policy can be deployed in the container cloud platform without modifying the service code, and access authorization among the micro service components is decoupled from the specific services and implemented uniformly by the container cloud platform. In this embodiment the access authorization policy is used to verify the access rights of access requests sent between the micro service components, so non-invasive secure access between micro services can be realized and the security of the container cloud platform improved.
This embodiment may also support adding a new access authorization policy and modifying an existing one; the specific process is as follows: if a policy adding instruction is received, a new access authorization policy is determined according to the policy adding instruction and brought into effect in the container cloud platform through a declarative API; and if a policy modification instruction is received, a target access authorization policy is determined according to the policy modification instruction and the modified target access authorization policy is brought into effect in the container cloud platform through a declarative API. In this way, the access authorization policies of the container cloud platform can be flexibly added and modified.
The access request handling scheme of the above embodiment is further described below through the process in which a first micro service component in the container cloud platform wants to access a second micro service component:
if an access request sent by the first micro service component to the second micro service component is detected, the access request is hijacked, where the first and second micro service components are micro service components running on the container cloud platform; whether the first micro service component has the right to access the second micro service component is judged using the access authorization policy; if so, the access request is forwarded to the second micro service component; if not, an error message indicating no access right is returned to the first micro service component.
In this process the access request sent by the first micro service component to the second is intercepted, so it cannot reach the second micro service component directly: when the container cloud platform judges that the first micro service component has the right to access the second, the access request is forwarded to the second micro service component, and when it judges that the first micro service component does not have that right, an error message is returned to the first micro service component.
As a possible implementation, after the error message indicating no access right is returned to the first micro service component, the number of times that access requests from the first micro service component have been rejected can be updated; and if that number is greater than a preset value, the first micro service component is marked as an abnormal component. It can be understood that when the number of rejected access requests sent by the first micro service component exceeds the preset value, it indicates that the first micro service component is sending access requests to micro service components it has no right to access; at this time the first micro service component may have been hacked, so it may be marked as an abnormal component. Furthermore, after the first micro service component is marked as an abnormal component, the information sent and received by the abnormal component can be intercepted and attack detection performed on it, so that whether the abnormal component has been attacked can be judged according to the attack detection result.
As a possible implementation, the access authorization policy includes a request source, a request action and a request condition; judging, using the access authorization policy, whether the first micro service component has the right to access the second micro service component includes the following steps: judging whether the access request sent by the first micro service component conforms to the access authorization policy; if so, determining that the first micro service component has the right to access the second micro service component; if not, determining that it does not.
The flow described in the above embodiment is explained below through an embodiment in practical use.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a deployment system for non-intrusive inter-micro-service access authorization policies on a container cloud according to an embodiment of the present application; the system includes an access authorization policy control device, a request policy storage device and a policy implementation device. A user can flexibly configure access authorization policies among micro services through the container cloud platform, and access authorization among all micro service components is decoupled from the specific services and handed to the cloud platform to implement uniformly. Besides defining the specified target (mesh, namespace, workload) and action (allow or deny), the policy configuration provides rich policy matching rules: conditions such as source, target, path, request header and method can be set, and even custom matching conditions are supported, so the flexibility of the policy configuration can largely meet users' requirements.
The rule corresponding to an access authorization policy is composed of the following parts: (1) policy action: allow or deny; (2) request source: specifies the source of the request; if not set, all requests are allowed or denied; (3) request action: conditions including the request URL (Uniform Resource Locator), request method (POST, GET, etc.) and request headers; if not set, all requests are allowed or denied; (4) request condition: configures the specified request conditions; if not set, all requests are allowed or denied.
In the system, the micro service authorization access control function can be turned on, and the container cloud platform accordingly turns on micro service access control among the components of the micro services designated in the environment, so the security of east-west traffic among micro services in the network is ensured. A user configures a flexible micro service access authorization policy according to the specific services through a declarative API, i.e. as policy or code. When the components of a micro service call each other, the request is intercepted by the policy implementation device, and an access authorization judgement is made according to the issued policy to determine whether the request is forwarded. The user can also change an existing micro service access authorization policy at any time: the policy is updated in real time through the cloud platform, the access policy control device watches for the policy update, translates the policy into a configuration format the policy implementation device can recognize, and sends that configuration to the policy implementation device to execute, so the system ensures the security of the whole micro service system through flexible and fine-grained access authorization control.
The specific implementation process of the embodiment corresponding to fig. 2 is as follows: the administrator creates the access authorization policy code through the ApiServer; the monitoring device watches the access authorization policy code, translates it into an access authorization policy and sends the policy to the policy enforcement device. When a user accesses micro service component B from micro service component A, the policy implementation device hijacks the traffic and performs authorization verification on the access request sent by micro service component A; if the verification passes, the access request is forwarded to micro service component B for the call, and if it fails, an error is returned and the request exits.
When a user turns on an access authorization policy among micro services through the cloud platform, the cloud platform deploys the infrastructure related to the micro service access authorization policy, including the access policy control device, the policy execution device and the policy storage device, in the container cluster specified by the user, after which the user can configure flexible custom access authorization policies according to service requirements. After a user creates an access authorization policy through the cloud platform, the policy control device notices the creation of the new policy in real time through a watch mechanism, then translates the policy to generate and store a configuration the policy implementation device can recognize. When the policy implementation device is initialized, it asks the policy control device to pull all existing access request policies, and afterwards the policy control device also issues incremental configuration updates in real time, so the policy implementation device always enforces the latest policy control. The user can modify and update existing access authorization policies in real time through the cloud platform.
This embodiment supports flexible configuration of user-defined micro service security access policies; it supports creating and modifying access authorization policies in real time through a declarative API; and it realizes zero-intrusion access policy control without modifying service code. In this embodiment a user-defined micro service security access control policy is configured through the cloud platform, so as to ensure the security and controllability of the east-west traffic of all micro service applications running in the container cloud platform, and the embodiment mainly includes the following steps:
Step 1: when deploying or updating the micro service application components through the cloud platform, the user can choose to turn the user-defined access authorization policy on or off; at this point the cloud platform deploys the basic environment and control components corresponding to the access authorization policy, and then step 2 is executed.
Step 2: the user configures the access authorization policy among the micro services through checkboxes and the interface configuration, and then step 3 is executed.
Step 3: when the access policy control device detects the user's configuration, it translates the configured policy into a configuration the policy implementation device can recognize, stores and issues it, and then step 4 is executed.
Step 4: after the access control policy between the micro services takes effect, the policy implementation device proxies and forwards all requests between the micro services and performs request authorization identification and authentication; when a request conforms to the access control, step 5 is executed; if the request does not conform to the access request policy, step 6 is executed.
Step 5: the policy implementation device directly returns an unauthorized-request error message to the upstream micro service component, and the request exits.
Step 6: the policy implementation device proxies and forwards the request to the downstream micro service component, and the request continues downstream so that the downstream micro service component returns a result.
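The rule composition described above (policy action, request source, request action, request condition) and the hijack, forward-or-reject and rejection-count flow of the earlier embodiment, as an added Python example that is not part of the patent: a policy control device translates a declarative policy into rules, and an enforcement device decides on each intercepted request, returns an error to a caller without the right, and marks a caller abnormal once its rejections exceed a preset value. The component names, the layout of the policy dict and the default-deny behaviour for requests matching no rule are assumptions made for this example.

```python
"""Added example (not from the patent): access policy as code, translated into
rules and enforced by a proxy that hijacks inter-component requests."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    """One hijacked inter-component call as seen by the enforcement device."""
    source: str                 # ID of the calling micro service component
    target: str                 # ID of the component being called
    method: str                 # request method
    path: str                   # request URL path
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    """One translated policy entry; an empty field matches every request."""
    allow: bool                                            # policy action
    target: str                                            # protected component
    sources: List[str] = field(default_factory=list)       # request source
    methods: List[str] = field(default_factory=list)       # request action
    paths: List[str] = field(default_factory=list)         # URL prefixes
    headers: Dict[str, str] = field(default_factory=dict)  # required headers
    condition: Optional[Callable[[Request], bool]] = None  # request condition

    def matches(self, req: Request) -> bool:
        if req.target != self.target:
            return False
        if self.sources and req.source not in self.sources:
            return False
        if self.methods and req.method.upper() not in self.methods:
            return False
        if self.paths and not any(req.path.startswith(p) for p in self.paths):
            return False
        if any(req.headers.get(k) != v for k, v in self.headers.items()):
            return False
        return self.condition is None or self.condition(req)


def compile_policy(spec: dict) -> List[Rule]:
    """Policy control device: translate the user's declarative policy (a dict
    standing in for the stored API object) into rules the enforcer recognizes."""
    return [Rule(e["action"] == "ALLOW", e["target"], e.get("source", []),
                 [m.upper() for m in e.get("methods", [])], e.get("paths", []),
                 e.get("headers", {}), e.get("condition")) for e in spec["rules"]]


class Enforcer:
    """Policy implementation device: decides on each hijacked request, counts
    rejections per source and marks a source abnormal past the preset value."""
    def __init__(self, rules: List[Rule], threshold: int):
        self.rules, self.threshold = rules, threshold
        self.rejections: Dict[str, int] = defaultdict(int)
        self.abnormal: set = set()

    def decide(self, req: Request) -> bool:
        """DENY wins over ALLOW; no matching rule means deny (an assumption)."""
        allowed = False
        for rule in self.rules:
            if not rule.matches(req):
                continue
            if not rule.allow:
                return False
            allowed = True
        return allowed

    def handle(self, req: Request) -> Tuple[bool, str]:
        """Forward the request, or return an error to the caller and count it."""
        if self.decide(req):
            return True, f"forwarded {req.method} {req.path} to {req.target}"
        self.rejections[req.source] += 1
        if self.rejections[req.source] > self.threshold:
            self.abnormal.add(req.source)
        return False, f"403: {req.source} has no access right to {req.target}"


# Constructed sample policy: "orders" may read "inventory" stock paths when it
# sends an internal header; no component may reach "inventory" admin paths.
SAMPLE_POLICY = {"rules": [
    {"action": "ALLOW", "target": "inventory", "source": ["orders"],
     "methods": ["get"], "paths": ["/stock/"], "headers": {"x-internal": "1"}},
    {"action": "DENY", "target": "inventory", "paths": ["/admin/"]},
]}


def run_scenario(threshold: int = 2) -> dict:
    """Replay a constructed call sequence; "web" is rejected three times."""
    enf = Enforcer(compile_policy(SAMPLE_POLICY), threshold)
    calls = [
        Request("orders", "inventory", "GET", "/stock/42", {"x-internal": "1"}),
        Request("orders", "inventory", "POST", "/stock/42", {"x-internal": "1"}),
        Request("web", "inventory", "GET", "/stock/42", {"x-internal": "1"}),
        Request("web", "inventory", "GET", "/admin/reset"),
        Request("web", "inventory", "GET", "/stock/1"),
    ]
    forwarded = [enf.handle(c)[0] for c in calls]
    return {"forwarded": forwarded, "rejections": dict(enf.rejections),
            "abnormal": sorted(enf.abnormal)}


if __name__ == "__main__":
    print(run_scenario())
```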
In this embodiment a flexible user-defined micro-service security access policy is supported by way of a declarative API, that is, policy as code: user-defined security access policies can be configured for micro-service applications running on the container platform, which secures the application's north-south traffic and at the same time provides non-intrusive security access control over the east-west traffic inside the micro-service application. The embodiment thus provides a non-intrusive secure-access solution between micro-services that addresses encryption of traffic between micro-services, secure access control over east-west traffic, and access control policy configuration at the interface and method level, so that access to the application's data, endpoints, communication and platform is secured both inside and outside, and the security of the whole application system is ensured.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a container cloud platform according to an embodiment of the present disclosure. The container cloud platform comprises:
a policy determination module 301, configured to determine an access authorization policy, wherein the access authorization policy is code that configures access rights between micro-service components running on the container cloud platform;
a policy validation module 302, configured to bring the access authorization policy into effect within the container cloud platform through a declarative API;
and a policy enforcement module 303, configured to verify the access rights of access requests sent between the micro-service components using the access authorization policy, and to perform the corresponding processing operation on each access request according to the result of the access rights verification.
This embodiment determines an access authorization policy and brings it into effect in the container cloud platform through a declarative API. Because the access authorization policy is code that configures access rights between micro-service components, bringing it into effect through the declarative API deploys it in the container cloud platform without modifying service code: access authorization between micro-service components is decoupled from the individual services and implemented uniformly by the container cloud platform. The access authorization policy is then used to verify the access rights of every access request sent between micro-service components, so the embodiment achieves non-intrusive secure access between micro-services and improves the security of the container cloud platform. It offers a simpler, flexible and configurable way to create access policies between micro-services, controlling the east-west traffic inside the micro-service application through policy configuration and a declarative API. Conventional schemes must modify the service code to perform operations such as access authorization checks; this embodiment needs no change to the service code, achieves non-intrusive micro-service access control, and supports access authorization at the interface and method level.
Further, the policy enforcement module 303 comprises:
a request hijacking unit, configured to hijack an access request sent by a first micro-service component to a second micro-service component when such a request is detected, the first and second micro-service components being micro-service components running on the container cloud platform;
and a permission judging unit, configured to judge, using the access authorization policy, whether the first micro-service component has permission to access the second micro-service component; if so, to forward the access request to the second micro-service component; if not, to return no-access-permission error information to the first micro-service component.
Further, the policy enforcement module 303 also comprises:
an abnormal component marking unit, configured to update the count of rejected access requests of the first micro-service component after the no-access-permission error information has been returned to it, and to mark the first micro-service component as an abnormal component if that count exceeds a preset value.
Further, the access authorization policy comprises a request source, a request action and a request condition;
correspondingly, the permission judging unit is configured to judge whether the access request sent by the first micro-service component conforms to the access authorization policy; if so, to determine that the first micro-service component has permission to access the second micro-service component; if not, to determine that the first micro-service component does not have permission to access the second micro-service component.
Further, the policy enforcement module 303 also comprises:
a component detection unit, configured, after the first micro-service component has been marked as an abnormal component, to intercept the information sent and received by the abnormal component and to perform attack detection on it, so as to judge from the attack detection result whether the abnormal component has been attacked.
Further, the policy determination module 301 is configured to receive authorization policy code issued by a user and to convert the authorization policy code into a preset format to obtain the access authorization policy.
Further, the container cloud platform also comprises:
a policy adding module, configured, when a policy adding instruction is received, to determine a new access authorization policy according to the policy adding instruction and to bring the new access authorization policy into effect within the container cloud platform through the declarative API;
and a policy modification module, configured, when a policy modification instruction is received, to determine a target access authorization policy according to the policy modification instruction and to bring the modified target access authorization policy into effect within the container cloud platform through the declarative API.
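Step 3 above and the policy determination, adding and modification modules describe translating the user's policy into the enforcement device's own format and applying additions and changes through a declarative API. The following Python, added here as an illustration and not taken from the patent, shows one way to do that: translate() validates a user policy document and normalises it into a preset format, and PolicyStore.apply() treats the stored policy set as desired state, so the same call adds a new policy, modifies an existing one, or does nothing when the document is unchanged, while a generation counter tells the enforcement device when to reload. The document vocabulary (name, source, target, actions, paths, conditions), the PolicyError class and the sample policy are assumptions of the example.

```python
import json
from typing import Any, Dict, List

# Assumed vocabulary for user policy documents (this example's own, not the patent's).
ALLOWED_KEYS = {"name", "source", "target", "actions", "paths", "conditions"}
ALLOWED_ACTIONS = {"GET", "POST", "PUT", "PATCH", "DELETE"}


class PolicyError(ValueError):
    """Raised when a user-issued policy document is rejected before storage."""


def _norm_path(path: Any) -> str:
    """Interface prefixes are stored in one canonical form so the enforcer
    never compares a raw user string against a raw request path."""
    if not isinstance(path, str) or not path.startswith("/"):
        raise PolicyError(f"path must be absolute: {path!r}")
    if ".." in path.split("/") or "//" in path:
        raise PolicyError(f"path must not contain dot segments or empty segments: {path!r}")
    return path.rstrip("/") or "/"


def translate(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Policy determination module: validate one user policy document and
    convert it into the preset format that the enforcement device loads."""
    unknown = set(doc) - ALLOWED_KEYS
    if unknown:
        # Rejecting rather than ignoring: a misspelled "conditions" key would
        # otherwise silently drop the condition and widen the grant.
        raise PolicyError(f"unknown fields {sorted(unknown)}")
    for key in ("name", "source", "target"):
        if not isinstance(doc.get(key), str) or not doc[key]:
            raise PolicyError(f"{key} must be a non-empty string")
    if doc["source"] == "*":
        raise PolicyError("source must name a component, not '*'")
    actions = {str(a).upper() for a in doc.get("actions", [])}
    if not actions or not actions <= ALLOWED_ACTIONS:
        raise PolicyError(f"actions must be a non-empty subset of {sorted(ALLOWED_ACTIONS)}")
    paths = sorted({_norm_path(p) for p in doc.get("paths", ["/"])})
    conditions = doc.get("conditions", {})
    if not isinstance(conditions, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in conditions.items()
    ):
        raise PolicyError("conditions must map header names to expected values")
    return {
        "name": doc["name"],
        "source": doc["source"],
        "target": doc["target"],
        "actions": sorted(actions),
        "paths": paths,
        "conditions": {k.lower(): v for k, v in conditions.items()},
    }


class PolicyStore:
    """Policy validation, adding and modification modules: the stored set is the
    desired state, so apply() is idempotent and a modification is simply apply()
    with the same name and new content."""

    def __init__(self) -> None:
        self.policies: Dict[str, Dict[str, Any]] = {}
        self.generation = 0  # bumped on every effective change; the enforcer reloads when it moves

    def apply(self, doc: Dict[str, Any]) -> str:
        policy = translate(doc)
        name = policy["name"]
        if self.policies.get(name) == policy:
            return "unchanged"
        verb = "modified" if name in self.policies else "added"
        self.policies[name] = policy
        self.generation += 1
        return verb

    def delete(self, name: str) -> bool:
        if self.policies.pop(name, None) is None:
            return False
        self.generation += 1
        return True

    def issue(self) -> str:
        """Serialized configuration issued to the policy enforcement device."""
        return json.dumps(
            {"generation": self.generation, "rules": [self.policies[n] for n in sorted(self.policies)]},
            sort_keys=True,
        )


def demo() -> List[str]:
    """Applies a constructed policy document twice, modifies it, then submits a bad one."""
    store = PolicyStore()
    doc = {"name": "orders-to-payments", "source": "order-service", "target": "payment-service",
           "actions": ["post"], "paths": ["/api/v1/charges/"], "conditions": {"X-Tenant": "acme"}}
    results = [store.apply(doc), store.apply(doc)]      # "added", then "unchanged"
    doc["actions"] = ["POST", "GET"]
    results.append(store.apply(doc))                     # "modified"
    try:
        store.apply({**doc, "name": "bad", "actions": ["TRACE"]})
    except PolicyError:
        results.append("rejected")
    return results


if __name__ == "__main__":
    print(demo())
```

The validation step is where the checks that keep a declarative policy from silently widening access belong: unknown fields are rejected rather than ignored, a wildcard source is refused, header names in conditions are lower-cased, and paths are normalised before storage so the enforcer compares like with like. Because apply() returns "unchanged" for an identical document, a controller can re-apply the whole desired policy set on every reconcile loop without churning the enforcement device.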
Since the container cloud platform embodiment corresponds to the method embodiment, refer to the description of the method embodiment for details of the container cloud platform embodiment; they are not repeated here.
The present application also provides a storage medium having a computer program stored thereon, which when executed, may implement the steps provided by the above-described embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application further provides an electronic device, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the electronic device may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the container cloud platform disclosed in the embodiment, since the container cloud platform corresponds to the method disclosed in the embodiment, the description is simple, and the relevant points can be referred to the description of the method part. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. An access request processing method applied to a container cloud platform, comprising:
determining an access authorization policy, wherein the access authorization policy is code configuring access rights between micro-service components running on the container cloud platform;
bringing the access authorization policy into effect within the container cloud platform through a declarative API;
and verifying the access rights of access requests sent between the micro-service components using the access authorization policy, and performing a corresponding processing operation on each access request according to the result of the access rights verification.
2. The access request processing method according to claim 1, wherein verifying the access rights of access requests sent between the micro-service components using the access authorization policy and performing a corresponding processing operation on each access request according to the result of the access rights verification comprises:
if an access request sent by a first micro-service component to a second micro-service component is detected, hijacking the access request, wherein the first micro-service component and the second micro-service component are micro-service components running on the container cloud platform;
judging, using the access authorization policy, whether the first micro-service component has permission to access the second micro-service component;
if so, forwarding the access request to the second micro-service component;
if not, returning no-access-permission error information to the first micro-service component.
3. The method according to claim 2, wherein the access authorization policy comprises a request source, a request action and a request condition;
correspondingly, judging, using the access authorization policy, whether the first micro-service component has permission to access the second micro-service component comprises:
judging whether the access request sent by the first micro-service component conforms to the access authorization policy;
if so, determining that the first micro-service component has permission to access the second micro-service component;
if not, determining that the first micro-service component does not have permission to access the second micro-service component.
4. The access request processing method according to claim 2, further comprising, after returning the no-access-permission error information to the first micro-service component:
updating the count of rejected access requests of the first micro-service component;
and if the count of rejected access requests of the first micro-service component exceeds a preset value, marking the first micro-service component as an abnormal component.
5. The method according to claim 4, further comprising, after marking the first micro-service component as an abnormal component:
intercepting the information sent and received by the abnormal component and performing attack detection on the abnormal component, so as to judge from the attack detection result whether the abnormal component has been attacked.
6. The method according to claim 1, wherein determining the access authorization policy comprises:
receiving authorization policy code issued by a user, and converting the authorization policy code into a preset format to obtain the access authorization policy.
7. The method according to claim 1, further comprising:
if a policy adding instruction is received, determining a new access authorization policy according to the policy adding instruction, and bringing the new access authorization policy into effect within the container cloud platform through the declarative API;
and if a policy modification instruction is received, determining a target access authorization policy according to the policy modification instruction, and bringing the modified target access authorization policy into effect within the container cloud platform through the declarative API.
8. A container cloud platform, comprising:
a policy determination module, configured to determine an access authorization policy, wherein the access authorization policy is code configuring access rights between micro-service components running on the container cloud platform;
a policy validation module, configured to bring the access authorization policy into effect within the container cloud platform through a declarative API;
and a policy enforcement module, configured to verify the access rights of access requests sent between the micro-service components using the access authorization policy, and to perform a corresponding processing operation on each access request according to the result of the access rights verification.
9. An electronic device, comprising a memory storing a computer program and a processor, wherein the processor implements the steps of the access request processing method according to any one of claims 1 to 7 when it calls the computer program in the memory.
10. A storage medium having stored thereon computer-executable instructions which, when loaded and executed by a processor, implement the steps of the access request processing method according to any one of claims 1 to 7.
Priority Applications (1)

Application Number: CN202111004681.5A
Priority Date: 2021-08-30
Filing Date: 2021-08-30
Title: Access request processing method, container cloud platform, electronic device and storage medium
Status: Active; granted as CN113672901B (en)
Publications (2)

Publication Number | Publication Date
CN113672901A | 2021-11-19
CN113672901B | 2024-03-29

Family

ID=78547387
Country Status (1)

CN: CN113672901B (en)
Patent Citations (5)

(* cited by examiner, † cited by third party)

Publication number | Priority date | Publication date | Assignee | Title
CN109756448A * | 2017-11-02 | 2019-05-14 | 广东亿迅科技有限公司 | API gateway security management method and system based on micro-services
WO2021022792A1 * | 2019-08-02 | 2021-02-11 | 创新先进技术有限公司 | Authentication and service serving methods and apparatuses, and device
CN110781476A * | 2019-10-15 | 2020-02-11 | 南京南瑞信息通信科技有限公司 | Flexible micro-service security access control method and system
US20210250361A1 * | 2020-02-07 | 2021-08-12 | Microsoft Technology Licensing, Llc | Authentication and authorization across microservices
CN110995450A * | 2020-02-27 | 2020-04-10 | 中科星图股份有限公司 | Authentication and authorization method and system based on Kubernetes
Non-Patent Citations (1)

(* cited by examiner, † cited by third party)

刘一田; 林亭君; 刘士进: "柔性微服务安全访问控制框架" (Flexible micro-service security access control framework), 计算机系统应用 (Computer Systems & Applications), no. 10, 15 October 2018 *
Cited By (6)

(* cited by examiner, † cited by third party)

Publication number | Priority date | Publication date | Assignee | Title
CN114338133A * | 2021-12-24 | 2022-04-12 | 中国联合网络通信集团有限公司 | Application access system, method, communication device and storage medium
CN114338133B * | 2021-12-24 | 2023-07-07 | 中国联合网络通信集团有限公司 | Application access system, method, communication device and storage medium
CN114448668A * | 2021-12-24 | 2022-05-06 | 苏州浪潮智能科技有限公司 | Method and device for realizing cloud platform docking security service
CN114448668B * | 2021-12-24 | 2023-07-14 | 苏州浪潮智能科技有限公司 | Method and device for realizing cloud platform docking security service
CN114785612A * | 2022-05-10 | 2022-07-22 | 深信服科技股份有限公司 | Cloud platform management method, device, equipment and medium
WO2024131602A1 * | 2022-12-19 | 2024-06-27 | 抖音视界有限公司 | Data access control method, apparatus and device, and storage medium
Also Published As

Publication number Publication date
CN113672901B (en) 2024-03-29

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant