CN114070637A - Access control method and system based on attribute label, electronic device and storage medium - Google Patents


Info

Publication number
CN114070637A
Authority
CN
China
Prior art keywords
container
computing node
packet information
attribute
pod
Prior art date
Legal status
Granted
Application number
CN202111394831.8A
Other languages
Chinese (zh)
Other versions
CN114070637B (en)
Inventor
李玮
王林
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202111394831.8A
Publication of CN114070637A
Application granted
Publication of CN114070637B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems

Abstract

The embodiment of the application provides an access control method, system, electronic device and storage medium based on attribute tags, and relates to the technical field of network security. The method comprises the following steps: acquiring data packet information of a connection establishment request sent by a first container computing node to a second container computing node, wherein the data packet information comprises a first attribute label corresponding to a pod of the first container computing node; sending the data packet information to a corresponding agent end through an NFQ redirection rule; extracting the first attribute tag according to the data packet information; matching an inbound policy of the second container computing node by the first attribute tag; establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy. The method can introduce end-to-end identity identification between any two pods, simplify the access control configuration process and improve the efficiency with which users configure access control.

Description

Access control method and system based on attribute label, electronic device and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to an access control method and system based on an attribute tag, an electronic device, and a storage medium.
Background
Currently, virtualization technology has become a widely recognized way of sharing server resources, which can provide the system administrator with great flexibility in building an operating system instance on demand. Since hypervisor virtualization technology still has some performance and resource usage efficiency issues, a new type of virtualization technology called container has emerged to help solve these issues.
In the prior art, a traditional host firewall is based on Iptables: it decides which network segment is allowed to access the host, or which IP address or domain name the host is allowed to reach on outbound connections, and it works on the traditional five-tuple and IP information. This model is inconvenient in a container environment because of the many NAT address translations in the container scenario. When data leaves a computing node, source address translation is performed so that the external communication uses the host's IP as its source address; when the data arrives at the destination end, NAT destination address translation is performed and the data is then handed to the container on the opposite end. Since the communication is carried out through traditional IP addresses, this is inconvenient.
Disclosure of Invention
An object of the embodiments of the present application is to provide an access control method, system, electronic device and storage medium based on an attribute tag, which can introduce end-to-end identity identification between any two pods, simplify the access control configuration process, and improve the efficiency with which users configure access control.
In a first aspect, an embodiment of the present application provides an access control method based on an attribute tag, including:
acquiring data packet information of a connection establishment request sent by a first container computing node to a second container computing node, wherein the data packet information comprises a first attribute label corresponding to a pod of the first container computing node;
sending the data packet information to a corresponding agent end through an NFQ redirection rule;
extracting the first attribute tag according to the data packet information;
matching an inbound policy of the second container compute node by the first attribute tag;
establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy.
In the implementation process, the access control method is an attribute-label-based access control mode: by extracting the attribute label of the container computing node and embedding it in the data packet, the former practice of establishing connections by IP address is changed, the IP domain is converted into a label domain, and the relevant label and attribute information of the container are extracted as the identification information for access control during security protection; therefore, the access control method based on the attribute label can introduce end-to-end identity identification between any two pods, simplify the access control configuration process and improve the efficiency with which users configure access control.
Further, the step of establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy comprises:
acquiring response data packet information returned by the second container computing node, wherein the response data packet information comprises a second attribute label corresponding to the pod of the second container computing node;
sending the response data packet information to a corresponding agent end through the NFQ redirection rule;
extracting the second attribute tag according to the response data packet information;
establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy and the second attribute label.
Further, the step of extracting the first attribute tag according to the packet information includes:
extracting the first attribute label in a proxy (agent) mode, wherein the first attribute label is matched with the process pid, the user label and the process name of the first container computing node.
Further, the step of extracting the second attribute tag according to the response packet information includes:
extracting the second attribute label in a proxy (agent) mode, wherein the second attribute label is matched with the process pid, the user label and the process name of the second container computing node.
In the implementation process, the attribute label of the container or pod is extracted by an agent (proxy), and the process pid, user label, process name and the like of the container or pod are matched with the attribute label, so that the access control method based on the attribute label is implemented.
Further, before the step of obtaining the response packet information returned by the second container computing node, the method further includes:
assigning the second attribute label to the pod of the second container compute node.
Further, before the step of obtaining the packet information of the connection establishment request with the second container computation node sent by the first container computation node, the method further includes:
assigning the first attribute label to a pod of the first container compute node.
Further, after the step of obtaining the packet information of the connection establishment request with the second container computation node sent by the first container computation node, the method further includes:
when the data packet information is redirected by the NFQ, adding a Cgroup mark value to the data packet information through the kernel Cgroup.
In a second aspect, an embodiment of the present application provides an access control system based on an attribute tag, including:
a first obtaining module, configured to obtain data packet information of a connection establishment request sent by a first container computing node to a second container computing node, where the data packet information includes a first attribute tag corresponding to a pod of the first container computing node;
the first redirection module is used for sending the data packet information to a corresponding proxy end through an NFQ redirection rule;
the first extraction module is used for extracting the first attribute tag according to the data packet information;
a matching module to match an inbound policy of the second container compute node with the first attribute tag;
a connection establishing module, configured to establish an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy.
Further, the system further comprises:
a second obtaining module, configured to obtain response packet information returned by the second container computing node, where the response packet information includes a second attribute tag corresponding to a pod of the second container computing node;
the second redirection module is used for sending the response data packet information to a corresponding agent end through the NFQ redirection rule;
the second extraction module is used for extracting the second attribute tag according to the response data packet information;
the connection establishing module is specifically configured to establish an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy and the second attribute tag.
Further, the first extracting module is specifically configured to extract the first attribute tag in a proxy manner, where the first attribute tag is matched with the process pid, the user tag, and the process name of the first container computing node.
Further, the second extracting module is specifically configured to extract the second attribute tag in a proxy manner, where the second attribute tag is matched with the process pid, the user tag, and the process name of the second container computing node.
Further, the system also includes a first assignment module to assign the first attribute tag to a pod of the first container compute node.
Further, the system also includes a second assignment module to assign the second attribute label to a pod of the second container compute node.
Further, the system further comprises an adding module, wherein the adding module is used for adding a Cgroup mark value to the data packet information through a kernel Cgroup when the data packet information is subjected to NFQ redirection.
In a third aspect, an electronic device provided in an embodiment of the present application includes: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium having instructions stored thereon, which, when executed on a computer, cause the computer to perform the method according to any one of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer, causes the computer to perform the method according to any one of the first aspect.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the above-described techniques.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of an access control method based on an attribute tag according to an embodiment of the present application;
fig. 2 is a block diagram of a first container computing node according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of another access control method based on attribute tags according to an embodiment of the present application;
fig. 4 is a schematic diagram of a data packet information sending process in a connection establishment process according to an embodiment of the present application;
fig. 5 is a schematic diagram of a response packet information sending process in a connection establishment process according to an embodiment of the present application;
fig. 6 is a block diagram illustrating a structure of an access control system based on attribute tags according to an embodiment of the present application;
fig. 7 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
The embodiment of the application provides an access control method, system, electronic device and storage medium based on an attribute label, which can be applied to access control between two pods in a container environment. The access control method is an attribute-label-based access control mode: by extracting the attribute label of a container computing node and embedding it in the data packet, it changes the former practice of establishing connections by IP address, converts the IP domain into a label domain, and extracts the relevant label and attribute information of the container as the identification information for access control during security protection; therefore, the method can introduce end-to-end identity identification between any two pods, simplify the access control configuration process and improve the efficiency with which users configure access control.
Container technology can be regarded as a lightweight virtualization approach, packing applications and necessary execution environments into container images, so that applications can run relatively independently in a host (physical or virtual) directly. The container is used for application isolation at an operating system layer, and can run a plurality of independent application running environments on a host machine kernel. Compared with the traditional application test and deployment, the deployment of the container does not need to consider the compatibility problem of the running environment of the application in advance; compared with the traditional virtual machine, the container can run in the host machine without an independent operating system kernel, and higher running efficiency and resource utilization rate are realized.
With the continuous development of IT technology, the lightweight nature of containers has led to their wide use in cloud computing; since a container is a finer-grained identification unit and has no network attribute comparable to a traditional hardware device or a virtual machine, security between containers is undoubtedly a serious challenge. A container cluster provides multiple networking modes, such as bridge networks, MacVLAN (virtual local area network) and Overlay networks, which respectively implement container interconnection within one host, cross-host container interconnection and the container cluster network; meanwhile, the container and the host share an operating system kernel, which introduces security risks regarding isolation between container and host and between container and container. Access control between containers cannot be protected like the traditional five-tuple access control policy, and multiple NAT translations make IP addressing very complicated and access control very difficult to realize.
In the access control method based on the attribute label, access control based on the container identity label rests on end-to-end identity interaction: higher-level connection information, namely the logical relationship between containers, is extracted rather than the network relationship that exists after network communication is established. The IP and port allocation scheme in the network is irrelevant to the interaction of container identities; identity information is effectively embedded in the transmitted content and carried along with it, and the identity interaction takes place at a higher level than the network information. With identity interaction, traditional IP-domain access control is converted into the label domain based on identity attributes; access control no longer depends on source, destination and port information but is raised to identifying the container at the opposite end, and whether data sent by the opposite end is accepted is controlled by checking its identity label.
Some technical terms relating to containers are introduced:
namespace: in order to ensure the resource isolation among container processes and avoid mutual influence and interference, a Namespaces (naming space) mechanism of a Linux kernel provides naming spaces of UTS, User, Mount, Network, PID, IPC and the like to realize six resource isolation functions of host names, User authorities, file systems, networks, process numbers, inter-process communication and the like. The isolation of the corresponding resource content can be realized by calling a clone () function and introducing corresponding system call parameters to create a container process.
Cgroup: in the container, there are allocated resources such as CPU, IO, memory, network, etc. in a specific proportion, which is a Controller group, abbreviated as Cgroup, for limiting and isolating the use of system resources by a group of processes. The specific management of different resources is completed by the division of labor of each subsystem.
pod: refers to the smallest unit that can be deployed and managed by kubernets, each pod is a running instance of an application, which can be understood as the smallest unit of access control, where containers share network addresses and file systems.
NFQ: is an abbreviation for NFQUEUE, which is an Iptables and ip6tables target that delegates packet decisions to the user space software. For example, the following rules would require that all packets destined for a packet be subject to the user's security plan decision. When a packet reaches a NFQUEUE target, it enters the queue corresponding to the number given by the queue num option. Namely NFQ is a technique to implement traffic redirection in the kernel.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic flowchart of an access control method based on attribute tags according to an embodiment of the present application, and fig. 2 is a block diagram of a first container computation node according to an embodiment of the present application; the access control method based on the attribute tags comprises the following steps:
s100: and acquiring data packet information of a connection establishment request sent by the first container computing node and the second container computing node, wherein the data packet information comprises a first attribute label corresponding to the pod of the first container computing node.
In the embodiment of the application, the access control based on the attribute label, in the embodiment of establishing the connection by the TCP protocol, the technical principle is as follows: on nodes at two ends of communication (a first container computing node and a second container computing node), a security service container top agent (existing product) is deployed, and the top agent includes a label control logic and a high-level defense function, and is used for managing an access control policy configured by the pod at two ends. The purpose of this embodiment is to establish a communication connection from an application podA of one compute node to access a database podB of another node, and the access control policies of the podA on the first container compute node and the podB on the second container compute node are configured in the form of labels.
It should be noted that the access control method based on the attribute tag provided in the embodiment of the present application is described with a top agent as an execution subject; exemplarily, corresponding security service container top agents are configured in the first container computing node and the second container computing node, respectively.
S200: and sending the data packet information to a corresponding agent end through the NFQ redirection rule.
Illustratively, before establishing an access connection, the podA of the first container computing node sends out the packet information with the first attribute tag, and the redirection is implemented by the NFQ of the underlying Iptables, that is, the packet information is redirected to the top agent on the second container computing node. As shown in fig. 2, Cgroup mark is a first attribute tag corresponding to podA of the first container compute node.
S300: and extracting the first attribute label according to the data packet information.
Illustratively, the top agent in the second container compute node extracts the first attribute tag.
S400: the inbound policy of the second container compute node is matched by the first attribute tag.
Illustratively, the top agent in the second container computing node matches the inbound policy of podB, from which it decides whether to reject the packet information or, if it is allowed, to continue sending it to podB.
S500: an access connection between the pod of the first container computing node and the pod of the second container computing node is established according to the inbound policy.
In some embodiments, the access control method is an attribute-label-based access control mode: by extracting the attribute label of the container computing node and embedding it in the data packet, the former practice of establishing connections by IP address is changed, the IP domain is converted into a label domain, and the relevant label and attribute information of the container are extracted as the identification information for access control during security protection; therefore, the access control method based on the attribute label can introduce end-to-end identity identification between any two pods, simplify the access control configuration process and improve the efficiency with which users configure access control.
Referring to fig. 3 to fig. 5, fig. 3 is a schematic flowchart of another access control method based on an attribute tag according to an embodiment of the present application, fig. 4 is a schematic diagram of a data packet information sending process in a connection establishment process according to an embodiment of the present application, and fig. 5 is a schematic diagram of a response data packet information sending process in the connection establishment process according to an embodiment of the present application.
Exemplarily, S500: the step of establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy comprises:
s510: acquiring response data packet information returned by the second container computing node, wherein the response data packet information comprises a second attribute label corresponding to the pod of the second container computing node;
s520: sending the response data packet information to a corresponding agent end through an NFQ redirection rule;
s530: extracting a second attribute label according to the response data packet information;
s540: an access connection between the pod of the first container computing node and the pod of the second container computing node is established according to the inbound policy and the second attribute label.
Exemplarily, S300: the step of extracting the first attribute tag according to the data packet information comprises the following steps:
extracting a first attribute label in a proxy (agent) mode, wherein the first attribute label is matched with the process pid, the user label and the process name of the first container computing node.
Exemplarily, S530: the step of extracting the second attribute tag according to the response data packet information comprises the following steps:
extracting a second attribute label in a proxy (agent) mode, wherein the second attribute label is matched with the process pid, the user label and the process name of the second container computing node.
Illustratively, the attribute tag of the container or pod is extracted by an agent, so that the process pid, the user tag, the process name and the like of the container or pod are matched with the attribute tag, and the access control method based on the attribute tag is thus realized.
Exemplarily, S510: before the step of obtaining the reply packet information returned by the second container computation node, the method further includes:
assigning a second attribute label to the pod of the second container compute node.
Exemplarily, S100: before the step of obtaining the packet information of the connection establishment request with the second container computation node sent by the first container computation node, the method further comprises the following steps:
a first attribute label is assigned to the pod of the first container compute node.
Illustratively, at S110: after the step of obtaining the packet information of the connection establishment request with the second container computation node sent by the first container computation node, the method further includes:
when the data packet information is redirected by NFQ, adding a Cgroup mark value to the data packet information through a core Cgroup; in contrast, when the reply packet information is redirected by the NFQ, a Cgroup mark value is also added to the reply packet information by the kernel Cgroup.
With reference to fig. 1 to 5, in the attribute-tag-based access control method provided in the embodiment of the present application, the pod processes (podA and podB) distributed over two computing nodes (a first container computing node and a second container computing node) are, after starting, identified and discovered by the top agent on the same node. The top agent extracts the relevant attribute tags of the pod through a tag extractor, including information such as the process pid, the user tag (a tag given by the user) and the process name. The top agent allocates a Cgroup mark (the first attribute label or the second attribute label) to the pod process on its node and issues a Cgroup policy to the kernel; the policy requires that the Cgroup mark value be written into the subdirectory of that process pid. Writing the mark value is done in the Cgroup of the Linux kernel, that is, the kernel Cgroup is explicitly associated with the process, so that all traffic belonging to that process pid is stamped with the Cgroup mark from the moment the process starts. In other words, all packets sent by the podA process carry the first attribute label, and all packets sent by the podB process carry the second attribute label.
When a connection is established, podA sends out packet information carrying the first attribute label. Redirection is implemented through NFQ at the bottom of Iptables: the packet information (syn, syn ack, ack and so on) is redirected into the top agent. The top agent acts as the security protection component, holds the access control policy and performs the corresponding policy matching; the extraction of the pod tag attribute information is also completed in the top agent, so the correspondence Cgroup mark - process pid - access control policy is matched there.
After the policy interpretation is finished, the top agent adds the tag attribute information of the pod to the packet information in the form of a token and passes the packet on, forming a packet that carries identity tag information, so that access control based on attribute tags and independent of the IP address is implemented. When podA and podB communicate with each other, outbound policy and tag matching and inbound policy and tag matching are performed at the two ends respectively; this bidirectional tag verification is the basic principle of access control in the present application.
The method in the embodiment of the present application is a method for end-to-end access control in the technical field of network security. Access control is closely tied to the network environment, and changes in the network environment impose new requirements on it. In a traditional environment the network is relatively static, and most network protection rules are based on static IP addresses and ports; the interior is trusted by default, the network boundary is clear, the access control mechanism is deployed at the network boundary, and most network traffic passes through a gateway. In a container environment, however, containers are constantly created and destroyed and IP allocation changes frequently; multiple applications are deployed together, the boundary is unclear, the internal communication relationships are extremely complex, and a security protection policy cannot be preset; the visibility of east-west traffic between containers is poor, and although the network policy rules of the container platform are generally used to detect and protect this otherwise invisible traffic, they cannot provide layer-7 access control; and in a hybrid cloud there is no general technology for a uniform access control method across cloud platforms, for example end-to-end uniform access control from Alibaba Cloud to Tencent Cloud.
With reference to fig. 4 and 5, the specific data communication process of the embodiment of the present application is as follows:
1) first, podA sends the packet information of a connection establishment request to podB; the packet information sent by podA is redirected to the top agent of the first container computing node through the NFQ redirection rule at the bottom of Iptables, and the redirected packet carries the Cgroup mark (the first attribute label) corresponding to the process pid of podA;
2) after the top agent of the first container computing node receives the packet information, it looks up the related attribute information of podA, such as the process pid, from the first attribute label and the pod attribute information previously synchronized to the node. The top agent of the first container computing node packs the attribute information of podA, in this example "app=web", as identity information, attaches it to the tail of the packet information (syn) and sends the packet out again, that is, it constructs a packet carrying the podA label information;
3) after the packet carrying the podA label information (syn + tokenA) reaches the peer node (the second container computing node), it is again redirected to the top agent of the second container computing node through NFQ by the Iptables rule in the kernel, and that top agent extracts the label attribute "app=web" from the syn + tokenA information;
4) the top agent of the second container computing node now matches the extracted label against the inbound policy of podB and decides accordingly whether to refuse; if the inbound policy of podB is passed, the packet continues to be sent to podB;
5) after receiving the syn packet, podB replies with a syn ack packet (the response packet), which is also redirected to the top agent of the second container computing node by NFQ; at this point the attribute information of podB, "app=db" in this example, is added to the syn ack packet as token B and sent back;
6) after the first container computing node receives syn ack + token B, the packet is redirected to the top agent of the first container computing node, which extracts the label information "app=db" from token B;
7) the top agent of the first container computing node now judges according to the policy whether the outbound policy of podA allows access to podB, and blocks or releases the packet accordingly.
After the outbound judgment of podA, the packet continues to be sent to podB at the peer; once the connection is established, no token is added any more, the secure access connection already exists, and podA and podB can communicate normally.
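The seven steps above, and the Cgroup mark - process pid - access control policy correspondence described earlier, as an added simulation in Python. This is example code written for this page, not the patent's implementation: the pods, policies and packets are constructed in-process, and no iptables, NFQUEUE or cgroup calls are made. The token trailer format (label body, 2-byte length, magic suffix), the TopAgent/Packet/Pod names, the policy selector semantics and the extra pods podC and podD are all assumptions; the page describes neither a wire format nor any integrity protection for the token, and this simulation adds none.

```python
from dataclasses import dataclass

TOKEN_MAGIC = b"\x00TOK"  # hypothetical trailer marker; the page gives no wire format

@dataclass
class Pod:
    name: str
    pid: int
    cgroup_mark: int  # attribute label value the agent assigned to this pid
    labels: dict      # e.g. {"app": "web"}

@dataclass
class Packet:
    kind: str         # "SYN", "SYN-ACK", ...
    src: str
    dst: str
    mark: int         # Cgroup mark the kernel stamped on the packet
    payload: bytes = b""

def encode_token(labels: dict) -> bytes:
    """Serialise labels as a trailer: body, 2-byte big-endian length, magic."""
    body = ";".join(f"{k}={v}" for k, v in sorted(labels.items())).encode()
    return body + len(body).to_bytes(2, "big") + TOKEN_MAGIC

def split_token(payload: bytes):
    """Return (payload without trailer, labels), or (payload, None) if no valid trailer."""
    if not payload.endswith(TOKEN_MAGIC):
        return payload, None
    head = payload[:-len(TOKEN_MAGIC)]
    if len(head) < 2:
        return payload, None
    n = int.from_bytes(head[-2:], "big")
    body, rest = head[-2 - n:-2], head[:-2 - n]
    if len(body) != n:
        return payload, None
    labels = dict(item.split("=", 1) for item in body.decode().split(";") if item)
    return rest, labels

def selector_matches(selector: dict, labels: dict) -> bool:
    """A selector matches when every key/value it names is present in the peer labels."""
    return all(labels.get(k) == v for k, v in selector.items())

class TopAgent:
    """Per-node agent (assumed name): owns the local mark->pod table and the node's policies."""
    def __init__(self, inbound: dict, outbound: dict):
        self.by_mark, self.by_name = {}, {}
        self.inbound = inbound    # local pod name -> selectors of peers allowed in
        self.outbound = outbound  # local pod name -> selectors of peers allowed out

    def register(self, pod: Pod) -> None:
        self.by_mark[pod.cgroup_mark] = pod
        self.by_name[pod.name] = pod
    def attach_token(self, pkt: Packet) -> Packet:
        """Queued outgoing SYN/SYN-ACK: resolve mark -> pod and append its labels as a token."""
        pod = self.by_mark[pkt.mark]
        return Packet(pkt.kind, pkt.src, pkt.dst, pkt.mark, pkt.payload + encode_token(pod.labels))

    def _decide(self, table: dict, pkt: Packet):
        _, peer = split_token(pkt.payload)
        if peer is None:          # no token at all: nothing to match, deny
            return False, None
        return any(selector_matches(s, peer) for s in table.get(pkt.dst, [])), peer

    def admit_inbound(self, syn: Packet):   # receiving node: tokenA vs dst's inbound policy
        ok, peer = self._decide(self.inbound, syn)
        return ok, peer, ("inbound allow" if ok else "inbound deny")
    def admit_outbound(self, syn_ack: Packet):   # sending node: tokenB vs src's outbound policy
        ok, peer = self._decide(self.outbound, syn_ack)
        return ok, peer, ("outbound allow" if ok else "outbound deny")

def connect(agent_a: TopAgent, agent_b: TopAgent, src: str, dst: str) -> list:
    """Run the seven steps for src (on agent_a) -> dst (on agent_b); return the decision trace."""
    pod_a, pod_b = agent_a.by_name[src], agent_b.by_name[dst]
    trace = []
    # 1-2: src's SYN is queued to agent A, which appends tokenA
    syn = agent_a.attach_token(Packet("SYN", src, dst, pod_a.cgroup_mark))
    trace.append(("syn+tokenA", split_token(syn.payload)[1]))
    # 3-4: agent B extracts tokenA and matches dst's inbound policy
    ok, _, why = agent_b.admit_inbound(syn)
    trace.append((why, ok))
    if not ok:
        return trace
    # 5: dst's SYN-ACK is queued to agent B, which appends tokenB
    syn_ack = agent_b.attach_token(Packet("SYN-ACK", dst, src, pod_b.cgroup_mark))
    trace.append(("syn-ack+tokenB", split_token(syn_ack.payload)[1]))
    # 6-7: agent A extracts tokenB and matches src's outbound policy
    ok, _, why = agent_a.admit_outbound(syn_ack)
    trace.append((why, ok))
    if ok:
        trace.append(("established", True))  # later packets carry no token
    return trace

def build_demo():
    """Constructed scenario: podA (web), podC (job) on node 1; podB (db), podD (cache) on node 2."""
    node1 = TopAgent(inbound={}, outbound={"podA": [{"app": "db"}], "podC": [{"app": "db"}]})
    node2 = TopAgent(inbound={"podB": [{"app": "web"}], "podD": [{"app": "web"}]}, outbound={})
    node1.register(Pod("podA", 4101, 0x11, {"app": "web"}))
    node1.register(Pod("podC", 4102, 0x12, {"app": "job"}))
    node2.register(Pod("podB", 5201, 0x21, {"app": "db"}))
    node2.register(Pod("podD", 5202, 0x22, {"app": "cache"}))
    return node1, node2
```

`connect(node1, node2, "podA", "podB")` reproduces the page's case (inbound allow at podB, outbound allow at podA, connection established); `connect(node1, node2, "podC", "podB")` stops at the inbound check because podB only admits app=web; `connect(node1, node2, "podA", "podD")` passes the inbound check but is blocked by podA's outbound policy, which is the second half of the bidirectional verification. In a real deployment the packets would arrive from an NFQUEUE verdict loop and the mark from the kernel's cgroup match; note that the token as described on the page is plain text that any process able to craft packets could supply, so the mark-to-pid binding in the kernel is what the scheme relies on.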
Therefore, the attribute-tag-based access control method provided in the embodiment of the present application achieves the following effects:
1. end-to-end identity recognition is introduced between any two pod processes, which simplifies the access control configuration process and improves the efficiency with which users configure access control;
2. access control based on the container identity label is implemented, the security policy is decoupled from network communication, the access control process does not need to involve communication information such as IP addresses, and the security risk caused by repeated IP translation table lookups is reduced;
3. adding and removing the label does not require modifying the kernel; instead, the packet is modified and the identity token is added on the basis of the collected process information. The whole access control process is implemented under the control of the agent, the system itself is not changed, no new security risk is introduced, and the drawback that in network security protection the underlying protection component often has to be fused and interact with the underlying system is avoided.
Referring to fig. 6, fig. 6 is a block diagram of a structure of an access control system based on an attribute tag according to an embodiment of the present application, where the access control system based on an attribute tag includes:
a first obtaining module 100, configured to obtain packet information of a request for establishing a connection with a second container computing node, where the packet information includes a first attribute tag corresponding to a pod of the first container computing node;
a first redirection module 200, configured to send the packet information to the corresponding agent end through an NFQ redirection rule;
a first extracting module 300, configured to extract the first attribute tag from the packet information;
a matching module 400, configured to match the inbound policy of the second container computing node by the first attribute tag;
a connection establishing module 500, configured to establish an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy.
Illustratively, the system further comprises:
a second obtaining module, configured to obtain response packet information returned by the second container computing node, where the response packet information includes a second attribute tag corresponding to the pod of the second container computing node;
a second redirection module, configured to send the response packet information to the corresponding agent end through the NFQ redirection rule;
a second extracting module, configured to extract the second attribute tag from the response packet information;
the connection establishing module is specifically configured to establish the access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy and the second attribute tag.
Illustratively, the first extracting module 300 is specifically configured to extract the first attribute tag in proxy mode, where the first attribute tag is matched with the process pid, the user tag and the process name of the first container computing node.
Illustratively, the second extracting module is specifically configured to extract the second attribute tag in proxy mode, where the second attribute tag is matched with the process pid, the user tag and the process name of the second container computing node.
Illustratively, the attribute-tag-based access control system further comprises a first assigning module for assigning the first attribute tag to the pod of the first container computing node.
Illustratively, the attribute-tag-based access control system further comprises a second assigning module for assigning the second attribute tag to the pod of the second container computing node.
Illustratively, the attribute-tag-based access control system further comprises an adding module, configured to add a Cgroup mark value to the packet information through the kernel Cgroup when the packet information is redirected by NFQ, and to add a Cgroup mark value to the response packet information through the kernel Cgroup when the response packet information is redirected by NFQ.
Fig. 7 is a block diagram of an electronic device according to an embodiment of the present disclosure. The electronic device may include a processor 510, a communication interface 520, a memory 530, and at least one communication bus 540. The communication bus 540 is used for direct connection communication between these components. In this embodiment, the communication interface 520 of the electronic device is used for signaling or data communication with other node devices. The processor 510 may be an integrated circuit chip having signal processing capabilities.
The processor 510 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 510 may be any conventional processor or the like.
The memory 530 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM) and the like. The memory 530 stores computer-readable instructions which, when executed by the processor 510, enable the electronic device to perform the steps involved in the method embodiments of fig. 1 to 5.
Optionally, the electronic device may further include a memory controller and an input/output unit.
The memory 530, the memory controller, the processor 510, the peripheral interface and the input/output unit are electrically connected to each other directly or indirectly so as to implement data transmission or interaction. For example, these elements may be electrically coupled to each other via one or more communication buses 540. The processor 510 is used to execute executable modules stored in the memory 530, such as software functional modules or computer programs included in the electronic device.
The input/output unit is used to let a user create a task and start it, optionally within a time period or at a preset execution time, so as to implement interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard and the like.
It will be appreciated that the configuration shown in fig. 7 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 7 or have a different configuration than shown in fig. 7. The components shown in fig. 7 may be implemented in hardware, software, or a combination thereof.
The embodiment of the present application further provides a storage medium storing instructions which, when executed by a processor, implement the method of the method embodiments; to avoid repetition, details are not repeated here.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. An access control method based on attribute tags, comprising:
acquiring packet information of a connection establishment request sent by a first container computing node to a second container computing node, wherein the packet information comprises a first attribute tag corresponding to a pod of the first container computing node;
sending the packet information to a corresponding agent end through an NFQ redirection rule;
extracting the first attribute tag according to the packet information;
matching an inbound policy of the second container computing node by the first attribute tag;
establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy.
2. The method according to claim 1, wherein the step of establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy comprises:
acquiring response data packet information returned by the second container computing node, wherein the response data packet information comprises a second attribute label corresponding to the pod of the second container computing node;
sending the response packet information to a corresponding agent end through the NFQ redirection rule;
extracting the second attribute tag according to the response data packet information;
establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy and the second attribute label.
3. The method according to claim 2, wherein the step of extracting the first attribute tag according to the packet information comprises:
and extracting the first attribute label in a proxy mode, wherein the first attribute label is matched with the process pid, the user label and the process name of the first container computing node.
4. The method according to claim 2, wherein the step of extracting the second attribute tag according to the response packet information comprises:
and extracting the second attribute label in a proxy mode, wherein the second attribute label is matched with the process pid, the user label and the process name of the second container computing node.
5. The method according to claim 2, further comprising, before the step of obtaining the response packet information returned by the second container computing node:
assigning the second attribute label to the pod of the second container compute node.
6. The method according to claim 1, further comprising, before the step of obtaining packet information of a connection establishment request with a second container computation node sent by a first container computation node, the following steps:
assigning the first attribute label to a pod of the first container compute node.
7. The method according to claim 1, further comprising, after the step of obtaining packet information of a connection establishment request with a second container computation node sent by a first container computation node, the following steps:
when the packet information is redirected by the NFQ, adding a Cgroup mark value to the packet information through the kernel Cgroup.
8. An access control system based on attribute tags, comprising:
a first obtaining module, configured to obtain packet information of a request for establishing a connection with a second container computing node, where the packet information includes a first attribute tag corresponding to a pod of a first container computing node;
a first redirection module, configured to send the packet information to a corresponding agent end through an NFQ redirection rule;
the first extraction module is used for extracting the first attribute tag according to the data packet information;
a matching module to match an inbound policy of the second container compute node with the first attribute tag;
a connection establishing module, configured to establish an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy.
9. An electronic device, comprising: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the attribute tag based access control method according to any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium having stored thereon instructions which, when run on a computer, cause the computer to perform the method of attribute tag-based access control of any of claims 1 to 7.
CN202111394831.8A 2021-11-23 2021-11-23 Access control method, system, electronic equipment and storage medium based on attribute tag Active CN114070637B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111394831.8A CN114070637B (en) 2021-11-23 2021-11-23 Access control method, system, electronic equipment and storage medium based on attribute tag

Publications (2)

Publication Number Publication Date
CN114070637A true CN114070637A (en) 2022-02-18
CN114070637B CN114070637B (en) 2024-01-23

Family

ID=80279424

Country Status (1)

Country Link
CN (1) CN114070637B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115242856A (en) * 2022-06-15 2022-10-25 飞诺门阵(北京)科技有限公司 Cluster reconstruction method and system

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109522751A (en) * 2018-12-17 2019-03-26 泰康保险集团股份有限公司 Access right control method, device, electronic equipment and computer-readable medium
CN109857577A (en) * 2019-01-28 2019-06-07 北京三快在线科技有限公司 Access control method, device, medium and electronic equipment
CN110022294A (en) * 2019-02-27 2019-07-16 广州虎牙信息科技有限公司 A kind of proxy server, Docker system and its right management method, storage medium
CN110392053A (en) * 2019-07-22 2019-10-29 中国工商银行股份有限公司 Container access control method, device, client and server
CN110769075A (en) * 2018-07-25 2020-02-07 中国电信股份有限公司 Container communication method, system, controller and computer readable storage medium
CN111709023A (en) * 2020-06-16 2020-09-25 全球能源互联网研究院有限公司 Application isolation method and system based on trusted operating system
CN111709014A (en) * 2020-05-27 2020-09-25 浪潮电子信息产业股份有限公司 Application isolation method, system, equipment and computer readable storage medium
CN111726399A (en) * 2020-06-08 2020-09-29 中国工商银行股份有限公司 Docker container secure access method and device
CN111741010A (en) * 2020-07-16 2020-10-02 北京升鑫网络科技有限公司 Docker operation request processing method and device based on proxy and computing equipment
WO2021051933A1 (en) * 2019-09-20 2021-03-25 平安科技(深圳)有限公司 Container cloud platform-based available area construction method and apparatus, device and storage medium
CN113285885A (en) * 2021-07-23 2021-08-20 阿里云计算有限公司 Service grid-based edge flow control method, device and storage medium
CN113572838A (en) * 2021-07-22 2021-10-29 北京金山云网络技术有限公司 Network access method, device, equipment and medium based on Kubernetes

Also Published As

Publication number Publication date
CN114070637B (en) 2024-01-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant