CN114070637B - Access control method, system, electronic equipment and storage medium based on attribute tag - Google Patents


Info

Publication number: CN114070637B
Application number: CN202111394831.8A
Authority: CN (China)
Other versions: CN114070637A
Original language: Chinese (zh)
Legal status: Active (granted)
Prior art keywords: computing node, packet information, container computing, data packet, pod
Inventors: 李玮, 王林
Assignee (current and original): Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/141 Network arrangements or protocols for supporting network services or applications; session management; setup of application sessions
    • G06F21/604 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting data; tools and structures for managing or administering access control systems

Abstract

The embodiments of the present application provide an access control method, system, electronic device and storage medium based on attribute tags, in the technical field of network security. The method comprises: acquiring data packet information of a connection request sent by a first container computing node to establish a connection with a second container computing node, the data packet information comprising a first attribute tag corresponding to a pod of the first container computing node; sending the data packet information to the corresponding agent through an NFQ redirection rule; extracting the first attribute tag from the data packet information; matching the inbound policy of the second container computing node using the first attribute tag; and establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy. The method achieves end-to-end identity identification between any two pods, simplifies the access control configuration flow and improves the efficiency with which users configure access control.

Description

Access control method, system, electronic equipment and storage medium based on attribute tag
Technical Field
The present application relates to the field of network security technologies, and in particular, to an access control method, system, electronic device, and storage medium based on attribute tags.
Background
Currently, virtualization technology has become a widely accepted way of server resource sharing that provides great flexibility to system administrators in building operating system instances on demand. Since Hypervisor virtualization technology still presents some performance and resource usage efficiency issues, a new type of virtualization technology, known as a container, has emerged to help address these issues.
In the prior art, conventional host firewalls are based on Iptables: which network segment is allowed to access the host, or which IP address or domain name the host is allowed to reach when it goes out, is decided on conventional five-tuple and IP information. This mode is inconvenient in a container environment because it involves many NAT address translations. When data leaves a computing node, source address translation is performed so that external communication uses the IP of the host; at the destination end, NAT destination address translation is performed before the packet is delivered to the container at the opposite end. Because communication is carried out through traditional IP addresses, when a data packet arrives at the destination end it cannot be determined which container or pod sent it, since the original source address has been replaced by the host address; therefore true end-to-end access control at container granularity cannot be achieved.
Disclosure of Invention
The embodiments of the present application aim to provide an access control method, system, electronic device and storage medium based on attribute tags, which achieve end-to-end identity identification between any two pods, simplify the access control configuration flow and improve the efficiency with which users configure access control.
In a first aspect, an embodiment of the present application provides an access control method based on an attribute tag, including:
acquiring data packet information of a connection request sent by a first container computing node to establish a connection with a second container computing node, wherein the data packet information comprises a first attribute tag corresponding to a pod of the first container computing node;
sending the data packet information to the corresponding agent through an NFQ redirection rule;
extracting the first attribute tag from the data packet information;
matching the inbound policy of the second container computing node using the first attribute tag;
and establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy.
In this implementation, the attribute tag of the container computing node is extracted and embedded in the data packet, so that the previous mode of establishing connections by IP address is replaced: the IP domain is converted into a tag domain, and the tags and attribute information of the container are used as the identification information for access control during security protection. The attribute-tag-based access control method can therefore achieve end-to-end identity identification between any two pods, simplify the access control configuration flow and improve the efficiency with which users configure access control.
Further, the step of establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy comprises:
acquiring response data packet information returned by the second container computing node, wherein the response data packet information comprises a second attribute tag corresponding to the pod of the second container computing node;
sending the response data packet information to a corresponding proxy terminal through the NFQ redirection rule;
extracting the second attribute tag according to the response data packet information;
and establishing access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy and the second attribute tag.
Further, the step of extracting the first attribute tag from the packet information includes:
extracting the first attribute tag via the agent, wherein the first attribute tag is matched with the process pid, the user tag and the process name of the first container computing node.
Further, the step of extracting the second attribute tag from the response packet information includes:
extracting the second attribute tag via the agent, wherein the second attribute tag is matched with the process pid, the user tag and the process name of the second container computing node.
In this implementation, the attribute tag of the container or pod is extracted by an agent, so that the process pid, the user tag, the process name and similar attributes of the container or pod are matched with the attribute tag, which realizes the attribute-tag-based access control method.
Further, before the step of obtaining the response packet information returned by the second container computing node, the method further includes:
assigning the second attribute tag to the pod of the second container computing node.
Further, before the step of obtaining the data packet information of the connection request sent by the first container computing node to the second container computing node, the method further includes:
assigning the first attribute tag to the pod of the first container computing node.
Further, after the step of obtaining the packet information of the connection request sent by the first container computing node to the second container computing node, the method further includes:
when the data packet information undergoes NFQ redirection, adding a Cgroup mark value to the data packet information through the kernel Cgroup.
In a second aspect, an embodiment of the present application provides an access control system based on attribute tags, including:
a first acquisition module for acquiring data packet information of a connection request sent by a first container computing node to establish a connection with a second container computing node, wherein the data packet information comprises a first attribute tag corresponding to the pod of the first container computing node;
a first redirection module for sending the data packet information to the corresponding agent through an NFQ redirection rule;
a first extraction module for extracting the first attribute tag from the data packet information;
a matching module for matching the inbound policy of the second container computing node using the first attribute tag;
and a connection establishment module for establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy.
Further, the system further comprises:
a second acquisition module for acquiring response data packet information returned by the second container computing node, wherein the response data packet information comprises a second attribute tag corresponding to the pod of the second container computing node;
a second redirection module for sending the response data packet information to the corresponding agent through the NFQ redirection rule;
a second extraction module for extracting the second attribute tag from the response data packet information;
wherein the connection establishment module is specifically configured to establish the access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy and the second attribute tag.
Further, the first extraction module is specifically configured to extract the first attribute tag via the agent, where the first attribute tag is matched with a process pid, a user tag and a process name of the first container computing node.
Further, the second extraction module is specifically configured to extract the second attribute tag via the agent, where the second attribute tag is matched with a process pid, a user tag and a process name of the second container computing node.
Further, the system also includes a first allocation module for assigning the first attribute tag to the pod of the first container computing node.
Further, the system also includes a second allocation module for assigning the second attribute tag to the pod of the second container computing node.
Further, the system further includes an adding module configured to add a Cgroup mark value to the packet information through the kernel Cgroup when the packet information undergoes NFQ redirection.
In a third aspect, an electronic device provided in an embodiment of the present application includes: a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any one of the first aspects when the computer program is executed.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having instructions stored thereon, which when executed on a computer, cause the computer to perform the method according to any of the first aspects.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer, causes the computer to perform the method according to any one of the first aspects.
Additional features and advantages of the disclosure will be set forth in the description which follows, or in part will be obvious from the description, or may be learned by practice of the techniques disclosed herein.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that these drawings illustrate only some embodiments of the present application and are not to be considered as limiting its scope; a person skilled in the art may obtain other related drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of an access control method based on attribute tags according to an embodiment of the present application;
Fig. 2 is a block diagram of a first container computing node according to an embodiment of the present application;
Fig. 3 is a flow chart of another access control method based on attribute tags according to an embodiment of the present application;
Fig. 4 is a schematic diagram of the packet information sending process during connection establishment according to an embodiment of the present application;
Fig. 5 is a schematic diagram of the response packet information sending process during connection establishment according to an embodiment of the present application;
Fig. 6 is a block diagram of an access control system based on attribute tags according to an embodiment of the present application;
Fig. 7 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
The embodiments of the present application provide an access control method, system, electronic device and storage medium based on attribute tags, applicable to access control between two pods in a container environment. The attribute tag of the container computing node is extracted and embedded in the data packet, so that the previous mode of establishing connections by IP address is replaced: the IP domain is converted into a tag domain, and the tags and attribute information of the container are used as the identification information for access control during security protection. The attribute-tag-based access control method can therefore achieve end-to-end identity identification between any two pods, simplify the access control configuration flow and improve the efficiency with which users configure access control.
Illustratively, container technology can be viewed as a lightweight form of virtualization: an application is packaged together with its required execution environment into a container image, so that it can run relatively independently directly on the host (a physical machine or a virtual machine). A container provides application isolation at the operating system layer, and many independent application runtime environments can run on one host kernel. Compared with traditional application testing and deployment, a container can be deployed without considering the compatibility of the application's runtime environment in advance; compared with a traditional virtual machine, a container runs on the host without an independent operating system kernel and achieves higher running efficiency and resource utilization.
With the continuous development of IT technology, the lightweight nature of containers has led to their wide use in cloud computing. Because containers are identification units of finer granularity, they do not have network properties comparable to traditional hardware devices or virtual machines, and security between containers is a major challenge. A container cluster offers several networking modes, such as bridged networks, MACVLAN and overlay networks, which respectively support container interconnection within one host, container interconnection across hosts and cluster-wide container networking; at the same time, containers share the operating system kernel with the host, which introduces security risks in container-to-host isolation and container-to-container isolation. Access control between containers cannot be ensured by configuring a traditional five-tuple access control policy: because of multiple NAT translations, IP addressing is very complex and access control is very difficult to implement.
In the attribute-tag-based access control method of the present application, access control based on the container identity tag relies on end-to-end identity interaction: after network communication is established, higher-level connection information is extracted, namely the logical relationship between containers rather than the network relationship. The IP and port allocation scheme of the network is irrelevant to the identity interaction of the container; the identity information is carried and transmitted in the transmitted content, and the identity interaction sits above the network information interaction. With identity interaction, traditional IP-domain access control is converted into a tag domain based on identity attributes: access control no longer depends on source, destination and port information, but rises to identifying the opposite-end container, and whether data sent by the opposite end is accepted is controlled by checking its identity tag.
Description of some technical terms relating to containers:
Namespace: to ensure resource isolation between container processes and avoid mutual interference, the Namespace mechanism of the Linux kernel provides the UTS, user, mount, network, PID and IPC namespaces, which isolate six kinds of resources: host names, user rights, file systems, networks, process numbers and inter-process communication. Isolation of the corresponding resources is achieved by calling the clone() function with the corresponding system call flags when creating the container process.
Cgroup: a container is allocated resources such as CPU, IO, memory and network in specific proportions by the Control group, abbreviated Cgroup, which limits and isolates the use of system resources by a group of processes. Management of each kind of resource is handled by a dedicated subsystem.
pod: the smallest unit that can be deployed and managed by Kubernetes. Each pod is a running instance of an application and can be understood as the smallest unit of access control; the containers within a pod share a network address and file system.
NFQ: an abbreviation for NFQUEUE, an Iptables and ip6tables target that delegates the packet decision to user-space software. For example, a rule with an NFQUEUE target requires that the decision on every matching packet be made by the user's security program. When a packet reaches an NFQUEUE target, it enters the queue with the number given by the --queue-num option. In other words, NFQ is a technique for redirecting traffic from the kernel.
Referring to Fig. 1 and Fig. 2, Fig. 1 is a schematic flow chart of an access control method based on attribute tags according to an embodiment of the present application, and Fig. 2 is a block diagram of a first container computing node according to an embodiment of the present application. The attribute-tag-based access control method comprises the following steps:
S100: acquiring data packet information of a connection request sent by the first container computing node to establish a connection with the second container computing node, wherein the data packet information comprises a first attribute tag corresponding to the pod of the first container computing node.
In an embodiment in which the connection is established using the TCP protocol, the technical principle is as follows: on the nodes at both ends of the communication (the first container computing node and the second container computing node), a security service container, the top agent (an existing product), is deployed. The top agent contains the tag control logic and advanced defense functions and manages the access control policies configured for the pods at both ends. The aim of this embodiment is to establish a communication connection from an application podA on one computing node to a database podB on another node; the access control policies of podA on the first container computing node and of podB on the second container computing node are configured in the form of tags.
It should be noted that in the attribute-tag-based access control method provided in the embodiment of the present application, the top agent is the execution body that performs the method; illustratively, a security service container top agent is deployed on the first container computing node and on the second container computing node respectively.
S200: sending the data packet information to the corresponding agent through the NFQ redirection rule.
Illustratively, before the access connection is established, podA on the first container computing node sends out packet information carrying the first attribute tag, and the NFQ of the underlying Iptables redirects it; that is, the packet information is redirected to the top agent on the second container computing node. As shown in Fig. 2, the Cgroup mark is the first attribute tag corresponding to podA of the first container computing node.
S300: extracting the first attribute tag from the data packet information.
Illustratively, the top agent on the second container computing node extracts the first attribute tag.
S400: matching the inbound policy of the second container computing node using the first attribute tag.
Illustratively, the top agent on the second container computing node matches the inbound policy of podB and thereby decides whether to reject the packet; if it is not rejected, the packet information is forwarded to podB.
S500: establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy.
In some embodiments, the attribute tag of the container computing node is extracted and embedded in the data packet, so that the previous mode of establishing connections by IP address is replaced: the IP domain is converted into a tag domain, and the tags and attribute information of the container are used as the identification information for access control during security protection. The attribute-tag-based access control method can therefore achieve end-to-end identity identification between any two pods, simplify the access control configuration flow and improve the efficiency with which users configure access control.
Referring to Fig. 3 to Fig. 5, Fig. 3 is a flow chart of another access control method based on attribute tags according to an embodiment of the present application, Fig. 4 is a schematic diagram of the packet information sending process during connection establishment according to an embodiment of the present application, and Fig. 5 is a schematic diagram of the response packet information sending process during connection establishment according to an embodiment of the present application.
Illustratively, S500, the step of establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy, comprises:
S510: acquiring response data packet information returned by the second container computing node, wherein the response data packet information comprises a second attribute tag corresponding to the pod of the second container computing node;
S520: sending the response data packet information to the corresponding agent through the NFQ redirection rule;
S530: extracting the second attribute tag from the response data packet information;
S540: establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy and the second attribute tag.
Illustratively, S300, the step of extracting the first attribute tag from the data packet information, comprises:
extracting the first attribute tag via the agent, wherein the first attribute tag is matched with the process pid, the user tag and the process name of the first container computing node.
Illustratively, S530, the step of extracting the second attribute tag from the response data packet information, comprises:
extracting the second attribute tag via the agent, wherein the second attribute tag is matched with the process pid, the user tag and the process name of the second container computing node.
Illustratively, the attribute tag of the container or pod is extracted by an agent, so that the process pid, the user tag, the process name and similar attributes of the container or pod are matched with the attribute tag, which realizes the attribute-tag-based access control method.
Illustratively, before S510, the step of acquiring the response data packet information returned by the second container computing node, the method further comprises:
assigning the second attribute tag to the pod of the second container computing node.
Illustratively, before S100, the step of acquiring the data packet information of the connection request sent by the first container computing node to the second container computing node, the method further comprises:
assigning the first attribute tag to the pod of the first container computing node.
Illustratively, at S110, after the step of acquiring the data packet information of the connection request sent by the first container computing node to the second container computing node, the method further comprises:
when the data packet information undergoes NFQ redirection, adding a Cgroup mark value to the data packet information through the kernel Cgroup; likewise, when the response packet information is redirected through NFQ, the Cgroup mark value is added to the response packet information through the kernel Cgroup as well.
Referring to Fig. 1 to Fig. 5, after the pod processes (podA and podB) distributed over the two computing nodes (the first container computing node and the second container computing node) are started, they are identified and discovered by the top agent on their node, and the top agent extracts the relevant attribute tags of the pod through a tag extractor, including information such as the process pid, the user tag (a label assigned by the user) and the process name. The top agent allocates a Cgroup mark (the first attribute tag or the second attribute tag) to the pod process on its node and issues a Cgroup policy to the kernel. The content of that policy is that the Cgroup mark value is written into the sub-directory for the process pid; the writing of the mark value is completed inside the Cgroup of the Linux kernel, that is, the kernel Cgroup is associated with the process in the specified way, so that traffic belonging to the pid of that process is stamped with the Cgroup mark. All data packets sent after the process is started are marked, and thus every data packet of that process carries the Cgroup mark; in other words, all packets of the podA process carry the first attribute tag, and all packets of the podB process carry the second attribute tag.
When a connection is established, podA sends out the data packet information carrying the first attribute tag, and the NFQ of the underlying Iptables redirects the data packet information (syn, synack, ack and so on) into the top agent. The top agent, as the security protection component, holds the access control policy and can perform the corresponding policy matching; at the same time, extraction of the pod's tag attribute information is completed in the top agent, which thereby matches the correspondence Cgroup mark - process pid - access control policy.
After the policy has been interpreted, the top agent adds the pod's tag attribute information to the data packet information in the form of a token and continues transmission, forming a data packet that carries identity tag information and realizing attribute-tag-based access control that does not depend on the IP address. When the two ends, podA and podB, communicate with each other, the outbound policy is matched against the tag and the inbound policy is matched against the tag respectively; this two-way tag verification is the basic principle of access control in the present application.
The method of the embodiment of this application is an end-to-end access control method in the field of network security. Access control is closely tied to the network environment, and changes in that environment impose new requirements on it. In a traditional environment the network is relatively static, and most network protection rules are based on static IP addresses and ports; the inside is trusted by default, the network boundary is clear, the access control mechanism is deployed at that boundary, and most network traffic passes through a gateway. In a container environment, however, containers are constantly created and destroyed and IP allocation changes frequently; with multiple applications deployed together the boundary is unclear, the internal communication relationships are extremely complex, and a security protection policy cannot be preset; the visibility of east-west traffic between containers is poor, and while the container platform's own network policy rules are generally used to detect and protect this otherwise invisible traffic, they cannot provide advanced layer-7 access control; and in the hybrid cloud mode there is no general technique for unified access control across cloud platforms, such as end-to-end unified access control from Alibaba Cloud to Tencent Cloud.
With reference to fig. 4 and 5, the specific data communication procedure in the embodiment of this application is as follows:
1) First, podA sends the data packet information of a connection establishment request to podB. The data packet information sent by podA is redirected to the top agent of the first container computing node through the NFQ redirection rule of the underlying iptables; the redirected data packet carries the Cgroup mark (first attribute tag) corresponding to the process pid of podA;
2) After the top agent of the first container computing node receives the data packet information, it looks up the related attribute information of the pod, such as the process pid, according to the first attribute tag and the pod attribute information previously synchronised into the node. The top agent of the first container computing node packages the attribute information of podA, in this example the user tag "app=web", as identity information, attaches it to the tail of the data packet information (syn) and resends the packet; that is, it constructs a data packet carrying the podA tag information;
3) After the data packet carrying the podA tag information (syn+token) reaches the opposite node (the second container computing node), the kernel's iptables rule redirects it through NFQ to the top agent of the second container computing node, which extracts the tag attribute "app=web" from the syn+token information;
4) The top agent of the second container computing node now matches the inbound policy of podB; the policy decides whether to reject the packet, and if it is not rejected the data packet continues on to podB;
5) After podB receives the syn packet it replies with a synack packet (the response data packet). The synack packet is redirected by NFQ to the top agent of the second container computing node, which adds the attribute information of podB, "app=db" in this example, as a token (token B) and sends it back;
6) After the first container computing node receives synack+token B, it redirects the packet to the top agent of the first container computing node, which extracts the tag information "app=db" from token B;
7) The top agent of the first container computing node now determines, according to the outbound policy of podA, whether podB is allowed, and blocks or releases the connection accordingly.
Therefore the data packet that passed the outbound judgement of podA is forwarded to the opposite end podB; no token is added after the connection is established, the secure access connection is set up, and podA and podB can communicate normally.
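The seven-step exchange above, as an added example that is not code from the patent: a Python simulation of the two-way tag verification in which the NFQ redirection and the top agents are replaced by direct function calls, and the token wire format, Cgroup mark values, pids and policies are assumptions made for the example.

```python
from dataclasses import dataclass, replace

# Assumed wire format (the patent only says the tag is attached to the packet tail
# "as a token"): a separator followed by the pod's user tag, e.g. b"app=web".
TOKEN_SEP = b"\x00TAG:"


@dataclass(frozen=True)
class Packet:
    flags: str           # "SYN", "SYN-ACK" or "DATA"
    cgroup_mark: int     # mark the kernel Cgroup stamps on every packet of the pod process
    payload: bytes = b""


@dataclass(frozen=True)
class Policy:
    inbound: frozenset   # peer user tags allowed to connect to this pod
    outbound: frozenset  # peer user tags this pod is allowed to connect to


class TopAgent:
    """Per-node top agent: resolves Cgroup marks to pod attributes and holds policies."""

    def __init__(self, name, pods, policies):
        self.name = name
        self.pods = pods            # Cgroup mark -> {"pid": int, "tag": str, "name": str}
        self.policies = policies    # user tag -> Policy

    def tag_for(self, pkt):
        """Steps 2 and 5: resolve the packet's Cgroup mark to the sending pod's user tag."""
        return self.pods[pkt.cgroup_mark]["tag"]

    def attach_token(self, pkt):
        """Append the sending pod's user tag to the packet tail as an identity token."""
        return replace(pkt, payload=pkt.payload + TOKEN_SEP + self.tag_for(pkt).encode())

    @staticmethod
    def extract_token(pkt):
        """Steps 3 and 6: strip the token; returns (clean packet, peer tag or None)."""
        body, sep, token = pkt.payload.rpartition(TOKEN_SEP)
        if not sep:                  # untagged packet: no identity to match
            return pkt, None
        return replace(pkt, payload=body), token.decode()

    def inbound_allowed(self, local_tag, peer_tag):
        """Step 4: inbound policy of the receiving pod. A missing tag never matches."""
        return peer_tag is not None and peer_tag in self.policies[local_tag].inbound

    def outbound_allowed(self, local_tag, peer_tag):
        """Step 7: outbound policy of the initiating pod."""
        return peer_tag is not None and peer_tag in self.policies[local_tag].outbound


def handshake(agent_a, mark_a, agent_b, mark_b):
    """Run steps 1) to 7): podA (mark_a on agent_a) connects to podB (mark_b on agent_b)."""
    tag_a = agent_a.pods[mark_a]["tag"]
    tag_b = agent_b.pods[mark_b]["tag"]
    # 1)-2): the SYN leaves podA, NFQ redirects it to agent A, which appends podA's token
    syn = agent_a.attach_token(Packet("SYN", mark_a))
    # 3)-4): agent B extracts the token and matches podB's inbound policy
    syn, peer = agent_b.extract_token(syn)
    if not agent_b.inbound_allowed(tag_b, peer):
        return {"state": "rejected_inbound", "by": agent_b.name, "peer_tag": peer}
    # 5): podB answers with SYN-ACK, agent B appends podB's token (token B)
    synack = agent_b.attach_token(Packet("SYN-ACK", mark_b))
    # 6)-7): agent A extracts token B and matches podA's outbound policy
    synack, peer = agent_a.extract_token(synack)
    if not agent_a.outbound_allowed(tag_a, peer):
        return {"state": "rejected_outbound", "by": agent_a.name, "peer_tag": peer}
    # once established, data packets are forwarded without any token being added
    data = Packet("DATA", mark_a, b"SELECT 1")
    return {"state": "established", "tags": (tag_a, tag_b),
            "clean_syn": syn.payload, "data_tagged": TOKEN_SEP in data.payload}


# Constructed sample deployment: podA (web) on node1, podB (db) on node2, and a
# batch pod on node3. Cgroup mark values and pids are made up for the example.
NODE1 = TopAgent("node1",
                 pods={0x100001: {"pid": 4242, "tag": "app=web", "name": "nginx"}},
                 policies={"app=web": Policy(inbound=frozenset({"app=batch"}),
                                             outbound=frozenset({"app=db"}))})
NODE2 = TopAgent("node2",
                 pods={0x100002: {"pid": 5151, "tag": "app=db", "name": "mysqld"}},
                 policies={"app=db": Policy(inbound=frozenset({"app=web"}),
                                            outbound=frozenset())})
NODE3 = TopAgent("node3",
                 pods={0x100003: {"pid": 6161, "tag": "app=batch", "name": "cron"}},
                 policies={"app=batch": Policy(inbound=frozenset(),
                                               outbound=frozenset({"app=db"}))})

if __name__ == "__main__":
    print(handshake(NODE1, 0x100001, NODE2, 0x100002))   # established
    print(handshake(NODE3, 0x100003, NODE2, 0x100002))   # rejected at step 4 (inbound)
    print(handshake(NODE3, 0x100003, NODE1, 0x100001))   # rejected at step 7 (outbound)
```

The third call shows why both checks are needed: the receiving pod's inbound policy accepts the batch tag, but the initiating pod's own outbound policy does not list the web tag, so the connection is still blocked.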
Therefore, the attribute-tag-based access control method provided by the embodiment of this application achieves the following effects:
1. End-to-end identity identification is introduced between any two pod processes, which simplifies the access control configuration flow and makes it more efficient for users to configure access control;
2. Access control based on the container identity tag is realised, so that the security policy is decoupled from network communication; the access control process does not need to involve communication information such as IP addresses, which reduces the security risk introduced by repeated IP translation table lookups;
3. Adding and removing the tag does not require modifying the kernel: the data packet is modified by collecting process information and adding the identity token, the whole access control process is controlled by the agent, the system is not changed, no new security risk is introduced, and the drawback of network security protection, where the underlying security protection component and the underlying system usually have to be fused and interact, is avoided.
Referring to fig. 6, fig. 6 is a block diagram of a structure of an access control system based on an attribute tag according to an embodiment of the present application, where the access control system based on an attribute tag includes:
a first obtaining module 100, configured to obtain, from a first container computing node, packet information of a connection request for establishing a connection with a second container computing node, where the packet information includes a first attribute tag corresponding to a pod of the first container computing node;
a first redirection module 200, configured to send the packet information to a corresponding proxy end through an NFQ redirection rule;
a first extracting module 300, configured to extract a first attribute tag according to the packet information;
a matching module 400 for matching inbound policies of the second container computing node with the first attribute tags;
a connection establishment module 500 for establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy.
Illustratively, the system further comprises:
the second acquisition module is used for acquiring response data packet information returned by the second container computing node, wherein the response data packet information comprises a second attribute tag corresponding to the pod of the second container computing node;
the second redirection module is used for sending the response data packet information to the corresponding proxy end through the NFQ redirection rule;
the second extraction module is used for extracting a second attribute tag according to the response data packet information;
the connection establishment module is specifically configured to establish an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy and the second attribute tag.
Illustratively, the first extracting module 300 is specifically configured to extract, in the form of an agent, a first attribute tag, where the first attribute tag matches a process pid, a user tag, and a process name of the first container computing node.
The second extraction module is specifically configured to extract, by using a proxy, a second attribute tag, where the second attribute tag matches a process pid, a user tag, and a process name of the second container computing node.
The attribute tag based access control system further comprises a first allocation module for allocating the first attribute tag to the pod of the first container computing node.
The attribute tag based access control system further comprises a second allocation module for allocating a second attribute tag to a pod of the second container computing node.
The attribute tag-based access control system further comprises an adding module, wherein the adding module is used for adding a Cgroup mark value to the data packet information through the kernel Cgroup when the data packet information is redirected by NFQ, and for adding the Cgroup mark value to the response data packet information through the kernel Cgroup when the response data packet information is redirected by NFQ.
The application further provides an electronic device, please refer to fig. 7, and fig. 7 is a block diagram of an electronic device according to an embodiment of the application. The electronic device may include a processor 510, a communication interface 520, a memory 530, and at least one communication bus 540. Wherein the communication bus 540 is used to enable direct connection communication for these components. The communication interface 520 of the electronic device in the embodiment of the present application is used for performing signaling or data communication with other node devices. Processor 510 may be an integrated circuit chip with signal processing capabilities.
The processor 510 may be a general-purpose processor, including a central processing unit (CPU, central Processing Unit), a network processor (NP, network Processor), etc.; but may also be a Digital Signal Processor (DSP), application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor 510 may be any conventional processor or the like.
The Memory 530 may be, but is not limited to, random access Memory (RAM, random Access Memory), read Only Memory (ROM), programmable Read Only Memory (PROM, programmable Read-Only Memory), erasable Read Only Memory (EPROM, erasable Programmable Read-Only Memory), electrically erasable Read Only Memory (EEPROM, electric Erasable Programmable Read-Only Memory), and the like. The memory 530 has stored therein computer readable instructions which, when executed by the processor 510, may cause an electronic device to perform the various steps described above in relation to the method embodiments of fig. 1-5.
Optionally, the electronic device may further include a storage controller, an input-output unit.
The memory 530, the memory controller, the processor 510, the peripheral interface, and the input/output unit are electrically connected directly or indirectly to each other, so as to realize data transmission or interaction. For example, the elements may be electrically coupled to each other via one or more communication buses 540. The processor 510 is configured to execute executable modules stored in the memory 530, such as software functional modules or computer programs included in the electronic device.
The input/output unit is used to let the user create a task and set an optional start period or a preset execution time for the task, so as to realise interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 7 is merely illustrative, and that the electronic device may also include more or fewer components than those shown in fig. 7, or have a different configuration than that shown in fig. 7. The components shown in fig. 7 may be implemented in hardware, software, or a combination thereof.
The embodiment of this application further provides a storage medium on which instructions are stored; when the instructions run on a computer, the processor executes the computer program to implement the method described in the method embodiment. To avoid repetition, it is not described again here.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (7)

1. An access control method based on attribute tags, comprising:
acquiring data packet information of a connection request established with a second container computing node and sent by a first container computing node, wherein the data packet information comprises a first attribute tag corresponding to a pod of the first container computing node;
sending the data packet information to a corresponding proxy terminal through an NFQ redirection rule;
extracting the first attribute tag according to the data packet information;
matching inbound policies of the second container computing node with the first attribute tag;
establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy;
the step of establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy comprises:
acquiring response data packet information returned by the second container computing node, wherein the response data packet information comprises a second attribute tag corresponding to the pod of the second container computing node;
sending the response data packet information to a corresponding proxy terminal through the NFQ redirection rule;
extracting the second attribute tag according to the response data packet information;
establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy and the second attribute tag;
the step of extracting the first attribute tag according to the data packet information includes:
extracting the first attribute tag in a proxy mode, wherein the first attribute tag is matched with a process pid, a user tag and a process name of the first container computing node;
the step of extracting the second attribute tag according to the response data packet information includes:
extracting the second attribute tag in the form of an agent, wherein the second attribute tag is matched with the process pid, the user tag and the process name of the second container computing node.
2. The attribute tag-based access control method of claim 1, further comprising, prior to the step of obtaining reply packet information returned by the second container computing node:
distributing the second attribute label to the pod of the second container computing node.
3. The access control method based on attribute tags according to claim 1, further comprising, before the step of obtaining the packet information of the connection request with the second container computing node sent by the first container computing node:
distributing the first attribute label to the pod of the first container computing node.
4. The access control method based on attribute tags according to claim 1, further comprising, after the step of obtaining the packet information of the connection request with the second container computing node sent by the first container computing node:
when the data packet information is redirected by NFQ, adding a Cgroup mark value to the data packet information through the kernel Cgroup.
5. An access control system based on attribute tags, comprising:
the first acquisition module is used for acquiring data packet information of a connection request established with a second container computing node and sent by a first container computing node, wherein the data packet information comprises a first attribute tag corresponding to the pod of the first container computing node;
the first redirection module is used for sending the data packet information to the corresponding proxy end through the NFQ redirection rule;
the first extraction module is used for extracting the first attribute tag according to the data packet information;
a matching module for matching inbound policies of the second container computing node with the first attribute tag;
a connection establishment module for establishing an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy;
the system further comprises:
the second acquisition module is used for acquiring response data packet information returned by the second container computing node, wherein the response data packet information comprises a second attribute tag corresponding to the pod of the second container computing node;
the second redirection module is used for sending the response data packet information to the corresponding proxy end through the NFQ redirection rule;
the second extraction module is used for extracting the second attribute tag according to the response data packet information;
the connection establishment module is specifically configured to establish an access connection between the pod of the first container computing node and the pod of the second container computing node according to the inbound policy and the second attribute tag;
the first extraction module is specifically configured to extract the first attribute tag in a proxy form, where the first attribute tag is matched with a process pid, a user tag, and a process name of the first container computing node;
the second extraction module is specifically configured to extract the second attribute tag in a proxy form, where the second attribute tag is matched with a process pid, a user tag, and a process name of the second container computing node.
6. An electronic device, comprising: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the attribute tag based access control method of any one of claims 1 to 4 when the computer program is executed.
7. A computer readable storage medium having instructions stored thereon which, when run on a computer, cause the computer to perform the attribute tag based access control method of any of claims 1 to 4.
CN202111394831.8A 2021-11-23 2021-11-23 Access control method, system, electronic equipment and storage medium based on attribute tag Active CN114070637B (en)


Publications (2)

Publication Number Publication Date
CN114070637A CN114070637A (en) 2022-02-18
CN114070637B true CN114070637B (en) 2024-01-23



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant