CN114398612B - ICT virtual operation safety access control method based on micro-service - Google Patents


Info

Publication number
CN114398612B
Authority
CN
China
Prior art keywords
service
certificate
micro
access
access control
Prior art date
Legal status
Active
Application number
CN202111489302.6A
Other languages
Chinese (zh)
Other versions
CN114398612A (en)
Inventor
杨超
胡博
陈明辉
田小蕾
王丽霞
郭孔明
赵景宏
李伟
雷振江
董世丹傑
金垒
刘冬
Current Assignee
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
State Grid Liaoning Electric Power Co Ltd
Great Power Science and Technology Co of State Grid Information and Telecommunication Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
State Grid Liaoning Electric Power Co Ltd
Great Power Science and Technology Co of State Grid Information and Telecommunication Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, State Grid Information and Telecommunication Co Ltd, State Grid Liaoning Electric Power Co Ltd, Great Power Science and Technology Co of State Grid Information and Telecommunication Co Ltd
Priority to CN202111489302.6A
Publication of CN114398612A
Application granted
Publication of CN114398612B
Status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/33: User authentication using certificates

Abstract

The invention provides a micro-service-based ICT virtual operation security access control method. The method comprises the following operation step: S1, after the connection between the micro-service architecture system and the power grid terminal is established, the access control micro-service unit grants or restricts the access capability of the power grid terminal. Using a micro-service architecture, a single application is developed as a group of small services, each running in its own process and communicating with the others through a lightweight mechanism; each service is built around a business capability and can be deployed independently by a fully automated deployment mechanism. This further improves the scalability of the system and the high availability of the authentication service when a large number of terminals access it and when, because of differing business scenarios, many terminals require different authentication and authorization policies.

Description

ICT virtual operation safety access control method based on micro-service
Technical Field
The invention relates to the field of power grid ICT, in particular to a micro-service-based ICT virtual operation security access control method.
Background
A smart grid built on new-generation information and communication technology can make energy production, storage, transmission and sharing intelligent. It is closely tied to the social economy, supports the future development of intelligent transport, smart communities and smart cities, acts as a public management and service platform for society, and represents an important direction for value innovation in the power industry. It integrates modern communication and information technology, automatic control technology, decision support technology and advanced power technology; it is informatized, automated and interactive; it adopts new ICT technologies such as cloud computing, big data, the Internet of Things and mobility; it flexibly connects and disconnects all kinds of power sources and power consumption facilities; it offers user-friendly interaction, intelligent response and system self-healing; and it thereby improves the safety, reliability and operating efficiency of the power system.
With the reform of the new power system and new technology breakthroughs, integrated energy service has emerged as a new form of energy service. Its essence is market-driven, multi-dimensional coordinated interaction propelled by digital technology, achieving multiple goals such as energy efficiency, energy security, service accuracy, ecological coordination and economy. The ICT virtual operation platform is the brain of integrated energy service, and the construction of the platform determines the operational success and economic benefit of the project. Using technologies such as big data and cloud computing, the smart energy platform provides intelligent analysis of user demand, load forecasting, equipment management, information management, distribution operation and maintenance, demand response and the like, and finally delivers an intelligent, optimized solution.
From the perspective of terminal access, the platform must support large-scale access by all kinds of intelligent terminals. In the prior art, in the power grid ICT virtual operation scenario, the existing terminal access authentication methods are unsatisfactory, when a large number of terminals access the platform, in system scalability, high availability of the authentication service, ease of service deployment and other respects such as the different authentication and authorization policies that different terminals require because of their different business scenarios. As a result the system failure rate tends to be high, which poses a great challenge to the security of the whole power grid.
Therefore, it is necessary to provide an ICT virtual operation security access control method based on micro services to solve the above technical problems.
Disclosure of Invention
The invention provides a micro-service-based ICT virtual operation security access control method, which solves the problems of poor system scalability and poor high availability of the authentication service when a large number of terminals are accessed.
In order to solve the technical problems, the ICT virtual operation security access control method based on the micro-service provided by the invention comprises the following operation steps:
S1. After the micro-service architecture system is connected to the power grid terminal, the access control micro-service unit performs access control on the power grid terminal's resources, granting or restricting the access capability of the power grid terminal. The access control micro-service unit applies several access control modes, including access control lists, capability lists, discretionary access control, mandatory access control and role-based access control. The micro-service architecture system comprises a micro-service gateway, a micro-service module and a security policy management module; the micro-service module is divided into a registration and discovery micro-service unit, a terminal authentication micro-service unit, an access control micro-service unit and other service units; and the security policy management module comprises a digital certificate management unit and an authorization management unit;
S2. When the power grid terminal makes an access request, the registration and discovery micro-service unit first registers the terminal's information and provides the terminal's address and other information, so that the service caller can subscribe to the service through the provided address and information; the registration and discovery micro-service unit then sends the service caller the relevant address list of the service, and the service caller locates the target service;
S3. After the service caller enters the power grid terminal, it is authenticated by the terminal authentication micro-service unit. If authentication passes, the service caller may access internal resources; otherwise it is not allowed to continue. The micro-service module controls the service being accessed, so that normal operation of the access service is ensured.
Preferably, in step S1, before the connection between the micro-service architecture system and the power grid terminal is established, authentication must first be performed: based on the digital certificate information embedded in the power grid terminal, public-key authentication technology is used so that the power grid terminal is identity-authenticated through an authentication server, and only after the micro-service architecture system has passed the power grid terminal's identity authentication can the connection with the power grid terminal be established.
Preferably, after the micro-service architecture system is built, the terminal authentication micro-service unit uses public-key authentication technology based on the digital certificate information embedded in the power grid terminal, so that the power grid terminal is identity-authenticated through an authentication server; after the micro-service architecture system has passed the power grid terminal's identity authentication, the connection with the power grid terminal can be established.
Preferably, the specific digital certificate authentication process of the terminal authentication micro-service unit is as follows:
a. Verify whether the issuer CA's public key correctly opens the issuer's digital signature in the client entity certificate; after exchange and transfer, the two certificates are unpacked to see whether they can be opened, and if they can be correctly opened, the result output is the user's public key;
b. Trace back through the certificate chain to the trusted root CA to verify whether the CA that issued the user entity certificate is an authoritative trusted CA. Certificate chain verification requires that every certificate in the path, from the end entity to the root certificate, is valid and correctly corresponds to the authoritative trusted CA that issued it;
c. Check whether the serial number of the signing entity in the entity certificate matches the serial number of the issuer certificate, to verify the authenticity of the certificate. The verification procedure is: the certificate serial number in the public-key identifier extension of the user entity certificate, i.e. the serial number of the issuing certificate, is compared with the certificate serial number in the CA certificate; the two must match, otherwise the certificate was not issued by a trusted Certification Authority (CA);
d. Validity period verification checks whether the date on which the user certificate is used is legitimate. Specifically: the validity period of the user entity certificate and the validity period of its private key must fall within the validity dates of the CA certificate, and no date in the user entity certificate's validity period may precede the start of the CA certificate's private key usage period; otherwise the certificate is unsafe;
e. The certificate revocation list query checks whether the user certificate has been revoked and issues the certificate revocation list; the CA publishes certificates in X.500 format to a certificate repository in real time through the LDAP standard protocol so that entities can query it openly at access time;
f. The certificate policy setting in the user entity certificate under the bridge CA system should be a list of certificate policies recognised by the CA, defined by a dedicated extension field that specifies the policies applicable to the user certificate. These policies should be explicitly specified in the CA's CPS, the object identifier is no more than 200 characters, and the user certificate cannot be used without a policy recognised by the CA;
g. Finally, the certificate of the certification authority's internal administrator issued by the CA is distinguished from the end user entity certificate, so that the end user entity certificate is conclusively confirmed and authentication is complete.
Preferably, in the access control list method of S1, each object is associated with an ACL that records the subjects allowed to access the object and the access operations they are allowed, which is equivalent to storing the access matrix by column; the ACL method makes it easy to list all subjects that can access an object and to revoke all subjects' access rights to that object. The capability list describes the access capabilities of subjects: in the CL method each subject is associated with a CL that lists all objects the subject is allowed to access and the corresponding access operations.
Preferably, in step S1, discretionary access control (DAC) is a control policy that, having confirmed the identity of the subject and the group to which it belongs, determines the access mode and defines access according to the visitor's identity and authorization. DAC allows a subject with control rights over an object to explicitly designate other subjects' access rights to that object, and allows a legitimate user to access the objects specified by the policy under the identity of the user or the user's group while preventing unauthorised users from accessing them.
Preferably, in step S1, mandatory access control determines whether a subject may access an object according to the security levels of the subject and the object; it is essentially rule-based, and each process, file and IPC object in the system is assigned a corresponding security attribute. Role-based access control introduces the concept of a role: access rights to objects are granted to roles rather than directly to users, roles are then assigned to users, and a user obtains access to objects through its roles; the RBAC model thus associates permissions with roles.
Preferably, the micro-service gateway shields the internal services from the outside and also performs rate limiting and fault tolerance, monitors logs, and reverse-maps external requests to specific internal micro-services.
Preferably, the security policy management module operates in real time: according to a security plan that is either manually formulated or triggered after the system receives a notification from the security situation awareness system, it pushes the security policy to the terminal identity authentication service unit and the access control micro-service unit through the micro-service interface, so that the system's information is updated in real time.
Preferably, the digital certificate management unit includes the following services: a. a certificate status service, which updates and publishes the certificate directory in real time and supports OCSP queries; b. a user certificate service, which covers the whole certificate lifecycle, including certificate application, download, renewal, revocation, freezing/unfreezing, online unlocking and the like.
Compared with the related art, the ICT virtual operation security access control method based on the micro-service has the following beneficial effects:
The invention provides a micro-service-based ICT virtual operation security access control method, which uses a micro-service architecture to develop a single application as a group of small services, each running in its own process and communicating with the others through a lightweight mechanism; each service is built around a business capability and can be deployed independently by a fully automated deployment mechanism. The services are therefore highly decoupled, with no dependency on each other's code or deployment, which greatly reduces the failure rate. Development is flexible and fast, since each micro-service is concerned only with a specific business function, with clear service boundaries and easy maintenance; because each micro-service is decoupled and deployed independently, deployment is simpler. At the same time, when a large number of terminals access the system, the scalability of the system, the ease of deploying the authentication service, and the support for many terminals that require different authentication and authorization policies because of their different business scenarios are all improved, so that users' needs are better met.
Drawings
FIG. 1 is a structural diagram of the micro-service architecture in the micro-service-based ICT virtual operation security access control method provided by the invention;
FIG. 2 is a block diagram of service and registration operations in the micro-service-based ICT virtual operation security access control method provided by the invention;
FIG. 3 is a block diagram of the operation of the service gateway in the micro-service-based ICT virtual operation security access control method provided by the invention;
FIG. 4 is a block diagram of load balancing operations in the micro-service-based ICT virtual operation security access control method provided by the invention.
Detailed Description
The invention is further described below with reference to the drawings and embodiments. Referring to FIG. 1 to FIG. 4 together: FIG. 1 is a structural diagram of the micro-service architecture in the micro-service-based ICT virtual operation security access control method provided by the invention; FIG. 2 is a block diagram of service and registration operations in the method; FIG. 3 is a block diagram of the operation of the service gateway in the method; and FIG. 4 is a block diagram of load balancing operations in the method.
The ICT virtual operation safety access control method based on the micro-service comprises the following operation steps:
S1. After the micro-service architecture system is connected to the power grid terminal, the access control micro-service unit performs access control on the power grid terminal's resources, granting or restricting the access capability of the power grid terminal. The access control micro-service unit applies several access control modes, including access control lists, capability lists, discretionary access control, mandatory access control and role-based access control. The micro-service architecture system comprises a micro-service gateway, a micro-service module and a security policy management module; the micro-service module is divided into a registration and discovery micro-service unit, a terminal authentication micro-service unit, an access control micro-service unit and other service units; and the security policy management module comprises a digital certificate management unit and an authorization management unit;
S2. When the power grid terminal makes an access request, the registration and discovery micro-service unit first registers the terminal's information and provides the terminal's address and other information, so that the service caller can subscribe to the service through the provided address and information; the registration and discovery micro-service unit then sends the service caller the relevant address list of the service, and the service caller locates the target service;
S3. After the service caller enters the power grid terminal, it is authenticated by the terminal authentication micro-service unit. If authentication passes, the service caller may access internal resources; otherwise it is not allowed to continue. The micro-service module controls the service being accessed, so that normal operation of the access service is ensured.
In step S1, before the connection between the micro-service architecture system and the power grid terminal is established, authentication must first be performed: based on the digital certificate information embedded in the power grid terminal, public-key authentication technology is used so that the power grid terminal is identity-authenticated through an authentication server, and only after the micro-service architecture system has passed the power grid terminal's identity authentication can the connection with the power grid terminal be established.
The specific digital certificate authentication process of the terminal authentication micro-service unit is as follows:
a. Verify whether the issuer CA's public key correctly opens the issuer's digital signature in the client entity certificate; after exchange and transfer, the two certificates are unpacked to see whether they can be opened, and if they can be correctly opened, the result output is the user's public key;
b. Trace back through the certificate chain to the trusted root CA to verify whether the CA that issued the user entity certificate is an authoritative trusted CA. Certificate chain verification requires that every certificate in the path, from the end entity to the root certificate, is valid and correctly corresponds to the authoritative trusted CA that issued it;
c. Check whether the serial number of the signing entity in the entity certificate matches the serial number of the issuer certificate, to verify the authenticity of the certificate. The verification procedure is: the certificate serial number in the public-key identifier extension of the user entity certificate, i.e. the serial number of the issuing certificate, is compared with the certificate serial number in the CA certificate; the two must match, otherwise the certificate was not issued by a trusted Certification Authority (CA);
d. Validity period verification checks whether the date on which the user certificate is used is legitimate. Specifically: the validity period of the user entity certificate and the validity period of its private key must fall within the validity dates of the CA certificate, and no date in the user entity certificate's validity period may precede the start of the CA certificate's private key usage period; otherwise the certificate is unsafe;
e. The certificate revocation list query checks whether the user certificate has been revoked and issues the certificate revocation list; the CA publishes certificates in X.500 format to a certificate repository in real time through the LDAP standard protocol so that entities can query it openly at access time;
f. The certificate policy setting in the user entity certificate under the bridge CA system should be a list of certificate policies recognised by the CA, defined by a dedicated extension field that specifies the policies applicable to the user certificate. These policies should be explicitly specified in the CA's CPS, the object identifier is no more than 200 characters, and the user certificate cannot be used without a policy recognised by the CA;
g. Finally, the certificate of the certification authority's internal administrator issued by the CA is distinguished from the end user entity certificate, so that the end user entity certificate is conclusively confirmed and authentication is complete.
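The following is an added example, not code from the patent or its assignees: a path-validation routine that mirrors steps a to g above over a constructed, simplified certificate model. Steps b to f (chain to a trusted root, issuer serial match, validity nesting, revocation query, recognised policy) are implemented directly; step a is a pluggable signature check, and the HMAC used for it here is a labelled stand-in for the CA's asymmetric signature, not a real public-key operation. Step g is read as requiring the presented certificate to be an end-entity certificate. All names, serials, dates and the policy OID are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Callable, Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Simplified certificate model (constructed for this example)."""
    subject: str
    issuer: str
    serial: int
    issuer_serial: Optional[int]    # step c: serial of the issuing certificate (None for a root)
    not_before: datetime
    not_after: datetime
    policies: FrozenSet[str]        # step f: certificate policy identifiers
    is_ca: bool
    signature: bytes = b""

    def tbs(self) -> bytes:
        """Fixed serialisation of the fields covered by the signature."""
        return "|".join([self.subject, self.issuer, str(self.serial), str(self.issuer_serial),
                         self.not_before.isoformat(), self.not_after.isoformat(),
                         ",".join(sorted(self.policies)), str(self.is_ca)]).encode()


class ValidationError(Exception):
    pass


def validate_path(leaf: Cert, store: Dict[str, Cert], trusted_roots: Set[int], crl: Set[int],
                  accepted_policies: FrozenSet[str], now: datetime,
                  verify_signature: Callable[[Cert, Cert], bool]) -> List[Cert]:
    """Return the path [leaf, ..., root] or raise ValidationError naming the failing step."""
    if leaf.is_ca:  # step g (as read here): the presented certificate must be an end-entity certificate
        raise ValidationError(f"{leaf.subject}: not an end-entity certificate")
    path, cert, seen = [], leaf, set()
    while True:
        if cert.serial in seen:
            raise ValidationError("issuer loop")
        seen.add(cert.serial)
        if not (cert.not_before <= now <= cert.not_after):          # step d: date of use
            raise ValidationError(f"{cert.subject}: outside validity period")
        if cert.serial in crl:                                       # step e: revocation query
            raise ValidationError(f"{cert.subject}: revoked")
        if cert.policies.isdisjoint(accepted_policies):              # step f: recognised policy
            raise ValidationError(f"{cert.subject}: no acceptable certificate policy")
        path.append(cert)
        if cert.issuer == cert.subject:
            break
        issuer = store.get(cert.issuer)
        if issuer is None or not issuer.is_ca:
            raise ValidationError(f"{cert.subject}: issuer {cert.issuer} unknown or not a CA")
        if cert.issuer_serial != issuer.serial:                      # step c: issuer serial must match
            raise ValidationError(f"{cert.subject}: issuer serial mismatch")
        if cert.not_before < issuer.not_before or cert.not_after > issuer.not_after:  # step d: nesting
            raise ValidationError(f"{cert.subject}: validity not nested in issuer's")
        if not verify_signature(cert, issuer):                        # step a: issuer's key opens the signature
            raise ValidationError(f"{cert.subject}: bad signature")
        cert = issuer
    if path[-1].serial not in trusted_roots:                         # step b: ends at a trusted root
        raise ValidationError("chain does not end at a trusted root")
    return path


# Constructed stand-in for the public-key signature of step a: an HMAC keyed by a
# per-CA secret. A deployment verifies the CA's asymmetric signature here instead.
CA_KEYS = {"Root CA": b"root-secret", "Grid Sub CA": b"sub-secret"}


def sign(cert: Cert) -> Cert:
    return replace(cert, signature=hmac.new(CA_KEYS[cert.issuer], cert.tbs(), hashlib.sha256).digest())


def hmac_verify(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(CA_KEYS[issuer.subject], cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


# Constructed sample PKI: root, subordinate CA and terminal certificates.
POLICY = frozenset({"1.3.6.1.4.1.99999.1"})   # constructed policy OID
D = datetime
ROOT = sign(Cert("Root CA", "Root CA", 1, None, D(2020, 1, 1), D(2035, 1, 1), POLICY, True))
SUB = sign(Cert("Grid Sub CA", "Root CA", 2, 1, D(2021, 1, 1), D(2030, 1, 1), POLICY, True))
TERMINAL = sign(Cert("terminal-0001", "Grid Sub CA", 3, 2, D(2022, 1, 1), D(2025, 1, 1), POLICY, False))
REVOKED = sign(Cert("terminal-0002", "Grid Sub CA", 4, 2, D(2022, 1, 1), D(2025, 1, 1), POLICY, False))
MISMATCH = sign(Cert("terminal-0003", "Grid Sub CA", 5, 99, D(2022, 1, 1), D(2025, 1, 1), POLICY, False))
TAMPERED = replace(TERMINAL, subject="terminal-admin")   # signed fields altered after signing
STORE = {c.subject: c for c in (ROOT, SUB)}
TRUSTED_ROOTS = {ROOT.serial}
CRL = {REVOKED.serial}


def check(cert: Cert, now: datetime = D(2024, 6, 1)) -> str:
    """Return 'ok:<path>' or 'rejected:<reason>' for a presented terminal certificate."""
    try:
        path = validate_path(cert, STORE, TRUSTED_ROOTS, CRL, POLICY, now, hmac_verify)
        return "ok:" + ">".join(c.subject for c in path)
    except ValidationError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    for c in (TERMINAL, REVOKED, MISMATCH, TAMPERED):
        print(check(c))
    print(check(TERMINAL, now=D(2026, 1, 1)))
```

The order of checks matters for the error a caller sees: revocation and policy are checked per certificate as the walk proceeds, and the trust-anchor test (step b) runs last, so a chain that passes every local check but ends at an unknown root is still rejected.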
In the access control list method of S1, each object is associated with an ACL that records the subjects allowed to access the object and the access operations they are allowed, which is equivalent to storing the access matrix by column; the ACL method makes it easy to list all subjects that can access an object and to revoke all subjects' access rights to that object. The capability list describes the access capabilities of subjects: in the CL method each subject is associated with a CL that lists all objects the subject is allowed to access and the corresponding access operations.
Discretionary access control (DAC) in S1 is a control policy that, having confirmed the identity of the subject and the group to which it belongs, determines the access mode and defines access according to the visitor's identity and authorization. DAC allows a subject with control rights over an object to explicitly designate other subjects' access rights to that object, and allows a legitimate user to access the objects specified by the policy under the identity of the user or the user's group while preventing unauthorised users from accessing them.
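As an added example (not code from the patent), the two preceding paragraphs in working form: one access matrix kept in both views, the ACL as a column per object and the capability list as a row per subject, with DAC delegation restricted to the holder of a "control" right and access checked under the user's own identity or a group identity. The subject, group and object names are constructed.

```python
from collections import defaultdict
from typing import Dict, Set


class AccessMatrix:
    """Access matrix held in both views described in the text: the ACL (one column
    per object) and the capability list, CL (one row per subject)."""

    def __init__(self) -> None:
        self.acl: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)   # object  -> subject -> ops
        self.cl: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)    # subject -> object  -> ops
        self.groups: Dict[str, Set[str]] = defaultdict(set)            # user -> groups (DAC group identity)

    def _add(self, subject: str, obj: str, ops: Set[str]) -> None:
        self.acl[obj].setdefault(subject, set()).update(ops)
        self.cl[subject].setdefault(obj, set()).update(ops)

    def create(self, owner: str, obj: str) -> None:
        """The creator of an object gets full rights, including 'control' (the DAC ownership right)."""
        self._add(owner, obj, {"read", "write", "control"})

    def grant(self, grantor: str, subject: str, obj: str, ops: Set[str]) -> None:
        """DAC: only a subject holding 'control' over the object may designate others' rights."""
        if "control" not in self.acl[obj].get(grantor, set()):
            raise PermissionError(f"{grantor} has no control right over {obj}")
        self._add(subject, obj, ops)

    def check(self, user: str, obj: str, op: str) -> bool:
        """Access is allowed under the user's own identity or under any group the user belongs to."""
        column = self.acl[obj]
        identities = {user} | self.groups[user]
        return any(op in column.get(identity, set()) for identity in identities)

    def subjects_of(self, obj: str) -> Dict[str, Set[str]]:
        """ACL view: every subject that can access the object (a column of the matrix)."""
        return {s: set(ops) for s, ops in self.acl[obj].items()}

    def objects_of(self, subject: str) -> Dict[str, Set[str]]:
        """CL view: every object the subject can access (a row of the matrix)."""
        return {o: set(ops) for o, ops in self.cl[subject].items()}

    def revoke_all(self, obj: str) -> int:
        """Revoke every subject's rights on one object. Cheap in the ACL view (one column);
        the CL rows are then updated to stay consistent. Returns the number of entries removed."""
        subjects = list(self.acl.pop(obj, {}))
        for s in subjects:
            self.cl[s].pop(obj, None)
        return len(subjects)


def demo() -> AccessMatrix:
    """Constructed scenario: alice owns a meter-data object and delegates to bob and to a group."""
    m = AccessMatrix()
    m.create("alice", "meter-data")
    m.grant("alice", "bob", "meter-data", {"read"})
    m.grant("alice", "grp:operators", "meter-data", {"read", "write"})
    m.groups["carol"].add("grp:operators")
    return m


if __name__ == "__main__":
    m = demo()
    print("bob read:", m.check("bob", "meter-data", "read"), "carol write:", m.check("carol", "meter-data", "write"))
    print("ACL column:", m.subjects_of("meter-data"))
    print("CL row for bob:", m.objects_of("bob"))
    print("revoked entries:", m.revoke_all("meter-data"), "alice read now:", m.check("alice", "meter-data", "read"))
```

Keeping both views means every grant and revocation must update two structures; the trade-off the text points at is that the ACL answers "who can reach this object" in one lookup while the CL answers "what can this subject reach", and whole-object revocation is a single column drop in the ACL.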
In step S1, mandatory access control determines whether a subject may access an object according to the security levels of the subject and the object; it is essentially rule-based access control, and each process, file and IPC object in the system is assigned a corresponding security attribute. Role-based access control introduces the concept of a role: access rights to objects are granted to roles rather than directly to users, roles are then assigned to users, and a user obtains access rights through its roles; the RBAC model thus associates permissions with roles.
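An added example, not code from the patent, of the two remaining modes from the paragraph above composed into one decision: MAC compares subject and object security levels under a fixed rule, and RBAC grants permissions to roles and roles to users. The level rule applied here (no read above the subject's level, no write below it) is one common confidentiality rule and is an assumption of this example, as are the user, role and object names.

```python
from collections import defaultdict
from enum import IntEnum
from typing import Dict, Set, Tuple


class Level(IntEnum):
    """Constructed security levels for subjects and objects (higher is more sensitive)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


class Policy:
    def __init__(self) -> None:
        self.subject_level: Dict[str, Level] = {}
        self.object_level: Dict[str, Level] = {}
        self.role_perms: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)   # role -> {(object, op)}
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)              # user -> roles

    def mac_allows(self, subject: str, obj: str, op: str) -> bool:
        """MAC: the rule is fixed by the system, not by an owner. Assumed rule: no read up, no write down."""
        s, o = self.subject_level.get(subject), self.object_level.get(obj)
        if s is None or o is None:          # unlabeled subject or object: deny
            return False
        if op == "read":
            return s >= o
        if op == "write":
            return s <= o
        return False

    def rbac_allows(self, user: str, obj: str, op: str) -> bool:
        """RBAC: a permission is held only through a role assigned to the user."""
        return any((obj, op) in self.role_perms[role] for role in self.user_roles[user])

    def decide(self, user: str, obj: str, op: str) -> Tuple[bool, str]:
        """Both modes must agree; the level rule is checked first so RBAC cannot override it."""
        if not self.mac_allows(user, obj, op):
            return False, "denied by MAC level rule"
        if not self.rbac_allows(user, obj, op):
            return False, "no role grants this permission"
        return True, "allowed"


def demo_policy() -> Policy:
    """Constructed grid scenario: an operator and an auditor, three labeled objects."""
    p = Policy()
    p.object_level.update({"public-notice": Level.PUBLIC, "meter-readings": Level.INTERNAL,
                           "incident-log": Level.SECRET})
    p.subject_level.update({"operator": Level.INTERNAL, "auditor": Level.SECRET})
    p.role_perms["meter-reader"] = {("meter-readings", "read")}
    p.role_perms["auditor"] = {("meter-readings", "read"), ("incident-log", "read"),
                               ("public-notice", "write")}
    p.user_roles["operator"].add("meter-reader")
    p.user_roles["auditor"].add("auditor")
    return p


if __name__ == "__main__":
    p = demo_policy()
    for user, obj, op in [("operator", "meter-readings", "read"), ("operator", "incident-log", "read"),
                          ("auditor", "incident-log", "read"), ("auditor", "public-notice", "write")]:
        print(user, op, obj, "->", p.decide(user, obj, op))
```

The auditor case is the instructive one: the role explicitly grants a write on the public notice, yet the request is refused, because a SECRET-level subject writing a PUBLIC-level object would violate the system-wide level rule that no owner or role assignment can relax.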
The micro-service gateway shields the internal services from the outside and also performs rate limiting and fault tolerance, monitors logs, and reverse-maps external requests to specific internal micro-services.
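The following added example (not code from the patent) puts the gateway functions just listed together with the registration and discovery unit of step S2: services register instance addresses, the gateway reverse-maps an external path prefix to an internal service name so the service itself stays hidden, a per-client token bucket enforces rate limiting, a failed instance is removed from discovery and the next one tried, and every decision is logged. The service names, addresses and paths are constructed, and the clock is injectable so the limiter can be exercised deterministically.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List, Tuple


class Registry:
    """Registration and discovery unit: services register their instance addresses,
    callers look up the address list for a service name."""

    def __init__(self) -> None:
        self._instances: Dict[str, List[str]] = defaultdict(list)

    def register(self, service: str, address: str) -> None:
        if address not in self._instances[service]:
            self._instances[service].append(address)

    def deregister(self, service: str, address: str) -> None:
        if address in self._instances[service]:
            self._instances[service].remove(address)

    def discover(self, service: str) -> List[str]:
        return list(self._instances[service])


class TokenBucket:
    """Per-client rate limiter; the clock is injectable so the behaviour is testable."""

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity, self.rate, self.clock = capacity, refill_per_sec, clock
        self._state: Dict[str, Tuple[float, float]] = {}   # client -> (tokens, last refill time)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(client, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._state[client] = (tokens, now)
            return False
        self._state[client] = (tokens - 1.0, now)
        return True


class Gateway:
    """Micro-service gateway: hides internal services, rate-limits, tolerates instance
    failures, logs, and reverse-maps external path prefixes to internal service names."""

    def __init__(self, registry: Registry, routes: Dict[str, str], limiter: TokenBucket,
                 backend: Callable[[str, str], str]) -> None:
        self.registry, self.routes, self.limiter, self.backend = registry, routes, limiter, backend
        self.log: List[str] = []

    def handle(self, client: str, path: str) -> Tuple[int, str]:
        if not self.limiter.allow(client):
            self.log.append(f"429 {client} {path}")
            return 429, "rate limited"
        service = next((svc for prefix, svc in self.routes.items() if path.startswith(prefix)), None)
        if service is None:
            self.log.append(f"404 {client} {path}")
            return 404, "no route"
        for address in self.registry.discover(service):
            try:
                body = self.backend(address, path)
            except ConnectionError:
                # fault tolerance: drop the failed instance from discovery and try the next one
                self.registry.deregister(service, address)
                self.log.append(f"instance {address} of {service} removed after failure")
                continue
            self.log.append(f"200 {client} {path} -> {service}@{address}")
            return 200, body
        self.log.append(f"503 {client} {path} -> {service}")
        return 503, "no healthy instance"


def build_demo(clock: Callable[[], float] = time.monotonic) -> Gateway:
    """Constructed deployment: two terminal-auth instances (one down) and one access-control instance."""
    registry = Registry()
    registry.register("terminal-auth", "10.0.0.2:8080")
    registry.register("terminal-auth", "10.0.0.3:8080")
    registry.register("access-control", "10.0.0.4:8080")

    def backend(address: str, path: str) -> str:
        if address == "10.0.0.2:8080":   # simulated failed instance
            raise ConnectionError(address)
        return f"{address} handled {path}"

    routes = {"/api/auth/": "terminal-auth", "/api/access/": "access-control"}
    return Gateway(registry, routes, TokenBucket(capacity=2, refill_per_sec=1.0, clock=clock), backend)


if __name__ == "__main__":
    gw = build_demo()
    print(gw.handle("terminal-0001", "/api/auth/verify"))
    print(gw.handle("terminal-0001", "/api/access/check"))
    print("\n".join(gw.log))
```

A failed instance is simply dropped from the registry here; a production gateway would also re-probe it and re-register it once healthy, otherwise a transient fault permanently shrinks the pool.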
The security policy management module operates in real time: according to a security plan that is either manually formulated or triggered after the system receives a notification from the security situation awareness system, it pushes the security policy to the terminal identity authentication service unit and the access control micro-service unit through the micro-service interface, so that the system's information is updated in real time.
The digital certificate management unit includes the following services: a. a certificate status service, which updates and publishes the certificate directory in real time and supports OCSP queries; b. a user certificate service, which covers the whole certificate lifecycle, including certificate application, download, renewal, revocation, freezing/unfreezing, online unlocking and the like.
Compared with the related art, the ICT virtual operation security access control method based on the micro-service has the following beneficial effects:
The invention provides a micro-service-based ICT virtual operation security access control method, which uses a micro-service architecture to develop a single application as a group of small services, each running in its own process and communicating with the others through a lightweight mechanism; each service is built around a business capability and can be deployed independently by a fully automated deployment mechanism. The services are therefore highly decoupled, with no dependency on each other's code or deployment, which greatly reduces the failure rate. Development is flexible and fast, since each micro-service is concerned only with a specific business function, with clear service boundaries and easy maintenance; because each micro-service is decoupled and deployed independently, deployment is simpler. At the same time, when a large number of terminals access the system, the scalability of the system, the ease of deploying the authentication service, and the support for many terminals that require different authentication and authorization policies because of their different business scenarios are all improved, so that users' needs are better met.
The foregoing description is only an embodiment of the present invention and is not intended to limit its scope; all equivalent structures or equivalent processes, and all direct or indirect applications in other related technical fields, fall within the scope of the present invention.

Claims (10)

1. An ICT virtual operation safety access control method based on micro-services, characterized by comprising the following operation steps:
S1. After the micro-service architecture system is connected with a power grid terminal, the access control micro-service unit performs access control on the power grid terminal resources to grant or limit the terminal's access capability, using several access control modes including access control lists, capability lists, autonomous access control, mandatory access control and role-based access control. The micro-service architecture system comprises a micro-service gateway, a micro-service module and a security policy management module; the micro-service module is divided into a registration and discovery micro-service unit, a terminal authentication micro-service unit, an access control micro-service unit and other service units; and the security policy management module comprises a digital certificate management unit and an authorization management unit;
S2. When the power grid terminal makes an access request, the registration and discovery micro-service unit first registers the terminal's information and provides the terminal's address and other information, so that a caller of the service can subscribe to the service through them; the registration and discovery micro-service unit then sends the caller the relevant address list of the service, and the caller locates the target service;
S3. After the caller of the service enters the power grid terminal, the caller is authenticated by the terminal authentication micro-service unit. If authentication passes, the caller accesses the internal resource; otherwise the caller is not allowed to continue, and the micro-service module controls the service being accessed, ensuring normal operation of the access service.
2. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein in S1, before the micro-service architecture system establishes a connection with the power grid terminal, authentication must be performed: based on the digital certificate information embedded in the power grid terminal, a public-key authentication technique is used so that the power grid terminal performs identity authentication through an authentication server, and only after the micro-service architecture system has passed the identity authentication of the power grid terminal can a connection be established with it.
3. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein after the micro-service architecture system has been built, the terminal authentication micro-service unit uses a public-key authentication technique, based on the digital certificate information embedded in the power grid terminal, so that the power grid terminal can perform identity authentication through an authentication server, and only after the micro-service architecture system has passed the identity authentication of the power grid terminal can a connection be established with it.
4. The micro-service-based ICT virtual operation security access control method according to claim 3, wherein the specific digital certificate authentication process of the terminal authentication micro-service unit is as follows:
a. Verify whether the issuer CA's public key correctly unlocks the issuer's digital signature in the client entity certificate; after the exchange and transfer, the two certificates are unpacked to see whether they can be opened, and if they are correctly unlocked, the output is the user's public key;
b. Trace back through the certificate chain to the root of the trusted CA to verify whether the CA that issued the user entity certificate is an authoritative trusted CA. Certificate chain verification requires that every certificate in the path, from the end entity to the root certificate, is valid and correctly corresponds to the authoritative trusted CA that issued it;
c. Check whether the serial number of the signing entity in the entity certificate is consistent with the serial number of the issuer certificate, thereby verifying the authenticity of the certificate. The verification proceeds as follows: the certificate serial number recorded in the public key identifier extension of the user entity certificate, i.e. the serial number of the issuing certificate, is checked against the certificate serial number in the CA certificate; the two must be consistent, otherwise the certificate was not issued by a trusted Certification Authority (CA);
d. Validity period verification checks whether the date on which the user certificate is used is legal. Specifically, the validity period of the user entity certificate and the validity period of its private key must fall within the validity dates of the CA certificate, and no date in the user entity certificate's validity period may precede the start of the CA certificate's private key usage period; otherwise the certificate is unsafe;
e. The certificate revocation list query checks whether the user certificate has been revoked. The CA issues the certificate revocation list in X.500 format to the certificate repository in real time through the LDAP standard protocol, so that entities can query it openly during access;
f. The certificate policy setting in the user entity certificate, in the bridge CA system, should be a list of certificate policies acknowledged by the CA; it is defined by a special extension field that specifies the policies applicable to the user certificate, these policies should be explicitly specified in the CA's CPS, the object identifier is no more than 200 characters, and the user certificate cannot be used without a policy acknowledged by the CA;
g. Finally, the certificate of an internal administrator of the certification authority, issued by the CA, is distinguished from the end-user entity certificate, so that the end-user entity certificate is confirmed and authentication is complete.
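As an added example (not the patent's own code) of the certificate check sequence in claim 4, the Go program below uses only the standard library to construct an in-memory root CA and a grid-terminal certificate, then applies steps a to e to it. Assumptions: the serial-number comparison of step c is done through the key identifiers that Go exposes, the revocation list of step e is a constructed map standing in for the CRL/OCSP query, and the policy check of step f is not implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: the fixture is built in memory, so a failure here is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture constructs, in memory, a root CA and one grid-terminal certificate issued by it.
func BuildFixture(now time.Time) (root, leaf *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Grid Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)))) // self-signed
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "grid-terminal-0001 (constructed)"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return root, leaf
}

// VerifyTerminalCert applies claim 4's checks: issuer consistency (c), signature and chain to a trusted root (a, b), validity nested in the CA's window (d), revocation lookup (e).
func VerifyTerminalCert(leaf, ca *x509.Certificate, roots *x509.CertPool, revoked map[string]bool, now time.Time) error {
	if string(leaf.AuthorityKeyId) != string(ca.SubjectKeyId) || leaf.Issuer.String() != ca.Subject.String() {
		return fmt.Errorf("%s: issuer does not match the CA certificate", leaf.Subject.CommonName) // c
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil { // a+b: issuer signature, then chain to an authoritative root
		return fmt.Errorf("%s: chain verification failed: %w", leaf.Subject.CommonName, err)
	}
	if leaf.NotBefore.Before(ca.NotBefore) || leaf.NotAfter.After(ca.NotAfter) { // d
		return fmt.Errorf("%s: validity period exceeds that of its CA", leaf.Subject.CommonName)
	}
	if revoked[leaf.SerialNumber.String()] { // e: constructed stand-in for the CRL/OCSP query
		return fmt.Errorf("%s: serial %s is revoked", leaf.Subject.CommonName, leaf.SerialNumber)
	}
	return nil
}
```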
5. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein in the access control list mode of S1, each object is associated with an ACL that records the subjects allowed to access the object and their permitted access operations, which is equivalent to storing the access matrix by column; the ACL method makes it easy to check all subjects that can access a given object and to revoke all subjects' access rights to that object. The capability list describes the access capabilities of subjects: in the CL method, each subject is associated with a CL that lists all objects the subject is allowed to access and the corresponding access operations.
6. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein the autonomous access control in S1 is a control policy that determines the access mode and defines access according to the identity and authorization of the subject; DAC allows a subject that has control rights over an object to explicitly specify other subjects' access rights to that object, and it allows legitimate users, as individual users or as a user group, to access the objects specified by the policy while preventing unauthorized users from accessing them.
7. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein the mandatory access control in S1 determines whether a subject may access an object according to the security levels of the subject and the object; mandatory access control is essentially rule-based access control, in which every process, file and IPC object in the system is assigned a corresponding security attribute. Role-based access control introduces the concept of a role: access rights to objects are granted to roles rather than directly to users, roles are then assigned to users, and users obtain access rights through their roles; the RBAC model associates rights with roles.
8. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein the micro-service gateway is configured to shield internal services from the outside and, at the same time, to perform rate limiting and fault tolerance, log monitoring, and reverse mapping of external requests to specific internal micro-services.
9. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein, after the security policy management module receives a notification from the security situation awareness system, the security policy is updated through the micro-service interface to the terminal identity authentication service unit and the access control micro-service unit according to a security plan that is formulated manually or triggered by the system, thereby achieving real-time information update of the system.
10. The micro-service-based ICT virtual operation security access control method according to claim 1, wherein the digital certificate management unit comprises the following services: a. a certificate status service, in which the certificate directory is updated and published in real time and the OCSP query function is satisfied; b. a user certificate service, which meets the requirements of the whole-process certificate services such as certificate application, certificate downloading, certificate renewal, certificate revocation, freezing/unfreezing and online unlocking.
CN202111489302.6A 2021-12-08 2021-12-08 ICT virtual operation safety access control method based on micro-service Active CN114398612B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111489302.6A CN114398612B (en) 2021-12-08 2021-12-08 ICT virtual operation safety access control method based on micro-service

Publications (2)

Publication Number Publication Date
CN114398612A CN114398612A (en) 2022-04-26
CN114398612B true CN114398612B (en) 2024-05-03

Family

ID=81227103

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant