CN114422183B - Micro-service access control method, system and device based on security attribute - Google Patents

Micro-service access control method, system and device based on security attribute Download PDF

Info

Publication number
CN114422183B
Authority
CN
China
Prior art keywords
micro
user
service
security
attribute
Prior art date
Legal status: Active
Application number
CN202111521566.5A
Other languages
Chinese (zh)
Other versions
CN114422183A (en
Inventor
吴智辰
裘晓峰
高骏捷
寿国础
刘乃希
陈远强
孙浩
张文蕾
李继清
李洪星
薛俊礼
刘雅琼
胡怡红
Current Assignee
Beijing University of Posts and Telecommunications
Beijing Si Tech Information Technology Co Ltd
Original Assignee
Beijing University of Posts and Telecommunications
Beijing Si Tech Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications and Beijing Si Tech Information Technology Co Ltd
Priority to CN202111521566.5A
Publication of CN114422183A
Application granted
Publication of CN114422183B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Controlling access to devices or network resources
    • H04L63/20 Managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/32 Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Involving a third party or a trusted authority
    • H04L9/3213 Using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a micro-service access control method, system and device based on security attributes, relating to the technical field of network security. The method comprises: receiving a micro-service access request of a user, the request comprising a micro-service name; querying all corresponding security attributes and attribute values according to the micro-service name; acquiring the user's attribute values for each of the micro-service's security attributes and comparing them with the micro-service's attribute values to obtain an authorization result; and, if authorization is allowed, having the micro-service return an access result to the user according to the access request. The beneficial effects of the invention are as follows: the user roles of the role-based access control provided by the k8s system are retained, attributes are allocated to users, and the users' permissions are restricted according to the security attributes, so that security management of micro-service resource access is realized; at the same time, by following the principles of dynamism and extensibility, dynamic and fine-grained management of micro-service resource access is realized.

Description

Micro-service access control method, system and device based on security attribute
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a security attribute-based micro service access control method, system, and device.
Background
With the rapid development of internet technology, access control has become one of the core means of ensuring network information security and is widely applied in scenarios such as cloud computing and mobile computing. With the popularity of Kubernetes in cloud, mobile and edge computing, and with the trends of 5G networks, containerization and micro-servitization, providing a secure and reliable cloud computing platform is a problem that must be considered.
The default authorization method in a Kubernetes (also k8s) system is the RBAC policy, Role-Based Access Control: a concept of "role" is introduced between users and permissions; each user is associated with one or more roles and each role with one or more permissions, so that very flexible permission management can be achieved. Roles can be created flexibly according to actual service requirements, avoiding the trouble of associating every permission anew for each new user. After a role is defined, the access subject is bound to it through a role binding. When the API Server receives a request, it reads the data in the request and generates an access policy object; if certain attributes are not included in the request, they are set to corresponding default values. The access policy object is then matched one by one against all access policy objects in the authorization policy file; if at least one policy object matches, the request is authorized, otherwise an error code is returned to the client.
The means that the Kubernetes system provides for protecting its own components offer limited protection for the micro-services deployed in the container cloud. If an attacker launches a flooding attack or another penetration attack against one or more micro-services in the container cloud, the existing security means of the Kubernetes cluster have limited ability to monitor and intercept it, and the attacker can easily bypass the existing security policy to attack the system's micro-services in various ways. Moreover, the control granularity is not fine enough, the scope of permissions corresponding to a role is difficult to confine, and applying it to the edge cloud is very challenging. The authorization method is also static: it cannot sense changes in user behaviour and adjust its decisions dynamically, which poses hidden dangers in certain scenarios. For example, a user holding some permission may flood the system with requests, and there is currently no corresponding countermeasure.
Disclosure of Invention
In view of these problems, the invention provides a micro-service access control method, system and device based on security attributes. An attribute-based access control policy (ABAC) is taken as the core: the role is retained on the basis of the original RBAC policy of the Kubernetes system and treated as an attribute, and security attributes are introduced to constrain the role attribute. The security attributes change dynamically during access under the influence of the actions of the micro-service or of other users, which improves granularity and dynamism; attribute definition and permission calculation are introduced so that more attributes can be added, improving the security control of micro-service access.
In order to achieve the above object, the present invention discloses a security attribute-based micro service access control method, which includes:
receiving a micro-service access request of a user, wherein the micro-service access request comprises a micro-service name;
inquiring and acquiring all corresponding security attributes and attribute values according to the micro-service name;
acquiring the user's attribute values for each security attribute of the micro-service, comparing them with the micro-service's own attribute values, and obtaining an authorization result;
if authorization is allowed, the micro-service returns an access result to the user according to the access request.
As a further improvement of the invention, the security attributes include a risk factor, a security level and a user role, the risk factor and the security level having higher priority than the user role.
As a further improvement of the invention, when the user registers, the security attribute and the attribute value are distributed to the user according to the user management strategy.
As a further improvement of the invention, different resources in the micro-service have different security attributes;
the attribute values of the security attributes of a general resource are fixed at the time of its creation;
for resources that a user creates while accessing the micro-service, the attribute values of the security attributes inherit the user's current security attribute values and change dynamically.
As a further improvement of the invention, the access request also comprises user token information;
When a user's micro-service access request is received, the user's token information is first parsed and verified to ensure that the user is legitimate, and rate limiting is applied at the same time.
As a further improvement of the invention, the attribute value of the user security attribute dynamically changes according to the access behavior and environment in the access process of the user.
As a further improvement of the present invention,
Presetting a safety control strategy;
Matching the security control strategy according to the comparison result of the attribute value of the security attribute of the micro service and the attribute value of the security attribute of the corresponding user;
If the matching is successful, the authorization is allowed, otherwise, the authorization is refused.
As a further improvement of the present invention, said security control policy comprises a plurality of requirements of said micro-services for said security attributes;
matching attribute values of the security attributes of the user and requirements of the micro service on the security attributes one by one according to the priority of the security attributes;
In the matching process, if one of the security attributes does not meet the requirement, authorization is refused.
The invention also provides a micro service access control system based on the security attribute, which comprises: the system comprises an identity center arranged in a remote cloud, an API gateway arranged in an edge cloud, an access control module, a k8s connection proxy module and a micro-service module;
the identity center is configured to:
the user registers identity information;
An administrator distributes security attributes and security attribute values to the users according to a management strategy;
The API gateway is configured to:
receiving an access request of a user;
analyzing and verifying the token information in the access request of the user, and ensuring that the user is a legal user;
transmitting request information of the user to the access control module;
Receiving and recording an authorization result of the access control module, if authorization is allowed, interacting with the k8s connection proxy module, and acquiring an execution right corresponding to the user;
forwarding the access request to a micro service corresponding to the micro service module according to the execution right;
The access control module is used for:
Inquiring and acquiring all corresponding security attributes and attribute values according to the micro-service name in the user access request;
acquiring the user's attribute values for each security attribute of the micro-service, comparing them with the micro-service's own attribute values, and obtaining an authorization result;
The micro service module is used for:
and the corresponding micro service receives the access request and returns an access result to the user.
The invention also provides a security attribute-based micro-service access control device comprising at least three electronic devices, each of which comprises input, output, storage, control and communication units; the devices are respectively used to host the identity center, the API gateway together with the access control module, and the micro-service module.
Compared with the prior art, the invention has the beneficial effects that:
The invention distributes attributes for users, limits the authority of the users according to the security attributes, realizes the security management of the access to the micro-service resources, and simultaneously follows the principles of dynamic property and expansibility, and realizes the dynamic and fine-grained management of the access to the micro-service resources.
In the invention, the user roles in the role-based access control provided by the k8s system are reserved in the security attributes, authorization management is carried out according to the user roles, and other security attributes limit the authority of the user roles, so that the security management of micro-service resource access is enhanced, and meanwhile, the user roles are reserved as one of the attributes, so that the performance problem caused by excessive rules can be reduced.
The system adopts a cloud-edge cooperative mode: the remote cloud provides public security services, including user identity management and service management, while the edge cloud acts as the enforcement point, needs to store only part of the key information, synchronizes only the user identity information from the remote cloud when an access request is received, and can focus on executing business-layer policy. The system therefore has a clear hierarchy and higher management efficiency.
Drawings
FIG. 1 is a flow chart of a security attribute-based micro service access control method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a security attribute-based micro service access control system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an authorization module in an access control system according to an embodiment of the present invention;
FIG. 4 is a flow chart of a user requesting to read pod details as disclosed in one embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention is described in further detail below with reference to the attached drawing figures:
as shown in fig. 1, the method for controlling micro service access based on security attribute provided by the present invention includes:
s1, receiving a micro-service access request of a user, wherein the micro-service access request comprises a micro-service name;
Wherein,
The access request also comprises user token information;
When a user's micro-service access request is received, the user's token information is first parsed and verified to ensure that the user is legitimate: legitimate users are authenticated, illegitimate users are refused access, and rate limiting is applied at the same time.
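The gateway step just described (parse and verify the token, refuse illegitimate users, apply rate limiting) as an added Python example; it is not the patent's code and is not taken from the page. It assumes HS256-signed JWTs with a shared gateway secret (the page says only "JWT token" and names no algorithm or key management) and a per-subject token bucket as the rate limiter; the secret, the claim names, the bucket parameters and the mint_jwt helper used to build tokens are assumptions for the demo. The alg header is pinned and the signature checked with a constant-time compare before any claim is trusted, and expiry is enforced only on verified claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed HS256 signing key of the API gateway (constructed for this demo).
GATEWAY_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT (used here only to build tokens for the demo)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the token is well formed, HS256-signed with `secret`
    and unexpired; otherwise None. The alg is pinned before the signature is
    checked, so an attacker-supplied "none" header is rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, bad UTF-8
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims


class TokenBucket:
    """Per-subject rate limiter: `capacity` burst, `rate` tokens refilled per second."""

    def __init__(self, capacity: float, rate: float):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = capacity, None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def gateway_admit(token: str, buckets: dict, now: float,
                  secret: bytes = GATEWAY_SECRET, capacity: int = 3, rate: float = 1.0):
    """Gateway front step: authenticate the token, then rate-limit per subject.
    Returns (status, subject) with status 'ok', 'unauthenticated' or 'rate_limited'."""
    claims = verify_jwt(token, secret, now)
    if claims is None or not isinstance(claims.get("sub"), str):
        return "unauthenticated", None
    subject = claims["sub"]
    bucket = buckets.setdefault(subject, TokenBucket(capacity, rate))
    if not bucket.allow(now):
        return "rate_limited", subject
    return "ok", subject
```

Only a request that returns "ok" is handed on to the access control module; a rate-limited request is still from an authenticated subject, so the subject is returned with it for logging.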
S2, inquiring and acquiring all corresponding security attributes and attribute values according to the micro-service name;
Wherein,
A micro-service resource attribute table is configured in the database to store and maintain all attribute information, including security attributes, of each accessed object (each micro-service).
The micro-service resource attribute table mainly contains the judgment attributes related to access control; its fields are an auto-increment id, the resource name (corresponding to the resource name in the resource table), the risk factor and the security level. For simplicity the system uses only these two attributes; more can be added according to business requirements. Different resources in the micro-service have different security attributes;
the attribute values of the security attributes of a general resource are fixed at the time of its creation;
for resources that a user creates while accessing the micro-service, the attribute values of the security attributes inherit the user's current security attribute values and change dynamically.
Further, the method comprises the steps of,
The security attributes include a risk factor, a security level and a user role; the risk factor and the security level have higher priority than the user role.
S3, acquiring the user's attribute values for each security attribute of the micro-service and comparing them with the micro-service's attribute values to obtain an authorization result;
Wherein,
And when the user registers, distributing security attributes and attribute values to the user according to the user management strategy.
The database is configured with a user attribute table for storing and maintaining all attribute information including security attributes of the access user;
The user attribute table mainly contains the security attributes related to access control; its fields are an auto-increment id, the user name (corresponding to the user name in the users table), the risk factor and the security level. For simplicity the system uses only these two attributes; more can be added according to business requirements, for example:
Meanwhile, the attribute value of the user security attribute dynamically changes according to the access behavior and environment in the user access process.
Further, the method comprises the steps of,
Presetting a security control policy; the policy uses JSON format and is stored in the database as key-value pairs;
matching the security control policy according to the comparison of the micro-service's security attribute values with the corresponding user's security attribute values;
judging whether the attribute value of the security attribute of the user meets the requirement of resources in micro service on each security attribute;
If the matching is successful, the authorization is allowed, otherwise, the authorization is refused.
Wherein,
The security control policy comprises the requirements of a plurality of micro-services on the security attributes; in the matching process, if any one security attribute does not meet the requirement, authorization is refused.
For example, the policy with unique ID 1000087999, described in JSON, specifies that only a user in tenant 12335 with the operator role and security level 10 can perform the get, watch and list operations on microservice_01;
The process of obtaining the authorization result according to the security control policy includes:
(1) Judging whether the attribute provided by the access request is matched with the attribute required by the corresponding security control strategy;
The user attribute credential is parsed by calling the checkUser method: the AuthConfig information packaged during authentication is obtained, and with it getUserConfig is called to obtain the UserConfig object, which contains the user's attribute information. The checkAttributes method is then called to check the security attributes of the user's role set and attribute set (for example the security level attribute); this check matches the subject (user) against the security attribute requirements of the object (micro-service) one by one. If a security attribute does not meet the requirement, authorization fails immediately; otherwise the next step is performed;
(2) Performing authority calculation;
the checkRole method is invoked to match the requested API against the rule list of the user's roles; if the match passes the permission check, authorization is allowed.
And S4, if the authorization is allowed, the micro-service returns an access result to the user according to the access request.
As shown in fig. 2, the present invention further provides a micro service access control system based on security attribute, including: the system comprises an identity center arranged in a remote cloud, an API gateway arranged in an edge cloud, an access control module, a k8s connection proxy module and a micro-service module;
an identity center for:
the user registers identity information;
An administrator distributes security attributes and security attribute values to users according to a management strategy;
An API gateway for:
receiving an access request of a user;
analyzing and verifying the token information in the access request of the user, and ensuring that the user is a legal user;
transmitting request information of a user to an access control module;
receiving and recording an authorization result of the access control module, if authorization is allowed, interacting with the k8s connection proxy module, and acquiring the corresponding execution right of the user;
forwarding the access request to the micro service corresponding to the micro service module according to the execution right;
an access control module for:
inquiring and acquiring all corresponding security attributes and attribute values according to the micro-service name in the user access request;
acquiring the user's attribute values for each security attribute of the micro-service and comparing them with the micro-service's attribute values to obtain an authorization result;
Wherein,
As shown in fig. 3, the access control module further includes an authorization module, where the authorization module mainly includes four parts including authorization attribute, authorization management, authorization decision and authorization execution, and the purposes of the authorization module are as follows:
(1) Authorization attributes: attribute information of the access subject, the operation, the access object, and the environment is collected, stored, and maintained, and the information is provided to the authorization decision module.
(2) And (3) authorization management: management of access control policy libraries, role management and rights management.
(3) Authorization decision: matching the access control strategy according to the attribute information provided by the authorization attribute module, performing authority calculation, and outputting a decision result.
(4) Authorization is performed: and correspondingly processing the access request according to the result of the authorization decision.
Further, the method comprises the steps of,
The method comprises the steps that a core idea of an attribute-based access control model (ABAC) is adopted in design, and description of a strategy and judgment of authority are carried out in an attribute combination mode; the user roles are taken as a subset of the attributes to avoid a large number of attribute definition, retrieval, and policy evaluation tasks.
In particular, security attributes are introduced and, because they are affected by user behaviour, environment and other factors during access, given higher priority than the user role, so that the user's permissions are restricted as far as possible and the role's shortcomings in granularity and dynamism are remedied. Objects (micro-service resources) also have a security attribute set: taking a Pod as the object and the security level as a security attribute, the subject (user) can access the Pod only if the value of its security attribute is higher than the Pod's value. The design follows the extensibility principle and can be extended to more attributes according to business requirements.
A micro-service module for:
The corresponding micro service receives the access request and returns an access result to the user.
As shown in fig. 2, the system configured in this figure was load tested; the machine configurations were identical, as follows:
User requests were simulated with Apache JMeter, a load-testing tool, to load test some interfaces of the system. The aggregate report presents the average response time (Average), the 90th-, 95th- and 99th-percentile response times (90% Line, 95% Line, 99% Line), the minimum (Min) and maximum (Max) response time, and the throughput per second (Throughput). Interfaces of the system were tested at 1000, 3000 and 5000 simulated concurrent users per second; all quantities except Throughput are in ms. The specific test results are shown in the following table:
From the table, interfaces that interact with the Kubernetes cluster, such as an administrator authorizing a user, reading Pod details or creating a Pod, generally have higher response times and lower throughput under high concurrency. Overall, the table shows that system behaviour at 3000 requests per second differs little from that at 1000, while 5000 per second puts noticeably more pressure on the system.
Analysis: the greatest disadvantage is that the attribute-based access control module is separate from the Kubernetes cluster and interacts with it over the network, which adds instability and makes the system sensitive to network performance. In addition, user and attribute data are stored in MySQL tables, whose read and write performance is orders of magnitude slower than memory, so the throughput of the system drops once attribute-based access control is added. Possible optimizations: multi-instance load balancing under high concurrency, database sharding and table partitioning, and the like.
The invention also provides a security attribute-based micro-service access control device comprising at least three electronic devices, each of which comprises an input unit, an output unit, a storage unit, a control unit and a communication unit; the devices are respectively used to host the identity center, the API gateway, the access control module and the micro-service module.
Examples:
as shown in fig. 4, the user initiates an access request to the micro service resource Pod as follows:
after the user's JWT token passes verification at the gateway,
the request is forwarded to the interface in the system that reads Pod details (/k8s/pods/details);
the system parses the two parameters carried in the request, the namespace and the Pod name (podName) of the Pod to be accessed;
the system queries the resource attribute table (resource_attr) in the database for the risk factor (dangerLevel) and security level (securityLevel) of the resource according to the Pod name, and queries the user attribute table for the user's values of the same two attributes.
If the user's risk factor is higher than that of the micro-service resource, or the user's security level is lower than that of the resource, the system refuses the user's request;
after the user passes the system's attribute verification, the system uses the user's API object in K8sApiMap to call the corresponding Kubernetes cluster interface for reading Pod details.
Specifically, a user named Curry is created and an administrator grants this user permission to read Pods in the Kubernetes cluster (i.e. a user role). The risk factor of user Curry is set to 3 and the security level to 6; the resource busybox under the default namespace is given risk factor 2 and security level 5; the resource named nginx-test-6 is given risk factor 5 and security level 7.
Under the system's attribute-based fine-grained access control, although the user has the role permission to read Pod resources in the cluster and satisfies one of the two attributes in each case, user Curry cannot access busybox because the user's risk factor is too high, and cannot access nginx-test-6 because the user's security level is too low.
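The two-step decision of the access control module (checkAttributes, then checkRole, with the JSON security control policy of the earlier example) and the Pod example just given, combined in one added Python example; it is not the patent's code. The attribute values for Curry, busybox and nginx-test-6 are those of the page's example; the tenant id, the role set, the pass-pod and microservice_01 attribute rows, the policy key names and the mapping of a policy's resource field onto kind/name are constructed assumptions. Attributes are compared in priority order and the first failing attribute denies, as the page specifies; the comparison direction follows the Pod example (reject if the user's risk factor is higher than the resource's or the user's security level is lower), and the role rule list is consulted only after both attributes pass.

```python
import json
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Attrs:
    """The two security attributes the patent uses for users and resources."""
    risk: int   # risk factor (dangerLevel in the page's Pod flow)
    level: int  # security level (securityLevel)


@dataclass(frozen=True)
class User:
    name: str
    tenant: int
    roles: frozenset
    attrs: Attrs


# Constructed user and resource attribute tables. Curry, busybox and
# nginx-test-6 carry the page's values; tenant, roles, pass-pod and the
# microservice_01 row are assumptions for this demo.
USERS = {
    "Curry": User("Curry", 12335, frozenset({"operator"}), Attrs(risk=3, level=6)),
}
RESOURCE_ATTR = {
    ("pods", "default", "busybox"): Attrs(risk=2, level=5),
    ("pods", "default", "nginx-test-6"): Attrs(risk=5, level=7),
    ("pods", "default", "pass-pod"): Attrs(risk=4, level=6),
    ("microservice", "default", "microservice_01"): Attrs(risk=5, level=3),
}

# Security control policies as JSON key/value pairs. 1000087999 restates the
# page's example (tenant 12335, operator, level 10, get/watch/list on
# microservice_01); 1000088000 is an assumed rule for Pods with no level floor.
POLICY_JSON = json.dumps({
    "1000087999": {"tenant": 12335, "role": "operator", "min_level": 10,
                   "resource": "microservice/microservice_01",
                   "verbs": ["get", "watch", "list"]},
    "1000088000": {"tenant": 12335, "role": "operator", "min_level": 0,
                   "resource": "pods/*", "verbs": ["get", "watch", "list"]},
})
POLICIES = json.loads(POLICY_JSON)


def check_attributes(user: Attrs, res: Attrs):
    """Step (1), checkAttributes: compare in priority order (risk factor,
    then security level); the first attribute that fails denies."""
    if user.risk > res.risk:
        return False, "risk factor too high"
    if user.level < res.level:
        return False, "security level too low"
    return True, "attributes ok"


def check_role(user: User, target: str, verb: str):
    """Step (2), checkRole: permission calculation against the rule list of
    the user's roles, honouring the policy's own security-level floor."""
    for pid, rule in POLICIES.items():
        if rule["tenant"] != user.tenant or rule["role"] not in user.roles:
            continue
        if not fnmatchcase(target, rule["resource"]) or verb not in rule["verbs"]:
            continue
        if user.attrs.level < rule["min_level"]:
            return False, f"policy {pid} requires security level {rule['min_level']}"
        return True, f"allowed by policy {pid}"
    return False, "no matching role rule"


def authorize(user_name: str, kind: str, namespace: str, name: str, verb: str):
    """Decision for one request: attributes first, then the role rules."""
    user = USERS.get(user_name)
    if user is None:
        return False, "unknown user"
    res = RESOURCE_ATTR.get((kind, namespace, name))
    if res is None:
        return False, "unknown resource"
    ok, why = check_attributes(user.attrs, res)
    if not ok:
        return False, why
    return check_role(user, f"{kind}/{name}", verb)
```

The page's two refusals fall out of check_attributes before any role rule is read, which is the point of giving the security attributes priority over the role: a role grant alone never reaches the Kubernetes API object in K8sApiMap.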
The invention has the advantages that:
(1) The invention assigns attributes to users and limits the users' authority according to these security attributes, realizing security management of access to micro-service resources; it also follows the principles of dynamism and extensibility, realizing dynamic and fine-grained management of access to micro-service resources.
(2) In the invention, the user roles of the role-based access control provided by the k8s system are retained among the security attributes: authorization management is carried out according to the user role, and the other security attributes further limit the authority of the role, so that the security management of micro-service resource access is strengthened. At the same time, because the user role is kept as just one of the attributes, the performance problems caused by an excessive number of rules are reduced.
(3) The system adopts a cloud-edge cooperative mode: the remote cloud provides the public security services, including user identity management and service management, while the edge cloud acts as the enforcement point, only needs to store part of the key information, synchronizes the user identity information from the remote cloud only when an access request is received, and can therefore concentrate on enforcing the business-layer policy. As a result, the system has a clear hierarchy and higher management efficiency.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (7)

1. A security attribute-based micro service access control method, comprising:
the role is regarded as an attribute, and security attribute is introduced to limit the attribute of the role;
receiving a micro-service access request of a user, wherein the micro-service access request comprises a micro-service name;
inquiring and acquiring all corresponding security attributes and attribute values according to the micro-service name;
Different resources in the micro service have different security attributes; the attribute values of all security attributes of the micro service corresponding to the user are obtained and compared with the attribute values of all security attributes of the micro service to obtain an authorization result, comprising the following steps: presetting a security control policy; matching the security control policy according to the comparison result of the attribute values of the security attributes of the micro service and the attribute values of the security attributes of the corresponding user; if the matching succeeds, authorization is allowed, otherwise authorization is refused; wherein the security control policy includes the requirements of a plurality of the micro services on the security attributes; the attribute values of the security attributes of the user are matched one by one against the requirements of the micro service on the security attributes according to the priority of the security attributes; in the matching process, if any one of the security attributes does not meet the requirement, authorization is refused; and the attribute values of the user's security attributes change dynamically according to the access behaviour and environment during the user's access;
If authorization is allowed, the micro-service returns an access result to the user according to the access request;
the user creates the security attribute of the resource in the process of accessing the micro-service, and the attribute value inherits the attribute value of the current security attribute of the user and changes dynamically.
2. The micro service access control method according to claim 1, wherein: the security attributes include a risk factor, a security level, and a user role, the risk factor and security level having a higher priority than the user role.
3. The micro service access control method according to claim 1, wherein: and when the user registers, distributing security attributes and attribute values to the user according to the user management strategy.
4. The micro service access control method according to claim 1, wherein: the attribute values of the security attributes of universal resources in the micro-service are fixedly allocated at the time of creation.
5. The micro service access control method according to claim 1, wherein: the access request also comprises user token information;
When receiving a micro-service access request of a user, the token information of the user is first parsed and verified to ensure that the user is a legitimate user, and rate limiting is implemented at the same time.
6. A system for implementing the micro service access control method according to any one of claims 1 to 5, comprising: the system comprises an identity center arranged in a remote cloud, an API gateway arranged in an edge cloud, an access control module, a k8s connection proxy module and a micro-service module;
the identity center is configured to:
the user registers identity information;
An administrator distributes security attributes and security attribute values to the users according to a management strategy;
The API gateway is configured to:
receiving an access request of a user;
analyzing and verifying the token information in the access request of the user, and ensuring that the user is a legal user;
transmitting request information of the user to the access control module;
Receiving and recording an authorization result of the access control module, if authorization is allowed, interacting with the k8s connection proxy module, and acquiring an execution right corresponding to the user;
forwarding the access request to a micro service corresponding to the micro service module according to the execution right;
The access control module is used for:
Inquiring and acquiring all corresponding security attributes and attribute values according to the micro-service name in the user access request;
acquiring attribute values of all security attributes of the micro-service corresponding to the user, comparing the attribute values with the attribute values of all security attribute values of the micro-service, and acquiring an authorization result;
The micro service module is used for:
and the corresponding micro service receives the access request and returns an access result to the user.
7. An apparatus for implementing the micro service access control system of claim 6, wherein: the apparatus comprises at least three electronic devices, each comprising input, output, storage, control and communication units, which are respectively used to host the identity center, the API gateway together with the access control module, and the micro-service module.
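The attribute checks of the Curry walkthrough in the description and the priority-ordered policy matching of claims 1 and 2 (risk factor and security level evaluated before the user role, deny on the first failing attribute, created resources inheriting the creator's attribute values), as an added Python example that is not part of the patent or of any implementation it describes. The class names, the `pod-reader` role, the `api-pod` resource and the reading of the resource thresholds as "maximum tolerated risk" and "minimum required level" are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    risk: int            # risk factor, lower is safer (the page's dangerLevel)
    level: int           # security level, higher is more trusted (securityLevel)
    roles: frozenset     # Kubernetes RBAC roles, kept as one more attribute

@dataclass(frozen=True)
class Resource:
    name: str
    risk: int            # maximum user risk factor this resource tolerates (assumption)
    level: int           # minimum user security level this resource requires (assumption)
    required_role: str   # RBAC role that grants the requested verb on it (hypothetical)

def authorize(user: User, res: Resource) -> tuple:
    """Evaluate the security attributes in priority order (claim 2: risk factor
    and security level outrank the user role) and deny on the first attribute
    that fails (claim 1). Returns (allowed, reason)."""
    if user.risk > res.risk:
        return False, "risk factor too high"
    if user.level < res.level:
        return False, "security level too low"
    if res.required_role not in user.roles:
        return False, "user role lacks permission"
    return True, "allowed"

def create_resource(user: User, name: str, required_role: str) -> Resource:
    """A resource created during the user's access inherits the user's
    current attribute values (last step of claim 1)."""
    return Resource(name, user.risk, user.level, required_role)

# Constructed sample matching the page's walkthrough: Curry may read Pods.
CURRY = User("Curry", risk=3, level=6, roles=frozenset({"pod-reader"}))
BUSYBOX = Resource("default/busybox", risk=2, level=5, required_role="pod-reader")
NGINX = Resource("default/nginx-test-6", risk=5, level=7, required_role="pod-reader")
# Constructed extra Pod (hypothetical) whose attributes Curry does satisfy.
API_POD = Resource("default/api-pod", risk=4, level=6, required_role="pod-reader")

if __name__ == "__main__":
    for pod in (BUSYBOX, NGINX, API_POD):
        allowed, why = authorize(CURRY, pod)
        print(f"{CURRY.name} -> {pod.name}: {'ALLOW' if allowed else 'DENY'} ({why})")
```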

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111521566.5A CN114422183B (en) 2021-12-13 2021-12-13 Micro-service access control method, system and device based on security attribute

Publications (2)

Publication Number Publication Date
CN114422183A CN114422183A (en) 2022-04-29
CN114422183B true CN114422183B (en) 2024-07-02

Family

ID=81265157

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111521566.5A Active CN114422183B (en) 2021-12-13 2021-12-13 Micro-service access control method, system and device based on security attribute

Country Status (1)

Country Link
CN (1) CN114422183B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104333542A (en) * 2014-10-23 2015-02-04 张勇平 Cloud computing access control system and method
CN110858833A (en) * 2018-08-22 2020-03-03 京东方科技集团股份有限公司 Access control policy configuration method, device and system and storage medium
CN111431843A (en) * 2019-01-10 2020-07-17 中国科学院电子学研究所 Access control method based on trust and attribute in cloud computing environment

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8577885B2 (en) * 2010-12-09 2013-11-05 International Business Machines Corporation Partitioning management of system resources across multiple users
CN103036726A (en) * 2012-12-17 2013-04-10 北京网康科技有限公司 Method and device for network user management
US10878079B2 (en) * 2016-05-11 2020-12-29 Oracle International Corporation Identity cloud service authorization model with dynamic roles and scopes
CN110322261B (en) * 2018-03-30 2022-10-28 腾讯科技(深圳)有限公司 Method, device and computer readable storage medium for monitoring resource acquisition
CN111935131B (en) * 2020-08-06 2024-06-07 中国工程物理研究院计算机应用研究所 SaaS resource access control method based on resource authority tree
CN113098695B (en) * 2021-04-21 2022-05-03 金陵科技学院 Micro-service unified authority control method and system based on user attributes

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research and Application of Access Control Technology in Microservice Environments; He Xiuyu; China Master's Theses Full-text Database (Electronic Journal), Information Science and Technology; 2018-11-15 (No. 11); main text pp. 46-47, 53-55 *
An Attribute-Based Access Control Model Supporting Groups and Attribute Hierarchies; Shen Haibo; Journal of Guangdong University of Education; 2018-10-15; Vol. 38 (No. 5); p. 81 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant