CN115189931A - Distributed key management method, device, equipment and storage medium - Google Patents

Publication number: CN115189931A
Application number: CN202210761017.3A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Withdrawn
Inventors: 刘凯, 徐峥, 杨金林, 邢希双
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd
Original assignee: Suzhou Inspur Intelligent Technology Co Ltd
Prior art keywords: key, cluster, clusters, identification, generation request

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30: Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/31: Indexing; Data structures therefor; Storage structures

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application discloses a distributed key management method, apparatus, device and storage medium in the technical field of security services. The method comprises: acquiring a key generation request sent by a client, and using the main node of a main cluster to perform identification generation processing on the request to obtain the corresponding key identification; pushing the key generation request and the key identification to a cache queue, so that a corresponding key is generated and stored in a preset text database; synchronizing the keys to all standby nodes in the main cluster, and uploading the keys in batches to other clusters by calling the key batch upload interfaces of those clusters; and sending the key identification to the client, so that the client can query the corresponding key from any cluster by using the key identification. The application designs a request cache queue in which highly concurrent requests are buffered, and its key synchronization achieves synchronization of keys both among the nodes of a single cluster and among multiple clusters.

Description

Distributed key management method, device, equipment and storage medium
Technical Field
The present invention relates to the field of security service technologies, and in particular, to a distributed key management method, apparatus, device, and storage medium.
Background
At present, projects involving encryption services often introduce a key management system to manage the keys those services use. This creates a dependency between the project and the key management system: the stability of the key management system directly affects the stability of the project. Distributed projects with high requirements in particular often require the system services they depend on to be highly available. Distributed key management therefore needs to be introduced. Compared with a single-point key management system, a distributed key management system has the problem that key synchronization is difficult, which calls for a database with a data self-synchronization mechanism. Such a database is usually a large one that imposes a heavy performance cost on the server, and it makes a key management system holding only a small amount of data complex and bloated.
In summary, how to implement key management with automatic key synchronization, high service availability, high interface concurrency, high system portability and low energy consumption is a technical problem to be solved in the field.
Disclosure of Invention
In view of this, the present invention provides a distributed key management method, apparatus, device, and storage medium, which can implement key management with automatic key synchronization, high service availability, high interface concurrency, high system portability, and low energy consumption. The specific scheme is as follows:
in a first aspect, the present application discloses a distributed key management method, including:
acquiring a key generation request sent by a client, and performing identification generation processing on the key generation request by using a main node of a main cluster to obtain a key identification corresponding to the key generation request;
pushing the key generation request and the key identification to a cache queue so as to generate a corresponding key based on the key generation request and store the key in a preset text database;
synchronizing the keys to all standby nodes in the main cluster, and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of other clusters;
and sending the key identification to the client so that the client can inquire the corresponding key from any cluster by using the key identification.
Optionally, before the performing, by the master node of the master cluster, identification generation processing on the key generation request, the method further includes:
and determining a node from all nodes of the main cluster as a main node of the main cluster through a preset high-availability component, wherein other nodes except the main node are standby nodes.
Optionally, the determining, by a preset high-availability component, one node from all nodes of the master cluster as a master node of the master cluster, where other nodes except the master node are standby nodes, includes:
and if the preset high-availability component detects that the main node is abnormal, screening a target standby node from all the standby nodes, and promoting the target standby node to be the main node.
Optionally, the generating a corresponding key based on the key generation request and storing the key in a preset text database includes:
and generating a corresponding key based on the key generation request, assigning the key based on the cluster identification information of the main cluster, and storing the assigned key in a preset text database.
Optionally, the distributed key management method further includes:
synchronizing the key to all the standby nodes in the main cluster at preset time intervals; and synchronously uploading the key to the other clusters.
Optionally, the synchronously uploading the key to the other clusters includes:
receiving all keys sent by the main cluster, and removing the synchronized keys from all the keys;
and saving the unsynchronized keys to the text databases of the other clusters.
Optionally, the synchronizing the key to all the standby nodes in the master cluster, and uploading the key batch to other clusters by calling a key batch upload interface of the other clusters synchronously includes:
reading configuration information containing all the standby nodes and the other clusters from a system configuration file;
and synchronizing the keys to all the standby nodes in the main cluster by using the configuration information, and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of the other clusters.
In a second aspect, the present application discloses a distributed key management apparatus, comprising:
an identification generation module, used for acquiring a key generation request sent by a client and utilizing a main node of a main cluster to perform identification generation processing on the key generation request so as to obtain a key identification corresponding to the key generation request;
the key generation and storage module is used for pushing the key generation request and the key identification to a cache queue so as to generate a corresponding key based on the key generation request and store the key in a preset text database;
the key synchronization module is used for synchronizing the keys to all the standby nodes in the main cluster and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of other clusters;
and the key application module is used for sending the key identification to the client so that the client can inquire the corresponding key from any cluster by using the key identification.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the distributed key management method disclosed in the foregoing.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program realizes the steps of the distributed key management method disclosed in the foregoing when executed by a processor.
Therefore, the application discloses a distributed key management method, which comprises the following steps: acquiring a key generation request sent by a client, and performing identification generation processing on the key generation request by using a main node of a main cluster to obtain a key identification corresponding to the key generation request; pushing the key generation request and the key identification to a cache queue so as to generate a corresponding key based on the key generation request and store the key in a preset text database; synchronizing the keys to all standby nodes in the main cluster, and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of other clusters; and sending the key identification to the client so that the client can inquire the corresponding key from any cluster by using the key identification. Therefore, the high concurrency request is cached in the cache queue by designing the request cache queue, and the background program sequentially pulls the requests from the cache queue for processing, so that the high concurrency of the system interface is realized; by introducing a preset text database and storing the key as a part of a system program, high portability and low performance loss of the system are realized; by designing key synchronization, the synchronization of keys among different nodes in a single cluster and the synchronization of keys among a plurality of clusters are realized; the low performance loss and the high portability of the key management system are realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a distributed key management method disclosed herein;
FIG. 2 is a schematic diagram of DKMS high availability as disclosed in the present application;
FIG. 3 is a flow chart of DKMS client request processing disclosed in the present application;
FIG. 4 is a flow chart of a specific distributed key management method disclosed herein;
FIG. 5 is a schematic diagram of key synchronization between nodes in a cluster according to the disclosure;
FIG. 6 is a schematic diagram of key synchronization between multiple clusters according to the present disclosure;
FIG. 7 is a flow chart of another specific distributed key management method disclosed herein;
FIG. 8 is a schematic structural diagram of a distributed key management apparatus disclosed in the present application;
FIG. 9 is a block diagram of an electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, projects involving encryption services often introduce a key management system to manage the keys those services use. This creates a dependency between the project and the key management system: the stability of the key management system directly affects the stability of the project. Distributed projects with high availability requirements in particular often require the system services they depend on to be highly available. Distributed key management therefore needs to be introduced. Compared with a single-point key management system, a distributed key management system has the problem that key synchronization is difficult, which calls for a database with a data self-synchronization mechanism. Such a database is usually a large one that imposes a heavy performance cost on the server, and it makes a key management system holding only a small amount of data complex and bloated.
Therefore, the application discloses a distributed key management scheme, which can realize key management with automatic key synchronization, high service availability, high interface concurrency, high system portability and low energy consumption.
Referring to fig. 1, an embodiment of the present invention discloses a distributed key management method, including:
step S11: acquiring a key generation request sent by a client, and performing identification generation processing on the key generation request by using a main node of a main cluster to obtain a key identification corresponding to the key generation request.
In this embodiment, a client sends a key generation request to a DKMS (Distributed Key Management System), and the master node of the DKMS cluster is responsible for receiving the client request. After the request reaches the master node, the validity of the request information is checked, and if the request passes the check, a unique ID is generated for the key. For example, if the client needs to generate a key named key01 with the AES algorithm and a length of 256 bits, the key generation request information it sends is as follows:
[Image BDA0003724060020000051: key generation request information, not available as text]
In this embodiment, DKMS high availability is shown schematically in FIG. 2. keepalived is selected as the high-availability component. The IP address of node 1 is 192.168.97.1, the IP address of node 2 is 192.168.97.2, and so on up to node n at 192.168.97.n; the virtual IP address of the DKMS is 192.168.97.110 and the master node is node 1. When a client accesses the DKMS through the virtual IP, the key generation request is sent to node 1.
Step S12: and pushing the key generation request and the key identification to a cache queue so as to generate a corresponding key based on the key generation request and store the key in a preset text database.
In this embodiment, the key ID and the request information are pushed to the cache queue, and the key ID is then returned to the client as the return value of the request. The key generation module continuously monitors the state of the request cache queue; when it finds request information in the queue, it pulls that information from the queue, generates the corresponding key according to its content, and stores the key in the embedded database. For example, the DKMS client request processing flow is shown in FIG. 3: after receiving a key generation request, the DKMS master node generates a key ID and pushes the key request information and the key ID to the request cache queue. The request cache queue caches the key generation requests that clients send to the DKMS, and the module in the DKMS responsible for generating keys pulls key generation requests from the queue in order and performs key generation and key storage. The key ID is then returned to the client as the return value. For example, if the key ID is 1, the message pushed to the request cache queue is:
[Image BDA0003724060020000061: message pushed to the request cache queue, not available as text]
The key generation module monitors the state of the request cache queue at all times. When it finds key generation request information in the queue, it pulls that information from the queue, generates the corresponding key according to the content of the request, and stores the key in the embedded database.
Step S13: and synchronizing the key to all the standby nodes in the main cluster, and uploading the key in batch to other clusters synchronously by calling key batch uploading interfaces of other clusters.
In this embodiment, key synchronization is divided into intra-cluster synchronization and inter-cluster synchronization. Intra-cluster synchronization means that the master node remotely copies the database file to the standby nodes in the DKMS cluster. Inter-cluster synchronization means that the master node of the DKMS cluster uploads the keys belonging to its cluster to other clusters by calling the key upload interfaces of the other DKMS clusters. For example, when the key synchronization module is called to perform active key synchronization, it first reads the key synchronization configuration from a system configuration file; the configuration contains information about the other nodes of the DKMS cluster and about the other DKMSs. It then performs intra-cluster key synchronization according to the node information, synchronizing the key to all standby nodes of the DKMS, and performs inter-cluster key synchronization according to the information about the other DKMSs, synchronizing the key to them. If the information about other DKMSs is empty, no inter-cluster key synchronization is needed. The key synchronization module thus achieves synchronization of keys both among the nodes of a single cluster and among multiple clusters.
Step S14: and sending the key identification to the client so that the client can inquire the corresponding key from any cluster by using the key identification.
In this embodiment, after the client sends a key generation request to the DKMS, the module responsible for receiving the request generates a key ID for it, pushes the key request information and the key ID to the request cache queue, and then returns the key ID to the client as the return value. The key generation module in the system monitors the state of the request cache queue; when it finds that a request message has been pushed to the queue, it pulls the request information from the queue and generates a key according to it. The user then obtains the key from the system by using the key ID.
Therefore, the application discloses a distributed key management method, which comprises the following steps: acquiring a key generation request sent by a client, and performing identification generation processing on the key generation request by using a main node of a main cluster to obtain a key identification corresponding to the key generation request; pushing the key generation request and the key identification to a cache queue so as to generate a corresponding key based on the key generation request and store the key in a preset text database; synchronizing the keys to all standby nodes in the main cluster, and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of other clusters; and sending the key identification to the client so that the client can inquire the corresponding key from any cluster by using the key identification. Therefore, the high concurrency request is cached in the cache queue by designing the request cache queue, and the background program sequentially pulls the requests from the cache queue for processing, so that the high concurrency of the system interface is realized; by introducing a preset text database and storing the key as a part of a system program, high portability and low performance loss of the system are realized; by designing key synchronization, the synchronization of the key among different nodes in a single cluster and the synchronization of the key among a plurality of clusters are realized; the low performance loss and the high portability of the key management system are realized.
Referring to fig. 4, the embodiment of the present invention discloses a specific distributed key management method, and compared with the previous embodiment, the present embodiment further describes and optimizes the technical solution. Specifically, the method comprises the following steps:
step S21: and determining a node from all nodes of a main cluster as a main node of the main cluster through a preset high-availability component, wherein other nodes except the main node are all standby nodes.
In this embodiment, the DKMS cluster elects one node as the master node by means of a high-availability component, and the master node is responsible for receiving client requests. The high-availability component may specifically include, but is not limited to, keepalived, ZooKeeper, and the like. It is independent of the DKMS system program and mainly monitors the services on each node in the DKMS cluster; when it detects that the master node is abnormal, a standby node in the cluster is promoted to master node and continues to provide service, which ensures continuous high availability of the DKMS services. That is, if the preset high-availability component detects that the main node is abnormal, a target standby node is screened from all the standby nodes and promoted to main node. For example, when node 1, serving as the master node, fails, the virtual IP drifts to one of the standby nodes, and that standby node becomes the new master node and receives client requests.
Step S22: and acquiring a key generation request sent by a client, and performing identification generation processing on the key generation request by using a main node of the main cluster to obtain a key identification corresponding to the key generation request.
Step S23: and pushing the key generation request and the key identification to a cache queue so as to generate a corresponding key based on the key generation request and store the key in a preset text database.
Step S24: reading configuration information containing all the standby nodes and the other clusters from a system configuration file; and synchronizing the keys to all the standby nodes in the main cluster by using the configuration information, and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of the other clusters.
In this embodiment, the key synchronization module consists of 2 synchronization mechanisms, active synchronization and timing synchronization, and is responsible for synchronizing keys among the nodes in a cluster and among different clusters. The active synchronization mechanism triggers synchronization whenever the key database changes; for example, when a new key is added, one key synchronization is performed immediately after the key is generated and stored in the database. The timing synchronization mechanism has the system trigger synchronization automatically at preset intervals, synchronizing the key to all the standby nodes in the main cluster and uploading the key to the other clusters. For example, key synchronization is performed every 10 minutes. Timing synchronization makes up for the shortcomings of active synchronization: if active synchronization fails because of a network fault, synchronization is completed by timing synchronization once the network recovers; and if nodes are added to an already running DKMS cluster, or other DKMS clusters that need to establish a key synchronization relationship are added, synchronization is completed automatically by the timing synchronization mechanism.
The key synchronization module first reads the key synchronization configuration from a system configuration file; the configuration contains information about the other nodes of the DKMS cluster and about the other DKMSs. It then performs intra-cluster key synchronization according to the node information, synchronizing the key to all standby nodes of the DKMS, and performs inter-cluster key synchronization according to the information about the other DKMSs, synchronizing the key to them. If the information about other DKMSs is empty, no inter-cluster key synchronization is needed.
In this embodiment, referring to FIG. 5, an example of the key synchronization configuration information is:
localDKmsVip:192.168.97.110
localNodesIPs:192.168.97.1,192.168.97.2,…,192.168.97.n
remoteDKmsVips:192.168.98.110,192.168.99.110
Here, the localDKmsVip parameter is the virtual IP of the local DKMS; the localNodesIPs parameter lists the IPs of all nodes of the local DKMS cluster, separated by commas; and the remoteDKmsVips parameter lists the virtual IPs of the other DKMS clusters, separated by commas. As shown in fig. 4, after obtaining the IPs of all the standby nodes, the master node's key synchronization module executes the Linux remote copy command (SCP), copying the master node's database file over the database files of all the standby nodes, thereby implementing key synchronization within the DKMS cluster.
In this embodiment, the inter-cluster key synchronization process is shown in FIG. 6. The master node's key synchronization module obtains the virtual IPs of the other DKMSs, calls the key upload interface of each of them through its virtual IP, and uploads the generated key to them. The uploaded key information must include the cluster identifier of the originating DKMS. For example, the parameter information transmitted to the upload interface is:
[Image BDA0003724060020000091: parameter information transmitted to the key upload interface, not available as text]
After receiving the key upload information, the master node of the other DKMS cluster stores the key in its database with cluster identifier A, then performs one intra-cluster synchronization to propagate the uploaded key to all nodes of that DKMS cluster.
In this embodiment, the timing key synchronization mechanism also reads the key synchronization configuration from a system configuration file and queries all IP addresses of the local node. If these include the value of the localDKmsVip parameter, the node is the master node and must perform the timing synchronization operation; otherwise the node is a standby node and does not perform it. Once it is determined that timing synchronization must be performed, the IPs of all standby nodes of the DKMS cluster are obtained from the localNodesIPs parameter and intra-cluster key synchronization is executed; the virtual IPs of the other DKMS clusters are obtained from the remoteDKmsVips parameter and inter-cluster key synchronization is executed, as in the active synchronization process. When inter-cluster key synchronization is executed during timing synchronization, all keys belonging to this DKMS are queried first, for example all keys whose cluster identifier is A; the key batch upload interfaces of the other DKMS clusters are then called and the keys are uploaded to the other DKMSs in batches. For example, the parameter information transmitted to the batch upload interface is:
[Image BDA0003724060020000101: parameter information transmitted to the key batch upload interface, not available as text]
In this embodiment, during key synchronization, the receiving cluster receives all keys sent by the main cluster, removes the keys that have already been synchronized, and saves the unsynchronized keys to the text databases of the other clusters. That is, after receiving the batch key upload information, the master node of the other DKMS cluster first screens the batch, removing keys that were previously synchronized to this DKMS, then stores the remaining unsynchronized keys in its database with cluster identifier A, and finally performs one intra-cluster synchronization to propagate the uploaded keys to all nodes of that DKMS cluster.
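As an added Python example (not code from the patent): the master/standby check that gates timing synchronization, and the receiving cluster's filtering of already-synchronized keys from a batch upload. The payload field names (id, name, material), the (cluster_id, key_id) primary key and the concrete node addresses in the sample configuration are assumptions, since the patent's payloads are available only as images.

```python
import ipaddress
import sqlite3

# Constructed sample in the page's key:value format, with a concrete node list.
SAMPLE_CONFIG = """\
localDKmsVip:192.168.97.110
localNodesIPs:192.168.97.1,192.168.97.2,192.168.97.3
remoteDKmsVips:192.168.98.110,192.168.99.110
"""


def _ip_list(value):
    # ip_address() raises ValueError on anything that is not a literal address,
    # so a typo in the file cannot silently become a copy or upload target.
    return [str(ipaddress.ip_address(p.strip())) for p in value.split(",") if p.strip()]


def parse_sync_config(text):
    raw = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        raw[name.strip()] = value.strip()
    vip = _ip_list(raw.get("localDKmsVip", ""))
    if len(vip) != 1:
        raise ValueError("localDKmsVip must be exactly one address")
    return {
        "vip": vip[0],
        "nodes": _ip_list(raw.get("localNodesIPs", "")),
        # An empty list means no inter-cluster synchronization is needed.
        "remotes": _ip_list(raw.get("remoteDKmsVips", "")),
    }


def plan_timed_sync(cfg, bound_addresses):
    """Return the sync targets if this node holds the virtual IP, else None.

    bound_addresses is the set of IPs currently bound on this node; how it is
    collected from the operating system is outside this example.
    """
    bound = {str(ipaddress.ip_address(a)) for a in bound_addresses}
    if cfg["vip"] not in bound:
        return None                       # standby node: no timing sync
    return {
        "standbys": [n for n in cfg["nodes"] if n not in bound],
        "remotes": list(cfg["remotes"]),
    }


def open_store():
    """Receiving cluster's key table (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE keys (cluster_id TEXT NOT NULL, key_id INTEGER NOT NULL,"
        " name TEXT NOT NULL, material BLOB NOT NULL,"
        " PRIMARY KEY (cluster_id, key_id))"
    )
    return db


def receive_batch(db, sender_cluster, batch):
    """Drop keys already synchronized from sender_cluster, store the rest.

    Returns the IDs that were newly stored. Existing rows are never
    overwritten, so repeating an upload is harmless.
    """
    with db:                              # one transaction per batch
        known = {row[0] for row in db.execute(
            "SELECT key_id FROM keys WHERE cluster_id = ?", (sender_cluster,))}
        fresh = {}
        for rec in batch:
            if rec["id"] not in known:
                fresh.setdefault(rec["id"], rec)   # also dedupe within the batch
        db.executemany(
            "INSERT INTO keys (cluster_id, key_id, name, material) VALUES (?, ?, ?, ?)",
            [(sender_cluster, r["id"], r["name"], r["material"]) for r in fresh.values()],
        )
    return sorted(fresh)
```

Because the timed job re-sends every key of the originating cluster, the filter on the receiving side is what makes the 10-minute repeat idempotent.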
Step S25: and sending the key identification to the client so that the client can inquire the corresponding key from any cluster by using the key identification.
For a more detailed processing procedure of steps S22, S23, and S25, reference is made to the foregoing disclosed embodiment, and details are not repeated herein.
This embodiment therefore achieves synchronization of keys among the nodes of a single cluster and among different clusters: a key synchronization mechanism is designed to complete automatic synchronization of keys within and between clusters. It achieves timely key synchronization: the active key synchronization mechanism ensures that a key is synchronized immediately after it is generated. It also achieves scalability across multiple nodes in a single cluster and across multiple clusters: the timing key synchronization mechanism automatically completes key synchronization when nodes are added to a single cluster or when other DKMS clusters that need to establish a key synchronization relationship are added.
Referring to fig. 7, the embodiment of the present invention discloses a specific distributed key management method, and compared with the previous embodiment, this embodiment further describes and optimizes the technical solution. Specifically, the method comprises the following steps:
Step S31: acquiring a key generation request sent by a client, and performing identification generation processing on the key generation request by using a main node of a main cluster to obtain a key identification corresponding to the key generation request.
Step S32: pushing the key generation request and the key identification to a cache queue.
Step S33: generating a corresponding key based on the key generation request, assigning the key based on the cluster identification information of the main cluster, and storing the assigned key in a preset text database.
In this embodiment, a corresponding key is generated based on the key generation request, the key is assigned based on the cluster identification information of the master cluster, and the assigned key is stored in the preset text database. It can be understood that the key table in the database has a cluster identification field, and when a key is stored, this field is set according to the cluster to which the key belongs; for example, if the DKMS cluster identification is A, the cluster identification of a key generated on that DKMS is A. The preset text database is an embedded text database used for storing DKMS keys; it is part of the DKMS system program, and no separate database service process needs to be started. The embedded text database may specifically include, but is not limited to, SQLite, Berkeley DB, etc. As part of the DKMS system program, its reading and writing are controlled by the DKMS system program. As a single text database, it supports only concurrent reading and not concurrent writing, so a cache queue mechanism is designed to avoid the conflicts that arise because the embedded text database does not support concurrent writes.
Step S34: synchronizing the key to all standby nodes in the main cluster, and uploading the keys to other clusters synchronously in batches by calling the key batch uploading interfaces of the other clusters.
Step S35: sending the key identification to the client, so that the client can query the corresponding key from any cluster by using the key identification.
For a more detailed processing procedure in steps S31, S32, S34, and S35, please refer to the embodiment disclosed above, and details are not repeated herein.
Therefore, the application uses the DKMS to design a queue mechanism which ensures that concurrent requests cannot write data into the database at the same time, thereby resolving the conflict between the concurrency of the DKMS interface and the embedded database's lack of support for concurrent writes. High concurrency of the interface is achieved: a request cache queue module caches high-concurrency requests in a queue, which avoids contention for the database file under high concurrency. Low performance loss and high portability are achieved: an embedded database is introduced as part of the DKMS, so no database service cluster needs to be additionally deployed and maintained, which reduces the performance loss of the server and the difficulty of porting the system.
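Steps S31 to S33 and the cache queue can be illustrated with SQLite, one of the embedded databases the description names. This is an added example, not code from the patent: the class and function names, the table columns, the use of a UUID as key identification and the "AES-256" label are assumptions chosen for the sketch.

```python
import queue
import secrets
import sqlite3
import tempfile
import threading
import uuid
from pathlib import Path

# Assumed key table; the page only states that it has a cluster identification field.
SCHEMA = """CREATE TABLE IF NOT EXISTS keys (
    key_id       TEXT PRIMARY KEY,
    cluster_id   TEXT NOT NULL,
    algorithm    TEXT NOT NULL,
    key_material BLOB NOT NULL)"""


class KeyService:
    """Master-node front end: many request threads, one database writer."""

    def __init__(self, db_path, cluster_id):
        self.db_path, self.cluster_id = str(db_path), cluster_id
        self.requests = queue.Queue()            # the cache queue
        conn = sqlite3.connect(self.db_path)
        with conn:
            conn.execute(SCHEMA)
        conn.close()
        self._writer = threading.Thread(target=self._drain, daemon=True)
        self._writer.start()

    def submit(self, algorithm, length):
        """S31 + S32: allocate the key identification, then enqueue the request."""
        key_id = uuid.uuid4().hex
        stored = threading.Event()
        self.requests.put((key_id, algorithm, length, stored))
        return key_id, stored

    def _drain(self):
        """S33: the only code path that writes to the embedded database."""
        conn = sqlite3.connect(self.db_path)     # connection owned by this thread
        while (item := self.requests.get()) is not None:
            key_id, algorithm, length, stored = item
            # Raw key bytes; the page does not describe wrapping at rest.
            material = secrets.token_bytes(length)
            with conn:                           # one transaction per request
                conn.execute("INSERT INTO keys VALUES (?, ?, ?, ?)",
                             (key_id, self.cluster_id, algorithm, material))
            stored.set()
        conn.close()

    def lookup(self, key_id):
        """Readers open their own connections; concurrent reads are supported."""
        conn = sqlite3.connect(self.db_path)
        try:
            return conn.execute(
                "SELECT cluster_id, algorithm, key_material FROM keys "
                "WHERE key_id = ?", (key_id,)).fetchone()
        finally:
            conn.close()

    def close(self):
        self.requests.put(None)                  # sentinel stops the writer
        self._writer.join()


def run_demo(clients=25):
    """Fire `clients` concurrent requests at one service and read the keys back."""
    with tempfile.TemporaryDirectory() as tmp:
        svc = KeyService(Path(tmp) / "dkms.db", cluster_id="A")
        issued = []

        def client():
            key_id, stored = svc.submit("AES-256", 32)
            stored.wait(timeout=10)
            issued.append(key_id)

        threads = [threading.Thread(target=client) for _ in range(clients)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        rows = [svc.lookup(k) for k in issued]
        svc.close()
        return issued, rows


if __name__ == "__main__":
    ids, rows = run_demo()
    print(len(ids), "keys stored, cluster ids:", {r[0] for r in rows})
```

Request threads never touch the database file for writing; they only enqueue, so write ordering is decided by the queue rather than by file-lock contention.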
Referring to fig. 8, an embodiment of the present invention discloses a specific distributed key management apparatus, including:
the identifier generation module 11 is configured to obtain a key generation request sent by a client, and perform identifier generation processing on the key generation request by using a master node of a master cluster to obtain a key identifier corresponding to the key generation request;
the key generation and storage module 12 is configured to push the key generation request and the key identifier to a cache queue, so as to generate a corresponding key based on the key generation request and store the key in a preset text database;
a key synchronization module 13, configured to synchronize the keys to all standby nodes in the master cluster, and upload the keys to other clusters in a batch synchronization manner by calling key batch upload interfaces of the other clusters;
and the key application module 14 is configured to send the key identifier to the client, so that the client queries the corresponding key from any cluster by using the key identifier.
Therefore, the application discloses a distributed key management method, which comprises the following steps: acquiring a key generation request sent by a client, and performing identification generation processing on the key generation request by using a main node of a main cluster to obtain a key identification corresponding to the key generation request; pushing the key generation request and the key identification to a cache queue so as to generate a corresponding key based on the key generation request and store the key in a preset text database; synchronizing the keys to all standby nodes in the main cluster, and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of other clusters; and sending the key identification to the client so that the client can inquire the corresponding key from any cluster by using the key identification. Therefore, the high concurrency request is cached in the cache queue by designing the request cache queue, and the background program sequentially pulls the requests from the cache queue for processing, so that the high concurrency of the system interface is realized; by introducing a preset text database and storing the key as a part of a system program, high portability and low performance loss of the system are realized; by designing key synchronization, the synchronization of the key among different nodes in a single cluster and the synchronization of the key among a plurality of clusters are realized; the low performance loss and the high portability of the key management system are realized.
In some specific embodiments, the identifier generating module 11 may specifically include:
a master node determining submodule, configured to determine one node from all nodes of the master cluster as the master node of the master cluster through a preset high-availability component, all nodes other than the master node being standby nodes.
In some specific embodiments, the master node determining sub-module may specifically include:
a standby node upgrading unit, configured to screen a target standby node from all the standby nodes and upgrade the target standby node to the master node if the preset high-availability component detects that the master node is abnormal.
In some specific embodiments, the key generation and storage module 12 may specifically include:
and generating a corresponding key based on the key generation request, assigning the key based on the cluster identification information of the main cluster, and storing the assigned key in a preset text database.
In some embodiments, the distributed key management apparatus may specifically include:
the information synchronization module is used for synchronizing the key to all the standby nodes in the main cluster at intervals of a preset time period; and synchronously uploading the key to the other clusters.
In some specific embodiments, the information synchronization module may specifically include:
a key screening unit, configured to receive all keys sent by the master cluster, and remove a synchronized key from all keys; and saving the unsynchronized keys to the text databases of the other clusters.
In some specific embodiments, the key synchronization module 13 may specifically include:
the synchronization unit is used for reading configuration information containing all the standby nodes and other clusters from a system configuration file; and synchronizing the keys to all the standby nodes in the main cluster by using the configuration information, and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of the other clusters.
Further, an electronic device is disclosed in the embodiments of the present application, and fig. 9 is a block diagram of an electronic device 20 according to an exemplary embodiment, which should not be construed as limiting the scope of the application.
Fig. 9 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. Wherein the memory 22 is used for storing a computer program, which is loaded and executed by the processor 21 to implement the relevant steps in the distributed key management method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in this embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide a working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to acquire external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
The processor 21 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 21 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 21 may also include a main processor and a coprocessor, where the main processor is a processor for Processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 21 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content required to be displayed on the display screen. In some embodiments, the processor 21 may further include an AI (Artificial Intelligence) processor for processing a calculation operation related to machine learning.
In addition, the storage 22 is used as a carrier for resource storage, and may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc., and the resources stored thereon may include an operating system 221, a computer program 222, etc., and the storage manner may be a transient storage or a permanent storage.
The operating system 221 is configured to manage and control each hardware device and the computer program 222 on the electronic device 20, so as to implement the operation and processing of the mass data 223 in the memory 22 by the processor 21, and may be Windows Server, NetWare, Unix, Linux, or the like. The computer program 222 may further include a computer program that can be used to perform other specific tasks in addition to the computer program that can be used to perform the distributed key management method performed by the electronic device 20 disclosed in any of the foregoing embodiments. The data 223 may include data received by the electronic device and transmitted from an external device, or may include data collected by the input/output interface 25 itself.
Further, the present application also discloses a computer-readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements the distributed key management method disclosed above. For the specific steps of the method, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated here.
In the present specification, the embodiments are described in a progressive manner, and each embodiment focuses on differences from other embodiments, and the same or similar parts between the embodiments are referred to each other. The device disclosed in the embodiment corresponds to the method disclosed in the embodiment, so that the description is simple, and the relevant points can be referred to the description of the method part.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The above detailed description is provided for a distributed key management method, apparatus, device, and storage medium, and specific examples are applied herein to explain the principles and embodiments of the present invention, and the descriptions of the above embodiments are only used to help understanding the method and its core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A distributed key management method, comprising:
acquiring a key generation request sent by a client, and performing identification generation processing on the key generation request by using a main node of a main cluster to obtain a key identification corresponding to the key generation request;
pushing the key generation request and the key identification to a cache queue so as to generate a corresponding key based on the key generation request and store the key in a preset text database;
synchronizing the keys to all standby nodes in the main cluster, and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of other clusters;
and sending the key identification to the client so that the client can inquire the corresponding key from any cluster by using the key identification.
2. The distributed key management method of claim 1, wherein before performing the identification generation process on the key generation request by the master node of the master cluster, the method further comprises:
and determining a node from all nodes of the main cluster as a main node of the main cluster through a preset high-availability component, wherein other nodes except the main node are standby nodes.
3. The distributed key management method of claim 2, wherein determining one node from all nodes of the master cluster as the master node of the master cluster through a preset high-availability component, all nodes except the master node being standby nodes, comprises:
if the preset high-availability component detects that the main node is abnormal, screening a target standby node from all the standby nodes, and upgrading the target standby node to be the main node.
4. The distributed key management method of claim 1, wherein the generating and storing the corresponding key in a predetermined text database based on the key generation request comprises:
and generating a corresponding key based on the key generation request, assigning the key based on the cluster identification information of the main cluster, and storing the assigned key in a preset text database.
5. The distributed key management method of claim 1, further comprising:
synchronizing the key to all the standby nodes in the main cluster at preset time intervals; and synchronously uploading the key to the other clusters.
6. The distributed key management method of claim 5, wherein said synchronously uploading the key to the other clusters comprises:
receiving all keys sent by the main cluster, and removing the synchronized keys from all the keys;
and saving the unsynchronized keys to the text databases of the other clusters.
7. The distributed key management method of any of claims 1 to 6, wherein synchronizing the keys to all standby nodes in the master cluster and uploading the key batch to other clusters by calling key batch upload interfaces of the other clusters synchronously comprises:
reading configuration information containing all the standby nodes and the other clusters from a system configuration file;
and synchronizing the keys to all the standby nodes in the main cluster by using the configuration information, and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of the other clusters.
8. A distributed key management apparatus, comprising:
an identification generation module, configured to acquire a key generation request sent by a client and to perform identification generation processing on the key generation request by using a main node of a main cluster, so as to obtain a key identification corresponding to the key generation request;
the key generation and storage module is used for pushing the key generation request and the key identification to a cache queue so as to generate a corresponding key based on the key generation request and store the key in a preset text database;
the key synchronization module is used for synchronizing the keys to all the standby nodes in the main cluster and uploading the keys to other clusters synchronously in batches by calling key batch uploading interfaces of other clusters;
and the key application module is used for sending the key identification to the client so that the client can inquire the corresponding key from any cluster by using the key identification.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to carry out the steps of the distributed key management method according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program; wherein the computer program realizes the steps of the distributed key management method according to any one of claims 1 to 7 when executed by a processor.
CN202210761017.3A 2022-06-30 2022-06-30 Distributed key management method, device, equipment and storage medium Withdrawn CN115189931A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210761017.3A CN115189931A (en) 2022-06-30 2022-06-30 Distributed key management method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210761017.3A CN115189931A (en) 2022-06-30 2022-06-30 Distributed key management method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115189931A true CN115189931A (en) 2022-10-14

Family

ID=83515092

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210761017.3A Withdrawn CN115189931A (en) 2022-06-30 2022-06-30 Distributed key management method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115189931A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117176346A (en) * 2023-11-01 2023-12-05 中电信量子科技有限公司 Distributed quantum key link control method and key management system
CN117176346B (en) * 2023-11-01 2024-03-08 中电信量子科技有限公司 Distributed quantum key link control method and key management system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20221014
