CN115987547A - Multi-platform interconnection cloud connector system - Google Patents


Info

Publication number
CN115987547A
Authority
CN
China
Prior art keywords
message
user
server
module
service
Legal status
Pending
Application number
CN202211360497.9A
Other languages
Chinese (zh)
Inventor
李强
徐诗语
郭兵
Current Assignee
Sichuan University
Original Assignee
Sichuan University
Application filed by Sichuan University
Priority to CN202211360497.9A
Publication of CN115987547A

Classifications

    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30Computing systems specially adapted for manufacturing

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a multi-platform interconnection cloud connector system and relates to the technical field of automobile manufacturing. The system comprises the following modules: a gateway module that realizes user identity authentication, access control, token generation, load balancing and the like; a user module that realizes user information management, attribute information query and user information query; an access control module that performs access control, access policy management and resource management; an authentication module that verifies the user information and encapsulates, generates and issues a token; and an asynchronous processing module that registers a corresponding message queue for tasks with asynchronous requirements in the data integration content or the service integration content and sets a task listener to monitor the message queue. The invention realizes interconnection and intercommunication integration of multiple cloud platforms, development of data/service resources among the platforms, unified management of resources, data sharing and service cooperation, breaks the isolated state of data, and conveniently realizes data sharing, service sharing and resource coordination.

Description

Multi-platform interconnection cloud connector system
Technical Field
The invention relates to the technical field of automobile manufacturing, in particular to a multi-platform interconnection cloud connector system.
Background
At present, the relations between value chains in the automobile industry are gradually strengthening and business development across multiple chains is increasingly close. Business cooperation among value chains requires longitudinal cooperation between a core manufacturing enterprise and its upstream and downstream enterprises, and also transverse cross-chain cooperation among multiple chain-type value chains, forming a value chain cooperation alliance with a mesh structure that contains both longitudinal and transverse cooperative relations.
However, in current multi-value-chain collaboration in the automobile industry, core manufacturing enterprises and upstream and downstream enterprises each operate their own data cloud platforms and service cloud platforms. Between these cloud platforms there are problems such as low allocation efficiency of data, services and resources, and data islands, so multi-source heterogeneous data sharing, service sharing and resource coordination cannot be realized well. Moreover, in the process of realizing such sharing and coordination, the related data contents, service contents and resources leak easily, which leads to problems such as content tampering and inability to trace, and further deepens the low allocation efficiency and the data islands.
Disclosure of Invention
In view of the above problems, the invention provides a multi-platform interconnection cloud connector system, which can effectively improve the security of data content, service content and resource content, improve deployment efficiency, and break a data island.
The embodiment of the invention provides a multi-platform interconnection cloud connector system, which comprises: a plurality of cloud platforms and cloud connectors, wherein a plurality of the cloud platforms include: the system comprises an automobile manufacturing enterprise informatization cloud platform, a third party multi-value chain cooperation cloud platform and an automobile group enterprise multi-base value chain cooperation cloud platform;
the cloud connector includes: the system comprises a gateway module, a user module, an access control module, an authentication module and an asynchronous processing module;
the gateway module integrates a plurality of external interfaces and a plurality of internal interfaces, the gateway module is connected with a plurality of data integration servers and a plurality of service integration servers by using the plurality of external interfaces, and the gateway module is combined with an Eureka Server to realize user registration micro-service, registration micro-service of the plurality of data integration servers and registration micro-service of the plurality of service integration servers;
the gateway module is connected with the user terminal by using the external interface to realize user identity authentication, management and monitoring services;
the gateway module is connected with the user module, the access control module, the authentication module and the asynchronous processing module by utilizing a plurality of internal interfaces to realize message asynchronous processing, access control and token generation;
the gateway module realizes a load balancing algorithm by using a ribbon to perform load balancing on the request of the user;
the user module is combined with the gateway module and the user terminal to realize the addition, the update, the deletion, the attribute information query and the user information query of user information;
the access control module is combined with the gateway module and the authentication module, verifies the access authority to a resource of a user who has passed user information verification, and performs access control; it also manages access policies, in which the access policy of each resource is added, deleted and updated, and realizes the release, query, deletion and update of resources;
the authentication module is combined with the gateway module and the user terminal, realizes a user authentication function based on OAuth2.0, verifies user information, and encapsulates, generates and issues a token according to user registration information;
the asynchronous processing module is combined with the gateway module, the user terminal, the data integration servers and the service integration servers, registers corresponding message queues aiming at tasks with asynchronous requirements in data integration contents or service integration contents, and sets a task monitor to monitor the message queues;
wherein, the data integration server and the service integration server refer to: classifying respective contents of the automobile manufacturing enterprise information cloud platform, the third-party multi-value chain cooperation cloud platform and the automobile group enterprise multi-base value chain cooperation cloud platform according to data types and service types to obtain data integration contents and service integration contents, storing the data integration contents in a plurality of data integration servers, storing the service integration contents in a plurality of service integration servers, and deploying the data integration servers and the service integration servers in a distributed mode.
Optionally, a plurality of the data integration servers and a plurality of the service integration servers form a server cluster;
in the initial stage of operation, uniformly sending requests sent by users to each server in the corresponding server cluster for processing by using a polling-based mode;
after a certain running time, the gateway module periodically obtains the load and resource condition of each server in the server cluster by using a ribbon, calculates the score of each server, and performs the load balancing based on the scores, specifically including:
acquiring the performance condition of each server, calculating the average performance, and obtaining a reference CPU performance value $P_a$, memory size $M_a$ and network bandwidth value $B_a$;
defining a performance vector $[p_i, m_i, b_i]$ for each server, where $p_i = P_i / P_a$, $m_i = M_i / M_a$, $b_i = B_i / B_a$, $i = 1, 2, 3, \dots, N$, and $P_i$, $M_i$, $B_i$ respectively represent the CPU dominant frequency, the memory size and the network bandwidth of the $i$-th server;
obtaining the CPU load rate $L(C_i)$, memory occupancy rate $L(M_i)$ and network occupancy rate $L(B_i)$ of each server, where $N$ is the number of servers in the server cluster;
calculating an overall performance score $S1_i$ of each server according to its performance vector:
$$S1_i = k_1 \cdot p_i \cdot (1 - L(M_i)) + k_2 \cdot m_i \cdot (1 - L(M_i)) + k_3 \cdot b_i \cdot (1 - L(M_i)), \quad i = 1, 2, 3, \dots, N \qquad (1)$$
where $k_1 + k_2 + k_3 = 1$ and $k_1, k_2, k_3$ represent the weight of each index.
obtaining the average response time $\mathrm{TimeAvg}_i$ of each server and the total response time $\mathrm{TimeTotal}$ of all servers:
$$S2_i = \mathrm{TimeTotal} - \mathrm{TimeAvg}_i, \quad i = 1, 2, 3, \dots, N \qquad (2)$$
where $S2_i$ is inversely related to the response time of each server: the faster the response, the higher the score;
calculating the score $S_i$ of the $i$-th server from the scores given by equations (1) and (2):
$$S_i = a \cdot S1_i + b \cdot S2_i, \quad i = 1, 2, 3, \dots, N \qquad (3)$$
obtaining the score set of all current servers according to formula (3), and mapping all scores in the score set into a ScoreSet:
$$\mathrm{ScoreSet} = \{\, a \cdot S1_i + b \cdot S2_i \,\}, \quad i = 1, 2, 3, \dots, N \qquad (4)$$
where $a + b = 1$ and $a$, $b$ represent the weight of each index.
Optionally, the gateway module implements a load balancing algorithm by using a ribbon, and the specific step of performing load balancing on the request of the user includes:
initializing a timing task, and specifying the starting time and the periodic execution time of the timing task, wherein the timing task is responsible for periodically maintaining the node number and the performance data of the server cluster;
when a user request arrives, if the ScoreSet of any server is empty, returning the next available server address based on a polling mode;
periodically collecting the performance and load indexes of each server when the timing task starts, the indexes being: the CPU, memory size, bandwidth size, CPU occupancy rate, memory occupancy rate, bandwidth occupancy rate and average response time of each server;
calculating the performance score $S1_i$ and the response time score $S2_i$ of each server according to formulas (1) and (2);
calculating the weighted score result $S_i$ according to formula (3), and integrating the scores of all currently available servers to obtain a new ScoreSet list;
when a new user request arrives and the ScoreSet is not empty, calculating a total score TotalScore and mapping the scores of all servers onto the interval $[0, \mathrm{TotalScore}]$, so that each server obtains a sub-interval whose length corresponds to its score; a random number random is drawn in the interval, and the server whose sub-interval contains random is the result of load balancing.
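The scoring and selection procedure above, written out as an added Python example (it is not code from the patent, which describes a Spring Cloud Ribbon implementation). It computes S1_i, S2_i and the ScoreSet as formulas (1) to (4) are printed, keeps polling while the ScoreSet is empty, and maps the scores onto [0, TotalScore) for the random pick. Taking the cluster averages as the reference values P_a, M_a, B_a, taking TimeTotal as the sum of the servers' average response times, the weights, and the server figures are all assumptions constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass
class ServerStats:
    """One server's capacity and load sample (values are constructed for the example)."""
    name: str
    cpu: float       # P_i: CPU dominant frequency
    mem: float       # M_i: memory size
    bw: float        # B_i: network bandwidth
    cpu_load: float  # L(C_i), fraction of capacity in use
    mem_load: float  # L(M_i)
    bw_load: float   # L(B_i)
    time_avg: float  # TimeAvg_i: average response time


# Constructed sample cluster: three servers with different capacity and load.
SERVERS = [
    ServerStats("s1", cpu=3.0, mem=16, bw=100, cpu_load=0.6, mem_load=0.5, bw_load=0.2, time_avg=20),
    ServerStats("s2", cpu=2.0, mem=8, bw=100, cpu_load=0.3, mem_load=0.25, bw_load=0.1, time_avg=30),
    ServerStats("s3", cpu=4.0, mem=24, bw=400, cpu_load=0.1, mem_load=0.0, bw_load=0.05, time_avg=10),
]


def performance_scores(servers, k=(0.5, 0.3, 0.2)):
    """Formula (1): S1_i from the normalised performance vector [p_i, m_i, b_i].
    Reference values P_a, M_a, B_a are taken as the cluster averages (an assumption)."""
    k1, k2, k3 = k
    assert abs(k1 + k2 + k3 - 1) < 1e-9, "weights must sum to 1"
    n = len(servers)
    p_a = sum(s.cpu for s in servers) / n
    m_a = sum(s.mem for s in servers) / n
    b_a = sum(s.bw for s in servers) / n
    scores = []
    for s in servers:
        p_i, m_i, b_i = s.cpu / p_a, s.mem / m_a, s.bw / b_a
        free = 1 - s.mem_load  # formula (1) as printed scales every term by (1 - L(M_i))
        scores.append(k1 * p_i * free + k2 * m_i * free + k3 * b_i * free)
    return scores


def response_scores(servers):
    """Formula (2): S2_i = TimeTotal - TimeAvg_i, with TimeTotal the sum of the
    servers' average response times (an assumption)."""
    time_total = sum(s.time_avg for s in servers)
    return [time_total - s.time_avg for s in servers]


def score_set(servers, a=0.5, b=0.5, k=(0.5, 0.3, 0.2)):
    """Formulas (3)/(4): ScoreSet = {a*S1_i + b*S2_i}, one entry per server."""
    assert abs(a + b - 1) < 1e-9, "weights must sum to 1"
    return [a * s1 + b * s2 for s1, s2 in zip(performance_scores(servers, k), response_scores(servers))]


def pick_by_score(servers, scores, r):
    """Server i owns a sub-interval of length S_i inside [0, TotalScore);
    the server whose sub-interval contains r is chosen."""
    upper = 0.0
    for server, sc in zip(servers, scores):
        upper += sc
        if r < upper:
            return server
    return servers[-1]  # r == TotalScore edge case


class RoundRobin:
    """Polling used while the ScoreSet is still empty."""

    def __init__(self, servers):
        self.servers, self.i = servers, 0

    def next(self):
        server = self.servers[self.i % len(self.servers)]
        self.i += 1
        return server


class Balancer:
    """Gateway-side decision: polling before the first timing-task run, score-weighted random after."""

    def __init__(self, servers):
        self.servers, self.rr, self.scores = servers, RoundRobin(servers), []

    def refresh(self):
        """What the periodic timing task does: rebuild the ScoreSet from fresh samples."""
        self.scores = score_set(self.servers)

    def choose(self, rng=random):
        if not self.scores:
            return self.rr.next()
        return pick_by_score(self.servers, self.scores, rng.uniform(0, sum(self.scores)))


if __name__ == "__main__":
    lb = Balancer(SERVERS)
    print("before first refresh:", [lb.choose().name for _ in range(4)])
    lb.refresh()
    print("ScoreSet:", [round(s, 3) for s in lb.scores])
    print("after refresh:", [lb.choose().name for _ in range(8)])
```

Because S1_i is of order 1 while S2_i is measured in the response-time unit, the weights a and b also set the relative influence of the two scores; the test values below use a = b = 0.5 with the constructed figures.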
Optionally, the specific steps by which the authentication module, in combination with the gateway module and the user terminal, realizes user authentication based on OAuth2.0 and generates and issues a token by encapsulation according to the user registration information include:
a user initiates an authentication request carrying a user name and a password, and the gateway module routes the authentication request to an authentication center;
the authentication center queries the user information through the user micro-service provided by the Eureka Server and verifies the user information;
if the verification passes, a JWT token is generated as the carrier of the token according to the attribute information of the user, the token identifier is returned to the user, and the JWT token is stored in Redis.
Optionally, the specific steps by which the access control module, in combination with the gateway module and the authentication module, verifies the access right to a resource of a user who has passed user information verification and performs access control include:
when a user accesses a resource, a resource access request carrying a token is sent to the gateway module, where the resource refers to data integration content or service integration content;
the authentication module verifies the token together with the access control service, the verification comprising: verifying the validity of the token and verifying its expiration time;
after the verification is correct, the authentication module analyzes the carrier of the token to acquire the attribute information of the user and then verifies the integrity of the attribute information of the user;
the access control module inquires an access strategy corresponding to the resource information according to the resource information of the resource access request;
the access control module calls an attribute-based access control method to check whether the attribute information of the user accords with the access strategy of the corresponding resource information;
the access control module returns the inspection result to the gateway module;
and the gateway module performs passing or refusing operation on the resource access request based on the verification result.
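The token issuance and token verification steps described in the two procedures above, as an added Python example; this is not the patent's code, and it uses a hand-signed HS256 JWT so it runs with the standard library only. An in-memory dict stands in for the user micro-service, another dict stands in for Redis, and the signing key, salt, user record, token lifetime and the rule that "integrity of the attribute information" means the token's attributes match the copy stored at issuance are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key, salt and user record for the example (not values from the patent).
SIGNING_KEY = b"constructed-authentication-center-hmac-key"
TOKEN_TTL = 3600  # assumed token lifetime in seconds
_SALT = b"constructed-salt"


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Stands in for the user micro-service the authentication centre reaches via Eureka.
USER_STORE = {
    "alice": {
        "salt": _SALT,
        "pw": _pw_hash("correct horse", _SALT),
        "attrs": {"platform_id": "P01", "enterprise_id": "C01", "enterprise_type": "T01"},
    },
}
# Stands in for Redis: token id (jti) -> copy of the attributes issued with that token.
TOKEN_STORE = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64(hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest())


def issue_token(username, password, now=None):
    """Authentication request: check the credentials, then build, sign and store a JWT.
    Returns the compact token, or None when verification fails."""
    now = int(time.time()) if now is None else now
    rec = USER_STORE.get(username)
    # Hash even for unknown users so the two failure paths take similar time.
    salt, expected = (rec["salt"], rec["pw"]) if rec else (_SALT, b"\0" * 32)
    if not hmac.compare_digest(_pw_hash(password, salt), expected) or rec is None:
        return None
    jti = secrets.token_hex(16)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = {"sub": username, "jti": jti, "iat": now, "exp": now + TOKEN_TTL, "attrs": rec["attrs"]}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    signature = _sign(f"{header}.{body}".encode())
    TOKEN_STORE[jti] = dict(rec["attrs"])  # "store the JWT token into Redis"
    return f"{header}.{body}.{signature}"


def verify_token(token, now=None):
    """Resource access request: check validity (signature) and expiry, look the token up
    in the store, parse the carrier and cross-check its attributes against the stored copy.
    Returns (True, attrs) or (False, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header, body, signature = parts
    if not hmac.compare_digest(_sign(f"{header}.{body}".encode()), signature):
        return False, "invalid signature"
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) <= now:
        return False, "expired"
    stored = TOKEN_STORE.get(payload.get("jti"))
    if stored is None:
        return False, "unknown or revoked token"
    if stored != payload.get("attrs"):
        return False, "attribute integrity check failed"
    return True, payload["attrs"]


if __name__ == "__main__":
    tok = issue_token("alice", "correct horse")
    print("issued:", tok)
    print("verify:", verify_token(tok))
```

The signature is checked before the payload is parsed, so a tampered or truncated token never reaches the JSON decoder, and keeping a server-side copy of the attributes keyed by jti is what lets the gateway revoke a token simply by deleting that key.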
Optionally, the access policy is implemented based on a CP-ABE encryption scheme: a user's private decryption key is associated with the user's set of attribute information, and the access policy is associated with data integration content or service integration content. The attribute information of the user includes at least one platform ID, at least one enterprise ID and at least one enterprise type, where the platform ID is the ID of any one of the cloud platforms that the cloud connector provides to the user for operation and use, and is the coarsest division granularity; and the enterprise ID is the ID of any of the enterprises providing data integration content and service integration content for the cloud connector system, and is the finest granularity;
the access policy is a tree structure and is represented as a character string when stored. The value of a non-leaf node is a string of the form "k of n", where n is the number of child nodes and k is the minimum number of child nodes that must be satisfied;
a node value of "1 of n" represents an OR gate, satisfied when any one of the attributes in the child nodes is met; a node value of "n of n" represents an AND gate, which returns true only when all child nodes satisfy the condition; a leaf node represents an attribute and its value, and the value "*" matches all values of the current attribute;
taking the platform ID as an example: "*" represents the set of all platform IDs {P01, P02, ...}, P01 represents the specific ID of one cloud platform and P02 the specific ID of another cloud platform;
taking the enterprise ID as an example: "*" represents the set of all enterprises {C01, C02, ...} under a specified platform ID, C01 represents the specific ID of an enterprise that provides data integration content and service integration content for the cloud platform P01, and C02 represents the specific ID of another such enterprise for the cloud platform P01;
taking the enterprise type as an example: "*" represents the set of all enterprise types {T01, T02, ...} under a specified platform ID, where T01 represents the enterprise type of an enterprise that provides data integration content and service integration content for the cloud platform P02, and T02 represents the enterprise type of another such enterprise for the cloud platform P02;
the access control result for the resource returns true only if each node in the tree structure satisfies its condition; otherwise it returns false.
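A parser and evaluator for the "k of n" policy tree described above, as an added Python example; it is not the patent's code and performs no CP-ABE cryptography, only the policy-satisfaction check that decides the access control result. The patent does not give the exact string serialisation, so the example assumes a parenthesised form, `(k of n child ...)` for threshold nodes and `(attr = value)` for leaves with `*` as the any-value wildcard; the attribute names and the sample users are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PolicyNode:
    """Threshold node ('k of n' over children) or leaf (attr = value; '*' matches any value)."""
    k: int = 0
    n: int = 0
    attr: str = None
    value: str = None
    children: list = field(default_factory=list)

    @property
    def is_leaf(self):
        return self.attr is not None


def parse_policy(text):
    """Parse the assumed string form, e.g.
    '(2 of 2 (platform_id = P01) (1 of 2 (enterprise_id = C01) (enterprise_type = *)))'.
    Raises ValueError for any malformed policy so callers can default to deny."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    node, pos = _parse(tokens, 0)
    if pos != len(tokens):
        raise ValueError("trailing tokens after policy root")
    return node


def _parse(tokens, i):
    try:
        if tokens[i] != "(":
            raise ValueError("expected '('")
        if tokens[i + 2] == "=":  # leaf: (attr = value)
            if tokens[i + 4] != ")":
                raise ValueError("leaf must be (attr = value)")
            return PolicyNode(attr=tokens[i + 1], value=tokens[i + 3]), i + 5
        if tokens[i + 2] != "of":
            raise ValueError("expected 'k of n' or 'attr = value'")
        k, n = int(tokens[i + 1]), int(tokens[i + 3])
        i += 4
        children = []
        while tokens[i] != ")":
            child, i = _parse(tokens, i)
            children.append(child)
    except IndexError:
        raise ValueError("unterminated policy string") from None
    # The declared n must match the real child count; 1 of n is OR, n of n is AND.
    if len(children) != n or not 1 <= k <= n:
        raise ValueError(f"bad threshold {k} of {n} with {len(children)} children")
    return PolicyNode(k=k, n=n, children=children), i + 1


def satisfies(node, attrs):
    """attrs maps attribute name -> set of values the user holds (a user may hold several)."""
    if node.is_leaf:
        held = attrs.get(node.attr, set())
        return bool(held) if node.value == "*" else node.value in held
    return sum(satisfies(child, attrs) for child in node.children) >= node.k


def access_allowed(policy_text, attrs):
    """Default-deny wrapper: an unparsable policy never grants access."""
    try:
        return satisfies(parse_policy(policy_text), attrs)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed policy: platform P01 AND (enterprise C01 OR any enterprise type).
    policy = "(2 of 2 (platform_id = P01) (1 of 2 (enterprise_id = C01) (enterprise_type = *)))"
    user = {"platform_id": {"P01"}, "enterprise_id": {"C02"}, "enterprise_type": {"T05"}}
    print(access_allowed(policy, user))
```

Validating that the declared n equals the number of children and that 1 <= k <= n is what keeps a malformed stored policy from silently turning into an always-true or always-false gate; the wrapper treats any parse failure as a denial.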
Optionally, the process of performing access control includes:
encryption algorithm initialization stage: a system public key PK and a system master key MK are generated from an input security parameter k; PK is published within the cloud connector system and is used by users for attribute encryption, while MK is kept secret by the cloud connector system;
key generation stage: executed during user registration; the cloud connector system generates an attribute private key for the user from the system master key MK and the user's attribute information;
resource release stage: access policies are set through the attribute encryption algorithm for the external interfaces corresponding to data integration and service integration respectively; with M the plaintext information of an external interface, M, the system public key PK and the access control policy T are taken as input, and M is attribute-encrypted according to the access control policy to generate a ciphertext CT;
resource acquisition stage: used to judge whether the user's authority conforms to the access policy of the resource information; the user's attribute private key $SK_{attr}$ and the ciphertext CT are taken as input, and the attribute information contained in the private key is used to attempt to decrypt the access policy structure T contained in the ciphertext CT; if decryption succeeds, the result is returned to the gateway module, which releases the resource access request, otherwise the gateway module refuses the operation.
Optionally, in the process of processing the asynchronous demand task by the asynchronous processing module, three roles are defined: the system comprises a production end, a message queue and a consumption end, so that the message has reliability in the delivery process;
for the production end: a message confirmation mechanism is started at the production end, a unique identifier is generated for each message, the message identifier, the message content and the delivered message queue are stored in Redis before message delivery is carried out, and then actual message delivery is carried out;
if the message is delivered to the appointed message queue, the message queue returns a confirmation to the production end, the confirmation comprises the unique identifier of the message, and the message temporarily stored in the Redis is deleted through the unique identifier;
if the message delivery fails, the production end receives the confirmation of delivery errors, the confirmation comprises a specified message identifier, and the message stored in the Redis is taken out again through the message identifier to be delivered again, so that the message sent by the production end is ensured not to be lost;
for the message queue: when the exchange (switch) is created it is persisted, the message queue metadata is persisted, and when a message is delivered it is persisted to the local disk, so that the message queue metadata and messages not yet consumed are not lost when the message middleware goes down;
for the consumer end: confirming each message by starting a manual confirmation mode at the consumption end, returning ACK after the consumption end successfully processes the message, and deleting the corresponding message after the message queue receives the confirmation;
and if the processing of the consumption end fails, returning NACK, so that the message is re-consumed in the message queue, and the message is ensured not to be lost when an exception occurs in the service processing process.
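The three-role reliability scheme above (producer confirms with a Redis-staged copy, a persisting queue, and manual consumer ACK/NACK), as an added Python example that is not the patent's code. A dict stands in for Redis and an in-process class stands in for the message middleware; the `drop_next` hook that makes a delivery fail is a test device, and message bodies are constructed.

```python
import uuid
from collections import deque


class RedisStandIn(dict):
    """In-memory stand-in for the Redis staging store: message id -> {queue, body}."""


class Broker:
    """Stand-in for the message middleware: queues plus a confirm channel.
    In a real deployment the queues and messages would be durable; here a deque holds them."""

    def __init__(self):
        self.queues = {}      # queue name -> deque of (msg_id, body)
        self.unacked = {}     # msg_id -> (queue, body) handed to a consumer, awaiting ACK/NACK
        self.drop_next = 0    # test hook: number of upcoming deliveries to fail

    def declare_queue(self, name):
        self.queues.setdefault(name, deque())

    def publish(self, queue, msg_id, body):
        """Confirm channel: ('ack', msg_id) on success, ('nack', msg_id) on delivery error."""
        if self.drop_next > 0:
            self.drop_next -= 1
            return "nack", msg_id
        if queue not in self.queues:
            return "nack", msg_id
        self.queues[queue].append((msg_id, body))
        return "ack", msg_id

    def deliver(self, queue):
        """Hand one message to a consumer; it stays tracked until ACK or NACK."""
        if not self.queues.get(queue):
            return None
        msg_id, body = self.queues[queue].popleft()
        self.unacked[msg_id] = (queue, body)
        return msg_id, body

    def ack(self, msg_id):
        self.unacked.pop(msg_id, None)       # delete the message after confirmation

    def nack(self, msg_id):
        queue, body = self.unacked.pop(msg_id)
        self.queues[queue].appendleft((msg_id, body))   # requeue for re-consumption


class Producer:
    """Production end with the confirmation mechanism enabled."""

    def __init__(self, broker, staging):
        self.broker, self.staging = broker, staging

    def send(self, queue, body):
        msg_id = uuid.uuid4().hex                         # unique identifier per message
        self.staging[msg_id] = {"queue": queue, "body": body}   # stage before delivery
        return self._deliver(msg_id)

    def _deliver(self, msg_id):
        rec = self.staging[msg_id]
        status, confirmed_id = self.broker.publish(rec["queue"], msg_id, rec["body"])
        if status == "ack":
            self.staging.pop(confirmed_id, None)          # delete the staged copy
            return True
        return False                                      # keep it staged for redelivery

    def redeliver_pending(self):
        """Retry every message whose delivery was not confirmed; returns how many succeeded."""
        return sum(self._deliver(msg_id) for msg_id in list(self.staging))


class Consumer:
    """Consumption end in manual-confirmation mode."""

    def __init__(self, broker):
        self.broker = broker

    def consume_one(self, queue, handler):
        """Returns True on ACK, False on NACK, None when the queue is empty."""
        item = self.broker.deliver(queue)
        if item is None:
            return None
        msg_id, body = item
        try:
            handler(body)
        except Exception:
            self.broker.nack(msg_id)                      # processing failed: requeue
            return False
        self.broker.ack(msg_id)
        return True


if __name__ == "__main__":
    broker, staging = Broker(), RedisStandIn()
    broker.declare_queue("tasks")
    producer, consumer = Producer(broker, staging), Consumer(broker)
    broker.drop_next = 1
    print("first send confirmed:", producer.send("tasks", "job-1"), "staged:", len(staging))
    print("redelivered:", producer.redeliver_pending(), "staged:", len(staging))
    print("consumed:", consumer.consume_one("tasks", lambda body: None))
```

The staged copy is written before `publish` is called and removed only on the broker's confirmation, so a crash between the two leaves a record to replay rather than a lost message; on the consuming side the message is removed from the queue only after the handler returns without raising.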
Compared with the prior art, the multi-platform interconnection cloud connector system provided by the invention uses the cloud connector to combine the respective cloud platforms of the multiple enterprises involved in the automobile industry. The cloud connector system acts as a cross-platform message bus and provides a message transmission mechanism, cross-platform data format conversion, a function adaptation interface and the like. For multi-source heterogeneous automobile industry big data, the multi-platform distributed data integration and service integration based on the cloud connector comprise key technologies such as a data mode association network and service synchronization and coordination, achieve interconnection and intercommunication integration of multiple types of cloud platforms, support multi-value-chain service flow fusion and system integration, and achieve development of data/service resources among multiple platforms, unified management of resources, data sharing among multiple platforms and service cooperation. The isolated state of data is broken, data sharing, service sharing and resource coordination are achieved conveniently, requirements such as non-tampering and traceability of content are met, and the system can serve a wide range of automobile manufacturing core enterprises and related enterprises well.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a diagram of a load balancing architecture in an embodiment of the present invention;
FIG. 2 is a schematic diagram of an access control policy in an embodiment of the invention;
fig. 3 is a schematic structural diagram of an overall functional module of the cloud connector according to the embodiment of the present invention;
fig. 4 is a schematic structural diagram of overall functional modules of the cloud connector in the embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are some, but not all, of its embodiments.
The invention provides a multi-platform interconnection cloud connector system comprising a plurality of cloud platforms and a cloud connector, where the plurality of cloud platforms include an automobile manufacturing enterprise informatization cloud platform, a third-party multi-value chain cooperation cloud platform, an automobile group enterprise multi-base value chain cooperation cloud platform and the like. That is, any cloud platform related to the automobile industry, or a website or platform built by an enterprise itself, can be regarded as one of the plurality of cloud platforms.
The cloud connector serves as a cross-platform message bus and provides functions of a message transmission mechanism, cross-platform data format conversion, a function adaptation interface and the like. Aiming at multi-source heterogeneous manufacturing big data, multi-platform distributed data integration and service integration based on a cloud connector are achieved. The cloud connector adopts key technologies such as data mode associated network, service synchronization and coordination and the like to realize interconnection and intercommunication integration of multiple types of platforms. For example, the plurality of platforms illustratively include: the system comprises a third-party multi-value chain collaborative cloud service platform, a group enterprise multi-base value chain collaborative cloud service platform and an enterprise informatization platform.
The cloud connector supports multi-value chain business process fusion and system integration, integrates data content and service content of the platforms together, and achieves data/service resource development among the platforms, unified management of resources, data sharing among the platforms and service collaboration.
In order to better explain and explain the cloud connector system according to the embodiment of the present invention, the overall structure is illustrated by taking the general architecture diagram of the cloud connector shown in fig. 1 as an example. In fig. 1, the cloud connector is connected with a third-party multi-value chain collaborative cloud service platform, a group enterprise multi-base value chain collaborative cloud service platform and an enterprise informatization platform, receives data of the platforms, performs cross-platform data format conversion, performs a message transmission mechanism, performs load balancing, and provides a function adaptation interface.
Through these functions and interfaces, the calling interface, load balancing, identity management and access control for externally provided data integration and service integration are realized. Load balancing includes, but is not limited to: comprehensively considering the server resources and resource occupancy rates together with the response time under actual operating conditions, calculating a score from these indexes, and balancing the load according to the score. Identity management and access control include, but are not limited to: fine-grained attribute-based access control and unified identity management. Finally, the aims of developing the respective data/service resources, unifying resources (data resources and service resources), data sharing, service cooperation, and identity and authority authentication are fulfilled.
In an embodiment of the present invention, a cloud connector includes: the system comprises a gateway module, a user module, an access control module, an authentication module and an asynchronous processing module. The gateway module integrates a plurality of external interfaces and a plurality of internal interfaces, and the gateway module is connected with a plurality of data integration servers and a plurality of service integration servers by using the plurality of external interfaces. Here, the data integration server and the service integration server refer to: the method comprises the steps of classifying the contents of various platforms according to data types and service types to obtain data integration contents and service integration contents, storing the data integration contents in a plurality of data integration servers, storing the service integration contents in a plurality of service integration servers, and deploying the data integration servers and the service integration servers in a distributed mode.
Data integration and service integration are used as core services provided by the interconnection module, and the core services need to have the characteristics of high availability, high performance and the like, so that the data integration and service integration functions are provided by a plurality of servers simultaneously by adopting a distributed mode for deployment, and the problem of single-point failure is avoided.
The gateway module is also combined with the Eureka Server to realize the registration microservices of the user, the registration microservices of a plurality of data integration servers and the registration microservices of a plurality of service integration servers; the gateway module is connected with the user terminal by using an external interface to realize user identity authentication, management and monitoring services; the gateway module is connected with the user module, the access control module, the authentication module and the asynchronous processing module by utilizing a plurality of internal interfaces to realize message asynchronous processing, access control and token generation;
the gateway module also utilizes a ribbon to realize a load balancing algorithm to carry out load balancing on the request of the user. For example, take the load balancing architecture diagram shown in fig. 2 as an example: data integration and service integration, and a service gateway (i.e., a gateway module) and the like are registered in the Eureka Server in a microservice manner. Under distributed deployment, since multiple servers (the service integration server 1, the data integration server 1, and the data integration server 2 are exemplarily shown in fig. 2) may have different performances due to different deployment environments or resources such as CPUs, memories, bandwidths, and the like of the servers, embodiments of the present invention employ a load balancing algorithm, comprehensively consider server resource and resource occupancy rates, and response times in actual operating conditions, calculate scores based on these indices, and perform load balancing according to the scores.
In the embodiment of the present invention, it may be considered that a plurality of data integration servers and a plurality of service integration servers form a server cluster; in the initial stage of operation, the load of the server is relatively low, so that the load condition of the server is not considered in the initial stage, and the request sent by the user is uniformly sent to each server in the corresponding server cluster for processing by using a polling mode.
After a certain running time, the gateway module periodically obtains the load and resource condition of each server in the server cluster by using a ribbon, calculates the score of each server, and performs load balancing based on the scores, specifically including:
acquiring the performance condition of each server, calculating the average performance, and obtaining a reference CPU performance value $P_a$, memory size $M_a$ and network bandwidth value $B_a$;
defining a performance vector $[p_i, m_i, b_i]$ for each server, where $p_i = P_i / P_a$, $m_i = M_i / M_a$, $b_i = B_i / B_a$, $i = 1, 2, 3, \dots, N$, and $P_i$, $M_i$, $B_i$ respectively represent the CPU dominant frequency, the memory size and the network bandwidth of the $i$-th server;
obtaining the CPU load rate $L(C_i)$, memory occupancy rate $L(M_i)$ and network occupancy rate $L(B_i)$ of each server, where $N$ is the number of servers in the server cluster;
calculating an overall performance score $S1_i$ of each server according to its performance vector:
$$S1_i = k_1 \cdot p_i \cdot (1 - L(M_i)) + k_2 \cdot m_i \cdot (1 - L(M_i)) + k_3 \cdot b_i \cdot (1 - L(M_i)), \quad i = 1, 2, 3, \dots, N \qquad (1)$$
where $k_1 + k_2 + k_3 = 1$ and $k_1, k_2, k_3$ represent the weight of each index.
obtaining the average response time $\mathrm{TimeAvg}_i$ of each server and the total response time $\mathrm{TimeTotal}$ of all servers:
$$S2_i = \mathrm{TimeTotal} - \mathrm{TimeAvg}_i, \quad i = 1, 2, 3, \dots, N \qquad (2)$$
where $S2_i$ is inversely related to the response time of each server: the faster the response, the higher the score;
calculating the score $S_i$ of the $i$-th server from the scores given by equations (1) and (2):
$$S_i = a \cdot S1_i + b \cdot S2_i, \quad i = 1, 2, 3, \dots, N \qquad (3)$$
obtaining the score set of all current servers according to formula (3), and mapping all scores in the score set into a ScoreSet:
$$\mathrm{ScoreSet} = \{\, a \cdot S1_i + b \cdot S2_i \,\}, \quad i = 1, 2, 3, \dots, N \qquad (4)$$
where $a + b = 1$ and $a$, $b$ represent the weight of each index.
In the embodiment of the present invention, the gateway module uses Ribbon to implement the load balancing algorithm, and the specific steps of balancing the user's requests include:
step S1: initialising a timing task and specifying its start time and execution period; the timing task is responsible for periodically maintaining the node count and the performance data of the server cluster;
step S2: when a user request arrives and the ScoreSet is still empty, meaning that no server score has been computed yet, the next available server address is returned in round-robin (polling) mode;
step S3: once the timing task starts, the performance and load indices of each server are collected periodically, namely the CPU, memory size, bandwidth, CPU occupancy rate, memory occupancy rate, bandwidth occupancy rate and average response time of each server;
step S4: calculating the performance score $S1_i$ of each server according to equation (1) and the response time score $S2_i$ according to equation (2);
step S5: calculating the weighted score $S_i$ according to equation (3) and combining the scores of all currently available servers into a new ScoreSet list;
step S6: when a new user request arrives and the score set is no longer empty, a total score TotalScore is calculated and the scores of all servers are mapped onto the interval [0, TotalScore], so that each server receives a sub-interval whose length corresponds to its score; a random number within the interval is drawn, and the server whose sub-interval contains that random number is the result of load balancing.
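The scoring and interval selection of steps S1 to S6 worked through in Python, as an added example that is not code from the patent. Equation (1) as printed applies $L(M_i)$ in all three terms; this example pairs each term with its own occupancy rate from step S3 (CPU with $L(C_i)$, memory with $L(M_i)$, bandwidth with $L(B_i)$), which is an assumption, and the cluster figures are constructed.

```python
"""Score-based load balancing of equations (1)-(4) and steps S1-S6 (added example).
Assumption: each performance term is weighted by its own occupancy rate (CPU by L(C_i),
memory by L(M_i), bandwidth by L(B_i)), matching the indices listed in step S3."""
import random
from dataclasses import dataclass


@dataclass
class ServerStats:
    """Indices collected by the timing task for one server (constructed sample data)."""
    name: str
    cpu_ghz: float      # P_i, CPU clock frequency
    mem_gb: float       # M_i, memory size
    bw_mbps: float      # B_i, network bandwidth
    cpu_load: float     # L(C_i), 0..1
    mem_load: float     # L(M_i), 0..1
    bw_load: float      # L(B_i), 0..1
    avg_resp_ms: float  # TimeAvg_i


def performance_scores(servers, k=(1 / 3, 1 / 3, 1 / 3)):
    """Equation (1): S1_i from the performance vector [p_i, m_i, b_i] and the load rates."""
    if abs(sum(k) - 1.0) > 1e-9:
        raise ValueError("k1 + k2 + k3 must equal 1")
    n = len(servers)
    p_a = sum(s.cpu_ghz for s in servers) / n      # reference CPU value P_a
    m_a = sum(s.mem_gb for s in servers) / n       # reference memory size M_a
    b_a = sum(s.bw_mbps for s in servers) / n      # reference bandwidth B_a
    scores = {}
    for s in servers:
        p_i, m_i, b_i = s.cpu_ghz / p_a, s.mem_gb / m_a, s.bw_mbps / b_a
        scores[s.name] = (k[0] * p_i * (1 - s.cpu_load)
                          + k[1] * m_i * (1 - s.mem_load)
                          + k[2] * b_i * (1 - s.bw_load))
    return scores


def response_scores(servers):
    """Equation (2): S2_i = TimeTotal - TimeAvg_i, so a faster server scores higher."""
    total = sum(s.avg_resp_ms for s in servers)
    return {s.name: total - s.avg_resp_ms for s in servers}


def score_set(servers, a=0.5, b=0.5):
    """Equations (3)-(4): weighted score S_i per server. S1_i is dimensionless while
    S2_i is in milliseconds, so a and b must be chosen with that scale in mind."""
    if abs(a + b - 1.0) > 1e-9:
        raise ValueError("a + b must equal 1")
    s1, s2 = performance_scores(servers), response_scores(servers)
    return {name: a * s1[name] + b * s2[name] for name in s1}


def pick_by_score(scores, r):
    """Step S6: map the scores onto [0, TotalScore) and return the server whose
    sub-interval contains the point r * TotalScore, r being uniform in [0, 1)."""
    total = sum(scores.values())
    if total <= 0:
        raise ValueError("ScoreSet has no positive scores")
    point, upper = r * total, 0.0
    for name, score in scores.items():
        upper += score
        if point < upper:
            return name
    return name  # floating-point rounding guard: fall into the last interval


class ScoreRule:
    """Minimal stand-in for a custom Ribbon rule: round-robin until the first periodic
    refresh has filled the ScoreSet (step S2), weighted-random selection afterwards (S6)."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.scores = {}      # empty until the timing task has run
        self._rr = 0

    def refresh(self, a=0.5, b=0.5):
        """Steps S3-S5, executed by the timing task on every period."""
        self.scores = score_set(self.servers, a, b)

    def choose(self, rng=random):
        if not self.scores:
            srv = self.servers[self._rr % len(self.servers)]
            self._rr += 1
            return srv.name
        return pick_by_score(self.scores, rng.random())


# Constructed sample cluster: A is average and half loaded, B is weaker but idle,
# C is the fastest box but completely saturated.
SAMPLE = [
    ServerStats("A", 3.0, 16, 1000, 0.5, 0.5, 0.5, 100),
    ServerStats("B", 2.0, 8, 500, 0.0, 0.0, 0.0, 200),
    ServerStats("C", 4.0, 24, 1500, 1.0, 1.0, 1.0, 300),
]

if __name__ == "__main__":
    rule = ScoreRule(SAMPLE)
    print("before refresh:", [rule.choose() for _ in range(3)])
    rule.refresh()
    print("scores:", rule.scores)
    print("after refresh:", [rule.choose() for _ in range(5)])
```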
In the embodiment of the invention, the user module, in combination with the gateway module and the user terminal, implements adding, updating and deleting user information as well as querying attribute information and user information.
In the embodiment of the invention, the access control module, in combination with the gateway module and the authentication module, verifies a user's access authority to a resource once the user information has been verified and performs access control; it is also provided with access policies, adds, deletes and updates the access policy of each resource, and implements the publishing, querying, deleting and updating of resources.
In the multi-platform interconnection and intercommunication process there is a large amount of important data from the enterprise supply/marketing/service value chain, such as information on component purchasing, warehousing and distribution, and data sharing and service cooperation suffer from problems such as repeated authentication of users and cumbersome access management.
To address these problems, the embodiment of the invention adopts unified identity management and a fine-grained access control mechanism based on attribute-based encryption, providing trusted identity management and authorisation for data integration and service integration among the multi-value-chain platforms. At the same time, a stateless token-based authorisation mechanism is adopted, which reduces the security risk during authority distribution and improves the efficiency of authorisation for data integration and service integration.
For identity authentication: the authentication module, in combination with the gateway module and the user terminal, implements user authentication based on OAuth 2.0, verifies the user information, and encapsulates, generates and issues a token according to the user's registration information. Identity authentication comprises the following specific steps:
step T1: the user initiates an authentication request carrying a user name and a password, and the gateway module routes the request to the authentication centre;
step T2: the authentication centre queries the user information through the user microservice provided by the Eureka Server and verifies it;
step T3: if the verification passes, a JWT is generated from the user's attribute information as the carrier of the token, the token identification is returned to the user, and the JWT is stored in Redis.
For access control, authentication and authorisation are combined. The specific steps of access control include:
step V1: when a user accesses a resource, a resource access request carrying the token is sent to the gateway module; a resource here refers to data integration content or service integration content;
step V2: the authentication module verifies the token together with the access control service; the verification includes checking the validity of the token and checking its expiration time;
step V3: after the verification succeeds, the authentication module parses the carrier of the token to obtain the user's attribute information and then verifies the integrity of that attribute information;
step V4: the access control module looks up the access policy corresponding to the resource information given in the resource access request;
step V5: the access control module calls the attribute-based access control method to check whether the user's attribute information satisfies the access policy of the corresponding resource;
step V6: the access control module returns the check result to the gateway module;
step V7: the gateway module passes or rejects the resource access request on the basis of the check result.
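Steps T3 and V2 to V3 as an added Python example, not code from the patent: an HS256 JWT carrying the user's attributes is issued, and a token presented later is checked for algorithm, signature, expiry, presence of its jti in the token store and completeness of the attribute set. The attribute names platform/enterprise/type, shared-secret signing and a dict standing in for the Redis token store are assumptions.

```python
"""Token issue (step T3) and token verification (steps V2-V3) with an HS256 JWT (added
example). Assumptions: attributes {platform, enterprise, type}, a shared signing secret,
and a dict standing in for the Redis store of issued tokens."""
import base64
import hashlib
import hmac
import json

REQUIRED_ATTRS = {"platform", "enterprise", "type"}   # assumed attribute names


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def issue_token(secret, token_store, jti, attrs, now, ttl_s=900):
    """Step T3: wrap the user's attributes in a JWT, keep it in the store under its jti,
    and return the jti (token identification) together with the JWT (token body)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"jti": jti, "iat": now, "exp": now + ttl_s, "attrs": attrs}
    signing_input = ".".join(
        _b64url(json.dumps(part, sort_keys=True, separators=(",", ":")).encode())
        for part in (header, payload))
    jwt = signing_input + "." + _b64url(_sign(secret, signing_input))
    token_store[jti] = jwt
    return jti, jwt


def verify_token(secret, token_store, jwt, now):
    """Steps V2-V3: return (attrs, "ok") or (None, reason). Checks, in order: shape,
    algorithm pinned to HS256, signature, expiry, jti still present in the store
    (so deleting the entry revokes the token), and completeness of the attribute set."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None, "unsupported alg"        # refuses alg=none and key confusion
        if not hmac.compare_digest(_sign(secret, f"{h}.{p}"), _b64url_decode(s)):
            return None, "bad signature"
        payload = json.loads(_b64url_decode(p))
    except ValueError:                            # bad base64, bad JSON, bad UTF-8
        return None, "malformed"
    if not isinstance(payload, dict):
        return None, "malformed"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None, "expired"
    if token_store.get(payload.get("jti")) != jwt:
        return None, "unknown or revoked jti"     # identification no longer in the store
    attrs = payload.get("attrs")
    if not isinstance(attrs, dict) or not REQUIRED_ATTRS <= set(attrs):
        return None, "incomplete attributes"
    return attrs, "ok"


if __name__ == "__main__":
    store, secret = {}, b"constructed-demo-secret"   # constructed values
    jti, tok = issue_token(secret, store, "jti-1",
                           {"platform": "P01", "enterprise": "C01", "type": "T01"}, now=1000)
    print(verify_token(secret, store, tok, now=1100))
    print(verify_token(secret, store, tok, now=5000))
```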
In the embodiment of the invention, the external interfaces of service integration and data integration are access controlled in CP-ABE fashion: the ciphertext can be decrypted successfully only when the accessing user holds an attribute structure that satisfies the policy.
Data sharing here means that automobile manufacturing enterprises or service-providing manufacturers publish idle capacity information to potential customers, and the enterprises participating in sharing across the platforms cover every link of the ecosystem of the whole automobile industry. In data sharing an enterprise is the basic unit of participation, so the attribute information of a user includes at least one platform ID and at least one enterprise type. The platform ID is the ID of whichever of the several cloud platforms served by the cloud connector the user operates on, and is the coarsest division granularity. The enterprise ID is the ID of an enterprise providing data integration content and service integration content to the cloud connector system; the enterprise ID attribute is the finest granularity.
The selectable range of attribute definition for capacity data sharing in the embodiment of the present invention is shown in table 1 below:
Table 1: data sharing attribute definition table
[Table 1 is reproduced as an image in the original and is not available here.]
Table 1 above is merely exemplary for better explanation of the present invention and does not represent that the data sharing attribute definition may be in such a form only, or consist of only these contents.
In a CP-ABE based encryption scheme, a user's private decryption key is associated with a set of attributes, while an access policy is associated with the data. An access policy is a set of tree structured rules that are built for data resources based on attribute values. The access policy may be formed by any combination of attributes such as the platform ID, the enterprise ID, and the enterprise type mentioned in table 1, and the access policy may include all attributes in the attribute information of the user, or may include some attributes in the attribute information of the user.
For example, taking the access control policy diagram shown in fig. 3 as an example: defining the policy P as accessible to an enterprise with an enterprise type T01 in the platform P01, the attribute information (platforms P01, C01, T01) of the user A conforms to the policy to access the resource, and the attribute information (platforms P02, C01, T01) of the user B does not conform to the platform ID attribute, so that the access is denied.
It can be seen that an access policy is a tree structure, represented as a character string when stored. The value of a non-leaf node is a string of the form "k of n", where n is the number of child nodes and k is the minimum number of child nodes that must be satisfied;
a node value of "1 of n" represents an OR gate: satisfying any one of the child attributes suffices; a node value of "n of n" represents an AND gate: true is returned only when every child node satisfies its condition; a leaf node represents an attribute and its value, and the value "*" stands for every value matching the current attribute;
taking the platform ID as an example: "*" represents the set of all platform IDs {P01, P02, ...}, where P01 is the specific ID of one cloud platform and P02 the specific ID of another;
taking the enterprise ID as an example: "*" represents the set of all enterprises {C01, C02, ...} under the specified platform ID, where C01 is the specific ID of an enterprise providing data integration content and service integration content to cloud platform P01, and C02 that of another such enterprise on cloud platform P01;
taking the enterprise type as an example: "*" represents the set of all enterprise types {T01, T02, ...} under the specified platform ID, where T01 is the enterprise type of an enterprise providing data integration content and service integration content to cloud platform P02, and T02 that of another such enterprise on cloud platform P02;
the access control result for the resource returns true only when each node of the tree structure satisfies its condition, and false otherwise.
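The "k of n" policy tree evaluated against the attribute sets of users A and B from fig. 3, as an added Python example that is not the patent's code. It implements only the attribute check of step V5 (the policy-tree evaluation), not the CP-ABE decryption; the second, wider policy and user C are constructed.

```python
"""Evaluation of a 'k of n' access policy tree against a user's attributes (added example)."""
import re

WILDCARD = "*"   # leaf value that matches every value of its attribute


def parse_gate(value):
    """Parse the non-leaf node value 'k of n' and validate 1 <= k <= n."""
    match = re.fullmatch(r"\s*(\d+)\s+of\s+(\d+)\s*", value)
    if not match:
        raise ValueError(f"malformed gate value: {value!r}")
    k, n = int(match.group(1)), int(match.group(2))
    if not 1 <= k <= n:
        raise ValueError(f"gate {value!r} needs 1 <= k <= n")
    return k, n


def evaluate(node, attrs):
    """Return True when the attribute set satisfies the policy subtree `node`.
    Non-leaf: {"value": "k of n", "children": [...]}; leaf: {"attr": ..., "value": ...}."""
    if "children" in node:
        k, n = parse_gate(node["value"])
        if len(node["children"]) != n:
            raise ValueError("child count does not match the gate's n")
        satisfied = sum(evaluate(child, attrs) for child in node["children"])
        return satisfied >= k                   # "1 of n" is OR, "n of n" is AND
    actual = attrs.get(node["attr"])
    if actual is None:
        return False                            # attribute absent from the token: deny
    return node["value"] == WILDCARD or actual == node["value"]


def gate(k, n, *children):
    return {"value": f"{k} of {n}", "children": list(children)}


def leaf(attr, value):
    return {"attr": attr, "value": value}


# Policy P of fig. 3: enterprises of type T01 on platform P01 (an AND gate, "2 of 2").
POLICY_P = gate(2, 2, leaf("platform", "P01"), leaf("type", "T01"))

# A wider, constructed policy: policy P, or enterprise C02 on any platform ("*").
POLICY_WIDE = gate(1, 2, POLICY_P,
                   gate(2, 2, leaf("platform", WILDCARD), leaf("enterprise", "C02")))

# Attribute sets: A and B as in fig. 3, C constructed.
USER_A = {"platform": "P01", "enterprise": "C01", "type": "T01"}
USER_B = {"platform": "P02", "enterprise": "C01", "type": "T01"}
USER_C = {"platform": "P02", "enterprise": "C02", "type": "T02"}

if __name__ == "__main__":
    for name, user in (("A", USER_A), ("B", USER_B), ("C", USER_C)):
        print(name, "policy P:", evaluate(POLICY_P, user),
              "wide:", evaluate(POLICY_WIDE, user))
```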
In the embodiment of the present invention, the access control process comprises the following stages:
initialisation stage $\mathrm{Setup}(k) \to (PK, MK)$: a security parameter $k$ is input to generate the system public key $PK$ and the system master key $MK$; $PK$ is published within the cloud connector system and used by users for attribute encryption, while $MK$ is kept secret by the cloud connector system;
key generation stage $\mathrm{KeyGen}(MK, S_{attr}) \to SK_{attr}$: executed during user registration; the cloud connector system generates the user's attribute private key from the system master key $MK$ and the user's attribute information;
resource publishing stage $\mathrm{Encrypt}(PK, M, T) \to CT$: access policies are set for the external interfaces of data integration and service integration respectively through the attribute encryption algorithm; $M$ is the plaintext information of the external interface, and given $M$, the system public key $PK$ and the access control policy $T$, $M$ is attribute-encrypted under the access control policy to produce the ciphertext $CT$;
resource acquisition stage $\mathrm{Decrypt}(SK_{attr}, CT) \to M$: used to judge whether the user's authority satisfies the access policy of the resource; the user's attribute private key $SK_{attr}$ and the ciphertext $CT$ are taken as input, and the attributes contained in the private key are used to attempt decryption against the access policy structure $T$ embedded in $CT$; if decryption succeeds the result is returned to the gateway module, which passes the resource access request, otherwise the gateway module rejects it.
In the embodiment of the invention, the asynchronous processing module, in combination with the gateway module, the user terminal, the data integration servers and the service integration servers, registers a corresponding message queue for each task with asynchronous requirements in the data integration content or service integration content and sets a task listener to listen on that queue.
The asynchronous processing module provides asynchronous processing: tasks with asynchronous requirements in data integration and service integration can be split out, a corresponding message queue registered, and a task listener set to listen on the queue. When such a task is processed, the internal asynchronous processing interface can be called directly, specifying the target exchange, routing key and message content, after which other work continues without blocking to wait for the task to complete. On receiving the message, the asynchronous processing interface acts as the producer and delivers it; the message middleware then forwards it to the designated queue, and once the consumer acting as listener receives it, the asynchronous processing of the task can be completed.
In the embodiment of the invention, three roles are defined for the processing of asynchronous tasks by the asynchronous processing module: the producer, the message queue and the consumer, so that messages are delivered reliably;
for the producer: a message confirmation mechanism is enabled on the producer, a unique identifier is generated for each message, and the message identifier, message content and target message queue are stored in Redis before the actual delivery is performed;
if the message is delivered to the designated message queue, the queue returns a confirmation to the producer containing the message's unique identifier, and the copy temporarily stored in Redis is deleted by that identifier;
if delivery fails, the producer receives a delivery-error confirmation containing the message identifier, retrieves the message stored in Redis by that identifier and delivers it again, so that messages sent by the producer are not lost;
for the message queue: the exchange is made durable when it is created, the queue metadata is persisted, and each delivered message is persisted to local disk, so that neither the queue metadata nor messages not yet consumed are lost when the message middleware goes down;
for the consumer: manual acknowledgement mode is enabled on the consumer so that every message is acknowledged; the consumer returns an ACK after processing the message successfully, and the message queue deletes the message once it receives the acknowledgement;
if processing on the consumer fails, a NACK is returned and the message goes back to the queue to be consumed again, so that messages are not lost when an exception occurs during business processing.
The message processing flow may specifically include:
step X1: predefining the exchange, the message queue name and the routing method, setting a listener on the message queue, and integrating the code of the asynchronous task into the listener when the task is to be connected to the queue;
step X2: calling the internal interface of the corresponding asynchronous processing module through a FeignClient, specifying the target exchange, routing key and message content, and continuing with other work;
step X3: on receiving the message, the internal interface of the asynchronous processing module generates a unique identifier for it, packs the message content, target exchange and routing key into a map, stores the map in Redis as a key-hash, and then delivers the message to the corresponding exchange;
step X4: on receiving the message, the message middleware first persists it, then the exchange delivers it to the designated queue according to the routing key;
step X5: the listener continuously checks whether a message has arrived in the corresponding queue; when a new message exists it fetches it from the queue, executes the specific asynchronous task and, after execution, manually returns a confirmation or a failure to the queue; the listener can be regarded as the consumer;
step X6: anywhere in the flow, if message delivery fails, the message stored in Redis is retrieved and redelivered;
step X7: if the message middleware goes down, the messages persisted on local disk are recovered automatically after it restarts;
step X8: if task execution on the consumer raises an exception, the designated message is returned to the queue and consumed again;
step X9: if the consumer processes the message successfully, the producer deletes the copy temporarily stored in Redis according to the message identifier carried in the confirmation, and the message queue likewise clears the message content persisted on the local disk.
The producer described above may be a terminal used by a person, for instance at an enterprise related to the automobile industry, and the consumer may be a terminal used by a consumer.
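The producer/queue/consumer flow of steps X3 to X9 simulated in Python, as an added example that is not the patent's code: a dict stands in for the Redis key-hash, a small in-memory class for the message middleware, and the exchange, queue and message names are constructed.

```python
"""Producer / message queue / consumer reliability flow of steps X3-X9 (added example).
A dict stands in for the Redis key-hash and a small in-memory class for the middleware."""
import uuid
from collections import deque


class Broker:
    """Stand-in for the middleware: persist first, then route by (exchange, routing key)."""
    def __init__(self):
        self.bindings = {}   # (exchange, routing_key) -> queue name
        self.queues = {}     # queue name -> deque of (msg_id, body)
        self.disk = {}       # msg_id -> (queue, body): the persisted copy (step X4)

    def bind(self, exchange, routing_key, queue):
        self.bindings[(exchange, routing_key)] = queue
        self.queues.setdefault(queue, deque())

    def publish(self, msg_id, exchange, routing_key, body):
        """True = delivery confirm, False = delivery-error confirm sent to the producer."""
        queue = self.bindings.get((exchange, routing_key))
        if queue is None:
            return False
        self.disk[msg_id] = (queue, body)
        self.queues[queue].append((msg_id, body))
        return True

    def fetch(self, queue):
        return self.queues[queue].popleft() if self.queues[queue] else None

    def ack(self, msg_id):
        self.disk.pop(msg_id, None)              # consumed: clear the persisted copy (X9)

    def nack(self, msg_id):
        queue, body = self.disk[msg_id]
        self.queues[queue].appendleft((msg_id, body))   # back to the queue (X8)

    def restart(self):
        """Simulated crash: in-memory queues are rebuilt from the persisted copies (X7)."""
        for q in self.queues.values():
            q.clear()
        for msg_id, (queue, body) in self.disk.items():
            self.queues[queue].append((msg_id, body))


class Producer:
    """Producer with the confirm mechanism: stage the message before delivery (X3)."""
    def __init__(self, broker):
        self.broker, self.staged = broker, {}    # staged: msg_id -> (exchange, key, body)

    def send(self, exchange, routing_key, body):
        msg_id = uuid.uuid4().hex                # unique identifier for every message
        self.staged[msg_id] = (exchange, routing_key, body)
        return msg_id, self.broker.publish(msg_id, exchange, routing_key, body)

    def redeliver(self, msg_id):
        """X6: take the staged copy out again and deliver it once more."""
        return msg_id in self.staged and self.broker.publish(msg_id, *self.staged[msg_id])

    def on_consumed(self, msg_id):
        self.staged.pop(msg_id, None)            # consumer succeeded: drop the staged copy (X9)


class Consumer:
    """Listener in manual-acknowledgement mode: a handler exception becomes NACK + requeue."""
    def __init__(self, broker, producer, queue, handler):
        self.broker, self.producer, self.queue, self.handler = broker, producer, queue, handler

    def poll(self):
        item = self.broker.fetch(self.queue)
        if item is None:
            return None
        msg_id, body = item
        try:
            self.handler(body)
        except Exception:
            self.broker.nack(msg_id)
            return msg_id, "nack"
        self.broker.ack(msg_id)
        self.producer.on_consumed(msg_id)
        return msg_id, "ack"


def run_flow():
    """One constructed message: failed delivery, redelivery, broker restart, a NACK, an ACK."""
    broker = Broker()
    producer = Producer(broker)
    attempts = []

    def handler(body):
        attempts.append(body)
        if len(attempts) == 1:
            raise RuntimeError("simulated failure of the asynchronous task")

    consumer = Consumer(broker, producer, "capacity.queue", handler)
    msg_id, first_ok = producer.send("capacity.exchange", "capacity.share", {"plant": "P01"})
    broker.bind("capacity.exchange", "capacity.share", "capacity.queue")   # binding came late
    redelivered = producer.redeliver(msg_id)
    broker.restart()
    outcomes = [consumer.poll()[1], consumer.poll()[1]]
    return {"first_ok": first_ok, "redelivered": redelivered, "outcomes": outcomes,
            "attempts": len(attempts), "staged_left": len(producer.staged),
            "persisted_left": len(broker.disk)}
```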
In the following, in order to explain the cloud connector system of the present invention more clearly, the modules of the cloud connector are described using a preferred structural design and interface design as examples.
The gateway module mainly integrates the external interfaces, comprising data integration and service integration as well as unified identity authentication and authorisation, user management, monitoring services and the like, within the cloud connector.
The internal interfaces in the gateway module include: the message asynchronous processing interface of the asynchronous processing module, the access control interface, the token issuing interface and the like.
The gateway module registers the interfaces of the user service, authentication service, identity authentication service, data integration and service integration, exposes them externally in a unified manner and is responsible for routing and forwarding them. The gateway module also applies the token bucket algorithm to rate-limit requests, avoiding overload. In addition, the data integration and service integration microservices are registered with the Eureka Server registry, a custom load balancing algorithm is implemented in the gateway module on top of Ribbon, and load balancing is performed on the requests sent by users. The structure of the overall functional modules of the cloud connector is shown in fig. 4; for simplicity, fig. 4 shows only part of the functions of each module, and the full set can be found in the explanation above.
The message asynchronous processing interface:
Function: specify the name of the target exchange, the routing key and the message content, and deliver the message to the designated queue, making request processing asynchronous, smoothing peaks and decoupling components.
Access method: GET /synthanler
Request parameters:
exchange (String): exchange name
message (Map): message content
routingkey (String): routing key
Return parameters: none.
The user module is responsible for adding, updating and deleting user information and for querying it. On the one hand it provides the authentication module with a user information query interface to support the authentication function, and on the other hand it provides a user management interface for the page.
(1) User information query
Function: query information by user name
Access method: GET /user/{username}
Request parameters:
username (String): user name
Return parameters:
returns the specified user's information as a User object containing the user's details, for example:
[example response shown as an image in the original]
where flag indicates success or failure, code is a status code, message is the accompanying string, and data is the specific data.
(2) User addition
Function: add a user
Access method: POST /user
Request parameters:
user (User): user details object
Return parameters:
returns true if the check passes, otherwise false.
(3) User deletion
Function: delete user information by user name
Access method: DELETE /user/{username}
Request parameters:
username (String): user name
Return parameters:
returns true if the deletion succeeds, otherwise false.
(4) User update
Function: update user details
Access method: PUT /user
Request parameters:
[request parameter table shown as an image in the original]
Return parameters:
returns true if the update succeeds, otherwise false.
The access control module provides an access control interface for verifying a user's access authority to a resource. It is used mainly by the gateway module in aggregation mode: when a request passes through the gateway, the interface can be called to perform access control. Meanwhile, the access policy of each resource can be added, deleted and updated.
(1) Resource publishing
Function: add an access policy to the specified resource
Access method: POST /resource
Request parameters:
resource (Resource): detailed information of the resource
Return parameters:
returns true if the addition succeeds, otherwise false.
(2) Resource query
Function: add an access policy to the specified resource
Access method: GET /resource/{id}
Request parameters:
id (Integer): resource id
Return parameters:
returns the detailed information of the resource.
(3) Resource deletion
Function: add an access policy to the specified resource
Access method: DELETE /resource/{id}
Request parameters:
id (Integer): resource id
Return parameters:
returns true if the deletion succeeds, otherwise false.
(4) Resource update
Function: add an access policy to the specified resource
Access method: PUT /resource
Request parameters:
resource (Resource): detailed information of the resource
Return parameters:
returns true if the update succeeds, otherwise false.
(5) Access control
Function: query the corresponding access policy according to the attribute information carried in the user's token and the id of the accessed resource, and judge according to the policy whether the user has the authority to access the resource
Access method: GET /resource/access
Request parameters:
resourceId (String): resource id
jwt (String): token
Return parameters:
returns true if the check passes, otherwise false.
(6) Access policy deletion
Function: delete the access policy of the specified resource
Access method: DELETE /resource/policy
Request parameters:
resourceid (Integer): resource id
Return parameters:
returns true if the deletion succeeds, otherwise false.
(7) Access policy update
Function: update the access policy of the specified resource
Access method: PUT /resource/policy
Request parameters:
[request parameter table shown as an image in the original]
Return parameters:
returns true if the update succeeds, otherwise false.
(8) Access policy addition
Function: add an access policy to the specified resource
Access method: POST /resource/policy
Request parameters:
[request parameter table shown as an image in the original]
Return parameters:
returns true if the addition succeeds, otherwise false.
(9) Access policy query
Function: query and parse the access policy of the specified resource, load the user attribute information, convert it into the format displayed in the front-end drop-down box, and return which user attributes are selected in the access policy
Access method: GET /resource/policy
Request parameters:
id (Integer): resource id
The authentication module implements user authentication based on OAuth 2.0, checks user information, and can encapsulate the user information to generate a token.
(1) Identity authentication
Function: verify the user's identity from the user name, password and similar information, and return a token identification
Access method: GET /oauth/login
Request parameters:
username (String): task type id to which it belongs
password (String): address information
Return parameters:
returns a token identification.
(2) Token issuance
Function: generate a token, encapsulate the user's attribute information, and return the token identification and token body
Access method: GET /oauth/token
Request parameters:
grant_type (String): authorisation mode
client_id (String): client id
client_secret (String): client secret
Return parameters:
returns the jti token identification and the jwt token body.
In summary, the cloud connector system for interconnection and intercommunication among multiple platforms provided by the present invention joins the respective cloud platforms of multiple enterprises related to the automobile industry by means of cloud connectors, which serve as a cross-platform message bus providing a message transmission mechanism, cross-platform data format conversion, a function adaptation interface and similar functions. For multi-source heterogeneous automobile industry big data, multi-platform distributed data integration and service integration based on the cloud connector rely on key technologies such as data schema association networks and service synchronisation and coordination. They achieve interconnection and intercommunication among multiple kinds of cloud platforms, support multi-value-chain business process fusion and system integration, and realise the opening of data and service resources among platforms, unified resource management, cross-platform data sharing and service cooperation. This breaks the isolation of data, facilitates data sharing, service sharing and resource coordination, satisfies requirements such as tamper resistance and traceability of content, and can serve a wide range of core automobile manufacturing enterprises and related enterprises well.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
While the present invention has been described with reference to the particular illustrative embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but is intended to cover various modifications, equivalent arrangements, and equivalents thereof, which may be made by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A multi-platform interworking cloud connector system, the cloud connector system comprising: a plurality of cloud platforms and a cloud connector, wherein the plurality of cloud platforms include: an automobile manufacturing enterprise informatization cloud platform, a third-party multi-value-chain cooperation cloud platform and an automobile group enterprise multi-base value-chain cooperation cloud platform;
the cloud connector includes: a gateway module, a user module, an access control module, an authentication module and an asynchronous processing module;
the gateway module integrates a plurality of external interfaces and a plurality of internal interfaces; through the external interfaces the gateway module is connected with a plurality of data integration servers and a plurality of service integration servers, and, combined with an Eureka Server, implements the user registration micro-service, the registration micro-service of the data integration servers and the registration micro-service of the service integration servers;
the gateway module is connected with the user terminal through the external interfaces to provide user identity authentication, management and monitoring services;
the gateway module is connected with the user module, the access control module, the authentication module and the asynchronous processing module through the internal interfaces to provide asynchronous message processing, access control and token generation;
the gateway module implements a load balancing algorithm using Ribbon to load-balance the user's requests;
the user module, combined with the gateway module and the user terminal, implements the addition, update and deletion of user information, attribute information query and user information query;
the access control module, combined with the gateway module and the authentication module, verifies the access rights to a resource of a user who has passed user information verification and performs access control; it also maintains access policies, adding, deleting and updating the access policy of each resource, and implements the publication, query, deletion and update of resources;
the authentication module, combined with the gateway module and the user terminal, implements user authentication based on OAuth2.0, verifies user information, and encapsulates the user information according to the user registration information to generate and send a token;
the asynchronous processing module, combined with the gateway module, the user terminal, the data integration servers and the service integration servers, registers a corresponding message queue for each task with asynchronous requirements in the data integration content or service integration content, and sets a task listener to monitor the message queues;
wherein the data integration servers and the service integration servers refer to: the respective contents of the automobile manufacturing enterprise informatization cloud platform, the third-party multi-value-chain cooperation cloud platform and the automobile group enterprise multi-base value-chain cooperation cloud platform are classified by data type and service type to obtain data integration content and service integration content; the data integration content is stored in a plurality of data integration servers, the service integration content is stored in a plurality of service integration servers, and the data integration servers and the service integration servers are deployed in a distributed manner.
2. The cloud connector system of claim 1, wherein the plurality of data integration servers and the plurality of service integration servers form server clusters;
in the initial stage of operation, requests sent by users are distributed evenly, in a polling (round-robin) manner, to each server in the corresponding server cluster for processing;
after a certain running time, the gateway module periodically obtains, using Ribbon, the load and resource condition of each server in the server cluster, calculates a score for each server, and performs load balancing based on the scores, which specifically includes:
acquiring the performance condition of each server and calculating the average performance to obtain a reference CPU performance value $P_a$, a reference memory size $M_a$ and a reference network bandwidth value $B_a$;
defining a performance vector $[p_i, m_i, b_i]$ for each server, where $p_i = P_i / P_a$, $m_i = M_i / M_a$, $b_i = B_i / B_a$, $i = 1, 2, 3, \dots, N$, and $P_i$, $M_i$, $B_i$ respectively denote the CPU clock frequency, memory size and network bandwidth of the $i$-th server;
obtaining the CPU load rate $L(C_i)$, memory occupancy rate $L(M_i)$ and network occupancy rate $L(B_i)$ of each server, where $N$ is the number of servers in the server cluster;
calculating an overall performance score $S1_i$ for each server from its performance vector:
$$S1_i = k_1 \cdot p_i \cdot (1 - L(M_i)) + k_2 \cdot m_i \cdot (1 - L(M_i)) + k_3 \cdot b_i \cdot (1 - L(M_i)), \quad i = 1, 2, 3, \dots, N \qquad (1)$$
where $k_1 + k_2 + k_3 = 1$ and $k_1, k_2, k_3$ are the weights of the respective indices;
obtaining the average response time $\mathrm{TimeAvg}_i$ of each server and the total response time $\mathrm{TimeTotal}$ of all servers:
$$S2_i = \mathrm{TimeTotal} - \mathrm{TimeAvg}_i, \quad i = 1, 2, 3, \dots, N \qquad (2)$$
where $S2_i$ is inversely related to the response time of each server: the faster the response, the higher the score;
calculating the score $S_i$ of the $i$-th server from the scores given by equations (1) and (2):
$$S_i = a \cdot S1_i + b \cdot S2_i, \quad i = 1, 2, 3, \dots, N \qquad (3)$$
obtaining, according to formula (3), a score set containing all current servers and mapping all scores of that set into a ScoreSet:
$$\mathrm{ScoreSet} = \{a \cdot S1_i + b \cdot S2_i\}, \quad i = 1, 2, 3, \dots, N \qquad (4)$$
where $a + b = 1$ and $a, b$ are the weights of the respective indices.
3. The cloud connector system of claim 2, wherein the gateway module implements the load balancing algorithm using Ribbon, and the specific steps of load-balancing the user's requests include:
initializing a timing task and specifying its start time and execution period, the timing task being responsible for periodically maintaining the node count and performance data of the server cluster;
when a user request arrives, if the ScoreSet is empty, returning the next available server address in a polling (round-robin) manner;
when the timing task starts, periodically collecting the performance and load indices of each server, namely: the CPU, memory size, bandwidth, CPU occupancy rate, memory occupancy rate, bandwidth occupancy rate and average response time of each server;
calculating the performance score $S1_i$ and the response time score $S2_i$ of each server according to formulas (1) and (2);
calculating the weighted score $S_i$ according to formula (3) and integrating the scores of all currently available servers into a new ScoreSet list;
when a new user request arrives and the ScoreSet is now non-empty, calculating a total score TotalScore and mapping the score of each server onto the interval $[0, \mathrm{TotalScore}]$, so that each server obtains a sub-interval whose length corresponds to its score; a random number random is drawn within the interval, and the server whose sub-interval contains random is the result of load balancing.
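To make the scoring and interval-mapping steps of claims 2 and 3 concrete, here is an added Python example (not code from the patent) with a constructed three-server cluster; the metric values, the weights $k_1 = k_2 = k_3 = 1/3$ and $a = b = 1/2$ are assumptions, and equation (1) is reproduced with the memory-occupancy term in all three components exactly as the claim states it.

```python
import random
from dataclasses import dataclass

@dataclass
class ServerMetrics:
    """Constructed per-server sample; field names follow the claim's symbols."""
    name: str
    cpu_ghz: float      # P_i, CPU clock frequency
    mem_gb: float       # M_i, memory size
    bw_mbps: float      # B_i, network bandwidth
    cpu_load: float     # L(C_i), collected but not used by equation (1) as written
    mem_load: float     # L(M_i), memory occupancy rate
    bw_load: float      # L(B_i), collected but not used by equation (1) as written
    avg_resp_ms: float  # TimeAvg_i

def reference_values(servers):
    """P_a, M_a, B_a: cluster averages of CPU, memory and bandwidth."""
    n = len(servers)
    return (sum(s.cpu_ghz for s in servers) / n,
            sum(s.mem_gb for s in servers) / n,
            sum(s.bw_mbps for s in servers) / n)

def performance_score(s, ref, k=(1 / 3, 1 / 3, 1 / 3)):
    """S1_i from equation (1). The claim applies the memory term (1 - L(M_i)) to all
    three components; that is reproduced as written."""
    p_a, m_a, b_a = ref
    idle = 1.0 - s.mem_load
    return (k[0] * (s.cpu_ghz / p_a) * idle
            + k[1] * (s.mem_gb / m_a) * idle
            + k[2] * (s.bw_mbps / b_a) * idle)

def response_scores(servers):
    """S2_i from equation (2): TimeTotal - TimeAvg_i, so faster servers score higher."""
    total = sum(s.avg_resp_ms for s in servers)
    return [total - s.avg_resp_ms for s in servers]

def score_set(servers, a=0.5, b=0.5, k=(1 / 3, 1 / 3, 1 / 3)):
    """ScoreSet from equations (3) and (4). The claim does not scale S2_i, so with raw
    millisecond values the response-time term dominates S1_i."""
    ref = reference_values(servers)
    s2 = response_scores(servers)
    return [a * performance_score(s, ref, k) + b * s2_i for s, s2_i in zip(servers, s2)]

class Balancer:
    """Claim 3: round-robin until a ScoreSet exists, then score-weighted random choice."""
    def __init__(self, servers):
        self.servers = list(servers)
        self.scores = []   # empty until the timing task has run
        self._rr = 0

    def refresh(self):
        """The periodic timing task: recompute the ScoreSet from current metrics."""
        self.scores = score_set(self.servers)

    def choose(self, rng=random):
        if not self.scores:
            s = self.servers[self._rr % len(self.servers)]
            self._rr += 1
            return s
        total = sum(self.scores)           # TotalScore
        point = rng.uniform(0.0, total)    # random point in [0, TotalScore]
        upper = 0.0
        for s, sc in zip(self.servers, self.scores):
            upper += sc                    # each server owns an interval of length S_i
            if point < upper:
                return s
        return self.servers[-1]            # point == TotalScore falls in the last interval

# Constructed sample cluster (illustrative numbers, not measurements from the patent).
CLUSTER = [
    ServerMetrics("srv-a", 3.0, 16, 1000, 0.5, 0.5, 0.5, 100),
    ServerMetrics("srv-b", 2.0, 8, 500, 0.2, 0.2, 0.2, 200),
    ServerMetrics("srv-c", 4.0, 24, 1500, 0.8, 0.8, 0.8, 50),
]
```

With the sample cluster the ScoreSet is roughly [125.25, 75.22, 150.14], so srv-c receives about 43% of requests once the timing task has run.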
4. The cloud connector system according to claim 1, wherein the authentication module, combined with the gateway module and the user terminal, implements on the basis of OAuth2.0 the specific steps of generating and issuing a token encapsulated according to the user registration information, including:
a user initiates an authentication request carrying a user name and a password, and the gateway module routes the authentication request to an authentication center;
the authentication center queries the user information through the user micro-service provided via the Eureka Server and verifies the user information;
if the verification passes, a JWT token is generated as the carrier of the token according to the user's attribute information, the token identifier is returned to the user, and the JWT token is stored in Redis.
5. The cloud connector system of claim 4, wherein the access control module, combined with the gateway module and the authentication module, verifies the access rights to a resource of a user who has passed user information verification and performs access control as follows:
when a user accesses a resource, a resource access request carrying the token is sent to the gateway module, the resource being data integration content or service integration content;
the authentication module verifies the token together with the access control service, the verification comprising: verifying the validity of the token and verifying its expiration time;
after the verification succeeds, the authentication module parses the carrier of the token to obtain the user's attribute information and verifies the integrity of that attribute information;
the access control module queries the access policy corresponding to the resource information of the resource access request;
the access control module invokes an attribute-based access control method to check whether the user's attribute information conforms to the access policy of the corresponding resource information;
the access control module returns the check result to the gateway module;
and the gateway module passes or refuses the resource access request based on the check result.
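An added Python example (not from the patent) of the token handling in claims 4 and 5 using only the standard library: an HS256 JWT carrying the user's attribute information, a dict standing in for the Redis token store, and verification of signature, expiry and attribute completeness in that order. The signing key, attribute field names and claim layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ATTRIBUTE_FIELDS = ("platform_id", "enterprise_id", "enterprise_type")

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, attrs, key, ttl_s=3600, now=None):
    """Authentication center: after the user check passes, wrap the user's attribute
    information in an HS256-signed JWT (the token carrier) with an expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_s}
    payload.update({f: attrs[f] for f in ATTRIBUTE_FIELDS})  # KeyError if one is missing
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token, key, now=None):
    """Claim 5 checks in order: validity (signature), expiry, then integrity of the
    attribute information. Returns the claims; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(unb64url(h64))
    if header.get("alg") != "HS256":   # pin the algorithm; never trust 'alg' from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s64)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(p64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    missing = [f for f in ("sub",) + ATTRIBUTE_FIELDS if f not in claims]
    if missing:
        raise ValueError(f"attribute information incomplete: {missing}")
    return claims

class TokenStore:
    """Stand-in for the Redis store of claim 4: the user receives an opaque token
    identifier, which the gateway resolves to the stored JWT before verification."""
    def __init__(self):
        self._by_id = {}

    def put(self, jwt):
        token_id = secrets.token_urlsafe(16)
        self._by_id[token_id] = jwt
        return token_id

    def get(self, token_id):
        return self._by_id.get(token_id)

def check_access_token(store, token_id, key, now=None):
    """Gateway-side outcome: (True, claims) or (False, reason)."""
    jwt = store.get(token_id)
    if jwt is None:
        return False, "unknown token identifier"
    try:
        return True, verify_token(jwt, key, now)
    except ValueError as exc:
        return False, str(exc)

# Constructed sample values (not from the patent).
SAMPLE_KEY = b"constructed-hs256-key-for-the-example-only"
SAMPLE_ATTRS = {"platform_id": "P01", "enterprise_id": "C01", "enterprise_type": "T01"}
```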
6. The cloud connector system of claim 5, wherein the access policy is implemented on the basis of a CP-ABE encryption scheme, the user's private decryption key being associated with the user's set of attribute information and the access policy being associated with data integration content or service integration content; the user's attribute information comprises: at least one platform ID, at least one enterprise ID and at least one enterprise type, wherein the platform ID refers to: the ID of any one of the plurality of cloud platforms that the cloud connector provides to the user for operation and use, the platform ID being the coarsest division granularity, and the enterprise ID refers to: the ID of any enterprise providing data integration content and service integration content to the cloud connector system, the enterprise ID being the finest granularity;
the access policy is a tree structure represented as a character string when stored, wherein the value of a non-leaf node is written as a string in the form "k of n", n denoting the number of child nodes and k the minimum number of child nodes that must be satisfied;
a node value of "1 of n" denotes an OR gate, satisfied when any one of the child attributes is satisfied; a node value of "n of n" denotes an AND gate, which returns true only when all child nodes are satisfied; a leaf node denotes an attribute and its value, and all values matching the current attribute are represented by that value;
taking the platform ID as an example, the set {P01, P02, ...} of all platform IDs is represented, where P01 is the specific ID of one cloud platform and P02 the specific ID of another cloud platform;
taking the enterprise ID as an example, the set {C01, C02, ...} of all enterprises under a specified platform ID is represented, where C01 is the specific ID of an enterprise providing data integration content and service integration content to cloud platform P01, and C02 the specific ID of another enterprise providing data integration content and service integration content to cloud platform P01;
taking the enterprise type as an example, the set {T01, T02, ...} of all enterprise types under a specified platform ID is represented, where T01 is the enterprise type of an enterprise providing data integration content and service integration content to cloud platform P02, and T02 the enterprise type of another enterprise providing data integration content and service integration content to cloud platform P02;
the access control result for the resource returns true only if every node in the tree structure satisfies its condition; otherwise false is returned.
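An added Python example (not from the patent) of the "k of n" policy tree of claim 6; it also illustrates claim 10's point that a policy may name only part of a user's attributes. The JSON serialisation of the stored tree and the attribute names platform_id, enterprise_id and enterprise_type are assumptions, and a validation step is included so that a gate whose declared n does not match its real child count is rejected before it is ever evaluated.

```python
import json
import re

GATE_RE = re.compile(r"^\s*(\d+)\s+of\s+(\d+)\s*$")

def parse_gate(text):
    """'k of n' -> (k, n); '1 of n' is an OR gate, 'n of n' an AND gate."""
    m = GATE_RE.match(text)
    if not m:
        raise ValueError(f"malformed gate value: {text!r}")
    k, n = int(m.group(1)), int(m.group(2))
    if not 1 <= k <= n:
        raise ValueError(f"threshold out of range: {text!r}")
    return k, n

def validate(node):
    """Reject structurally bad policies before use: a gate's n must equal its real child
    count, otherwise a stored '2 of 3' with only two children would not mean what it says."""
    if "attr" in node:
        if not isinstance(node.get("value"), str):
            raise ValueError("leaf must carry a string value")
        return True
    _, n = parse_gate(node["gate"])
    children = node.get("children", [])
    if len(children) != n:
        raise ValueError(f"gate declares {n} children, found {len(children)}")
    return all(validate(c) for c in children)

def load_policy(text):
    """Policies are stored as strings; JSON is assumed here as the serialisation."""
    node = json.loads(text)
    validate(node)
    return node

def evaluate(node, user_attrs):
    """True only if the nodes are satisfied down to the leaves (claim 6).
    user_attrs maps attribute name -> set of values the user holds."""
    if "attr" in node:
        return node["value"] in user_attrs.get(node["attr"], set())
    k, _ = parse_gate(node["gate"])
    hits = sum(1 for child in node["children"] if evaluate(child, user_attrs))
    return hits >= k

def policy_is_wellformed(text):
    try:
        load_policy(text)
        return True
    except (ValueError, KeyError, TypeError):
        return False

def decide(policy_text, user_attrs):
    """Access control module entry point: True to pass the request, False to refuse."""
    return evaluate(load_policy(policy_text), user_attrs)

# Constructed policy: "2 of 3" over platform P01, an OR of enterprises C01/C02 and
# enterprise type T01; it names only part of the user's attributes (claim 10).
POLICY_TEXT = json.dumps({
    "gate": "2 of 3",
    "children": [
        {"attr": "platform_id", "value": "P01"},
        {"gate": "1 of 2", "children": [
            {"attr": "enterprise_id", "value": "C01"},
            {"attr": "enterprise_id", "value": "C02"},
        ]},
        {"attr": "enterprise_type", "value": "T01"},
    ],
})

# Constructed users, as unpacked from the token carrier after verification.
USER_GRANTED = {"platform_id": {"P01"}, "enterprise_id": {"C05"}, "enterprise_type": {"T01"}}
USER_DENIED = {"platform_id": {"P02"}, "enterprise_id": {"C01"}, "enterprise_type": {"T02"}}
```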
7. The cloud connector system of claim 6, wherein the process of performing access control comprises:
an encryption algorithm initialization stage: a system public key PK and a system master key MK are generated from an input security parameter k; PK is published within the cloud connector system and used by users for attribute encryption, while MK is kept secret by the cloud connector system;
a key generation stage: executed at user registration, in which the cloud connector system generates an attribute private key for the user from the system master key MK and the user's attribute information;
a resource publication stage: access policies are set, through the attribute encryption algorithm, for the external interfaces corresponding to data integration and service integration respectively; with M the plaintext information of an external interface, M is attribute-encrypted according to the access control policy by taking M, the system public key PK and the access control policy T as input, generating a ciphertext CT;
a resource acquisition stage: used to determine whether the user's permissions comply with the access policy of the resource information; the user's attribute private key $SK_{attr}$ and the ciphertext CT are taken as input, and the attribute information contained in the private key is used to attempt decryption against the access policy structure T contained in the ciphertext CT; if decryption succeeds, the result is returned to the gateway module, which passes the resource access request; if decryption fails, the gateway module refuses the operation.
8. The cloud connector system of claim 7, wherein the asynchronous processing module defines three roles when processing an asynchronous demand task: a production end, a message queue and a consumption end, so that messages are delivered reliably;
for the production end: a message confirmation mechanism is enabled at the production end; a unique identifier is generated for each message, and the message identifier, the message content and the target message queue are stored in Redis before the message is delivered; actual delivery then follows;
if the message is delivered to the specified message queue, the message queue returns a confirmation to the production end containing the message's unique identifier, and the message temporarily stored in Redis is deleted by that identifier;
if delivery fails, the production end receives a delivery-error confirmation containing the specified message identifier, and the message stored in Redis is retrieved by that identifier and delivered again, so that messages sent by the production end are not lost;
for the message queue: the exchange is persisted when it is created, the message queue metadata is persisted, and each message is persisted to local disk when delivered, so that neither the queue metadata nor messages not yet consumed are lost when the message middleware goes down;
for the consumption end: manual acknowledgement mode is enabled at the consumption end so that every message is acknowledged; after the consumption end processes a message successfully it returns an ACK, and the message queue deletes the corresponding message on receiving it;
if processing at the consumption end fails, a NACK is returned so that the message goes back to the message queue to be consumed again, ensuring that messages are not lost when an exception occurs during business processing.
9. The cloud connector system of claim 7, wherein the message processing flow specifically includes:
predefining the corresponding exchange, message queue name and routing method, setting a listener to monitor the message queue, and integrating the code of an asynchronous demand task into the listener when that task needs to be connected to the message queue;
calling the corresponding internal interface of the asynchronous processing module by way of a FeignClient, specifying the target exchange, the routing key and the message content, and continuing with other tasks;
after receiving the messages, the internal interface of the asynchronous processing module generates a unique identifier for each message, encapsulates the message content, the target exchange and the routing key into a map, stores the map in Redis as a key-hash, and then delivers the message to the corresponding exchange;
after receiving the message, the message middleware first persists it, and the exchange then delivers it to the specified message queue according to the routing key;
the listener continuously checks whether a message has arrived at the corresponding queue, fetches the message from the queue when a new one exists, executes the specific asynchronous demand task, and after execution manually returns a confirmation or failure message to the message queue; the listener can be designated as the consumption end;
in the whole message processing flow, if message delivery fails, the message stored in Redis is retrieved and redelivered;
if the message middleware goes down, the messages persisted to local disk are recovered automatically after the middleware restarts;
if task execution at the consumption end is abnormal, the specified message returns to the queue and is consumed again;
if the consumption end processes the message successfully, the production end deletes the message temporarily stored in Redis according to the message identifier carried in the confirmation, and the message queue also clears the message content persisted on the local hard disk.
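The three-role reliability scheme of claims 8 and 9, as an added Python simulation (not code from the patent): an in-memory broker with an exchange, persistence and requeue, a producer that parks each message in a dict standing in for the Redis hash until the confirm carrying its identifier comes back, and a listener in manual-acknowledgement mode. The exchange, routing key and queue names are constructed, and `fail_next` is a constructed fault-injection hook, not a middleware feature.

```python
import uuid
from collections import deque

class Broker:
    """Stand-in for the message middleware: an exchange routes by routing key to a queue."""
    def __init__(self):
        self.bindings = {}       # (exchange, routing_key) -> queue name
        self.queues = {}         # queue name -> deque of (msg_id, body)
        self.disk = {}           # msg_id -> (queue, body); cleared only on consumer ACK
        self.fail_next = False   # constructed fault injection for the delivery path

    def declare(self, exchange, routing_key, queue):
        self.bindings[(exchange, routing_key)] = queue
        self.queues.setdefault(queue, deque())

    def publish(self, exchange, routing_key, msg_id, body):
        """Confirm to the production end: (True, id) on delivery, (False, id) on error."""
        queue = self.bindings.get((exchange, routing_key))
        if self.fail_next or queue is None:
            self.fail_next = False
            return False, msg_id
        self.disk[msg_id] = (queue, body)            # persist before it becomes visible
        self.queues[queue].append((msg_id, body))
        return True, msg_id

    def get(self, queue):
        q = self.queues[queue]
        return q.popleft() if q else None

    def ack(self, msg_id):
        self.disk.pop(msg_id, None)                  # consumed: drop the persisted copy

    def nack(self, queue, msg_id, body):
        self.queues[queue].appendleft((msg_id, body))  # requeue for another attempt

    def restart(self):
        """Crash and restart: in-memory queues are lost, persisted messages come back."""
        for q in self.queues.values():
            q.clear()
        for msg_id, (queue, body) in self.disk.items():
            self.queues[queue].append((msg_id, body))

class Producer:
    """Production end with confirms on: park in the stash (dict standing in for Redis),
    deliver, and drop the parked copy only when a positive confirm names it."""
    def __init__(self, broker):
        self.broker, self.stash = broker, {}

    def send(self, exchange, routing_key, body):
        msg_id = str(uuid.uuid4())
        self.stash[msg_id] = {"exchange": exchange, "routing_key": routing_key, "body": body}
        ok, confirmed_id = self.broker.publish(exchange, routing_key, msg_id, body)
        if ok:
            del self.stash[confirmed_id]
        return msg_id, ok

    def redeliver(self, msg_id):
        """Delivery-error path: deliver the parked copy named by the error confirm again."""
        m = self.stash.get(msg_id)
        if m is None:
            return False
        ok, _ = self.broker.publish(m["exchange"], m["routing_key"], msg_id, m["body"])
        if ok:
            del self.stash[msg_id]
        return ok

def consume_once(broker, queue, handler):
    """Listener in manual-acknowledgement mode: ACK on success, NACK (requeue) on failure."""
    item = broker.get(queue)
    if item is None:
        return "empty"
    msg_id, body = item
    try:
        handler(body)
    except Exception:                               # task raised: put it back for a retry
        broker.nack(queue, msg_id, body)
        return "nack"
    broker.ack(msg_id)
    return "ack"
```

Walking a message through a failed first delivery, a redelivery, a broker restart and a failing then succeeding consumer shows that no step loses it and that the persisted copy disappears only on the final ACK.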
10. The cloud connector system of claim 6, wherein the access policy consists of any combination of the platform ID, the enterprise ID or the enterprise type;
the access policy includes all of the attribute information in the user's attribute information; or
the access policy includes part of the attribute information in the user's attribute information.
CN202211360497.9A 2022-11-02 2022-11-02 Multi-platform interconnection cloud connector system Pending CN115987547A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211360497.9A CN115987547A (en) 2022-11-02 2022-11-02 Multi-platform interconnection cloud connector system


Publications (1)

Publication Number Publication Date
CN115987547A true CN115987547A (en) 2023-04-18

Family

ID=85972720


Country Status (1)

Country Link
CN (1) CN115987547A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination