CN116527316A - Service calling method and device, electronic equipment and machine-readable storage medium - Google Patents

Info

Publication number: CN116527316A
Authority: CN (China)
Prior art keywords: service, proxy, call request, key, proxy service
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN202310313207.3A
Other languages: Chinese (zh)
Inventors: 张振华, 聂百川
Current assignee: Alibaba China Co Ltd
Original assignee: Alibaba China Co Ltd
Application filed by Alibaba China Co Ltd; priority to CN202310313207.3A; published as CN116527316A.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                • H04L 63/0281 Proxies
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/01 Protocols
                • H04L 67/10 Protocols in which an application is distributed across nodes in the network
                    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
            • H04L 67/50 Network services
                • H04L 67/56 Provisioning of proxy services
                    • H04L 67/568 Storing data temporarily at an intermediate stage, e.g. caching
                • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
                    • H04L 67/63 Routing a service request depending on the request content or context

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

One or more embodiments of the present specification provide a service invocation method, apparatus, electronic device, and machine-readable storage medium. The service invocation method is applied to a public cloud platform in a trusted environment, on which key services that serve users based on key data assets are running. The method comprises the following steps: deploying a proxy service for the key service on the public cloud platform and synchronizing at least part of the key data assets to the proxy service; in response to a first call request initiated by a user in an untrusted environment for the key service, calling the proxy service to obtain a call result corresponding to the first call request, where the call result is derived by the proxy service from the at least part of the key data assets it stores; and returning the call result to the user.

Description

Service calling method and device, electronic equipment and machine-readable storage medium
Technical Field
One or more embodiments of the present disclosure relate to the field of cloud services, and in particular, to a service calling method, a device, an electronic apparatus, and a machine-readable storage medium.
Background
Public cloud service providers typically provide key services to users in a trusted environment based on the key data assets they maintain. Here, a trusted environment is a physical environment controlled and managed by the public cloud service provider and can be regarded as a secure operating environment; correspondingly, an untrusted environment is a physical environment that is not controlled and managed by the public cloud service provider, can be regarded as an insecure operating environment, and may face a wide variety of attacks.
Because key services are usually provided only to users in a trusted environment, their security level is generally low: security capabilities such as authentication, authorization and encryption may be lacking, and security holes may even exist.
To extend the boundary of the distributed cloud, public cloud service providers currently center on the public cloud and deliver dedicated public cloud services in a customer's local machine room through various product forms. However, the customer's local machine room is an untrusted environment. If the public cloud platform provides key services to users in that untrusted environment, and a malicious user there uses the distributed cloud to attack the public cloud, the key data assets may be leaked or tampered with, which seriously harms the secure operation of the public cloud.
Disclosure of Invention
The application provides a service calling method, which is applied to a public cloud platform in a trusted environment; the public cloud platform is operated with key services provided for users based on key data assets; the method comprises the following steps:
deploying a proxy service for the critical service on the public cloud platform and synchronizing at least some of the critical data assets to the proxy service;
in response to a first call request initiated by a user in an untrusted environment for the key service, calling the proxy service to obtain a call result corresponding to the first call request, where the call result is derived by the proxy service from the at least part of the key data assets stored by the proxy service;
and returning the calling result to the user.
The application also provides a service calling device which is applied to the public cloud platform in the trusted environment; the public cloud platform is operated with key services provided for users based on key data assets; the device comprises:
a deployment unit configured to deploy proxy services for the critical services on the public cloud platform and synchronize at least some of the critical data assets to the proxy services;
a calling unit configured to, in response to a first call request initiated by a user in an untrusted environment for the key service, call the proxy service to obtain a call result corresponding to the first call request, where the call result is derived by the proxy service from the at least part of the key data assets stored by the proxy service;
and the return unit is used for returning the calling result to the user.
The application also provides electronic equipment, which comprises a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are connected with each other through the bus;
the memory stores machine readable instructions and the processor performs the method by invoking the machine readable instructions.
The present application also provides a machine-readable storage medium storing machine-readable instructions that, when invoked and executed by a processor, implement the above-described methods.
In the above embodiments, a proxy service is deployed for the key service in the trusted environment, and the proxy service serves users from a data copy of the key data assets (that is, the at least part of the key data assets synchronized to the proxy service). A call request initiated by a user in an untrusted environment for the key service therefore terminates in the proxy service and never touches the key service; in other words, the attack threat posed by malicious users in the untrusted environment to the key service is avoided, and the security of the key data assets is ensured.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an architecture of a service invocation system, shown in an exemplary embodiment;
FIG. 2 is a schematic diagram of the architecture of another service invocation system, shown in an exemplary embodiment;
FIG. 3 is a schematic diagram of the architecture of another service invocation system shown in an exemplary embodiment;
FIG. 4 is a flowchart of a service invocation method shown in an exemplary embodiment;
FIG. 5 is a schematic diagram of an architecture of another service invocation system, shown in an exemplary embodiment;
FIG. 6 is a schematic diagram of an electronic device in which a service invocation apparatus is located, according to an exemplary embodiment;
FIG. 7 is a block diagram of a service invocation apparatus shown in an exemplary embodiment.
Detailed Description
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
A data asset refers to a data resource, recorded electronically or physically, that is owned or controlled by an individual or business and is expected to bring future economic benefits.
In the cloud service technology field, a key data asset may refer to a data resource owned or controlled by a core application of the public cloud itself. For example, key data assets may include, but are not limited to, core management and control service data, CMDB (Configuration Management Database) data, account data, cloud service keys, and other sensitive information.
Public cloud service providers can provide critical services to users based on the critical data assets they maintain. Wherein the key service refers to a cloud service for maintaining key data assets or providing services to users based on the key data assets.
For example, referring to fig. 1, fig. 1 is a schematic architecture diagram of a service invocation system according to an exemplary embodiment. As shown in fig. 1, the critical services may be deployed on a public cloud platform in a trusted environment; a user in a trusted environment may initiate an access request for a critical service deployed on a public cloud platform to perform data read-write operations on critical data assets maintained by the critical service.
Wherein the trusted environment may refer to a physical environment controlled and managed by a public cloud service provider, and may be considered as a secure operating environment. Accordingly, an untrusted environment may refer to a physical environment that is not controlled and managed by a public cloud service provider, may be considered an unsafe operating environment, and may face a wide variety of attacks; for example, for public cloud service providers, a room controlled and managed by a customer or operator of a cloud service belongs to an untrusted environment.
It should be noted that, because the key service is generally provided only to users in the trusted environment, its security level is generally low: security capabilities such as authentication, authorization and encryption may be lacking, and security holes may even exist.
To extend the boundary of the distributed cloud, public cloud service providers currently center on the public cloud and deliver dedicated public cloud services in a customer's local machine room through various product forms. For example, through a public cloud local deployment service, a public cloud service provider can give users a product experience consistent with the public cloud, meeting requirements such as local deployment of customer data, processing of mass data close to its source, and low service latency. For another example, a public cloud service provider can deploy public cloud computing, storage and network hardware into a customer-specified data center and build IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service) on that hardware infrastructure according to the public cloud technology stack; users obtain a product experience consistent with the public cloud, meeting enterprise requirements such as control of exclusive infrastructure, hardware-level isolation, on-site computing scenarios, and security and privacy.
However, the customer's local machine room is an untrusted environment. If the public cloud platform provides key services to users in that untrusted environment, and a malicious user there uses the distributed cloud to attack the public cloud, the key data assets may be leaked or tampered with, which seriously harms the secure operation of the public cloud.
For example, referring to fig. 2, fig. 2 is a schematic diagram illustrating an architecture of another service invocation system according to an exemplary embodiment. As shown in fig. 2, a user in an untrusted environment may initiate an access request for a key service deployed on the public cloud platform in order to perform data read-write operations on the key data assets maintained by the key service; at the same time, malicious users in the untrusted environment can attack the key service by means such as forgery, spoofing, impersonation, tampering, privilege overreach and DoS (Denial of Service) attacks, so that the key data assets maintained by the key service are leaked or tampered with.
In the related art, a Web firewall may be added on the access path between the public cloud platform and the customer machine room to provide capabilities such as encrypted data transmission and ACL (Access Control List) filtering.
For example, referring to fig. 3, fig. 3 is a schematic diagram illustrating an architecture of another service invocation system according to an exemplary embodiment. As shown in fig. 3, the access request from the untrusted environment needs to first pass through the Web firewall, and the Web firewall can filter the access request initiated by the malicious user according to the pre-configured ACL.
It follows that in the embodiment shown above, once the Web firewall has a configuration flaw, or the key service has an exploitable 0-day (zero-day) vulnerability, an access request initiated by a malicious user in the untrusted environment can still reach the key service, so the key service is attacked and the key data assets are leaked or tampered with.
In view of this, the present disclosure aims to propose a security protection mechanism, so that when a public cloud platform in a trusted environment provides a key service for a user in an untrusted environment, the security of key data assets can be ensured.
When the method is implemented, key services that serve users based on key data assets are running on a public cloud platform in a trusted environment. The public cloud platform may deploy a proxy service for the key service in the trusted environment and synchronize at least part of the key data assets to the proxy service. Then, in response to a first call request initiated by a user in an untrusted environment for the key service, the public cloud platform may call the proxy service to obtain the call result corresponding to the first call request, where the call result is obtained by the proxy service from the at least part of the key data assets it stores; finally, the public cloud platform returns the call result to the user.
Therefore, in the technical scheme of this specification, a proxy service is deployed for the key service in the trusted environment, and the proxy service serves users from a data copy of the key data assets (namely, the at least part of the key data assets synchronized to the proxy service). A call request initiated by a user in an untrusted environment for the key service therefore terminates in the proxy service and never touches the key service; in other words, the attack threat posed by malicious users in the untrusted environment to the key service is avoided, and the security of the key data assets is ensured.
The following describes the present application through specific embodiments and in connection with specific application scenarios.
Referring to fig. 4, fig. 4 is a flow chart illustrating a service invocation method according to an exemplary embodiment. The service calling method can be applied to a public cloud platform in a trusted environment; the public cloud platform may have key services provided to users based on key data assets running thereon. As shown in fig. 4, the service invocation method may perform the steps of:
step 402: a proxy service is deployed for the critical services on the public cloud platform and at least some of the critical data assets are synchronized to the proxy service.
For example, a key service Server_A storing the key data asset DATA may be running on a public cloud platform in a trusted environment; a proxy service ProxyServer_A can be deployed for the key service Server_A on the public cloud platform, and a subset data of the key data asset DATA can be synchronized to the proxy service ProxyServer_A, that is, the proxy service ProxyServer_A stores a data copy of the subset data.
It should be noted that, in step 402, data flows in only one direction between the key service and the proxy service, from the former to the latter, and the proxy service cannot call any interface of the key service. This ensures that an access initiated by an external user against the key service ends in the proxy service and cannot reach the key service.
In the step 402, the key service may configure one proxy service for a plurality of untrusted environments, or may configure one proxy service for each untrusted environment.
In one embodiment shown, because users in different untrusted environments may not trust each other, it is desirable not only to prevent malicious users in an untrusted environment from attacking the key data assets stored by the key service, but also to prevent them from attacking the at least part of the key data assets stored by the proxy service, so that the data assets accessed by users in the respective untrusted environments are isolated from each other.
In this case, the deploying a proxy service for the key service on the public cloud platform may specifically include: deploying each proxy service corresponding to each untrusted environment on the public cloud platform; wherein the proxy services are isolated from each other.
For example, referring to fig. 5, fig. 5 is a schematic diagram illustrating an architecture of another service invocation system according to an exemplary embodiment. As shown in fig. 5, the user ServerClient_A1 is located in untrusted environment 1 and the user ServerClient_A2 is located in untrusted environment 2; corresponding proxy services ProxyServer_A1 and ProxyServer_A2 can be deployed for untrusted environment 1 and untrusted environment 2 respectively, and the key data asset subsets data1 and data2 can be synchronized to the proxy services ProxyServer_A1 and ProxyServer_A2 respectively, where data1 and data2 are subsets of the key data asset DATA.
Because the proxy service ProxyServer_A1 and the proxy service ProxyServer_A2 are isolated from each other, the data copy of data1 accessed by the user ServerClient_A1 and the data copy of data2 accessed by the user ServerClient_A2 are also isolated from each other and invisible to each other.
It should be noted that in the embodiments shown above, the subsets of the individual key data assets that are synchronized by the key service to different proxy services, respectively, may be identical or different.
In one embodiment shown, the subsets of the individual key data assets that are synchronized by the key service to the different proxy services, respectively, may be determined separately from the service domains of the individual untrusted environments, and may be different from each other. In this case, said synchronizing at least some of said critical data assets to said proxy service may comprise in particular: determining at least part of key data assets corresponding to the service domains of the non-trusted environments respectively from the key data assets according to the service domains of the non-trusted environments; at least a portion of the critical data assets respectively corresponding to the service domains of the respective untrusted environments are synchronized to the respective proxy services.
For example, the key data asset DATA may contain subsets corresponding to different service domains. When deploying the proxy service ProxyServer_A1 for the key service Server_A for untrusted environment 1, the subset data1 corresponding to the service domain of untrusted environment 1 is determined from the key data asset DATA according to that service domain (or according to the service domain registered by the user ServerClient_A1), and the determined subset data1 is synchronized to the proxy service ProxyServer_A1; by a similar procedure, the subset data2 corresponding to the service domain of untrusted environment 2 may be determined from the key data asset DATA according to that service domain, and the determined subset data2 may be synchronized to the proxy service ProxyServer_A2. The service domains of the respective untrusted environments may be divided by geographic location, such as north China, east China and south China, or by other criteria, which this specification does not particularly limit.
It should be noted that in the embodiment shown above, it is advantageous to control the extent of data that may be compromised or tampered with by configuring different proxy services for different untrusted environments, respectively, and determining the subset of data that needs to be synchronized to each proxy service, respectively.
In some possible embodiments, configuration data on which the public cloud localization deployment service in each untrusted environment depends may also be determined to require synchronization to at least some of the critical data assets of each proxy service in conjunction with the actual needs of the user in each untrusted environment, thereby further controlling the range of data that may be compromised or tampered with.
In step 402, this specification does not limit the specific form of the proxy service. For example, a separate proxy service instance may be deployed for each untrusted environment through a fully hosted microservice platform.
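As an added illustration of step 402 (example code written for this page, not code from the patent or from Alibaba), the following Python model shows a key service pushing a per-service-domain subset of its data asset to one proxy per untrusted environment. The names KeyService, ProxyService, deploy_proxies, the record set DATA and the environment-to-domain mapping ENV_DOMAINS are assumptions constructed here, and the sample records are constructed. It goes slightly beyond the text in two places: the proxy's copy is made read-only, and exposed_record_ids reports what someone who fully compromises one proxy could read, which is the blast radius the embodiment aims to bound.

```python
import copy
from dataclasses import dataclass
from types import MappingProxyType

# Constructed sample: the full key data asset DATA held by key service Server_A.
# Each record is tagged with the service domain it belongs to.
DATA = {
    "acct-001": {"domain": "north", "value": "account record, north"},
    "acct-002": {"domain": "east", "value": "account record, east"},
    "cmdb-001": {"domain": "north", "value": "host inventory, north"},
    "key-001": {"domain": "south", "value": "cloud service key, south"},
}

# Hypothetical mapping of untrusted environments to their service domains.
ENV_DOMAINS = {"env1": "north", "env2": "east"}


@dataclass
class KeyService:
    """Holds the complete asset and only ever pushes data outward."""
    name: str
    data: dict

    def subset_for_domain(self, domain):
        return {rid: rec for rid, rec in self.data.items() if rec["domain"] == domain}

    def sync_to(self, proxy):
        # Unidirectional flow: the key service calls the proxy, never the reverse.
        proxy.receive_sync(self.subset_for_domain(proxy.service_domain))


class ProxyService:
    """Serves calls from one untrusted environment out of a read-only copy.
    It holds no reference to the key service, so it cannot call back into it."""

    def __init__(self, name, service_domain):
        self.name = name
        self.service_domain = service_domain
        self._copy = MappingProxyType({})

    def receive_sync(self, records):
        # Deep copy so later edits inside the key service do not leak through
        # shared objects; MappingProxyType makes the stored copy read-only.
        self._copy = MappingProxyType(copy.deepcopy(records))

    def handle_call(self, record_id):
        rec = self._copy.get(record_id)
        if rec is None:
            # The call terminates here; there is no fallback to the key service.
            return {"status": "not_found"}
        return {"status": "ok", "value": rec["value"]}

    def exposed_record_ids(self):
        """Everything a full compromise of this proxy could disclose."""
        return frozenset(self._copy)


def deploy_proxies(key_service, env_domains):
    """One isolated proxy per untrusted environment, each synced with its subset."""
    proxies = {}
    for env, domain in env_domains.items():
        proxy = ProxyService(f"Proxy{key_service.name}_{env}", domain)
        key_service.sync_to(proxy)
        proxies[env] = proxy
    return proxies


def copy_is_read_only(proxy):
    """True if the proxy's stored copy rejects writes."""
    try:
        proxy._copy["acct-999"] = {"domain": "x", "value": "x"}
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    server_a = KeyService("Server_A", DATA)
    for env, proxy in deploy_proxies(server_a, ENV_DOMAINS).items():
        print(env, proxy.name, sorted(proxy.exposed_record_ids()))
```

Note that the record tagged "south" is never synchronized anywhere because no untrusted environment is registered for that service domain, and that a lookup for a record outside the proxy's subset returns not_found instead of being forwarded, which is the property that keeps the call from reaching the key service.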
Step 404: responding to a first call request initiated by a user in an untrusted environment aiming at the key service, and calling the proxy service to obtain a call result corresponding to the first call request; wherein the call result is derived by the proxy service based on the at least some key data assets stored by the proxy service.
For example, after deploying the proxy service ProxyServer_A for the key service Server_A on the public cloud platform and synchronizing the subset data of the key data asset DATA to ProxyServer_A, the proxy service ProxyServer_A may be called in response to a first call request initiated by the user ServerClient_A in the untrusted environment for the key service Server_A, so that ProxyServer_A obtains the call result corresponding to the first call request from its stored data copy of the subset data.
Therefore, in the technical scheme of this specification, deploying a proxy service for the key service prevents the key service from being directly exposed to the untrusted environment. The proxy service and the key service are isolated from each other, so the stability of the key service is not affected even if the proxy service is attacked; at the same time, only the subset copy stored by the proxy service can be leaked or tampered with, so the scope of damage to the key data assets under attack can be effectively controlled.
In step 404, the public cloud platform may store a first correspondence between the domain name of the key service and the IP (Internet Protocol) address of the key service. For example, the domain name of the key service Server_A is domain_A and its IP address is IP_A; referring to table 1, a domain name resolution table shown in an exemplary embodiment, the public cloud platform may maintain the first correspondence based on a domain name resolution table as shown in table 1.
In the related art, in response to a call request initiated by a user in an untrusted environment for the key service, the public cloud platform may determine, according to the first correspondence, an IP address of the key service corresponding to a domain name of the key service carried in the call request, and may return the IP address of the key service to the user, so that the user redirects the call request to the key service according to the IP address of the key service, and further the key service may provide services for the user based on the key data asset stored in the key service.
In one embodiment shown, in order to reduce the intrusiveness of the security transformation on the key service and its users, to reduce the cost of the transformation, and to avoid affecting the normal operation of the key service, a call request originally directed at the key service can be redirected to the proxy service deployed for the key service by means of domain name hijacking, that is, by re-pointing the domain name resolution.
In this case, the method may further include: and updating the first corresponding relation to a second corresponding relation between the domain name of the key service and the IP address of the proxy service based on the IP address of the proxy service.
Accordingly, the responding to the first call request initiated by the user in the untrusted environment for the key service, and calling the proxy service to obtain a call result corresponding to the first call request may specifically include: responding to a first call request initiated by a user in an untrusted environment for the key service, and determining an IP address of a proxy service corresponding to a domain name of the key service carried in the first call request according to the second corresponding relation; returning the determined IP address of the proxy service to the user; receiving a second call request initiated by the user for the proxy service according to the IP address of the proxy service; and responding to the second call request, calling the proxy service to obtain a call result corresponding to the second call request, and taking the call result corresponding to the second call request as a call result corresponding to the first call request.
For example, in the case where one proxy service is deployed for a critical service, after deploying proxy service proxyserver_a for critical service server_a, the "IP address of critical service server_a" in the domain name resolution table may be updated to the "IP address of proxy service proxyserver_a". Responding to a first call request initiated by a user servercient_A in an untrusted environment 1 aiming at a key service servicer_A, determining an IP address of a proxy service corresponding to a domain name domain_A of the key service carried in the first call request according to an updated domain name resolution table, and returning the determined IP address of the proxy service to the user servercient_A; further, a second call request initiated by the user servercient_a for the proxy service proxyserver_a may be received; in response to the second call request, the proxy service proxyserver_a may be called to obtain a call result corresponding to the second call request based on the subset data stored in the proxy service proxyserver_a, and the call result corresponding to the second call request may be used as a call result corresponding to the first call request.
In another embodiment shown, each proxy service corresponding to each untrusted environment is deployed on the public cloud platform; the public cloud platform also stores a third correspondence between the IP address of the proxy service and the service domain identification of the untrusted environment. In this case, before returning the determined address of the IP of the proxy service to the user, the method further includes: and determining the IP address of the proxy service corresponding to the service domain identifier of the un-trusted environment carried in the first call request from the IP addresses of the proxy services according to the third corresponding relation.
For example, suppose the IP address of proxy service proxyserver_a1 is ip_a1 and the IP address of proxy service proxyserver_a2 is ip_a2, and the service domain identifier of untrusted environment 1 is region1 and that of untrusted environment 2 is region2. After proxy services proxyserver_a1 and proxyserver_a2 have been deployed for the key service server_a, the domain name resolution table is updated as shown in Table 2 (an updated domain name resolution table in an exemplary embodiment), and
the public cloud platform may maintain the second and third correspondences based on the updated domain name resolution table shown in Table 2. In response to a first call request initiated by the user serviceclient_a1 in untrusted environment 1 for the key service server_a, it is determined according to the updated domain name resolution table that the IP address of the proxy service corresponding to the domain name domain_A and the service domain identifier region1 carried in the first call request is ip_a1 (the IP address of proxyserver_a1), and the determined IP address ip_a1 is returned to the user serviceclient_a1; further, a second call request initiated by the user serviceclient_a1 for the proxy service proxyserver_a1 can be received; in response to the second call request, the proxy service proxyserver_a1 can be called to obtain a call result corresponding to the second call request based on the stored subset data1, and the call result corresponding to the second call request can be used as the call result corresponding to the first call request.
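The second and third correspondences described above, as an added worked example that is not part of the patent: a small resolution table that, once a proxy has been deployed for a key service's domain name, answers a caller in a given service domain with the IP address of the proxy serving that domain, and never with the key service's own IP. The class and function names (ResolutionTable, deploy_proxy, resolve, build_example_table) are hypothetical, and the table contents are constructed from the page's example values (domain_A, ip_a1/ip_a2, region1/region2); Table 2 itself is not reproduced here.

```python
"""Added example (not from the patent): domain-name resolution that points a
key service's domain at the per-region proxy deployed for it."""
from typing import Dict, List, Optional


class ResolutionTable:
    """Holds the three correspondences the page describes.

    first  : key-service domain name -> IP address of the key service itself
    second : key-service domain name -> IP addresses of its proxy services
    third  : proxy IP address        -> service domain identifier it serves
    """

    def __init__(self, key_service_ips: Dict[str, str]):
        self.first: Dict[str, str] = dict(key_service_ips)
        self.second: Dict[str, List[str]] = {}
        self.third: Dict[str, str] = {}

    def deploy_proxy(self, domain: str, proxy_ip: str, region: str) -> None:
        """Record a proxy for `domain` that serves callers in `region`.

        Updating `second` is the step the page calls replacing the first
        correspondence with the second: from now on `domain` resolves to a
        proxy, not to the key service.
        """
        if domain not in self.first:
            raise KeyError(f"no key service registered for {domain}")
        self.second.setdefault(domain, []).append(proxy_ip)
        self.third[proxy_ip] = region

    def resolve(self, domain: str, region: str) -> Optional[str]:
        """Resolve `domain` for a caller whose service domain is `region`.

        Returns the proxy IP for that region, or None when no proxy serves
        the region. Returning None rather than the key-service IP from
        `first` is an assumption of this example (fail closed), so an
        untrusted caller can never be handed the key service's address.
        """
        for ip in self.second.get(domain, []):
            if self.third.get(ip) == region:
                return ip
        return None


def build_example_table() -> ResolutionTable:
    """Constructed sample state mirroring the page's example (hypothetical values)."""
    table = ResolutionTable({"domain_A": "ip_server_a"})   # first correspondence
    table.deploy_proxy("domain_A", "ip_a1", "region1")     # proxyserver_a1
    table.deploy_proxy("domain_A", "ip_a2", "region2")     # proxyserver_a2
    return table


if __name__ == "__main__":
    t = build_example_table()
    print(t.resolve("domain_A", "region1"))  # ip_a1
    print(t.resolve("domain_A", "region2"))  # ip_a2
    print(t.resolve("domain_A", "region3"))  # None: no proxy for this region
```

The lookup is keyed on both the domain name and the caller's service domain identifier, so a request from region1 can only ever be steered to proxyserver_a1 and its data1 subset; a region with no deployed proxy gets no answer at all rather than falling through to the key service.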
In some possible embodiments, a domain name resolution service (DNS server as shown in fig. 5) may be deployed in a trusted environment, thereby ensuring mutual trust between the domain name resolution service and critical services.
It should be noted that, in the embodiment shown above, by means of domain name hijacking, the domain name resolution address is pointed to the proxy service configured for the critical service, and only the proxy service may be exposed to the untrusted environment, but the critical service itself may not be exposed to the untrusted environment; moreover, for users in an untrusted environment, after the security mechanism is adopted, the configuration is not required to be changed, and a call request for key services is still initiated.
Step 406: and returning the calling result to the user.
For example, after obtaining a DATA copy of the subset DATA of the key DATA asset DATA that proxy server_a stores based on, the call result corresponding to the first call request, the call result may be returned to user server client_a in the untrusted environment.
In one embodiment shown, the key service may specifically be a data access service, and the first call request may request a read operation or a write operation on the key data asset stored by the data access service. To further protect the key data asset and prevent tampering with it or with the subset copies held by the proxy services, a read-write separation architecture may be employed, so that users in an untrusted environment are served in read-only mode.
In this case, responding to a first call request initiated by a user in the untrusted environment for the key service and calling the proxy service to obtain a call result corresponding to the first call request may specifically include: if the first call request requests a read operation on the key data asset stored by the data access service, calling the proxy service to perform the read operation on the part of the key data asset stored by the proxy service and obtaining the call result corresponding to the first call request; and if the first call request requests a write operation on the key data asset stored by the data access service, denying the first call request.
For example, if a first call request initiated by the user serviceclient_a1 in the untrusted environment 1 is used to request a read operation for the key DATA asset DATA stored by the key service server_a, the proxy service proxyserver_a1 deployed for the untrusted environment 1 may be invoked to perform a read operation for the subset DATA1 stored by the proxy service proxyserver_a1, so as to obtain a call result corresponding to the first call request.
For another example, if the first call request initiated by the user serviceclient_a1 in untrusted environment 1 requests a write operation on the key data asset DATA stored by the key service server_a, the first call request may be discarded directly, or a rejection response corresponding to the first call request may be returned to the user serviceclient_a1 in untrusted environment 1.
In one embodiment shown, the proxy services deployed for the key service may also serve users in the trusted environment. In this case, the method may further include: responding to a third call request initiated by a user in the trusted environment for the key service, and calling the proxy service to obtain a call result corresponding to the third call request, where the call result is derived by the proxy service from the part of the key data asset it stores.
In some possible embodiments, the key service may specifically be a data access service, and the third call request may request a read operation or a write operation on the key data asset stored by the data access service. Calling the proxy service to obtain a call result corresponding to the third call request may specifically include: if the third call request requests a read operation on the key data asset stored by the data access service, calling the proxy service to perform the read operation on the part of the key data asset stored by the proxy service and obtaining the call result corresponding to the third call request; and if the third call request requests a write operation on the key data asset stored by the data access service, calling the proxy service to perform the write operation on the part of the key data asset stored by the proxy service and obtaining the call result corresponding to the third call request.
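The read-write separation described in the preceding paragraphs (read-only for the first call request from an untrusted environment, read and write for the third call request from the trusted environment), as an added worked example that is not part of the patent: a proxy that holds only its synchronized subset of the key data asset and decides each request on the operation and the caller's environment. The names (CallRequest, ProxyService, build_example_proxy) and the sample records in SUBSET_DATA1 are hypothetical and constructed for this example; the trust flag stands in for whatever the platform actually uses to distinguish the two environments.

```python
"""Added example (not from the patent): a proxy service applying read-write
separation over its synchronized subset of the key data asset."""
import copy
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple


@dataclass(frozen=True)
class CallRequest:
    op: str                 # "read" or "write"
    key: str                # record within the key data asset
    value: Any = None       # payload for writes
    trusted: bool = False   # True only for callers in the trusted environment (assumed signal)


class ProxyService:
    """Serves requests from the subset it holds; never forwards to the key service."""

    def __init__(self, subset: Dict[str, Any]):
        # Copy of the part of the key data asset synchronized to this proxy.
        self._subset: Dict[str, Any] = copy.deepcopy(subset)

    def handle(self, req: CallRequest) -> Tuple[str, Optional[Any]]:
        """Return (status, payload).

        Reads are allowed from either environment but only over this proxy's
        subset. Writes are denied for untrusted callers (first call request)
        and applied to the subset for trusted callers (third call request).
        """
        if req.op == "read":
            if req.key not in self._subset:
                # Data outside this proxy's subset is simply not here.
                return ("not_found", None)
            # Hand back a copy so the caller cannot mutate proxy state.
            return ("ok", copy.deepcopy(self._subset[req.key]))
        if req.op == "write":
            if not req.trusted:
                # Read-only mode for the untrusted environment: reject.
                return ("denied", None)
            self._subset[req.key] = copy.deepcopy(req.value)
            return ("ok", None)
        return ("bad_request", None)


# Constructed sample subset "data1" for the proxy serving region1 (hypothetical records).
SUBSET_DATA1: Dict[str, Any] = {
    "rec-1": {"owner": "tenant-1", "balance": 100},
    "rec-2": {"owner": "tenant-2", "balance": 250},
}


def build_example_proxy() -> ProxyService:
    return ProxyService(SUBSET_DATA1)


if __name__ == "__main__":
    proxy = build_example_proxy()
    print(proxy.handle(CallRequest("read", "rec-1")))                        # ok
    print(proxy.handle(CallRequest("write", "rec-1", {"balance": 0})))       # denied
    print(proxy.handle(CallRequest("write", "rec-1", {"balance": 0}, True))) # ok
```

Because the untrusted path has no code path that reaches the key service or mutates the subset, a write attempt from that environment leaves both the key data asset and the proxy's copy untouched, which is the property the text describes as terminating the request in the proxy.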
In this specification, the user in the trusted environment may also directly call the key service to perform a read-write operation on the key data asset stored in the key service, which is not limited in this specification.
It should be noted that, in the above embodiment, having the proxy service serve users in the trusted environment further protects the security and stability of the key data asset compared with having the key service serve those users directly.
In addition, the proxy service can add further security on top of preserving compatibility, for example by introducing layer-4 ACL control or layer-7 (HTTP) WAF capabilities, which this specification does not limit.
According to the technical scheme above, a proxy service is deployed for the key service in the trusted environment, and the proxy service serves users from a data copy of the key data asset (that is, the part of the key data asset synchronized to the proxy service). Call requests initiated by users in the untrusted environment for the key service therefore terminate in the proxy service and never reach the key service itself, so attack threats against the key service from malicious users in the untrusted environment are avoided and the security of the key data asset is ensured.
The present specification also provides an embodiment of a service invocation system, and an embodiment of a service invocation apparatus, corresponding to the embodiment of the service invocation method.
Referring to fig. 6, fig. 6 is a hardware configuration diagram of an electronic device on which a service calling device is located in an exemplary embodiment. At the hardware level, the device includes a processor 602, an internal bus 604, a network interface 606, memory 608, and non-volatile storage 610, and may include other hardware as required. One or more embodiments of the present description may be implemented in software, for example by the processor 602 reading a corresponding computer program from the non-volatile storage 610 into the memory 608 and then running it. Of course, in addition to software implementations, one or more embodiments of the present disclosure do not exclude other implementations, such as a logic device or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to individual logic units but may also be hardware or a logic device.
Referring to fig. 7, fig. 7 is a block diagram illustrating a service invocation apparatus according to an exemplary embodiment. The service calling device can be applied to the electronic equipment shown in fig. 6 to realize the technical scheme of the specification. The device is applied to a public cloud platform in a trusted environment; the public cloud platform is operated with key services provided for users based on key data assets; the device comprises:
A deployment unit 702 configured to deploy proxy services for the critical services on the public cloud platform, and synchronize at least some of the critical data assets to the proxy services;
a calling unit 704, configured to respond to a first call request initiated by a user in an untrusted environment for the key service, and call the proxy service to obtain a call result corresponding to the first call request; wherein the call result is derived by the proxy service based on the at least part of the key data assets stored by the proxy service;
a returning unit 706, configured to return the call result to the user.
In this embodiment, the deployment unit 702 is specifically configured to:
deploying each proxy service corresponding to each untrusted environment on the public cloud platform; wherein the proxy services are isolated from each other.
In this embodiment, the deployment unit 702 is specifically configured to:
determining, from the key data assets and according to the service domains of the untrusted environments, the part of the key data assets corresponding to the service domain of each untrusted environment;
at least a portion of the critical data assets respectively corresponding to the service domains of the respective untrusted environments are synchronized to the respective proxy services.
In this embodiment, the public cloud platform stores a first correspondence between a domain name of the key service and an IP address of the key service;
the apparatus further comprises:
an updating unit, configured to update the first correspondence to a second correspondence between a domain name of the key service and an IP address of the proxy service based on the IP address of the proxy service;
the calling unit 704 is specifically configured to:
responding to a first call request initiated by a user in an untrusted environment for the key service, and determining an IP address of a proxy service corresponding to a domain name of the key service carried in the first call request according to the second corresponding relation;
returning the determined IP address of the proxy service to the user;
receiving a second call request initiated by the user for the proxy service according to the IP address of the proxy service;
and responding to the second call request, calling the proxy service to obtain a call result corresponding to the second call request, and taking the call result corresponding to the second call request as a call result corresponding to the first call request.
In this embodiment, a separate proxy service corresponding to each untrusted environment is deployed on the public cloud platform; the public cloud platform also stores a third correspondence between the IP address of each proxy service and the service domain identifier of the untrusted environment it serves;
the calling unit 704 is specifically further configured to:
determining, from the IP addresses of the proxy services and according to the third correspondence, the IP address of the proxy service corresponding to the service domain identifier of the untrusted environment carried in the first call request.
In this embodiment, the key service is a data access service; the first call request is used for requesting to perform a read operation or a write operation on key data assets stored by the data access service;
the calling unit 704 is specifically configured to:
if the first call request is used for requesting to perform a read operation on the key data assets stored by the data access service, the proxy service is called to perform the read operation on at least part of the key data assets stored by the proxy service, and a call result corresponding to the first call request is obtained;
the first call request is denied if the first call request is for requesting a write operation to a critical data asset stored by the data access service.
In this embodiment, the calling unit 704 is specifically further configured to:
responding to a third call request initiated by a user in the trusted environment for the data access service, and if the third call request is used for requesting to perform a read operation on key data assets stored by the data access service, invoking the proxy service to perform the read operation on at least part of the key data assets stored by the proxy service, so as to obtain a call result corresponding to the third call request;
and if the third call request is used for requesting writing operation on the key data assets stored by the data access service, calling the proxy service to perform writing operation on at least part of the key data assets stored by the proxy service, and obtaining a call result corresponding to the third call request.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are illustrative only, in that the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present description. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
User information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to herein are information and data authorized by the user or fully authorized by the parties concerned; the collection, use and processing of such data must comply with the relevant laws, regulations and standards of the relevant country and region, and corresponding operation portals are provided for the user to grant or deny authorization.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The foregoing description of the preferred embodiment(s) is (are) merely intended to illustrate the embodiment(s) of the present invention, and it is not intended to limit the embodiment(s) of the present invention to the particular embodiment(s) described.

Claims (10)

1. A service invocation method, the method being applied to a public cloud platform in a trusted environment; the public cloud platform is operated with key services provided for users based on key data assets; the method comprises the following steps:
deploying a proxy service for the critical service on the public cloud platform and synchronizing at least some of the critical data assets to the proxy service;
responding to a first call request initiated by a user in an untrusted environment aiming at the key service, and calling the proxy service to obtain a call result corresponding to the first call request; wherein the call result is derived by the proxy service based on the at least part of the key data assets stored by the proxy service;
and returning the calling result to the user.
2. The method of claim 1, the deploying proxy services for the critical services on the public cloud platform comprising:
deploying each proxy service corresponding to each untrusted environment on the public cloud platform; wherein the proxy services are isolated from each other.
3. The method of claim 2, the synchronizing at least some of the critical data assets to the proxy service, comprising:
determining, from the key data assets and according to the service domains of the untrusted environments, the part of the key data assets corresponding to the service domain of each untrusted environment;
at least a portion of the critical data assets respectively corresponding to the service domains of the respective untrusted environments are synchronized to the respective proxy services.
4. The method of claim 1, the public cloud platform storing a first correspondence between a domain name of the critical service and an IP address of the critical service;
the method further comprises the steps of:
updating the first corresponding relation to a second corresponding relation between the domain name of the key service and the IP address of the proxy service based on the IP address of the proxy service;
The responding to a first call request initiated by a user in an untrusted environment aiming at the key service, calling the proxy service to obtain a call result corresponding to the first call request, and comprises the following steps:
responding to a first call request initiated by a user in an untrusted environment for the key service, and determining an IP address of a proxy service corresponding to a domain name of the key service carried in the first call request according to the second corresponding relation;
returning the determined IP address of the proxy service to the user;
receiving a second call request initiated by the user for the proxy service according to the IP address of the proxy service;
and responding to the second call request, calling the proxy service to obtain a call result corresponding to the second call request, and taking the call result corresponding to the second call request as a call result corresponding to the first call request.
5. The method of claim 4, wherein a separate proxy service corresponding to each untrusted environment is deployed on the public cloud platform; the public cloud platform also stores a third correspondence between the IP address of each proxy service and the service domain identifier of the untrusted environment it serves;
before returning the determined IP address of the proxy service to the user, the method further includes:
determining, from the IP addresses of the proxy services and according to the third correspondence, the IP address of the proxy service corresponding to the service domain identifier of the untrusted environment carried in the first call request.
6. The method of claim 1, the critical service being a data access service; the first call request is used for requesting to perform a read operation or a write operation on key data assets stored by the data access service;
the responding to a first call request initiated by a user in an untrusted environment aiming at the key service, calling the proxy service to obtain a call result corresponding to the first call request, and comprises the following steps:
if the first call request is used for requesting to perform a read operation on the key data assets stored by the data access service, the proxy service is called to perform the read operation on at least part of the key data assets stored by the proxy service, and a call result corresponding to the first call request is obtained;
the first call request is denied if the first call request is for requesting a write operation to a critical data asset stored by the data access service.
7. The method of claim 6, the method further comprising:
responding to a third call request initiated by a user in the trusted environment for the data access service, and if the third call request is used for requesting to perform a read operation on key data assets stored by the data access service, invoking the proxy service to perform the read operation on at least part of the key data assets stored by the proxy service, so as to obtain a call result corresponding to the third call request;
and if the third call request is used for requesting writing operation on the key data assets stored by the data access service, calling the proxy service to perform writing operation on at least part of the key data assets stored by the proxy service, and obtaining a call result corresponding to the third call request.
8. A service invocation apparatus applied to a public cloud platform in a trusted environment; the public cloud platform is operated with key services provided for users based on key data assets; the device comprises:
a deployment unit configured to deploy proxy services for the critical services on the public cloud platform and synchronize at least some of the critical data assets to the proxy services;
A calling unit, configured to respond to a first call request initiated by a user in an untrusted environment for the key service, and call the proxy service to obtain a call result corresponding to the first call request; wherein the call result is derived by the proxy service based on the at least part of the key data assets stored by the proxy service;
and the return unit is used for returning the calling result to the user.
9. An electronic device comprises a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are connected with each other through the bus;
the memory stores machine readable instructions, and the processor performs the method of any of claims 1-7 by invoking the machine readable instructions.
10. A machine-readable storage medium storing machine-readable instructions which, when invoked and executed by a processor, implement the method of any one of claims 1-7.
CN202310313207.3A 2023-03-24 2023-03-24 Service calling method and device, electronic equipment and machine-readable storage medium Pending CN116527316A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310313207.3A CN116527316A (en) 2023-03-24 2023-03-24 Service calling method and device, electronic equipment and machine-readable storage medium


Publications (1)

Publication Number Publication Date
CN116527316A true CN116527316A (en) 2023-08-01

Family

ID=87405500


Country Status (1)

Country Link
CN (1) CN116527316A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination