CN116760595A - Access method, computing device and computer storage medium - Google Patents

Access method, computing device and computer storage medium

Info

Publication number
CN116760595A
Authority
CN
China
Prior art keywords
access
edge
node
gateway
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310707920.6A
Other languages
Chinese (zh)
Inventor
斯云
张振华
王忠杰
吴旭东
王希维
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba China Co Ltd
Priority to CN202310707920.6A
Publication of CN116760595A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/563 Data redirection of data network streams

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application provides an access method, a computing device and a computer storage medium. The access method is applied to a central gateway deployed at a central node and comprises the following steps: receiving an access request for a target access interface deployed at the central node, the access request being sent by an edge gateway deployed at an edge node; determining whether the edge node has the access right of the target access interface; and forwarding the access request to the target access interface under the condition that the edge node has that access right. The technical scheme provided by the embodiment improves the access security of the central node and prevents network attacks on the central node originating from the edge node.

Description

Access method, computing device and computer storage medium
Technical Field
Embodiments of the present application relate to the field of communications technologies, and in particular, to an access method, a computing device, and a computer storage medium.
Background
With the continuous development of the internet and the internet of things, emerging technologies such as distributed computing, cloud computing and edge computing are gradually becoming a trend. These technologies typically offer flexibility, scalability and high availability, so many applications and services are migrated to the cloud, i.e. the central node, for management and operation.
Because of its data processing capability, the central node is generally deployed in a centralized manner far away from users, so network delay is high when the user side accesses the central node. To address this, an edge node may be deployed on the user side, so that the user can reduce network latency by accessing the edge node, which in turn accesses the cloud service access interface deployed in the central node.
Therefore, how to improve the security of access to the central node and prevent network attacks on the central node originating from the edge node is a technical problem to be solved.
Disclosure of Invention
The embodiment of the invention provides an access method, an access device, a computing device and a computer storage medium.
In a first aspect, an embodiment of the present invention provides an access method, applied to a central gateway, where the central gateway is disposed in a central node, the method includes:
receiving an access request for requesting access to a target access interface, wherein the target access interface is deployed at the central node, and the access request is sent by an edge gateway deployed at an edge node;
determining whether the edge node has access rights of the target access interface;
And forwarding the access request to the target access interface under the condition that the edge node has the access right of the target access interface.
In a second aspect, an embodiment of the present invention provides an access method, applied to an edge gateway, where the edge gateway is deployed at an edge node, the method includes:
sending an access request for a target access interface to a central gateway deployed at a central node, so that the central gateway determines whether the edge node has access rights of the target access interface; and forwarding the access request to the target access interface under the condition that the edge node has the access right of the target access interface.
In a third aspect, an embodiment of the present invention provides an access method, applied to an edge application, where the edge application is deployed on an edge node, and an edge gateway is further deployed on the edge node, where the method includes:
sending an access request for a target access interface deployed on a central node to the edge gateway, so that the edge gateway forwards the access request to the central gateway, and the central gateway determines whether the edge node has access authority of the target access interface; and forwarding the access request to the target access interface under the condition that the edge node has the access right of the target access interface.
In a fourth aspect, an embodiment of the present invention provides an access method, applied to a target access interface, where the target access interface is deployed on a central node, and a central gateway is further deployed on the central node, where the method includes:
receiving an access request sent by the central gateway, wherein the central gateway, after receiving the access request sent by the edge gateway deployed on the edge node, determines whether the edge node has the access right of the target access interface and sends the access request to the target access interface under the condition that the edge node has that access right.
In a fifth aspect, an embodiment of the present invention provides an access device, which is applied to a central gateway, where the central gateway is disposed in a central node, and the device includes:
the first request receiving module is used for receiving an access request for requesting to access a target access interface, the target access interface is deployed at the central node, and the access request is sent by an edge gateway deployed at an edge node;
the permission determination module is used for determining whether the edge node has the access permission of the target access interface;
And the request forwarding module is used for forwarding the access request to the target access interface under the condition that the edge node has the access right of the target access interface.
In a sixth aspect, an embodiment of the present invention provides an access device, which is applied to an edge gateway, where the edge gateway is disposed at an edge node, and the device includes:
the first request sending module is used for sending an access request aiming at a target access interface to a central gateway deployed at a central node so that the central gateway can determine whether the edge node has the access right of the target access interface or not; and forwarding the access request to the target access interface under the condition that the edge node has the access right of the target access interface.
In a seventh aspect, an embodiment of the present invention provides an access device, which is applied to an edge application, where the edge application is deployed on an edge node, an edge gateway is further deployed on the edge node, and the device includes:
a second request sending module, configured to send an access request for a target access interface deployed on a central node to the edge gateway, so that the edge gateway forwards the access request to the central gateway, and the central gateway determines whether the edge node has access rights of the target access interface; and forwarding the access request to the target access interface under the condition that the edge node has the access right of the target access interface.
In an eighth aspect, an embodiment of the present invention provides an access device, which is applied to a target access interface, where the target access interface is disposed on a central node, a central gateway is further disposed on the central node, and the device includes:
a second request receiving module, configured to receive an access request sent by the central gateway, wherein the central gateway, after receiving the access request sent by the edge gateway deployed on the edge node, determines whether the edge node has the access right of the target access interface and sends the access request to the target access interface under the condition that the edge node has that access right.
In a ninth aspect, in an embodiment of the present invention, a computing device includes a processing component and a storage component;
the storage component stores one or more computer instructions; the one or more computer instructions are used for being invoked and executed by the processing component to realize the access method provided by the embodiment of the invention.
In a tenth aspect, in an embodiment of the present invention, there is provided a computer storage medium storing a computer program, where the computer program, when executed by a computer, implements an access method provided in the embodiment of the present invention.
The embodiment of the invention provides an access method applied to a central gateway deployed at a central node. An access request for a target access interface is received, where the target access interface is deployed at the central node and the access request is sent by an edge gateway deployed at an edge node; it is determined whether the edge node has the access right of the target access interface; and the access request is forwarded to the target access interface only when the edge node has that access right. With this technical scheme, every access request aimed at the central node is received by the central gateway first, and is forwarded into the central node only after the central gateway has judged that the edge node sending the request holds the access right. This improves the security of access to the central node and prevents network attacks on the central node originating from the edge node.
These and other aspects of the invention will be more readily apparent from the following description of the embodiments.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 schematically illustrates a flow chart of an access method provided by one embodiment of the invention;
FIG. 2 schematically illustrates a schematic diagram of an access method provided by an embodiment of the present invention;
fig. 3 schematically illustrates a schematic diagram of configuring identity information for an edge gateway by a central gateway in an embodiment of the present invention;
FIG. 4 schematically illustrates a schematic diagram of an access method provided by an embodiment of the present invention;
FIG. 5 schematically illustrates a block diagram of an access device provided by one embodiment of the present invention;
FIG. 6 schematically illustrates a block diagram of a computing device provided by one embodiment of the invention.
Detailed Description
In order to enable those skilled in the art to better understand the present invention, the following description will make clear and complete descriptions of the technical solutions according to the embodiments of the present invention with reference to the accompanying drawings.
In some of the flows described in the specification and claims of the present invention and in the foregoing figures, a plurality of operations occurring in a particular order are included, but it should be understood that the operations may be performed out of order or performed in parallel, with the order of operations such as 101, 102, etc., being merely used to distinguish between the various operations, the order of the operations themselves not representing any order of execution. In addition, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first" and "second" herein are used to distinguish different messages, devices, modules, etc., and do not represent a sequence, and are not limited to the "first" and the "second" being different types.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present invention are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region, and provide corresponding operation entries for the user to select authorization or rejection.
With the continuous development of the internet and the internet of things, emerging technologies such as distributed computing, cloud computing and edge computing are gradually becoming a trend. These technologies typically offer flexibility, scalability and high availability, so many applications and services are migrated to the cloud, i.e. the central node, for management and operation.
Because of its data processing capability, the central node is generally deployed in a centralized manner far away from users, so network delay is high when the user side accesses the central node. To address this, an edge node may be deployed on the user side, so that the user can reduce network latency by accessing the edge node, which in turn accesses the cloud service access interface deployed in the central node.
Therefore, how to improve the security of access to the central node and prevent network attacks on the central node originating from the edge node is a technical problem to be solved.
In order to solve this technical problem, the embodiment of the invention provides an access method applied to a central gateway deployed at a central node. An access request for a target access interface is received, where the target access interface is deployed at the central node and the access request is sent by an edge gateway deployed at an edge node; it is determined whether the edge node has the access right of the target access interface; and the access request is forwarded to the target access interface only when the edge node has that access right. With this technical scheme, every access request aimed at the central node is received by the central gateway first, and is forwarded into the central node only after the central gateway has judged that the edge node sending the request holds the access right. This improves the security of access to the central node and prevents network attacks on the central node originating from the edge node.
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
Fig. 1 schematically illustrates a flowchart of an access method according to an embodiment of the present invention, where the access method is applied to a central gateway, and the central gateway is deployed at a central node, as shown in fig. 1, and the access method may include the following steps:
101, receiving an access request for requesting access to a target access interface, wherein the target access interface is deployed at a central node, and the access request is sent by an edge gateway deployed at an edge node;
102, determining whether the edge node has the access right of the target access interface;
103, in case the edge node has access rights to the target access interface, forwarding the access request to the target access interface.
According to embodiments of the present invention, the target access interface is the interface through which other nodes in the distributed system, such as edge nodes, access or invoke the services and resources provided by the central node. The target access interface may be implemented as a Web API (Web Application Programming Interface), through RPC (Remote Procedure Call), or the like.
According to the embodiment of the invention, when the edge node initiates the access request, the access request carries the identification information or the access address of the target access interface, the access request is sent to the edge gateway, and the edge gateway forwards the access request to the central gateway.
According to the embodiment of the invention, the central gateway can perform unified security control on access requests aimed at the central node. Specifically, the central gateway judges whether the initiator of the access request has the access right of the central node and of at least one access interface in the central node, and forwards the access request into the central node only if it does; if the initiator does not have the access right of the central node, the central gateway intercepts the access, so that the central node is never reached by an edge node without the access right.
According to one embodiment of the invention, a pre-maintained access control list (Access Control List, ACL) may be used to determine whether an edge node has the access right of the target access interface. Specifically, an administrator registers the edge node in the ACL in advance and then specifies in the ACL the access right of that edge node to the target access interface. After receiving an access request from the edge node, the central gateway can therefore determine whether the edge node has the access right of the target access interface by querying the ACL.
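The ACL variant of steps 101 to 103, as an added example in Go; this is not code from the patent or from the assignee. The request fields, the edge node and interface names and the ACL contents are constructed assumptions. The point it shows is the ordering the text insists on: the gateway consults the ACL before it touches any interface handler, so an unregistered edge node, or a registered one asking for an interface it has no right to, is refused without the request ever reaching the central node's interface code.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessRequest is the request an edge gateway forwards to the central gateway.
// The field names are this example's assumptions; the page only says the request
// carries the identification information or access address of the target interface.
type AccessRequest struct {
	EdgeNodeID string // edge node whose edge gateway sent the request
	Interface  string // identification information of the target access interface
	Payload    string // body handed to the interface if the request is forwarded
}

var (
	ErrNotRegistered = errors.New("edge node is not registered in the ACL")
	ErrNoAccessRight = errors.New("edge node has no access right for the target access interface")
)

// ACL is the pre-maintained access control list: edge node -> interfaces it may call.
type ACL map[string]map[string]bool

// CentralGateway fronts the target access interfaces deployed at the central node.
type CentralGateway struct {
	acl        ACL
	interfaces map[string]func(AccessRequest) string // target access interfaces by identification
}

// HasAccessRight is step 102: query the ACL for the edge node and the requested interface.
func (g *CentralGateway) HasAccessRight(req AccessRequest) error {
	rights, ok := g.acl[req.EdgeNodeID]
	if !ok {
		return ErrNotRegistered
	}
	if !rights[req.Interface] {
		return ErrNoAccessRight
	}
	return nil
}

// Handle is steps 101 to 103: the request is forwarded only after the ACL check passes,
// so an unauthorized edge node never reaches the interface code at all.
func (g *CentralGateway) Handle(req AccessRequest) (string, error) {
	if err := g.HasAccessRight(req); err != nil {
		return "", err
	}
	handler, ok := g.interfaces[req.Interface]
	if !ok {
		return "", fmt.Errorf("target access interface %q is not deployed", req.Interface)
	}
	return handler(req), nil
}

// NewDemoGateway builds a gateway with a constructed ACL: edge node "edge-shanghai"
// may call "storage.read" but not "storage.write"; "edge-unknown" is not registered.
func NewDemoGateway() *CentralGateway {
	return &CentralGateway{
		acl: ACL{"edge-shanghai": {"storage.read": true}},
		interfaces: map[string]func(AccessRequest) string{
			"storage.read":  func(r AccessRequest) string { return "read:" + r.Payload },
			"storage.write": func(r AccessRequest) string { return "wrote:" + r.Payload },
		},
	}
}
```

The ACL is keyed per interface rather than per node alone, which is the interface-granularity control the text later contrasts with a plain VPN between the nodes.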
According to the embodiment of the invention, the central gateway and the edge gateway are respectively deployed in advance on the central node and the edge node, a safe and reliable communication channel can be established between the central node and the edge node, and the access rights of the edge gateway to the central node can be transmitted through the pre-established communication channel, so that the safety of the access of the central node is improved, and the technical effect of preventing the central node from being attacked by the network from the edge node is realized.
According to one embodiment of the invention, validation of rights to access requests may also be achieved using a virtual private network (Virtual Private Network, VPN). Specifically, the edge node with the access right of the center node and the center node can be pre-established with a VPN to connect the trusted edge node and the center node to form a virtual private network, so that safety protection is provided for communication between the edge node and the center node.
The inventor finds that in the process of implementing the inventive concept, a plurality of cloud services can be deployed on a central node generally, so the central node may provide an access interface for each cloud service, and the authority requirements of each access interface on visitors may be different. If a secure channel between the edge node and the central node is established by using the VPN, the trusted edge node may directly obtain access rights of all access interfaces provided by the central node, and may not realize rights control of granularity of the access interfaces.
According to an embodiment of the present invention, determining whether an edge node has access rights of a target access interface may be specifically implemented as:
determining whether the edge node has the access right of the center node or not based on the encrypted identity information carried in the access request;
in the case that the edge node is determined to have the access right of the central node, determining, based on the access request, whether the edge node has the access right of the target access interface.
According to the embodiment of the invention, when the central node confirms the access authority, whether the edge node has the access authority of the central node can be determined first, and in the case that the edge node is determined to have the access authority of the central node, whether the edge node has the access authority of at least one access interface provided by the central node can be further determined. If the edge node is determined not to have the access right of the center node, whether the edge node has the access right of at least one access interface provided by the center node or not is not needed to be judged continuously, and the access can be directly refused.
According to the embodiment of the invention, the access request from the edge node undergoes two permission confirmations, so that access control at the granularity of the access interface can be applied to the access request while the central node is kept from network attacks originating from the edge node, further improving the access security of the access interface.
According to an embodiment of the invention, the encrypted identity information is generated by encrypting the identity information of the edge gateway based on a preset encryption scheme.
According to the embodiment of the invention, the central gateway can configure identity information for the edge gateway in advance. Specifically, the trusted edge node may be registered with the central node in advance, and after the registration is successful, identity information uniquely corresponding to the edge gateway is generated, and then the identity information is sent to the edge gateway. The edge gateway may store the identity information locally after receiving the identity information.
According to the embodiment of the invention, when the edge gateway sends an access request to the central gateway, it encrypts the pre-stored identity information according to the preset encryption mode to obtain the encrypted identity information, and adds the encrypted identity information to the access request, so that the access request carrying the encrypted identity information is sent to the central gateway. The central gateway can then identify the edge gateway from the encrypted identity information and judge whether the edge node has the access right of the central node.
According to an embodiment of the present invention, the preset encryption algorithm may include, for example, a symmetric encryption algorithm, an asymmetric encryption algorithm, and the like. The implementation mode of the specific encryption algorithm can be flexibly set by a person skilled in the art according to the actual application requirement, and the implementation mode of the encryption algorithm is not specifically limited by the invention.
According to the embodiment of the invention, determining whether the edge node has the access right of the central node based on the encrypted identity information carried in the access request can be specifically realized as follows:
decrypting the encrypted identity information according to a preset decryption mode corresponding to the preset encryption mode to obtain the identity information;
acquiring pre-stored verification identity information;
verifying the identity information by using the verification identity information;
and under the condition that the verification is passed, determining that the edge node has the access right of the center node.
According to the embodiment of the invention, when the encryption mode for encrypting the identity information is determined, the decryption mode corresponding to the encryption mode can be determined at the same time. For example, decrypting the encrypted identity information may be accomplished by a key. When the identity information is encrypted, if a symmetric encryption algorithm is adopted, a corresponding key can be generated, and the symmetric encryption algorithm uses the same key to carry out encryption and decryption operation, so that the central gateway can decrypt by using the key used in encryption. When encrypting the identity information, if an asymmetric encryption algorithm is adopted, a pair of keys, namely a public key and a private key, needs to be generated when encrypting the identity information, wherein the public key is used for encrypting data, and the private key is used for decrypting the data.
According to the embodiment of the invention, after the encrypted identity information is decrypted, the original identity information can be obtained.
According to the embodiment of the invention, after the edge gateway is successfully registered with the central gateway, the central gateway stores a copy of that edge gateway's identity information as verification identity information.
According to the embodiment of the invention, verifying the identity information with the verification identity information means comparing the two: if the verification identity information is consistent with the identity information, the verification passes; otherwise it fails.
According to the embodiment of the invention, after the edge gateway receives the access request sent by the edge application deployed in the edge node, the access request is forwarded to the central gateway by the edge gateway, and the access request also carries the application information of the edge application.
Fig. 2 schematically illustrates a schematic diagram of an access method provided by an embodiment of the present invention.
As shown in fig. 2, 201 may represent a center node, 2011 may represent a center gateway deployed on the center node, 202 may represent an edge node, and 2021 may represent an edge gateway deployed on the edge node.
According to embodiments of the present invention, an edge application may also run in edge node 202, bringing computing resources and services closer to end users and devices and thereby reducing latency.
According to an embodiment of the present invention, a cloud service may run in the central node 201 and provide resources such as storage and data for running the edge application. For example, data may be collected by an edge application and then transmitted to the cloud service running in the central node for computation or storage; as another example, an edge application may obtain data from the cloud service running in central node 201 and provide services to users based on that data.
According to an embodiment of the present invention, the target access interface provided by the central node 201 may be an interface for the edge node to access the cloud service.
According to an embodiment of the invention, the access request may be generated in case the edge application requests access to the target access interface.
According to the embodiment of the invention, when the edge application needs to access the target access interface, the edge application can firstly send the access request to the edge gateway, then the edge gateway sends the access request to the central gateway, and the central gateway performs authority verification.
According to an embodiment of the present invention, determining whether an edge node has an access right of a target access interface based on an access request may be specifically implemented as:
acquiring an access white list, wherein the access white list stores target application information of at least one target application allowed to access the target access interface;
judging whether the application information matches at least one piece of target application information;
and determining that the edge node has the access right of the target access interface under the condition that the application information is matched with at least one target application information.
Fig. 3 schematically illustrates a schematic diagram of configuring identity information for an edge gateway by a central gateway in an embodiment of the present invention.
As shown in fig. 3, during the initialization phase, a registration request may be sent by the edge gateway to the center gateway.
After receiving the registration request, the central gateway can perform security verification on the edge gateway, register the edge gateway to the central gateway after the verification is passed, and generate identity information uniquely corresponding to the edge gateway.
After the identity information of the edge gateway is generated, the identity information may be sent to the edge gateway.
Furthermore, the edge gateway can apply for permission on behalf of the edge application running on the edge node, so that the edge application obtains access permission for the target access interface provided by the central node. Specifically, the edge gateway may send a permission application request carrying the application information of the edge application to the central gateway; after receiving the permission application request, the central gateway may add the application information of the edge application to the white list, and once the application information has been added to the white list, the edge application has access permission for the target access interface.
According to the embodiment of the invention, based on the above, after the central gateway receives the access request, the application information carried in the access request can be matched against the target application information stored in the white list; if the white list records target application information identical to the application information, this indicates that the edge application is a trusted application and has the access right of the target access interface.
According to the embodiment of the invention, when an edge application needs to access the target access interface, it generally has to acquire information such as the address, port and protocol of the target access interface, construct a request message using that information, and send the request message to the target access interface to realize the access.
In the process of implementing the inventive concept, the inventor found that in the above access method, information such as the address, port and protocol of the target access interface needs to be exposed to the edge node or the edge application in order to implement their access to the target access interface; however, exposing the address, port and protocol increases the risk that the target access interface is subjected to network attack.
According to an embodiment of the present invention, forwarding an access request to a target access interface may be specifically implemented as:
acquiring an interface identifier of a target access interface carried in an access request;
searching an access address of a target access interface based on the interface identification;
the access request is forwarded to the target access interface based on the access address.
According to the embodiment of the invention, when the edge application wants to access the target access interface, the interface identifier of the target access interface which requests access can be written into the access request, and then the access request is sent to the edge gateway.
According to an embodiment of the invention, the edge gateway may forward the access request to the center gateway after receiving the access request.
According to the embodiment of the invention, the interface identification of the access interface and the corresponding relation of the access information, such as the access address, the port and the protocol, can be maintained in the central gateway, so that after the central gateway receives the access request, the access information of the target access interface can be searched based on the interface identification, and then the access request is forwarded to the target access interface based on the searched information of the address, the port, the protocol and the like.
In the embodiment of the invention, the central gateway and the edge gateway are respectively deployed at the central node and the edge node, so that exposure of access information such as addresses, ports, protocols and the like of the central node can be avoided, the port details of the edge node and the central node are shielded, and the attack surface is reduced.
According to the embodiment of the invention, after receiving the access request and before forwarding it to the central gateway, the edge gateway can first perform a preliminary verification of the access request, for example checking whether the access request carries the interface identifier of the target access interface and the application information of the edge application, and forwarding the access request only when it carries both the interface identifier of the target access interface and the application information of the edge application.
According to an embodiment of the present invention, the access method further includes:
in response to a permission configuration instruction, releasing the access permission of the edge gateway carrying the identity information to the central node, so that the central gateway refuses the access of that edge gateway to the central node.
According to the embodiment of the invention, when the edge node is detected to have suffered hacking or the like, that is, when the edge node is at risk, the access permission of the edge gateway to the central node can be revoked through the permission configuration of the edge gateway, preventing the central node from being accessed by the edge node at risk and improving the security of the central node.
According to the embodiment of the invention, the edge gateway is deployed at the edge node, so that the edge gateway can trace and audit the access traffic of the edge node in an online and offline log mode.
Fig. 4 is a schematic diagram of an access method provided by an embodiment of the present invention.
As shown in fig. 4, edge applications and edge gateways may be deployed at edge nodes, and a central gateway and target access interface may be deployed at a central node.
When the edge application needs to access the target access interface, it first accesses the edge gateway with a request carrying the identification information of the target access interface; the edge gateway checks the access request of the edge application for the target access interface, and after the verification passes, encrypts the access request and sends the encrypted access request to the central gateway.
After the central gateway receives the access request, it checks the access request to verify whether the edge application has the access right of the target access interface. Once it is determined that the edge application has the access right of the target access interface, the access request is decrypted to obtain the identification information of the target access interface; the central gateway then searches for the access address of the target access interface based on the identification information and forwards the access request to the target access interface based on the access address.
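The registration, permission application, access and revocation steps described for Figs. 3 and 4 above, as an added illustration in Python that is not the patent's own code. It assumes a key shared by both gateways, uses an HMAC-SHA256 keystream plus tag as a labelled stand-in for the unspecified "preset encryption mode" (a real deployment would use an authenticated cipher such as AES-GCM), and treats the application name as the application information; all gateway names, addresses and ports are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SHARED_KEY = b"constructed-demo-key-not-for-production"  # constructed; shared by both gateways
NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as a stand-in keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_identity(key: bytes, identity: str) -> bytes:
    """Stand-in for the 'preset encryption mode': nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = identity.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_identity(key: bytes, blob: bytes) -> Optional[str]:
    """Matching 'preset decryption mode'; returns None when the tag does not verify."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode()

class CentralGateway:
    """Deployed at the central node; the only party that knows interface addresses."""
    def __init__(self, key: bytes, interfaces: Dict[str, Tuple[str, int, str]]):
        self.key = key
        self.interfaces = interfaces          # interface identifier -> (address, port, protocol)
        self.identities: Dict[str, str] = {}  # edge gateway name -> pre-stored verification identity
        self.whitelist = set()                # application information allowed on the interfaces
    def register(self, gateway_name: str) -> str:
        # Initialization phase (Fig. 3): issue identity information unique to this edge gateway.
        identity = secrets.token_hex(16)
        self.identities[gateway_name] = identity
        return identity
    def _verify_identity(self, blob: bytes) -> bool:
        identity = decrypt_identity(self.key, blob)
        return identity is not None and identity in self.identities.values()
    def apply_permission(self, encrypted_identity: bytes, app_info: str) -> bool:
        # Permission application: only a registered edge gateway may extend the white list.
        if not self._verify_identity(encrypted_identity):
            return False
        self.whitelist.add(app_info)
        return True
    def revoke(self, gateway_name: str) -> None:
        # Permission configuration instruction: release this edge gateway's access to the central node.
        self.identities.pop(gateway_name, None)
    def handle(self, request: dict) -> tuple:
        # Step 1: permission for the central node, from the encrypted identity information.
        if not self._verify_identity(request["encrypted_identity"]):
            return ("denied", "edge gateway identity not verified")
        # Step 2: permission for the target access interface, from the white list.
        if request["app_info"] not in self.whitelist:
            return ("denied", "application not in access white list")
        # Step 3: resolve the interface identifier; address, port and protocol stay inside the central node.
        target = self.interfaces.get(request["interface_id"])
        if target is None:
            return ("denied", "unknown interface identifier")
        return ("forwarded",) + target

class EdgeGateway:
    """Deployed at the edge node; preliminary checks, identity encryption and an audit log."""
    def __init__(self, name: str, key: bytes, central: CentralGateway):
        self.name, self.key, self.central = name, key, central
        self.identity = central.register(name)
        self.audit_log = []
    def forward(self, request: dict) -> tuple:
        # Preliminary verification: the request must carry application info and an interface identifier.
        if not request.get("app_info") or not request.get("interface_id"):
            return ("rejected", "missing application info or interface identifier")
        self.audit_log.append((request["app_info"], request["interface_id"]))  # traceable access traffic
        outbound = dict(request, encrypted_identity=encrypt_identity(self.key, self.identity))
        return self.central.handle(outbound)

def run_scenario() -> dict:
    """Constructed end-to-end walk-through of the Fig. 4 flow, including the failure cases."""
    central = CentralGateway(SHARED_KEY, {"storage-api": ("10.0.0.5", 443, "https")})
    edge = EdgeGateway("edge-gw-1", SHARED_KEY, central)
    req = {"app_info": "sensor-collector", "interface_id": "storage-api"}
    results = {"before_whitelist": edge.forward(req)}
    central.apply_permission(encrypt_identity(SHARED_KEY, edge.identity), "sensor-collector")
    results["granted"] = edge.forward(req)
    results["missing_id"] = edge.forward({"app_info": "sensor-collector"})
    results["bad_tag"] = central.handle(dict(req, encrypted_identity=b"\x00" * 60))
    central.revoke("edge-gw-1")
    results["after_revoke"] = edge.forward(req)
    return results
```

The interface address, port and protocol exist only in the central gateway's table, so the edge side carries nothing but the interface identifier, which is the exposure reduction the description relies on.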
According to the embodiment of the present invention, the above embodiment is the security access control performed by the central gateway and the edge gateway when the edge application running in the edge node accesses the target access interface, and it can be understood that, when the target access interface requests to access the edge application, the security access control may also be performed by the central gateway and the edge gateway, which is not described herein again.
The invention also provides an access method, which is applied to the edge gateway, wherein the edge gateway is deployed at the edge node, and the method can be realized as follows:
sending an access request for a target access interface to a central gateway deployed at a central node so that the central gateway determines whether an edge node has access rights for the target access interface; in case the edge node has access rights to the target access interface, the access request is forwarded to the target access interface.
According to an embodiment of the present invention, the access method further includes:
receiving an access request sent by an edge application deployed in an edge node;
sending an access request for a target access interface to a central gateway deployed at a central node includes:
and forwarding the received access request to the central gateway.
According to an embodiment of the present invention, forwarding the received access request to the central gateway may be specifically implemented as:
encrypting the identity information of the edge gateway according to a preset encryption mode to obtain encrypted identity information;
and forwarding the access request carrying the encrypted identity information to the central gateway, so that the central gateway determines whether the edge node has access rights to the central node based on the encrypted identity information.
According to an embodiment of the present invention, forwarding the received access request to the central gateway may be specifically implemented as:
analyzing the access request, and determining whether the access request carries the identity information of the edge application and the interface identifier of the target access interface;
and forwarding the access request to the central gateway under the condition that the access request carries the identity information of the edge application and the interface identification of the target access interface.
The invention also provides an access method, which is applied to the edge application, the edge application is deployed on the edge node, the edge node is also deployed with the edge gateway, and the access method can be realized as follows:
sending an access request for a target access interface deployed on the central node to the edge gateway, so that the edge gateway forwards the access request to the central gateway, and the central gateway determines whether the edge node has access rights for the target access interface; in case the edge node has access rights to the target access interface, the access request is forwarded to the target access interface.
The invention also provides an access method, which is applied to the target access interface, wherein the target access interface is deployed on a central node, and a central gateway is deployed on the central node, and the access method can be realized as follows:
receiving an access request sent by the central gateway, wherein the central gateway, after receiving the access request sent by the edge gateway deployed on the edge node, determines whether the edge node has the access right of the target access interface and sends the access request to the target access interface when the edge node is determined to have the access right of the target access interface.
Fig. 5 schematically illustrates a block diagram of an access device 500 according to an embodiment of the present invention, where the access device 500 is applied to a central gateway, and the central gateway is disposed in a central node, and the access device 500 may include:
a first request receiving module 501, configured to receive an access request for requesting access to a target access interface, where the target access interface is disposed at a central node, and the access request is sent by an edge gateway disposed at an edge node;
a permission determining module 502, configured to determine whether the edge node has an access permission of the target access interface;
a request forwarding module 503, configured to forward the access request to the target access interface if the edge node has access rights of the target access interface.
According to an embodiment of the invention, the rights determination module 502 comprises:
the first permission determination submodule is used for determining whether the edge node has the access permission of the central node based on the encrypted identity information carried in the access request;
and the second permission determination submodule is used for determining, once it is determined that the edge node has the access permission of the central node, whether the edge node has the access permission of the target access interface based on the access request.
According to an embodiment of the invention, the encrypted identity information is generated by encrypting the identity information of the edge gateway based on a preset encryption scheme.
According to an embodiment of the present invention, the first authority determination submodule includes:
the decryption unit is used for decrypting the encrypted identity information according to a preset decryption mode corresponding to the preset encryption mode to obtain the identity information;
the verification information acquisition unit is used for acquiring prestored verification identity information;
the identity verification unit is used for verifying the identity information by utilizing the verification identity information;
and the first authority confirming unit is used for determining that the edge node has the access authority of the center node under the condition that verification is passed.
According to the embodiment of the invention, the access request is forwarded to the central gateway after the access request sent by the edge application deployed in the edge node is received by the edge gateway, and the access request also carries application information of the edge application.
According to an embodiment of the invention, the second rights determination submodule includes:
the white list acquisition unit is used for acquiring an access white list, and the access white list stores target application information of at least one target application which is allowed to access the target access node;
the information matching unit is used for judging whether the application information is matched with at least one target application information;
and the second permission confirming unit is used for determining that the edge node has the access permission of the target access interface under the condition that the application information is matched with at least one piece of target application information.
According to an embodiment of the present invention, the request forwarding module 503 includes:
the identification acquisition unit is used for acquiring an interface identification of a target access interface carried in the access request;
the address searching unit is used for searching the access address of the target access interface based on the interface identification;
and the forwarding unit is used for forwarding the access request to the target access interface based on the access address.
According to an embodiment of the present invention, the access device 500 further includes:
and the permission releasing module is used for responding to the permission configuration instruction and releasing the access permission of the edge gateway carrying the identity information to the central node, so that the central gateway refuses the access of that edge gateway to the central node.
The access device of fig. 5 may perform the access method of the embodiment shown in fig. 1, and its implementation principle and technical effects are not repeated. The specific manner in which the individual modules, units, and operations of the access device in the above embodiments are performed has been described in detail in connection with the embodiments of the method, and will not be described in detail here.
Another embodiment of the present invention further provides an access device, where the access device may be applied to an edge gateway, and the edge gateway is disposed at an edge node, and the access device includes:
the first request sending module is used for sending an access request aiming at the target access interface to a central gateway deployed at the central node so that the central gateway can determine whether the edge node has the access right of the target access interface or not; in case the edge node has access rights to the target access interface, the access request is forwarded to the target access interface.
According to an embodiment of the present invention, the access device further includes:
a third request receiving module, configured to receive an access request sent by an edge application deployed in an edge node;
according to an embodiment of the present invention, the first request transmitting module includes:
and the first request sending submodule is used for forwarding the received access request to the central gateway.
According to an embodiment of the present invention, the first request-sending submodule includes:
the encryption unit is used for encrypting the identity information of the edge gateway according to a preset encryption mode to obtain encrypted identity information;
and the first forwarding unit is used for forwarding the access request carrying the encrypted identity information to the central gateway, so that the central gateway can determine whether the edge node has access rights to the central node based on the encrypted identity information.
According to an embodiment of the present invention, the first request-sending submodule includes:
the analyzing unit is used for analyzing the access request and determining whether the access request carries the identity information of the edge application and the interface identifier of the target access interface;
and the second forwarding unit is used for forwarding the access request to the central gateway under the condition that the access request carries the identity information of the edge application and the interface identifier of the target access interface.
The present invention also provides an access device, which can be applied to an edge application, the edge application is deployed on an edge node, and an edge gateway is deployed on the edge node, and the access device includes:
the second request sending module is used for sending an access request aiming at a target access interface deployed on the central node to the edge gateway so that the edge gateway forwards the access request to the central gateway, and the central gateway determines whether the edge node has the access right of the target access interface or not; in case the edge node has access rights to the target access interface, the access request is forwarded to the target access interface.
The present invention also provides an access device, which can be applied to a target access interface, wherein the target access interface is deployed at a central node, and a central gateway is deployed on the central node, and the access device includes:
the second request receiving module is used for receiving an access request sent by the central gateway, wherein the central gateway determines whether the edge node has the access right of the target access interface after receiving the access request sent by the edge gateway deployed on the edge node, and sends the access request to the target access node in the case that the edge node has the access right of the target access interface.
In one possible design, the access apparatus provided by the embodiments of the present invention may be implemented as a computing device, which may include a storage component 601 and a processing component 602, as shown in fig. 6.
The storage component 601 stores one or more computer instructions, which are invoked by the processing component 602 for execution to implement an access method provided by an embodiment of the present invention.
Of course, the computing device may also include other components, such as input/output interfaces, communication components, and the like. The input/output interface provides an interface between the processing component and a peripheral interface module, which may be an output device, an input device, etc. The communication component is configured to facilitate wired or wireless communication between the computing device and other devices.
The computing device may be a physical device or an elastic computing host provided by the cloud computing platform, and at this time, the computing device may be a cloud server, and the processing component, the storage component, and the like may be a base server resource rented or purchased from the cloud computing platform.
When the computing device is a physical device, the computing device may be implemented as a distributed cluster formed by a plurality of servers or terminal devices, or may be implemented as a single server or a single terminal device.
The embodiment of the invention also provides a computer readable storage medium which stores a computer program, and the computer program can realize the access method provided by the embodiment of the invention when being executed by a computer.
The embodiment of the invention also provides a computer program product, which comprises a computer program, wherein the computer program can realize the access method provided by the embodiment of the invention when being executed by a computer.
The processing components of the respective embodiments above may include one or more processors to execute computer instructions to perform all or part of the steps of the methods described above. Of course, the processing component may also be implemented as one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic elements for executing the methods described above.
The storage component is configured to store various types of data to support operation in the device. The memory component may be implemented by any type or combination of volatile or nonvolatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
The apparatus embodiments described above are merely illustrative: the elements illustrated as separate elements may or may not be physically separate, and the elements shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1. An access method, applied to a central gateway, the central gateway being deployed at a central node, the method comprising:
receiving an access request for requesting access to a target access interface, wherein the target access interface is deployed at the central node, and the access request is sent by an edge gateway deployed at an edge node;
determining whether the edge node has access rights of the target access interface;
and forwarding the access request to the target access interface under the condition that the edge node has the access right of the target access interface.
2. The method of claim 1, wherein the determining whether the edge node has access to the target access interface comprises:
determining whether the edge node has the access right of the center node or not based on the encrypted identity information carried in the access request;
in the case that the edge node is determined to have access to the central node, determining whether the edge node has access to the target access interface based on the access request.
3. The method according to claim 2, wherein the encrypted identity information is generated by encrypting the identity information of the edge gateway based on a preset encryption scheme;
the determining whether the edge node has the access right of the central node based on the authentication information carried in the access request comprises the following steps:
decrypting the encrypted identity information according to a preset decryption mode corresponding to the preset encryption mode to obtain the identity information;
acquiring pre-stored verification identity information;
verifying the identity information by utilizing the verification identity information;
and under the condition that verification is passed, determining that the edge node has the access right of the central node.
4. A method according to claim 3, wherein the access request is forwarded by the edge gateway to the central gateway after the edge gateway receives an access request sent by an edge application deployed in the edge node, the access request further carrying application information of the edge application;
the determining whether the edge node has access rights to the target access interface based on the access request includes:
acquiring an access white list, wherein target application information of at least one target application allowed to access the target access node is stored in the access white list;
judging whether the application information is matched with at least one piece of target application information;
and under the condition that the application information is matched with at least one piece of target application information, determining that the edge node has the access right of the target access interface.
5. The method of claim 1, wherein forwarding the access request to the target access interface comprises:
acquiring an interface identifier of the target access interface carried in the access request;
searching an access address of the target access interface based on the interface identifier;
forwarding the access request to the target access interface based on the access address.
6. A method according to claim 3, characterized in that the method further comprises:
and responding to an authority configuration instruction, and releasing the access authority of the edge gateway carrying the identity information to the center node so that the center gateway refuses the access of the edge gateway to the center node.
7. An access method, applied to an edge gateway, where the edge gateway is deployed at an edge node, the method comprising:
sending an access request for a target access interface to a central gateway deployed at a central node, so that the central gateway determines whether the edge node has access rights of the target access interface; and forwarding the access request to the target access interface under the condition that the edge node has the access right of the target access interface.
8. The method of claim 7, wherein the method further comprises:
receiving the access request sent by the edge application deployed in the edge node;
the sending the access request for the target access interface to the central gateway deployed at the central node includes:
and forwarding the received access request to the central gateway.
9. The method of claim 8, wherein forwarding the received access request to the central gateway comprises:
encrypting the identity information of the edge gateway according to a preset encryption mode to obtain encrypted identity information;
and forwarding the access request carrying the encrypted identity information to the central gateway so that the central gateway can determine whether the edge node has access rights to the central node based on the encrypted identity.
10. The method of claim 8, wherein forwarding the received access request to the central gateway comprises:
analyzing the access request, and determining whether the access request carries the identity information of the edge application and the interface identifier of the target access interface;
and forwarding the access request to the central gateway under the condition that the access request carries the identity information of the edge application and the interface identification of the target access interface.
11. An access method, applied to an edge application, the edge application deployed on an edge node, the edge node further deployed with an edge gateway, the method comprising:
sending an access request for a target access interface deployed on a central node to the edge gateway, so that the edge gateway forwards the access request to the central gateway, and the central gateway determines whether the edge node has access authority of the target access interface; and forwarding the access request to the target access interface under the condition that the edge node has the access right of the target access interface.
12. An access method, applied to a target access interface, where the target access interface is deployed on a central node, and a central gateway is further deployed on the central node, the method includes:
receiving the access request sent by the central gateway, wherein the central gateway, after receiving the access request sent by the edge gateway deployed on the edge node, determines whether the edge node has the access right of the target access interface and sends the access request to the target access interface under the condition that the edge node is determined to have the access right of the target access interface.
13. A computing device comprising a processing component and a storage component;
the storage component stores one or more computer instructions; the one or more computer instructions are to be invoked by the processing component to perform the access method of any one of claims 1 to 6, or the access method of any one of claims 7 to 10, or the access method of claim 11, or the access method of claim 12.
14. A computer storage medium, characterized in that a computer program is stored, which, when being executed by a computer, implements the access method of any one of claims 1 to 6, or implements the access method of any one of claims 7 to 10, or implements the access method of claim 11, or implements the access method of claim 12.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310707920.6A CN116760595A (en) 2023-06-14 2023-06-14 Access method, computing device and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310707920.6A CN116760595A (en) 2023-06-14 2023-06-14 Access method, computing device and computer storage medium

Publications (1)

Publication Number Publication Date
CN116760595A true CN116760595A (en) 2023-09-15

Family

ID=87952710

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310707920.6A Pending CN116760595A (en) 2023-06-14 2023-06-14 Access method, computing device and computer storage medium

Country Status (1)

Country Link
CN (1) CN116760595A (en)

Similar Documents

Publication Publication Date Title
US11949656B2 (en) Network traffic inspection
US10958662B1 (en) Access proxy platform
US9621355B1 (en) Securely authorizing client applications on devices to hosted services
CN112422532B (en) Service communication method, system and device and electronic equipment
US9237021B2 (en) Certificate grant list at network device
US20200186358A1 (en) Persistent network device authentication
US11457040B1 (en) Reverse TCP/IP stack
RU2676896C2 (en) Method and system related to authentication of users for accessing data networks
CN104054321A (en) Security management for cloud services
US9325697B2 (en) Provisioning and managing certificates for accessing secure services in network
US10516653B2 (en) Public key pinning for private networks
CN112231692A (en) Security authentication method, device, equipment and storage medium
CN107040501B (en) Authentication method and device based on platform as a service
CN115277168A (en) Method, device and system for accessing server
Brock et al. Toward a framework for cloud security
US20170295142A1 (en) Three-Tiered Security and Computational Architecture
CN116633562A (en) Network zero trust security interaction method and system based on WireGuard
WO2018145742A1 (en) Private key updating
US11177958B2 (en) Protection of authentication tokens
CN114338091B (en) Data transmission method, device, electronic equipment and storage medium
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
CN116760595A (en) Access method, computing device and computer storage medium
CN114189370A (en) Access method and device
CN112242976B (en) Identity authentication method and device
US11171786B1 (en) Chained trusted platform modules (TPMs) as a secure bus for pre-placement of device capabilities

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Wang Tao
Inventor after: Zhang Zhenhua
Inventor after: Wang Zhongjie
Inventor after: Wu Xudong
Inventor after: Wang Xiwei
Inventor before: Si Yun
Inventor before: Zhang Zhenhua
Inventor before: Wang Zhongjie
Inventor before: Wu Xudong
Inventor before: Wang Xiwei