CN117014226B - Service request authentication method, device, equipment, system and storage medium - Google Patents
- Publication number: CN117014226B (application CN202311229830.7A)
- Authority: CN (China)
- Prior art keywords: service request, authentication, service, target service, field value
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/08: Network architectures or protocols for network security, authentication of entities
- H04L63/0807: Authentication of entities using tickets, e.g. Kerberos
- H04L63/0281: Separating internal from external traffic (e.g. firewalls), proxies
- H04L63/10: Controlling access to devices or network resources
- H04L9/40: Cryptographic mechanisms or arrangements, network security protocols
- H04L2209/76: Proxy, i.e. using an intermediary entity to perform cryptographic operations (indexing scheme for H04L9/00)
- G06F21/604: Protecting data, tools and structures for managing or administering access control systems
- G06F21/6218: Protecting access to data via a platform (e.g. using keys or access control rules) to a system of files or objects, e.g. a local or distributed file system or database
- G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme for G06F21/00)
Abstract
The invention provides a service request authentication method, a device, equipment, a system and a storage medium, relating to the technical field of computers. The method comprises the following steps: acquiring a target service request received by a data service interface, wherein the target service request comes from external service equipment and/or an internal service node; analyzing the target service request to obtain the field value of a preset identity authentication field in the target service request; determining, based on the field value, whether to authenticate the target service request; and, when it is determined that the target service request is to be authenticated, invoking an authentication service to authenticate it. The technical scheme provided by the invention satisfies the authentication requirements of both internal and external services with a single service, thereby saving the resources of the Kubernetes cluster and reducing cost.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a service request authentication method, apparatus, device, system, and storage medium.
Background
Kubernetes (K8s for short) is a portable, extensible, open-source platform for managing containerized workloads and services that facilitates declarative configuration and automation. Kubernetes has a large and rapidly growing ecosystem, providing mechanisms for application deployment, scheduling, updating and maintenance, together with a wide range of services, support and tools.
The business services deployed on a Kubernetes cluster include data services, a class of services that perform processing operations on data. A data service does not require authentication for services inside the Kubernetes cluster, but it does require authentication for external services. In the related art, an authentication service must therefore be developed to authenticate external service requests, together with a separate service without authentication to process internal service requests. When the Kubernetes cluster hosts multiple data services, each data service has to maintain and deploy two service programs, one for internal requests and one for authenticated external requests, which wastes resources and increases cost.
Disclosure of Invention
The invention provides a service request authentication method, a device, equipment, a system and a storage medium, which are used for solving the problems of resource waste and cost increase caused in the prior art by the need to maintain and deploy, for each data service of a Kubernetes cluster, two separate service programs for the authentication requirements of internal services and external services respectively.
The invention provides a service request authentication method, which comprises the following steps:
acquiring a target service request received by a data service interface; the data service interface is used for receiving a service request sent by an internal service node and a service request obtained by forced authentication conversion of a service request sent by external service equipment;
analyzing the target service request to obtain a field value of a preset identity authentication field in the target service request;
determining whether to authenticate the target service request based on the field value; and
under the condition that the target service request is determined to be authenticated, invoking an authentication service to authenticate the target service request.
According to the service request authentication method provided by the invention, the determining whether to authenticate the target service request based on the field value comprises the following steps:
under the condition that the field value is a forced authentication field value, determining to authenticate the target service request;
and if the field value is an optional authentication field value, determining whether authority information exists in the target service request, and if the authority information exists in the target service request, determining to authenticate the target service request.
According to the service request authentication method provided by the invention, the target service request is a service request after forced authentication conversion of the service request sent by the external service equipment; the obtaining the target service request received by the data service interface includes:
acquiring the target service request received by the data service interface from a proxy service node;
the proxy service node is configured to add the preset identity authentication field to a service request received from the external service device and to assign the field value of the added preset identity authentication field to the forced authentication field value, so as to generate the target service request.
The service request authentication method provided by the invention further comprises the following steps:
and responding to the request operation of the target service request under the condition that the authority information does not exist in the target service request.
According to the service request authentication method provided by the invention, when the target service request is a service request sent by the internal service node, the internal service node first determines the field value of the preset identity authentication field based on the attribute information of the target service to be accessed, and then generates the target service request from the target service and that field value; the attribute information includes at least one of business service class information, business service type information, and business service identification information.
The invention also provides a service request authentication system, which comprises a Kubernetes cluster and external service equipment; the Kubernetes cluster comprises an internal service node and at least one data service node;
the data service node is used for acquiring a target service request received by a data service interface thereof, analyzing the target service request to obtain a field value of a preset identity authentication field in the target service request, and determining whether to authenticate the target service request or not based on the field value; under the condition that the target service request is determined to be authenticated, invoking an authentication service to authenticate the target service request;
the data service interface is used for receiving a service request sent by the internal service node and a service request after forced authentication conversion of the service request sent by the external service device.
According to the service request authentication system provided by the invention, the Kubernetes cluster further comprises a proxy service node;
the proxy service node is configured to add the preset identity authentication field to a service request received from the external service device, and assign a field value of the added preset identity authentication field to be a forced authentication field value, so as to generate the target service request.
The invention also provides a service request authentication device, which comprises:
the request acquisition module is used for acquiring a target service request received by the data service interface; the data service interface is used for receiving a service request sent by an internal service node and a service request after forced authentication conversion of the service request sent by external service equipment;
the field analysis module is used for analyzing the target service request to obtain a field value of a preset identity authentication field in the target service request;
an authentication determining module, configured to determine whether to authenticate the target service request based on the field value;
and the authentication module is used for calling an authentication service to authenticate the target service request under the condition that the target service request is determined to be authenticated.
The invention also provides service request authentication equipment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the service request authentication method according to any one of the above when executing the computer program.
The invention also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor implements a service request authentication method as described in any of the above.
The invention also provides a computer program product comprising a computer program which when executed by a processor implements a service request authentication method as described in any one of the above.
The service request authentication method, device, system and storage medium provided by the invention analyze the target service request received by the data service interface to obtain the field value of the preset identity authentication field, determine based on that field value whether to authenticate the target service request, and invoke the authentication service to authenticate it when authentication is determined to be required. Because the data service interface receives both the service requests sent by the internal service node and the service requests sent by the external service device after forced authentication conversion, the authentication requirements of external and internal services are both met through a single data service interface: whether a request comes from an external or an internal service, the field value of the preset identity authentication field decides whether authentication is needed, and the authentication service is invoked only when it is. The authentication requirements of internal and external services are thus handled by a single service, which saves the resources of the Kubernetes cluster and reduces cost.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a service request authentication method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a service request authentication system according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a service request authentication device according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a service request authentication device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that, in the present invention, the numbers of the described objects, such as "first", "second", etc., are only used to distinguish the described objects, and do not have any sequence or technical meaning.
The business services deployed on the Kubernetes cluster include data services, a class of services that perform processing operations on data. A data service does not require authentication for services inside the Kubernetes cluster, but it does for services outside the cluster. In the related art, an authentication service is developed to authenticate external service requests and a separate service without authentication is developed to process internal service requests; that is, external requests and internal requests are processed by different services. With multiple data services, each data service must maintain and deploy two service programs for the internal and external authentication requirements respectively, which wastes resources and increases cost. Moreover, because two services implementing the two authentication requirements are deployed for each data service, the two must be upgraded and maintained in lockstep, which is difficult to achieve completely in practice. In addition, with two services in place, accessing the wrong one produces an outcome that is hard to predict and poses a security risk.
Based on this, the embodiment of the invention provides a service request authentication method that satisfies the authentication requirements of both external and internal services with a single service. Specifically, the same data service interface receives both the service requests sent by an internal service node and the service requests sent by external service equipment after forced authentication conversion. The field value of a preset identity authentication field in the target service request received by the data service interface is then parsed, whether to authenticate the target service request is decided from that field value, and the authentication service is invoked only when authentication is needed. The two authentication requirements are therefore covered by a single service, no second service has to be developed for each data service, the resources of the Kubernetes cluster are saved, and cost is reduced.
The service request authentication method of the present invention is described below with reference to fig. 1. The service request authentication method can be applied to the Kubernetes cluster, for example, can be applied to a data service node in the Kubernetes cluster, service request authentication equipment or service request authentication device which are independently arranged in the Kubernetes cluster.
Fig. 1 schematically illustrates a flow chart of a service request authentication method according to an embodiment of the present invention, and referring to fig. 1, the service request authentication method may include the following steps 110 to 140.
Step 110: acquiring a target service request received by the data service interface.
The data service interface is used for receiving a service request sent by the internal service node and a service request after forced authentication conversion of the service request sent by the external service device.
For each data service node in the Kubernetes cluster, the data service node can receive a service request sent by an internal service node in the Kubernetes cluster through its own data service interface, and can also receive a service request after forced authentication conversion of the service request sent by an external service device through its own data service interface. The data service node is deployed with a data service, i.e. a service for processing data, and the data service node can be a data server or a resource module for executing data processing in a Kubernetes cluster.
For example, a service request sent by an external service device may be forcibly converted into a to-be-authenticated format before being sent to the data service interface. The to-be-authenticated format may consist of adding a preset identity authentication field to the service request sent by the external service device and setting the field value of the added preset identity authentication field to a preset forced authentication field value.
Step 120: analyzing the target service request to obtain a field value of a preset identity authentication field in the target service request.
After receiving the target service request through the data service interface, the data service node can analyze the target service request to obtain a field value of a preset identity authentication field in the target service request. The field value may be identification information, and may include at least one of a number, a letter, and the like, for example.
For example, the preset identity authentication field may be located at any field position of the target service request. The target service request may be a request message in Hypertext Transfer Protocol (HTTP) format, in which case the preset identity authentication field may be in the request header portion or in the entity (body) portion. As another example, the target service request may be a request message in a Remote Procedure Call (RPC) protocol format, in which case the preset identity authentication field may be at any sequence position of the target service request.
Step 130: it is determined whether to authenticate the target service request based on the field value.
The field value of the preset identity authentication field in the target service request can be used for identifying whether authentication is performed, that is, the field value is identification information of whether authentication is performed. After obtaining the field value of the preset identity authentication field in the target service request, whether to authenticate the target service request can be judged according to the field value.
For example, the field values of the preset identity authentication field may include a mandatory authentication field value for indicating that the target service request is to be forcibly authenticated and a non-authentication field value for indicating that the target service request is not to be authenticated.
Alternatively, the field values of the preset identity authentication field may include a mandatory authentication field value and an optional authentication field value. The mandatory authentication field value indicates that the target service request is subject to mandatory authentication; the optional authentication field value marks authentication as optional, so that whether to authenticate is decided in combination with other preset information in the request, for example according to whether rights information is present in the request. Accordingly, the optional authentication field value indicates that rights information detection is to be performed on the target service request. The rights information is, for example, token information.
Step 140: under the condition that the target service request is determined to be authenticated, invoking an authentication service to authenticate the target service request.
If the target service request is determined to require authentication, an authentication service is invoked to perform authority verification on the target service request; if verification passes, the request operation of the target service request is responded to, and if verification fails, access to the service requested by the target service request is denied. If the target service request does not need to be authenticated, its request operation can be responded to directly.
The authentication service may provide a preset authentication mechanism to implement authority verification. It should be noted that, the embodiment of the present invention does not limit a specific authentication mechanism, that is, a permission checking mechanism when authentication is required.
According to the service request authentication method provided by the embodiment of the invention, the target service request received by the data service interface is parsed to obtain the field value of the preset identity authentication field, whether to authenticate the target service request is decided from that field value, and the authentication service is invoked to authenticate the target service request when authentication is required. Because the data service interface receives both the service requests sent by the internal service node and the service requests sent by the external service device after forced authentication conversion, the authentication requirements of external and internal services are both met through a single data service interface: whether a request comes from an external or an internal service, the field value of the preset identity authentication field decides whether authentication is needed, and the authentication service is invoked only when it is. The authentication requirements of internal and external services are thus handled by a single service, which saves the resources of the Kubernetes cluster and reduces cost. In addition, because a single service covers both requirements, the system is simple to upgrade, maintain and manage; compared with deploying separate service flows for external and internal authentication, it avoids the problem of accessing the wrong service flow and reduces the security risk.
Based on the service request authentication method of the corresponding embodiment of fig. 1, in an example embodiment, the field values may include a mandatory authentication field value and an optional authentication field value, and accordingly, determining whether to authenticate the target service request based on the field values may include: under the condition that a field value of a preset identity authentication field in the target service request is a forced authentication field value, determining to authenticate the target service request; and under the condition that the field value of the preset identity authentication field in the target service request is an optional authentication field value, determining whether authority information exists in the target service request, and under the condition that the authority information exists in the target service request, determining to authenticate the target service request.
Further, the service request authentication method further comprises the following steps: and responding to the request operation of the target service request under the condition that the authority information does not exist in the target service request.
For example, suppose the preset identity authentication field is placed in the request header and is named "x-authentication-policy". After the target service request is obtained, it is parsed to read the value of x-authentication-policy from the header. If the value is the mandatory authentication field value "struct", authority verification is enforced on the target service request. If the value is the optional authentication field value "optional", the target service request is further checked for rights information such as token information: if rights information is present, authority verification is performed on the target service request based on it; otherwise authority verification is skipped and the request operation of the target service request is responded to.
In an alternative embodiment, the target service request is a service request after forced authentication transformation of a service request sent by the external service device. Accordingly, obtaining the target service request received by the data service interface may include: acquiring a target service request received by a data service interface from a proxy service node; the proxy service node is used for adding a preset identity authentication field to a service request received from external service equipment, assigning the added field value of the preset identity authentication field as a forced authentication field value, and generating a target service request.
A proxy service node may be deployed in the Kubernetes cluster; it runs a K8s proxy service and acts as a firewall. For example, the proxy service node may be a proxy server, which operates mainly at the session layer of the Open Systems Interconnection (OSI) model and may be used to connect the Internet and a local area network (intranet). For example, the proxy service node may provide the proxy service over HTTP, thereby ensuring system security.
Assuming that the preset identity authentication field is "x-authentication-policy" and the forced authentication field value is "struct", for a service request sent by the external service device the Kubernetes cluster may first have the K8s proxy service force the field "x-authentication-policy" into the service request, for example by adding the field "x-authentication-policy" to the request header of the service request and assigning the added x-authentication-policy field value to struct; that is, "x-authentication-policy=struct" is forcibly added to the service request, so that the resulting target service request contains "x-authentication-policy=struct". After receiving the target service request through the data service interface, the data service node performs forced authentication on the target service request according to x-authentication-policy=struct.
In this way, the proxy service node forcibly injects "x-authentication-policy=struct" into every service request from the external service device, so that permission verification of external service requests is guaranteed and the authentication requirement of external services is met.
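The two halves of the mechanism described above, the proxy service node's forced conversion and the data service node's decision on the x-authentication-policy value, as an added Go example that is not part of the patent and not code from any implementation of it. The field name and the values "struct" and "optional" are taken from the page; everything else (the Authorization bearer token as the carrier of "Token information", the stand-in authentication service, the choice that the proxy overwrites rather than merely adds the field, and fail-closed handling of an absent or unrecognised value, which the page does not specify) is an assumption of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Field name and values as given on the page. "struct" is the page's own
// spelling of the forced authentication field value and is kept as-is.
const (
	PolicyHeader   = "X-Authentication-Policy"
	PolicyForced   = "struct"
	PolicyOptional = "optional"
)

// Decision is the data service node's verdict on a target service request.
type Decision int

const (
	DecisionAuthenticate Decision = iota // invoke the authentication service
	DecisionSkip                         // respond to the request without authentication
)

// ProxyTransform is the proxy service node's forced authentication conversion:
// every request arriving from an external service device leaves the proxy with
// x-authentication-policy=struct. This example sets the field unconditionally,
// replacing any value already present (an implementation choice of this
// example), so the value the data service sees is always the proxy's.
func ProxyTransform(h http.Header) {
	h.Set(PolicyHeader, PolicyForced)
}

// bearerToken returns the Token information carried in the Authorization
// header, or "" if none is present. The page only says "authority information,
// such as Token information"; the bearer-token carrier is an assumption.
func bearerToken(h http.Header) string {
	v := strings.TrimSpace(h.Get("Authorization"))
	const prefix = "bearer "
	if len(v) > len(prefix) && strings.EqualFold(v[:len(prefix)], prefix) {
		return strings.TrimSpace(v[len(prefix):])
	}
	return ""
}

// Decide parses the preset identity authentication field and decides whether
// the target service request is to be authenticated, following the page:
// struct -> always authenticate; optional -> authenticate only if authority
// information is present, otherwise skip. An absent or unrecognised value is
// not covered by the page; this example fails closed and authenticates.
func Decide(h http.Header) Decision {
	switch strings.ToLower(strings.TrimSpace(h.Get(PolicyHeader))) {
	case PolicyForced:
		return DecisionAuthenticate
	case PolicyOptional:
		if bearerToken(h) != "" {
			return DecisionAuthenticate
		}
		return DecisionSkip
	default:
		return DecisionAuthenticate
	}
}

// Handle applies the decision. authn stands in for the authentication service
// the data service node invokes; Handle returns the HTTP status the node answers with.
func Handle(h http.Header, authn func(token string) bool) int {
	if Decide(h) == DecisionSkip {
		return http.StatusOK
	}
	tok := bearerToken(h)
	if tok == "" || !authn(tok) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

func main() {
	// Constructed sample requests; the token value is illustrative.
	authn := func(tok string) bool { return tok == "valid-token" } // stand-in authentication service

	external := http.Header{}
	external.Set(PolicyHeader, PolicyOptional) // whatever the external side sent
	ProxyTransform(external)                   // proxy forces struct regardless
	fmt.Println("external:", external.Get(PolicyHeader), Handle(external, authn)) // struct 401

	internal := http.Header{}
	internal.Set(PolicyHeader, PolicyOptional)
	fmt.Println("internal optional, no token:", Handle(internal, authn)) // 200, verification skipped

	internal.Set("Authorization", "Bearer valid-token")
	fmt.Println("internal optional, with token:", Handle(internal, authn)) // 200, verified
}
```

Decide and Handle are the data service node's side; ProxyTransform is the proxy's. Keeping the policy lookup in one function makes the "optional" branch, the only branch that can skip verification, easy to audit and to log separately.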
Based on the service request authentication method of the embodiment corresponding to fig. 1, in an example embodiment, whether authentication is required may be configured according to specific service requirements; that is, the internal service may set the field value of the preset identity authentication field according to its own needs. For a service that must be authenticated, the field value of the preset identity authentication field in a service request that accesses that service may be set to the mandatory authentication field value; for a service that may or may not be authenticated, the field value may be set to the optional authentication field value, so that whether authentication is required can be selected per service.
Specifically, in the case that the target service request is a service request sent by an internal service node, the internal service node first determines the field value of the preset identity authentication field based on attribute information of the target service to be accessed, and then generates the target service request based on the target service and that field value; wherein the attribute information includes at least one of business service class information, business service type information and business service identification information.
For example, internal services may be classified by class (level): a service at or above a preset level may be determined to be a service requiring forced authentication, and a service below the preset level may be determined to be an optional authentication service. Alternatively, internal business services may be divided according to business service type, with different types of business services corresponding to different authentication requirements. Alternatively, internal services may be distinguished by service identifier, with different service identifiers corresponding to different authentication requirements.
When a certain target service is required to be accessed, if the target service is determined to be the service requiring forced authentication according to the attribute information of the target service, a field value of a preset identity authentication field in an access request of the target service can be set as a forced authentication field value to obtain a target service request. If the target service is determined to be the service with optional authentication according to the attribute information of the target service, the field value of the preset identity authentication field in the access request of the target service can be set to be the optional authentication field value, so that the target service request is obtained.
Thus, for internal services, whether authentication is required or not can be configured according to specific business service requirements.
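The internal service node's side of the scheme, determining the field value from the target service's attribute information and building the target service request, as an added Go example that is not part of the patent or of any implementation of it. The three attribute kinds (class, type, identifier) and the values "struct" and "optional" come from the page; the rule structure, the level threshold, the sample service names, and the choice to apply all three criteria with the most restrictive result winning (the page lists them as alternatives) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
)

// Field name and values as given on the page ("struct" is the page's spelling).
const (
	PolicyHeader   = "X-Authentication-Policy"
	PolicyForced   = "struct"
	PolicyOptional = "optional"
)

// ServiceAttributes is the attribute information of the target service to be
// accessed: the three kinds the page lists.
type ServiceAttributes struct {
	Class      int    // business service class (level); higher means more sensitive
	Type       string // business service type
	Identifier string // business service identification
}

// AuthPolicyRules is the internal service's configuration of which services
// must be authenticated. The field names are this example's own.
type AuthPolicyRules struct {
	ForcedLevel int             // services with Class >= ForcedLevel require forced authentication
	ForcedTypes map[string]bool // business service types that require forced authentication
	ForcedIDs   map[string]bool // individual service identifiers that require forced authentication
}

// FieldValue determines the x-authentication-policy value for a target service.
// All three criteria are applied and the most restrictive wins (an assumption):
// a service is "optional" only when no criterion demands forced authentication.
// With a zero-value AuthPolicyRules (ForcedLevel 0) every service is forced,
// so an unconfigured rule set fails closed.
func (r AuthPolicyRules) FieldValue(a ServiceAttributes) string {
	if a.Class >= r.ForcedLevel {
		return PolicyForced
	}
	if r.ForcedTypes[a.Type] {
		return PolicyForced
	}
	if r.ForcedIDs[a.Identifier] {
		return PolicyForced
	}
	return PolicyOptional
}

// BuildRequest generates the target service request the internal service node
// sends to the data service interface: the access request for the target
// service with the determined field value set in its header.
func (r AuthPolicyRules) BuildRequest(method, url string, a ServiceAttributes) (*http.Request, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set(PolicyHeader, r.FieldValue(a))
	return req, nil
}

func main() {
	// Constructed rule set and services; names, types and levels are illustrative.
	rules := AuthPolicyRules{
		ForcedLevel: 3,
		ForcedTypes: map[string]bool{"payment": true},
		ForcedIDs:   map[string]bool{"svc-audit-log": true},
	}
	services := []ServiceAttributes{
		{Class: 1, Type: "catalog", Identifier: "svc-catalog"},   // optional
		{Class: 1, Type: "payment", Identifier: "svc-pay"},       // struct (type rule)
		{Class: 4, Type: "catalog", Identifier: "svc-reports"},   // struct (level rule)
		{Class: 1, Type: "catalog", Identifier: "svc-audit-log"}, // struct (identifier rule)
	}
	for _, svc := range services {
		req, err := rules.BuildRequest(http.MethodGet, "http://data-service.internal/api/"+svc.Identifier, svc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s %s=%s\n", svc.Identifier, PolicyHeader, req.Header.Get(PolicyHeader))
	}
}
```

Because the internal service node chooses the value itself, the rule set is the place an operator reviews when deciding which internal services may skip verification; keeping it as data rather than scattered conditionals makes that review straightforward.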
The service request authentication system provided by the invention is described below, and the service request authentication system described below and the service request authentication method described above can be referred to correspondingly.
Fig. 2 is a schematic structural diagram of a service request authentication system according to an embodiment of the present invention, and referring to fig. 2, the service request authentication system may include a Kubernetes cluster 21 and an external service device 22, where the Kubernetes cluster 21 may include an internal service node 211 and at least one data service node 212.
The data service node 212 is configured to obtain a target service request received by the data service interface, parse the target service request to obtain a field value of a preset identity authentication field in the target service request, and determine whether to authenticate the target service request based on the field value; and under the condition that the authentication of the target service request is determined, invoking an authentication service to authenticate the target service request. The data service interface is configured to receive a service request sent by the internal service node 211 and a service request after the forced authentication conversion of the service request sent by the external service device 22.
Specifically, the data service node 212 may determine to authenticate the target service request when the field value of the preset identity authentication field in the target service request is the mandatory authentication field value; determining whether authority information exists in the target service request or not under the condition that a field value of a preset identity authentication field in the target service request is an optional authentication field value, and determining to authenticate the target service request under the condition that the authority information exists in the target service request; and responding to the request operation of the target service request under the condition that the authority information does not exist in the target service request.
By way of example, the external service device 22 may include at least one of a server and a terminal device, which may include a cell phone, a computer, a tablet computer, a wearable device, and the like.
In the case that the target service request is derived from a service request sent by an external service device, the target service request is generated after the service request sent by the external service device is forcibly converted into a format to be authenticated, and the format to be authenticated may be that a preset identity authentication field is added to the service request sent by the external service device and the field value of the added preset identity authentication field is set to the preset forced authentication field value.
The Kubernetes cluster 21 may further include a proxy service node 213, where the proxy service node 213 is configured to add a preset identity authentication field to a service request received from the external service device 22, and assign a field value of the added preset identity authentication field to be a mandatory authentication field value, so as to generate a target service request. Illustratively, the proxy service node 213 is a K8s proxy service node.
The internal service node 211 may determine a field value of a preset identity authentication field based on attribute information of a target service to be accessed, generate a target service request based on the target service and the determined field value, and then transmit the service request to a data service interface of the data service node 212. Wherein the attribute information includes at least one of business service class information, business service type information and business service identification information.
Assuming that the preset identity authentication field is "x-authentication-policy", the forced authentication field value is "struct" and the optional authentication field value is "optional", the service request authentication system shown in fig. 2 operates as follows. The external service device 22 accesses the data service node 212 through the proxy service node 213: when a service request sent by the external service device 22 passes through the proxy service node 213, the proxy service node 213 forcibly adds "x-authentication-policy=struct" to it, obtains the target service request and sends it to the data service node 212, so that authentication of the external service is guaranteed. For an internal service in the Kubernetes cluster 21, the internal service node 211 may determine, according to the attribute information of the target service to be accessed, whether the field value of x-authentication-policy is struct or optional, and generate the target service request from the target service and the determined field value, thereby selecting forced or optional authentication. After the data service interface of the data service node 212 receives a target service request sent by the internal service node 211, or a target service request generated by the proxy service node 213 forcibly adding "x-authentication-policy=struct" to a service request of the external service device 22, it parses the target service request to obtain the field value of x-authentication-policy: if the field value is struct, permission verification is enforced; if the field value is optional, it is detected whether permission information is present in the target service request, and if so permission verification is performed based on that permission information, otherwise permission verification is skipped.
According to the service request authentication system provided by the embodiment of the invention, on the one hand, the authentication requirements of both external services and internal services can be met with one data service interface: whether a service request, from an external service or an internal service, needs to be authenticated is judged from the field value of the preset identity authentication field, and the authentication service is invoked only when authentication is needed. That is, a single service covers the authentication requirements of both internal and external services, which saves Kubernetes cluster resources and reduces cost. On the other hand, because a single service meets the authentication requirements of both external and internal services, the system is simple to upgrade and maintain and convenient to manage; compared with separate service flows for the external and internal authentication requirements, it avoids the problem of requests reaching the wrong service flow and reduces potential security risks.
The service request authentication device provided by the invention is described below, and the service request authentication device described below and the service request authentication method described above can be referred to correspondingly.
Fig. 3 is a schematic structural diagram of a service request authentication device according to an embodiment of the present invention, and referring to fig. 3, the service request authentication device may include:
a request acquisition module 310, configured to acquire a target service request received by the data service interface; the data service interface is used for receiving a service request sent by the internal service node and a service request after forced authentication conversion of the service request sent by the external service device;
the field parsing module 320 is configured to parse the target service request to obtain a field value of a preset identity authentication field in the target service request;
an authentication determining module 330 for determining whether to authenticate the target service request based on the field value;
the authentication module 340 is configured to invoke an authentication service to authenticate the target service request if it is determined to authenticate the target service request.
In an example embodiment, the authentication determination module 330 may include: a first authentication determining unit, configured to determine to authenticate the target service request if the field value is a mandatory authentication field value; and the second authentication determining unit is used for determining whether authority information exists in the target service request or not under the condition that the field value is an optional authentication field value, and determining to authenticate the target service request under the condition that the authority information exists in the target service request.
In an example embodiment, the target service request is a service request after forced authentication conversion of a service request sent by an external service device; accordingly, the request acquisition module 310 may be specifically configured to acquire the target service request received by the data service interface from the proxy service node. The proxy service node is used for adding a preset identity authentication field to a service request received from external service equipment, assigning the added field value of the preset identity authentication field as a forced authentication field value, and generating a target service request.
In an example embodiment, the authentication determination module 330 may further include: and the response unit is used for responding to the request operation of the target service request under the condition that the authority information does not exist in the target service request.
In an example embodiment, in a case that the target service request is a service request sent by an internal service node, the target service request is generated based on the target service and a field value after the internal service node determines a field value of a preset identity authentication field based on attribute information of the target service to be accessed; the attribute information includes at least one of business service class information, business service type information, and business service identification information.
Fig. 4 illustrates a schematic structure of a service request authentication device, and as shown in fig. 4, the service request authentication device may include: processor 410, communication interface (Communication Interface) 420, memory 430, and communication bus 440, wherein processor 410, communication interface 420, and memory 430 communicate with each other via communication bus 440. The processor 410 may invoke logic instructions in the memory 430 to perform the service request authentication method provided by any of the method embodiments described above, which may include, for example: acquiring a target service request received by a data service interface; analyzing the target service request to obtain a field value of a preset identity authentication field in the target service request; determining whether to authenticate the target service request based on the field value; under the condition that the target service request is determined to be authenticated, invoking an authentication service to authenticate the target service request; the data service interface is used for receiving the service request sent by the internal service node and the service request after forced authentication conversion of the service request sent by the external service device.
By way of example, the processor 410 may include a central processing unit (Central Processing Unit, CPU), microprocessor, network processor (Network Processor, NP), digital signal processor (Digital Signal Processor, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like.
By way of example, communication bus 440 may be an industry standard architecture (Industry Standard Architecture, ISA) bus, a peripheral component interconnect (Peripheral Component Interconnect, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others.
Further, the logic instructions in the memory 430 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art or in part, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, the present invention also provides a computer program product, where the computer program product includes a computer program, where the computer program can be stored on a non-transitory computer readable storage medium, where the computer program when executed by a processor can perform a service request authentication method provided by any of the above method embodiments, where the method may include: acquiring a target service request received by a data service interface; analyzing the target service request to obtain a field value of a preset identity authentication field in the target service request; determining whether to authenticate the target service request based on the field value; under the condition that the target service request is determined to be authenticated, invoking an authentication service to authenticate the target service request; the data service interface is used for receiving the service request sent by the internal service node and the service request after forced authentication conversion of the service request sent by the external service device.
In yet another aspect, the present invention further provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform a service request authentication method provided by any of the above method embodiments, which may for example comprise: acquiring a target service request received by a data service interface; analyzing the target service request to obtain a field value of a preset identity authentication field in the target service request; determining whether to authenticate the target service request based on the field value; under the condition that the target service request is determined to be authenticated, invoking an authentication service to authenticate the target service request; the data service interface is used for receiving the service request sent by the internal service node and the service request after forced authentication conversion of the service request sent by the external service device.
By way of example, computer-readable storage media includes non-transitory computer-readable storage media.
The apparatus embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement the present invention without undue effort.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (8)
1. A service request authentication method, applied to a data service node in a Kubernetes cluster, comprising:
acquiring a target service request received by a data service interface of the data service node; the data service interface is used for receiving a service request sent by an internal service node and a service request after forced authentication conversion of the service request sent by external service equipment;
analyzing the target service request to obtain a field value of a preset identity authentication field in the target service request; the field value is used for identifying whether authentication is performed or not;
determining whether to authenticate the target service request based on the field value;
under the condition that the target service request is determined to be authenticated, invoking an authentication service to authenticate the target service request;
wherein the determining whether to authenticate the target service request based on the field value comprises:
under the condition that the field value is a forced authentication field value, determining to authenticate the target service request;
determining whether authority information exists in the target service request or not under the condition that the field value is an optional authentication field value, and determining to authenticate the target service request under the condition that the authority information exists in the target service request;
and responding to the request operation of the target service request under the condition that the authority information does not exist in the target service request.
2. The service request authentication method according to claim 1, wherein the target service request is a service request after forced authentication conversion of a service request sent by the external service device; the obtaining the target service request received by the data service interface includes:
acquiring the target service request received by the data service interface from a proxy service node;
The proxy service node is configured to add the preset identity authentication field to a service request received from the external service device, and assign a field value of the added preset identity authentication field to the mandatory authentication field value, so as to generate the target service request.
3. The service request authentication method according to claim 1, wherein in the case that the target service request is a service request sent by the internal service node, the target service request is generated based on the target service and the field value after the internal service node determines the field value of the preset identity authentication field based on attribute information of a target service to be accessed; the attribute information includes at least one of business service class information, business service type information, and business service identification information.
4. The service request authentication system is characterized by comprising a Kubernetes cluster and external service equipment; the Kubernetes cluster comprises an internal service node and at least one data service node;
the data service node is used for acquiring a target service request received by a data service interface of the data service node, analyzing the target service request to obtain a field value of a preset identity authentication field in the target service request, and determining whether to authenticate the target service request or not based on the field value; under the condition that the target service request is determined to be authenticated, invoking an authentication service to authenticate the target service request; the field value is used for identifying whether authentication is performed or not; wherein the determining whether to authenticate the target service request based on the field value comprises: under the condition that the field value is a forced authentication field value, determining to authenticate the target service request; determining whether authority information exists in the target service request or not under the condition that the field value is an optional authentication field value, and determining to authenticate the target service request under the condition that the authority information exists in the target service request; responding to the request operation of the target service request under the condition that the authority information does not exist in the target service request;
The data service interface is used for receiving a service request sent by the internal service node and a service request after forced authentication conversion of the service request sent by the external service device.
5. The service request authentication system of claim 4, wherein the Kubernetes cluster further comprises a proxy service node;
the proxy service node is configured to add the preset identity authentication field to a service request received from the external service device, and assign a field value of the added preset identity authentication field to be a forced authentication field value, so as to generate the target service request.
6. A service request authentication apparatus for use with a data service node in a Kubernetes cluster, the apparatus comprising:
the request acquisition module is used for acquiring a target service request received by a data service interface of the data service node; the data service interface is used for receiving a service request sent by an internal service node and a service request after forced authentication conversion of the service request sent by external service equipment;
the field analysis module is used for analyzing the target service request to obtain a field value of a preset identity authentication field in the target service request; the field value is used for identifying whether authentication is performed or not;
an authentication determining module, configured to determine whether to authenticate the target service request based on the field value;
the authentication module is used for calling an authentication service to authenticate the target service request under the condition that the target service request is determined to be authenticated;
wherein, the authentication determining module comprises:
a first authentication determining unit, configured to determine to authenticate the target service request if the field value is a mandatory authentication field value;
a second authentication determining unit, configured to determine whether rights information exists in the target service request if the field value is an optional authentication field value, and determine to authenticate the target service request if the rights information exists in the target service request;
and the response unit is used for responding to the request operation of the target service request under the condition that the authority information does not exist in the target service request.
7. A service request authentication device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the service request authentication method according to any one of claims 1 to 3 when executing the computer program.
8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements a service request authentication method according to any one of claims 1 to 3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311229830.7A CN117014226B (en) | 2023-09-22 | 2023-09-22 | Service request authentication method, device, equipment, system and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311229830.7A CN117014226B (en) | 2023-09-22 | 2023-09-22 | Service request authentication method, device, equipment, system and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117014226A CN117014226A (en) | 2023-11-07 |
CN117014226B true CN117014226B (en) | 2024-01-12 |
Family
ID=88576543
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311229830.7A Active CN117014226B (en) | 2023-09-22 | 2023-09-22 | Service request authentication method, device, equipment, system and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117014226B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118503944B (en) * | 2024-07-12 | 2024-10-08 | 宁波银行股份有限公司 | Authentication method, device, equipment and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021022792A1 (en) * | 2019-08-02 | 2021-02-11 | 创新先进技术有限公司 | Authentication and service serving methods and apparatuses, and device |
WO2022022253A1 (en) * | 2020-07-28 | 2022-02-03 | 北京金山云网络技术有限公司 | Service authentication method, apparatus, device and system, and storage medium |
CN116192483A (en) * | 2023-01-16 | 2023-05-30 | 阿里巴巴(中国)有限公司 | Authentication method, device, equipment and medium |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114679293A (en) * | 2021-06-15 | 2022-06-28 | 腾讯云计算(北京)有限责任公司 | Access control method, device and storage medium based on zero trust security |
-
2023
- 2023-09-22 CN CN202311229830.7A patent/CN117014226B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN117014226A (en) | 2023-11-07 |
Similar Documents
Publication | Title |
---|---|
US8661144B2 (en) | Method and system for automated user authentication for a priority communication session |
CN112995166B (en) | Authentication method and device for resource access, storage medium and electronic equipment |
KR101795592B1 (en) | Control method of access to cloud service for business |
US20160308849A1 (en) | System and Method for Out-of-Ban Application Authentication |
CN112491776B (en) | Security authentication method and related equipment |
CN117014226B (en) | Service request authentication method, device, equipment, system and storage medium |
CN113014593B (en) | Access request authentication method and device, storage medium and electronic equipment |
CN107770192A (en) | Identity authentication method and computer-readable recording medium in multisystem |
US20170019407A1 (en) | Method and server for providing image captcha |
CN111880919B (en) | Data scheduling method, system and computer equipment |
CN112448956B (en) | Authority processing method and device of short message verification code and computer equipment |
CN106713315B (en) | Login method and device of plug-in application program |
CN112953745A (en) | Service calling method, system, computer device and storage medium |
CN111800426A (en) | Method, device, equipment and medium for accessing native code interface in application program |
CN108092777B (en) | Method and device for supervising digital certificate |
CN113343196A (en) | Internet of things security authentication method |
CN114598750B (en) | Data request processing method, device and storage medium |
CN112804222B (en) | Data transmission method, device, equipment and storage medium based on cloud deployment |
CN111447273B (en) | Cloud processing system and data processing method based on cloud processing system |
CN109992298B (en) | Examination and approval platform expansion method and device, examination and approval platform and readable storage medium |
CN110784551A (en) | Data processing method, device, equipment and medium based on multiple tenants |
CN113901428A (en) | Login method and device of multi-tenant system |
CN110753062A (en) | Authentication method, device, system and medium |
CN115248912B (en) | System login method and device based on cloud terminal and computer readable storage medium |
CN115086393B (en) | Interface calling method, device, equipment and storage medium |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |