CN117424726A - Method for integrating keylock and ladon to carry out authority management - Google Patents


Info

Publication number
CN117424726A
Authority
CN
China
Prior art keywords
ladon
authority
management
keylock
authentication
Prior art date
Legal status
Pending
Application number
CN202311316942.6A
Other languages
Chinese (zh)
Inventor
陈金龙
滕以金
魏子重
李锐
Current Assignee
Shandong Inspur Science Research Institute Co Ltd
Original Assignee
Shandong Inspur Science Research Institute Co Ltd
Priority date: 2023-10-12
Filing date: 2023-10-12
Publication date: 2024-01-19
Application filed by Shandong Inspur Science Research Institute Co Ltd
Legal status: Pending

Classifications

    • H04L 63/105: Network architectures or network communication protocols for network security; controlling access to devices or network resources; multiple levels of security
    • G06F 21/31: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; authentication, i.e. establishing the identity or authorisation of security principals; user authentication
    • H04L 63/08: Network architectures or network communication protocols for network security; authentication of entities
    • H04L 63/10: Network architectures or network communication protocols for network security; controlling access to devices or network resources
    • H04L 63/205: Network architectures or network communication protocols for network security; managing network security, network security policies in general; negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H04L 9/40: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols

Abstract

The invention relates to the technical field of computer networks and information security, and in particular to a method for integrating Keycloak and Ladon to carry out authority management. The method comprises the following steps: an IAM system, Keycloak and Ladon are deployed on a server, and the Keycloak and Ladon service addresses and basic role authority information are configured; the external interface provided by the self-developed IAM system is called uniformly, and the IAM system processes the different services, including user authentication, function authority control and resource access control. The beneficial effects are as follows: by managing roles and authorities in a self-developed system, the method flexibly meets various service requirements, and by combining the strong authentication function of Keycloak with the more complete authority control function of Ladon it recombines and integrates the advantages of different open-source projects, thereby balancing development cost against completeness of system functions, which has very important use value.

Description

Method for integrating keylock and ladon to carry out authority management
Technical Field
The invention relates to the technical field of computer networks and information security, and in particular to a method for integrating Keycloak and Ladon to perform authority management.
Background
Rights management is an important issue in modern applications. Conventional rights management methods often have limitations, such as insufficient granularity of rights control and complex rights administration.
In the prior art, Keycloak is an open-source identity and access management solution that provides identity authentication and authorization management functions; based on these capabilities it can interface with a client's existing user system in a non-invasive manner, so that a project system can be deployed and rolled out at low cost and more quickly. Ladon is a lightweight access control solution that can realize fine-grained authority control; it is a powerful authority management system that helps a system administrator implement secure access control over system resources and ensures that only authorized users can access specific resources.
However, in common application systems the rights management system is either fully self-developed or built on a third-party open-source application such as Keycloak or Ladon, which forces a trade-off between flexibility and development cost.
Disclosure of Invention
The invention aims to provide a method for integrating Keycloak and Ladon to carry out authority management so as to solve the problems described in the background.
In order to achieve the above purpose, the present invention provides the following technical solution: a method of integrating Keycloak and Ladon for rights management, the method comprising the steps of:
an IAM system, Keycloak and Ladon are deployed on a server, and the Keycloak and Ladon service addresses and basic role authority information are configured;
and an external interface provided by the self-developed IAM system is called uniformly, with the IAM system processing the different services, wherein the external interface comprises user authentication, function authority control and resource access control.
Preferably, for user authentication, the self-developed IAM calls the corresponding Keycloak API according to the configured authentication mode, uniformly processes the result, and returns the authentication result;
for function authority control, the self-developed IAM system judges whether the current service request has the corresponding function authority according to the role and authority configuration, and returns the verification result;
and for resource access control, after the self-developed IAM system acquires the user and resource information, it assembles the request parameters, calls the Ladon API to check them, uniformly processes the results, and returns the resource access check result.
Preferably, the IAM system is a self-developed system that performs role and authority management, performs audit and log recording, and serves as the unified entry for interfacing with the service system.
Preferably, role authority management provides basic roles and authority management, so that function authority control is realized;
custom scene implementation realizes authority management in particular scenes according to business needs, including configuration and authority verification functions; for example, scenes in the hierarchy above role authority, such as tenant management, tenant-role relations and role templates, are implemented according to the actual service requirements, so that these functions have complete flexibility in configuration interfaces, management modes and usage modes;
audit and log recording provides an audit and logging function at the unified entry to record user access behaviour, authority changes and other corresponding information, to facilitate later audit and fault elimination;
and the unified entry means that each business system carries out authority management for the whole application through the self-developed IAM system, including login authentication, user information queries, function authority and data authority control; the self-developed IAM system completes the corresponding role authority logic based on business needs, then invokes the corresponding Keycloak or Ladon API to implement the function, and returns the result to the business system or front-end application after unified processing.
Preferably, the Keycloak system bears the functions of user authentication, user management and client management.
Preferably, user authentication comprises a plurality of authentication modes, including username-password authentication, third-party authentication and single sign-on;
the Keycloak system provides functions for creating, editing, deleting and disabling users, supports user attribute customization, and adds additional user information as required; the user management function of the Keycloak system is used to unify data across the various authentication modes, so that the complexity and maintenance cost of the system are reduced;
the Keycloak system allows client applications to be created and managed, supporting a variety of client types, including Web applications, mobile applications and server applications, through which independent authentication and authorization rules are configured for each application.
Preferably, the Ladon system bears the function of data authority access control, specifically comprising fine-grained access control and policy management.
Preferably, for fine-grained access control, the Ladon system performs accurate authority control on each resource, and the user defines different authority rules for each resource as needed to realize fine-grained control of the resource;
for policy management, the Ladon system allows policies to be defined that control the application scope and conditions of access control rules, and the conditions under which access control rules take effect are controlled more flexibly through policy management.
Compared with the prior art, the invention has the beneficial effects that:
by managing roles and authorities in a self-developed system, the method for integrating Keycloak and Ladon to carry out authority management flexibly meets various service requirements, and by combining the strong authentication function of Keycloak with the more complete authority control function of Ladon it recombines and integrates the advantages of different open-source projects, thereby balancing development cost against completeness of system functions, which has very important use value.
Drawings
FIG. 1 is a diagram of a system architecture of the present invention.
Detailed Description
In order to make the objects, technical solutions, and advantages of the present invention more apparent, the embodiments of the present invention will be further described in detail with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are some, but not all, embodiments of the present invention, are intended to be illustrative only and not limiting of the embodiments of the present invention, and that all other embodiments obtained by persons of ordinary skill in the art without making any inventive effort are within the scope of the present invention.
Referring to FIG. 1, the present invention provides the following technical solution: a method of integrating Keycloak and Ladon for rights management, the method comprising the steps of:
an IAM system, Keycloak and Ladon are deployed on a server, and the Keycloak and Ladon service addresses and basic role authority information are configured;
and an external interface provided by the self-developed IAM system is called uniformly, with the IAM system processing the different services, wherein the external interface comprises user authentication, function authority control and resource access control.
1. Self-developed IAM system
This system is self-developed; it performs role and authority management and custom functions for special scenes, performs audit and log recording, and serves as the unified entry that interfaces with the business systems.
Role authority management: provides basic roles and authority management, and realizes function authority control.
Custom scene implementation: rights management in particular scenarios is implemented according to business needs, including configuration and rights verification functions. For example, scenes above role authority in the hierarchy, such as tenant management, tenant-to-role relationships (global roles and tenant-specific roles) and role templates, can be implemented according to actual service requirements, so that the functions have complete flexibility in configuration interfaces, management modes and usage modes.
Audit and log recording: an audit and logging function is provided at the unified entry, so that information such as user access behaviour and authority changes is recorded, facilitating later audit and fault removal.
Unified entry: the business systems carry out authority management for the whole application through the self-developed IAM system, including login authentication, user information queries, function authority, data authority control and the like. Based on the service requirements, the self-developed IAM system completes the corresponding role authority logic, then invokes the corresponding Keycloak or Ladon API to implement the function, and returns the result to the service system or front-end application after unified processing.
Through this self-developed approach, the system achieves complete flexibility in configuration interface, management mode and usage mode.
2. Keycloak system
In rights management, the Keycloak system takes on the functions of user authentication, user management and client management.
User authentication: includes various authentication methods, such as username-password authentication, third-party authentication (e.g., Google, Facebook, etc.) and single sign-on (SSO).
User management: Keycloak provides user creation, editing, deletion, disabling and similar functions, supports user attribute customization, and additional user information may be added as needed. Through the user management function of Keycloak, data can be unified across the various authentication modes, reducing the complexity and maintenance cost of the system.
Client management: Keycloak allows client applications to be created and managed. It supports a variety of client types, including Web applications, mobile applications, server applications and the like. Independent authentication and authorization rules may be configured for each application through client management.
In addition, Keycloak provides various security enhancement functions, including multi-factor authentication, password policies, session management and security auditing, which meet the security requirements of these functions and improve the security and protective capability of the system.
3. Ladon system
In the system, Ladon bears the function of data authority access control, specifically comprising fine-grained access control and policy management.
Fine-grained access control: Ladon can perform accurate authority control on each resource. The user can define different authority rules for each resource as needed, so as to realize fine-grained control of resources.
Policy management: Ladon allows policies to be defined that control the application scope and conditions of access control rules. Through policy management, the conditions under which access control rules take effect can be controlled more flexibly.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. A method for integrating Keycloak and Ladon to carry out authority management, characterized in that the method comprises the following steps:
an IAM system, Keycloak and Ladon are deployed on a server, and the Keycloak and Ladon service addresses and basic role authority information are configured;
and an external interface provided by the self-developed IAM system is called uniformly, with the IAM system processing the different services, wherein the external interface comprises user authentication, function authority control and resource access control.
2. The method for integrating Keycloak and Ladon for rights management as recited in claim 1, wherein: for user authentication, the self-developed IAM calls the API corresponding to Keycloak according to the configured authentication mode, uniformly processes the result and returns the authentication result;
for function authority control, the self-developed IAM system judges whether the current service request has the corresponding function authority according to the role and authority configuration, and returns the verification result;
and for resource access control, after the self-developed IAM system acquires the user and resource information, it assembles the request parameters, calls the Ladon API to check them, uniformly processes the results, and returns the resource access check result.
3. The method for integrating Keycloak and Ladon for rights management as recited in claim 1, wherein: the IAM system is a self-developed system that performs role and authority management and custom functions for special scenes, performs audit and log recording, and serves as the unified entry for interfacing with the service system.
4. A method of integrating Keycloak and Ladon for rights management as recited in claim 3, wherein: role authority management provides basic roles and authority management and realizes function authority control;
custom scene implementation realizes authority management in particular scenes according to business needs, including configuration and authority verification functions; for example, scenes in the hierarchy above role authority, such as tenant management, tenant-role relations and role templates, are implemented according to the actual service requirements, so that these functions have complete flexibility in configuration interfaces, management modes and usage modes;
audit and log recording provides an audit and logging function at the unified entry to record user access behaviour, authority changes and other corresponding information, to facilitate later audit and fault elimination;
and the unified entry means that each business system carries out authority management for the whole application through the self-developed IAM system, including login authentication, user information queries, function authority and data authority control; the self-developed IAM system completes the corresponding role authority logic based on business needs, then invokes the corresponding Keycloak or Ladon API to implement the function, and returns the result to the business system or front-end application after unified processing.
5. The method for integrating Keycloak and Ladon for rights management as recited in claim 1, wherein: the Keycloak system bears the functions of user authentication, user management and client management.
6. The method for integrating Keycloak and Ladon for rights management as recited in claim 5, wherein: user authentication comprises a plurality of authentication modes, including username-password authentication, third-party authentication and single sign-on;
the Keycloak system provides functions for creating, editing, deleting and disabling users, supports user attribute customization, and adds additional user information as required; the user management function of the Keycloak system is used to unify data across the various authentication modes, so that the complexity and maintenance cost of the system are reduced;
the Keycloak system allows client applications to be created and managed, supporting a variety of client types, including Web applications, mobile applications and server applications, through which independent authentication and authorization rules are configured for each application.
7. The method for integrating Keycloak and Ladon for rights management as recited in claim 1, wherein: the Ladon system bears the function of data authority access control, specifically comprising fine-grained access control and policy management functions.
8. The method for integrating Keycloak and Ladon for rights management as recited in claim 7, wherein: for fine-grained access control, the Ladon system performs accurate authority control on each resource, and the user defines different authority rules for each resource as needed to realize fine-grained control of the resource;
for policy management, the Ladon system allows policies to be defined that control the application scope and conditions of access control rules, and the conditions under which access control rules take effect are controlled more flexibly through policy management.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311316942.6A CN117424726A (en) 2023-10-12 2023-10-12 Method for integrating keylock and ladon to carry out authority management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311316942.6A CN117424726A (en) 2023-10-12 2023-10-12 Method for integrating keylock and ladon to carry out authority management

Publications (1)

Publication Number Publication Date
CN117424726A true CN117424726A (en) 2024-01-19

Family

ID=89527600

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311316942.6A Pending CN117424726A (en) 2023-10-12 2023-10-12 Method for integrating keylock and ladon to carry out authority management

Country Status (1)

Country Link
CN (1) CN117424726A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination