CN117454339A - Rights management and control method, device, equipment and medium based on Sidecar - Google Patents

Info

Publication number
CN117454339A
Authority
CN
China
Legal status
Pending
Application number
CN202311424283.8A
Other languages
Chinese (zh)
Inventor
王永刚
范雍祺
翁庭峰
王翔
汪振威
邢健
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application belongs to the technical field of computers and in particular relates to a Sidecar-based method, apparatus, device and medium for rights management and control. The method comprises: obtaining an access request sent by a user terminal and sending it to a first Sidecar service corresponding to a front-end application; controlling the first Sidecar service to send the user ID and the identification information of the front-end application to a rights authentication center, so that the rights authentication center checks the user's access rights, generates first response information once the check succeeds and feeds it back to the first Sidecar service; and, after the first Sidecar service receives the first response information, controlling the first Sidecar service to send the access request to the front-end application so that the front-end application authorizes the user. This solves the problem that the service must be redeployed whenever the authentication logic changes.

Description

Rights management and control method, device, equipment and medium based on Sidecar
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a medium for rights management and control based on Sidecar.
Background
At present, rights control for an application is mostly implemented by introducing, into the service side to be accessed, an access service package supplied by the rights service provider. Controlling access this way not only requires intrusive modification of and additions to the configuration of the service side to be accessed, but also requires the rights service provider to supply access service packages for the development language of each of the service side's applications, which increases the cost and difficulty of rights-controlled access.
With the development of cloud native architecture, the prior art proposes completing proxied rights management access in a cloud native environment with a Sidecar service (Sidecar): the Sidecar authentication logic and the business service run in the same scheduling unit (Pod), and the Sidecar completes the proxied rights access.
However, the existing Sidecar-based proxy rights management and control method needs to redeploy the Pod to upgrade the service every time the authentication logic changes, and because the granularity and methods of rights management differ between service sides, it cannot meet the rights management and control access requirements of differing services.
Disclosure of Invention
The application provides a Sidecar-based method, apparatus, device and medium for rights management and control, to solve the problems of the conventional proxy rights management and control method: the Pod must be redeployed to upgrade the service every time the authentication logic changes, and the rights management and control access requirements of differing services cannot be met.
In a first aspect, the present application provides a method for managing and controlling rights based on Sidecar, applied to a rights management system, where the method includes:
acquiring an access request sent by a user terminal, and sending the access request to a first Sidecar service corresponding to a front-end application program, wherein the access request comprises a user ID of the user terminal and identification information of the front-end application program;
the first Sidecar service is controlled to send the user ID and the identification information of the front-end application program to a right authentication center, so that the right authentication center checks the access right of the user to the front-end application program, and after the user access right is checked successfully, first response information is generated and fed back to the first Sidecar service;
and after the first Sidecar service receives the first response information, controlling the first Sidecar service to send the access request to the front-end application program so that the front-end application program can conduct authorization processing on the user.
Optionally, the method further comprises: controlling the front-end application program to send the access request to a second Sidecar service corresponding to a first back-end service, wherein the first back-end service is the back-end service corresponding to the front-end application program;
the second Sidecar service is controlled to send the user ID and the identification information of the first back-end service to the authority authentication center, so that the authority authentication center checks the access authority of the user to the first back-end service, and after the verification is successful, second response information is generated and fed back to the second Sidecar service;
and after the second Sidecar service receives the second response information, controlling the second Sidecar service to send the access request to the first back-end service so that the first back-end service performs authorization processing on the user.
Optionally, the method further comprises: controlling the first back-end service to send the access request to a third Sidecar service corresponding to a second back-end service, wherein a calling relationship exists between the second back-end service and the first back-end service;
the third Sidecar service is controlled to send the user ID and the identification information of the second back-end service to the authority authentication center, so that the authority authentication center checks the access authority of the user to the second back-end service, and after the verification is successful, third response information is generated and fed back to the third Sidecar service;
and after the third Sidecar service receives the third response information, controlling the second Sidecar service to send the access request to the second back-end service so that the second back-end service performs authorization processing on the user.
Optionally, the method further comprises: after the second back-end service receives the access request which is successfully verified, the second back-end service is controlled to carry out authorization processing on the user and generate first authorization response information corresponding to the second back-end service,
controlling the second back-end service to send the first authorization response information to the third Sidecar service;
and after the third Sidecar service receives the first authorization response information sent by the second back-end service, controlling the third Sidecar service to send the first authorization response information to the second Sidecar service so that the second Sidecar service processes the first authorization response information.
Optionally, the method further comprises: when the second Sidecar service receives the first authorization response information sent by the third Sidecar service, controlling the second Sidecar service to combine the first authorization response information with second authorization response information to obtain third authorization response information, and processing the third authorization response information, where the second authorization response information corresponds to the first back-end service and is generated after the first back-end service performs authorization processing on the user;
and controlling the second Sidecar service to send the third authorization response information to the first Sidecar service so that the first Sidecar service feeds back an access rights result to the user terminal.
In a second aspect, the present application provides a rights management and control apparatus based on Sidecar, applied to a rights management system, the apparatus comprising:
the acquisition module is used for acquiring an access request sent by the user terminal;
the sending module is used for sending the access request to a first Sidecar service corresponding to a front-end application program, wherein the access request comprises a user ID of the user terminal and identification information of the front-end application program;
the control module is used for controlling the first Sidecar service to send the user ID and the identification information of the front-end application program to a right authentication center so that the right authentication center can check the access right of the user to the front-end application program, and after the user access right is checked successfully, first response information is generated and fed back to the first Sidecar service;
and the control module is further configured to control the first Sidecar service to send the access request to the front-end application program after the first Sidecar service receives the first response information, so that the front-end application program performs authorization processing on the user.
Optionally, the control module is further configured to control the front-end application to send the access request to a second Sidecar service corresponding to a first back-end service, where the first back-end service is a back-end service corresponding to the front-end application;
the control module is further configured to control the second Sidecar service to send the user ID and the identification information of the first backend service to the authority authentication center, so that the authority authentication center checks an access authority of the user to access the first backend service, and after the verification is successful, generates second response information, and feeds back the second response information to the second Sidecar service;
and the control module is further configured to control the second Sidecar service to send the access request to the first backend service after the second Sidecar service receives the second response information, so that the first backend service performs authorization processing on the user.
Optionally, the control module is further configured to control the first backend service to send the access request to a third Sidecar service corresponding to a second backend service, where a call relationship exists between the second backend service and the first backend service;
The control module is further configured to control the third Sidecar service to send the user ID and the identification information of the second backend service to the authority authentication center, so that the authority authentication center checks an access authority of the user to access the second backend service, and after the verification is successful, generate third response information, and feed back the third response information to the third Sidecar service;
and the control module is further configured to control the second Sidecar service to send the access request to the second backend service after the third Sidecar service receives the third response information, so that the second backend service performs authorization processing on the user.
Optionally, the apparatus further comprises: a generating module;
the control module is further configured to control the second back-end service to perform authorization processing on the user after the second back-end service receives the access request that is successfully authenticated,
the generating module is used for generating first authorization response information corresponding to the second back-end service,
the control module is further configured to control the second backend service to send the first authorization response information to the third Sidecar service;
The control module is further configured to control the third Sidecar service to send the first authorization response information to the second Sidecar service after the third Sidecar service receives the first authorization response information sent by the second back-end service, so that the second Sidecar service processes the first authorization response information.
Optionally, the apparatus further includes: a processing module;
the control module is further configured to control, when the second Sidecar service receives the first authorization response information sent by the third Sidecar service, the second Sidecar service to combine the first authorization response information with second authorization response information to obtain third authorization response information, where the second authorization response information is generated by the first back-end service after the authorization processing is performed on the user, and corresponds to the first back-end service;
the processing module is used for processing the third authorization response information;
the control module is further configured to control the second Sidecar service to send the third authorization response information to the first Sidecar service, so that the first Sidecar service feeds back an access authority result to the user terminal.
In a third aspect, the present application provides a rights management and control apparatus based on Sidecar, including:
a memory;
a processor;
wherein the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the Sidecar-based rights management method as described in the above first aspect and the various possible implementations of the first aspect.
In a fourth aspect, the present application provides a computer storage medium having stored thereon a computer program for execution by a processor to implement the Sidecar-based rights management method as described in the first aspect and the various possible implementations of the first aspect.
According to the Sidecar-based rights management and control method of the application, an access request sent by a user terminal is obtained and sent to a first Sidecar service corresponding to a front-end application, the access request comprising a user ID of the user terminal and identification information of the front-end application. The first Sidecar service is controlled to send the user ID and the identification information of the front-end application to a rights authentication center, so that the rights authentication center checks the user's access rights to the front-end application; after the check succeeds, first response information is generated and fed back to the first Sidecar service. After the first Sidecar service receives the first response information, it is controlled to send the access request to the front-end application so that the front-end application performs authorization processing on the user. This solves the problem that the scheduling unit has to be redeployed whenever the authentication logic used for rights management and control changes.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic diagram of an application scenario of the Sidecar-based rights management and control method provided in the present application;
Fig. 2 is a first flowchart of the Sidecar-based rights management and control method provided in the present application;
Fig. 3 is a second flowchart of the Sidecar-based rights management and control method provided in the present application;
Fig. 4 is a third flowchart of the Sidecar-based rights management and control apparatus provided in the present application;
Fig. 5 is a schematic structural diagram of a Sidecar-based rights management and control apparatus provided in the present application;
Fig. 6 is a schematic structural diagram of a Sidecar-based rights management and control apparatus provided in the present application.
Specific embodiments thereof have been shown by way of example in the drawings and will herein be described in more detail. These drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but to illustrate the concepts of the present application to those skilled in the art by reference to specific embodiments.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the present application will be clearly and completely described below with reference to the drawings in the present application, and it is apparent that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein.
In the embodiments of the present application, words such as "exemplary" or "such as" are used to mean examples, illustrations, or descriptions. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
First, terms related to the present application will be explained.
Pod: the smallest scheduling unit in the container cluster management system; one or more containers can be started inside each Pod, and Pods are the accessing parties of the rights service.
Container: a container runs inside a Pod and is an execution instance created from an image; one or more applications can run in it.
Sidecar: the side car service, which invokes the verification request and forwards access requests that pass verification, thereby implementing rights-managed access.
SSO/Auth Server: the rights authentication center, the provider of the rights service, which checks access requests against the rights verification logic to determine access rights.
WebAPP: an application developed with Web technology, which a user accesses and uses through a browser without downloading or installing anything.
API (Application Programming Interface): an application programming interface.
At present, rights-controlled access for an application is mostly completed by introducing, into the service side to be accessed, an access service package supplied by the rights service provider, so as to complete the rights control integration. Controlling access this way not only requires intrusive modification of and additions to the configuration of the service side to be accessed, but also requires the rights service provider to supply access service packages for the development language of each of the service side's applications, which increases the cost and difficulty of rights-controlled access.
With the development of cloud native architecture, the prior art proposes completing proxied access in a cloud native environment with a Sidecar service (Sidecar): the Sidecar authentication logic and the business service run in the same scheduling unit (Pod), and the Sidecar completes the proxied access.
However, in the existing Sidecar-based proxy rights access method, the Pod has to be redeployed to upgrade the service every time the authentication logic changes. Moreover, the various business services on a service side differ from each other, and adapting to these differences means updating the code of the rights proxy side, so the rights provider is upgraded frequently. The method is also only suited to authentication and cannot meet complex rights management and control, because under fine-grained rights control the response data sets expected from the same interface differ, and simply forwarding the request cannot satisfy variable business scenarios. In summary, the granularity and methods of rights control differ between service servers, and the existing Sidecar-based proxy rights access method cannot meet the rights-controlled access requirements of differing services.
In view of the above problems, the present application provides a method for managing rights based on Sidecar, and fig. 1 is a schematic application scenario diagram of the method for managing rights based on Sidecar provided in the present application. It should be noted that fig. 1 is only an example of an application scenario in which the Sidecar-based rights management method of the present application may be applied, so as to help those skilled in the art understand the technical content of the present application, but does not mean that the embodiments of the present application may not be used in other devices, systems, environments, or scenarios.
As shown in Fig. 1, the rights management system is composed of scheduling unit Pod 1, scheduling unit Pod 2, scheduling unit Pod 3 and a rights authentication center. Two containers run in Pod 1: a first container (Container 1) and a second container (Container 2). The second container runs a WebAPP front-end application that provides front-end resources to users, and the first container runs the first Sidecar service corresponding to the WebAPP front-end application in the second container. Pod 2 likewise has two containers: the second container runs back-end service A, which provides data service logic to the corresponding front-end application, and the first container runs the second Sidecar service corresponding to back-end service A in the second container. Pod 3 also has two containers: the second container runs back-end service B, and the second container runs the third Sidecar service corresponding to back-end service B in the second container, wherein the third Sidecar service is used for providing data service logic to the corresponding front-end application and for receiving calls from back-end service A.
In the rights management system, the WebAPP front-end application, back-end service A and back-end service B each have a corresponding Sidecar service, namely the first, second and third Sidecar services, and each Sidecar service is deployed in the same Pod as its service, namely Pod 1, Pod 2 and Pod 3. Pod 1, Pod 2 and Pod 3 expose only the port of their Sidecar service to the outside; all external access interacts with the Sidecar service and never directly with the business application running in the second container (Container 2) of each Pod. As shown in Fig. 1, Pod 2 and Pod 3 can interact with the rights authentication center through the ports of their Sidecar services so that the rights authentication center checks the access rights.
Thus, each Sidecar service is responsible for only invoking verification requests and forwarding verification-passed access requests. The authority management system decouples the authority verification logic from the Sidecar service by locating the specific authority verification logic on one side of the authority authentication center, and only the authority authentication center is required to be redeployed and upgraded after the authority verification logic is changed, so that the Sidecar service corresponding to the service application in each Pod does not need to be redeployed and upgraded.
After the rights management system receives an access request sent by a user terminal, the access request is sent to the first Sidecar service in Pod 1, which forwards it to the rights authentication center for verification; the access request includes the ID of the current user. If verification fails, the user's access is rejected; if verification passes, the first Sidecar service releases the access request and forwards it to the WebAPP front-end application in the second container of Pod 1 for authorization processing.
It can be understood that Pod 1, Pod 2 and Pod 3 form a scenario in which front-end and back-end services are separated. The second Sidecar service corresponding to back-end service A in Pod 2 can interact with the rights authentication center through the port of the Sidecar service to obtain the access rights result produced by the rights authentication center's check, and when the check passes it forwards the corresponding access request to back-end service A in the second container of Pod 2 so that back-end service A performs authorization processing.
Likewise, the third Sidecar service corresponding to back-end service B in Pod 3 can interact with the rights authentication center through the port of the Sidecar service to obtain the access rights result produced by the rights authentication center's check, and when the check passes it releases the corresponding access request and forwards it to back-end service B in the third container of Pod 3 so that back-end service B performs authorization processing.
Meanwhile, the rights management system also supports fine-grained rights management and control: different users sending the same request obtain different response result sets according to their rights allocation. As shown in Fig. 1, after the request is processed the third Sidecar service returns the response result set to the previous service caller, i.e. to back-end service A, and the second Sidecar service bound to back-end service A can then perform secondary processing, filtering, screening and similar operations on the result set to implement rights management and control at a finer granularity.
According to the Sidecar-based rights management and control method, the rights authentication center is decoupled from the Sidecar application: the rights verification logic sits on the side of the rights authentication center, and the Sidecar is only responsible for invoking verification requests and forwarding access requests that pass verification. The Sidecar service and the business application are deployed in the same Pod, only the ports of the Sidecar service are exposed to the outside, and all external access interacts with the Sidecar service rather than directly with the business application. This solves the problem that the service in the scheduling unit has to be redeployed every time the authentication logic for rights management and control changes. Meanwhile, once the response result set for a processed access request is returned to the previous service caller, the corresponding Sidecar service can perform secondary processing on it to implement finer-grained rights control, so the method also meets the rights-controlled access requirements of differing services.
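The Fig. 1 flow as an added example, not code from the patent: a Python model in which the three Pods are plain function calls, the rights authentication center holds a constructed sample policy, and each Sidecar checks the user with the authentication center before releasing a request and filters the combined response set on the way back. All names, the field-visibility policy and the sample responses are assumptions made for the example.

```python
from typing import Callable, Dict, Optional


class AccessDenied(Exception):
    """Raised by a Sidecar when the rights authentication center rejects the user."""


class AuthCenter:
    """Rights authentication center (SSO/Auth Server). All verification logic lives
    here, so a policy change never requires redeploying a Pod. The policy below is a
    constructed sample, not a real server."""

    def __init__(self, grants, visible_fields):
        self._grants = set(grants)        # permitted (user_id, service_id) pairs
        self._visible = visible_fields    # user_id -> fields the user may receive

    def check(self, user_id: str, service_id: str) -> Dict[str, bool]:
        # The "response information" fed back to the Sidecar that asked.
        return {"allowed": (user_id, service_id) in self._grants}

    def visible_fields(self, user_id: str) -> set:
        return set(self._visible.get(user_id, ()))


class Sidecar:
    """Side car bound to one business service in the same Pod. Only the Sidecar's
    port is reachable, so every request in or out of the service passes through it."""

    def __init__(self, service_id: str, service: Callable, auth: AuthCenter,
                 downstream: Optional["Sidecar"] = None):
        self.service_id = service_id
        self._service = service          # business logic: (request, call_downstream) -> dict
        self._auth = auth
        self._downstream = downstream    # Sidecar of the service this one may call

    def handle(self, request: dict) -> dict:
        user_id = request["user_id"]
        # Step 1: send the user ID and this service's identification to the auth center.
        if not self._auth.check(user_id, self.service_id)["allowed"]:
            raise AccessDenied(f"user {user_id} may not access {self.service_id}")

        # Step 2: verification passed, release the request to the business service.
        # Outbound calls also go through this Sidecar, so it sees the callee's response.
        callee_response: Dict[str, object] = {}

        def call_downstream(req: dict) -> dict:
            if self._downstream is None:
                raise RuntimeError(f"{self.service_id} has no downstream service")
            callee_response.update(self._downstream.handle(req))
            return dict(callee_response)

        own_response = self._service(request, call_downstream)

        # Step 3: combine the callee's response with our own and apply secondary
        # processing (field filtering) for fine-grained control before answering.
        combined = {**callee_response, **own_response}
        allowed = self._auth.visible_fields(user_id)
        return {k: v for k, v in combined.items() if k in allowed}


# Constructed business services for Pod 1 (WebAPP), Pod 2 (service A), Pod 3 (service B).
def backend_b(request: dict, _call: Callable) -> dict:
    return {"inventory": 3, "warehouse": "WH-7"}


def backend_a(request: dict, call_downstream: Callable) -> dict:
    # A needs B's data, so it sends the access request on to B's Sidecar.
    call_downstream(request)
    return {"order_id": "O-1", "total": 42.0}


def webapp(request: dict, call_downstream: Callable) -> dict:
    # The front end only relays the access request to its back end.
    return call_downstream(request)


def build_system() -> Sidecar:
    """Wire the three Pods; returns the first Sidecar, the only entry point for users."""
    auth = AuthCenter(
        grants={("alice", "webapp"), ("alice", "backend-a"), ("alice", "backend-b"),
                ("bob", "webapp"), ("bob", "backend-a"),
                ("carol", "webapp"), ("carol", "backend-a"), ("carol", "backend-b")},
        visible_fields={"alice": {"order_id", "total", "inventory", "warehouse"},
                        "bob": {"order_id", "total", "inventory", "warehouse"},
                        "carol": {"order_id", "inventory"}},
    )
    third = Sidecar("backend-b", backend_b, auth)
    second = Sidecar("backend-a", backend_a, auth, downstream=third)
    return Sidecar("webapp", webapp, auth, downstream=second)


def request_as(user_id: str) -> tuple:
    """One access request from a user terminal: ("ok", result set) or ("denied", reason)."""
    entry = build_system()
    try:
        return "ok", entry.handle({"user_id": user_id, "app": "webapp", "path": "/orders/O-1"})
    except AccessDenied as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, request_as(user))
```

bob is stopped at the third Sidecar because the authentication center holds no grant for backend-b, even though the front end and service A admitted him, while carol reaches every service but receives only the fields her grant covers.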
The technical solutions of the present application, and how they solve the technical problems above, are described in detail below with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be repeated in every embodiment. The embodiments are described with reference to the accompanying drawings.
Fig. 2 is the first flowchart of a Sidecar-based rights management method according to an embodiment of the present application. The execution subject of this embodiment may be, for example, the rights management system shown in the embodiment of Fig. 1. As shown in Fig. 2, the Sidecar-based rights management method provided in this embodiment includes:
S101: acquire an access request sent by a user terminal and send it to the first Sidecar service corresponding to a front-end application, where the access request includes the user ID of the user terminal and the identification information of the front-end application.
The access request indicates that the front-end resources corresponding to the front-end application are to be acquired. The first Sidecar service acts as the sidecar of the front-end application and is bound to it as a lightweight companion: the front-end application and the first Sidecar service are deployed in the same scheduling unit but run in different containers. In this way, the front-end application needs no additional configuration to be brought under rights management, and the first Sidecar service runs independently, unaffected by the front-end application. One deployment detail worth checking in practice: containers in one Pod share a network namespace, so the application container should listen on the loopback interface only and no Service should publish its port (a NetworkPolicy that admits ingress only to the Sidecar port is a useful second line of defence); otherwise a caller inside the cluster could address the application directly and bypass the Sidecar's check.
In this step, after receiving the access request from the user terminal, the rights management system forwards it to the first Sidecar service, so that the first Sidecar service invokes the authority authentication center to verify rights.
S102: control the first Sidecar service to send the user ID and the identification information of the front-end application to the authority authentication center, so that the authentication center verifies the user's access right to the front-end application and, when the verification succeeds, generates first response information and returns it to the first Sidecar service.
The first response information indicates that the access-right verification of the user corresponding to the access request, for the front-end application, has succeeded.
The rights management system has the first Sidecar service communicate with the authority authentication center by calling the authentication center's verification API. The rights server inside the authentication center then verifies, according to its internally deployed verification logic, the access right of the user ID and the front-end application identification forwarded by the first Sidecar service; on success it generates the first response information and returns it to the first Sidecar service. On failure, the user is shown to have no access right to the front-end application, and access is refused.
S103: after the first Sidecar service receives the first response information, control the first Sidecar service to send the access request to the front-end application, so that the front-end application can perform authorization processing for the user.
After the first Sidecar service receives the first response information, the rights management system controls it to forward the access request to the front-end application in the same scheduling unit through the API interface of the front-end application.
It will be appreciated that the first response information proves that the access request has been verified successfully and that the first Sidecar service's API is authorized to access the front-end application; since the first Sidecar service and the front-end application are deployed in the same scheduling unit, the first Sidecar service can forward the access request to the front-end application.
In the Sidecar-based rights management method of this embodiment, the access request sent by the user terminal is acquired and sent to the first Sidecar service corresponding to the front-end application, the access request including the user ID of the user terminal and the identification information of the front-end application; the first Sidecar service is controlled to send the user ID and the identification information to the authority authentication center, which verifies the user's access right to the front-end application and, on success, generates first response information and returns it to the first Sidecar service; and after the first Sidecar service receives the first response information, it is controlled to send the access request to the front-end application so that the front-end application can perform authorization processing for the user. Because the verification logic lives in the authentication center rather than in the service, the service no longer has to be redeployed whenever the authentication logic changes.
Fig. 3 is the second flowchart of a Sidecar-based rights management method according to an embodiment of the present application. This embodiment builds on the embodiment of Fig. 2 and describes the Sidecar-based rights management method in more detail. As shown in Fig. 3, the method provided in this embodiment includes:
S201: acquire an access request sent by a user terminal and send it to the first Sidecar service corresponding to a front-end application, where the access request includes the user ID of the user terminal and the identification information of the front-end application.
Step S201 is similar to step S101 described above, and will not be described again.
S202, controlling the first Sidecar service to send the user ID and the identification information of the front-end application program to a right authentication center, so that the right authentication center checks the access right of the user to the front-end application program, and after the user access right is checked successfully, generating first response information, and feeding back the first response information to the first Sidecar service.
Step S202 is similar to step S102 described above, and will not be described again.
S203: after the first Sidecar service receives the first response information, control the first Sidecar service to send the access request to the front-end application, so that the front-end application can perform authorization processing for the user.
Step S203 is similar to step S103 described above, and will not be described again.
S204: control the front-end application to send the access request to the second Sidecar service corresponding to a first back-end service.
The first back-end service is the back-end service corresponding to the front-end application.
Once the access request has passed the rights verification for the front-end application and reached it, the front-end application needs to call its corresponding first back-end service to obtain the data service logic that the first back-end service provides.
S205: control the second Sidecar service to send the user ID and the identification information of the first back-end service to the authority authentication center.
The rights management system has the second Sidecar service send the user ID and the identification information of the first back-end service to the authority authentication center so that the center can verify the user's access right to the first back-end service and, on success, generate second response information and return it to the second Sidecar service. If verification fails, access to the first back-end service is refused and the second Sidecar service is controlled to return the verification failure to the user terminal.
S206, after the second Sidecar service receives the second response information, the second Sidecar service is controlled to send the access request to the first back-end service.
And after the second Sidecar service receives the second response information, the right management system controls the second Sidecar service to forward the access request to the first back-end service in the scheduling unit through the API interface corresponding to the first back-end service.
It may be appreciated that, when the second Sidecar service receives the second response information, the second response information is used to prove that the access request is verified successfully, and then it is proved that the API of the second Sidecar service is authorized to access the first backend service, and the second Sidecar service and the first backend service are deployed in the same scheduling unit, so that the second Sidecar service may forward the access request to the first backend service, and the first backend service performs authorization processing on the user.
S207: control the first back-end service to send the access request to the third Sidecar service corresponding to a second back-end service.
A calling relationship exists between the second back-end service and the first back-end service.
It will be appreciated that in a microservice architecture with separated front end and back end, several services may have to be invoked to serve a user completely: for example, an order service needs user data and therefore calls the user service. Back-end services can thus call one another, which is the calling relationship between the second and first back-end services.
When the first back-end service receives the access request from the second Sidecar service, the rights management system controls it to forward the access request to the third Sidecar service corresponding to the second back-end service, so that the access request can be answered completely.
S208: control the third Sidecar service to send the user ID and the identification information of the second back-end service to the authority authentication center.
After receiving the user ID and the identification information of the second back-end service, the authority authentication center verifies the user's access right to the second back-end service according to its verification logic and, on success, generates third response information and returns it to the third Sidecar service. If verification fails, access to the second back-end service is refused and the third Sidecar service is controlled to return the verification failure to the user terminal.
S209: after the third Sidecar service receives the third response information, control the third Sidecar service to send the access request to the second back-end service.
When the third Sidecar service receives the third response information, the rights management system controls it to forward the access request to the second back-end service in the same scheduling unit through the API interface of the second back-end service.
It will be appreciated that the third response information proves that the access request has been verified successfully and that the third Sidecar service's API is authorized to access the second back-end service; since the third Sidecar service and the second back-end service are deployed in the same scheduling unit, the third Sidecar service can forward the access request to the second back-end service, which then performs authorization processing for the user.
In the Sidecar-based rights management method of this embodiment, after the front-end application has performed authorization processing for the user, the front-end application is controlled to send the access request to the second Sidecar service corresponding to the first back-end service; the second Sidecar service is controlled to send the user ID and the identification information of the first back-end service to the authority authentication center and, after receiving the second response information, to send the access request to the first back-end service; the first back-end service is controlled to send the access request to the third Sidecar service corresponding to the second back-end service; and the third Sidecar service is controlled to send the user ID and the identification information of the second back-end service to the authority authentication center and, after receiving the third response information, to send the access request to the second back-end service. Every hop is therefore checked against the authority authentication center by its own Sidecar, and none of the services has to be redeployed when the authentication logic changes.
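The request path of steps S101 to S103 and S201 to S209 (the front-end hop followed by the two back-end hops), as an added Python model that is not part of the patent. Every Sidecar sends the user ID together with the identification of the service it fronts to the authentication center, forwards only on a positive answer, and fails closed when the center is unreachable. The `AuthCenter` policy table, the service identifiers `frontend`, `backend-A` and `backend-B`, the `Denied` exception and the extra check that a request is addressed to the Sidecar's own service are all assumptions made for the demonstration; the patent does not specify the verification API or its wire format.

```python
"""Added example, not part of the patent: an in-process model of the
request path in steps S101-S103 and S201-S209.

Three services (front end, back-end A, back-end B) each sit behind their
own Sidecar. Every Sidecar sends (user ID, identification of the service
it fronts) to the authority authentication center, forwards the request
to its local service only on a positive answer, and otherwise returns a
failure toward the user terminal. The policy table, service identifiers
and the call chain are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Set


@dataclass(frozen=True)
class AccessRequest:
    user_id: str      # user ID of the user terminal
    service_id: str   # identification information of the service being called


class Denied(Exception):
    """Raised by a Sidecar when the authentication center does not grant access."""
    def __init__(self, service_id: str, reason: str) -> None:
        super().__init__(f"{service_id}: {reason}")
        self.service_id = service_id


class AuthCenter:
    """Stand-in for the authority authentication center (constructed policy)."""
    def __init__(self, policy: Dict[str, Set[str]], available: bool = True) -> None:
        self._policy = policy          # service_id -> set of user IDs allowed
        self._available = available

    def verify(self, user_id: str, service_id: str) -> bool:
        if not self._available:
            raise ConnectionError("authentication center unreachable")
        return user_id in self._policy.get(service_id, set())


class Sidecar:
    """One Sidecar bound to exactly one service in the same scheduling unit."""
    def __init__(self, service_id: str, auth: AuthCenter,
                 local_service: Callable[[AccessRequest], Any]) -> None:
        self.service_id = service_id
        self.auth = auth
        self.local_service = local_service   # the container this Sidecar fronts

    def handle(self, req: AccessRequest) -> Any:
        # Added sanity check (an assumption, not in the patent): refuse requests
        # addressed to another service, so one Sidecar cannot be used as a hop to it.
        if req.service_id != self.service_id:
            raise Denied(self.service_id, f"request addressed to {req.service_id}")
        try:
            ok = self.auth.verify(req.user_id, self.service_id)   # S102 / S205 / S208
        except ConnectionError as exc:
            raise Denied(self.service_id, f"verification unavailable: {exc}")  # fail closed
        if not ok:
            raise Denied(self.service_id, "no access right")
        return self.local_service(req)          # S103 / S206 / S209: forward locally


def build_chain(auth: AuthCenter) -> Sidecar:
    """Wire frontend -> Sidecar(A) -> back-end A -> Sidecar(B) -> back-end B."""
    def backend_b(req: AccessRequest) -> Dict[str, Any]:
        return {"service": "backend-B", "record": f"user record of {req.user_id}"}
    sidecar_b = Sidecar("backend-B", auth, backend_b)

    def backend_a(req: AccessRequest) -> Dict[str, Any]:
        # S207: the order-style service needs user data, so it calls B via B's Sidecar
        user_record = sidecar_b.handle(AccessRequest(req.user_id, "backend-B"))
        return {"service": "backend-A", "orders": 2, "user": user_record}
    sidecar_a = Sidecar("backend-A", auth, backend_a)

    def frontend(req: AccessRequest) -> Dict[str, Any]:
        # S204: the front end calls its back end through A's Sidecar
        page = sidecar_a.handle(AccessRequest(req.user_id, "backend-A"))
        return {"service": "frontend", "page": page}
    return Sidecar("frontend", auth, frontend)


def dispatch(entry: Sidecar, req: AccessRequest):
    """What the user terminal sees: (allowed, service that refused or None, payload)."""
    try:
        return True, None, entry.handle(req)
    except Denied as d:
        return False, d.service_id, None


# Constructed policy: alice may reach all three, bob is stopped at back-end B, carol nowhere.
POLICY = {
    "frontend":  {"alice", "bob"},
    "backend-A": {"alice", "bob"},
    "backend-B": {"alice"},
}

if __name__ == "__main__":
    chain = build_chain(AuthCenter(POLICY))
    for user in ("alice", "bob", "carol"):
        print(user, dispatch(chain, AccessRequest(user, "frontend")))
    # With the authentication center down every hop fails closed.
    print("outage", dispatch(build_chain(AuthCenter(POLICY, available=False)),
                             AccessRequest("alice", "frontend")))
```

Running the module prints one verdict per user: alice is served end to end, bob is refused at back-end B even though the front end and back-end A admitted him, carol is refused at the first hop, and with the authentication center unavailable even alice is refused at the first hop rather than let through. The point to carry into a real deployment is the fail-closed branch: a Sidecar that treats a timeout from the authentication center as a pass turns the whole scheme into a bypass.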
Fig. 4 is the third flowchart of a Sidecar-based rights management method according to an embodiment of the present application. This embodiment builds on the embodiment of Fig. 3 and describes how the response result set is fed back to the user terminal after the business servers have performed authorization processing for the access request. As shown in Fig. 4, the method provided in this embodiment includes:
S301: after the second back-end service receives the successfully verified access request, control the second back-end service to perform authorization processing for the user and generate first authorization response information corresponding to the second back-end service.
The first authorization response information indicates that the second back-end service has completed authorization processing for the user according to the user ID in the access request; that is, the access request of this user may reach the second back-end service through its API interface and obtain the data service logic that the second back-end service provides.
S302: control the second back-end service to send the first authorization response information to the third Sidecar service.
The rights management system can control the second back-end service to send the first authorization response information to the third Sidecar service through the API interface of the third Sidecar service.
S303: after the third Sidecar service receives the first authorization response information from the second back-end service, control the third Sidecar service to send it to the second Sidecar service.
The third Sidecar service and the second Sidecar service interact through the ports each of them exposes, so the rights management system can control the third Sidecar service to send the first authorization response information to the second Sidecar service, which then processes it, for example by filtering and screening.
S304: when the second Sidecar service receives the first authorization response information from the third Sidecar service, control the second Sidecar service to combine the first authorization response information with second authorization response information to obtain third authorization response information, and process the third authorization response information.
The second authorization response information is the authorization response information corresponding to the first back-end service, generated after the first back-end service has performed authorization processing for the user.
The rights management system can control the second Sidecar service to combine the second authorization response information generated by the first back-end service in the same scheduling unit with the first authorization response information sent by the third Sidecar service, producing a response result set, i.e. the third authorization response information, and then to process the rights information in that set, for example by screening and filtering it.
The purpose of this step is to let the rights management system provide fine-grained rights management for different business servers in different business scenarios.
S305: control the second Sidecar service to send the third authorization response information to the first Sidecar service.
The rights management system can control the second Sidecar service to pass the processed third authorization response information, which has travelled from the bottom of the call chain upward, to the first Sidecar service, so that the first Sidecar service returns the access-right result to the user terminal.
In the Sidecar-based rights management method of this embodiment, after the second back-end service receives the successfully verified access request, it is controlled to perform authorization processing for the user and generate first authorization response information; the second back-end service is controlled to send that information to the third Sidecar service; after the third Sidecar service receives it, the third Sidecar service is controlled to send it to the second Sidecar service; when the second Sidecar service receives it, the second Sidecar service is controlled to combine the first and second authorization response information into third authorization response information and to process that information; and the second Sidecar service is controlled to send the third authorization response information to the first Sidecar service. Because each Sidecar can reshape the result set on the way back, the method meets the fine-grained access-control requirements of different services.
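The response path of steps S301 to S305 as an added Python example, not code from the patent. The second Sidecar receives back-end B's response through the third Sidecar, merges it with back-end A's own response into one result set, and filters that set by the caller's rights before passing it to the first Sidecar. The patent leaves the form of the fine-grained policy open; the per-service field allow-list `FIELD_RIGHTS`, the sample records and the user IDs are constructed here.

```python
"""Added example, not part of the patent: the bottom-up response path of
steps S301-S305.

Back-end B's authorization response (the first authorization response
information) comes back through B's Sidecar to A's Sidecar, which
combines it with A's own response (the second) into one result set (the
third) and filters that set by the caller's rights before handing it to
the front-end Sidecar. The field allow-list, sample records and user IDs
are constructed for the demonstration."""
from copy import deepcopy
from typing import Any, Dict, List, Set

ResultSet = Dict[str, List[Dict[str, Any]]]

# Constructed policy: which fields of each service's records a user may see.
FIELD_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"backend-A": {"order_id", "amount", "status"},
              "backend-B": {"user_id", "email", "phone"}},
    "bob":   {"backend-A": {"order_id", "status"},
              "backend-B": {"user_id"}},
}

# Constructed sample responses as the two back ends would return them.
FIRST_RESPONSE = [   # from back-end B (user service)
    {"user_id": "u-1", "email": "u1@example.com", "phone": "555-0100",
     "password_hash": "$2b$12$constructed"},
]
SECOND_RESPONSE = [  # from back-end A (order service)
    {"order_id": "o-1", "amount": 42.0, "status": "paid", "internal_margin": 0.31},
    {"order_id": "o-2", "amount": 7.5, "status": "open", "internal_margin": 0.12},
]


def combine(first: List[Dict[str, Any]], second: List[Dict[str, Any]]) -> ResultSet:
    """S304, first half: merge B's response with A's own response into one result set."""
    return {"backend-B": deepcopy(first), "backend-A": deepcopy(second)}


def filter_result_set(result_set: ResultSet, user_id: str,
                      rights: Dict[str, Dict[str, Set[str]]] = FIELD_RIGHTS) -> ResultSet:
    """S304, second half: keep only the fields this user may see for each service.

    Deny by default: a user or service without a policy entry yields no records,
    and a field the policy never names (password_hash, internal_margin) is
    stripped rather than leaked.
    """
    user_rights = rights.get(user_id, {})
    filtered: ResultSet = {}
    for service, records in result_set.items():
        allowed = user_rights.get(service, set())
        visible = [{k: v for k, v in rec.items() if k in allowed} for rec in records]
        filtered[service] = [rec for rec in visible if rec]   # drop fully hidden records
    return filtered


def second_sidecar_response(user_id: str, first: List[Dict[str, Any]],
                            second: List[Dict[str, Any]]) -> ResultSet:
    """What the second Sidecar sends on to the first Sidecar (S305)."""
    return filter_result_set(combine(first, second), user_id)


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, second_sidecar_response(user, FIRST_RESPONSE, SECOND_RESPONSE))
```

The same two responses yield three different result sets: alice sees contact data and amounts, bob sees only identifiers and order status, and a user without a policy entry gets empty sets. Fields the policy never names, such as `password_hash` and `internal_margin`, never leave the second Sidecar; that deny-by-default shape is the property to insist on when the filter is written, because a block-list would leak every field added to a back-end later.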
Fig. 5 is a schematic structural diagram of a rights management and control device based on Sidecar provided in the present application, which is applied to a rights management system. As shown in fig. 5, the Sidecar-based rights management and control apparatus 400 provided in this embodiment includes:
an obtaining module 401, configured to obtain an access request sent by a user terminal;
a sending module 402, configured to send the access request to a first Sidecar service corresponding to a front-end application, where the access request includes a user ID of the user terminal and identification information of the front-end application;
the control module 403 is configured to control the first Sidecar service to send the user ID and the identification information of the front-end application to a permission authentication center, so that the permission authentication center checks an access permission of the user to access the front-end application, and after the verification is successful, generate first response information, and feed back the first response information to the first Sidecar service;
the control module 403 is further configured to control the first Sidecar service to send the access request to the front-end application after the first Sidecar service receives the first response information, so that the front-end application performs authorization processing on the user.
Optionally, the control module 403 is further configured to control the front-end application to send the access request to a second Sidecar service corresponding to a first back-end service, where the first back-end service is a back-end service corresponding to the front-end application;
the control module 403 is further configured to control the second Sidecar service to send the user ID and the identification information of the first backend service to the authority authentication center, so that the authority authentication center checks an access authority of the user to access the first backend service, and after the verification is successful, generate second response information, and feed back the second response information to the second Sidecar service;
the control module 403 is further configured to control the second Sidecar service to send the access request to the first backend service after the second Sidecar service receives the second response information, so that the first backend service performs authorization processing on the user.
Optionally, the control module 403 is further configured to control the first backend service to send the access request to a third Sidecar service corresponding to a second backend service, where a call relationship exists between the second backend service and the first backend service;
The control module 403 is further configured to control the third Sidecar service to send the user ID and the identification information of the second backend service to the authority authentication center, so that the authority authentication center checks an access authority of the user to access the second backend service, and after the verification is successful, generate third response information, and feed back the third response information to the third Sidecar service;
the control module 403 is further configured to control the third Sidecar service to send the access request to the second backend service after the third Sidecar service receives the third response information, so that the second backend service performs authorization processing on the user.
Optionally, the apparatus further comprises: a generation module 404;
the control module 403 is further configured to, after the second back-end service receives the access request with successful authentication, control the second back-end service to perform authorization processing on the user,
the generating module 404 is configured to generate first authorization response information corresponding to the second backend service,
the control module 403 is further configured to control the second backend service to send the first authorization response information to the third Sidecar service;
The control module 403 is further configured to control the third Sidecar service to send the first authorization response information to the second Sidecar service after the third Sidecar service receives the first authorization response information sent by the second backend service, so that the second Sidecar service processes the first authorization response information.
Optionally, the apparatus further includes: a processing module 405;
the control module 403 is further configured to control, when the second Sidecar service receives the first authorization response information sent by the third Sidecar service, the second Sidecar service to combine the first authorization response information with second authorization response information to obtain third authorization response information, where the second authorization response information is generated by the first back-end service after performing authorization processing on the user and corresponds to the first back-end service;
the processing module 405 is configured to process the third authorization response information;
the control module 403 is further configured to control the second Sidecar service to send the third authorization response information to the first Sidecar service, so that the first Sidecar service feeds back an access authority result to the user terminal.
Fig. 6 is a schematic structural diagram of a Sidecar-based rights management and control apparatus provided in the present application. As shown in fig. 6, the present application provides a Sidecar-based rights management and control apparatus 500, including: a receiver 501, a transmitter 502, a processor 503 and a memory 504.
A receiver 501 for receiving instructions and data;
a transmitter 502 for transmitting instructions and data;
memory 504 for storing computer-executable instructions;
a processor 503, configured to execute computer-executable instructions stored in the memory 504, to implement the steps executed by the Sidecar-based rights management method in the above embodiment. See in particular the description of the embodiments of the Sidecar-based rights management and control method described above.
Alternatively, the memory 504 may be separate or integrated with the processor 503.
When the memory 504 is provided separately, the electronic device further comprises a bus for connecting the memory 504 and the processor 503.
The application also provides a computer storage medium, in which computer execution instructions are stored, and when a processor executes the computer execution instructions, the method for managing and controlling the rights based on the Sidecar, which is executed by the device for managing and controlling the rights based on the Sidecar, is realized.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Discs (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the present application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A method for managing and controlling rights based on Sidecar, applied to a rights management system, the method comprising:
acquiring an access request sent by a user terminal, and sending the access request to a first Sidecar service corresponding to a front-end application program, wherein the access request comprises a user ID of the user terminal and identification information of the front-end application program;
The first Sidecar service is controlled to send the user ID and the identification information of the front-end application program to a right authentication center, so that the right authentication center checks the access right of the user to the front-end application program, and after the user access right is checked successfully, first response information is generated and fed back to the first Sidecar service;
and after the first Sidecar service receives the first response information, controlling the first Sidecar service to send the access request to the front-end application program so that the front-end application program can conduct authorization processing on the user.
2. The method according to claim 1, wherein the method further comprises:
controlling the front-end application program to send the access request to a second Sidecar service corresponding to a first back-end service, wherein the first back-end service is the back-end service corresponding to the front-end application program;
the second Sidecar service is controlled to send the user ID and the identification information of the first back-end service to the authority authentication center, so that the authority authentication center checks the access authority of the user to the first back-end service, and after the verification is successful, second response information is generated and fed back to the second Sidecar service;
And after the second Sidecar service receives the second response information, controlling the second Sidecar service to send the access request to the first back-end service so that the first back-end service performs authorization processing on the user.
3. The method according to claim 2, wherein the method further comprises:
controlling the first back-end service to send the access request to a third Sidecar service corresponding to a second back-end service, wherein a calling relationship exists between the second back-end service and the first back-end service;
controlling the third Sidecar service to send the user ID and the identification information of the second back-end service to the authority authentication center, so that the authority authentication center checks the access right of the user to the second back-end service and, after the check succeeds, generates third response information and feeds it back to the third Sidecar service;
and after the third Sidecar service receives the third response information, controlling the second Sidecar service to send the access request to the second back-end service so that the second back-end service performs authorization processing on the user.
4. The method according to claim 3, wherein the method further comprises:
after the second back-end service receives the access request that has passed the check, controlling the second back-end service to perform authorization processing on the user and to generate first authorization response information corresponding to the second back-end service;
controlling the second back-end service to send the first authorization response information to the third Sidecar service;
and after the third Sidecar service receives the first authorization response information sent by the second back-end service, controlling the third Sidecar service to send the first authorization response information to the second Sidecar service so that the second Sidecar service processes the first authorization response information.
5. The method according to claim 4, wherein the method further comprises:
when the second Sidecar service receives the first authorization response information sent by the third Sidecar service, controlling the second Sidecar service to combine the first authorization response information with second authorization response information to obtain third authorization response information and to process the third authorization response information, wherein the second authorization response information is the response information generated for the first back-end service after the first back-end service performs authorization processing on the user;
and controlling the second Sidecar service to send the third authorization response information to the first Sidecar service so that the first Sidecar service feeds back an access right result to the user terminal.
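The authorization chain of claims 1 to 5, modelled in-process as an added example (not the patent's own code): each service sits behind a Sidecar that asks the authority authentication center for the user's right to that service before forwarding the access request, and the authorization responses are combined on the way back to the first Sidecar. The policy table, the user and service identifiers and the response fields are constructed; the claims do not state what happens when a check fails, so the model returns a denial and stops the chain there.

```python
# Added example (not the patent's code): toy model of the Sidecar chain of claims 1-5.
from dataclasses import dataclass

# Constructed policy of the authority authentication center:
# user ID -> identification information of the services the user may access.
POLICY = {
    "user-42": {"frontend-app", "backend-1", "backend-2"},
    "user-7": {"frontend-app", "backend-1"},  # holds no right to backend-2
}

@dataclass(frozen=True)
class AccessRequest:
    user_id: str    # user ID of the user terminal
    target_id: str  # identification information of the called service

def auth_center_check(user_id: str, target_id: str) -> bool:
    """Authority authentication center: check one user's right to one target."""
    return target_id in POLICY.get(user_id, set())

def combine(first: dict, second: dict) -> dict:
    """Claim 5: third response = first (downstream) merged with second (local)."""
    return {"granted": first["granted"] and second["granted"],
            "chain": second["chain"] + first["chain"],
            "denied_at": first["denied_at"] or second["denied_at"]}

class Sidecar:
    """Proxy in front of one service: the request reaches the service only
    after the authority authentication center confirms the user's right (claims
    1-3). The claims omit the failure path; this model denies and stops."""

    def __init__(self, service_id: str, next_hop: "Sidecar | None" = None):
        self.service_id = service_id
        self.next_hop = next_hop  # Sidecar of the service this service calls

    def handle(self, req: AccessRequest) -> dict:
        if not auth_center_check(req.user_id, self.service_id):
            return {"granted": False, "chain": [], "denied_at": self.service_id}
        # Stand-in for the service's own authorization processing.
        own = {"granted": True, "chain": [self.service_id], "denied_at": None}
        if self.next_hop is None:
            return own
        # The service calls the next one through its Sidecar, which repeats the
        # check (claim 3) and replies through this Sidecar (claim 4); combine (claim 5).
        nxt = self.next_hop.handle(AccessRequest(req.user_id, self.next_hop.service_id))
        return combine(nxt, own)

def access(user_id: str) -> dict:
    """Access right result the first Sidecar feeds back to the user terminal."""
    front = Sidecar("frontend-app", Sidecar("backend-1", Sidecar("backend-2")))
    return front.handle(AccessRequest(user_id, front.service_id))
```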
6. A Sidecar-based rights management and control apparatus for use in a rights management system, the apparatus comprising:
an acquisition module, configured to acquire an access request sent by a user terminal;
a sending module, configured to send the access request to a first Sidecar service corresponding to a front-end application program, wherein the access request comprises a user ID of the user terminal and identification information of the front-end application program;
a control module, configured to control the first Sidecar service to send the user ID and the identification information of the front-end application program to an authority authentication center, so that the authority authentication center checks the access right of the user to the front-end application program and, after the check succeeds, generates first response information and feeds it back to the first Sidecar service;
and the control module is further configured to control the first Sidecar service to send the access request to the front-end application program after the first Sidecar service receives the first response information, so that the front-end application program performs authorization processing on the user.
7. The apparatus according to claim 6, characterized in that:
the control module is further configured to control the front-end application program to send the access request to a second Sidecar service corresponding to a first back-end service, wherein the first back-end service is the back-end service corresponding to the front-end application program;
the control module is further configured to control the second Sidecar service to send the user ID and the identification information of the first back-end service to the authority authentication center, so that the authority authentication center checks the access right of the user to the first back-end service and, after the check succeeds, generates second response information and feeds it back to the second Sidecar service;
and the control module is further configured to control the second Sidecar service to send the access request to the first back-end service after the second Sidecar service receives the second response information, so that the first back-end service performs authorization processing on the user.
8. The apparatus according to claim 7, characterized in that:
the control module is further configured to control the first back-end service to send the access request to a third Sidecar service corresponding to a second back-end service, wherein a calling relationship exists between the second back-end service and the first back-end service;
the control module is further configured to control the third Sidecar service to send the user ID and the identification information of the second back-end service to the authority authentication center, so that the authority authentication center checks the access right of the user to the second back-end service and, after the check succeeds, generates third response information and feeds it back to the third Sidecar service;
and the control module is further configured to control the second Sidecar service to send the access request to the second back-end service after the third Sidecar service receives the third response information, so that the second back-end service performs authorization processing on the user.
9. A Sidecar-based rights management and control apparatus comprising:
a memory;
a processor;
wherein the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to implement the Sidecar-based rights management and control method according to any one of claims 1-5.
10. A computer storage medium in which computer-executable instructions are stored, the computer-executable instructions, when executed by a processor, being configured to implement the Sidecar-based rights management and control method according to any one of claims 1-5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311424283.8A CN117454339A (en) 2023-10-30 2023-10-30 Rights management and control method, device, equipment and medium based on Sidecar

Publications (1)

Publication Number Publication Date
CN117454339A true CN117454339A (en) 2024-01-26

Family

ID=89579521

Country Status (1)

Country Link
CN (1) CN117454339A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination