WO2021139788A1 - Cloud gateway configuration method, system, apparatus, and computer readable storage medium - Google Patents

Info

Publication number
WO2021139788A1
Authority
WO
WIPO (PCT)
Prior art keywords
api
gateway
target node
component
service
Application number
PCT/CN2021/070925
Inventor
梁党卫
臧磊
Original Assignee
深圳壹账通智能科技有限公司
Application filed by 深圳壹账通智能科技有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0813 Configuration setting characterised by the conditions triggering a change of settings
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0876 Aspects of the degree of configuration automation
    • H04L41/0886 Fully automatic configuration

Definitions

  • The embodiments of the present application relate to the field of cloud technology, and in particular to a cloud gateway configuration method, system, device, and computer-readable storage medium.
  • A cloud gateway refers to the cloud storage gateway in cloud storage technology, which allows users to access cloud services provided by cloud service providers without changing the interface design, using the original access method.
  • The cloud gateway can provide various services such as voice, video, information security, information management, and information monitoring.
  • The cloud gateway can be used to receive user-side requests and, according to each request, request the content required by the user side from the cloud service provider; it can also be used to provide cloud service providers with signature authentication, log records, and various other services.
  • The inventor realizes that there is currently no connection solution based on an open cloud gateway, and the degree of integration of the systems of the connected parties is low.
  • The cloud gateway configuration method includes: monitoring gateway configuration data stored in a tree structure in a collaborative service cluster, wherein the tree structure includes multiple nodes corresponding one-to-one to multiple APIs; determining whether the multiple nodes include at least one target node, wherein the at least one target node includes a data change node and/or a newly added node; if the multiple nodes include the at least one target node, updating the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API; and configuring the gateway processing logic model according to the latest network configuration of each API.
  • The cloud gateway configuration system includes: a monitoring module for monitoring gateway configuration data stored in a tree structure in a collaborative service cluster, wherein the tree structure includes multiple nodes corresponding to multiple APIs one-to-one; a judging module for judging whether the multiple nodes include at least one target node, wherein the at least one target node includes a data change node and/or a newly added node; an update module, configured to update the gateway configuration of the API corresponding to each target node in the at least one target node if the at least one target node is included in the plurality of nodes, so as to obtain the latest network configuration of each API; and a configuration module, used to configure the gateway processing logic model according to the latest network configuration of each API.
  • An aspect of the embodiments of the present application further provides a computer device.
  • The computer device includes a memory, a processor, and a computer program stored in the memory and running on the processor, wherein the processor executes the computer program to implement the following steps:
  • Monitoring gateway configuration data stored in a tree structure in the collaborative service cluster, where the tree structure includes multiple nodes corresponding to multiple APIs one-to-one;
  • Determining whether the multiple nodes include at least one target node, where the at least one target node includes a data change node and/or a newly added node;
  • If the multiple nodes include the at least one target node, updating the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API; and
  • Configuring the gateway processing logic model according to the latest network configuration of each API.
  • An aspect of the embodiments of the present application further provides a computer-readable storage medium having a computer program stored in the computer-readable storage medium, and the computer program may be executed by at least one processor, so that the at least one processor performs the following steps:
  • Monitoring gateway configuration data stored in a tree structure in the collaborative service cluster, where the tree structure includes multiple nodes corresponding to multiple APIs one-to-one;
  • Determining whether the multiple nodes include at least one target node, where the at least one target node includes a data change node and/or a newly added node;
  • If the multiple nodes include the at least one target node, updating the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API; and
  • Configuring the gateway processing logic model according to the latest network configuration of each API.
  • FIG. 1 schematically shows an application environment diagram of a cloud gateway configuration method according to Embodiment 1 of the present application
  • FIG. 2 schematically shows a flowchart of a cloud gateway configuration method according to Embodiment 1 of the present application
  • FIG. 3 schematically shows a newly added flowchart of a cloud gateway configuration method according to Embodiment 1 of the present application
  • Fig. 4 schematically shows a block diagram of a cloud gateway configuration system according to the second embodiment of the present application.
  • Fig. 5 schematically shows a schematic diagram of a hardware architecture of a computer device suitable for implementing a cloud gateway configuration method according to the third embodiment of the present application.
  • Fig. 1 schematically shows an environmental application diagram of the cloud gateway configuration method according to the first embodiment of the present application.
  • The environmental application diagram includes a computer device 2, a collaborative service cluster 4, a gateway management platform 6, a service consumer 8 and a service provider 10. Among them:
  • Computer equipment 2 is a cloud gateway or an electronic device with a cloud gateway function; it is used as an export of enterprise data and services and can provide various services such as voice, video, information security, information management, and information monitoring.
  • Cooperative service cluster 4 can be a ZooKeeper cluster.
  • ZooKeeper was developed by Yahoo and is mainly used to support distributed systems: it solves the coordination of distributed systems (coordinating tasks) by providing general functions, so that application developers can focus on their own business functions instead of the coordination of distributed systems.
  • The ZooKeeper cluster is used to provide coordination services for users' distributed applications.
  • The gateway management platform 6 may be used to receive user operations, and the user operations include API (Application Programming Interface) management, configuration, testing, release, offline, etc.
  • Service consumer 8 can be a smart phone, a tablet personal computer, a laptop computer, a desktop computer, a workstation, a virtual reality device, a game device, a set-top box, a digital streaming media device, a vehicle terminal, a smart TV, an e-book reader or another electronic device, and can also be a virtualized computing instance.
  • the service provider 10 is used to provide services for service consumers.
  • the service provider 10 may be a rack server, a blade server, a tower server or a cabinet server (including an independent server or a server cluster composed of multiple servers).
  • the service provider 10 provides an API interface for real-time calling.
  • the service provider 10 may be various enterprise servers, such as banks and other financial institutions, technology companies, and so on.
  • Fig. 2 schematically shows a flowchart of a cloud gateway configuration method according to Embodiment 1 of the present application. It can be understood that the flowchart in this method embodiment is not used to limit the order of execution of the steps. The following exemplarily describes the computer device 2 as the execution subject.
  • the cloud gateway configuration method may include steps S200 to S206, where:
  • Step S200 Monitor the gateway configuration data stored in a tree structure in the collaborative service cluster 4, where the tree structure includes multiple nodes corresponding to multiple APIs one-to-one.
  • The collaborative service cluster 4 stores gateway configuration data in a tree structure, for example: /gateway/org/group/api; if a certain API changes, the version information of the corresponding node in the tree structure is updated to complete the event registration operation of the API change event.
  • the computer equipment 2 is connected to the collaborative service cluster 4 and the gateway management platform 6 respectively.
  • the gateway management platform 6 will modify the API parameters of the corresponding API, or add an API, etc.
  • the gateway management platform 6 will initiate an API change event and send the API change event to the collaborative service cluster 4.
  • After the collaborative service cluster 4 receives the API change event sent by the gateway management platform 6, it will modify the version information of the corresponding node in the tree structure to update the gateway configuration data, that is, update the version information of the corresponding node in the data structure to complete event registration.
  • the changed API is the API whose interface description, interface address, request method, request parameter, etc. have changed.
  • Step S202 Determine whether the plurality of nodes include at least one target node, where the at least one target node includes a data change node and/or a newly added node.
  • The computer device 2 can monitor whether the gateway configuration data in the collaborative service cluster 4 has changed through an event listener, for example, monitor whether the collaborative service cluster 4 has a new registration event, and determine the target node according to the new registration event.
  • The API change event indicates that an API in the gateway management platform 6 has changed or an API has been added.
  • The step S202 may include the following steps: detecting whether the version information of each of the multiple nodes has changed; and if the multiple nodes include a node whose version information has changed, determining the node whose version information has changed as the target node.
  • Step S204 If the at least one target node is included in the multiple nodes, update the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API.
  • the computer device 2 can obtain the network configuration of the API corresponding to each target node in various ways, such as sending a download request directly.
  • a management platform interface is configured in the gateway management platform 6 through which relevant information can be obtained. Therefore, the computer device 2 can request the gateway management platform 6 to feed back the corresponding network configuration according to the node information of the target node (for example, the identification number of the API corresponding to the target node, etc.).
  • The step S204 may include the following steps: sending a gateway configuration update request to the gateway management platform 6, so that the gateway management platform 6 returns the latest gateway configuration of the API corresponding to each target node; receiving the latest gateway configuration of the API corresponding to each target node returned by the gateway management platform 6; and, according to the latest gateway configuration of the API corresponding to each target node, updating the current gateway configuration of the API corresponding to the target node.
  • Step S206 Configure the gateway processing logic model according to the latest network configuration of each API.
  • The computer device 2 may load the latest network configuration of each API into the memory and configure the gateway processing logic model: configure a filter chain for each API and instantiate the multiple filters in the filter chain to obtain multiple corresponding instances. That is, each API can only have at least one filter chain. Each filter chain can include multiple instances, and each instance corresponds to a business logic.
  • The so-called filter chain includes multiple filters in a sequential order to achieve layer-by-layer filtering. Specifically, it is used to perform filtering operations on user requests according to the order defined in the filter chain, that is, to do some pre-processing/post-processing on application requests or responses.
  • The filter chain can be used for authentication/authorization/logging, etc.
  • The so-called instance can include a priority attribute, an assertion attribute and a run method.
  • The priority attribute is used to determine the order in which each instance is executed in the filter chain; the assertion attribute is used to determine whether the instance is executed; the run method is used to start or create threads for processing business logic, such as signature verification, authorization verification, concurrent current limiting, URI rewriting, etc.
  • the instance needs to rely on the component or call the component to complete the corresponding operation.
  • the computer device 2 may be configured for multiple components to be invoked by the multiple instances.
  • the multiple components include one or more of the following: a routing component, a parameter conversion component, an API orchestration component, a current limiting protection component, a fuse protection component, a service degradation component, an encryption signature component, an authorization verification component, a logging component, etc.
  • the computer device 2 may be configured with a plug-in component, and the plug-in may be abstractly defined according to various business rules.
  • Each plug-in corresponds to a business rule, for example: plug-in 1, which authorizes each service consumer 8 according to the time zone; plug-in 2, which authorizes each service consumer 8 according to the number of calls. Plug-in 1 and plug-in 2 are defined based on different authorization rules.
  • the instance is used to execute business logic according to pre-defined rules, and its specific business level can be completed by calling one or more plug-ins.
  • business logic and business rules can be unbound, thereby facilitating configuration and combination.
  • the computer device 2 may be configured with an API orchestration component.
  • the API orchestration component is configured to: according to the orchestration JSON template provided by the gateway service platform, call various API services in order for user requests.
  • the gateway service platform 6 performs an orchestration operation on the API according to user operations, and generates an orchestration JSON template.
  • The orchestration JSON template includes: a, calling methods: serial calling and parallel calling; b, setting parameter conversion and processing logic for each API.
  • The computer device 2 processes a serial arrangement one call at a time in order, and each call includes pre-processing, routing and post-processing; for a parallel arrangement, it uses a thread pool to process each proxy service call in parallel, and then returns the aggregation result to the service consumer 8. That is, when the computer device 2 receives a user request, it will call multiple API services according to the orchestration operation to obtain feedback data from the service provider 10, process the feedback data (for example, integrate the feedback data), and return the integrated data to the service consumer 8.
  • the computer device 2 may be configured with a current limiting protection component.
  • The current limiting protection component is configured to monitor the request count of the request count window based on the sliding window algorithm to obtain the request count of the current window, and determine whether to execute the current limiting operation according to the request count of the current window and the request count of the previous window.
  • The current limiting protection component is configured to perform the following steps: taking N seconds as a request counting window, monitoring the request count of each request counting window based on a sliding window algorithm; when a request arrives, calculating its proportion of the current window according to the request time, and accumulating the request counts of the previous window and the current window according to that weight. If the result does not exceed the limit, the request is processed normally; otherwise processing is refused directly and the current limit response code is returned.
  • the current limiting protection component can be used to avoid service downtime of the service provider 10 caused by a sudden increase in the amount of requests.
  • the above request count based on the sliding window algorithm is only one of the measures for current limiting protection.
  • Some values of IP, interface, user dimension, and request parameters can also be used as decision parameters for current limiting protection.
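The weighted two-window count described above, as an added Python example (not code from the patent): the class and function names, the 200/429 codes and the sample timestamps are assumptions. The counter is keyed by an arbitrary string so that the IP, interface or user dimensions mentioned above can serve as the decision key, and the replay shows the limiter admitting only 2 requests just after a window boundary where a plain fixed-window counter would admit a fresh 10.

```python
import threading
from dataclasses import dataclass

OK = 200
RATE_LIMITED = 429  # assumed response code; the page does not give a value


@dataclass
class _Counter:
    window_index: int = -1  # which N-second window `current` belongs to
    current: int = 0
    previous: int = 0


class SlidingWindowLimiter:
    """Weighted two-window request counter, one counter per decision key."""

    def __init__(self, limit, window_seconds):
        if limit <= 0 or window_seconds <= 0:
            raise ValueError("limit and window_seconds must be positive")
        self.limit = limit
        self.window = float(window_seconds)
        self._counters = {}
        self._lock = threading.Lock()

    def allow(self, key, now):
        """Count one request for `key` at time `now` (seconds); False = reject."""
        index = int(now // self.window)
        with self._lock:
            c = self._counters.setdefault(key, _Counter())
            if index < c.window_index:
                # Clock stepped backwards: stay in the known window and give
                # the previous window full weight instead of resetting counts.
                fraction = 0.0
            else:
                if index != c.window_index:
                    # Only the immediately preceding window carries weight.
                    adjacent = index == c.window_index + 1
                    c.previous = c.current if adjacent else 0
                    c.current = 0
                    c.window_index = index
                fraction = (now - index * self.window) / self.window
            # The previous window counts for the part of it that still lies
            # inside the last N seconds; the current window counts in full.
            weighted = c.previous * (1.0 - fraction) + c.current
            if weighted + 1 > self.limit:
                return False
            c.current += 1
            return True


def replay(limiter, events):
    """events: (key, timestamp) pairs; returns one response code per event."""
    return [OK if limiter.allow(k, t) else RATE_LIMITED for k, t in events]


def demo():
    # Constructed traffic: limit 10 per 10-second window.
    limiter = SlidingWindowLimiter(limit=10, window_seconds=10)
    burst = [("app-1:/pay", 1.0)] * 11      # fills the first window
    boundary = [("app-1:/pay", 12.5)] * 3   # 25% into the next window
    other = [("app-2:/pay", 12.5)]          # a different key has its own budget
    return replay(limiter, burst + boundary + other)
```
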
  • the computer device 2 may be equipped with a fuse protection component.
  • The fuse protection component includes a closed state, a half-open state, and an open state, and is configured to: if in the closed state, enter the half-open state if the number of failed API calls within a preset time window reaches a preset threshold; if in the half-open state, restore from the half-open state to the closed state if each call to the API is successful; if in the open state, start a timer operation and, when the timer reaches the predetermined time, restore from the open state to the half-open state.
  • The computer device 2 may adopt a fuse model, and configure the fuse as a state machine with three states: closed, half-open, and open.
  • the fuse is further configured as:
  • the service efficiency of the service provider 10 can be effectively improved, and a system avalanche that may be caused by service overload can be avoided.
  • The fuse protection addresses the following case: when the service provider 10 is overloaded or the interface is unavailable, the service consumer 8 may continue to send requests due to request failures, resulting in an avalanche of the service provider 10. When the fuse is in the disconnected state, the fuse blocks the service consumer's access to the service provider 10, and directly returns a failure message to the service consumer 8 or returns a degraded response.
  • the computer device 2 may be configured with a service degradation component.
  • the service degradation component is configured to stop data processing and return a degraded return code or message when the service state of the service provider is in a degraded state.
  • the service degradation component may be configured to: through the service status and a custom degraded return code and message, when the service status is in the degraded state, no service is processed and the degraded return code and message are directly returned.
  • the computer device 2 may be configured with a cryptographic signature component.
  • the cryptographic signature component is configured as:
  • Step S300 Receive an encryption request carrying the first signature private key SK1 sent by the service consumer 8.
  • the encryption request carrying the signature private key SK1 is obtained based on the service consumer identification number and the first signature private key SK1.
  • The service consumer 8 obtains the corresponding service consumer identification number (ID) and the first signature private key SK1 by registering the application of the service provider; when the service consumer 8 wants to access the service provider 10, the service parameters and ID are arranged in a natural order and then hashed to generate signature content, and the signature content is cryptographically signed with the first signature private key SK1 to generate the encryption request carrying the first signature private key SK1; the encryption request carrying the first signature private key SK1 is then sent to the computer device 2 through the HTTPS protocol.
  • the service parameters depend on the scenario. Taking face authentication as an example, the service parameters include ID number, face image, and system parameters, such as calling agency code, service agency code, and so on.
  • the gateway can be applied to various scenarios, which will not be repeated here.
  • Step S302 Perform signature verification with the first signature public key PK1 corresponding to the first signature private key SK1 to obtain the decrypted service parameters and the service consumer identification number.
  • Step S304 encrypt the decrypted service parameters and the service consumer identification number according to the second signature private key SK2, and generate an encryption request carrying the second signature private key SK2.
  • The second signature private key SK2 is predefined by the API, and it corresponds to the second signature public key PK2 of the service provider 10; the service provider 10 creates an API group, registers the API, and obtains the second signature public key PK2 of the API.
  • Step S306 Forward the encryption request carrying the second signature private key SK2 to the service provider 10, so that the service provider 10 performs a decryption operation through the second signature public key PK2 and performs the corresponding operation on the encryption request carrying the second signature private key SK2.
  • If the service provider 10 determines that the encryption request carrying the second signature private key SK2 comes from the computer device 2, the corresponding processing operation is executed according to the service parameters; if it is determined that the encryption request carrying the second signature private key SK2 does not come from the computer device 2, the encryption request carrying the second signature private key SK2 is rejected.
  • the computer device 2 may be configured with an authorization verification component.
  • The authorization verification component is configured to verify authorization according to a preset authorization rule through the authorization filter, and return a code value that rejects the request when the authorization is invalid; the preset authorization rule includes call time, call times, and/or concurrent number.
  • The authorization filter will verify the authorization according to the preset authorization rules, and when the authorization is invalid, the code value that rejects the request will be returned.
  • The preset authorization rules are configured by the service provider 10 on the gateway management platform 6, and include call time, call times, concurrent numbers, etc.; when the computer device 2 receives an API docking request from the service consumer 8, it performs authorization verification on the request according to the preset authorization rule.
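The filter chain (priority attribute, assertion attribute, run method) and the authorization verification component described above, combined in one added Python example that is not code from the patent. The class names, the 200/403 codes, the sample rule, the public `/ping` API and the choice to reject a consumer that has no rule are all assumptions.

```python
import threading
from dataclasses import dataclass
from datetime import time

OK, REJECTED = 200, 403  # assumed codes; the page gives no values

@dataclass(frozen=True)
class Request:
    consumer_id: str
    api: str
    at: time  # time of day the call arrives

@dataclass
class AuthorizationRule:  # call time, call times and concurrent number
    not_before: time
    not_after: time
    max_calls: int
    max_concurrent: int
    calls_used: int = 0
    in_flight: int = 0

class Filter:
    priority = 0  # priority attribute: lower values run earlier

    def applies(self, req):  # assertion attribute: does this instance run?
        return True

    def run(self, req):  # None = continue down the chain, int = stop with code
        raise NotImplementedError

class AuditFilter(Filter):
    priority = 10

    def __init__(self):
        self.records = []

    def run(self, req):
        self.records.append((req.consumer_id, req.api))
        return None

class AuthorizationFilter(Filter):
    priority = 20

    def __init__(self, rules, public_apis=()):
        self.rules = rules  # {(consumer_id, api): AuthorizationRule}
        self.public_apis = frozenset(public_apis)
        self._lock = threading.Lock()  # counters are shared across threads

    def applies(self, req):
        return req.api not in self.public_apis

    def run(self, req):
        with self._lock:
            rule = self.rules.get((req.consumer_id, req.api))
            if rule is None:  # no rule configured: deny by default (assumed)
                return REJECTED
            if not (rule.not_before <= req.at <= rule.not_after):
                return REJECTED
            if rule.calls_used >= rule.max_calls:
                return REJECTED
            if rule.in_flight >= rule.max_concurrent:
                return REJECTED
            rule.calls_used += 1
            rule.in_flight += 1
            return None

    def release(self, req):  # post-processing: the proxied call has finished
        with self._lock:
            rule = self.rules.get((req.consumer_id, req.api))
            if rule is not None and rule.in_flight > 0:
                rule.in_flight -= 1

class FilterChain:
    def __init__(self, filters):
        self.filters = sorted(filters, key=lambda f: f.priority)

    def handle(self, req):
        for f in self.filters:
            if f.applies(req):
                code = f.run(req)
                if code is not None:
                    return code
        return OK

def demo():
    # Constructed rule: app-1 may call /pay 09:00-17:00, 3 calls, 2 at once.
    rules = {("app-1", "/pay"): AuthorizationRule(time(9), time(17), 3, 2)}
    auth, audit = AuthorizationFilter(rules, public_apis=["/ping"]), AuditFilter()
    chain = FilterChain([auth, audit])  # reordered by priority: audit first

    def pay(hour, minute):
        return Request("app-1", "/pay", time(hour, minute))

    codes = [chain.handle(pay(10, m)) for m in (0, 1, 2)]  # third: concurrency cap
    auth.release(pay(10, 0))
    auth.release(pay(10, 1))
    codes.append(chain.handle(pay(10, 3)))  # third counted call, allowed
    auth.release(pay(10, 3))
    codes.append(chain.handle(pay(10, 4)))  # quota of 3 used up
    codes.append(chain.handle(pay(20, 0)))  # outside the call-time window
    codes.append(chain.handle(Request("app-2", "/pay", time(10))))   # no rule
    codes.append(chain.handle(Request("app-2", "/ping", time(10))))  # public API
    return codes, len(audit.records)
```

A request rejected by the concurrency cap does not consume the call quota, and the audit filter records every request because it runs before the authorization filter.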
  • the computer device 2 may be configured with a logging component.
  • the log recording component is configured to generate a serial number for each call event, and asynchronously send the associated information associated with the call event to the message platform.
  • The log recording component may be configured to generate a transNo serial number for each call event, and asynchronously send information such as appId, signature, response code, and error message to the message platform, so that the log audit system can record it; different response codes are returned according to the request status, parameter processing, flow restriction, business processing, billing status, etc., so that, for example, the audit billing system can calculate according to business rules.
  • the embodiment of the present application can implement an open gateway configuration for the computer device 2 through the integrated architecture between the collaborative service cluster 4, the gateway management platform 6 and the computer device 2.
  • financial institutions and technology companies can develop apps according to their own needs and modify or add APIs on the gateway management platform 6.
  • the gateway management platform 6 will synchronize all API modifications or new messages to the tree structure of the collaborative service cluster 4.
  • the computer device 2 can obtain the latest network configuration of each API from the gateway management platform 4 in real time according to the node information of each node.
  • Each service provider can write the network configuration of the API developed or modified by itself into the computer device 2, and each party can use the computer device 2 as the center to call a third-party API to meet its own business needs; that is, each party can use the computer device 2 as the center for integration, improving the degree of integration of all connected systems.
  • The embodiment of the application can obtain the modified or newly added information of the API in real time by monitoring the collaborative service cluster, and then obtain the latest network configuration of each node, so that the API developed or modified by each service provider can be automatically configured to the cloud gateway in an open manner, and the open configuration of the cloud gateway is realized.
  • each service provider can write the network configuration of the API developed or modified by itself into the cloud gateway, so that all parties can integrate with the cloud gateway as the center, and improve the degree of integration of the systems of all parties connected.
  • Fig. 4 schematically shows a block diagram of a cloud gateway configuration system according to Embodiment 2 of the present application.
  • The cloud gateway configuration system can be divided into one or more program modules, and the one or more program modules are stored in a storage medium and executed by one or more processors to complete the embodiments of the present application.
  • the program module referred to in the embodiment of the present application refers to a series of computer program instruction segments that can complete specific functions. The following description will specifically introduce the function of each program module in this embodiment.
  • the cloud gateway configuration system 400 may include a monitoring module 410, a judgment module 420, an update module 430, and a configuration module 440, where:
  • the monitoring module 410 is configured to monitor gateway configuration data stored in a tree structure in the collaborative service cluster, where the tree structure includes multiple nodes corresponding to multiple APIs one-to-one.
  • the determining module 420 is configured to determine whether the plurality of nodes includes at least one target node, where the at least one target node includes a data change node and/or a newly added node.
  • the update module 430 is configured to, if the at least one target node is included in the plurality of nodes, update the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API.
  • the configuration module 440 is configured to configure the gateway processing logic model according to the latest network configuration of each API.
  • The judging module 420 is further configured to: detect whether the version information of each node among the multiple nodes has changed; and if the multiple nodes include a node whose version information has changed, determine the node whose version information has changed as the target node.
  • the version information of each node is updated according to an API change event sent by a gateway management platform connected to the collaborative service cluster, and the API change event indicates that an API in the gateway management platform is changed or an API is added.
  • The update module 430 is further configured to: send a gateway configuration update request to the gateway management platform, so that the gateway management platform returns the latest gateway configuration of the API corresponding to each target node; receive the latest gateway configuration of the API corresponding to each target node returned by the gateway management platform; and, according to the latest gateway configuration of the API corresponding to each target node, update the current gateway configuration of the API corresponding to the target node.
  • The configuration module 440 is further used to: load the latest network configuration of each API into the memory and configure the gateway processing logic model: configure a filter chain for each API, and instantiate the multiple filters in the filter chain to obtain corresponding multiple instances.
  • The configuration module 440 is further configured to: configure multiple components for the multiple instances to call; the multiple components include one or more of the following: routing components, parameter conversion components, API orchestration component, current limiting protection component, fuse protection component, service degradation component, cryptographic signature component, authorization verification component, and logging component; wherein: the API orchestration component is configured to: according to the orchestration JSON template provided by the gateway service platform, call each API service in order for user requests; the current limiting protection component is configured to monitor the request count of the request count window based on the sliding window algorithm to obtain the request count of the current window, and determine whether to perform the current limiting operation according to the request count of the current window and the request count of the previous window; the fuse protection component, including the closed state, the half-open state, and the open state, is configured to: if it is in the closed state, the API will be processed within a preset time window.
  • the service degradation component is configured to: when the service state of the service provider is in the degraded state, stop data processing and return a degraded return code or message;
  • the authorization verification component is configured to verify authorization according to preset authorization rules through the authorization filter, and return a code value that rejects the request when the authorization is invalid;
  • the preset authorization rules include call time, number of calls, and/or concurrent number;
  • the logging component is configured to generate a serial number for each call event, and asynchronously send the associated information associated with the call event to the message platform.
  • the encryption signature component is configured to: receive an encryption request carrying a first signature private key sent by a service consumer, where the encryption request carrying the first signature private key is obtained according to the service consumer identification number and the first signature private key; perform signature verification through the first signature public key corresponding to the first signature private key to obtain the decrypted service parameters and service consumer identification number; encrypt the decrypted service parameters and the service consumer identification number according to the second signature private key to generate an encryption request carrying the second signature private key; and forward the encryption request carrying the second signature private key to the service provider, so that the service provider performs a decryption operation through the second signature public key in order to perform a corresponding operation according to the encryption request carrying the second signature private key.
  • the configuration module 440 is further configured to: configure multiple plug-ins for invocation of the multiple instances, wherein each plug-in corresponds to one business rule.
  • FIG. 5 schematically shows a schematic diagram of the hardware architecture of a computer device 2 suitable for implementing the cloud gateway configuration method according to the third embodiment of the present application.
  • the computer device 2 is a device that can automatically perform numerical calculation and/or information processing in accordance with pre-set or stored instructions.
  • it can be a rack server, a blade server, a tower server, or a cabinet server (including an independent server or a server cluster composed of multiple servers) with a gateway function.
  • the computer device 6 at least includes but is not limited to: a memory 510, a processor 520, and a network interface 530 that can communicate with each other through a system bus, wherein:
  • the memory 510 may be volatile or non-volatile.
  • the memory 510 includes at least one type of computer-readable storage medium.
  • the readable storage medium includes flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory, etc.), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disks, optical disks, etc.
  • the memory 510 may be an internal storage module of the computer device 2, for example, the hard disk or memory of the computer device 2.
  • the memory 510 may also be an external storage device of the computer device 2, for example, a plug-in hard disk equipped on the computer device 2, a smart memory card (Smart Media Card, abbreviated as SMC), a secure digital (Secure Digital, abbreviated as SD) card, a flash card (Flash Card), etc.
  • the memory 510 may also include both the internal storage module of the computer device 2 and its external storage device.
  • the memory 510 is generally used to store the operating system and various application software installed in the computer device 2, such as the program code of the cloud gateway configuration method.
  • the memory 510 may also be used to temporarily store various types of data that have been output or will be output.
  • the processor 520 may be a central processing unit (Central Processing Unit, referred to as CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments.
  • the processor 520 is generally used to control the overall operation of the computer device 2, for example, to perform data interaction or communication-related control and processing with the computer device 2.
  • the processor 520 is configured to run program codes stored in the memory 510 or process data.
  • the network interface 530 may include a wireless network interface or a wired network interface, and the network interface 530 is generally used to establish a communication link between the computer device 2 and other computer devices.
  • the network interface 530 is used to connect the computer device 2 to an external terminal through a network, and to establish a data transmission channel and a communication link between the computer device 2 and the external terminal.
  • the network can be an intranet (Intranet), the Internet (Internet), a global system of mobile communications (Global System of Mobile communication, GSM for short), Wideband Code Division Multiple Access (WCDMA for short), 4G network, 5G network, Bluetooth, Wi-Fi and other wireless or wired networks.
  • FIG. 5 only shows a computer device with components 510-530, but it should be understood that it is not required to implement all the components shown, and more or fewer components may be implemented instead.
  • the cloud gateway configuration method stored in the memory 510 can also be divided into one or more program modules and executed by one or more processors (the processor 520 in this embodiment) to carry out the embodiments of this application.
  • This embodiment also provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented:
  • Monitoring gateway configuration data stored in a tree structure in the collaborative service cluster, where the tree structure includes multiple nodes corresponding one-to-one to multiple APIs;
  • Determining whether the multiple nodes include at least one target node, where the at least one target node includes a data change node and/or a newly added node;
  • If the multiple nodes include the at least one target node, updating the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API; and
  • According to the latest network configuration of each API, configuring the gateway processing logic model.
  • the computer-readable storage medium may be volatile or non-volatile.
  • Computer-readable storage media include flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory, etc.), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disks, optical disks, etc.
  • the computer-readable storage medium may be an internal storage unit of a computer device, such as a hard disk or memory of the computer device.
  • the computer-readable storage medium may also be an external storage device of the computer device, such as a plug-in hard disk, a smart memory card (Smart Media Card, referred to as SMC), a Secure Digital (SD) card, or a flash memory card (Flash Card) equipped on the computer device.
  • the computer-readable storage medium may also include both the internal storage unit and the external storage device of the computer device.
  • the computer-readable storage medium is generally used to store the operating system and various application software installed in the computer device, such as the program code of the cloud gateway configuration method in the embodiment.
  • the computer-readable storage medium can also be used to temporarily store various types of data that have been output or will be output.
  • modules or steps of the embodiments of the present application described above can be implemented by a general computing device, and they can be concentrated on a single computing device or distributed among multiple computing devices.
  • they can be implemented by program code executable by the computing device, so that they can be stored in a storage device and executed by the computing device; in some cases, the steps shown or described can be executed in an order different from the one given here, or they can each be fabricated as an individual integrated circuit module, or multiple modules or steps among them can be fabricated as a single integrated circuit module. In this way, the embodiments of the present application are not limited to any specific combination of hardware and software.
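The sliding-window check described above for the current limiting protection component can be sketched as follows. This is an added example, not code from the application: the page states only that the request counts of the current and previous windows are used, so weighting the previous window by its remaining overlap, the class name and the parameters are assumptions.

```python
class SlidingWindowLimiter:
    """Sliding-window counter: estimates the request rate over the last
    `window_seconds` from the current and previous fixed-window counts."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.index = None    # number of the window the counters belong to
        self.current = 0     # requests admitted in the current window
        self.previous = 0    # requests admitted in the window before it

    def _roll(self, now):
        idx = int(now // self.window)
        if self.index is None:
            self.index = idx
            return
        if idx <= self.index:
            return                       # same window (or clock went backwards)
        if idx == self.index + 1:
            self.previous, self.current = self.current, 0
        else:
            self.previous, self.current = 0, 0   # at least one idle window passed
        self.index = idx

    def estimate(self, now):
        """Weighted request count for the window that ends at `now`."""
        self._roll(now)
        elapsed = (now % self.window) / self.window
        return self.previous * (1 - elapsed) + self.current

    def allow(self, now):
        """Admit the request only if it keeps the estimate within the limit."""
        if self.estimate(now) + 1 > self.limit:
            return False                 # perform the current limiting operation
        self.current += 1
        return True


def count_allowed(limiter, now, attempts):
    """Send `attempts` requests at time `now`; return how many were admitted."""
    return sum(1 for _ in range(attempts) if limiter.allow(now))


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=10, window_seconds=60)
    for t in (50, 90, 200):              # constructed timestamps, in seconds
        print(t, count_allowed(limiter, t, 12))
```

A plain fixed-window counter would admit a second full burst at t=90; the weighted estimate still counts half of the previous window there and admits only the remainder.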


Abstract

An embodiment of the present application provides a cloud gateway configuration method. The cloud gateway configuration method comprises: monitoring gateway configuration data stored as a tree structure in a cooperative service cluster, wherein the tree structure comprises multiple nodes in one-to-one correspondence with multiple APIs; determining whether the multiple nodes comprise one or more target nodes, wherein the one or more target nodes comprise a data change node and/or an addition node; if the multiple nodes comprise the one or more target nodes, updating a gateway configuration of APIs corresponding to each of the one or more target nodes to obtain an up-to-date network configuration for each API; and configuring a gateway processing logic model according to the up-to-date network configuration for each API. The embodiment of the present application enables open configuration of cloud gateways and improves the level of integration for various systems accessing the cloud gateways.

Description

Cloud gateway configuration method, system, device, and computer-readable storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on January 9, 2020, with application number CN202010023851.3 and titled "Cloud Gateway Configuration Method and System", the entire content of which is incorporated into this application by reference.
Technical field
The embodiments of the present application relate to the field of cloud technology, and in particular to a cloud gateway configuration method, system, device, and computer-readable storage medium.
Background
With the rapid development of the Internet, more enterprises have completed the conversion of their internal systems into APIs (application programming interfaces). However, under the strong demand of enterprise supply chains and the social opening of data and capabilities, security, isolation, and sharing have become important requirements, and the cloud gateway has therefore taken on an important role in connecting the internal and external services of an enterprise. The so-called cloud gateway refers to the cloud storage gateway in cloud storage technology, which allows users to access cloud services provided by cloud service providers through their original access method, without changing the interface design.
As the external outlet for enterprise data and services, the cloud gateway can provide services such as voice, video, information security, information management, and information monitoring. For example, the cloud gateway can receive requests from the user side and, according to those requests, request the content the user side needs from the cloud service provider; it can also provide the cloud service provider with services such as signature authentication and logging.
Technical problem
The inventors realized that there is currently no connection solution based on an open cloud gateway, and that the degree of integration among the systems of the connected parties is low.
Technical solution
One aspect of the embodiments of the present application provides a cloud gateway configuration method. The cloud gateway configuration method includes: monitoring gateway configuration data stored in a tree structure in a collaborative service cluster, where the tree structure includes multiple nodes corresponding one-to-one to multiple APIs; determining whether the multiple nodes include at least one target node, where the at least one target node includes a data change node and/or a newly added node; if the multiple nodes include the at least one target node, updating the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API; and configuring a gateway processing logic model according to the latest network configuration of each API.
Another aspect of the embodiments of the present application provides a cloud gateway configuration system. The cloud gateway configuration system includes: a monitoring module, configured to monitor gateway configuration data stored in a tree structure in a collaborative service cluster, where the tree structure includes multiple nodes corresponding one-to-one to multiple APIs; a determining module, configured to determine whether the multiple nodes include at least one target node, where the at least one target node includes a data change node and/or a newly added node; an update module, configured to, if the multiple nodes include the at least one target node, update the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API; and a configuration module, configured to configure a gateway processing logic model according to the latest network configuration of each API.
Another aspect of the embodiments of the present application provides a computer device. The computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the following steps:
Monitoring gateway configuration data stored in a tree structure in the collaborative service cluster, where the tree structure includes multiple nodes corresponding one-to-one to multiple APIs;
Determining whether the multiple nodes include at least one target node, where the at least one target node includes a data change node and/or a newly added node;
If the multiple nodes include the at least one target node, updating the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API; and
Configuring the gateway processing logic model according to the latest network configuration of each API.
Another aspect of the embodiments of the present application provides a computer-readable storage medium. A computer program is stored in the computer-readable storage medium, and the computer program can be executed by at least one processor, so that the at least one processor performs the following steps:
Monitoring gateway configuration data stored in a tree structure in the collaborative service cluster, where the tree structure includes multiple nodes corresponding one-to-one to multiple APIs;
Determining whether the multiple nodes include at least one target node, where the at least one target node includes a data change node and/or a newly added node;
If the multiple nodes include the at least one target node, updating the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API; and
Configuring the gateway processing logic model according to the latest network configuration of each API.
Description of the drawings
FIG. 1 schematically shows an application environment diagram of the cloud gateway configuration method according to Embodiment 1 of the present application;
FIG. 2 schematically shows a flowchart of the cloud gateway configuration method according to Embodiment 1 of the present application;
FIG. 3 schematically shows an additional flowchart of the cloud gateway configuration method according to Embodiment 1 of the present application;
FIG. 4 schematically shows a block diagram of the cloud gateway configuration system according to Embodiment 2 of the present application; and
FIG. 5 schematically shows the hardware architecture of a computer device suitable for implementing the cloud gateway configuration method according to Embodiment 3 of the present application.
Embodiments of the present invention
In order to make the objectives, technical solutions, and advantages of the embodiments of the present application clearer, the embodiments are described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the embodiments of the present application and are not intended to limit them. Based on the embodiments of the present application, all other embodiments obtained by those of ordinary skill in the art without creative work fall within the protection scope of the embodiments of the present application.
It should be noted that descriptions involving "first", "second", and the like in the embodiments of this application are for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Therefore, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the various embodiments can be combined with each other, but only on the basis that a person of ordinary skill in the art can implement the combination. When a combination of technical solutions is contradictory or cannot be implemented, it should be considered that the combination does not exist and does not fall within the protection scope claimed by the embodiments of this application.
FIG. 1 schematically shows the application environment of the cloud gateway configuration method according to Embodiment 1 of the present application. In an exemplary embodiment, the application environment includes a computer device 2, a collaborative service cluster 4, a gateway management platform 6, a service consumer 8, and a service provider 10, wherein:
The computer device 2 is a cloud gateway or an electronic device with a cloud gateway function. It serves as the external outlet for enterprise data and services and can provide services such as voice, video, information security, information management, and information monitoring.
The collaborative service cluster 4 may be a zookeeper cluster. zookeeper was developed by Yahoo and is mainly used to support distributed systems and to solve their coordination tasks (coordinating task); by providing general-purpose functions, it lets application developers focus on their own business functions rather than on the coordination of the distributed system. A zookeeper cluster provides coordination services for users' distributed applications.
The gateway management platform 6 may be used to receive user operations, which include API (Application Programming Interface) management, configuration, testing, release, taking offline, and so on.
The service consumer 8 may be an electronic device such as a smartphone, tablet personal computer, laptop computer, desktop computer, workstation, virtual reality device, game device, set-top box, digital streaming media device, vehicle terminal, smart TV, or e-book reader, or it may be a virtualized computing instance.
The service provider 10 provides services for service consumers. The service provider 10 may be a rack server, a blade server, a tower server, or a cabinet server (including an independent server or a server cluster composed of multiple servers). The service provider 10 provides API interfaces for real-time calling. The service provider 10 may be any of various enterprise servers, such as those of banks and other financial institutions, technology companies, and so on.
Embodiment 1
FIG. 2 schematically shows a flowchart of the cloud gateway configuration method according to Embodiment 1 of the present application. It can be understood that the flowchart in this method embodiment is not intended to limit the order in which the steps are executed. The following description takes the computer device 2 as the executing entity by way of example.
As shown in FIG. 2, the cloud gateway configuration method may include steps S200 to S206, wherein:
Step S200: monitor the gateway configuration data stored in a tree structure in the collaborative service cluster 4, where the tree structure includes multiple nodes corresponding one-to-one to multiple APIs.
The collaborative service cluster 4 stores the gateway configuration data in a tree structure, for example: /gateway/org/group/api. If an API changes, the version information of the corresponding node in the tree structure is updated to complete the event registration operation for the API change event.
The computer device 2 is connected to the collaborative service cluster 4 and to the gateway management platform 6.
If API modification information or API addition information submitted by the service provider 10 is received, the gateway management platform 6 modifies the API parameters of the corresponding API, or adds an API, and so on. When an API in the gateway management platform 6 changes or an API is added, the gateway management platform 6 starts an API change event and sends it to the collaborative service cluster 4. After receiving the API change event sent by the gateway management platform 6, the collaborative service cluster 4 modifies the version information of the corresponding node in the tree structure to update the gateway configuration data, that is, it updates the version information of the corresponding node in the data structure to complete event registration.
A changed API is an API whose interface description, interface address, request method, request parameters, etc. have changed.
Step S202: determine whether the multiple nodes include at least one target node, where the at least one target node includes a data change node and/or a newly added node.
The computer device 2 can use an event listener to monitor whether the gateway configuration data in the collaborative service cluster 4 has changed, for example by monitoring whether the collaborative service cluster 4 has a new registration event and determining the target node according to that new registration event.
The version information of each node is updated according to the API change event sent by the gateway management platform connected to the collaborative service cluster 4, and the API change event indicates that an API in the gateway management platform 6 has changed or that an API has been added. In an exemplary embodiment, step S202 may therefore include the following steps: detecting whether the version information of each of the multiple nodes has changed; and, if the nodes include a node whose version information has changed, determining the node whose version information has changed as the target node.
Step S204: if the multiple nodes include the at least one target node, update the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API.
The computer device 2 can obtain the network configuration of the API corresponding to each target node in various ways, such as directly issuing a download request. In an exemplary embodiment, the gateway management platform 6 is configured with a management platform interface through which the relevant information can be obtained. Therefore, the computer device 2 can request the gateway management platform 6 to return the corresponding network configuration according to the node information of the target node (for example, the identification number of the API corresponding to the target node). Specifically, step S204 may include the following steps: sending a gateway configuration update request to the gateway management platform 6, so that the gateway management platform 6 returns the latest gateway configuration of the API corresponding to each target node; receiving the latest gateway configuration of the API corresponding to each target node returned by the gateway management platform 6; and, according to the latest gateway configuration of the API corresponding to each target node, updating the current gateway configuration of the API corresponding to the target node.
Step S206: configure the gateway processing logic model according to the latest network configuration of each API.
In an exemplary embodiment, the computer device 2 may load the latest network configuration of each API into memory and configure the gateway processing logic model: configure a filter chain for each API and instantiate the multiple filters in the filter chain to obtain corresponding multiple instances. That is, each API only needs at least one filter chain. Each filter chain can include multiple instances, and each instance corresponds to one piece of business logic.
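Steps S200 to S206, as an added Python example that is not part of the application: an in-memory snapshot stands in for the coordination tree, and the configuration fields (`upstream`, `filters`), the validation policy and all names are assumptions. A configuration that cannot be fetched or fails validation leaves the previous one active and the stored version unchanged, so the node is still a target on the next pass.

```python
from dataclasses import dataclass, field

REQUIRED_FILTER = "authorization"  # assumed local policy, not from the application


def validate(path, cfg):
    """Refuse a fetched configuration that would weaken the API's filter chain."""
    if not isinstance(cfg, dict):
        raise ValueError(f"{path}: configuration is not a mapping")
    if not cfg.get("upstream"):
        raise ValueError(f"{path}: missing upstream address")
    if REQUIRED_FILTER not in cfg.get("filters", []):
        raise ValueError(f"{path}: filter chain lacks '{REQUIRED_FILTER}'")


@dataclass
class GatewayConfigCache:
    versions: dict = field(default_factory=dict)  # node path -> version last applied
    configs: dict = field(default_factory=dict)   # node path -> active gateway config

    def find_target_nodes(self, snapshot):
        """S202: nodes that are newly added or whose version information changed."""
        targets = []
        for path, version in sorted(snapshot.items()):
            if path not in self.versions:
                targets.append((path, "added"))
            elif self.versions[path] != version:
                targets.append((path, "changed"))
        return targets

    def refresh(self, snapshot, fetch_config):
        """S204/S206: fetch each target's latest config, validate it, load it."""
        applied, rejected = [], []
        for path, reason in self.find_target_nodes(snapshot):
            try:
                cfg = fetch_config(path)      # stands in for the platform request
                validate(path, cfg)
            except (KeyError, ValueError) as exc:
                rejected.append((path, str(exc)))
                continue                      # old config and version stay in place
            self.configs[path] = cfg
            self.versions[path] = snapshot[path]
            applied.append((path, reason))
        return applied, rejected


# Constructed sample data: node path -> version, and what the platform returns.
TRANSFER = "/gateway/acme/pay/transfer"
BALANCE = "/gateway/acme/pay/balance"
REFUND = "/gateway/acme/pay/refund"
GOOD = ["logging", "authorization", "routing"]
SNAPSHOT_1 = {TRANSFER: 1, BALANCE: 1}
PLATFORM_1 = {
    TRANSFER: {"upstream": "https://pay.example/transfer", "filters": GOOD},
    BALANCE: {"upstream": "https://pay.example/balance", "filters": GOOD},
}
SNAPSHOT_2 = {TRANSFER: 2, BALANCE: 1, REFUND: 1}
PLATFORM_2 = {
    **PLATFORM_1,
    # Version 2 of this API arrives without its authorization filter.
    TRANSFER: {"upstream": "https://pay.example/transfer", "filters": ["logging", "routing"]},
    REFUND: {"upstream": "https://pay.example/refund", "filters": GOOD},
}


def run_demo():
    cache = GatewayConfigCache()
    first = cache.refresh(SNAPSHOT_1, PLATFORM_1.__getitem__)
    second = cache.refresh(SNAPSHOT_2, PLATFORM_2.__getitem__)
    return cache, first, second


if __name__ == "__main__":
    _, first, second = run_demo()
    print(first)
    print(second)
```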
所谓过滤器链,包括具有先后顺序的多个过滤器,用于实现逐层过滤。具体的:用于将用户请求根据过滤器链中定义的顺序执行过滤操作,即用于对应用程序的请求或响应做一些预处理/后处理。所述过滤器链可以用于认证/授权/记录日志等。The so-called filter chain includes multiple filters in a sequential order to achieve layer-by-layer filtering. Specifically: It is used to perform filtering operations on user requests according to the order defined in the filter chain, that is, to do some pre-processing/post-processing on application requests or responses. The filter chain can be used for authentication/authorization/logging, etc.
An instance may include a priority attribute, an assertion attribute, and a run method. The priority attribute determines the order in which the instances are executed in the filter chain; the assertion attribute decides whether the instance is executed; the run method is used to start or create a thread for processing business logic, such as signature verification, authorization verification, concurrency rate limiting, and URI rewriting.
An instance relies on components, or calls components, to complete its operations.
In an exemplary embodiment, the computer device 2 may configure multiple components for the multiple instances to call. The multiple components include one or more of the following: a routing component, a parameter conversion component, an API orchestration component, a rate-limiting protection component, a circuit-breaker protection component, a service degradation component, an encryption signature component, an authorization verification component, and a logging component.
In an exemplary embodiment, the computer device 2 may configure plug-in components; the plug-ins may be obtained by abstract definition from various business rules.
Each plug-in corresponds to one business rule. For example: plug-in 1 authorizes each service consumer 8 according to time period; plug-in 2 authorizes each service consumer 8 according to the number of calls. Plug-in 1 and plug-in 2 are thus defined according to different authorization rules.
An instance executes business logic according to predefined rules, and the specific business-level work can be completed by calling one or more plug-ins.
Combining instances with plug-ins decouples business logic from business rules, which makes configuration and composition easier.
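The following sketch shows how a filter chain of instances (priority attribute, assertion attribute, run method) can call plug-ins that each hold one business rule. It is an added example, not code from the patent; the class names, the response codes 200/403, the `legacy/` prefix, and the sample consumer `bank-a` are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    api_id: str
    consumer_id: str
    hour: int                                        # hour of day the call arrives (0-23)
    trail: List[str] = field(default_factory=list)   # instances that actually ran


@dataclass
class Response:
    code: int            # 200/403 are assumed values, not codes from the page
    message: str


class TimeWindowPlugin:
    """Plug-in 1: authorize a consumer only inside its permitted time period."""

    def __init__(self, windows: Dict[str, Tuple[int, int]]):
        self.windows = windows                       # consumer_id -> (start_hour, end_hour)

    def allows(self, req: Request) -> bool:
        window = self.windows.get(req.consumer_id)
        return window is not None and window[0] <= req.hour < window[1]


class CallQuotaPlugin:
    """Plug-in 2: authorize a consumer until its number of calls is used up."""

    def __init__(self, quotas: Dict[str, int]):
        self.remaining = dict(quotas)

    def allows(self, req: Request) -> bool:
        left = self.remaining.get(req.consumer_id, 0)
        if left <= 0:
            return False                             # unknown consumers fail closed
        self.remaining[req.consumer_id] = left - 1
        return True


@dataclass
class FilterInstance:
    name: str
    priority: int                                    # lower value runs earlier
    predicate: Callable[[Request], bool]             # assertion: run this instance?
    run: Callable[[Request], Optional[Response]]     # None means "continue the chain"


class FilterChain:
    def __init__(self, instances: List[FilterInstance]):
        self.instances = sorted(instances, key=lambda inst: inst.priority)

    def handle(self, req: Request) -> Response:
        for inst in self.instances:
            if not inst.predicate(req):
                continue
            req.trail.append(inst.name)
            rejected = inst.run(req)
            if rejected is not None:
                return rejected                      # stop at the first rejection
        return Response(200, "forwarded to " + req.api_id)


def build_chain(plugins) -> FilterChain:
    def authorize(req: Request) -> Optional[Response]:
        # all() short-circuits: a time-window denial does not consume quota.
        if all(plugin.allows(req) for plugin in plugins):
            return None
        return Response(403, "authorization invalid")

    def rewrite(req: Request) -> Optional[Response]:
        req.api_id = req.api_id[len("legacy/"):]
        return None

    # Declared out of order on purpose; the priority attribute decides the order.
    return FilterChain([
        FilterInstance("authorization", 20, lambda r: True, authorize),
        FilterInstance("uri_rewrite", 10, lambda r: r.api_id.startswith("legacy/"), rewrite),
    ])


def demo():
    chain = build_chain([
        TimeWindowPlugin({"bank-a": (9, 18)}),       # constructed sample rules
        CallQuotaPlugin({"bank-a": 2}),
    ])
    requests = [
        Request("face-auth", "bank-a", hour=22),         # outside the time window
        Request("legacy/face-auth", "bank-a", hour=10),  # rewritten, then authorized
        Request("face-auth", "bank-a", hour=10),         # uses the last quota unit
        Request("face-auth", "bank-a", hour=10),         # quota exhausted
    ]
    return [(chain.handle(r).code, r.api_id, r.trail) for r in requests]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Changing an authorization rule here means swapping a plug-in in `build_chain`; the chain and the authorization instance stay untouched.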
In an exemplary embodiment, the computer device 2 may configure an API orchestration component. The API orchestration component is configured to call the API services in order for a user request, according to the orchestration JSON template provided by the gateway service platform.
The gateway service platform 6 orchestrates the APIs according to user operations and generates an orchestration JSON template. The orchestration JSON template includes: (a) the calling mode: serial calling and parallel calling; (b) the parameter conversion and processing logic set for each API.
According to the orchestration JSON template provided by the gateway service platform 6, the computer device 2 processes a serial orchestration one call at a time in order, where each call includes pre-processing, routing, and post-processing; for a parallel orchestration, it uses a thread pool to process the calls to each proxy service in parallel, then aggregates the results and returns them to the service consumer 8. That is, when the computer device 2 receives a user request, it calls multiple API services according to the orchestration to obtain feedback data from the service provider 10, processes the feedback data (for example, integrates it), and returns the integrated data to the service consumer 8.
In an exemplary embodiment, the computer device 2 may configure a rate-limiting protection component. The rate-limiting protection component is configured to: monitor the request count of the request counting window based on a sliding window algorithm to obtain the request count of the current window, and determine whether to perform a rate-limiting operation according to the request count of the current window and the request count of the previous window.
In this embodiment, the rate-limiting protection component is configured to perform the following steps: taking N seconds as one request counting window, monitor the request count of each request counting window based on the sliding window algorithm; when a request arrives, calculate from the request time the proportion it occupies in the current window, then accumulate the request counts of the previous window and the current window according to weight; if the limit is not exceeded, process the request normally; otherwise, refuse to process it and directly return the rate-limiting response code.
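A sketch of the weighted two-window count described above, with one limiter per decision key. It is an added example, not code from the patent; the weighting `previous * (1 - elapsed) + current`, the response code 429, and the keys `bank-a`/`bank-b` are assumptions, since the text only says the two counts are accumulated by weight.

```python
from typing import Dict, Hashable, Iterable, List, Optional, Tuple

OK = 200
RATE_LIMITED = 429   # assumed value; the page only says "rate-limiting response code"


class SlidingWindowLimiter:
    """Weighted two-window counter: the previous window fades out as the current one fills."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds              # N seconds per counting window
        self.index: Optional[int] = None          # which window is "current"
        self.current = 0
        self.previous = 0

    def _roll(self, now: float) -> None:
        index = int(now // self.window)
        if self.index is None or index > self.index + 1:
            # First request, or at least one whole window passed with no traffic.
            self.previous, self.current, self.index = 0, 0, index
        elif index == self.index + 1:
            self.previous, self.current, self.index = self.current, 0, index
        # index <= self.index: same window (or the clock stepped back); keep counting.

    def estimate(self, now: float) -> float:
        self._roll(now)
        elapsed = (now - self.index * self.window) / self.window
        elapsed = min(max(elapsed, 0.0), 1.0)     # proportion of the current window used
        return self.previous * (1.0 - elapsed) + self.current

    def allow(self, now: float) -> bool:
        if self.estimate(now) + 1 > self.limit:
            return False                          # rejected requests are not counted
        self.current += 1
        return True


class KeyedLimiter:
    """One limiter per decision key, e.g. consumer, interface or client IP."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        # A long-running gateway would also evict idle keys to bound memory.
        self.limiters: Dict[Hashable, SlidingWindowLimiter] = {}

    def check(self, key: Hashable, now: float) -> int:
        limiter = self.limiters.get(key)
        if limiter is None:
            limiter = self.limiters[key] = SlidingWindowLimiter(self.limit, self.window)
        return OK if limiter.allow(now) else RATE_LIMITED


def replay(events: Iterable[Tuple[float, Hashable]],
           limit: int = 10, window_seconds: float = 10.0) -> List[int]:
    """Feed constructed (timestamp, key) events through a fresh gateway limiter."""
    gateway = KeyedLimiter(limit, window_seconds)
    return [gateway.check(key, now) for now, key in events]


if __name__ == "__main__":
    burst = [(float(t), "bank-a") for t in range(10)]       # constructed traffic
    tail = [(9.5, "bank-a"), (10.0, "bank-a"), (15.0, "bank-a")]
    print(replay(burst + tail))
```

The request at t=10.0 is rejected even though a new window has just started, which is the boundary burst a fixed-window counter would let through.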
The rate-limiting protection component can be used to prevent service outages at the service provider 10 caused by a sudden surge in requests. The request counting based on the sliding window algorithm described above is only one rate-limiting measure; IP, interface, user dimension, and certain values in the request parameters can also serve as decision parameters for rate limiting.
For example, requests are graded by priority; when the request volume surges, processing of high-priority requests is guaranteed and processing of low-priority requests is refused.
In an exemplary embodiment, the computer device 2 may configure a circuit-breaker protection component. The circuit-breaker protection component has a closed state, a half-open state, and an open state, and is configured as follows: in the closed state, if the number of failed API calls within a preset time window reaches a preset threshold, it enters the half-open state; in the half-open state, if every API call succeeds, it returns from the half-open state to the closed state; in the open state, it starts a timer, and when the timer reaches a predetermined time it returns from the open state to the half-open state.
The computer device 2 may adopt a circuit-breaker model and configure the circuit breaker as a state machine with three states: closed, half-open, and open. The circuit breaker is further configured as follows:
a. If the number of failed API calls within a given time window reaches the preset threshold, it automatically enters the half-open state, in which a certain number of calls are allowed;
b. In the half-open state, if every API call succeeds, it returns from the half-open state to the closed state;
c. If the circuit breaker is in the open state, it starts a timer, and when the timer reaches a predetermined time it returns from the open state to the half-open state.
With the above configuration, the service efficiency of the service provider 10 can be effectively improved, and a system avalanche caused by service overload can be avoided.
The purpose of circuit-breaker protection is as follows: when the service provider 10 is overloaded or its interface is unreachable, the service consumer 8 may keep sending requests because its requests fail, causing an avalanche at the service provider 10. When the circuit breaker is in the open state, it blocks the service consumer's access to the service provider 10 and directly returns failure information or a degraded response to the service consumer 8.
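The three-state machine described above, as an added example that is not code from the patent. The text does not say how the open state is entered, so this sketch assumes that a failed call in the half-open state opens the breaker; the parameter names, the status strings, and the constructed backend are also assumptions.

```python
import enum
from typing import Callable, Iterable, List, Optional, Tuple


class State(enum.Enum):
    CLOSED = "closed"
    HALF_OPEN = "half_open"
    OPEN = "open"


class CircuitBreaker:
    """Single-threaded sketch; a real gateway would guard the state with a lock."""

    def __init__(self, failure_threshold: int, window_seconds: float,
                 probe_calls: int, open_seconds: float):
        self.failure_threshold = failure_threshold
        self.window_seconds = window_seconds
        self.probe_calls = probe_calls          # successes needed to close again
        self.open_seconds = open_seconds
        self.state = State.CLOSED
        self.failures: List[float] = []         # failure timestamps while closed
        self.probe_successes = 0
        self.opened_at = 0.0

    def _refresh(self, now: float) -> None:
        # (c) open -> half-open once the timer reaches the predetermined time
        if self.state is State.OPEN and now - self.opened_at >= self.open_seconds:
            self.state = State.HALF_OPEN
            self.probe_successes = 0

    def call(self, now: float, backend: Callable[[], object]) -> Tuple[str, Optional[object]]:
        self._refresh(now)
        if self.state is State.OPEN:
            return "degraded", None             # the provider is not contacted at all
        try:
            result = backend()
        except Exception:
            self._on_failure(now)
            return "failed", None
        self._on_success()
        return "ok", result

    def _on_failure(self, now: float) -> None:
        if self.state is State.HALF_OPEN:
            # Assumption: a failed probe opens the breaker and starts the timer.
            self.state = State.OPEN
            self.opened_at = now
            return
        # (a) closed -> half-open when failures inside the window reach the threshold
        self.failures = [t for t in self.failures if now - t < self.window_seconds]
        self.failures.append(now)
        if len(self.failures) >= self.failure_threshold:
            self.state = State.HALF_OPEN
            self.probe_successes = 0
            self.failures.clear()

    def _on_success(self) -> None:
        # (b) half-open -> closed only after every probe call has succeeded
        if self.state is State.HALF_OPEN:
            self.probe_successes += 1
            if self.probe_successes >= self.probe_calls:
                self.state = State.CLOSED


def replay(breaker: CircuitBreaker, events: Iterable[Tuple[float, bool]]) -> List[Tuple[str, str]]:
    """Run constructed (timestamp, backend_healthy) events; return (status, state) pairs."""
    outcomes = []
    for now, healthy in events:
        def backend(ok: bool = healthy) -> str:
            if not ok:
                raise ConnectionError("constructed backend failure")
            return "payload"
        status, _ = breaker.call(now, backend)
        outcomes.append((status, breaker.state.value))
    return outcomes


if __name__ == "__main__":
    cb = CircuitBreaker(failure_threshold=3, window_seconds=10, probe_calls=2, open_seconds=30)
    script = [(0, False), (1, False), (2, False), (3, False), (4, True), (33, True), (34, True)]
    for row in replay(cb, script):
        print(row)
```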
In an exemplary embodiment, the computer device 2 may configure a service degradation component. The service degradation component is configured to stop data processing and return a degradation return code or message when the service state of the service provider is the degraded state.
Service degradation means that, when the service provider 10 is overloaded, some services and pages are degraded under a policy based on the current business situation and traffic, which releases service resources to keep core tasks running normally. The service degradation component may be configured with a service state and a custom degradation return code and message: when the service state is the degraded state, it does not process the business request and directly returns the degradation return code and message.
In an exemplary embodiment, the computer device 2 may configure an encryption signature component. As shown in FIG. 3, the encryption signature component is configured to perform the following steps:
Step S300: receive an encrypted request carrying the first signature private key SK1 sent by the service consumer 8, where the encrypted request carrying the signature private key is obtained from the service consumer identification number and the first signature private key SK1.
The service consumer 8 obtains the corresponding service consumer identification number (ID) and the first signature private key SK1 by registering the application of the service provider. When the service consumer 8 wants to access the service provider 10, it arranges the business parameters and the ID in natural order and hashes them to generate the signature content, cryptographically signs the signature content with the first signature private key SK1 to generate the encrypted request carrying the first signature private key SK1, and sends the encrypted request carrying the first signature private key SK1 to the computer device 2 over HTTPS.
The business parameters depend on the scenario. Taking face authentication as an example, the business parameters include the ID card number, the face image, and system parameters such as the calling organization code and the service organization code. As a platform, the gateway can be applied to all kinds of scenarios, which are not described further here.
Step S302: perform signature verification with the first signature public key PK1 corresponding to the first signature private key SK1 to obtain the decrypted business parameters and service consumer identification number.
Step S304: encrypt the decrypted business parameters and service consumer identification number according to the second signature private key SK2 to generate an encrypted request carrying the second signature private key SK2.
The second signature private key SK2 is predefined by the API and corresponds to the second signature public key PK2 of the service provider 10; the service provider 10 creates an API group, registers the API, and obtains the second signature public key PK2 of the API.
Step S306: forward the encrypted request carrying the second signature private key SK2 to the service provider 10, so that the service provider 10 performs a decryption operation with the second signature public key PK2 and performs the corresponding operation according to the encrypted request carrying the second signature private key SK2.
For example: if the service provider 10 determines that the encrypted request carrying the second signature private key SK2 comes from the computer device 2, it performs the corresponding processing operation according to the business parameters; if it determines that the encrypted request carrying the second signature private key SK2 does not come from the computer device 2, it refuses to process that request.
In an exemplary embodiment, the computer device 2 may configure an authorization verification component. The authorization verification component is configured to verify authorization through an authorization filter according to preset authorization rules and to return a code value rejecting the request when the authorization is invalid; the preset authorization rules include call time, number of calls, and/or concurrency.
Specifically: the authorization filter verifies authorization according to the preset authorization rules and, when the authorization is invalid, returns a code value rejecting the request. The preset authorization rules are configured by the service provider 10 on the gateway management platform 6 and include call time, number of calls, concurrency, and so on. When the computer device 2 receives a request from the service consumer 8 applying for API access, it performs authorization verification on the request according to the preset authorization rules.
In an exemplary embodiment, the computer device 2 may configure a logging component.
The logging component is configured to generate a serial number for each call event and to send the information associated with the call event asynchronously to the message platform.
Specifically, the logging component may be configured to: generate a transNo serial number for each call event, and send information such as the appId, signature, response code, and error message asynchronously to the message platform so that the log audit system can record it; and return different response codes according to request status, parameter processing, traffic limiting, business processing, billing status, and so on, so that systems such as the audit and billing system can perform calculations according to business rules.
The embodiment of the present application can implement an open gateway configuration of the computer device 2 through the integrated architecture formed by the collaborative service cluster 4, the gateway management platform 6, and the computer device 2. Financial institutions and technology companies can develop apps according to their own needs and modify or add APIs on the gateway management platform 6. The gateway management platform 6 synchronizes all API modification or addition messages to the tree structure of the collaborative service cluster 4, so that the computer device 2 can monitor each node in the tree structure and obtain the latest network configuration of each API from the gateway management platform 4 in real time according to the node information of each node.
In addition, each service provider can write the network configuration of the APIs it has developed or modified into the computer device 2, and each party can call third-party APIs through the computer device 2 to meet its own business needs. The parties can therefore integrate around the computer device 2, which increases the degree of integration of the connected systems.
The embodiment of the present application can obtain API modification or addition information in real time by monitoring the collaborative service cluster, and then obtain the latest network configuration of each node, so that APIs developed or modified by any service provider can be configured into the cloud gateway automatically and in an open manner; that is, open configuration of the cloud gateway is achieved. In addition, because each service provider can write the network configuration of the APIs it has developed or modified into the cloud gateway, the parties integrate around the cloud gateway, which increases the degree of integration of the connected systems.
Embodiment 2
FIG. 4 schematically shows a block diagram of a cloud gateway configuration system according to Embodiment 2 of the present application. The cloud gateway configuration system can be divided into one or more program modules, which are stored in a storage medium and executed by one or more processors to carry out the embodiments of the present application. A program module in the embodiments of the present application is a series of computer program instruction segments capable of performing a specific function. The following description introduces the function of each program module in this embodiment.
As shown in FIG. 4, the cloud gateway configuration system 400 may include a monitoring module 410, a judgment module 420, an update module 430, and a configuration module 440, where:
The monitoring module 410 is configured to monitor gateway configuration data stored in a tree structure in the collaborative service cluster, where the tree structure includes multiple nodes in one-to-one correspondence with multiple APIs.
The judgment module 420 is configured to determine whether the multiple nodes include at least one target node, where the at least one target node includes a data change node and/or a newly added node.
The update module 430 is configured to, if the multiple nodes include the at least one target node, update the gateway configuration of the API corresponding to each target node in the at least one target node to obtain the latest network configuration of each API.
The configuration module 440 is configured to configure the gateway processing logic model according to the latest network configuration of each API.
In an exemplary embodiment, the judgment module 420 is further configured to: detect whether the version information of each of the multiple nodes has changed; and, if the nodes include a node whose version information has changed, determine that node as a target node.
The version information of each node is updated according to API change events sent by the gateway management platform connected to the collaborative service cluster; an API change event indicates that an API in the gateway management platform has changed or that an API has been added.
In an exemplary embodiment, the update module 430 is further configured to: send a gateway configuration update request to the gateway management platform, so that the gateway management platform returns the latest gateway configuration of the API corresponding to each target node; receive the latest gateway configuration of the API corresponding to each target node returned by the gateway management platform; and update the current gateway configuration of the API corresponding to the target node according to the latest gateway configuration of the API corresponding to each target node.
In an exemplary embodiment, the configuration module 440 is further configured to: load the latest network configuration of each API into memory and configure the gateway processing logic model: configure a filter chain for each API, and instantiate the multiple filters in the filter chain to obtain the corresponding multiple instances.
In an exemplary embodiment, the configuration module 440 is further configured to configure multiple components for the multiple instances to call. The multiple components include one or more of the following: a routing component, a parameter conversion component, an API orchestration component, a rate-limiting protection component, a circuit-breaker protection component, a service degradation component, an encryption signature component, an authorization verification component, and a logging component, where: the API orchestration component is configured to call the API services in order for a user request, according to the orchestration JSON template provided by the gateway service platform; the rate-limiting protection component is configured to monitor the request count of the request counting window based on a sliding window algorithm to obtain the request count of the current window, and to determine whether to perform a rate-limiting operation according to the request count of the current window and the request count of the previous window; the circuit-breaker protection component has a closed state, a half-open state, and an open state, and is configured as follows: in the closed state, if the number of failed API calls within a preset time window reaches a preset threshold, it enters the half-open state; in the half-open state, if every API call succeeds, it returns from the half-open state to the closed state; in the open state, it starts a timer, and when the timer reaches a predetermined time it returns from the open state to the half-open state; the service degradation component is configured to stop data processing and return a degradation return code or message when the service state of the service provider is the degraded state; the authorization verification component is configured to verify authorization through an authorization filter according to preset authorization rules and to return a code value rejecting the request when the authorization is invalid, the preset authorization rules including call time, number of calls, and/or concurrency; and the logging component is configured to generate a serial number for each call event and to send the information associated with the call event asynchronously to the message platform.
In an exemplary embodiment, the encryption signature component is configured to: receive an encrypted request carrying the first signature private key sent by the service consumer, where the encrypted request carrying the signature private key is obtained from the service consumer identification number and the first signature private key; perform signature verification with the first signature public key corresponding to the first signature private key to obtain the decrypted business parameters and service consumer identification number; encrypt the decrypted business parameters and service consumer identification number according to the second signature private key to generate an encrypted request carrying the second signature private key; and forward the encrypted request carrying the second signature private key to the service provider, so that the service provider performs a decryption operation with the second signature public key and performs the corresponding operation according to the encrypted request carrying the second signature private key.
In an exemplary embodiment, the configuration module 440 is further configured to configure multiple plug-ins for the multiple instances to call, where each plug-in corresponds to one business rule.
Embodiment 3
FIG. 5 schematically shows the hardware architecture of a computer device 2 suitable for implementing the cloud gateway configuration method according to Embodiment 3 of the present application. In this embodiment, the computer device 2 is a device that can automatically perform numerical calculation and/or information processing according to preset or stored instructions. For example, it may be a rack server, a blade server, a tower server, or a cabinet server with a gateway function (including a standalone server or a server cluster composed of multiple servers). As shown in FIG. 5, the computer device 6 includes at least, but is not limited to, a memory 510, a processor 520, and a network interface 530 that can communicate with one another through a system bus. Specifically:
The memory 510 may be volatile or non-volatile. The memory 510 includes at least one type of computer-readable storage medium; readable storage media include flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disc, and so on. In some embodiments, the memory 510 may be an internal storage module of the computer device 2, such as the hard disk or memory of the computer device 2. In other embodiments, the memory 510 may be an external storage device of the computer device 2, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, or a flash card fitted to the computer device 2. The memory 510 may of course also include both an internal storage module of the computer device 2 and an external storage device. In this embodiment, the memory 510 is generally used to store the operating system and the various application software installed on the computer device 2, such as the program code of the cloud gateway configuration method. The memory 510 can also be used to temporarily store various data that has been output or is about to be output.
In some embodiments, the processor 520 may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor, or another data processing chip. The processor 520 is generally used to control the overall operation of the computer device 2, for example to perform control and processing related to data interaction or communication with the computer device 2. In this embodiment, the processor 520 is used to run the program code stored in the memory 510 or to process data.
The network interface 530 may include a wireless network interface or a wired network interface, and is generally used to establish communication links between the computer device 2 and other computer devices. For example, the network interface 530 is used to connect the computer device 2 to an external terminal through a network and to establish a data transmission channel and a communication link between the computer device 2 and the external terminal. The network may be a wireless or wired network such as an intranet, the Internet, the Global System for Mobile Communications (GSM), Wideband Code Division Multiple Access (WCDMA), a 4G network, a 5G network, Bluetooth, or Wi-Fi.
需要指出的是,图5仅示出了具有部件510-530的计算机设备,但是应理解的是,并不要求实施所有示出的部件,可以替代的实施更多或者更少的部件。It should be pointed out that FIG. 5 only shows a computer device with components 510-530, but it should be understood that it is not required to implement all the components shown, and more or fewer components may be implemented instead.
在本实施例中,存储于存储器510中的云网关配置方法还可以被分割为一个或者多个程序模块,并由一个或多个处理器(本实施例为处理器520)所执行,以完成本申请实施例。In this embodiment, the cloud gateway configuration method stored in the memory 510 can also be divided into one or more program modules and executed by one or more processors (the processor 520 in this embodiment) to complete Examples of this application.
Embodiment Four
This embodiment also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the following steps are implemented:
monitoring gateway configuration data stored in a tree structure in a collaborative service cluster, wherein the tree structure includes a plurality of nodes in one-to-one correspondence with a plurality of APIs;
determining whether the plurality of nodes includes at least one target node, wherein the at least one target node includes a data-changed node and/or a newly added node;
if the plurality of nodes includes the at least one target node, updating the gateway configuration of the API corresponding to each target node of the at least one target node, to obtain the latest network configuration of each API; and
configuring a gateway processing logic model according to the latest network configuration of each API.
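The four steps above, sketched as an added example (not code from the patent): nodes that are new or whose version differs from the one in use are treated as target nodes, only those APIs are refreshed, and a refreshed filter chain is validated before it replaces the one in memory. The node paths, the filter names, the `fetch_latest_config` callback standing in for the gateway management platform, and the validation policy are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Filter names are assumptions; the patent names components but gives no identifiers.
KNOWN_FILTERS = {"auth", "sign", "rate_limit", "circuit_breaker", "route", "log"}


@dataclass(frozen=True)
class NodeStat:
    path: str     # one node per API, e.g. /gateway/apis/orders (assumed layout)
    version: int  # data version reported by the collaborative service cluster


@dataclass
class GatewayModel:
    chains: Dict[str, List[str]] = field(default_factory=dict)  # path -> filter chain
    applied: Dict[str, int] = field(default_factory=dict)       # path -> version in use


def find_target_nodes(applied: Dict[str, int], snapshot: List[NodeStat]) -> List[NodeStat]:
    """Target nodes are newly added nodes plus nodes whose version changed."""
    return [n for n in snapshot if applied.get(n.path) != n.version]


def validate_chain(filters) -> List[str]:
    """Reject a chain the gateway should not load (assumed local policy)."""
    if not isinstance(filters, list) or not filters:
        raise ValueError("empty filter chain")
    unknown = [f for f in filters if f not in KNOWN_FILTERS]
    if unknown:
        raise ValueError(f"unknown filters: {unknown}")
    if "auth" not in filters or "route" not in filters:
        raise ValueError("chain needs both auth and route")
    if filters.index("auth") > filters.index("route"):
        raise ValueError("auth must run before route")
    return list(filters)


def reconcile(model: GatewayModel, snapshot: List[NodeStat],
              fetch_latest_config: Callable[[str], dict]) -> Tuple[List[str], List[str]]:
    """Refresh only the target nodes; returns (updated_paths, rejected_paths)."""
    updated, rejected = [], []
    for node in find_target_nodes(model.applied, snapshot):
        cfg = fetch_latest_config(node.path)
        try:
            chain = validate_chain(cfg.get("filters"))
        except ValueError:
            # Keep the previous chain and version, so the node stays a target
            # and is retried on the next pass instead of being silently accepted.
            rejected.append(node.path)
            continue
        model.chains[node.path] = chain
        model.applied[node.path] = node.version
        updated.append(node.path)
    return updated, rejected


def demo():
    """Constructed data: two passes over a changing tree."""
    orders, users, pay = "/gateway/apis/orders", "/gateway/apis/users", "/gateway/apis/pay"
    platform = {
        orders: {"filters": ["auth", "rate_limit", "route", "log"]},
        users: {"filters": ["auth", "route"]},
    }
    model = GatewayModel()
    first = reconcile(model, [NodeStat(orders, 0), NodeStat(users, 0)], platform.__getitem__)
    # The orders node changes to a chain without auth, and a new API node appears.
    platform[orders] = {"filters": ["route", "log"]}
    platform[pay] = {"filters": ["auth", "sign", "route"]}
    second = reconcile(model, [NodeStat(orders, 1), NodeStat(users, 0), NodeStat(pay, 0)],
                       platform.__getitem__)
    return first, second, model


if __name__ == "__main__":
    print(demo()[:2])
```

In the second pass the unchanged `users` node is skipped, the new `pay` node is loaded, and the changed `orders` node is rejected while its earlier chain keeps serving.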
In this embodiment, the computer-readable storage medium may be volatile or non-volatile. Computer-readable storage media include flash memory, hard disks, multimedia cards, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disks, optical disks, and the like. In some embodiments, the computer-readable storage medium may be an internal storage unit of a computer device, for example the hard disk or internal memory of the computer device. In other embodiments, the computer-readable storage medium may also be an external storage device of the computer device, for example a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, or a flash card fitted to the computer device. Of course, the computer-readable storage medium may also include both the internal storage unit of the computer device and its external storage device. In this embodiment, the computer-readable storage medium is generally used to store the operating system and the various application software installed on the computer device, such as the program code of the cloud gateway configuration method in the embodiments. In addition, the computer-readable storage medium may also be used to temporarily store various types of data that have been output or are to be output.
Obviously, those skilled in the art should understand that the modules or steps of the embodiments of the present application described above can be implemented with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described can be performed in an order different from the one given here, or they can each be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, the embodiments of the present application are not limited to any specific combination of hardware and software.
The above are only preferred embodiments of the present application and do not thereby limit the patent scope of the embodiments of the present application. Any equivalent structure or equivalent process transformation made using the content of the description and drawings of the embodiments of the present application, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the embodiments of the present application.

Claims (20)

  1. A cloud gateway configuration method, wherein the method comprises:
    monitoring gateway configuration data stored in a tree structure in a collaborative service cluster, wherein the tree structure includes a plurality of nodes in one-to-one correspondence with a plurality of APIs;
    determining whether the plurality of nodes includes at least one target node, wherein the at least one target node includes a data-changed node and/or a newly added node;
    if the plurality of nodes includes the at least one target node, updating the gateway configuration of the API corresponding to each target node of the at least one target node, to obtain the latest network configuration of each API; and
    configuring a gateway processing logic model according to the latest network configuration of each API.
  2. The cloud gateway configuration method according to claim 1, wherein determining whether the plurality of nodes includes at least one target node comprises:
    detecting whether the version information of each of the plurality of nodes has changed; and
    if the nodes include a node whose version information has changed, determining the node whose version information has changed to be a target node.
  3. The cloud gateway configuration method according to claim 1, wherein updating the gateway configuration of the API corresponding to each target node of the at least one target node comprises:
    sending a gateway configuration update request to a gateway management platform, so that the gateway management platform returns the latest gateway configuration of the API corresponding to each target node;
    receiving the latest gateway configuration of the API corresponding to each target node returned by the gateway management platform; and
    updating the current gateway configuration of the API corresponding to the target node according to the latest gateway configuration of the API corresponding to each target node.
  4. The cloud gateway configuration method according to claim 1, wherein configuring the gateway processing logic model according to the latest network configuration of each API comprises:
    loading the latest network configuration of each API into memory and configuring the gateway processing logic model:
    configuring a filter chain for each API and instantiating the plurality of filters in the filter chain to obtain a corresponding plurality of instances.
  5. The cloud gateway configuration method according to claim 4, wherein the step of configuring the gateway processing logic model further comprises:
    configuring a plurality of components to be called by the plurality of instances;
    the plurality of components includes one or more of the following: a routing component, a parameter conversion component, an API orchestration component, a rate-limiting protection component, a circuit-breaker protection component, a service degradation component, an encryption signature component, an authorization verification component, and a logging component; wherein:
    the API orchestration component is configured to: call each API service in sequence for a user request according to an orchestration JSON template provided by the gateway service platform;
    the rate-limiting protection component is configured to: monitor the request count of a request counting window based on a sliding window algorithm, to obtain the request count of the current window; and determine whether to perform a rate-limiting operation according to the request count of the current window and the request count of the previous window;
    the circuit-breaker protection component, which has a closed state, a half-open state and an open state, is configured to: if in the closed state and the number of failed API calls within a preset time window reaches a preset threshold, enter the half-open state; if in the half-open state and every API call succeeds, return from the half-open state to the closed state; if in the open state, start a timer and, when the timer reaches a predetermined time, return from the open state to the half-open state;
    the service degradation component is configured to: when the service state of the service provider is degraded, stop data processing and return a degradation return code or message;
    the authorization verification component is configured to: verify authorization through an authorization filter according to preset authorization rules, and return a code value rejecting the request when the authorization is invalid; the preset authorization rules include call time, number of calls and/or concurrency;
    the logging component is configured to: generate a serial number for each call event, and asynchronously send the information associated with the call event to a message platform.
  6. The cloud gateway configuration method according to claim 5, wherein the encryption signature component is configured to:
    receive an encrypted request carrying a first signature private key sent by a service consumer, wherein the encrypted request carrying the signature private key is obtained from the service consumer identification number and the first signature private key;
    perform signature verification with a first signature public key corresponding to the first signature private key, to obtain the decrypted service parameters and service consumer identification number;
    encrypt the decrypted service parameters and service consumer identification number with a second signature private key, to generate an encrypted request carrying the second signature private key; and
    forward the encrypted request carrying the second signature private key to the service provider, so that the service provider performs a decryption operation with a second signature public key and performs the corresponding operation according to the encrypted request carrying the second signature private key.
  7. The cloud gateway configuration method according to claim 4, wherein the step of configuring the gateway processing logic model further comprises:
    configuring a plurality of plug-ins to be called by the plurality of instances, wherein each plug-in corresponds to one business rule.
  8. A cloud gateway configuration system, comprising:
    a monitoring module, used to monitor gateway configuration data stored in a tree structure in a collaborative service cluster, wherein the tree structure includes a plurality of nodes in one-to-one correspondence with a plurality of APIs;
    a determining module, used to determine whether the plurality of nodes includes at least one target node, wherein the at least one target node includes a data-changed node and/or a newly added node;
    an update module, used to update, if the plurality of nodes includes the at least one target node, the gateway configuration of the API corresponding to each target node of the at least one target node, to obtain the latest network configuration of each API; and
    a configuration module, used to configure a gateway processing logic model according to the latest network configuration of each API.
  9. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the following steps:
    monitoring gateway configuration data stored in a tree structure in a collaborative service cluster, wherein the tree structure includes a plurality of nodes in one-to-one correspondence with a plurality of APIs;
    determining whether the plurality of nodes includes at least one target node, wherein the at least one target node includes a data-changed node and/or a newly added node;
    if the plurality of nodes includes the at least one target node, updating the gateway configuration of the API corresponding to each target node of the at least one target node, to obtain the latest network configuration of each API; and
    configuring a gateway processing logic model according to the latest network configuration of each API.
  10. The computer device according to claim 9, wherein determining whether the plurality of nodes includes at least one target node comprises:
    detecting whether the version information of each of the plurality of nodes has changed; and
    if the nodes include a node whose version information has changed, determining the node whose version information has changed to be a target node.
  11. The computer device according to claim 9, wherein updating the gateway configuration of the API corresponding to each target node of the at least one target node comprises:
    sending a gateway configuration update request to a gateway management platform, so that the gateway management platform returns the latest gateway configuration of the API corresponding to each target node;
    receiving the latest gateway configuration of the API corresponding to each target node returned by the gateway management platform; and
    updating the current gateway configuration of the API corresponding to the target node according to the latest gateway configuration of the API corresponding to each target node.
  12. The computer device according to claim 9, wherein configuring the gateway processing logic model according to the latest network configuration of each API comprises:
    loading the latest network configuration of each API into memory and configuring the gateway processing logic model:
    configuring a filter chain for each API and instantiating the plurality of filters in the filter chain to obtain a corresponding plurality of instances.
  13. The computer device according to claim 12, wherein the step of configuring the gateway processing logic model further comprises:
    configuring a plurality of components to be called by the plurality of instances;
    the plurality of components includes one or more of the following: a routing component, a parameter conversion component, an API orchestration component, a rate-limiting protection component, a circuit-breaker protection component, a service degradation component, an encryption signature component, an authorization verification component, and a logging component; wherein:
    the API orchestration component is configured to: call each API service in sequence for a user request according to an orchestration JSON template provided by the gateway service platform;
    the rate-limiting protection component is configured to: monitor the request count of a request counting window based on a sliding window algorithm, to obtain the request count of the current window; and determine whether to perform a rate-limiting operation according to the request count of the current window and the request count of the previous window;
    the circuit-breaker protection component, which has a closed state, a half-open state and an open state, is configured to: if in the closed state and the number of failed API calls within a preset time window reaches a preset threshold, enter the half-open state; if in the half-open state and every API call succeeds, return from the half-open state to the closed state; if in the open state, start a timer and, when the timer reaches a predetermined time, return from the open state to the half-open state;
    the service degradation component is configured to: when the service state of the service provider is degraded, stop data processing and return a degradation return code or message;
    the authorization verification component is configured to: verify authorization through an authorization filter according to preset authorization rules, and return a code value rejecting the request when the authorization is invalid; the preset authorization rules include call time, number of calls and/or concurrency;
    the logging component is configured to: generate a serial number for each call event, and asynchronously send the information associated with the call event to a message platform.
  14. The computer device according to claim 13, wherein the encryption signature component is configured to:
    receive an encrypted request carrying a first signature private key sent by a service consumer, wherein the encrypted request carrying the signature private key is obtained from the service consumer identification number and the first signature private key;
    perform signature verification with a first signature public key corresponding to the first signature private key, to obtain the decrypted service parameters and service consumer identification number;
    encrypt the decrypted service parameters and service consumer identification number with a second signature private key, to generate an encrypted request carrying the second signature private key; and
    forward the encrypted request carrying the second signature private key to the service provider, so that the service provider performs a decryption operation with a second signature public key and performs the corresponding operation according to the encrypted request carrying the second signature private key.
  15. The computer device according to claim 12, wherein the step of configuring the gateway processing logic model further comprises:
    configuring a plurality of plug-ins to be called by the plurality of instances, wherein each plug-in corresponds to one business rule.
  16. A computer-readable storage medium in which a computer program is stored, the computer program being executable by at least one processor to cause the at least one processor to perform the following steps:
    monitoring gateway configuration data stored in a tree structure in a collaborative service cluster, wherein the tree structure includes a plurality of nodes in one-to-one correspondence with a plurality of APIs;
    determining whether the plurality of nodes includes at least one target node, wherein the at least one target node includes a data-changed node and/or a newly added node;
    if the plurality of nodes includes the at least one target node, updating the gateway configuration of the API corresponding to each target node of the at least one target node, to obtain the latest network configuration of each API; and
    configuring a gateway processing logic model according to the latest network configuration of each API.
  17. The computer-readable storage medium according to claim 16, wherein determining whether the plurality of nodes includes at least one target node comprises:
    detecting whether the version information of each of the plurality of nodes has changed; and
    if the nodes include a node whose version information has changed, determining the node whose version information has changed to be a target node.
  18. The computer-readable storage medium according to claim 16, wherein updating the gateway configuration of the API corresponding to each target node of the at least one target node comprises:
    sending a gateway configuration update request to a gateway management platform, so that the gateway management platform returns the latest gateway configuration of the API corresponding to each target node;
    receiving the latest gateway configuration of the API corresponding to each target node returned by the gateway management platform; and
    updating the current gateway configuration of the API corresponding to the target node according to the latest gateway configuration of the API corresponding to each target node.
  19. The computer-readable storage medium according to claim 16, wherein configuring the gateway processing logic model according to the latest network configuration of each API comprises:
    loading the latest network configuration of each API into memory and configuring the gateway processing logic model:
    configuring a filter chain for each API and instantiating the plurality of filters in the filter chain to obtain a corresponding plurality of instances.
  20. The computer-readable storage medium according to claim 19, wherein the step of configuring the gateway processing logic model further comprises:
    configuring a plurality of components to be called by the plurality of instances;
    the plurality of components includes one or more of the following: a routing component, a parameter conversion component, an API orchestration component, a rate-limiting protection component, a circuit-breaker protection component, a service degradation component, an encryption signature component, an authorization verification component, and a logging component; wherein:
    the API orchestration component is configured to: call each API service in sequence for a user request according to an orchestration JSON template provided by the gateway service platform;
    the rate-limiting protection component is configured to: monitor the request count of a request counting window based on a sliding window algorithm, to obtain the request count of the current window; and determine whether to perform a rate-limiting operation according to the request count of the current window and the request count of the previous window;
    the circuit-breaker protection component, which has a closed state, a half-open state and an open state, is configured to: if in the closed state and the number of failed API calls within a preset time window reaches a preset threshold, enter the half-open state; if in the half-open state and every API call succeeds, return from the half-open state to the closed state; if in the open state, start a timer and, when the timer reaches a predetermined time, return from the open state to the half-open state;
    the service degradation component is configured to: when the service state of the service provider is degraded, stop data processing and return a degradation return code or message;
    the authorization verification component is configured to: verify authorization through an authorization filter according to preset authorization rules, and return a code value rejecting the request when the authorization is invalid; the preset authorization rules include call time, number of calls and/or concurrency;
    the logging component is configured to: generate a serial number for each call event, and asynchronously send the information associated with the call event to a message platform.
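The rate-limiting component of claims 5, 13 and 20 decides from the request counts of the current and the previous window. An added sketch of one common way to combine them (not code from the patent): the previous window's count is weighted by the share of it that still overlaps the sliding window, which closes the burst a plain fixed-window counter lets through at a window boundary. The weighting formula, the class and function names, and the sample timestamps are assumptions.

```python
from typing import List, Optional, Tuple


class SlidingWindowLimiter:
    """Sliding-window counter built from two fixed windows (assumed scheme)."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.index: Optional[int] = None  # number of the current fixed window
        self.curr = 0                     # requests admitted in the current window
        self.prev = 0                     # requests admitted in the previous window

    def _roll(self, now: float) -> None:
        index = int(now // self.window)
        if self.index is None or index > self.index + 1:
            self.prev, self.curr = 0, 0          # first request, or a fully idle window
        elif index == self.index + 1:
            self.prev, self.curr = self.curr, 0  # moved on by exactly one window
        else:
            return                               # same window, or clock stepped back
        self.index = index

    def estimate(self, now: float) -> float:
        """Estimated requests in the last `window` seconds ending at `now`."""
        self._roll(now)
        elapsed = (now % self.window) / self.window
        return self.prev * (1.0 - elapsed) + self.curr

    def allow(self, now: float) -> bool:
        if self.estimate(now) + 1 > self.limit:
            return False  # the gateway would reject or queue this request here
        self.curr += 1
        return True


def fixed_window_decisions(times: List[float], limit: int, window: float) -> List[bool]:
    """Baseline for comparison: counts reset at every window boundary."""
    counts, out = {}, []
    for t in times:
        idx = int(t // window)
        ok = counts.get(idx, 0) < limit
        if ok:
            counts[idx] = counts.get(idx, 0) + 1
        out.append(ok)
    return out


def demo() -> Tuple[List[bool], List[bool]]:
    """Constructed traffic: 10 requests just before a 60 s boundary, 10 just after."""
    times = [50.0 + i for i in range(10)] + [61.5 + i for i in range(10)]
    limiter = SlidingWindowLimiter(limit=10, window_seconds=60.0)
    sliding = [limiter.allow(t) for t in times]
    fixed = fixed_window_decisions(times, limit=10, window=60.0)
    return fixed, sliding


if __name__ == "__main__":
    fixed, sliding = demo()
    print("fixed window admitted:", sum(fixed))
    print("sliding window admitted:", sum(sliding))
```

With a limit of 10 per 60 seconds, the fixed-window baseline admits all 20 requests in about 20 seconds, while the two-window estimate admits 11.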
PCT/CN2021/070925 2020-01-09 2021-01-08 Cloud gateway configuration method, system, apparatus, and computer readable storage medium WO2021139788A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010023851.3A CN111049695A (en) 2020-01-09 2020-01-09 Cloud gateway configuration method and system
CN202010023851.3 2020-01-09

Publications (1)

Publication Number Publication Date
WO2021139788A1 true WO2021139788A1 (en) 2021-07-15

Family

ID=70244260

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/070925 WO2021139788A1 (en) 2020-01-09 2021-01-08 Cloud gateway configuration method, system, apparatus, and computer readable storage medium

Country Status (2)

Country Link
CN (1) CN111049695A (en)
WO (1) WO2021139788A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113839961A (en) * 2021-11-25 2021-12-24 北京华电众信技术股份有限公司 Method and apparatus for controlling gateway device, and computer-readable storage medium

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111049695A (en) * 2020-01-09 2020-04-21 深圳壹账通智能科技有限公司 Cloud gateway configuration method and system
CN112260876B (en) * 2020-10-26 2022-08-16 欧冶云商股份有限公司 Dynamic gateway route configuration method, platform, computer equipment and storage medium
CN112543118A (en) * 2020-11-25 2021-03-23 浪潮云信息技术股份公司 Method for realizing API gateway interface arrangement based on configuration
CN112615786B (en) * 2020-12-04 2023-04-04 北京神州泰岳软件股份有限公司 Route determining method and device, electronic equipment and computer readable storage medium
CN112527701A (en) * 2020-12-11 2021-03-19 深圳航天智慧城市系统技术研究院有限公司 Multi-system linkage control method, device, equipment and computer readable storage medium
CN112799734B (en) * 2021-01-07 2024-04-19 广州虎牙科技有限公司 Flow management method, image processing method, and corresponding platform and device thereof
CN112948856B (en) * 2021-03-03 2022-11-15 电信科学技术第五研究所有限公司 Tamper-proof credible network collaborative control system and implementation method
CN113110887B (en) * 2021-03-31 2023-07-21 联想(北京)有限公司 Information processing method, device, electronic equipment and storage medium
CN113132114B (en) * 2021-04-22 2023-03-10 广州市品高软件股份有限公司 Method, device, medium and equipment for realizing multi-cloud-pipe unified interface gateway
CN113452617B (en) * 2021-06-24 2023-12-19 上海豹云网络信息服务有限公司 Dynamic gateway route management method, device and storage medium
CN113765701B (en) * 2021-08-02 2024-02-20 中企云链(北京)金融信息服务有限公司 Gateway control method based on permanent memory cache
CN114448786B (en) * 2021-12-27 2024-06-07 天翼云科技有限公司 Gateway configuration processing method, device, system and computer equipment
CN114726773B (en) * 2022-03-23 2024-07-02 阿里云计算有限公司 Cloud network system, message forwarding method, chip and cloud gateway equipment
CN115225493B (en) * 2022-07-11 2023-11-28 上海焜耀网络科技有限公司 Configuration generation method and device of networking node based on wireless
CN115865670B (en) * 2023-02-27 2023-06-16 灵长智能科技(杭州)有限公司 Method and device for adjusting concurrency performance of WEB security gateway based on kernel tuning

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9936005B1 (en) * 2017-07-28 2018-04-03 Kong Inc. Systems and methods for distributed API gateways
CN108234653A (en) * 2018-01-03 2018-06-29 马上消费金融股份有限公司 Method and device for processing service request
US20190018670A1 (en) * 2017-07-13 2019-01-17 Vmware, Inc. Method to deploy new version of executable in node based environments
CN110149364A (en) * 2019-04-15 2019-08-20 厦门市美亚柏科信息股份有限公司 Method, apparatus, the storage medium of micro services are provided based on data service platform
CN111049695A (en) * 2020-01-09 2020-04-21 深圳壹账通智能科技有限公司 Cloud gateway configuration method and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9477936B2 (en) * 2012-02-09 2016-10-25 Rockwell Automation Technologies, Inc. Cloud-based operator interface for industrial automation
CN105827446B (en) * 2016-03-31 2019-04-30 深圳市金溢科技股份有限公司 A kind of intelligent transportation API gateway and intelligent transportation operation system
CN106533944B (en) * 2016-12-29 2020-04-28 金蝶软件(中国)有限公司 Distributed API gateway, management method and management system
CN108965007B (en) * 2018-07-19 2021-08-27 北京车和家信息技术有限公司 API gateway interface configuration updating method and device
CN109582441A (en) * 2018-11-30 2019-04-05 北京百度网讯科技有限公司 For providing system, the method and apparatus of container service
CN110493067B (en) * 2019-09-05 2022-02-18 中国银联股份有限公司 Method and device for updating API gateway service

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190018670A1 (en) * 2017-07-13 2019-01-17 Vmware, Inc. Method to deploy new version of executable in node based environments
US9936005B1 (en) * 2017-07-28 2018-04-03 Kong Inc. Systems and methods for distributed API gateways
CN108234653A (en) * 2018-01-03 2018-06-29 马上消费金融股份有限公司 Method and device for processing service request
CN110149364A (en) * 2019-04-15 2019-08-20 厦门市美亚柏科信息股份有限公司 Method, apparatus, the storage medium of micro services are provided based on data service platform
CN111049695A (en) * 2020-01-09 2020-04-21 深圳壹账通智能科技有限公司 Cloud gateway configuration method and system

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113839961A (en) * 2021-11-25 2021-12-24 北京华电众信技术股份有限公司 Method and apparatus for controlling gateway device, and computer-readable storage medium

Also Published As

Publication number Publication date
CN111049695A (en) 2020-04-21

Similar Documents

Publication Publication Date Title
WO2021139788A1 (en) Cloud gateway configuration method, system, apparatus, and computer readable storage medium
US11271948B2 (en) System, method, and computer program for verifying virtual network function (VNF) package and/or network service definition integrity
CN109417576B (en) System and method for providing transmission of compliance requirements for cloud applications
US11418532B1 (en) Automated threat modeling using machine-readable threat models
CN111108733B (en) System, method and computer program for providing security in Network Function Virtualization (NFV) -based communication networks and Software Defined Networks (SDNS)
JP7228322B2 (en) Auto-commit transaction management in blockchain networks
US20180217871A1 (en) Discovering and publishing api information
US9774541B1 (en) System, method, and computer program for generating an orchestration data tree utilizing a network function virtualization orchestrator (NFV-O) data model
US9794160B1 (en) System, method, and computer program for testing composite services in a communication network utilizing test data
US9912573B1 (en) System, method, and computer program for testing a network service associated with a communications network
US20170279611A1 (en) Cryptographically assured zero-knowledge cloud services for elemental transactions
US10282461B2 (en) Structure-based entity analysis
US20170019455A1 (en) Service onboarding
US20220321602A1 (en) Frictionless supplementary multi-factor authentication for sensitive transactions within an application session
WO2023051232A1 (en) Computing cluster system, security authentication method, node device and storage medium
US10192262B2 (en) System for periodically updating backings for resource requests
AU2015404396B2 (en) Federated marketplace portal
US10027569B1 (en) System, method, and computer program for testing virtual services
US10013237B2 (en) Automated approval
CN115878259A (en) Protecting instances of resources of a container orchestration platform from inadvertent deletion
US11924112B2 (en) Real-time data transaction configuration of network devices
US20200252451A1 (en) Hybrid cloud compliance and remediation services
Rahman et al. Blockchain-enabled SLA compliance for crowdsourced edge-based network function virtualization
US11595471B1 (en) Method and system for electing a master in a cloud based distributed system using a serverless framework
US10387183B1 (en) System, method, and computer program for reducing common work of components in a network function virtualization (NFV) based communication network

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 21738334

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN EP: public notification in the EP bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 09/11/2022)

122 EP: PCT application non-entry in European phase

Ref document number: 21738334

Country of ref document: EP

Kind code of ref document: A1