WO2022126968A1 - Micro-service access method, apparatus and device, and storage medium - Google Patents


Info

Publication number
WO2022126968A1
Authority
WO
WIPO (PCT)
Prior art keywords
microservice
target
access request
preset
access
Prior art date
Application number
PCT/CN2021/090256
Other languages
French (fr)
Chinese (zh)
Inventor
陈忠平
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2022126968A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]
    • H04L 63/108: Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time

Definitions

  • the present application relates to the field of gateway control, and in particular, to a microservice access method, apparatus, device and storage medium.
  • authorization control for authentication, application programming interfaces (APIs) and menus generally uses a shared jar package: microservices that require authorization control import the authorization package and adapt to it, or a separate permission management module is developed for each application.
  • the existing permission control scheme is highly intrusive to microservices. Generally, a corresponding permission-related table must be created in the microservice, permission-related data must be stored in the local database, and the local database must then be adapted to the interface in the jar package. At the same time, because permissions are not managed in a unified way, the inventor realized that when a system has multiple sub-microservices, permission data must be synchronized between the sub-microservices, which easily leads to inconsistent permission data. In addition, each sub-microservice must implement its own permission verification rules, and each sub-microservice requires considerable development and testing effort to integrate permission checks, resulting in low permission verification efficiency for microservice clusters and low microservice access accuracy.
  • the main purpose of this application is to solve the problems of low authorization verification efficiency of microservice clusters and low access accuracy of microservices.
  • a first aspect of the present application provides a microservice access method, including: intercepting a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, the preset microservice gateway being a request interceptor implemented based on a preset route filtering object; obtaining the current time and the expiration time of the target user token, and judging whether the expiration time is greater than the current time; if the expiration time is less than or equal to the current time, obtaining a new user token, sending a permission acquisition request to the target permission management service according to the new user token, obtaining a target user permission list, and writing the target user permission list according to the new user token
  • into the session information in the in-memory database, where the target rights management service is used to instruct the microservice authorization operation for multiple tenants; if the expiration time is greater than the current time, querying the session information in the in-memory database according to the target user token to obtain the tenant identification value and cached permission list data,
  • a second aspect of the present application provides a microservice access device, comprising a memory, a processor, and computer-readable instructions stored on the memory and executable on the processor, and when the processor executes the computer-readable instructions
  • the following steps are implemented: intercepting the microservice access request through a preset microservice gateway to obtain the access request address and the target user token, the preset microservice gateway being a request interceptor implemented based on a preset route filtering object; obtaining the current time and the expiration time of the target user token, and determining whether the expiration time is greater than the current time; if the expiration time is less than or equal to the current time, obtaining a new user token, sending a permission acquisition request to the target permission management service according to the new user token, obtaining the target user permission list, and writing the target user permission list into the session information in the in-memory database according to the new user token, where the target permission management
  • service is used to instruct multiple tenants to perform microservice authorization operations; if the expiration time is greater than the current time, query the
  • a third aspect of the present application provides a computer-readable storage medium, where computer instructions are stored in the computer-readable storage medium, and when the computer instructions are executed on a computer, the computer is caused to perform the following steps: intercepting the microservice access request through a preset microservice gateway to obtain the access request address and the target user token, the preset microservice gateway being a request interceptor implemented based on the preset route filtering object; obtaining the current time and the expiration time of the target user token, and determining whether the expiration time is greater than the current time; if the expiration time is less than or equal to the current time, obtaining a new user token, sending a permission acquisition request to the target rights management service according to the new user token, obtaining the target user permission list, and writing the target user permission list into the session information in the in-memory database according to the new user token, where the target rights management service is used to instruct multiple tenants to perform microservice authorization operations; if the expiration time is greater than the current time, querying the session information in the in-memory database according to the target user
  • the access request address exists; if the access request address does not exist in the cached permission list data, operation log information is generated according to the target user token and the tenant identification value, and warning information is obtained and displayed.
  • the warning information is used to indicate that the microservice access request is restricted; if the access request address exists in the cached permission list data, the target microservice cluster is determined based on the tenant identification value, and the target system microservice in the target microservice cluster is accessed according to the access request address to obtain an access result.
  • a fourth aspect of the present application provides a microservice access device, including: an interception module configured to intercept a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, the preset microservice gateway being a request interceptor implemented based on a preset route filtering object; a judgment module configured to obtain the current time and the expiration time of the target user token and judge whether the expiration time is greater than the current time; a writing module configured, if the expiration time is less than or equal to the current time, to obtain a new user token, send a permission acquisition request to the target rights management service according to the new user token to obtain the target user permission list, and write the target user permission list into the session information in the in-memory database according to the new user token, where the target permission management service is used to instruct the microservice authorization operation for multiple tenants; a query module configured, if the expiration time is greater than the current time, to query the session information in the in-memory database according to the target
  • a microservice access request is intercepted by a preset microservice gateway, and an access request address and a target user token are obtained, the preset microservice gateway being a request interceptor implemented based on a preset route filtering object; the current time and the expiration time of the target user token are obtained, and it is determined whether the expiration time is greater than the current time; if the expiration time is less than or equal to the current time, a new user token is obtained, a permission acquisition request is sent to the target permission management service according to the new user token, the target user permission list is obtained, and the target user permission list is written into the session information in the in-memory database according to the new user token, where the target permission
  • management service is used to instruct multiple tenants to perform microservice authorization operations; if the expiration time is greater than the current time, the session information in the in-memory database is queried according to the target user token to obtain the tenant identification value and cached permission list data, and it is determined whether the access request address exists in the cached
  • the target microservice cluster accesses the target system microservice in the target microservice cluster according to the access request address, and obtains an access result.
  • the microservice access request is intercepted by the preset microservice gateway, and the access request address and the target user token are obtained; after the user token expires, the target user permission list is obtained from the target rights management service according to the new user token and cached; within the expiration time, the target microservice cluster is determined based on the tenant identification value, and the system microservices in the target microservice cluster are accessed according to the access request address, which improves the permission verification efficiency of the microservice cluster and the accuracy of microservice access.
  • FIG. 1 is a schematic diagram of an embodiment of a microservice access method in an embodiment of the present application
  • FIG. 2 is a schematic diagram of another embodiment of a microservice access method in an embodiment of the present application.
  • FIG. 3 is a schematic diagram of an embodiment of a microservice access device in an embodiment of the present application.
  • FIG. 4 is a schematic diagram of another embodiment of a microservice access device in an embodiment of the present application.
  • FIG. 5 is a schematic diagram of an embodiment of a microservice access device in an embodiment of the present application.
  • the embodiments of the present application provide a microservice access method, apparatus, device, and storage medium, which are used to determine a target microservice cluster based on a tenant identification value within an expiration time and to access system microservices in the target microservice cluster according to an access request address, so as to improve the permission verification efficiency of the microservice cluster and the accuracy of microservice access.
  • an embodiment of the microservice access method in the embodiment of the present application includes:
  • the preset microservice gateway is used as the main entrance of the entire microservice front-end traffic. All access to the microservice must pass through the preset microservice gateway.
  • the preset microservice gateway intercepts all microservice access requests and calls the permission service for an authentication check. Specifically, the terminal intercepts the microservice access request sent by the terminal through the preset microservice gateway; the terminal then extracts the corresponding access request address url and target user token token from the microservice access request.
  • the access request address is stored in the blockchain database, which is not specifically limited here.
  • the execution subject of this application may be a microservice access device, or may be a terminal or a server, which is not specifically limited here.
  • the embodiments of the present application take a terminal as an execution subject as an example for description.
  • Each target user token has an expiration time, and its expiration time is consistent with the expiration time of the user's session information in the memory database.
  • the terminal generates the current time according to a preset time generation function (for example, the preset time generation function is time()); the terminal reads the expiration time of the target user token from a preset data configuration table according to the target user token; the terminal subtracts the current time from the expiration time to obtain the difference; the terminal determines whether the difference is greater than 0; if the difference is greater than 0, the terminal determines that the expiration time is greater than the current time and executes step 104; if the difference is less than or equal to 0, the terminal determines that the expiration time is less than or equal to the current time and executes step 103.
  • the preset time generation function is time()
  • if the expiration time is less than or equal to the current time, obtain a new user token, send a permission acquisition request to the target permission management service according to the new user token, obtain the target user permission list, and write the target user permission list according to the new user token
  • into the session information in the in-memory database, where the target permission management service is used to instruct microservice authorization operations for multiple tenants.
  • the terminal updates the expiration time and sends a permission acquisition request to the target rights management service according to the user token, so that the target rights management service looks up and returns the user permission list according to the user token; the terminal then writes the returned user permission
  • list back into the session information in the in-memory database. That is, the terminal searches the in-memory database to see whether the set of urls the token is authorized for contains the url of the current request, and if so routes the request to the corresponding microservice. Because entries in the in-memory database have an expiration time, when the terminal detects that the expiration time is less than or equal to the current time, it reloads and caches the user's permission list from the target rights management service.
  • the target rights management service identifies the corresponding user and the tenant corresponding to the user according to the token, and then queries the user's rights list and returns it to the gateway service.
  • the target permission management service is a microservice built based on the preset framework springboot.
  • the terminal sends a login request to the server, the server creates session information and the target user token, and after mapping the session information and the target user token, sends the associated session information and target user token to the terminal.
  • session information includes permission list data.
  • the target user token is included, and the target user token is used to indicate the unique identification information of the user.
  • the interceptor validates each microservice access request and establishes a security context by validating the target user token and access request address.
  • the security context describes the user principal and its roles.
  • the terminal uses the security context to obtain the user's session information in the in-memory database, and reads the tenant ID value corresponding to the target user token and the cached permission resource list from the session information.
  • if there is no access request address in the cached permission list data, the terminal generates operation log information based on the target user token and the tenant identification value and stores the operation log information in the in-memory database. Further, the terminal performs data persistence processing or data backup processing on the in-memory database to prevent data loss and ensure data security. The terminal then obtains a preset template from the in-memory database and generates warning information according to the preset template; the warning information is used to indicate that the microservice access request is restricted (that is, the user does not have access rights).
  • the target microservice cluster is determined based on the tenant identification value, and the target system microservice in the target microservice cluster is accessed according to the access request address to obtain an access result.
  • the system microservice may be an asset management system, an order management system, or a financial system or a sales management system, which is not specifically limited here.
  • a tenant may include multiple users, and different tenants have their own corresponding system service groups. It is understandable that each table in the preset system service has a tenantId field (tenant identification value) used to mark the tenant to which the data belongs; the microservice access request needs to carry this field as a condition for microservice access after authentication, and all data in the preset system service is marked with the tenant to which it belongs.
  • tenantId tenant identification value
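The gateway-side flow of steps 101 to 105 (extract url and token, compare the token expiry with the current time, refresh the cached permission list when expired, otherwise match the url against the cached list and either log a refusal or route by tenant), as an added example in Python; it is not the patent's Spring Boot/Zuul code. Plain dicts stand in for the Redis session store, the token expiry configuration table and the answers of the rights management service; the parameter names, the session TTL, the re-login mapping and the decision to continue checking the request with the freshly obtained token are assumptions, and all data is constructed.

```python
"""Gateway-side permission check modelled on steps 101-105 (added example, not
the patent's code).  Dicts stand in for the Redis session store, the expiry
configuration table and the rights management service; all data is constructed."""
import time
from dataclasses import dataclass
from typing import Optional

SESSION_TTL = 1800.0  # assumed session lifetime in seconds, shared by token and cache

# Constructed stand-ins for the in-memory database and the expiry configuration table.
SESSION_STORE: dict = {}   # token -> {"tenant_id": str, "permissions": [urls]}
EXPIRY_TABLE: dict = {}    # token -> expiration time, epoch seconds

# Constructed results of re-login and of the rights management service.
RELOGIN_RESULT = {"tok-alice-1": "tok-alice-2"}             # old token -> new token
PERMISSION_SERVICE = {"tok-alice-2": ("tenant-A", ["/order/list", "/order/create"])}

OPERATION_LOG: list = []   # (token, tenant_id, url, time) rows written on refusal


@dataclass
class Outcome:
    allowed: bool
    tenant_id: Optional[str]
    detail: str


def seed_demo() -> None:
    """Reset all constructed state to one session whose token expires at t=1000."""
    SESSION_STORE.clear()
    EXPIRY_TABLE.clear()
    OPERATION_LOG.clear()
    SESSION_STORE["tok-alice-1"] = {"tenant_id": "tenant-A",
                                    "permissions": ["/order/list"]}
    EXPIRY_TABLE["tok-alice-1"] = 1000.0


def refresh_session(old_token: str, clock) -> Optional[str]:
    """Step 103: obtain a new token, fetch the permission list for it from the
    rights management service and rewrite the session under the new token."""
    new_token = RELOGIN_RESULT.get(old_token)
    if new_token is None or new_token not in PERMISSION_SERVICE:
        return None
    tenant_id, permissions = PERMISSION_SERVICE[new_token]
    SESSION_STORE[new_token] = {"tenant_id": tenant_id,
                                "permissions": list(permissions)}
    EXPIRY_TABLE[new_token] = clock() + SESSION_TTL   # cache expires with the token
    return new_token


def gateway_check(headers: dict, clock=time.time) -> Outcome:
    """Steps 101-105 for one intercepted request.  `headers` carries the url and
    token under assumed parameter names; `clock` is the preset time function."""
    url, token = headers.get("url"), headers.get("token")
    if not url or not token:
        return Outcome(False, None, "missing url or token")
    # Step 102: expiry minus current time; <= 0 means the token has expired.
    if EXPIRY_TABLE.get(token, 0.0) - clock() <= 0:
        token = refresh_session(token, clock)   # assumption: continue with the new token
        if token is None:
            return Outcome(False, None, "re-login failed")
    # Step 104: the token is the key into the session store.
    session = SESSION_STORE.get(token)
    if session is None:
        return Outcome(False, None, "no session for token")
    tenant_id = session["tenant_id"]
    if url not in session["permissions"]:
        # Step 105a: record the refused request and raise the warning.
        OPERATION_LOG.append((token, tenant_id, url, clock()))
        return Outcome(False, tenant_id, "warning: microservice access request is restricted")
    # Step 105b: authorised; the tenant id selects the cluster to route to.
    return Outcome(True, tenant_id, f"route {url} to cluster of {tenant_id}")


if __name__ == "__main__":
    seed_demo()
    print(gateway_check({"url": "/order/list", "token": "tok-alice-1"}, lambda: 500.0))
    print(gateway_check({"url": "/asset/delete", "token": "tok-alice-1"}, lambda: 500.0))
    print(gateway_check({"url": "/order/create", "token": "tok-alice-1"}, lambda: 2000.0))
```

The third call in the usage block shows the expiry branch: at t=2000 the old token's expiry (1000) has passed, so the session is rewritten under the new token and the request is then checked against the freshly fetched list. The refusal branch writes a log row keyed by token and tenant, which is what the later persistence and reverse-chronological display of operation logs would operate on.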
  • FIG. 2 another embodiment of the microservice access method in the embodiment of the present application includes:
  • 201 Receive a microservice access request, intercept and parse the microservice access request through a preset microservice gateway, and obtain request header information, where the preset microservice gateway is a request interceptor implemented based on a preset route filtering object zuulfilter.
  • request = RequestContext.getCurrentContext().getRequest(), where request is used to indicate the request header information obtained by the terminal.
  • the terminal adds a new tenant through the target rights management service and configures corresponding tenant information for the tenant; the terminal obtains a configuration file containing multiple user information entries and imports the configuration file into the target rights management service, so as to associate and bind each user with the tenant; the terminal adds at least one system microservice to the tenant and creates resource item information for each system microservice, the resource item information including menu resources and interface buttons; the terminal creates a role tree, sets resource item information for each role in the role tree, and assigns the role data in the role tree to the multiple users associated with the tenant. That is, the terminal controls the access rights of tenants and users to microservices through the target permission service; tenants and users are in a one-to-many relationship, and the target permission service can manage multiple tenants.
  • the access request address and the target user token are extracted from the request header information according to preset parameter names, where the target user token is a string set when the user successfully logs in to the microservice.
  • the terminal obtains the access request address url and the target user token token from the request header information request.
  • the default route filter object is zuulfilter.
  • the terminal also needs to build an in-memory database in advance to cache the session information of the preset microservice gateway.
  • the in-memory database may be the Remote Dictionary Server (redis) service or another database, which is not limited here. The terminal then pre-deploys the preset microservice gateway package; next, the terminal pre-deploys a database cluster based on the object-relational database management system pgsql to serve as the database of the rights management service; finally, the terminal deploys the pre-configured rights service package.
  • step 203: the execution process of step 203 is similar to that of step 102, and details are not repeated here.
  • if the expiration time is less than or equal to the current time, obtain a new user token, send a permission acquisition request to the target permission management service according to the new user token, obtain the target user permission list, and write the target user permission list according to the new user token
  • the user permission list is written to the session information in the in-memory database, and the target permission management service is used to instruct microservice authorization operations for multiple tenants.
  • the target rights management service is used to provide permission resource management, role management, authorization management, and authentication service functions.
  • the target rights management service adds the concept of tenants to the Role-Based Access Control (RBAC) model.
  • RBAC Role-Based Access Control
  • a business system can include multiple microservices for a tenant, including a set of permission data.
  • the permission control data is completely isolated, and the relationship between the token and the tenant is established when logging in.
  • the permission types are divided into operation permission, management permission and authorization permission. Among them, the operation permission is used to control the access and invocation of url, interface buttons and elements, and the permission list returned to the gateway is only the operation permission. Administrative permissions are used to manage the url itself, such as adding, deleting, and modifying.
  • Authorization authority is used to control the grant control of operation and management authority.
  • the target permission management service uses the token to query the corresponding user and tenant from the session, then obtains the user's role list in the tenant, and queries the permission list according to the role list.
  • the terminal calls the preset login page to guide the user to log in again, and obtains the login result; when the login result is the preset value, the terminal determines that the user login is successful, and obtains a new user password.
  • the new user token and the user's session information are mapped and stored in the memory database; the terminal obtains the user's unique ID and tenant ID value from the user's session information according to the new user token, and Send a permission acquisition request to the target rights management service based on the user unique ID and the tenant ID value, so that the target rights management service searches and returns the target user rights list according to the user unique ID and the tenant ID value.
  • the target rights management service is used to instruct multiple tenants to perform the microservice authorization operation; the terminal receives the target user permission list, updates the target user permission list into the session information in the in-memory database based on the new user token, obtains the update result, and determines whether to send the microservice access request according to the update result.
  • the cached permission list data includes a tenant corresponding to the user, a role ID with all permissions, and a resource ID with all permissions.
  • the target permission management service queries the user information based on the user name, the user information including the user's tenant ID value, and then queries the user's role relationship table and role resource relationship table respectively. All role identifiers, resource identifiers and urls are stored in the terminal, and the terminal then saves this information in the user's session information to obtain the cached permission list data.
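How the rights management service side resolves a user to a tenant-scoped permission list (user table, user-role relationship, role-resource relationship, and the rule that only operation permissions are handed to the gateway), as an added Python example that is not the patent's own code. The four tables, their column layout, the user and resource names, and the tenant isolation rule applied to role grants are constructed assumptions; the text states only that tenants, roles and resources are related in this order and that permission data is isolated per tenant.

```python
"""Tenant-scoped RBAC resolution on the rights management service side (added
example, not the patent's code).  Four constructed tables stand in for the user
table, user-role relationship table, role-resource relationship table and
resource table; names, layout and data are assumptions."""
from typing import Dict, List

# Constructed data: tenant-A runs an order system, tenant-B an asset system.
USERS = {"alice": {"tenant_id": "tenant-A"}, "bob": {"tenant_id": "tenant-B"}}
USER_ROLE = [                     # (user, tenant, role): roles are granted per tenant
    ("alice", "tenant-A", "role-order-clerk"),
    ("alice", "tenant-B", "role-asset-viewer"),   # grant outside alice's tenant: ignored
    ("bob", "tenant-B", "role-asset-viewer"),
]
ROLE_RESOURCE = {                 # role -> resource ids
    "role-order-clerk": ["res-1", "res-2", "res-3", "res-4"],   # res-4 belongs to tenant-B
    "role-asset-viewer": ["res-4"],
}
RESOURCES = {                     # resource id -> owning tenant, url, permission type
    "res-1": {"tenant_id": "tenant-A", "url": "/order/list", "type": "operation"},
    "res-2": {"tenant_id": "tenant-A", "url": "/order/create", "type": "operation"},
    "res-3": {"tenant_id": "tenant-A", "url": "/order/menu", "type": "management"},
    "res-4": {"tenant_id": "tenant-B", "url": "/asset/list", "type": "operation"},
}


def resolve_permissions(username: str) -> Dict[str, object]:
    """Return the cached permission list entry for one user: the tenant id, the
    role ids held in that tenant, the resource ids those roles grant within that
    tenant, and the operation-permission urls the gateway will match against."""
    user = USERS.get(username)
    if user is None:
        raise KeyError(f"unknown user {username}")
    tenant_id = user["tenant_id"]
    # A role counts only when it is granted inside the user's own tenant.
    role_ids = sorted({r for (u, t, r) in USER_ROLE if u == username and t == tenant_id})
    resource_ids: List[str] = []
    for role in role_ids:
        for res_id in ROLE_RESOURCE.get(role, []):
            res = RESOURCES.get(res_id)
            # Isolation: a resource owned by another tenant is dropped even if a role lists it.
            if res is not None and res["tenant_id"] == tenant_id and res_id not in resource_ids:
                resource_ids.append(res_id)
    # Only operation permissions (url access) are returned to the gateway; management
    # and authorization permissions stay inside the rights management service.
    urls = sorted(RESOURCES[r]["url"] for r in resource_ids
                  if RESOURCES[r]["type"] == "operation")
    return {"tenant_id": tenant_id, "role_ids": role_ids,
            "resource_ids": sorted(resource_ids), "urls": urls}


if __name__ == "__main__":
    for name in USERS:
        print(name, resolve_permissions(name))
```

The returned dict mirrors what the text says is cached in the session: tenant, role identifiers, resource identifiers and urls. Filtering on the resource's owning tenant, rather than trusting the role-resource table alone, is what keeps a misconfigured role from leaking another tenant's urls into the gateway's cached list.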
  • the terminal sets the target user token as the target key, queries the session information in the memory database according to the target key, and obtains the target value.
  • the obtained user permission list data, that is, the permission list data that the terminal stores in the current session; the cached data expires together with the session.
  • when the target value is not null, the terminal obtains the tenant identification value and the cached permission list data from the target value; the terminal calls a preset search function to search the cached permission list data for the access request address and obtains a search result; if the search result is not the preset target value, the terminal determines that the access request address does not exist in the cached permission list data and generates prompt information indicating that the microservice access request is abnormal; if the search result is the preset target value, the terminal determines that the access request address exists in the cached permission list data.
  • the terminal determines that the microservice access request is abnormal.
  • if there is no access request address in the cached permission list data, the terminal generates operation log information according to the target user token and the tenant identification value and updates the operation log information into the in-memory database; the terminal generates warning information according to a preset template and displays it through a preset prompt box, the warning information being used to indicate that the microservice access request is restricted.
  • the terminal displays the operation log information in reverse order of time, so that the target person obtains the process information of the microservice access according to the actual needs.
  • the preset microservice gateway passes the element control list produced by the target rights management service straight through to the terminal, and the H5 page in the terminal then makes the permission judgment.
  • Elements in the terminal are preset with unique numbers. The unique number is associated with the new permission resource in the corresponding system microservice under the corresponding tenant in the target permission management service, and role authorization is performed on the permission resource.
  • the terminal returns the queried resource list of the current user with rights to the terminal, and the terminal performs rights control according to the resource list.
  • the terminal queries the preset data table based on the tenant identification value to obtain the target microservice cluster, where the target microservice cluster is used to indicate the list data of the container to which the system microservice belongs;
  • the terminal obtains a random number (for example, from random()) and takes it modulo the number of containers to which the system microservice belongs to obtain the target remainder;
  • the terminal sets the target remainder as the index of the container to which the system microservice belongs, and according to the access request address and
  • the index of the container to which the system microservice belongs, makes a service call to the target system microservice in the target microservice cluster and obtains the access result.
  • the access result includes access success and access failure.
  • the server accesses the target system microservice whose index is 9 to obtain the access result.
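The cluster-selection step above (tenant identification value to container list, random number reduced modulo the container count, remainder used as the container index), as an added Python example that is not the patent's own code. The cluster table, the container names, the use of an integer draw from the random source, and the `FixedRandom` stand-in used to reproduce the text's index-9 case are constructed assumptions.

```python
"""Container selection inside a tenant's microservice cluster (added example,
not the patent's code).  The cluster table, container names and the integer
random draw reduced modulo the container count are constructed assumptions."""
import random
from typing import Dict, List, Tuple

# Constructed preset data table: tenant id -> containers running the tenant's
# system microservice (ten containers for tenant-A, three for tenant-B).
CLUSTER_TABLE: Dict[str, List[str]] = {
    "tenant-A": [f"order-svc-{i}" for i in range(10)],
    "tenant-B": [f"asset-svc-{i}" for i in range(3)],
}


def select_container(tenant_id: str, rng=random) -> Tuple[int, str]:
    """Return (index, container) for the tenant's cluster.  The index is the
    target remainder: a random integer taken modulo the number of containers."""
    containers = CLUSTER_TABLE.get(tenant_id)
    if not containers:
        # An unknown tenant must never fall through to some default cluster.
        raise KeyError(f"no microservice cluster for tenant {tenant_id}")
    remainder = rng.randrange(1 << 30) % len(containers)
    return remainder, containers[remainder]


def route_request(tenant_id: str, url: str, rng=random) -> Dict[str, object]:
    """Stand-in for the service call: the gateway would forward `url` to the
    chosen container; here the routing decision is returned so it can be checked."""
    index, container = select_container(tenant_id, rng)
    return {"tenant_id": tenant_id, "index": index, "container": container,
            "target": f"{container}{url}"}


class FixedRandom:
    """Random source returning one fixed integer, for reproducible demonstrations."""
    def __init__(self, value: int):
        self.value = value

    def randrange(self, _n: int) -> int:
        return self.value


if __name__ == "__main__":
    # A draw of 19 over ten containers gives remainder 9, the index in the text's example.
    print(route_request("tenant-A", "/order/list", FixedRandom(19)))
    print(route_request("tenant-B", "/asset/list"))
```

Keying the container list on the tenant identification value, and refusing rather than defaulting when no entry exists, is what ties the routing decision to the tenant established at login; a request that passed the permission check can still only reach its own tenant's cluster.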
  • an embodiment of the microservice access device in the embodiment of the present application includes:
  • the interception module 301 is configured to intercept the microservice access request through a preset microservice gateway to obtain an access request address and a target user token, and the preset microservice gateway is a request interceptor implemented based on a preset route filtering object;
  • the judgment module 302 is used to obtain the current time and the expiration time of the target user token, and judge whether the expiration time is greater than the current time;
  • the writing module 303 is configured, if the expiration time is less than or equal to the current time, to obtain a new user token, send a permission acquisition request to the target rights management service according to the new user token, obtain the target user permission list, and according to the new
  • user token write the target user permission list into the session information in the in-memory database, where the target permission management service is used to instruct the microservice authorization operation for multiple tenants;
  • the query module 304 is configured, if the expiration time is greater than the current time, to query the session information in the in-memory database according to the target user token, obtain the tenant identification value and the cached permission list data, and determine whether the access request address exists in the cached permission list data;
  • the processing module 305 is configured, if the access request address does not exist in the cached permission list data, to generate operation log information according to the target user token and the tenant identification value and to obtain and display warning information, the warning information being used to indicate that the microservice access request is restricted;
  • the access request address is stored in the blockchain database, which is not specifically limited here.
  • FIG. 4: another embodiment of the microservice access apparatus in the embodiment of the present application includes the interception module 301, judgment module 302, writing module 303, query module 304 and processing module 305 described above, wherein:
  • the interception module 301 can also be specifically used for:
  • the preset microservice gateway is a request interceptor implemented based on the preset routing filter object zuulfilter;
  • the target user token is the string set when the user successfully logs in to the microservice.
  • the writing module 303 can also be specifically used for:
  • the preset login page is called to guide the user to log in again, and a login result is obtained;
  • if the login result is the preset value, it is determined that the user has logged in successfully, a new user token and the user's session information are obtained, and the new user token and the user's session information are associated, mapped and stored in the in-memory database;
  • the target user permission list is received, the target user permission list is updated into the session information in the in-memory database according to the new user token to obtain an update result, and whether to send the microservice access request is determined according to the update result.
  • the query module 304 can also be specifically used for:
  • the session information is the user permission list data obtained by calling the preset permission service when the user logs in for the first time;
  • if the retrieval result is not the preset target value, it is determined that the access request address does not exist in the cached permission list data, and prompt information is generated, the prompt information being used to indicate that the microservice access request is abnormal;
  • if the retrieval result is the preset target value, it is determined that the access request address exists in the cached permission list data.
  • processing module 305 can also be specifically used for:
  • the operation log information is generated according to the target user token and tenant identification value, and the operation log information is updated to the in-memory database;
  • the warning information is generated according to the preset template, and the warning information is displayed through the preset prompt box.
  • the warning information is used to indicate that the access request of the microservice is limited.
  • the access module 306 can also be specifically used for:
  • the microservice access device further includes:
  • a configuration module 307 configured to add a tenant through the target rights management service, and configure corresponding tenant information for the tenant;
  • an import module 308 configured to obtain a configuration file containing multiple user information, and import the configuration file into the target rights management service, so that the multiple user information is associated and bound with the tenant respectively;
  • a new module 309 configured to add at least one system microservice to the tenant, and create resource item information for each system microservice, where the resource item information includes menu resources and interface buttons;
  • the allocation module 310 is configured to create a role tree for the tenant, set resource item information for each role in the role tree, and allocate role data in the role tree to multiple users associated and bound with the tenant.
  • FIGS 3 and 4 above describe in detail the microservice access device in the embodiment of the present application from the perspective of modularity, and the microservice access device in the embodiment of the present application is described in detail below from the perspective of hardware processing.
  • the microservice access device 500 may vary greatly depending on configuration or performance, and may include one or more central processing units (CPUs) 510 (for example, one or more processors), a memory 520, and one or more storage media 530 (for example, one or more mass storage devices) storing application programs 533 or data 532, where the memory 520 and the storage medium 530 may be short-term storage or persistent storage.
  • the program stored in the storage medium 530 may include one or more modules (not shown in the figure), and each module may include a series of instruction operations in the microservice access device 500 .
  • the processor 510 may be configured to communicate with the storage medium 530 to execute a series of instruction operations in the storage medium 530 on the microservice access device 500 .
  • the microservice access device 500 may also include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input/output interfaces 560, and/or one or more operating systems 531, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD and so on.
  • the structure shown in FIG. 5 does not constitute a limitation on the microservice access device, which may include more or fewer components than shown, combine some components, or arrange the components differently.
  • the present application also provides a computer-readable storage medium.
  • the computer-readable storage medium may be a non-volatile computer-readable storage medium.
  • the computer-readable storage medium may also be a volatile computer-readable storage medium. Instructions are stored in the computer-readable storage medium, and when the instructions are executed on the computer, the computer performs the following steps:
  • a new user token is obtained, a permission acquisition request is sent to the target rights management service according to the new user token to obtain a target user permission list, and the target user permission list is written into the session information in the in-memory database according to the new user token, where the target rights management service is used to instruct microservice authorization operations for multiple tenants;
  • the present application further provides a microservice access device, which includes a memory and a processor, where instructions are stored in the memory, and when the instructions are executed by the processor, the processor executes the steps of the microservice access method in the above embodiments.
  • the computer-readable storage medium may mainly include a storage program area and a storage data area, where the storage program area may store an operating system, an application program required by at least one function, and the like, and the storage data area may store data created according to the use of the node, and the like.
  • the blockchain referred to in this application is a new application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanism, and encryption algorithm.
  • the blockchain is essentially a decentralized database, a string of data blocks associated with one another by cryptographic methods; each data block contains a batch of network transaction information, which is used to verify the validity of its information (anti-counterfeiting) and to generate the next block.
  • the blockchain can include the underlying platform of the blockchain, the platform product service layer, and the application service layer.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as an independent product, may be stored in a computer-readable storage medium.
  • the technical solutions of the present application can be embodied in the form of software products in essence, or the parts that contribute to the prior art, or all or part of the technical solutions, and the computer software product is stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk and other media that can store program code.

Abstract

The present application relates to the technical field of information security. Disclosed are a micro-service access method, apparatus and device, and a storage medium, which are used for improving the accuracy of micro-service access. The micro-service access method comprises: intercepting a micro-service access request by means of a preset micro-service gateway, so as to obtain an access request address and a target user token; if the expiration moment is less than or equal to the current moment, sending a permission acquisition request to a target permission management service according to a new user token, so as to obtain a target user permission list; if the expiration moment is greater than the current moment, acquiring a tenant identification value and cached permission list data according to the target user token; if the access request address is not present in the cached permission list data, generating warning information; and if the access request address is present in the cached permission list data, accessing a target system micro-service on the basis of the tenant identification value and the access request address. In addition, the present application further relates to blockchain technology, and an access request address can be stored in a blockchain node.

Description

Microservice access method, apparatus, device and storage medium
This application claims priority to the Chinese patent application with application number 202011476001.5, titled "Microservice Access Method, Apparatus, Device and Storage Medium", filed with the China Patent Office on December 15, 2020, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of gateway control, and in particular to a microservice access method, apparatus, device and storage medium.
Background
In existing monolithic applications, authentication and permission control for application interfaces (APIs) and menus generally rely on a shared jar package: a microservice that needs permission control imports the permission package and adapts on top of it; alternatively, a separate permission management module is developed for each application.
Existing permission control schemes are highly intrusive to microservices: generally a corresponding permission-related table must be created inside the microservice, permission-related data stored in a local database, and the local database adapted to the interfaces in the jar package. At the same time, because permissions lack unified management, the inventor realized that when a system has multiple sub-microservices, permission data must be synchronized between the sub-microservices, which easily leads to inconsistent permission data. Moreover, every sub-service must implement the permission verification rules, and every sub-microservice requires substantial development and testing effort to integrate with permission control, resulting in low permission verification efficiency of the microservice cluster and low microservice access accuracy.
Summary of the invention
The main purpose of the present application is to solve the problems of low permission verification efficiency of microservice clusters and low microservice access accuracy.
In order to achieve the above purpose, a first aspect of the present application provides a microservice access method, including: intercepting a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, where the preset microservice gateway is a request interceptor implemented based on a preset route filtering object; obtaining the current time and the expiration time of the target user token, and judging whether the expiration time is greater than the current time; if the expiration time is less than or equal to the current time, obtaining a new user token, sending a permission acquisition request to a target rights management service according to the new user token to obtain a target user permission list, and writing the target user permission list into the session information in an in-memory database according to the new user token, where the target rights management service is used to instruct microservice authorization operations for multiple tenants; if the expiration time is greater than the current time, querying the session information in the in-memory database according to the target user token to obtain a tenant identification value and cached permission list data, and judging whether the access request address exists in the cached permission list data; if the access request address does not exist in the cached permission list data, generating operation log information according to the target user token and the tenant identification value, and obtaining and displaying warning information, where the warning information is used to indicate that the microservice access request is restricted; and if the access request address exists in the cached permission list data, determining a target microservice cluster based on the tenant identification value, and accessing the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
A second aspect of the present application provides a microservice access device, including a memory, a processor, and computer-readable instructions stored on the memory and executable on the processor, where the processor, when executing the computer-readable instructions, implements the following steps: intercepting a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, where the preset microservice gateway is a request interceptor implemented based on a preset route filtering object; obtaining the current time and the expiration time of the target user token, and judging whether the expiration time is greater than the current time; if the expiration time is less than or equal to the current time, obtaining a new user token, sending a permission acquisition request to a target rights management service according to the new user token to obtain a target user permission list, and writing the target user permission list into the session information in an in-memory database according to the new user token, where the target rights management service is used to instruct microservice authorization operations for multiple tenants; if the expiration time is greater than the current time, querying the session information in the in-memory database according to the target user token to obtain a tenant identification value and cached permission list data, and judging whether the access request address exists in the cached permission list data; if the access request address does not exist in the cached permission list data, generating operation log information according to the target user token and the tenant identification value, and obtaining and displaying warning information, where the warning information is used to indicate that the microservice access request is restricted; and if the access request address exists in the cached permission list data, determining a target microservice cluster based on the tenant identification value, and accessing the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
A third aspect of the present application provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the following steps: intercepting a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, where the preset microservice gateway is a request interceptor implemented based on a preset route filtering object; obtaining the current time and the expiration time of the target user token, and judging whether the expiration time is greater than the current time; if the expiration time is less than or equal to the current time, obtaining a new user token, sending a permission acquisition request to a target rights management service according to the new user token to obtain a target user permission list, and writing the target user permission list into the session information in an in-memory database according to the new user token, where the target rights management service is used to instruct microservice authorization operations for multiple tenants; if the expiration time is greater than the current time, querying the session information in the in-memory database according to the target user token to obtain a tenant identification value and cached permission list data, and judging whether the access request address exists in the cached permission list data; if the access request address does not exist in the cached permission list data, generating operation log information according to the target user token and the tenant identification value, and obtaining and displaying warning information, where the warning information is used to indicate that the microservice access request is restricted; and if the access request address exists in the cached permission list data, determining a target microservice cluster based on the tenant identification value, and accessing the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
A fourth aspect of the present application provides a microservice access apparatus, including: an interception module, configured to intercept a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, where the preset microservice gateway is a request interceptor implemented based on a preset route filtering object; a judgment module, configured to obtain the current time and the expiration time of the target user token and judge whether the expiration time is greater than the current time; a writing module, configured, if the expiration time is less than or equal to the current time, to obtain a new user token, send a permission acquisition request to a target rights management service according to the new user token to obtain a target user permission list, and write the target user permission list into the session information in an in-memory database according to the new user token, where the target rights management service is used to instruct microservice authorization operations for multiple tenants; a query module, configured, if the expiration time is greater than the current time, to query the session information in the in-memory database according to the target user token to obtain a tenant identification value and cached permission list data, and judge whether the access request address exists in the cached permission list data; a processing module, configured, if the access request address does not exist in the cached permission list data, to generate operation log information according to the target user token and the tenant identification value and to obtain and display warning information, where the warning information is used to indicate that the microservice access request is restricted; and an access module, configured, if the access request address exists in the cached permission list data, to determine a target microservice cluster based on the tenant identification value and access the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
In the technical solution provided by the present application, a microservice access request is intercepted through a preset microservice gateway to obtain an access request address and a target user token, where the preset microservice gateway is a request interceptor implemented based on a preset route filtering object; the current time and the expiration time of the target user token are obtained, and whether the expiration time is greater than the current time is judged; if the expiration time is less than or equal to the current time, a new user token is obtained, a permission acquisition request is sent to a target rights management service according to the new user token to obtain a target user permission list, and the target user permission list is written into the session information in an in-memory database according to the new user token, where the target rights management service is used to instruct microservice authorization operations for multiple tenants; if the expiration time is greater than the current time, the session information in the in-memory database is queried according to the target user token to obtain a tenant identification value and cached permission list data, and whether the access request address exists in the cached permission list data is judged; if the access request address does not exist in the cached permission list data, operation log information is generated according to the target user token and the tenant identification value, and warning information is obtained and displayed, where the warning information is used to indicate that the microservice access request is restricted; and if the access request address exists in the cached permission list data, a target microservice cluster is determined based on the tenant identification value, and the target system microservice in the target microservice cluster is accessed according to the access request address to obtain an access result. In the embodiment of the present application, the microservice access request is intercepted through the preset microservice gateway to obtain the access request address and the target user token; after the user token expires, the target user permission list is obtained from the target rights management service according to the new user token and cached; before the expiration time, the target microservice cluster is determined based on the tenant identification value, and the system microservices in the target microservice cluster are accessed according to the access request address, which improves the permission verification efficiency of the microservice cluster and the accuracy of microservice access.
Description of drawings
FIG. 1 is a schematic diagram of an embodiment of a microservice access method in an embodiment of the present application;
FIG. 2 is a schematic diagram of another embodiment of a microservice access method in an embodiment of the present application;
FIG. 3 is a schematic diagram of an embodiment of a microservice access apparatus in an embodiment of the present application;
FIG. 4 is a schematic diagram of another embodiment of a microservice access apparatus in an embodiment of the present application;
FIG. 5 is a schematic diagram of an embodiment of a microservice access device in an embodiment of the present application.
具体实施方式Detailed ways
本申请实施例提供了一种微服务访问方法、装置、设备及存储介质,用于在过期时刻内基于租户标识值确定目标微服务集群,按照访问请求地址对目标微服务集群中的系统微服务进行访问,提高微服务集群的权限验证效率和微服务访问准确率。The embodiments of the present application provide a microservice access method, device, device, and storage medium, which are used to determine a target microservice cluster based on a tenant identification value within an expiration time, and to access system microservices in the target microservice cluster according to an access request address Access to improve the permission verification efficiency of the microservice cluster and the accuracy of microservice access.
The terms "first", "second", "third", "fourth", etc. (if any) in the description, the claims and the above drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It is to be understood that data so used may be interchanged under appropriate circumstances, so that the embodiments described herein can be practiced in sequences other than those illustrated or described herein. Furthermore, the terms "comprising" or "having" and any variations thereof are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such processes, methods, products or devices.
For ease of understanding, the specific process of the embodiments of the present application is described below. Referring to FIG. 1, an embodiment of the microservice access method in the embodiments of the present application includes:
101. Intercept a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, where the preset microservice gateway is a request interceptor implemented on the basis of a preset route filtering object.
The preset microservice gateway serves as the single entry point for all front-end traffic to the microservices: every access to a microservice must pass through the preset microservice gateway, which intercepts all microservice access requests and calls the permission service for authentication and verification. Specifically, the terminal intercepts, through the preset microservice gateway, the microservice access request sent by the terminal; the terminal then extracts the corresponding access request address (url) and target user token (token) from the microservice access request.
Further, the access request address may be stored in a blockchain database, which is not specifically limited here.
It can be understood that the execution subject of the present application may be a microservice access apparatus, or may be a terminal or a server, which is not specifically limited here. The embodiments of the present application are described by taking a terminal as the execution subject as an example.
102. Obtain the current time and the expiration time of the target user token, and determine whether the expiration time is later than the current time.
Each target user token has an expiration time, which is consistent with the expiration time of the user's session information in the in-memory database. Specifically, the terminal generates the current time with a preset time generation function (for example, time()); the terminal reads the expiration time of the target user token from a preset data configuration table according to the target user token; the terminal subtracts the current time from the expiration time to obtain a difference; the terminal determines whether the difference is greater than 0; if the difference is greater than 0, the terminal determines that the expiration time is later than the current time and executes step 104; if the difference is less than or equal to 0, the terminal determines that the expiration time is earlier than or equal to the current time and executes step 103.
103. If the expiration time is earlier than or equal to the current time, obtain a new user token, send a permission acquisition request to a target permission management service according to the new user token to obtain a target user permission list, and write the target user permission list into the session information in the in-memory database according to the new user token, where the target permission management service is used to perform microservice authorization operations for multiple tenants.
Specifically, the terminal updates the expiration time and sends a permission acquisition request to the target permission management service according to the user token, so that the target permission management service looks up and returns the user permission list according to the user token; the terminal then rewrites the returned user permission list into the session information in the in-memory database according to the user token. That is, the terminal checks in the in-memory database whether the urls the token is authorized for include the currently requested url, and if so routes the request to the corresponding microservice. Because entries in the in-memory database have an expiration time, when the terminal detects that the expiration time is earlier than or equal to the current time, it loads the user's permission list from the target permission management service and caches it. The target permission management service identifies the corresponding user and the tenant to which that user belongs according to the token, then queries the user's permission list and returns it to the gateway service. The target permission management service is a microservice built on the preset framework springboot.
104. If the expiration time is later than the current time, query the session information in the in-memory database according to the target user token to obtain a tenant identification value and cached permission list data, and determine whether the access request address exists in the cached permission list data.
It can be understood that the terminal sends a login request to the server; the server creates session information and a target user token, maps and associates the session information with the target user token, and sends the associated session information and target user token to the terminal, which stores them in the in-memory database, where the session information includes permission list data. Every microservice access request sent by the terminal carries the target user token, which indicates the user's unique identification information. The interceptor validates each microservice access request by verifying the target user token and the access request address, and establishes a security context. The security context describes the user principal and its roles; the terminal uses the security context to obtain the user's session information from the in-memory database, and reads from the session information the tenant identification value corresponding to the target user token and the cached permission resource list.
105. If the access request address does not exist in the cached permission list data, generate operation log information according to the target user token and the tenant identification value, and obtain and display warning information, where the warning information is used to indicate that the microservice access request is restricted.
Specifically, if the access request address does not exist in the cached permission list data, the terminal generates operation log information based on the target user token and the tenant identification value and stores the operation log information in the in-memory database; further, the terminal persists or backs up the in-memory database to prevent data loss and ensure data security. The terminal then obtains a preset template from the in-memory database and generates warning information according to the preset template, where the warning information indicates that the microservice access request is restricted (that is, the user does not have access permission).
106. If the access request address exists in the cached permission list data, determine a target microservice cluster based on the tenant identification value, and access the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
The system microservice may be an asset management system, an order management system, a financial system or a sales management system, which is not specifically limited here. One tenant may include multiple users, and different tenants have their own corresponding groups of system services. It can be understood that every table in the preset system services has a field tenantId (the tenant identification value) that marks the tenant to which the data belongs; after authentication, a microservice access request needs to carry this field as a microservice access condition, and all data in the preset system services is marked with the tenant to which it belongs.
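The gateway-side decision of steps 101 to 106 (token expiry check, permission-list refresh, url lookup, tenant-based cluster selection with the random-number modulo from the second embodiment), as an added example in Python; this is not the patent's or any project's code, and Zuul, Redis and the Spring Boot permission service are replaced by constructed in-memory stand-ins whose names and sample values are assumptions.

```python
"""Gateway-side authorization check following steps 101 to 106.

Added example, not code from the patent application. Zuul, Redis and the
Spring Boot permission service are replaced by in-memory stand-ins; every
class, function and sample value below is constructed for illustration.
"""
import hashlib
import random
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit


@dataclass
class Session:
    """Session record stored under the user token in the in-memory database."""
    tenant_id: str
    expires_at: float            # token expiry and session expiry coincide
    urls: frozenset              # cached permission list (operation urls)


@dataclass
class AccessResult:
    allowed: bool
    cluster: Optional[str] = None
    container: Optional[int] = None
    warning: Optional[str] = None


def normalize(url: str) -> str:
    """Compare the path only, exactly: the query string does not change the
    addressed resource, and exact matching avoids a permitted url matching
    an unrelated request that merely contains it as a substring."""
    path = urlsplit(url).path or "/"
    return path.rstrip("/") or "/"


def token_fingerprint(token: str) -> str:
    """The operation log identifies the token without storing the bearer secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


class PermissionService:
    """Stand-in for the target permission management service (step 103)."""

    def __init__(self, grants: dict) -> None:
        self._grants = grants    # token -> (tenantId, permitted urls)

    def permission_list(self, token: str) -> tuple:
        tenant, urls = self._grants[token]   # KeyError for an unknown token
        return tenant, frozenset(normalize(u) for u in urls)


class Gateway:
    def __init__(self, perm_svc: PermissionService, clusters: dict, ttl: float,
                 now: Callable[[], float], relogin: Callable[[str], str],
                 rand: Callable[[], int] = lambda: random.getrandbits(31)) -> None:
        self.perm_svc = perm_svc   # target permission management service
        self.clusters = clusters   # tenantId -> list of container names
        self.ttl = ttl             # session lifetime in seconds
        self.now = now             # preset time generation function
        self.relogin = relogin     # issues a new user token (step 103)
        self.rand = rand           # random() used for container selection
        self.sessions: dict = {}   # the in-memory database
        self.op_log: list = []     # operation log information (step 105)

    def _refresh(self, token: str) -> tuple:
        """Step 103: obtain a new token, fetch the permission list, write the session."""
        new_token = self.relogin(token)
        tenant, urls = self.perm_svc.permission_list(new_token)
        self.sessions[new_token] = Session(tenant, self.now() + self.ttl, urls)
        return new_token, self.sessions[new_token]

    def handle(self, url: str, token: str) -> AccessResult:
        # Step 101: url and token have already been taken from the request.
        session = self.sessions.get(token)
        # Step 102: expired (or never cached) tokens go through step 103.
        if session is None or session.expires_at - self.now() <= 0:
            token, session = self._refresh(token)
        # Step 104: look the url up in the cached permission list.
        if normalize(url) not in session.urls:
            # Step 105: log from token and tenant, then refuse with a warning.
            self.op_log.append({"token": token_fingerprint(token),
                                "tenantId": session.tenant_id,
                                "url": url, "at": self.now()})
            return AccessResult(False, warning="microservice access request restricted")
        # Step 106: cluster chosen by tenant, container by random number modulo count.
        containers = self.clusters[session.tenant_id]
        idx = self.rand() % len(containers)
        return AccessResult(True, cluster=session.tenant_id, container=idx)


def build_demo_gateway(clock: list) -> Gateway:
    """Constructed deployment: two tenants; re-login maps any token of a
    tenant to that tenant's current token. clock[0] is the current time."""
    perm = PermissionService({
        "tok-acme-2": ("acme", {"/order/list", "/order/create"}),
        "tok-beta-2": ("beta", {"/asset/list"}),
    })
    clusters = {"acme": [f"order-{i}" for i in range(10)],
                "beta": ["asset-0", "asset-1"]}
    relogin = lambda old: "tok-acme-2" if old.startswith("tok-acme") else "tok-beta-2"
    # rand fixed to 69 so the page's example (69 mod 10 = 9) is reproduced
    return Gateway(perm, clusters, ttl=600, now=lambda: clock[0],
                   relogin=relogin, rand=lambda: 69)
```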
In the embodiments of the present application, a microservice access request is intercepted through a preset microservice gateway to obtain an access request address and a target user token; after the user token expires, a target user permission list is obtained from the target permission management service according to a new user token and cached; before the expiration time, a target microservice cluster is determined based on the tenant identification value and the system microservices in the target microservice cluster are accessed according to the access request address, which improves the permission verification efficiency of the microservice cluster and the accuracy of microservice access.
Referring to FIG. 2, another embodiment of the microservice access method in the embodiments of the present application includes:
201. Receive a microservice access request, and intercept and parse the microservice access request through a preset microservice gateway to obtain request header information, where the preset microservice gateway is a request interceptor implemented on the basis of the preset route filtering object zuulfilter.
For example, request=RequestContext.getCurrentContext(), where request indicates the request header information obtained by the terminal.
Further, before step 201, the terminal adds a tenant through the target permission management service and configures corresponding tenant information for the tenant; the terminal obtains a configuration file containing the information of multiple users and imports the configuration file into the target permission management service, so that each piece of user information is associated and bound with the tenant; the terminal adds at least one system microservice to the tenant and creates resource item information for each system microservice, where the resource item information includes menu resources and interface buttons; the terminal creates a role tree for the tenant, sets resource item information for each role in the role tree, and assigns the role data in the role tree to the multiple users bound to the tenant. That is, the terminal controls the access permissions of tenants and users to microservices through the target permission service; the relationship between tenants and users is one-to-many, and the target permission service can manage multiple tenants.
202. Read the access request address and the target user token from the request header information according to preset parameter names, where the target user token is a string set when the user successfully logs in to the microservice.
For example, the terminal obtains the access request address url and the target user token token from the request header information request. The preset route filtering object is zuulfilter.
It should be noted that the terminal also needs to set up an in-memory database in advance to cache the session information of the preset microservice gateway; for example, the in-memory database may be the remote dictionary service redis, or another database, which is not specifically limited here. The terminal then deploys the program package of the preset microservice gateway in advance; next, the terminal deploys in advance a database cluster based on the object-relational database management system pgsql to serve as the database of the permission management service; finally, the terminal deploys the pre-configured permission service program package.
203. Obtain the current time and the expiration time of the target user token, and determine whether the expiration time is later than the current time.
The execution process of step 203 is similar to that of step 102 and is not repeated here.
204. If the expiration time is earlier than or equal to the current time, obtain a new user token, send a permission acquisition request to the target permission management service according to the new user token to obtain a target user permission list, and write the target user permission list into the session information in the in-memory database according to the new user token, where the target permission management service is used to perform microservice authorization operations for multiple tenants.
It should be noted that the target permission management service provides permission resource management, role management, authorization management and authentication service functions. The target permission management service adds the concept of a tenant to the Role-Based Access Control (RBAC) model: one business system is one tenant, which may contain multiple microservices and has its own set of permission data; the permission control data of different tenants is completely isolated, and the relationship between the token and the tenant is established at login. Permission types are divided into operation permissions, management permissions and authorization permissions. Operation permissions control the access to and invocation of urls, interface buttons and elements; the permission list returned to the gateway contains only operation permissions. Management permissions govern the management of the urls themselves, such as adding, deleting and modifying them. Authorization permissions control the granting of operation and management permissions. When the target permission management service actually obtains a permission list, it queries the corresponding user and tenant from the session by token, then obtains the user's list of roles within that tenant, and queries the permission list according to the role list.
Optionally, if the expiration time is earlier than or equal to the current time, the terminal calls a preset login page to guide the user to log in again and obtains a login result; when the login result equals a preset value, the terminal determines that the user has logged in successfully, obtains a new user token and the user's session information, maps the new user token to the user's session information and stores them in the in-memory database; the terminal obtains the user's unique identifier and the tenant identification value from the user's session information according to the new user token, and sends a permission acquisition request to the target permission management service based on the user's unique identifier and the tenant identification value, so that the target permission management service looks up and returns the target user permission list according to the user's unique identifier and the tenant identification value, where the target permission management service is used to perform microservice authorization operations for multiple tenants; the terminal receives the target user permission list, updates the target user permission list into the session information in the in-memory database based on the new user token to obtain an update result, and determines according to the update result whether to send the microservice access request.
205. If the expiration time is later than the current time, query the session information in the in-memory database according to the target user token to obtain a tenant identification value and cached permission list data, and determine whether the access request address exists in the cached permission list data.
It should be noted that one tenant corresponds to one user group (for example, the employees of a company or of a company's business unit); an individual in the user group is a user of the system, and one business system is generally used to solve the business problems of one user group. The cached permission list data includes the tenant to which the user belongs, the identifiers of all roles that carry permissions, and the identifiers of all permitted resources. Optionally, when the user logs in to the microservice for the first time, the target permission management service queries the user information by user name, where the user information contains the identification value of the tenant to which the user belongs; it then queries the user-role relationship table and the role-resource relationship table respectively for all permitted role identifiers, resource identifiers and urls; the terminal then saves this information into the user's session information to obtain the cached permission list data.
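The tenant-scoped RBAC lookup described here and under step 204 (token to user and tenant, user to roles, roles to resources, with only operation permissions returned to the gateway), as an added Python example that is not the patent's or any project's code; the table layout, column names and sample rows are constructed assumptions, and the example goes one step further by re-checking tenantId on every join so that a mis-scoped relation row cannot leak another tenant's resource.

```python
"""Tenant-scoped RBAC permission lookup for the target permission management
service: token -> user and tenant -> roles -> resources -> urls.

Added example, not the patent's or any project's code. Table names, columns
and sample rows are constructed; the real service keeps them in pgsql.
"""
from dataclasses import dataclass

OPERATION, MANAGEMENT, AUTHORIZATION = "operation", "management", "authorization"


@dataclass(frozen=True)
class Resource:
    resource_id: str
    tenant_id: str       # the tenantId column present on every table
    perm_type: str
    url: str


class PermissionStore:
    def __init__(self, users, roles, user_role, resources, role_resource, sessions):
        self.users = users                  # user_id -> {"name", "tenantId"}
        self.roles = roles                  # role_id -> tenantId
        self.user_role = user_role          # (user_id, role_id) relation table
        self.resources = resources          # resource_id -> Resource
        self.role_resource = role_resource  # (role_id, resource_id) relation table
        self.sessions = sessions            # token -> (user_id, tenantId) set at login

    def permission_list(self, token: str) -> dict:
        """Builds the cached permission list data for one token.

        Every join re-checks tenantId so that a role or resource belonging to
        another tenant never enters the list even if a relation row is
        mis-scoped, and only operation permissions are returned to the gateway.
        """
        user_id, tenant_id = self.sessions[token]
        if self.users[user_id]["tenantId"] != tenant_id:
            raise PermissionError("session tenant does not match user record")
        role_ids = {r for (u, r) in self.user_role
                    if u == user_id and self.roles.get(r) == tenant_id}
        resource_ids, urls = set(), set()
        for role_id, res_id in self.role_resource:
            res = self.resources.get(res_id)
            if role_id not in role_ids or res is None:
                continue
            if res.tenant_id != tenant_id or res.perm_type != OPERATION:
                continue
            resource_ids.add(res.resource_id)
            urls.add(res.url)
        return {"tenantId": tenant_id, "roles": sorted(role_ids),
                "resources": sorted(resource_ids), "urls": sorted(urls)}


def build_demo_store() -> PermissionStore:
    """Constructed data: tenant acme with user alice; one relation row
    deliberately points at a beta resource to show that it is filtered out,
    and one session deliberately carries the wrong tenant."""
    resources = {
        "r1": Resource("r1", "acme", OPERATION, "/order/list"),
        "r2": Resource("r2", "acme", MANAGEMENT, "/admin/url"),
        "r3": Resource("r3", "beta", OPERATION, "/asset/list"),
        "r4": Resource("r4", "acme", OPERATION, "/order/create"),
    }
    return PermissionStore(
        users={"u1": {"name": "alice", "tenantId": "acme"}},
        roles={"sales": "acme", "beta-admin": "beta"},
        user_role=[("u1", "sales"), ("u1", "beta-admin")],
        resources=resources,
        role_resource=[("sales", "r1"), ("sales", "r2"), ("sales", "r3"),
                       ("beta-admin", "r4")],
        sessions={"tok-alice": ("u1", "acme"), "tok-bad": ("u1", "beta")},
    )
```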
Optionally, if the expiration time is later than the current time, the terminal sets the target user token as the target key and queries the session information in the in-memory database by the target key to obtain a target value, where the session information is the user permission list data obtained by calling the preset permission service when the user first logged in; that is, the terminal stores the permission list data in the current session, and the expiration of the cached data is kept consistent with the session. When the target value is not null, the terminal obtains the tenant identification value and the cached permission list data from the target value; the terminal calls a preset lookup function to search the cached permission list data for the access request address and obtains a lookup result; if the lookup result is not the preset target value, the terminal determines that the access request address does not exist in the cached permission list data and generates prompt information indicating that the microservice access request is abnormal; if the lookup result is the preset target value, the terminal determines that the access request address exists in the cached permission list data.
206. If the access request address does not exist in the cached permission list data, generate operation log information according to the target user token and the tenant identification value, and obtain and display warning information, where the warning information is used to indicate that the microservice access request is restricted.
That is, if the access request address does not exist in the cached permission list data, the terminal determines that the microservice access request is abnormal. Optionally, if the access request address does not exist in the cached permission list data, the terminal generates operation log information according to the target user token and the tenant identification value and updates the operation log information into the in-memory database; the terminal generates warning information according to a preset template and displays the warning information in a preset prompt box, where the warning information indicates that the microservice access request is restricted.
Further, the terminal displays the operation log information in reverse chronological order, so that the relevant personnel can obtain the process information of microservice access according to actual needs.
207. If the access request address exists in the cached permission list data, determine a target microservice cluster based on the tenant identification value, and access the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
It can be understood that the preset microservice gateway directly passes through the control list that the target permission management service maintains for the elements in the terminal, and the permission judgment is then made by the hypertext markup language (H5) page in the terminal. Elements in the terminal are preset with unique numbers. In the target permission management service, a new permission resource is created in the corresponding system microservice under the corresponding tenant and associated with that unique number, and roles are granted the permission resource. The queried list of resources the current user is permitted to access is returned to the terminal, and the terminal performs permission control according to the resource list.
Optionally, if the access request address exists in the cached permission list data, the terminal queries a preset data table based on the tenant identification value to obtain the target microservice cluster, where the target microservice cluster indicates the list of containers to which the system microservice belongs; the terminal obtains a random number (for example, with random()) and takes the random number modulo the number of containers to which the system microservice belongs to obtain a target remainder; the terminal sets the target remainder as the index of the container of the system microservice, and makes a service call to the target system microservice in the target microservice cluster according to the access request address and the container index to obtain an access result, where the access result is either access success or access failure. For example, if the random number is 69 and the number of containers to which the system microservice belongs is 10, the container index (target remainder) is 9, and the server accesses the target system microservice with index 9 to obtain the access result.
In the embodiments of the present application, a microservice access request is intercepted through a preset microservice gateway to obtain an access request address and a target user token; after the user token expires, a target user permission list is obtained from the target permission management service according to a new user token and cached; before the expiration time, a target microservice cluster is determined based on the tenant identification value and the system microservices in the target microservice cluster are accessed according to the access request address, which improves the permission verification efficiency of the microservice cluster and the accuracy of microservice access.
The microservice access method in the embodiments of the present application has been described above; the microservice access apparatus in the embodiments of the present application is described below. Referring to FIG. 3, an embodiment of the microservice access apparatus in the embodiments of the present application includes:
an interception module 301, configured to intercept a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, where the preset microservice gateway is a request interceptor implemented on the basis of a preset route filtering object;
a judgment module 302, configured to obtain the current time and the expiration time of the target user token, and to determine whether the expiration time is later than the current time;
a writing module 303, configured to, if the expiration time is earlier than or equal to the current time, obtain a new user token, send a permission acquisition request to a target permission management service according to the new user token to obtain a target user permission list, and write the target user permission list into the session information in the in-memory database according to the new user token, where the target permission management service is used to perform microservice authorization operations for multiple tenants;
a query module 304, configured to, if the expiration time is later than the current time, query the session information in the in-memory database according to the target user token to obtain a tenant identification value and cached permission list data, and determine whether the access request address exists in the cached permission list data;
a processing module 305, configured to, if the access request address does not exist in the cached permission list data, generate operation log information according to the target user token and the tenant identification value, and obtain and display warning information, where the warning information is used to indicate that the microservice access request is restricted;
an access module 306, configured to, if the access request address exists in the cached permission list data, determine a target microservice cluster based on the tenant identification value, and access the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
Further, the access request address may be stored in a blockchain database, which is not specifically limited here.
In the embodiments of the present application, a microservice access request is intercepted through a preset microservice gateway to obtain an access request address and a target user token; after the user token expires, a target user permission list is obtained from the target permission management service according to a new user token and cached; before the expiration time, a target microservice cluster is determined based on the tenant identification value and the system microservices in the target microservice cluster are accessed according to the access request address, which improves the permission verification efficiency of the microservice cluster and the accuracy of microservice access.
Referring to FIG. 4, another embodiment of the microservice access apparatus in the embodiments of the present application includes:
an interception module 301, configured to intercept a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, where the preset microservice gateway is a request interceptor implemented on the basis of a preset route filtering object;
a judgment module 302, configured to obtain the current time and the expiration time of the target user token, and to determine whether the expiration time is later than the current time;
a writing module 303, configured to, if the expiration time is earlier than or equal to the current time, obtain a new user token, send a permission acquisition request to a target permission management service according to the new user token to obtain a target user permission list, and write the target user permission list into the session information in the in-memory database according to the new user token, where the target permission management service is used to perform microservice authorization operations for multiple tenants;
a query module 304, configured to, if the expiration time is later than the current time, query the session information in the in-memory database according to the target user token to obtain a tenant identification value and cached permission list data, and determine whether the access request address exists in the cached permission list data;
a processing module 305, configured to, if the access request address does not exist in the cached permission list data, generate operation log information according to the target user token and the tenant identification value, and obtain and display warning information, where the warning information is used to indicate that the microservice access request is restricted;
an access module 306, configured to, if the access request address exists in the cached permission list data, determine a target microservice cluster based on the tenant identification value, and access the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
Optionally, the interception module 301 may be further specifically configured to:
receive a microservice access request, and intercept and parse the microservice access request through the preset microservice gateway to obtain request header information, the preset microservice gateway being a request interceptor implemented based on the preset route filter object zuulfilter;
read the access request address and the target user token from the request header information according to preset parameter names, the target user token being a string set when the user successfully logs in to the microservice.
Optionally, the writing module 303 may be further specifically configured to:
if the expiry time is less than or equal to the current time, invoke a preset login page to guide the user to log in again, obtaining a login result;
when the login result is a preset value, determine that the user has logged in successfully, obtain a new user token and the user's session information, and map the new user token to the user's session information and store them in the in-memory database;
obtain the user unique identifier and the tenant identifier value from the user's session information according to the new user token, and send a permission acquisition request to the target permission management service based on the user unique identifier and the tenant identifier value, so that the target permission management service looks up and returns the target user permission list according to the user unique identifier and the tenant identifier value, the target permission management service being used to perform microservice authorization operations for multiple tenants;
receive the target user permission list, update the target user permission list into the session information in the in-memory database based on the new user token to obtain an update result, and determine according to the update result whether to send the microservice access request.
Optionally, the query module 304 may be further specifically configured to:
if the expiry time is greater than the current time, set the target user token as the target key and query the session information in the in-memory database by the target key to obtain a target value, the session information being the user permission list data obtained by calling the preset permission service when the user first logged in;
when the target value is not null, obtain the tenant identifier value and the cached permission list data from the target value;
call a preset lookup function to search the cached permission list data for the access request address, obtaining a search result;
if the search result is not the preset target value, determine that the access request address is not present in the cached permission list data and generate prompt information, the prompt information indicating that the microservice access request is abnormal;
if the search result is the preset target value, determine that the access request address is present in the cached permission list data.
Optionally, the processing module 305 may be further specifically configured to:
if the access request address is not present in the cached permission list data, generate operation log information from the target user token and the tenant identifier value, and update the operation log information into the in-memory database;
generate warning information according to a preset template and display the warning information in a preset prompt box, the warning information indicating that the microservice access request is restricted.
Optionally, the access module 306 may be further specifically configured to:
if the access request address is present in the cached permission list data, query a preset data table based on the tenant identifier value to obtain the target microservice cluster, the target microservice cluster indicating the list data of the containers to which the system microservice belongs;
obtain a random number and reduce it modulo the number of containers to which the system microservice belongs, obtaining a target remainder;
set the target remainder as the index of the container to which the system microservice belongs, and invoke the target system microservice in the target microservice cluster according to the access request address and the index of the container, obtaining an access result, the access result being either access success or access failure.
Optionally, the microservice access apparatus further includes:
A configuration module 307, configured to add a tenant through the target permission management service and configure the corresponding tenant information for the tenant;
An import module 308, configured to obtain a configuration file containing multiple items of user information and import the configuration file into the target permission management service, so that each item of user information is associated with and bound to the tenant;
An adding module 309, configured to add at least one system microservice to the tenant and create resource item information for each system microservice, the resource item information including menu resources and interface buttons;
An allocation module 310, configured to create a role tree for the tenant, set the resource item information for each role in the role tree, and allocate the role data in the role tree to the multiple users associated with and bound to the tenant.
In the embodiment of the present application, the microservice access request is intercepted by the preset microservice gateway to obtain the access request address and the target user token; after the user token expires, the target user permission list is obtained from the target permission management service according to the new user token and cached; before the expiry time, the target microservice cluster is determined based on the tenant identifier value and the system microservice in the target microservice cluster is accessed according to the access request address. This improves the permission verification efficiency of the microservice cluster and the accuracy of microservice access.
FIG. 3 and FIG. 4 above describe the microservice access apparatus in the embodiment of the present application in detail from the perspective of modules; the microservice access device in the embodiment of the present application is described in detail below from the perspective of hardware processing.
FIG. 5 is a schematic structural diagram of a microservice access device provided by an embodiment of the present application. The microservice access device 500 may vary considerably depending on configuration or performance, and may include one or more processors (central processing units, CPU) 510 (for example, one or more processors), a memory 520, and one or more storage media 530 (for example, one or more mass storage devices) storing application programs 533 or data 532. The memory 520 and the storage medium 530 may be transient storage or persistent storage. The program stored in the storage medium 530 may include one or more modules (not shown in the figure), and each module may include a series of instruction operations on the microservice access device 500. Further, the processor 510 may be configured to communicate with the storage medium 530 and execute the series of instruction operations in the storage medium 530 on the microservice access device 500.
The microservice access device 500 may also include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input/output interfaces 560, and/or one or more operating systems 531, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, and so on. Those skilled in the art will understand that the structure of the microservice access device shown in FIG. 5 does not constitute a limitation on the microservice access device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
The present application further provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium or a volatile computer-readable storage medium. The computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the following steps:
intercepting a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, the preset microservice gateway being a request interceptor implemented based on a preset route filter object;
obtaining the current time and the expiry time of the target user token, and judging whether the expiry time is greater than the current time;
if the expiry time is less than or equal to the current time, obtaining a new user token, sending a permission acquisition request to the target permission management service according to the new user token, obtaining a target user permission list, and writing the target user permission list into the session information in the in-memory database according to the new user token, the target permission management service being used to perform microservice authorization operations for multiple tenants;
if the expiry time is greater than the current time, querying the session information in the in-memory database according to the target user token to obtain a tenant identifier value and cached permission list data, and judging whether the access request address is present in the cached permission list data;
if the access request address is not present in the cached permission list data, generating operation log information from the target user token and the tenant identifier value, and obtaining and displaying warning information, the warning information indicating that the microservice access request is restricted;
if the access request address is present in the cached permission list data, determining a target microservice cluster based on the tenant identifier value, and accessing the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
The present application further provides a microservice access device, which includes a memory and a processor. The memory stores instructions which, when executed by the processor, cause the processor to perform the steps of the microservice access method in each of the above embodiments.
Further, the computer-readable storage medium may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function, and the like, and the data storage area may store data created by the use of a blockchain node, and the like.
The blockchain referred to in the present application is a new application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms, and encryption algorithms. A blockchain is essentially a decentralized database: a chain of data blocks linked by cryptographic methods, each data block containing information on a batch of network transactions and being used to verify the validity of that information (anti-counterfeiting) and to generate the next block. A blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and so on.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the method described in each embodiment of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
The above embodiments are only used to illustrate the technical solution of the present application and not to limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (20)

  1. A microservice access method, comprising:
    intercepting a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, the preset microservice gateway being a request interceptor implemented based on a preset route filter object;
    obtaining the current time and the expiry time of the target user token, and judging whether the expiry time is greater than the current time;
    if the expiry time is less than or equal to the current time, obtaining a new user token, sending a permission acquisition request to a target permission management service according to the new user token, obtaining a target user permission list, and writing the target user permission list into the session information in an in-memory database according to the new user token, the target permission management service being used to perform microservice authorization operations for multiple tenants;
    if the expiry time is greater than the current time, querying the session information in the in-memory database according to the target user token to obtain a tenant identifier value and cached permission list data, and judging whether the access request address is present in the cached permission list data;
    if the access request address is not present in the cached permission list data, generating operation log information from the target user token and the tenant identifier value, and obtaining and displaying warning information, the warning information indicating that the microservice access request is restricted;
    if the access request address is present in the cached permission list data, determining a target microservice cluster based on the tenant identifier value, and accessing the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
  2. The microservice access method according to claim 1, wherein intercepting the microservice access request through the preset microservice gateway to obtain the access request address and the target user token, the preset microservice gateway being a request interceptor implemented based on a preset route filter object, comprises:
    receiving the microservice access request, and intercepting and parsing the microservice access request through the preset microservice gateway to obtain request header information, the preset microservice gateway being a request interceptor implemented based on the preset route filter object zuulfilter;
    reading the access request address and the target user token from the request header information according to preset parameter names, the target user token being a string set when the user successfully logs in to the microservice.
  3. The microservice access method according to claim 1, wherein, if the expiry time is less than or equal to the current time, obtaining the new user token, sending the permission acquisition request to the target permission management service according to the new user token, obtaining the target user permission list, and writing the target user permission list into the session information in the in-memory database according to the new user token, the target permission management service being used to perform microservice authorization operations for multiple tenants, comprises:
    if the expiry time is less than or equal to the current time, invoking a preset login page to guide the user to log in again, obtaining a login result;
    when the login result is a preset value, determining that the user has logged in successfully, obtaining a new user token and the user's session information, and mapping the new user token to the user's session information and storing them in the in-memory database;
    obtaining a user unique identifier and the tenant identifier value from the user's session information according to the new user token, and sending a permission acquisition request to the target permission management service based on the user unique identifier and the tenant identifier value, so that the target permission management service looks up and returns the target user permission list according to the user unique identifier and the tenant identifier value, the target permission management service being used to perform microservice authorization operations for multiple tenants;
    receiving the target user permission list, updating the target user permission list into the session information in the in-memory database based on the new user token to obtain an update result, and determining according to the update result whether to send the microservice access request.
  4. The microservice access method according to claim 1, wherein, if the expiry time is greater than the current time, querying the session information in the in-memory database according to the target user token to obtain the tenant identifier value and the cached permission list data, and judging whether the access request address is present in the cached permission list data, comprises:
    if the expiry time is greater than the current time, setting the target user token as a target key and querying the session information in the in-memory database by the target key to obtain a target value, the session information being the user permission list data obtained by calling a preset permission service when the user first logged in;
    when the target value is not null, obtaining the tenant identifier value and the cached permission list data from the target value;
    calling a preset lookup function to search the cached permission list data for the access request address, obtaining a search result;
    if the search result is not a preset target value, determining that the access request address is not present in the cached permission list data and generating prompt information, the prompt information indicating that the microservice access request is abnormal;
    if the search result is the preset target value, determining that the access request address is present in the cached permission list data.
  5. The microservice access method according to claim 1, wherein, if the access request address is not present in the cached permission list data, generating the operation log information from the target user token and the tenant identifier value, and obtaining and displaying the warning information, the warning information indicating that the microservice access request is restricted, comprises:
    if the access request address is not present in the cached permission list data, generating operation log information from the target user token and the tenant identifier value, and updating the operation log information into the in-memory database;
    generating warning information according to a preset template and displaying the warning information in a preset prompt box, the warning information indicating that the microservice access request is restricted.
  6. The microservice access method according to claim 1, wherein, if the access request address is present in the cached permission list data, determining the target microservice cluster based on the tenant identifier value, and accessing the target system microservice in the target microservice cluster according to the access request address to obtain the access result, comprises:
    if the access request address is present in the cached permission list data, querying a preset data table based on the tenant identifier value to obtain the target microservice cluster, the target microservice cluster indicating the list data of the containers to which the system microservice belongs;
    obtaining a random number and reducing it modulo the number of containers to which the system microservice belongs, obtaining a target remainder;
    setting the target remainder as the index of the container to which the system microservice belongs, and invoking the target system microservice in the target microservice cluster according to the access request address and the index of the container to which the system microservice belongs, obtaining an access result, the access result being either access success or access failure.
  7. The microservice access method according to any one of claims 1 to 6, wherein, before intercepting the microservice access request through the preset microservice gateway to obtain the access request address and the target user token, the preset microservice gateway being a request interceptor implemented based on a preset route filter object, the microservice access method further comprises:
    adding a tenant through the target permission management service, and configuring the corresponding tenant information for the tenant;
    obtaining a configuration file containing multiple items of user information, and importing the configuration file into the target permission management service, so that each item of user information is associated with and bound to the tenant;
    adding at least one system microservice to the tenant, and creating resource item information for each system microservice, the resource item information including menu resources and interface buttons;
    creating a role tree for the tenant, setting the resource item information for each role in the role tree, and allocating the role data in the role tree to the multiple users associated with and bound to the tenant.
  8. A microservice access device, comprising a memory, a processor, and computer-readable instructions stored on the memory and executable on the processor, wherein the processor, when executing the computer-readable instructions, implements the following steps:
    intercepting a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, the preset microservice gateway being a request interceptor implemented on the basis of a preset route filter object;
    obtaining the current time and the expiration time of the target user token, and determining whether the expiration time is later than the current time;
    if the expiration time is earlier than or equal to the current time, obtaining a new user token, sending a permission acquisition request to a target permission management service according to the new user token to obtain a target user permission list, and writing the target user permission list into the session information in an in-memory database according to the new user token, the target permission management service being used to direct microservice authorization operations for multiple tenants;
    if the expiration time is later than the current time, querying the session information in the in-memory database according to the target user token to obtain a tenant identifier value and cached permission list data, and determining whether the access request address exists in the cached permission list data;
    if the access request address does not exist in the cached permission list data, generating operation log information according to the target user token and the tenant identifier value, and obtaining and displaying warning information, the warning information being used to indicate that the microservice access request is restricted;
    if the access request address exists in the cached permission list data, determining a target microservice cluster on the basis of the tenant identifier value, and accessing the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
  9. The microservice access device according to claim 8, wherein the processor, when executing the computer program, further implements the following steps:
    receiving a microservice access request, and intercepting and parsing the microservice access request through a preset microservice gateway to obtain request header information, the preset microservice gateway being a request interceptor implemented on the basis of the preset route filter object zuulfilter;
    reading the access request address and the target user token from the request header information according to preset parameter names, the target user token being a string set when the user successfully logs in to the microservice.
  10. The microservice access device according to claim 8, wherein the processor, when executing the computer program, further implements the following steps:
    if the expiration time is earlier than or equal to the current time, invoking a preset login page to guide the user to log in again, and obtaining a login result;
    when the login result is a preset value, determining that the user has logged in successfully, obtaining a new user token and the user's session information, and mapping the new user token to the user's session information and storing them in the in-memory database;
    obtaining a unique user identifier and a tenant identifier value from the user's session information according to the new user token, and sending a permission acquisition request to the target permission management service on the basis of the unique user identifier and the tenant identifier value, so that the target permission management service looks up and returns the target user permission list according to the unique user identifier and the tenant identifier value, the target permission management service being used to direct microservice authorization operations for multiple tenants;
    receiving the target user permission list, updating the session information in the in-memory database with the target user permission list on the basis of the new user token to obtain an update result, and determining, according to the update result, whether to forward the microservice access request.
  11. The microservice access device according to claim 8, wherein the processor, when executing the computer program, further implements the following steps:
    if the expiration time is later than the current time, setting the target user token as a target key, and querying the session information in the in-memory database according to the target key to obtain a target value, the session information being the user permission list data obtained by invoking a preset permission service when the user first logged in;
    when the target value is not null, obtaining the tenant identifier value and the cached permission list data from the target value;
    invoking a preset lookup function to search the cached permission list data for the access request address, and obtaining a search result;
    if the search result is not a preset target value, determining that the access request address does not exist in the cached permission list data, and generating prompt information, the prompt information being used to indicate that the microservice access request is abnormal;
    if the search result is the preset target value, determining that the access request address exists in the cached permission list data.
  12. The microservice access device according to claim 8, wherein the processor, when executing the computer program, further implements the following steps:
    if the access request address does not exist in the cached permission list data, generating operation log information according to the target user token and the tenant identifier value, and updating the in-memory database with the operation log information;
    generating warning information according to a preset template, and displaying the warning information through a preset prompt box, the warning information being used to indicate that the microservice access request is restricted.
  13. The microservice access device according to claim 8, wherein the processor, when executing the computer program, further implements the following steps:
    if the access request address exists in the cached permission list data, querying a preset data table on the basis of the tenant identifier value to obtain a target microservice cluster, the target microservice cluster being used to indicate the list data of the containers to which the system microservice belongs;
    obtaining a random number, and taking the random number modulo the number of containers to which the system microservice belongs, to obtain a target remainder;
    setting the target remainder as the index of the container to which the system microservice belongs, and invoking the target system microservice in the target microservice cluster according to the access request address and the index of the container to which the system microservice belongs, to obtain an access result, wherein the access result is either access success or access failure.
  14. The microservice access device according to any one of claims 8 to 13, wherein the processor, when executing the computer program, further implements the following steps:
    adding a new tenant through the target permission management service, and configuring the corresponding tenant information for the tenant;
    obtaining a configuration file containing information on multiple users, and importing the configuration file into the target permission management service, so that each item of user information is associated with and bound to the tenant;
    adding at least one system microservice to the tenant, and creating resource item information for each system microservice, the resource item information including menu resources and interface buttons;
    creating a role tree for the tenant, setting the resource item information for each role in the role tree, and assigning the role data in the role tree to the multiple users associated with and bound to the tenant.
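The provisioning procedure of claims 7 and 14 (tenant, imported users, system microservices with resource items, role tree, role assignment) is what produces the per-user permission list that the gateway later fetches by unique user identifier and tenant identifier. The following is an added example, not code from the patent or its applicant; the data model, the class and method names, and the rule that a role carries its own resources plus those of its subtree are assumptions, since the claims only state which objects are created and bound, not how the permission list is derived.

```python
import posixpath
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    resources: set = field(default_factory=set)   # request addresses of menus / interface buttons
    children: list = field(default_factory=list)  # child Role objects


@dataclass
class Tenant:
    tenant_id: str
    info: dict
    users: dict = field(default_factory=dict)        # user_id -> imported user record
    services: dict = field(default_factory=dict)     # service name -> {resource name: address}
    roles: dict = field(default_factory=dict)        # role name -> Role
    root_roles: list = field(default_factory=list)
    assignments: dict = field(default_factory=dict)  # user_id -> set of assigned role names


class PermissionService:
    """Stand-in (assumed) for the claims' 'target permission management service'."""

    def __init__(self):
        self.tenants = {}

    def add_tenant(self, tenant_id, info):
        """Step 1: add a tenant and configure its tenant information."""
        if tenant_id in self.tenants:
            raise ValueError(f"tenant {tenant_id} already exists")
        self.tenants[tenant_id] = Tenant(tenant_id, dict(info))

    def import_users(self, tenant_id, rows):
        """Step 2: import the user configuration file; every row is bound to this tenant."""
        tenant = self.tenants[tenant_id]
        for row in rows:
            tenant.users[row["user_id"]] = dict(row)
            tenant.assignments.setdefault(row["user_id"], set())

    def add_service(self, tenant_id, service, resources):
        """Step 3: add a system microservice and its resource items (menus, buttons).
        Addresses are normalised so they match what the gateway will look up."""
        tenant = self.tenants[tenant_id]
        tenant.services[service] = {name: posixpath.normpath(addr) for name, addr in resources.items()}

    def create_role_tree(self, tenant_id, spec):
        """Step 4a: build the role tree from a nested spec
        {"role": {"resources": [...], "children": {...}}}; a role may only reference
        resource items that were registered for this tenant."""
        tenant = self.tenants[tenant_id]
        known = {addr for svc in tenant.services.values() for addr in svc.values()}

        def build(name, node):
            unknown = set(node.get("resources", [])) - known
            if unknown:
                raise ValueError(f"role {name} references unknown resources {sorted(unknown)}")
            role = Role(name, set(node.get("resources", [])))
            for child_name, child_node in node.get("children", {}).items():
                role.children.append(build(child_name, child_node))
            tenant.roles[name] = role
            return role

        tenant.root_roles = [build(n, node) for n, node in spec.items()]

    def assign_roles(self, tenant_id, user_id, role_names):
        """Step 4b: assign roles, but only to users already bound to the tenant."""
        tenant = self.tenants[tenant_id]
        if user_id not in tenant.users:
            raise ValueError(f"user {user_id} is not bound to tenant {tenant_id}")
        missing = set(role_names) - set(tenant.roles)
        if missing:
            raise ValueError(f"unknown roles {sorted(missing)}")
        tenant.assignments[user_id].update(role_names)

    def permission_list(self, user_id, tenant_id):
        """What the gateway requests by (user_id, tenant_id). A user with no binding
        to the tenant gets an empty list, never another tenant's resources."""
        tenant = self.tenants.get(tenant_id)
        if tenant is None or user_id not in tenant.users:
            return frozenset()
        allowed = set()
        for role_name in tenant.assignments.get(user_id, ()):
            stack = [tenant.roles[role_name]]
            while stack:                      # assumed rule: a role covers its whole subtree
                role = stack.pop()
                allowed |= role.resources
                stack.extend(role.children)
        return frozenset(allowed)
```

The two checks that matter for isolation are in `assign_roles` and `permission_list`: a role cannot be assigned to a user who was never imported into the tenant, and the list returned for a (user, tenant) pair that has no binding is empty rather than an error that a caller might swallow. Resource addresses are normalised at registration time so that the exact-match lookup the gateway performs compares like with like.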
  15. A computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the following steps:
    intercepting a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, the preset microservice gateway being a request interceptor implemented on the basis of a preset route filter object;
    obtaining the current time and the expiration time of the target user token, and determining whether the expiration time is later than the current time;
    if the expiration time is earlier than or equal to the current time, obtaining a new user token, sending a permission acquisition request to a target permission management service according to the new user token to obtain a target user permission list, and writing the target user permission list into the session information in an in-memory database according to the new user token, the target permission management service being used to direct microservice authorization operations for multiple tenants;
    if the expiration time is later than the current time, querying the session information in the in-memory database according to the target user token to obtain a tenant identifier value and cached permission list data, and determining whether the access request address exists in the cached permission list data;
    if the access request address does not exist in the cached permission list data, generating operation log information according to the target user token and the tenant identifier value, and obtaining and displaying warning information, the warning information being used to indicate that the microservice access request is restricted;
    if the access request address exists in the cached permission list data, determining a target microservice cluster on the basis of the tenant identifier value, and accessing the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
  16. The computer-readable storage medium according to claim 15, wherein the computer instructions, when run on a computer, further cause the computer to perform the following steps:
    receiving a microservice access request, and intercepting and parsing the microservice access request through a preset microservice gateway to obtain request header information, the preset microservice gateway being a request interceptor implemented on the basis of the preset route filter object zuulfilter;
    reading the access request address and the target user token from the request header information according to preset parameter names, the target user token being a string set when the user successfully logs in to the microservice.
  17. The computer-readable storage medium according to claim 15, wherein the computer instructions, when run on a computer, further cause the computer to perform the following steps:
    if the expiration time is earlier than or equal to the current time, invoking a preset login page to guide the user to log in again, and obtaining a login result;
    when the login result is a preset value, determining that the user has logged in successfully, obtaining a new user token and the user's session information, and mapping the new user token to the user's session information and storing them in the in-memory database;
    obtaining a unique user identifier and a tenant identifier value from the user's session information according to the new user token, and sending a permission acquisition request to the target permission management service on the basis of the unique user identifier and the tenant identifier value, so that the target permission management service looks up and returns the target user permission list according to the unique user identifier and the tenant identifier value, the target permission management service being used to direct microservice authorization operations for multiple tenants;
    receiving the target user permission list, updating the session information in the in-memory database with the target user permission list on the basis of the new user token to obtain an update result, and determining, according to the update result, whether to forward the microservice access request.
  18. The computer-readable storage medium according to claim 15, wherein the computer instructions, when run on a computer, further cause the computer to perform the following steps:
    if the expiration time is later than the current time, setting the target user token as a target key, and querying the session information in the in-memory database according to the target key to obtain a target value, the session information being the user permission list data obtained by invoking a preset permission service when the user first logged in;
    when the target value is not null, obtaining the tenant identifier value and the cached permission list data from the target value;
    invoking a preset lookup function to search the cached permission list data for the access request address, and obtaining a search result;
    if the search result is not a preset target value, determining that the access request address does not exist in the cached permission list data, and generating prompt information, the prompt information being used to indicate that the microservice access request is abnormal;
    if the search result is the preset target value, determining that the access request address exists in the cached permission list data.
  19. The computer-readable storage medium according to claim 15, wherein the computer instructions, when run on a computer, further cause the computer to perform the following steps:
    if the access request address does not exist in the cached permission list data, generating operation log information according to the target user token and the tenant identifier value, and updating the in-memory database with the operation log information;
    generating warning information according to a preset template, and displaying the warning information through a preset prompt box, the warning information being used to indicate that the microservice access request is restricted.
  20. A microservice access apparatus, wherein the microservice access apparatus comprises:
    an interception module, configured to intercept a microservice access request through a preset microservice gateway to obtain an access request address and a target user token, the preset microservice gateway being a request interceptor implemented on the basis of a preset route filter object;
    a determination module, configured to obtain the current time and the expiration time of the target user token, and determine whether the expiration time is later than the current time;
    a writing module, configured to, if the expiration time is earlier than or equal to the current time, obtain a new user token, send a permission acquisition request to a target permission management service according to the new user token to obtain a target user permission list, and write the target user permission list into the session information in an in-memory database according to the new user token, the target permission management service being used to direct microservice authorization operations for multiple tenants;
    a query module, configured to, if the expiration time is later than the current time, query the session information in the in-memory database according to the target user token to obtain a tenant identifier value and cached permission list data, and determine whether the access request address exists in the cached permission list data;
    a processing module, configured to, if the access request address does not exist in the cached permission list data, generate operation log information according to the target user token and the tenant identifier value, and obtain and display warning information, the warning information being used to indicate that the microservice access request is restricted;
    an access module, configured to, if the access request address exists in the cached permission list data, determine a target microservice cluster on the basis of the tenant identifier value, and access the target system microservice in the target microservice cluster according to the access request address to obtain an access result.
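The gateway-side flow that claims 8 to 13, 15 to 19 and 20 describe (header extraction, token expiry check, session lookup by token, exact-match check of the request address against the cached permission list, audit log on refusal, tenant-scoped cluster selection by random modulo) is written out below as an added example; it is not code from the patent or its applicant, and it is in Python rather than in the Java Zuul filter the claims name. Assumptions beyond the claims: the header names, a plain dict standing in for the in-memory session database, a callable standing in for the permission management service, and the `canonical()` step, which the claims do not mention but which an exact-match allow-list needs so that `/a/../b` and `/b?x=1` are compared as the same address.

```python
import posixpath
import random
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The claims only say "preset parameter names"; these header names are assumptions.
TOKEN_HEADER = "X-User-Token"
ADDRESS_HEADER = "X-Request-Address"


def canonical(address):
    """Key for the exact-match lookup (an addition beyond the claims): drop the
    query string and collapse '.', '..' and repeated slashes in the path."""
    path = urlsplit(address).path or "/"
    return posixpath.normpath(path)


@dataclass
class Session:
    tenant_id: str
    user_id: str
    expires_at: float          # token expiry, epoch seconds
    permissions: frozenset     # cached permission list: canonical request addresses


@dataclass
class Gateway:
    sessions: dict                     # token -> Session (stand-in for the in-memory DB)
    clusters: dict                     # tenant_id -> list of container addresses
    permission_service: object = None  # callable(user_id, tenant_id) -> iterable of addresses
    audit_log: list = field(default_factory=list)

    def extract(self, headers):
        """Claim 9: read the access request address and the token from the headers."""
        return headers.get(ADDRESS_HEADER), headers.get(TOKEN_HEADER)

    def refresh_session(self, new_token, user_id, tenant_id, ttl, now):
        """Claim 10: after a successful re-login, fetch the permission list for
        (user, tenant) and store it under the new token."""
        perms = frozenset(canonical(a) for a in self.permission_service(user_id, tenant_id))
        self.sessions[new_token] = Session(tenant_id, user_id, now + ttl, perms)
        return self.sessions[new_token]

    def handle(self, headers, now=None, rng=random):
        now = time.time() if now is None else now
        address, token = self.extract(headers)
        if not address or not token:
            return {"status": "restricted", "reason": "missing token or address"}

        session = self.sessions.get(token)
        if session is None:              # claim 11: target value is null -> nothing cached
            return {"status": "relogin", "reason": "no session for token"}
        if session.expires_at <= now:    # claim 8: expired -> re-login and refetch rights
            return {"status": "relogin", "reason": "token expired"}

        key = canonical(address)
        if key not in session.permissions:   # claim 12: log the refusal, then warn
            self.audit_log.append({"at": now, "token": token,
                                   "tenant": session.tenant_id, "address": address})
            return {"status": "restricted", "reason": "address not in permission list"}

        # claim 13: the cluster comes from the tenant recorded in the session,
        # never from anything the caller sent, so one tenant cannot reach another's containers
        containers = self.clusters.get(session.tenant_id, [])
        if not containers:
            return {"status": "failed", "reason": "no containers for tenant"}
        index = rng.randrange(1 << 31) % len(containers)   # random number modulo container count
        return {"status": "success", "tenant": session.tenant_id,
                "container": containers[index], "address": key}
```

Two points worth keeping in mind when building on this. The random-modulo step is load distribution only; the authorization decision is made entirely by the expiry check and the permission-list lookup before it. And because the claims key the allow-list on the address alone, the HTTP method plays no part in the decision; a deployment that exposes different operations on the same path under different methods would need to include the method in the cached permission entries.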
PCT/CN2021/090256 2020-12-15 2021-04-27 Micro-service access method, apparatus and device, and storage medium WO2022126968A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011476001.5A CN112615849B (en) 2020-12-15 2020-12-15 Micro-service access method, device, equipment and storage medium
CN202011476001.5 2020-12-15

Publications (1)

Publication Number Publication Date
WO2022126968A1 true WO2022126968A1 (en) 2022-06-23

Family

ID=75234141

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/090256 WO2022126968A1 (en) 2020-12-15 2021-04-27 Micro-service access method, apparatus and device, and storage medium

Country Status (2)

Country Link
CN (1) CN112615849B (en)
WO (1) WO2022126968A1 (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115002211A (en) * 2022-07-28 2022-09-02 成都乐超人科技有限公司 Cloud-native-based after-sale micro-service implementation method, device, equipment and medium
CN115022088A (en) * 2022-07-21 2022-09-06 中国建设银行股份有限公司 Government affair gateway system
CN115118703A (en) * 2022-07-28 2022-09-27 中国工商银行股份有限公司 Service calling method and device and electronic equipment
CN115242613A (en) * 2022-08-03 2022-10-25 浙江网商银行股份有限公司 Target node determination method and device
CN115277234A (en) * 2022-08-01 2022-11-01 重庆标能瑞源储能技术研究院有限公司 Security authentication method and system based on Internet of things platform micro-service
CN115277128A (en) * 2022-07-13 2022-11-01 上海砾阳软件有限公司 Illegal request processing method and device and electronic equipment
CN115495718A (en) * 2022-09-19 2022-12-20 广东云徙智能科技有限公司 Method, device and equipment for authorizing back-end capability based on front-end declaration
CN115567254A (en) * 2022-09-06 2023-01-03 浪潮软件股份有限公司 Method and system for realizing public data open to outside based on calculation model
CN115801476A (en) * 2023-02-09 2023-03-14 中国证券登记结算有限责任公司 Verification method and device for application request
CN115828309A (en) * 2023-02-09 2023-03-21 中国证券登记结算有限责任公司 Service calling method and system
CN116049860A (en) * 2023-03-06 2023-05-02 深圳前海环融联易信息科技服务有限公司 Access control method, device, computer equipment and storage medium
CN116069264A (en) * 2023-03-13 2023-05-05 南京飓风引擎信息技术有限公司 Application program data information storage control system
CN116401231A (en) * 2023-03-20 2023-07-07 一临云(深圳)科技有限公司 Data source management method, device and storage medium
CN116743702A (en) * 2023-08-16 2023-09-12 湖南映客互娱网络信息有限公司 Uniform domain name access method, device and equipment of SaaS system
CN117375901A (en) * 2023-09-30 2024-01-09 上海复通软件技术有限公司 Cross-tenant multi-terminal authentication method and system
CN117668920A (en) * 2024-02-02 2024-03-08 杭州高特电子设备股份有限公司 Secure access method, system, equipment and medium based on internal energy storage system
CN116401231B (en) * 2023-03-20 2024-04-26 一临云(深圳)科技有限公司 Data source management method, device and storage medium

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113139169A (en) * 2021-04-23 2021-07-20 上海中通吉网络技术有限公司 Non-invasive authority control system
CN113239060B (en) * 2021-05-31 2023-09-29 康键信息技术(深圳)有限公司 Data resource allocation processing method, device, equipment and storage medium
CN113343150A (en) * 2021-06-24 2021-09-03 平安普惠企业管理有限公司 Data processing method and device, electronic equipment and storage medium
CN113568762A (en) * 2021-07-19 2021-10-29 远光软件股份有限公司 Cross-system access method, equipment and computer readable storage medium
CN113765676A (en) * 2021-09-18 2021-12-07 平安国际智慧城市科技股份有限公司 Interface access control method based on multiple user identities and related equipment
CN114430423A (en) * 2022-01-26 2022-05-03 百果园技术(新加坡)有限公司 Communication management method, device, equipment and storage medium between terminals
CN114513349A (en) * 2022-01-29 2022-05-17 中国人民财产保险股份有限公司 Method and device for determining source of micro-service requester
CN114666094B (en) * 2022-02-17 2023-10-20 岚图汽车科技有限公司 User authority management method and related equipment of vehicle service platform
CN114756877A (en) * 2022-04-06 2022-07-15 北京有竹居网络技术有限公司 Data management method, device, server and storage medium
CN114826724B (en) * 2022-04-20 2024-04-09 网易(杭州)网络有限公司 Data processing method, device, electronic equipment and storage medium
CN115481386B (en) * 2022-09-15 2023-05-30 中航信移动科技有限公司 Batch configuration system for target application use permission
CN115344620B (en) * 2022-10-19 2023-01-06 成都中科合迅科技有限公司 Method for realizing data on-demand synchronization after front-end and back-end separation by user-defined data pool
CN116319809B (en) * 2022-12-27 2023-12-29 昆仑数智科技有限责任公司 Method and system for data operation
CN116319090B (en) * 2023-05-18 2023-08-11 中国电子信息产业集团有限公司第六研究所 Power and environment monitoring system and method based on micro-service
CN116980182B (en) * 2023-06-21 2024-02-27 杭州明实科技有限公司 Abnormal request detection method and device and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018044604A1 (en) * 2016-08-31 2018-03-08 Oracle International Corporation Data management for a multi-tenant identity cloud service
CN110601832A (en) * 2019-09-27 2019-12-20 中煤航测遥感集团有限公司 Data access method and device
CN110781476A (en) * 2019-10-15 2020-02-11 南京南瑞信息通信科技有限公司 Flexible micro-service security access control method and system
CN111355743A (en) * 2020-03-11 2020-06-30 成都卓杭网络科技股份有限公司 Management method and system based on API gateway
CN112039909A (en) * 2020-09-03 2020-12-04 平安科技(深圳)有限公司 Authentication method, device, equipment and storage medium based on unified gateway

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10846390B2 (en) * 2016-09-14 2020-11-24 Oracle International Corporation Single sign-on functionality for a multi-tenant identity and data security management cloud service
CN107483538B (en) * 2017-07-06 2021-01-01 聚好看科技股份有限公司 Method and device for processing access request packet on node of micro-service cluster
US10931656B2 (en) * 2018-03-27 2021-02-23 Oracle International Corporation Cross-region trust for a multi-tenant identity cloud service
CN110120946B (en) * 2019-04-29 2021-07-20 武汉理工大学 Unified authentication system and method for Web and micro-service
CN111431970B (en) * 2020-02-29 2023-05-26 深圳壹账通智能科技有限公司 Resource allocation method, device, equipment and storage medium based on micro-service architecture

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277128B (en) * 2022-07-13 2024-02-23 上海砾阳软件有限公司 Illegal request processing method and device and electronic equipment
CN115277128A (en) * 2022-07-13 2022-11-01 上海砾阳软件有限公司 Illegal request processing method and device and electronic equipment
CN115022088A (en) * 2022-07-21 2022-09-06 中国建设银行股份有限公司 Government affair gateway system
CN115002211A (en) * 2022-07-28 2022-09-02 成都乐超人科技有限公司 Cloud-native-based after-sale micro-service implementation method, device, equipment and medium
CN115118703A (en) * 2022-07-28 2022-09-27 中国工商银行股份有限公司 Service calling method and device and electronic equipment
CN115118703B (en) * 2022-07-28 2024-03-08 中国工商银行股份有限公司 Service calling method and device and electronic equipment
CN115002211B (en) * 2022-07-28 2022-12-06 成都乐超人科技有限公司 Method, device, equipment and medium for realizing after-sale micro-service based on cloud protogenesis
CN115277234B (en) * 2022-08-01 2024-01-09 重庆标能瑞源储能技术研究院有限公司 Security authentication method and system based on Internet of things platform micro-service
CN115277234A (en) * 2022-08-01 2022-11-01 重庆标能瑞源储能技术研究院有限公司 Security authentication method and system based on Internet of things platform micro-service
CN115242613B (en) * 2022-08-03 2024-03-15 浙江网商银行股份有限公司 Target node determining method and device
CN115242613A (en) * 2022-08-03 2022-10-25 浙江网商银行股份有限公司 Target node determination method and device
CN115567254A (en) * 2022-09-06 2023-01-03 浪潮软件股份有限公司 Method and system for realizing public data open to outside based on calculation model
CN115495718B (en) * 2022-09-19 2023-10-13 广东云徙智能科技有限公司 Front-end statement-based back-end capability authorization method, device and equipment
CN115495718A (en) * 2022-09-19 2022-12-20 广东云徙智能科技有限公司 Method, device and equipment for authorizing back-end capability based on front-end declaration
CN115801476A (en) * 2023-02-09 2023-03-14 中国证券登记结算有限责任公司 Verification method and device for application request
CN115828309A (en) * 2023-02-09 2023-03-21 中国证券登记结算有限责任公司 Service calling method and system
CN115828309B (en) * 2023-02-09 2023-11-07 中国证券登记结算有限责任公司 Service calling method and system
CN116049860A (en) * 2023-03-06 2023-05-02 深圳前海环融联易信息科技服务有限公司 Access control method, device, computer equipment and storage medium
CN116049860B (en) * 2023-03-06 2023-06-02 深圳前海环融联易信息科技服务有限公司 Access control method, device, computer equipment and storage medium
CN116069264A (en) * 2023-03-13 2023-05-05 南京飓风引擎信息技术有限公司 Application program data information storage control system
CN116401231A (en) * 2023-03-20 2023-07-07 一临云(深圳)科技有限公司 Data source management method, device and storage medium
CN116401231B (en) * 2023-03-20 2024-04-26 一临云(深圳)科技有限公司 Data source management method, device and storage medium
CN116743702B (en) * 2023-08-16 2024-02-27 湖南映客互娱网络信息有限公司 Uniform domain name access method, device and equipment of SaaS system
CN116743702A (en) * 2023-08-16 2023-09-12 湖南映客互娱网络信息有限公司 Uniform domain name access method, device and equipment of SaaS system
CN117375901A (en) * 2023-09-30 2024-01-09 上海复通软件技术有限公司 Cross-tenant multi-terminal authentication method and system
CN117668920A (en) * 2024-02-02 2024-03-08 杭州高特电子设备股份有限公司 Secure access method, system, equipment and medium based on internal energy storage system

Also Published As

Publication number Publication date
CN112615849A (en) 2021-04-06
CN112615849B (en) 2022-04-26

Similar Documents

Publication Publication Date Title
WO2022126968A1 (en) Micro-service access method, apparatus and device, and storage medium
JP7222036B2 (en) Model training system and method and storage medium
US9852206B2 (en) Computer relational database method and system having role based access control
CN111698228B (en) System access authority granting method, device, server and storage medium
US10055561B2 (en) Identity risk score generation and implementation
US7356840B1 (en) Method and system for implementing security filters for reporting systems
US6085191A (en) System and method for providing database access control in a secure distributed network
US6038563A (en) System and method for restricting database access to managed object information using a permissions table that specifies access rights corresponding to user access rights to the managed objects
US20170155686A1 (en) Fine-grained structured data store access using federated identity management
US6484258B1 (en) Access control using attributes contained within public key certificates
US8959613B2 (en) System and method for managing access to a plurality of servers in an organization
CN111709046A (en) User permission data configuration method, device, equipment and storage medium
CN106874461A (en) A kind of workflow engine supports multi-data source configuration security access system and method
US8051168B1 (en) Method and system for security and user account integration by reporting systems with remote repositories
US20020078004A1 (en) Extendible access control for lightweight directory access protocol
CN103095720B (en) A kind of method for managing security of cloud storage system of dialogue-based management server
US11836243B2 (en) Centralized applications credentials management
US7801967B1 (en) Method and system for implementing database connection mapping for reporting systems
US9015790B2 (en) Integrating sudo rules with entities represented in an LDAP directory
CN111274569A (en) Research, development, operation and maintenance integrated system for unified login authentication and login authentication method thereof
CN112019495B (en) Dynamic mapping mechanism and data security control method for wide-area virtual data space account
CN100561516C (en) Network gridding service system of national geolopy spatial data
CN107491360B (en) The method for being classified other redundant storage is carried out to record in tables of data
CN110430211A (en) A kind of virtualization cloud desktop system and operating method
CN110995425A (en) Database based on quantum key distribution and data access channel fusion of QKD (quantum key distribution) protocol

Legal Events

Date | Code | Title | Description
NENP | Non-entry into the national phase | Ref country code: DE
32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 08/08/2023)
122 | Ep: pct application non-entry in european phase | Ref document number: 21904907; Country of ref document: EP; Kind code of ref document: A1