WO2023241366A1 - Data processing method and system, and electronic device and computer-readable storage medium - Google Patents

Data processing method and system, and electronic device and computer-readable storage medium Download PDF

Info

Publication number
WO2023241366A1
WO2023241366A1 PCT/CN2023/097671 CN2023097671W WO2023241366A1 WO 2023241366 A1 WO2023241366 A1 WO 2023241366A1 CN 2023097671 W CN2023097671 W CN 2023097671W WO 2023241366 A1 WO2023241366 A1 WO 2023241366A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
condition
control module
request
module
Prior art date
Application number
PCT/CN2023/097671
Other languages
French (fr)
Chinese (zh)
Inventor
陈登月
莫元武
Original Assignee
易保网络技术(上海)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 易保网络技术(上海)有限公司 filed Critical 易保网络技术(上海)有限公司
Publication of WO2023241366A1 publication Critical patent/WO2023241366A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Definitions

  • the invention relates to the field of computer technology, and in particular to a data processing method, system, electronic equipment and computer-readable storage medium.
  • clients can respond to user operations and obtain products and services provided by the connected business platform to process corresponding businesses. , and then the client can display the corresponding business processing results to the user based on the business processing data fed back by the business platform.
  • the insurance business client can rely on the online insurance platform to provide insurance-related service modules to users who need insurance.
  • the client relying on the business platform can be a business system application (application, APP) running on an electronic device such as a mobile phone, or a web-based business system application, which is not limited here.
  • third-party services can also be microservices running under Kubernetes, and the business platform can connect business requests for such third-party services to corresponding third-party services for processing, where Kubernetes is used
  • An open source system that automatically deploys, scales and manages containerized applications.
  • some third-party services may be software developed under some old frameworks, that is, the development framework may be incompatible with the system framework of the business platform; some third-party services may have authorization restrictions, etc.
  • the embodiments of the present application provide a data processing method, system, electronic device and computer-readable storage medium to solve It solves the current problems of difficulty and large development volume in functional enhancement and transformation of service modules such as third-party services integrated on the business platform. It can effectively enhance the security performance and scene adaptability of each service module, so there is no need to modify third-party services. Higher-cost functional enhancements and transformations save service development costs. Moreover, the business platform implemented based on this application solution can easily connect to third-party services and perform some security or scene adaptability function upgrades without modifying the relevant code of third-party services, which is conducive to improving the client, development side and third-party services. A multi-device user experience.
  • embodiments of the present application provide a data processing method, which method is applied to a business platform including a routing module, a data management and control module, and a service module, where the service module includes third-party services.
  • the method includes:
  • the routing module obtains the first request data for the target service
  • the routing module sends first request data to the data management and control module, where the first request data at least includes identification information of the target service module and target data acquisition parameters for the target service;
  • the data management and control module determines whether the first request data satisfies the first condition, where the first condition is used to check the validity and security of the first request data processed by the request target service module;
  • the data management and control module After confirming that the first request data meets the first condition, the data management and control module sends the first request data to the target service module;
  • the data management and control module modifies the first request data to obtain the second request data that meets the first condition, and the data management and control module sends the second request data to the target service module.
  • the business request-related data accessed by the business platform is screened, for example, including the above-mentioned validity and security check of the first request data based on the preset first condition.
  • the request data that meets some inspection requirements related to the target service module ie, the above-mentioned first request data
  • the above-mentioned target service module includes a third-party service.
  • the third-party service may be, for example, the visualization service (Kibana) illustrated in Embodiment 2 below.
  • the above-mentioned first request data may be, for example, visualization service request data that needs to be processed by Kibana.
  • the first condition is dynamically determined based on at least one of the normative requirements of the API entry parameters of the target service module and the service data security requirements of the target service module.
  • the first condition corresponding to the preset of the visualization service can be determined based on Kibana's various API entry parameter thresholds and other requirements, as well as Kibana's requirements for the source of data content for visual display and the security of the data content.
  • the first condition may also include restrictions on the data table format corresponding to the data content to be visually displayed, etc., which is not limited here.
  • the first condition includes a parameter threshold judgment condition preset for at least one API entry parameter of the target service module, and the data management and control module judges whether the first request data satisfies the first Conditions include: the data management and control module determines whether the value of the first parameter in the first request data is within the preset first parameter threshold range; if the value of the first parameter is within the first parameter threshold range, the data management and control module confirms The first request data satisfies the first condition; if the value of the first parameter is not within the first parameter threshold range, the data management and control module confirms that the first request data does not satisfy the first condition.
  • the data management and control module modifies the first request data to obtain the second request data that satisfies the first condition, including: The value of the first parameter within a parameter threshold range is adjusted to within the first parameter threshold range.
  • the corresponding API entry parameters in the request data can be adjusted to within the threshold requirement range, so that the business request data In the subsequent process, the target service module is successfully connected for processing.
  • the target service module is used to process the request data sent by the data management and control module.
  • the request data includes first request data and second request data, and the above method includes:
  • the target service module processes the received request data to obtain the first processing data
  • the target service module returns the first processing data to the data management and control module
  • the data management and control module determines whether the first processed data satisfies the second condition, where the second condition is used to perform a security check on the first processed data to be returned to the service requesting end, which is the client that initiates the target service;
  • the data management and control module After confirming that the first processed data meets the second condition, the data management and control module sends the first processed data to the routing module;
  • the data management and control module modifies the first processed data to obtain second processed data that meets the second condition, and the data management and control module sends the second processed data to the routing module.
  • the business processing data obtained by the target service module processing the corresponding business request data i.e., the above-mentioned first request data
  • the business requester receiving the business processing data can also receive higher security guarantees.
  • the second condition is dynamically determined based on at least one of a security verification parameter, a permission verification parameter, and a data protection verification parameter of the service requesting end.
  • the second condition includes sensitive data identification parameters as security verification parameters; and the data management and control module determines whether the first processed data satisfies the second condition, including:
  • the data management and control module determines whether the first processed data contains sensitive data based on the sensitive data identification parameters
  • the first processed data contains sensitive data, it is confirmed that the first processed data does not meet the second condition.
  • the data management and control module modifies the first processed data to obtain the second processed data that satisfies the second condition, including: deleting the first processed data. Sensitive data in the processed data; or, encrypting sensitive data in the first processed data.
  • the second condition includes authorization information verification parameters as authority verification parameters; and the data management and control module determines whether the first processed data satisfies the second condition, including:
  • the data management and control module verifies parameters based on the authorization information to confirm whether the terminal recipient of the first processed data has the right to obtain the entire data content of the first processed data;
  • the terminal recipient of the first processed data has the right to obtain the entire data content of the first processed data, it is confirmed that the first processed data satisfies the second condition;
  • the terminal recipient of the first processed data does not have the right to obtain the entire data content of the first processed data, it is confirmed that the first processed data does not meet the second condition.
  • the data management and control module modifies the first processed data to obtain the second processed data that satisfies the second condition, including:
  • the terminal recipient of the first processed data does not have the right to obtain the entire data content of the first processed data, the first processed data is deleted.
  • the second condition includes a preset time threshold for protecting business platform data as a data protection verification parameter; and the data management and control module determines whether the first processed data satisfies the second conditions, including:
  • the data management and control module determines whether the first processed data includes data whose collection time is earlier than a preset time threshold
  • the first processed data does not include data whose collection time is earlier than the preset time threshold, it is confirmed that the first processed data meets the second condition;
  • the first processed data includes data whose collection time is earlier than the preset time threshold, it is confirmed that the first processed data does not meet the second condition.
  • the data management and control module modifies the first processed data to obtain the second processed data that satisfies the second condition, including: Data in the processed data whose collection time is earlier than the preset time threshold are deleted.
  • the routing module is any one of Nginx, Traefik, Envoy, and Kong.
  • routing module can also be other service modules that can access business data and have routing functions, which are not limited here.
  • embodiments of the present application provide a data processing system, including:
  • the routing module is used to obtain the first request data for the target service and send it to the data management and control module, where the first request data at least includes the identification information of the target service module and the target data acquisition parameters for the target service;
  • the data management and control module is used to determine whether the first request data satisfies the first condition, where the first condition is used to check the validity and security of the first request data processed by the request target service module; and, after confirming the first request data When the first condition is met, it is used to send the first request data to the target service module; and when it is confirmed that the first request data does not meet the first condition, it is used to modify the first request data to obtain the second request data that satisfies the first condition. , and sends the second request data to the target service module;
  • the target service module is configured to process the first processing data according to the received first request data or the second request data, and return the first processing data to the data management and control module.
  • the above-mentioned target service module can be either a local service module developed in the business platform introduced in the embodiment below, or a third-party service module integrated or accessed by the business platform, such as the chain example in Embodiment 1 below.
  • the road query service and the visualization service (Kibana) exemplified in Embodiment 2 are not limited here.
  • the data management and control module is also used to determine whether the first processed data satisfies a second condition, where the second condition is used to perform a security check on the first processed data to be returned to the business requesting end.
  • the service requesting end is the client that initiates the target service; and, when confirming that the first processing data meets the second condition, is used to send the first processing data to the routing module;
  • the first processing data When it is confirmed that the first processing data does not meet the second condition, it is used to modify the first processing data to obtain second processing data that meets the second condition, and send the second processing data to the routing module.
  • embodiments of the present application provide an electronic device, including: one or more processors; one or more memories; one or more memories store one or more programs. When one or more programs are When one or more processors are executed, the electronic device is caused to execute the data processing method provided in the first aspect.
  • embodiments of the present application provide a computer-readable storage medium that includes a computer program/instruction.
  • the computer program/instruction is executed by a processor, the data processing method provided in the first aspect is implemented.
  • Figure 1 shows a schematic diagram of an interaction scenario between a client and a business platform provided by an embodiment of the present application.
  • Figure 2a shows a processing process of business interaction data between a client and a business platform provided by an embodiment of the present application. Process diagram.
  • Figure 2b shows a schematic diagram of the processing process of business interaction data between another client and the business platform provided by the embodiment of the present application.
  • Figure 3 shows a schematic flowchart of the implementation of a data processing method provided by an embodiment of the present application.
  • Figure 4 shows a schematic flowchart of the implementation of a data processing method corresponding to the link query service provided in Embodiment 1 of the present application.
  • Figure 5 shows a schematic implementation flow diagram of a data processing method corresponding to Kibana provided in Embodiment 2 of the present application.
  • Figure 6 shows a schematic structural diagram of an electronic device 600 for running a business platform or client provided by an embodiment of the present application.
  • Figure 1 shows a schematic diagram of an interaction scenario between a client and a business platform according to an embodiment of the present application.
  • this scenario includes a client program running on device 100a (referred to as client 100a), a development-side program running on device 100b (referred to as development-side 100b), and a third-party service running on device 100c.
  • the provider referred to as the third-party server 100b
  • the business platform running on the device 200 (referred to as the business platform 200).
  • the client 100a may be a program product developed by an insurance company and other merchants and oriented to terminal consumer groups, and is used to provide insurance-related business services or other non-insurance-related business services to terminal consumer groups (ie, users).
  • the development terminal 100b is used to provide a development platform for developers. Developers can develop service modules that provide various services in the business platform 200 through the development terminal 100b, including technical services that provide functions such as analysis or visual display, and functions such as business processing. business services, etc.
  • the service module includes not only local services developed for the business platform 200, but also third-party services that are integrated into the business platform 200 or access the business platform 200 to provide corresponding service content through correspondingly developed program interfaces, which are not limited here.
  • the third-party server 100c can provide some open source and accessible third-party services to dock corresponding business requests transferred by the business platform 200, or some third-party services provided by the third-party server 100c can also be integrated into the business platform 200 for corresponding processing. Corresponding business request.
  • the third-party services that are accessed or integrated into the business platform 200 may be, for example, email services, payment services, link query services, visualization services, etc., which are not limited here.
  • the service platform 200 is used to access the service request initiated by the client 100a, and arrange the corresponding service module to process the service request. It can be understood that the business platform 200 can communicate and connect with the client 100a, the development 100b and the third-party server 100c respectively to form a business service system or a data processing system.
  • the device 100a running the client program or the device 100b running the development program can be, for example, a mobile phone, a laptop, a tablet or other electronic device, or run a third-party service.
  • the device 200 running the business platform may be, for example, a server, a desktop computer, a laptop computer, a handheld computer, a netbook, or other electronic devices that are embedded or coupled with one or more processors or that can access the network.
  • the user can initiate a service request through the client 100a.
  • the user can fill in an insurance order, or initiate a query for an insurance service order, or other service request through the insurance client 100a.
  • the service platform 200 can implement a routing function to access service requests from each client 100b. If the service module required by the business request is a local service module of the business platform 200 or a third-party service integrated into the business platform 200, the business platform 200 can call the corresponding service module to process the business request; if the service module required by the business request service module If it is a third-party service running on the device 100c, the service platform 200 can forward the accessed service request to the corresponding third-party service. In this way, the service platform 200 accesses the service request of the client 100a and sends it to the corresponding service module for processing.
  • the routing function implemented by the above-mentioned business platform 200 can be implemented by Nginx, Traefik, Envoy, Kong and other open source software with edge router functions, and is not limited here.
  • the service module with routing function implemented in the business platform 200 based on the above-mentioned open source software is called a routing module. That is to say, the routing module can forward the corresponding service request to the corresponding service module in the service platform 200 according to the obtained target service identification information of each service request.
  • the service module provided on the service platform 200 responds to the service request sent by the client, and after performing corresponding service processing, the service processing data can be returned to the corresponding client through the routing module.
  • the third-party services currently integrated or accessed on the business platform 200 have undergone necessary transformations according to the actual needs of the business platform during integration or program interface development.
  • the service module needs to perform corresponding functions.
  • Enhanced code transformation including code transformation in aspects such as security performance enhancement and scene adaptability enhancement.
  • the third-party services integrated by the business platform 200 need to face secondary transformation with relatively large development costs, while the third-party services connected to the business platform 200 cannot achieve such function-enhancing transformations.
  • developers of the business platform 200 may not understand the existing code of third-party services, so it takes time and effort to understand the existing codes of integrated third-party services; for example, the technology stack used by some third-party services does not match the development business platform. 200 uses different technology stacks, so developers of the business platform 200 need to spend time and effort to learn the technology stacks corresponding to some third-party services, etc., so that it is possible to enhance the functions of third-party services. In other words, all of the above will greatly increase the cost of functional enhancement and transformation of third-party services.
  • this application provides a data processing method, which adds a data management and control module to the business platform to implement data processing on the request data sent to the service module and the business processing data returned by the service module. Inspection and control. That is, the added data management and control module can perform data inspection and control on the unified routing module of the business platform access request data, the request data and business processing data transmitted between the service module, including identifying whether the requester of the request data has access rights. , whether the API entry parameters and other parameters of the requested data meet the legality requirements, and whether the business processing data returned by the service module in response to the business request meets the security requirements, and whether data filtering is required.
  • the above-mentioned service modules include local services developed for the business platform, third-party services integrated into the business platform, and third-party services accessed by the business platform through program interfaces.
  • the security performance and scene adaptability of each service module can be effectively enhanced. Therefore, there is no need to carry out costly functional enhancements and modifications to third-party services, saving service development costs.
  • the above-mentioned data management and control module can customize some data management and control functions according to the service module requirements provided by the business platform 200 to the client. For example, it can also add data processing functions supported by multi-tenants to adapt third-party services to multi-tenants. Scenes etc. There are no restrictions here.
  • the business request form or content requirements that originally did not meet the third-party service processing can be processed.
  • the above-mentioned data management and control module can also perform security screening on the business processing data returned by the service module, such as deleting some sensitive data and filtering historical data before a preset time length. etc., thus effectively improving the security of the corresponding service modules provided by the business platform.
  • Figure 2a shows a schematic diagram of the processing process of business interaction data between the client and the business platform.
  • the business platform 200 receives, for example, a business request from the client 100a through the unified routing module 201a.
  • the routing module 201a identifies the target service of the corresponding business request, it forwards it to the corresponding service module 202a for processing, that is, Figure The “data entry” process shown in 2a.
  • the service module 202a returns the corresponding service processing data to the routing module 201a, and the routing module 201a forwards it to the client 100a, that is, the "data return” process shown in Figure 2a.
  • Figure 2b shows another schematic diagram of the processing process of business interaction data between the client and the business platform according to an embodiment of the present application.
  • the business platform 200 receives, for example, a business request from the client 100a through the unified routing module 201b.
  • the routing module 201b identifies the target service of the corresponding business request, it first sends the request data of the business request to the data management and control module. 202b.
  • the data management and control module 202b performs a data check on the requested data, such as identifying whether the requester of the requested data has access rights and whether parameters such as API entry parameters of the requested data meet legality requirements.
  • the data management and control module 202b can also modify the request data that does not meet the data inspection requirements, such as adaptively modifying the request data parameters that do not meet the legality requirements.
  • the data management and control module 202b sends the request data that passes the data check or is qualified after modification to the corresponding service module 202b in the business platform 200 for processing. That is, the “data entry” process shown in Figure 2b.
  • the service module 202b first sends the corresponding business processing data to the data management and control module 202b, and the data management and control module 202b screens the returned business processing data based on the preset return conditions.
  • the preset return condition is, for example, used to confirm whether the returned business processing data meets security requirements, including whether it is necessary to filter out historical data that may easily cause security issues, whether it involves sensitive fields, etc.
  • the data management and control module 202b can make some adaptive modifications, such as deleting historical data before the preset time length for the returned business processing data, or deleting the returned business processing data. Sensitivity treatment, etc.
  • the data management and control module 202b sends the business processing data that satisfies the preset return conditions or the modified return conditions to the routing module 201b, and the routing module 201b forwards it to the client 100a, that is, the "data return" shown in Figure 2b process.
  • the business platform 200 can also more flexibly access third-party services based on the data management and control module.
  • the request data can be sent to the third-party service for processing, and the data management and control module can also filter some useless data or data that threatens security returned by the third-party service, which can also ensure the access to the third-party service process. Safety.
  • Figure 3 shows a schematic flowchart of the implementation of a data processing method according to an embodiment of the present application. Among them, the process shown in Figure 3 shows the interaction between the unified routing module 201, the data management and control module 202 and the various service modules 203. As mentioned above, the service module 203 includes third-party services integrated or accessed by the business platform 200. .
  • the process includes the following steps:
  • the routing module 201 obtains the service request data for the target service (as the first request data).
  • the routing module 201 is Traefik software, which is one of the reverse proxy tools. It has functions such as HTTP reverse proxy and load balancing, and can intercept the HTTP request data sent by the client to the service module 203, that is, the business Request data.
  • the aforementioned "interception” can be understood as acquisition.
  • the routing module 201 can obtain the service request data sent to the service platform 200 by the client 100a or 100b.
  • the service request data may include, for example, requester identification information, service module identification information, and specifically requested business content.
  • the specific requested business content may be defined, for example, by a target data acquisition parameter, which is not limited here.
  • the requester identification information, service module identification information, etc. can be sent in the form of domain names or paths, for example, and are not limited here.
  • the routing module 201 forwards the service request data to the data management and control module 202.
  • the routing module 201 may first send the service request data to the data management and control module 202 preset in the service platform 200 for processing. It can be understood that for the service request data that needs to be forwarded to the data management and control module 202, the service module related information corresponding to the corresponding service request can be pre-configured in the routing module 201, so that when the routing module 201 receives the corresponding service request data, it can be based on The configuration first sends the received business request data to the data management and control module for processing.
  • the routing module 201 can forward it to the corresponding service module 203 based on the domain name or path in the request data and based on the corresponding preset forwarding rules. For example, the routing module 201 forwards service requests prefixed with /web1/ to the service module 203-1, forwards service requests prefixed with /web2/ to the service module 203-2, and so on. For another example, the routing module 201 can also confirm the target service that receives the request data according to the API path of the request data. That is, the routing module 201 can match the corresponding forwarding rules according to the API path and forward the business request data to the corresponding service module. There are no restrictions here.
  • the routing module 201 when forwarding the service request data, can first redirect the request data that is originally intended to be sent to the corresponding target service module 203 to the data management and control module 202 . It can be understood that when forwarding the service request data to the corresponding data management and control module 202, the routing module 201 can also forward the identification information corresponding to the identified target service module 203 to the data management and control module 202, so that the data management and control module 202 can perform corresponding processing. After data inspection, modification and other management and control processing, the business request data is sent to the target service module 203.
  • the data management and control module 202 confirms the access permission of the requester based on the received request data.
  • the data management and control module 202 analyzes and processes the received service request forwarded by the routing module 201 .
  • the data management and control module 202 may first confirm whether the requesting party has access rights based on the requesting party identification information in the request data. That is to say, the data management and control module 202 can first authenticate the requester who initiates the service request data, for example, check whether the requesting user has permission authentication and whether he has access permission to the requested service content, etc.
  • the authority authentication refers to whether the requesting user has completed legal identity authentication in the corresponding business system. Users who have completed legal identity authentication can verify their legal identity information by providing user names and passwords. If the username and password are consistent, it is considered that the user has passed the authentication, has authority authentication, and has access rights to the corresponding business content.
  • the routing module 201 forwards the service request data initiated by the client 100a to the data management and control module 202.
  • the data management and control module 202 can first identify whether user A has a right to the request based on the requester identification information in the request data. Access rights to user B’s historical policy data. If user A is the administrator of the insurance business platform, for example, has the authority to query the historical policy data of user B in the past week, it can be confirmed that the account of user A logged in by client 100a has access permission, that is, client 100a belongs to the authorized requester .
  • the data management and control module 202 can confirm that the client 100a used by user A, as the service request initiator, does not have Access permission, that is, the client 100a belongs to the requester without permission.
  • user A may also have restricted permissions.
  • user A's permissions may limit user A to only query policy business data for the past week.
  • the data management and control module 202 may accordingly Add this restrictive query condition to the business request data, and then continue to perform the following steps 305 to 308. After completing the data check, the business request data with the restrictive query condition added is then sent to the corresponding service module 203 for processing. No further details will be given here.
  • the data management and control module 202 For the unauthorized requester, the data management and control module 202 returns an access denial message to the routing module 201.
  • the data management and control module 202 may return an access denial message to the requester through the routing module 201. information. In other embodiments, the data management and control module 202 may also feed back error prompt information to the requesting party through the routing module 201, which is not limited here. It can be understood that the routing module 201 can forward the received access denial message returned by the data management and control module 202 to the requester that initiates the response to the service request data.
  • the data management and control module 202 checks whether the received request data meets the data inspection requirements (as the first condition).
  • the data management and control module 202 may further perform a data check on the received service request data.
  • This data check includes, for example, checking whether relevant parameters in the business request data meet legality requirements or are compliant with regulations. If the requested data meets the data inspection requirements, for example, all parameters are compliant and legal, you can continue to perform the following step 306 to send the request data to the corresponding service module for processing; if the requested data does not meet the data inspection requirements, for example, some If the parameters do not meet the legality requirements or are not compliant, you need to perform the following step 307 to modify the relevant parameters.
  • the data management and control module 202 can check whether the API entry parameters in the request data meet the legality requirements. For example, a certain API entry parameter queries the reasonable age range of the insured person should be between 0 and 65. If a certain API entry parameter is received, In the request data, if the value of the corresponding API entry parameter is 70, it can be considered that this API entry parameter in the received request data is illegal. And if the value of the corresponding API entry parameter in a certain request data received is 55, it can be considered that the API entry parameter of the received request data is legal.
  • the content of the data check can also be other, such as checking whether the option parameters about the insurance type in the request data are legal, etc., specific data
  • the first condition based on which the management and control 202 performs data inspection can be customized, preset, or adjusted according to the needs of the business scenario, and is not limited here.
  • the data management and control module 202 sends the request data that meets the data inspection requirements to the service module 203.
  • the data management and control module 202 will, for the service request data that passes the check, that is, the request data that meets the data check requirements, for example, the request data whose relevant parameters meet the legality requirements, the data management and control module 202 202 can be sent to the corresponding service module 203 for corresponding business processing.
  • the data management and control module 202 modifies the request data that does not meet the data inspection requirements.
  • the data management and control module 202 can modify the relevant parameters. For example, for the above example, if in a certain request data received, the value of the corresponding API entry parameter is 70, which does not meet the legality requirements, the data management and control module 202 can modify the parameter value according to the preset reasonable age range. , for example, change "70" to "65". There are no restrictions here.
  • the data management and control module 202 can complete the age parameter in the request data, for example, a preset wildcard value, such as 50. As a completion value for the age parameter in the request data.
  • the data management and control module 202 can convert the corresponding birth year parameter based on the age parameter in the request data, and then update to in request data.
  • the content of the data check can also be other, for example, the option parameters for insurance types in the check request data, the option parameters for personal insurance types are mixed with the option parameters for enterprise group insurance, etc., which also need to be modified. , there is no restriction here.
  • the data management and control module 202 sends the modified request data (as the second request data) to the service module 203.
  • the data management and control module 202 can modify the checked illegal parameters and other data, so that the request data meets the data check requirements corresponding to the corresponding service module, for example, make the parameters For illegal request data, modify relevant parameters to within the legal range, etc.
  • the service module 203 responds to the received request data and performs corresponding business processing.
  • the service module 203 can perform corresponding service processing in response to the requested service content corresponding to the request data.
  • the service module 203 may serve a third party. Since the data management and control module 202 has processed the request data, the obtained request data meets the API interface parameter requirements of the service module 203. That is to say, regardless of whether the request data sent by the client meets the requirements of the API interface parameters of the service module 203, the service module 203 can respond to the request sent by the client without modifying the service module 203.
  • the service module 203 may also be a service module provided by the platform itself (not a third-party service).
  • the business platform 200 when the business platform 200 integrates a new third-party service or develops a new program interface to access the new third-party service, the business platform 200 does not need to Modifying the program code or related entry parameters of a third-party service, or the interface program code or related entry parameters of a third-party service, does not require modifying the program code or related parameters of the routing module, thus reducing the amount of development.
  • the service request data received by the service module 203 may be the request data that meets the data inspection requirements sent by the data management and control module 202 in the above-mentioned step 306, or may be the modified request data sent by the data management and control module 202 in the above-mentioned step 308.
  • the request data is not limited here.
  • the service module 203 returns the business processing data (as the first processing data) to the data management and control module 202.
  • the processed business processing data can be returned to the data management and control module 202. That is, the service processing data returned by the service module 203 in response to the corresponding service request can also be After further processing by the data management and control module 202, it is returned to the requesting party through the routing module 201. Please refer to the detailed description below for details and will not go into details here.
  • the data management and control module 202 checks whether the returned business processing data meets the preset return conditions (as the second condition). If the judgment result after the check is yes, it indicates that the business processing data can be returned, that is, the following step 312 can be performed; if the judgment result after the check is no, it indicates that the business processing data needs to be further checked and processed before returning. That is, the following step 313 can be performed.
  • the data management and control module 202 can check the business processing data according to the preset return conditions.
  • the preset return conditions can be set according to specific business content and business scenarios.
  • the preset return conditions may include checking whether the returned business processing data meets the corresponding business security requirements, such as checking whether it is necessary to filter some historical data, business data, etc. in the business processing data that may cause security problems. Process whether there are sensitive fields in the data, etc.
  • the data management and control module 202 returns the business processing data that meets the preset return conditions to the routing module 201.
  • the data management and control module 202 can directly send it to the routing module 201, and the routing module 201 forwards it to the corresponding client, that is, the service requester.
  • the data management and control module 202 modifies the business processing data that does not meet the preset return conditions.
  • the business processing data needs to be further checked and processed.
  • the data management and control module 202 can filter this part of the historical data. For example, it can delete the returned policy data with invalid validity period. to a portion of policy data for 3 months, etc., to complete data filtering.
  • the data management and control module 202 can encrypt or desensitize the returned business processing data, for example, replace necessary sensitive fields with encrypted data, or replace unnecessary Sensitive fields can be deleted to desensitize them, etc., and there are no restrictions here.
  • the returned business processing data is the processing result corresponding to user A's query of user B's historical policy data, where user A's permission can only query user B's policy business data for the past week, then the corresponding service
  • the module 203 returns the business processing data to the data management and control module 202 after querying the results
  • the data management and control module 202 can filter and desensitize the returned business processing data according to user A's permissions. For example, the policy business data from one week ago and sensitive information such as User B's bank account in the returned business processing data are deleted, and then the processed business processing data is sent to the client through the routing module 201.
  • the data management and control module 202 returns the modified business processing data (as the second processing data) to the routing module 201.
  • the modified business processing data can be sent to the routing module 201, and the routing module 201 returns it to the service requester.
  • the routing module 201 returns the received service processing data to the service requester.
  • the routing module 201 can return to the requester that initiates the service request, such as the client 100a or 100b shown in FIG. 1, the business processing data that meets the preset return conditions after being checked by the data management and control module 202, or the data
  • the management and control module 202 modifies the processed business processing data, etc., which are not limited here.
  • Module 202 can also preset (or customize) adaptive data management and control strategies according to different service modules. Including data inspection strategies for business request data and data inspection strategies for business processing data returned by the service module.
  • the corresponding data management and control conditions in the above-mentioned data management and control module 202 can be adjusted, and then based on data management and control
  • the transfer transition processing of module 202 is used to realize the above functional enhancement. Based on this application solution, there is no need to upgrade the code execution logic of the third-party service itself, which is conducive to reducing the cost of manpower and resources spent on functional upgrades of service modules such as third-party services and some local services of the business platform 200.
  • This embodiment of the application takes the service module 203 as the link query service (jaeger-query) 203-1 as an example to introduce the specific implementation process of the data processing method provided by the embodiment of the application, and then implements the link query service 203-1.
  • the link query service 203-1 mainly provides the query capability for application call link information.
  • a business request initiated by a user through the client may undergo response processing by multiple service modules after accessing the business platform. If the user wants to query in which link (that is, which service module) the business request takes more time, the user can query through the link query service 203-1, and the business platform can query according to the link query service 203-1. The time consuming of business requests in the processing of each service module is analyzed, and whether each service module operates abnormally.
  • the link query service 203-1 is mainly used to provide the query capability for application call link information. This service can implement analysis of application performance (or service performance) and the degree of rationalization of the call link.
  • Figure 4 shows a schematic implementation flow chart of a data processing method corresponding to the link query service 203-1 according to an embodiment of the present application. It can be understood that the process shown in Figure 4 involves the interaction between the routing module 201, the data management and control module 202 and the link query service 203-1.
  • the method specifically includes the following steps:
  • the routing module 201 obtains link analysis request data.
  • the requester who initiates the link analysis request to request the link query service 203-1 to provide the corresponding link information query service may be, for example, the administrator account of the developer corresponding to a certain client program.
  • the administrator account can log in to the client 100a and initiate the above-mentioned link analysis request to the business platform 200.
  • some clients may also initiate the above link analysis request to the service platform 200 based on other business requirements, which is not limited here.
  • the data used to call the link query service to request link analysis usually includes some query parameter options used to determine query conditions.
  • the parameter types corresponding to these options may include, for example, Traceld (used to mark monitoring objects), service call interface name, client application name, client IP (that is, the IP of the service call initiator), the service name being queried and called, time-consuming threshold (for example, the call takes more than the specified number of milliseconds), call type, whether the call is abnormal, The business primary key (that is, the field based on which the corresponding business event is searched), response code, etc. will not be described in detail here.
  • step 301 For the specific process of obtaining the request data, please refer to the above-mentioned step 301, which will not be described in detail here.
  • the routing module 201 forwards the link analysis request data to the data management and control module 202.
  • step 302 For the specific process of forwarding the request data, please refer to the above-mentioned step 302, which will not be described in detail here.
  • the data management and control module 202 analyzes the request data according to the received link and confirms the access permission of the requester.
  • the data management and control module 202 can, for example, according to the received link analysis request data, confirm whether the account logged in by the client that initiated the link analysis request is a management account authorized by the business platform 200. If so, it can confirm that the account logged in is a management account authorized by the business platform 200.
  • the requester is a requester with authority; if not, it can be confirmed that the requester is a requester without authority.
  • step 303 For the specific process of confirming the access permission of the requesting party, please refer to the above-mentioned step 303, which will not be described in detail here.
  • the data management and control module 202 For the requester without permission, the data management and control module 202 returns an access denial message to the routing module 201.
  • the requester's link analysis request can be rejected. if the data management and control module 202 confirms that the requester initiating the link analysis request is not a management account authorized by the business platform 200 and confirms that the requester is an unauthorized requester, then the requester's link analysis request can be rejected. .
  • step 304 For the specific process of denying access, please refer to the above-mentioned step 304, which will not be described in detail here.
  • the data management and control module 202 performs data inspection on the received link analysis request data.
  • the data management and control module 202 can further receive the link.
  • Road analysis request data to perform corresponding data checks.
  • the data management and control module 202 can perform data inspection through preset cookies and the content of the link analysis request. If the link analysis request data meets the data inspection requirements, the following step 406 can be continued to send the link analysis request data to The link query service 203-1 performs processing.
  • the link analysis request data does not meet the data inspection requirements, for example, the link analysis request data lacks the interface name of the service call as a query parameter, or the interface name is inaccurate, and the link query service 203-1 queries the corresponding service data. It needs to be based on the interface name, and it cannot support fuzzy search on the query parameter of the interface name, that is, related parameters that lack necessary information. At this time, you need to perform the following step 407 to modify the parts of the request data that do not meet the inspection requirements, such as matching the interface name of the corresponding service based on other relevant parameters in the link analysis request data, or modifying the ambiguous interface name. Fuzzy search, get the accurate interface name, replace the original interface name in the request data, etc.
  • step 408 is executed to send a link analysis request to the link query service 203-1.
  • the following step 408 is executed to send a link analysis request to the link query service 203-1.
  • the specific data checking process please refer to the above-mentioned step 305, which will not be described in detail here.
  • the data management and control module 202 sends the link analysis request data that meets the data inspection requirements to the link query service 203-1.
  • the data management and control module 202 modifies the link analysis request data that does not meet the data inspection requirements.
  • the modification of the link analysis request data that does not meet the data inspection requirements includes information completion for parameters that lack necessary information in the request data.
  • step 307 please refer to the above-mentioned step 307, which will not be described again here.
  • the data management and control module 202 sends the modified link analysis request data to the link query service 203-1.
  • the link query service 203-1 queries the time-consuming data of each service module in the service link.
  • the time-consuming data includes the time it takes for each service module to receive the corresponding service request and perform the corresponding business processing, and the time it takes for each service module to perform the business processing process, etc., which are not limited here.
  • the link query service 203-1 returns the queried time-consuming data to the data management and control module 202.
  • the data management and control module 202 checks whether the returned time-consuming data meets the preset return conditions.
  • the data management and control module 202 receives the original data (ie, time-consuming data) returned by the link query service 203-1 Check whether the preset return conditions are met, such as checking whether there is sensitive data. If there is sensitive data, desensitization processing is required, such as deleting sensitive data that does not need to be returned. For another example, the data management and control module 202 can also check whether the returned time-consuming data contains relevant authorization information of the requester, for example, based on the preset client IP in the link analysis request data, to confirm that the link analysis service 203-1 Whether the returned time-consuming data corresponds to the client IP information has corresponding customer authorization information. If there is no authorization information, it means that the client IP has not yet obtained authorization from the corresponding client, that is, the requester is not authorized, and the time-consuming data returned by the link query service 203-1 is deleted.
  • relevant authorization information of the requester for example, based on the preset client IP in the link analysis request data, to confirm that the link analysis service 203-1 Whether the returned time
  • the data management and control module 202 returns the time-consuming data that satisfies the preset return conditions to the routing module 201.
  • the time-consuming data that meets the preset return conditions after checking can be returned to the requesting client and displayed on the corresponding link analysis page.
  • the preset return conditions may not only include the conditions such as no sensitive data and authorization information of the requesting party as exemplified in step 411 above, but may also include other preset return conditions. There are no restrictions here.
  • the relevant parameters of the link analysis request data responded by the link query service 203-1 may also include a time-consuming threshold, the name of the service called by the query, etc., then the link query service 203-1 responds to the link analysis Among the time-consuming data returned by the request, the corresponding call time should be greater than the specified number of milliseconds, and the time-consuming data should correspond to the service name being queried and called.
  • the time-consuming data obtained by the link query service 203-1 may include the time-consuming data of calling the service within the last year.
  • the time-consuming data may be, for example, the time-consuming data of calling the policy data management service.
  • the business platform 200 may only allow the service call time-consuming data of the last three months to be called based on security considerations.
  • the preset return conditions set in the data management and control module 202 will include time filtering conditions, that is, the data management and control module 202 can control the filtering of time-consuming data 3 months ago, and only return the latest 3 months to the routing module. Months of time-consuming data.
  • the data management and control module 202 modifies the time-consuming data that does not meet the preset return conditions.
  • the data management and control module 202 detects that there is sensitive data in the time-consuming data returned by the link query service 203-1, and it needs to perform desensitization processing, such as deleting the corresponding sensitive data, or encrypting the corresponding sensitive data, that is, the above modification. process.
  • desensitization processing such as deleting the corresponding sensitive data, or encrypting the corresponding sensitive data, that is, the above modification. process.
  • the default return condition set in the data management module 202 includes the time filter condition of "last 3 months”
  • the time-consuming time returned by the link query service 203-1 Among the data, the time-consuming data 3 months ago belongs to the time-consuming data that does not meet the preset return conditions, and the data management and control module 202 can delete it from the time-consuming data to be returned.
  • the data management and control module 202 returns the modified time-consuming data to the routing module 201.
  • the routing module 201 returns the received time-consuming data to the requester.
  • the data processing method corresponding to the link query service 203-1 implemented based on the above-mentioned process shown in Figure 4 can perform authentication and control on the link analysis request requesting the link query service 203-1, and can also perform authentication and control on the link query service 203-1.
  • the time-consuming data returned by the link query service 203-1 is subjected to sensitive data inspection and desensitization processing, or whether it meets the security requirements of some service module-related data, etc., thereby improving the link query analysis provided by the link query service 203-1.
  • Security of the Service Moreover, this enhancement of security performance can be achieved without upgrading the link query service 203-1.
  • Kibana 203-2 is a visualization platform that searches, views, stores and retrieves data through Kibana. (Elasticsearch) indexes data and interacts with it to achieve data analysis and visualization, such as displaying the searched data in the form of charts.
  • some users of the distributed business system may want to display some business statistics in the form of charts and other forms on the client interface to facilitate analysis and management.
  • the user can initiate a visualization service request for Kibana 203-2 to the business platform 200 through the corresponding client to request the target data for visual display through Kibana 203-2 search and the page for visual display of the data.
  • Figure 5 shows a schematic implementation flow diagram of a data processing method corresponding to Kibana 203-2 according to an embodiment of the present application. It can be understood that the process shown in Figure 5 involves the interaction between the routing module 201, the data management and control module 202 and Kibana 203-2.
  • the method specifically includes the following steps:
  • the routing module 201 obtains the visualization service request data.
  • the requester who initiates a visualization service request to request Kibana 203-2 to provide corresponding data search and visualization services can be, for example, the administrator account of a developer corresponding to a certain client program.
  • the client program needs to be served.
  • the operation log or related link information of the service module of the corresponding business request is used to obtain the corresponding business data, and a page for visual display of the searched corresponding business data is provided.
  • some clients may also initiate the above visualization service request to the business platform 200 based on other business requirements, which is not limited here.
  • step 301 For the specific process of obtaining the request data, please refer to the above-mentioned step 301, which will not be described in detail here.
  • the routing module 201 sends the visualization service request data to the data management and control module 202.
  • step 302 For the specific process of forwarding the request data, please refer to the above-mentioned step 302, which will not be described in detail here.
  • the data management and control module 202 confirms the access permission of the requester based on the received visualization service request data.
  • the data management and control module 202 can confirm, based on the received visual service request data, whether the client that initiated the visual service request has the authority to obtain data such as the corresponding service module operation log.
  • the visual service request is a service request to visually display the number of new policyholders, the number of intended policyholders, and the number of policyholders being maintained on the insurance business platform, then the client that initiated the service request or the The account logged in on the client (i.e. the requesting party) should have the management authority to view and obtain policyholder-related data on the insurance business platform.
  • the requesting party can be confirmed to be a requesting party with authority; if the requesting party does not have permission to obtain, the requesting party can be confirmed to be a requesting party without authority.
  • step 303 For the specific process of confirming the access permission of the requesting party, you can also refer to the above-mentioned step 303, which will not be described in detail here.
  • the data management and control module 202 For the requester without permission, the data management and control module 202 returns an access denial message to the routing module 201.
  • the data management and control module 202 confirms that the requester who initiates the visualization service request does not have the authority to obtain data such as the corresponding service module operation log and confirms that the requester is an unauthorized requester, it can deny the visualization of the requester. Request for service.
  • step 304 For the specific process of denying access, you can also refer to the above-mentioned step 304, which will not be described again here.
  • the data management and control module 202 performs data inspection on the received visualization service request data.
  • the data management and control module 202 can further receive The visualization service requests the data for corresponding data inspection.
  • the data management and control module 202 can perform data checking through preset cookies and the content of the visual service request, such as checking whether relevant request parameters lack necessary information, etc. If the visualization service request data meets the data inspection requirements, for example, the descriptive parameters set corresponding to the requested relevant data in the visualization service request data are complete and accurate, and there is no lack of necessary information. Then you can continue to perform the following step 506 to send the visualization service request data to Kibana 203-2 for processing.
  • the descriptive parameters corresponding to the requested relevant data in the visual service request data are missing or inaccurate, for example, the policy data time series parameters to be obtained are missing, that is, The collection time of policy data must correspond to the set start time and end time being missing or incorrectly set. For example, the start time or end time may be set to a time in the future. In this case, necessary information is missing. Then you need to perform the following step 507 to modify the portion of the request data that does not meet the inspection requirements.
  • the data management and control module 202 can set the missing start time to a date 6 months ago based on the 6-month time span usually set by Kibana 203-2 to provide visualization services, and set the end time to the same date as the start time.
  • the starting time span is a certain date of 6 months, that is, it is set to obtain the policy data of the past 6 months to extract the number of policyholders for visual display to complete the missing information.
  • the data management and control module 202 can continue to perform the following step 508 to send a visualization service request to Kibana 203-2.
  • step 508 For the specific data checking process, you can also refer to the above-mentioned step 305, which will not be described again here.
  • the data management and control module 202 sends the visualization service request data that meets the data inspection requirements to Kibana 203-2.
  • the data management and control module 202 modifies the visualization service request data that does not meet the data inspection requirements.
  • the modification of the visualization service request data that does not meet the data inspection requirements includes information completion for parameters that lack necessary information in the request data.
  • the data management and control module 202 can complete the visualization service request data requesting to display the analysis results of the number of policyholders based on the 6-month time span usually set by Kibana 203-2 to provide visualization services.
  • the data management and control module 202 sets the missing start time to a date 6 months ago, and sets the end time to a date that spans 6 months from the starting time, that is, setting the acquisition
  • the policy data of the past 6 months are used to extract the number of policyholders for visual display to complete the missing information.
  • step 307 For the specific process of modifying the visualization service request data that does not meet the data inspection requirements, you can also refer to the above step 307, which will not be described again here.
  • the data management and control module 202 sends the modified visualization service request data to Kibana 203-2.
  • Kibana 203-2 In response to the received visual service request data, Kibana 203-2 searches the running log or link information of the corresponding service module to process the visual data of the corresponding business system.
  • the requested business data corresponding to the visualization service request data may be policy data, for example.
  • Kibana 203-2 may obtain the operation log of the corresponding policy data management service and/or the policy data management service in the insurance business platform. Call link information, etc., and then process the visual data used to form a visual page based on the policyholder-related information extracted from the operation log or call link information.
  • the visual data includes the corresponding business data obtained based on the operation log of the corresponding service module, and the relevant parameters of the visual page obtained by processing the corresponding business data through the data visualization processing capability provided by Kibana 203-2, such as the used histogram, Pie charts and other graphs Table path parameters, etc. are not limited here.
  • Kibana 203-2 returns the processed visual data to the data management and control module 202.
  • the data management and control module 202 checks whether the returned visual data meets the preset return conditions.
  • the data management and control module 202 checks whether the original data (i.e., visual data) returned by Kibana 203-2 meets the preset return conditions, for example, checking whether there is insurance amount data or insurance in the visual data corresponding to the analysis result of the number of policyholders. Sensitive data such as a person’s ID number. If there is sensitive data, desensitization processing is required, such as deleting sensitive data that does not need to be returned, etc. For another example, the data management and control module 202 can also check whether the returned visual data contains relevant authorization information of the requester. If there is no authorization information, for example, the requester is not authorized, the visual data returned by Kibana 203-2 will be deleted.
  • the original data i.e., visual data
  • Sensitive data such as a person’s ID number. If there is sensitive data, desensitization processing is required, such as deleting sensitive data that does not need to be returned, etc.
  • the data management and control module 202 can also check whether the returned visual data contains relevant authorization
  • the data management and control module 202 returns the visual data that meets the preset return conditions to the routing module 201.
  • visual data that meets the preset return conditions after inspection can be returned to the requesting client for visual display on the corresponding client business interface.
  • the data management and control module 202 modifies the visual data that does not meet the preset return conditions.
  • the data management and control module 202 detects that there is sensitive data in the visual data returned by Kibana 203-2.
  • the visual data corresponding to the analysis result of the number of policyholders includes the insurance amount data of some policyholders, or some of the insured persons.
  • a person’ s ID number and other information. Desensitization processing is required, such as deleting sensitive data such as the insurance amount data and the ID number of the policy holder in the visual data corresponding to the analysis results of the number of policyholders, or encrypting the corresponding sensitive data, which is the above modification process.
  • the data management and control module 202 returns the modified visual data to the routing module 201.
  • the routing module 201 returns the received visualization data to the requester.
  • the data processing method corresponding to Kibana 203-2 implemented based on the process shown in Figure 5 above can authenticate and control the visualization service request data requesting Kibana 203-2, and can also perform visualization returned by Kibana 203-2
  • the data undergoes sensitive data inspection and desensitization processing, thereby improving the security of data search and visualization services provided by Kibana 203-2.
  • this security performance enhancement can be achieved without upgrading Kibana 203-2.
  • Figure 6 shows a schematic structural diagram of an electronic device 600 according to an embodiment of the present application.
  • the electronic device 600 can run the above-mentioned business platform 200.
  • the electronic device 600 can also run clients of some business systems, such as running insurance business clients, etc., which is not limited here.
  • server 200 may include one or more processors 604, system control logic 608 connected to at least one of the processors 604, system memory 612 connected to the system control logic 608, A non-volatile memory (NVM) 616 coupled to the system control logic 608, and a network interface 620 coupled to the system control logic 608.
  • processors 604 system control logic 608 connected to at least one of the processors 604, system memory 612 connected to the system control logic 608, A non-volatile memory (NVM) 616 coupled to the system control logic 608, and a network interface 620 coupled to the system control logic 608.
  • NVM non-volatile memory
  • processor 604 may include one or more single-core or multi-core processors. In some embodiments, processor 604 may include any combination of general-purpose processors and special-purpose processors (eg, graphics processors, applications processors, baseband processors, etc.). In an embodiment where the server 200 adopts an eNB (Evolved Node B, enhanced base station) or a RAN (Radio Access Network, radio access network) controller, the processor 604 may be configured to execute various conforming embodiments, for example, One or more of the various embodiments shown in Figures 2-5.
  • eNB evolved Node B, enhanced base station
  • RAN Radio Access Network, radio access network
  • system control logic 608 may include any suitable interface controller to provide any suitable interface to at least one of processors 604 and/or any suitable device or component in communication with system control logic 608 .
  • system control logic 608 may include one or more memory controllers to provide an interface to system memory 612 .
  • System memory 612 may be used to load and store data and/or instructions.
  • Memory 612 of server 200 may include any suitable volatile memory in some embodiments, such as suitable dynamic random access memory (DRAM).
  • DRAM dynamic random access memory
  • NVM/memory 616 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions.
  • NVM/memory 616 may include any suitable non-volatile memory such as flash memory and/or any suitable non-volatile storage device, such as HDD (Hard Disk Drive), CD (Compact Disc) , CD) drive, DVD (Digital Versatile Disc, Digital Versatile Disc) drive at least one.
  • NVM/storage 616 may comprise a portion of storage resources on the device on which server 200 is installed, or it may be accessed by the device but is not necessarily part of the device. For example, NVM/storage 616 may be accessed over the network via network interface 620.
  • system memory 612 and NVM/storage 616 may include temporary and permanent copies of instructions 624, respectively.
  • Instructions 624 may include instructions that, when executed by at least one of processors 604, cause server 200 to implement the methods illustrated in Figures 3-4.
  • instructions 624, hardware, firmware, and/or software components thereof may additionally/alternatively be located in system control logic 608, network interface 620, and/or processor 604.
  • Network interface 620 may include a transceiver for providing a radio interface for server 200 to communicate with any other suitable devices (such as front-end modules, antennas, etc.) over one or more networks.
  • network interface 620 may be integrated with other components of server 200.
  • network interface 620 may be integrated with at least one of processor 604, system memory 612, NVM/storage 616, and a firmware device (not shown) with instructions that when at least one of processor 604 executes said When instructed, the server 200 implements the above-mentioned methods shown in FIGS. 2 to 5 .
  • Network interface 620 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface.
  • network interface 620 may be a network adapter, a wireless network adapter, a telephone modem, and/or a wireless modem.
  • At least one of the processors 604 may be packaged with logic for one or more controllers of the system control logic 608 to form a system in package (SiP). In one embodiment, at least one of the processors 604 may be integrated on the same die with logic for one or more controllers of the system control logic 608 to form a system on a chip (SoC).
  • SiP system in package
  • SoC system on a chip
  • Server 200 may further include input/output (I/O) devices 632.
  • the I/O device 632 may include a user interface that enables a user to interact with the server 200; the peripheral component interface is designed to enable peripheral components to also interact with the server 200.
  • the server 200 further includes a sensor for determining at least one of environmental conditions and location information related to the server 200 .
  • the user interface may include, but is not limited to, a display (e.g., a liquid crystal display, a touch screen display, etc.), a speaker, a microphone, one or more cameras (e.g., a still image camera and/or video camera), a flashlight (e.g., LED flash) and keyboard.
  • a display e.g., a liquid crystal display, a touch screen display, etc.
  • a speaker e.g., a speaker
  • a microphone e.g., a microphone
  • one or more cameras e.g., a still image camera and/or video camera
  • a flashlight e.g., LED flash
  • peripheral component interfaces may include, but are not limited to, non-volatile memory ports, audio jacks, and Power interface.
  • sensors may include, but are not limited to, gyroscope sensors, accelerometers, proximity sensors, ambient light sensors, and positioning units.
  • the positioning unit may also be part of or interact with network interface 620 to communicate with components of the positioning network (eg, Global Positioning System (GPS) satellites).
  • GPS Global Positioning System
  • This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer.
  • Such computer programs may be stored on a computer-readable medium such as, but not limited to, any type of disk including floppy disk, optical disk, CD-ROM, magneto-optical disk, read-only memory (ROM), random access memory (RAM) , EPROM, EEPROM, magnetic or optical card, application specific integrated circuit (ASIC), or any type of medium suitable for storing electronic instructions, and each may be coupled to a computer system bus.
  • the computers referred to in the specification may include a single processor or may employ an architecture involving multiple processors for increased computing power.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to the technical field of computers, and in particular to a data processing method and system, and an electronic device and a computer-readable storage medium. The method comprises: a routing module sending, to a data management and control module, acquired first request data for a target business; the data management and control module determining whether the first request data meets a first condition, wherein the first condition is used for performing validity and security checking on the first request data that a target service module is requested to process; when confirming that the first request data meets the first condition, the data management and control module sending the first request data to the target service module; and when confirming that the first request data does not meet the first condition, the data management and control module modifying the first request data, so as to obtain second request data which meets the first condition, and the data management and control module sending the second request data to the target service module. By means of the solution in the present application, the security performance and the scenario adaptability performance of each service module can be effectively enhanced, and the renovation cost of a service function can be reduced.

Description

数据处理方法、系统、电子设备及计算机可读存储介质Data processing methods, systems, electronic devices and computer-readable storage media
本申请要求于2022年6月13日提交中国专利局、申请号为202210660992.5、申请名称为“数据处理方法、系统、电子设备及计算机可读存储介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application submitted to the China Patent Office on June 13, 2022, with the application number 202210660992.5 and the application title "Data processing method, system, electronic device and computer-readable storage medium", and its entire content incorporated herein by reference.
技术领域Technical field
本发明涉及计算机技术领域,具体涉及一种数据处理方法、系统、电子设备及计算机可读存储介质。The invention relates to the field of computer technology, and in particular to a data processing method, system, electronic equipment and computer-readable storage medium.
背景技术Background technique
随着计算机技术的发展,越来越多的客户端依托于相应的业务平台向用户提供产品及服务,即客户端可以响应于用户操作,获取对接的业务平台提供的产品和服务来处理相应业务,进而客户端可以基于业务平台反馈的业务处理数据,向用户展示相应的业务处理结果。例如,保险业务客户端,可以依托于网络保险平台向需要投保的用户提供保险相关的服务模块。可以理解,依托于业务平台的客户端,可以是运行在手机等电子设备的业务系统应用程序(application,APP),也可以是基于web的业务系统应用,在此不做限制。With the development of computer technology, more and more clients rely on corresponding business platforms to provide products and services to users. That is, clients can respond to user operations and obtain products and services provided by the connected business platform to process corresponding businesses. , and then the client can display the corresponding business processing results to the user based on the business processing data fed back by the business platform. For example, the insurance business client can rely on the online insurance platform to provide insurance-related service modules to users who need insurance. It can be understood that the client relying on the business platform can be a business system application (application, APP) running on an electronic device such as a mobile phone, or a web-based business system application, which is not limited here.
作为业务平台,为了向客户端提供更加全面的产品和服务,通常需要集成一些第三方服务,例如链路查询服务、可视化服务第三方开源服务模块。在另一些实施例中,第三方服务也可以是运行在Kubernetes下的微服务,而业务平台可以将对这类第三方服务的业务请求对接给相应的第三方服务进行处理,其中Kubernetes是用于自动部署,扩展和管理容器化应用程序的开源系统。然而,有些第三方服务,可能是在一些旧框架下开发的软件,即开发框架与业务平台的系统框架可能存在不兼容;还有些第三方服务可能存在授权限制等。因此业务平台在集成或接入这些第三方服务时,往往需要根据个案需求,对第三方服务的软件源代码进行一些改造。其中,这些改造例如是为了适应业务的系统框架而进行的一些适应性改造、或是为了解除授权限制而进行的改造等。并且,当第三方服务升级或更新一些入口参数等时,以上这些根据个案需求的代码改造则无法自动完成适应更新,只能由开发人员重新进行相应的代码改造。As a business platform, in order to provide clients with more comprehensive products and services, it is usually necessary to integrate some third-party services, such as link query services and visualization service third-party open source service modules. In other embodiments, third-party services can also be microservices running under Kubernetes, and the business platform can connect business requests for such third-party services to corresponding third-party services for processing, where Kubernetes is used An open source system that automatically deploys, scales and manages containerized applications. However, some third-party services may be software developed under some old frameworks, that is, the development framework may be incompatible with the system framework of the business platform; some third-party services may have authorization restrictions, etc. Therefore, when the business platform integrates or accesses these third-party services, it often needs to make some modifications to the software source code of the third-party services based on individual case needs. Among them, these modifications are, for example, some adaptive modifications to adapt to the system framework of the business, or modifications to lift authorization restrictions, etc. Moreover, when third-party services upgrade or update some entry parameters, etc., the above code modifications based on individual case requirements cannot be automatically completed to adapt to the updates, and developers can only make corresponding code modifications again.
因此,当业务场景发生变化,或者为了满足业务平台提供的一些服务模块的安全性需求时,需要增强业务平台上集成的一些第三方服务的功能,例如安全性能、场景适应性能等,如果还通过上述集成第三方服务时采用的根据个案需求进行功能增强改造,则无疑会产生较大的开发成本。因此,目前需要一种数据处理方案,来解决对业务平台集成或接入的第三方服务的功能增强问题。Therefore, when the business scenario changes, or in order to meet the security requirements of some service modules provided by the business platform, it is necessary to enhance the functions of some third-party services integrated on the business platform, such as security performance, scene adaptability, etc., if it is also passed The above-mentioned integration of third-party services requires functional enhancement and transformation based on individual case needs, which will undoubtedly incur greater development costs. Therefore, a data processing solution is currently needed to solve the problem of functional enhancement of third-party services integrated or accessed by the business platform.
发明内容Contents of the invention
本申请实施例提供了一种数据处理方法、系统、电子设备及计算机可读存储介质,解 决了目前对业务平台上集成的第三方服务等服务模块进行功能增强改造难度大、开发量大的问题,能够有效增强各服务模块的安全性能以及场景适应性能,因此也无需对第三方服务进行成本较高的功能增强改造,节约了服务开发成本。并且,基于本申请方案实现的业务平台能够轻松对接第三方服务以及进行一些安全性或者场景适应性的功能升级,无需修改第三方服务的相关代码,有利于提高客户端、开发端以及第三方服务端等多端使用体验。The embodiments of the present application provide a data processing method, system, electronic device and computer-readable storage medium to solve It solves the current problems of difficulty and large development volume in functional enhancement and transformation of service modules such as third-party services integrated on the business platform. It can effectively enhance the security performance and scene adaptability of each service module, so there is no need to modify third-party services. Higher-cost functional enhancements and transformations save service development costs. Moreover, the business platform implemented based on this application solution can easily connect to third-party services and perform some security or scene adaptability function upgrades without modifying the relevant code of third-party services, which is conducive to improving the client, development side and third-party services. A multi-device user experience.
第一方面,本申请实施例提供了一种数据处理方法,该方法应用于包括路由模块、数据管控模块的业务平台,以及服务模块,其中服务模块包括第三方服务,该方法包括:In the first aspect, embodiments of the present application provide a data processing method, which method is applied to a business platform including a routing module, a data management and control module, and a service module, where the service module includes third-party services. The method includes:
路由模块获取用于目标业务的第一请求数据;The routing module obtains the first request data for the target service;
路由模块向数据管控模块发送第一请求数据,其中第一请求数据至少包括目标服务模块的识别信息、以及用于目标业务的目标数据获取参数;The routing module sends first request data to the data management and control module, where the first request data at least includes identification information of the target service module and target data acquisition parameters for the target service;
数据管控模块判断第一请求数据是否满足第一条件,其中第一条件用于对请求目标服务模块处理的第一请求数据进行有效性及安全性检查;The data management and control module determines whether the first request data satisfies the first condition, where the first condition is used to check the validity and security of the first request data processed by the request target service module;
确认第一请求数据满足第一条件,数据管控模块向目标服务模块发送第一请求数据;After confirming that the first request data meets the first condition, the data management and control module sends the first request data to the target service module;
确认第一请求数据不满足第一条件,数据管控模块修改第一请求数据,以得到满足第一条件的第二请求数据,并且,数据管控模块向目标服务模块发送第二请求数据。After confirming that the first request data does not meet the first condition, the data management and control module modifies the first request data to obtain the second request data that meets the first condition, and the data management and control module sends the second request data to the target service module.
即通过具有数据管控功能的数据管控模块,对业务平台接入的业务请求相关数据进行筛查,例如包括上述基于预设的第一条件对第一请求数据进行有效性及安全性检查等。最终将满足目标服务模块相关的一些检查要求的请求数据(即上述第一请求数据)发送给目标服务模块。上述目标服务模块包括第三方服务,该第三方服务例如可以是下文具体实施例2中示例的可视化服务(Kibana),上述第一请求数据例如可以是需要Kibana处理的可视化服务请求数据。That is, through the data management and control module with the data management and control function, the business request-related data accessed by the business platform is screened, for example, including the above-mentioned validity and security check of the first request data based on the preset first condition. Finally, the request data that meets some inspection requirements related to the target service module (ie, the above-mentioned first request data) is sent to the target service module. The above-mentioned target service module includes a third-party service. The third-party service may be, for example, the visualization service (Kibana) illustrated in Embodiment 2 below. The above-mentioned first request data may be, for example, visualization service request data that needs to be processed by Kibana.
在上述第一方面的一种可能的实现中,上述第一条件是基于目标服务模块的API入口参数的规范性要求、以及目标服务模块的服务数据安全性要求中的至少一项动态确定的。In a possible implementation of the first aspect, the first condition is dynamically determined based on at least one of the normative requirements of the API entry parameters of the target service module and the service data security requirements of the target service module.
例如对应于可视化服务(Kibana)预设的第一条件,可以是基于Kibana的各项API入口参数阈值等要求、以及Kibana对待可视化展示的数据内容来源以及数据内容的安全性等方面的要求来确定。在另一些实施例中,该第一条件例如也可以包括对待可视化展示的数据内容对应的数据表格式等方面的限定,在此不做限制。For example, the first condition corresponding to the preset of the visualization service (Kibana) can be determined based on Kibana's various API entry parameter thresholds and other requirements, as well as Kibana's requirements for the source of data content for visual display and the security of the data content. . In other embodiments, the first condition may also include restrictions on the data table format corresponding to the data content to be visually displayed, etc., which is not limited here.
在上述第一方面的一种可能的实现中,第一条件包括对目标服务模块的至少一项API入口参数预设的参数阈值判断条件,并且,数据管控模块判断第一请求数据是否满足第一条件,包括:数据管控模块判断第一请求数据中的第一参数的值是否在预设的第一参数阈值范围内;若第一参数的值在第一参数阈值范围内,则数据管控模块确认第一请求数据满足第一条件;若第一参数的值不在第一参数阈值范围内,则数据管控模块确认第一请求数据不满足第一条件。In a possible implementation of the above first aspect, the first condition includes a parameter threshold judgment condition preset for at least one API entry parameter of the target service module, and the data management and control module judges whether the first request data satisfies the first Conditions include: the data management and control module determines whether the value of the first parameter in the first request data is within the preset first parameter threshold range; if the value of the first parameter is within the first parameter threshold range, the data management and control module confirms The first request data satisfies the first condition; if the value of the first parameter is not within the first parameter threshold range, the data management and control module confirms that the first request data does not satisfy the first condition.
在上述第一方面的一种可能的实现中,确认第一请求数据不满足第一条件,数据管控模块修改第一请求数据,以得到满足第一条件的第二请求数据,包括:将不在第一参数阈值范围内的第一参数的值,调整至第一参数阈值范围内。In a possible implementation of the above first aspect, it is confirmed that the first request data does not satisfy the first condition, and the data management and control module modifies the first request data to obtain the second request data that satisfies the first condition, including: The value of the first parameter within a parameter threshold range is adjusted to within the first parameter threshold range.
即对于不满足目标服务模块的API入口参数阈值要求的业务请求数据(即上述第一请求数据),可以将该请求数据中相应的API入口参数调整至阈值要求范围内,以便于该业务请求数据在后续过程中顺利接入目标服务模块进行处理。 That is, for business request data that does not meet the API entry parameter threshold requirements of the target service module (i.e., the above-mentioned first request data), the corresponding API entry parameters in the request data can be adjusted to within the threshold requirement range, so that the business request data In the subsequent process, the target service module is successfully connected for processing.
在上述第一方面的一种可能的实现中,目标服务模块用于处理数据管控模块发来的请求数据,请求数据包括第一请求数据和第二请求数据,并且,上述方法包括:In a possible implementation of the above first aspect, the target service module is used to process the request data sent by the data management and control module. The request data includes first request data and second request data, and the above method includes:
目标服务模块根据接收到的请求数据,处理得到第一处理数据;The target service module processes the received request data to obtain the first processing data;
目标服务模块向数据管控模块返回第一处理数据;The target service module returns the first processing data to the data management and control module;
数据管控模块判断第一处理数据是否满足第二条件,其中第二条件用于对待返回业务请求端的第一处理数据进行安全性检查,业务请求端为发起目标业务的客户端;The data management and control module determines whether the first processed data satisfies the second condition, where the second condition is used to perform a security check on the first processed data to be returned to the service requesting end, which is the client that initiates the target service;
确认第一处理数据满足第二条件,数据管控模块向路由模块发送第一处理数据;After confirming that the first processed data meets the second condition, the data management and control module sends the first processed data to the routing module;
确认第一处理数据不满足第二条件,数据管控模块修改第一处理数据,以得到满足第二条件的第二处理数据,并且,数据管控模块向路由模块发送第二处理数据。After confirming that the first processed data does not meet the second condition, the data management and control module modifies the first processed data to obtain second processed data that meets the second condition, and the data management and control module sends the second processed data to the routing module.
即目标服务模块处理相应业务请求数据(即上述第一请求数据)得到的业务处理数据,即上述第一处理数据,也可以通过数据管控模块进行一些安全性检查,以提高目标服务模块提供相应服务以及处理数据的安全性,进而接收该业务处理数据的业务请求端也能得到较高的安全保障。That is, the business processing data obtained by the target service module processing the corresponding business request data (i.e., the above-mentioned first request data), that is, the above-mentioned first processing data, can also perform some security checks through the data management and control module to improve the target service module in providing corresponding services. As well as the security of the processed data, the business requester receiving the business processing data can also receive higher security guarantees.
在上述第一方面的一种可能的实现中,第二条件是基于业务请求端的安全性校验参数、权限校验参数、以及数据保护性校验参数中的至少一项动态确定的。In a possible implementation of the above first aspect, the second condition is dynamically determined based on at least one of a security verification parameter, a permission verification parameter, and a data protection verification parameter of the service requesting end.
在上述第一方面的一种可能的实现中,第二条件包括敏感数据识别参数作为安全性校验参数;并且,数据管控模块判断第一处理数据是否满足第二条件,包括:In a possible implementation of the above first aspect, the second condition includes sensitive data identification parameters as security verification parameters; and the data management and control module determines whether the first processed data satisfies the second condition, including:
数据管控模块基于敏感数据识别参数,判断第一处理数据是否包含敏感数据;The data management and control module determines whether the first processed data contains sensitive data based on the sensitive data identification parameters;
若第一处理数据不包含敏感数据,则确认第一处理数据满足第二条件;If the first processed data does not contain sensitive data, confirm that the first processed data meets the second condition;
若第一处理数据包含敏感数据,则确认第一处理数据不满足第二条件。If the first processed data contains sensitive data, it is confirmed that the first processed data does not meet the second condition.
在上述第一方面的一种可能的实现中,确认第一处理数据不满足第二条件,数据管控模块修改第一处理数据,以得到满足第二条件的第二处理数据,包括:删除第一处理数据中的敏感数据;或者,对第一处理数据中的敏感数据进行加密。In a possible implementation of the above first aspect, it is confirmed that the first processed data does not satisfy the second condition, and the data management and control module modifies the first processed data to obtain the second processed data that satisfies the second condition, including: deleting the first processed data. Sensitive data in the processed data; or, encrypting sensitive data in the first processed data.
在上述第一方面的一种可能的实现中,第二条件包括授权信息验证参数作为权限校验参数;并且,数据管控模块判断第一处理数据是否满足第二条件,包括:In a possible implementation of the above first aspect, the second condition includes authorization information verification parameters as authority verification parameters; and the data management and control module determines whether the first processed data satisfies the second condition, including:
数据管控模块基于授权信息验证参数,确认第一处理数据的终端接收方是否具有对第一处理数据全部数据内容的获取权限;The data management and control module verifies parameters based on the authorization information to confirm whether the terminal recipient of the first processed data has the right to obtain the entire data content of the first processed data;
若第一处理数据的终端接收方具有对第一处理数据全部数据内容的获取权限,则确认第一处理数据满足第二条件;If the terminal recipient of the first processed data has the right to obtain the entire data content of the first processed data, it is confirmed that the first processed data satisfies the second condition;
若第一处理数据的终端接收方不具有对第一处理数据全部数据内容的获取权限,则确认第一处理数据不满足第二条件。If the terminal recipient of the first processed data does not have the right to obtain the entire data content of the first processed data, it is confirmed that the first processed data does not meet the second condition.
在上述第一方面的一种可能的实现中,确认第一处理数据不满足第二条件,数据管控模块修改第一处理数据,以得到满足第二条件的第二处理数据,包括:In a possible implementation of the above first aspect, it is confirmed that the first processed data does not meet the second condition, and the data management and control module modifies the first processed data to obtain the second processed data that satisfies the second condition, including:
若第一处理数据的终端接收方不具有对第一处理数据全部数据内容的获取权限,删除第一处理数据。If the terminal recipient of the first processed data does not have the right to obtain the entire data content of the first processed data, the first processed data is deleted.
在上述第一方面的一种可能的实现中,第二条件包括用于保护业务平台数据的预设时间阈值作为数据保护性校验参数;并且,数据管控模块判断第一处理数据是否满足第二条件,包括:In a possible implementation of the above first aspect, the second condition includes a preset time threshold for protecting business platform data as a data protection verification parameter; and the data management and control module determines whether the first processed data satisfies the second conditions, including:
数据管控模块判断第一处理数据是否包括采集时间早于预设时间阈值的数据; The data management and control module determines whether the first processed data includes data whose collection time is earlier than a preset time threshold;
若第一处理数据不包括采集时间早于预设时间阈值的数据,则确认第一处理数据满足第二条件;If the first processed data does not include data whose collection time is earlier than the preset time threshold, it is confirmed that the first processed data meets the second condition;
若第一处理数据包括采集时间早于预设时间阈值的数据,则确认第一处理数据不满足第二条件。If the first processed data includes data whose collection time is earlier than the preset time threshold, it is confirmed that the first processed data does not meet the second condition.
在上述第一方面的一种可能的实现中,确认第一处理数据不满足第二条件,数据管控模块修改第一处理数据,以得到满足第二条件的第二处理数据,包括:对第一处理数据中采集时间早于预设时间阈值的数据进行删除。In a possible implementation of the above first aspect, it is confirmed that the first processed data does not satisfy the second condition, and the data management and control module modifies the first processed data to obtain the second processed data that satisfies the second condition, including: Data in the processed data whose collection time is earlier than the preset time threshold are deleted.
在上述第一方面的一种可能的实现中,路由模块为Nginx、Traefik、Envoy、Kong中的任一项。In a possible implementation of the first aspect above, the routing module is any one of Nginx, Traefik, Envoy, and Kong.
可以理解,在另一些实施例中,上述路由模块也可以是其他的一些能够接入业务数据、具有路由功能的服务模块,在此不做限制。It can be understood that in other embodiments, the above-mentioned routing module can also be other service modules that can access business data and have routing functions, which are not limited here.
第二方面,本申请实施例提供了一种数据处理系统,包括:In the second aspect, embodiments of the present application provide a data processing system, including:
路由模块,用于获取用于目标业务的第一请求数据并发送给数据管控模块,其中第一请求数据至少包括目标服务模块的识别信息、以及用于目标业务的目标数据获取参数;The routing module is used to obtain the first request data for the target service and send it to the data management and control module, where the first request data at least includes the identification information of the target service module and the target data acquisition parameters for the target service;
数据管控模块,用于判断第一请求数据是否满足第一条件,其中第一条件用于对请求目标服务模块处理的第一请求数据进行有效性及安全性检查;并且,在确认第一请求数据满足第一条件时,用于向目标服务模块发送第一请求数据;以及在确认第一请求数据不满足第一条件时,用于修改第一请求数据以得到满足第一条件的第二请求数据,并向目标服务模块发送第二请求数据;The data management and control module is used to determine whether the first request data satisfies the first condition, where the first condition is used to check the validity and security of the first request data processed by the request target service module; and, after confirming the first request data When the first condition is met, it is used to send the first request data to the target service module; and when it is confirmed that the first request data does not meet the first condition, it is used to modify the first request data to obtain the second request data that satisfies the first condition. , and sends the second request data to the target service module;
目标服务模块,用于根据接收到的第一请求数据或第二请求数据,处理得到第一处理数据,并向数据管控模块返回第一处理数据。The target service module is configured to process the first processing data according to the received first request data or the second request data, and return the first processing data to the data management and control module.
可以理解,上述目标服务模块既可以是下文实施例中介绍的业务平台中开发的本地服务模块,也可以是该业务平台集成或者接入的第三方服务模块,例如下文实施例1中示例的链路查询服务以及实施例2中示例的可视化服务(Kibana),在此不做限制。It can be understood that the above-mentioned target service module can be either a local service module developed in the business platform introduced in the embodiment below, or a third-party service module integrated or accessed by the business platform, such as the chain example in Embodiment 1 below. The road query service and the visualization service (Kibana) exemplified in Embodiment 2 are not limited here.
在上述第二方面的一种可能的实现中,数据管控模块,还用于判断第一处理数据是否满足第二条件,其中第二条件用于对待返回业务请求端的第一处理数据进行安全性检查,业务请求端为发起目标业务的客户端;并且,在确认第一处理数据满足第二条件时,用于向路由模块发送第一处理数据;In a possible implementation of the second aspect above, the data management and control module is also used to determine whether the first processed data satisfies a second condition, where the second condition is used to perform a security check on the first processed data to be returned to the business requesting end. , the service requesting end is the client that initiates the target service; and, when confirming that the first processing data meets the second condition, is used to send the first processing data to the routing module;
在确认第一处理数据不满足第二条件时,用于修改第一处理数据,以得到满足第二条件的第二处理数据,并向路由模块发送第二处理数据。When it is confirmed that the first processing data does not meet the second condition, it is used to modify the first processing data to obtain second processing data that meets the second condition, and send the second processing data to the routing module.
第三方面,本申请实施例提供了一种电子设备,包括:一个或多个处理器;一个或多个存储器;一个或多个存储器存储有一个或多个程序,当一个或者多个程序被一个或多个处理器执行时,使得电子设备执行上述第一方面提供的数据处理方法。In a third aspect, embodiments of the present application provide an electronic device, including: one or more processors; one or more memories; one or more memories store one or more programs. When one or more programs are When one or more processors are executed, the electronic device is caused to execute the data processing method provided in the first aspect.
第四方面,本申请实施例提供了一种计算机可读存储介质,包括计算机程序/指令,该计算机程序/指令被处理器执行时,实现上述第一方面提供的数据处理方法。In a fourth aspect, embodiments of the present application provide a computer-readable storage medium that includes a computer program/instruction. When the computer program/instruction is executed by a processor, the data processing method provided in the first aspect is implemented.
附图说明Description of the drawings
图1所示为本申请实施例提供的一种客户端与业务平台之间的交互场景示意图。Figure 1 shows a schematic diagram of an interaction scenario between a client and a business platform provided by an embodiment of the present application.
图2a所示为本申请实施例提供的一种客户端与业务平台之间业务交互数据的处理过 程示意图。Figure 2a shows a processing process of business interaction data between a client and a business platform provided by an embodiment of the present application. Process diagram.
图2b所示为本申请实施例提供的另一种客户端与业务平台之间业务交互数据的处理过程示意图。Figure 2b shows a schematic diagram of the processing process of business interaction data between another client and the business platform provided by the embodiment of the present application.
图3所示为本申请实施例提供的一种数据处理方法的实施流程示意图。Figure 3 shows a schematic flowchart of the implementation of a data processing method provided by an embodiment of the present application.
图4所示为本申请实施例1提供的一种对应于链路查询服务的数据处理方法实施流程示意图。Figure 4 shows a schematic flowchart of the implementation of a data processing method corresponding to the link query service provided in Embodiment 1 of the present application.
图5所示为本申请实施例2提供的一种对应于Kibana的数据处理方法实施流程示意图。Figure 5 shows a schematic implementation flow diagram of a data processing method corresponding to Kibana provided in Embodiment 2 of the present application.
图6所示为本申请实施例提供的一种用于运行业务平台或客户端的电子设备600结构示意图。Figure 6 shows a schematic structural diagram of an electronic device 600 for running a business platform or client provided by an embodiment of the present application.
具体实施方式Detailed ways
图1根据本申请实施例示出了一种客户端与业务平台之间的交互场景示意图。Figure 1 shows a schematic diagram of an interaction scenario between a client and a business platform according to an embodiment of the present application.
如图1所示,该场景包括运行在设备100a上的客户端程序(简称客户端100a)、运行在设备100b上的开发端程序(简称开发端100b)、运行在设备100c上的第三方服务提供端(简称第三方服务端100b)以及运行在设备200上的业务平台(简称业务平台200)。As shown in Figure 1, this scenario includes a client program running on device 100a (referred to as client 100a), a development-side program running on device 100b (referred to as development-side 100b), and a third-party service running on device 100c. The provider (referred to as the third-party server 100b) and the business platform running on the device 200 (referred to as the business platform 200).
其中客户端100a可以是由保险公司等商家开发并面向终端消费群体的程序产品,用于为终端消费群体(即用户)提供保险相关业务服务或者其他非保险相关的业务服务等。The client 100a may be a program product developed by an insurance company and other merchants and oriented to terminal consumer groups, and is used to provide insurance-related business services or other non-insurance-related business services to terminal consumer groups (ie, users).
开发端100b用于为开发人员提供开发平台,开发人员可以通过开发端100b开发业务平台200中提供各类服务的服务模块,包括提供分析或者可视化展示等功能的技术服务、以及提供业务处理等功能的业务服务等。另外,该服务模块既包括为业务平台200开发的本地服务,也包括集成到业务平台200或者通过相应开发的程序接口接入业务平台200提供相应服务内容的第三方服务,在此不做限制。The development terminal 100b is used to provide a development platform for developers. Developers can develop service modules that provide various services in the business platform 200 through the development terminal 100b, including technical services that provide functions such as analysis or visual display, and functions such as business processing. business services, etc. In addition, the service module includes not only local services developed for the business platform 200, but also third-party services that are integrated into the business platform 200 or access the business platform 200 to provide corresponding service content through correspondingly developed program interfaces, which are not limited here.
第三方服务端100c例如可以提供一些开源可接入的第三方服务对接业务平台200中转的相应业务请求等,或者第三方服务端100c提供的一些第三方服务也可以集成到业务平台200中对应处理相应的业务请求。其中,接入或集成到业务平台200中的第三方服务例如可以是邮件服务、支付服务或者链路查询服务、可视化服务等,在此不做限制。For example, the third-party server 100c can provide some open source and accessible third-party services to dock corresponding business requests transferred by the business platform 200, or some third-party services provided by the third-party server 100c can also be integrated into the business platform 200 for corresponding processing. Corresponding business request. The third-party services that are accessed or integrated into the business platform 200 may be, for example, email services, payment services, link query services, visualization services, etc., which are not limited here.
业务平台200用于接入客户端100a发起的业务请求,并安排相应的服务模块来处理该业务请求。可以理解,业务平台200可以分别与客户端100a、开发100b以及第三方服务端100c通信连接形成一个业务服务系统或者说是数据处理系统。The service platform 200 is used to access the service request initiated by the client 100a, and arrange the corresponding service module to process the service request. It can be understood that the business platform 200 can communicate and connect with the client 100a, the development 100b and the third-party server 100c respectively to form a business service system or a data processing system.
可以理解,运行客户端程序的设备100a或运行开发端程序的设备100b例如可以是手机、笔记本电脑、平板电脑等电子设备、运行第三方服务。运行业务平台的设备200例如可以是服务器、桌面型计算机、膝上型计算机、手持计算机、上网本等嵌入或耦接有一个或多个处理器的、或能够访问网络的其他电子设备等,在此不做限制。It can be understood that the device 100a running the client program or the device 100b running the development program can be, for example, a mobile phone, a laptop, a tablet or other electronic device, or run a third-party service. The device 200 running the business platform may be, for example, a server, a desktop computer, a laptop computer, a handheld computer, a netbook, or other electronic devices that are embedded or coupled with one or more processors or that can access the network. Here, No restrictions.
继续参考图1所示,用户可以通过客户端100a发起业务请求,例如用户可以通过保险业务的客户端100a填写保险订单、或者发起查询保险业务订单等业务请求。相应地,业务平台200可以实现路由功能接入来自各客户端100b的业务请求。如果该业务请求所需的服务模块为业务平台200的本地服务模块或者集成到业务平台200中的第三方服务,则业务平台200可以调用相应服务模块处理该业务请求;如果该业务请求所需的服务模块 为运行在设备100c上的第三方服务,则业务平台200可以将接入的业务请求转发给相应的第三方服务。如此,业务平台200接入客户端100a的业务请求以及发送给相应服务模块处理的过程。Continuing to refer to Figure 1, the user can initiate a service request through the client 100a. For example, the user can fill in an insurance order, or initiate a query for an insurance service order, or other service request through the insurance client 100a. Correspondingly, the service platform 200 can implement a routing function to access service requests from each client 100b. If the service module required by the business request is a local service module of the business platform 200 or a third-party service integrated into the business platform 200, the business platform 200 can call the corresponding service module to process the business request; if the service module required by the business request service module If it is a third-party service running on the device 100c, the service platform 200 can forward the accessed service request to the corresponding third-party service. In this way, the service platform 200 accesses the service request of the client 100a and sends it to the corresponding service module for processing.
上述业务平台200实现的路由功能可以由Nginx、Traefik、Envoy、Kong等具有边缘路由器(edge router)功能的开源软件来实现,在此不做限制。在本申请实施例中,业务平台200中基于上述开源软件实现的具有路由功能的服务模块,称为路由模块。也就是说,路由模块可以根据获取的各业务请求的目标服务识别信息,将相应的业务请求转发给业务平台200中相应的服务模块。The routing function implemented by the above-mentioned business platform 200 can be implemented by Nginx, Traefik, Envoy, Kong and other open source software with edge router functions, and is not limited here. In the embodiment of this application, the service module with routing function implemented in the business platform 200 based on the above-mentioned open source software is called a routing module. That is to say, the routing module can forward the corresponding service request to the corresponding service module in the service platform 200 according to the obtained target service identification information of each service request.
继续参考图1所示,业务平台200上提供的服务模块响应于客户端发来的业务请求,进行相应业务处理后,可以通过路由模块将业务处理数据返回给相应的客户端。Continuing to refer to Figure 1, the service module provided on the service platform 200 responds to the service request sent by the client, and after performing corresponding service processing, the service processing data can be returned to the corresponding client through the routing module.
如前所述,目前业务平台200上集成或接入的第三方服务,在集成时或者开发程序接口时已根据业务平台的实际需求对第三方服务进行了必要的改造。但在利用包括第三方服务处理客户端业务请求的过程中,如果业务平台200为满足业务处理安全性的需求、或者为了使第三方程序适应不同的业务场景,则需要对服务模块进行相应的功能增强代码改造,包括安全性能增强、场景适应性能增强等方面的代码改造。此种情形下,业务平台200集成的第三方服务,则需要面临较大开发成本的二次改造,而业务平台200接入的第三方服务则无法实现这类功能增强性质的改造。比如,业务平台200的开发人员,可能不了解第三方服务的既存代码,因而理解已集成的第三方服务既存代码需要耗费时间精力;又比如,有些第三方服务的采用的技术栈与开发业务平台200所采用的技术栈不同,因而业务平台200的开发人员需要花费时间精力来学习一些第三方服务对应的技术栈等,才有可能实现对第三方服务进行功能增强改造。也就是说,以上这些都会大大增加对第三方服务进行功能增强改造的成本。As mentioned above, the third-party services currently integrated or accessed on the business platform 200 have undergone necessary transformations according to the actual needs of the business platform during integration or program interface development. However, in the process of using third-party services to process client business requests, if the business platform 200 is to meet business processing security requirements or to adapt third-party programs to different business scenarios, the service module needs to perform corresponding functions. Enhanced code transformation, including code transformation in aspects such as security performance enhancement and scene adaptability enhancement. In this case, the third-party services integrated by the business platform 200 need to face secondary transformation with relatively large development costs, while the third-party services connected to the business platform 200 cannot achieve such function-enhancing transformations. For example, developers of the business platform 200 may not understand the existing code of third-party services, so it takes time and effort to understand the existing codes of integrated third-party services; for example, the technology stack used by some third-party services does not match the development business platform. 200 uses different technology stacks, so developers of the business platform 200 need to spend time and effort to learn the technology stacks corresponding to some third-party services, etc., so that it is possible to enhance the functions of third-party services. In other words, all of the above will greatly increase the cost of functional enhancement and transformation of third-party services.
为了解决上述技术问题,本申请提供了一种数据处理方法,该方法通过在业务平台中增加数据管控模块,来实现对发送给服务模块的请求数据、以及对服务模块返回的业务处理数据进行数据检查及管控。即,增加的数据管控模块能够对业务平台接入请求数据的统一路由模块、与服务模块之间传输的请求数据和业务处理数据进行数据检查及管控,包括识别请求数据的请求方是否拥有访问权限、请求数据的API入口参数等参数是否满足合法性要求、以及服务模块响应业务请求返回的业务处理数据是否满足安全性要求、是否需要进行数据过滤等方面的管控。可以理解,上述服务模块既包括为业务平台开发的本地服务、也包括集成到业务平台上的第三方服务、以及业务平台通过程序接口接入的第三方服务等。如此,通过本申请实施例所提供的数据处理方法,能够有效增强各服务模块的安全性能以及场景适应性能,因此也无需对第三方服务进行成本较高的功能增强改造,节约了服务开发成本。In order to solve the above technical problems, this application provides a data processing method, which adds a data management and control module to the business platform to implement data processing on the request data sent to the service module and the business processing data returned by the service module. Inspection and control. That is, the added data management and control module can perform data inspection and control on the unified routing module of the business platform access request data, the request data and business processing data transmitted between the service module, including identifying whether the requester of the request data has access rights. , whether the API entry parameters and other parameters of the requested data meet the legality requirements, and whether the business processing data returned by the service module in response to the business request meets the security requirements, and whether data filtering is required. It can be understood that the above-mentioned service modules include local services developed for the business platform, third-party services integrated into the business platform, and third-party services accessed by the business platform through program interfaces. In this way, through the data processing method provided by the embodiment of the present application, the security performance and scene adaptability of each service module can be effectively enhanced. Therefore, there is no need to carry out costly functional enhancements and modifications to third-party services, saving service development costs.
可以理解,上述数据管控模块可以根据业务平台200向客户端提供的服务模块需求,定制化的设置一些数据管控功能,例如还可以增加多租户支持的数据处理功能,以使第三方服务适应多租户场景等。在此不做限制。It can be understood that the above-mentioned data management and control module can customize some data management and control functions according to the service module requirements provided by the business platform 200 to the client. For example, it can also add data processing functions supported by multi-tenants to adapt third-party services to multi-tenants. Scenes etc. There are no restrictions here.
例如,业务平台在集成第三方服务时对第三方服务进行必要的少量改造后,基于本申请实施例所提供的数据处理方法,可以将原本不符合第三方服务处理的业务请求形式或内容要求的请求数据,经数据管控平台处理后接入对应的第三方服务,从而使业务平台能够 利用第三方服务顺利对接各客户端发起的业务请求。并且,本申请实施例所提供的数据处理方法中,上述数据管控模块还能够对服务模块返回的业务处理数据进行安全筛查,例如删除一些敏感数据、对预设时间长度以前的历史数据进行过滤等,从而能够有效提高业务平台提供相应服务模块的安全性。For example, after the business platform performs a small amount of necessary modifications to the third-party service when integrating the third-party service, based on the data processing method provided by the embodiment of this application, the business request form or content requirements that originally did not meet the third-party service processing can be processed. Request data and access the corresponding third-party service after being processed by the data management and control platform, so that the business platform can Use third-party services to smoothly connect business requests initiated by each client. Moreover, in the data processing method provided by the embodiment of the present application, the above-mentioned data management and control module can also perform security screening on the business processing data returned by the service module, such as deleting some sensitive data and filtering historical data before a preset time length. etc., thus effectively improving the security of the corresponding service modules provided by the business platform.
作为示例,图2a示出了一种客户端与业务平台之间业务交互数据的处理过程示意图。As an example, Figure 2a shows a schematic diagram of the processing process of business interaction data between the client and the business platform.
如图2a所示,业务平台200通过统一的路由模块201a接收的例如来自客户端100a的业务请求,路由模块201a识别相应业务请求的目标服务后,转发给相应的服务模块202a进行处理,即图2a所示的“数据进入”过程。服务模块202a处理相应的业务请求后,将相应的业务处理数据返回给路由模块201a,由路由模块201a转发给客户端100a,即图2a所示的“数据返回”过程。As shown in Figure 2a, the business platform 200 receives, for example, a business request from the client 100a through the unified routing module 201a. After the routing module 201a identifies the target service of the corresponding business request, it forwards it to the corresponding service module 202a for processing, that is, Figure The “data entry” process shown in 2a. After processing the corresponding service request, the service module 202a returns the corresponding service processing data to the routing module 201a, and the routing module 201a forwards it to the client 100a, that is, the "data return" process shown in Figure 2a.
图2b根据本申请实施例示出了另一种客户端与业务平台之间业务交互数据的处理过程示意图。Figure 2b shows another schematic diagram of the processing process of business interaction data between the client and the business platform according to an embodiment of the present application.
如图2b所示,业务平台200通过统一的路由模块201b接收的例如来自客户端100a的业务请求,路由模块201b识别相应业务请求的目标服务后,先将业务请求的请求数据发送给数据管控模块202b,由数据管控模块202b对请求数据进行数据检查,比如识别请求数据的请求方是否拥有访问权限、请求数据的API入口参数等参数是否满足合法性要求等。该数据管控模块202b还可以对不满足数据检查要求的请求数据进行修改处理,例如对不满足合法性要求的请求数据参数进行适应性修改等。之后,数据管控模块202b再将数据检查合格、或者修改后合格的请求数据发送给业务平台200中对应的服务模块202b进行处理。即图2b所示的“数据进入”过程。As shown in Figure 2b, the business platform 200 receives, for example, a business request from the client 100a through the unified routing module 201b. After the routing module 201b identifies the target service of the corresponding business request, it first sends the request data of the business request to the data management and control module. 202b. The data management and control module 202b performs a data check on the requested data, such as identifying whether the requester of the requested data has access rights and whether parameters such as API entry parameters of the requested data meet legality requirements. The data management and control module 202b can also modify the request data that does not meet the data inspection requirements, such as adaptively modifying the request data parameters that do not meet the legality requirements. After that, the data management and control module 202b sends the request data that passes the data check or is qualified after modification to the corresponding service module 202b in the business platform 200 for processing. That is, the “data entry” process shown in Figure 2b.
继续参考图2b所示,服务模块202b处理相应的业务请求后,将相应的业务处理数据先发送给数据管控模块202b,由数据管控模块202b对返回的业务处理数据基于预设返回条件进行筛查,该预设返回条件例如是用于确认返回的业务处理数据是否满足安全性要求,包括是否需要过滤掉容易引发安全问题的历史数据、是否涉及敏感字段等。对于不满足预设返回条件的业务处理数据,数据管控模块202b可以进行一些适应性的修改,例如对返回的业务处理数据删除预设时间长度以前的历史数据、或者对返回的业务处理数据进行脱敏处理等。之后,数据管控模块202b再将满足预设返回条件、或者修改后满足返回条件的业务处理数据发送给路由模块201b,由路由模块201b转发给客户端100a,即图2b所示的“数据返回”过程。Continuing to refer to Figure 2b, after processing the corresponding business request, the service module 202b first sends the corresponding business processing data to the data management and control module 202b, and the data management and control module 202b screens the returned business processing data based on the preset return conditions. , the preset return condition is, for example, used to confirm whether the returned business processing data meets security requirements, including whether it is necessary to filter out historical data that may easily cause security issues, whether it involves sensitive fields, etc. For business processing data that does not meet the preset return conditions, the data management and control module 202b can make some adaptive modifications, such as deleting historical data before the preset time length for the returned business processing data, or deleting the returned business processing data. Sensitivity treatment, etc. After that, the data management and control module 202b sends the business processing data that satisfies the preset return conditions or the modified return conditions to the routing module 201b, and the routing module 201b forwards it to the client 100a, that is, the "data return" shown in Figure 2b process.
可以看出,相较于图2a所示的业务交互数据处理过程,图2b所示的业务交互数据处理过程中,“进入”或“返回”数据的安全性更高,业务平台200提供的服务模块处理各种业务数据的安全性以及场景适应性也更强。并且在将业务数据交给相应第三方服务处理的过程中,如需实现第三方服务的安全功能或者场景适应性能等方面的功能增强时,只需对业务平台200的数据管控模块进行相应的参数调整或者一些适应性的代码改造即可,无需改造第三方服务。如此,可以大大减小一些功能增强改造的开发量。另外,业务平台200基于数据管控模块也可以更加灵活的接入第三方服务,接入第三方服务时,只需调整数据管控模块将接入的业务请求处理成符合第三方服务的入口参数等要求的请求数据,即可发送给第三方服务进行处理,并且通过数据管控模块还可以将第三方服务返回的一些无用数据或者威胁安全性的数据进行过滤,如此也能够保障接入第三方服务过程的安全。 It can be seen that compared with the business interaction data processing process shown in Figure 2a, in the business interaction data processing process shown in Figure 2b, the security of "entering" or "returning" data is higher, and the services provided by the business platform 200 The module handles various business data with greater security and scenario adaptability. And in the process of handing over the business data to the corresponding third-party service for processing, if it is necessary to realize the security function or scene adaptability of the third-party service, etc., it only needs to set the corresponding parameters for the data management and control module of the business platform 200 Adjustments or some adaptive code modifications are enough, and there is no need to modify third-party services. In this way, the development amount of some functional enhancements can be greatly reduced. In addition, the business platform 200 can also more flexibly access third-party services based on the data management and control module. When accessing a third-party service, you only need to adjust the data management and control module to process the accessed business request to comply with the entry parameters and other requirements of the third-party service. The request data can be sent to the third-party service for processing, and the data management and control module can also filter some useless data or data that threatens security returned by the third-party service, which can also ensure the access to the third-party service process. Safety.
图3根据本申请实施例示出了一种数据处理方法的实施流程示意图。其中,图3所示流程示出了统一的路由模块201、数据管控模块202以及各项服务模块203之间的交互,如上所述,服务模块203包括业务平台200集成或接入的第三方服务。Figure 3 shows a schematic flowchart of the implementation of a data processing method according to an embodiment of the present application. Among them, the process shown in Figure 3 shows the interaction between the unified routing module 201, the data management and control module 202 and the various service modules 203. As mentioned above, the service module 203 includes third-party services integrated or accessed by the business platform 200. .
具体地,如图3所示,该流程包括以下步骤:Specifically, as shown in Figure 3, the process includes the following steps:
301:路由模块201获取用于目标业务的业务请求数据(作为第一请求数据)。301: The routing module 201 obtains the service request data for the target service (as the first request data).
示例性地,以路由模块201为作为反向代理工具之一的Traefik软件为例,它具有HTTP反向代理以及均衡负载等功能,可以截获客户端发给服务模块203的HTTP请求数据,即业务请求数据。For example, the routing module 201 is Traefik software, which is one of the reverse proxy tools. It has functions such as HTTP reverse proxy and load balancing, and can intercept the HTTP request data sent by the client to the service module 203, that is, the business Request data.
前述“截获”可以理解为获取,参考上述图1所示场景,即路由模块201可以获取客户端100a或100b发送给业务平台200的业务请求数据。该业务请求数据例如可以包括请求方识别信息、服务模块识别信息以及具体请求的业务内容等,其中具体请求的业务内容例如可以通过目标数据获取参数来限定,在此不做限制。其中,请求方识别信息、服务模块识别信息等例如可以以域名或路径等形式发送,在此不做限制。The aforementioned "interception" can be understood as acquisition. Referring to the scenario shown in Figure 1 above, the routing module 201 can obtain the service request data sent to the service platform 200 by the client 100a or 100b. The service request data may include, for example, requester identification information, service module identification information, and specifically requested business content. The specific requested business content may be defined, for example, by a target data acquisition parameter, which is not limited here. Among them, the requester identification information, service module identification information, etc. can be sent in the form of domain names or paths, for example, and are not limited here.
302:路由模块201向数据管控模块202转发业务请求数据。302: The routing module 201 forwards the service request data to the data management and control module 202.
示例性地,路由模块201在将业务请求数据发送给相应服务模块203之前,可以先将该业务请求数据发送给预设在业务平台200中的数据管控模块202进行处理。可以理解,需要转发给数据管控模块202的业务请求数据,可以在路由模块201中预先配置相应业务请求对应的服务模块相关信息等,以使路由模块201在接收到相应业务请求数据时,能够基于配置先将接收到的业务请求数据发送给数据管控模块进行处理。For example, before sending the service request data to the corresponding service module 203, the routing module 201 may first send the service request data to the data management and control module 202 preset in the service platform 200 for processing. It can be understood that for the service request data that needs to be forwarded to the data management and control module 202, the service module related information corresponding to the corresponding service request can be pre-configured in the routing module 201, so that when the routing module 201 receives the corresponding service request data, it can be based on The configuration first sends the received business request data to the data management and control module for processing.
可以理解,通常路由模块201(例如Traefik)截获业务请求数据后可以基于请求数据中的域名或者路径等,基于相应预设的转发规则转发给相应服务模块203。例如,路由模块201将以/web1/为前缀的业务请求转发给服务模块203-1、将以/web2/为前缀的业务请求转发给服务模块203-2等。又例如,路由模块201也可以根据请求数据的API路径确认接收该请求数据的目标服务,即路由模块201可以根据API路径匹配相应的转发规则,将业务请求数据转发给相应服务模块。在此不做限制。而在本申请实施例中,路由模块201可以在转发业务请求数据时,将原本要发送给相应目标服务模块203的请求数据,先转向发送给数据管控模块202。可以理解,路由模块201在转发业务请求数据给相应数据管控模块202时,还可以将识别到的目标服务模块203对应的识别信息也转发给数据管控模块202,以便于数据管控模块202进行相应的数据检查、修改等管控处理后,将该业务请求数据发送给目标服务模块203。It can be understood that generally, after intercepting the service request data, the routing module 201 (for example, Traefik) can forward it to the corresponding service module 203 based on the domain name or path in the request data and based on the corresponding preset forwarding rules. For example, the routing module 201 forwards service requests prefixed with /web1/ to the service module 203-1, forwards service requests prefixed with /web2/ to the service module 203-2, and so on. For another example, the routing module 201 can also confirm the target service that receives the request data according to the API path of the request data. That is, the routing module 201 can match the corresponding forwarding rules according to the API path and forward the business request data to the corresponding service module. There are no restrictions here. In this embodiment of the present application, when forwarding the service request data, the routing module 201 can first redirect the request data that is originally intended to be sent to the corresponding target service module 203 to the data management and control module 202 . It can be understood that when forwarding the service request data to the corresponding data management and control module 202, the routing module 201 can also forward the identification information corresponding to the identified target service module 203 to the data management and control module 202, so that the data management and control module 202 can perform corresponding processing. After data inspection, modification and other management and control processing, the business request data is sent to the target service module 203.
303:数据管控模块202根据接收到的请求数据,确认请求方的访问权限。303: The data management and control module 202 confirms the access permission of the requester based on the received request data.
示例性地,数据管控模块202对于接收到的路由模块201转向发来的业务请求,进行分析处理。例如,数据管控模块202可以先根据请求数据中的请求方识别信息,确认请求方是否具备访问权限。也就是说,数据管控模块202可以先对发起业务请求数据的请求方,进行鉴权,例如检查请求方用户是否有权限认证,是否具有对所请求业务内容的访问权限等。其中的权限认证是指请求方用户是否在相应业务系统中已完成合法身份鉴定,已完成合法身份鉴定的用户可以通过提供用户名和密码来验证自己的合法身份信息。如果用户名和密码一致,那么认为用户认证通过,具备权限认证,对相应业务内容具有访问权限。For example, the data management and control module 202 analyzes and processes the received service request forwarded by the routing module 201 . For example, the data management and control module 202 may first confirm whether the requesting party has access rights based on the requesting party identification information in the request data. That is to say, the data management and control module 202 can first authenticate the requester who initiates the service request data, for example, check whether the requesting user has permission authentication and whether he has access permission to the requested service content, etc. The authority authentication refers to whether the requesting user has completed legal identity authentication in the corresponding business system. Users who have completed legal identity authentication can verify their legal identity information by providing user names and passwords. If the username and password are consistent, it is considered that the user has passed the authentication, has authority authentication, and has access rights to the corresponding business content.
参考上述图1所示场景,作为示例,用户A如果从客户端100a操作查询用户B的历 史保单数据,则路由模块201将客户端100a发起的这一业务请求数据转向发送给数据管控模块202后,数据管控模块202可以先根据请求数据中的请求方识别信息,鉴别用户A是否有对用户B的历史保单数据的访问权限。如果用户A是保险业务平台的管理员,例如具有查询近一周用户B的历史保单数据的权限,则可以确认客户端100a登录的用户A的账户具有访问权限,即客户端100a属于有权限请求方。Referring to the scenario shown in Figure 1 above, as an example, if user A queries the history of user B from the client 100a, If the policy data is stored, the routing module 201 forwards the service request data initiated by the client 100a to the data management and control module 202. The data management and control module 202 can first identify whether user A has a right to the request based on the requester identification information in the request data. Access rights to user B’s historical policy data. If user A is the administrator of the insurance business platform, for example, has the authority to query the historical policy data of user B in the past week, it can be confirmed that the account of user A logged in by client 100a has access permission, that is, client 100a belongs to the authorized requester .
而如果用户A为其他保险用户,非管理员,则无权查询用户B的历史保单数据,此时数据管控模块202则可以确认用户A所使用的客户端100a,作为业务请求发起方,不具有访问权限,即客户端100a属于无权限请求方。If user A is another insurance user and is not an administrator, he does not have the right to query the historical policy data of user B. At this time, the data management and control module 202 can confirm that the client 100a used by user A, as the service request initiator, does not have Access permission, that is, the client 100a belongs to the requester without permission.
可以理解,在另一些实施例中,用户A也可能具有限制权限,例如用户A的权限可能限定用户A只能查询近一周的保单业务数据,此种情形下,数据管控模块202则可以对相应的业务请求数据加上这一限制性查询条件,再继续执行下述步骤305至308,完成数据检查后把添加了限制性查询条件的业务请求数据,再发送给对应的服务模块203进行处理,在此不做赘述。It can be understood that in other embodiments, user A may also have restricted permissions. For example, user A's permissions may limit user A to only query policy business data for the past week. In this case, the data management and control module 202 may accordingly Add this restrictive query condition to the business request data, and then continue to perform the following steps 305 to 308. After completing the data check, the business request data with the restrictive query condition added is then sent to the corresponding service module 203 for processing. No further details will be given here.
304:对于无权限请求方,数据管控模块202向路由模块201返回拒绝访问的消息。304: For the unauthorized requester, the data management and control module 202 returns an access denial message to the routing module 201.
示例性地,数据管控模块202如果确定接收到的业务请求数据的请求方不具有相应的访问权限,即确认请求方为无权请求方时,可以通过路由模块201向该请求方返回拒绝访问的消息。在另一些实施例中,数据管控模块202也可以通过路由模块201向该请求方反馈错误提示信息等,在此不做限制。可以理解,路由模块201可以将接收到的数据管控模块202返回的拒绝访问消息,转发给发起响应业务请求数据的请求方。For example, if the data management and control module 202 determines that the requester of the received business request data does not have the corresponding access rights, that is, if the requester is confirmed to be an unauthorized requester, the data management and control module 202 may return an access denial message to the requester through the routing module 201. information. In other embodiments, the data management and control module 202 may also feed back error prompt information to the requesting party through the routing module 201, which is not limited here. It can be understood that the routing module 201 can forward the received access denial message returned by the data management and control module 202 to the requester that initiates the response to the service request data.
305:对于有权限请求方,数据管控模块202检查接收到的请求数据是否满足数据检查要求(作为第一条件)。305: For the authorized requester, the data management and control module 202 checks whether the received request data meets the data inspection requirements (as the first condition).
示例性地,数据管控模块202如果确定接收到的业务请求数据的请求方为有权请求方,则可以进一步对接收到的业务请求数据进行数据检查。该数据检查,例如包括检查业务请求数据中的相关参数是否符合合法性要求、或者是否合规等。若请求数据满足数据检查要求,例如各项参数均合规、合法,则可以继续执行下述步骤306,将请求数据发送给相应的服务模块进行处理;若请求数据不满足数据检查要求,例如一些参数不符合合法性要求或者不合规,则需要执行下述步骤307对相关参数进行修改。For example, if the data management and control module 202 determines that the requester of the received service request data is an authorized requester, it may further perform a data check on the received service request data. This data check includes, for example, checking whether relevant parameters in the business request data meet legality requirements or are compliant with regulations. If the requested data meets the data inspection requirements, for example, all parameters are compliant and legal, you can continue to perform the following step 306 to send the request data to the corresponding service module for processing; if the requested data does not meet the data inspection requirements, for example, some If the parameters do not meet the legality requirements or are not compliant, you need to perform the following step 307 to modify the relevant parameters.
作为示例,例如数据管控模块202可以检查请求数据中的API入口参数是否满足合法性要求,比如某一API入口参数查询参保人员的合理年龄范围应在0至65之间,如果接收到的某个请求数据中,相应API入口参数的值为70,则可以认为接收到的请求数据中,这一API入口参数不合法。而如果收到的某个请求数据中,相应API入口参数的值为55,则可以认为接收到的请求数据API入口参数是合法的。As an example, the data management and control module 202 can check whether the API entry parameters in the request data meet the legality requirements. For example, a certain API entry parameter queries the reasonable age range of the insured person should be between 0 and 65. If a certain API entry parameter is received, In the request data, if the value of the corresponding API entry parameter is 70, it can be considered that this API entry parameter in the received request data is illegal. And if the value of the corresponding API entry parameter in a certain request data received is 55, it can be considered that the API entry parameter of the received request data is legal.
在另一些实施例中,除检查请求数据中的API入口参数是否满足合法性要求之外,数据检查的内容还可以为其他,例如检查请求数据中关于保险险种的选项参数是否合法等,具体数据管控202进行数据检查所依据的第一条件,可以根据业务场景需求进行定制、预设、或者调整,在此不做限制。In other embodiments, in addition to checking whether the API entry parameters in the request data meet the legality requirements, the content of the data check can also be other, such as checking whether the option parameters about the insurance type in the request data are legal, etc., specific data The first condition based on which the management and control 202 performs data inspection can be customized, preset, or adjusted according to the needs of the business scenario, and is not limited here.
306:数据管控模块202向服务模块203发送满足数据检查要求的请求数据。306: The data management and control module 202 sends the request data that meets the data inspection requirements to the service module 203.
示例性地,数据管控模块202在完成数据检查后,对于检查通过的业务请求数据,即满足数据检查要求的请求数据,例如相关参数满足合法性要求的请求数据,数据管控模块 202可以发送给相应的服务模块203,进行相应的业务处理。Exemplarily, after completing the data check, the data management and control module 202 will, for the service request data that passes the check, that is, the request data that meets the data check requirements, for example, the request data whose relevant parameters meet the legality requirements, the data management and control module 202 202 can be sent to the corresponding service module 203 for corresponding business processing.
307:数据管控模块202对不满足数据检查要求的请求数据进行修改。307: The data management and control module 202 modifies the request data that does not meet the data inspection requirements.
示例性地,对于不满足数据检查要求的请求数据,例如API入口参数不符合合法性要求的请求数据,数据管控模块202可以对相关参数进行修改。例如,对于前述例子,如果接收到的某个请求数据中,相应API入口参数的值为70,不符合合法性要求,则数据管控模块202可以根据预设的合理年龄范围对该参数值进行修改,例如将“70”修改为“65”。在此不做限制。For example, for request data that does not meet the data inspection requirements, for example, request data whose API entry parameters do not meet the legality requirements, the data management and control module 202 can modify the relevant parameters. For example, for the above example, if in a certain request data received, the value of the corresponding API entry parameter is 70, which does not meet the legality requirements, the data management and control module 202 can modify the parameter value according to the preset reasonable age range. , for example, change "70" to "65". There are no restrictions here.
又例如,请求数据中没有年龄参数,而目标服务模块的API入口参数需要匹配年龄参数,则数据管控模块202可以在该请求数据中补全年龄参数,例如将预设的通配值,例如50作为请求数据中年龄参数的补全值。For another example, if there is no age parameter in the request data, and the API entry parameter of the target service module needs to match the age parameter, the data management and control module 202 can complete the age parameter in the request data, for example, a preset wildcard value, such as 50. As a completion value for the age parameter in the request data.
再例如,接收到的请求数据中包括年龄参数,但API入口参数需要匹配的是出生年份参数,则数据管控模块202可以根据请求数据中的年龄参数换算得到的对应的出生年份参数,再更新到请求数据中。For another example, if the received request data includes an age parameter, but the API entry parameter needs to match the birth year parameter, the data management and control module 202 can convert the corresponding birth year parameter based on the age parameter in the request data, and then update to in request data.
在另一些实施例中,数据检查的内容还可以为其他,例如检查请求数据中关于保险险种的选项参数中,个人保险险种选项参数中混入了企业团险的险种选项参数等,也需要进行修改,在此不做限制。In other embodiments, the content of the data check can also be other, for example, the option parameters for insurance types in the check request data, the option parameters for personal insurance types are mixed with the option parameters for enterprise group insurance, etc., which also need to be modified. , there is no restriction here.
308:数据管控模块202向服务模块203发送修改后的请求数据(作为第二请求数据)。308: The data management and control module 202 sends the modified request data (as the second request data) to the service module 203.
示例性地,对于不满足数据检查要求的请求数据,数据管控模块202可以对检查出来的不合法参数等数据进行修改,以使该请求数据满足对应于相应服务模块的数据检查要求,例如使参数不合法的请求数据中,相关参数修改至合法范围内等。For example, for request data that does not meet the data check requirements, the data management and control module 202 can modify the checked illegal parameters and other data, so that the request data meets the data check requirements corresponding to the corresponding service module, for example, make the parameters For illegal request data, modify relevant parameters to within the legal range, etc.
309:服务模块203响应于接收到的请求数据,进行相应业务处理。309: The service module 203 responds to the received request data and performs corresponding business processing.
示例性地,服务模块203在接收到数据管控模块202发来的业务请求数据后,可以响应于该请求数据对应请求的业务内容,进行相应的业务处理。For example, after receiving the service request data from the data management and control module 202, the service module 203 can perform corresponding service processing in response to the requested service content corresponding to the request data.
本实施例中,服务模块203可以为第三方服务。由于数据管控模块202已经对请求数据进行了处理,使得获取到的请求数据已符合服务模块203的API接口参数要求。也就是说,无论客户端发送的请求数据是否符合服务模块203对API接口参数的要求,服务模块203均可以对客户端发送的请求进行响应,而不需要对服务模块203进行修改。在其他实施例中,服务模块203也可以是平台自身提供的服务模块(非第三方服务)。In this embodiment, the service module 203 may serve a third party. Since the data management and control module 202 has processed the request data, the obtained request data meets the API interface parameter requirements of the service module 203. That is to say, regardless of whether the request data sent by the client meets the requirements of the API interface parameters of the service module 203, the service module 203 can respond to the request sent by the client without modifying the service module 203. In other embodiments, the service module 203 may also be a service module provided by the platform itself (not a third-party service).
另外可以理解,由于数据管控模块202所具有的数据处理功能,当业务平台200集成了新的第三方服务、或者开发了新的程序接口接入新的第三方服务时,业务平台200既不需要修改第三方服务的程序代码或者相关入口参数等、或者接入第三方服务的接口程序代码或者相关入口参数等,也不需要修改路由模块的程序代码或相关参数,因而可以减少开发量。In addition, it can be understood that due to the data processing function of the data management and control module 202, when the business platform 200 integrates a new third-party service or develops a new program interface to access the new third-party service, the business platform 200 does not need to Modifying the program code or related entry parameters of a third-party service, or the interface program code or related entry parameters of a third-party service, does not require modifying the program code or related parameters of the routing module, thus reducing the amount of development.
可以理解,服务模块203接收到的业务请求数据,可以是上述步骤306中数据管控模块202发来的满足数据检查要求的请求数据,也可以是上述步骤308中数据管控模块202发来的修改后的请求数据,在此不做限制。It can be understood that the service request data received by the service module 203 may be the request data that meets the data inspection requirements sent by the data management and control module 202 in the above-mentioned step 306, or may be the modified request data sent by the data management and control module 202 in the above-mentioned step 308. The request data is not limited here.
310:服务模块203向数据管控模块202返回业务处理数据(作为第一处理数据)。310: The service module 203 returns the business processing data (as the first processing data) to the data management and control module 202.
示例性地,服务模块203完成相应的业务处理后,可以将处理后的业务处理数据返回给数据管控模块202。即服务模块203响应于相应的业务请求返回的业务处理数据,也可 以经过数据管控模块202进行进一步的处理后,再通过路由模块201返回给请求方。具体参考下文详述,在此不做赘述。For example, after the service module 203 completes the corresponding business processing, the processed business processing data can be returned to the data management and control module 202. That is, the service processing data returned by the service module 203 in response to the corresponding service request can also be After further processing by the data management and control module 202, it is returned to the requesting party through the routing module 201. Please refer to the detailed description below for details and will not go into details here.
311:数据管控模块202检查返回的业务处理数据是否满足预设返回条件(作为第二条件)。如果检查后的判断结果为是,则表明可以返回该业务处理数据,即可以执行下述步骤312;如果检查后的判断结果为否,则表明需要对业务处理数据进行进一步检查处理后再返回,即可以执行下述步骤313。311: The data management and control module 202 checks whether the returned business processing data meets the preset return conditions (as the second condition). If the judgment result after the check is yes, it indicates that the business processing data can be returned, that is, the following step 312 can be performed; if the judgment result after the check is no, it indicates that the business processing data needs to be further checked and processed before returning. That is, the following step 313 can be performed.
示例性地,数据管控模块202接收到服务模块203返回的业务处理数据后,可以根据预设返回条件对该业务处理数据进行检查。其中,预设返回条件可以根据具体的业务内容及业务场景进行设定。例如,在本申请实施例中,预设返回条件可以包括检查返回的业务处理数据是否符合相应业务安全性要求,例如检查是否需要过滤业务处理数据中的一些可能会导致安全问题的历史数据、业务处理数据中是否存在敏感字段等。For example, after receiving the business processing data returned by the service module 203, the data management and control module 202 can check the business processing data according to the preset return conditions. Among them, the preset return conditions can be set according to specific business content and business scenarios. For example, in the embodiment of this application, the preset return conditions may include checking whether the returned business processing data meets the corresponding business security requirements, such as checking whether it is necessary to filter some historical data, business data, etc. in the business processing data that may cause security problems. Process whether there are sensitive fields in the data, etc.
312:数据管控模块202向路由模块201返回满足预设返回条件的业务处理数据。312: The data management and control module 202 returns the business processing data that meets the preset return conditions to the routing module 201.
示例性地,对于满足预设返回条件的业务处理数据,数据管控模块202可以直接发送给路由模块201,由路由模块201转发给相应的客户端,即业务请求方。For example, for business processing data that meets the preset return conditions, the data management and control module 202 can directly send it to the routing module 201, and the routing module 201 forwards it to the corresponding client, that is, the service requester.
313:数据管控模块202修改不满足预设返回条件的业务处理数据。313: The data management and control module 202 modifies the business processing data that does not meet the preset return conditions.
示例性地,对于不满足预设返回条件的业务处理数据,需要对业务处理数据进行进一步检查处理。作为示例,对于前述例子,如果业务处理数据中存在需要过滤的可能会导致安全问题的历史数据,数据管控模块202则可以对这部分历史数据进行过滤处理,例如可以删除返回的保单数据中有效期不到3个月的一部分保单数据等,完成数据过滤。又例如,如果业务处理数据中存在敏感字段,数据管控模块202则可以对返回的业务处理数据进行加密处理或者脱敏处理,例如将必要的敏感字段替换为加密后的数据,或者将不必要的敏感字段可以进行删除以脱敏等,在此不做限制。For example, for business processing data that does not meet the preset return conditions, the business processing data needs to be further checked and processed. As an example, for the above example, if there is historical data that needs to be filtered that may cause security problems, the data management and control module 202 can filter this part of the historical data. For example, it can delete the returned policy data with invalid validity period. to a portion of policy data for 3 months, etc., to complete data filtering. For another example, if there are sensitive fields in the business processing data, the data management and control module 202 can encrypt or desensitize the returned business processing data, for example, replace necessary sensitive fields with encrypted data, or replace unnecessary Sensitive fields can be deleted to desensitize them, etc., and there are no restrictions here.
作为示例,对于前述例子,例如返回的业务处理数据是对应于用户A查询用户B的历史保单数据的处理结果,其中用户A的权限只能查询用户B近一周的保单业务数据,则相应的服务模块203查询到结果后返回业务处理数据给数据管控模块202时,数据管控模块202此时则可以根据用户A的权限对返回的业务处理数据进行过滤及脱敏处理。比如删除一周以前的保单业务数据、以及返回的业务处理数据中用户B的银行账户等敏感信息,再将处理后的业务处理数据通过路由模块201发送给客户端。As an example, for the above example, for example, the returned business processing data is the processing result corresponding to user A's query of user B's historical policy data, where user A's permission can only query user B's policy business data for the past week, then the corresponding service When the module 203 returns the business processing data to the data management and control module 202 after querying the results, the data management and control module 202 can filter and desensitize the returned business processing data according to user A's permissions. For example, the policy business data from one week ago and sensitive information such as User B's bank account in the returned business processing data are deleted, and then the processed business processing data is sent to the client through the routing module 201.
314:数据管控模块202向路由模块201返回修改后的业务处理数据(作为第二处理数据)。314: The data management and control module 202 returns the modified business processing data (as the second processing data) to the routing module 201.
示例性地,数据管控模块202完成对不符合数据检查要求的业务处理数据修改后,可以将修改后的业务处理数据发送给路由模块201,由路由模块201返回给业务请求方。For example, after the data management and control module 202 completes the modification of the business processing data that does not meet the data inspection requirements, the modified business processing data can be sent to the routing module 201, and the routing module 201 returns it to the service requester.
315:路由模块201向业务请求方返回接收到的业务处理数据。315: The routing module 201 returns the received service processing data to the service requester.
示例性地,路由模块201可以向发起业务请求的请求方,例如上述图1所示的客户端100a或100b,返回经数据管控模块202检查后满足预设返回条件的业务处理数据、或者经数据管控模块202修改处理后的业务处理数据等,在此不做限制。For example, the routing module 201 can return to the requester that initiates the service request, such as the client 100a or 100b shown in FIG. 1, the business processing data that meets the preset return conditions after being checked by the data management and control module 202, or the data The management and control module 202 modifies the processed business processing data, etc., which are not limited here.
可以理解,基于上述图3所示流程实现的数据处理方法,能够实现一定程度的数据管控,包括安全性管控以及数据相关参数合法合规等方面的管控等,实现这一数据管控功能的数据管控模块202还可以根据不同的服务模块预设(或称定制)适应性的数据管控策略, 包括对业务请求数据的数据检查策略、以及对服务模块返回的业务处理数据的数据检查策略等。如此,如果需要对业务平台200集成或接入的第三方服务在安全性能、场景适应性能等方面进行功能增强改造,则可以通过调整上述数据管控模块202中的相应数据管控条件,进而基于数据管控模块202的中转过渡处理来实现上述功能增强。基于本申请方案,无需对第三方服务本身的代码执行逻辑进行升级改造,有利于降低在第三方服务以及业务平台200的一些本地服务等服务模块的功能升级方面所花费的人力、资源成本。It can be understood that the data processing method implemented based on the process shown in Figure 3 above can achieve a certain degree of data control, including security control and control of legal compliance of data-related parameters, etc., to realize the data control of this data control function. Module 202 can also preset (or customize) adaptive data management and control strategies according to different service modules. Including data inspection strategies for business request data and data inspection strategies for business processing data returned by the service module. In this way, if it is necessary to enhance the functions of the third-party services integrated or accessed by the business platform 200 in terms of security performance, scene adaptability, etc., the corresponding data management and control conditions in the above-mentioned data management and control module 202 can be adjusted, and then based on data management and control The transfer transition processing of module 202 is used to realize the above functional enhancement. Based on this application solution, there is no need to upgrade the code execution logic of the third-party service itself, which is conducive to reducing the cost of manpower and resources spent on functional upgrades of service modules such as third-party services and some local services of the business platform 200.
为了更清楚的理解本申请技术方案,基于上述图3所示交互流程以及图4所示的数据管控模块202的结构,下面结合具体业务场景,介绍本申请实施例所提供的数据处理方法在另一些业务场景中的具体实施过程。In order to understand the technical solution of the present application more clearly, based on the above-mentioned interaction process shown in Figure 3 and the structure of the data management and control module 202 shown in Figure 4, the following describes the data processing method provided by the embodiment of the present application in combination with specific business scenarios. Specific implementation processes in some business scenarios.
实施例1Example 1
本申请实施例以服务模块203为链路查询服务(jaeger-query)203-1为例,介绍本申请实施例所提供的数据处理方法的具体实现过程,进而实现对链路查询服务203-1进行功能增强的目的。其中,链路查询服务203-1主要提供对应用调用链路信息的查询能力。This embodiment of the application takes the service module 203 as the link query service (jaeger-query) 203-1 as an example to introduce the specific implementation process of the data processing method provided by the embodiment of the application, and then implements the link query service 203-1. For the purpose of functional enhancement. Among them, the link query service 203-1 mainly provides the query capability for application call link information.
可以理解,在分布式微服务的场景下,用户通过客户端发起的一个业务请求,在接入业务平台后可能会经过多个服务模块的响应处理。如果用户想要查询该业务请求在哪个环节(即哪个服务模块)耗时比较高等,则可以通过链路查询服务203-1进行查询,业务平台则可以根据链路查询服务203-1查询到的业务请求在各个服务模块的处理环节中的耗时情况,分析各服务模块是否存在异常运行。可以理解,链路查询服务203-1,主要用于提供对应用调用链路信息的查询能力,该服务可以实现对应用性能(或称服务性能)的分析以及调用链路合理化程度等分析。It can be understood that in the scenario of distributed microservices, a business request initiated by a user through the client may undergo response processing by multiple service modules after accessing the business platform. If the user wants to query in which link (that is, which service module) the business request takes more time, the user can query through the link query service 203-1, and the business platform can query according to the link query service 203-1. The time consuming of business requests in the processing of each service module is analyzed, and whether each service module operates abnormally. It can be understood that the link query service 203-1 is mainly used to provide the query capability for application call link information. This service can implement analysis of application performance (or service performance) and the degree of rationalization of the call link.
图4根据本申请实施例示出了一种对应于链路查询服务203-1的数据处理方法实施流程示意图。可以理解,图4所示流程涉及路由模块201、数据管控模块202与链路查询服务203-1之间的交互。Figure 4 shows a schematic implementation flow chart of a data processing method corresponding to the link query service 203-1 according to an embodiment of the present application. It can be understood that the process shown in Figure 4 involves the interaction between the routing module 201, the data management and control module 202 and the link query service 203-1.
具体地,如图4所示,该方法具体包括以下步骤:Specifically, as shown in Figure 4, the method specifically includes the following steps:
401:路由模块201获取链路分析请求数据。401: The routing module 201 obtains link analysis request data.
示例性地,发起链路分析请求以请求链路查询服务203-1提供相应链路信息查询服务的请求方,例如可以是对应于某个客户端程序对应开发商家的管理员账户,当需要检测业务平台200调用处理业务请求的各项服务模块是否正常运行时,该管理员账户可以登录客户端100a则可以向业务平台200发起上述链路分析请求。在另一些实施例中,一些客户端也可以基于其他方面的业务需求,向业务平台200发起上述链路分析请求,在此不做限制。For example, the requester who initiates the link analysis request to request the link query service 203-1 to provide the corresponding link information query service may be, for example, the administrator account of the developer corresponding to a certain client program. When detection is required, When the business platform 200 calls various service modules that process business requests and whether they are running normally, the administrator account can log in to the client 100a and initiate the above-mentioned link analysis request to the business platform 200. In other embodiments, some clients may also initiate the above link analysis request to the service platform 200 based on other business requirements, which is not limited here.
可以理解,调用链路查询服务请求链路分析的数据中,通常会包括一些用于确定查询条件的查询参数选项,这些选项对应的参数类型例如可以包括Traceld(用于标记监控对象)、服务调用的接口名称、客户端的应用名称、客户端IP(即服务调用发起方的IP)、被查询调用的服务名称、耗时阈值(例如调用耗时大于指定毫秒数)、调用类型、是否异常调用、业务主键(即搜索相应业务事件所基于的字段)、响应码等等,在此不做赘述。It can be understood that the data used to call the link query service to request link analysis usually includes some query parameter options used to determine query conditions. The parameter types corresponding to these options may include, for example, Traceld (used to mark monitoring objects), service call interface name, client application name, client IP (that is, the IP of the service call initiator), the service name being queried and called, time-consuming threshold (for example, the call takes more than the specified number of milliseconds), call type, whether the call is abnormal, The business primary key (that is, the field based on which the corresponding business event is searched), response code, etc. will not be described in detail here.
具体获取请求数据的过程可以参考上述步骤301,在此不做赘述。For the specific process of obtaining the request data, please refer to the above-mentioned step 301, which will not be described in detail here.
402:路由模块201向数据管控模块202转发链路分析请求数据。402: The routing module 201 forwards the link analysis request data to the data management and control module 202.
具体转发请求数据的过程可以参考上述步骤302,在此不做赘述。 For the specific process of forwarding the request data, please refer to the above-mentioned step 302, which will not be described in detail here.
403:数据管控模块202根据接收到的链路分析请求数据,确认请求方的访问权限。403: The data management and control module 202 analyzes the request data according to the received link and confirms the access permission of the requester.
示例性地,数据管控模块202例如可以根据接收到的链路分析请求数据,确认发起该链路分析请求的客户端登录的账户是否为经业务平台200授权的管理账户,若是,则可以确认该请求方为有权限请求方;若否,则可以确认该请求方为无权限请求方。For example, the data management and control module 202 can, for example, according to the received link analysis request data, confirm whether the account logged in by the client that initiated the link analysis request is a management account authorized by the business platform 200. If so, it can confirm that the account logged in is a management account authorized by the business platform 200. The requester is a requester with authority; if not, it can be confirmed that the requester is a requester without authority.
具体确认请求方访问权限的过程可以参考上述步骤303,在此不做赘述。For the specific process of confirming the access permission of the requesting party, please refer to the above-mentioned step 303, which will not be described in detail here.
404:对于无权限请求方,数据管控模块202向路由模块201返回拒绝访问的消息。404: For the requester without permission, the data management and control module 202 returns an access denial message to the routing module 201.
示例性地,数据管控模块202如果确认发起链路分析请求的请求方不是经业务平台200授权的管理账户,可以确认该请求方为无权限请求方,则可以拒绝该请求方的链路分析请求。For example, if the data management and control module 202 confirms that the requester initiating the link analysis request is not a management account authorized by the business platform 200 and confirms that the requester is an unauthorized requester, then the requester's link analysis request can be rejected. .
具体拒绝访问的过程可以参考上述步骤304,在此不做赘述。For the specific process of denying access, please refer to the above-mentioned step 304, which will not be described in detail here.
405:对于有权限请求方,数据管控模块202对接收到的链路分析请求数据进行数据检查。405: For the authorized requester, the data management and control module 202 performs data inspection on the received link analysis request data.
示例性地,数据管控模块202如果确认发起链路分析请求的请求方是经业务平台200授权的管理账户,可以确认该请求方为有权限请求方,则数据管控模块202可以进一步接收到的链路分析请求数据进行相应的数据检查。例如数据管控模块202可以通过预设的Cookie以及链路分析请求的内容进行数据检查,若链路分析请求数据满足数据检查要求,则可以继续执行下述步骤406,将链路分析请求数据发送给链路查询服务203-1进行处理。For example, if the data management and control module 202 confirms that the requester who initiated the link analysis request is a management account authorized by the business platform 200 and can confirm that the requester is an authorized requester, the data management and control module 202 can further receive the link. Road analysis request data to perform corresponding data checks. For example, the data management and control module 202 can perform data inspection through preset cookies and the content of the link analysis request. If the link analysis request data meets the data inspection requirements, the following step 406 can be continued to send the link analysis request data to The link query service 203-1 performs processing.
若链路分析请求数据不满足数据检查要求,例如该链路分析请求数据中缺少作为查询参数的服务调用的接口名称、或者该接口名称不准确,而链路查询服务203-1查询相应服务数据时需基于该接口名称,并且也无法支持对接口名称这一查询参数的模糊搜索,即缺少必要信息的相关参数。此时则需要执行下述步骤407对该请求数据中不满足检查要求的部分进行修改,例如基于链路分析请求数据中的其他相关参数匹配出相应服务的接口名称,或者对模糊的接口名称进行模糊搜索,得到准确的接口名称,替换该请求数据中的原接口名称等。If the link analysis request data does not meet the data inspection requirements, for example, the link analysis request data lacks the interface name of the service call as a query parameter, or the interface name is inaccurate, and the link query service 203-1 queries the corresponding service data. It needs to be based on the interface name, and it cannot support fuzzy search on the query parameter of the interface name, that is, related parameters that lack necessary information. At this time, you need to perform the following step 407 to modify the parts of the request data that do not meet the inspection requirements, such as matching the interface name of the corresponding service based on other relevant parameters in the link analysis request data, or modifying the ambiguous interface name. Fuzzy search, get the accurate interface name, replace the original interface name in the request data, etc.
执行下述步骤407之后,再执行下述步骤408向链路查询服务203-1发送链路分析请求。具体数据检查过程可以参考上述步骤305,在此不做赘述。After executing the following step 407, the following step 408 is executed to send a link analysis request to the link query service 203-1. For the specific data checking process, please refer to the above-mentioned step 305, which will not be described in detail here.
406:数据管控模块202向链路查询服务203-1发送满足数据检查要求的链路分析请求数据。406: The data management and control module 202 sends the link analysis request data that meets the data inspection requirements to the link query service 203-1.
407:数据管控模块202对不满足数据检查要求的链路分析请求数据进行修改。407: The data management and control module 202 modifies the link analysis request data that does not meet the data inspection requirements.
示例性地,对不满足数据检查要求的链路分析请求数据进行的修改,包括对该请求数据中缺少必要信息的参数进行信息补全等。具体可以参考上述步骤307,在此不做赘述。For example, the modification of the link analysis request data that does not meet the data inspection requirements includes information completion for parameters that lack necessary information in the request data. For details, please refer to the above-mentioned step 307, which will not be described again here.
408:数据管控模块202向链路查询服务203-1发送修改后的链路分析请求数据。408: The data management and control module 202 sends the modified link analysis request data to the link query service 203-1.
409:链路查询服务203-1响应于接收到的链路分析请求数据,查询服务链路中各环节服务模块的耗时数据。示例性地,该耗时数据包括各服务模块接收到相应业务请求进行相应业务处理的时长、以及各服务模块执行业务处理的过程所消耗的时长等,在此不做限制。409: In response to the received link analysis request data, the link query service 203-1 queries the time-consuming data of each service module in the service link. Illustratively, the time-consuming data includes the time it takes for each service module to receive the corresponding service request and perform the corresponding business processing, and the time it takes for each service module to perform the business processing process, etc., which are not limited here.
410:链路查询服务203-1向数据管控模块202返回查询到的耗时数据。410: The link query service 203-1 returns the queried time-consuming data to the data management and control module 202.
411:数据管控模块202检查返回的耗时数据是否满足预设返回条件。411: The data management and control module 202 checks whether the returned time-consuming data meets the preset return conditions.
示例性地,数据管控模块202接收链路查询服务203-1返回的原始数据(即耗时数据) 检查是否满足预设返回条件,例如检查有无敏感数据,若有敏感数据,则需要进行脱敏处理,例如删除无需返回的敏感数据等。又例如,数据管控模块202还可以检查返回的耗时数据中是否有请求方的相关授权信息,例如基于链路分析请求数据中预设的客户端IP,来确认链路分析服务203-1所返回的耗时数据中对应于该客户端IP信息是否具有相应的客户授权信息。如无授权信息,则表明该客户端IP暂时未取得相应客户的授权,即请求方未被授权,则删除链路查询服务203-1返回的耗时数据。Exemplarily, the data management and control module 202 receives the original data (ie, time-consuming data) returned by the link query service 203-1 Check whether the preset return conditions are met, such as checking whether there is sensitive data. If there is sensitive data, desensitization processing is required, such as deleting sensitive data that does not need to be returned. For another example, the data management and control module 202 can also check whether the returned time-consuming data contains relevant authorization information of the requester, for example, based on the preset client IP in the link analysis request data, to confirm that the link analysis service 203-1 Whether the returned time-consuming data corresponds to the client IP information has corresponding customer authorization information. If there is no authorization information, it means that the client IP has not yet obtained authorization from the corresponding client, that is, the requester is not authorized, and the time-consuming data returned by the link query service 203-1 is deleted.
具体检查判断过程可以参考上述步骤311,在此不做赘述。For the specific inspection and judgment process, please refer to the above-mentioned step 311, which will not be described in detail here.
412:数据管控模块202向路由模块201返回满足预设返回条件的耗时数据。412: The data management and control module 202 returns the time-consuming data that satisfies the preset return conditions to the routing module 201.
示例性地,检查后满足预设返回条件的耗时数据,则可以返回给请求方客户端,在相应的链路分析页面展示。其中,预设返回条件不仅可以包括上述步骤411中示例的无敏感数据、有请求方的授权信息等条件,也可以包含其他的预设返回条件。在此不做限制。For example, the time-consuming data that meets the preset return conditions after checking can be returned to the requesting client and displayed on the corresponding link analysis page. Among them, the preset return conditions may not only include the conditions such as no sensitive data and authorization information of the requesting party as exemplified in step 411 above, but may also include other preset return conditions. There are no restrictions here.
例如,链路查询服务203-1所响应的链路分析请求数据的相关参数例如还可以包括耗时阈值、被查询调用的服务名称等,则链路查询服务203-1响应于该链路分析请求所返回的耗时数据中,对应的调用耗时应大于指定毫秒数、并且该耗时数据应对应于被查询调用的服务名称等。然而,链路查询服务203-1获取的耗时数据可能包含最近一年内的调用该服务的耗时数据,该耗时数据例如可以是调用保单数据管理服务的耗时数据。而业务平台200,例如为保险业务提供相应服务的业务平台,可能基于安全性考虑,只允许调用最近3个月的服务调用耗时数据。此种情形下,数据管控模块202中设定的预设返回条件则会包含时间过滤条件,即数据管控模块202可以控制对3个月以前的耗时数据进行过滤,仅向路由模块返回最近3个月的耗时数据。For example, the relevant parameters of the link analysis request data responded by the link query service 203-1 may also include a time-consuming threshold, the name of the service called by the query, etc., then the link query service 203-1 responds to the link analysis Among the time-consuming data returned by the request, the corresponding call time should be greater than the specified number of milliseconds, and the time-consuming data should correspond to the service name being queried and called. However, the time-consuming data obtained by the link query service 203-1 may include the time-consuming data of calling the service within the last year. The time-consuming data may be, for example, the time-consuming data of calling the policy data management service. The business platform 200, for example, a business platform that provides corresponding services for the insurance business, may only allow the service call time-consuming data of the last three months to be called based on security considerations. In this case, the preset return conditions set in the data management and control module 202 will include time filtering conditions, that is, the data management and control module 202 can control the filtering of time-consuming data 3 months ago, and only return the latest 3 months to the routing module. Months of time-consuming data.
413:数据管控模块202修改不满足预设返回条件的耗时数据。413: The data management and control module 202 modifies the time-consuming data that does not meet the preset return conditions.
例如数据管控模块202检查到链路查询服务203-1返回的耗时数据中有敏感数据,则需要进行脱敏处理,例如删除相应敏感数据,或者对相应敏感数据进行加密处理等,即上述修改过程。又例如,参考上述步骤412中所示例的,数据管控模块202中设定的预设返回条件若包含“最近3个月”的时间过滤条件,则链路查询服务203-1所返回的耗时数据中,3个月以前的耗时数据则属于不满足预设返回条件的耗时数据,数据管控模块202可以将其从待返回的耗时数据中删除。For example, the data management and control module 202 detects that there is sensitive data in the time-consuming data returned by the link query service 203-1, and it needs to perform desensitization processing, such as deleting the corresponding sensitive data, or encrypting the corresponding sensitive data, that is, the above modification. process. For another example, referring to the example in step 412 above, if the default return condition set in the data management module 202 includes the time filter condition of "last 3 months", then the time-consuming time returned by the link query service 203-1 Among the data, the time-consuming data 3 months ago belongs to the time-consuming data that does not meet the preset return conditions, and the data management and control module 202 can delete it from the time-consuming data to be returned.
具体修改过程可以参考上述步骤313中相关描述,在此不做赘述。For the specific modification process, please refer to the relevant description in step 313 above, and will not be described again here.
414:数据管控模块202向路由模块201返回修改后的耗时数据。414: The data management and control module 202 returns the modified time-consuming data to the routing module 201.
415:路由模块201向请求方返回接收到的耗时数据。415: The routing module 201 returns the received time-consuming data to the requester.
可以理解,基于上述图4所示流程实现的对应于链路查询服务203-1的数据处理方法,能够对请求链路查询服务203-1的链路分析请求进行鉴权管控,还能够对链路查询服务203-1返回的耗时数据进行敏感数据检查以及脱敏处理、或者在检查是否符合一些服务模块相关数据的安全性要求等,从而提高链路查询服务203-1提供链路查询分析服务的安全性。而且,这种安全性能的增强,无需对链路查询服务203-1进行升级改造即可实现。It can be understood that the data processing method corresponding to the link query service 203-1 implemented based on the above-mentioned process shown in Figure 4 can perform authentication and control on the link analysis request requesting the link query service 203-1, and can also perform authentication and control on the link query service 203-1. The time-consuming data returned by the link query service 203-1 is subjected to sensitive data inspection and desensitization processing, or whether it meets the security requirements of some service module-related data, etc., thereby improving the link query analysis provided by the link query service 203-1. Security of the Service. Moreover, this enhancement of security performance can be achieved without upgrading the link query service 203-1.
实施例2Example 2
本申请实施例以服务模块203为一种可视化服务,即Kibana 203-2为例,介绍通过实施本申请实施例所提供的数据处理方法,如何实现对数据可视化服务进行功能增强的过程。其中,Kibana 203-2为一种可视化平台,通过Kibana搜索、查看存储在检索 (Elasticsearch)索引中的数据并与之交互,可以实现数据分析和可视化,例如将搜索到的数据以图表的形式展示出来。This embodiment of the present application takes the service module 203 as a visualization service, namely Kibana 203-2, as an example to introduce how to implement the function enhancement of the data visualization service by implementing the data processing method provided by the embodiment of the present application. Among them, Kibana 203-2 is a visualization platform that searches, views, stores and retrieves data through Kibana. (Elasticsearch) indexes data and interacts with it to achieve data analysis and visualization, such as displaying the searched data in the form of charts.
可以理解,在一些分布式业务系统的运营维护管理场景中,一些分布式业务系统的用户可能希望在客户端的界面上通过图表等形式来展示一些业务统计数据,以便于分析管理。此时,用户则可以通过相应的客户端向业务平台200发起对Kibana 203-2的可视化服务请求,以请求通过Kibana 203-2搜索进行可视化展示的目标数据、以及可视化展示数据的页面。It is understandable that in the operation, maintenance and management scenarios of some distributed business systems, some users of the distributed business system may want to display some business statistics in the form of charts and other forms on the client interface to facilitate analysis and management. At this time, the user can initiate a visualization service request for Kibana 203-2 to the business platform 200 through the corresponding client to request the target data for visual display through Kibana 203-2 search and the page for visual display of the data.
图5根据本申请实施例示出了一种对应于Kibana 203-2的数据处理方法实施流程示意图。可以理解,图5所示流程涉及路由模块201、数据管控模块202与Kibana 203-2之间的交互。Figure 5 shows a schematic implementation flow diagram of a data processing method corresponding to Kibana 203-2 according to an embodiment of the present application. It can be understood that the process shown in Figure 5 involves the interaction between the routing module 201, the data management and control module 202 and Kibana 203-2.
具体地,如图5所示,该方法具体包括以下步骤:Specifically, as shown in Figure 5, the method specifically includes the following steps:
501:路由模块201获取可视化服务请求数据。501: The routing module 201 obtains the visualization service request data.
示例性地,发起可视化服务请求以请求Kibana 203-2提供相应数据搜索以及可视化服务的请求方,例如可以是某个客户端程序对应开发商家的管理员账户,当需要对该客户端程序所服务的用户相关业务数据进行分析时,可以通过该业务系统的运维客户端向业务平台200发起对Kibana 203-2可视化服务请求,以请求通过Kibana 203-2搜索向该客户端程序提供相应服务处理相应业务请求的服务模块的运行日志或相关链路信息,以获取相应业务数据,并对搜索到的相应业务数据提供可视化展示的页面。For example, the requester who initiates a visualization service request to request Kibana 203-2 to provide corresponding data search and visualization services can be, for example, the administrator account of a developer corresponding to a certain client program. When the client program needs to be served, When analyzing user-related business data, you can initiate a Kibana 203-2 visualization service request to the business platform 200 through the operation and maintenance client of the business system to request that the client program be provided with corresponding service processing through Kibana 203-2 search. The operation log or related link information of the service module of the corresponding business request is used to obtain the corresponding business data, and a page for visual display of the searched corresponding business data is provided.
在另一些实施例中,一些客户端也可以基于其他方面的业务需求,向业务平台200发起上述可视化服务请求,在此不做限制。In other embodiments, some clients may also initiate the above visualization service request to the business platform 200 based on other business requirements, which is not limited here.
具体获取请求数据的过程可以参考上述步骤301,在此不做赘述。For the specific process of obtaining the request data, please refer to the above-mentioned step 301, which will not be described in detail here.
502:路由模块201向数据管控模块202发送可视化服务请求数据。502: The routing module 201 sends the visualization service request data to the data management and control module 202.
具体转发请求数据的过程可以参考上述步骤302,在此不做赘述。For the specific process of forwarding the request data, please refer to the above-mentioned step 302, which will not be described in detail here.
503:数据管控模块202根据接收到的可视化服务请求数据,确认请求方的访问权限。503: The data management and control module 202 confirms the access permission of the requester based on the received visualization service request data.
示例性地,数据管控模块202例如可以根据接收到的可视化服务请求数据,确认发起该可视化服务请求的客户端是否具有获取相应服务模块运行日志等数据的权限。例如,该可视化服务请求,是对于保险业务平台上的新增投保人数量、意向投保人数量、以及在维护的投保人数量等进行可视化展示的服务请求,则发起该服务请求的客户端或者在该客户端上登录的账户(即请求方)应具有查看、获取保险业务平台上投保人相关数据的管理权限。若请求方具备获取待可视化的投保人相关数据等的权限,则可以确认该请求方为有权限请求方;若无获取权限,则可以确认该请求方为无权限请求方。For example, the data management and control module 202 can confirm, based on the received visual service request data, whether the client that initiated the visual service request has the authority to obtain data such as the corresponding service module operation log. For example, the visual service request is a service request to visually display the number of new policyholders, the number of intended policyholders, and the number of policyholders being maintained on the insurance business platform, then the client that initiated the service request or the The account logged in on the client (i.e. the requesting party) should have the management authority to view and obtain policyholder-related data on the insurance business platform. If the requesting party has the authority to obtain the policyholder-related data to be visualized, the requesting party can be confirmed to be a requesting party with authority; if the requesting party does not have permission to obtain, the requesting party can be confirmed to be a requesting party without authority.
具体确认请求方访问权限的过程,也可以参考上述步骤303,在此不做赘述。For the specific process of confirming the access permission of the requesting party, you can also refer to the above-mentioned step 303, which will not be described in detail here.
504:对于无权限请求方,数据管控模块202向路由模块201返回拒绝访问的消息。504: For the requester without permission, the data management and control module 202 returns an access denial message to the routing module 201.
示例性地,数据管控模块202如果确认发起可视化服务请求的请求方,不具有获取相应服务模块运行日志等数据的权限,可以确认该请求方为无权限请求方,则可以拒绝该请求方的可视化服务请求。For example, if the data management and control module 202 confirms that the requester who initiates the visualization service request does not have the authority to obtain data such as the corresponding service module operation log and confirms that the requester is an unauthorized requester, it can deny the visualization of the requester. Request for service.
具体拒绝访问的过程,也可以参考上述步骤304,在此不做赘述。For the specific process of denying access, you can also refer to the above-mentioned step 304, which will not be described again here.
505:对于有权限请求方,数据管控模块202对接收到的可视化服务请求数据进行数据检查。 505: For the authorized requester, the data management and control module 202 performs data inspection on the received visualization service request data.
示例性地,数据管控模块202如果确认发起可视化服务请求的请求方,具有获取相应服务模块运行日志等数据的权限,可以确认该请求方为有权限请求方,则数据管控模块202可以进一步接收到的可视化服务请求数据进行相应的数据检查。例如,数据管控模块202可以通过预设的Cookie以及可视化服务请求的内容进行数据检查,例如检查相关请求参数是否缺少必要信息等。若可视化服务请求数据满足数据检查要求,例如该可视化服务请求数据中所请求的相关数据对应设定的各项描述性参数完整且准确,不缺少必要信息。则可以继续执行下述步骤506,将可视化服务请求数据发送给Kibana 203-2进行处理。For example, if the data management and control module 202 confirms that the requester who initiated the visualization service request has the authority to obtain the corresponding service module operation log and other data, and can confirm that the requester is an authorized requester, the data management and control module 202 can further receive The visualization service requests the data for corresponding data inspection. For example, the data management and control module 202 can perform data checking through preset cookies and the content of the visual service request, such as checking whether relevant request parameters lack necessary information, etc. If the visualization service request data meets the data inspection requirements, for example, the descriptive parameters set corresponding to the requested relevant data in the visualization service request data are complete and accurate, and there is no lack of necessary information. Then you can continue to perform the following step 506 to send the visualization service request data to Kibana 203-2 for processing.
若可视化服务请求数据不满足数据检查要求,例如该可视化服务请求数据中所请求的相关数据对应设定的各项描述性参数有缺失或者不准确,例如缺少待获取的保单数据时间序列参数,即保单数据的采集时间须对应设置的起始时间和结束时间缺失或者设置有误,其中设置有误例如可以是起始时间或者结束时间设置为未来的某个时间,此种情形即缺少必要信息。则需要执行下述步骤507对该请求数据中不满足检查要求的部分进行修改。例如数据管控模块202可以根据Kibana 203-2提供可视化服务通常设置的6个月时间跨度,将缺失的起始时间设定为6个月之前的某个日期,并将结束时间相应设置为与起始时间跨度为6个月的某个日期,即设定获取近6个月的保单数据来提取投保人数量以用于可视化展示,以完成缺失信息的补全。If the visual service request data does not meet the data inspection requirements, for example, the descriptive parameters corresponding to the requested relevant data in the visual service request data are missing or inaccurate, for example, the policy data time series parameters to be obtained are missing, that is, The collection time of policy data must correspond to the set start time and end time being missing or incorrectly set. For example, the start time or end time may be set to a time in the future. In this case, necessary information is missing. Then you need to perform the following step 507 to modify the portion of the request data that does not meet the inspection requirements. For example, the data management and control module 202 can set the missing start time to a date 6 months ago based on the 6-month time span usually set by Kibana 203-2 to provide visualization services, and set the end time to the same date as the start time. The starting time span is a certain date of 6 months, that is, it is set to obtain the policy data of the past 6 months to extract the number of policyholders for visual display to complete the missing information.
之后,数据管控模块202可以继续执行下述步骤508向Kibana 203-2发送可视化服务请求。具体数据检查过程,也可以参考上述步骤305,在此不做赘述。Afterwards, the data management and control module 202 can continue to perform the following step 508 to send a visualization service request to Kibana 203-2. For the specific data checking process, you can also refer to the above-mentioned step 305, which will not be described again here.
506:数据管控模块202向Kibana 203-2发送满足数据检查要求的可视化服务请求数据。506: The data management and control module 202 sends the visualization service request data that meets the data inspection requirements to Kibana 203-2.
507:数据管控模块202对不满足数据检查要求的可视化服务请求数据进行修改。507: The data management and control module 202 modifies the visualization service request data that does not meet the data inspection requirements.
示例性地,对不满足数据检查要求的可视化服务请求数据进行的修改,包括对该请求数据中缺少必要信息的参数进行信息补全等。For example, the modification of the visualization service request data that does not meet the data inspection requirements includes information completion for parameters that lack necessary information in the request data.
对于前述例子,例如数据管控模块202可以根据Kibana 203-2提供可视化服务通常设置的6个月时间跨度,对请求展示投保人数量分析结果的可视化服务请求数据进行补全。比如,数据管控模块202对将缺失的起始时间设定为6个月之前的某个日期,并将结束时间相应设置为与起始时间跨度为6个月的某个日期,即设定获取近6个月的保单数据来提取投保人数量以用于可视化展示,以完成缺失信息的补全。For the aforementioned example, for example, the data management and control module 202 can complete the visualization service request data requesting to display the analysis results of the number of policyholders based on the 6-month time span usually set by Kibana 203-2 to provide visualization services. For example, the data management and control module 202 sets the missing start time to a date 6 months ago, and sets the end time to a date that spans 6 months from the starting time, that is, setting the acquisition The policy data of the past 6 months are used to extract the number of policyholders for visual display to complete the missing information.
具体对不满足数据检查要求的可视化服务请求数据进行修改的过程,也可以参考上述步骤307,在此不做赘述。For the specific process of modifying the visualization service request data that does not meet the data inspection requirements, you can also refer to the above step 307, which will not be described again here.
508:数据管控模块202向Kibana 203-2发送修改后的可视化服务请求数据。508: The data management and control module 202 sends the modified visualization service request data to Kibana 203-2.
509:Kibana 203-2响应于接收到的可视化服务请求数据,搜索相应服务模块的运行日志或链路信息,以处理得到相应业务系统的可视化数据。509: In response to the received visual service request data, Kibana 203-2 searches the running log or link information of the corresponding service module to process the visual data of the corresponding business system.
示例性地,可视化服务请求数据相应请求的业务数据例如可以是保单数据,Kibana 203-2则可以在保险业务平台中获取相应的保单数据管理服务等的运行日志、和/或保单数据管理服务的调用链路信息等,进而基于从运行日志或调用链路信息中提取得到的投保人相关信息,处理得到用于形成可视化页面的可视化数据。其中,该可视化数据包括基于相应服务模块的运行日志获取的相应业务数据、以及对相应业务数据经Kibana 203-2提供的数据可视化处理能力处理得到的可视化页面相关参数,例如所采用的柱状图、饼图等图 表路径参数等,在此不做限制。For example, the requested business data corresponding to the visualization service request data may be policy data, for example. Kibana 203-2 may obtain the operation log of the corresponding policy data management service and/or the policy data management service in the insurance business platform. Call link information, etc., and then process the visual data used to form a visual page based on the policyholder-related information extracted from the operation log or call link information. Among them, the visual data includes the corresponding business data obtained based on the operation log of the corresponding service module, and the relevant parameters of the visual page obtained by processing the corresponding business data through the data visualization processing capability provided by Kibana 203-2, such as the used histogram, Pie charts and other graphs Table path parameters, etc. are not limited here.
510:Kibana 203-2向数据管控模块202返回处理得到的可视化数据。510: Kibana 203-2 returns the processed visual data to the data management and control module 202.
511:数据管控模块202检查返回的可视化数据是否满足预设返回条件。511: The data management and control module 202 checks whether the returned visual data meets the preset return conditions.
示例性地,数据管控模块202对Kibana 203-2返回的原始数据(即可视化数据)检查是否满足预设返回条件,例如检查对应于投保人数量分析结果的可视化数据中有无保额数据或者投保人的身份证号等敏感数据。若有敏感数据,则需要进行脱敏处理,例如删除无需返回的敏感数据等。又例如,数据管控模块202还可以检查返回的可视化数据中是否有请求方的相关授权信息,如无授权信息,例如请求方未被授权,则删除Kibana 203-2返回的可视化数据。For example, the data management and control module 202 checks whether the original data (i.e., visual data) returned by Kibana 203-2 meets the preset return conditions, for example, checking whether there is insurance amount data or insurance in the visual data corresponding to the analysis result of the number of policyholders. Sensitive data such as a person’s ID number. If there is sensitive data, desensitization processing is required, such as deleting sensitive data that does not need to be returned, etc. For another example, the data management and control module 202 can also check whether the returned visual data contains relevant authorization information of the requester. If there is no authorization information, for example, the requester is not authorized, the visual data returned by Kibana 203-2 will be deleted.
具体检查判断过程,也可以参考上述步骤311,在此不做赘述。For the specific inspection and judgment process, you can also refer to the above-mentioned step 311, which will not be described again here.
512:数据管控模块202向路由模块201返回满足预设返回条件的可视化数据。512: The data management and control module 202 returns the visual data that meets the preset return conditions to the routing module 201.
示例性地,检查后满足预设返回条件的可视化数据,则可以返回给请求方客户端,在相应的客户端业务界面上进行可视化展示。For example, visual data that meets the preset return conditions after inspection can be returned to the requesting client for visual display on the corresponding client business interface.
513:数据管控模块202修改不满足预设返回条件的可视化数据。513: The data management and control module 202 modifies the visual data that does not meet the preset return conditions.
示例性地,数据管控模块202检查到Kibana 203-2返回的可视化数据中有敏感数据,例如,对应于投保人数量分析结果的可视化数据中,有部分投保人的保额数据,或者有部分投保人的身份证号等信息。则需要进行脱敏处理,例如删除对应于投保人数量分析结果的可视化数据中的保额数据以及投保人的身份证号等敏感数据,或者对相应敏感数据进行加密处理等,即上述修改过程。For example, the data management and control module 202 detects that there is sensitive data in the visual data returned by Kibana 203-2. For example, the visual data corresponding to the analysis result of the number of policyholders includes the insurance amount data of some policyholders, or some of the insured persons. A person’s ID number and other information. Desensitization processing is required, such as deleting sensitive data such as the insurance amount data and the ID number of the policy holder in the visual data corresponding to the analysis results of the number of policyholders, or encrypting the corresponding sensitive data, which is the above modification process.
具体修改过程也可以参考上述步骤313中相关描述,在此不做赘述。For the specific modification process, you can also refer to the relevant description in step 313 above, and will not be described again here.
514:数据管控模块202向路由模块201返回修改后的可视化数据。514: The data management and control module 202 returns the modified visual data to the routing module 201.
515:路由模块201向请求方返回接收到的可视化数据。515: The routing module 201 returns the received visualization data to the requester.
可以理解,基于上述图5所示流程实现的对应于Kibana 203-2的数据处理方法,能够对请求Kibana 203-2的可视化服务请求数据进行鉴权管控,还能够对Kibana 203-2返回的可视化数据进行敏感数据检查以及脱敏处理等,从而提高Kibana 203-2提供数据搜索及可视化服务的安全性。而且,这种安全性能的增强,无需对Kibana 203-2进行升级改造便可以实现。It can be understood that the data processing method corresponding to Kibana 203-2 implemented based on the process shown in Figure 5 above can authenticate and control the visualization service request data requesting Kibana 203-2, and can also perform visualization returned by Kibana 203-2 The data undergoes sensitive data inspection and desensitization processing, thereby improving the security of data search and visualization services provided by Kibana 203-2. Moreover, this security performance enhancement can be achieved without upgrading Kibana 203-2.
图6根据本申请实施例示出了一种电子设备600结构示意图。在本申请实施例中,该电子设备600可以运行上述业务平台200。在另一些实施例中,该电子设备600也可以运行一些业务系统的客户端,例如运行保险业务客户端等,在此不做限制。Figure 6 shows a schematic structural diagram of an electronic device 600 according to an embodiment of the present application. In this embodiment of the present application, the electronic device 600 can run the above-mentioned business platform 200. In other embodiments, the electronic device 600 can also run clients of some business systems, such as running insurance business clients, etc., which is not limited here.
如图6所示,在一些实施例中,服务器200可以包括一个或多个处理器604,与处理器604中的至少一个连接的系统控制逻辑608,与系统控制逻辑608连接的系统内存612,与系统控制逻辑608连接的非易失性存储器(NVM)616,以及与系统控制逻辑608连接的网络接口620。As shown in Figure 6, in some embodiments, server 200 may include one or more processors 604, system control logic 608 connected to at least one of the processors 604, system memory 612 connected to the system control logic 608, A non-volatile memory (NVM) 616 coupled to the system control logic 608, and a network interface 620 coupled to the system control logic 608.
在一些实施例中,处理器604可以包括一个或多个单核或多核处理器。在一些实施例中,处理器604可以包括通用处理器和专用处理器(例如,图形处理器,应用处理器,基带处理器等)的任意组合。在服务器200采用eNB(Evolved Node B,增强型基站)或RAN(Radio Access Network,无线接入网)控制器的实施例中,处理器604可以被配置为执行各种符合的实施例,例如,如图2至图5所示的多个实施例中的一个或多个。 In some embodiments, processor 604 may include one or more single-core or multi-core processors. In some embodiments, processor 604 may include any combination of general-purpose processors and special-purpose processors (eg, graphics processors, applications processors, baseband processors, etc.). In an embodiment where the server 200 adopts an eNB (Evolved Node B, enhanced base station) or a RAN (Radio Access Network, radio access network) controller, the processor 604 may be configured to execute various conforming embodiments, for example, One or more of the various embodiments shown in Figures 2-5.
在一些实施例中,系统控制逻辑608可以包括任意合适的接口控制器,以向处理器604中的至少一个和/或与系统控制逻辑608通信的任意合适的设备或组件提供任意合适的接口。In some embodiments, system control logic 608 may include any suitable interface controller to provide any suitable interface to at least one of processors 604 and/or any suitable device or component in communication with system control logic 608 .
在一些实施例中,系统控制逻辑608可以包括一个或多个存储器控制器,以提供连接到系统内存612的接口。系统内存612可以用于加载以及存储数据和/或指令。在一些实施例中服务器200的内存612可以包括任意合适的易失性存储器,例如合适的动态随机存取存储器(DRAM)。In some embodiments, system control logic 608 may include one or more memory controllers to provide an interface to system memory 612 . System memory 612 may be used to load and store data and/or instructions. Memory 612 of server 200 may include any suitable volatile memory in some embodiments, such as suitable dynamic random access memory (DRAM).
NVM/存储器616可以包括用于存储数据和/或指令的一个或多个有形的、非暂时性的计算机可读介质。在一些实施例中,NVM/存储器616可以包括闪存等任意合适的非易失性存储器和/或任意合适的非易失性存储设备,例如HDD(Hard Disk Drive,硬盘驱动器),CD(Compact Disc,光盘)驱动器,DVD(Digital Versatile Disc,数字通用光盘)驱动器中的至少一个。NVM/memory 616 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions. In some embodiments, NVM/memory 616 may include any suitable non-volatile memory such as flash memory and/or any suitable non-volatile storage device, such as HDD (Hard Disk Drive), CD (Compact Disc) , CD) drive, DVD (Digital Versatile Disc, Digital Versatile Disc) drive at least one.
NVM/存储器616可以包括安装服务器200的装置上的一部分存储资源,或者它可以由设备访问,但不一定是设备的一部分。例如,可以经由网络接口620通过网络访问NVM/存储616。NVM/storage 616 may comprise a portion of storage resources on the device on which server 200 is installed, or it may be accessed by the device but is not necessarily part of the device. For example, NVM/storage 616 may be accessed over the network via network interface 620.
特别地,系统内存612和NVM/存储器616可以分别包括:指令624的暂时副本和永久副本。指令624可以包括:由处理器604中的至少一个执行时导致服务器200实施如图3-4所示的方法的指令。在一些实施例中,指令624、硬件、固件和/或其软件组件可另外地/替代地置于系统控制逻辑608,网络接口620和/或处理器604中。In particular, system memory 612 and NVM/storage 616 may include temporary and permanent copies of instructions 624, respectively. Instructions 624 may include instructions that, when executed by at least one of processors 604, cause server 200 to implement the methods illustrated in Figures 3-4. In some embodiments, instructions 624, hardware, firmware, and/or software components thereof may additionally/alternatively be located in system control logic 608, network interface 620, and/or processor 604.
网络接口620可以包括收发器,用于为服务器200提供无线电接口,进而通过一个或多个网络与任意其他合适的设备(如前端模块,天线等)进行通信。在一些实施例中,网络接口620可以集成于服务器200的其他组件。例如,网络接口620可以集成于处理器604的,系统内存612,NVM/存储器616,和具有指令的固件设备(未示出)中的至少一种,当处理器604中的至少一个执行所述指令时,服务器200实现上述图2至图5所示的方法。Network interface 620 may include a transceiver for providing a radio interface for server 200 to communicate with any other suitable devices (such as front-end modules, antennas, etc.) over one or more networks. In some embodiments, network interface 620 may be integrated with other components of server 200. For example, network interface 620 may be integrated with at least one of processor 604, system memory 612, NVM/storage 616, and a firmware device (not shown) with instructions that when at least one of processor 604 executes said When instructed, the server 200 implements the above-mentioned methods shown in FIGS. 2 to 5 .
网络接口620可以进一步包括任意合适的硬件和/或固件,以提供多输入多输出无线电接口。例如,网络接口620可以是网络适配器,无线网络适配器,电话调制解调器和/或无线调制解调器。Network interface 620 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface. For example, network interface 620 may be a network adapter, a wireless network adapter, a telephone modem, and/or a wireless modem.
在一个实施例中,处理器604中的至少一个可以与用于系统控制逻辑608的一个或多个控制器的逻辑封装在一起,以形成系统封装(SiP)。在一个实施例中,处理器604中的至少一个可以与用于系统控制逻辑608的一个或多个控制器的逻辑集成在同一管芯上,以形成片上系统(SoC)。In one embodiment, at least one of the processors 604 may be packaged with logic for one or more controllers of the system control logic 608 to form a system in package (SiP). In one embodiment, at least one of the processors 604 may be integrated on the same die with logic for one or more controllers of the system control logic 608 to form a system on a chip (SoC).
服务器200可以进一步包括:输入/输出(I/O)设备632。I/O设备632可以包括用户界面,使得用户能够与服务器200进行交互;外围组件接口的设计使得外围组件也能够与服务器200交互。在一些实施例中,服务器200还包括传感器,用于确定与服务器200相关的环境条件和位置信息的至少一种。Server 200 may further include input/output (I/O) devices 632. The I/O device 632 may include a user interface that enables a user to interact with the server 200; the peripheral component interface is designed to enable peripheral components to also interact with the server 200. In some embodiments, the server 200 further includes a sensor for determining at least one of environmental conditions and location information related to the server 200 .
在一些实施例中,用户界面可包括但不限于显示器(例如,液晶显示器,触摸屏显示器等),扬声器,麦克风,一个或多个相机(例如,静止图像照相机和/或摄像机),手电筒(例如,发光二极管闪光灯)和键盘。In some embodiments, the user interface may include, but is not limited to, a display (e.g., a liquid crystal display, a touch screen display, etc.), a speaker, a microphone, one or more cameras (e.g., a still image camera and/or video camera), a flashlight (e.g., LED flash) and keyboard.
在一些实施例中,外围组件接口可以包括但不限于非易失性存储器端口、音频插孔和 电源接口。In some embodiments, peripheral component interfaces may include, but are not limited to, non-volatile memory ports, audio jacks, and Power interface.
在一些实施例中,传感器可包括但不限于陀螺仪传感器,加速度计,近程传感器,环境光线传感器和定位单元。定位单元还可以是网络接口620的一部分或与网络接口620交互,以与定位网络的组件(例如,全球定位系统(GPS)卫星)进行通信。In some embodiments, sensors may include, but are not limited to, gyroscope sensors, accelerometers, proximity sensors, ambient light sensors, and positioning units. The positioning unit may also be part of or interact with network interface 620 to communicate with components of the positioning network (eg, Global Positioning System (GPS) satellites).
在说明书对“一个实施例”或“实施例”的引用意指结合实施例所描述的具体特征、结构或特性被包括在根据本申请实施例公开的至少一个范例实施方案或技术中。说明书中的各个地方的短语“在一个实施例中”的出现不一定全部指代同一个实施例。Reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one example implementation or technology disclosed in accordance with the embodiments of the present application. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment.
本申请实施例的公开还涉及用于执行文本中的操作装置。该装置可以专门处于所要求的目的而构造或者其可以包括被存储在计算机中的计算机程序选择性地激活或者重新配置的通用计算机。这样的计算机程序可以被存储在计算机可读介质中,诸如,但不限于任何类型的盘,包括软盘、光盘、CD-ROM、磁光盘、只读存储器(ROM)、随机存取存储器(RAM)、EPROM、EEPROM、磁或光卡、专用集成电路(ASIC)或者适于存储电子指令的任何类型的介质,并且每个可以被耦合到计算机系统总线。此外,说明书中所提到的计算机可以包括单个处理器或者可以是采用针对增加的计算能力的多个处理器涉及的架构。The disclosure of the embodiments of the present application also relates to devices for performing the operations in the text. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such computer programs may be stored on a computer-readable medium such as, but not limited to, any type of disk including floppy disk, optical disk, CD-ROM, magneto-optical disk, read-only memory (ROM), random access memory (RAM) , EPROM, EEPROM, magnetic or optical card, application specific integrated circuit (ASIC), or any type of medium suitable for storing electronic instructions, and each may be coupled to a computer system bus. Furthermore, the computers referred to in the specification may include a single processor or may employ an architecture involving multiple processors for increased computing power.
另外,在本说明书所使用的语言已经主要被选择用于可读性和指导性的目的并且可能未被选择为描绘或限制所公开的主题。因此,本申请实施例公开旨在说明而非限制本文所讨论的概念的范围。 Additionally, the language used in this specification has been selected primarily for readability and instructional purposes and may not have been selected to delineate or limit the disclosed subject matter. Accordingly, the present disclosure of examples is intended to illustrate, but not to limit, the scope of the concepts discussed herein.

Claims (17)

  1. 一种数据处理方法,其特征在于,所述方法应用于包括路由模块、数据管控模块的业务平台,以及服务模块,其中所述服务模块包括第三方服务,所述方法包括:A data processing method, characterized in that the method is applied to a business platform including a routing module, a data management and control module, and a service module, wherein the service module includes third-party services, and the method includes:
    路由模块获取用于目标业务的第一请求数据;The routing module obtains the first request data for the target service;
    路由模块向所述数据管控模块发送所述第一请求数据,其中所述第一请求数据至少包括所述目标服务模块的识别信息、以及用于所述目标业务的目标数据获取参数;The routing module sends the first request data to the data management and control module, where the first request data at least includes identification information of the target service module and target data acquisition parameters for the target service;
    数据管控模块判断所述第一请求数据是否满足第一条件,其中所述第一条件用于对请求目标服务模块处理的所述第一请求数据进行有效性及安全性检查;The data management and control module determines whether the first request data satisfies a first condition, wherein the first condition is used to check the validity and security of the first request data processed by the request target service module;
    确认所述第一请求数据满足所述第一条件,所述数据管控模块向所述目标服务模块发送所述第一请求数据;Confirming that the first request data satisfies the first condition, the data management and control module sends the first request data to the target service module;
    确认所述第一请求数据不满足所述第一条件,所述数据管控模块修改所述第一请求数据,以得到满足所述第一条件的第二请求数据,并且,所述数据管控模块向所述目标服务模块发送所述第二请求数据。After confirming that the first request data does not satisfy the first condition, the data management and control module modifies the first request data to obtain the second request data that satisfies the first condition, and the data management and control module reports to The target service module sends the second request data.
  2. 根据权利要求1所述的方法,其特征在于,所述第一条件是基于所述目标服务模块的API入口参数的规范性要求、以及所述目标服务模块的服务数据安全性要求中的至少一项动态确定的。The method according to claim 1, characterized in that the first condition is based on at least one of normative requirements of API entry parameters of the target service module and service data security requirements of the target service module. Items are determined dynamically.
  3. 根据权利要求2所述的方法,其特征在于,所述第一条件包括对目标服务模块的至少一项API入口参数预设的参数阈值判断条件,并且,The method according to claim 2, wherein the first condition includes a parameter threshold judgment condition preset for at least one API entry parameter of the target service module, and,
    所述数据管控模块判断所述第一请求数据是否满足第一条件,包括:The data management and control module determines whether the first request data meets the first condition, including:
    数据管控模块判断所述第一请求数据中的第一参数的值是否在预设的第一参数阈值范围内;The data management and control module determines whether the value of the first parameter in the first request data is within a preset first parameter threshold range;
    若所述第一参数的值在所述第一参数阈值范围内,则所述数据管控模块确认所述第一请求数据满足所述第一条件;If the value of the first parameter is within the first parameter threshold range, the data management and control module confirms that the first request data satisfies the first condition;
    若所述第一参数的值不在所述第一参数阈值范围内,则所述数据管控模块确认所述第一请求数据不满足所述第一条件。If the value of the first parameter is not within the first parameter threshold range, the data management and control module confirms that the first request data does not meet the first condition.
  4. 根据权利要求3所述的方法,其特征在于,确认所述第一请求数据不满足所述第一条件,所述数据管控模块修改所述第一请求数据,以得到满足所述第一条件的第二请求数据,包括:The method according to claim 3, characterized in that, after confirming that the first request data does not satisfy the first condition, the data management and control module modifies the first request data to obtain the first request data that satisfies the first condition. The second request data includes:
    将不在所述第一参数阈值范围内的所述第一参数的值,调整至所述第一参数阈值范围内。Adjust the value of the first parameter that is not within the first parameter threshold range to within the first parameter threshold range.
  5. 根据权利要求1所述的方法,其特征在于,所述目标服务模块用于处理所述数据管控模块发来的请求数据,所述请求数据包括所述第一请求数据和所述第二请求数据,并且,所述方法包括:The method according to claim 1, characterized in that the target service module is used to process the request data sent by the data management and control module, and the request data includes the first request data and the second request data. , and the method includes:
    目标服务模块根据接收到的所述请求数据,处理得到第一处理数据;The target service module processes the received request data to obtain the first processing data;
    目标服务模块向所述数据管控模块返回所述第一处理数据;The target service module returns the first processing data to the data management and control module;
    数据管控模块判断所述第一处理数据是否满足第二条件,其中所述第二条件用于对待返回业务请求端的所述第一处理数据进行安全性检查,所述业务请求端为发起所述目标业务的客户端; The data management and control module determines whether the first processed data satisfies a second condition, wherein the second condition is used to perform a security check on the first processed data to be returned to the service requesting end, which is the initiator of the target. Business client;
    确认所述第一处理数据满足所述第二条件,所述数据管控模块向所述路由模块发送所述第一处理数据;Confirming that the first processed data meets the second condition, the data management and control module sends the first processed data to the routing module;
    确认所述第一处理数据不满足所述第二条件,所述数据管控模块修改所述第一处理数据,以得到满足所述第二条件的第二处理数据,并且,所述数据管控模块向所述路由模块发送所述第二处理数据。After confirming that the first processed data does not meet the second condition, the data management and control module modifies the first processed data to obtain second processed data that meets the second condition, and the data management and control module reports The routing module sends the second processing data.
  6. 根据权利要求5所述的方法,其特征在于,所述第二条件是基于所述业务请求端的安全性校验参数、权限校验参数、以及数据保护性校验参数中的至少一项动态确定的。The method of claim 5, wherein the second condition is dynamically determined based on at least one of a security verification parameter, an authority verification parameter, and a data protection verification parameter of the service requesting end. of.
  7. 根据权利要求6所述的方法,其特征在于,所述第二条件包括敏感数据识别参数作为所述安全性校验参数;并且,所述数据管控模块判断所述第一处理数据是否满足第二条件,包括:The method of claim 6, wherein the second condition includes a sensitive data identification parameter as the security verification parameter; and the data management and control module determines whether the first processed data satisfies the second condition. conditions, including:
    数据管控模块基于所述敏感数据识别参数,判断所述第一处理数据是否包含敏感数据;The data management and control module determines whether the first processed data contains sensitive data based on the sensitive data identification parameters;
    若所述第一处理数据不包含敏感数据,则确认所述第一处理数据满足所述第二条件;If the first processed data does not contain sensitive data, confirm that the first processed data meets the second condition;
    若所述第一处理数据包含敏感数据,则确认所述第一处理数据不满足所述第二条件。If the first processed data contains sensitive data, it is confirmed that the first processed data does not meet the second condition.
  8. 根据权利要求7所述的方法,其特征在于,所述确认所述第一处理数据不满足所述第二条件,所述数据管控模块修改所述第一处理数据,以得到满足所述第二条件的第二处理数据,包括:The method according to claim 7, characterized in that, after confirming that the first processing data does not satisfy the second condition, the data management and control module modifies the first processing data to obtain the data that satisfies the second condition. The second processing data of the condition includes:
    删除所述第一处理数据中的敏感数据;或者,Delete the sensitive data in the first processed data; or,
    对所述第一处理数据中的敏感数据进行加密。Sensitive data in the first processed data is encrypted.
  9. 根据权利要求6所述的方法,其特征在于,所述第二条件包括授权信息验证参数作为所述权限校验参数;并且,所述数据管控模块判断所述第一处理数据是否满足第二条件,包括:The method of claim 6, wherein the second condition includes authorization information verification parameters as the authority verification parameters; and the data management and control module determines whether the first processed data satisfies the second condition. ,include:
    数据管控模块基于所述授权信息验证参数,确认所述第一处理数据的终端接收方是否具有对所述第一处理数据全部数据内容的获取权限;The data management and control module confirms whether the terminal recipient of the first processed data has the right to obtain the entire data content of the first processed data based on the authorization information verification parameter;
    若所述第一处理数据的终端接收方具有对所述第一处理数据全部数据内容的获取权限,则确认所述第一处理数据满足所述第二条件;If the terminal recipient of the first processed data has the right to obtain the entire data content of the first processed data, it is confirmed that the first processed data satisfies the second condition;
    若所述第一处理数据的终端接收方不具有对所述第一处理数据全部数据内容的获取权限,则确认所述第一处理数据不满足所述第二条件。If the terminal recipient of the first processed data does not have the right to obtain the entire data content of the first processed data, it is confirmed that the first processed data does not satisfy the second condition.
  10. 根据权利要求9所述的方法,其特征在于,所述确认所述第一处理数据不满足所述第二条件,所述数据管控模块修改所述第一处理数据,以得到满足所述第二条件的第二处理数据,包括:The method according to claim 9, characterized in that, after confirming that the first processing data does not satisfy the second condition, the data management and control module modifies the first processing data to obtain the data that satisfies the second condition. The second processing data of the condition includes:
    若所述第一处理数据的终端接收方不具有对所述第一处理数据全部数据内容的获取权限,删除所述第一处理数据。If the terminal recipient of the first processed data does not have the right to obtain the entire data content of the first processed data, the first processed data is deleted.
  11. 根据权利要求6所述的方法,其特征在于,所述第二条件包括用于保护业务平台数据的预设时间阈值作为所述数据保护性校验参数;并且,所述数据管控模块判断所述第一处理数据是否满足第二条件,包括:The method of claim 6, wherein the second condition includes a preset time threshold for protecting business platform data as the data protective verification parameter; and the data management and control module determines that the Whether the first processed data meets the second condition, including:
    数据管控模块判断所述第一处理数据是否包括采集时间早于所述预设时间阈值的数据;The data management and control module determines whether the first processed data includes data whose collection time is earlier than the preset time threshold;
    若所述第一处理数据不包括采集时间早于所述预设时间阈值的数据,则确认所述第一处理数据满足所述第二条件; If the first processed data does not include data whose acquisition time is earlier than the preset time threshold, confirm that the first processed data meets the second condition;
    若所述第一处理数据包括采集时间早于所述预设时间阈值的数据,则确认所述第一处理数据不满足所述第二条件。If the first processed data includes data whose acquisition time is earlier than the preset time threshold, it is confirmed that the first processed data does not satisfy the second condition.
  12. 根据权利要求11所述的方法,其特征在于,所述确认所述第一处理数据不满足所述第二条件,所述数据管控模块修改所述第一处理数据,以得到满足所述第二条件的第二处理数据,包括:The method according to claim 11, characterized in that, after confirming that the first processing data does not satisfy the second condition, the data management and control module modifies the first processing data to obtain the data that satisfies the second condition. The second processing data of the condition includes:
    对所述第一处理数据中采集时间早于所述预设时间阈值的数据进行删除。Delete data in the first processed data whose collection time is earlier than the preset time threshold.
  13. 根据权利要求1至12中任一项所述的方法,其特征在于,所述路由模块为Nginx、Traefik、Envoy、Kong中的任一项。The method according to any one of claims 1 to 12, characterized in that the routing module is any one of Nginx, Traefik, Envoy, and Kong.
  14. 一种数据处理系统,其特征在于,包括:A data processing system, characterized by including:
    路由模块,用于获取用于目标业务的第一请求数据并发送给数据管控模块,其中所述第一请求数据至少包括所述目标服务模块的识别信息、以及用于所述目标业务的目标数据获取参数;A routing module, configured to obtain the first request data for the target service and send it to the data management and control module, where the first request data at least includes the identification information of the target service module and the target data for the target service. Get parameters;
    数据管控模块,用于判断所述第一请求数据是否满足第一条件,其中所述第一条件用于对请求目标服务模块处理的所述第一请求数据进行有效性及安全性检查;并且,在确认所述第一请求数据满足所述第一条件时,用于向目标服务模块发送所述第一请求数据;以及在确认所述第一请求数据不满足所述第一条件时,用于修改所述第一请求数据以得到满足所述第一条件的第二请求数据,并向目标服务模块发送所述第二请求数据;A data management and control module, used to determine whether the first request data satisfies a first condition, wherein the first condition is used to check the validity and security of the first request data processed by the request target service module; and, When it is confirmed that the first request data satisfies the first condition, used to send the first request data to the target service module; and when it is confirmed that the first request data does not satisfy the first condition, used to Modify the first request data to obtain second request data that satisfies the first condition, and send the second request data to the target service module;
    目标服务模块,用于根据接收到的所述第一请求数据或所述第二请求数据,处理得到第一处理数据,并向所述数据管控模块返回所述第一处理数据。The target service module is configured to process the first processing data according to the received first request data or the second request data, and return the first processing data to the data management and control module.
  15. 根据权利要求14所述的数据处理系统,其特征在于,所述数据管控模块,还用于判断所述第一处理数据是否满足第二条件,其中所述第二条件用于对待返回业务请求端的所述第一处理数据进行安全性检查,所述业务请求端为发起所述目标业务的客户端;并且,The data processing system according to claim 14, characterized in that the data management and control module is also used to determine whether the first processed data satisfies a second condition, wherein the second condition is used to return the service requesting end. The first processed data undergoes a security check, and the service requesting end is the client that initiates the target service; and,
    在确认所述第一处理数据满足所述第二条件时,用于向所述路由模块发送所述第一处理数据;When it is confirmed that the first processing data meets the second condition, be used to send the first processing data to the routing module;
    在确认所述第一处理数据不满足所述第二条件时,用于修改所述第一处理数据,以得到满足所述第二条件的第二处理数据,并向所述路由模块发送所述第二处理数据。When it is confirmed that the first processing data does not meet the second condition, it is used to modify the first processing data to obtain second processing data that meets the second condition, and send the said processing data to the routing module. Second process the data.
  16. 一种电子设备,其特征在于,包括:一个或多个处理器;一个或多个存储器;所述一个或多个存储器存储有一个或多个程序,当一个或者多个程序被所述一个或多个处理器执行时,使得所述电子设备执行权利要求1至12中任一项所述的数据处理方法。An electronic device, characterized in that it includes: one or more processors; one or more memories; the one or more memories store one or more programs. When one or more programs are processed by the one or more When executed by multiple processors, the electronic device is caused to execute the data processing method described in any one of claims 1 to 12.
  17. 一种计算机可读存储介质,其特征在于,包括计算机程序/指令,该计算机程序/指令被处理器执行时,实现权利要求1至12中任一项所述的数据处理方法。 A computer-readable storage medium, characterized in that it includes a computer program/instruction. When the computer program/instruction is executed by a processor, the data processing method according to any one of claims 1 to 12 is implemented.
PCT/CN2023/097671 2022-06-13 2023-06-01 Data processing method and system, and electronic device and computer-readable storage medium WO2023241366A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210660992.5 2022-06-13
CN202210660992.5A CN115242433B (en) 2022-06-13 2022-06-13 Data processing method, system, electronic device and computer readable storage medium

Publications (1)

Publication Number Publication Date
WO2023241366A1 true WO2023241366A1 (en) 2023-12-21

Family

ID=83669605

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/097671 WO2023241366A1 (en) 2022-06-13 2023-06-01 Data processing method and system, and electronic device and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN115242433B (en)
WO (1) WO2023241366A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115242433B (en) * 2022-06-13 2024-02-09 易保网络技术(上海)有限公司 Data processing method, system, electronic device and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180026943A1 (en) * 2014-08-22 2018-01-25 Shape Security, Inc. Modifying Authentication for an Application Programming Interface
CN112702336A (en) * 2020-12-22 2021-04-23 数字广东网络建设有限公司 Security control method and device for government affair service, security gateway and storage medium
CN114417344A (en) * 2020-10-09 2022-04-29 Sap欧洲公司 Resource security integration platform
CN115242433A (en) * 2022-06-13 2022-10-25 易保网络技术(上海)有限公司 Data processing method, system, electronic device and computer readable storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109522726A (en) * 2018-10-16 2019-03-26 平安万家医疗投资管理有限责任公司 Method for authenticating, server and the computer readable storage medium of small routine
CN110225039B (en) * 2019-06-14 2021-10-26 华云数据控股集团有限公司 Authority model obtaining method, authority authentication method, gateway, server and storage medium
CN112270011B (en) * 2020-11-19 2022-04-01 北京炼石网络技术有限公司 Method, device and system for protecting service and data security of existing application system
CN113765982A (en) * 2020-12-17 2021-12-07 北京沃东天骏信息技术有限公司 Request response method, device, system, server and storage medium
CN113268420A (en) * 2021-05-21 2021-08-17 北京大米科技有限公司 Development method, device and system of data interface and computer storage medium
CN113704744A (en) * 2021-07-21 2021-11-26 阿里巴巴(中国)有限公司 Data processing method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180026943A1 (en) * 2014-08-22 2018-01-25 Shape Security, Inc. Modifying Authentication for an Application Programming Interface
CN114417344A (en) * 2020-10-09 2022-04-29 Sap欧洲公司 Resource security integration platform
CN112702336A (en) * 2020-12-22 2021-04-23 数字广东网络建设有限公司 Security control method and device for government affair service, security gateway and storage medium
CN115242433A (en) * 2022-06-13 2022-10-25 易保网络技术(上海)有限公司 Data processing method, system, electronic device and computer readable storage medium

Also Published As

Publication number Publication date
CN115242433B (en) 2024-02-09
CN115242433A (en) 2022-10-25

Similar Documents

Publication Publication Date Title
US10541806B2 (en) Authorizing account access via blinded identifiers
JP7144117B2 (en) Model training system and method and storage medium
US10452862B2 (en) System and method for creating a policy for managing personal data on a mobile communications device
US20200126079A1 (en) Asset management method and apparatus, and electronic device
CN110266764B (en) Gateway-based internal service calling method and device and terminal equipment
US8918901B2 (en) System and method for restricting access to requested data based on user location
WO2015096695A1 (en) Installation control method, system and device for application program
US20150347773A1 (en) Method and system for implementing data security policies using database classification
US11368462B2 (en) Systems and method for hypertext transfer protocol requestor validation
US10282461B2 (en) Structure-based entity analysis
US10192262B2 (en) System for periodically updating backings for resource requests
WO2020233354A1 (en) Gateway-based external service calling method and device, and terminal device
WO2023241366A1 (en) Data processing method and system, and electronic device and computer-readable storage medium
US20200233699A1 (en) Platform-based change management
US10013237B2 (en) Automated approval
US11595372B1 (en) Data source driven expected network policy control
US10382398B2 (en) Application signature authorization
US20230315890A1 (en) Call location based access control of query to database
CN114866247B (en) Communication method, device, system, terminal and server
US20240152640A1 (en) Managing access to data stored on a terminal device
US11983580B2 (en) Real-time modification of application programming interface behavior
US20230205897A1 (en) Application groups for enforcing data transfer controls
US11870791B2 (en) Policy-controlled token authorization
WO2023129805A1 (en) Application groups for enforcing data transfer controls
CN117729036A (en) Cloud resource access method, system, equipment and medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23822936

Country of ref document: EP

Kind code of ref document: A1