CN109376526A - Authority control method and device, electronic equipment and computer readable storage medium - Google Patents
- Publication number: CN109376526A (application number CN201811134085.7A)
- Authority: CN (China)
- Prior art keywords: transaction, authorization, sub, message, authority
- Prior art date
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/466—Transaction processing
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
Embodiments of the present disclosure provide an authority control method, apparatus, electronic device and computer-readable storage medium. The method includes: receiving a distributed transaction and splitting it into a main transaction and at least one sub-transaction; performing an authorization operation on the main transaction; and, when that authorization operation reports success, using message middleware to perform the authorization operation of the at least one sub-transaction until it succeeds. The solution can combine several dimensions in controlling the permissions of business services and widens the range of situations in which permission control can be applied.
Description
Technical field
The present disclosure relates to the field of computer data processing, and in particular to an authority control method, apparatus, electronic device and computer-readable storage medium.
Background
As the economy grows and enterprises keep expanding, the volume of data they process has risen sharply. For enterprises spanning several regions in particular, managing company data across multiple geographically separate data centers has become the norm, and the complexity of the business requires users to access several data centers to carry out their work. Managing multiple data centers, however, easily leads to disorderly business processing and abuse of permission management. Permission systems arose to address this: according to the security rules or security policies configured in the permission system, a user can access the resources for which they have been authorized, and only those resources.
Today a permission system is an important component of almost every back-office management system; its main purpose is to control access to the data of the whole back-office system. The permission system controls access to resources, where a resource is anything that can be authorized: a role, a page or an interface, for example. When a user is authorized through the permission system and applies for many permissions at once, many other services are called and a distributed transaction is involved. In that case the consistency of the authorization data must be guaranteed, so that the situation where some permissions are granted while others fail does not arise. Distributed transactions are generally handled in one of two ways. The first splits the distributed transaction into local transactions and guarantees data consistency through a local message table; this largely avoids distributed transactions, but the local message table lives in a relational database, relational databases have throughput and performance bottlenecks, and frequent reads and writes of messages put pressure on the database, so under high concurrency this scheme is performance-limited. The second rolls back the business services involved in the distributed transaction (the business corresponding to the resources above) through an interface call: after authorization of a business service fails, the business permission data corresponding to the distributed transaction is rolled back. This scheme, however, generally calls the authorization services of a series of business services serially; when there are many such services the cost of rollback is high, and many authorization services are hard to roll back directly, so it is very limited.
Summary of the invention
Embodiments of the present disclosure provide an authority control method, apparatus, electronic device and computer-readable storage medium.
In a first aspect, embodiments of the present disclosure provide an authority control method.
Specifically, the authority control method includes:
receiving a distributed transaction and splitting the distributed transaction into a main transaction and at least one sub-transaction;
performing an authorization operation on the main transaction;
when the authorization operation reports that authorization succeeded, using message middleware to perform the authorization operation of the at least one sub-transaction until authorization succeeds.
With reference to the first aspect, in a first implementation of the first aspect of the present disclosure, receiving a distributed transaction and splitting it into a main transaction and at least one sub-transaction includes:
receiving the distributed transaction;
obtaining the content data of the distributed transaction;
splitting the distributed transaction into the main transaction and the at least one sub-transaction according to the content data.
With reference to the first aspect and its first implementation, in a second implementation of the first aspect of the present disclosure, using message middleware to perform the authorization operation of the at least one sub-transaction until it succeeds, when the authorization operation on the main transaction reports success, includes:
when the authorization operation reports success, generating a push message that carries the authorization tags corresponding to each of the at least one sub-transaction;
pushing the push message through the message middleware so as to trigger the at least one sub-transaction corresponding to the authorization tags to execute the push message, performing the authorization operation of the at least one sub-transaction until authorization succeeds.
With reference to the second implementation of the first aspect, a third implementation of the first aspect of the present disclosure further includes:
recording the state of the at least one sub-transaction's response to the push message, obtaining a message consumption status table that contains the message consumption status of each sub-transaction;
monitoring the message consumption status table in real time and handling messages that are consumed repeatedly.
With reference to the second and third implementations of the first aspect, in a fourth implementation of the first aspect of the present disclosure, pushing the push message through the message middleware to trigger the sub-transactions corresponding to the authorization tags to execute it, and performing their authorization operation until it succeeds, includes:
pushing the push message through the message middleware so that each of the at least one sub-transaction corresponding to the authorization tags responds to the push message;
performing the authorization operation of the at least one sub-transaction as a local transaction;
when the authorization operation reports success, discarding the push message;
when the authorization operation reports failure, re-acquiring the push message through the message middleware and comparing it with the message consumption status table;
when the message consumption status table holds consumption status information for the push message and that status is success, discarding the push message;
when the message consumption status table holds consumption status information for the push message and that status is failure, re-executing the push message and performing the authorization operation of those sub-transactions among the at least one sub-transaction that have not yet been authorized successfully, until authorization succeeds.
With reference to the first aspect and its first to fourth implementations, in a fifth implementation of the first aspect of the present disclosure, after the authorization operation is performed on the main transaction the method further includes:
when the authorization operation reports failure, rolling back the main transaction.
With reference to the first aspect and its first to fifth implementations, in a sixth implementation of the first aspect of the present disclosure,
the distributed transaction comprises a transaction to be authorized and an application transaction that initiates the transaction to be authorized; the main transaction is the application transaction and the at least one sub-transaction is the transaction to be authorized.
With reference to the first aspect and its first to sixth implementations, a seventh implementation of the first aspect of the present disclosure further includes:
monitoring the authorization operation of the at least one sub-transaction in real time and recording abnormal authorization information for use when the authorization operation is retried.
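The following is an added worked example written for this page; it is not code from the patent. It simulates, in Python, the flow of the first aspect together with its second to seventh implementations: splitting the content data into an application (main) transaction and one sub-transaction per requested grant, authorizing the main transaction locally and rolling it back on failure, pushing one message that carries the sub-transactions' authorization tags, consuming that message with a per-tag message consumption status table so that redelivery is idempotent, re-acquiring the message from the middleware after a failed grant, and recording abnormal authorization information for a later retry. The in-memory queue standing in for the message middleware, the `ADMINS` policy applied to the application transaction, the `FlakyGrantService` that fails a chosen number of times, the class and function names, and the role/page/print grants for employee-1 (the scenario the detailed description uses) are all assumptions of this example. It goes beyond the text in one respect: where the text retries "until authorization succeeds", the example bounds the number of redeliveries and, once they are exhausted, records the still-unauthorized sub-transactions as the abnormal authorization information of the seventh implementation.

```python
from collections import deque
from dataclasses import dataclass
ADMINS = {"admin-1"}  # assumed policy: only admins may initiate an application transaction

@dataclass
class DistributedTransaction:
    applicant: str  # initiator of the application (main) transaction
    subject: str    # employee or user who is to receive the permissions
    grants: list    # (resource_type, resource_id) pairs, one per sub-transaction

@dataclass
class PushMessage:
    txn_id: str
    subject: str
    tags: list      # authorization tags: (tag_id, resource_type, resource_id)
    attempt: int = 0

class MessageMiddleware:
    """In-memory stand-in for the message middleware (assumes at-least-once delivery)."""
    def __init__(self):
        self.queue = deque()
    def push(self, msg):
        self.queue.append(msg)
    def pull(self):
        return self.queue.popleft() if self.queue else None

class FlakyGrantService:
    """Constructed sub-transaction authorization service: fails `failures` times, then succeeds."""
    def __init__(self, failures=0):
        self.failures = failures
        self.granted = []  # (subject, resource_id), appended once per successful grant
    def grant(self, subject, resource_id):
        if self.failures > 0:
            self.failures -= 1
            return False
        self.granted.append((subject, resource_id))
        return True

class AuthorityController:
    def __init__(self, middleware, services, max_retries=3):
        self.mw = middleware
        self.services = services  # resource_type -> service exposing grant()
        self.main_store = {}      # txn_id -> committed application (main) transaction
        self.consume_state = {}   # message consumption status table: (txn_id, tag_id) -> "success" | "failed"
        self.abnormal = []        # abnormal authorization information kept for a later retry
        self.max_retries = max_retries
        self._seq = 0
    def split(self, txn):
        """S101: split the content data into the main transaction and one sub-transaction per grant."""
        self._seq += 1
        txn_id = f"txn-{self._seq}"
        main = {"txn_id": txn_id, "applicant": txn.applicant, "subject": txn.subject}
        subs = [(f"{txn_id}-{i}", rtype, rid) for i, (rtype, rid) in enumerate(txn.grants)]
        return main, subs
    def authorize_main(self, main):
        """S102: authorize the main transaction locally; roll it back on failure."""
        self.main_store[main["txn_id"]] = main   # tentative write
        if main["applicant"] not in ADMINS:
            del self.main_store[main["txn_id"]]  # rollback
            return False
        return True
    def handle(self, txn):
        """S103, producer side: on main success, push one message carrying the sub-transaction tags."""
        main, subs = self.split(txn)
        if not self.authorize_main(main):
            return None
        self.mw.push(PushMessage(main["txn_id"], main["subject"], subs))
        return main["txn_id"]
    def consume(self, msg):
        """S103, consumer side: each tag is a local transaction; the status table makes redelivery idempotent."""
        failed = False
        for tag_id, rtype, rid in msg.tags:
            key = (msg.txn_id, tag_id)
            if self.consume_state.get(key) == "success":
                continue  # already consumed successfully: discard the duplicate
            ok = self.services[rtype].grant(msg.subject, rid)
            self.consume_state[key] = "success" if ok else "failed"
            failed = failed or not ok
        if failed and msg.attempt < self.max_retries:
            msg.attempt += 1
            self.mw.push(msg)  # re-acquired through the middleware on the next pull
        elif failed:
            pending = [t for t in msg.tags if self.consume_state[(msg.txn_id, t[0])] != "success"]
            self.abnormal.append((msg.txn_id, pending))  # retries exhausted: record for a manual retry
        return not failed
    def drain(self):
        n = 0  # pull and consume until the queue is empty; returns the number of messages processed
        while (msg := self.mw.pull()) is not None:
            self.consume(msg)
            n += 1
        return n

def run_demo():
    """Constructed scenario: role, page and print grants for employee-1; the print service fails once."""
    services = {"role": FlakyGrantService(), "page": FlakyGrantService(), "print": FlakyGrantService(failures=1)}
    ctl = AuthorityController(MessageMiddleware(), services)
    txn = DistributedTransaction("admin-1", "employee-1",
                                 [("role", "auditor"), ("page", "/reports"), ("print", "printer-7")])
    txn_id = ctl.handle(txn)
    ctl.drain()
    return ctl, txn_id
```

Calling `run_demo()` returns the controller after the print service's one failed attempt has been redelivered and retried; its `consume_state` then shows success for all three tags while the role and page services record exactly one grant each, because the status table keyed by (transaction, tag) stops a redelivered message from granting them a second time. That idempotency is what makes at-least-once delivery safe here. In a deployment the push message is an instruction to grant permissions, so only the authority control apparatus should be able to publish to the topic the sub-transaction services consume from.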
In a second aspect, embodiments of the present disclosure provide an authority control apparatus.
Specifically, the authority control apparatus includes:
a receiving module configured to receive a distributed transaction;
a splitting module configured to split the distributed transaction into a main transaction and at least one sub-transaction;
an authorization module configured to perform an authorization operation on the main transaction and, when that operation reports success, to use message middleware to perform the authorization operation of the at least one sub-transaction until authorization succeeds.
With reference to the second aspect, in a first implementation of the second aspect of the present disclosure, the splitting module includes:
an acquisition sub-module configured to obtain the content data of the distributed transaction;
a splitting sub-module configured to split the distributed transaction into the main transaction and the at least one sub-transaction according to the content data.
With reference to the second aspect and its first implementation, in a second implementation of the second aspect of the present disclosure, the authorization module includes:
a generating sub-module configured to generate, when the authorization operation reports success, a push message carrying the authorization tags corresponding to each of the at least one sub-transaction;
an authorization sub-module configured to push the push message through the message middleware so as to trigger the at least one sub-transaction corresponding to the authorization tags to execute the push message, performing the authorization operation of the at least one sub-transaction until authorization succeeds.
With reference to the second implementation of the second aspect, in a third implementation of the second aspect of the present disclosure, the authority control apparatus further includes:
a recording and monitoring module configured to record the state of the at least one sub-transaction's response to the push message, obtaining a message consumption status table containing the message consumption status of each sub-transaction, and to monitor that table in real time and handle messages that are consumed repeatedly.
With reference to the second and third implementations of the second aspect, in a fourth implementation of the second aspect of the present disclosure, the authorization sub-module includes:
a push sub-module configured to push the push message through the message middleware so that each of the at least one sub-transaction corresponding to the authorization tags responds to the push message;
an authorization sub-module configured to perform the authorization operation of the at least one sub-transaction as a local transaction;
a discarding sub-module configured to discard the push message when the authorization operation reports success;
an acquisition sub-module configured to re-acquire the push message through the message middleware when the authorization operation reports failure;
a comparison sub-module configured to compare the push message with the message consumption status table;
the discarding sub-module being further configured to discard the push message when the message consumption status table holds consumption status information for it and that status is success;
the authorization sub-module being further configured, when the message consumption status table holds consumption status information for the push message and that status is failure, to re-execute the push message and perform the authorization operation of those sub-transactions among the at least one sub-transaction that have not yet been authorized successfully, until authorization succeeds.
With reference to the second aspect and its first to fourth implementations, in a fifth implementation of the second aspect of the present disclosure, the authority control apparatus further includes:
a rollback module configured to roll back the main transaction when, after the authorization operation has been performed on the main transaction, that operation reports failure.
With reference to the second aspect and its first to fifth implementations, in a sixth implementation of the second aspect of the present disclosure,
the distributed transaction comprises a transaction to be authorized and an application transaction that initiates the transaction to be authorized; the main transaction is the application transaction and the at least one sub-transaction is the transaction to be authorized.
With reference to the second aspect and its first to sixth implementations, in a seventh implementation of the second aspect of the present disclosure,
the authority control apparatus further includes:
a recording and monitoring module configured to monitor the authorization operation of the at least one sub-transaction in real time and to record abnormal authorization information for use when the authorization operation is retried.
In a third aspect, embodiments of the present disclosure provide an electronic device comprising a memory and a processor, the memory storing one or more computer instructions that enable the authority control apparatus to execute the authority control method of the first aspect, and the processor being configured to execute the computer instructions stored in the memory. The authority control apparatus may further include a communication interface through which it communicates with other devices or a communication network.
In a fourth aspect, embodiments of the present disclosure provide a computer-readable storage medium for storing the computer instructions used by the authority control apparatus, which include the computer instructions the apparatus uses to execute the authority control method of the first aspect.
The technical solutions provided by embodiments of the present disclosure can have the following beneficial effects:
By splitting the distributed transaction and applying different authorization processing to the resulting main transaction and at least one sub-transaction, the above solution controls the permissions of business services along several dimensions and widens the range of situations in which permission control can be applied.
It is to be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the present disclosure.
Description of the drawings
Other features, objects and advantages of the present disclosure will become more apparent from the following detailed description of non-limiting embodiments, taken together with the accompanying drawings, in which:
FIG. 1 shows a flowchart of an authority control method according to an embodiment of the present disclosure;
FIG. 2 shows a flowchart of step S101 of the authority control method of the embodiment shown in FIG. 1;
FIG. 3 shows a flowchart of step S103 of the authority control method of the embodiment shown in FIG. 1;
FIG. 4 shows a flowchart of an authority control method according to another embodiment of the present disclosure;
FIG. 5 shows a flowchart of an authority control method according to yet another embodiment of the present disclosure;
FIG. 6 shows a structural block diagram of an authority control apparatus according to an embodiment of the present disclosure;
FIG. 7 shows a structural block diagram of the splitting module 602 of the authority control apparatus of the embodiment shown in FIG. 6;
FIG. 8 shows a structural block diagram of the authorization module 603 of the authority control apparatus of the embodiment shown in FIG. 6;
FIG. 9 shows a structural block diagram of an authority control apparatus according to another embodiment of the present disclosure;
FIG. 10 shows a structural block diagram of the authorization sub-module 802 of the authority control apparatus of the embodiment shown in FIG. 8;
FIG. 11 shows a structural block diagram of an authority control apparatus according to yet another embodiment of the present disclosure;
FIG. 12 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure;
FIG. 13 is a schematic structural diagram of a computer system suitable for implementing an authority control method according to an embodiment of the present disclosure.
Detailed description
Exemplary embodiments of the present disclosure are described in detail below with reference to the accompanying drawings so that those skilled in the art can readily implement them. For clarity, parts unrelated to the description of the exemplary embodiments are omitted from the drawings.
In the present disclosure, terms such as "comprising" or "having" are intended to indicate the presence of the features, numbers, steps, acts, components, parts or combinations thereof disclosed in this specification, and do not exclude the possibility that one or more other features, numbers, steps, acts, components, parts or combinations thereof exist or are added.
It should also be noted that, where no conflict arises, the embodiments of the present disclosure and the features of those embodiments may be combined with one another. The present disclosure is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
The technical solution provided by embodiments of the present disclosure splits the distributed transaction and applies different authorization processing to the resulting main transaction and at least one sub-transaction, thereby controlling the permissions of business services along several dimensions and widening the range of situations in which permission control can be applied.
FIG. 1 shows a flowchart of an authority control method according to an embodiment of the present disclosure. As shown in FIG. 1, the authority control method includes the following steps S101 to S103:
In step S101, a distributed transaction is received and split into a main transaction and at least one sub-transaction;
In step S102, an authorization operation is performed on the main transaction;
In step S103, when the authorization operation reports success, message middleware is used to perform the authorization operation of the at least one sub-transaction until authorization succeeds.
As mentioned above, a permission system is an important component of almost every back-office management system, its main purpose being to control access to the data of the whole back-office system. When a user is authorized through the permission system and applies for many permissions at once, many other services are called and a distributed transaction is involved; the consistency of the authorization data must then be guaranteed, so that the situation where some permissions are granted while others fail does not arise. Distributed transactions are generally handled in one of two ways: the first splits the distributed transaction into local transactions and guarantees data consistency through a local message table, which largely avoids distributed transactions; the second rolls back the business services involved in the distributed transaction (the business corresponding to the resources above) through an interface call, rolling back the business permission data of the distributed transaction after authorization of a business service fails. The local message table, however, lives in a relational database, and relational databases have throughput and performance bottlenecks; frequent reads and writes of messages put pressure on the database, so under high concurrency the first scheme is performance-limited. The rollback scheme, moreover, generally calls the authorization services of a series of business services serially; when there are many such services the cost of rollback is high, and many authorization services are hard to roll back directly, so it is very limited.
考虑到上述缺陷,在该实施方式中,提出一种权限控制方法,该方法通过将分布式事务进行拆分,对拆分的主事务和至少一个子事务进行不同的权限授权处理,实现了结合多个维度进行业务服务的权限控制,提高权限控制的适用范围。Considering the above-mentioned defects, in this embodiment, an authority control method is proposed. The method divides the distributed transaction and performs different authority authorization processing on the split main transaction and at least one sub-transaction, so as to realize the combination of Permission control of business services is carried out in multiple dimensions to improve the scope of application of permission control.
Here, a distributed transaction is one in which the transaction participants, the servers supporting the transaction, the resource servers and the transaction manager (that is, the permission control apparatus) are located on different nodes of different distributed systems. The distributed transaction comprises a transaction to be authorized and an application transaction that initiates it; the main transaction is the application transaction and the at least one sub-transaction is the transaction to be authorized.
The permission control apparatus may be a user-operable entry point for setting the permissions of employees or users. In this embodiment the permission control apparatus may communicate with a permission control client on a terminal that has a visual display device (for example, a monitor), so that a user can set employee or user permissions by operating the display on the terminal. For example, the user selects the role, page and print permissions to be granted to employee 1. After the user has selected the function options within the permitted scope (that is, the role, page and print functions above), pressing the confirm-application button sends the operation information to the permission control apparatus, which triggers the permission application and starts the authorization of the selected function options. The whole permission-setting operation is called the distributed transaction, the authorization of a function option is called a transaction to be authorized, and the operation that triggers the permission application is called the application transaction that initiates the transactions to be authorized. Since several functions may be selected, there may be one or more transactions to be authorized; that is, the authorization process in this embodiment may trigger at least one transaction to be authorized, and the number of transactions to be authorized at the same time is not limited.
Permission control may be resource-based or role-based. In a resource-based permission control apparatus a resource is anything that can be authorized: a page, a record and an interface are all resources. A role-based permission control apparatus generally uses role-based access control (RBAC). In RBAC, permissions are associated with roles, and a user obtains the permissions of a role by becoming a member of that role, which greatly simplifies permission management. In an organization, roles are created to accomplish the various kinds of work, users are assigned the appropriate roles according to their responsibilities and qualifications, and a user can easily be reassigned from one role to another. A role can be given new permissions as requirements change and systems are merged, and permissions can likewise be withdrawn from a role as needed.
In one optional implementation of this embodiment, after receiving a distributed transaction triggered by a user operation, the permission control apparatus splits it into a main transaction and at least one sub-transaction. The apparatus first performs the authorization operation on the main transaction, and does so as a local transaction. That authorization may succeed or fail. When it reports success, the main transaction has been authorized and the authorization of the specific sub-transaction(s) may begin; for that the permission control apparatus may use message middleware to perform the authorization operation of the at least one sub-transaction until authorization succeeds.
Performing the authorization operation on the main transaction as a local transaction may be implemented concretely through business orchestration and asynchronous recovery in a local database.
In one optional implementation of this embodiment, as shown in FIG. 2, step S101, that is, receiving the distributed transaction and splitting it into a main transaction and at least one sub-transaction, comprises steps S201 to S203:
In step S201, the distributed transaction is received;
In step S202, the content data of the distributed transaction is obtained;
In step S203, the distributed transaction is split into the main transaction and the at least one sub-transaction according to the content data.
In this implementation, the permission control apparatus splits the distributed transaction according to differences in business content, performs the authorization operation on the main transaction first and then on the at least one sub-transaction, and uses a different authorization operation for each kind of transaction, which improves the flexibility and diversity of transaction processing.
After receiving the distributed transaction, the permission control apparatus can obtain its content data from the operation that triggered it; the content data is the content corresponding to the business. Using the content data, the apparatus splits the distributed transaction into at least one sub-transaction, namely the transaction(s) to be authorized, and the application transaction that initiated them, namely the main transaction.
In this implementation, the permission control apparatus can grant the applicant permissions for different businesses (that is, function options), and different businesses may have to be implemented by calling different business servers; this is why a distributed transaction is received.
The content data can be understood as the type of business function, for example a mail business, a print business, a data processing business or role assignment.
In one optional implementation of this embodiment, as shown in FIG. 3, step S103, that is, using message middleware to perform the authorization operation of the at least one sub-transaction until authorization succeeds once the authorization operation on the main transaction has reported success, comprises steps S301 and S302:
In step S301, when the authorization operation reports success, a push message is generated, carrying an authorization tag for each of the at least one sub-transaction;
In step S302, the push message is pushed through the message middleware to trigger the at least one sub-transaction corresponding to the authorization tag(s) to execute the push message, performing the authorization operation of the at least one sub-transaction until authorization succeeds.
In this implementation, the permission control apparatus uses message middleware to perform the authorization operation of the at least one sub-transaction; the persistent-message and retry functions of the middleware are what make the authorization of the sub-transactions succeed, raising the success rate of authorization.
Message middleware is suited to distributed environments that need reliable data transfer. In a permission control apparatus that uses message middleware, different transactions activate each other's events by passing messages and thereby complete the corresponding operations. When the authorization operation on the main transaction reports success, a push message is generated and sent to the message server, which stores it in one of several queues and then forwards it to the business server(s) corresponding to the at least one sub-transaction for the authorization operation. Message middleware can communicate across platforms; it is often used to hide the particularities of platforms and protocols and to achieve cooperation between applications. Its advantage is that it offers both synchronous and asynchronous connections between client and server, and a message can be delivered, or stored and forwarded, at any time.
In this implementation, when the authorization operation on the main transaction reports success, the permission control apparatus generates a push message carrying the authorization tag of each of the at least one sub-transaction, signalling that authorization of the sub-transaction(s) is starting. The apparatus then pushes the message through the message middleware to trigger each sub-transaction corresponding to an authorization tag to execute the push message and perform its authorization operation, relying on the middleware's persistent-message and retry functions until authorization succeeds.
Specifically, the permission control apparatus pushes the push message through the message middleware so that each of the at least one sub-transaction corresponding to an authorization tag responds to it; each sub-transaction is then authorized as a local transaction by calling the business service corresponding to that sub-transaction and assigning the permission on that business service's interface, at which point authorization has succeeded.
The authorization tag is the tag that associates each of the at least one sub-transaction with the push message; it can be understood as the subscription identifier of the push message. The message middleware pushes messages to business server interfaces according to subscription relationships, that is, it pushes the push message to the business server interface of each of the at least one sub-transaction according to the authorization tag, so that the sub-transaction(s) are authorized according to the push message.
Subscription is to be understood as follows: a message producer (publisher) publishes a message to a topic, several message consumers (subscribers) consume the message, and a message published to a topic is consumed by all of its subscribers. In other words, a given message can be received by several consumers (here, the at least one sub-transaction) as long as they subscribe to the topic. A producer sends a message to a virtual channel called a topic, and a topic may be subscribed to by several consumers.
In one optional implementation of this embodiment, as shown in FIG. 4, the method further comprises processing messages that have been consumed more than once according to the state of the at least one sub-transaction's response to the push message, that is, steps S401 and S402:
In step S401, the state of the at least one sub-transaction's response to the push message is recorded, giving a message consumption state table containing the consumption state of each of the at least one sub-transaction;
In step S402, the message consumption state table is monitored in real time and messages that have been consumed more than once are processed.
In this implementation, while performing the at least one sub-transaction via the push message, the permission control apparatus also records message consumption in a message consumption state table, avoiding repeated consumption of a message and repeated authorization, which improves the efficiency of the authorization process and reduces redundant data processing.
The message consumption state table may be a data structure established locally to record the consumption state of local messages. In this implementation, whenever the permission control apparatus executes a push message to authorize at least one sub-transaction, the outcome is recorded whether authorization succeeded or failed, that is, message consumption is recorded. When the same push message is produced again and the same sub-transaction of the same user is about to be authorized a second time, the consumption record of that message in the table allows the repeated authorization of the same sub-transaction for the same user to be refused.
In this implementation, when the message consumption state table records a push message, it may also record which user's and which sub-transaction's authorization operation the message belongs to.
In this implementation, throughout the authorization of the at least one sub-transaction the permission control apparatus records in real time the state of each sub-transaction's response to the push message and also monitors the message consumption state table in real time, so that it learns of changes in the table, identifies messages that have been consumed more than once, stops executing them and discards them.
The message consumption state table may be implemented in a NoSQL database to improve read speed.
Further, in one optional implementation of this embodiment, step S302, that is, pushing the push message through the message middleware to trigger the at least one sub-transaction corresponding to the authorization tag(s) to execute the push message and performing the authorization operation of the at least one sub-transaction until authorization succeeds, comprises the following steps:
pushing the push message through the message middleware to trigger each of the at least one sub-transaction corresponding to the authorization tag(s) to respond to the push message;
performing the authorization operation on the at least one sub-transaction as a local transaction;
when the authorization operation reports success, discarding the push message;
when the authorization operation reports failure, re-acquiring the push message through the message middleware and comparing it against the message consumption state table;
when the table contains consumption state information for the push message and that state is success, discarding the push message;
when the table contains consumption state information for the push message and that state is failure, re-executing the push message and performing the authorization operation of those of the at least one sub-transaction that have not yet been authorized successfully, until authorization succeeds.
After obtaining the push message, the permission control apparatus begins to authorize each of the at least one sub-transaction as a local transaction according to the message, and writes the correspondence between the push message and each sub-transaction into the message consumption state table. Once the local transaction of a sub-transaction has run, if it succeeded the push message for that sub-transaction is discarded and its consumption state in the table is updated to success. If the authorization of a sub-transaction fails, the persistent-message and retry functions of the message middleware are used to re-acquire the push message for that sub-transaction, which is then compared against the sub-transaction's consumption state in the local table: if the table shows the message as successfully consumed, the local transaction is not run, the sub-transaction is not executed and the push message is discarded; otherwise the sub-transaction's local transaction is executed until it succeeds. This makes the authorization service idempotent and ultimately yields consistency of the business data.
Idempotency means that when a user submits the same operation several times the interface performs it only once, that is, at most one authorization operation is performed for a given sub-transaction of a given user. Consistency means that in a distributed system the data on multiple nodes agree; here it means that the authorization operations either all succeed or all fail.
In one optional implementation of this embodiment, as shown in FIG. 5, after step S102, that is, after the authorization operation on the main transaction, the method further comprises step S501:
In step S501, when the authorization operation reports failure, the main transaction is rolled back.
In this implementation, after the permission control apparatus has performed the authorization operation on the main transaction there are two possible outcomes, success or failure. On failure the apparatus rolls back the main transaction and does not proceed to the authorization of the at least one sub-transaction. A rollback is only possible directly after the authorization of the main transaction, and rollback is not used at any other point in the implementation of the permission control method, which improves the efficiency of permission control.
In one optional implementation of this embodiment, the method further comprises:
monitoring the authorization operation of the at least one sub-transaction in real time and recording abnormal authorization information for use when the authorization operation is retried.
In this implementation, the authorization operation of the at least one sub-transaction can be monitored in real time throughout the permission control method, and the data and operations occurring during the authorization operation are recorded, producing abnormal authorization information for use when the authorization operation is retried. This makes the processing capacity and condition of message handling observable so that adjustments can be made promptly, improving the availability and scalability of the service.
The abnormal authorization information may include abnormal message consumption states, abnormal data, abnormal message processing capacity and the like.
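The flow of steps S201 to S203, S102 and S501, S301 and S302, S401 and S402, and the abnormal-information record above, as one added example; this is not code from the patent or from any product it describes. It assumes Python with sqlite for both the main transaction's local database and the message consumption state table (the patent allows a NoSQL store for the latter), an in-memory queue standing in for the message middleware's persisted queue and retry, constructed business services in which the print service fails on its first call, and a three-delivery limit. The user name, permission names, table names and the rule that the main transaction fails for an unknown user are all assumptions made for illustration.

```python
import sqlite3
import uuid
from collections import deque
from dataclasses import dataclass

SAMPLE_REQUEST = {"user": "employee1", "permissions": ["role", "page", "print"]}  # constructed sample


@dataclass
class PushMessage:  # S301: one push message carrying one authorization tag per sub-transaction
    message_id: str
    user: str
    tags: list
    attempts: int = 0


class AuthorityController:
    def __init__(self, services, max_attempts=3):
        self.services, self.max_attempts = services, max_attempts
        self.queue = deque()  # stands in for the message middleware (persisted queue + retry)
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE main_txn(user TEXT, status TEXT);
            CREATE TABLE consume_state(message_id TEXT, user TEXT, tag TEXT, status TEXT,
                                       PRIMARY KEY(message_id, user, tag));
            CREATE TABLE abnormal_log(message_id TEXT, tag TEXT, reason TEXT);""")

    def split(self, request):  # S201-S203: split by content data (here, the permission type)
        main = {"user": request["user"]}
        subs = [{"user": request["user"], "tag": p} for p in request["permissions"]]
        return main, subs

    def authorize_main(self, main, known_users):  # S102 / S501: local transaction, rolled back on failure
        try:
            with self.db:  # sqlite3 commits on normal exit and rolls back on an exception
                self.db.execute("INSERT INTO main_txn VALUES (?, 'applied')", (main["user"],))
                if main["user"] not in known_users:
                    raise ValueError("unknown user")
            return True
        except ValueError:
            return False  # nothing is pushed, so the sub-transactions never start

    def push(self, subs):  # S302: publish the message; the consumer picks it up from the queue
        self.queue.append(PushMessage(str(uuid.uuid4()), subs[0]["user"], [s["tag"] for s in subs]))

    def consume(self, msg):
        """Consumer side: each tag is a local transaction, made idempotent by consume_state (S401)."""
        all_ok = True
        for tag in msg.tags:
            key = (msg.message_id, msg.user, tag)
            row = self.db.execute(
                "SELECT status FROM consume_state WHERE message_id=? AND user=? AND tag=?", key).fetchone()
            if row and row[0] == "success":
                continue  # already granted on an earlier delivery: discard this part (S402)
            try:
                with self.db:
                    self.services[tag](msg.user)  # call the business service's authorization interface
                    self.db.execute("INSERT OR REPLACE INTO consume_state VALUES (?,?,?,'success')", key)
            except Exception as exc:
                with self.db:
                    self.db.execute("INSERT OR REPLACE INTO consume_state VALUES (?,?,?,'failure')", key)
                    self.db.execute("INSERT INTO abnormal_log VALUES (?,?,?)", (msg.message_id, tag, str(exc)))
                all_ok = False
        if all_ok:
            return "discard"
        if msg.attempts + 1 < self.max_attempts:
            msg.attempts += 1
            self.queue.append(msg)  # middleware retry: redeliver the same persisted message
            return "retry"
        return "give_up"  # retries exhausted; abnormal_log records what went wrong for operators


def make_services(print_failures=1):
    """Constructed business services: 'print' fails its first N calls, the others always succeed."""
    granted, calls = [], [0]
    def flaky_print(user):
        calls[0] += 1
        if calls[0] <= print_failures:
            raise RuntimeError("print service unavailable")
        granted.append((user, "print"))

    return {"role": lambda u: granted.append((u, "role")),
            "page": lambda u: granted.append((u, "page")), "print": flaky_print}, granted


def run(request, known_users=("employee1",), print_failures=1, max_attempts=3):
    services, granted = make_services(print_failures)
    ctl = AuthorityController(services, max_attempts)
    main, subs = ctl.split(request)
    if not ctl.authorize_main(main, known_users):
        rows = ctl.db.execute("SELECT COUNT(*) FROM main_txn").fetchone()[0]
        return {"main": "rolled_back", "main_rows": rows, "outcomes": [], "granted": granted}
    ctl.push(subs)
    outcomes = []
    while ctl.queue:
        outcomes.append(ctl.consume(ctl.queue.popleft()))
    return {"main": "success", "outcomes": outcomes, "granted": granted,
            "states": dict(ctl.db.execute("SELECT tag, status FROM consume_state")),
            "abnormal": ctl.db.execute("SELECT COUNT(*) FROM abnormal_log").fetchone()[0]}
```

`run(SAMPLE_REQUEST)` exercises the retry path: the first delivery grants role and page, fails on print and writes a failure row plus an abnormal-log entry; the redelivered message skips the two tags already marked success and re-runs only print, so no permission is granted twice. With a print service that keeps failing, the message is given up after the attempt limit and the table still shows which sub-transaction is outstanding. An unknown user makes the main transaction roll back (the main_txn table stays empty) and nothing is ever pushed.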
The following are apparatus embodiments of the present disclosure, which may be used to execute the method embodiments of the present disclosure.
FIG. 6 is a structural block diagram of a permission control apparatus according to an embodiment of the present disclosure. The apparatus may be implemented in software, hardware or a combination of both, as part or all of an electronic device. As shown in FIG. 6, the permission control apparatus comprises:
a receiving module 601 configured to receive a distributed transaction;
a splitting module 602 configured to split the distributed transaction into a main transaction and at least one sub-transaction;
an authorization module 603 configured to perform an authorization operation on the main transaction and, when that authorization operation reports success, to use message middleware to perform the authorization operation of the at least one sub-transaction until authorization succeeds.
Considering the defects described above, this embodiment proposes a permission control apparatus. The apparatus splits the distributed transaction and applies different authorization processing to the resulting main transaction and at least one sub-transaction, so that permission control of business services is carried out along several dimensions at once and the range of situations in which permission control applies is widened.
Here, a distributed transaction is one in which the transaction participants, the servers supporting the transaction, the resource servers and the transaction manager (that is, the permission control apparatus) are located on different nodes of different distributed systems.
In one optional implementation of this embodiment, the distributed transaction comprises a transaction to be authorized and an application transaction that initiates it; the main transaction is the application transaction and the at least one sub-transaction is the transaction to be authorized.
其中,权限控制装置可以为用户可以操作的用于设置员工或用户权限的入口,在本实施方式中,权限控制装置可以与有可视化显示装置(例如显示器)的终端的权限控制客户端进行通信,这样,用户就可以通过对终端中的可视化显示装置进行操作,实现员工或用户的权限的设定。例如,用户通过在终端上的操作,选中角色、页面、以及打印等权限为员工1进行权限授权,那么在用户选完权限范围内的功能选项(即上述的角色、页面以及打印等功能)后,通过触发确认申请功能按键,将上述操作信息发送至权限控制装置,触发权限申请,开始进行上述功能选项的权限授权操作,而整个权限设定的操作称为分布式事务,功能选项的权限授权操作称为待授权事务,触发权限申请的操作称为发起待授权事务的申请事务。在本实施方式中,由于功能选项选中的功能可以是多个,因此,待授权事务可能是多个或一个,即在本实施方式中的在权限授权的过程中,可以触发至少一个待授权事务产生,在本实施方式中不限制同时进行权限授权时待授权事务的数量。Wherein, the authority control device may be a user-operable portal for setting employee or user authority. In this embodiment, the authority control device may communicate with the authority control client of the terminal having a visual display device (such as a display), In this way, the user can set the authority of the employee or the user by operating the visual display device in the terminal. For example, the user selects roles, pages, and print permissions to authorize employee 1 through operations on the terminal, then after the user selects the functional options within the scope of permissions (that is, the above-mentioned roles, pages, and print functions) , by triggering the confirmation application function button, the above operation information is sent to the authority control device, the authority application is triggered, and the authority authorization operation of the above function options is started, and the entire authority setting operation is called a distributed transaction, and the authority authorization of the function options The operation is called the transaction to be authorized, and the operation that triggers the permission application is called the application transaction that initiates the transaction to be authorized. 
In this embodiment, since there can be multiple functions selected by the function option, there may be multiple or one transactions to be authorized, that is, in the process of authorization in this embodiment, at least one transaction to be authorized can be triggered Generated, in this embodiment, the number of transactions to be authorized when authorization authorization is performed at the same time is not limited.
Permission control includes resource-based permission control and role-based permission control. In a resource-based authority control device, a resource is anything that can be authorized: a page, a record, or an interface is each a resource. A role-based authority control device generally uses role-based access control (RBAC). In RBAC, permissions are associated with roles, and users obtain the permissions of roles by becoming members of the appropriate roles, which greatly simplifies permission management. In an organization, roles are created to accomplish various tasks, and users are assigned roles according to their responsibilities and qualifications; a user can easily be reassigned from one role to another. Roles can be given new permissions as new requirements arise or systems are merged, and permissions can be withdrawn from a role as needed.
In an optional implementation of this embodiment, after a distributed transaction triggered by a user operation is received, the distributed transaction is split into a main transaction and at least one sub-transaction. The permission authorization operation is first performed on the main transaction, and it is performed as a local transaction. The permission authorization operation may succeed or fail; when it reports success, the authorization of the main transaction has succeeded, and the permission authorization operations for the specific sub-transactions can begin. Here, message middleware may be used to perform the permission authorization operation for the at least one sub-transaction until permission authorization succeeds.
Performing the permission authorization operation on the main transaction as a local transaction may specifically be implemented through business orchestration and asynchronous recovery in a local database.
In an optional implementation of this embodiment, as shown in FIG. 7, the splitting module 602 includes:
an obtaining sub-module 701, configured to obtain the content data of the distributed transaction; and
a splitting sub-module 702, configured to split the distributed transaction into the main transaction and the at least one sub-transaction according to the content data.
In this embodiment, the distributed transaction can be split according to differences in its business content; the permission authorization operation is performed first on the main transaction and then on the at least one sub-transaction, and different permission authorization operations implement the authorization of different transactions, which improves the flexibility and diversity of transaction processing.
After the distributed transaction is received, its content data can be obtained from the operation that triggered it; the content data is the content corresponding to the business. Based on the content data, the distributed transaction can then be split into at least one sub-transaction, that is, the transactions to be authorized, and the application transaction that initiates them (that is, the main transaction).
In this embodiment, the applicant can be granted permissions for different businesses (that is, functional options), and different businesses may need to be implemented by invoking different business servers, which is why a distributed transaction is received.
The content data can be understood as the type of business function, for example, mail, printing, data processing, role assignment, and so on.
In an optional implementation of this embodiment, as shown in FIG. 8, the authorization module 603 includes:
a generating sub-module 801, configured to generate a push message when the permission authorization operation reports that permission authorization has succeeded, the push message carrying the permission authorization mark corresponding to each of the at least one sub-transaction; and
an authorization sub-module 802, configured to push the push message through the message middleware so as to trigger the at least one sub-transaction corresponding to the permission authorization mark to execute the push message and perform the permission authorization operation of the at least one sub-transaction until permission authorization succeeds.
In this embodiment, message middleware is used to perform the permission authorization operation of the at least one sub-transaction, and the persistent-message and retry functions of the message middleware are used to complete the authorization of the at least one sub-transaction, which improves the success rate of permission authorization.
Message middleware is suited to distributed environments that require reliable data delivery. In an authority control device that uses message middleware, different transactions activate each other's events by passing messages and thereby complete the corresponding operations. When the permission authorization operation reports success, a push message is generated and sent to the message server; the message server stores the message in one or more queues and then forwards the push message to the business server corresponding to the at least one sub-transaction, which performs the permission authorization operation. Message middleware can communicate across different platforms; it is often used to hide the particularities of the various platforms and protocols and to achieve cooperation between applications. Its advantage is that it can provide both synchronous and asynchronous connections between clients and servers, and can deliver or store-and-forward messages at any time.
In this embodiment, when the permission authorization operation reports success, generation of a push message is triggered. The push message carries the permission authorization mark corresponding to each of the at least one sub-transaction, indicating that the permission authorization operation of the at least one sub-transaction is to begin. The push message is then pushed through the message middleware to trigger each sub-transaction corresponding to a permission authorization mark to execute the push message and perform its permission authorization operation, using the persistent-message and retry functions of the message middleware until permission authorization succeeds.
The push message is pushed through the message middleware to trigger each of the at least one sub-transaction corresponding to an authorization mark to respond to the push message; the authorization operation is performed on each sub-transaction as a local transaction, and the business service corresponding to each sub-transaction is invoked to assign the permission on that business service interface, at which point authorization has succeeded.
The authorization mark is the mark that associates each of the at least one sub-transaction with the push message, and can be understood as the subscription identifier of the push message. The message middleware can push messages to the business server interfaces according to subscription relationships; that is, the message middleware pushes the push message to the business server interface corresponding to each sub-transaction according to its authorization mark, so that the permission authorization operation of the at least one sub-transaction is performed according to the push message.
Subscription is understood as follows: a message producer (publisher) publishes a message to a topic, several message consumers (subscribers) consume the message at the same time, and a message published to a topic is consumed by all of its subscribers. In other words, a particular message can be received by multiple consumers (here, the at least one sub-transaction) as long as those consumers have subscribed to the topic. The message producer (publisher) sends the message to a virtual channel called a topic, and a topic can be subscribed to by multiple consumers.
In an optional implementation of this embodiment, as shown in FIG. 9, the authority control device further includes:
a recording and monitoring module 901, configured to record the state of the at least one sub-transaction responding to the push message, obtaining a message consumption state table that contains the message consumption state corresponding to each of the at least one sub-transaction, and to monitor the message consumption state table in real time and handle messages that have been consumed repeatedly.
In this embodiment, while the at least one sub-transaction is being performed via the push message, a message consumption state table can also be used to record how messages have been consumed, which avoids repeated consumption of a message and repeated authorization, improves the efficiency of the authorization process, and reduces redundant data processing.
The message consumption state table may be a locally established data structure used to record the consumption state of local messages. In this embodiment, when a push message is executed to perform permission authorization for the at least one sub-transaction, the outcome is recorded whether the authorization succeeds or fails; that is, message consumption is recorded. Then, when the same push message is produced again and attempts to re-authorize the same sub-transaction for the same user, the consumption record of that message in the message consumption state table can be used to refuse the repeated authorization of the same sub-transaction for the same user.
In this embodiment, when recording a push message, the message consumption state table may also record which user and which sub-transaction the permission authorization operation concerns.
In this embodiment, during the permission authorization of the at least one sub-transaction, the state of each sub-transaction's response to the push message is recorded in real time, and the message consumption state table is also monitored in real time to learn of changes in it, identify messages that have been consumed repeatedly, abort the execution of those messages, and discard them.
The message consumption state table may be implemented with a NoSQL database to improve data read speed.
In an optional implementation of this embodiment, as shown in FIG. 10, the authorization sub-module 802 includes:
a pushing sub-module 1001, configured to push the push message through the message middleware so as to trigger each of the at least one sub-transaction corresponding to the permission authorization mark to respond to the push message;
an authorization sub-module 1002, configured to perform the permission authorization operation on the at least one sub-transaction as a local transaction;
a discarding sub-module 1003, configured to discard the push message when the permission authorization operation reports that permission authorization has succeeded;
an obtaining sub-module 1004, configured to re-acquire the push message through the message middleware when the permission authorization operation reports that permission authorization has failed; and
a comparison sub-module 1005, configured to compare the push message with the message consumption state table;
the discarding sub-module 1003 is further configured to discard the push message when consumption state information for the push message exists in the message consumption state table and that consumption state information is "success";
the authorization sub-module 1002 is further configured, when consumption state information for the push message exists in the message consumption state table and that consumption state information is "failure", to re-execute the push message and perform the permission authorization operation for those of the at least one sub-transaction whose permission authorization has not yet succeeded, until permission authorization succeeds.
After the push message is obtained, the permission authorization operation is performed as a local transaction on each of the at least one sub-transaction according to the push message, and the correspondence between the push message and each sub-transaction is written to the message consumption state table. Once the local transaction of a sub-transaction has finished, if it succeeded, the push message corresponding to that sub-transaction is discarded and the consumption state of that push message in the message consumption state table is updated to "success". If the permission authorization of a sub-transaction fails, the message persistence and retry functions of the message middleware are used to re-acquire the push message corresponding to that sub-transaction, and it is compared with the consumption state information of that sub-transaction in the local message consumption state table: if the push message is recorded as "success" in the table, the local transaction is not executed, the sub-transaction is not performed, and the push message is discarded; otherwise, the local transaction corresponding to the sub-transaction is executed until it succeeds. This makes the authorization service idempotent and ultimately achieves consistency of the business data.
Idempotency means that when a user submits the same operation multiple times, the interface performs the operation only once; that is, only one permission authorization operation is performed for a given sub-transaction of a given user. Consistency means that in a distributed system the data on multiple nodes agree; here it means that the permission authorization operations either all succeed or all fail.
In an optional implementation of this embodiment, as shown in FIG. 11, the authority control device further includes:
a rollback module 1101, configured to roll back the main transaction when, after the permission authorization operation has been performed on the main transaction, the permission authorization operation reports that permission authorization has failed.
In this embodiment, after the permission authorization operation on the main transaction, there are two possible outcomes: the operation reports success, or it reports failure. When it reports failure, the main transaction is rolled back and the subsequent permission authorization operations of the at least one sub-transaction are not performed. A rollback is possible only after the permission authorization operation on the main transaction; rollback is not used at every step of the process, which improves the efficiency of permission control.
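As an added example that is not part of the patent, the following Python models the flow described in the passages above: splitting the distributed transaction by content data into a main transaction and sub-transactions, running the main transaction locally with rollback on failure, generating one push message per sub-transaction carrying its authorization mark (modelled as a topic), and consuming those messages with a message consumption state table so that redelivered or retried messages never grant the same permission twice. The in-memory Broker (a stand-in for the message middleware), the FlakyService, and all names and sample data are constructed for illustration.

```python
from dataclasses import dataclass
# Added example, not the patent's code; all names and sample data are constructed.

def split_distributed_transaction(content):
    """Split by content data: main (application) transaction + one sub-transaction per option."""
    user, options = content["user"], list(content["options"])
    return ({"user": user, "options": options},
            [{"user": user, "service": opt} for opt in options])

def run_main_transaction(main, local_db, fail=False):
    """Local transaction on the application record; rolled back on failure (`fail` injects one)."""
    before = {u: set(v) for u, v in local_db.items()}  # savepoint
    try:
        local_db[main["user"]] = set(main["options"])
        if fail:
            raise RuntimeError("constructed main-transaction failure")
        return True
    except RuntimeError:
        local_db.clear(); local_db.update(before)  # rollback: no sub-transaction is started
        return False

class Broker:
    """Middleware stand-in: messages persist per topic (authorization mark) until discarded."""
    def __init__(self):
        self.topics = {}
    def push(self, topic, msg):
        self.topics.setdefault(topic, []).append(msg)
    def pending(self, topic):
        return list(self.topics.get(topic, []))  # redelivered every time it is asked for
    def discard(self, topic, msg):
        self.topics[topic].remove(msg)

@dataclass(frozen=True)
class PushMessage:
    message_id: str
    user: str
    service: str  # the sub-transaction this message authorizes

def build_push_messages(subs, message_id):
    """Generated only after the main transaction succeeded: (topic, message) per sub-transaction."""
    return [(f"authz/{s['service']}", PushMessage(message_id, s["user"], s["service"]))
            for s in subs]

class FlakyService:
    """Constructed business service: fails the first N grants per (user, service), then succeeds."""
    def __init__(self, failures):
        self.failures = dict(failures)
        self.granted = []  # every successful grant, so idempotency can be checked
    def grant(self, user, service):
        left = self.failures.get((user, service), 0)
        if left > 0:
            self.failures[(user, service)] = left - 1
            raise RuntimeError("constructed service failure")
        self.granted.append((user, service))

def consume(msg, status_table, service):
    """Execute one push message as a local transaction. The state table, keyed by
    (message id, user, service), records success/failure so a retry never re-grants."""
    key = (msg.message_id, msg.user, msg.service)
    if status_table.get(key) == "success":
        return "duplicate"  # already consumed: discard without re-authorizing
    try:
        service.grant(msg.user, msg.service)
        status_table[key] = "success"
        return "success"
    except RuntimeError:
        status_table[key] = "failure"
        return "failure"

def authorize_sub_transactions(broker, topics, status_table, service, max_rounds=5):
    """Drain every topic: discard messages that succeeded (now or earlier per the
    table); failed ones stay persisted and are re-acquired in the next round."""
    for _ in range(max_rounds):
        remaining = 0
        for topic in topics:
            for msg in broker.pending(topic):
                if consume(msg, status_table, service) == "failure":
                    remaining += 1
                else:
                    broker.discard(topic, msg)
        if remaining == 0:
            return True
    return False

def run_authorization(content, service, main_fails=False, redeliver=False):
    """End-to-end flow for one distributed transaction. `redeliver` simulates
    at-least-once delivery by pushing every message twice."""
    local_db, status_table, broker, topics = {}, {}, Broker(), []
    main, subs = split_distributed_transaction(content)
    if not run_main_transaction(main, local_db, fail=main_fails):
        return {"main": "rolled_back", "subs": "not_started", "granted": []}
    for topic, msg in build_push_messages(subs, message_id="msg-1"):
        for _ in range(2 if redeliver else 1):
            broker.push(topic, msg)
        topics.append(topic)
    ok = authorize_sub_transactions(broker, topics, status_table, service)
    return {"main": "committed", "subs": "success" if ok else "failed",
            "granted": service.granted, "status": status_table}
```

With `redeliver=True` and a service that fails the print grant once, the run still ends with each of the three permissions granted exactly once, which is the idempotency the state table is there to provide.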
In an optional implementation of this embodiment, the recording and monitoring module is configured to monitor the permission authorization operation of the at least one sub-transaction in real time and record abnormal permission authorization information for use when the permission authorization operation is retried.
In this embodiment, the permission authorization operation of the at least one sub-transaction can be monitored in real time, and the data and operations occurring during the permission authorization operation are recorded, yielding abnormal permission authorization information for use when the permission authorization operation is retried. In this way the message processing capacity and status can be monitored and adjusted in a timely manner, which improves the availability and scalability of the service.
The abnormal permission authorization information may include abnormal message consumption states, abnormal data, abnormal message processing capacity, and the like.
The present disclosure also discloses an electronic device. FIG. 12 shows a structural block diagram of an electronic device according to an embodiment of the present disclosure. As shown in FIG. 12, the electronic device 1200 includes a memory 1201 and a processor 1202, where:
the memory 1201 is configured to store one or more computer instructions, and the one or more computer instructions are executed by the processor 1202 to implement any of the method steps described above.
FIG. 13 is a schematic structural diagram of a computer system suitable for implementing the authority control method according to an embodiment of the present disclosure.
As shown in FIG. 13, the computer system 1300 includes a central processing unit (CPU) 1301, which can perform the various processes of the embodiments described above according to a program stored in a read-only memory (ROM) 1302 or a program loaded from a storage section 1308 into a random access memory (RAM) 1303. The RAM 1303 also stores various programs and data required for the operation of the system 1300. The CPU 1301, the ROM 1302, and the RAM 1303 are connected to each other through a bus 1304. An input/output (I/O) interface 1305 is also connected to the bus 1304.
The following components are connected to the I/O interface 1305: an input section 1306 including a keyboard, a mouse, and the like; an output section 1307 including a cathode ray tube (CRT), a liquid crystal display (LCD), a speaker, and the like; a storage section 1308 including a hard disk and the like; and a communication section 1309 including a network interface card such as a LAN card or a modem. The communication section 1309 performs communication processing via a network such as the Internet. A drive 1310 is also connected to the I/O interface 1305 as needed. A removable medium 1311, such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory, is mounted on the drive 1310 as needed so that a computer program read from it can be installed into the storage section 1308 as needed.
In particular, according to embodiments of the present disclosure, the method described above may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program containing program code for executing the authority control method. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 1309 and/or installed from the removable medium 1311.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, program segment, or portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur out of the order noted in the figures; for example, two blocks shown in succession may in fact be executed substantially concurrently, or sometimes in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks therein, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units or modules involved in the embodiments of the present disclosure may be implemented in software or in hardware. The described units or modules may also be provided in a processor, and the names of these units or modules do not, in certain circumstances, constitute a limitation on the units or modules themselves.
As another aspect, the present disclosure also provides a computer-readable storage medium, which may be the computer-readable storage medium included in the apparatus described in the above embodiments, or may be a stand-alone computer-readable storage medium that is not assembled into a device. The computer-readable storage medium stores one or more programs, which are used by one or more processors to perform the methods described in the present disclosure.
The above description is merely a preferred embodiment of the present disclosure and an explanation of the technical principles employed. Those skilled in the art should understand that the scope of the invention involved in the present disclosure is not limited to technical solutions formed by the specific combination of the above technical features, but also covers other technical solutions formed by any combination of the above technical features or their equivalents without departing from the inventive concept, for example, technical solutions formed by substituting the above features with technical features of similar function disclosed in (but not limited to) the present disclosure.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811134085.7A CN109376526A (en) | 2018-09-27 | 2018-09-27 | Authority control method and device, electronic equipment and computer readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109376526A (en) | 2019-02-22 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190222 |