
CN111600899A - Micro-service access control method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN111600899A
Authority
CN
China
Prior art keywords
access
interface
role
tamper
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010451184.9A
Other languages
Chinese (zh)
Inventor
丁磊
丁祥雨
刘宇
李冰
沈强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Human Horizons Shanghai Internet Technology Co Ltd
Original Assignee
Human Horizons Shanghai Internet Technology Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present application provide a microservice access control method, apparatus, electronic device and storage medium. The specific implementation scheme is: receiving an access request to a target interface of a microservice, the access request including a user identifier; querying the authorization role corresponding to the user identifier, the authorization role including at least one interface to which access is permitted; and controlling access to the target interface according to the query result. By granting a user access to at least one microservice interface through an authorization role, the embodiments of the present application achieve unified management of access rights to multiple microservice interfaces and ensure secure access control of microservice interfaces while maintaining service performance.

Description

Microservice access control method, apparatus, electronic device and storage medium

Technical field

The present application relates to the field of computer network technologies, and in particular to a microservice access control method, apparatus, electronic device and storage medium.

Background

In a microservice architecture, different microservices can have different network addresses, and the microservices complete user requests by calling one another. A client may complete a single user request by calling the interfaces of several microservices. An API (Application Programming Interface) gateway can be placed between the client and the server so that all external requests pass through it and the gateway calls the individual microservices; this API gateway is therefore also called a microservice gateway. In practice, a microservice architecture usually comprises many microservices, each of which provides several interfaces, so the microservice gateway has to perform access control on a large number of microservice interfaces. When many users access the system concurrently, the gateway's authorization service therefore becomes a performance bottleneck. How to ensure secure access control of microservice interfaces while maintaining service performance is a problem that urgently needs to be solved.

Summary of the invention

Embodiments of the present application provide a microservice access control method, apparatus, electronic device and storage medium to solve the problems in the related art. The technical solutions are as follows:

In a first aspect, an embodiment of the present application provides a microservice access control method, which includes:

receiving an access request to a target interface of a microservice, the access request including a user identifier;

querying the authorization role corresponding to the user identifier, the authorization role including at least one interface to which access is permitted; and

controlling access to the target interface according to the query result.

In a second aspect, an embodiment of the present application provides a microservice access control apparatus, which includes:

a receiving unit, configured to receive an access request to a target interface of a microservice, the access request including a user identifier;

a query unit, configured to query the authorization role corresponding to the user identifier, the authorization role including at least one interface to which access is permitted; and

a control unit, configured to control access to the target interface according to the query result.

In a third aspect, an embodiment of the present application provides an electronic device, which includes:

at least one processor; and

a memory communicatively connected to the at least one processor, wherein

the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the method provided by any embodiment of the present application.

In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the method of any implementation of the above aspects to be performed.

The advantages or beneficial effects of the above technical solutions include at least the following: by granting a user access to at least one microservice interface through an authorization role, unified management of access rights to multiple microservice interfaces can be achieved, and secure access control of microservice interfaces can be ensured while maintaining service performance.

The above summary is provided for the purpose of the specification only and is not intended to be limiting in any way. In addition to the illustrative aspects, embodiments and features described above, further aspects, embodiments and features of the present application will become apparent from the drawings and the following detailed description.

Description of the drawings

In the drawings, unless otherwise specified, the same reference numerals denote the same or similar parts or elements throughout the several figures. The drawings are not necessarily to scale. It should be understood that these drawings depict only some embodiments disclosed in accordance with the present application and should not be regarded as limiting the scope of the present application.

FIG. 1 is a flowchart of a microservice access control method according to an embodiment of the present application;

FIG. 2 is a schematic diagram of the microservice architecture of a microservice access control method according to another embodiment of the present application;

FIG. 3 is a schematic diagram of the rights management of a microservice access control method according to another embodiment of the present application;

FIG. 4 is a schematic diagram of the data setup of a microservice access control method according to another embodiment of the present application;

FIG. 5 is a schematic diagram of the data setup of a microservice access control method according to another embodiment of the present application;

FIG. 6 is a schematic diagram of the data setup of a microservice access control method according to another embodiment of the present application;

FIG. 7 is a schematic diagram of the data setup of a microservice access control method according to another embodiment of the present application;

FIG. 8 is a schematic diagram of the data setup of a microservice access control method according to another embodiment of the present application;

FIG. 9 is a flowchart of a microservice access control method according to another embodiment of the present application;

FIG. 10 is a schematic diagram of the microservice gateway architecture and access control flow of a microservice access control method according to another embodiment of the present application;

FIG. 11 is a schematic diagram of a microservice access control apparatus according to an embodiment of the present application;

FIG. 12 is a schematic diagram of a microservice access control apparatus according to another embodiment of the present application;

FIG. 13 is a schematic diagram of the query unit of a microservice access control apparatus according to another embodiment of the present application;

FIG. 14 is a block diagram of an electronic device used to implement the microservice access control method of an embodiment of the present application.

Detailed description

In the following, only certain exemplary embodiments are briefly described. As those skilled in the art will recognize, the described embodiments may be modified in various ways without departing from the spirit or scope of the present application. Accordingly, the drawings and description are to be regarded as illustrative in nature and not restrictive.

FIG. 1 is a flowchart of a microservice access control method according to an embodiment of the present application. As shown in FIG. 1, the microservice access control method may include:

Step S110: receiving an access request to a target interface of a microservice, the access request including a user identifier;

Step S120: querying the authorization role corresponding to the user identifier, the authorization role including at least one interface to which access is permitted;

Step S130: controlling access to the target interface according to the query result.

In a microservice architecture, a client may complete a single user request by calling the interfaces of several microservices. For example, when a user views the information of a product, that information may include basic product information, price information, review information, discount information, inventory information and so on, and these pieces of information come from different microservices, such as a product system, a price system, a review system, a promotion system and an inventory system. Completing the view therefore requires calling several microservices. In this case, an API gateway can be placed between the client and the server so that all external requests pass through this microservice gateway and the gateway calls the individual microservices.

FIG. 2 is a schematic diagram of the microservice architecture of a microservice access control method according to another embodiment of the present application. In the example of FIG. 2, "third party" refers to a third-party application that uses the microservices, that is, the user accessing the microservices. In the microservice architecture shown in FIG. 2, third parties, charging stations, apps (applications) and developer-ecosystem access endpoints all access the business middle platform that provides in-vehicle services through a unified open-platform gateway (the microservice gateway). The "middle platform", as distinct from the front end and back end, refers to the set of middleware shared within the system. The business middle platform may include multiple microservices, each of which may be a business service composed of the common requirements of the business. For example, the common requirements may cover car manufacturers, users, vehicles, orders, deliveries and so on; combining these common functions into unified business services lets them be offered to third-party applications. In FIG. 2, the microservices of the business middle platform that provides in-vehicle services may include a user microservice for providing user information, a weather microservice for providing weather information, and the like.

While the system is running, the microservice gateway has to perform access control on a large number of microservice interfaces. Taking a cloud platform built on the SpringCloud microservice architecture as an example, such a platform may offer users dozens of microservices, each microservice may provide several interfaces, and the total number of interfaces may exceed 800. In the prior art, a third-party application accesses the corresponding interfaces through the microservice gateway to perform account activation, token exchange and function use. For example, account activation may include steps such as an account binding request, binding verification, sending of a verification code and returning the binding verification result. Token exchange may include steps such as a token exchange request, generation of a new token and return of the new token. Function use may include steps such as function invocation, token verification, task distribution, command issuance and result feedback. During this access process, if a large number of users access the system concurrently, the large number of interfaces causes a performance bottleneck in the gateway's authorization service.

In view of this, the present application provides a microservice access control method that grants different access rights to different third-party applications, so as to achieve unified management of both access rights and access security for multiple microservice interfaces.

As mentioned above, each microservice in a microservice architecture may provide several interfaces. Each interface may be a URL (Uniform Resource Locator), the notation used on the World Wide Web to specify the location of a resource, also called a web address. In step S110, the microservice gateway receives a user's access request to a target interface. The access request may include the URL of the target interface being requested, the user identifier and other information. In one example, the user identifier may be an Access Key Id (AK). The microservice gateway can verify the identity of the user behind a request by means of an Access Key Id / Secret Access Key (SK) cryptographic check: the Access Key Id (AK) identifies the user, and the Secret Access Key (SK) is the key the user uses to produce the authentication string and the microservice uses to verify it.

FIG. 3 is a schematic diagram of the rights management of a microservice access control method according to another embodiment of the present application. As shown in FIG. 3, gateway rights management in this embodiment is implemented through authorization roles. Unlike the rights management of a traditional gateway, which grants URL permissions directly to a user AK, the gateway in this embodiment assigns authorization roles to a user AK, where an authorization role is a set of microservice URLs. In the example of FIG. 3, the authorization roles assigned by the gateway to a given user AK are authorization role 1, authorization role 2 and authorization role 3. Authorization role 1 includes authorized URL1 and URL2, authorization role 2 includes authorized URL3, URL4 and URL5, and authorization role 3 also includes at least one authorized URL (not shown in FIG. 3). Once the gateway has assigned authorization roles to the user AK, the user AK is granted the right to access the URLs included in those roles. In the example of FIG. 3, the gateway assigns authorization roles 1, 2 and 3 to the user AK, so the permissions held by the user AK cover URL1 and URL2 from authorization role 1, URL3, URL4 and URL5 from authorization role 2, and the at least one URL included in authorization role 3.

In this embodiment of the present application, the correspondence between a user identifier and at least one authorization role may be configured in advance and stored in the database as a relation table. The correspondence between an authorization role and at least one authorized URL shown in FIG. 3 may likewise be stored in the database in advance as a relation table. In step S120, the authorization role corresponding to the user identifier may be queried from the user-identifier-to-authorization-role correspondence, and the authorized URLs of that role may then be queried from the authorization-role-to-URL correspondence. In step S130, if the authorization role corresponding to the user identifier includes the target interface the user requested, the user is allowed to access the target interface.

By granting a user access to at least one microservice interface through an authorization role, this embodiment achieves unified management of access rights to multiple microservice interfaces and ensures secure access control of microservice interfaces while maintaining service performance.

In one implementation, the above method further includes:

configuring in advance at least one microservice on which access control is to be performed; and

configuring in advance the correspondence between each microservice and at least one interface.

In one example, the correspondence between each microservice that requires access control and at least one interface may be configured in advance and stored in the database as a relation table. In one example, the microservice name may be maintained first and the interface URLs contained in the microservice afterwards; that is, the names of the microservices subject to access control are stored in the database first, and then the interface URLs contained in each microservice are stored.

FIG. 4 is a schematic diagram of the data setup of a microservice access control method according to another embodiment of the present application. In the example of FIG. 4, the microservice interface URL is admin/url/insertOrUpdate, and the owning microservice configured for this URL is named goods-service.

In this embodiment, maintaining the correspondence between microservices and interface URLs provides the data foundation for unified management of access rights to microservice interfaces.

In one implementation, the above method further includes:

configuring in advance at least one authorization role; and

configuring in advance the correspondence between each authorization role and at least one interface to which access is permitted.

To achieve unified management of access rights to multiple microservice interfaces, the database must maintain, in addition to the microservice-to-interface-URL correspondence described above, the correspondence between each authorization role and at least one authorized URL. As in the example of FIG. 3, the correspondence between an authorization role and at least one authorized URL may be configured in advance and stored in the database as a relation table.

In one example, the authorization roles may be maintained first, and the authorization relationship between a role and its URLs may then be bound using the microservice-to-interface-URL correspondence maintained in the example of FIG. 4. That is, the configured authorization roles are stored in the database first, and then the interface URLs contained in each authorization role are stored.

FIG. 5 and FIG. 6 are schematic diagrams of the data setup of a microservice access control method according to another embodiment of the present application. In the example of FIG. 5, the first column of the two-dimensional relation table in the database is the authorization role name, the second column is the creation time, the third column is the authorization role description, and the fourth column holds the operations that can be performed on the authorization role. For example, the authorization role recorded in the third row of FIG. 5 is named "message platform", and the box in the figure marks the "authorize" operation button for that role. Clicking the "authorize" button takes the program to the interface shown in FIG. 6, where the interface URL access rights of the authorization role named "message platform" can be configured. Still referring to FIG. 6, the interface URLs provided by the microservice named goods-service include admin/url/insertOrUpdate, and FIG. 6 allows the correspondence between the authorization role "message platform" and the interface URL admin/url/insertOrUpdate to be set. If a user's authorization role is "message platform", that user has access to the interface URL admin/url/insertOrUpdate.

In this embodiment, maintaining the correspondence between authorization roles and interface URLs lets a user be granted access to at least one microservice interface, achieves unified management of access rights to multiple microservice interfaces, and ensures secure access control of microservice interfaces while maintaining service performance.

In one implementation, the above method further includes:

configuring in advance at least one user identifier; and

configuring in advance the correspondence between each user identifier and at least one authorization role.

To achieve unified management of access rights to multiple microservice interfaces, the database must maintain, in addition to the microservice-to-interface-URL correspondence and the authorization-role-to-authorized-URL correspondence described above, the correspondence between each user identifier and at least one authorization role. The user identifier may be an AK. In one example, an AK and SK are first issued to the third-party application, and then the authorization role(s) corresponding to that AK are maintained, so that different AKs are granted their respective permissions. That is, the configured user identifiers are stored in the database first, and then the authorization role(s) corresponding to each user identifier are stored.

FIG. 7 and FIG. 8 are schematic diagrams of the data setup of a microservice access control method according to another embodiment of the present application. In the example of FIG. 7, the first column of the two-dimensional relation table in the database is the user AK, the second column is the SK, the third column is the creation time, the fourth column is the user description corresponding to the user AK, and the fifth column holds the operations that can be performed on the user AK. A user here may be a third-party application that uses the microservices. For example, the user description of the user AK recorded in the first row of FIG. 7 is "charging service", and the box in the figure marks the "modify" operation button for that user AK. Clicking the "authorize" button takes the program to the interface shown in FIG. 8, where the authorization role of the user AK described as "charging service" can be configured. Still referring to FIG. 8, the user AK described as "charging service" can be mapped to the authorization role that is also named "charging service". With this setup, the user AK holds access rights to all interfaces included in the authorization role named "charging service".

In this embodiment, the database maintains three correspondences, microservice-to-interface, authorization-role-to-interface and user-identifier-to-authorization-role, and this layered maintenance model lets a user be granted access to at least one microservice interface, achieves unified management of access rights to multiple microservice interfaces, and ensures secure access control of microservice interfaces while maintaining service performance.

FIG. 9 is a flowchart of a microservice access control method according to another embodiment of the present application. As shown in FIG. 9, in one implementation, step S120 of FIG. 1, querying the authorized role corresponding to the user identifier, may specifically include: step S210, querying the authorized role corresponding to the user identifier according to the correspondence between the user identifier and at least one authorized role;

The method further includes:

Step S220, querying the interfaces with access rights included in the authorized role corresponding to the user identifier, according to the correspondence between the authorized role and at least one interface with access rights.

FIG. 10 is a schematic diagram of the microservice gateway architecture and the access control flow of a microservice access control method according to another embodiment of the present application. The partner application backend in FIG. 10 may be a third-party application that uses the microservices. The partner application backend sends an access request for a target interface of a microservice to the authorization appraisal module of the microservice gateway. The authorization appraisal module sends a query request to the data storage module to check whether the user invoking the interface holds the corresponding permission.

The data storage module can be populated in advance through the authority assignment module. Data maintenance may include: assembling the permission assignment data requested by the front end and sending a request to the data storage module; the data storage module responds to the request by saving the resulting permissions. For brevity, "authorized role" is shortened to "role" within the data storage module. The data relationships maintained in the data storage module may include:

1) A user object (user) table, whose fields may include the user AK and the user SK;

2) A user-role relationship object (user-role) table, whose fields may include the user AK and the role id (identifier);

3) A role object (role) table, whose fields may include the role id and the role name;

4) A role-URL relationship object (role-URL) table, whose fields may include the role id and the permission id, where the permission id is the URL id;

5) A URL object (URL object) table, whose fields may include the interface id and the interface address, where the interface id is the URL id;

6) A microservice-URL relationship object (service-URL) table, whose fields may include the service id and the interface id;

7) A microservice object (Micro service) table, whose fields may include the service id and the service name.

Referring to FIG. 10, the process of querying whether the user invoking the interface holds the corresponding permission may include:

Step 1) Based on the user identifier included in the access request, look up in the user object (user) table whether a user AK matching the user identifier exists;

Step 2) If a user AK matching the user identifier is found in step 1), look up the role id corresponding to that user AK in the user-role relationship object (user-role) table;

Step 3) Based on the role id found in step 2), look up the URL id corresponding to that role id in the role-URL relationship object (role-URL) table;

Step 4) Based on the URL id found in step 3), look up the interface address (URL) corresponding to that URL id in the URL object (URL object) table.

In the embodiments of the present application, the interfaces belonging to the authorized role of a user identifier are queried through the above process, and unified management of access rights to multiple microservice interfaces is achieved through authorized roles: users with the same access requirements are simply assigned the same authorized role, and there is no need to configure the authorized URLs for each user separately. Since the number of authorized roles is far smaller than the number of URLs, the microservice access control method of the embodiments improves management efficiency and preserves service performance.
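The seven tables and the four-step lookup above, worked through as an added example (this is not the patent's code; the table and column names, the in-memory SQLite store and the seed rows are this example's own assumptions, and the seed rows are constructed sample data). The lookup chain user -> user-role -> role-URL -> URL object is expressed as one join, and grant_role shows why the role layer keeps per-user maintenance small:

```python
import sqlite3

# Schema modelled on the seven tables listed above (names are this example's own).
SCHEMA = """
CREATE TABLE user          (ak TEXT PRIMARY KEY, sk TEXT NOT NULL);
CREATE TABLE role          (role_id INTEGER PRIMARY KEY, role_name TEXT NOT NULL UNIQUE);
CREATE TABLE user_role     (ak TEXT NOT NULL REFERENCES user(ak),
                            role_id INTEGER NOT NULL REFERENCES role(role_id),
                            PRIMARY KEY (ak, role_id));
CREATE TABLE url_object    (url_id INTEGER PRIMARY KEY, url TEXT NOT NULL UNIQUE);
CREATE TABLE role_url      (role_id INTEGER NOT NULL REFERENCES role(role_id),
                            url_id INTEGER NOT NULL REFERENCES url_object(url_id),
                            PRIMARY KEY (role_id, url_id));
CREATE TABLE micro_service (service_id INTEGER PRIMARY KEY, service_name TEXT NOT NULL UNIQUE);
CREATE TABLE service_url   (service_id INTEGER NOT NULL REFERENCES micro_service(service_id),
                            url_id INTEGER NOT NULL REFERENCES url_object(url_id),
                            PRIMARY KEY (service_id, url_id));
"""

# Constructed sample data: a charging service and a weather service, one role
# per service, and one partner AK per role.
SEED = """
INSERT INTO micro_service VALUES (1, 'charging'), (2, 'weather');
INSERT INTO url_object VALUES (10, '/charging/start'), (11, '/charging/stop'), (20, '/weather/now');
INSERT INTO service_url VALUES (1, 10), (1, 11), (2, 20);
INSERT INTO role VALUES (100, 'charging service'), (200, 'weather reader');
INSERT INTO role_url VALUES (100, 10), (100, 11), (200, 20);
INSERT INTO user VALUES ('AK-charging-app', 'sk-secret-1'), ('AK-weather-app', 'sk-secret-2');
INSERT INTO user_role VALUES ('AK-charging-app', 100), ('AK-weather-app', 200);
"""


def open_store():
    """In-memory data storage module with referential integrity enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SEED)
    return conn


def authorized_urls(conn, ak):
    """Steps 1) to 4) as a single join: user -> user_role -> role_url -> url_object.
    Returns the sorted interface addresses the AK may call; [] for an unknown AK."""
    rows = conn.execute(
        """SELECT DISTINCT uo.url
             FROM user usr
             JOIN user_role  ur ON ur.ak = usr.ak
             JOIN role_url   ru ON ru.role_id = ur.role_id
             JOIN url_object uo ON uo.url_id = ru.url_id
            WHERE usr.ak = ?""",
        (ak,),
    ).fetchall()
    return sorted(r[0] for r in rows)


def is_authorized(conn, ak, target_url):
    """Authorization appraisal for one request: allow only when some role held by
    the AK includes the exact target interface.  The lookup is keyed on the AK, so
    an unknown AK falls through to deny without any special casing."""
    row = conn.execute(
        """SELECT 1
             FROM user usr
             JOIN user_role  ur ON ur.ak = usr.ak
             JOIN role_url   ru ON ru.role_id = ur.role_id
             JOIN url_object uo ON uo.url_id = ru.url_id
            WHERE usr.ak = ? AND uo.url = ?
            LIMIT 1""",
        (ak, target_url),
    ).fetchone()
    return row is not None


def grant_role(conn, ak, role_name):
    """Authority assignment: attach an existing role to an AK.  Access is derived
    from role_url, so every interface in the role becomes callable at once and
    nothing per-URL is written for the user.  An AK missing from the user table
    is rejected by the foreign key (sqlite3.IntegrityError)."""
    found = conn.execute("SELECT role_id FROM role WHERE role_name = ?", (role_name,)).fetchone()
    if found is None:
        raise ValueError(f"unknown role {role_name!r}")
    with conn:
        conn.execute("INSERT OR IGNORE INTO user_role VALUES (?, ?)", (ak, found[0]))


if __name__ == "__main__":
    store = open_store()
    print(authorized_urls(store, "AK-charging-app"))                # ['/charging/start', '/charging/stop']
    print(is_authorized(store, "AK-charging-app", "/weather/now"))  # False
    grant_role(store, "AK-charging-app", "weather reader")
    print(is_authorized(store, "AK-charging-app", "/weather/now"))  # True
```

The decision query matches the URL exactly; a gateway that applies prefix or pattern matching would need to normalise the request path first, otherwise path-encoding tricks could make a request look like an authorized interface.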

In one implementation, controlling access to the target interface according to the query result includes:

Allowing access to the target interface when the authorized role corresponding to the user identifier includes the target interface.

Referring again to FIG. 10, after the authorization appraisal module asks the data storage module whether the user invoking the interface holds the corresponding permission, the data storage module runs the query process of steps 1) to 4) above and returns the authorization result to the authorization appraisal module. If the target interface requested by the user is found in step 4), access to the target interface is allowed. In one implementation, after authorization passes, the signature verification module can additionally compute a tamper-resistant signature from the request parameters in the access request to determine whether the request has been tampered with. The gateway illustrated in FIG. 10 uses a unified authentication scheme that requires a tamper-resistant signature over all request parameters, securing access over the Internet. If verification in the signature verification module passes, the partner application backend is allowed to access the target interface and the requested data is returned. For example, if the partner application backend requests access to the weather microservice, the requested weather information is returned.

In the embodiments of the present application, a user identifier-role-authorization management model is adopted: roles are assigned to user AKs and authorization is managed per role, achieving unified and efficient management of access rights to multiple microservice interfaces. Take a cloud platform built on the SpringCloud microservice architecture as an example: the platform may offer users dozens of microservices, each microservice may expose several interfaces, and the total number of interfaces may exceed 800. With the microservice access control method of the embodiments, the time needed to issue an AK and SK to a new user can be kept within one minute, which noticeably improves system performance.

In one implementation, controlling access to the target interface according to the query result includes:

Performing tamper-resistant verification on the access request when the authorized role corresponding to the user identifier includes the target interface;

Allowing access to the target interface when the tamper-resistant verification passes.

In this implementation, authorization is determined to have passed when the authorized role corresponding to the user identifier includes the target interface. Referring to the example of FIG. 10, after authorization passes, the signature verification module can additionally compute a tamper-resistant signature from the request parameters in the access request to determine whether the request has been tampered with. In one example, the request parameters may include Access KeyId, timestamp and sign (the tamper-resistant signature).

In the embodiments of the present application, the tamper-resistant signature, applied on top of authorization, further ensures secure access control of the microservice interfaces.

In one implementation, performing tamper-resistant verification on the access request includes:

Generating first tamper-resistant signature information from the secret key corresponding to the user identifier and the timestamp included in the access request;

Comparing the first tamper-resistant signature information with the second tamper-resistant signature information included in the access request;

Determining that the tamper-resistant verification passes when the first tamper-resistant signature information is identical to the second tamper-resistant signature information.

In one exemplary tamper-resistant verification scheme, the client may be required to include the following request parameters in the Header of the access request message:

1. access Key Id: the user identifier.

The access Key Id is allocated to the third-party application by the web management system of the unified open platform gateway.

2. timestamp: the request time.

In one example, the timestamp may be a 13-digit timestamp (millisecond precision), for example 1569291769123. The request time may be expressed in UTC+8. UTC is Coordinated Universal Time; because the English (CUT) and French (TUC) abbreviations differ, UTC was adopted as a compromise. UTC+8 is Universal Time plus eight hours, the time of the East Eighth time zone, which is Beijing time.

3. sign: the tamper-resistant signature, for example OnV1CRIWXv+k89BTphzb0AZ9m3A=.

The tamper-resistant signature is generated from the secret key corresponding to the access Key Id, the timestamp and a signature algorithm. On the client side, the second tamper-resistant signature information, that is, the request parameter sign included in the access request, is generated with the signature algorithm from the secret key SK corresponding to the access Key Id and the timestamp of the access request. After receiving the access request, the server computes the first tamper-resistant signature information from the secret key corresponding to the user identifier and the timestamp included in the access request, using the same signature algorithm, that is, the same computation. The server then compares the sign in the client Header (the second tamper-resistant signature information) with the first tamper-resistant signature information it computed; if they are identical, the third-party application that issued the access request is legitimate and the signed request parameters have not been tampered with. In this case the tamper-resistant verification is determined to have passed.

In the embodiments of the present application, the tamper-resistant signature is intended to address forgery, repudiation, impersonation and tampering, guaranteeing the integrity of the transmitted information and the authentication of the sender and preventing repudiation during the interaction. Note that because the SK is a secret shared between the third-party application and the gateway, the sign computed above is a message authentication code: it authenticates the sender to the gateway and protects the integrity of the fields it covers, but since the gateway can compute the same value itself, it does not on its own provide non-repudiation in the sense of a public-key digital signature.
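The three-parameter Header scheme and the first/second signature comparison above, worked through on both sides as an added example (this is not the patent's code). The patent does not name its signature algorithm, so HMAC-SHA256 is assumed; the header keys, the key store, the five-minute acceptance window and the sample AK/SK values are this example's own constructed assumptions. The example goes one step beyond the text: the patent derives sign from the SK and the timestamp only, whereas here the access Key Id, HTTP method and path are also bound into the signed string so that a sign captured for one interface cannot be reused against another.

```python
import base64
import hashlib
import hmac
import time

# Constructed key store standing in for the gateway's user table (AK -> SK).
SECRET_KEYS = {"AK-charging-app": b"sk-secret-1"}

# Assumption: a request whose timestamp is more than five minutes from the
# gateway clock is refused, which bounds how long a captured sign stays usable.
MAX_CLOCK_SKEW_MS = 5 * 60 * 1000


def canonical_string(access_key_id, timestamp_ms, method, path):
    """Bytes covered by the MAC.  The patent signs the timestamp; the access Key
    Id, HTTP method and path are added here (an extension, see the lead-in)."""
    return f"{access_key_id}\n{timestamp_ms}\n{method.upper()}\n{path}".encode("utf-8")


def make_sign(sk, access_key_id, timestamp_ms, method, path):
    """HMAC-SHA256 (assumed algorithm), base64-encoded like the sample sign above."""
    mac = hmac.new(sk, canonical_string(access_key_id, timestamp_ms, method, path), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def client_headers(access_key_id, sk, method, path, now_ms=None):
    """Client side: build the three Header parameters (sign is the second
    tamper-resistant signature information)."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms   # 13-digit ms timestamp
    return {
        "accessKeyId": access_key_id,
        "timestamp": str(ts),
        "sign": make_sign(sk, access_key_id, ts, method, path),
    }


def verify_request(headers, method, path, now_ms=None):
    """Gateway side: recompute the first signature information from the stored
    SK and the presented timestamp, then compare.  Returns (ok, reason) so the
    gateway can log why a request was refused without telling the caller."""
    ak = headers.get("accessKeyId", "")
    sk = SECRET_KEYS.get(ak)
    if sk is None:
        return False, "unknown access Key Id"
    try:
        ts = int(headers.get("timestamp", ""))
    except ValueError:
        return False, "malformed timestamp"
    now = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(now - ts) > MAX_CLOCK_SKEW_MS:
        return False, "timestamp outside accepted window"
    expected = make_sign(sk, ak, ts, method, path)      # first signature information
    presented = headers.get("sign", "")                 # second signature information
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = 1569291769123   # the sample timestamp from the text, used as "now"
    hdrs = client_headers("AK-charging-app", SECRET_KEYS["AK-charging-app"], "GET", "/weather/now", now)
    print(verify_request(hdrs, "GET", "/weather/now", now))        # (True, 'ok')
    print(verify_request(hdrs, "GET", "/charging/start", now))     # (False, 'signature mismatch')
```

The timestamp window only limits replay; within the window a captured request verifies again, so a gateway that needs single-use requests must also remember recently seen (access Key Id, timestamp, sign) tuples. Because the sign here covers the path, a gateway could run this check before the database lookup of FIG. 10 and drop forged requests without touching the store; the patent's flow performs the lookup first.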

FIG. 11 is a schematic diagram of a microservice access control apparatus according to an embodiment of the present application. As shown in FIG. 11, the microservice access control apparatus may include:

a receiving unit 100, configured to receive an access request for a target interface of a microservice, the access request including a user identifier;

a query unit 200, configured to query the authorized role corresponding to the user identifier, the authorized role including at least one interface with access rights;

a control unit 300, configured to control access to the target interface according to the query result.

FIG. 12 is a schematic diagram of a microservice access control apparatus according to another embodiment of the present application. As shown in FIG. 12, the apparatus further includes a setting unit 400, configured to:

preset at least one microservice subject to access control;

preset the correspondence between each microservice and at least one interface.

In one implementation, the apparatus further includes a setting unit 400, configured to:

preset at least one authorized role;

preset the correspondence between the authorized role and at least one interface with access rights.

In one implementation, the setting unit 400 is further configured to:

preset at least one user identifier;

preset the correspondence between the user identifier and at least one authorized role.

FIG. 13 is a schematic diagram of the query unit of a microservice access control apparatus according to another embodiment of the present application. As shown in FIG. 13, in one implementation, the query unit 200 includes:

a first query subunit 210, configured to query the authorized role corresponding to the user identifier according to the correspondence between the user identifier and at least one authorized role;

a second query subunit 220, configured to query the interfaces with access rights included in the authorized role corresponding to the user identifier, according to the correspondence between the authorized role and at least one interface with access rights.

In one implementation, the control unit 300 is configured to:

allow access to the target interface when the authorized role corresponding to the user identifier includes the target interface.

In one implementation, the control unit 300 includes:

a verification subunit, configured to perform tamper-resistant verification on the access request when the authorized role corresponding to the user identifier includes the target interface;

a control subunit, configured to allow access to the target interface when the tamper-resistant verification passes.

In one implementation, the verification subunit is configured to:

generate first tamper-resistant signature information from the secret key corresponding to the user identifier and the timestamp included in the access request;

compare the first tamper-resistant signature information with the second tamper-resistant signature information included in the access request;

determine that the tamper-resistant verification passes when the first tamper-resistant signature information is identical to the second tamper-resistant signature information.

For the functions of the units of the microservice access control apparatus in the embodiments of the present application, refer to the corresponding descriptions of the method above; they are not repeated here.

FIG. 14 is a block diagram of an electronic device for implementing the microservice access control method according to an embodiment of the present application. As shown in FIG. 14, the control device includes a memory 910 and a processor 920; the memory 910 stores instructions executable on the processor 920. When the processor 920 executes the instructions, the microservice access control method of the above embodiments is implemented. There may be one or more memories 910 and processors 920. The control device is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes and other suitable computers. The control device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smartphones, wearable devices and other similar computing devices. The components shown here, their connections and relationships, and their functions are merely examples and are not intended to limit the implementations of the application described and/or claimed herein.

The control device may further include a communication interface 930 for communicating with external devices and exchanging data. The components are interconnected by different buses and may be mounted on a common motherboard or in other ways as needed. The processor 920 can process instructions executed within the control device, including instructions stored in or on the memory for displaying graphical information of a GUI on an external input/output device (such as a display device coupled to the interface). In other implementations, multiple processors and/or multiple buses may be used together with multiple memories, if needed. Likewise, multiple control devices may be connected, each providing part of the necessary operations (for example, as a server array, a group of blade servers or a multi-processor system). The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is shown in FIG. 14, but this does not mean there is only one bus or one type of bus.

Optionally, in a specific implementation, if the memory 910, the processor 920 and the communication interface 930 are integrated on one chip, they may communicate with each other through an internal interface.

It should be understood that the processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor. Note that the processor may be a processor supporting the advanced RISC machines (ARM) architecture.

The embodiments of the present application provide a computer-readable storage medium (such as the memory 910 above) storing computer instructions; when the instructions are executed by a processor, the methods provided in the embodiments of the present application are implemented.

Optionally, the memory 910 may include a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required by at least one function, and the data storage area may store data created during use of the microservice access control apparatus, and so on. In addition, the memory 910 may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments, the memory 910 may optionally include memory located remotely from the processor 920, which may be connected to the microservice access control apparatus through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.

In the description of this specification, references to "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" mean that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present application. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, where there is no contradiction, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those embodiments or examples.

In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means two or more unless expressly and specifically defined otherwise.

Any process or method described in a flowchart or otherwise herein may be understood as representing a module, segment or portion of code comprising one or more (two or more) executable instructions for implementing specific logical functions or steps of the process. The scope of the preferred embodiments of the present application also includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order, depending on the functions involved.

The logic and/or steps represented in a flowchart or otherwise described herein, for example, may be regarded as an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in conjunction with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system capable of fetching and executing instructions from an instruction execution system, apparatus or device).

It should be understood that the parts of the present application may be implemented in hardware, software, firmware or a combination thereof. In the above implementations, multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. All or part of the steps of the methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.

In addition, the functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist physically on its own, or two or more units may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. The storage medium may be a read-only memory, a magnetic disk, an optical disk or the like.

The above are only specific implementations of the present application, but the scope of protection of the present application is not limited thereto. Any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed by the present application, and these should all fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be that of the claims.

Claims (18)

1. A method for micro-service access control, comprising:
receiving an access request to a target interface of the micro service, wherein the access request comprises a user identifier;
inquiring an authorized role corresponding to the user identification, wherein the authorized role comprises at least one interface with access right;
and controlling the access to the target interface according to the query result.
2. The method of claim 1, further comprising:
presetting at least one micro service for access control;
and presetting the corresponding relation between each micro service and at least one interface.
3. The method of claim 1, further comprising:
presetting at least one authorized role;
and presetting the corresponding relation between the authorized role and at least one interface with access authority.
4. The method of claim 3, further comprising:
presetting at least one user identifier;
the corresponding relation between the user identification and at least one authorized role is preset.
5. The method of claim 4,
inquiring an authorized role corresponding to the user identification, wherein the method comprises the following steps: inquiring an authorized role corresponding to the user identifier according to the corresponding relation between the user identifier and at least one authorized role;
the method further comprises the following steps:
and inquiring the interface with the access right included in the authorization role corresponding to the user identification according to the corresponding relation between the authorization role and at least one interface with the access right.
6. The method of any of claims 1 to 5, wherein controlling access to the target interface based on the result of the query comprises:
and allowing access to the target interface under the condition that the authorized role corresponding to the user identification comprises the target interface.
7. The method of any of claims 1 to 5, wherein controlling access to the target interface based on the result of the query comprises:
performing tamper-proof verification on the access request under the condition that the authorized role corresponding to the user identifier comprises the target interface;
and in the case that the tamper-proof verification is passed, allowing access to the target interface.
8. The method of claim 7, wherein performing tamper-proof verification on the access request comprises:
generating first tamper-proof signature information according to a secret key corresponding to the user identifier and a timestamp included in the access request;
comparing the first tamper-proof signature information with second tamper-proof signature information included in the access request;
and determining that the tamper-proof verification passes if the first tamper-proof signature information is the same as the second tamper-proof signature information.
9. A microservice access control device, comprising:
a receiving unit, configured to receive an access request for a target interface of a microservice, wherein the access request comprises a user identifier;
a query unit, configured to query an authorized role corresponding to the user identifier, wherein the authorized role comprises at least one interface with access right;
and a control unit, configured to control access to the target interface according to the query result.
10. The apparatus according to claim 9, further comprising a setting unit for:
presetting at least one micro service for access control;
and presetting the corresponding relation between each micro service and at least one interface.
11. The apparatus according to claim 9, further comprising a setting unit for:
presetting at least one authorized role;
and presetting the corresponding relation between the authorized role and at least one interface with access authority.
12. The apparatus of claim 11, wherein the setting unit is further configured to:
presetting at least one user identifier;
and presetting the corresponding relation between the user identifier and at least one authorized role.
13. The apparatus of claim 12, wherein the query unit comprises:
a first query subunit, configured to query the authorized role corresponding to the user identifier according to the corresponding relation between the user identifier and at least one authorized role;
and a second query subunit, configured to query, according to the corresponding relation between the authorized role and at least one interface with access right, the interface with access right included in the authorized role corresponding to the user identifier.
14. The apparatus according to any one of claims 9 to 13, wherein the control unit is configured to:
and allowing access to the target interface under the condition that the authorized role corresponding to the user identification comprises the target interface.
15. The apparatus according to any one of claims 9 to 13, wherein the control unit comprises:
a verification subunit, configured to perform tamper-proof verification on the access request under the condition that the authorized role corresponding to the user identifier comprises the target interface;
and a control subunit, configured to allow access to the target interface in the case that the tamper-proof verification is passed.
16. The apparatus of claim 15, wherein the verification subunit is configured to:
generate first tamper-proof signature information according to a secret key corresponding to the user identifier and a timestamp included in the access request;
compare the first tamper-proof signature information with second tamper-proof signature information included in the access request;
and determine that the tamper-proof verification passes if the first tamper-proof signature information is the same as the second tamper-proof signature information.
17. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1 to 8.
18. A computer readable storage medium having stored therein computer instructions which, when executed by a processor, implement the method of any one of claims 1 to 8.
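Claims 1 to 8 (mirrored as apparatus units in claims 9 to 16) together describe one check: look up the user's authorized roles, confirm the target interface is among the interfaces those roles carry, then recompute a signature from the user's secret key and the request timestamp and compare it with the signature sent in the request. The following Python sketch is an added illustration, not code from the patent or its applicant; the sample tables and keys, the HMAC-SHA256 construction, the constant-time comparison in place of the claim's plain equality, and the five-minute freshness window are all assumptions of the example (the window and constant-time compare go beyond the claim text and are marked as such in the comments).

```python
import hashlib
import hmac
from dataclasses import dataclass

# Preset correspondence tables (claims 2 to 4). All values are constructed samples.
MICROSERVICE_INTERFACES = {
    "order-service": {"/orders/create", "/orders/query"},
    "user-service": {"/users/profile"},
}
ROLE_INTERFACES = {
    "customer": {"/orders/create", "/orders/query", "/users/profile"},
    "auditor": {"/orders/query"},
}
USER_ROLES = {"u-1001": {"customer"}, "u-2002": {"auditor"}}
USER_KEYS = {"u-1001": b"k-1001-secret", "u-2002": b"k-2002-secret"}
MAX_CLOCK_SKEW_S = 300  # freshness window: an addition beyond claim 8


@dataclass
class AccessRequest:
    user_id: str
    microservice: str
    interface: str
    timestamp: int   # Unix seconds chosen by the caller
    signature: str   # the "second tamper-proof signature information"


def sign(key: bytes, timestamp: int) -> str:
    """First tamper-proof signature: HMAC-SHA256 of the timestamp under the user's key."""
    return hmac.new(key, str(timestamp).encode(), hashlib.sha256).hexdigest()


def interfaces_for_user(user_id: str) -> set:
    """Claim 5: user id -> authorized roles -> interfaces with access right."""
    allowed = set()
    for role in USER_ROLES.get(user_id, ()):
        allowed |= ROLE_INTERFACES.get(role, set())
    return allowed


def tamper_check(req: AccessRequest, now: int) -> bool:
    """Claim 8: recompute the signature and compare; the skew window is added here."""
    key = USER_KEYS.get(req.user_id)
    if key is None or abs(now - req.timestamp) > MAX_CLOCK_SKEW_S:
        return False
    # constant-time comparison instead of plain == (defensive choice, not in the claim)
    return hmac.compare_digest(sign(key, req.timestamp), req.signature)


def control_access(req: AccessRequest, now: int) -> tuple:
    """Claims 1, 6 and 7: role check first, then tamper-proof verification."""
    if req.interface not in MICROSERVICE_INTERFACES.get(req.microservice, set()):
        return (False, "interface not registered for microservice")
    if req.interface not in interfaces_for_user(req.user_id):
        return (False, "authorized role does not include target interface")
    if not tamper_check(req, now):
        return (False, "tamper-proof verification failed")
    return (True, "access allowed")
```

A request whose role lacks the interface is refused before any signature work is done, which is the ordering claim 7 prescribes.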
CN202010451184.9A 2020-05-25 2020-05-25 Micro-service access control method and device, electronic equipment and storage medium Pending CN111600899A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010451184.9A CN111600899A (en) 2020-05-25 2020-05-25 Micro-service access control method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN111600899A true CN111600899A (en) 2020-08-28

Family

ID=72191918

Country Status (1)

Country Link
CN (1) CN111600899A (en)

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112055024A (en) * 2020-09-09 2020-12-08 深圳市欢太科技有限公司 Authority verification method and device, storage medium and electronic equipment
CN112165524A (en) * 2020-09-28 2021-01-01 唐斌 Intelligent calling software system for pre-hospital emergency treatment
CN112165454A (en) * 2020-09-03 2021-01-01 北京金山云网络技术有限公司 Access control method, device, gateway and console
CN112333167A (en) * 2020-10-27 2021-02-05 北京聚通达科技股份有限公司 Unified authentication system
CN112333272A (en) * 2020-11-06 2021-02-05 杭州安恒信息技术股份有限公司 A microservice data access method, apparatus, device and readable storage medium
CN112685443A (en) * 2021-01-12 2021-04-20 树根互联技术有限公司 Data query method and device, electronic equipment and computer readable storage medium
CN112818062A (en) * 2021-02-04 2021-05-18 北京易车互联信息技术有限公司 Basic data support assembly system
CN113285933A (en) * 2021-05-13 2021-08-20 京东数字科技控股股份有限公司 User access control method and device, electronic equipment and storage medium
CN113505382A (en) * 2021-06-18 2021-10-15 杭州华橙软件技术有限公司 Micro-service authentication method, electronic device and storage medium
CN113626220A (en) * 2021-08-06 2021-11-09 北京金山云网络技术有限公司 Microservice control method and system
CN113672896A (en) * 2021-07-08 2021-11-19 浙江大华技术股份有限公司 Interface authority verification method, system, electronic device and storage medium
CN113872991A (en) * 2021-10-28 2021-12-31 郑州云海信息技术有限公司 Method, device, equipment and medium for controlling cloud platform interface authority
CN113987541A (en) * 2021-10-29 2022-01-28 四川省明厚天信息技术股份有限公司 Data access control method, device and electronic device
CN114065183A (en) * 2021-10-18 2022-02-18 深信服科技股份有限公司 Authority control method and device, electronic equipment and storage medium
CN114238893A (en) * 2021-12-21 2022-03-25 中国建设银行股份有限公司 Access control method, device and equipment
CN114327956A (en) * 2021-12-28 2022-04-12 阿波罗智联(北京)科技有限公司 Request processing method and device for vehicle-mounted application, electronic equipment and storage medium
CN114385999A (en) * 2022-01-19 2022-04-22 中国农业银行股份有限公司 A method, device, device and medium for managing user rights
CN114398177A (en) * 2022-01-07 2022-04-26 北京百度网讯科技有限公司 Low code informatization system and method and ARM server
CN114461359A (en) * 2021-12-30 2022-05-10 江苏苏州农村商业银行股份有限公司 Microservice-based unified interface management method and its application platform
CN114546470A (en) * 2022-02-17 2022-05-27 亿咖通(湖北)技术有限公司 Data processing method, service platform, computer-readable storage medium and processor
CN114745316A (en) * 2022-04-13 2022-07-12 工银科技有限公司 Routing method, apparatus, device, medium and program product
CN114785578A (en) * 2022-04-13 2022-07-22 福建天晴数码有限公司 Rpc service authority management method and system
CN114826749A (en) * 2022-04-30 2022-07-29 济南浪潮数据技术有限公司 Interface access control method, device and medium
CN114840314A (en) * 2022-03-07 2022-08-02 中国人寿保险股份有限公司 Working group isolation method and related equipment
CN115208693A (en) * 2022-09-09 2022-10-18 中国电子科技集团公司第十五研究所 Security access control method and device based on micro-service
CN115906187A (en) * 2023-02-22 2023-04-04 山东经伟晟睿数据技术有限公司 User authority control method and system combining function authority and interface authority
CN116702100A (en) * 2022-10-21 2023-09-05 荣耀终端有限公司 Rights management method and electronic device
CN116781661A (en) * 2022-11-15 2023-09-19 中移(苏州)软件技术有限公司 Interface management method, device, equipment and storage medium
CN116881942A (en) * 2023-07-21 2023-10-13 广州三叠纪元智能科技有限公司 Distributed system role authority verification method and system
CN116980182A (en) * 2023-06-21 2023-10-31 杭州明实科技有限公司 Abnormal request detection method and device and electronic equipment
WO2025081795A1 (en) * 2023-10-19 2025-04-24 宁德时代(上海)智能科技有限公司 Cloud platform access method and apparatus, electronic device, and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170331812A1 (en) * 2016-05-11 2017-11-16 Oracle International Corporation Microservices based multi-tenant identity and data security management cloud service
CN108199852A (en) * 2018-04-02 2018-06-22 上海企越信息技术有限公司 A kind of method for authenticating, right discriminating system and computer readable storage medium
CN109831504A (en) * 2019-01-31 2019-05-31 泰康保险集团股份有限公司 Micro services request processing method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200828