
CN120509016A - Authentication method, device, equipment and storage medium for database access - Google Patents

Authentication method, device, equipment and storage medium for database access

Info

Publication number
CN120509016A
Authority
CN
China
Prior art keywords
database
information
client
access
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410185744.9A
Other languages
Chinese (zh)
Inventor
沈登徽
刘吉林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202410185744.9A
Publication of CN120509016A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The present application discloses a database access authentication method, apparatus, device and storage medium in the field of computer technology. The method comprises: a first client sends a service request to a configuration server; the configuration server performs service authentication on the service request; if the service request passes service authentication, the configuration server signs the communication address of the first client with a first private key to obtain signature information; the configuration server sends access configuration information to the first client; the first client sends a database access request to the server of the first database according to the access configuration information; the server of the first database verifies the signature information with a first public key; if the information obtained by verification matches the communication address of the first client, the server of the first database determines that the first client has passed authentication. In effect the method creates, for a legitimate communication address, a password that is only usable from that address, which effectively strengthens the security of the database.

Description

Identity verification method, device, equipment and storage medium for database access
Technical Field
The embodiment of the application relates to the technical field of computers, in particular to an identity verification method, device and equipment for database access and a storage medium.
Background
With the development of cloud computing, more and more enterprises migrate services to run on cloud computing technology platforms. Thus, there is a need for a business to securely access a database on a cloud service platform.
In the related art, when a service is deployed on a cloud computing platform, the communication address allocated to the service is not fixed. The database therefore cannot bind a user to an address and falls back on a user name and password alone for identity verification; once that verification passes, the database can be accessed.
A user name and password leak easily, and once leaked they allow any host to access the database illegally, so the risk of data leakage is very high.
Disclosure of Invention
The embodiment of the application provides an identity verification method, device and equipment for database access and a storage medium. The technical scheme provided by the embodiment of the application is as follows:
According to an aspect of an embodiment of the present application, there is provided an authentication method for database access, the method including:
receiving a database access request sent by a first client, wherein the database access request is used for requesting to access a first database, the database access request comprises signature information, the signature information is obtained by signing a communication address of the first client by adopting a first private key corresponding to the first database, and a configuration server sends access configuration information containing the signature information to the first client under the condition that a service request sent by the first client passes service authentication, wherein the service authentication is used for verifying the validity of the service request;
checking the signature information by adopting a first public key corresponding to the first database;
and under the condition that the information obtained by checking the signature is matched with the communication address of the first client, determining that the first client passes the authentication.
According to an aspect of an embodiment of the present application, there is provided an authentication method for database access, the method including:
receiving a service request sent by a first client, wherein the service request is used for indicating to initiate access to a first database;
Service authentication is carried out on the service request, and the service authentication is used for verifying the validity of the service request;
under the condition that the service request passes the service authentication, a first private key corresponding to the first database is adopted to sign the communication address of the first client to obtain signature information;
And sending access configuration information to the first client, wherein the access configuration information comprises signature information, a database access request sent to a server of the first database by the first client according to the access configuration information comprises the signature information, the database access request is used for requesting to access the first database, and the first client passes identity verification under the condition that information obtained by checking signature on the signature information by adopting a first public key corresponding to the first database is matched with a communication address of the first client.
According to an aspect of an embodiment of the present application, there is provided an authentication method for database access, the method including:
sending a service request to a configuration server, wherein the service request is used for indicating to initiate access to a first database;
Receiving access configuration information sent by the configuration server, wherein the access configuration information comprises signature information, the access configuration information is sent under the condition that the service request passes service authentication, the service authentication is used for verifying the validity of the service request, and the signature information is obtained by signing a communication address of the first client by adopting a first private key corresponding to the first database;
According to the access configuration information, a database access request is sent to the server of the first database, the database access request being used to request access to the first database and including the signature information; if the information obtained by verifying the signature information with the first public key corresponding to the first database matches the communication address of the first client, the first client passes identity verification.
According to an aspect of an embodiment of the present application, there is provided an authentication method for database access, the method including:
the method comprises the steps that a first client sends a service request to a configuration server, wherein the service request is used for indicating to initiate access to a first database;
the configuration server performs service authentication on the service request, wherein the service authentication is used for verifying the validity of the service request;
Under the condition that the service request passes the service authentication, the configuration server signs the communication address of the first client by adopting a first private key corresponding to the first database to obtain signature information;
the configuration server sends access configuration information to the first client, wherein the access configuration information comprises the signature information;
The first client sends a database access request to a server of the first database according to the access configuration information, wherein the database access request is used for requesting to access the first database, and the database access request comprises the signature information;
The server of the first database adopts a first public key corresponding to the first database to check the signature information;
And under the condition that the information obtained by checking the signature is matched with the communication address of the first client, the server of the first database determines that the first client passes the identity verification.
According to one aspect of an embodiment of the present application, there is provided an authentication system for database access, the system including a first client, a configuration server, and a server of a first database;
The first client is used for sending a service request to the configuration server, wherein the service request is used for indicating to initiate access to the first database;
The configuration server is used for carrying out service authentication on the service request, and the service authentication is used for verifying the validity of the service request;
The configuration server is further configured to sign a communication address of the first client by using a first private key corresponding to the first database to obtain signature information when the service request passes the service authentication;
the configuration server is further configured to send access configuration information to the first client, where the access configuration information includes the signature information;
the first client is further configured to send a database access request to a server of the first database according to the access configuration information, where the database access request is used for requesting access to the first database, and the database access request includes the signature information;
The server of the first database is used for checking the signature information by adopting a first public key corresponding to the first database;
And under the condition that the information obtained by checking the signature is matched with the communication address of the first client, the server of the first database is also used for determining that the first client passes the identity verification.
According to an aspect of an embodiment of the present application, there is provided an authentication apparatus for database access, the apparatus including:
an access request receiving module, configured to receive a database access request sent by a first client, where the database access request is used to request access to a first database, and the database access request includes signature information, where the signature information is obtained by signing a communication address of the first client by using a first private key corresponding to the first database, and in a case where a service request sent by the first client passes service authentication, a configuration server sends access configuration information including the signature information to the first client, where the service authentication is used to verify validity of the service request;
the signature information signature verification module is used for verifying the signature information by adopting a first public key corresponding to the first database;
And the identity verification module is used for determining that the first client passes identity verification under the condition that the information obtained by verification is matched with the communication address of the first client.
According to an aspect of an embodiment of the present application, there is provided an authentication apparatus for database access, the apparatus including:
The service request receiving module is used for receiving a service request sent by the first client, and the service request is used for indicating to initiate access to the first database;
The service authentication module is used for carrying out service authentication on the service request, and the service authentication is used for verifying the validity of the service request;
The communication address signing module is used for signing the communication address of the first client by adopting a first private key corresponding to the first database under the condition that the service request passes the service authentication to obtain signature information;
the configuration information sending module is used for sending access configuration information to the first client, the access configuration information including the signature information; the database access request that the first client sends to the server of the first database according to the access configuration information includes the signature information and is used to request access to the first database, and the first client passes identity verification when the information obtained by verifying the signature information with the first public key corresponding to the first database matches the communication address of the first client.
According to an aspect of an embodiment of the present application, there is provided an authentication apparatus for database access, the apparatus including:
The service request sending module is used for sending a service request to the configuration server, wherein the service request is used for indicating to initiate access to the first database;
The configuration information receiving module is used for receiving access configuration information sent by the configuration server, wherein the access configuration information comprises signature information, the access configuration information is sent under the condition that a service request passes service authentication, the service authentication is used for verifying the validity of the service request, and the signature information is obtained by signing a communication address of the first client by adopting a first private key corresponding to the first database;
The access request sending module is configured to send a database access request to the server of the first database according to the access configuration information, the database access request being used to request access to the first database and including the signature information; when the information obtained by verifying the signature information with the first public key corresponding to the first database matches the communication address of the first client, the first client passes identity verification.
According to an aspect of an embodiment of the present application, there is provided a computer device including a processor and a memory, the memory storing a computer program, the computer program being loaded and executed by the processor to implement the above-described authentication method of database access.
According to an aspect of an embodiment of the present application, there is provided a computer readable storage medium having stored therein a computer program loaded and executed by a processor to implement the above-described authentication method of database access.
According to an aspect of an embodiment of the present application, there is provided a computer program product comprising a computer program loaded and executed by a processor to implement the above-described authentication method of database access.
The technical scheme provided by the embodiment of the application at least comprises the following beneficial effects:
The first client sends a service request to the configuration server indicating that it wants to access the first database. The configuration server performs service authentication on the received request to verify its validity. If the request passes, the configuration server signs the communication address of the first client with the first private key corresponding to the first database to obtain signature information, uses that signature information as the password for accessing the first database, and sends it to the first client. The first client then sends a database access request carrying the signature information to the server of the first database, which verifies the signature with the corresponding first public key; if the verified information matches the communication address of the first client, the first client passes identity verification. In this way a password is dynamically created for each legitimate communication address, the password can only be used from the client that holds that address, and the security of the database is effectively strengthened.
Drawings
FIG. 1 is a schematic illustration of an implementation environment for an embodiment of the present application;
FIG. 2 is a flow chart of a method of authentication for database access provided by one embodiment of the present application;
FIG. 3 is a block diagram of a database access authentication device according to one embodiment of the present application;
FIG. 4 is a block diagram of a database access authentication device according to another embodiment of the present application;
FIG. 5 is a block diagram of a database access authentication device according to another embodiment of the present application;
fig. 6 is a block diagram of a computer device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
Referring to fig. 1, a schematic diagram of an implementation environment of an embodiment of the present application is shown. The implementation environment may include a terminal device 10, a database server 20, and a configuration server 30.
The terminal device 10 includes, but is not limited to, a PC (Personal Computer), a host on a cloud computing platform, a mobile phone, a tablet computer, an intelligent voice interaction device, a game console, a wearable device, a multimedia playback device, a vehicle-mounted terminal, a smart home appliance, an AR (Augmented Reality) device, a VR (Virtual Reality) device and other electronic devices. The terminal device 10 may be a database client that needs remote access to a database, for example a host deployed on a cloud platform.
The database server 20 is an electronic device for storing, managing and providing database services, that is, a database server. For example, the database server 20 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server providing a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network, a content delivery network), and basic cloud computing services such as big data and an artificial intelligence platform, but is not limited thereto.
The configuration server 30 is an electronic device that centrally manages and stores the configuration needed to access the database server 20. For example, the configuration server 30 may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, and basic cloud computing services such as big data and artificial intelligence platforms, but is not limited thereto.
Cloud computing (cloud computing), in the narrow sense, refers to a delivery and usage model for IT infrastructure in which required resources are obtained over a network on demand and in an easily scalable way; in the broad sense it refers to a delivery and usage model for services in which required services are obtained over a network on demand and in an easily scalable way. Such services may be IT, software or Internet related, or other services. Cloud computing is the product of the convergence of traditional computing and network technologies such as grid computing, distributed computing, parallel computing, utility computing, network storage technologies, virtualization and load balancing.
With the development of the internet, real-time data flow and diversification of connected devices, and the promotion of demands of search services, social networks, mobile commerce, open collaboration and the like, cloud computing is rapidly developed. Unlike the previous parallel distributed computing, the generation of cloud computing will promote the revolutionary transformation of the whole internet mode and enterprise management mode in concept.
The terminal device 10, the database server 20, and the configuration server 30 may communicate with each other via a network. The network may be a wired network or a wireless network.
Illustratively, the service deployed on the terminal device 10 needs to access a database. The terminal device 10 sends a service request to the configuration server 30 asking to access the database, and the configuration server 30 performs service authentication on the request. If the request passes service authentication, the configuration server 30 signs the communication address of the terminal device 10 to obtain signature information and sends access configuration information carrying that signature information to the terminal device 10. The terminal device 10 then sends a database access request to the database server 20 according to the access configuration information; the database server 20 verifies the signature information, and if the verified information matches the communication address of the terminal device 10, the terminal device 10 passes the identity verification of the database server 20.
The technical scheme provided by the application is described and illustrated by the method embodiment.
Referring to fig. 2, a flowchart of a method for verifying identity of database access according to an embodiment of the present application is shown. The method is applicable in the implementation environment of the scheme shown in fig. 1. The method may include at least one of the following steps 210-270:
at step 210, the first client sends a service request to the configuration server, the service request indicating to initiate access to the first database.
Accordingly, the configuration server receives a service request sent by the first client, where the service request is used to instruct to initiate access to the first database.
In some embodiments, the service is deployed on a first client, and the data of the first database needs to be invoked when the first client processes the service.
In some embodiments, a service refers to work that a computer needs to process, for example training a large model, providing weather data to a user, or providing electronic map data.
For example, the first client is a host on a cloud computing platform on which a picture processing service is deployed; the service includes training a picture processing model, and when the model is trained, data in the first database needs to be fetched as training data.
In some embodiments, a service request refers to a requirement that a client put forth to obtain a specified service while processing a service. In the embodiment of the application, the service request refers to the requirement of the first client for accessing the first database when processing the service.
In some embodiments, the first database refers to a database that stores data required by the first client.
The Database (Database), which can be considered as an electronic filing cabinet, is a place for storing electronic files, and users can perform operations such as adding, inquiring, updating, deleting and the like on the data in the files. A "database" is a collection of data stored together in a manner that can be shared with multiple users, with as little redundancy as possible, independent of the application.
A database management system (DBMS) is computer software designed to manage a database and generally provides basic functions such as storage, retrieval, security and backup. Database management systems can be classified by the database model they support (such as relational or XML (Extensible Markup Language)), by the type of computer they support (such as server clusters or mobile phones), by the query language used (such as SQL (Structured Query Language) or XQuery), by their performance emphasis (such as maximum scale or maximum speed of operation), or by other criteria. Whatever the classification, some DBMSs span categories, for example by supporting multiple query languages at the same time.
In some embodiments, the first database may be an open-source database. Databases include relational and non-relational databases. A relational database organizes data according to the relational model, that is, it stores data in rows and columns; examples include SQL Server, Oracle, MySQL and PostgreSQL, of which MySQL and PostgreSQL are open source. A non-relational database stores data in a non-tabular model, typically key-value pairs or documents, and is often distributed; open-source examples include MongoDB, Redis and CouchDB.
Step 220, the configuration server performs service authentication on the first client, where the service authentication is used to verify the validity of the service request.
The configuration server is a server for centrally managing and storing configuration related to the access database, and information such as an access address, a communication address, a user name and a password used for accessing the database is stored in the configuration server. Wherein the access address refers to address information for connecting to the database, and comprises at least one of a host name, a port number, a database name, and the like. The communication address is an address used when the electronic device performs network communication. The user name used by accessing the database is used in the database to uniquely identify a user, and the password corresponding to the user name is information for verifying the identity of the user. In the present application, the password may be the communication address of the client signed by the first private key, or may be a string of fixed characters set by the user.
In some embodiments, the communication address refers to an internet protocol address (Internet Protocol Address, IP address for short).
Service authentication is a security mechanism used to verify whether a request has access to a service or resource. This typically involves checking the identity of the requester (such as a user name and password) and whether they have access to the requested resource.
Illustratively, after a service deployed at a first client is initiated, the first client accesses a configuration server and sends a service request to the configuration server, which service authenticates the service request.
In some embodiments, the configuration server obtains signature authentication information included in the service request, wherein the signature authentication information is obtained by signing authentication information corresponding to the first client by the configuration server through a second key, the configuration server performs signature verification on the signature authentication information through the second key to obtain verified authentication information, and the configuration server determines that the service request passes service authentication when the verified authentication information is valid.
In some embodiments, the signature authentication information is obtained by signing, with the second key, the identity credential submitted by the first client when the configuration server authenticates the first client. The signature authentication information includes information such as the user's details, the scope of authority and the validity period. There are many ways to authenticate the first client, for example HTTP (Hypertext Transfer Protocol) basic authentication, session-based authentication and token-based authentication.
In some embodiments, after the first client has been authenticated, it stores the received signature authentication information and carries it in every service request sent to the configuration server. The configuration server verifies the signature authentication information with the second key, judges the integrity and authenticity of the verified authentication information and determines whether it is valid: if it is valid, the service request passes service authentication; if it is invalid, the service request is rejected.
Illustratively, the configuration server authenticates the first client with a token-based method: the first client sends the user's details to the configuration server; after verifying them and confirming that the first client is authenticated, the configuration server signs the authentication information of the first client with the second key to obtain signature authentication information and returns it to the first client. The first client carries the signature authentication information whenever it sends a service request to the configuration server; the configuration server verifies it with the second key, checks the integrity and authenticity of the verified authentication information, confirms that it is valid, and the service request passes service authentication.
It should be noted that the above-described authentication method is merely exemplary and explanatory, and that other authentication methods may be used for service authentication, which is not limiting to the present application.
In the related art, the authentication mechanism of a database management system is based on three elements, namely an IP address, a user name and the corresponding password, and these three elements can ensure the security of the database when the IP address used by the client is fixed. However, when the IP address used by the client is not fixed, for example when the service is deployed on a cloud computing platform, the hosts obtained are allocated randomly by the platform, so the IP address allocated to each service is not fixed; the database then cannot use the IP address for identity verification and must rely on the two remaining elements, the user name and the corresponding password. The user name and password are easy for service developers or operations and maintenance staff to obtain, and once they are leaked, any host can illegally access the database, so the risk of data disclosure is extremely high.
Illustratively, taking MySQL as the database management system, MySQL's authentication mechanism can restrict a user to connecting only from a specific hostname or IP address, based on the user name, the password, and the hostname or IP address. In MySQL's mysql.user table there is a "Host" field that stores the allowed hostname or IP address; its value may be a specific hostname, a specific IP address, an IP address range (IP address segment), or "%", which represents any host. When a user attempts to connect, MySQL checks the user name and the client's IP address or hostname in the request to determine whether a matching record exists; if none is found, the connection is denied. If a matching record is found, the database management system verifies that the user has access rights: the password is stored as a hash value computed with a specific hash algorithm (such as SHA-1 or SHA-256), the password submitted in the connection attempt is hashed with the same algorithm and compared with the stored hash value, and authentication succeeds if the two match and fails otherwise.
Based on the above example, when the IP address of the client is not fixed, the Host field has to be set to "%", meaning that the user can connect to the database from any hostname or IP address, which leads to the following security risks:
1. Exposure to attacks: when the Host field is set to "%", a malicious user or attacker can attempt to connect to the database from anywhere, which increases the exposure to brute-force attacks, dictionary attacks and other means of attack.
2. Unauthorized access: allowing access from any host makes unauthorized access by internal employees or external entities easier, which may lead to data leakage, data tampering or other security issues.
3. Difficult tracing and auditing: when a user can access the database from anywhere, tracing and auditing database activity becomes harder, so potential security problems may not be discovered and resolved in time.
In this way, some illegal service requests are filtered out by the service authentication, so that service requests that pass the service authentication are ensured to come from legitimate access sources, and the security of database access is improved.
In step 230, in the case that the service request passes the service authentication, the configuration server signs the communication address of the first client by using the first private key corresponding to the first database, so as to obtain signature information.
In some embodiments, the communication address of the first client is an IP address of the first client.
In some embodiments, the configuration server parses the service request to obtain the communication address of the first client.
Illustratively, the configuration server parses the IP address of the first client from the service request according to the HTTP protocol.
An asymmetric encryption algorithm is an algorithm in cryptography that requires two keys, one public key and one private key; examples are the RSA (Rivest-Shamir-Adleman) algorithm, the Digital Signature Algorithm (DSA) and elliptic curve cryptography (ECC). It is called asymmetric encryption because encryption and decryption require two different keys. The public key can be published and released freely; the private key must not be published and must be strictly kept secret by its holder.
A digital signature is a technique that ensures the integrity and authenticity of digital information by using an asymmetric encryption algorithm to create and verify signatures. The process of encrypting digital information with a private key is called signing, and the process of decrypting the encrypted information with the corresponding public key is called signature verification. If a user encrypts plaintext with his private key, anyone can decrypt the ciphertext with that user's public key; since the private key is held only by the user, the public can be sure that the data or file must come from that user, can verify whether it is complete and has not been tampered with in transit, and the receiver can trust that the data or file comes from the user. This is called a digital signature.
In some embodiments, the first private key is used to sign the communication address of the first client, and there is a first public key corresponding to the first private key that is used to verify the signature on the signed communication address. In the present application, the process of encrypting the communication address of the first client with the first private key is called signing, and the process of decrypting the signed communication address with the first public key is called signature verification.
In some embodiments, the service request includes service characteristic information, where the service characteristic information is used to indicate a service requirement of the first client.
The service characteristic information includes information indicating the first database accessed by the first client, for example, an environment to which the first client belongs, a data source to be accessed, identification information of the first database, and the like.
In some embodiments, before step 230 is performed, at least one of the following steps is also performed:
In step 230-1, the configuration server determines, according to the service feature information, a first database and a first account matched with the service requirement of the first client.
In some embodiments, a corresponding relationship exists between the service request and the first database and the first account, and the configuration server matches the corresponding first database and the first account for the service request according to the service characteristic information in the service request.
In some embodiments, the first client connects to the first database using a first account number.
In step 230-2, the configuration server obtains second record data corresponding to the first database, where the second record data includes at least one piece of account information, and each piece of account information includes a set of corresponding account and private key.
The second record data is used for storing information such as account numbers, connection configuration and the like corresponding to the database. In some embodiments, the configuration server queries account information corresponding to the first account in the second record data according to the determined first database.
In some embodiments, the account included in each piece of account information may be indicated by using an account identifier, for example, the account identifier may be a user name corresponding to the account, a serial number corresponding to the account, and the application is not limited thereto.
In some embodiments, each database may correspond to multiple sets of account numbers and private keys.
In step 230-3, the configuration server obtains the private key corresponding to the first account from the second record data as the first private key.
In this way, the account and password used by the client to access the database are not stored on the client; instead, the configuration server automatically matches the corresponding account to the service request sent by the client, which reduces the risk of leaking the account, password and other information.
In some embodiments, the account information further includes plug-in indication information indicating an identity verification plug-in, which is a plug-in supported by the first database for implementing identity verification. The configuration server determines the encryption mode corresponding to a first identity verification plug-in based on first plug-in indication information included in the account information to which the first account and the first private key belong, the first identity verification plug-in being the plug-in indicated by that first plug-in indication information, and signs the communication address of the first client with the first private key in that encryption mode to obtain the signature information.
The authentication plug-in is a separate module of the server of the database, which can be loaded and unloaded as required. In some embodiments, the server of the first database includes a plug-in architecture for supporting different authentication methods.
In some embodiments, the plug-in architecture of the server of the first database includes built-in plug-ins and third-party plug-ins. A built-in plug-in is an authentication plug-in built into the database server; for example, it may be at least one of mysql_native_password (password authentication based on a SHA-1 hash) and caching_sha2_password (password authentication based on a SHA-256 hash). A third-party plug-in implements authentication for a particular authentication requirement; for example, MySQL may be integrated with an LDAP server using a Lightweight Directory Access Protocol (LDAP) plug-in, or with the system's Pluggable Authentication Modules (PAM) framework using a PAM plug-in. Optionally, the third-party plug-in may also be a custom authentication plug-in created by a developer. For example, MySQL provides an application programming interface (API) and development tools so that a developer can create a custom authentication plug-in, installed in MySQL's plug-in framework, to meet the user's needs.
In some embodiments, the above-mentioned plug-in indication information may be a name of the authentication plug-in, a serial number of the authentication plug-in, or other identification information for indicating the authentication plug-in, which is not limited in the present application.
In some embodiments, the encryption mode corresponding to the authentication plug-in may be an asymmetric encryption algorithm, or an encryption algorithm corresponding to an authentication plug-in designed by the developer, and the present application is not limited in this respect.
The configuration server determines the corresponding first database and first account according to the service feature information of the service request, and determines the account information corresponding to the first account from the second record data corresponding to the first database. As shown in Table 1, the account information includes three fields, namely the user name, the private key and the plug-in indication information. The configuration server takes the value of the private key field in the account information of the first account as the first private key, signs the communication address of the first client with the first private key in the encryption mode corresponding to the plug-in indication information, and obtains the signature information.
Table 1 Key field description of account information
Field | Value | Description
user | test_user | User name
private_key | {private key} | Private key
plugin | my_authentication | Plug-in indication information
In this way, the user can flexibly select the identity verification plug-in according to requirements and the application scenario, so as to satisfy various security requirements and policies, and the server of the database can more easily be integrated with existing identity verification infrastructure.
In step 240, the configuration server sends access configuration information to the first client, where the access configuration information includes signature information.
Correspondingly, the first client receives the access configuration information sent by the configuration server.
In some embodiments, the configuration server determines access configuration information based on the account information and the signature information.
In some embodiments, the access configuration information further includes at least one of information related to the account, a communication address of the first database, a port number of the first database, and indication information of the first database. The information related to the account refers to the user name corresponding to the account. The communication address of the first database refers to the IP address of the first database. A port number is a numerical identifier for processes and services, used at the transport layer to distinguish between different applications or processes. In this embodiment, the port number of the first database indicates the database service on which the server of the first database handles connections and communication from clients. Illustratively, MySQL has a default port number of 3306, Oracle Database 1521, MongoDB 27017 and Redis 6379. The indication information of the first database is used to indicate the first database and may be represented by the name, serial number or the like of the first database, which the present application does not limit.
In some embodiments, the configuration server obtains database record data including at least one piece of database information, used to store database-related information, each piece of database information including the communication address and the port number of a database. In some embodiments, the configuration server queries the database record data for the database information corresponding to the first database determined above.
In this way, the access configuration information for accessing the database is sent to the client, which assists the client in determining and accessing the corresponding database.
Step 250, the first client sends a database access request to a server of the first database according to the access configuration information, where the database access request is used to request access to the first database, and the database access request includes signature information.
Correspondingly, the server of the first database receives a database access request sent by the first client.
In some embodiments, the database access request further includes a user name corresponding to the first account.
In some embodiments, the server of the first database parses the database access request to obtain the communication address of the first client.
Illustratively, the server of the first database parses the IP address of the first client from the database access request according to the HTTP protocol.
In some embodiments, the database access request includes a first account, and before step 250 is executed, at least one of the following steps is also performed:
In step 250-1, the server of the first database obtains first record data corresponding to the first database, where the first record data includes at least one piece of record information, and each piece of record information includes a set of corresponding account number and public key.
The first record data is used for storing account numbers, connection configurations and other information for accessing the first database. In some embodiments, the server of the first database obtains the corresponding record information in the first record data according to the user name of the first account and the IP address of the first client.
In some embodiments, the record information further includes source IP information.
In some embodiments, the value of the source IP information in the record information is set to a first wildcard, which indicates that all clients are allowed to access the corresponding database.
Optionally, after creating the account, the configuration server may further limit clients that are allowed to access the corresponding database by adding the IP address of the client to the record information.
In step 250-2, the server of the first database obtains the public key corresponding to the first account from the first record data, and obtains the first public key.
In some embodiments, the public key corresponding to the first account number is a string used for authentication.
In step 260, the server of the first database verifies the signature information with the first public key corresponding to the first database.
In some embodiments, the record information further includes plug-in indication information indicating an identity verification plug-in, which is a plug-in supported by the first database for implementing identity verification. A first identity verification plug-in is invoked based on first plug-in indication information included in the record information to which the first account and the first public key belong, the first identity verification plug-in being the plug-in indicated by that first plug-in indication information, and the signature information is verified by the first identity verification plug-in using the first public key.
In some embodiments, the first authentication plug-in is pre-installed and configured on the server of the first database when the first account is created on the first database.
The server of the first database determines, according to the database access request, the record information corresponding to the first account from the first record data corresponding to the first database. As shown in Table 2, the record information includes four fields, namely the source IP, the user name, the public key and the plug-in indication information. The server takes the value of the public key field in the record information of the first account as the first public key, invokes the first identity verification plug-in indicated by the plug-in indication information, performs signature verification on the signature information in the database access request using the first public key, and obtains the verified information. The value of the source IP field is the first wildcard "%", which means that any client whose service request has passed service authentication can access the first database.
Table 2 Key field description of record information
Field | Value | Description
Host | % | Source IP
User | test_user | User name
Plugin | my_authentication | Plug-in indication information
Authentication_string | {public key} | Public key
In this way, the first database obtains the corresponding public key according to the database access request and verifies the signature information in the request, so that the signature information can only be verified with the public key corresponding to the private key used for signing, which improves the security of the database.
In some embodiments, the server of the first database compares, via the first authentication plug-in, the information obtained by signature verification with the communication address of the first client.
In some embodiments, if the information obtained by the signature verification is the same as the communication address of the first client, the first client passes the authentication, and if the information obtained by the signature verification is different from the communication address of the first client, the first client does not pass the authentication.
Because the communication address is an IP address, the IP address of a client is difficult to forge: IP addresses are based on the TCP/IP protocol, and when a client establishes a communication connection with the configuration server or the server of the database, the TCP/IP protocol stack must complete a three-way handshake in which the source IP address is verified. If a client forges its IP address, the handshake messages are sent to the wrong address and the three-way handshake cannot be completed. Thus a client that forges its IP address cannot establish a valid TCP connection with the configuration server or the server of the database.
In this way, the client connects to the database using the signature information and the user name of the account; the information obtained by signature verification is compared with the client's communication address to judge whether the current client is the same client that obtained the signature information through service authentication, which verifies the client's identity and enhances the security of the server of the database.
Step 270, in the case that the information obtained by the signature verification matches with the communication address of the first client, the server of the first database determines that the first client passes the authentication.
In some embodiments, when the server of the first database determines that the first client passes identity verification, it sends information indicating that identity verification has passed to the first client.
In some embodiments, the first client accesses the first database on demand.
In summary, according to the technical solution provided by the embodiment of the application, the first client sends a service request to the configuration server, the service request indicating that access to the first database is to be initiated; the configuration server performs service authentication on the received service request to verify its validity; when the service request passes service authentication, the configuration server signs the communication address of the first client with the first private key corresponding to the first database to obtain the signature information and sends it to the first client as the password for accessing the first database; the first client sends a database access request carrying the signature information to the server of the first database; the server of the first database verifies the signature information with the corresponding first public key, and if the information obtained matches the communication address of the first client, the first client passes identity verification. A password is thus created dynamically for each legitimate communication address, and the password can be used only on the client corresponding to that communication address, which effectively enhances the security of the database.
The creation process of the first account number for connecting and accessing the first database is described below.
The process by which a service developer initiates, at the configuration server, the creation of an account corresponding to a database is as follows.
In some embodiments, a service developer registers a service on a configuration server, the service including a need to access a first database.
In some embodiments, the configuration server generates a key pair corresponding to the first account, the key pair comprising a corresponding private key and public key; the private key corresponding to the first account is the first private key, and the public key corresponding to the first account is the first public key. The configuration server adds first account information, comprising the first account and the first private key, to the second record data, and sends first record information, comprising the first account and the first public key, to the server of the first database.
In some embodiments, the first record information further includes first plug-in indication information for indicating the first authentication plug-in.
In some embodiments, the configuration server generates a key pair corresponding to the first account number using an asymmetric encryption algorithm.
In this way, a corresponding account is created in the configuration server for the designated service, so that different accounts are created for different requirements to access the database.
In some embodiments, a server of the first database receives first record information sent by a configuration server, the first record information including a first account number and a first public key, and the server of the first database adds the first record information to the first record data.
In some embodiments, after receiving the first record information sent by the configuration server, the server of the first database executes an authorization statement and creates the account corresponding to the first record information. For example, if the server of the first database is a MySQL server, after receiving the first record information the MySQL server executes the following authorization SQL statement:
CREATE USER 'test_user'@'%' IDENTIFIED WITH my_authentication AS '{public key}';
The meaning of this SQL statement is to create an account named test_user, allow it to connect to the MySQL server from any host (%), verify its identity with the custom identity verification plug-in named my_authentication, and at the same time add the first record information corresponding to the account to the first record data.
In some embodiments, the server of the first database installs the first authentication plug-in indicated by the first plug-in indication information when creating the first account.
For example, a service developer registers a service A on the configuration server, and service A needs to access the first database. The configuration server creates a first account corresponding to service A, generates a key pair corresponding to the first account using the RSA encryption algorithm, and adds first account information corresponding to the first account to the second record data, the first account information including the first account and the first private key of the key pair. The configuration server sends first record information, including the first account and the first public key of the key pair, to the server of the first database. After receiving the first record information, the server of the first database executes the authorization SQL statement, creates the first account on the server, adds the first record information to the first record data, and installs the first identity verification plug-in indicated by the first plug-in indication information.
In this way, the account corresponding to the configuration server is created on the server of the database, and the corresponding access configuration information can be obtained from the configuration server to access the database.
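The flow of steps 220 to 270 summarised above, together with the account-creation flow just described, as an added example that is not part of the patent or of any Tencent or MySQL code: a Go model of the configuration server and the database server, assuming RSA-PSS over SHA-256 as the signing scheme, in-memory maps for the first and second record data, and hypothetical names (ConfigServer, DBServer, CreateAccount, CreateUserStatement, IssueAccessConfig, Authenticate). The database server verifies the signature against the source address it observes on the connection, which is the page's comparison of the verified information with the client's communication address.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// AccountInfo is one row of the configuration server's second record data
// (Table 1): user name, private key and plug-in indication information.
type AccountInfo struct {
	User, Plugin string
	PrivateKey   *rsa.PrivateKey
}

// RecordInfo is one row of the database server's first record data (Table 2):
// Host, User, Plugin and the public key kept in Authentication_string.
type RecordInfo struct {
	Host, User, Plugin string
	PublicKey          *rsa.PublicKey
}

// Second record data keyed by service name (the step 230-1 match); first record data keyed by user name.
type ConfigServer struct{ Accounts map[string]AccountInfo }
type DBServer struct{ Records map[string]RecordInfo }

// AccessConfig is the step 240 access configuration information: the signature is the password.
type AccessConfig struct{ User, Signature string }

// CreateAccount is the account-creation flow: generate a key pair, keep the private key in the
// second record data, send the public key to the database server. Host is "%" since the client IP is unknown.
func CreateAccount(cs *ConfigServer, db *DBServer, service, user string) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	cs.Accounts[service] = AccountInfo{User: user, Plugin: "my_authentication", PrivateKey: priv}
	db.Records[user] = RecordInfo{Host: "%", User: user, Plugin: "my_authentication", PublicKey: &priv.PublicKey}
	return nil
}

// CreateUserStatement renders the authorization statement the database server
// executes for a record; base64 of the DER public key is an assumed encoding.
func CreateUserStatement(rec RecordInfo) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(rec.PublicKey)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("CREATE USER '%s'@'%s' IDENTIFIED WITH %s AS '%s';",
		rec.User, rec.Host, rec.Plugin, base64.StdEncoding.EncodeToString(der)), nil
}

// IssueAccessConfig is steps 230 and 240. serviceAuthenticated stands in for the step 220 token
// check; clientIP is the peer address observed on the service request, never a client-supplied field.
func (cs *ConfigServer) IssueAccessConfig(service, clientIP string, serviceAuthenticated bool) (AccessConfig, error) {
	if !serviceAuthenticated {
		return AccessConfig{}, fmt.Errorf("service %q failed service authentication", service)
	}
	acct, ok := cs.Accounts[service]
	if !ok {
		return AccessConfig{}, fmt.Errorf("no account matched to service %q", service)
	}
	digest := sha256.Sum256([]byte(clientIP))
	sig, err := rsa.SignPSS(rand.Reader, acct.PrivateKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return AccessConfig{}, err
	}
	return AccessConfig{User: acct.User, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// Authenticate is steps 250-270 as the my_authentication plug-in sees them. sourceIP is the
// peer address the database server observes on the TCP connection; verifying the signature
// against it is the page's "compare the verified information with the client's address".
func (db *DBServer) Authenticate(user, password, sourceIP string) bool {
	rec, ok := db.Records[user]
	if !ok {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(password)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(sourceIP))
	return rsa.VerifyPSS(rec.PublicKey, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	cs, db := &ConfigServer{Accounts: map[string]AccountInfo{}}, &DBServer{Records: map[string]RecordInfo{}}
	if err := CreateAccount(cs, db, "service_a", "test_user"); err != nil {
		panic(err)
	}
	cfg, _ := cs.IssueAccessConfig("service_a", "10.0.0.5", true) // constructed client IP; error checked in tests
	// Credential from the issuing host passes; the same credential copied to another host fails.
	fmt.Println(db.Authenticate(cfg.User, cfg.Signature, "10.0.0.5"), db.Authenticate(cfg.User, cfg.Signature, "10.0.0.9"))
}
```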
The following are examples of the apparatus of the present application that may be used to perform the method embodiments of the present application. For details not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the method of the present application.
Referring to fig. 3, a block diagram of an authentication device for database access according to an embodiment of the present application is shown. The device has the function of realizing the identity verification method for accessing the database, and the function can be realized by hardware or corresponding software executed by hardware. The device may be the database server 20 described above, or may be provided in the database server 20. As shown in fig. 3, the apparatus 300 may include an access request receiving module 310, a signature information verification module 320, and an authentication module 330.
The access request receiving module 310 is configured to receive a database access request sent by the first client, the database access request being used to request access to the first database and including signature information. The signature information is obtained by signing the communication address of the first client with the first private key corresponding to the first database; when the service request sent by the first client passes service authentication, the configuration server sends access configuration information including the signature information to the first client, the service authentication being used to verify the validity of the service request.
The signature information verification module 320 is configured to verify the signature information with the first public key corresponding to the first database.
The identity verification module 330 is configured to determine that the first client passes identity verification when the information obtained by the verification matches the communication address of the first client.
In some embodiments, the database access request includes a first account number, and the apparatus 300 further includes a first record data acquisition module and a first public key acquisition module (not shown in FIG. 3).
The first record data acquisition module is used for acquiring first record data corresponding to the first database, wherein the first record data comprises at least one piece of record information, and each piece of record information comprises a group of corresponding account numbers and public keys.
The first public key obtaining module is used for obtaining a public key corresponding to the first account number from the first record data to obtain the first public key.
In some embodiments, the record information further includes plug-in indication information, where the plug-in indication information is used to indicate an authentication plug-in, the authentication plug-in is a plug-in supported by the first database and used to implement authentication, the signature information verification module 320 is used to invoke a first authentication plug-in based on first plug-in indication information included in the record information to which the first account number and the first public key belong, the first authentication plug-in is an authentication plug-in indicated by the first plug-in indication information, and the signature information is verified by the first authentication plug-in using the first public key.
In some embodiments, the signature information verification module 320 is further configured to compare, by the first authentication plug-in, the information obtained by the verification with the communication address of the first client.
In some embodiments, the apparatus 300 further includes a record information receiving module and a record information adding module (not shown in FIG. 3).
The record information receiving module is configured to receive first record information sent by the configuration server, where the first record information includes the first account number and the first public key.
The record information adding module is configured to add the first record information to the first record data.
In summary, in the technical solution provided by this embodiment of the application, the server of the first database receives the database access request sent by the first client, verifies the signature information by using the first public key corresponding to the first database, and determines that the first client passes identity verification when the information obtained by the signature verification matches the communication address of the first client. The password created for a legitimate communication address can therefore only be used from the corresponding client to access the database, which enhances the security of the database.
Referring to fig. 4, a block diagram of an authentication apparatus for database access according to another embodiment of the present application is shown. The device has the function of realizing the identity verification method for accessing the database, and the function can be realized by hardware or corresponding software executed by hardware. The device may be the configuration server 30 described above, or may be provided in the configuration server 30. As shown in fig. 4, the apparatus 400 may include a service request receiving module 410, a service authentication module 420, a communication address signing module 430, and a configuration information transmitting module 440.
The service request receiving module 410 is configured to receive a service request sent by a first client, where the service request is used to instruct to initiate access to a first database.
A service authentication module 420, configured to perform service authentication on the service request, where the service authentication is used to verify validity of the service request.
The communication address signing module 430 is configured to sign, when the service request passes the service authentication, the communication address of the first client by using a first private key corresponding to the first database, so as to obtain signature information.
The configuration information sending module 440 is configured to send access configuration information to the first client, where the access configuration information includes the signature information. The database access request that the first client sends to a server of the first database according to the access configuration information includes the signature information, where the database access request is used to request access to the first database, and if the information obtained by verifying the signature information with a first public key corresponding to the first database matches the communication address of the first client, the first client passes identity verification.
In some embodiments, the service request includes service characteristic information, where the service characteristic information is used to indicate a service requirement of the first client, and the apparatus 400 further includes a service matching module, a second record data obtaining module, and a first private key obtaining module (not shown in fig. 4).
The service matching module is configured to determine, according to the service characteristic information, the first database and the first account that match the service requirement of the first client.
The second record data obtaining module is configured to obtain second record data corresponding to the first database, where the second record data includes at least one piece of account information, and each piece of account information includes a set of corresponding account and private key.
The first private key obtaining module is configured to obtain a private key corresponding to the first account number from the second record data, so as to obtain the first private key.
In some embodiments, the account information further includes plug-in indication information, where the plug-in indication information is used to indicate an authentication plug-in, and the authentication plug-in is a plug-in supported by the first database and used to implement authentication. The communication address signing module 430 is configured to determine a signature mode corresponding to a first authentication plug-in based on first plug-in indication information included in the account information to which the first account and the first private key belong, where the first authentication plug-in is the authentication plug-in indicated by the first plug-in indication information, and to sign, based on that signature mode, the communication address of the first client with the first private key to obtain the signature information.
In some embodiments, the apparatus 400 further includes a key pair generation module, a first account information addition module, and a first record information transmission module (not shown in fig. 4).
The key pair generation module is used for generating a key pair corresponding to the first account, wherein the key pair comprises a group of corresponding private keys and public keys, the private key corresponding to the first account is the first private key, and the public key corresponding to the first account is the first public key.
The first account information adding module is used for adding first account information in the second record data, wherein the first account information comprises the first account and the first private key.
The first record information sending module is used for sending first record information to a server of the first database, wherein the first record information comprises the first account number and the first public key.
In some embodiments, the service authentication module 420 is configured to obtain signature authentication information included in the service request, where the signature authentication information is obtained by signing authentication information corresponding to the first client using a second key; to verify the signature authentication information using the second key to obtain verified authentication information; and to determine that the service request passes the service authentication if the verified authentication information is valid.
In summary, in the technical solution provided by this embodiment of the application, the configuration server receives the service request sent by the first client, performs service authentication on the service request to verify its validity, signs the communication address of the first client with the first private key corresponding to the first database when the service request passes the service authentication to obtain signature information, and sends access configuration information carrying the signature information to the first client. Clients from illegitimate sources are thereby filtered out by the service authentication, a password is dynamically created for the communication address of each legitimate client, and the security of the database is improved.
Referring to fig. 5, a block diagram of an authentication device for database access according to another embodiment of the present application is shown. The device has the function of realizing the identity verification method for accessing the database, and the function can be realized by hardware or corresponding software executed by hardware. The device may be the terminal device 10 described above, or may be provided in the terminal device 10. As shown in fig. 5, the apparatus 500 may include a service request transmitting module 510, a configuration information receiving module 520, and an access request transmitting module 530.
The service request sending module 510 is configured to send a service request to the configuration server, where the service request is used to instruct to initiate access to the first database.
The configuration information receiving module 520 is configured to receive access configuration information sent by the configuration server, where the access configuration information includes signature information. The access configuration information is sent when the service request passes service authentication, where the service authentication is used to verify the validity of the service request, and the signature information is obtained by signing a communication address of the first client with a first private key corresponding to the first database.
The access request sending module 530 is configured to send a database access request to a server of the first database according to the access configuration information, where the database access request is used to request access to the first database and includes the signature information. When the information obtained by verifying the signature information with a first public key corresponding to the first database matches the communication address of the first client, the first client passes identity verification.
In some embodiments, the service request includes service feature information, where the service feature information is used to indicate a service requirement of the first client, and the first private key is a private key corresponding to a first account obtained from second record data corresponding to the first database based on the service feature information, where the second record data includes at least one piece of account information, and each piece of account information includes a set of corresponding account and private key.
In some embodiments, the database access request includes a first account, the first public key is a public key corresponding to the first account obtained from first record data corresponding to the first database, the first record data includes at least one piece of record information, and each piece of record information includes a set of corresponding account and public key.
In summary, in the technical solution provided by this embodiment of the application, the first client requests access to the first database by sending a service request to the configuration server, receives the access configuration information sent by the configuration server, and sends a database access request to the server of the first database according to the access configuration information. The database access request is used to request access to the first database and includes signature information; when the information obtained by verifying the signature information with the first public key corresponding to the first database matches the communication address of the first client, the first client passes identity verification. Because the first client obtains the access configuration information for the first database from the configuration server, the account for accessing the first database does not need to be stored on the first client, which reduces the possibility of account leakage and improves the security of the database.
It should be noted that the division of functional modules in the apparatus of the foregoing embodiments is only an example. In practical application, the functions may be allocated to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; their specific implementation processes are detailed in the method embodiments and are not repeated here.
An identity verification system for database access comprises a first client, a configuration server and a server of a first database;
The first client is used for sending a service request to the configuration server, wherein the service request is used for indicating to initiate access to the first database;
The configuration server is used for carrying out service authentication on the service request, and the service authentication is used for verifying the validity of the service request;
The configuration server is further configured to sign a communication address of the first client by using a first private key corresponding to the first database to obtain signature information when the service request passes the service authentication;
the configuration server is further configured to send access configuration information to the first client, where the access configuration information includes the signature information;
the first client is further configured to send a database access request to a server of the first database according to the access configuration information, where the database access request is used for requesting access to the first database, and the database access request includes the signature information;
the server of the first database is configured to verify the signature information by using a first public key corresponding to the first database;
the server of the first database is further configured to determine that the first client passes identity verification when the information obtained by the signature verification matches the communication address of the first client.
For other steps to be executed by the first client, the configuration server and the server of the first database, refer to the above embodiments, and are not described herein.
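The system just described (apparatus 300 on the database server, apparatus 400 on the configuration server, and the client flow of apparatus 500) can be exercised end to end in a few dozen lines. The following is an added example written for this page, not code from the patent or from the applicant; it assumes Ed25519 as the signature mode named by the plug-in indication information (the constructed value "ed25519_addr"), HMAC-SHA256 under a shared "second key" for the service authentication of claim 10, and constructed account, service and address names. The account selected by the service matching module is looked up from the service feature information, the private half of the generated key pair stays in the configuration server's second record data, and only (account, public key) is sent to the database server as first record information.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// recordInfo is one entry of the database server's "first record data".
type recordInfo struct {
	pub    ed25519.PublicKey
	plugin string // plug-in indication information (assumed value "ed25519_addr")
}

// AccessConfig is the access configuration information returned to the client.
type AccessConfig struct {
	Account   string
	Signature []byte
}

type ConfigServer struct {
	serviceKey []byte                        // the "second key" for service authentication (assumed: HMAC)
	services   map[string]string             // service feature -> matched account (service matching module)
	accounts   map[string]ed25519.PrivateKey // second record data: account -> private key
}

type DBServer struct{ records map[string]recordInfo } // first record data

func NewConfigServer(serviceKey []byte) *ConfigServer {
	return &ConfigServer{serviceKey: serviceKey, services: map[string]string{}, accounts: map[string]ed25519.PrivateKey{}}
}

func NewDBServer() *DBServer { return &DBServer{records: map[string]recordInfo{}} }

// ProvisionAccount generates the account's key pair, keeps the private half in
// the second record data and sends (account, public key) to the database server
// as first record information.
func (c *ConfigServer) ProvisionAccount(service, account string, db *DBServer) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	c.services[service] = account
	c.accounts[account] = priv
	db.records[account] = recordInfo{pub: pub, plugin: "ed25519_addr"}
	return nil
}

// ServiceAuthTag is the signature authentication information carried in a service
// request: an HMAC over the client's authentication information under the second key.
func ServiceAuthTag(serviceKey []byte, authInfo string) []byte {
	m := hmac.New(sha256.New, serviceKey)
	m.Write([]byte(authInfo))
	return m.Sum(nil)
}

// HandleServiceRequest: service authentication, service matching, then signing
// the client's communication address with the matched account's private key.
func (c *ConfigServer) HandleServiceRequest(clientAddr, service, authInfo string, authTag []byte) (*AccessConfig, error) {
	if !hmac.Equal(authTag, ServiceAuthTag(c.serviceKey, authInfo)) {
		return nil, errors.New("service authentication failed")
	}
	account, ok := c.services[service]
	if !ok {
		return nil, fmt.Errorf("no account matches service %q", service)
	}
	sig := ed25519.Sign(c.accounts[account], []byte(clientAddr))
	return &AccessConfig{Account: account, Signature: sig}, nil
}

// Authenticate is the database server's check. observedAddr must be the peer address
// of the real connection, never a value copied from the request body: that binding is
// what makes the signed address usable only by that client. Ed25519 does not recover
// the signed message, so verifying over the observed address stands in for the match check.
func (d *DBServer) Authenticate(cfg *AccessConfig, observedAddr string) error {
	rec, ok := d.records[cfg.Account]
	if !ok {
		return fmt.Errorf("unknown account %q", cfg.Account)
	}
	if rec.plugin != "ed25519_addr" { // plug-in indication selects the verification scheme
		return fmt.Errorf("unsupported authentication plug-in %q", rec.plugin)
	}
	if !ed25519.Verify(rec.pub, []byte(observedAddr), cfg.Signature) {
		return errors.New("signature does not match the client's communication address")
	}
	return nil
}

func main() {
	key := []byte("constructed-shared-service-key") // constructed sample secret
	cs, db := NewConfigServer(key), NewDBServer()
	_ = cs.ProvisionAccount("orders-api", "orders_rw", db)
	cfg, err := cs.HandleServiceRequest("10.0.0.5", "orders-api", "orders-api-v1", ServiceAuthTag(key, "orders-api-v1"))
	fmt.Println("service request:", err)
	fmt.Println("from 10.0.0.5:", db.Authenticate(cfg, "10.0.0.5"))
	fmt.Println("same config from 10.0.0.9:", db.Authenticate(cfg, "10.0.0.9"))
}
```

The last two calls in `main` show the property the description claims: the same access configuration succeeds from the address it was issued for and is rejected when presented from any other address. The database server must take `observedAddr` from the transport layer, since the whole scheme rests on the signed address being compared with where the request actually came from.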
Referring to FIG. 6, a block diagram of a computer device 600 according to one embodiment of the application is shown. The computer device 600 may be the terminal device 10, the server 20, or the configuration server 30 in the implementation environment shown in FIG. 1, and is used for implementing the database access authentication method provided in the above embodiments.
In general, computer device 600 includes a processor 610 and a memory 620.
Processor 610 may include one or more processing cores, such as a 4-core processor or an 8-core processor. The processor 610 may be implemented in at least one hardware form of a digital signal processor (DSP), a field programmable gate array (FPGA), or a programmable logic array (PLA). The processor 610 may also include a main processor, which is a processor for processing data in the wake-up state and is also referred to as a central processing unit (CPU), and a coprocessor, which is a low-power processor for processing data in the standby state. In some embodiments, the processor 610 may integrate a graphics processing unit (GPU), which is responsible for rendering the content that the display screen needs to display. In some embodiments, the processor 610 may also include an AI processor for processing computing operations related to machine learning.
Memory 620 may include one or more computer-readable storage media, which may be non-transitory. Memory 620 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer-readable storage medium in memory 620 is used to store a computer program configured to be executed by one or more processors to implement the above-described database access authentication method.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is not limiting as to the computer device 600, and may include more or fewer components than shown, or may combine certain components, or employ a different arrangement of components.
In an exemplary embodiment, a computer-readable storage medium is also provided, in which a computer program is stored which, when executed by a processor, implements the above-mentioned authentication method for database access. Optionally, the computer-readable storage medium may include read-only memory (ROM), random access memory (RAM), a solid state drive (SSD), or an optical disk. The random access memory may include resistive random access memory (ReRAM) and dynamic random access memory (DRAM).
In an exemplary embodiment, a computer program product is also provided, the computer program product comprising a computer program stored in a computer readable storage medium. A processor of a computer device reads the computer program from the computer readable storage medium, the processor executing the computer program causing the computer device to perform the above-described authentication method of database access.
It should be noted that, in the present application, the relevant data (such as pictures) should be collected and processed strictly according to the requirements of relevant national laws and regulations during the application of the examples, so as to obtain the informed consent or independent consent of the personal information body, and develop the subsequent data use and processing behaviors within the authorized scope of the laws and regulations and the personal information body.
It should be understood that references herein to "a plurality" mean two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate the three cases of A alone, A and B together, and B alone. The character "/" generally indicates that the associated objects are in an "or" relationship. In addition, the step numbers described herein are merely an example of one possible execution sequence of the steps; in some other embodiments, the steps may be executed out of numerical order, for example two differently numbered steps may be executed simultaneously or in the opposite order to that shown, which is not limiting.
The foregoing description of the preferred embodiments of the present application is not intended to limit the application, but rather, the application is to be construed as limited to the appended claims.

Claims (20)

1. A database access identity authentication method, characterized in that the method comprises: receiving a database access request sent by a first client, the database access request being used to request access to a first database, the database access request including signature information, wherein the signature information is obtained by signing a communication address of the first client using a first private key corresponding to the first database, and, in a case where a service request sent by the first client passes service authentication, a configuration server sends access configuration information including the signature information to the first client, the service authentication being used to verify the validity of the service request; verifying the signature information using a first public key corresponding to the first database; and, in a case where the information obtained by the signature verification matches the communication address of the first client, determining that the first client passes identity authentication.
2. The method according to claim 1, characterized in that the database access request includes a first account; the method further comprises: obtaining first record data corresponding to the first database, the first record data including at least one piece of record information, each piece of record information including a set of corresponding account and public key; and obtaining, from the first record data, the public key corresponding to the first account to obtain the first public key.
3. The method according to claim 2, characterized in that the record information further includes plug-in indication information, the plug-in indication information being used to indicate an identity authentication plug-in, and the identity authentication plug-in being a plug-in supported by the first database for implementing identity authentication; the verifying the signature information using the first public key corresponding to the first database comprises: calling a first identity authentication plug-in based on first plug-in indication information included in the record information to which the first account and the first public key belong, the first identity authentication plug-in being the identity authentication plug-in indicated by the first plug-in indication information; and verifying the signature information using the first public key through the first identity authentication plug-in.
4. The method according to claim 3, characterized in that, after verifying the signature information using the first public key through the first identity authentication plug-in, the method further comprises: comparing, through the first identity authentication plug-in, the information obtained by the signature verification with the communication address of the first client.
5. The method according to claim 2, characterized in that the method further comprises: receiving first record information sent by a configuration server, the first record information including the first account and the first public key; and adding the first record information to the first record data.
6. A database access identity authentication method, characterized in that the method comprises: receiving a service request sent by a first client, the service request being used to instruct initiation of access to a first database; performing service authentication on the service request, the service authentication being used to verify the validity of the service request; in a case where the service request passes the service authentication, signing a communication address of the first client using a first private key corresponding to the first database to obtain signature information; and sending access configuration information to the first client, the access configuration information including the signature information, wherein a database access request sent by the first client to a server of the first database according to the access configuration information includes the signature information, the database access request being used to request access to the first database, and, in a case where the information obtained by verifying the signature information using a first public key corresponding to the first database matches the communication address of the first client, the first client passes identity authentication.
7. The method according to claim 6, characterized in that the service request includes service feature information, the service feature information being used to indicate a service requirement of the first client; the method further comprises: determining, according to the service feature information, the first database and a first account that match the service requirement of the first client; obtaining second record data corresponding to the first database, the second record data including at least one piece of account information, each piece of account information including a set of corresponding account and private key; and obtaining, from the second record data, the private key corresponding to the first account to obtain the first private key.
8. The method according to claim 7, characterized in that the account information further includes plug-in indication information, the plug-in indication information being used to indicate an identity authentication plug-in, and the identity authentication plug-in being a plug-in supported by the first database for implementing identity authentication; the signing the communication address of the first client using the first private key corresponding to the first database to obtain signature information comprises: determining, based on first plug-in indication information included in the account information to which the first account and the first private key belong, a signature mode corresponding to a first identity authentication plug-in, wherein the first identity authentication plug-in is the identity authentication plug-in indicated by the first plug-in indication information; and signing the communication address of the first client using the first private key based on the signature mode to obtain the signature information.
9. The method according to claim 7, characterized in that the method further comprises: generating a key pair corresponding to the first account, the key pair including a set of corresponding private key and public key, wherein the private key corresponding to the first account is the first private key and the public key corresponding to the first account is the first public key; adding first account information to the second record data, the first account information including the first account and the first private key; and sending first record information to a server of the first database, the first record information including the first account and the first public key.
10. The method according to claim 6, characterized in that the performing service authentication on the service request comprises: obtaining signature authentication information included in the service request, wherein the signature authentication information is obtained by signing authentication information corresponding to the first client using a second key; verifying the signature authentication information using the second key to obtain verified authentication information; and, in a case where the verified authentication information is valid, determining that the service request passes the service authentication.
11. A database access identity authentication method, characterized in that the method comprises: sending a service request to a configuration server, the service request being used to instruct initiation of access to a first database; receiving access configuration information sent by the configuration server, the access configuration information including signature information, wherein the access configuration information is sent in a case where the service request passes service authentication, the service authentication being used to verify the validity of the service request, and the signature information is obtained by signing a communication address of the first client using a first private key corresponding to the first database; and sending, according to the access configuration information, a database access request to a server of the first database, the database access request being used to request access to the first database and including the signature information, wherein, in a case where the information obtained by verifying the signature information using a first public key corresponding to the first database matches the communication address of the first client, the first client passes identity authentication.
12. The method according to claim 11, characterized in that the service request includes service feature information, the service feature information being used to indicate a service requirement of the first client; the first private key is a private key corresponding to a first account obtained, based on the service feature information, from second record data corresponding to the first database, the second record data including at least one piece of account information, each piece of account information including a set of corresponding account and private key.
13. The method according to claim 11, characterized in that the database access request includes a first account; the first public key is a public key corresponding to the first account obtained from first record data corresponding to the first database, the first record data including at least one piece of record information, each piece of record information including a set of corresponding account and public key.
14. A database access identity authentication method, characterized in that the method comprises: a first client sending a service request to a configuration server, the service request being used to instruct initiation of access to a first database; the configuration server performing service authentication on the service request, the service authentication being used to verify the validity of the service request; in a case where the service request passes the service authentication, the configuration server signing a communication address of the first client using a first private key corresponding to the first database to obtain signature information; the configuration server sending access configuration information to the first client, the access configuration information including the signature information; the first client sending, according to the access configuration information, a database access request to a server of the first database, the database access request being used to request access to the first database and including the signature information; the server of the first database verifying the signature information using a first public key corresponding to the first database; and, in a case where the information obtained by the signature verification matches the communication address of the first client, the server of the first database determining that the first client passes identity authentication.
15. An identity authentication apparatus for database access, characterized in that the apparatus comprises: an access request receiving module, configured to receive a database access request sent by a first client, the database access request being used to request access to a first database, the database access request including signature information, wherein the signature information is obtained by signing a communication address of the first client using a first private key corresponding to the first database, and, in a case where a service request sent by the first client passes service authentication, a configuration server sends access configuration information including the signature information to the first client, the service authentication being used to verify the validity of the service request; a signature information verification module, configured to verify the signature information using a first public key corresponding to the first database; and an identity authentication module, configured to determine that the first client passes identity authentication in a case where the information obtained by the signature verification matches the communication address of the first client.
16. An identity authentication apparatus for database access, characterized in that the apparatus comprises: a service request receiving module, configured to receive a service request sent by a first client, the service request being used to instruct initiation of access to a first database; a service authentication module, configured to perform service authentication on the service request, the service authentication being used to verify the validity of the service request; a communication address signing module, configured to, in a case where the service request passes the service authentication, sign a communication address of the first client using a first private key corresponding to the first database to obtain signature information; and a configuration information sending module, configured to send access configuration information to the first client, the access configuration information including the signature information, wherein a database access request sent by the first client to a server of the first database according to the access configuration information includes the signature information, the database access request being used to request access to the first database, and, in a case where the information obtained by verifying the signature information using a first public key corresponding to the first database matches the communication address of the first client, the first client passes identity authentication.
17. An identity authentication apparatus for database access, characterized in that the apparatus comprises:
An identity authentication device for database access, characterized in that the device comprises: 服务请求发送模块,用于向配置服务器发送服务请求,所述服务请求用于指示对第一数据库发起访问;A service request sending module, configured to send a service request to the configuration server, wherein the service request is used to instruct to initiate access to the first database; 配置信息接收模块,用于接收所述配置服务器发送的访问配置信息,所述访问配置信息中包括签名信息,其中,所述访问配置信息是在服务请求通过服务鉴权的情况下发送的,所述服务鉴权用于验证所述服务请求的合法性,所述签名信息是采用所述第一数据库对应的第一私钥,对所述第一客户端的通信地址进行签名得到的;a configuration information receiving module, configured to receive access configuration information sent by the configuration server, the access configuration information including signature information, wherein the access configuration information is sent when the service request passes service authentication, the service authentication being used to verify the legitimacy of the service request, and the signature information is obtained by signing the communication address of the first client using the first private key corresponding to the first database; 访问请求发送模块,用于根据所述访问配置信息,向所述第一数据库的服务器发送数据库访问请求,所述数据库访问请求用于请求对所述第一数据库进行访问,所述数据库访问请求中包括所述签名信息,其中,在采用所述第一数据库对应的第一公钥对所述签名信息进行验签得到的信息,与所述第一客户端的通信地址相匹配的情况下,所述第一客户端通过身份验证。An access request sending module is used to send a database access request to the server of the first database according to the access configuration information, wherein the database access request is used to request access to the first database, and the database access request includes the signature information. When the signature information is verified using the first public key corresponding to the first database, and the information obtained matches the communication address of the first client, the first client passes the identity authentication. 18.一种计算机设备,其特征在于,所述计算机设备包括处理器和存储器,所述存储器中存储有计算机程序,所述计算机程序由所述处理器加载并执行以实现如权利要求1至5任一项所述的方法,或实现如权利要求6至10任一项所述的方法,或实现如权利要求11至13任一项所述的方法。18. 
A computer device, characterized in that the computer device comprises a processor and a memory, the memory storing a computer program, the computer program being loaded and executed by the processor to implement the method according to any one of claims 1 to 5, or the method according to any one of claims 6 to 10, or the method according to any one of claims 11 to 13. 19.一种计算机可读存储介质,其特征在于,所述存储介质中存储有计算机程序,所述计算机程序用于被处理器执行,以实现如权利要求1至5任一项所述的方法,或实现如权利要求6至10任一项所述的方法,或实现如权利要求11至13任一项所述的方法。19. A computer-readable storage medium, characterized in that a computer program is stored in the storage medium, and the computer program is used to be executed by a processor to implement the method according to any one of claims 1 to 5, or to implement the method according to any one of claims 6 to 10, or to implement the method according to any one of claims 11 to 13. 20.一种计算机程序产品,其特征在于,所述计算机程序产品包括计算机程序,所述计算机程序由处理器加载并执行以实现如权利要求1至5任一项所述的方法,或实现如权利要求6至10任一项所述的方法,或实现如权利要求11至13任一项所述的方法。20. A computer program product, characterized in that the computer program product comprises a computer program, which is loaded and executed by a processor to implement the method according to any one of claims 1 to 5, or the method according to any one of claims 6 to 10, or the method according to any one of claims 11 to 13.
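The three-party flow of claim 14, with the per-account key records of claims 12 and 13, as an added Go example that is not part of the patent: Ed25519 is assumed as the signature scheme (the claims name none), an allowlist stands in for the unspecified service authentication, and the account name and addresses are constructed. Because Ed25519 verifies a signature against a message rather than recovering the message, the database server checks the signature over the address it actually observes on the connection, which is how the claim's "verified information matches the communication address" test is realized here; a signature carried to another address therefore fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// AccessConfig is the access configuration information; Sig is the signature over the client's communication address.
type AccessConfig struct {
	Account string
	Sig     []byte
}

// ConfigServer: allowlist used for service authentication (assumed policy) and second record data, account -> private key.
type ConfigServer struct {
	Allowed  map[string]bool
	PrivKeys map[string]ed25519.PrivateKey
}

// HandleServiceRequest authenticates the service request, then signs clientAddr (taken from the connection, never from the request body).
func (c *ConfigServer) HandleServiceRequest(account, clientAddr string) (*AccessConfig, error) {
	key, ok := c.PrivKeys[account]
	if !c.Allowed[account] || !ok {
		return nil, errors.New("service authentication failed")
	}
	return &AccessConfig{Account: account, Sig: ed25519.Sign(key, []byte(clientAddr))}, nil
}

// DBServer holds the first record data, account -> public key.
type DBServer struct {
	PubKeys map[string]ed25519.PublicKey
}

// Authenticate verifies the signature against the address the access request actually arrived from,
// so a signature copied to another host fails to verify; an unknown account is rejected before Verify runs.
func (d *DBServer) Authenticate(cfg *AccessConfig, observedAddr string) bool {
	pub, ok := d.PubKeys[cfg.Account]
	return ok && ed25519.Verify(pub, []byte(observedAddr), cfg.Sig)
}

// NewDeployment generates one key pair for account and installs it in both servers' record data.
func NewDeployment(account string) (*ConfigServer, *DBServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cs := &ConfigServer{Allowed: map[string]bool{account: true}, PrivKeys: map[string]ed25519.PrivateKey{account: priv}}
	return cs, &DBServer{PubKeys: map[string]ed25519.PublicKey{account: pub}}, nil
}
```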
Application Number: CN202410185744.9A
Priority Date: 2024-02-19
Filing Date: 2024-02-19
Title: Authentication method, device, equipment and storage medium for database access
Status: Pending, CN120509016A (en)


Publication Number: CN120509016A (en)
Publication Date: 2025-08-19

Family

ID=96707384


Country Status (1)

Country Link
CN (1) CN120509016A (en)


Legal Events

Date Code Title Description
PB01 Publication