WO2025081795A1 - Cloud platform access method and apparatus, electronic device, and storage medium - Google Patents
- Publication number
- WO2025081795A1 (PCT/CN2024/093205)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- access
- user
- cloud platform
- permission
- rights
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/50—Allocation of resources, e.g. of the central processing unit [CPU]
- G06F9/5061—Partitioning or combining of resources
- G06F9/5072—Grid computing
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Definitions
- the present application relates to the technical field of cloud platforms, and in particular to a cloud platform access method, device, electronic device and storage medium.
- the access rights configured for users are at the menu level and button level, which cannot guarantee the security of interface functions.
- the user's access rights need to be authenticated by each microservice, which increases the resource consumption of microservices and reduces the efficiency of microservice development.
- the present application provides a cloud platform access method, device, electronic device and storage medium to improve the functional security of cloud platform interfaces, reduce resource consumption of microservices, and improve the development efficiency of microservices.
- an embodiment of the present application provides a cloud platform access method, including:
- the access rights including button rights and interface rights
- the user is allowed to access the microservice corresponding to the target access address.
- the access rights configured for users are at the minimum granularity interface level to ensure the security of interface functions, realize the security management of cloud platform interfaces, and perform unified authentication and verification of user access rights, thereby reducing the resource consumption of microservices.
- Microservices only need to focus on the development of their own business functions, thereby improving the development efficiency of microservices.
- the method further includes:
- the user's access rights are obtained through the basic system management service and saved in the cache.
- obtaining the user's access rights through the basic system management service and saving the access rights to the cache includes:
- the permission list including directory permissions, menu permissions, button permissions and interface permissions;
- the button permissions and interface permissions in the permission list are saved in the cache through the basic system management service.
- the method further includes:
- the user's permission list is returned to the user through the basic system management service.
- the method further includes:
- the login information is verified through the basic system management service, and if the verification passes, it is determined that the user has successfully logged into the cloud platform.
- the method further includes:
- the method further includes:
- the permission configuration information includes a role configured for the user and a permission list configured for the role;
- the user's permission configuration information can be saved in the database through the basic system management service.
- obtaining the access rights of the user from the cache includes:
- the allowing the user to access the microservice corresponding to the target access address when it is determined that the access address corresponding to the access permission has the target access address includes:
- the business gateway service determines whether the access address corresponding to the access permission contains the target access address, and if it is determined that the access address corresponding to the access permission contains the target access address, the user is allowed to access the microservice corresponding to the target access address.
- the business gateway service obtains the user's access rights from the cache for authentication and verification, effectively improving the authentication efficiency of the business gateway service, thereby improving the access efficiency of users.
- an embodiment of the present application proposes a cloud platform access device, including:
- a first acquisition module is used to acquire a user's access request to the cloud platform, wherein the access request includes a target access address;
- a second acquisition module is used to acquire the user's access rights from the cache, where the access rights include button rights and interface rights;
- a determination module is used to determine whether the access address corresponding to the access permission contains the target access address, and if it is determined that the access address corresponding to the access permission contains the target access address, allow the user to access the microservice corresponding to the target access address.
- the access rights configured for users are at the minimum granularity interface level to ensure the security of interface functions, realize the security management of cloud platform interfaces, and perform unified authentication and verification of user access rights, thereby reducing the resource consumption of microservices.
- Microservices only need to focus on the development of their own business functions, thereby improving the development efficiency of microservices.
- an embodiment of the present application proposes an electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, the cloud platform access method as described in the first aspect is implemented.
- the access rights configured for users are at the minimum granularity interface level to ensure the security of interface functions, realize the security management of cloud platform interfaces, and perform unified authentication and verification of user access rights, thereby reducing the resource consumption of microservices.
- Microservices only need to focus on the development of their own business functions, thereby improving the development efficiency of microservices.
- an embodiment of the present application proposes a computer-readable storage medium on which a computer program is stored.
- the computer program is executed by a processor, the cloud platform access method described in the first aspect is implemented.
- the access rights configured for users are at the minimum granularity interface level to ensure the security of interface functions, realize the security management of cloud platform interfaces, and perform unified authentication and verification of user access rights, thereby reducing the resource consumption of microservices.
- Microservices only need to focus on the development of their own business functions, thereby improving the development efficiency of microservices.
- FIG. 1 is a flow chart of a cloud platform access method provided in some embodiments of the present application.
- FIG. 2 is a schematic diagram of a cloud platform architecture in a cloud platform access method provided in some embodiments of the present application.
- FIG. 3 is a diagram of the basic system management data model relationship in the cloud platform access method provided in some embodiments of the present application.
- FIG. 4 is a schematic diagram of the structure of a cloud platform access device provided in some embodiments of the present application.
- FIG. 5 is a schematic diagram of the structure of an electronic device provided in some embodiments of the present application.
- first, second, etc. in the specification and claims of the present application are used to distinguish similar objects, and are not used to describe a specific order or sequence. It should be understood that the data used in this way can be interchangeable under appropriate circumstances, so that the embodiments of the present application can be implemented in an order other than those illustrated or described here, and the objects distinguished by "first", "second", etc. are generally of one type, and the number of objects is not limited.
- the first object can be one or more.
- "and/or" in the specification and claims represents at least one of the connected objects, and the character "/" generally indicates that the objects associated with each other are in an "or" relationship.
- the access rights configured for users are at the menu level and button level, and the cloud platform interfaces are not securely managed.
- the user can access the microservice corresponding to the interface based on the address of the interface, resulting in the inability to ensure the functional security of the interface.
- the microservice is required to authenticate and verify the user's access rights by itself to determine whether the user is allowed to access the microservice. This authentication method results in a large resource consumption of microservices, and microservices not only need to focus on the development of their own business functions, but also need to authenticate the user's access rights, reducing the development efficiency of microservices.
- this application proposes a cloud platform access method, which configures the minimum granularity interface level access rights for users. Even if the user obtains the address of the interface, the user cannot access the microservice corresponding to the interface if the user does not have the access rights to the interface, thereby ensuring the functional security of the interface and realizing the security management and control of the cloud platform interface.
- the user's access rights are uniformly authenticated and verified, and each microservice does not need to perform authentication processing, which reduces the resource consumption of microservices, and microservices only need to focus on the development of their own business functions, improving the development efficiency of microservices.
- FIG. 1 is a flow chart of a cloud platform access method according to an embodiment of the present application.
- the cloud platform access method provided in the embodiment of the present application includes steps 110 to 130.
- Step 110: Obtain the user's access request to the cloud platform, where the access request includes a target access address.
- the cloud platform has a front end and a back end.
- the front end of the cloud platform can be a browser end or a web page end, as shown in Figure 2, and the front end of the cloud platform can be provided with a business management system.
- the back end of the cloud platform can provide various resources, as shown in Figure 2, and the back end of the cloud platform is provided with a cloud platform microservice cluster, which can provide business gateway services and various internal microservices.
- Users can interact with the front end of the cloud platform. Users can perform business operations on the front end, and the front end can respond to the user's operations, determine the microservice corresponding to the business operated by the user, and generate an access request for the microservice.
- the front end sends the access request to the back end, and the business gateway service of the back end first obtains the access request in order to perform unified authentication and verification of the user's access rights.
- the access request includes a target access address, which is the access address of the microservice that the user wants to access.
- the access address can be a URL (uniform resource locator).
- the access request may further include a user identifier.
- the user identifier may be used to represent the identity information of the user, for example, the user identifier may be a user account. Through the user identifier, the access request may be matched with the user.
- the business gateway service can simultaneously obtain access requests from multiple users for the same microservice, and can also simultaneously obtain access requests from multiple users for different microservices.
- Step 120: Obtain the user's access rights from the cache, where the access rights include button rights and interface rights.
- the user's access rights are pre-saved in the cache. After the access request is obtained, the user's access rights are read directly from the cache for authentication and verification.
- obtaining the user's access rights from the cache in step 120 includes:
- the user's access permissions are retrieved from the cache through the business gateway service.
- the business gateway service can call the user's access rights in the cache.
- the user's access rights in the cache include button rights and interface rights, that is, the user's access rights are used to indicate the button addresses and interface addresses that the user is allowed to access, and the button addresses and interface addresses are the user's access addresses.
- buttons and interfaces are displayed on the front end in the form of buttons and interfaces.
- the configuration of the minimum granularity interface level permissions is achieved.
- the user identifier and access rights can be stored in the cache in correspondence with each other.
- After obtaining an access request, the business gateway service obtains the access rights corresponding to the user identifier from the cache based on the user identifier in the access request.
- the access rights corresponding to the user identifier are the user's access rights.
- Step 130: When it is determined that the access address corresponding to the access permission has the target access address, the user is allowed to access the microservice corresponding to the target access address.
- the access address corresponding to the access permission is the button address and interface address that the user is allowed to access. By comparing the access address corresponding to the access permission with the target access address, it can be determined whether the user is allowed to access the microservice corresponding to the target access address.
- step 130 when it is determined that the access address corresponding to the access permission has the target access address, allowing the user to access the microservice corresponding to the target access address includes:
- the business gateway service is used to determine whether the access address corresponding to the access permission has the target access address, and if it is determined that the access address corresponding to the access permission has the target access address, the user is allowed to access the microservice corresponding to the target access address.
- the business gateway service detects whether the access address corresponding to the user's access rights contains the target access address. If so, it indicates that the user has access rights to the target access address, and the user is allowed to access the microservice corresponding to the target access address. If not, it indicates that the user does not have access rights to the target access address, and the user is not allowed to access the microservice corresponding to the target access address.
- the business gateway service forwards the user's access request to the microservice corresponding to the target access address, so that the user can access the microservice corresponding to the target access address.
- the embodiment of the present application configures the minimum granularity interface level permissions to the user, ensures the functional security of the cloud platform interface, and allows the cloud platform interface to be provided to the front-end business management system under security control.
- the user's access rights are uniformly authenticated and verified through the business gateway service, without the need for each microservice to authenticate the user's access rights. This reduces the security and access control work of the microservices and their resource consumption; microservices only need to focus on their own business function development, which improves the development efficiency of microservices and the timeliness of function release.
- the cloud platform access method further includes:
- the user's access rights are obtained through the basic system management service and saved in the cache.
- the user's access rights are pre-configured and stored. Before the user performs business operations on the front end, the user needs to log in to the business management system on the front end to log in to the cloud platform. When it is determined that the user has successfully logged in to the cloud platform, the basic system management service obtains the pre-stored user's access rights and stores the user's access rights in the cache.
- the cache can be a redis cache.
- the basic system management service is a microservice in the backend of the cloud platform.
- This embodiment uses the basic system management service as an independent service to provide functions such as permission management, so that other microservices do not need to pay attention to permission management issues, thereby improving the development efficiency of other microservices.
- the basic system management service saves the user's access rights to the cache, so that the business gateway service can directly obtain the user's access rights from the cache for authentication verification after obtaining the user's access request, effectively improving the authentication efficiency of the business gateway service, and thus improving the user's access efficiency.
- the step of obtaining the user's access rights through the basic system management service and saving them in the cache includes:
- the permission list includes directory permissions, menu permissions, button permissions, and interface permissions.
- the button permissions and interface permissions in the permission list are saved to the cache through the basic system management service.
- the user's permission list is pre-stored in the database.
- the basic system management service obtains the user's permission list from the database.
- the permission list includes multiple types of permissions configured for the user, namely directory permissions, menu permissions, button permissions, and interface permissions. Among them, directory permissions are configured as the routing path of the directory, menu permissions are configured as the routing path of the menu, button permissions are configured as the address of the button, and interface permissions are configured as the address of the interface.
- After obtaining the user's permission list, the basic system management service saves the button permissions and interface permissions in the permission list into the cache.
- the button permissions and interface permissions are the user's access permissions.
- This embodiment divides the permission types into detailed categories, making it easier to manage and control permissions.
- the database pre-stores the correspondence between users and roles, and the correspondence between roles and permission lists.
- the basic system management service can determine the user's role based on the correspondence between users and roles, and can determine the user's permission list based on the correspondence between roles and permission lists.
- roles can be pre-configured for users, and different users can have different roles.
- a user's role can be a common user or an administrator, and of course other roles can be defined, and each role has a corresponding permission list.
- Permission lists can be pre-configured for roles, and different roles can have different permission lists.
- the user's permission list is returned to the user through the basic system management service.
- the basic system management service can return the user's permission list to the business gateway service, and the business gateway service forwards the user's permission list to the front end.
- the front end can display the corresponding permissions to the user based on the user's permission list. For example, the front end displays the menus and buttons that the user has permissions to so that the user can operate the menus and buttons on the front end.
- the cloud platform access method further includes:
- the login information is verified through the basic system management service, and if the verification passes, it is determined that the user has successfully logged into the cloud platform.
- the user can log in at the front end, for example, the user enters the user account and password at the front end.
- the front end responds to the user's login operation and generates a login request, which includes login information.
- the login information can be the information entered by the user at the front end, such as the user account and password.
- the front end sends the login request to the back end, and the business gateway service at the back end first obtains the login request. It should be noted that for the user's login request, the business gateway service does not need to authenticate the user's access rights, and directly forwards the login request to the basic system management service.
- the basic system management service can verify the login information in the login request, and after the verification, return a token to the business gateway service.
- the business gateway forwards the token to the front end to indicate that the user has successfully logged into the cloud platform.
- This embodiment uses the basic system management service as an independent service to provide login management and other functions, so that other microservices do not need to pay attention to login management issues, thereby improving the development efficiency of other microservices.
- the login request may also include a user identifier.
- the user's pre-configured permission list is stored in the database of the basic system management service in correspondence with the user identifier.
- the basic system management service may obtain the permission list corresponding to the user identifier from the database, i.e., the user's permission list, and store the user's access rights (i.e., button permissions and interface permissions in the permission list) in correspondence with the user identifier in the cache.
- the cloud platform access method further includes:
- the basic system management service can set a login interval. If the user has not logged in for a long time, the user's login is determined to be invalid, and the basic system management service clears the user's access rights in the cache.
- After re-confirming that the user has successfully logged in to the cloud platform, the basic system management service re-acquires the user's access rights and saves them to the cache.
- the cloud platform access method further includes:
- the user's permission configuration information can be saved in the database through the basic system management service.
- User roles can include common users and administrators.
- the permissions configured for roles such as administrators and common users can be different. For example, administrators have business function usage and management permissions, while common users only have business function usage permissions.
- the front-end business management system may include functions such as user account management, role management, authority management, and operation record management.
- user account management is used to manage user account information
- role management is used to manage user roles and other information
- authority management is used to manage information such as permissions corresponding to roles
- operation record management is used to record user access to microservices.
- the user account management, role management, permission management and operation record management functions of the front-end business management system can be provided by the back-end basic system management service.
- the basic system management service can generate a management system configuration page and display the management system configuration page to the administrator on the front end so that the administrator can configure corresponding permissions for ordinary users.
- the administrator creates a user account, creates a role, and configures permissions on the management system configuration page, then grants permissions to the role, and then grants the role to the user's account to generate the user's permission configuration information.
- the front end sends the user's permission configuration information to the business gateway service, and the business gateway service forwards the user's permission configuration information to the basic system management service.
- the basic system management service stores the user's permission configuration information in the database in the form of a basic system management data model.
- the basic system management data model relationship diagram is shown in Figure 3.
- the defined data model includes a user account table, a role table, a user role relationship table, a permission table, and a role permission relationship table.
- the user account table may include information such as the user's account, email address, and mobile phone number.
- the role table may include information such as role code, role name, and role type (such as administrator, ordinary user).
- the permission table may include information such as permission code, permission name, front-end routing, routing path, and permission type. Permission types include directories, menus, buttons, and interfaces.
- the user role relationship table includes a role table ID and a user account table ID.
- the user account table ID is the identifier of the user account table, and the user account table ID can associate the user account table with the user role relationship table.
- the role table ID is the identifier of the role table, and the role table ID can associate the role table with the user role relationship table.
- the role permission relationship table includes a role table ID and a permission table ID.
- the role table ID is the identifier of the role table, and the role table ID can associate the role table with the role permission relationship table.
- the permission table ID is the identifier of the permission table, and the permission table ID can associate the permission table with the role permission relationship table.
- the role table can be associated with the permission table.
- This embodiment configures user permissions by configuring permissions for roles and users, thereby improving the flexibility of user permission configuration.
- the basic system management service provides basic management functions as an independent service, so that other microservices only need to focus on their own business function development, improve development efficiency, and improve the timeliness of function release.
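The five-table data model and the login-time cache load described above, as an added example using SQLite and a dict in place of the database and cache; it is not code from the patent. Column names, the helper names `build_db`, `permission_list`, `on_login` and `on_login_invalid`, and every row of sample data are constructed assumptions.

```python
import sqlite3

# Assumed column names; the tables and relationships follow the description.
SCHEMA = """
CREATE TABLE user_account (id INTEGER PRIMARY KEY, account TEXT UNIQUE,
                           email TEXT, mobile TEXT);
CREATE TABLE role (id INTEGER PRIMARY KEY, role_code TEXT UNIQUE,
                   role_name TEXT, role_type TEXT);
CREATE TABLE permission (
    id INTEGER PRIMARY KEY, permission_code TEXT UNIQUE, permission_name TEXT,
    routing_path TEXT NOT NULL,
    permission_type TEXT NOT NULL
        CHECK (permission_type IN ('directory', 'menu', 'button', 'interface')));
CREATE TABLE user_role (
    user_account_id INTEGER NOT NULL REFERENCES user_account(id),
    role_id INTEGER NOT NULL REFERENCES role(id),
    PRIMARY KEY (user_account_id, role_id));
CREATE TABLE role_permission (
    role_id INTEGER NOT NULL REFERENCES role(id),
    permission_id INTEGER NOT NULL REFERENCES permission(id),
    PRIMARY KEY (role_id, permission_id));
"""

CACHED_TYPES = ("button", "interface")   # only these become access rights


def build_db() -> sqlite3.Connection:
    """In-memory database filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user_account VALUES (?,?,?,?)", [
        (1, "alice", "alice@example.test", "000-0001"),
        (2, "bob", "bob@example.test", "000-0002")])
    conn.executemany("INSERT INTO role VALUES (?,?,?,?)", [
        (1, "ADMIN", "Administrator", "administrator"),
        (2, "USER", "Common user", "ordinary user")])
    conn.executemany("INSERT INTO permission VALUES (?,?,?,?,?)", [
        (1, "SYS_DIR", "System", "/system", "directory"),
        (2, "SYS_USERS_MENU", "Users", "/system/users", "menu"),
        (3, "USER_DELETE_BTN", "Delete user", "/api/users/delete", "button"),
        (4, "USER_LIST_API", "List users", "/api/users/list", "interface"),
        (5, "ORDERS_MENU", "Orders", "/orders", "menu"),
        (6, "ORDER_LIST_API", "List orders", "/api/orders/list", "interface")])
    conn.executemany("INSERT INTO user_role VALUES (?,?)",
                     [(1, 1), (1, 2), (2, 2)])
    conn.executemany("INSERT INTO role_permission VALUES (?,?)",
                     [(1, 1), (1, 2), (1, 3), (1, 4), (2, 5), (2, 6)])
    return conn


def permission_list(conn, account):
    """User -> roles -> permissions, resolved through the two relationship tables."""
    return conn.execute("""
        SELECT DISTINCT p.permission_type, p.routing_path
        FROM user_account u
        JOIN user_role ur       ON ur.user_account_id = u.id
        JOIN role_permission rp ON rp.role_id = ur.role_id
        JOIN permission p       ON p.id = rp.permission_id
        WHERE u.account = ?
        ORDER BY p.permission_type, p.routing_path""", (account,)).fetchall()


def on_login(conn, cache, account):
    """After a successful login: cache button and interface addresses under the
    user identifier and return the full permission list for the front end."""
    full = permission_list(conn, account)
    cache[account] = {path for ptype, path in full if ptype in CACHED_TYPES}
    return full


def on_login_invalid(cache, account):
    """Login determined to be invalid: clear the user's cached access rights."""
    cache.pop(account, None)


if __name__ == "__main__":
    db, cache = build_db(), {}
    print(on_login(db, cache, "bob"))
    print(cache)
```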
- the cloud platform access method provided in the embodiment of the present application can be executed by a cloud platform access device.
- the cloud platform access device executing the cloud platform access method is taken as an example to illustrate the cloud platform access device provided in the embodiment of the present application.
- the embodiment of the present application also provides a cloud platform access device.
- the cloud platform access device includes: a first acquisition module 10, a second acquisition module 20 and a determination module 30.
- a first acquisition module 10 is used to acquire a user's access request to the cloud platform, wherein the access request includes a target access address;
- a second acquisition module 20 used to acquire the user's access rights from the cache, the access rights including button rights and interface rights;
- the determination module 30 is used to determine whether the access address corresponding to the access permission contains the target access address, and when it is determined that the access address corresponding to the access permission has the target access address, the user is allowed to access the microservice corresponding to the target access address.
- the access rights configured for users in the embodiment of the present application are at the minimum granularity interface level, which ensures the security of interface functions, realizes the security management and control of cloud platform interfaces, and performs unified authentication and verification on user access rights, thereby reducing the resource consumption of microservices.
- Microservices only need to focus on the development of their own business functions, thereby improving the development efficiency of microservices.
- the second acquisition module 20 is further used to call the user's access rights from the cache through the business gateway service;
- the determination module 30 is also used to determine through the business gateway service whether the access address corresponding to the access permission contains the target access address, and when it is determined that the access address corresponding to the access permission contains the target access address, allow the user to access the microservice corresponding to the target access address.
- This embodiment obtains the user's access rights from the cache through the business gateway service for authentication verification, which effectively improves the authentication efficiency of the business gateway service and further improves the user's access efficiency.
- the cloud platform access device further includes a third acquisition module, and the third acquisition module is used to:
- the user's access rights are obtained through the basic system management service and saved in the cache.
- This embodiment obtains the user's access rights through the basic system management service and saves them in the cache, so that the business gateway service can directly obtain the user's access rights from the cache for authentication verification after obtaining the user's access request, effectively improving the authentication efficiency of the business gateway service and thereby improving the user's access efficiency.
- the third acquisition module is further used to:
- the permission list including directory permissions, menu permissions, button permissions and interface permissions;
- the button permissions and interface permissions in the permission list are saved in the cache through the basic system management service.
- This embodiment makes it easier to manage and control permissions by dividing permission types in detail.
- the cloud platform access device further includes a return module, and the return module is used to:
- the user's permission list is returned to the user through the basic system management service.
- the cloud platform access device further includes a fourth acquisition module, and the fourth acquisition module is used to:
- the login information is verified through the basic system management service, and if the verification passes, it is determined that the user has successfully logged into the cloud platform.
- the cloud platform access device further includes a clearing module, and the clearing module is used to:
- the user's access rights in the cache are cleared through the basic system management service.
- the cloud platform access device further includes a fifth acquisition module, and the fifth acquisition module is used to:
- the permission configuration information includes a role configured for the user and a permission list configured for the role;
- the user's permission configuration information can be saved in the database through the basic system management service.
- This embodiment provides basic management functions by using basic system management services as independent services, so that other microservices only need to focus on their own business function development, improve development efficiency, and improve function release timeliness.
- the cloud platform access device in the embodiment of the present application can be an electronic device, or a component in the electronic device, such as an integrated circuit or a chip.
- the electronic device can be a terminal, or a device other than a terminal.
- the electronic device can be a server, a network attached storage (NAS) or a personal computer (PC), etc., which is not specifically limited in the embodiment of the present application.
- the cloud platform access device in the embodiment of the present application may be a device having an operating system.
- the operating system may be a Windows operating system, an Android operating system, an iOS operating system, or another possible operating system, which is not specifically limited in the embodiment of the present application.
- the cloud platform access device provided in the embodiment of the present application can implement each process of the cloud platform access method in the method embodiments of Figures 1 to 3, and will not be described again here to avoid repetition.
- the embodiment of the present application also provides an electronic device 500, including a processor 501, a memory 502, and a computer program stored in the memory 502 and executable on the processor 501.
- when the program is executed by the processor 501, the processes of the above cloud platform access method embodiment are implemented and the same technical effect can be achieved; to avoid repetition, they are not described again here.
- An embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored.
- when the computer program is executed by a processor, the steps of the cloud platform access method of any of the above embodiments are implemented; for the sake of brevity, they are not repeated here.
- the technical solution of the present application can be embodied in the form of a computer software product, which is stored in a storage medium (such as ROM/RAM, a disk, or an optical disk), and includes a number of instructions for a terminal (which can be a mobile phone, a computer, a server, or a network device, etc.) to execute the methods described in each embodiment of the present application.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Mathematical Physics (AREA)
- Storage Device Security (AREA)
Abstract
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is based on Chinese patent application No. 202311363639.1, filed on October 19, 2023, and claims priority to that Chinese patent application, the entire content of which is incorporated herein by reference.
The present application relates to the technical field of cloud platforms, and in particular to a cloud platform access method, device, electronic device and storage medium.
By configuring different access rights for different users of a cloud platform, different users' access to different microservices in the cloud platform can be controlled. In the related art, the access rights configured for users are at the menu level and button level, which cannot guarantee the security of interface functions. In addition, each microservice has to authenticate and verify the user's access rights itself, which increases the resource consumption of microservices and reduces the efficiency of microservice development.
Summary of the invention
The present application provides a cloud platform access method, device, electronic device and storage medium to improve the functional security of cloud platform interfaces, reduce the resource consumption of microservices, and improve the development efficiency of microservices.
In a first aspect, an embodiment of the present application provides a cloud platform access method, including:
obtaining a user's access request to the cloud platform, wherein the access request includes a target access address;
obtaining the user's access rights from a cache, the access rights including button permissions and interface permissions;
when it is determined that the access addresses corresponding to the access rights include the target access address, allowing the user to access the microservice corresponding to the target access address.
In the above technical solution, the access rights configured for users are at the minimum-granularity interface level, which ensures the security of interface functions and realizes security management and control of cloud platform interfaces. User access rights are authenticated and verified in a unified way, which reduces the resource consumption of microservices. Microservices only need to focus on the development of their own business functions, which improves their development efficiency.
According to one embodiment of the present application, the method further includes:
when it is determined that the user has successfully logged into the cloud platform, obtaining the user's access rights through the basic system management service and saving them in the cache.
The user's access rights are obtained through the basic system management service and saved in the cache, so that the business gateway service can, after obtaining the user's access request, obtain the user's access rights directly from the cache for authentication verification. This effectively improves the authentication efficiency of the business gateway service and thus the user's access efficiency.
According to an embodiment of the present application, obtaining the user's access rights through the basic system management service and saving them in the cache includes:
obtaining the user's permission list from a database through the basic system management service, the permission list including directory permissions, menu permissions, button permissions and interface permissions;
saving the button permissions and interface permissions in the permission list to the cache through the basic system management service.
Dividing the permission types in detail makes permission management and control easier.
According to one embodiment of the present application, the method further includes:
returning the user's permission list to the user through the basic system management service.
According to one embodiment of the present application, the method further includes:
obtaining a login request from the user for the cloud platform, wherein the login request includes login information;
verifying the login information through the basic system management service, and if the verification passes, determining that the user has successfully logged into the cloud platform.
According to one embodiment of the present application, the method further includes:
when it is determined that the user's login is invalid, clearing the user's access rights in the cache through the basic system management service.
According to one embodiment of the present application, the method further includes:
obtaining permission configuration information of the user, wherein the permission configuration information includes a role configured for the user and a permission list configured for the role;
the user's permission configuration information can be saved in the database through the basic system management service.
By providing basic management functions through the basic system management service as an independent service, other microservices only need to focus on developing their own business functions, which improves development efficiency and the timeliness of function release.
According to an embodiment of the present application, obtaining the user's access rights from the cache includes:
retrieving the user's access rights from the cache through the business gateway service;
and allowing the user to access the microservice corresponding to the target access address when it is determined that the access addresses corresponding to the access rights include the target access address includes:
determining, through the business gateway service, whether the access addresses corresponding to the access rights include the target access address, and if they do, allowing the user to access the microservice corresponding to the target access address.
The business gateway service obtains the user's access rights from the cache for authentication verification, which effectively improves the authentication efficiency of the business gateway service and thus the user's access efficiency.
In a second aspect, an embodiment of the present application proposes a cloud platform access device, including:
a first acquisition module, used to obtain a user's access request to the cloud platform, wherein the access request includes a target access address;
a second acquisition module, used to obtain the user's access rights from the cache, the access rights including button permissions and interface permissions;
a determination module, used to determine whether the access addresses corresponding to the access rights include the target access address, and if they do, to allow the user to access the microservice corresponding to the target access address.
In the above technical solution, the access rights configured for users are at the minimum-granularity interface level, which ensures the security of interface functions and realizes security management and control of cloud platform interfaces. User access rights are authenticated and verified in a unified way, which reduces the resource consumption of microservices. Microservices only need to focus on the development of their own business functions, which improves their development efficiency.
In a third aspect, an embodiment of the present application proposes an electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the cloud platform access method described in the first aspect.
In the above technical solution, the access rights configured for users are at the minimum-granularity interface level, which ensures the security of interface functions and realizes security management and control of cloud platform interfaces. User access rights are authenticated and verified in a unified way, which reduces the resource consumption of microservices. Microservices only need to focus on the development of their own business functions, which improves their development efficiency.
In a fourth aspect, an embodiment of the present application proposes a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, the cloud platform access method described in the first aspect is implemented.
In the above technical solution, the access rights configured for users are at the minimum-granularity interface level, which ensures the security of interface functions and realizes security management and control of cloud platform interfaces. User access rights are authenticated and verified in a unified way, which reduces the resource consumption of microservices. Microservices only need to focus on the development of their own business functions, which improves their development efficiency.
In order to explain the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly introduced below. It should be understood that the following drawings show only certain embodiments of the present application and therefore should not be regarded as limiting its scope. A person of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
FIG. 1 is a flow chart of a cloud platform access method provided in some embodiments of the present application;
FIG. 2 is a schematic diagram of a cloud platform architecture in a cloud platform access method provided in some embodiments of the present application;
FIG. 3 is a diagram of the basic system management data model relationships in the cloud platform access method provided in some embodiments of the present application;
FIG. 4 is a schematic diagram of the structure of a cloud platform access device provided in some embodiments of the present application;
FIG. 5 is a schematic diagram of the structure of an electronic device provided in some embodiments of the present application.
The technical solutions in the embodiments of the present application are described clearly below with reference to the drawings in the embodiments. Obviously, the described embodiments are some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application fall within the scope of protection of this application.
The terms "first", "second", etc. in the specification and claims of the present application are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that the data used in this way are interchangeable where appropriate, so that the embodiments of the present application can be implemented in an order other than those illustrated or described here. The objects distinguished by "first", "second", etc. are generally of one type, and the number of objects is not limited; for example, the first object can be one or more. In addition, "and/or" in the specification and claims represents at least one of the connected objects, and the character "/" generally indicates an "or" relationship between the objects before and after it.
In the era of cloud computing, a large number of resources are managed uniformly through cloud platforms, and microservices are provided externally in the form of interfaces. To facilitate management, different access rights are configured for different users of the cloud platform, which makes it possible to control different users' access to different microservices in the cloud platform.
In the related art, the access rights configured for users are at the menu level and button level, and the cloud platform interfaces are not under security management and control. When a user obtains the address of an interface, the user can access the microservice corresponding to that interface by its address even without access rights to the interface, so the functional security of the interface cannot be guaranteed. In addition, when a user accesses the microservice corresponding to an interface, that microservice has to authenticate and verify the user's access rights itself to decide whether to allow the access. This authentication method makes microservices consume more resources, and microservices not only need to focus on developing their own business functions but also need to handle authentication of user access rights, which reduces their development efficiency.
To solve the above problems, this application proposes a cloud platform access method that configures access rights for users at the minimum-granularity interface level. Even if a user obtains the address of an interface, the user cannot access the microservice corresponding to that interface without access rights to it, which ensures the functional security of the interface and realizes security management and control of cloud platform interfaces. Moreover, user access rights are authenticated and verified in a unified way, so individual microservices do not need to handle authentication. This reduces the resource consumption of microservices, and microservices only need to focus on developing their own business functions, which improves their development efficiency.
The following describes the cloud platform access method, device, electronic device and storage medium of the embodiments of the present application with reference to the accompanying drawings.
FIG. 1 is a flow chart of a cloud platform access method according to an embodiment of the present application.
As shown in FIG. 1, the cloud platform access method provided in the embodiment of the present application includes steps 110 to 130.
Step 110: Obtain the user's access request to the cloud platform, where the access request includes a target access address.
The cloud platform has a front end and a back end. The front end of the cloud platform can be a browser or web page; as shown in FIG. 2, the front end can be provided with a business management system. The back end of the cloud platform can provide various resources; as shown in FIG. 2, the back end is provided with a cloud platform microservice cluster, which can provide the business gateway service and various internal microservices.
Users can interact with the front end of the cloud platform. A user performs business operations on the front end, and the front end responds to the user's operation, determines the microservice corresponding to the business the user is operating, and generates an access request for that microservice. The front end sends the access request to the back end, where the business gateway service obtains the access request first, so that the user's access rights can be authenticated and verified in a unified way.
The access request includes a target access address, which is the access address of the microservice that the user wants to access. The access address can be a URL (uniform resource locator).
In some embodiments, the access request may further include a user identifier. The user identifier represents the user's identity information; for example, the user identifier may be a user account. The user identifier allows the access request to be matched to the user.
It should be noted that the business gateway service can simultaneously obtain access requests from multiple users for the same microservice, and can also simultaneously obtain access requests from multiple users for different microservices.
Step 120: Obtain the user's access rights from the cache, where the access rights include button permissions and interface permissions.
The user's access rights are saved in the cache in advance. After obtaining the user's access rights, the user's access rights are directly obtained from the cache for authentication verification.
According to some embodiments of the present application, obtaining the user's access rights from the cache in step 120 includes:
retrieving the user's access rights from the cache through the business gateway service.
After obtaining the user's access request, the business gateway service can retrieve the user's access rights from the cache. The user's access rights in the cache include button permissions and interface permissions; that is, the user's access rights indicate the button addresses and interface addresses that the user is allowed to access, and these button addresses and interface addresses are the user's access addresses.
It should be noted that the interfaces corresponding to the back-end microservices are presented on the front end in the form of buttons and interfaces. Configuring the user's access rights as button permissions and interface permissions achieves permission configuration at the minimum-granularity interface level.
In some embodiments, the user identifier and the access rights can be stored in the cache in association with each other. After obtaining an access request, the business gateway service uses the user identifier in the access request to obtain the corresponding access rights from the cache. The access rights corresponding to the user identifier are the user's access rights.
Step 130: When it is determined that the access addresses corresponding to the access rights include the target access address, allow the user to access the microservice corresponding to the target access address.
The access addresses corresponding to the access rights are the button addresses and interface addresses that the user is allowed to access. Comparing the access addresses corresponding to the access rights with the target access address determines whether the user is allowed to access the microservice corresponding to the target access address.
According to some embodiments of the present application, allowing the user, in step 130, to access the microservice corresponding to the target access address when it is determined that the access addresses corresponding to the access rights include the target access address includes:
determining, through the business gateway service, whether the access addresses corresponding to the access rights include the target access address, and if they do, allowing the user to access the microservice corresponding to the target access address.
The business gateway service checks whether the access addresses corresponding to the user's access rights include the target access address. If they do, the user has access rights to the target access address and is allowed to access the microservice corresponding to it. If they do not, the user does not have access rights to the target access address and is not allowed to access the microservice corresponding to it.
When the user is allowed to access the microservice corresponding to the target access address, the business gateway service forwards the user's access request to that microservice, so that the user can access it.
The embodiment of the present application configures permissions for users at the minimum-granularity interface level, which ensures the functional security of cloud platform interfaces, so that all cloud platform interfaces are provided to the front-end business management system under security control. In addition, user access rights are authenticated and verified in a unified way through the business gateway service, so individual microservices do not need to authenticate the user's access rights. This relieves the microservices of the security and access control burden and reduces their resource consumption. Microservices only need to focus on developing their own business functions, which improves their development efficiency and the timeliness of function release.
According to some embodiments of the present application, the cloud platform access method further includes:
when it is determined that the user has successfully logged in to the cloud platform, obtaining the user's access rights through the basic system management service and saving them in the cache.
The user's access rights are configured and stored in advance. Before performing business operations on the front end, the user first needs to log in to the business management system on the front end in order to log in to the cloud platform. When it is determined that the user has successfully logged in to the cloud platform, the basic system management service obtains the user's pre-stored access rights and stores them in the cache. The cache can be a Redis cache.
The basic system management service is a microservice in the back end of the cloud platform. This embodiment uses the basic system management service as an independent service to provide functions such as permission management, so that other microservices do not need to deal with permission management, which improves their development efficiency. In addition, after obtaining the user's access rights, the basic system management service saves them to the cache, so that the business gateway service can, after obtaining the user's access request, obtain the user's access rights directly from the cache for authentication verification. This effectively improves the authentication efficiency of the business gateway service and thus the user's access efficiency.
According to some embodiments of the present application, the step of obtaining the user's access rights through the basic system management service and saving them to the cache includes:
obtaining the user's permission list from the database through the basic system management service, the permission list including directory permissions, menu permissions, button permissions, and interface permissions;
saving the button permissions and interface permissions in the permission list to the cache through the basic system management service.
The user's permission list is stored in the database in advance. When it is determined that the user has successfully logged in to the cloud platform, the basic system management service obtains the user's permission list from the database. The permission list includes the several types of permissions configured for the user, namely directory permissions, menu permissions, button permissions, and interface permissions. A directory permission is configured with the directory's routing path, a menu permission with the menu's routing path, a button permission with the button's address, and an interface permission with the interface's address.
After obtaining the user's permission list, the basic system management service saves the button permissions and interface permissions in the list to the cache. The button permissions and interface permissions are the user's access rights.
This embodiment divides permission types finely, which makes permissions easier to manage and control.
In some embodiments, the database stores in advance the correspondence between users and roles and the correspondence between roles and permission lists. The basic system management service can determine the user's role from the user-role correspondence and the user's permission list from the role-permission-list correspondence.
Roles can be configured for users in advance, and different users can be given different roles. For example, a user's role can be ordinary user or administrator, and other roles can of course be defined; each role has its own permission list. Permission lists can be configured for roles in advance, and different roles can be given different permission lists.
According to some embodiments of the present application, the cloud platform access method further includes:
returning the user's permission list to the user through the basic system management service.
After obtaining the user's permission list, the basic system management service can return it to the business gateway service, which forwards it to the front end. The front end can then show the user the corresponding permissions based on the list. For example, the front end displays the menus and buttons the user has permission for, so that the user can operate them on the front end.
According to some embodiments of the present application, the cloud platform access method further includes:
obtaining the user's login request for the cloud platform, the login request including login information;
verifying the login information through the basic system management service and, if the verification passes, determining that the user has successfully logged in to the cloud platform.
The user can perform a login operation on the front end, for example by entering a user account and password. The front end responds to the login operation by generating a login request that includes login information. The login information can be what the user entered on the front end, such as the user account and password. The front end sends the login request to the back end, where the business gateway service receives it first. Note that for a login request the business gateway service does not perform an authorization check on the user's access rights; it forwards the login request directly to the basic system management service.
The basic system management service can verify the login information in the login request and, once the verification passes, return a token to the business gateway service. The business gateway service forwards the token to the front end to indicate that the user has successfully logged in to the cloud platform.
This embodiment uses the basic system management service as an independent service that provides functions such as login management, so that other microservices do not need to deal with login management, which improves their development efficiency.
In some embodiments, the login request can also include a user identifier. The permission list pre-configured for the user is stored, keyed by the user identifier, in the database of the basic system management service. After receiving the login request and determining that the user has successfully logged in to the cloud platform, the basic system management service can obtain from the database the permission list corresponding to the user identifier, that is, the user's permission list, and save the user's access rights (the button permissions and interface permissions in the permission list) to the cache, keyed by the user identifier.
According to some embodiments of the present application, the cloud platform access method further includes:
when it is determined that the user's login has become invalid, clearing the user's access rights from the cache through the basic system management service.
The basic system management service can set a login interval. If the user has not logged in for a long time, that is, the time for which the user has not logged in reaches the login interval, the user's login is determined to be invalid and the basic system management service clears the user's access rights from the cache.
Once the login has been determined to be invalid, a user who wants to log in to the cloud platform again must repeat the login operation on the front end, for example by re-entering the user account and password. After again determining that the user has successfully logged in to the cloud platform, the basic system management service obtains the user's access rights again and saves them to the cache.
According to some embodiments of the present application, the cloud platform access method further includes:
obtaining the user's permission configuration information, which includes the role configured for the user and the permission list configured for the role;
saving the user's permission configuration information to the database through the basic system management service.
User roles can include ordinary user, administrator, and so on. The permissions configured for roles such as administrator and ordinary user can differ. For example, an administrator has permission to use and to manage business functions, while an ordinary user only has permission to use them.
As shown in Figure 2, the front-end business management system may include functions such as user account management, role management, permission management, and operation record management. User account management manages information such as user accounts, role management manages information such as users' roles, permission management manages information such as the permissions corresponding to roles, and operation record management records users' access to the microservices.
The user account management, role management, permission management, and operation record management functions of the front-end business management system can be provided by the back-end basic system management service. The basic system management service can generate a management system configuration page, which is shown to the administrator on the front end so that the administrator can configure the corresponding permissions for ordinary users on that page.
For example, on the management system configuration page the administrator creates the user's account, creates a role, and configures permissions, then assigns the permissions to the role and the role to the user's account, which produces the user's permission configuration information. The front end sends the user's permission configuration information to the business gateway service, which forwards it to the basic system management service. The basic system management service stores it in the database in the form of the basic system management data model.
The relationship diagram of the basic system management data model is shown in Figure 3. The data model is defined to include a user account table, a role table, a user-role relationship table, a permission table, and a role-permission relationship table. The user account table can include information such as the user's account, email address, and mobile phone number. The role table can include information such as role code, role name, and role type (such as administrator or ordinary user). The permission table can include information such as permission code, permission name, front-end route, routing path, and permission type. The permission types are directory, menu, button, and interface.
The user-role relationship table includes a role table ID and a user account table ID. The user account table ID identifies the user account table and associates it with the user-role relationship table. The role table ID identifies the role table and associates it with the user-role relationship table. Through the user-role relationship table, the user account table is associated with the role table. The role-permission relationship table includes a role table ID and a permission table ID. The role table ID identifies the role table and associates it with the role-permission relationship table. The permission table ID identifies the permission table and associates it with the role-permission relationship table. Through the role-permission relationship table, the role table is associated with the permission table.
This embodiment configures a user's permissions by assigning permissions to roles and roles to users, which makes user permission configuration more flexible. The basic system management service provides the basic management functions as an independent service, so that other microservices only need to focus on developing their own business functions, which improves development efficiency and shortens the time to release.
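The login-time caching, gateway check, and cache clearing described in the method embodiments above, together with the five-table data model, can be sketched as follows. This is an added example, not code from the application: the table and column names, the sample rows, the dict standing in for the Redis cache, the deny-when-no-cache-entry behaviour, and the path normalisation are all assumptions.

```python
import posixpath
import sqlite3
import time

# Constructed sample data; table and column names are assumptions that follow
# the user account / role / permission / two relationship tables on the page.
SCHEMA = """
CREATE TABLE user_account (id INTEGER PRIMARY KEY, account TEXT);
CREATE TABLE role (id INTEGER PRIMARY KEY, code TEXT, role_type TEXT);
CREATE TABLE user_role (user_id INTEGER, role_id INTEGER);
CREATE TABLE permission (id INTEGER PRIMARY KEY, code TEXT, path TEXT, perm_type TEXT);
CREATE TABLE role_permission (role_id INTEGER, permission_id INTEGER);
INSERT INTO user_account VALUES (1, 'alice'), (2, 'bob');
INSERT INTO role VALUES (1, 'admin', 'administrator'), (2, 'viewer', 'ordinary user');
INSERT INTO user_role VALUES (1, 1), (2, 2);
INSERT INTO permission VALUES
  (1, 'vm_dir', '/vm', 'directory'),
  (2, 'vm_menu', '/vm/list', 'menu'),
  (3, 'vm_delete_btn', '/api/vm/delete', 'button'),
  (4, 'vm_list_api', '/api/vm/list', 'interface');
INSERT INTO role_permission VALUES (1,1),(1,2),(1,3),(1,4),(2,1),(2,2),(2,4);
"""

# Only these two permission types are cached as the user's "access rights".
ACCESS_TYPES = ("button", "interface")


class SystemManagementService:
    """Stand-in for the basic system management service."""

    def __init__(self, db, cache, login_interval=1800.0, clock=time.monotonic):
        self.db, self.cache = db, cache
        self.login_interval, self.clock = login_interval, clock

    def permission_list(self, user_id):
        # user -> user_role -> role_permission -> permission
        rows = self.db.execute(
            "SELECT DISTINCT p.id, p.perm_type, p.path FROM permission p "
            "JOIN role_permission rp ON rp.permission_id = p.id "
            "JOIN user_role ur ON ur.role_id = rp.role_id "
            "WHERE ur.user_id = ? ORDER BY p.id", (user_id,))
        return [(kind, path) for _, kind, path in rows]

    def on_login_success(self, user_id):
        perms = self.permission_list(user_id)
        allowed = frozenset(p for kind, p in perms if kind in ACCESS_TYPES)
        self.cache[user_id] = {"paths": allowed, "login_at": self.clock()}
        return perms  # full list goes back to the front end for menus/buttons

    def expire_stale_logins(self):
        # Clear cached rights once the login interval has been reached.
        now = self.clock()
        stale = [u for u, e in self.cache.items()
                 if now - e["login_at"] >= self.login_interval]
        for u in stale:
            del self.cache[u]
        return stale


class BusinessGateway:
    """Stand-in for the business gateway service; it reads only the cache."""

    def __init__(self, cache):
        self.cache = cache

    def authorize(self, user_id, target):
        entry = self.cache.get(user_id)
        if entry is None:
            return False  # assumption: no cached rights means the request is denied
        # Assumption: drop the query string and collapse "." / ".." segments so
        # the comparison is made on the path that would actually be routed.
        path = posixpath.normpath(target.split("?", 1)[0])
        return path in entry["paths"]


def build_demo(clock=time.monotonic, login_interval=1800.0):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    cache = {}  # stands in for the Redis cache, keyed by user identifier
    svc = SystemManagementService(db, cache, login_interval, clock)
    return svc, BusinessGateway(cache)
```

Because the gateway trusts whatever is in the cache, a role or permission change made in the database only takes effect at the user's next login unless the cache entry is also refreshed or cleared at that point.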
The cloud platform access method provided in the embodiments of the present application can be executed by a cloud platform access device. The embodiments of the present application take a cloud platform access device executing the cloud platform access method as an example to describe the cloud platform access device they provide.
The embodiments of the present application also provide a cloud platform access device.
As shown in Figure 4, the cloud platform access device includes a first acquisition module 10, a second acquisition module 20, and a determination module 30.
The first acquisition module 10 is configured to obtain a user's access request for the cloud platform, the access request including a target access address.
The second acquisition module 20 is configured to obtain the user's access rights from the cache, the access rights including button permissions and interface permissions.
The determination module 30 is configured to determine whether the access addresses corresponding to the access rights include the target access address and, if they do, to allow the user to access the microservice corresponding to the target access address.
The access rights configured for users in the embodiments of the present application are at the finest granularity, the interface level. This protects interface functions and places the cloud platform's interfaces under security control. The unified authorization check on users' access rights reduces the resource consumption of the microservices, which only need to focus on developing their own business functions, improving their development efficiency.
In some embodiments, the second acquisition module 20 is further configured to retrieve the user's access rights from the cache through the business gateway service.
The determination module 30 is further configured to determine, through the business gateway service, whether the access addresses corresponding to the access rights include the target access address and, if they do, to allow the user to access the microservice corresponding to the target access address.
In this embodiment the business gateway service reads the user's access rights from the cache for the authorization check, which effectively improves the efficiency of the gateway's authorization check and therefore the user's access efficiency.
In some embodiments, the cloud platform access device further includes a third acquisition module, which is configured to:
when it is determined that the user has successfully logged in to the cloud platform, obtain the user's access rights through the basic system management service and save them to the cache.
In this embodiment the basic system management service obtains the user's access rights and saves them to the cache, so that the business gateway service, on receiving the user's access request, can read the user's access rights directly from the cache for the authorization check. This effectively improves the efficiency of the gateway's authorization check and therefore the user's access efficiency.
In some embodiments, the third acquisition module is further configured to:
obtain the user's permission list from the database through the basic system management service, the permission list including directory permissions, menu permissions, button permissions, and interface permissions;
save the button permissions and interface permissions in the permission list to the cache through the basic system management service.
This embodiment divides permission types finely, which makes permissions easier to manage and control.
In some embodiments, the cloud platform access device further includes a return module, which is configured to:
return the user's permission list to the user through the basic system management service.
In some embodiments, the cloud platform access device further includes a fourth acquisition module, which is configured to:
obtain the user's login request for the cloud platform, the login request including login information;
verify the login information through the basic system management service and, if the verification passes, determine that the user has successfully logged in to the cloud platform.
In some embodiments, the cloud platform access device further includes a clearing module, which is configured to:
when it is determined that the user's login has become invalid, clear the user's access rights from the cache through the basic system management service.
In some embodiments, the cloud platform access device further includes a fifth acquisition module, which is configured to:
obtain the user's permission configuration information, which includes the role configured for the user and the permission list configured for the role;
save the user's permission configuration information to the database through the basic system management service.
This embodiment uses the basic system management service as an independent service that provides the basic management functions, so that other microservices only need to focus on developing their own business functions, which improves development efficiency and shortens the time to release.
The cloud platform access device in the embodiments of the present application can be an electronic device or a component of an electronic device, such as an integrated circuit or a chip. The electronic device can be a terminal or a device other than a terminal. For example, the electronic device can be a server, network attached storage (NAS), or a personal computer (PC); the embodiments of the present application place no specific limit on this.
The cloud platform access device in the embodiments of the present application can be a device with an operating system. The operating system can be Microsoft Windows, Android, iOS, or another possible operating system; the embodiments of the present application place no specific limit on this.
The cloud platform access device provided in the embodiments of the present application can implement each process of the cloud platform access method in the method embodiments of Figures 1 to 3. To avoid repetition, the details are not repeated here.
In some embodiments, as shown in Figure 5, the embodiments of the present application also provide an electronic device 500 that includes a processor 501, a memory 502, and a computer program stored in the memory 502 and executable on the processor 501. When executed by the processor 501, the program implements each process of the cloud platform access method embodiments above and achieves the same technical effect. To avoid repetition, the details are not repeated here.
The embodiments of the present application also provide a computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements the steps of the cloud platform access method of any of the embodiments above. For brevity, the details are not repeated here.
It should be noted that, in this document, the terms "comprise", "include", and any variants of them are intended to cover non-exclusive inclusion, so that a process, method, article, or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article, or device. Without further limitation, an element introduced by the phrase "including a ..." does not exclude the presence of further identical elements in the process, method, article, or device that includes it. It should also be noted that the scope of the methods and devices in the embodiments of the present application is not limited to performing functions in the order shown or discussed; depending on the functions involved, functions may be performed substantially simultaneously or in the reverse order. For example, the described method may be performed in an order different from the one described, and steps may be added, omitted, or combined. Features described with reference to certain examples may also be combined in other examples.
From the description of the embodiments above, those skilled in the art will clearly understand that the methods of the embodiments can be implemented in software together with the necessary general-purpose hardware platform, and of course also in hardware, although in many cases the former is the better implementation. On that understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, can be embodied as a computer software product. The product is stored on a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes a number of instructions that cause a terminal (which may be a mobile phone, a computer, a server, a network device, or the like) to execute the methods described in the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the specific embodiments described, which are illustrative rather than restrictive. Guided by the present application, a person of ordinary skill in the art may devise many other forms without departing from its purpose or from the scope protected by the claims, and all of these fall within the protection of the present application.
In this specification, a description that refers to the terms "one embodiment", "some embodiments", "illustrative embodiments", "examples", "specific examples", or "some examples" means that the specific features, structures, materials, or characteristics described in connection with that embodiment or example are included in at least one embodiment or example of the present application. Such references in this specification do not necessarily point to the same embodiment or example. Moreover, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present application have been shown and described, a person of ordinary skill in the art will understand that various changes, modifications, substitutions, and variations can be made to these embodiments without departing from the principles and purpose of the present application, and that the scope of the present application is defined by the claims and their equivalents.
Claims (11)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311363639.1A CN118132247A (en) | 2023-10-19 | 2023-10-19 | Cloud platform access method and device, electronic equipment and storage medium |
| CN202311363639.1 | 2023-10-19 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025081795A1 (en) | 2025-04-24 |
Family
ID=91244600
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2024/093205 Pending WO2025081795A1 (en) | 2023-10-19 | 2024-05-14 | Cloud platform access method and apparatus, electronic device, and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN118132247A (en) |
| WO (1) | WO2025081795A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN120602221A (en) * | 2025-08-01 | 2025-09-05 | 苏州元脑智能科技有限公司 | Single sign-on method, system and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20120331539A1 (en) * | 2011-06-24 | 2012-12-27 | Canon Kabushiki Kaisha | Authentication system, authentication method, and storage medium for realizing a multitenant service |
| CN111600899A (en) * | 2020-05-25 | 2020-08-28 | 华人运通(上海)云计算科技有限公司 | Micro-service access control method and device, electronic equipment and storage medium |
| CN112615849A (en) * | 2020-12-15 | 2021-04-06 | 平安科技(深圳)有限公司 | Micro-service access method, device, equipment and storage medium |
| CN114491451A (en) * | 2022-01-25 | 2022-05-13 | 京东科技信息技术有限公司 | Authority configuration and verification method and device, electronic equipment and storage medium |
| CN116708037A (en) * | 2023-08-07 | 2023-09-05 | 勤源(江苏)科技有限公司 | Cloud platform access authority control method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118132247A (en) | 2024-06-04 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 24878448 Country of ref document: EP Kind code of ref document: A1 |