Access control method, apparatus, device, readable storage medium and program product

By using the interface definition information of the target service to parse and validate network requests in a microservice architecture, the problems of high development cost and cumbersome configuration of API gateways are solved, and efficient access control is achieved.

CN122160077APending Publication Date: 2026-06-05TENCENT TECHNOLOGY (SHENZHEN) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
TENCENT TECHNOLOGY (SHENZHEN) CO LTD
Filing Date
2024-12-04
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In a microservice architecture, API gateways are costly to develop and have cumbersome service configurations, resulting in low access control efficiency.

Method used

By acquiring network requests initiated by business objects, and using the interface definition information of the target service to parse and validate the requests, access control is achieved, avoiding internal and external protocol conversion.

Benefits of technology

It effectively reduced development costs, simplified service configuration processes, and improved access control efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160077A_ABST
    Figure CN122160077A_ABST
Patent Text Reader

Abstract

Embodiments of the present application provide an access control method, device, equipment, readable storage medium and program product. The access control method comprises: obtaining a network request initiated by a business object and directed to a target service; in the case that the network request matches a gray control rule of the target service, obtaining target interface definition information of the target service, the target interface definition information containing definition information of an interface parameter of the target service; performing parsing processing on the network request by using the target interface definition information to obtain a parsed network request; and performing checking processing on the parsed network request to obtain an access control result, the access control result being used to indicate whether to send the parsed network request to the target service. By using the embodiments of the present application, network request access control can be implemented by performing parsing and checking on the network request, development cost can be effectively reduced, service configuration process can be simplified, and access control efficiency can be improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer technology, and specifically to access control methods, apparatus, devices, readable storage media, and program products. Background Technology

[0002] Microservices (or microservice architecture) is a cloud-native architectural approach characterized by a single application containing numerous loosely coupled, independently deployable small components or services. In a multi-business object system within microservices, business objects refer to entities or organizations that use the application, and each business object has its own set of data and configurations. To ensure the security and isolation of business object data, access control is typically implemented for network requests initiated by business objects.

[0003] Application Programming Interface (API) gateways can typically be used to control network request access. API gateways can distribute received network requests to the appropriate backend services, thereby simplifying the interaction between business objects and multiple microservices. However, API gateways require converting internal request protocols to standard protocols, resulting in higher development costs, more complex service configurations, and lower control efficiency. Summary of the Invention

[0004] This application provides access control methods, apparatus, devices, readable storage media, and program products, which can realize network request access control by parsing and verifying network requests, effectively reducing development costs, simplifying service configuration processes, and improving access control efficiency.

[0005] On one hand, embodiments of this application provide an access control method, which includes:

[0006] Retrieve network requests initiated by the business object for the target service;

[0007] If the network request matches the grayscale control rule of the target service, the target interface definition information of the target service is obtained, and the target interface definition information includes the definition information of the interface parameters of the target service;

[0008] The network request is parsed using the target interface definition information to obtain the parsed network request;

[0009] By validating the parsed network request, an access control result is obtained, which indicates whether to send the parsed network request to the target service.

[0010] Accordingly, embodiments of this application provide an access control device, which includes:

[0011] The acquisition unit is used to acquire network requests initiated by business objects for the target service;

[0012] The acquisition unit is further configured to acquire target interface definition information of the target service when the network request matches the grayscale control rule of the target service, wherein the target interface definition information includes the definition information of the interface parameters of the target service;

[0013] The processing unit is used to parse the network request using the target interface definition information to obtain the parsed network request;

[0014] The control unit is used to perform verification processing on the parsed network request to obtain an access control result, which is used to indicate whether to send the parsed network request to the target service.

[0015] Accordingly, embodiments of this application provide a computer device, which includes:

[0016] A processor is a tool for implementing computer programs.

[0017] A computer-readable storage medium storing a computer program adapted to be loaded by a processor and executed by the access control method described above.

[0018] Accordingly, embodiments of this application also provide a computer-readable storage medium storing a computer program, which, when read and executed by a processor of a computer device, causes the computer device to perform the aforementioned access control method.

[0019] Accordingly, this application also provides a computer program product, which includes a computer program stored in a computer-readable storage medium. A processor of a computer device reads the computer program from the computer-readable storage medium and executes the computer program, causing the computer device to perform the access control method described above.

[0020] In this application, the data center providing microservices can obtain network requests initiated by business objects targeting a target service, and, if the network request matches the canary control rules of the target service, obtain the target interface definition information of the target service. The data center can use the target interface definition information to parse the network request, and by verifying the parsed network request, obtain an access control result. This access control result indicates whether to send the parsed network request to the target service. The method provided in this application enables access control of network requests based on the access control result. Furthermore, it allows parsing of network requests initiated by business objects using interface definition information without requiring internal / external protocol conversions similar to those used in API gateways, effectively reducing development costs, simplifying service configuration processes, and significantly improving the efficiency of network request access control. Attached Figure Description

[0021] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0022] Figure 1 This is a schematic diagram of the system architecture of an access control system provided in an embodiment of this application;

[0023] Figure 2 This is a flowchart illustrating an access control method provided in an embodiment of this application;

[0024] Figure 3 This is a schematic diagram of an access control method provided in an embodiment of this application;

[0025] Figure 4 This is a flowchart illustrating another access control method provided in an embodiment of this application;

[0026] Figure 5 This is a schematic diagram of another access control method provided in an embodiment of this application;

[0027] Figure 6 This is a schematic diagram of yet another access control method provided in an embodiment of this application;

[0028] Figure 7 This is a structural block diagram of an access control device provided in an embodiment of this application;

[0029] Figure 8 This is a structural block diagram of a computer device provided in an embodiment of this application. Detailed Implementation

[0030] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of this application.

[0031] It should be noted that the terms "first," "second," etc., used in the embodiments of this application are for descriptive purposes only and should not be construed as indicating or implying their relative importance or implicitly specifying the number of technical features indicated. Therefore, a technical feature specified with "first" or "second" may explicitly or implicitly include at least one of those features.

[0032] To facilitate understanding, the following brief explanations are provided for some of the terms:

[0033] Data center: refers to a building where electronic information equipment is centrally located and provides an operating environment. It can centrally store, compute and exchange data. It is the core infrastructure of cloud computing and the foundation for access control systems to provide services to business objects.

[0034] Intranet: In an access control system, the local area network (LAN) where the server resides is used only internally and is typically connected by a router or switch. The intranet provides a relatively closed network environment, allowing communication only between internal devices and remaining invisible to the external network. Functions such as resource sharing and internal communication can be achieved through the intranet.

[0035] Business Objects: Also known as tenants. In an access control system, a tenant refers to an independent entity or organization that uses the system or services. Each tenant has its own set of data and configurations, which are isolated from the data and configurations of other tenants to ensure data security and privacy. In this application, business objects (tenants) refer to different external departments or external business parties that can access the services provided by the access control system.

[0036] When a business object initiates a network request to obtain services provided by an access control system, communication between the external network and the system's internal network is involved. This communication typically requires management and control through network devices such as Network Address Translation (NAT) or firewalls. In some cases, API gateways are also used for network request access control. However, API gateways require callers to convert their internal request protocols to standard protocols, which increases development costs. Furthermore, when services in the access control system are updated or new interfaces are added, the updated service's interface package needs to be imported, routing rules configured, timeouts set, and the system republished. This makes the configuration process overly cumbersome and impacts access control efficiency.

[0037] Based on this, embodiments of this application provide an access control method that can be applied to a microservice environment. The access control method provided in this application can obtain network requests initiated by business objects targeting a target service; if the network request matches the gray-scale control rules of the target service, it obtains the target interface definition information of the target service, which includes the definition information of the interface parameters of the target service; it parses the network request using the target interface definition information to obtain the parsed network request; and it verifies the parsed network request to obtain an access control result, which indicates whether to send the parsed network request to the target service. Through the method provided in this application, network request access control can be implemented by parsing and verifying network requests, effectively reducing development costs, simplifying service configuration processes, and improving access control efficiency.

[0038] The access control method provided in this application can be applied to the field of cloud computing. Cloud computing is a computing model that distributes computing tasks across a resource pool composed of a large number of computers, enabling various application systems to obtain computing power, storage space, and information services as needed. The cloud computing resource pool mainly includes: computing devices (virtualized machines containing operating systems), storage devices, and network devices. In this application embodiment, the access control system can provide cloud services, such as cloud disks, cloud computing, and cloud applications. After receiving a business request from a business object for a target service, the data center in the access control system can obtain the target interface definition information of the target service if the network request matches the gray-scale control rules of the target service. It then uses the target interface definition information to parse the network request, obtaining the parsed network request. By verifying the parsed network request, an access control result is obtained, which indicates whether to send the parsed network request to the target service. The access control method provided in this application embodiment can achieve access control for network requests, while effectively simplifying the service configuration process and improving access control efficiency.

[0039] The architecture of the access control system provided in the embodiments of this application will be described below with reference to the accompanying drawings.

[0040] Please see Figure 1 This figure is a schematic diagram of the system architecture of an access control system provided in an embodiment of this application. The access control system includes a terminal device 101 and access control data centers 102 (as shown in the figure, access control data centers 102a, 102b, and 102c). The terminal device 101 can interact with objects. Multiple access control data centers 102 can form an intranet for the access control system, which is used for access control and providing services. Wherein:

[0041] Terminal device 101 can interact with objects, and the accounts logged in within the terminal device can be referred to as business objects. Terminal device 101 can generate network requests and send them to access control data center 102 to obtain corresponding services. Terminal device 101 can be a handheld device with communication capabilities (such as a smartphone or tablet), a computing device (such as a personal computer (PC), in-vehicle terminal, intelligent voice interaction device, wearable device, or other intelligent device, but is not limited to these). A business object is an independent entity that uses the access control system or services. One business object can correspond to multiple terminal devices 101. For example, if the business object is a company, then the terminal devices corresponding to the business object can be all the terminal devices (such as computers) configured within that company.

[0042] Access control data center 102 is used for centralized storage, computation, and exchange of data. Processes running within multiple access control data centers 102 can form an intranet for the access control system. This intranet can receive network requests sent by terminal devices 101 and perform access control on those requests. Access control data center 102 can be a server cluster or distributed system composed of multiple physical servers, or it can be a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDNs), and big data and artificial intelligence platforms.

[0043] The following will elaborate on such matters. Figure 1 The working principle of the access control system shown is as follows:

[0044] Terminal device 101 can initiate a network request for a target service and send the network request to the intranet of the access control system comprised of access control data center 102. The intranet contains access control services for implementing network request access control. When the network request matches the gray-scale control rules of the target service, the access control service can obtain the target interface definition information of the target service, which includes the definition information of the interface parameters of the target service. The access control service can use the target interface definition information to parse the network request, obtaining the parsed network request; and by verifying the parsed network request, it obtains an access control result, which indicates whether to send the parsed network request to the target service.

[0045] If the access control result indicates that the parsed network request should be sent to the target service, the access control service will send the parsed network request to the target service so that the terminal device 101 can obtain the target service; if the access control result indicates that the parsed network request should not be sent to the target service, the access control service will return a request failure message to intercept the network request. The access control method provided in this application embodiment can achieve network request access control by parsing and validating network requests, without requiring conversion between internal and external protocols. It utilizes interface definition information to parse network requests, effectively reducing development costs, simplifying service configuration processes, and improving access control efficiency.

[0046] It is understood that the schematic diagrams of the access control system described in the embodiments of this application are for the purpose of more clearly illustrating the access control method of the embodiments of this application, and do not constitute a limitation on the access control method provided in the embodiments of this application. Those skilled in the art will recognize that... Figure 1The number of terminal devices 101 and access control data centers 102 shown in this embodiment is merely illustrative. Any number of devices and nodes can be configured according to business implementation needs. Furthermore, as system architecture evolves and new business scenarios emerge, the access control method provided in this application embodiment is equally applicable to similar technical problems.

[0047] It should be noted that the collection and processing of relevant data in this application (e.g., data involved in the verification of parsed network requests) should strictly comply with the requirements of relevant laws and regulations when applied in practice, obtain the informed consent or separate consent of the personal information subject, and carry out subsequent data use and processing within the scope of laws and regulations and the authorization of the personal information subject.

[0048] Please see Figure 2 , Figure 2 This is a flowchart illustrating an access control method provided in an embodiment of this application. The access control method can be implemented by the aforementioned access control data center 102, or by other devices capable of implementing the access control method. The following description uses the implementation of the access control method by the aforementioned access control data center 102 as an example. The flow of the access control method provided in this embodiment includes, but is not limited to:

[0049] S201. Obtain the network request initiated by the business object for the target service.

[0050] In this embodiment, the access control system provides various application services, such as cloud storage and cloud computing. The target service can be any one of these application services. To obtain the target service provided by the access control system, a business object can initiate a network request for that service. The access control system includes an intranet of access control services composed of multiple data centers. This intranet includes a caller service, an access control service, and various application services. The caller service corresponds to the business object and is used to receive network requests initiated by the business object; the access control service is used to perform access control processing on the network requests. The caller service in the intranet can receive network requests for the target service initiated by the business object.

[0051] S202. If the network request matches the grayscale control rule of the target service, obtain the target interface definition information of the target service, wherein the target interface definition information includes the definition information of the interface parameters of the target service.

[0052] In this embodiment, different application services in the access control system correspond to different grayscale control rules. The grayscale control rules determine the grayscale ratio of each interface of the application service, enabling coarse-grained access control of network requests (i.e., determining whether to forward the network request by judging whether it matches the grayscale control rules). If a network request matches the grayscale control rules of the target service, the calling service in the access control system can send the network request to the access control service within the access control system. The access control service can obtain the target interface definition information (also called interface parameter metadata) of the target service. This target interface definition information includes the definition information of the target service's interface parameters (e.g., the target service's interface parameter name, interface parameter format, etc.). The target interface definition information can be used to parse the network request, facilitating access control of the parsed network request. The process by which the access control service obtains the target interface definition information of the target service can also be called the access control service "reflecting" the target service's target interface definition information.

[0053] In one embodiment, the specific implementation of obtaining the target interface definition information of the target service can be as follows: determining the acquisition time of the first interface definition information of the target service, wherein the first interface definition information includes the first definition information of the interface parameters of the target service; if the time difference between the acquisition time and the current time is greater than a time threshold, then acquiring the second interface definition information of the target service, and determining the second interface definition information as the target interface definition information, wherein the second interface definition information includes the second definition information of the interface parameters of the target service; if the time difference between the acquisition time and the current time is less than or equal to the time threshold, then determining the first interface definition information as the target interface definition information.

[0054] Specifically, the access control service can periodically retrieve the interface definition information of the target service and store the retrieved interface definition information and the retrieval time. Upon receiving a network request, the access control service can determine the retrieval time of the stored first interface definition information of the target service, which includes the first definition information of the interface parameters of the target service.

[0055] If the time difference between the acquisition time and the current time is greater than the time threshold, the access control service acquires the second interface definition information of the target service, identifies the second interface definition information as the target interface definition information, and stores the second interface definition information and its acquisition time to replace the first interface definition information and its acquisition time. If the time difference between the acquisition time and the current time is less than or equal to the time threshold, the access control service directly identifies the first interface definition information as the target interface definition information. The time threshold can be adaptively adjusted according to different application requirements. For example, if the time threshold is 1 minute, when a network request is received, the access control service determines whether the stored interface definition information of the target service (i.e., the first interface definition information) was acquired within the past minute. If so, the interface definition information is identified as the target interface definition information; otherwise, the access control service reacquires the interface definition information of the target service and identifies the newly acquired interface definition information (i.e., the second interface definition information) as the target interface definition information. In scenarios where the target service is updated, the first interface definition information and the second interface definition information may be different. Specifically, when the number of interfaces of the target service remains unchanged, but the interface parameters are updated, the first interface definition information obtained before the interface parameters are updated differs from the second interface definition information obtained after the interface parameters are updated. Similarly, when the number of interfaces of the target service is updated, and the interface parameters are also updated, the first interface definition information obtained before the update differs from the second interface definition information obtained after the update. The method provided in this application embodiment can determine the validity of interface definition information after receiving a network request, avoiding situations where the service's interfaces and interface parameters are updated but the interface definition information is not updated. This ensures the accuracy of subsequent network request parsing using the interface definition information. Furthermore, when the target service is updated, the method provided in this application embodiment can promptly obtain the updated interface definition information without requiring complex service configuration processes, effectively reducing service development costs and improving access control efficiency.

[0056] In some cases, when application services in an access control system are updated, configuration items such as the application service's interface configuration (including the service's interface definition information), routing rules, and timeout may also be updated. The access control service provided in this application can automatically inherit the updated application service configuration items, eliminating the need for developers to perform repetitive configuration in the access control service. This achieves the reuse of application service configuration items, simplifies the configuration process, and effectively solves the problem of cumbersome service configuration.

[0057] S203. The network request is parsed using the target interface definition information to obtain the parsed network request.

[0058] In this embodiment, after obtaining the target interface definition information of the target service, the access control service can use the target interface definition information to parse the network request and obtain the parsed network request. The parsed network request may contain one or more parameters for auxiliary authentication, such as: tickets, signatures, authentication scenarios, authentication parameters, etc. The method provided in this embodiment allows for the parsing of network requests using interface definition information, which facilitates subsequent authentication of the parsed network request, thereby achieving access control over the network request and improving the efficiency of access control.

[0059] In one example, the network request is parsed using the target interface definition information to obtain the specific implementation of the parsed network request. This can be done by: obtaining the packaged network request, which is in serialized binary format; and then deserializing the packaged network request using the target interface definition information to obtain the parsed network request, whose data format matches the requirement format of the target service.

[0060] Specifically, the access control service can obtain a packaged network request, which may be sent by the calling service. The packaged network request is in serialized binary format. To quickly obtain authentication parameters from the network request, the access control service can use the target interface definition information to deserialize the packaged network request, obtaining a parsed network request. The data format of this parsed network request matches the requirement format of the target service; that is, the data format of the parsed network request is a data format that matches the target service. The method provided in this application embodiment can parse binary format network requests to obtain network requests with data formats matching the target service. This facilitates subsequent verification processing of the parsed network request, thereby achieving access control of the network request and effectively improving access control efficiency.

[0061] In one embodiment, the access control service uses target interface definition information to deserialize the packaged network request to obtain the parsed network request. The specific method can be as follows: based on the target interface definition information, the packaged network request in binary format is converted to obtain a parsed network request in non-binary format. For example, based on the target interface definition information, a target binary field is obtained from a specified field in the packaged network request, and the target binary field is converted to obtain decimal interface parameters or a string indicating the identity information of the business object. Another example is: based on the target interface definition information, the packaged network request in binary format is restored to data with a more complex structure.

[0062] In one embodiment, the specific implementation of obtaining the packaged network request can be as follows: obtaining the data format requirement information of the target service, which is used to indicate the packaging method of the network request; and packaging the network request according to the data format requirement information of the target service to obtain the packaged network request.

[0063] Specifically, the calling service in the access control system can obtain the data format requirements of the target service. This data format requirements information indicates the packaging method for network requests. The calling service can package the network request according to the data format requirements of the target service to obtain a packaged network request. For example, for standard application services, the calling service will use a general packaging method, putting the binary data of the network request into a general request payload to obtain a packaged network request; for specific application services, the calling service will package the network request according to the data format requirements of the application service (e.g., forwarding the binary content of the network request as is). After packaging, the calling service can send the packaged network request to the access control service. Through the method provided in this application embodiment, network requests can be packaged so that the access control service can quickly parse the packaged network request after receiving it, thereby further improving access control efficiency.

[0064] S204. By performing verification processing on the parsed network request, an access control result is obtained. The access control result is used to indicate whether to send the parsed network request to the target service.

[0065] In this embodiment, the access control service in the access control system obtains an access control result by verifying the parsed network request. This result indicates whether to send the parsed network request to the target service. If the result indicates to send the parsed network request, the access control service can send it to the target service to enable it to respond and provide services to the business object. If the result indicates not to send the parsed network request, the service can intercept the request, generate a call failure message (e.g., an error code), and send this message to the calling service. The method provided in this embodiment enables access control of network requests without complex internal / external protocol conversions; only parsing and verification of the network request are required, effectively shortening the service configuration process and improving access control efficiency.

[0066] When services in an access control system are updated (e.g., service version updates, service interface updates, etc.), the method provided in this application can utilize the service's gray-scale control rules to control network requests initiated by business objects. If a network request matches the gray-scale control rules of the target service (also known as a network request hitting the gray-scale), the network request is further parsed and validated, and the validated network request is forwarded to the updated service. Conversely, if a network request does not match the gray-scale control rules of the target service (also known as a network request hitting the gray-scale), the network request can be directly forwarded to the service before the update, thus achieving the gray-scale release of the updated service and ensuring the operational security of the access control system. Furthermore, forwarding network requests that hit the gray-scale and pass validation to the updated service can also, to some extent, ensure the data security of the updated service, which is beneficial for maintaining system stability.

[0067] In some cases, the access control service sends the parsed network request to the target service in the following ways: the access control service obtains the target service's routing configuration file based on the target service's service name; the access control service performs route selection, sends the request, and performs detection and reporting operations based on the routing configuration file. The access control service then sends the request response packet and return code to the calling service. Furthermore, because the data format of the parsed network request matches the required format of the target service, the target service processes the parsed network request efficiently. The method provided in this application embodiment allows access control to be accessed without the business object's awareness, enabling cross-border traffic reporting and access authentication, improving system security, and increasing the speed at which the target service responds to network requests.

[0068] In one embodiment, the specific implementation of obtaining the access control result by verifying the parsed network request can be as follows: according to the access verification method, the parsed network request is subjected to access verification processing to obtain the access verification result; the access control result is determined according to the access verification result; wherein, the access verification method includes one or more of the following: request signature verification method, interface whitelist verification method, caller whitelist verification method, ticket verification method, and request authentication method.

[0069] Specifically, the access control service can perform access verification processing on the parsed network request according to the access verification method, obtain the access verification result, and determine the access control result based on the access verification result. Access verification methods include one or more of the following: request signature verification method, interface whitelist verification method, caller whitelist verification method, ticket verification method, and request authentication method. For example, if the access verification methods include request signature verification method and interface whitelist verification method, when both the access verification results of the request signature verification method and the access verification results of the interface whitelist verification method indicate that the parsed network request has passed verification, the access control result indicating that the parsed network request should be sent to the target service can be determined. That is, the access control service can only send the parsed network request to the target service when all verification methods pass.

[0070] Access control services can perform one or more access verifications on parsed network requests. Each access verification method corresponds to different verification content. Request signature verification method: To determine that the network request originates from an authenticated business object, the request header contains a signature; the signature is generated by encrypting a timestamp using a key agreed upon by both communicating parties; the access control service checks the correctness of the signature carried in the network request.

[0071] Interface whitelist verification method: The access control service determines whether the interface requested by the network request is a legitimate address.

[0072] Caller whitelist verification method: The access control service determines whether the business object corresponding to the network request has access permissions to the target service and the interface of the target service.

[0073] Ticket verification method: In order to ensure that the network request comes from an authorized business object (e.g., a logged-in user), the request header of the network request needs to carry a ticket issued by the ticket service to the logged-in user; the access control service checks the validity of the ticket carried in the network request.

[0074] Authentication Method: To ensure that network requests have the necessary permissions, the access control service can perform horizontal and vertical authentication to check whether the business object has the permission to access or modify the data being operated on. The access control service can also perform checks based on the authentication scenario and extended authentication parameters carried in the network request. In some cases, the access control service can also use other access verification methods to verify the network request. The method provided in this application embodiment allows for the use of various access verification methods to process the parsed network request and determine the access control result based on the verification result. Because there are many types of access verification methods, multi-dimensional access control can be implemented for network requests based on the verification result, effectively improving the flexibility of access control.

[0075] An access control system can contain multiple business objects, and each business object can correspond to one or more terminal devices. Each business object possesses a corresponding set of data and configurations within the access control system. The access control method provided in this application, upon receiving a network request initiated by a business object, can perform verification processing on the network request (e.g., using a request authentication method) to determine whether the business object has access to and modification permissions for the target service and related data. This ensures that business objects can typically only access their corresponding services and modify their specific data and configurations, but cannot modify the data of other business objects. Therefore, the method provided in this application can also achieve isolation between the data, configurations, and services corresponding to different business objects, effectively guaranteeing data security and system stability.

[0076] In one embodiment, the specific implementation of performing access verification processing on the parsed network request according to the access verification method to obtain the access verification result can be as follows: obtaining the category of the authentication parameters contained in the parsed network request; determining the target access verification method from multiple access verification methods according to the category; and performing authentication processing on the authentication parameters contained in the parsed network request based on the target access verification method to obtain the access verification result.

[0077] Specifically, the access control service can obtain the category of the authentication parameters contained in the parsed network request, and determine the target access verification method from multiple access verification methods based on the obtained category. The access control service can then perform authentication processing on the authentication parameters contained in the parsed network request based on the target access verification method to obtain the access verification result. For example, if the authentication parameters contained in the parsed network request are of the categories of signature type and ticket type, the access control service can determine the request signature verification method and ticket verification method as the target access verification methods, and use these two access verification methods respectively to perform authentication processing on the signature and ticket contained in the parsed network request to obtain the access verification result. The method provided by this application embodiment allows for flexible access verification processing based on the authentication parameters carried in the network request, improving the flexibility of access control.

[0078] In some cases, the access verification methods used by the access control service can be configured or enabled according to application requirements. For example, if the application requirements indicate that network requests need to be checked against the API whitelist and the caller whitelist, the access control service can use the API whitelist verification method and the caller whitelist verification method to perform access verification processing on each parsed network request.

[0079] Please see Figure 3 This figure is a schematic diagram of an access control method provided in an embodiment of this application. Figure 3The provided access control method may include the following steps: S301, the calling service obtains a network request for the target service; the calling service in the access control system obtains the network request initiated by the network request for the target service. S302, the access control service receives the network request; if the network request matches the gray-scale control rules of the target service, the access control service receives the network request sent by the calling service. S303, the access control service obtains the target interface definition information of the target service; the access control service can obtain the target interface definition information of the target service, which includes the definition information of the interface parameters of the target service. S304, the access control service parses the network request using the target interface definition information; the access control service can use the target interface definition information to parse the network request and obtain the parsed network request. S305, the access control service verifies the network request according to the access verification method to determine whether the network request passes the verification; the access control service performs access verification processing on the network request according to the access verification method, obtains the access verification result, and determines the access control result based on the access verification result. The access control result indicates whether to send the parsed network request to the target service, or it can be expressed as the access control result indicating whether the network request passes the verification. If the access control result indicates that the parsed network request should be sent to the target service (or the network request passes verification), then step S306 is executed. S306: The access control service forwards the parsed network request to the target service. If the access control result indicates that the parsed network request should not be sent to the target service (or the network request fails verification), then step S307 is executed. S307: The access control service intercepts the network request and returns an error code. The method provided in this application embodiment can effectively improve the efficiency of access control.

[0080] The access control method provided in this application embodiment can obtain network requests from business objects and implement network request proxying; it can obtain interface definition information and use the interface definition information to parse network requests, which is beneficial for subsequent authentication of parsed network requests. At the same time, when obtaining interface definition information, the validity of the interface definition information can be effectively guaranteed. When the application service is updated, the method provided in this application embodiment can automatically inherit the configuration items of the updated application service, eliminating the need for developers to repeatedly configure the access control service, realizing the reuse of application service configuration items, reducing development costs, simplifying the configuration process, and effectively solving the problem of cumbersome service configuration; it can perform verification processing on the parsed network requests, so that access control can be accessed without the business object's awareness, realizing multi-dimensional access control of network requests, and also realizing cross-border traffic reporting and access authentication, enhancing system security and effectively improving the flexibility of access control.

[0081] Please see Figure 4 , Figure 4 This is a flowchart illustrating another access control method provided in an embodiment of this application. This access control method can be implemented by the aforementioned access control data center 102, or by other devices capable of implementing the access control method. The following description uses the implementation of the access control method by the aforementioned access control data center 102 as an example. The flow of the access control method provided in this embodiment includes, but is not limited to:

[0082] S401. Obtain network requests initiated by the business object for the target service.

[0083] In this embodiment, network requests initiated by a business object for a target service are transmitted to the access control system via an external network. The access control system runs a caller service and an access control service on its internal network. The caller service can obtain the network requests from the business object. After parsing and verifying the network requests, the access control service forwards the network requests to the application service running on the internal network. Therefore, the method provided in this application can realize proxying and access control for cross-boundary requests (i.e., network requests transmitted from an external network to an internal network).

[0084] S402. Obtain the grayscale control rules of the target service from the target grayscale routing table, and call the access control framework to match the network request with the grayscale control rules of the target service.

[0085] In this embodiment, the calling service can register an access control framework. This framework intercepts network requests initiated by business objects and forwards them, i.e., proxies the network requests. The access control framework can also obtain the grayscale control rules for the target service from the target grayscale routing table. These rules may include the calling service, the target service, the target service's interfaces, and the grayscale ratios of each interface. The grayscale ratio of each interface indicates the proportion of network requests accessing that interface that require further verification.

[0086] The access control framework is invoked to match the network request with the grayscale control rules of the target service, obtaining the matching result. If the matching result indicates that the network request and the grayscale control rules of the target service do not match (or the network request does not hit the grayscale), the access control framework is invoked to forward the network request to the target service. If the matching result indicates that the network request and the grayscale control rules of the target service match (or the network request hits the grayscale), the step of obtaining the target interface definition information of the target service is executed, as shown in step S403 below. For example, if the grayscale ratio of interface A of the target service is 50%, then for 10 network requests requesting access to interface A, the access control framework can directly forward 5 of the network requests to the target service, and forward the remaining 5 network requests to the access control service, so that the access control service can execute the steps shown in steps S403 to S405 or the steps shown in steps S202 to S204 above. The method provided in this application embodiment can automatically distribute and route network requests initiated by business objects using an access control framework, achieving coarse-grained access control. At the same time, it does not require extensive development or modification, effectively reducing the development cost of the access control system.

[0087] In some cases, if the matching result indicates that the network request matches the canary control rules of the target service, the access control framework can obtain the data format requirements of the target service and package the network request according to these requirements. This packaged network request can then be adapted to the access control service's interface protocol. The packaged network request can also carry parameters for auxiliary authentication, such as tickets, signatures, authentication scenarios, and authentication parameters. These auxiliary authentication parameters can be stored in the data fragment cookies of the packaged network request. The access control framework can then send the packaged network request to the access control service.

[0088] In one embodiment, the access control method provided by this application may include the following steps: registering an access control framework using the object parameters of a business object; calling the access control framework to obtain grayscale control configuration information; calling the access control framework to update the current grayscale routing table using the grayscale control configuration information to obtain a target grayscale routing table, wherein the target grayscale routing table contains grayscale control rules for the target service.

[0089] Specifically, the initiating service in the access control system can register an access control framework using object parameters of the business object. These object parameters can be the business object's unique key. After registration, the access control framework can intercept all network requests initiated by the business object and proxy these requests. It can also retrieve canary deployment configuration information from the access control framework. This canary deployment configuration information is read from a configuration file stored on the server where the initiating service resides. This configuration file is distributed to the server by the developers over the network. The access control framework can periodically read the canary deployment configuration information from the server where the initiating service resides. The canary deployment configuration information can include the initiating service in the access control system, various application services, various interfaces of the application services, and the canary deployment ratio of each interface.

[0090] After obtaining the canary control configuration information, the access control framework can update the current canary routing table in memory using this information to obtain the target canary routing table. This target canary routing table contains the canary control rules for the target service. When the access control framework receives a network request initiated by a business object, it queries the target canary routing table based on the service name and interface requested by the network request to obtain a matching result. The method provided in this application embodiment allows the access control framework to obtain canary control configuration information and perform access control on network requests based on this information, without requiring significant adjustments to the calling service. This solves the problem of requiring extensive development for access control services and reduces the development cost of the access control system.

[0091] Please see Figure 5 This figure is a schematic diagram of another access control method provided in an embodiment of this application. Figure 5The provided access control method may include the following steps: S501, the calling service registers the access control framework; the calling service in the access control system can register the access control framework using the object parameters of the business object. S502, the access control framework obtains the network request for the target service; when the business object initiates a network request for the target service, the access control framework can obtain the network request. S503, the access control framework matches the network request with the grayscale control rules of the target service to determine whether the network request hits the grayscale target; the access control framework can obtain the grayscale control rules of the target service from the grayscale routing table stored in memory and match the network request with the grayscale control rules of the target service. If the network request and the grayscale control rules of the target service do not match (i.e., the network request does not hit the grayscale target), then step S504 is executed. S504, the access control framework sends the network request to the target service. If the network request and the grayscale control rules of the target service match (i.e., the network request hits the grayscale target), then step S505 and subsequent steps are executed. S505. The access control service packages the network request; the access control framework can package the network request according to the data format requirements of the target service to obtain the packaged network request. S506. The access control framework sends the packaged network request to the access control service; the packaged network request contains parameters for auxiliary authentication. The method provided in this application embodiment allows for lightweight modifications to the calling service and registration of the access control framework, thereby achieving automatic traffic splitting and routing of network requests. This effectively solves the problem of requiring extensive development when accessing the access control service, significantly reducing development costs. Simultaneously, it combines coarse-grained gray-scale logic with the multi-dimensional verification control implemented by the subsequent access control service, greatly improving the flexibility of access control.

[0092] S403. If the network request matches the grayscale control rule of the target service, obtain the target interface definition information of the target service, wherein the target interface definition information includes the definition information of the interface parameters of the target service.

[0093] In this embodiment, when a network request matches the gray-scale control rules of the target service, the access control service can obtain the target interface definition information of the target service. This target interface definition information may include the definition information of the interface parameters of the target service. The specific implementation method for obtaining the target interface definition information can be as shown in step S202 above.

[0094] S404. The network request is parsed using the target interface definition information to obtain the parsed network request.

[0095] In this embodiment, the access control service can use the target interface definition information to parse the network request and obtain the parsed network request. The format of the parsed network request can match the requirement format of the target service. The specific implementation of obtaining the parsed network request can be as shown in step S203 above.

[0096] S405. By performing verification processing on the parsed network request, an access control result is obtained. The access control result is used to indicate whether to send the parsed network request to the target service.

[0097] In this embodiment, the access control service in the access control system obtains an access control result by verifying the parsed network request. This result indicates whether to send the parsed network request to the target service. If the result indicates to send the parsed network request, the access control service can send it to the target service to enable the target service to respond and provide services to the business object. If the result indicates not to send the parsed network request, the access control service can intercept the request, generate a call failure message (e.g., an error code), and send this message to the calling service. Since the method provided in this application verifies network requests initiated by business objects, and this verification process includes identity verification of the business object, the access control service can determine the corresponding business object for each network request through verification. This allows for the separation of network requests initiated by different business objects, achieving data isolation between different business objects. This facilitates the independence of data and configuration for different business objects and ensures system and data security. In addition, when a network request initiated by a business object for data of other business objects passes the verification, the access control service can also send the network request to the corresponding service, thereby enabling mutual access between different business objects.

[0098] Please see Figure 6 This figure is a schematic diagram of another access control method provided in an embodiment of this application. The access control system includes a calling service 61, an access control service 62, and an application service ( Figure 6 In this context, the application service is the target service (63), and the calling service has registered an access control framework (611, also referred to as the access control SDK). The access control framework can proxy network requests, or it can obtain grayscale control configuration information from the grayscale configuration file stored on the server corresponding to the calling service, and use the grayscale control configuration information to update the grayscale routing table.

[0099] Business object 64 can initiate a network request to the target service. Access control framework 611 can obtain this network request and query the grayscale routing table based on it. If the grayscale control rules of the target service in the grayscale routing table do not match the network request (i.e., grayscale not hit), access control framework 611 directly sends the network request to target service 63 and returns call information (e.g., call response). If the grayscale control rules of the target service in the grayscale routing table match the network request (i.e., grayscale hit), access control framework 611 packages the network request according to the data format requirements of the target service to obtain the packaged network request. Access control framework 611 sends the packaged network request to access control service 62. Access control service 62 can perform service interface parameter reflection, that is, obtain the target interface definition information of the target service, and use the target interface definition information to parse the packaged network request to obtain the parsed network request. Access control service includes multiple verification methods: request signature verification method, interface whitelist verification method, caller whitelist verification method, ticket verification method, and request authentication method. Access control service 62 can perform access verification processing on parsed network requests using one or more verification methods based on application requirements and configuration information. When the parsed network request passes all access verifications performed by access control service 62 (i.e., the network request passes verification), access control service 62 can send the parsed network request to target service 63; otherwise, access control service 62 can intercept the network request and send an error code to calling service 61. The method provided in this embodiment can effectively implement access control for network requests, solving the problem of insufficient flexibility in access control capabilities.

[0100] The access control method provided in this application embodiment can obtain network requests from business objects and realize cross-border network request proxying; it can achieve automatic traffic routing of network requests with only lightweight modifications to the calling service, solving the problem of needing a lot of development for access control services and reducing the development cost of access control systems; it can use interface definition information to parse network requests, which is beneficial for subsequent authentication of parsed network requests. At the same time, when obtaining interface definition information, it can effectively ensure the validity of interface definition information. When the application service is updated, the method provided in this application embodiment can automatically inherit the configuration items of the updated application service, eliminating the need for developers to repeatedly configure in the access control service, realizing the reuse of application service configuration items, reducing development costs, simplifying the configuration process, and effectively solving the problem of cumbersome service configuration; it can perform verification processing on parsed network requests, so that access control can be accessed without the business object's awareness, realizing multi-dimensional access control of network requests, and can also realize cross-border traffic reporting, gray-scale logic, and access authentication, enhancing system security. It combines coarse-grained gray-scale routing with multi-dimensional access verification, effectively improving the flexibility of access control.

[0101] Please see Figure 7 , Figure 7 This is a structural block diagram of an access control device provided in an embodiment of this application. The access control device can be disposed in the computer device provided in this embodiment of the application, and the computer device can be as described above. Figure 2 The access control data center 102 in the access control system shown. Figure 7 The access control device shown can be a computer program running on a computer device, which can be used to execute... Figure 2 or Figure 4 The steps in some or all of the access control method embodiments shown are illustrated. Please refer to [link / reference]. Figure 7 The access control device may include the following units:

[0102] The acquisition unit 701 is used to acquire network requests initiated by the business object for the target service;

[0103] The acquisition unit 701 is further configured to acquire target interface definition information of the target service when the network request matches the grayscale control rule of the target service, wherein the target interface definition information includes the definition information of the interface parameters of the target service;

[0104] Processing unit 702 is used to parse the network request using the target interface definition information to obtain the parsed network request;

[0105] The control unit 703 is used to perform verification processing on the parsed network request to obtain an access control result, which is used to indicate whether to send the parsed network request to the target service.

[0106] In one embodiment, the acquisition unit 701, when acquiring the target interface definition information of the target service, specifically performs the following steps:

[0107] Determine the acquisition time of the first interface definition information of the target service, wherein the first interface definition information includes the first definition information of the interface parameters of the target service;

[0108] If the time difference between the acquisition time and the current time is greater than a time threshold, then the second interface definition information of the target service is acquired, and the second interface definition information is determined as the target interface definition information. The second interface definition information includes the second definition information of the interface parameters of the target service.

[0109] If the time difference between the acquired time and the current time is less than or equal to the time threshold, then the first interface definition information is determined as the target interface definition information.

[0110] In one embodiment, the processing unit 702 is used to parse the network request using the target interface definition information, and when obtaining the parsed network request, it specifically performs the following steps:

[0111] Obtain the packaged network request, wherein the packaged network request is in serialized binary format;

[0112] Using the target interface definition information, the packaged network request is deserialized to obtain a parsed network request. The data format of the parsed network request matches the requirement format corresponding to the target service.

[0113] In one embodiment, when the processing unit 702 obtains the packaged network request, it specifically performs the following steps:

[0114] Obtain the data format requirement information of the target service, wherein the data format requirement information is used to indicate the packaging method of the network request;

[0115] The network request is packaged according to the data format requirements of the target service to obtain the packaged network request.

[0116] In one embodiment, the acquisition unit 701 is further configured to perform the following steps:

[0117] Retrieve the grayscale control rules for the target service from the target grayscale routing table;

[0118] The access control framework is invoked to match the network request with the grayscale control rules of the target service to obtain the matching result.

[0119] If the matching result indicates that the network request does not match the grayscale control rules of the target service, then the access control framework is invoked to forward the network request to the target service;

[0120] If the matching result indicates that the network request matches the grayscale control rule of the target service, then the step of obtaining the target interface definition information of the target service is executed.

[0121] In one embodiment, the acquisition unit 701 is further configured to perform the following steps:

[0122] Register the access control framework using the object parameters of the business object;

[0123] The access control framework is invoked to obtain the grayscale control configuration information;

[0124] The access control framework is invoked, and the grayscale control configuration information is used to update the current grayscale routing table to obtain the target grayscale routing table, which contains the grayscale control rules for the target service.

[0125] In one embodiment, the control unit 703, when obtaining an access control result by verifying the parsed network request, specifically performs the following steps:

[0126] According to the access verification method, the parsed network request is subjected to access verification processing to obtain the access verification result;

[0127] The access control result is determined based on the access verification result; wherein, the access verification method includes one or more of the following: request signature verification method, interface whitelist verification method, caller whitelist verification method, ticket verification method, and request authentication method.

[0128] In one embodiment, the control unit 703 is configured to perform access verification processing on the parsed network request according to the access verification method, and when obtaining the access verification result, specifically execute the following steps:

[0129] Obtain the category of the authentication parameters contained in the parsed network request;

[0130] Based on the category, a target access verification method is determined from the various access verification methods.

[0131] Based on the target access verification method, the authentication parameters contained in the parsed network request are processed to obtain the access verification result.

[0132] Figure 7 The various units in the access control device shown can be individually or entirely merged into one or more other units, or some of the units can be further divided into multiple functionally smaller units. This achieves the same operation without affecting the technical effects of the embodiments of this application. The above units are based on logical function division. In practical applications, the function of one unit can be implemented by multiple units, or the function of multiple units can be implemented by one unit. In other embodiments of this application, the access control device may also include other units. In practical applications, these functions can also be implemented with the assistance of other units, and can be implemented collaboratively by multiple units.

[0133] In one embodiment, the ability to perform such operations can be achieved by running on a general-purpose computing device, such as a computer, which includes processing elements and storage elements such as a central processing unit (CPU), random access memory (RAM), and read-only memory (ROM). Figure 2 or Figure 4 Computer programs for the steps involved in some or all of the methods shown, to construct, for example... Figure 7 The access control device shown herein, and the access control method for implementing the embodiments of this application, are described. A computer program may be recorded on, for example, a computer-readable storage medium, loaded onto the aforementioned computing device via the computer-readable storage medium, and executed therein.

[0134] The access control device provided in this application embodiment can obtain network requests from business objects and realize cross-border network request proxying; it can achieve automatic traffic routing of network requests with only lightweight modifications to the calling service, solving the problem of needing a lot of development for access control services and reducing the development cost of access control systems; it can use interface definition information to parse network requests, which is beneficial for subsequent authentication of parsed network requests. At the same time, when obtaining interface definition information, it can effectively ensure the validity of interface definition information. When the application service is updated, the method provided in this application embodiment can automatically inherit the configuration items of the updated application service, eliminating the need for developers to repeatedly configure in the access control service, realizing the reuse of application service configuration items, reducing development costs, simplifying the configuration process, and effectively solving the problem of cumbersome service configuration; it can perform verification processing on parsed network requests, so that access control can be accessed without the business object's awareness, realizing multi-dimensional access control of network requests, and can also realize cross-border traffic reporting, gray-scale logic, and access authentication, enhancing system security. It combines coarse-grained gray-scale routing with multi-dimensional access verification, effectively improving the flexibility of access control.

[0135] Based on the above methods and apparatus embodiments, this application provides a computer device. Please refer to... Figure 8 , Figure 8 This is a structural block diagram of a computer device provided in an embodiment of this application. Figure 8 The computer device shown can be the one described above. Figure 1 Access control data center 102 in the middle. Figure 8 The computer device shown includes at least a processor 801, an input interface 802, an output interface 803, and a computer-readable storage medium 804. The processor 801, input interface 802, output interface 803, and computer-readable storage medium 804 can be connected via a bus or other means.

[0136] Computer-readable storage medium 804 can be stored in the memory of a computer device. Computer-readable storage medium 804 is used to store computer programs, including computer instructions. Processor 801 is used to execute the computer program stored in computer-readable storage medium 804. Processor 801 (or CPU (Central Processing Unit)) is the computing and control core of the computer device, suitable for implementing computer programs, specifically for loading and executing computer programs to achieve corresponding methods or functions.

[0137] This application also provides a computer-readable storage medium (Memory), which is a memory device in a computer device used to store programs and data. It is understood that the computer-readable storage medium here can include both built-in storage media in the computer device and extended storage media supported by the computer device. The computer-readable storage medium provides storage space for storing the operating system of the computer device. Furthermore, the storage space also stores computer programs suitable for loading and execution by a processor. It should be noted that the computer-readable storage medium here can be high-speed RAM or non-volatile memory, such as at least one disk storage device; optionally, it can also be at least one computer-readable storage medium located remotely from the aforementioned processor.

[0138] In a specific implementation, the processor 801 can load and execute the computer program stored in the computer-readable storage medium 804 to achieve the aforementioned related... Figure 2 or Figure 4 The corresponding steps in the access control method shown. In a specific implementation, the computer program in the computer-readable storage medium 804 is loaded by the processor 801 and executed as follows:

[0139] Retrieve network requests initiated by the business object for the target service;

[0140] If the network request matches the grayscale control rule of the target service, the target interface definition information of the target service is obtained, and the target interface definition information includes the definition information of the interface parameters of the target service;

[0141] The network request is parsed using the target interface definition information to obtain the parsed network request;

[0142] By validating the parsed network request, an access control result is obtained, which indicates whether to send the parsed network request to the target service.

[0143] In one embodiment, when the computer program in the computer-readable storage medium 804 is loaded and executed by the processor 801 to obtain the target interface definition information of the target service, it is specifically used to perform the following steps:

[0144] Determine the acquisition time of the first interface definition information of the target service, wherein the first interface definition information includes the first definition information of the interface parameters of the target service;

[0145] If the time difference between the acquisition time and the current time is greater than a time threshold, then the second interface definition information of the target service is acquired, and the second interface definition information is determined as the target interface definition information. The second interface definition information includes the second definition information of the interface parameters of the target service.

[0146] If the time difference between the acquired time and the current time is less than or equal to the time threshold, then the first interface definition information is determined as the target interface definition information.

[0147] In one embodiment, when the computer program in the computer-readable storage medium 804 is loaded and executed by the processor 801 to parse the network request using the target interface definition information and obtain the parsed network request, it specifically performs the following steps:

[0148] Obtain the packaged network request, wherein the packaged network request is in serialized binary format;

[0149] Using the target interface definition information, the packaged network request is deserialized to obtain a parsed network request. The data format of the parsed network request matches the requirement format corresponding to the target service.

[0150] In one embodiment, when the computer program in the computer-readable storage medium 804 is loaded and executed by the processor 801 to obtain the packaged network request, it is specifically used to perform the following steps:

[0151] Obtain the data format requirement information of the target service, wherein the data format requirement information is used to indicate the packaging method of the network request;

[0152] The network request is packaged according to the data format requirements of the target service to obtain the packaged network request.

[0153] In one embodiment, when the computer program in the computer-readable storage medium 804 is loaded and executed by the processor 801, it is further configured to perform the following steps:

[0154] Retrieve the grayscale control rules for the target service from the target grayscale routing table;

[0155] The access control framework is invoked to match the network request with the grayscale control rules of the target service to obtain the matching result.

[0156] If the matching result indicates that the network request does not match the grayscale control rules of the target service, then the access control framework is invoked to forward the network request to the target service;

[0157] If the matching result indicates that the network request matches the grayscale control rule of the target service, then the step of obtaining the target interface definition information of the target service is executed.

[0158] In one embodiment, when the computer program in the computer-readable storage medium 804 is loaded and executed by the processor 801, it is further configured to perform the following steps:

[0159] Register the access control framework using the object parameters of the business object;

[0160] The access control framework is invoked to obtain the grayscale control configuration information;

[0161] The access control framework is invoked, and the grayscale control configuration information is used to update the current grayscale routing table to obtain the target grayscale routing table, which contains the grayscale control rules for the target service.

[0162] In one embodiment, when the computer program in the computer-readable storage medium 804 is loaded and executed by the processor 801 to obtain an access control result by verifying the parsed network request, it is specifically used to perform the following steps:

[0163] According to the access verification method, the parsed network request is subjected to access verification processing to obtain the access verification result;

[0164] The access control result is determined based on the access verification result; wherein, the access verification method includes one or more of the following: request signature verification method, interface whitelist verification method, caller whitelist verification method, ticket verification method, and request authentication method.

[0165] In one embodiment, when the computer program in the computer-readable storage medium 804 is loaded and executed by the processor 801 to perform access verification processing on the parsed network request according to the access verification method and obtain the access verification result, it is specifically used to perform the following steps:

[0166] Obtain the category of the authentication parameters contained in the parsed network request;

[0167] Based on the category, a target access verification method is determined from the various access verification methods.

[0168] Based on the target access verification method, the authentication parameters contained in the parsed network request are processed to obtain the access verification result.

[0169] The computer device provided in this application embodiment can acquire network requests from business objects and realize cross-border network request proxying; it can achieve automated traffic routing of network requests with only lightweight modifications to the calling service, solving the problem of needing extensive development for access control services and reducing the development cost of access control systems; it can use interface definition information to parse network requests, which is beneficial for subsequent authentication of parsed network requests. At the same time, when acquiring interface definition information, it can effectively ensure the validity of interface definition information. When application services are updated, the method provided in this application embodiment can automatically inherit the configuration items of the updated application services, eliminating the need for developers to repeatedly configure in the access control service, realizing the reuse of application service configuration items, reducing development costs, simplifying the configuration process, and effectively solving the problem of cumbersome service configuration; it can perform verification processing on parsed network requests, thereby enabling access control without the business object's awareness, realizing multi-dimensional access control of network requests, and also realizing cross-border traffic reporting, gray-scale logic, and access authentication, enhancing system security. It combines coarse-grained gray-scale routing with multi-dimensional access verification, effectively improving the flexibility of access control.

[0170] This application also provides a computer-readable storage medium storing computer instructions. When executed on a computer device, the instructions cause the computer device to perform the steps in the various method embodiments of this application to implement the access control method provided in this application. Specific implementation details can be found in the foregoing description and will not be repeated here.

[0171] This application also provides a computer program product, which includes a computer program or computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer program or computer instructions from the computer-readable storage medium and executes the computer program or computer instructions, causing the computer device to perform the steps in the various method embodiments of this application to implement the access control method provided in this application. Specific implementation details can be found in the foregoing description and will not be repeated here.

[0172] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed in this application can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application. In the embodiments of this application, the terms "module" or "unit" refer to a computer program or part of a computer program with a predetermined function, which works with other related parts to achieve a predetermined goal, and can be implemented wholly or partially using software, hardware (such as processing circuitry or memory), or a combination thereof. Similarly, a processor (or multiple processors or memory) can be used to implement one or more modules or units. Furthermore, each module or unit can be part of an overall module or unit that includes the functionality of that module or unit.

[0173] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product. A computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the flow or function according to the embodiments of this application is generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in or transmitted through a computer-readable storage medium. The computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that a computer can access or a data storage device such as a server or data center that integrates one or more available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid-state disk (SSD)).

[0174] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. An access control method, characterized in that, The method includes: Retrieve network requests initiated by the business object for the target service; If the network request matches the grayscale control rule of the target service, the target interface definition information of the target service is obtained, and the target interface definition information includes the definition information of the interface parameters of the target service; The network request is parsed using the target interface definition information to obtain the parsed network request; By validating the parsed network request, an access control result is obtained, which indicates whether to send the parsed network request to the target service.

2. The method as described in claim 1, characterized in that, The step of obtaining the target interface definition information of the target service includes: Determine the acquisition time of the first interface definition information of the target service, wherein the first interface definition information includes the first definition information of the interface parameters of the target service; If the time difference between the acquisition time and the current time is greater than a time threshold, then the second interface definition information of the target service is acquired, and the second interface definition information is determined as the target interface definition information. The second interface definition information includes the second definition information of the interface parameters of the target service. If the time difference between the acquired time and the current time is less than or equal to the time threshold, then the first interface definition information is determined as the target interface definition information.

3. The method as described in claim 1 or 2, characterized in that, The step of parsing the network request using the target interface definition information to obtain the parsed network request includes: Obtain the packaged network request, wherein the packaged network request is in serialized binary format; Using the target interface definition information, the packaged network request is deserialized to obtain a parsed network request. The data format of the parsed network request matches the requirement format corresponding to the target service.

4. The method as described in claim 3, characterized in that, The process of obtaining the packaged network request includes: Obtain the data format requirement information of the target service, wherein the data format requirement information is used to indicate the packaging method of the network request; The network request is packaged according to the data format requirements of the target service to obtain the packaged network request.

5. The method as described in claim 1 or 2, characterized in that, The method further includes: Retrieve the grayscale control rules for the target service from the target grayscale routing table; The access control framework is invoked to match the network request with the grayscale control rules of the target service to obtain the matching result. If the matching result indicates that the network request does not match the grayscale control rules of the target service, then the access control framework is invoked to forward the network request to the target service; If the matching result indicates that the network request matches the grayscale control rule of the target service, then the step of obtaining the target interface definition information of the target service is executed.

6. The method as described in claim 5, characterized in that, The method further includes: Register the access control framework using the object parameters of the business object; The access control framework is invoked to obtain the grayscale control configuration information; The access control framework is invoked, and the grayscale control configuration information is used to update the current grayscale routing table to obtain the target grayscale routing table, which contains the grayscale control rules for the target service.

7. The method as described in claim 1 or 2, characterized in that, The process of verifying the parsed network request to obtain the access control result includes: According to the access verification method, the parsed network request is subjected to access verification processing to obtain the access verification result; The access control result is determined based on the access verification result; wherein, the access verification method includes one or more of the following: request signature verification method, interface whitelist verification method, caller whitelist verification method, ticket verification method, and request authentication method.

8. The method as described in claim 7, characterized in that, The step of performing access verification processing on the parsed network request according to the access verification method to obtain the access verification result includes: Obtain the category of the authentication parameters contained in the parsed network request; Based on the category, a target access verification method is determined from the various access verification methods. Based on the target access verification method, the authentication parameters contained in the parsed network request are processed to obtain the access verification result.

9. An access control device, characterized in that, include: The acquisition unit is used to acquire network requests initiated by business objects for the target service; The acquisition unit is further configured to acquire target interface definition information of the target service when the network request matches the grayscale control rule of the target service, wherein the target interface definition information includes the definition information of the interface parameters of the target service; The processing unit is used to parse the network request using the target interface definition information to obtain the parsed network request; The control unit is used to perform verification processing on the parsed network request to obtain an access control result, which is used to indicate whether to send the parsed network request to the target service.

10. A computer device, characterized in that, The computer device includes: A processor is a tool for implementing computer programs. A computer-readable storage medium storing a computer program adapted to be loaded by the processor and to implement the access control method as described in any one of claims 1-8.

11. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program adapted to be loaded by a processor and to implement the access control method as described in any one of claims 1-8.

12. A computer program product, characterized in that, The computer program product includes a computer program that, when executed by a processor, implements the access control method as described in any one of claims 1-8.