CN118245991B - Method and system for managing authorized client instance - Google Patents
- Publication number: CN118245991B
- Application number: CN202410659208.8A
- Authority: CN (China)
- Prior art keywords: authorization, access, instance, application system, service platform
- Legal status: Active
Classifications (all under G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING)
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31—User authentication
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60—Protecting data > G06F21/602—Providing cryptographic facilities or services
- G06F8/00—Arrangements for software engineering > G06F8/40—Transformation of program code > G06F8/54—Link editing before load time
- G06F9/00—Arrangements for program control, e.g. control units > G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44—Arrangements for executing specific programs > G06F9/445—Program loading or initiating > G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
Abstract
Embodiments of the present application provide a method and system for managing authorized client instances. The method comprises: an authorization client sends an instance creation request to an authorization service platform, where the authorization client is embedded in an application system and the application system and the authorization service platform are deployed in the same cluster environment; the authorization service platform receives the instance creation request and determines whether the number of available instances is 0; if it is not 0, the platform generates an instance authorization code and sends it to the authorization client, each instance corresponding to one instance authorization code; if the number of available instances is 0, the platform does not respond; the authorization client receives the instance authorization code and creates an instance in the application system. Because the application system and the authorization service platform are deployed in the same cluster environment, the authorization client can obtain instance authorization codes automatically from the resource pool of the authorization service platform, and the codes are issued on demand within the licensed limit without an application to the licensing center each time one is needed.
Description
Technical Field
The present application relates to the technical field of authorization and authentication, and in particular to a method and system for managing authorized client instances.
Background
With the rapid development of informatization, enterprises continuously deliver application software to users in many industries, so the security of that software is very important: effective means are needed to improve the security of independently developed application software, to avoid the threat of piracy and cracking, and to take responsibility for customers' safe use. Generally, for a client that uses the internet as its application running environment, authorization and rights-limiting operations are performed through an interface provided online by the development enterprise; there is then no need to worry about an authorization code or license being cracked, and online authorization is convenient, easy to use and widely adopted, so most enterprise clients choose the online authorization mode.
Currently, digital signatures, an anti-counterfeiting technique, are mainly used: the authenticity of data can be verified by means of a public key, so only the holder of the private key can produce data that passes digital signature verification. Thus nobody can forge a digital signature unless the private key (typically stored on a server) is compromised.
During license generation, the server digitally signs the license with the private key of an asymmetric key pair, and the client verifies the digital signature with the corresponding public key. Only after this verification passes is the content of the license itself verified.
To increase the difficulty of cracking application software, the following methods are generally adopted:
First, apply a timestamp: the release timestamp is added to the license file, and if the time specified in the license file is earlier than the current timestamp, the license file cannot be used even if the system time is modified. In this way, the use of expired license files with new versions of the application software is restricted.
Second, resist decompilation: increase the difficulty of decompiling the code and avoid performing license-file verification in code that is easy to decompile; in particular, guard against the verification result being changed directly to True and against the code that stores the public-key string being replaced outright. Embedding the check code inline in the binary and obfuscating the code increases the difficulty of cracking.
However, the above approaches do not support custom authorization for actual business scenarios; they only impose limits on user type and timestamp, and customized advanced configuration according to the actual requirements of clients is still needed.
Disclosure of Invention
Embodiments of the present application provide an authorized client instance management method, an authorized client instance management apparatus, a computer device and a storage medium.
In a first aspect of the embodiments of the present application, there is provided a method for managing an authorized client instance, including:
the authorization client sends an instance creation request to the authorization service platform, where the authorization client is embedded in an application system, and the application system and the authorization service platform are deployed in the same cluster environment;
the authorization service platform receives the instance creation request and determines whether the number of available instances is 0; if it is not 0, the platform generates an instance authorization code and sends it to the authorization client, each instance corresponding to one instance authorization code; if the number of available instances is 0, there is no response;
the authorization client receives the instance authorization code and creates an instance in the application system.
In an alternative embodiment of the present application, determining whether the number of available instances is 0 includes:
comparing the preset number of instances with the number of actually created instances; when the number of created instances is smaller than the preset number, the number of available instances is determined not to be 0, and when the number of created instances equals the preset number, the number of available instances is determined to be 0.
In an alternative embodiment of the present application, before the authorization client sends the instance creation request to the authorization service platform, the method further comprises:
the authorization service platform obtains the authorization code of the application system, decrypts it, and sends the decrypted authorization code to the application system;
the application system parses the configuration items of the authorization client SDK to obtain the configuration item information, checks the decrypted authorization code against the configuration item information, and determines that authorization of the application system has succeeded once the check passes.
In an alternative embodiment of the present application, the application system authorization code is generated by the license center platform from the client identification information, the authorization service platform identification information, the validity period of the application system, the application system identification information and name, and the number of application instances.
In an alternative embodiment of the present application, the application system communicates with the deployed authorization service platform via the gRPC protocol.
In an alternative embodiment of the present application, the method further comprises:
each application system monitors and obtains user authorized-access behaviour information, constructs an application variation set, establishes a distributed blockchain, and generates an access variation coefficient from the set; if the access variation coefficient is greater than the preset variation threshold, a first early-warning instruction is sent to the authorization service platform, and if the access variation coefficient is less than or equal to the preset variation threshold, a first qualified instruction is sent to the authorization service platform;
an application system authentication step is planned using a trained authorization authentication model to obtain a plurality of verification matching-item sets, which include an identity authentication matching-information item, a license matching-information item, a device management matching-information item and a geographic-location authentication matching-information item, and an information verification coefficient is generated from the matching-item sets; if the information verification coefficient is not less than a first threshold, the authorization service platform generates and sends a second qualified instruction, and if the information verification coefficient is less than the first threshold, a second early-warning instruction is generated;
after the authorization service platform recognizes the user's first qualified instruction and second qualified instruction, it judges the priority authorization level and performs the authorization action for the user;
and after receiving the first early-warning instruction and the second early-warning instruction, it triggers the corresponding security response strategy.
In an alternative embodiment of the present application, the method further comprises:
obtaining user authorized-access behaviour information, including the user's login IP, application operations, accessed content and access traffic information;
summarizing the user access behaviour information, extracting the user's access frequency fluctuation value fwbd, access content fluctuation value nrbd, access time fluctuation value sjbd, access rights fluctuation value qxbd and access device fluctuation value sbbd, identifying the access variation ratio and the time interval ratio, and constructing the application variation set; the access variation ratio is generated by the following formula:
where the formula's coefficients are the preset scaling factors of the access frequency fluctuation value fwbd, the access content fluctuation value nrbd, the access time fluctuation value sjbd, the access rights fluctuation value qxbd and the access device fluctuation value sbbd, together with a constant correction coefficient.
In an alternative embodiment of the present application, the time interval ratio is generated by the following formula:
where the first term represents the time interval between the user's j-th and (j+1)-th accesses, m represents the user's total number of accesses, and the time interval ratio is obtained by computing over all of the user's access time intervals.
In an alternative embodiment of the present application, the access variation ratio and the time interval ratio are subjected to dimensionless processing, the corresponding data values are mapped onto an interval, and the access variation coefficient is then generated according to the following formula:
where the parameters are the preset mean of the access variation ratio and the preset mean of the time interval ratio, n is the number of items of access behaviour information (a positive integer greater than 1), and the remaining parameters are weight values.
In a second aspect of the embodiments of the present application, there is provided an authorized client instance management system, including:
an authorization client, used to send an instance creation request to the authorization service platform, receive an instance authorization code and create an instance in the application system, where the authorization client is embedded in the application system, and the application system and the authorization service platform are deployed in the same cluster environment;
an authorization service platform, connected to the authorization client and used to receive the instance creation request and determine whether the number of available instances is 0; if it is not 0, the platform generates an instance authorization code and sends it to the authorization client, each instance corresponding to one instance authorization code; if the number of available instances is 0, there is no response.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of an authorization client instance management method provided by an embodiment of the present application;
FIG. 2 is a flowchart of an authorization client instance management method according to another embodiment of the present application;
FIG. 3 is a flowchart of an authorization client instance management method according to yet another embodiment of the present application;
FIG. 4 is a flowchart of an authorization client instance management method according to yet another embodiment of the present application;
FIG. 5 is a schematic structural diagram of an authorization client instance management system according to an embodiment of the present application.
Detailed Description
In the course of realizing the present application, the inventors found that the current authorization mode does not support custom authorization for actual business scenarios, but only imposes limits on user type and timestamp, and that customized advanced configuration according to the actual requirements of clients is needed.
In view of the above problems, in an embodiment of the present application an authorization client sends an instance creation request to an authorization service platform, where the authorization client is embedded in an application system and the application system and the authorization service platform are deployed in the same cluster environment; the authorization service platform receives the instance creation request and determines whether the number of available instances is 0; if it is not 0, the platform generates an instance authorization code and sends it to the authorization client, each instance corresponding to one instance authorization code; if the number of available instances is 0, there is no response; the authorization client receives the instance authorization code and creates an instance in the application system. Because the application system and the authorization service platform are deployed in the same cluster environment, for an application system that requires instance authorization, the authorization client embedded in it can automatically obtain instance authorization codes from the resource pool of the authorization service platform, which issues them on demand within the licensed limit, without an application to the licensing center each time one is needed.
The scheme in the embodiments of the present application can be implemented in various computer languages, such as the object-oriented programming language Java and the interpreted scripting language JavaScript.
In order to make the technical solutions and advantages of the embodiments of the present application clearer, exemplary embodiments are described in detail below in conjunction with the accompanying drawings; the described embodiments are only some embodiments of the present application and not an exhaustive list. It should be noted that, where no conflict arises, the embodiments of the present application and their features may be combined with each other.
Referring to fig. 1, the method for managing an authorized client instance provided in the embodiment of the present application includes steps S1 to S4 as follows:
S1, an authorization client sends an instance creation request to an authorization service platform, where the authorization client is embedded in an application system, and the application system and the authorization service platform are deployed in the same cluster environment.
In an alternative embodiment of the present application, before the authorization client sends the instance creation request to the authorization service platform, the method further comprises:
the authorization service platform obtains the authorization code of the application system, decrypts it, and sends the decrypted authorization code to the application system;
the application system parses the configuration items of the authorization client SDK to obtain the configuration item information, checks the decrypted authorization code against the configuration item information, and determines that authorization of the application system has succeeded once the check passes.
In an alternative embodiment of the present application, the application system communicates with the deployed authorization service platform via the gRPC protocol.
In an optional embodiment of the present application, the authorization service platform and the application system embedded with the authorization client SDK are deployed in the customer-site cluster environment. The authorization service platform obtains the cluster identification information, which serves as the authorization service platform identification information used when applying for authorization. The uniqueness of the authorization service platform identification information together with the application system identification information pins the application system to the customer-site cluster environment, so the application system cannot be used across cluster environments and the spatial security of the authorization file is ensured.
S2, the authorization service platform receives the instance creation request and determines whether the number of available instances is 0; if it is not 0, the platform generates an instance authorization code and sends it to the authorization client, each instance corresponding to one instance authorization code; if the number of available instances is 0, there is no response.
In an alternative embodiment of the present application, determining whether the number of available instances is 0 includes:
comparing the preset number of instances with the number of actually created instances; when the number of created instances is smaller than the preset number, the number of available instances is determined not to be 0, and when the number of created instances equals the preset number, the number of available instances is determined to be 0.
S3, the authorization client receives the instance authorization code and creates an instance in the application system.
In an alternative embodiment of the present application, the application system authorization code is generated by the license center platform from the client identification information, the authorization service platform identification information, the validity period of the application system, the application system identification information and name, and the number of application instances.
In an alternative embodiment of the present application, when instances are created in the application system, the creation quota is controlled by the total number of instances in the application system authorization code. Each time an instance is created, the authorization client SDK automatically obtains an instance authorization code from the authorization service platform over gRPC, one instance authorization code being generated per created instance. If the number of instances would exceed the creation limit of the authorized application, the authorization service platform stops generating instance authorization codes. If the application system returns instances, the total number of instances stays unchanged, the number of available instances increases, the authorization service platform resumes normal operation and generates new instance authorization codes.
Referring to fig. 2, in an alternative embodiment of the application, the application system is deployed by:
S21, obtaining at least one application system corresponding to the authorization client, embedding the authorization client SDK into the application system, and writing the application system identification code and name into the application system, where the authorization client SDK contains the authorization client and packages, for calling, programs for registering an instance of the authorization client, querying instance authorization, querying application system authorization and registering the application system;
S22, deploying each application system in the target cluster corresponding to the authorization client, where the application system communicates automatically with the authorization service platform via the gRPC protocol based on the authorization client SDK, the uniqueness of the application system is determined by combining its identification code and name with the authorization service platform identification information, and the gRPC protocol connects the authorization service platform with the services of the application system.
In an optional embodiment of the present application, obtaining the application system corresponding to the authorization client includes:
exporting the application system corresponding to the authorization client from the license center platform in the form of a file. The exported file serves as the product file when the product is deployed in the customer-site cluster environment; before deployment, the authorization client SDK must be embedded into the developed application source code, and the product identifier and product name are written in as the application system identification information and name, so that the authorization service platform can perform business translation of the authorization client SDK.
In an alternative embodiment of the present application, the product may be an application migration system, in which case instances include, but are not limited to, application migration instances.
In an optional embodiment of the present application, after the deploying each application system in the target cluster corresponding to the authorized client, the method further includes:
the authorization service platform obtains the application system authorization code, decrypts it to obtain the authorization information, and sends the authorization information to the application system, where the application system authorization code is generated from the client identification information, the authorization service platform identification information, the validity period of the application system, the application system identification information and name, and the number of application instances;
the application system parses the configuration items of the authorization client SDK to obtain the configuration item information, checks the authorization information against the configuration item information, and determines that authorization of the application system has succeeded once the check passes.
Referring to fig. 3, in an alternative embodiment of the present application, the application system is updated by:
S31, after authorization of the application system succeeds, the application system verifies whether the current time is within the validity period of the application system;
S32, if the current time is within the validity period of the application system, the usage permission of the application system is enabled;
S33, if the current time is not within the validity period of the application system given in the decrypted authorization code, prompt information for updating the validity period of the application system is generated and sent to the authorization service platform.
In an alternative embodiment of the present application, the method further comprises:
the authorization service platform obtains the authorization code of the application system, decrypts it, and sends the decrypted authorization code to the application system;
the application system parses the configuration items of the authorization client SDK to obtain the configuration item information, checks the decrypted authorization code against the configuration item information, and determines that authorization of the application system has succeeded once the check passes.
In an optional embodiment of the present application, checking the decrypted authorization code against the configuration item information includes:
comparing the decrypted authorization code with the client identification information, authorization service platform identification information, validity period of the application system, application system identification information and name, and number of application instances in the configuration item information;
if the decrypted authorization code is consistent with the client identification information, authorization service platform identification information, validity period of the application system, application system identification information and name, and number of application instances in the configuration item information, the check is determined to have passed;
and if any one of the client identification information, authorization service platform identification information, validity period of the application system, application system identification information and name, or number of application instances in the decrypted authorization code is inconsistent with the configuration item information, the check is determined to have failed, and prompt information for updating the validity period of the application system is generated and sent to the authorization service platform.
In an optional embodiment of the present application, after the prompt information for updating the validity period of the application system is generated and sent to the authorization service platform, the method further includes:
the authorization service platform obtains the updated application system authorization code, decrypts it to obtain the updated decrypted authorization code, and sends it to the application system;
and the application system checks the updated decrypted authorization code against the configuration item information, and determines that authorization of the application system has succeeded once the check passes.
Referring to fig. 4, in an alternative embodiment of the present application, before step S1 the method further includes:
S41, the license center platform generates an application system authorization code corresponding to a target cluster, where the application system authorization code is generated from the client identification information, the authorization service platform identification information, the validity period of the application system, the application system identification information and name, and the number of application instances; an authorization client SDK is embedded in the application system, and the application system information includes the identification information and name of the application system;
S42, an authorization service platform and a preset application system are deployed in the target cluster, where the application system and the deployed authorization service platform communicate over the GRPC protocol;
S43, the authorization service platform acquires the application system authorization code, decrypts it to obtain the decrypted authorization code, and sends the decrypted authorization code to the application system;
S44, the application system parses the configuration item information of the authorization client SDK, checks the decrypted authorization code against the configuration item information, and determines that the application system is authorized once verification passes, so that the application system is allowed to log in and use instances.
In an optional embodiment of the present application, on the license center platform deployed in the cluster environment that provides the application system, the applicant fills in the authorization application: the user, third-party application information, project information, the cluster identification of the cluster where the application system is deployed (i.e. the authorization service platform identification information), the validity timestamp, the number of instances and the number of application systems. After the application is submitted, a third-party approval process is triggered; the designated responsible person completes the approval, and the application system authorization code is obtained from the license center once approval is complete.
In an optional embodiment of the present application, in the client site cluster environment the authorization service platform automatically discovers, on first use, that the application system still requires authorization; the designated responsible person obtains the application system authorization code from the license center platform offline and pastes it into the entry for that application system on the authorization service platform.
In an alternative embodiment of the present application, the authorization service platform obtains the application system authorization code and decrypts the application system authorization code, including:
The authorization service platform decrypts the application system authorization code based on a preset private key.
In an optional embodiment of the present application, the license center platform and the authorization service platform need not be in the same cluster environment: the license center platform may be deployed in the cluster environment that provides the application system as a service, acting as the entry point for authorization applications, while the authorization service platform and the application system the client needs to use are deployed in the client site cluster environment, which provides automatic discovery of applications, offline authorization and automatic verification of authorization information.
In an alternative embodiment of the present application, deploying the authorization service platform in the target cluster includes:
creating a namespace in the target cluster, and deploying an authorization file and the authorization service platform in that namespace;
binding the authorization file to the authorization service platform, where the authorization file includes the target cluster identification information, the client identification information, and the application system identification information and name.
In an alternative embodiment of the application, the method further comprises:
after the application system is successfully authorized, the application system verifies whether the decrypted authorization code is consistent with the target cluster identification information, the client identification information, the application system identification information and the name in the authorization file;
and under the condition that the decrypted authorization code is consistent with the target cluster identification information, the client identification information, the application system identification information and the name in the authorization file, displaying the current application system on the authorization service platform.
In an alternative embodiment of the present application, the license center platform is the central end and at least one target cluster is a remote end; the license center platform is deployed by deploying, for each target cluster, a corresponding file that includes the authorization service platform identification information, the validity period of the application system, the application system identification information and the number of application instances.
In an alternative embodiment of the present application, the license center platform generates the application system authorization code corresponding to the target cluster using an asymmetric encryption algorithm.
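The following is an added worked example, not code from the patent, that carries steps S41, S43 and S44 through in Go (one of the two SDK languages the patent names), together with the private-key decryption of the optional embodiment above and the mismatch and validity-period check described earlier. The patent says only that the code is produced with an asymmetric algorithm and decrypted with a preset private key; the RSA-OAEP encryption to the platform's public key, the Ed25519 signature by the license center (added because encryption alone does not prove who issued the code), the JSON field names and all sample values are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License carries the fields the patent lists for the application system
// authorization code (S41); the same type holds the SDK configuration items the
// application system compares against in S44. Names are this example's choice.
type License struct {
	ClientID   string `json:"cid"` // client identification information
	PlatformID string `json:"pid"` // authorization service platform (target cluster) identification
	NotBefore  int64  `json:"nbf"` // validity period start, unix seconds (zero in configuration items)
	NotAfter   int64  `json:"exp"` // validity period end, unix seconds (zero in configuration items)
	AppID      string `json:"aid"` // application system identification information
	AppName    string `json:"app"` // application system name
	Instances  int    `json:"n"`   // number of application instances
}

// IssueCode is the license center's step (S41): sign the fields with the center's
// Ed25519 key (added here, since public-key encryption alone would let anyone with
// the platform public key forge a code), then encrypt to the platform's RSA key with OAEP.
func IssueCode(centerSK ed25519.PrivateKey, platformPK *rsa.PublicKey, lic License) ([]byte, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return nil, err
	}
	blob := append(ed25519.Sign(centerSK, payload), payload...)
	// One OAEP block holds at most k - 2*hLen - 2 bytes; refuse rather than truncate.
	if limit := platformPK.Size() - 2*sha256.Size - 2; len(blob) > limit {
		return nil, fmt.Errorf("signed payload is %d bytes, OAEP limit is %d", len(blob), limit)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, platformPK, blob, nil)
}

// DecryptCode is the authorization service platform's step (S43): decrypt with the
// preset private key and check the license center's signature before forwarding
// the decrypted code to the application system.
func DecryptCode(platformSK *rsa.PrivateKey, centerPK ed25519.PublicKey, code []byte) (License, error) {
	var lic License
	blob, err := rsa.DecryptOAEP(sha256.New(), nil, platformSK, code, nil)
	if err != nil {
		return lic, fmt.Errorf("decrypt authorization code: %w", err)
	}
	const n = ed25519.SignatureSize
	if len(blob) < n || !ed25519.Verify(centerPK, blob[n:], blob[:n]) {
		return lic, errors.New("authorization code was not issued by the license center")
	}
	if err := json.Unmarshal(blob[n:], &lic); err != nil {
		return License{}, err
	}
	return lic, nil
}

// VerifyAgainstConfig is the application system's check (S44): any single mismatch
// fails; a code outside its validity period is the case that raises the prompt to
// update the validity period.
func VerifyAgainstConfig(lic, cfg License, now time.Time) error {
	switch {
	case lic.ClientID != cfg.ClientID:
		return errors.New("client identification information mismatch")
	case lic.PlatformID != cfg.PlatformID:
		return errors.New("authorization service platform identification mismatch")
	case lic.AppID != cfg.AppID || lic.AppName != cfg.AppName:
		return errors.New("application system identification or name mismatch")
	case lic.Instances != cfg.Instances:
		return errors.New("number of application instances mismatch")
	}
	if t := now.Unix(); t < lic.NotBefore || t > lic.NotAfter {
		return errors.New("outside validity period: update the validity period of the application system")
	}
	return nil
}

func main() {
	// Constructed keys and license values for a stand-alone run.
	centerPK, centerSK, _ := ed25519.GenerateKey(rand.Reader)
	platformSK, _ := rsa.GenerateKey(rand.Reader, 3072)
	lic := License{ClientID: "customer-001", PlatformID: "site-cluster-01", NotBefore: 1716768000,
		NotAfter: 1748304000, AppID: "erp", AppName: "ERP Core", Instances: 8}
	code, err := IssueCode(centerSK, &platformSK.PublicKey, lic)
	if err != nil {
		panic(err)
	}
	got, err := DecryptCode(platformSK, centerPK, code)
	if err != nil {
		panic(err)
	}
	cfg := License{ClientID: "customer-001", PlatformID: "site-cluster-01", AppID: "erp", AppName: "ERP Core", Instances: 8}
	fmt.Println("in period:", VerifyAgainstConfig(got, cfg, time.Unix(1720000000, 0)))
	fmt.Println("expired:", VerifyAgainstConfig(got, cfg, time.Unix(1750000000, 0)))
}
```

The platform keeps only its RSA private key and the license center's public key; the center's signing key never leaves the license center, so a code pasted by the responsible person can be checked for origin before it is forwarded over GRPC. A 3072-bit key is used because the signed payload must fit in a single OAEP block; for longer payloads the usual answer is to wrap a symmetric key instead.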
In an alternative embodiment of the application, the method further comprises:
Each application system separately monitors and collects user authorized access behavior information, constructs an application change set, establishes a distributed blockchain, and generates an access change coefficient from the access change set; if the access change coefficient exceeds the preset change threshold, a first early warning instruction is sent to the authorization service platform; if the access change coefficient is less than or equal to the preset change threshold, a first qualified instruction is sent to the authorization service platform;
an application system authentication procedure is planned using a trained authorization authentication model to obtain a set of verification matching entries, comprising an identity authentication matching entry, a license matching entry, a device management matching entry and a geographic location authentication matching entry, and an information verification coefficient is generated from the matching entry set; if the information verification coefficient is not less than a first threshold, the authorization service platform generates and sends a second qualified instruction; if the information verification coefficient is less than the first threshold, a second early warning instruction is generated;
after the authorization service platform identifies the user's first qualified instruction and second qualified instruction, it judges the priority authorization level and executes authorization actions for the user;
and the corresponding security response strategy is triggered on receipt of the first early warning instruction and the second early warning instruction.
In an alternative embodiment of the application, the method further comprises:
Acquiring user authorized access behavior information, including user login IP, application operation, access content and access traffic information;
summarizing the user access behavior information, extracting the user's access frequency fluctuation value fwbd, access content fluctuation value nrbd, access time fluctuation value sjbd, access right fluctuation value qxbd and access device fluctuation value sbbd, and deriving the access variation ratio and the time interval ratio to construct the application variation set; the access variation ratio is generated by the following formula:
where the listed coefficients are the preset scaling factors of the access frequency fluctuation value fwbd, the access content fluctuation value nrbd, the access time fluctuation value sjbd, the access right fluctuation value qxbd and the access device fluctuation value sbbd, and the remaining term is a constant correction coefficient.
In an alternative embodiment of the application, the time interval ratio is generated by the following formula:
where the interval term denotes the time interval between the user's j-th and (j+1)-th accesses and m is the user's total number of accesses; all of the user's access time intervals are computed to obtain the user's time interval ratio.
In an alternative embodiment of the application, after dimensionless processing of the access variation ratio and the time interval ratio, the corresponding data values are mapped onto a common interval, and the access change coefficient is then generated according to the following formula:
where the two mean terms are the preset mean of the access variation ratio and the preset mean of the time interval ratio, N is the number of access behavior records (a positive integer greater than 1), and the remaining two terms are weight values.
In the authorization client instance management method disclosed by the invention, based on multi-level authorization technology, a GRPC channel is established between the authorization client SDK and the authorization service platform, so that automatic discovery of the application system and automatic parsing and verification of the authorization file are realized. The authorization client SDK supports the two development languages JAVA and GoLang, can be extended through secondary development according to actual business scenario requirements, and meets the multi-level authorization requirements of various core business scenarios; the method is suitable for application systems developed within enterprises and has strong applicability and extensibility.
In the authorization client instance management method, based on authorized instance resource pooling technology, for an application system that operates its business by creating instance resources, the authorization client automatically obtains an instance authorization code from the authorization service platform when an instance is created and verifies whether the number of instances exceeds the authorization limit: if it does, creation cannot proceed; if it is within the limit, creation continues. In addition, in the instance resource pool required by an application deployed in a clustered environment, flexible scheduling of instances is supported: within the limited number of instances, instances are created, returned and re-created, and the instance authorization codes are updated synchronously.
In the authorization client instance management method disclosed by the invention, multi-level authorization technology is adopted and the core business logic is implemented in the authorization service client SDK, so that offline authorization and authorization information of multiple products under different project environments are managed uniformly; the method can therefore provide multi-level protection for independently developed application software in the non-internet environment of a classified unit, realizing advance authorization, security protection and resource limitation.
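As an added example (not the patent's own code), the instance pool below models the authorization service platform's side of the instance resource pooling just described and of claims 1 and 2: available instances are the preset number minus the number created, each created instance gets its own instance authorization code, a returned instance is revoked at once and a re-created one gets a fresh code, and exhaustion is answered with nothing. The HMAC-SHA256 construction of the instance authorization code, the platform key and the application identifier are assumptions; the patent does not specify how instance authorization codes are formed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// InstancePool is the authorization service platform's pool for one application
// system: the preset instance limit granted by the application system
// authorization code, and one instance authorization code per live instance.
type InstancePool struct {
	mu     sync.Mutex
	appID  string
	limit  int               // preset number of instances
	key    []byte            // platform MAC key (assumed; the patent does not say how codes are formed)
	live   map[string]uint64 // live instance ID -> serial used in its current code
	serial uint64            // grows on every creation, so a re-created instance gets a fresh code
}

func NewInstancePool(appID string, limit int, key []byte) *InstancePool {
	return &InstancePool{appID: appID, limit: limit, key: key, live: map[string]uint64{}}
}

// Available is claim 2: preset number of instances minus the number actually created.
func (p *InstancePool) Available() int {
	p.mu.Lock()
	defer p.mu.Unlock()
	return p.limit - len(p.live)
}

// instanceCode binds an instance ID and serial to this application under the platform key.
func (p *InstancePool) instanceCode(id string, serial uint64) string {
	mac := hmac.New(sha256.New, p.key)
	fmt.Fprintf(mac, "%s|%s|%d", p.appID, id, serial)
	return id + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Create handles an instance creation request. ok == false models the patent's
// "no response" when no instance is available: nothing is issued, and the
// caller is expected to time out rather than wait for an answer.
func (p *InstancePool) Create() (instanceID, code string, ok bool) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.limit-len(p.live) <= 0 {
		return "", "", false
	}
	var raw [8]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", "", false
	}
	p.serial++
	instanceID = p.appID + "-" + hex.EncodeToString(raw[:])
	p.live[instanceID] = p.serial
	return instanceID, p.instanceCode(instanceID, p.serial), true
}

// Release returns an instance to the pool. Its code is revoked at once; a later
// Create reuses the slot but never the code (instance return and re-creation).
func (p *InstancePool) Release(instanceID string) error {
	p.mu.Lock()
	defer p.mu.Unlock()
	if _, found := p.live[instanceID]; !found {
		return errors.New("unknown or already released instance")
	}
	delete(p.live, instanceID)
	return nil
}

// Verify checks that a presented instance authorization code belongs to a live
// instance of this application and has not been altered.
func (p *InstancePool) Verify(code string) bool {
	p.mu.Lock()
	defer p.mu.Unlock()
	id, _, found := strings.Cut(code, ".")
	if !found {
		return false
	}
	serial, live := p.live[id]
	return live && hmac.Equal([]byte(code), []byte(p.instanceCode(id, serial)))
}

func main() {
	// Constructed values: a limit of 2 instances and a platform key for a stand-alone run.
	pool := NewInstancePool("erp", 2, []byte("constructed-platform-key"))
	id1, code1, _ := pool.Create()
	_, code2, _ := pool.Create()
	_, _, ok := pool.Create()
	fmt.Println("third create answered:", ok, "available:", pool.Available())
	fmt.Println("codes valid:", pool.Verify(code1), pool.Verify(code2))
	_ = pool.Release(id1)
	_, code3, _ := pool.Create()
	fmt.Println("old code valid:", pool.Verify(code1), "new code valid:", pool.Verify(code3))
}
```

Because the platform gives no response when the quota is exhausted, the authorization client must send the creation request with a deadline (a GRPC context deadline, for example) and treat a timeout as denial rather than retrying without bound. Keying the code to a per-creation serial is what makes "instance authorization codes are updated synchronously" hold: a returned instance's code stops verifying the moment the slot is released, even if the same slot is filled again.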
It should be understood that, although the steps in the flowchart are shown in the sequence indicated by the arrows, they are not necessarily performed in that sequence. Unless explicitly stated herein, the order of execution is not strictly limited and the steps may be performed in other orders. Moreover, at least some of the steps in the figures may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the order in which those sub-steps or stages are performed is not necessarily sequential; they may be performed alternately with at least part of the sub-steps or stages of other steps.
Referring to fig. 5, one embodiment of the present application provides an authorization client instance management system, including:
The authorization client is used for sending an instance creation request to the authorization service platform, receiving an instance authorization code and creating an instance in the application system, wherein the authorization client is implanted in the application system, and the application system and the authorization service platform are deployed in the same cluster environment;
The authorization service platform is connected with the authorization client and is used for receiving an instance creation request, determining whether the number of available instances is 0, generating instance authorization codes and sending the instance authorization codes to the authorization client under the condition that the number of available instances is not 0, wherein each instance corresponds to one instance authorization code; in the case where the number of available instances is 0, there is no response.
In an alternative embodiment of the present application, the authorization client instance management system further includes:
The license center platform is used for generating an application system authorization code corresponding to the target cluster, wherein the application system authorization code is generated according to client identification information, authorization service platform identification information, the effective period of an application system, application system identification information and names and the number of application instances, an authorization client SDK is implanted in the application system information, and the application system information comprises identification information and names of the application system;
The target cluster, in which a preset application system and the authorization service platform are deployed; the application system parses the configuration item information of the authorization client SDK, checks the decrypted authorization code against the configuration item information, and determines that the application system is authorized once verification passes, so that the application system is allowed to log in and use instances, where the application system communicates with the deployed authorization service platform over the GRPC protocol;
The authorization service platform is deployed in the target cluster, is also used for acquiring the authorization code of the application system, decrypting the authorization code of the application system, obtaining the decrypted authorization code and sending the decrypted authorization code to the application system.
For specific limitations of the authorization client instance management system described above, reference may be made to the limitations of the method described above, and no further description is given here. The various modules in the above-described authorization client instance management system may be implemented in whole or in part in software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (8)
1. A method for managing instances of an authorized client, comprising:
The method comprises the steps that an authorization client sends an instance creation request to an authorization service platform, wherein the authorization client is implanted into an application system, and the application system and the authorization service platform are deployed in the same cluster environment;
the method comprises the steps that an authorization service platform receives an instance creation request, determines whether the number of available instances is 0, generates instance authorization codes under the condition that the number of available instances is not 0, and sends the instance authorization codes to an authorization client, wherein each instance corresponds to one instance authorization code; in the case where the number of available instances is 0, there is no response;
The authorization client receives the instance authorization code, creates an instance in the application system,
Wherein the method further comprises:
Each application system separately monitors and collects user authorized access behavior information, constructs an application change set, establishes a distributed blockchain, and generates an access change coefficient from the access change set; if the access change coefficient exceeds the preset change threshold, a first early warning instruction is sent to the authorization service platform; if the access change coefficient is less than or equal to the preset change threshold, a first qualified instruction is sent to the authorization service platform;
an application system authentication procedure is planned using a trained authorization authentication model to obtain a set of verification matching entries, comprising an identity authentication matching entry, a license matching entry, a device management matching entry and a geographic location authentication matching entry, and an information verification coefficient is generated from the matching entry set; if the information verification coefficient is not less than a first threshold, the authorization service platform generates and sends a second qualified instruction; if the information verification coefficient is less than the first threshold, a second early warning instruction is generated;
after the authorization service platform identifies the user's first qualified instruction and second qualified instruction, it judges the priority authorization level and executes authorization actions for the user;
when the first early warning instruction and the second early warning instruction are received, the corresponding security response strategy is triggered,
Wherein the method further comprises:
acquiring user authorized access behavior information, including user login IP, application operation, access content and access traffic information;
summarizing the user access behavior information, extracting the user's access frequency fluctuation value fwbd, access content fluctuation value nrbd, access time fluctuation value sjbd, access right fluctuation value qxbd and access device fluctuation value sbbd, and deriving the access variation ratio and the time interval ratio to construct the application variation set; the access variation ratio is generated by the following formula:
;
where the listed coefficients are the preset scaling factors of the access frequency fluctuation value fwbd, the access content fluctuation value nrbd, the access time fluctuation value sjbd, the access right fluctuation value qxbd and the access device fluctuation value sbbd, and the remaining term is a constant correction coefficient.
2. The method of claim 1, wherein determining whether the number of available instances is 0 comprises:
comparing the preset number of instances with the number of actual instances created; when the number of created instances is smaller than the preset number of instances, the number of available instances is determined not to be 0; when the number of created instances equals the preset number of instances, the number of available instances is determined to be 0.
3. The method of claim 1, wherein prior to the authorization client sending the instance creation request to the authorization service platform, the method further comprises:
The authorization service platform acquires the authorization code of the application system, decrypts the authorization code of the application system, acquires the decrypted authorization code and sends the decrypted authorization code to the application system;
the application system analyzes the configuration item information of the SDK of the authorization client to obtain the configuration item information, checks the decrypted authorization code and the configuration item information, and determines that the authorization of the application system is successful after the verification is passed.
4. The method of claim 3, wherein the application system authorization code is generated by the license center platform from the client identification information, the authorization service platform identification information, the validity period of the application system, the application system identification information and name, and the number of application instances.
5. A method according to claim 3, wherein the application system communicates with the deployment authorization service platform via a GRPC protocol.
6. The method of claim 1, wherein the time interval ratio is generated by the following formula:
;
where the interval term denotes the time interval between the user's j-th and (j+1)-th accesses and m is the user's total number of accesses; all of the user's access time intervals are computed to obtain the user's time interval ratio.
7. The method of claim 6, wherein, after dimensionless processing of the access variation ratio and the time interval ratio, the corresponding data values are mapped onto a common interval, and the access change coefficient is then generated according to the following formula:
;
where the two mean terms are the preset mean of the access variation ratio and the preset mean of the time interval ratio, N is the number of access behavior records (a positive integer greater than 1), bd_i is the access variation ratio of the i-th access behavior record, and the remaining two terms are weight values.
8. An authorization client instance management system, comprising:
The authorization client is used for sending an instance creation request to the authorization service platform, receiving an instance authorization code and creating an instance in the application system, wherein the authorization client is implanted in the application system, and the application system and the authorization service platform are deployed in the same cluster environment;
The authorization service platform is connected with the authorization client and is used for receiving an instance creation request, determining whether the number of available instances is 0, generating instance authorization codes and sending the instance authorization codes to the authorization client under the condition that the number of available instances is not 0, wherein each instance corresponds to one instance authorization code; in the case where the number of available instances is 0, no response,
each application system separately monitors and collects user authorized access behavior information, constructs an application change set, establishes a distributed blockchain, and generates an access change coefficient from the access change set; if the access change coefficient exceeds the preset change threshold, a first early warning instruction is sent to the authorization service platform; if the access change coefficient is less than or equal to the preset change threshold, a first qualified instruction is sent to the authorization service platform;
an application system authentication procedure is planned using a trained authorization authentication model to obtain a set of verification matching entries, comprising an identity authentication matching entry, a license matching entry, a device management matching entry and a geographic location authentication matching entry, and an information verification coefficient is generated from the matching entry set; if the information verification coefficient is not less than a first threshold, the authorization service platform generates and sends a second qualified instruction; if the information verification coefficient is less than the first threshold, a second early warning instruction is generated;
after the authorization service platform identifies the user's first qualified instruction and second qualified instruction, it judges the priority authorization level and executes authorization actions for the user;
when the first early warning instruction and the second early warning instruction are received, the corresponding security response strategy is triggered,
acquiring user authorized access behavior information, including user login IP, application operation, access content and access traffic information;
summarizing the user access behavior information, extracting the user's access frequency fluctuation value fwbd, access content fluctuation value nrbd, access time fluctuation value sjbd, access right fluctuation value qxbd and access device fluctuation value sbbd, and deriving the access variation ratio and the time interval ratio to construct the application variation set; the access variation ratio is generated by the following formula:
;
where the listed coefficients are the preset scaling factors of the access frequency fluctuation value fwbd, the access content fluctuation value nrbd, the access time fluctuation value sjbd, the access right fluctuation value qxbd and the access device fluctuation value sbbd, and the remaining term is a constant correction coefficient.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202410659208.8A CN118245991B (en) | 2024-05-27 | 2024-05-27 | Method and system for managing authorized client instance
Publications (2)

Publication Number | Publication Date
---|---
CN118245991A (en) | 2024-06-25
CN118245991B (en) | 2024-09-17
Family
ID=91551381
Family Applications (1)

Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN202410659208.8A Active CN118245991B (en) | Method and system for managing authorized client instance | 2024-05-27 | 2024-05-27
Country Status (1)

Country | Link
---|---
CN | CN118245991B (en)
Citations (1)

Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN106371873A (en) * | 2016-08-31 | 2017-02-01 | 苏州蓝海彤翔系统科技有限公司 | Application starting request processing method and system and server
Family Cites Families (2)

Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US10812462B2 (en) * | 2019-01-08 | 2020-10-20 | Servicenow, Inc. | Session management for mobile devices
CN115037547B (en) * | 2022-06-22 | 2024-04-05 | 北京天拓四方科技有限公司 | Software authorization method and system
Legal Events

Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |