Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The flow diagrams depicted in the figures are merely illustrative and not necessarily all of the elements and operations/steps are included or performed in the order described. For example, some operations/steps may be further divided, combined, or partially combined, so that the order of actual execution may be changed according to actual situations.
It is to be understood that the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that, in order to clearly describe the technical solutions of the embodiments of the present application, in the embodiments of the present application, the words "first", "second", etc. are used to distinguish identical items or similar items having substantially the same function and effect. For example, the first data and the second data are merely for distinguishing different data, and the order thereof is not limited. It will be appreciated by those of skill in the art that the words "first," "second," and the like do not limit the amount and order of execution, and that the words "first," "second," and the like do not necessarily differ.
It should also be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Some embodiments of the present application are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
With the rapid development of cloud technology, new scenarios and business forms such as cloud ecosystems, cloud computing and cloud applications keep emerging. In the fields of financial technology and medical health care in particular, cloud infrastructure is gradually becoming a key enabler of industry informatization, but it also brings brand new problems and challenges. For example, in the field of financial cloud services, with the rapid progress of financial technology and the continuous growth of the user base, cloud applications are becoming larger in scale and more diverse in order to meet diversified business and service needs, and various data sources are used more and more frequently. In important scenarios such as open banking, high-frequency trading and compliance monitoring in particular, multi-source heterogeneous cloud data, including market quotations, order streams, institutional research, risk control models and statistical data, must be called quickly. Such cloud data are often stored in databases of different brands, different systems and different versions, located in different data centers, and require different security systems and authority IDs, different transmission bandwidths and different operating methods. The traditional technical scheme of caching and preprocessing the data in advance not only incurs high costs for local storage and communication equipment, but also makes the business itself slow, makes the IT infrastructure too complex, makes iterative development of the data management system difficult, and still less supports rapid development of applications on the cloud.
For another example, in the medical health care fields of telemedicine, health management, electronic medical records, medical image storage and transmission, intelligent diagnosis guidance and the like, along with the rapid progress of technologies such as artificial intelligence, computer vision and data management systems, doctors, patients and hospital managers provide abundant data such as diagnoses, pathology and cases, and place higher requirements on the security, integration and convenience of cloud applications, so that the data throughput of cloud infrastructure gradually increases. However, owing to the security management and privacy protection requirements of medical data such as medical insurance data, medical records and patient information, the data are often stored in databases of different brands, different systems and different versions, located in different data centers, so that huge multi-source heterogeneous data sets are formed.
In order to meet the requirements of compliance and data security and ensure efficient and stable operation of IT infrastructure such as cloud services, research and development, operation and maintenance or business departments need to regularly replace the passwords of the data sources used by cloud applications. According to the traditional password replacement scheme, cloud application developers, operators or users have to cooperate and manually update the user information periodically so that the application can keep working. However, manual input by personnel not only consumes manpower and material resources, but also easily introduces errors in the information, which in turn causes system failures, service downtime, complex flows, low efficiency and resource waste, affects the safe and stable operation of system services, reduces the efficiency of development iteration, business service and management operation and maintenance, and, given the nature of financial services, may have negative social consequences. Unlike the static password management of the traditional centralized Management Information System (MIS), password security management for cloud applications and cloud data has become a highly dynamic and urgent requirement, and manual password management can hardly satisfy the technical requirements of data managers, developers and even end users for dynamic management of rights. Automatically calling and configuring the updated password for different cloud applications has therefore become an urgent requirement.
In addition, because of the diversity in scale and deployment conditions of cloud service systems, different management rights need to be given to different control end users, in order to meet the requirements of hierarchical management and network security and to prevent system downtime, data leakage or abnormal service caused by a control end user without rights deliberately exploiting a management vulnerability by configuring a wrong data source password. Multi-source, distributed data security management is a realistic option for regulatory approval and requirements as well as for practical security and economic needs. However, as the size of multi-source heterogeneous data increases, if fast dynamic management of rights cannot be achieved, the accuracy of data calls by cloud applications may be affected. For example, data source A and data source B are in a first time zone and data source C is in a second time zone; because the conventional serial authentication scheme takes a long time, when data source C updates its password the cloud application may still be waiting for the authentication of data source B, so it is difficult to update the password of data source C in time and the data of data source C cannot be called. For another example, when hundreds of A data sources and hundreds of B data sources need to be used and three or four of them update their passwords, under the traditional serial authority authentication scheme the cloud application cannot obtain the data of all data sources in one request, which affects the accuracy of the cloud application's data calls and the normal operation of cloud applications in fields such as financial technology and intelligent medical treatment.
How to achieve quick dynamic management of authority so that the accuracy of the cloud application's data calls can be ensured has therefore become a problem.
In addition, the devices of an existing cloud service system need to communicate with each other according to a specific rule or protocol. To acquire information carrying a password safely, reliably, smoothly and efficiently, the information to be called should be matched and checked against its related attribute information before it is called, so as to reduce parsing errors and password errors caused by inconsistent attributes.
In addition, an existing cloud service system may be deployed on various computer devices and run related software systems of different versions. Different operating systems of different versions, different computer languages and different kinds of computer devices may have different encryption and decryption tool classes, and the most suitable encryption and decryption tool class should be called according to the situation. This on the one hand improves the operating efficiency of the computer and reduces the risk of errors, and on the other hand avoids choosing an unsuitable password parsing method, so that the password call and automatic configuration tasks are completed smoothly.
In addition, on an existing middleware software platform, when a data source is configured for an application, the password is entered manually on the console; it is easy to enter it incorrectly, the data source password is masked as it is typed, and the user does not necessarily know what password text was actually entered once input is complete. If the data source password configuration is carried out once for each application, and each application needs to connect to several databases, the total number of database user names and passwords increases, so the number of people who hold database passwords increases, which is not only unsafe but also creates a hidden risk of leakage.
In order to solve the above problems, the embodiment of the application provides a password calling method. Referring to fig. 1, fig. 1 is a schematic flowchart illustrating steps of a password call method according to an embodiment of the application.
As shown in fig. 1, the password call method specifically includes steps S101 to S105.
S101, acquiring a password call instruction.
The password call can be performed for cloud application, container instance, micro service or API interface, and related password call instructions are obtained.
Illustratively, the password call instruction may be obtained using a command line tool, a telnet tool, a file transfer protocol, a Web console, an API, a graphical interface, and the like.
For example, the Web console interface of the cloud application into which the new password is to be entered may at least include cloud application name information, a password input box and a "get password" button; when the user clicks the "get password" button, the system obtains the user's password call instruction and automatically fills the password into the corresponding password input box.
Referring to fig. 2, fig. 2 is a schematic diagram illustrating a method for generating a password call instruction according to an embodiment of the application. As shown in fig. 2, the method for generating the password call instruction may include at least steps S101a to S101c, and may be used to implement step S101 described above.
S101a, acquiring control end user name information and control end user password information.
The control end user password information input by the user can at least comprise a static password and a dynamic password, and the dynamic password can at least comprise a preset mobile phone number or a verification code received by a mailbox.
The control end user login interface is displayed, wherein the control end user login interface comprises a user name input box, a password input box and a login confirmation button, a user can input control end user name information in the user name input box, input control end user password information in the password input box and click the login confirmation button, and the system obtains the control end user name information and the control end user password information which are input by the user.
S101b, determining the authorization condition of the control end user according to the control end user name information and the control end user password information.
The authorization condition of the control end user may at least include two conditions of "the user is authorized to login" and "the user is not authorized to login", and may also include information of the data source that the user is authorized to manage, for example, a list of data sources that the user can manage.
S101c, generating a password call instruction according to the authorization condition of the control end user.
The authorization status may include, among other things, information about the data sources that the user has rights to manage, such as a list of data sources that the user is able to manage.
If the authorization condition of the control end user is normal, a data source list in the management authority range of the control end user is obtained, and a corresponding password calling instruction is generated according to the data source list, wherein the password calling instruction is used for calling the passwords of the data sources in the data source list.
It can be understood that by generating the password call instruction according to the authorization condition of the control end user, the security risks such as password call override, data leakage and the like can be avoided, and the data security is ensured.
It will be further appreciated that the password call instruction may be directed to a single data source, to multiple data sources, or to all or part of the data sources corresponding to a particular application.
Referring to fig. 3, fig. 3 is a schematic diagram illustrating a method for generating a password call instruction according to another embodiment of the present application. As shown in fig. 3, the method for generating the password call instruction may include at least steps S101d to S101e, and may be used to implement step S101 described above.
S101d, acquiring the current time and a preset password call plan.
The password call plan may include at least a preset password call time.
For example, a current time and a preset password call plan may be obtained, where the preset password call plan includes a preset password call time, and the password call time is a time period for allowing password call.
Further, the password call time may be a password call time under a specified condition, for example, the time allowed for performing the password call is one hour after the system finishes replacing the data source password.
It can be understood that by acquiring the preset password call plan, the subsequent password call operation can be prevented from conflicting with the password update operation of the data end manager, and the problems of access conflict, update failure, password call error, password data damage and the like are reduced.
S101e, if the current time is the preset password call time, generating and obtaining a password call instruction.
For example, if the current time is one hour after the system finishes replacing the data source password, that is, within a preset password calling time range, a password calling instruction is generated.
For example, the password call instruction may be generated only for the portion of the data sources whose password replacement has been completed: if the current time is one hour after the first data source finished replacing its password but only twenty minutes after the second data source finished replacing its password, and the preset password call time range begins one hour after a data source finishes replacing its password, the generated password call instruction calls only the password of the first data source.
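The two ways of generating the password call instruction described under S101a to S101e, combined in one added example (this is illustrative code, not code from the application): the control end user is authorized against a constructed user directory, and the instruction then covers only the data sources in that user's management range whose password replacement finished at least one hour before the current time. The user directory, the replacement log and the one-hour delay are assumptions.

```python
import hmac
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed control end user directory. A production system would store a
# password hash and deliver the dynamic code by SMS or mailbox; both are assumed here.
CONTROL_USERS: Dict[str, dict] = {
    "ops_admin": {"static": "S3cret!", "dynamic": "482913", "sources": ["ds_A", "ds_B", "ds_C"]},
    "dev_user": {"static": "devpass", "dynamic": "115522", "sources": ["ds_A"]},
}

# Constructed password replacement log: data source -> time its replacement finished.
LAST_REPLACED: Dict[str, datetime] = {
    "ds_A": datetime(2024, 1, 1, 10, 30),
    "ds_B": datetime(2024, 1, 1, 11, 40),
    "ds_C": datetime(2024, 1, 1, 11, 0),
}


def authorize(user: str, static_pw: str, dynamic_pw: str) -> Optional[List[str]]:
    """S101a/S101b: return the data source list in the user's management range,
    or None when the user is not authorized to log in."""
    record = CONTROL_USERS.get(user)
    if record is None:
        return None
    # Constant-time comparison of both factors; neither result short-circuits the other.
    static_ok = hmac.compare_digest(static_pw.encode(), record["static"].encode())
    dynamic_ok = hmac.compare_digest(dynamic_pw.encode(), record["dynamic"].encode())
    return list(record["sources"]) if (static_ok and dynamic_ok) else None


def in_call_window(now: datetime, replaced_at: datetime,
                   delay: timedelta = timedelta(hours=1)) -> bool:
    """S101d/S101e: the password call is allowed from `delay` after the replacement finished."""
    return now >= replaced_at + delay


def generate_call_instruction(user: str, static_pw: str, dynamic_pw: str, now: datetime,
                              last_replaced: Dict[str, datetime] = LAST_REPLACED,
                              delay: timedelta = timedelta(hours=1)) -> Optional[dict]:
    """S101c: build the instruction only for authorized sources inside their call window."""
    sources = authorize(user, static_pw, dynamic_pw)
    if sources is None:
        return None  # not authorized: no instruction, so no password is ever called
    targets = [s for s in sources
               if s in last_replaced and in_call_window(now, last_replaced[s], delay)]
    return {"control_user": user, "data_sources": targets, "issued_at": now.isoformat()}
```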
S102, acquiring configuration information according to the password call instruction.
The configuration information may include data source attribute information and encryption and decryption tool class information.
Illustratively, the encryption and decryption tool class information may include encryption and decryption functions of AES, RSA, or Base64, and associated key pair generation and verification functions. The encryption and decryption tool class information can also comprise class paths and class names to which related functions belong.
For example, if a server such as CyberArk is used as a platform for storing and managing related passwords, the configuration information may include basic configuration information of the server such as CyberArk, a class path and a class name of the encryption and decryption tool class.
It can be understood that the configuration information can specify a particular encryption and decryption tool class through the encryption and decryption tool class information according to the actual situation of the data source, for example the go-crypto library of Golang, the cryptography package of Python, CryptoJS for JavaScript, or those of Java.
Further, the data source attribute information may further include one or more of file format information, database type information, and data source user name information.
It can be appreciated that by obtaining the data source attribute information, the subsequent steps of verifying the consistency according to the data source attribute information, obtaining the encrypted password information and the signature information thereof can be facilitated.
It is further understood that the manner in which the configuration information is obtained may include locally obtaining a relevant cache, sending a configuration information obtaining request to a data source or to a system control platform, and so forth.
S103, acquiring encrypted password information and signature thereof according to the data source attribute information.
Wherein the data source attribute information further includes one or more of file format information, database type information, and data source user name information.
Step S103 comprises obtaining application end attribute information, determining a consistency check result according to the control end user name information, the application end attribute information and the data source attribute information, and, if the consistency check result is passed, calling an interface or copying a file to obtain the encrypted password information and its signature.
The application end attribute information comprises file format requirement information and database type requirement information, and the consistency check result comprises one or more of: whether the control end user name information corresponds to the data source user name information, whether the file format requirement information corresponds to the file format information, and whether the database type requirement information corresponds to the database type information.
Furthermore, the encrypted password information and signature thereof and other information can be obtained by utilizing a binary stream mode, so that the data damage caused by forced analysis is avoided.
S104, checking the signature according to the encryption and decryption tool information to obtain a checking result.
For example, if the configuration information includes a public key, the public key for verifying the signature may be obtained according to the configuration information, and the signature may be decrypted and verified according to the public key to obtain the verification result.
Further, after the signature is verified according to the encryption and decryption tool information to obtain a verification result, if the verification result is not passed, the password, the encrypted password information and the signature thereof are cleared, and prompt information is generated and used for prompting password call failure.
The prompt information may further include a prompt for a specific call failure reason, such as a failure code number.
It can be understood that when the verification result is that the password fails, the password, the encrypted password information and the signature thereof are cleared in time, so that the risk of data leakage can be effectively reduced, and a hacker is prevented from acquiring the password of the data source through the residual information in the device.
And S105, if the verification result is passed, decoding the encrypted password information according to the encryption and decryption tool information to obtain the password.
The data source attribute information also comprises version information of the data source server, a decryption tool can be determined according to the encryption and decryption tool class information and the version information of the data source server, and the encrypted password information is decoded by using the decryption tool to obtain a password.
For example, the encryption and decryption tool may be determined according to the version of the password management server: if the password management server used is CyberArk 4.0, the signature is verified using the SHA256 algorithm and the password is obtained by decrypting with the SM2 algorithm.
After the password is obtained, the data source is connected according to the password to obtain a data source connection result. If the data source connection result is failure, the password, the encrypted password information and its signature are cleared, and prompt information is generated to indicate that the password call has failed.
The prompt information may further include a prompt for a specific call failure reason, such as a failure code number.
It can be understood that by attempting to connect to the data source immediately after the encrypted password information has been decoded according to the encryption and decryption tool information, the user becomes aware in advance of incorrect encrypted password information or signatures in the configuration information and can give feedback or retry the call in time, so that problems, risks and software or hardware faults are exposed early and the efficient, safe and stable operation and maintenance of the system are ensured.
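Steps S103 to S105 and the connection check, as one added example (illustrative code, not the application's own): the consistency check of S103, a tool class registry keyed by tool class name and data source server version as in S105, signature verification, decoding, the connection attempt, and clearing of the password material on every failure path. Because the RSA, SM2 and AES tool classes named on the page need third-party libraries, HMAC-SHA256 and Base64 stand in for the verify and decode functions; the registry entries, failure codes, fetch stand-in and the shared verification key are all assumptions.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict, Tuple

# Constructed shared key standing in for the verification key the configuration
# information would supply (a public key in the RSA/SM2 case).
DEMO_VERIFY_KEY = b"demo-verify-key"


def hmac_sha256_verify(key: bytes, data: bytes, signature: bytes) -> bool:
    """Signature check with a constant-time comparison (stand-in for SHA256/RSA or SM2)."""
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), signature)


def base64_decode(data: bytes) -> bytearray:
    """Decoding step (stand-in for the page's decryption); bytearray so it can be zeroed."""
    return bytearray(base64.b64decode(data, validate=True))


# Tool class registry keyed by (tool class name, data source server version), as in
# S105 where the decryption tool depends on both. The single entry is constructed.
TOOL_CLASSES: Dict[Tuple[str, str], Tuple[Callable, Callable]] = {
    ("demo.tools.HmacB64", "demo-1.0"): (hmac_sha256_verify, base64_decode),
}


def check_consistency(control_user: str, app_attr: dict, ds_attr: dict) -> bool:
    """S103: control end user name, file format and database type must all correspond."""
    return (
        hmac.compare_digest(control_user.encode(), ds_attr["user"].encode())
        and app_attr["file_format_req"] == ds_attr["file_format"]
        and app_attr["db_type_req"] == ds_attr["db_type"]
    )


def fetch_encrypted_password(ds_name: str) -> Tuple[bytearray, bytearray]:
    """Constructed stand-in for calling the password server interface or copying the file."""
    blob = base64.b64encode(b"pw-for-" + ds_name.encode())
    return bytearray(blob), bytearray(hmac.new(DEMO_VERIFY_KEY, blob, hashlib.sha256).digest())


def clear(*buffers: bytearray) -> None:
    """Overwrite password material in place so nothing usable is left behind on failure."""
    for buf in buffers:
        for i in range(len(buf)):
            buf[i] = 0


def call_password(control_user: str, app_attr: dict, config: dict,
                  connect: Callable[[str, bytes], bool],
                  fetch: Callable[[str], Tuple[bytearray, bytearray]] = fetch_encrypted_password) -> dict:
    """S103-S105 plus the connection check; every failure returns a prompt with a failure code."""
    ds_attr, tool = config["data_source"], config["tool_class"]
    if not check_consistency(control_user, app_attr, ds_attr):
        return {"ok": False, "prompt": "password call failed", "code": "E_CONSIST"}
    blob, sig = fetch(ds_attr["name"])
    pair = TOOL_CLASSES.get((tool["class_name"], ds_attr["server_version"]))
    if pair is None:  # no suitable tool class for this server version
        clear(blob, sig)
        return {"ok": False, "prompt": "password call failed", "code": "E_TOOL"}
    verify, decode = pair
    if not verify(DEMO_VERIFY_KEY, bytes(blob), bytes(sig)):  # S104
        clear(blob, sig)
        return {"ok": False, "prompt": "password call failed", "code": "E_SIGN"}
    password = decode(bytes(blob))  # S105
    if not connect(ds_attr["name"], bytes(password)):
        clear(blob, sig, password)
        return {"ok": False, "prompt": "password call failed", "code": "E_CONNECT"}
    return {"ok": True, "password": bytes(password)}
```

Note that Python cannot scrub immutable `str`/`bytes` objects, which is why the buffers are `bytearray`; the returned `bytes` copy is the caller's to dispose of.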
By using the configuration information to obtain the encrypted password information and its signature, the method performs password calls efficiently, accurately and flexibly according to the requirements of various cloud applications and data authority configurations, so that user information input is completed quickly and the working efficiency of development, iteration and safe operation and maintenance is improved. By verifying the signature and decoding the encrypted password information with the encryption and decryption tool information, illegal tampering of information and calls of incorrect information are effectively prevented, and the safety and stability of system operation are guaranteed. Obtaining the encrypted password information and its signature from the configuration information also makes parallel authority authentication and data extraction for multiple heterogeneous data sources possible, avoids the delay caused by the traditional serial connection of data sources, and improves the efficiency and effectiveness of authority authentication and data extraction.
The embodiment of the application provides a password call method that avoids the risks and problems caused by manual input of user information. By obtaining the encrypted password information and its signature from the configuration information, it can efficiently and accurately call passwords for multiple applications, thereby quickly completing user information input and improving the working efficiency of development, iteration and safe operation and maintenance; by verifying the signature and decoding the encrypted password information with the encryption and decryption tool information, it effectively prevents information from being illegally tampered with or incorrect information from being called. The password call method further updates the application's data source password in a fine-grained way, by timing, by specified conditions, and by determining the update object according to the authorization range, which ensures efficient, safe and stable system operation and maintenance and facilitates management; by clearing the relevant information in time when a password call fails, it raises the data security level of the method and effectively reduces the leakage risk of the related data.
Fig. 4 is a schematic structural diagram of a password call device according to an embodiment of the present application, where the password call device is configured to execute the foregoing password call method. The password calling device can be configured on a terminal or a server.
As shown in fig. 4, the password invoking device 100 includes an instruction acquisition module 101, a configuration acquisition module 102, an information acquisition module 103, an information verification module 104, and an information decoding module 105.
An instruction acquisition module 101, configured to acquire a password call instruction;
The configuration acquisition module 102 is configured to acquire configuration information according to a password call instruction, where the configuration information includes data source attribute information and encryption and decryption tool class information;
An information obtaining module 103, configured to obtain encrypted password information and a signature thereof according to the attribute information of the data source;
The information verification module 104 is configured to verify the signature according to the encryption and decryption tool information to obtain a verification result;
And the information decoding module 105 is configured to decode the encrypted password information according to the encryption and decryption tool information to obtain a password if the verification result is passed.
In some embodiments, the password call device 100 may further include a password authentication module. The password verification module can be used for decoding the encrypted password information according to the encryption and decryption tool information to obtain a password, connecting a data source according to the password to obtain a data source connection result, and clearing the password, the encrypted password information and the signature thereof if the data source connection result is failure, so as to generate prompt information which is used for prompting password call failure.
It should be noted that, for convenience and brevity of description, the specific working process of the apparatus and each module described above may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
The apparatus described above may be implemented in the form of a computer program which is executable on a computer device as shown in fig. 5.
Referring to fig. 5, fig. 5 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device may be a server. With reference to FIG. 5, the computer device includes a processor, memory, and a network interface connected by a system bus, where the memory may include a non-volatile storage medium and an internal memory.
The non-volatile storage medium may store an operating system and a computer program. The computer program comprises program instructions that, when executed, cause a processor to perform any of the password call methods of the present application.
The processor is used to provide computing and control capabilities to support the operation of the entire computer device.
The internal memory provides an environment for the execution of the computer program in the non-volatile storage medium which, when executed by the processor, causes the processor to perform any one of the password call methods.
The network interface is used for network communication such as transmitting assigned tasks and the like. It will be appreciated by those skilled in the art that the structure shown in FIG. 5 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
It should be appreciated that the processor may be a central processing unit (Central Processing Unit, CPU), or may be another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
Wherein in one embodiment the processor is configured to run a computer program stored in the memory to implement the steps of:
The steps comprise obtaining a password call instruction, obtaining configuration information according to the password call instruction, obtaining encrypted password information and its signature according to the data source attribute information, verifying the signature according to the encryption and decryption tool class information to obtain a verification result, and, if the verification result is passed, decoding the encrypted password information according to the encryption and decryption tool class information to obtain a password.
In some embodiments, the processor is specifically configured to obtain control end user name information and control end user password information when used for obtaining the password call instruction, determine an authorization condition of the control end user according to the control end user name information and the control end user password information, and generate the password call instruction according to the authorization condition of the control end user.
In some embodiments, the processor is specifically configured to obtain a current time and a preset password call plan, where the password call plan includes a preset password call time, and generate a password call instruction if the current time is the preset password call time.
In some embodiments, the data source attribute information further includes one or more of file format information, database type information and data source user name information, and the processor is specifically configured to obtain application side attribute information when used for obtaining encrypted password information and a signature thereof according to the data source attribute information, and determine a consistency check result according to the control side user name information, the application side attribute information and the data source attribute information, where the application side attribute information includes file format requirement information and database type requirement information, the consistency check result includes one or more of control side user name information corresponding to the data source user name information, file format requirement information corresponding to the file format information, and database type requirement information corresponding to the database type information, and if the consistency check result is passed, call an interface or copy a file to obtain the encrypted password information and the signature thereof.
In some embodiments, the data source attribute information further includes version information of a data source server, and the processor is specifically configured to determine, when configured to decode the encrypted password information according to the encryption and decryption tool class information, a decryption tool according to the encryption and decryption tool class information and the version information of the data source server, and decode the encrypted password information by using the decryption tool to obtain a password.
In some embodiments, the processor is further configured to, after the verifying the signature according to the encryption and decryption tool class information to obtain a verification result, clear the password, the encrypted password information and the signature thereof if the verification result is not passed, and generate prompt information, where the prompt information is used to prompt that the password call fails.
In some embodiments, the processor is further configured to, after the processor is configured to decode the encrypted password information according to the encryption and decryption tool class information to obtain a password, connect a data source according to the password to obtain a data source connection result, and if the data source connection result is failure, clear the password, the encrypted password information and a signature thereof, and generate prompt information, where the prompt information is used to prompt that the password call fails.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, the computer program comprises program instructions, and the processor executes the program instructions to realize any password calling method provided by the embodiment of the application.
The computer readable storage medium may be an internal storage unit of the computer device according to the foregoing embodiment, for example a hard disk or memory of the computer device. The computer readable storage medium may also be an external storage device of the computer device, such as a plug-in hard disk, a smart memory card (Smart Media Card, SMC), a Secure Digital (SD) card, a flash memory card (Flash Card) or the like provided on the computer device.
While the application has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the application. Therefore, the protection scope of the application is subject to the protection scope of the claims.