CN-121980589-A - Authority matching method and device
Abstract
The application discloses a permission matching method and device, and relates to the technical field of computers. The method comprises: obtaining a path to be matched; performing authority rule matching on the path to be matched based on a pre-constructed authority rule tree; when an authority rule in the authority rule tree is matched, determining the corresponding rule control authority based on that authority rule to obtain the authority matching result of the path to be matched; and when no authority rule in the authority rule tree is matched, determining a preset default control authority as the authority matching result of the path to be matched. According to the application, accurate sub-nodes, single-wildcard sub-nodes and multi-wildcard sub-nodes are integrated in an authority rule tree with a single tree structure, so that common authority matching scenarios such as accurate matching, single-segment wildcard matching and cross-multi-segment wildcard matching can be covered without introducing regular expressions; the completeness of the expressive capability is ensured, the implementation complexity is reduced, and the system stability is improved. Meanwhile, the confusion of matching logic caused by the traditional scattered storage of multiple rules is avoided.
Inventors
- LIU PENG
- ZHANG FUMIN
- Tian Guangku
- LIN YING
Assignees
- 东软集团股份有限公司
Dates
- Publication Date: 20260505
- Application Date: 20260122
Claims (10)
- 1. A rights matching method, comprising: obtaining a path to be matched; performing authority rule matching on the path to be matched based on a pre-constructed authority rule tree, wherein the authority rule tree is of a single tree structure, and the sub-nodes linked to each non-leaf node in the authority rule tree comprise at least one of an accurate sub-node, a single-wildcard sub-node and a multi-wildcard sub-node; when an authority rule in the authority rule tree is matched, determining the corresponding rule control authority based on the authority rule to obtain an authority matching result of the path to be matched; and when no authority rule in the authority rule tree is matched, determining a preset default control authority as the authority matching result of the path to be matched, wherein the preset default control authority is access denial.
- 2. The method according to claim 1, wherein performing authority rule matching on the path to be matched based on the pre-constructed authority rule tree comprises: performing authority rule matching on the path to be matched through a preset priority ordering based on the pre-constructed authority rule tree, wherein the preset priority ordering is that the accurate sub-node has a higher priority than the multi-wildcard sub-node, and the multi-wildcard sub-node has a higher priority than the single-wildcard sub-node.
- 3. The method according to claim 2, wherein performing authority rule matching on the path to be matched through the preset priority ordering based on the pre-constructed authority rule tree comprises: based on the preset priority ordering, starting from the root node of the pre-constructed authority rule tree, performing a matching operation on the path to be matched segment by segment, wherein the path to be matched comprises a plurality of path segments; if an accurate sub-node is successfully matched, jumping to the accurate sub-node, consuming the current path segment, and entering the matching of the next path segment; if the accurate sub-node matching fails or the current node has no linked accurate sub-node, and the current node has a linked multi-wildcard sub-node, jumping to the multi-wildcard sub-node linked to the current node, and performing a matching operation on the current path segment through a stay strategy and a propulsion strategy to enter the matching of a target path segment, wherein the target path segment comprises the current path segment and the next path segment; if the current node has no linked multi-wildcard sub-node and has a linked single-wildcard sub-node, matching the single-wildcard sub-node linked to the current node, jumping to the single-wildcard sub-node, consuming the current path segment, and entering the matching of the next path segment; and if the current node has no linked single-wildcard sub-node, determining that the path to be matched does not match any authority rule in the authority rule tree.
- 4. The method according to claim 3, wherein performing the matching operation on the current path segment through the stay strategy and the propulsion strategy to enter the matching of the target path segment comprises: when the stay strategy is adopted to perform the matching operation on the current path segment, determining that the target path segment is the current path segment, and entering the matching of the current path segment without consuming the current path segment; and when the propulsion strategy is adopted to perform the matching operation on the current path segment, determining that the target path segment is the next path segment, consuming the current path segment, and entering the matching of the next path segment.
- 5. The method according to claim 4, wherein the method further comprises: when the stay strategy and the propulsion strategy are executed in parallel, stopping the matching operation of the other strategy as soon as the multi-wildcard sub-node corresponding to either strategy is successfully matched.
- 6. The method of claim 3, wherein each node in the pre-constructed authority rule tree stores a minimum depth parameter, the minimum depth parameter being the minimum number of path segments from the node to any leaf node, the method further comprising: while performing the matching operation on the path to be matched segment by segment, judging in real time, for the node at which the path to be matched is currently located, whether the number of remaining path segments in the path to be matched is smaller than the minimum depth parameter of that node; and if the number of remaining path segments is smaller than the minimum depth parameter of the current node, directly stopping the traversal of the branch corresponding to the current node.
- 7. The method according to claim 3, wherein the method further comprises: generating a matching trace log while performing the matching operation on the path to be matched segment by segment, wherein the matching trace log comprises the matching level of each path segment, the matching result, node jump information and pruning trigger conditions.
- 8. The method of claim 1, wherein the pre-constructed authority rule tree is built by: constructing a root node of the authority rule tree; and collecting a plurality of authority rules, splitting each authority rule into path segments, and then linking the path segments to the root node layer by layer in a tree structure to obtain the authority rule tree, wherein each path segment of each authority rule corresponds to one node in the authority rule tree, an accurate path segment in an authority rule corresponds to an accurate sub-node, a single-wildcard path segment in an authority rule corresponds to a single-wildcard sub-node, and a multi-wildcard path segment in an authority rule corresponds to a multi-wildcard sub-node.
- 9. The method according to claim 1, wherein leaf nodes in the pre-constructed authority rule tree store authority labels of the rule control authorities corresponding to the respective authority rules, and determining the corresponding rule control authority based on the authority rule when an authority rule in the authority rule tree is matched, to obtain the authority matching result of the path to be matched, comprises: when an authority rule in the authority rule tree is matched, returning the authority label stored in the corresponding leaf node, and taking the rule control authority corresponding to the authority label as the authority matching result of the path to be matched.
- 10. A rights matching apparatus, comprising: a path acquisition module, used for obtaining a path to be matched; a rule matching module, used for performing authority rule matching on the path to be matched based on a pre-constructed authority rule tree, wherein the authority rule tree is of a single tree structure, and the sub-nodes linked to each non-leaf node in the authority rule tree comprise at least one of an accurate sub-node, a single-wildcard sub-node and a multi-wildcard sub-node; and a result determining module, used for determining the corresponding rule control authority based on the authority rule to obtain the authority matching result of the path to be matched when an authority rule in the authority rule tree is matched, and for determining a preset default control authority as the authority matching result of the path to be matched when no authority rule in the authority rule tree is matched, wherein the preset default control authority is access denial.
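An added sketch of the flow in claims 1 to 9 (tree construction, priority-ordered matching, minimum-depth pruning, trace log, default deny); it is not code from the patent. It assumes `*` and `**` as the wildcard syntax, lets `**` cover zero or more segments (the stay and propulsion strategies appear as the `multi/stay` and `multi/advance` steps), and falls back to lower-priority branches when a higher-priority branch fails deeper down; all names and the sample rules are constructed.

```python
DENY = "deny"                                  # preset default control authority
MULTI, SINGLE = ("multi", ""), ("single", "")  # keys of the two wildcard sub-nodes
class Node:  # kids: ("exact", segment) | SINGLE | MULTI -> sub-node
    def __init__(self):
        self.kids, self.label, self.min_depth = {}, None, 0

def split(path):
    return [s for s in path.split("/") if s]

def build(rules):  # "*" and "**" are this example's assumed wildcard syntax
    root = Node()
    for pattern, label in rules.items():
        node = root
        for seg in split(pattern):
            key = MULTI if seg == "**" else SINGLE if seg == "*" else ("exact", seg)
            node = node.kids.setdefault(key, Node())
        node.label = label                     # authority label where the rule ends
    set_min_depth(root)
    return root

def set_min_depth(n):  # fewest segments still needed; "**" may consume none
    costs = [(k != MULTI) + set_min_depth(c) for k, c in n.kids.items()]
    n.min_depth = 0 if n.label is not None else min(costs, default=0)
    return n.min_depth

def walk(node, segs, i, trace, at_multi=False):
    left = len(segs) - i
    if left < node.min_depth:                  # pruning on the stored minimum depth
        trace.append(f"level {i}: pruned ({left} left < min_depth {node.min_depth})")
        return None
    if left == 0 and node.label is not None:
        return node.label
    seg = segs[i] if left else None
    steps = [("exact", node.kids.get(("exact", seg)), i + 1, False),  # priority order
             ("multi/stay", node.kids.get(MULTI), i, True),
             ("single", node.kids.get(SINGLE) if left else None, i + 1, False),
             ("multi/advance", node if at_multi and left else None, i + 1, True)]
    for kind, nxt, j, flag in steps:
        if nxt is not None:
            trace.append(f"level {i} {seg!r}: jump via {kind}")
            hit = walk(nxt, segs, j, trace, flag)
            if hit is not None:
                return hit
    return None

def match(root, path):
    trace = []
    return walk(root, split(path), 0, trace) or DENY, trace
RULES = {"/api/users/me": "allow:self", "/api/users/*": "allow:admin",  # constructed
         "/api/**/export": "allow:auditor", "/static/**": "allow:public"}
```

`match(build(RULES), path)` returns the authority label together with the trace list; any path that reaches no rule end comes back as `deny`.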
Description
Authority matching method and device
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for authority matching.
Background
With the rapid development of internet technology, the micro-service architecture has become a mainstream scheme for distributed system design, and the API gateway, as the core entry point of the micro-service architecture, bears key responsibilities such as request routing, authority verification and flow control. In practical application scenarios, the API gateway needs to perform authority matching on a large number of API paths (up to thousands to tens of thousands); these paths often have a multi-level hierarchical relationship and must support flexible generic expressions to adapt to authority policies of different granularities. Meanwhile, a high-concurrency environment places strict requirements on the response speed of authority matching: the matching process needs to be fast and efficient and must not affect the overall user experience of the system, so the performance, determinism and maintainability of path matching become core considerations of an authority matching scheme.
In the prior art, in order to realize authority path matching across multiple levels, regular expressions are introduced to support complex multi-segment cross-level matching: rules are compiled by a regular-expression engine and path matching is executed, covering diverse hierarchical matching scenarios through the flexibility of regular-expression syntax. Authority path matching in the prior art is therefore handled by a regular-expression engine. Although regular expressions improve expressive flexibility, processing by a regular-expression engine requires complex syntax parsing and compilation logic, so the implementation complexity rises sharply and the system stability is insufficient.
Disclosure of Invention
Based on the above problems, the application provides an authority matching method and device in which accurate sub-nodes, single-wildcard sub-nodes and multi-wildcard sub-nodes are integrated in an authority rule tree with a single tree structure. No regular expressions need to be introduced, yet common authority matching scenarios such as accurate matching, single-segment wildcard matching and multi-segment wildcard matching can be covered; the completeness of the expressive capability is ensured, the implementation complexity is reduced, and the system stability is improved.
The embodiments of the application disclose the following technical scheme:
In a first aspect, an embodiment of the present application provides a rights matching method, including: obtaining a path to be matched; performing authority rule matching on the path to be matched based on a pre-constructed authority rule tree, wherein the authority rule tree is of a single tree structure, and the sub-nodes linked to each non-leaf node in the authority rule tree comprise at least one of an accurate sub-node, a single-wildcard sub-node and a multi-wildcard sub-node; when an authority rule in the authority rule tree is matched, determining the corresponding rule control authority based on the authority rule to obtain an authority matching result of the path to be matched; and when no authority rule in the authority rule tree is matched, determining a preset default control authority as the authority matching result of the path to be matched, wherein the preset default control authority is access denial.
In one possible implementation manner, performing authority rule matching on the path to be matched based on the pre-constructed authority rule tree includes: performing authority rule matching on the path to be matched through a preset priority ordering based on the pre-constructed authority rule tree, wherein the preset priority ordering is that the accurate sub-node has a higher priority than the multi-wildcard sub-node, and the multi-wildcard sub-node has a higher priority than the single-wildcard sub-node.
In one possible implementation manner, performing authority rule matching on the path to be matched through the preset priority ordering based on the pre-constructed authority rule tree includes: based on the preset priority ordering, starting from the root node of the pre-constructed authority rule tree, performing a matching operation on the path to be matched segment by segment, wherein the path to be matched comprises a plurality of path segments; if an accurate sub-node is successfully matched, jumping to the accurate sub-node, consuming the current path segment, and entering the matching of the next path segment; if the accurate sub-node matching fails or the current node has no linked accurate sub-node, and the current node has a linked multi-wildcard sub-node, jumping to the multi-wildcard sub-node linked to the current node, and performing matching o