
CN-121997315-A - Access credential management and control method, device, system, equipment, computer program product and storage medium

CN121997315A

Abstract

Embodiments of the application provide a method, apparatus, system, device, computer program product and storage medium for managing and controlling access credentials. Different management-and-control devices are associated with different application clusters. For the device associated with any given cluster, requests to acquire an access credential that originate inside that cluster are pre-processed by that device, so that the device can answer part of the cluster's requests itself and those requests never have to be answered by the access credential issuing system. Associating a separate device with each cluster yields an architecture in which the request load is shared across multiple points. This both relieves the request load on the access credential issuing system and avoids a high concurrency of requests at any single point, which preserves the management efficiency of each point and so improves the overall efficiency of access credential management and control.

Inventors

  • Huang Zhugang
  • Kuang Dahu
  • Wu Hengyu
  • Yuan Zhengxun
  • Wang Xining

Assignees

  • Alibaba Cloud Computing Co., Ltd. (阿里云计算有限公司)

Dates

Publication Date
2026-05-08
Application Date
2024-11-07

Claims (16)

  1. An access credential management and control method, applicable to any one of a plurality of management-and-control devices, different management-and-control devices being associated with different application clusters, the method comprising: intercepting a first acquisition request when any application program in the associated application cluster initiates the first acquisition request, the first acquisition request requesting an access credential; when the first acquisition request meets the credential issuing requirement, issuing an access credential to the application program if one is found for it; and, if no access credential can be found for the application program, sending a second acquisition request to an access credential issuing system so that the access credential issuing system issues an access credential for the application program.
  2. The method of claim 1, wherein finding an access credential for the application program comprises: parsing, from the first acquisition request, the target access role corresponding to the application program; and searching the stored historical access credentials, on the basis of the target access role, for an access credential matching the application program.
  3. The method of claim 2, wherein searching the stored historical access credentials for an access credential matching the application program on the basis of the target access role comprises: searching the stored historical access credentials for a target historical access credential associated with the target access role; and, if the target historical access credential has not expired, determining it to be the access credential matching the application program.
  4. The method of claim 1, wherein sending a second acquisition request for the application program to the access credential issuing system comprises: extracting the identity information of the application program from the first acquisition request, the identity information indicating an access role; and creating the second acquisition request on the basis of the identity information, so that the second acquisition request is sent according to the access role indicated for the application program.
  5. The method of claim 4, further comprising: receiving the access credential issued by the access credential issuing system in response to the second acquisition request; returning the access credential to the application program as the response to the first acquisition request; and storing the access credential as a historical access credential, marked with its corresponding access role.
  6. The method of claim 5, further comprising: for any historical access credential, if its continuous idle duration is observed to exceed a preset continuous idle duration threshold, clearing that historical access credential.
  7. The method of claim 1, wherein the management-and-control device includes a first interception component, and intercepting the first acquisition request when any application program in the application cluster is observed to initiate it comprises: intercepting the first acquisition request by the first interception component when any application program in the application cluster initiates the first acquisition request.
  8. The method of claim 1, wherein the management-and-control device includes a second interception component deployed on a service node in the application cluster, and intercepting the first acquisition request when any application program in the application cluster is observed to initiate it comprises: intercepting the first acquisition request by the second interception component when any application program on the service node where the second interception component is located is observed to initiate the first acquisition request.
  9. The method of claim 8, wherein the management-and-control device further includes a first interception component, and finding an access credential for the application program comprises: searching for an access credential for the application program through the second interception component; and, if no access credential can be found for the application program, sending a third acquisition request from the second interception component to the first interception component so that the search for an access credential for the application program continues through the first interception component.
  10. The method of claim 8, wherein a monitoring service is deployed for the second interception component, and intercepting the first acquisition request by the second interception component when any application program on its service node is observed to initiate the first acquisition request comprises: monitoring, through the monitoring service, every application program on the service node where the monitoring service is located; and triggering the second interception component to intercept the first acquisition request when any application program is observed to initiate it.
  11. The method of claim 1, further comprising: if the identity information carried in the first acquisition request has not expired and the target access role indicated in the identity information is consistent with the access role bound to the application program, determining that the first acquisition request meets the credential issuing requirement.
  12. A management-and-control device, being any one of a plurality of management-and-control devices, different management-and-control devices being associated with different application clusters, the device comprising an interception unit, a search unit and a request unit; the interception unit is configured to intercept a first acquisition request when any application program in the associated application cluster initiates the first acquisition request, the first acquisition request requesting an access credential; the search unit is configured, when the first acquisition request meets the credential issuing requirement, to return the access credential to the application program if an access credential is found for the application program; and the request unit is configured to send a second acquisition request to the access credential issuing system when no access credential can be found for the application program, so that the access credential issuing system issues an access credential for the application program.
  13. An access credential management and control system, comprising a plurality of management-and-control devices and an access credential issuing system, wherein different management-and-control devices are associated with different application clusters, and any management-and-control device is configured to perform the access credential management and control method of any of claims 1-11.
  14. A computing device comprising a memory, a processor and a communication component; the memory stores one or more computer instructions; the processor is coupled to the memory and the communication component and executes the one or more computer instructions to perform the access credential management and control method of any of claims 1-11.
  15. A computer-readable storage medium storing computer instructions that, when executed by one or more processors, cause the one or more processors to perform the access credential management and control method of any of claims 1-11.
  16. A computer program product comprising a computer program which, when executed by a processor, causes the processor to perform the access credential management and control method of any of claims 1-11.
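The method of claims 1 to 11, written out as an added illustrative example in Python; this is not code from the patent or from Alibaba Cloud. It models two node-level interception components (claim 8) that forward cache misses to one cluster-level component (claims 7 and 9), which in turn forwards to a constructed stand-in for the access credential issuing system. The application-to-role bindings, the field names on the identity information, the `sts-…` secret format, the timing constants and the controllable clock are all assumptions made for the example. Because the cache is keyed by access role alone (claims 2 and 3), the claim 11 check (unexpired identity token, requested role equal to the role bound to the application) is the only thing that stops an application from receiving a credential cached for a role it is not entitled to; the scenario exercises both denials, the refusal to reuse an expired cached credential, and idle eviction (claim 6).

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional


@dataclass
class Identity:                 # identity information carried in a first acquisition request
    app: str                    # application identity, e.g. a Kubernetes service account
    role: str                   # target access role the application asks to assume
    token_exp: float            # expiry of the application's OIDC token, UNIX seconds


@dataclass
class Credential:               # temporary credential tagged with its access role (claim 5)
    role: str
    secret: str
    expires_at: float
    last_used: float = 0.0


class CredentialCache:
    """Historical credentials keyed by access role (claims 2, 3, 5 and 6)."""
    def __init__(self, idle_threshold: float, clock: Callable[[], float]) -> None:
        self.idle_threshold, self.clock = idle_threshold, clock
        self._by_role: Dict[str, Credential] = {}

    def lookup(self, role: str) -> Optional[Credential]:
        cred = self._by_role.get(role)
        if cred is None:
            return None
        if cred.expires_at <= self.clock():  # claim 3: an expired credential is never reused
            del self._by_role[role]
            return None
        cred.last_used = self.clock()
        return cred

    def store(self, cred: Credential) -> None:
        self._by_role[cred.role] = replace(cred, last_used=self.clock())  # own copy per tier

    def evict_idle(self) -> int:
        """Claim 6: clear credentials idle longer than the threshold; returns how many."""
        now = self.clock()
        stale = [r for r, c in self._by_role.items() if now - c.last_used > self.idle_threshold]
        for r in stale:
            del self._by_role[r]
        return len(stale)


class Interceptor:
    """One interception tier; `upstream` is the next tier's handle() (claim 9) or the issuer."""
    def __init__(self, cache: CredentialCache, upstream: Callable[[Identity], Credential],
                 bindings: Dict[str, str], clock: Callable[[], float]) -> None:
        self.cache, self.upstream, self.bindings, self.clock = cache, upstream, bindings, clock

    def meets_issuing_requirement(self, ident: Identity) -> bool:
        """Claim 11: unexpired identity token AND requested role equals the role bound to the app."""
        return ident.token_exp > self.clock() and self.bindings.get(ident.app) == ident.role

    def handle(self, ident: Identity) -> Credential:
        if not self.meets_issuing_requirement(ident):
            raise PermissionError(f"{ident.app} may not obtain credentials for {ident.role}")
        cred = self.cache.lookup(ident.role)
        if cred is None:                     # claims 1, 4, 5: forward by role, then remember the answer
            cred = self.upstream(ident)
            self.cache.store(cred)
        return cred


def run_scenario() -> Dict[str, object]:
    """Two node-level interceptors in front of one cluster-level interceptor and a stub issuer."""
    state = {"now": 1_700_000_000.0, "calls": 0}     # controllable clock and issuer call counter

    def clock() -> float:
        return state["now"]

    def issuer(ident: Identity) -> Credential:      # constructed STS stand-in, fresh secret per call
        state["calls"] += 1
        return Credential(ident.role, f"sts-{ident.role}-{state['calls']}", clock() + 3600)

    bindings = {"payments": "role-payments", "reports": "role-payments", "web": "role-web"}
    cluster = Interceptor(CredentialCache(600, clock), issuer, bindings, clock)          # first component
    node_a = Interceptor(CredentialCache(600, clock), cluster.handle, bindings, clock)   # second, node A
    node_b = Interceptor(CredentialCache(600, clock), cluster.handle, bindings, clock)   # second, node B
    exp, out = clock() + 300, {}
    out["first"] = node_a.handle(Identity("payments", "role-payments", exp)).secret
    out["second"] = node_a.handle(Identity("payments", "role-payments", exp)).secret      # node cache hit
    out["other_node"] = node_b.handle(Identity("reports", "role-payments", exp)).secret   # cluster cache hit
    for key, ident in (("role_mismatch", Identity("web", "role-payments", exp)),
                       ("expired_token", Identity("payments", "role-payments", clock() - 1))):
        try:
            node_a.handle(ident)
            out[key] = "issued"
        except PermissionError:
            out[key] = "denied"
    state["now"] += 3601                                      # the cached credential has expired
    out["after_expiry"] = node_a.handle(Identity("payments", "role-payments", clock() + 300)).secret
    out["issuer_calls"] = state["calls"]
    state["now"] += 601                                       # idle longer than the threshold
    out["evicted"] = cluster.cache.evict_idle()
    return out
```

Calling run_scenario() records the outcomes: the first three requests, from two nodes and two applications bound to the same role, reach the issuing system only once; the request for a role not bound to the application and the request with an expired token are both refused before any lookup; once the cached credential has expired it is discarded and a second issuing request is made; and a credential unused for longer than the idle threshold is cleared from the cluster tier. Two points the claims leave open and a deployment has to settle: where the application-to-role binding is held (each tier carries a copy here), and that cached secrets live only in process memory and are never written to logs.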

Description

Access credential management and control method, device, system, equipment, computer program product and storage medium

Technical Field

The present application relates to the field of cloud computing technologies, and in particular to a method, apparatus, system, device, computer program product and storage medium for managing and controlling access credentials.

Background

With the explosive growth of cloud-native computing, more and more enterprises are bringing container technology into their production environments. This rapid development comes with new security requirements, such as how an application deployed in a Kubernetes environment can obtain, in a secure way, temporary access credentials for accessing cloud resources, so that the security problems caused by the leakage of permanent access credentials are avoided. To address this, applications currently request temporary access credentials from the cloud vendor's Security Token Service (STS) on the basis of the OpenID Connect (OIDC) protocol, and the STS issues temporary access credentials with which the application accesses the cloud resources it needs. However, this arrangement frequently produces a high concurrency of requests at the STS, so that the STS cannot provide temporary access credentials to applications in time; the management efficiency of temporary access credentials is therefore too low, and applications may even fail as a result.

Disclosure of Invention

Aspects of the present application provide a method, apparatus, system, device, computer program product and storage medium for managing and controlling access credentials, so as to improve the efficiency of access credential management.

Embodiments of the application provide an access credential management and control method, applicable to any one of a plurality of management-and-control devices, different management-and-control devices being associated with different application clusters, the method comprising: intercepting a first acquisition request when any application program in the associated application cluster initiates the first acquisition request, the first acquisition request requesting an access credential; when the first acquisition request meets the credential issuing requirement, issuing an access credential to the application program if one is found for it; and, if no access credential can be found for the application program, sending a second acquisition request to an access credential issuing system so that the access credential issuing system issues an access credential for the application program.

Embodiments of the application also provide a management-and-control device, being any one of a plurality of management-and-control devices, different management-and-control devices being associated with different application clusters, the device comprising an interception unit, a search unit and a request unit; the interception unit is configured to intercept a first acquisition request when any application program in the associated application cluster initiates the first acquisition request, the first acquisition request requesting an access credential; the search unit is configured, when the first acquisition request meets the credential issuing requirement, to return the access credential to the application program if an access credential is found for the application program; and the request unit is configured to send a second acquisition request to the access credential issuing system when no access credential can be found for the application program, so that the access credential issuing system issues an access credential for the application program.

Embodiments of the application also provide an access credential management and control system, comprising a plurality of management-and-control devices and an access credential issuing system, wherein different management-and-control devices are associated with different application clusters, and any management-and-control device is used to perform the above access credential management and control method.

Embodiments of the application also provide a computing device comprising a memory, a processor and a communication component; the memory stores one or more computer instructions; the processor is coupled to the memory and the communication component and executes the one or more computer instructions to perform the aforementioned access credential management and control method.

Embodiments of the present application also provide a computer-readable storage medium storing computer instructions that, when executed by one or more processors, cause the one or more processors to perform the aforementioned access credential management and control method.

Embodiments of the present application also provide a computer pr