CN-122019351-A - Service debugging method, device, electronic equipment and computer readable storage medium

CN122019351A

Abstract

The application provides a service debugging method, a device, electronic equipment and a computer readable storage medium, and relates to the technical field of service debugging. The method comprises the steps of initiating a debugging request aiming at a target service instance based on a local agent, acquiring short-term security credentials by the local agent, establishing an encrypted communication channel by the local agent through the short-term security credentials and a remote agent, extracting the target service instance identifications from the short-term security credentials by the remote agent, acquiring a real-time network address of the target service instance, and transmitting received debugging traffic to the real-time network address of the target service instance by the remote agent. The method realizes identity authentication and authorization through short-term security credentials, ensures the security and credibility of the debugging request, reduces the security risk in the debugging process, and also enhances the flexibility and efficiency of cross-network environment debugging.

Inventors

  • Dong Hongshuai

Assignees

  • 北京创鑫旅程网络技术有限公司

Dates

Publication Date
2026-05-12
Application Date
2026-02-13

Claims (10)

  1. A service debugging method, the method comprising: initiating a debugging request for a target service instance based on a local agent, and acquiring a short-term security credential by the local agent, wherein the short-term security credential comprises an identification of the target service instance; establishing, by the local agent, an encrypted communication channel with a remote agent using the short-term security credential; extracting, by the remote agent, the target service instance identification from the short-term security credential and obtaining a real-time network address of the target service instance; and sending, by the remote agent, the received debugging traffic to the real-time network address of the target service instance.
  2. The method of claim 1, wherein initiating a debugging request for a target service instance based on the local agent and acquiring a short-term security credential by the local agent comprises: starting an authorization process by the local agent, wherein the authorization process is used to guide a user to complete authentication at an authentication server and to select the target service instance; and, when the authentication is successful, generating an initial security credential by the local agent and writing the identification of the target service instance into a specific field of the initial security credential to obtain the short-term security credential.
  3. The method of claim 2, wherein the short-term security credential has a validity period of finite duration; and, after initiating a debugging request for a target service instance based on the local agent and acquiring the short-term security credential by the local agent, the method further comprises: when the remaining validity period of the short-term security credential is monitored to fall below a defined threshold, the local agent initiates a renewal request to acquire a new short-term security credential.
  4. The method of claim 1, wherein establishing, by the local agent, an encrypted communication channel with a remote agent using the short-term security credential comprises: initiating, by the local agent, a connection request to the remote agent and presenting the short-term security credential during a transport layer security handshake to complete identity authentication; and establishing an encrypted data stream between the local agent and the remote agent when the local agent and the remote agent have successfully authenticated each other in both directions.
  5. The method of claim 1, wherein extracting, by the remote agent, the target service instance identification from the short-term security credential and obtaining the real-time network address of the target service instance comprises: parsing the short-term security credential and reading the target service instance identifier from a specific field; sending an address query request to a service registry based on the target service instance identifier; and receiving a response from the service registry that includes the latest network address corresponding to the identifier.
  6. The method of claim 1, further comprising: receiving, by the local agent, an original debugging data stream from a debugging client and encapsulating the original debugging data stream into a data format that can be transmitted over the encrypted communication channel; receiving, by the remote agent, data from the encrypted communication channel and restoring the original debugging data stream; and transmitting, by the remote agent, the restored original debugging data stream to the real-time network address of the target service instance.
  7. The method of claim 6, wherein receiving, by the remote agent, data from the encrypted communication channel and restoring the original debugging data stream comprises: the remote agent does not retain the associated information after completing a single forwarding of debugging traffic, the associated information comprising the user identity, the security credential, or the target address mapping relation associated with that forwarding.
  8. A service debugging device, characterized by comprising a local agent module and a remote agent module; the local agent module is used for: initiating a debugging request for a target service instance and obtaining a short-term security credential, wherein the short-term security credential includes the target service instance identification, and establishing an encrypted communication channel with the remote agent module using the short-term security credential; the remote agent module is used for: extracting the target service instance identifier from the short-term security credential and obtaining a real-time network address of the target service instance, and sending the received debugging traffic to the real-time network address of the target service instance.
  9. An electronic device comprising a memory and a processor, the memory having stored therein program instructions which, when executed by the processor, perform the steps of the method of any of claims 1-7.
  10. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein computer program instructions which, when executed by a processor, perform the steps of the method of any of claims 1-7.
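The following is an added example, not code from the patent or its assignee, of the credential checks that the local agent (claim 3) and remote agent (claims 1, 5 and 7) perform. The patent does not specify how the short-term credential is integrity-protected (it is presented in a TLS handshake, so a client certificate is likely); this example assumes an HMAC-signed token as a stand-in, and an in-memory dict stands in for the service registry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the credential's integrity protection
# (assumption: the patent does not name a signing mechanism).
AUTH_SERVER_KEY = b"constructed-demo-key"

# Constructed stand-in for the service registry of claim 5: instance id -> live address.
REGISTRY = {"order-svc-7f3a": ("10.42.3.17", 5005)}


def issue_credential(instance_id, user, ttl_s, now=None):
    """Authentication-server side (claim 2): short-term credential carrying the target instance id."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": user, "instance_id": instance_id, "exp": now + ttl_s},
                      sort_keys=True).encode()
    tag = hmac.new(AUTH_SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def needs_renewal(cred, threshold_s, now=None):
    """Local-agent side (claim 3): renew once remaining validity drops below the threshold."""
    body = json.loads(base64.urlsafe_b64decode(cred.split(".")[0]))
    now = time.time() if now is None else now
    return body["exp"] - now < threshold_s


def resolve_target(cred, now=None):
    """Remote-agent side (claims 1, 5, 7): verify the credential, extract the instance id from
    it (never from the client's request), look up the live address, keep no per-forward state."""
    body_b64, tag_b64 = cred.split(".")
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(AUTH_SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag_b64)):
        raise PermissionError("credential integrity check failed")
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        raise PermissionError("credential expired")
    instance_id = claims["instance_id"]
    if instance_id not in REGISTRY:
        raise LookupError(f"instance {instance_id} not registered")
    return REGISTRY[instance_id]  # (host, port) the debugging traffic is forwarded to
```

A credential whose body has been altered fails the integrity check before its instance id is ever read, so the target address cannot be steered by editing the token.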

Description

Technical Field

The present application relates to the field of service debugging technologies, and in particular to a service debugging method, device, electronic equipment, and computer readable storage medium.

Background

In remote debugging scenarios for microservice architectures, the prior art mainly comprises three types of scheme, all of which have obvious defects and cannot fully meet the production-environment requirements for security, stability and usability.

The first scheme routes traffic from the remote test environment to the developer so that debugging is done locally. It presupposes connectivity between the local network and the microservice cluster network, a premise that is almost never satisfied in mainstream cloud-native deployments, where the office network is strictly isolated from the Kubernetes Pod network and the VPC network. The developer must also reach the specific middleware infrastructure of the target environment from the local machine, and independent clusters per environment together with strict IP allow-list mechanisms make the authorization cost extremely high. In addition, the proxy gateway this scheme relies on is designed mainly for L7 protocols (HTTP/HTTPS, gRPC) and cannot support the long-lived connections of debugging protocols such as JDWP, and it forwards traffic in plaintext, exposing sensitive data to man-in-the-middle hijacking.

The second scheme establishes a reverse proxy over a network tunnel to forward local debugging requests to the remote instance. This solves the network isolation problem, but user requests are transmitted in the clear and can be hijacked; the dynamic configuration process lacks an effective authentication mechanism, so a user can in theory configure forwarding to any remote address; L4 TCP forwarding lacks protocol identification capability and introduces uncontrolled security risk; and a routing mechanism based on 1:1 binding of user IP to remote object cannot support a single user debugging several instances at the same time.

The third scheme introduces a two-layer architecture of a local agent and a remote agent combined with token authentication. However, the remote agent carries both the authentication and the routing/forwarding functions, so functional coupling is high; starting the local agent depends on a pre-acquired token, which makes the operation flow cumbersome; multi-instance debugging requires starting separate agents; the custom encapsulation protocol lacks an encrypted transport mechanism, so eavesdropping risk exists when exposed on the public network; and the token, as the core credential, is bound only logically to the user identity, is easy to replay or forge, and, because it travels with the traffic, is at risk of packet capture, replay attack or log leakage.

In summary, the prior art has five core pain points: limited protocol support, network isolation barriers, difficult service discovery, missing security mechanisms, and insufficient multi-user support. A new remote debugging scheme is needed that simultaneously satisfies protocol compatibility, network reachability, dynamic service discovery, security controllability and multi-user support.

Disclosure of Invention

In view of the above, an object of an embodiment of the present application is to provide a service debugging method, apparatus, electronic device, and computer readable storage medium that improve on the above-mentioned problems in the prior art.

In a first aspect, an embodiment of the present application provides a service debugging method. The method includes initiating a debugging request for a target service instance based on a local proxy; obtaining, by the local proxy, a short-term security credential that includes a target service instance identifier; establishing, by the local proxy, an encrypted communication channel with a remote proxy using the short-term security credential; extracting, by the remote proxy, the target service instance identifier from the short-term security credential and obtaining a real-time network address of the target service instance; and sending, by the remote proxy, the received debugging traffic to the real-time network address of the target service instance.

In this implementation, the local agent serves as the entry point for the debugging request and is responsible for acquiring a short-term security credential containing the target service instance identifier, and an encrypted communication channel is established with the remote agent using that credential, so that the security and traceability of the debugging requ