
Research On Security Monitoring And Interactive Mechanism Of Authentication For Micro-Services

Posted on: 2020-06-06
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Pan
Full Text: PDF
GTID: 2428330575985656
Subject: Computer Science and Technology
Abstract/Summary:
Ever-changing customer demand requires a more agile approach to software development, which makes the micro-service architecture an inevitable trend. The introduction of this architecture is of epoch-making significance, and it is becoming increasingly popular not only in the software industry but also in academic research. However, the current micro-service architecture is still preliminary, and many problems remain. First, the design of the micro-service framework divides the system into several independent modules and enlarges the attack surface. Inter-process communication becomes communication between service modules, which makes it difficult to guarantee information security. Second, modules trust each other unconditionally in communication and hardly ever confirm the source of a message, which can easily be exploited by an attacker. Last, application business usually needs the cooperation of multiple modules, but the separated modules are loosely structured and difficult to manage in a unified way. When an exception occurs, the system not only fails to respond in time but also takes a long time to locate the problem.

To address the security problems mentioned above, this paper carries out research in three areas: a key distribution scheme, a micro-service access control mechanism, and log monitoring. To prevent an attacker from exploiting the trust relationship between services, this paper proposes a challenge-response-based authentication and key distribution mechanism, which uses zero-knowledge authentication to identify each micro-service module and distribute secure keys. For access control between micro-services, this paper improves the role-based access control model, applies it to the micro-service architecture, proposes a micro-services-based access control mechanism, and restricts the access scope of micro-services to prevent the threat from a compromised server. To achieve log analysis and management for the whole micro-service system, we propose the early-warning attributes that should be focused on and explain the approach to log analysis. The publish-subscribe model of a message queue is used to collect all the logs and monitor the business running states of the micro-services, which assists administrators with their maintenance work.

Finally, based on the solution we put forward, we complete the implementation for this scenario and carry out tests and analysis. The results show that the protocol proposed in this paper can effectively ensure the confidentiality and integrity of messages, the proposed access control mechanism can precisely limit the access scope of each micro-service module, and the log analysis system can effectively help administrators with maintenance work.
Keywords/Search Tags: Micro-service security, Authentication, Key distribution, Access control, Log monitoring