On the Design and Development of a Unified Permission Management Service


This article discusses the design and development of the Unified Permission Management Service (MPS) in detail and proposes a combined RBAC, ACL and DAC permission model as a solution to the disorder of multi-platform permission management inside an enterprise. It walks through the construction of MPS from requirements analysis, technology selection and functional design onward. For platform & node management, MPS supports several ways of connecting business platforms and provides node management and organization management. The permission management module covers import of historical permissions, permission assignment and the authentication service. The application & authorization module implements online application, the approval process and automatic authorization. The permission audit & recovery module supports download of permission data, operation logging, permission renewal and permission recovery. MPS's successful adoption within Baidu shows its strong performance and potential, and it is expected to underpin more efficient enterprise permission management in the future.

The full text is 6171 words; expected reading time is 16 minutes.

01 Background

Enterprises today run an ever-growing number of application systems and data platforms, each serving different business functions. Each platform builds its own permission system; there is no unified permission design and no standardized permission management, which leads to confused administration and unclear permission hierarchies. To address this, the mobile data center decided to build a unified permission management service (MEDD Permission Service, hereafter MPS) that integrates the permissions of every platform in the data center and centralizes the management of platform permissions, businesses and users, providing a foundation for future comprehensive data-permission management and cross-tool permission interoperability.

This article describes the design and implementation of the unified permission management service in detail: requirements analysis, technology selection, functional design, platform & node management, permission management, application & authorization, and permission audit & recovery.

02 Requirements Analysis

During requirements analysis we communicated with the teams of the relevant business and data platforms to understand the characteristics of their permission systems, the problems in their permission management, and what they expected from a unified permission management service. The analysis covered:

Platform permission integration : determine which business and data platforms need to be integrated and understand their permission architecture and functions, so that MPS can integrate with them seamlessly.

Permission hierarchy : clarify how permissions are layered, including user roles, organizational structure and resource types, in order to establish a sound permission model.

Unified authentication : decide whether a unified authentication mechanism should be introduced to improve user experience and security.

Approval process : define the processes for applying for, approving and recovering permissions so that they are both secure and flexible, while allowing the approval process to be customized.

API interface : decide how business platforms access MPS, design an API that is simple to integrate, and ensure the security of that API.

03 Technology Selection

MPS is developed on the GDP (Go Develop Platform) framework. As Baidu's internally developed Go framework, GDP has the following advantages:

In-house infrastructure support : GDP is widely used within Baidu, so it integrates well with Baidu's internal infrastructure and ecosystem and provides a more stable and efficient service.

Easy configuration and assembly : a permission management service may need to be assembled and configured flexibly for the requirements of different business platforms; GDP's configuration and assembly features make this straightforward.

RPC capability and common base libraries : a permission management service must communicate and integrate with other systems. GDP provides complete RPC client and RPC server capabilities together with a set of common base libraries, which speeds up development and integration.

Standardized monitoring : GDP supports a Prometheus-based standardized monitoring solution, which helps with comprehensive monitoring and operation of MPS.

04 Permission Model Design

After the requirements analysis of the business platforms is complete, the permission model is chosen according to the business scenarios of the platforms to be integrated. MPS adopts a combined RBAC, ACL and DAC model to achieve flexible and precise permission control. The combined model takes the strengths of each of the three access control approaches and gives business platforms more flexibility and finer-grained control over permission management.

MPS divides the permissions of a business platform into two categories:

Business permissions : the permissions a business platform user holds on a node or a permission package, divided into business read permission, business write permission and custom permission types. For example, the read permission a user needs to view a report on the business platform.

Management permissions : the permissions to operate a business platform through the MPS interface, specifically:

  • operate on business platform users and grant them permissions on nodes or permission packages;

  • change the business platform's permission packages;

  • bring business platform nodes online or offline and change their attributes and structure.

After classifying permissions, MPS applies them to the three models, ACL, DAC and RBAC, as follows.

ACL (Access Control List) : ACL is a resource-based access control model that grants access rights on a resource to a list of users or user groups. Each resource carries an ACL listing the principals that are allowed or denied access and their corresponding permissions. ACLs suit fine-grained access control and allow precise permission management on a single resource. In MPS the ACL model appears as the ability to grant a user permissions on a specific node, giving fine-grained access control over nodes.

DAC (Discretionary Access Control) : DAC is an access control model centred on resource owners, who decide who may access their resources. Under DAC, access rights are set by the resource owner, who can authorize other users or user groups to access the resource and revoke those authorizations at any time. Drawing on DAC, MPS defines different user roles per business platform, such as super administrator, node administrator and ordinary user. Each role has different menu and node-management permissions, and users holding a role can independently grant business permissions to other users of the business platform they belong to.

RBAC (Role-Based Access Control) : RBAC grants permissions to roles and then assigns roles to users. A role represents a set of related permissions, and a user obtains permissions by being assigned the corresponding roles. RBAC suits large-scale access control: managing roles simplifies the distribution and maintenance of permissions and improves the efficiency and maintainability of permission management. In MPS, users can combine multiple nodes into a permission package and then add users to the package to authorize them.

05 Functional Design

Based on the results of the requirements analysis, the functions of MPS are split into four modules, each responsible for a different set of functions.

1. Platform & node management:

  • Support access for multiple platforms, using either default template parameters or customized parameters

  • Support node access and organization management. A node is an abstract resource that the business platform needs to manage, such as a report, a button or a page link

2. Permission management:

  • Import historical permissions

  • Create, delete, modify and query platform management permissions

  • Create, delete, modify and query platform business permissions

  • Authentication (permission check) service

3. Application & authorization:

  • Online applications by users, customizable approval processes, and automatic authorization once approved

  • Callback to the business platform after a permission changes, with a customizable callback method

4. Permission audit & recovery:

  • Automatic recovery of permissions when they expire or when a user resigns or transfers jobs

  • Push of business platform operation records

  • Download of authorization audit data

06 Platform & Node Management

When a business platform is connected to MPS it must provide the following initialization parameters:

  1. Basic platform information, stored in the platform basic information table in Figure 1

  2. The platform's custom permission types. MPS generates business read and write permissions for every platform by default; the platform can define additional business permission types, which are stored in the platform permission type table in Figure 1

  3. The platform's customized menu bar. MPS provides a general menu bar by default, and the platform can choose to use only part of it; the choice is stored in the platform menu table in Figure 1

△Figure 1 Business Platform Management

Once the initialization parameters are settled, MPS creates a basic business platform (see Figure 3). MPS initializes an initial (root) node for each business platform and at the same time generates openapi access keys, which are stored in the platform key table in Figure 1. MPS provides a complete openapi interface. Keys are divided into primary keys and secondary keys: a primary key can access every openapi interface MPS provides, whereas when a secondary key is generated the range of openapi interfaces it may access must be specified, and calls to interfaces outside that range fail authentication.
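The primary/secondary key split is a least-privilege boundary on the openapi, so the check that enforces it is worth seeing in code. The following Go code is an added example and is not MPS or GDP code; the key store layout, the error values and the openapi paths such as /openapi/node/sync are constructed assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed example of MPS-style primary and secondary openapi keys with an
// API range. The store layout, error values and paths are assumptions.

type KeyKind int

const (
	PrimaryKey   KeyKind = iota // may call every openapi interface
	SecondaryKey                // may call only the interfaces listed in Scope
)

type APIKey struct {
	ID    string
	hash  [32]byte        // SHA-256 of the secret; the secret itself is never stored
	Kind  KeyKind
	Scope map[string]bool // permitted openapi paths; only meaningful for secondary keys
}

type KeyStore map[string]*APIKey

var (
	ErrBadSecret  = errors.New("unknown key id or secret mismatch")
	ErrOutOfRange = errors.New("api outside the key's permitted range")
)

// IssuePrimary creates the platform's primary key. Secrets are assumed to be long
// random strings, so an unsalted hash is enough for storage and lookup.
func (ks KeyStore) IssuePrimary(id, secret string) {
	ks[id] = &APIKey{ID: id, hash: sha256.Sum256([]byte(secret)), Kind: PrimaryKey}
}

// IssueSecondary creates a secondary key; an empty API range is refused rather than meaning "everything".
func (ks KeyStore) IssueSecondary(id, secret string, apis ...string) error {
	if len(apis) == 0 {
		return fmt.Errorf("secondary key %q needs a non-empty api range", id)
	}
	scope := make(map[string]bool, len(apis))
	for _, a := range apis {
		scope[a] = true
	}
	ks[id] = &APIKey{ID: id, hash: sha256.Sum256([]byte(secret)), Kind: SecondaryKey, Scope: scope}
	return nil
}

// Authenticate verifies the secret in constant time, then enforces the range:
// a primary key passes, a secondary key must list the requested api.
func (ks KeyStore) Authenticate(id, secret, api string) error {
	k, ok := ks[id]
	if !ok {
		return ErrBadSecret // same error as a wrong secret, so key ids cannot be enumerated
	}
	got := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(got[:], k.hash[:]) != 1 {
		return ErrBadSecret
	}
	if k.Kind == PrimaryKey || k.Scope[api] {
		return nil
	}
	return ErrOutOfRange
}

func main() {
	ks := KeyStore{}
	ks.IssuePrimary("plat-primary", "constructed-primary-secret")
	_ = ks.IssueSecondary("plat-sync", "constructed-sync-secret", "/openapi/node/sync")
	fmt.Println(ks.Authenticate("plat-sync", "constructed-sync-secret", "/openapi/node/sync"))  // <nil>
	fmt.Println(ks.Authenticate("plat-sync", "constructed-sync-secret", "/openapi/perm/batch")) // out of range
}
```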

After platform initialization, the business platform's development engineers synchronize their business nodes to MPS. MPS provides two node synchronization solutions:

Push (solution 1) : the business platform abstracts the resources it needs to control into a tree structure and synchronizes the node tree to MPS through the node-related openapi interfaces that MPS provides.

Pull (solution 2) : the business platform provides an interface that returns its node tree in the data format MPS specifies. MPS fetches the business node data in real time and mounts it under the initial node.

With solution 1, MPS stores the node data locally in two tables: basic information goes in the node information table and the tree relationships in the node tree organization table (see Figure 2).

△Figure 2 Node Management

With solution 1, whenever a business node changes, for example a report goes offline, the business side must synchronize the change to MPS. A failed synchronization leaves the data inconsistent; this is mitigated by scheduled full synchronization and error alerting. The advantage is that MPS holds the node data itself and can therefore provide a stable permission management service.

The advantage of solution 2 is that node data is obtained from the business side in real time, so node changes are noticed immediately. The disadvantage is that if fetching the data fails, only cached data can be used, which may differ from the real-time node data and affect some functions.

In summary, since nodes on a business platform change infrequently and a permission management service values availability and reliability above all, MPS recommends solution 1.

△Figure 3 MPS Basic Service Platform

07 Permission Management

After a business platform is connected to MPS, the existing users' business permission data must be imported into MPS so that their experience is not affected. MPS provides an openapi interface for adding permissions in batches.

Once the historical permission data is imported, new business permissions require a platform administrator to be added first; the administrator can then authorize users through the MPS interface.

Business platform administrators come in two types:

Super administrator : holds all menu permissions and management permissions on all nodes.

Node administrator : holds some menu permissions and management permissions on some nodes. A user who is set as the node administrator of a node can manage that node and all of its sub-nodes.

As a rule, a platform has only 2-3 super administrators, who act as the final responsible persons, while the concrete authorization work is handled by the administrators of the individual nodes of the business platform.

To isolate a user's permissions across multiple business platforms within MPS, the user must have a platform account in MPS for each platform. A platform administrator first searches for the user; if the user is not yet a member of the current platform, the user is added to the platform. MPS stores the user's basic information in the user basic information table and the user's account on each platform in the user platform account table, so that the user's data on each platform is isolated vertically by platform account, while the user's cross-platform permissions can be surveyed horizontally by user name, which makes permission review convenient.

MPS supports two ways of managing authorization:

  • grant the user permissions on nodes directly;

  • add multiple nodes to a permission package (see Figure 4) and then add users to the package.

The first method is clearer when reviewing permissions; the second is more convenient when adding permissions in bulk.

△Figure 4 Permission Package Creation

After user permissions are added, the business platform's development engineers integrate the MPS authentication service into the business system. When a logged-in user accesses a resource on the business platform, the platform calls the MPS authentication interface to compute the user's permissions. The MPS authentication service supports several permission calculation parameters:

Inherit parent permissions : when computing a user's permissions on a node, the check can be limited to the current node, or inheritance mode can be selected, in which parent node permissions are searched recursively from the current node upward until a permission is found or the root node is reached.

Permission package or node permission priority : both permission package permissions and node permissions are supported; either one can be given the higher priority in the calculation, or the two can be combined.
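The combined ACL/DAC/RBAC model from section 04 and the two calculation parameters above fit in one small check. The Go code below is an added example, not MPS's implementation: the in-memory tables, the PriorityNode/PriorityPackage/PriorityMixed names and the sample nodes are assumptions, and it goes slightly beyond the text by letting a node ACL entry that lacks a permission take precedence over a package under node priority (and vice versa).

```go
package main

import "fmt"

// Constructed example of the MPS permission model: direct node grants (ACL), permission
// packages (RBAC), node administrators limited to their subtree (DAC) and the check with
// parent inheritance and node/package priority. Layout and names are assumptions.

type Priority int

const (
	PriorityNode    Priority = iota // a node ACL entry, when present, decides
	PriorityPackage                 // a package entry, when present, decides
	PriorityMixed                   // allowed if either source grants the permission
)

type aclKey struct{ node, user string }

type Store struct {
	Parent    map[string]string                     // node -> parent; "" marks the initial node
	ACL       map[aclKey]map[string]bool            // direct node grants: permission type -> granted
	Packages  map[string]map[string]map[string]bool // package -> node -> permission types
	Members   map[string][]string                   // user -> packages the user was added to
	Super     map[string]bool                       // super administrators manage every node
	NodeAdmin map[string][]string                   // node administrators manage these subtrees
}

// CanManage is the DAC rule: an administrator may authorize only inside nodes they own.
func (s *Store) CanManage(admin, node string) bool {
	for cur := node; cur != ""; cur = s.Parent[cur] {
		for _, owned := range s.NodeAdmin[admin] {
			if cur == owned {
				return true
			}
		}
	}
	return s.Super[admin]
}

// decide applies the priority rule on one node. A "hit" means the source has some entry
// for the user there, so under PriorityNode a node entry lacking the permission wins over a package.
func (s *Store) decide(user, node, want string, prio Priority) bool {
	perms, nodeHit := s.ACL[aclKey{node, user}]
	nodeOK := nodeHit && perms[want]
	var pkgHit, pkgOK bool
	for _, pkg := range s.Members[user] {
		if e, ok := s.Packages[pkg][node]; ok {
			pkgHit, pkgOK = true, pkgOK || e[want]
		}
	}
	switch prio {
	case PriorityNode:
		return nodeOK || (!nodeHit && pkgOK)
	case PriorityPackage:
		return pkgOK || (!pkgHit && nodeOK)
	}
	return nodeOK || pkgOK
}

// Authorize checks the node itself and, in inherit mode, walks up the parents until a
// permission is found or the root is reached (the authentication-service calculation).
func (s *Store) Authorize(user, node, want string, inherit bool, prio Priority) bool {
	for cur := node; cur != ""; cur = s.Parent[cur] {
		if ok := s.decide(user, cur, want, prio); ok || !inherit {
			return ok
		}
	}
	return false
}

func main() {
	s := &Store{Parent: map[string]string{"root": "", "reports": "root", "sales": "reports"},
		ACL: map[aclKey]map[string]bool{{"reports", "dave"}: {"read": true}}}
	fmt.Println(s.Authorize("dave", "sales", "read", true, PriorityNode)) // true: inherited from reports
}
```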

△Figure 5 User Permission Management

08 Application & Authorization

Permissions for business platform users can be granted manually by a platform administrator, but the drawbacks of this approach are obvious:

  • users have to contact administrators and keep records by email or IM, which is inefficient;

  • permission management consumes much of the administrators' time and is error-prone;

  • during permission review, tracing the full record of how a permission was granted is costly.

To improve efficiency and reduce the burden on users and administrators, the online authorization process shown in Figure 6 was designed.

△Figure 6 Online application process for users

MPS offers two access modes for online applications:

Fully managed mode : MPS provides a common permission approval model and application page (see Figure 7). When a user lacks permission to access a resource, the business platform redirects to the MPS permission application page. The user only has to fill in the work order and select the node or permission package to apply for; the platform only has to configure the approver for each node.

Self-built page mode : if the general application page does not meet the business platform's needs, the platform can build its own front-end page and call the MPS application form submission interface. MPS handles the subsequent approval and authorization.

△Figure 7 MPS application page

MPS uses Baidu's internal workflow system to provide approval capability. An approval process can be understood as a chain of steps, as shown in Figure 8. A survey of the connected business platforms showed that their approval requirements differ widely: some platforms need only one responsible person to approve all nodes, while others configure a different approval process per node. In the workflow system the approval process has to be defined first, and each user application then creates an instance of it; the approval process is thus analogous to a class in program code. Defining a separate class for every node on a platform that needs many approval processes would be costly to manage and inflexible to extend.

MPS therefore studied the existing approval processes of the platforms and designed the general approval process class shown in Figure 8, in which the required parameters are set per node, much like passing a set of parameters to the constructor of the general approval process class. The data approver is the approver the business platform sets on the node; the platform can specify it when synchronizing the node, or an administrator can configure it as in Figure 10. When a business platform node needs a new approval process, it only has to supply its custom parameters to obtain an approval instance that meets its needs.
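The "general approval process class with per-node constructor parameters" idea can be made concrete. The Go code below is an added example and not MPS's workflow definition: the step names, the fallback from a node's data approver to a platform-wide default approver, the self-approval guard and the callback that stands in for MPS's authorization step are all assumptions.

```go
package main

import "fmt"

// Constructed example of the general approval process class: one definition,
// instantiated per node from "constructor" parameters. Step names, the fallback
// to a platform default approver and the self-approval guard are assumptions.

type Step struct {
	Name      string
	Approvers map[string]bool // any listed approver can complete the step
	DoneBy    string          // who completed it; empty while pending
}

// ProcessParams are the per-node parameters of the general process.
type ProcessParams struct {
	NodeApprovers    map[string]bool // data approvers configured on the node (may be empty)
	DefaultApprovers map[string]bool // platform-wide fallback when the node has none
	ExtraSteps       []Step          // platform-customized steps after the data approver
}

type Instance struct {
	Applicant, Node string
	Steps           []Step
	Cur             int    // index of the step awaiting approval
	Status          string // "pending" or "approved"
	onApproved      func(applicant, node string)
}

// NewInstance builds the approval chain for one application on one node.
func NewInstance(applicant, node string, p ProcessParams, onApproved func(string, string)) (*Instance, error) {
	approvers := p.NodeApprovers
	if len(approvers) == 0 {
		approvers = p.DefaultApprovers
	}
	if len(approvers) == 0 {
		return nil, fmt.Errorf("node %q has no approver configured", node)
	}
	steps := append([]Step{{Name: "data approver", Approvers: approvers}}, p.ExtraSteps...)
	return &Instance{Applicant: applicant, Node: node, Steps: steps, Status: "pending", onApproved: onApproved}, nil
}

// Approve completes the current step for an authorized approver. After the last
// step the instance is approved and the authorization callback fires exactly once.
func (in *Instance) Approve(by string) error {
	if in.Status != "pending" {
		return fmt.Errorf("instance is already %s", in.Status)
	}
	if by == in.Applicant {
		return fmt.Errorf("%s cannot approve their own application", by)
	}
	step := &in.Steps[in.Cur]
	if !step.Approvers[by] {
		return fmt.Errorf("%s is not an approver of step %q", by, step.Name)
	}
	step.DoneBy = by
	in.Cur++
	if in.Cur == len(in.Steps) {
		in.Status = "approved"
		if in.onApproved != nil {
			in.onApproved(in.Applicant, in.Node) // this is where MPS would grant the permission
		}
	}
	return nil
}

func main() {
	params := ProcessParams{NodeApprovers: map[string]bool{"node-owner": true},
		ExtraSteps: []Step{{Name: "platform owner", Approvers: map[string]bool{"platform-owner": true}}}}
	in, _ := NewInstance("applicant", "reports/sales", params, func(u, n string) { fmt.Println("grant", u, n) })
	fmt.Println(in.Approve("platform-owner")) // error: the data approver step comes first
	fmt.Println(in.Approve("node-owner"), in.Approve("platform-owner")) // "grant ..." then <nil> <nil>
}
```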

△Figure 8 General Approval Process

△Figure 9 Online application management

△Figure 10 Change of node attributes

After the user submits an application, the approver reviews it. Once it is approved, the workflow system calls back into MPS, which authorizes the user. Some business platforms also need to be informed, so MPS supports event callbacks: the business platform configures a callback method, and the callback is triggered after automatic authorization.

09 Permission Audit & Recovery

Business platforms usually review the permissions on certain nodes quarterly or monthly to check whether user permissions still match expectations, recover the ones that do not, and extend some permissions that are about to expire.

MPS provides complete permission audit capabilities:

  • User permission download: the business platform can download the user permission data of a node after it has been reported.

  • Daily operation log: MPS records every permission operation and node operation performed by administrators on the business platform and emails the log to the configured recipients.

MPS also provides comprehensive permission renewal and recovery capabilities:

  • A daily scheduled task scans users, collects the permissions that will expire within 10 days, and sends each user a renewal email with a link to apply for renewal; the link takes the user to the application page to apply for an extension.

  • Resigned and transferred users are fetched daily. For a resigned user, MPS sets the account status to invalid; the business platform checks user status during authentication and, when the status is invalid, directly returns that the user has no permission. For a transferred user, MPS puts the user on a watch list and emails the user's superior, who decides whether the user's permissions should be retained. If the superior confirms retention, the user is removed from the watch list; otherwise the account is frozen. To restore the user's permissions, only the account status needs to be restored.
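The daily scan above combines three rules (renewal notices within 10 days, resigned users invalidated, transferred users put on a watch list pending the superior's decision). The following Go code is an added example, not MPS code, showing them in one pass; the account statuses, the HRRecord shape and the Action values that stand in for emails are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed example of the daily renewal and recovery scan. The account states,
// the HRRecord shape and the Action values standing in for emails are assumptions.

const RenewalWindow = 10 * 24 * time.Hour // grants expiring within 10 days get a renewal mail

type Account struct {
	User, Superior string
	Status         string // "active", "invalid" (resigned) or "frozen" (retention declined)
	OnWatch        bool   // transferred and awaiting the superior's decision
	Reviewed       bool   // the superior has already decided, so do not re-watch daily
}

type Grant struct{ User, Node string; ExpiresAt time.Time }

type HRRecord struct{ User string; Resigned, Transferred bool } // one row of the daily HR fetch

// Action records a side effect (email or recovery) instead of performing it.
type Action struct{ Kind, User, Detail string }

// DailyScan returns the grants that remain valid and the actions taken.
func DailyScan(now time.Time, accounts map[string]*Account, grants []Grant, hr []HRRecord) ([]Grant, []Action) {
	kept, actions := []Grant{}, []Action{}
	for _, g := range grants {
		switch left := g.ExpiresAt.Sub(now); {
		case left <= 0:
			actions = append(actions, Action{"recover-expired", g.User, g.Node})
			continue // an expired permission is recovered automatically
		case left <= RenewalWindow:
			actions = append(actions, Action{"renewal-email", g.User, g.Node})
		}
		kept = append(kept, g)
	}
	for _, r := range hr {
		acc, ok := accounts[r.User]
		if !ok {
			continue
		}
		switch {
		case r.Resigned:
			acc.Status = "invalid" // authentication now answers "no permission"
			actions = append(actions, Action{"invalidate", r.User, ""})
		case r.Transferred && !acc.OnWatch && !acc.Reviewed:
			acc.OnWatch = true
			actions = append(actions, Action{"superior-email", r.User, acc.Superior})
		}
	}
	return kept, actions
}

// Decide applies the superior's answer for a user on the watch list.
func Decide(acc *Account, retain bool) {
	acc.OnWatch, acc.Reviewed = false, true
	if !retain {
		acc.Status = "frozen" // setting Status back to "active" restores the permissions
	}
}

// Usable is the status check a business platform performs during authentication.
func Usable(acc *Account) bool { return acc != nil && acc.Status == "active" }

func main() {
	now := time.Date(2023, 8, 15, 0, 0, 0, 0, time.UTC)
	accounts := map[string]*Account{"bob": {User: "bob", Status: "active"}, "carol": {User: "carol", Superior: "lead", Status: "active"}}
	grants := []Grant{{"bob", "reports", now.Add(5 * 24 * time.Hour)}, {"carol", "sales", now.Add(-time.Hour)}}
	kept, actions := DailyScan(now, accounts, grants, []HRRecord{{User: "bob", Resigned: true}, {User: "carol", Transferred: true}})
	fmt.Println(len(kept), actions, Usable(accounts["bob"])) // 1 [...] false
}
```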

MPS also supports an email subscription service: administrators subscribe to the relevant emails, and MPS sends them the platform's permission change emails daily and copies them on the emails sent to platform users.

△Figure 11 Permission recovery and auditing

10 Summary

Driven by the momentum of platform onboarding, and upgraded and tuned in response to user feedback, MPS has become the core permission system of the data center and is widely used within Baidu MEG. It now serves nearly 40 business platforms, manages more than 100,000 permission nodes and covers more than 50 approval models; it handles about 2,000 to 3,000 permission application work orders per month and serves more than 20,000 users. API calls peak at 1.3 million per day, and it provides 300,000 authentication checks daily.

MPS's performance stems from its clear division of management functions and its use of a general permission approval model. These give the system strong permission management, application and authorization capabilities and resolve the earlier problems of confused permission management and unclear hierarchies, while also ensuring data security and compliance and noticeably improving user experience and work efficiency.

Looking ahead, MPS can be extended and generalized further: supporting more business platforms, realizing comprehensive integrated permission management, and promoting interoperability between platform tools. This will further strengthen the mobile data center's permission management system and provide enterprises with a more efficient and reliable permission management service.


Source: my.oschina.net/u/4939618/blog/10095897