CN101674334B - Access control method of network storage equipment - Google Patents

Publication number: CN101674334B (application CN2009102723589A; other version CN101674334A)
Authority: CN (China)
Legal status: Active
Inventors: 周可, 雷栋梁, 冯丹, 牛中盈, 闫巍
Original and current assignee: Huazhong University of Science and Technology
Original language: Chinese (zh)
Prior art keywords: access control, user, acl, data, role
Classification: Information Retrieval, Db Structures And Fs Structures Therefor

Abstract

The invention relates to an access control method for a network storage device and belongs to the field of computer network storage systems. It solves the problem that existing access control methods maintain and manage a single centralized access control list, which forms a performance bottleneck and limits the performance and scalability of the storage system. In the invention the access control method comprises an object creation step and an object operation step. The network storage device stores the data objects and directory objects users need; each data object and directory object consists of an attribute part and a data part, and each attribute part contains an access control list. The invention stores each access control list together with the data as a security attribute of the data object, defines inheritance rules for access control lists and priorities for access control entries, improves the flexibility of data access control, locates the corresponding access control list while reading the data the user wants to operate on, realizes distributed access control, greatly reduces the access control overhead of a distributed storage system, and improves the scalability of the system.

Description

Access control method for a network storage device
Technical field
The invention belongs to the field of computer network storage systems and relates specifically to an access control method for a network storage device.
Background art
The expansion of the Internet has made data grow explosively, at a geometric rate; Turing Award winner Jim Gray pointed out that every 18 months the newly added data volume in the network environment equals the sum of all data produced since the dawn of human civilization. The continuous development of applications such as digital libraries, e-commerce, medical imaging, bioengineering, scientific computing, virtual reality, the digital earth and multimedia websites has created demand for high-performance, highly reliable mass information storage systems, and future storage systems will reach the PB scale. A PB-scale high-performance network storage system has hundreds of storage devices and must provide concurrent and bursty service to a large number of users at the same time.
In recent years a great deal of research has been carried out on construction techniques for PB-scale network storage systems. The mass network storage systems built and in use today, such as network-attached storage systems or object storage systems, mostly consist of three main parts: application clients, metadata servers and storage devices, with the storage devices attached directly to the network and metadata separated from data. Although this separation of the data path from the control path improves the performance and scalability of the storage system, it also introduces a security hazard: through the open network, clients can directly access the objects on the storage devices, so the storage devices lose the protection of the system and must themselves face security threats from the network and attacks by malicious clients. For this reason, access to the network storage system must be controlled.
In the various existing storage systems, user data is organized as data objects and directory objects. A data object is the data stored by the user; a directory object is responsible for organizing data objects. In a generic file system a directory object corresponds to an ordinary directory, and in an object-based file system the root object, partition object and collection object can be treated as directory objects.
The task of access control in a network storage system is to manage users' access rights while sharing system resources to the greatest possible extent, and to prevent illegal operations by users, in particular theft of confidential information. Users' access rights are managed through access control lists (ACLs) by associating an ACL with the controlled data object. When a user accesses a data object, the ACL of that data object is queried; if an access control entry for this user is found and it holds the right for the requested operation, the user's operation is carried out, otherwise the user's request is refused.
Current access control methods for network storage systems mostly have a security and policy manager perform centralized permission checks on users' access operations and issue corresponding authorization certificates, for example the object storage device command standard proposed by the T10 technical committee (SCSI Object-Based Storage Device Commands-2 (OSD-2), Project T10/1729-D, revision 3, T10 Technical Committee, NCITS, January 2008), in which a single centralized ACL is maintained and managed by the security and policy manager. For a PB-scale large storage system this obviously forms a performance bottleneck and greatly limits the performance and scalability of the network storage system.
Summary of the invention
The present invention provides an access control method for a network storage device that solves the problem of existing access control methods, in which a single centralized ACL maintained and managed by the security and policy manager forms a performance bottleneck and limits the performance and scalability of the network storage system, and gives the storage system a more flexible and effective access control mechanism.
In the present invention, a parent object is a set of child objects. In an ordinary file system a directory is the parent object of the subdirectories and files it contains; in an object-based file system the root object, partition object and collection object can be parent objects. A child object is defined relative to a parent object: it is an object contained by the parent object.
In the present invention, the correspondence between users and roles is many-to-many: a user can belong to one or more roles, and a role can contain one or more users. Roles are ranked by priority, and the definition of the priority is decided by the specific application system.
The access control method for a network storage device of the present invention comprises an object creation step and an object operation step. The object creation step is carried out first; only after the object creation step is completed can the device respond to a user's object operation request and begin the object operation step. The network storage device is an object storage device or a network-attached storage device; it stores the data objects and directory objects that users need and externally provides a standard object interface or file interface. The method is characterized in that:
One. The data objects and directory objects consist of an attribute part and a data part. The attribute part includes the data creator, the data size and the ACL. The ACL comprises a head, a control area and an extension area index; the ACL in the attribute part of a directory object additionally has an inherit area.
The head comprises an ACL byte count field, an inherit flag, an inherit object number, an extension flag, a control-area entry count field and an inherit-area entry count field. The ACL byte count field indicates the number of bytes occupied by the ACL and its extension area. The inherit flag field indicates whether the ACL of this data object has the dynamic inheritance attribute. The inherit object number field specifies the object number of the parent object to which this data object belongs and is used to find the parent object during dynamic inheritance. The extension flag field indicates whether this object's ACL has been extended. The control-area entry count field indicates the number of access control entries of all kinds contained in the control area of the ACL, and the inherit-area entry count field indicates the number of access control entries of all kinds contained in the inherit area of the ACL.
The control area consists of a number of access control entries; access control entries are divided into user access control entries and role access control entries.
The extension area index comprises two fields, a start block number and a contiguous block count, which indicate respectively the physical block number of the extension area on the storage device and the number of contiguous blocks; the extension area holds additional user access control entries and role access control entries.
The inherit area consists of a number of access control entries, divided into user access control entries and role access control entries, which are provided for child objects to inherit.
Each user access control entry and role access control entry consists of a user or role identification field and a rights field; the rights field limits the operating rights of the user or role with its own permission mask.
Two. The object creation step proceeds as follows:
(2.1) Read the ACL of the parent object: when the network storage device receives a user's create-object request, it reads the ACL of the parent object of the data object or directory object to be created.
(2.2) Check the create right: check whether this user has the right to create objects under this parent object; if so, carry out the creation and go to (2.3); otherwise refuse the create request.
(2.3) Initialize the object information: allocate space on the network storage device for the data object or directory object to be created; in the attribute part set this user as the data creator and set the data size to 0; in the control area of the ACL add a user access control entry for the creator granting all rights, and set the control-area entry count field to 1; set both the start block number and the contiguous block count fields of the ACL extension area index to 0.
(2.4) Check whether the static inheritance flag is set: check whether the static inheritance attribute field of the user's create-object request is set; if so, go to (2.5), otherwise end.
(2.5) Static inheritance: add the access control entries of the parent object's inherit area to the control area of the ACL of the created data object or directory object, update the control-area entry count field accordingly, and end.
Three. The object operation step proceeds as follows:
(3.1) Read the access control list: when the network storage device receives a user's operation request, it reads the control area of the ACL of the data object or directory object requested by this user.
(3.2) Check whether a user access control entry exists: search the control area for the user access control entry corresponding to this user; if it exists, go to (3.3); otherwise go to (3.4).
(3.3) Check the operating right: check whether the user, or the role the user belongs to, has the requested operating right on this data object or directory object; if so, carry out the user's operation request and end; otherwise refuse the user's operation request and end.
(3.4) Check whether a role access control entry exists: search the control area for a role access control entry corresponding to a role this user belongs to; if one exists, select the role access control entry of the highest-priority role among them and go to (3.3); otherwise go to (3.5).
(3.5) Check whether the inherit flag is set: check whether the inherit flag in the ACL head of the data object or directory object requested by this user is set; if so, go to (3.6); otherwise refuse the user's operation request and end.
(3.6) Read the parent object's ACL: find the parent object of this data object according to the inherit object number in the ACL of the data object or directory object requested by this user, read the inherit area of the parent object's ACL, and go to (3.2).
The present invention proposes inheritance rules for access control entries, which increase the flexibility of data access control and at the same time simplify the management of access control lists. A child object can inherit the access control entries of its parent object in two ways, static inheritance and dynamic inheritance. Static inheritance takes place when a data object or directory object is created and is requested by the user's create command: the access control entries in the inherit area of the parent object to be inherited from are copied into the control area of the ACL of the new data object or directory object. Dynamic inheritance takes place during permission checking: the child object keeps no copy of the parent object's access control entries; instead, when permissions are checked, the access control entries of the parent object's inherit area are read as needed and used for the check.
The inherit area exists only in the ACL of directory objects and is provided for child objects to inherit. Because a data object is the object that finally stores the data, it has no child objects, so the ACL of a data object has no inherit area, or in other words its inherit area is empty.
Clearly, permission checking with static inheritance is faster than with dynamic inheritance. But because with static inheritance the child object keeps a copy of the parent object's access control entries, its consistency maintenance and space overhead are larger. A suitable inheritance strategy can be chosen according to the practical application.
The present invention specifies the priority of access control entries, which resolves authorization conflicts between entries. An access control entry in the control area of an object's ACL has higher priority than an access control entry in the inherit area of the parent object; within the control area or the inherit area, a user access control entry has higher priority than a role access control entry. For example, an ACL may contain both an entry for a certain user and an entry for a role that user belongs to; at the same time, the ACL of a data object may itself contain an entry for a certain user or role while the parent object from which the data object inherits also contains an entry for the same user or role. When a user belongs to several roles, the access control entry is determined by role priority: access control is carried out according to the entry of the higher-priority role.
The present invention also provides an ACL extension scheme, to meet the need to control access for a large number of users and roles in large-scale storage systems. When the space of the control area is limited, the remaining access control entries are stored elsewhere on the disk and are found through the extension area index field. The extension area index consists of two parts, a start block number and a contiguous block count, which indicate respectively the physical block number of the extension area on the storage device and the number of contiguous blocks. In practical applications every piece of data has its main group of visitors, so the access control entries of the users or roles that access it frequently can be stored in the control area of the ACL while the other entries are reached through the extension area index.
The present invention introduces an autonomous access control mechanism for the network storage device: the ACL is stored together with the data as a security attribute of the data object, and when the data a user wants to operate on is read, the corresponding ACL is located with it. This realizes distributed access control, removes the bottleneck of centralized access control by the policy and security manager, and dramatically reduces the access control overhead of the distributed storage system.
Description of drawings
Fig. 1 is the disk layout diagram of the object storage device to which the present invention relates;
Fig. 2 is a sketch of the object lookup procedure in the object storage device to which the present invention relates;
Fig. 3 is a sketch of the storage structure of the root object in the object storage device to which the present invention relates;
Fig. 4(a) is a sketch of the storage structure of a small user object in the object storage device to which the present invention relates;
Fig. 4(b) is a sketch of the storage structure of a large user object in the object storage device to which the present invention relates;
Fig. 5 is a sketch of the storage structure of the ACL of the present invention;
Fig. 6 is a flow block diagram of the present invention;
Fig. 7 is a flow chart of the object creation step of the present invention;
Fig. 8 is a flow chart of the object operation step of the present invention.
Detailed description
The present invention is further described below in conjunction with the accompanying drawings.
The on-disk data layout of the object storage device is shown in Fig. 1 and is divided into three parts: the superblock, the B-tree area and the data area. The object storage device organizes data with the block as the smallest unit; the block size defaults to 4KB, can also be set by the administrator when the disk is formatted, and is recorded in the block size field of the superblock. The superblock is a single block that holds the basic information of the file system, including the block size, total number of blocks, number of free blocks, number of objects, the object partition index table, the location of the root object node, the number of free areas and the free area index table. The object partition index table is the starting point for looking up objects and indicates the location of the B-tree root node of each partition; the free area index table is responsible for finding and organizing the free space of the device. The B-tree area comprises several contiguous blocks and consists of an area header and several B-tree nodes; B-tree nodes are divided into leaf nodes, root nodes and intermediate nodes. Each B-tree node contains a header and several B-tree lookup items, and a lookup item is a combination of a key and a position value: for a leaf node the position value is the block number of the object node being looked up, and for a root node or intermediate node the position value points to a B-tree node one level down. The data area comprises several contiguous blocks and is used to store data objects and directory objects.
The concrete object lookup procedure in this object storage device is shown in Fig. 2. The object operation request sent by the user contains the partition number and object number of the object to be looked up, 5 and 63 respectively in the figure. According to partition number 5, the B-tree root node corresponding to partition 5 is found in the object partition index table of the superblock. In a root node or intermediate node each lookup item consists of a key and a B-tree node index, where the node index points to the subtree of keys less than or equal to that key: in the root node of the figure, the node index for key 59 points to the subtree with keys less than or equal to 59, and the node index for key 97 points to the subtree with keys greater than 59 and less than or equal to 97. The lookup recurses level by level until the key 63 is found in a leaf node, and the object is then located by the block number of the object node that follows the key. If the object number cannot be found in the final leaf node, the lookup fails and the object does not exist.
This object storage device stores four kinds of objects: the root object, partition objects, collection objects and user objects. Each object storage device stores exactly one root object, which holds some global attributes of the object storage device logical unit. The root object structure is shown in Fig. 3 and consists of an attribute description area, an ACL and the root object attributes. In this storage device, attributes are stored at the front of the data as part of the data. The attribute description area holds the global attributes of the object attributes: it specifies, for each kind of object, the metadata of the attribute pages and attributes, that is, the offset address in the object data of each attribute in each attribute page. The attribute description area consists of five parts: the first holds the global information of the attribute description blocks, specifying for each object type the offset of its attribute description block, the number of attribute pages, the number of attributes and the object attribute size; the next four parts are the attribute description blocks of the root object, partition object, collection object and user object respectively, each consisting of page metadata and attribute metadata. To read or write an attribute of a certain class of object, first find the attribute description block of the corresponding object according to the object type and the object attribute description block offset table; then find the corresponding page metadata according to the attribute page number, determine the address of the attribute metadata in that attribute page, and look up the attribute number in that page; finally obtain the offset address and size of the attribute in the data and read or write the corresponding bytes of the data to complete the attribute operation. The ACL of the root object is mainly provided for partition objects to inherit and for coarse-grained access control of the whole storage device.
A user object is the object that actually contains user data; its structure, shown in Fig. 4(a) and Fig. 4(b), consists of an object header, an ACL and a data field. The object header contains information such as the object node number, the partition number and user number it belongs to, the object size, the share count and the number of regions. In one specific embodiment the object header occupies 44 bytes in total and the ACL 986 bytes. The data field does not necessarily store the data itself: when the data of a user object is smaller than or equal to a certain threshold, it is called a small user object and its data is stored directly in the data field of the object node, as shown in Fig. 4(a); when the data of a user object is larger than that threshold, it is called a large user object, its data is stored in several contiguous regions of the disk, and the data field holds the index information of those regions (the disk start block number and contiguous block count of each), as shown in Fig. 4(b). The threshold is the object node size minus the sizes of the object header and the ACL.
As described above, the present invention stores the ACL together with the object as the object's security attribute; when the object the user wants to operate on is read from disk, the object's ACL is obtained with it, which greatly reduces the overhead of distributed access control.
To increase the flexibility of object access control while simplifying the management of access control lists, inheritance rules for access control entries are proposed: a child object can, as needed, inherit the access control entries in the inherit area of its parent object's ACL. In the object storage system described above, the root object is the parent object of partition objects, a partition object is the parent object of collection objects and user objects, and a collection object can also be the parent object of user objects. So a user object can inherit the entries in the inherit areas of the partition object and collection object ACLs, a collection object can inherit the entries in the inherit area of the partition object ACL, and a partition object can inherit the entries in the inherit area of the root object ACL. Inheritance of access control entries allows thousands of objects with the same access control attributes to share the entries of their common parent object, which simplifies access control management.
Inheritance of access control entries comes in two kinds, static and dynamic. Static inheritance takes place when the object is created: the entries in the inherit area of the parent object to be inherited from are copied into the control area of this object's ACL. Dynamic inheritance takes place during permission checking: the child object keeps no copy of the parent object's entries; instead the entries in the inherit area of the parent object's ACL are read as needed during the check. Clearly, permission checking with static inheritance is faster than with dynamic inheritance, since the parent object's ACL need not be read during the check as it is with dynamic inheritance. But because static inheritance keeps a copy of the parent object's entries, its consistency maintenance overhead is larger. A suitable inheritance strategy can be chosen according to the practical application, for example: in the inherit area of a parent object's ACL, entries that are used frequently but rarely change can be inherited statically, while entries that are rarely used or change frequently can be inherited dynamically.
As shown in Fig. 5, the ACL comprises four parts: the head, the control area, the inherit area and the extension area index. The head comprises an ACL byte count field, an inherit flag, an inherit object number, an extension flag, a control-area entry count field and an inherit-area entry count field. The ACL byte count field indicates the number of bytes occupied by the ACL and its extension area. The inherit flag field indicates whether the ACL of this object has the dynamic inheritance attribute: if the inherit flag is set, then when no entry for the user or role is found in the control area of the ACL, the search continues in the inherit area of the parent object's ACL; if nothing is found there and the parent object's ACL inherit flag is also set, the search continues upward, until the ACL of some object has its inherit flag unset. The inherit object number field specifies the object number of the parent object to which this object belongs and is used to find the parent object during dynamic inheritance. The extension flag field indicates whether this object's ACL has been extended. The control-area entry count field indicates the number of access control entries of all kinds contained in the control area of the ACL, and the inherit-area entry count field indicates the number of access control entries of all kinds contained in the inherit area of the ACL.
The control area is used to control access for users' operations and consists of a number of user access control entries and role access control entries; each entry corresponds to one user or one role and contains the user/role identification and the rights.
The inherit area likewise consists of a number of user access control entries and role access control entries and is provided specifically for child objects to inherit; because a user object is the object that finally stores the data, it has no child objects, so the ACL of a user object has no inherit area.
The extension area index comprises two fields, a start block number and a contiguous block count, used to extend the access control list; they indicate respectively the physical block number of the ACL extension area on the device and the number of contiguous blocks. The fields of the extension area index are meaningful only when the extension flag in the head is set.
An ACL may contain both an entry for a certain user and an entry for a role that user belongs to; at the same time, the ACL of an object may itself contain an entry for a certain user or role while the parent object from which the object inherits also contains an entry for the same user or role. In these cases authorization conflicts between access control entries may occur. For this reason we define the priority of access control entries: an object's own access control entry has higher priority than an inherited entry, and a user access control entry has higher priority than a group or role access control entry. That is, once a corresponding entry is found in the object's own ACL, the inherited entries are no longer searched (even if the inherit flag is set), and where both a user entry and an entry for one of the user's roles exist, the user entry prevails. When a user belongs to several roles, the entry is determined by role priority and access control is carried out according to the entry of the higher-priority role; the definition of role priority is decided by the specific application system.
As shown in Fig. 6, the present invention comprises an object creation step and an object operation step; the object creation step is carried out first, and only after it is completed can the device respond to a user's object operation request and begin the object operation step.
The object creation step is shown in Fig. 7. When the object storage device receives a user's create-object request, it first reads the ACL of the parent object of the object to be created and checks whether this user has the right to create objects under that parent object. If not, the create request is refused. If so, the creation proceeds: space is allocated on the object storage device for the object to be created; in the attribute part this user is set as the creator and the data size is set to 0; in the control area of the ACL a user access control entry is added for the creator granting all rights, the control-area entry count field is set to 1, and both the start block number and contiguous block count fields of the ACL extension area index are set to 0. After the basic information of the new object has been initialized, the static inheritance attribute field of the user's create-object request is checked: if it is not set, object creation ends; if it is set, the entries of the parent object's inherit area are added to the control area of the created object's ACL, the control-area entry count field is updated accordingly, and object creation ends.
The object operation step is shown in Fig. 8. When the object storage device receives a user's object operation request, it first reads the control area of the ACL of the object requested by this user and searches it for the user access control entry corresponding to this user. If it exists, the device checks whether the user has the requested operating right on this object. If it does not exist, the control area is searched for a role access control entry corresponding to a role this user belongs to; if one is found, the permission check is made according to the entry of the highest-priority role among them. If no role entry exists for the user either, and the inherit flag in the ACL head of the requested object is set, the parent object of this object is found according to the inherit object number in the ACL of the requested object and access control is carried out using the inherit area of the parent object's ACL, and so on, until the ACL of some parent object has its inherit flag unset, at which point the user's operation request is refused.

Claims (1)

1. An access control method for a network storage device, comprising an object creation step and an object operation step, wherein the object creation step is performed first and, only after the object creation step has completed, a user's object operation request can be responded to and the object operation step begun; the network storage device is an object storage device or a network-attached storage device, stores the data objects and directory objects required by users, and externally provides a standard object interface or file interface; characterised in that:
One. The data objects and directory objects each consist of an attribute section and a data section; the attribute section comprises the data creator, the data size and an access control list (ACL); the ACL comprises a header, a control area and an extension-area index; the ACL in the attribute section of a directory object additionally has an inherit area;
The header comprises an ACL byte-count field, an inherit attribute field, an inherit object number field, an extension flag field, a control-area entry count field and an inherit-area entry count field. The ACL byte-count field indicates the number of bytes occupied by the ACL and its extension area; the inherit attribute field indicates whether this data object's ACL has the dynamic inheritance attribute; the inherit object number field gives the object number of the parent object to which this data object belongs and is used to locate the parent object during dynamic inheritance; the extension flag field indicates whether this object's ACL has been extended; the control-area entry count field indicates the number of access control entries of each kind contained in the control area of the ACL; the inherit-area entry count field indicates the number of access control entries of each kind contained in the inherit area of the ACL;
The control area consists of a number of access control entries, which are divided into user access control entries and role access control entries;
The extension-area index comprises two fields, a start block number and a number of contiguous blocks, which respectively indicate the physical block number of the extension area on the storage device and the number of contiguous blocks it occupies; the extension area is used to hold additional user access control entries and role access control entries;
The inherit area consists of a number of access control entries, divided into user access control entries and role access control entries, and is provided for child objects to inherit;
Each user access control entry and role access control entry consists of a user or role identifier field and a rights field; the rights field limits the operations permitted to the user or role by means of a permission mask;
Two. The object creation step proceeds as follows:
(2.1) Read the parent object's ACL: when the network storage device receives a user's create-object request, it reads the ACL of the parent object under which the data object or directory object is to be created;
(2.2) Check for create permission: check whether the user has the right to create objects under this parent object; if so, carry out the creation operation and go to step (2.3); otherwise refuse the create-object request;
(2.3) Initialise the object information: allocate space on the network storage device for the data object or directory object to be created; in the attribute section, record this user as the data creator and set the data size to 0; in the control area of the ACL, add a user access control entry for the creator granting all rights, and set the control-area entry count field to 1; set the start block number and number-of-contiguous-blocks fields of the ACL extension-area index to 0;
(2.4) Check whether the static inheritance flag is set: check whether the static inheritance attribute field of the user's create-object request is set; if so, go to step (2.5); otherwise end;
(2.5) Static inheritance: add the access control entries of the parent object's inherit area to the control area of the ACL of the newly created data object or directory object, update the control-area entry count field accordingly, and end;
Three. The object operation step proceeds as follows:
(3.1) Read the access control list: when the network storage device receives a user's operation request, read the control area of the ACL of the data object or directory object the user requested;
(3.2) Check whether a user access control entry exists: search the control area for a user access control entry for this user; if one exists, go to step (3.3); otherwise go to step (3.4);
(3.3) Check for operation permission: check whether the user, or the role the user belongs to, has the right to perform the requested operation on this data object or directory object; if so, carry out the user's operation request and end; otherwise refuse the user's operation request and end;
(3.4) Check whether a role access control entry exists: search the control area for role access control entries for the roles this user belongs to; if any exist, select the role access control entry of the highest-priority role among them and go to step (3.3); otherwise go to step (3.5);
(3.5) Check whether the inherit flag is set: check whether the inherit flag in the ACL header of the data object or directory object the user requested is set; if so, go to step (3.6); otherwise refuse the user's operation request and end;
(3.6) Read the parent object's ACL: locate the parent object of this data object using the inherit object number in the ACL of the data object or directory object the user requested, read the inherit area of that parent object's ACL, and return to step (3.2) with that inherit area as the area searched.
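The object creation and object operation steps, as described above and in steps (2.1) to (3.6) of the claim, modelled in Python. This is an added example and not code from the patent or its applicant. The permission-mask bit values, the role priority table, the names of the create-request flags (static_inherit, dynamic_inherit), the cycle guard on the parent walk, and the rule that creation under a parent is authorised from the parent's own control area are assumptions; the patent leaves role priority to the application system and does not discuss cycles.

```python
# Model of the per-object ACL and of the patent's two steps (added example, not the
# patent's code). Assumed: permission-mask bit values, the role priority table, the
# request-flag names, the cycle guard, and that creation under a parent is authorised
# from the parent's own control area.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

READ, WRITE, CREATE = 0x1, 0x2, 0x4          # permission-mask bits (assumed values)
ALL = READ | WRITE | CREATE
ROLE_PRIORITY = {"admin": 3, "editor": 2, "viewer": 1}   # "decided by the application system" (assumed)


@dataclass
class ACE:
    """Access control entry: identifier field plus rights field (permission mask)."""
    kind: str                                 # "user" or "role"
    ident: str
    mask: int


@dataclass
class ACL:
    """Header fields named in the claim plus the control and inherit areas."""
    inherit_attr: bool = False                # header: dynamic-inheritance attribute
    inherit_obj_no: Optional[int] = None      # header: parent object number
    ext_start_block: int = 0                  # extension-area index: start block number
    ext_block_count: int = 0                  # extension-area index: contiguous blocks
    control: List[ACE] = field(default_factory=list)   # control area
    inherit: List[ACE] = field(default_factory=list)   # inherit area (directory objects)

    @property
    def control_count(self) -> int:           # header: control-area entry count field
        return len(self.control)


@dataclass
class StorageObject:
    obj_no: int
    creator: str                              # attribute section: data creator
    size: int = 0                             # attribute section: data size
    is_dir: bool = False
    acl: ACL = field(default_factory=ACL)


def lookup_mask(area: List[ACE], user: str, roles: Set[str]) -> Optional[int]:
    """Entry priority inside one area (steps 3.2 and 3.4): a user entry wins outright,
    otherwise the entry of the highest-priority role the user holds, else None."""
    for ace in area:
        if ace.kind == "user" and ace.ident == user:
            return ace.mask
    role_aces = [a for a in area if a.kind == "role" and a.ident in roles]
    if not role_aces:
        return None
    return max(role_aces, key=lambda a: ROLE_PRIORITY.get(a.ident, 0)).mask


def check_access(store: Dict[int, StorageObject], obj_no: int, user: str,
                 roles: Set[str], op: int) -> bool:
    """Object operation step (3.1-3.6): search the object's own control area, then,
    while the inherit flag is set, the inherit area of each successive parent.
    The first matching entry decides; a more permissive entry further up never overrides it."""
    acl = store[obj_no].acl
    mask = lookup_mask(acl.control, user, roles)
    seen = {obj_no}                           # cycle guard (assumption; not in the patent)
    while mask is None:
        parent_no = acl.inherit_obj_no
        if not acl.inherit_attr or parent_no is None or parent_no in seen or parent_no not in store:
            return False                      # step 3.5: no usable dynamic inheritance -> refuse
        seen.add(parent_no)
        acl = store[parent_no].acl
        mask = lookup_mask(acl.inherit, user, roles)   # step 3.6: parent's inherit area
    return (mask & op) == op                  # step 3.3: every requested bit must be granted


def create_object(store: Dict[int, StorageObject], parent_no: int, user: str, roles: Set[str],
                  static_inherit: bool, dynamic_inherit: bool, is_dir: bool = False) -> StorageObject:
    """Object creation step (2.1-2.5). The two inherit flags stand in for the fields the
    patent says arrive with the create request (names assumed)."""
    if not check_access(store, parent_no, user, roles, CREATE):          # steps 2.1-2.2
        raise PermissionError(f"{user} may not create objects under object {parent_no}")
    acl = ACL(inherit_attr=dynamic_inherit, inherit_obj_no=parent_no,
              control=[ACE("user", user, ALL)])                           # step 2.3: creator gets all rights
    if static_inherit:                                                    # steps 2.4-2.5
        acl.control.extend(store[parent_no].acl.inherit)                  # copied once; later parent edits do not propagate
    obj = StorageObject(max(store) + 1, creator=user, size=0, is_dir=is_dir, acl=acl)
    store[obj.obj_no] = obj
    return obj


def build_sample_store() -> Dict[int, StorageObject]:
    """Constructed sample: root directory 1, owned by admin, whose inherit area grants
    editors read+write, viewers read, and user bob read only."""
    root = StorageObject(1, creator="admin", is_dir=True, acl=ACL(
        control=[ACE("user", "admin", ALL)],
        inherit=[ACE("role", "editor", READ | WRITE), ACE("role", "viewer", READ),
                 ACE("user", "bob", READ)]))
    return {1: root}


if __name__ == "__main__":
    store = build_sample_store()
    f = create_object(store, 1, "admin", set(), static_inherit=False, dynamic_inherit=True)
    print(check_access(store, f.obj_no, "alice", {"viewer", "editor"}, WRITE))  # editor outranks viewer
    print(check_access(store, f.obj_no, "bob", {"editor"}, WRITE))              # user entry beats role entry
```

Three behaviours of the scheme are visible here and are worth checking in any implementation: bob's read-only user entry in the root's inherit area overrides the read+write entry of his editor role, because user entries beat role entries; an object created with neither inheritance flag grants rights only to its creator, because the object's own control area is always consulted first and the walk to the parent only happens when the dynamic-inheritance attribute is set; and a static copy freezes the parent's inherit area at creation time, so rights later revoked on the parent remain on the child until its own ACL is edited.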

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102723589A CN101674334B (en) 2009-09-30 2009-09-30 Access control method of network storage equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102723589A CN101674334B (en) 2009-09-30 2009-09-30 Access control method of network storage equipment

Publications (2)

Publication Number Publication Date
CN101674334A CN101674334A (en) 2010-03-17
CN101674334B true CN101674334B (en) 2012-05-23

Family

ID=42021318

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102723589A Active CN101674334B (en) 2009-09-30 2009-09-30 Access control method of network storage equipment

Country Status (1)

Country Link
CN (1) CN101674334B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5659051B2 (en) * 2011-03-17 2015-01-28 Toshiba Corporation Communication medium, IC card, and communication method
CN103078845B (en) * 2012-12-19 2017-05-10 Huawei Technologies Co., Ltd. Method for checking an access control list (ACL), and shared storage system
CN103064957B (en) * 2012-12-28 2016-06-15 Huawei Technologies Co., Ltd. Method and client for implementing an ACL
CN103631930A (en) * 2013-12-06 2014-03-12 Beijing Jingdong Shangke Information Technology Co., Ltd. Statistical method and statistical system for search engine space occupation
CN103677829B (en) * 2013-12-13 2016-08-17 Beijing Toyou Feiji Electronics Co., Ltd. Method for access control of object operations
CN108292346A (en) * 2015-11-25 2018-07-17 Carrier Corporation Extracting physical access control policies from static permissions and access events
CN106250762A (en) * 2016-07-18 2016-12-21 LeEco Holdings (Beijing) Co., Ltd. Method and system for preventing illegal references to storage objects
CN106652153B (en) * 2016-10-17 2019-03-26 Shenzhen Suicai Technology Development Co., Ltd. Scalable lottery ticket retrieval and payout method and system
CN106682186B (en) * 2016-12-29 2020-06-16 Huawei Technologies Co., Ltd. File access control list management method and related device and system
CN108268790A (en) * 2016-12-30 2018-07-10 Beijing Gridsum Technology Co., Ltd. Method and device for configuring data permissions
CN106940715B (en) * 2017-03-09 2019-11-15 Transwarp Information Technology (Shanghai) Co., Ltd. Method and apparatus for querying based on an index table
US10754971B2 (en) * 2017-04-21 2020-08-25 Google Llc Referenced access control list
CN107277016B (en) * 2017-06-22 2020-05-29 Zhengzhou Yunhai Information Technology Co., Ltd. Permission verification method and device
CN107403105B (en) * 2017-06-30 2020-09-04 Huawei Technologies Co., Ltd. Permission setting method and device for file system
CN110858833B (en) * 2018-08-22 2022-09-30 BOE Technology Group Co., Ltd. Access control policy configuration method, device and system, and storage medium
CN109522365B (en) * 2018-10-18 2021-06-22 Sichuan University Data table in an information management system and distributed field-level access control method therefor
CN109669640B (en) * 2018-12-24 2023-05-23 Zhejiang Dahua Technology Co., Ltd. Data storage method, device, electronic equipment and medium
CN111245933A (en) * 2020-01-10 2020-06-05 Shanghai Datatom Information Technology Co., Ltd. Log-based method for implementing append writes in object storage

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1728665A (en) * 2005-07-26 2006-02-01 Huazhong University of Science and Technology Expandable storage system and control method based on objects
CN101464901A (en) * 2009-01-16 2009-06-24 Huazhong University of Science and Technology Object search method in object storage device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Huili et al., Research and implementation of attribute management in an object-based storage system, Application Research of Computers (计算机应用研究), 2007, vol. 24, no. 11, pp. 188-190. *

Also Published As

Publication number Publication date
CN101674334A (en) 2010-03-17

Similar Documents

Publication Publication Date Title
CN101674334B (en) Access control method of network storage equipment
US9672267B2 (en) Hybrid data management system and method for managing large, varying datasets
US9641334B2 (en) Method and apparatus for ascertaining data access permission of groups of users to groups of data elements
RU2408070C2 (en) Detectability and listing mechanism in hierarchically protected data storage system
US7831643B1 (en) System, method and computer program product for multi-level file-sharing by concurrent users
CN100470522C (en) Methods and apparatus for accessing content in a virtual pool on a content addressable storage system
US8271530B2 (en) Method and mechanism for managing and accessing static and dynamic data
CN103812939B (en) Big data storage system
CN100456311C (en) System and method for actualizing content-based file system security
CN111108493A (en) System, method, and apparatus for simplifying file system operations using key-value storage systems
CN104123359A (en) Resource management method of distributed object storage system
US20080034438A1 (en) Multiple hierarchy access control method
US20180145983A1 (en) Distributed data storage system using a common manifest for storing and accessing versions of an object
CN101316273A (en) Distributed safety memory system
CN1531303A (en) Caching system and method at user terminal without protocol concerned
US9430490B1 (en) Multi-tenant secure data deduplication using data association tables
CN106844584B (en) Metadata structure, operation method, positioning method and segmentation method based on metadata structure
WO2012090189A1 (en) Method and apparatus for ascertaining data access permission of groups of users to groups of data elements
EP2332081A2 (en) Storage tiers for database server system
KR100622130B1 (en) Crash recovery system and method for a distributed file server using object based storage
US11720607B2 (en) System for lightweight objects
US20120109987A1 (en) Remote file sharing based on content filtering
US20060206484A1 (en) Method for preserving consistency between worm file attributes and information in management servers
US8146155B1 (en) Controlling access to content on an object addressable storage system
US9009731B2 (en) Conversion of lightweight object to a heavyweight object

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant