CN107292188A - A kind of method and apparatus for controlling access privilege - Google Patents

Publication number
CN107292188A
Authority
CN
China
Prior art keywords
acquisition
clause
user
restricted information
row
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610225284.3A
Other languages
Chinese (zh)
Inventor
王超
徐安华
李少辉
冯是聪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Mininglamp Software System Co ltd
Original Assignee
Beijing Mininglamp Software System Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Mininglamp Software System Co ltd
Priority to CN201610225284.3A
Publication of CN107292188A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Disclosed herein are a method and an apparatus for controlling access privileges. The method includes: obtaining an SQL request that carries a Structured Query Language (SQL) statement and user information; obtaining, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried; obtaining, from the obtained user information, the corresponding user's row restriction information for tables; adding the user's row restriction information for the table to be queried at the obtained position; and parsing the SQL statement to which the user's row restriction information has been added, so as to filter out the information that the user is not allowed to view. The embodiments of the present application filter data at the row level more quickly and conveniently, so that big data delivers greater value.

Description

A kind of method and apparatus for controlling access privilege
Technical field
The present invention relates to the field of big data applications, and in particular to a method and apparatus for controlling access privileges.
Background art
As big data technology is applied in ever more fields, data volumes keep growing, and the security of data in use has become a top priority in the big data application field. More sensitive data (for example in finance, government, banking, public security systems and communications) generally needs a higher level of protection when it is used, to ensure its security. At present, protecting data in these fields generally requires row-level permission protection to filter out some of the sensitive data and to give users a safer, open and effective big data access platform, so that data can be interconnected more effectively and big data can deliver greater value.
Existing row-level permission protection takes one of two approaches: controlling user access privileges in a functional module, and controlling permissions through views. The functional-module approach enforces permissions at the application level, restricting access by adding the where keyword in the application. It can only enforce control at the application level, however; if the application is bypassed, nothing is controlled. The view approach enforces permissions through views (a database generally contains tables and views; a table stores data, whereas a view stores none, and operating on the data in a view actually operates on the associated table), adding the where keyword to the query statement. With this approach, however, changes to the table structure or to permissions are hard to carry out and require a large amount of coding, and the system has little flexibility to fit the user management system: once the permission logic changes, the permission system may have to be modified, and every view with it.
Therefore, how to filter data at the row level more quickly and conveniently has become an urgent problem to be solved.
Summary of the invention
The present application provides a method and apparatus for controlling access privileges that filter data at the row level more quickly and conveniently, so that big data can deliver greater value.
To achieve the purpose of the present application, the present application provides a method for controlling access privileges, including:
obtaining an SQL request that carries a Structured Query Language (SQL) statement and user information;
obtaining, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried;
obtaining, from the obtained user information, the corresponding user's row restriction information for tables;
adding the user's row restriction information for the obtained table to be queried at the obtained position;
parsing the SQL statement to which the user's row restriction information has been added, so as to filter out the information that the user is not allowed to view.
Optionally, obtaining from the obtained SQL statement the position at which row restriction information needs to be added includes:
performing lexical analysis on the SQL statement to obtain a token stream;
determining, from the obtained token stream, the positions of the select clause, the from clause and the where clause in the SQL statement;
using the position of the where clause in the SQL statement as the position at which row restriction information needs to be added.
Optionally, obtaining from the obtained SQL statement the table to be queried includes:
performing syntactic parsing on the obtained token stream to generate a syntax tree;
looking up, in the generated syntax tree and according to the obtained position of the from clause in the SQL statement, the table queried in the from clause, and using the table found as the table to be queried.
Optionally, adding the user's row restriction information for the obtained table to be queried at the obtained position includes:
looking up, in the obtained row restriction information of the user for tables, the row restriction information of the table that corresponds to the table queried in the from clause;
adding the row restriction information found for that table to the where clause of the SQL statement.
Optionally, before the method, the following is also included: obtaining the user's row restriction information for tables in a big data query engine;
storing the user information in correspondence with the obtained row restriction information of the user for tables.
Optionally, the user information and the obtained row restriction information of the user for tables are stored in correspondence in the relational database management system MySQL.
The present application also provides an apparatus for controlling access privileges, including an acquisition module, a parsing module, a determining module, an adding module and a filtering module, wherein:
the acquisition module is configured to obtain an SQL request that carries a Structured Query Language (SQL) statement and user information;
the parsing module is configured to obtain, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried;
the determining module is configured to obtain, from the obtained user information, the corresponding user's row restriction information for tables;
the adding module is configured to add the user's row restriction information for the obtained table to be queried at the obtained position;
the filtering module is configured to parse the SQL statement to which the user's row restriction information has been added, so as to filter out the information that the user is not allowed to view.
Optionally, the parsing module includes a lexical analysis unit, configured to perform lexical analysis on the SQL statement to obtain a token stream;
determine, from the obtained token stream, the positions of the select clause, the from clause and the where clause in the SQL statement;
and use the position of the where clause in the SQL statement as the position at which row restriction information needs to be added.
Optionally, the parsing module also includes a syntax parsing unit, configured to perform syntactic parsing on the obtained token stream to generate a syntax tree;
and to look up, in the generated syntax tree and according to the obtained position of the from clause in the SQL statement, the table queried in the from clause, and use the table found as the table to be queried.
Optionally, the adding module is specifically configured to:
look up, in the obtained row restriction information of the user for tables, the row restriction information of the table that corresponds to the table queried in the from clause;
add the row restriction information found for that table to the where clause of the SQL statement.
Optionally, the apparatus also includes a storage module, configured to obtain the user's row restriction information for tables in a big data query engine, and to store the user information in correspondence with the obtained row restriction information of the user for tables.
Optionally, the storage module is specifically configured to store the user information and the obtained row restriction information of the user for tables in correspondence in the relational database management system MySQL.
The embodiments of the present application include: obtaining an SQL request that carries a Structured Query Language (SQL) statement and user information; obtaining, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried; obtaining, from the obtained user information, the corresponding user's row restriction information for tables; adding the user's row restriction information for the obtained table to be queried at the obtained position; and parsing the SQL statement to which the user's row restriction information has been added, so as to filter out the information that the user is not allowed to view. The embodiments of the present application filter data at the row level more quickly and conveniently, so that big data delivers greater value.
Brief description of the drawings
The accompanying drawings described here provide a further understanding of the present invention and form a part of the present application. The illustrative embodiments of the present invention and their description serve to explain the present invention and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of the method for controlling access privileges according to the present invention;
Fig. 2 is a schematic diagram of the syntax tree of the SQL statement received according to the present invention;
Fig. 3 is a flowchart of the method for traversing the syntax tree according to the present invention;
Fig. 4 is a schematic diagram of the syntax tree of the SQL statement to which row restriction information has been added according to the present invention;
Fig. 5 is a structural diagram of the apparatus for controlling access privileges according to the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, where they do not conflict, the embodiments of the present application and the features in them may be combined with one another.
Fig. 1 is a flowchart of the method for controlling access privileges according to the present invention. As shown in Fig. 1, the method includes:
Step 101: Obtain an SQL request that carries a Structured Query Language (SQL) statement and user information.
Step 102: Obtain, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried.
Obtaining from the obtained SQL statement the position at which row restriction information needs to be added includes:
performing lexical analysis on the SQL statement to obtain a token stream;
determining, from the obtained token stream, the positions of the select clause, the from clause and the where clause in the SQL statement;
using the position of the where clause in the SQL statement as the position at which row restriction information needs to be added.
Obtaining from the obtained SQL statement the table to be queried includes:
performing syntactic parsing on the obtained token stream to generate a syntax tree;
looking up, in the generated syntax tree and according to the obtained position of the from clause in the SQL statement, the table queried in the from clause, and using the table found as the table to be queried.
Here, select, from and where are keywords of the SQL statement. select is the query keyword, and the clause that follows it names the fields to be queried; from names the table to be queried; where states the restrictions placed on the query.
For example, to query all information in shuiwu_info whose addr is shandong, the SQL statement is select * from shuiwu_info where addr='shandong', where * means all fields of shuiwu_info, that is, all columns.
The from clause is followed by the table being queried, so the table referred to here is the table that the query reads.
Step 103: Obtain, from the obtained user information, the corresponding user's row restriction information for tables.
Optionally, before the method, the following is also included:
obtaining the user's row restriction information for tables in a big data query engine;
storing the user information in correspondence with the obtained row restriction information of the user for tables.
The big data query engine may be the query engine of the data warehouse tool Hive.
The user information and the obtained row restriction information of the user for tables may be stored in correspondence in the relational database management system MySQL. They may be stored in MySQL through web services, by calling a Representational State Transfer (REST) application programming interface (API) from a web interface, or they may be inserted into MySQL directly by hand.
For example, to restrict user zhangsan to accessing only the data in table shuiwu_info whose addr field is shandong, this information (the user information is zhangsan, and only the data in table shuiwu_info whose addr field is shandong may be accessed) is stored in correspondence in MySQL.
Step 104: Add the user's row restriction information for the obtained table to be queried at the obtained position.
This step specifically includes: looking up, in the obtained row restriction information of the user for tables, the row restriction information of the table that corresponds to the table queried in the from clause;
adding the row restriction information found for that table to the where clause of the SQL statement.
Step 105: Parse the SQL statement to which the user's row restriction information has been added, so as to filter out the information that the user is not allowed to view.
It should be noted that if the original SQL statement is select * from T, the SQL statement after the user's row restriction information has been added is select * from T where id>100. In other words, a new SQL statement is obtained, so the SQL statement with the row restriction information added has to be parsed and executed once; that is, the SQL statement is processed once internally so that the user's row restriction information for the table is added to it. Functionally, this step adds the user's row restriction information for the table to the SQL statement, which ensures that the information the user is not allowed to see is filtered out. In terms of the query result, the result can be compared with the result of the statement without the restriction added.
In this embodiment of the present invention, the positions of the select clause, the from clause and the where clause of the received SQL statement and the table queried in the from clause are obtained from the statement, and the obtained row restriction information of the user for the table is added to the where clause of the SQL statement. This filters data at the row level more quickly and conveniently, so that big data delivers greater value.
Embodiment
Step one: User Zhang San (zhangsan) sends an SQL statement. The statement runs a join query over tables db1.customer and db1.merchant ((select * from db1.customer where addr='shandong') mycustomer join (select * from db1.merchant where addr='shandong') mymerchant on mycustomer.merchant_id=mymerchant.id) and then inserts the query result into table tmp.purchase_records (insert overwrite table tmp.purchase_records).
Step 2: Obtain the row permission restriction information of user Zhang San for tables, stored in advance in the relational database management system (MySQL).
Step 3: Perform lexical analysis on the received SQL statement. The analysis produces the token stream shown in Table 1.
Table 1
For example, when the SQL statement is select id, name from T where id>100, each cell of Table 1 is a structure, which may contain the from keyword and the position of the from keyword in the SQL statement: the first cell is from, the second cell is a space and the third cell is T. The first cell stores not only the keyword from but also its position in the SQL statement; likewise, the second cell stores not only the space but also the position of that space in the SQL statement.
Step 4: From the token stream generated in step 3, obtain the positions of the select, from, where and other clauses in the whole SQL statement.
Step 5: After lexical analysis, perform syntactic parsing to generate the corresponding syntax tree.
Step 6: Traverse the generated syntax tree to obtain the tables queried in the from clauses.
The abstract syntax tree generated from the SQL statement of step one is shown in Fig. 2. The syntax tree in Fig. 2 shows that the whole SQL statement contains three subquery statements. Once the whole syntax tree has been obtained, it is traversed starting from its root node. The rules for traversing the syntax tree are shown in Fig. 3 and include:
Step 201: Start the traversal from the root node.
Step 202: Determine whether the current node is a query node. If the current node is a query node, go to step 203; otherwise, go to step 209.
Step 203: Create a query_rls object and push it onto the row permission list.
Here, query_rls is the name of the class that is created. The class stores information about the corresponding query node, for example which table is queried, the alias of the table, and positions in the SQL statement.
The row permission list stores the query_rls objects.
Step 204: Obtain from the token stream the positions of the select clause, the from clause and the where clause in the SQL statement, and store them in the query_rls object.
Step 205: Assign the alias of the queried table to the query_rls object above.
For example, if the SQL statement is select T1.id, T1.name from T T1, then T1 is the alias of table T, so the alias of table T needs to be saved.
If there is no alias, the alias is set to null.
Step 206: Determine whether the queried table is an actual table. If the queried table is an actual table, go to step 207; otherwise, go to step 208.
Step 207: Assign the table name of the queried table to the query_rls object above. Go to step 209.
Step 208: Make no assignment; the value defaults to null. Go to step 209.
Step 209: Obtain the unvisited child node of the current node.
Here, subquery denotes a child node (also called a query child node), that is, a subquery statement in the SQL statement.
Step 210: Determine whether the unvisited child node obtained for the current node is empty. If it is empty, go to step 202; otherwise, go to step 211.
Step 211: Return to the parent node.
Step 212: Determine whether the parent node is empty. If the parent node is not empty, go to step 209; otherwise, end this procedure.
After the syntax tree has been traversed as above, the tables queried in the from clauses of the SQL statement are found to be db1.customer and db1.merchant. Accordingly, user zhangsan's row permission restriction information for tables db1.customer and db1.merchant is db1.customer.id<100000 and db1.merchant.id<1000 respectively.
Step 7: Add user zhangsan's row permission restriction information for tables db1.customer and db1.merchant to the where clauses.
Specifically: obtain the position of the where clause from the token stream of step 3, and, by traversing the query_rls list, add the row permission information of each table to the corresponding query statement of the SQL statement. The row permission restriction information for the currently logged-in user is thus added to the SQL automatically. The new syntax tree of the resulting SQL statement is shown in Fig. 4.
The syntax tree in Fig. 4 shows that the user's row restriction information has been added. When other users access the data, different row permission policies apply, so the data that different users can access differs and data access is restricted at the row level. For example, out of 1000 records, Zhang San is allowed to access only the first 100, while Li Si is allowed to access the first 500.
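The rewrite described in steps 101 to 105 and worked through in steps one to seven, as an added Python example that is not part of the patent text or the applicant's code: it lexes the statement into positioned tokens, records one entry per select (sub)query in the manner of the query_rls objects, and adds the user's restriction to each where clause. Assumptions: the ROW_LIMITS dictionary stands in for the MySQL store, the "{t}" placeholder and all function names are hypothetical, parenthesis depth in the token stream replaces the full syntax tree, and the bracketing of the caller's predicate and the refusal to rewrite statements with comments or quoted identifiers are additions the page does not describe.

```python
import re

# Constructed policy rows standing in for the MySQL store described above.
# "{t}" is an assumed placeholder, filled with the table's alias or name.
ROW_LIMITS = {
    ("zhangsan", "db1.customer"): "{t}.id < 100000",
    ("zhangsan", "db1.merchant"): "{t}.id < 1000",
}
# Statement of step one, assembled here from the fragments quoted on the page.
STEP_ONE_SQL = (
    "insert overwrite table tmp.purchase_records select * from "
    "(select * from db1.customer where addr='shandong') mycustomer join "
    "(select * from db1.merchant where addr='shandong') mymerchant "
    "on mycustomer.merchant_id = mymerchant.id")
# A string literal is one token, so a keyword inside it is never a clause.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|--|/\*|[A-Za-z_][\w.]*|\d+|[<>!]=|<>|\S")
KEYWORDS = {"select", "from", "where", "join", "on", "as", "group", "order",
            "having", "limit", "union", "inner", "left", "right", "full",
            "cross", "outer"}
WHERE_END = {"group", "order", "having", "limit", "union"}


def lex(sql):
    """Token stream of (lower-cased text, start, end); whitespace is skipped."""
    tokens = [(m.group().lower(), m.start(), m.end())
              for m in TOKEN_RE.finditer(sql)]
    # Fail closed on syntax this small lexer cannot position reliably.
    if any(text in ("--", "/*", "`", '"') for text, _, _ in tokens):
        raise ValueError("comments or quoted identifiers: refusing to rewrite")
    return tokens


def find_queries(tokens):
    """One record per select (sub)query, like the page's query_rls objects."""
    found, stack, depth = [], [], 0

    def close(index):
        # Finish every query opened at the current parenthesis depth.
        while stack and stack[-1]["depth"] == depth:
            query = stack.pop()
            if query["end"] is None:
                query["end"] = tokens[index - 1][2]
            found.append(query)

    for i, (text, _, _) in enumerate(tokens):
        top = stack[-1] if stack and stack[-1]["depth"] == depth else None
        if text == "(":
            depth += 1
        elif text == ")":
            close(i)
            depth -= 1
        elif text == "select":
            close(i)
            stack.append({"depth": depth, "tables": [], "in_from": False,
                          "where": None, "end": None})
        elif top and i + 1 < len(tokens) and (
                text == "from" or (top["in_from"] and text in ("join", ","))):
            top["in_from"] = True
            name = tokens[i + 1][0]
            if name != "(":                      # a subquery has no table name
                rest = [t[0] for t in tokens[i + 2:i + 4]]
                if rest[:1] == ["as"]:
                    rest = rest[1:]
                has_alias = (rest and rest[0] not in KEYWORDS
                             and re.fullmatch(r"[a-z_]\w*", rest[0]))
                top["tables"].append((name, rest[0] if has_alias else None))
        elif top and text == "where" and i + 1 < len(tokens):
            top["in_from"] = False
            if top["where"] is None:
                top["where"] = tokens[i + 1][1]
        elif top and text in WHERE_END:
            top["in_from"] = False
            if top["end"] is None:
                top["end"] = tokens[i - 1][2]
    for query in stack:                          # queries still open at the end
        query["end"] = query["end"] or tokens[-1][2]
    return found + stack[::-1]


def add_row_limits(sql, user, limits=ROW_LIMITS):
    """Return sql with the user's row restrictions added to every query."""
    edits = []                                   # (position, text to insert)
    for query in find_queries(lex(sql)):
        preds = ["(" + limits[(user, table)].format(t=alias or table) + ")"
                 for table, alias in query["tables"] if (user, table) in limits]
        if not preds:
            continue
        if query["where"] is None:
            edits.append((query["end"], " WHERE " + " AND ".join(preds)))
        else:
            # Bracket the caller's predicate: AND binds tighter than OR, so
            # "a OR b AND limit" would return rows matching "a" unfiltered.
            edits.append((query["where"], "("))
            edits.append((query["end"], ") AND " + " AND ".join(preds)))
    for pos, text in sorted(edits, reverse=True):  # back to front keeps offsets
        sql = sql[:pos] + text + sql[pos:]
    return sql
```

Calling add_row_limits(STEP_ONE_SQL, "zhangsan") rewrites both inner queries and leaves the outer query, which reads only from subqueries, unchanged.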
Fig. 5 is a structural diagram of the apparatus for controlling access privileges according to the present invention. As shown in Fig. 5, the apparatus includes an acquisition module, a parsing module, a determining module, an adding module and a filtering module, wherein:
The acquisition module is configured to obtain an SQL request that carries a Structured Query Language (SQL) statement and user information.
The parsing module is configured to obtain, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried.
The parsing module includes a lexical analysis unit, configured to perform lexical analysis on the SQL statement to obtain a token stream;
determine, from the obtained token stream, the positions of the select clause, the from clause and the where clause in the SQL statement;
and use the position of the where clause in the SQL statement as the position at which row restriction information needs to be added.
The lexical analysis unit may be a big data query engine. The big data query engine may be the query engine of the data warehouse tool Hive.
The parsing module also includes a syntax parsing unit, configured to perform syntactic parsing on the obtained token stream to generate a syntax tree, and to look up, in the generated syntax tree and according to the obtained position of the from clause in the SQL statement, the table queried in the from clause, and use the table found as the table to be queried.
The determining module is configured to obtain, from the obtained user information, the corresponding user's row restriction information for tables.
The adding module is configured to add the user's row restriction information for the obtained table to be queried at the obtained position.
The adding module is specifically configured to:
look up, in the obtained row restriction information of the user for tables, the row restriction information of the table that corresponds to the table queried in the from clause;
add the row restriction information found for that table to the where clause of the SQL statement.
The filtering module is configured to parse the SQL statement to which the user's row restriction information has been added, so as to filter out the information that the user is not allowed to view.
Optionally, the apparatus also includes a storage module, configured to obtain the user's row restriction information for tables in a big data query engine, and to store the user information in correspondence with the obtained row restriction information of the user for tables.
The storage module is specifically configured to store the user information and the obtained row restriction information of the user for tables in correspondence in the relational database management system (MySQL).
It should be noted that, in this document, the terms "include", "comprise" and any variants of them are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to the process, method, article or apparatus. Without further limitation, an element introduced by "including a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that includes the element.
The serial numbers of the embodiments of the present application above are for description only and do not indicate the relative merit of the embodiments.
From the description of the embodiments above, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. On this understanding, the part of the technical solution of the present application that in essence contributes over the prior art can be embodied as a software product. The computer software product is stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to perform the methods described in the embodiments of the present application.
The above are only preferred embodiments of the present application and do not limit the scope of its claims. Any equivalent structure or equivalent process transformation made using the contents of this specification and the drawings, or any direct or indirect use in other related technical fields, likewise falls within the scope of patent protection of the present application.

Claims (12)

1. a kind of method for controlling access privilege, it is characterised in that including:
Obtain the SQL request for carrying SQL SQL statement and user profile;
The position for the restricted information that needs to add line is obtained according to the SQL statement of acquisition and needs what is inquired about Table;
Row restricted information of the corresponding user to table is obtained according to the user profile of acquisition;
The corresponding user of table inquired about the need for acquisition is added in the position of acquisition to the row restricted information of table Put place;
Do not allowed with filtering out being parsed added with user to the SQL statement of the row restricted information of table The information that the user checks.
2. according to the method described in claim 1, it is characterised in that the SQL languages according to acquisition Sentence, which obtains the position for needing to add line restricted information, to be included:
Morphology parsing is carried out to the SQL statement to obtain morphology stream;
Determine select clause, from clause and where clause in the SQL according to the morphology stream of acquisition Position in sentence;
Position of the where clause in the SQL statement is needed into the limitation that adds line as described The position of information.
3. method according to claim 2, it is characterised in that the SQL languages according to acquisition Sentence, which is obtained, needs the table inquired about to include:
Syntax parsing is carried out with generative grammar tree to the morphology stream of acquisition;
Position in the syntax tree of generation according to the from clause of acquisition in the SQL statement Search the table inquired about in the from clause and using the table inquired about in the from clause found as The table for needing to inquire about.
4. The method according to claim 3, characterized in that adding, at the acquired position, the row restriction information of the corresponding user for the acquired table to be queried comprises:
searching the acquired row restriction information of the user for tables for the row restriction information of the table corresponding to the table queried in the from clause;
adding the found row restriction information of the table corresponding to the table queried in the from clause to the where clause of the SQL statement.
5. The method according to claim 1, characterized in that, before the method, it further comprises: obtaining the row restriction information of users for tables in a big data query engine;
storing the user information in correspondence with the acquired row restriction information of the user for tables.
6. The method according to claim 5, characterized in that the user information and the acquired row restriction information of the user for tables are stored in correspondence in the relational database management system MySQL.
7. A device for controlling access privileges, characterized by comprising: an acquisition module, a parsing module, a determining module, an adding module and a filtering module; wherein,
the acquisition module is configured to obtain an SQL request carrying a Structured Query Language (SQL) statement and user information;
the parsing module is configured to obtain, according to the acquired SQL statement, the position at which row restriction information needs to be added and the table to be queried;
the determining module is configured to obtain, according to the acquired user information, the corresponding user's row restriction information for tables;
the adding module is configured to add, at the acquired position, the row restriction information of the corresponding user for the acquired table to be queried;
the filtering module is configured to parse the SQL statement to which the user's row restriction information for the table has been added, so as to filter out the information that the user is not allowed to view.
8. The device according to claim 7, characterized in that the parsing module comprises a lexical parsing unit, configured to perform lexical parsing on the SQL statement to obtain a lexical stream;
determine, according to the acquired lexical stream, the positions of the select clause, the from clause and the where clause in the SQL statement;
and take the position of the where clause in the SQL statement as the position at which row restriction information needs to be added.
9. The device according to claim 8, characterized in that the parsing module further comprises a syntax parsing unit, configured to perform syntax parsing on the acquired lexical stream to generate a syntax tree;
and search the generated syntax tree, according to the acquired position of the from clause in the SQL statement, for the table queried in the from clause, and take the found table queried in the from clause as the table to be queried.
10. The device according to claim 9, characterized in that the adding module is specifically configured to:
search the acquired row restriction information of the user for tables for the row restriction information of the table corresponding to the table queried in the from clause;
add the found row restriction information of the table corresponding to the table queried in the from clause to the where clause of the SQL statement.
11. The device according to claim 7, characterized in that it further comprises a storage module, configured to obtain the row restriction information of users for tables in a big data query engine, and to store the user information in correspondence with the acquired row restriction information of the user for tables.
12. The device according to claim 11, characterized in that the storage module is specifically configured to store the user information and the acquired row restriction information of the user for tables in correspondence in the relational database management system MySQL.
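
The rewriting step of claims 1 to 4 can be illustrated with the following added example, which is not code from the patent: it locates the from and where clauses in a lexical stream, looks up the user's row restriction for the queried table, and adds it to the where clause. It is an assumption-laden simplification: it works on the lexical stream only (no syntax tree), the names ROW_POLICY, rewrite and balanced and the sample policy are constructed, and two safeguards the claims do not state are added, namely parenthesising the caller's predicate so a trailing OR cannot widen the result, and failing closed on joins, subqueries, aliases, comments and tables without a policy.

```python
import re

# Constructed policy store: (user, table) -> row restriction predicate.
# Claim 6 keeps this mapping in MySQL; a dict stands in for it here.
ROW_POLICY = {("alice", "orders"): "region = 'north'"}

# Quoted strings stay one token, so keywords inside literals are ignored.
TOKEN = re.compile(r"'(?:[^']|'')*'|--|/\*|[A-Za-z_][\w.]*|\S")
TAIL = ("group", "order", "having", "limit")
BANNED = {";", "--", "/*", "'", "union", "join"}


def balanced(tokens):
    """True if parentheses close in order and never dip below zero."""
    depth = 0
    for t in tokens:
        depth += (t == "(") - (t == ")")
        if depth < 0:
            return False
    return depth == 0


def rewrite(sql, user):
    """AND the user's row restriction into the WHERE clause of sql."""
    ms = list(TOKEN.finditer(sql))                 # lexical stream
    low = [m.group().lower() for m in ms]
    if (low[:1] != ["select"] or low.count("select") != 1
            or low.count("from") != 1 or low[-1] == "from"
            or BANNED & set(low)):
        raise ValueError("unsupported query shape")    # fail closed
    f = low.index("from")                          # table is token f + 1
    end = next((i for i in range(f + 2, len(low)) if low[i] in TAIL),
               len(low))
    body = low[f + 2:end]                          # [] or ["where", ...]
    if body and (body[0] != "where" or len(body) == 1):
        raise ValueError("unsupported query shape")    # alias, comma, ...
    if not balanced(body):
        raise ValueError("unbalanced parentheses in WHERE")
    rule = ROW_POLICY.get((user, low[f + 1]))
    if rule is None:
        raise PermissionError("no row policy for this user and table")
    out = sql[:ms[f + 1].end()] + f" WHERE ({rule})"
    if body:                                       # keep caller's predicate
        out += " AND (" + sql[ms[f + 3].start():ms[end - 1].end()] + ")"
    if end < len(ms):                              # GROUP BY / ORDER BY ...
        out += " " + sql[ms[end].start():]
    return out
```
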
CN201610225284.3A 2016-04-12 2016-04-12 A kind of method and apparatus for controlling access privilege Pending CN107292188A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610225284.3A CN107292188A (en) 2016-04-12 2016-04-12 A kind of method and apparatus for controlling access privilege

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610225284.3A CN107292188A (en) 2016-04-12 2016-04-12 A kind of method and apparatus for controlling access privilege

Publications (1)

Publication Number Publication Date
CN107292188A true CN107292188A (en) 2017-10-24

Family

ID=60095936

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610225284.3A Pending CN107292188A (en) 2016-04-12 2016-04-12 A kind of method and apparatus for controlling access privilege

Country Status (1)

Country Link
CN (1) CN107292188A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101075254A (en) * 2007-06-08 2007-11-21 北京神舟航天软件技术有限公司 Autonomous access control method for row-level data of database table
CN103530568A (en) * 2012-07-02 2014-01-22 阿里巴巴集团控股有限公司 Authority control method, device and system
CN104077284A (en) * 2013-03-26 2014-10-01 中国移动通信集团湖北有限公司 Data security access method and data security access system
CN104866776A (en) * 2014-02-24 2015-08-26 上海宝钢国际经济贸易有限公司 Control method and device for data access permission

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109446219A (en) * 2018-10-10 2019-03-08 新华三大数据技术有限公司 Right management method and device
CN109670324A (en) * 2018-12-20 2019-04-23 成都四方伟业软件股份有限公司 Data access method and device
CN109815284A (en) * 2019-01-04 2019-05-28 平安科技(深圳)有限公司 A kind of method and apparatus of data processing
CN111460506A (en) * 2020-04-03 2020-07-28 中国工商银行股份有限公司 Data access control method and device
CN111460506B (en) * 2020-04-03 2024-04-16 中国工商银行股份有限公司 Data access control method and device
CN112000992B (en) * 2020-10-29 2021-03-16 腾讯科技(深圳)有限公司 Data leakage prevention protection method and device, computer readable medium and electronic equipment

Similar Documents

Publication Publication Date Title
CN107292188A (en) A kind of method and apparatus for controlling access privilege
EP3572963B1 (en) Database access-control policy enforcement using reverse queries
CN109845221B (en) Access control policy synchronization for service layer
US9626452B2 (en) Fine-grained database access-control policy enforcement using reverse queries
CN110443059A (en) Data guard method and device
CN102571720B (en) Method and device for processing heterogeneous information contents
US10404757B1 (en) Privacy enforcement in the storage and access of data in computer systems
KR20180077251A (en) Restful operations on Semantic IoT
CN107122365A (en) The access method and device of heterogeneous database
US20040122792A1 (en) Method, system, and program product for managing access to data items in a database
WO2016112162A1 (en) Distributed storage and distributed processing policy enforcement utilizing virtual identifiers
US20110153582A1 (en) Handling of classification data by a search engine
CN110197064A (en) Process handling method and device, storage medium and electronic device
WO2018107942A1 (en) System and method of adaptively partitioning data to speed up join queries on distributed and parallel database systems
EP2570943A1 (en) Protection of data privacy in an enterprise system
US10108742B1 (en) Apparatus and method for data redaction in a semi-structured document database
US10114975B1 (en) Apparatus and method for data redaction in a semi-structured document database
CN106156064A (en) Data base is carried out the method and device of flow-control
US7124132B1 (en) Domain specification system for an LDAP ACI entry
WO2023030461A1 (en) Distributed database detection method and apparatus
Cisco DIST Configuration Database

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171024