CN107292188A - Method and apparatus for controlling user access privileges - Google Patents
- Publication number: CN107292188A (application CN201610225284.3A)
- Authority: CN (China)
- Prior art keywords: acquisition, clause, user, restricted information, row
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
Disclosed herein are a method and apparatus for controlling user access privileges. The method includes: obtaining an SQL request carrying a Structured Query Language (SQL) statement and user information; obtaining, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried; obtaining, from the obtained user information, the corresponding user's row restriction information on tables; adding the user's row restriction information for the obtained table to be queried at the obtained position; and parsing the SQL statement to which the user's row restriction information on the table has been added, so as to filter out the information the user is not allowed to view. The embodiments of this application filter data at row level more quickly and conveniently, so that big data delivers greater value.
Description
Technical field
The present invention relates to the field of big data applications, and in particular to a method and apparatus for controlling user access privileges.
Background
As big data technology is applied ever more widely, data volumes keep growing, and the security of data applications has become a top priority in the big data field. Highly sensitive data (for example in finance, government, banking, public security systems and communications) usually needs a higher level of protection when it is used, to keep the data secure. At present, protecting data in these fields usually requires row-level permission protection to filter out part of the sensitive data, so that users are given a safer, open and effective big data access platform, data is interconnected more effectively, and big data delivers greater value.
Existing row-level permission protection follows one of two schemes: the functional-module method of controlling user access privileges, and the view-based permission control method. The functional-module method performs permission control at the application level, restricting access by adding the keyword where inside the application. However, this method can only exert control at the application level; if the application is bypassed, nothing is controlled. The view-based method implements permission control through views (a database generally contains tables and views; a table stores data, whereas a view does not, and operating on the data in a view actually operates on the associated table), adding the keyword where to the query statement to implement permission control. However, when the table structure or the permissions change, this is not easy to operate and requires a large amount of coding work. The system also leaves little flexibility for the user management system: once the permission logic changes, the permission system may need to be modified, and every view then has to change.
Therefore, how to filter data at row level has become a problem that currently needs to be solved urgently.
Summary of the invention
This application provides a method and apparatus for controlling user access privileges that filter data at row level more quickly and conveniently, so that big data delivers greater value.
To achieve the purpose of this application, the application provides a method for controlling user access privileges, including:
obtaining an SQL request carrying a Structured Query Language (SQL) statement and user information;
obtaining, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried;
obtaining, from the obtained user information, the corresponding user's row restriction information on tables;
adding the user's row restriction information for the obtained table to be queried at the obtained position;
parsing the SQL statement to which the user's row restriction information on the table has been added, so as to filter out the information the user is not allowed to view.
Optionally, obtaining from the obtained SQL statement the position at which row restriction information needs to be added includes:
performing lexical parsing on the SQL statement to obtain a lexical stream;
determining, from the obtained lexical stream, the positions of the select clause, the from clause and the where clause in the SQL statement;
taking the position of the where clause in the SQL statement as the position at which row restriction information needs to be added.
Optionally, obtaining from the obtained SQL statement the table to be queried includes:
performing syntax parsing on the obtained lexical stream to generate a syntax tree;
looking up, in the generated syntax tree, according to the obtained position of the from clause in the SQL statement, the table queried in the from clause, and taking the found table queried in the from clause as the table to be queried.
Optionally, adding the user's row restriction information for the obtained table to be queried at the obtained position includes:
looking up, in the obtained row restriction information of the user on tables, the row restriction information of the table corresponding to the table queried in the from clause;
adding the found row restriction information of the table corresponding to the table queried in the from clause to the where clause of the SQL statement.
Optionally, the method is preceded by: obtaining the user's row restriction information on tables in the big data query engine;
storing the user information in correspondence with the obtained row restriction information of the user on tables.
Optionally, the user information and the obtained row restriction information of the user on tables are stored in correspondence in the relational database management system MySQL.
This application also provides an apparatus for controlling user access privileges, including: an acquisition module, a parsing module, a determining module, an add module and a filtering module, wherein:
the acquisition module is configured to obtain an SQL request carrying a Structured Query Language (SQL) statement and user information;
the parsing module is configured to obtain, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried;
the determining module is configured to obtain, from the obtained user information, the corresponding user's row restriction information on tables;
the add module is configured to add the user's row restriction information for the obtained table to be queried at the obtained position;
the filtering module is configured to parse the SQL statement to which the user's row restriction information on the table has been added, so as to filter out the information the user is not allowed to view.
Optionally, the parsing module includes a lexical parsing unit, configured to perform lexical parsing on the SQL statement to obtain a lexical stream;
determine, from the obtained lexical stream, the positions of the select clause, the from clause and the where clause in the SQL statement;
take the position of the where clause in the SQL statement as the position at which row restriction information needs to be added.
Optionally, the parsing module also includes a syntax parsing unit, configured to perform syntax parsing on the obtained lexical stream to generate a syntax tree;
look up, in the generated syntax tree, according to the obtained position of the from clause in the SQL statement, the table queried in the from clause, and take the found table queried in the from clause as the table to be queried.
Optionally, the add module is specifically configured to:
look up, in the obtained row restriction information of the user on tables, the row restriction information of the table corresponding to the table queried in the from clause;
add the found row restriction information of the table corresponding to the table queried in the from clause to the where clause of the SQL statement.
Optionally, the apparatus also includes a memory module, configured to obtain the user's row restriction information on tables in the big data query engine, and to store the user information in correspondence with the obtained row restriction information of the user on tables.
Optionally, the memory module is specifically configured to store the user information and the obtained row restriction information of the user on tables in correspondence in the relational database management system MySQL.
The embodiments of this application include: obtaining an SQL request carrying a Structured Query Language (SQL) statement and user information; obtaining, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried; obtaining, from the obtained user information, the corresponding user's row restriction information on tables; adding the user's row restriction information for the obtained table to be queried at the obtained position; and parsing the SQL statement to which the user's row restriction information on the table has been added, so as to filter out the information the user is not allowed to view. The embodiments of this application filter data at row level more quickly and conveniently, so that big data delivers greater value.
Brief description of the drawings
The drawings described here are provided for further understanding of the present invention and form part of this application. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of the method of the present invention for controlling user access privileges;
Fig. 2 is a schematic diagram of the syntax tree of the SQL statement received in the present invention;
Fig. 3 is a flow chart of the method of the present invention for traversing the syntax tree;
Fig. 4 is a schematic diagram of the syntax tree of the SQL statement to which row restriction information has been added in the present invention;
Fig. 5 is a structural diagram of the apparatus of the present invention for controlling user access privileges.
Detailed description
To make the purpose, technical solution and advantages of the present invention clearer, embodiments of the invention are described in detail below with reference to the drawings. Note that, where they do not conflict, the embodiments of this application and the features in the embodiments may be combined with one another.
Fig. 1 is a flow chart of the method of the present invention for controlling user access privileges. As shown in Fig. 1, the method includes:
Step 101: Obtain an SQL request carrying a Structured Query Language (SQL) statement and user information.
Step 102: From the obtained SQL statement, obtain the position at which row restriction information needs to be added and the table to be queried.
Obtaining, from the obtained SQL statement, the position at which row restriction information needs to be added includes:
performing lexical parsing on the SQL statement to obtain a lexical stream;
determining, from the obtained lexical stream, the positions of the select clause, the from clause and the where clause in the SQL statement;
taking the position of the where clause in the SQL statement as the position at which row restriction information needs to be added.
Obtaining, from the obtained SQL statement, the table to be queried includes:
performing syntax parsing on the obtained lexical stream to generate a syntax tree;
looking up, in the generated syntax tree, according to the obtained position of the from clause in the SQL statement, the table queried in the from clause, and taking the found table queried in the from clause as the table to be queried.
Here select, from and where are keywords of the SQL statement. select is the query keyword, and the clause that follows it is the query function: what follows select is which fields are to be queried. from refers to the table to be queried. where states which restrictions are applied to the query.
For example, to query all information in shuiwu_info whose addr is shandong, the SQL statement is select * from shuiwu_info where addr='shandong', where * means querying all fields of shuiwu_info, that is, all columns.
The from clause is followed by the table being queried, so the table referred to here is the table that is queried.
Step 103: From the obtained user information, obtain the corresponding user's row restriction information on tables.
Optionally, the method is preceded by:
obtaining the user's row restriction information on tables in the big data query engine;
storing the user information in correspondence with the obtained row restriction information of the user on tables.
The big data query engine may be the data warehouse tool (Hive) query engine.
The user information and the obtained row restriction information of the user on tables may be stored in correspondence in a relational database management system (MySQL). The user information and the user's row restriction information on tables may be stored in MySQL through web services, by calling a Representational State Transfer (REST) application programming interface (API) from a web interface, or they may be inserted into MySQL directly by hand.
For example, to restrict user zhangsan to accessing only the data in table shuiwu_info whose addr field is shandong, this information (the user information is zhangsan, and only the data in table shuiwu_info whose addr field is shandong may be accessed) can be stored in correspondence in MySQL.
Step 104: Add the user's row restriction information for the obtained table to be queried at the obtained position.
This step specifically includes: looking up, in the obtained row restriction information of the user on tables, the row restriction information of the table corresponding to the table queried in the from clause;
adding the found row restriction information of the table corresponding to the table queried in the from clause to the where clause of the SQL statement.
Step 105: Parse the SQL statement to which the user's row restriction information on the table has been added, so as to filter out the information the user is not allowed to view.
Note that if the initial SQL statement is select * from T, the SQL statement after the user's row restriction information on the table has been added is select * from T where id>100. That is, a new SQL statement is obtained, so the SQL statement to which the user's row restriction information has been added must be parsed and executed once more; in other words, the SQL statement is processed internally once to add the user's row restriction information on the table. Functionally, this step adds the user's row restriction information on the table to the SQL statement, ensuring that information the user is not allowed to see is filtered out. In the query result, the effect is visible by comparing the results with and without the added restriction.
In this embodiment of the invention, the positions of the select clause, from clause and where clause of the SQL statement and the table queried in the from clause are obtained from the received SQL statement, and the obtained row restriction information of the user on the table is added to the where clause of the SQL statement. This filters data at row level more quickly and conveniently, so that big data delivers greater value.
Embodiment
Step 1: User Zhang San (zhangsan) sends an SQL statement. The statement performs a join query on tables db1.customer and db1.merchant ((select * from db1.customer where addr='shandong') mycustomer join (select * from db1.merchant where addr='shandong') mymerchant on mycustomer.merchant_id=mymerchant.id) and then inserts the query result into table tmp.purchase_records (insert overwrite table tmp.purchase_records).
Step 2: Obtain from the relational database management system (MySQL) the pre-stored row permission restriction information of user Zhang San on tables.
Step 3: Perform lexical parsing on the received SQL statement. Parsing generates the lexical stream shown in Table 1.
Table 1
For example, when the SQL statement is select id, name from T where id>100, each cell in Table 1 is a structure that may contain, for instance, the from keyword and the position of the from keyword in the SQL statement. The first cell is from, the second cell is a space and the third cell is T. The first cell stores not only the keyword from but also its position in the SQL statement; likewise, the second cell stores not only the space but also the position of that space in the SQL statement.
Step 4: From the lexical stream generated in step 3, obtain the position information of clauses such as select, from and where within the whole SQL statement.
Step 5: After lexical parsing, perform syntax parsing to generate the corresponding syntax tree.
Step 6: Traverse the generated syntax tree to obtain the tables queried in the from clauses.
The abstract syntax tree generated from the SQL statement in step 1 is shown in Fig. 2. The syntax tree in Fig. 2 shows that the whole SQL statement contains three subquery statements. Once the whole syntax tree has been obtained, it is traversed starting from its root node. The rules for traversing the syntax tree are shown in Fig. 3 and include:
Step 201: Start traversing from the root node.
Step 202: Judge whether the current node is a query node. If the current node is a query node, go to step 203; otherwise, go to step 209.
Step 203: Create a query_rls object and push it into the row permission list.
query_rls is the name of a class that is created. The class stores information about the corresponding query node, such as which table is queried, the alias of the table, and the position in the SQL statement.
The row permission list stores query_rls objects.
Step 204: From the lexical stream, obtain the position information of the select clause, from clause and where clause in the SQL statement and store it in the query_rls object.
Step 205: Assign the alias of the queried table to the query_rls object above.
For example, if the SQL statement is select T1.id, T1.name from T T1, then T1 is the alias of table T, so the alias of table T needs to be saved.
If the alias is empty, empty is assigned.
Step 206: Judge whether the queried table is an actual table. If the queried table is an actual table, go to step 207; otherwise, go to step 208.
Step 207: Assign the table name of the queried table to the query_rls object above. Go to step 209.
Step 208: Make no assignment; the value defaults to empty. Go to step 209.
Step 209: Obtain an unchecked child node of the current node.
Here subquery denotes a child node (also called a query child node), that is, a subquery statement in the SQL statement.
Step 210: Judge whether the obtained unchecked child node of the current node is empty. If the obtained unchecked child node of the current node is empty, go to step 202; otherwise, go to step 211.
Step 211: Return to the parent node.
Step 212: Judge whether the parent node is empty. If the parent node is not empty, go to step 209; otherwise, end this flow.
After the syntax tree has been traversed as above, the tables queried in the from clauses of the SQL statement are found to be db1.customer and db1.merchant. Accordingly, user zhangsan's row permission restriction information on tables db1.customer and db1.merchant is db1.customer.id<100000 and db1.merchant.id<1000 respectively.
Step 7: Add user zhangsan's row permission restriction information on tables db1.customer and db1.merchant to the where clauses.
Specifically: the position information of the where clause is obtained from the lexical stream of step 3, and by traversing the query_rls list the row permission information for each table is added to the query statements of the SQL statement. The row permission restriction information for the currently logged-in user is thus added to the SQL automatically. The new syntax tree of the SQL statement finally obtained is shown in Fig. 4.
The syntax tree in Fig. 4 shows that the user's row restriction information has been added. When other users access the data, different row permission policies apply, so the data that different users can access differs and data access is restricted at row level. For example, of 1000 records, Zhang San may be allowed to access only the first 100, while Li Si is allowed to access the first 500.
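Steps 3 to 7 and the Fig. 3 traversal can be followed in the added Python example below, which is not code from the patent: it builds a lexical stream with positions, records one entry per query block (the role of the query_rls objects), and inserts each table's restriction into that block's where clause. The policy dictionary, the {t} placeholder, the function names and the outer select * of the sample statement are assumptions. It goes beyond the text in two ways: it parenthesises the caller's own predicate, and it refuses statements it cannot parse (comma joins, quoted identifiers, backslash escapes).

```python
import re

# Constructed stand-in for the MySQL policy store: (user, table) -> restriction.
# {t} becomes the table's alias, or its name when the query gives no alias.
ROW_POLICY = {
    ("zhangsan", "db1.customer"): "{t}.id<100000",
    ("zhangsan", "db1.merchant"): "{t}.id<1000",
}
# Statement assembled from the fragments in step 1; the outer "select *" is assumed.
DEMO_SQL = ("insert overwrite table tmp.purchase_records select * from "
            "(select * from db1.customer where addr='shandong') mycustomer join "
            "(select * from db1.merchant where addr='shandong') mymerchant "
            "on mycustomer.merchant_id=mymerchant.id")
TOKEN = re.compile(r"(?P<str>'(?:[^']|'')*')|(?P<cmt>--[^\n]*|/\*.*?\*/)"
                   r"|(?P<word>[A-Za-z_][\w.]*)|(?P<sym>\S)", re.S)
RESERVED = {"select", "from", "join", "on", "where", "group", "order", "having",
            "limit", "union", "left", "right", "inner", "outer", "full", "cross"}
TAIL = {"group", "order", "having", "limit", "union", ";"}  # end of FROM/WHERE

def lex(sql):
    """Lexical stream of (kind, text, start, end); comments are dropped."""
    if "\\" in sql:  # escapes could make this lexer disagree with the engine
        raise ValueError("backslash escapes not supported: refusing to rewrite")
    return [(m.lastgroup, m.group(), m.start(), m.end())
            for m in TOKEN.finditer(sql) if m.lastgroup != "cmt"]

def table_ref(tokens, i):
    """Read 'name [as] [alias]' at token i; None when a subquery '(' follows."""
    if i < len(tokens) and tokens[i][1] == "(":
        return None
    if i >= len(tokens) or tokens[i][0] != "word":
        raise ValueError("unsupported table reference: refusing to rewrite")
    name, j = tokens[i][1], i + 1
    if j < len(tokens) and tokens[j][1].lower() == "as":
        j += 1
    is_alias = (j < len(tokens) and tokens[j][0] == "word"
                and tokens[j][1].lower() not in RESERVED)
    return name.lower(), (tokens[j][1] if is_alias else name)

def query_blocks(sql):
    """One record per query block, the role of the page's query_rls objects."""
    tokens = lex(sql)
    blocks, stack, depth = [], [], 0
    for i, (kind, text, _, end) in enumerate(tokens):
        low = text.lower() if kind == "word" else text
        prev_end = tokens[i - 1][3] if i else 0
        if kind == "sym" and text in "'\"`":
            raise ValueError("unterminated or quoted token: refusing to rewrite")
        if low == "(":
            depth += 1
        elif low == ")":
            depth -= 1
            while stack and stack[-1]["depth"] > depth:  # subquery closed
                stack.pop().setdefault("tail", prev_end)
        elif low == "select":
            stack.append({"depth": depth, "tables": [], "clause": "select"})
            blocks.append(stack[-1])
        elif stack and stack[-1]["depth"] == depth and "tail" not in stack[-1]:
            blk = stack[-1]
            if low in ("from", "join"):
                blk["clause"] = "from"
                ref = table_ref(tokens, i + 1)
                if ref:  # an actual table, not a subquery
                    blk["tables"].append(ref)
            elif low == "," and blk["clause"] == "from":
                raise ValueError("comma join not supported: refusing to rewrite")
            elif low == "where":
                nxt = tokens[i + 1][2] if i + 1 < len(tokens) else end
                blk["clause"], blk["where"] = "where", nxt
            elif low in TAIL:
                blk["tail"] = prev_end
    for blk in stack:  # blocks that run to the end of the statement
        blk.setdefault("tail", tokens[-1][3])
    return blocks

def add_row_restrictions(sql, user, policy=ROW_POLICY):
    """Return sql with the user's row restrictions added to every query block."""
    edits = []  # (position, text) insertions, applied right to left
    for blk in query_blocks(sql):
        # A table with no policy entry is left unrestricted (default assumed here).
        preds = [policy[(user, name)].format(t=alias)
                 for name, alias in blk["tables"] if (user, name) in policy]
        if not preds:
            continue
        extra = " and ".join(preds)
        if "where" in blk:
            # Parenthesise the caller's predicate so an OR cannot widen the result.
            edits += [(blk["where"], "("), (blk["tail"], ") and " + extra)]
        else:
            edits.append((blk["tail"], " where " + extra))
    for pos, text in sorted(edits, reverse=True):
        sql = sql[:pos] + text + sql[pos:]
    return sql

if __name__ == "__main__":
    print(add_row_restrictions(DEMO_SQL, "zhangsan"))
```

Without the parentheses, a predicate such as id>5 or name='x' followed by a plain "and" restriction would let the left side of the OR return rows outside the user's limit, because AND binds more tightly than OR.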
Fig. 5 is a structural diagram of the apparatus of the present invention for controlling user access privileges. As shown in Fig. 5, the apparatus includes: an acquisition module, a parsing module, a determining module, an add module and a filtering module, wherein:
The acquisition module is configured to obtain an SQL request carrying a Structured Query Language (SQL) statement and user information.
The parsing module is configured to obtain, from the obtained SQL statement, the position at which row restriction information needs to be added and the table to be queried.
The parsing module includes a lexical parsing unit, configured to perform lexical parsing on the SQL statement to obtain a lexical stream;
determine, from the obtained lexical stream, the positions of the select clause, the from clause and the where clause in the SQL statement;
take the position of the where clause in the SQL statement as the above position at which row restriction information needs to be added.
The lexical parsing unit may be a big data query engine. The big data query engine may be the data warehouse tool (Hive) query engine.
The parsing module also includes a syntax parsing unit, configured to perform syntax parsing on the obtained lexical stream to generate a syntax tree, to look up, in the generated syntax tree, according to the obtained position of the from clause in the SQL statement, the table queried in the from clause, and to take the found table queried in the from clause as the above table to be queried.
The determining module is configured to obtain, from the obtained user information, the corresponding user's row restriction information on tables.
The add module is configured to add the user's row restriction information for the obtained table to be queried at the obtained position.
The add module is specifically configured to:
look up, in the obtained row restriction information of the user on tables, the row restriction information of the table corresponding to the table queried in the from clause;
add the found row restriction information of the table corresponding to the table queried in the from clause to the where clause of the SQL statement.
The filtering module is configured to parse the SQL statement to which the user's row restriction information on the table has been added, so as to filter out the information the user is not allowed to view.
Optionally, the apparatus also includes a memory module, configured to obtain the user's row restriction information on tables in the big data query engine, and to store the user information in correspondence with the obtained row restriction information of the user on tables.
The memory module is specifically configured to store the user information and the obtained row restriction information of the user on tables in correspondence in a relational database management system (MySQL).
Note that, in this document, the terms "include", "comprise" and any variants of them are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or apparatus. Without further limitation, an element introduced by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that includes that element.
The serial numbers of the above embodiments of this application are for description only and do not indicate the relative merit of the embodiments.
From the description of the embodiments above, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software together with the necessary general-purpose hardware platform, or by hardware, though in many cases the former is the better implementation. On this understanding, the technical solution of this application, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored on a storage medium (such as ROM/RAM, magnetic disk or optical disc) and includes instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to perform the methods described in the embodiments of this application.
The above are only preferred embodiments of this application and do not limit its patent scope. Any equivalent structure or equivalent process transformation made using the contents of this specification and drawings, or any direct or indirect use in other related technical fields, is likewise covered by the patent protection of this application.
Claims (12)
1. a kind of method for controlling access privilege, it is characterised in that including:
Obtain the SQL request for carrying SQL SQL statement and user profile;
The position for the restricted information that needs to add line is obtained according to the SQL statement of acquisition and needs what is inquired about
Table;
Row restricted information of the corresponding user to table is obtained according to the user profile of acquisition;
The corresponding user of table inquired about the need for acquisition is added in the position of acquisition to the row restricted information of table
Put place;
Do not allowed with filtering out being parsed added with user to the SQL statement of the row restricted information of table
The information that the user checks.
2. according to the method described in claim 1, it is characterised in that the SQL languages according to acquisition
Sentence, which obtains the position for needing to add line restricted information, to be included:
Morphology parsing is carried out to the SQL statement to obtain morphology stream;
Determine select clause, from clause and where clause in the SQL according to the morphology stream of acquisition
Position in sentence;
Position of the where clause in the SQL statement is needed into the limitation that adds line as described
The position of information.
3. method according to claim 2, it is characterised in that the SQL languages according to acquisition
Sentence, which is obtained, needs the table inquired about to include:
Syntax parsing is carried out with generative grammar tree to the morphology stream of acquisition;
Position in the syntax tree of generation according to the from clause of acquisition in the SQL statement
Search the table inquired about in the from clause and using the table inquired about in the from clause found as
The table for needing to inquire about.
4. method according to claim 3, it is characterised in that described to be inquired about the need for acquisition
Table corresponding user the addition of the row restricted information of table is included at the position of acquisition:
Search in row restricted information of the user to table of acquisition and inquired about in the from clause
The row restricted information of the corresponding table of table;
The row restricted information addition of the table corresponding with the table inquired about in the from clause found is existed
In the where clause of the SQL statement.
5. according to the method described in claim 1, it is characterised in that also include before this method:Obtain
Take row restricted information of the family to table in big data query engine;
By the user profile and the user obtained storage corresponding to the row restricted information of table.
6. The method according to claim 5, characterised in that the user information and the obtained row restriction information of the user for tables are stored in correspondence in the relational database management system MySQL.
7. An apparatus for controlling user access privileges, characterised by comprising: an acquisition module, a parsing module, a determining module, an adding module and a filtering module; wherein,
the acquisition module is configured to obtain an SQL request carrying a Structured Query Language (SQL) statement and user information;
the parsing module is configured to obtain, according to the acquired SQL statement, the position at which row restriction information needs to be added and the table to be queried;
the determining module is configured to obtain, according to the acquired user information, the corresponding user's row restriction information for tables;
the adding module is configured to add, at the obtained position, the user's row restriction information for the table that corresponds to the obtained table to be queried;
the filtering module is configured to parse the SQL statement to which the user's row restriction information for the table has been added, so as to filter out the information that the user is not allowed to view.
8. The apparatus according to claim 7, characterised in that the parsing module comprises a lexical parsing unit, configured to perform lexical analysis on the SQL statement to obtain a lexical stream;
determine, from the obtained lexical stream, the positions of the select clause, the from clause and the where clause in the SQL statement;
take the position of the where clause in the SQL statement as the position at which the row restriction information needs to be added.
9. The apparatus according to claim 8, characterised in that the parsing module further comprises a syntax parsing unit, configured to perform syntax analysis on the obtained lexical stream to generate a syntax tree;
look up, in the generated syntax tree, the table queried in the from clause according to the obtained position of the from clause in the SQL statement, and take the table found in the from clause as the table to be queried.
10. The apparatus according to claim 9, characterised in that the adding module is specifically configured to:
look up, in the obtained row restriction information of the user for tables, the row restriction information of the table corresponding to the table queried in the from clause;
add the found row restriction information of the table corresponding to the table queried in the from clause to the where clause of the SQL statement.
11. The apparatus according to claim 7, characterised in that it further comprises a storage module, configured to obtain the user's row restriction information for tables in the big data query engine, and to store the user information in correspondence with the obtained row restriction information of the user for tables.
12. The apparatus according to claim 11, characterised in that the storage module is specifically configured to store the user information and the obtained row restriction information of the user for tables in correspondence in the relational database management system MySQL.
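The rewriting flow of claims 2 to 4 (lexical stream, clause positions, table lookup, restriction added to the where clause), as an added Python example that is not code from the patent. The names `ROW_POLICY`, `lex`, `balanced` and `rewrite` are hypothetical, a dict stands in for the MySQL store of claim 6, and a flat token scan stands in for the syntax tree. Parenthesising the caller's condition, handling a missing where clause, and rejecting anything the scan cannot handle are choices of this example, not statements of the claims.

```python
import re

# Constructed policy store standing in for the MySQL table of claim 6.
ROW_POLICY = {("alice", "orders"): "region = 'east'"}
TOKEN = re.compile(r"\s*('(?:[^']|'')*'|[A-Za-z_]\w*|\d+(?:\.\d+)?|<=|>=|<>|!=|[=<>*,()])")
TAIL = {"group", "having", "order", "limit"}  # keywords that end the where clause

def lex(sql):
    """Lexical analysis: return the token stream; unknown characters are rejected."""
    sql, tokens, pos = sql.strip().rstrip(";").rstrip(), [], 0
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        if not m:  # comments, stacked statements, qualified names: fail closed
            raise ValueError(f"unsupported input at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def balanced(tokens):
    """True if parentheses never close below depth 0 and all are closed."""
    depth = 0
    for t in tokens:
        depth += (t == "(") - (t == ")")
        if depth < 0:
            return False
    return depth == 0

def rewrite(sql, user):
    """Add the user's row restriction for the queried table to the where clause."""
    toks = lex(sql)
    low = [t.lower() for t in toks]
    if low[:1] != ["select"] or low.count("select") != 1 or low.count("from") != 1:
        raise ValueError("only a single flat select statement is handled")
    f = low.index("from")
    rest = low[f + 2:]
    if f + 1 >= len(low) or (rest and rest[0] != "where" and rest[0] not in TAIL):
        raise ValueError("only one table in the from clause is handled")
    restriction = ROW_POLICY.get((user, low[f + 1]))
    if restriction is None:  # no stored policy for this user and table: deny
        raise PermissionError(f"no row policy for {user!r} on {low[f + 1]!r}")
    end = next((i for i in range(f + 2, len(low)) if low[i] in TAIL), len(low))
    clause = f"WHERE {restriction}"
    if rest and rest[0] == "where":
        cond = toks[f + 3:end]
        if not cond or not balanced(cond):
            raise ValueError("malformed where clause")
        # Parenthesise the caller's condition so an OR cannot outrank the restriction.
        clause = f"WHERE ({' '.join(cond)}) AND ({restriction})"
    return " ".join(toks[:f + 2] + [clause] + toks[end:])
```

Without the parentheses and the balance check, a condition such as `total > 100 OR 1 = 1` would bind more loosely than the appended `AND`, and the restriction would apply to only one branch of the `OR`.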
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610225284.3A CN107292188A (en) | 2016-04-12 | 2016-04-12 | A kind of method and apparatus for controlling access privilege |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610225284.3A CN107292188A (en) | 2016-04-12 | 2016-04-12 | A kind of method and apparatus for controlling access privilege |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107292188A true CN107292188A (en) | 2017-10-24 |
Family
ID=60095936
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610225284.3A Pending CN107292188A (en) | 2016-04-12 | 2016-04-12 | A kind of method and apparatus for controlling access privilege |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107292188A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109446219A (en) * | 2018-10-10 | 2019-03-08 | 新华三大数据技术有限公司 | Right management method and device |
CN109670324A (en) * | 2018-12-20 | 2019-04-23 | 成都四方伟业软件股份有限公司 | Data access method and device |
CN109815284A (en) * | 2019-01-04 | 2019-05-28 | 平安科技(深圳)有限公司 | A kind of method and apparatus of data processing |
CN111460506A (en) * | 2020-04-03 | 2020-07-28 | 中国工商银行股份有限公司 | Data access control method and device |
CN112000992B (en) * | 2020-10-29 | 2021-03-16 | 腾讯科技(深圳)有限公司 | Data leakage prevention protection method and device, computer readable medium and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101075254A (en) * | 2007-06-08 | 2007-11-21 | 北京神舟航天软件技术有限公司 | Autonomous access control method for row-level data of database table |
CN103530568A (en) * | 2012-07-02 | 2014-01-22 | 阿里巴巴集团控股有限公司 | Authority control method, device and system |
CN104077284A (en) * | 2013-03-26 | 2014-10-01 | 中国移动通信集团湖北有限公司 | Data security access method and data security access system |
CN104866776A (en) * | 2014-02-24 | 2015-08-26 | 上海宝钢国际经济贸易有限公司 | Control method and device for data access permission |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109446219A (en) * | 2018-10-10 | 2019-03-08 | 新华三大数据技术有限公司 | Right management method and device |
CN109670324A (en) * | 2018-12-20 | 2019-04-23 | 成都四方伟业软件股份有限公司 | Data access method and device |
CN109815284A (en) * | 2019-01-04 | 2019-05-28 | 平安科技(深圳)有限公司 | A kind of method and apparatus of data processing |
CN111460506A (en) * | 2020-04-03 | 2020-07-28 | 中国工商银行股份有限公司 | Data access control method and device |
CN111460506B (en) * | 2020-04-03 | 2024-04-16 | 中国工商银行股份有限公司 | Data access control method and device |
CN112000992B (en) * | 2020-10-29 | 2021-03-16 | 腾讯科技(深圳)有限公司 | Data leakage prevention protection method and device, computer readable medium and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107292188A (en) | A kind of method and apparatus for controlling access privilege | |
EP3572963B1 (en) | Database access-control policy enforcement using reverse queries | |
CN109845221B (en) | Access control policy synchronization for service layer | |
US9626452B2 (en) | Fine-grained database access-control policy enforcement using reverse queries | |
CN110443059A (en) | Data guard method and device | |
CN102571720B (en) | Method and device for processing heterogeneous information contents | |
US10404757B1 (en) | Privacy enforcement in the storage and access of data in computer systems | |
KR20180077251A (en) | Restful operations on Semantic IoT | |
CN107122365A (en) | The access method and device of heterogeneous database | |
US20040122792A1 (en) | Method, system, and program product for managing access to data items in a database | |
WO2016112162A1 (en) | Distributed storage and distributed processing policy enforcement utilizing virtual identifiers | |
US20110153582A1 (en) | Handling of classification data by a search engine | |
CN110197064A (en) | Process handling method and device, storage medium and electronic device | |
WO2018107942A1 (en) | System and method of adaptively partitioning data to speed up join queries on distributed and parallel database systems | |
EP2570943A1 (en) | Protection of data privacy in an enterprise system | |
US10108742B1 (en) | Apparatus and method for data redaction in a semi-structured document database | |
US10114975B1 (en) | Apparatus and method for data redaction in a semi-structured document database | |
CN106156064A (en) | Data base is carried out the method and device of flow-control | |
US7124132B1 (en) | Domain specification system for an LDAP ACI entry | |
WO2023030461A1 (en) | Distributed database detection method and apparatus | |
Cisco | DIST Configuration Database | |
Cisco | DIST Configuration Databases | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20171024 |