CN107657182A - A kind of method for strengthening media data control of authority reliability - Google Patents

A kind of method for strengthening media data control of authority reliability Download PDF

Info

Publication number
CN107657182A
CN107657182A CN201710972256.2A CN201710972256A CN107657182A CN 107657182 A CN107657182 A CN 107657182A CN 201710972256 A CN201710972256 A CN 201710972256A CN 107657182 A CN107657182 A CN 107657182A
Authority
CN
China
Prior art keywords
user
authority
file
authorization message
white list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710972256.2A
Other languages
Chinese (zh)
Other versions
CN107657182B (en
Inventor
孙翔
王熙
温序铭
张洁
王炜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Sobey Digital Technology Co Ltd
Original Assignee
Chengdu Sobey Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Sobey Digital Technology Co Ltd filed Critical Chengdu Sobey Digital Technology Co Ltd
Priority to CN201710972256.2A priority Critical patent/CN107657182B/en
Publication of CN107657182A publication Critical patent/CN107657182A/en
Application granted granted Critical
Publication of CN107657182B publication Critical patent/CN107657182B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of method for strengthening media data control of authority reliability, comprise the following steps:Authorize, user initiates certification request, if certification success, object handles engine return to usertoken values to user;The usertoken values got are passed to control program by user;Control program is to object handles engine requests authorization message;Object handles engine returns to authorization message to control program;Control program sets authorization message into driver;Driver carries out user right judgement according to authorization message.This programme is by setting object handles engine and control program to be controlled the data access process of user, to realize to rights management and data access, make service-user and storage user's binding, service-user is consistent with the authority of storage user, and realizes the purpose of enhancing security reliability.

Description

A kind of method for strengthening media data control of authority reliability
Technical field
The present invention relates to media data processing method, more particularly to a kind of side for strengthening media data control of authority reliability Method.
Background technology
Existing media data authority control method uses single authority control method from operation layer, and with traditional file The control of authority method of system sets the access rights of file.Following three deficiencies be present in such authority control method:
1) security reliability is poor:Existing media data authority control method is to metadata and the control of authority dynamics ratio of file It is weaker, it is many simply to have accomplished the control of authority of material for the media data of radio, TV and film industries, but it is only limitted to file for file The write-in of aspect, control etc. is read, user can not be directed to safe and reliable control of authority is provided.
2) authority separates:Existing media data authority control method has been carried out point to service-user and the authority of storage user From can not be managed collectively.
3) volume controlled is not accurate:The Statisti-cal control of real-time and precise is not carried out to the memory space quota of user, causes to use Family writes file space-consuming excess, and quota is used in mix.
The content of the invention
It is an object of the invention to:For in existing media data authority control method, service-user can only access first number According to storage user can only access file, and service-user and the authority of storage user are separated from each other, so as to cause to metadata and text Caused by the control dynamics of part are weak the problem of security reliability difference, it is reliable that the present invention provides a kind of enhancing media data control of authority The method of property.
The technical solution adopted by the present invention is as follows:
A kind of method for strengthening media data control of authority reliability, comprises the following steps,
(1) authorize:Media business mandate is carried out by object handles engine and process white list is set, obtains and authorizes letter Breath;
(2) user, authentication authorization and accounting user initiate certification request, if certification success, object handles engine return to user Usertoken values;
(3) the usertoken values got are passed to control program by user;
(4) control program is to object handles engine requests authorization message;
(5) object handles engine returns to authorization message to control program;
(6) control program sets authorization message into driver;
(7) driver carries out user right judgement according to authorization message, if user right is legal, is performed to storage Corresponding operation, then performs step (8);Otherwise, refusal operation;
(8) driver is by the feedback of the information of file operation to control program.
Further, driver includes:IRP_CREATE functions are establishment, open file and file, IRP_READ Function is reads file, and IRP_WRITE functions are written document, and IRP_CLOSE functions are to close file, IRP_SET_ INFORMATION functions are renaming, delete file.
Further, authorization message includes user's white list, managed UNC paths, the operation allowed.
Further, it is the step of media business mandate in step (1):
(111) authority for obtaining file access path is distributed for DB role;
(112) it is Unit folder allocation memory space quota sizes;
(113) it is the authority of Unit folder allocation file operations, including reads file, written document, deletes file;
(114) DB role is distributed for service-user;
(115) storage user is established into corresponding relation with Unit files;
(116) service-user and storage user are bound one by one.
Further, the setting steps of process white list are in step (1):
(121) process white list is set in object handles engine;
(122) process white list information is sent to driver by object handles engine;
(123) process initiates access request;
(124) driver carries out filtering interception according to process white list information, judges the process belonged in white list then Allow access request, denied access is asked if the process in white list that is not belonging to.
Further, user right judgment step is:
(71) authentication procedure obtains authority corresponding to role by the role of certification user in calculation procedure (2);
(72) role-security of the user obtained in step (1) recorded internal memory by authentication procedure, and access path is returned Back to user terminal;
(73) access path that user terminal returns according to step (72) is initiated to access the request of material;
(74) authentication procedure judges the legitimacy of user's request by the role-security of record, that is, judges that user's request is It is no in authorization message, if user request in authorization message, judge that user right is legal, otherwise, user right does not conform to Method.
In summary, by adopting the above-described technical solution, the beneficial effects of the invention are as follows:
1. security reliability is strong:The security access mechanisms such as flexibly powerful authentication, mandate, white list are mutually tied in this programme Close, by the way that white list mechanism is combined with licensing scheme, to be authenticated to user, the access of storing process is authorized for user Authority, so as to strengthen the security reliability of media data.
2. authority is unified:In this programme, it can not unify to avoid operation layer user from being separated with the authority of accumulation layer user Management, service-user and storage user are bound one by one, realize the unification of DB authorities and storage authority, service-user can be with By the binding relationship established with storage user, the operation in corresponding authority is realized.
3. capacity is precisely controlled:The operational feedback of user is passed through by control to control program by driver IRP_WRITE Processing procedure ordered pair user storage space capacity carries out in real time precisely statistics, realizes the volume controlled that application program writes to file.
Brief description of the drawings
Examples of the present invention will be described by way of reference to the accompanying drawings, wherein:
Fig. 1 is the overview flow chart of the present invention;
Fig. 2 is authorization flow figure of the present invention;
Fig. 3 is authorizing procedure figure of the present invention;
Fig. 4 is process white list flow chart of the present invention.
Embodiment
All features disclosed in this specification, or disclosed all methods or during the step of, except mutually exclusive Feature and/or step beyond, can combine in any way.
The present invention is elaborated with reference to Fig. 1, Fig. 2, Fig. 3, Fig. 4.
In this programme, service-user is referred in the media data of prior art accesses, and accesses the user of metadata;Deposit Storage user is referred in the media data of prior art accesses, and accesses the user of file.
A kind of method for strengthening media data control of authority reliability, comprises the following steps,
(1) authorize:Media business mandate is carried out by object handles engine and process white list is set, obtains and authorizes letter Breath;
(2) user initiates certification request, the user authentication authorization and accounting user for initiating certification request, if certification success, at object Manage engine and return to usertoken values to user;
(3) the usertoken values got are passed to control program by user;Control program is used for the mistake of management and control mandate Journey, usertoken is transmitted to object handles engine as a pipeline, authorization message is calculated and authorization message is returned to drive It is dynamic.
(4) control program is to object handles engine requests authorization message;
(5) object handles engine returns to authorization message to control program;
(6) control program sets authorization message into driver;
(7) driver carries out user right judgement according to authorization message, if user right is legal, is performed to storage Corresponding operation, then performs step (8);Otherwise, refusal operation;
(8) driver is by the feedback of the information of file operation to control program.Wherein IRP_WRITE can be to the storage of user Spatial content carries out accurate statistics and fed back.
Driver:For IRP_CREATE functions to create, opening file and file, IRP_READ functions are reading file, IRP_WRITE functions are written document, and IRP_CLOSE functions to close file, attach most importance to life by IRP_SET_INFORMATION functions Name, delete file.
Further, authorization message includes user's white list, managed UNC paths, the operation allowed and others Other authorization messages that those skilled in the art are contemplated that.
For media business feature, media materials include the metadata existed in database D B and the text deposited in storage Part, therefore when authorizing, service-user and storage user have been done and bound one by one, has been awarded in a manner of " role+authority " for user Give the authority of DB role and stored authority of the user to Unit files, ensure control of authority of the service-user with storing user Unified, authorization flow figure is as shown in Figure 2.
Further, the step of media business mandate is:
(111) authority for obtaining file access path is distributed for DB role;
(112) it is Unit folder allocation memory space quota sizes;
(113) it is the authority of Unit folder allocation file operations, including reads file, written document, deletes file;
(114) DB role is distributed for service-user;
(115) storage user is established into corresponding relation with Unit files;
(116) service-user and storage user are bound one by one.
The process of the white list of setting in authorization message is:
(121) process white list is set in object handles engine;
(122) process white list information is sent to driver by object handles engine;
(123) process initiates access request;
(124) driver carries out filtering interception according to process white list information, judges the process belonged in white list then Allow access request, denied access is asked if the process in white list that is not belonging to.
Further, user right judgment step is:
(71) authentication procedure obtains authority corresponding to role by the role of the certification user in calculation procedure (2);Calculate During certification user right, the character list of user is obtained first, and union is taken to character list, then in conjunction with the visit of role bindings Authority is asked, obtains the authority that user is possessed.
(72) role-security of the user obtained in step (1) recorded internal memory by authentication procedure, and access path is returned Back to user terminal;
(73) access path that user terminal returns according to step (72) is initiated to access the request of material;
(74) authentication procedure judges the legitimacy of user's request by the role-security of record, that is, judges that user's request is It is no in authorization message, if user request in authorization message, judge that user right is legal, otherwise, user right does not conform to Method.

Claims (6)

  1. A kind of 1. method for strengthening media data control of authority reliability, it is characterised in that comprise the following steps,
    (1) authorize:Media business mandate is carried out by object handles engine and process white list is set, obtains authorization message;
    (2) user, authentication authorization and accounting user initiate certification request, if certification success, object handles engine return to user Usertoken values;
    (3) the usertoken values got are passed to control program by user;
    (4) control program is to object handles engine requests authorization message;
    (5) object handles engine returns to authorization message to control program;
    (6) control program sets authorization message into driver;
    (7) driver carries out user right judgement according to authorization message, if user right is legal, is performed to storage corresponding Operation, then perform step (8);Otherwise, refusal operation;
    (8) driver is by the feedback of the information of file operation to control program.
  2. A kind of 2. method for strengthening media data control of authority reliability according to claim 1, it is characterised in that driving Program includes:For IRP_CREATE functions to create, opening file and file, IRP_READ functions are to read file, IRP_WRITE Function is written document, and to close file, IRP_SET_INFORMATION functions are renaming, delete text IRP_CLOSE functions Part.
  3. 3. a kind of method for strengthening media data control of authority reliability according to claim 1, it is characterised in that authorize Information includes user's white list, managed UNC paths, the operation allowed.
  4. 4. according to a kind of method of any described enhancing media data control of authority reliabilities of claim 1-3, its feature exists It is in the step of, media business mandate:
    (111) authority for obtaining file access path is distributed for DB role;
    (112) it is Unit folder allocation memory space quota sizes;
    (113) it is the authority of Unit folder allocation file operations, including reads file, written document, deletes file;
    (114) DB role is distributed for service-user;
    (115) storage user is established into corresponding relation with Unit files;
    (116) service-user and storage user are bound one by one.
  5. 5. according to a kind of method of any described enhancing media data control of authority reliabilities of claim 1-3, its feature exists With the setting steps of process white list are in step (1):
    (121) process white list is set in object handles engine;
    (122) process white list information is sent to driver by object handles engine;
    (123) process initiates access request;
    (124) driver carries out filtering interception according to process white list information, and the process for judging to belong in white list then allows Access request, denied access is asked if the process in white list that is not belonging to.
  6. A kind of 6. method for strengthening media data control of authority reliability according to claim 4, it is characterised in that user Authority judgment step is:
    (71) authentication procedure obtains authority corresponding to role by the role of the certification user in calculation procedure (2);
    (72) role-security of the user obtained in step (1) recorded internal memory by authentication procedure, and access path is returned to User terminal;
    (73) access path that user terminal returns according to step (72) is initiated to access the request of material;
    (74) authentication procedure by the role-security of record come judge user ask legitimacy, i.e., judge user ask whether In authorization message, if user's request judges that user right is legal, otherwise, user right is illegal in authorization message.
CN201710972256.2A 2017-10-18 2017-10-18 Method for enhancing reliability of media data authority control Active CN107657182B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710972256.2A CN107657182B (en) 2017-10-18 2017-10-18 Method for enhancing reliability of media data authority control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710972256.2A CN107657182B (en) 2017-10-18 2017-10-18 Method for enhancing reliability of media data authority control

Publications (2)

Publication Number Publication Date
CN107657182A true CN107657182A (en) 2018-02-02
CN107657182B CN107657182B (en) 2020-12-01

Family

ID=61118400

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710972256.2A Active CN107657182B (en) 2017-10-18 2017-10-18 Method for enhancing reliability of media data authority control

Country Status (1)

Country Link
CN (1) CN107657182B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227285A (en) * 2008-01-29 2008-07-23 中兴通讯股份有限公司 System and method for dynamic controlling terminal user authority
CN102546664A (en) * 2012-02-27 2012-07-04 中国科学院计算技术研究所 User and authority management method and system for distributed file system
CN103077354A (en) * 2013-02-19 2013-05-01 成都索贝数码科技股份有限公司 Method for controlling Windows file system access permissions
US20140343989A1 (en) * 2013-05-16 2014-11-20 Phantom Technologies, Inc. Implicitly linking access policies using group names
CN105227315A (en) * 2015-08-31 2016-01-06 青岛海尔智能家电科技有限公司 A kind of Web application authentication method, server and system thereof
CN106685955A (en) * 2016-12-28 2017-05-17 武汉微创光电股份有限公司 Radius-based video monitoring platform security certification method
CN107026825A (en) * 2016-02-02 2017-08-08 中国移动通信集团陕西有限公司 A kind of method and system for accessing big data system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227285A (en) * 2008-01-29 2008-07-23 中兴通讯股份有限公司 System and method for dynamic controlling terminal user authority
CN102546664A (en) * 2012-02-27 2012-07-04 中国科学院计算技术研究所 User and authority management method and system for distributed file system
CN103077354A (en) * 2013-02-19 2013-05-01 成都索贝数码科技股份有限公司 Method for controlling Windows file system access permissions
US20140343989A1 (en) * 2013-05-16 2014-11-20 Phantom Technologies, Inc. Implicitly linking access policies using group names
CN105227315A (en) * 2015-08-31 2016-01-06 青岛海尔智能家电科技有限公司 A kind of Web application authentication method, server and system thereof
CN107026825A (en) * 2016-02-02 2017-08-08 中国移动通信集团陕西有限公司 A kind of method and system for accessing big data system
CN106685955A (en) * 2016-12-28 2017-05-17 武汉微创光电股份有限公司 Radius-based video monitoring platform security certification method

Also Published As

Publication number Publication date
CN107657182B (en) 2020-12-01

Similar Documents

Publication Publication Date Title
US20220263809A1 (en) Method and system for digital rights management of documents
EP3447667B1 (en) Cryptographic security for a distributed data storage
EP2492839B1 (en) Method and system for authenticating a user
DE602004009354T2 (en) Registering or sub-registering a digital rights management server in a digital rights management architecture
CN109190410A (en) A kind of log behavior auditing method based on block chain under cloud storage environment
EP2332313B1 (en) Method for storing data, computer program product, id token and computer system
CA2623141A1 (en) Content cryptographic firewall system
CN101729550A (en) Digital content safeguard system based on transparent encryption and decryption method thereof
DE60026137T2 (en) REGISTRATION OF COPY-PROOF MATERIAL IN A DEPOSIT / RESERVE SYSTEM
CA2448555A1 (en) Digital rights management
DE102013108020A1 (en) Authentication scheme for activating a special privilege mode in a secure electronic control unit
CN107301544A (en) A kind of safe Wallet System of block chain
CN107968763B (en) Group file management system and method
CN101739361A (en) Access control method, access control device and terminal device
KR20030096248A (en) Method and apparatus for tracking status of resource in a system for managing use of the resources
CN107609408B (en) Method for controlling file operation behavior based on filter driver
CN102724137B (en) Method and system for safely using credible mobile storage medium in off-line state
CN115242383A (en) Block chain-based data right multiparty sharing management method
CN110633172A (en) USB flash disk and data synchronization method thereof
US8296826B1 (en) Secure transfer of files
US8321915B1 (en) Control of access to mass storage system
CN107657182A (en) A kind of method for strengthening media data control of authority reliability
WO2018059964A1 (en) Method for the secured access of data of a vehicle
CN107247907A (en) A kind of electric automobile interconnects Information Security Defending System
CN105205403A (en) Method and system for managing and controlling file data of local area network based on file filtering

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant