CN113282628A - Big data platform access method and device, big data platform and electronic equipment - Google Patents
- Publication number: CN113282628A (application CN202110642468.0A)
- Authority: CN (China)
- Prior art keywords: access request, information, data, accessed, requested
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F16/24553—Query execution of query operations (G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 of structured data, e.g. relational data > G06F16/24 Querying > G06F16/245 Query processing > G06F16/2455 Query execution)
- G06F16/2433—Query languages (G06F16/24 Querying > G06F16/242 Query formulation)
- G06F21/604—Tools and structures for managing or administering access control systems (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data)
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (G06F21/60 Protecting data > G06F21/62)
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes (G06F21/62 Protecting access to data via a platform)
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Bioethics (AREA)
- Computer Hardware Design (AREA)
- Data Mining & Analysis (AREA)
- Computational Linguistics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Automation & Control Theory (AREA)
- Mathematical Physics (AREA)
- Medical Informatics (AREA)
- Computer And Data Communications (AREA)
Abstract
The embodiments of this specification disclose a big data platform access method and device, a big data platform and an electronic device. A security gateway configured upstream of the platform's engine system receives each access request to a target engine and performs authority verification on it. When the verification passes, the access request is released; otherwise, the access request is intercepted.
Description
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to a big data platform access method and device, a big data platform and electronic equipment.
Background
Big data is a data set whose scale far exceeds what traditional database software tools can acquire, store, manage and analyze; it is characterized by massive volume, rapid data flow and a wide variety of data types. A big data platform is a set of infrastructure for scenarios such as massive data storage, batch computation and uninterrupted real-time stream computation; it integrates several engines such as Hadoop, Flink, Spark and HBase to handle data storage, computation and circulation.
How to ensure the privacy and security of data in a big data platform is a topic the industry must consider.
Disclosure of Invention
In view of this, embodiments of this specification provide a big data platform access method and apparatus, a big data platform and an electronic device, for improving the privacy and security of data in a big data platform.
The embodiments of this specification adopt the following technical scheme.
An embodiment of this specification provides a big data platform access method, applied to a security gateway configured in a big data platform, which includes:
the security gateway receives an access request to a target engine in the engine system;
performing authority verification on the access request;
if the authority verification passes, releasing the access request;
and if the authority verification fails, intercepting the access request.
An embodiment of the present specification further provides a big data platform, including:
an engine system;
and a security gateway configured upstream of the engine system, which receives an access request to a target engine in the engine system and performs authority verification on it; if the authority verification passes, the access request is released, and if it fails, the access request is intercepted.
An embodiment of the present specification further provides a big data platform access device, which is applied to a security gateway configured in a big data platform, and the device includes:
the receiving module is used for receiving an access request to a target engine in the engine system;
the authority verification module is used for performing authority verification on the access request;
the releasing module releases the access request if the authority verification passes;
and an interception module, which intercepts the access request if the authority verification fails.
An embodiment of this specification further provides an electronic device, applied to a security gateway configured in a big data platform, which includes:
a processor; and
a memory configured to store a computer program that, when executed, causes the processor to:
receive an access request to a target engine in the engine system;
perform authority verification on the access request;
if the authority verification passes, release the access request;
and if the authority verification fails, intercept the access request.
At least one of the technical schemes adopted by the embodiments of this specification can achieve the following beneficial effects:
by configuring a security gateway in the big data platform, the gateway can intercept every access request to the engine system and perform authority verification on it. When the verification passes, the access request is released; otherwise, it is intercepted. The security gateway is not bound to the differing interface languages of the individual engines, so it realizes unified privacy and security control over all engines in the engine system; private data in the target engine is thereby prevented from being disclosed to the requesting user, and the privacy and security of data in the big data platform is improved. At the same time, because control is unified, the level of control is consistent across engines and can be enforced efficiently.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the specification and are incorporated in and constitute a part of this specification, illustrate exemplary embodiments of the specification and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a block diagram of a big data platform framework provided by an embodiment of the present disclosure;
FIG. 2 is a flowchart of a big data platform access method provided by an embodiment of the present specification;
FIG. 3 is a flow diagram of an alternative embodiment of a big data platform access method provided by an embodiment of the present description;
FIG. 4 is a flow diagram of an alternative embodiment of a big data platform access method provided by an embodiment of the present description;
FIG. 5 is a flow diagram of an alternative embodiment of a big data platform access method provided by an embodiment of the present description;
fig. 6 is a frame structure diagram of a security gateway according to an embodiment of the present disclosure;
FIG. 7 is a block diagram of a big data platform access device provided by an embodiment of the present disclosure;
FIG. 8 is a block diagram of an alternative embodiment of a big data platform access device provided by embodiments of the present description;
FIG. 9 is a block diagram of an alternative embodiment of a big data platform access device provided by embodiments of the present description;
FIG. 10 is a block diagram of an alternative embodiment of a big data platform access device provided by embodiments of the present description;
fig. 11 is a more specific hardware architecture diagram of a computing device provided by the embodiments of the present specification.
Detailed Description
Analysis of the prior art shows that, in existing big data platforms, each engine is individually responsible for the security control of its own data, so the level of privacy protection differs from engine to engine.
The embodiments of this specification provide a technical solution in which a security gateway is configured upstream of the engine system. The security gateway performs authority verification on each access request to the engine system before the request reaches an engine, and decides according to the verification result whether the request is released, so that no access can bypass the security gateway and leak private data.
In order to make the objects, technical solutions and advantages of the present application more clear, the technical solutions of the present application will be clearly and completely described below with reference to the specific embodiments of the present specification and the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present disclosure, and not all embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step are within the scope of the present application.
The technical solutions provided by the embodiments of the present description are described in detail below with reference to the accompanying drawings.
Fig. 1 is a frame diagram of a big data platform provided in an embodiment of the present specification, where the big data platform includes:
an engine system 101;
and a security gateway 102 configured upstream of the engine system 101, which receives an access request to a target engine in the engine system 101 and performs authority verification on it; if the authority verification passes, the access request is released, and if it fails, the access request is intercepted.
In this embodiment, the access request may be a data query, a task submission, a data inflow, and the like, and is not specifically limited herein.
Specifically, the engine system 101 is configured with a series of engines for computation, storage or data processing, such as Hadoop, Flink, Spark and HBase, and is not particularly limited herein.
Fig. 2 is a flowchart of a big data platform access method provided in an embodiment of the present specification, where the method is applied to a security gateway configured in a big data platform, an execution subject of the method is the security gateway, and a scheme of the method is specifically described as follows.
Step 202: the security gateway receives an access request to a target engine in the engine system.
Step 204: and performing authority verification on the access request.
Step 206: and if the authority verification is passed, the access request is released.
Step 208: and if the permission verification is not passed, intercepting the access request.
In the embodiments of the present specification, the access request may be from a data research platform, a data analysis platform, a data modeling platform, or a data application platform, and is not particularly limited herein.
The access request may be formatted as a message or as Structured Query Language (SQL). A message is a unit of data exchanged and transmitted in a network, that is, the block of data a station sends at one time, containing the complete data to be sent. SQL is a special-purpose programming language for managing relational database management systems (RDBMS), or for stream processing in relational stream data management systems (RDSMS).
The access request carries identification information of the target engine, such as an interface identification of the target engine, so that the security gateway can identify the target engine to be accessed.
Performing authority verification on the access request may include:
authenticating the identity of the requester of the access request.
The identity authentication result can then serve directly as the authority verification result: if identity authentication passes, the authority verification is determined to pass, and if identity authentication fails, the authority verification is determined to fail.
Identity authentication may specifically verify the authenticity of the interface information of the requester of the access request, that is, determine whether the requester's interface is being spoofed.
The authentication policy is stored in the security gateway so that it can be invoked to perform the authentication. The security gateway may be configured with an authentication plug-in that runs the authentication policy.
In another embodiment, if identity authentication passes, it may further be verified whether the data the access request asks for lies within the access authority range configured for the target engine; if so, the authority verification is determined to pass. In this embodiment identity authentication is a prerequisite for the access-scope check: identity authentication verifies that the requester is who it claims to be, and the access-scope check verifies whether that requester is permitted to access the target engine and the requested data.
Verifying whether the requested data lies within the access authority range configured for the target engine may involve two layers:
verifying the subject permission of the requester, that is, whether the requester is permitted to access the target engine at all;
and verifying whether the specific data requested lies within the access authority range.
The two may be progressive, the former being a precondition for the latter; in that case the access authority range is configured per requester subject.
The two may also be parallel. For example, the target engine may restrict subject permissions but not the data access scope, or it may impose no restriction on subject permissions but restrict the data access scope.
In this embodiment of the specification, the security gateway may ask a data flow engine to verify whether the requested data lies within the access authority range configured for the target engine, with the data flow engine carrying out the verification.
In another embodiment, the security gateway may itself carry out the verification, which includes:
parsing the access request to obtain the data information it requests;
querying the metadata of that requested data information;
and extracting the access authority for the target engine from the metadata.
Metadata is data that describes data. Specifically, metadata is structured data (such as title, version, publication date, related description and search points) extracted from data resources and used to organize, describe, retrieve, preserve and manage information and knowledge resources.
The metadata referred to in the embodiments of this specification may be obtained by unified metadata extraction over the data resources of the engines in the engine system: metadata is extracted from the data resources of all engines and stored in one place, giving uniform data-authority and data-access control across the data of multiple engines.
Accordingly, querying the metadata of the requested data information may include:
querying the metadata of the requested data information using the engine identification of the target engine.
With the solution of the embodiment of the present specification, the access request is released, that is, the security gateway forwards the access request to the target engine in the engine system. In an application scenario, if the access request is a storage request, the security gateway sends data carried in the access request to the target engine for storage. In another application scenario, the access request is an inquiry request, and then the security gateway sends the access request to the target engine, receives inquiry data returned by the target engine, and forwards the inquiry data to the requester.
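The progressive authority verification described above (identity authentication of the requester, then the requester's subject permission on the target engine, then the data scope looked up in unified metadata keyed by the engine identification) together with the release/intercept outcome, as an added example that is not part of the patent. Everything concrete here is an assumption: the patent does not say how interface authenticity is checked, so this example uses an HMAC-SHA256 signature with a per-requester shared key; the requester registry, subject permissions and metadata access lists are constructed inline; and the "engines" are stubs that only record that a request reached them.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed registry of requester interfaces and their shared secrets. The patent
# only says the gateway checks that the requester's interface is not spoofed; an
# HMAC over the request with a per-requester key is one way to do that (assumption).
REQUESTER_KEYS = {
    "data-analysis-platform": b"analysis-secret",
    "data-modeling-platform": b"modeling-secret",
}

# Constructed subject permissions: which engines each requester may reach at all.
SUBJECT_PERMS = {
    "data-analysis-platform": {"hive", "hbase"},
    "data-modeling-platform": {"spark"},
}

# Constructed unified metadata store, keyed by engine identification: for every
# (engine, table) the requesters whose access scope includes that table.
METADATA_ACL = {
    ("hive", "orders"): {"data-analysis-platform"},
    ("hive", "users"): set(),
    ("hbase", "events"): {"data-analysis-platform"},
    ("spark", "features"): {"data-modeling-platform"},
}


@dataclass(frozen=True)
class AccessRequest:
    requester: str   # interface identification of the requester
    engine: str      # identification of the target engine
    table: str       # the data the request wants to touch
    body: str        # SQL text or message payload
    signature: str   # hex HMAC-SHA256 over the four fields above


def canonical(requester: str, engine: str, table: str, body: str) -> bytes:
    # Fixed field order and separator, so the signature binds the target and the data.
    return "\n".join([requester, engine, table, body]).encode()


def sign(requester: str, engine: str, table: str, body: str, key: bytes) -> AccessRequest:
    sig = hmac.new(key, canonical(requester, engine, table, body), hashlib.sha256).hexdigest()
    return AccessRequest(requester, engine, table, body, sig)


def authenticate(req: AccessRequest) -> bool:
    """Identity authentication: is the requester interface genuine and the request unmodified?"""
    key = REQUESTER_KEYS.get(req.requester)
    if key is None:
        return False
    expected = hmac.new(key, canonical(req.requester, req.engine, req.table, req.body),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, req.signature)


def verify_authority(req: AccessRequest) -> Tuple[str, str]:
    """Progressive authority verification; returns ("release" or "intercept", reason)."""
    if not authenticate(req):
        return "intercept", "identity authentication failed"
    if req.engine not in SUBJECT_PERMS.get(req.requester, set()):
        return "intercept", f"{req.requester} has no subject permission on engine {req.engine}"
    allowed = METADATA_ACL.get((req.engine, req.table))
    if allowed is None:
        # Data with no metadata entry: fail closed instead of letting the engine decide.
        return "intercept", f"no metadata for {req.engine}.{req.table}"
    if req.requester not in allowed:
        return "intercept", f"{req.table} is outside the access scope configured for {req.engine}"
    return "release", "ok"


def handle(req: AccessRequest, engines: Dict[str, Callable[[AccessRequest], str]]) -> Dict[str, object]:
    """Gateway entry point: a released request is forwarded, an intercepted one never is."""
    decision, reason = verify_authority(req)
    result: Dict[str, object] = {"decision": decision, "reason": reason, "data": None}
    if decision == "release":
        result["data"] = engines[req.engine](req)
    return result


def stub_engine(req: AccessRequest) -> str:
    # Stand-in for a real engine: only records that the request reached it.
    return f"{req.engine} executed {req.body!r} on {req.table}"


ENGINES = {"hive": stub_engine, "hbase": stub_engine, "spark": stub_engine}

if __name__ == "__main__":
    key = REQUESTER_KEYS["data-analysis-platform"]
    good = sign("data-analysis-platform", "hive", "orders", "SELECT * FROM orders", key)
    print(handle(good, ENGINES))
    # Same requester, but the signed request was altered in transit to point at another table.
    tampered = AccessRequest(good.requester, good.engine, "users", good.body, good.signature)
    print(handle(tampered, ENGINES))
```

Because the signature covers the engine and table fields, a request that is re-pointed at another engine or table after signing fails identity authentication rather than reaching the scope check, and any table with no metadata entry is intercepted rather than passed through to the engine.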
Fig. 3 is a flowchart of a big data platform access method provided in an embodiment of the present specification. The execution subject of the method may be a security gateway.
Step 305: and if the authority passes the verification, performing information analysis on the access request to obtain the data information requested to be accessed.
Step 307: identifying preset sensitive information in the data information requested to be accessed;
if no sensitive information is identified, go to step 309: and releasing the access request.
If sensitive information is identified, step 311 is executed: generating prompt information for the sensitive information;
step 309 is executed: and releasing the access request carrying the prompt information, so that the target engine desensitizes the sensitive information contained in the data requested to be accessed according to the prompt information.
The prompt message has the function of prompting the target engine to desensitize the sensitive message, so that the sensitive message is prevented from being viewed by a requester when the requester accesses the corresponding data, and the sensitive message is prevented from being leaked.
The sensitive information described in the embodiment of the present specification may be private information, such as user identity information, name, mobile phone number, home address, and the like, and is not limited specifically herein. The sensitive information may also be confidential information, such as commercial secrets, technical data or other confidential information, and is not specifically limited herein.
Specifically, two possible embodiments may be included for identifying the preset sensitive information in the data information requested to be accessed.
In one embodiment, the requested data information may be sent to a risk-control engine, which identifies the preset sensitive information in it. In this case the security gateway and the risk-control engine are connected by a communication link, and the security gateway calls the risk-control engine in the engine system to recognize sensitive information on the spot.
In another embodiment, the requested data information is fed to a risk-control plug-in configured in the security gateway, which identifies the preset sensitive information in it.
In other embodiments of the present description, reference is made to fig. 4:
step 401: identifying preset sensitive information in the data information requested to be accessed;
if the preset sensitive information is identified, step 403 is executed: desensitizing sensitive information in the access request;
step 405: passing the access request for desensitization processing;
if no preset sensitive information is identified, step 405 is performed.
In this embodiment the security gateway actively desensitizes the sensitive information itself, so that the target engine, working from the desensitized data information, excludes access data containing the sensitive information; the access data provided to the requester therefore contains no sensitive information.
Data desensitization means transforming certain sensitive information according to desensitization rules so that sensitive private data is reliably protected. Desensitization measures include hiding, encryption and modification.
If the access request is written in SQL, the sensitive information is anonymized by rewriting the SQL.
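Both the Fig. 3 path (release the request with a prompt telling the target engine which sensitive information to desensitize) and the Fig. 4 path (the gateway rewrites the SQL itself before releasing it), applied to an SQL access request, as an added example that is not the patent's code. Assumptions: the preset sensitive information is recorded in unified metadata as a per-column category for one engine and table; masking is expressed as SQL so that the target engine produces the masked values; the target engine is stood in for by an in-memory SQLite table with constructed rows; and the SQL analysis is a deliberately small regex that handles `SELECT <items> FROM <table> [...]` only, intercepting anything it cannot analyze (a real gateway would use a full SQL parser).

```python
import re
import sqlite3
from typing import Dict, List, Tuple

# Constructed unified metadata for one engine (assumption): the columns of each table
# and, for the sensitive ones, the category of the preset sensitive information.
TABLE_COLUMNS = {("hive", "users"): ["id", "name", "phone", "id_card", "city"]}
SENSITIVE = {("hive", "users"): {"phone": "phone", "id_card": "identity"}}

# Masking expression per category, written in SQL so that the target engine performs
# the masking while executing the rewritten query (assumption: the engine speaks SQL).
MASK = {
    "phone": "substr({c}, 1, 3) || '****' || substr({c}, -4, 4)",
    "identity": "substr({c}, 1, 6) || '********' || substr({c}, -4, 4)",
}

SELECT_RE = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)(?P<rest>\s.*)?$",
                       re.IGNORECASE | re.DOTALL)
ITEM_RE = re.compile(r"^\s*(?P<col>\w+)(?:\s+AS\s+(?P<alias>\w+))?\s*$", re.IGNORECASE)


class Intercepted(Exception):
    """The gateway could not analyze the request safely, so it must not be released."""


def requested_columns(engine: str, sql: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """SQL analysis: return (table, [(column, alias), ...], remainder of the statement)."""
    m = SELECT_RE.match(sql)
    if not m:
        raise Intercepted("only SELECT <items> FROM <table> [...] is analyzed")
    table, rest = m.group("table").lower(), m.group("rest") or ""
    key = (engine, table)
    if key not in TABLE_COLUMNS:
        raise Intercepted(f"no metadata for {engine}.{table}")
    items = []
    for raw in m.group("cols").split(","):
        if raw.strip() == "*":
            # Expand the wildcard so sensitive columns cannot hide behind it.
            items.extend((c, c) for c in TABLE_COLUMNS[key])
            continue
        im = ITEM_RE.match(raw)
        if im is None:
            # Expressions such as upper(phone) are not analyzed: fail closed.
            raise Intercepted(f"cannot analyze select item {raw.strip()!r}")
        col = im.group("col").lower()
        if col not in TABLE_COLUMNS[key]:
            raise Intercepted(f"unknown column {col} in {engine}.{table}")
        items.append((col, (im.group("alias") or col).lower()))
    return table, items, rest


def identify_sensitive(engine: str, sql: str) -> Dict[str, str]:
    """Risk-control step: which requested columns carry preset sensitive information."""
    table, items, _ = requested_columns(engine, sql)
    rules = SENSITIVE.get((engine, table), {})
    return {col: rules[col] for col, _alias in items if col in rules}


def build_prompt(engine: str, sql: str):
    """Fig. 3 mode: release the request with a prompt telling the engine what to mask."""
    found = identify_sensitive(engine, sql)
    return {"desensitize": found} if found else None


def rewrite_sql(engine: str, sql: str) -> str:
    """Fig. 4 mode: the gateway rewrites the SQL so only masked values leave the engine."""
    table, items, rest = requested_columns(engine, sql)
    rules = SENSITIVE.get((engine, table), {})
    out = []
    for col, alias in items:
        if col in rules:
            out.append(f"{MASK[rules[col]].format(c=col)} AS {alias}")
        elif alias != col:
            out.append(f"{col} AS {alias}")
        else:
            out.append(col)
    return f"SELECT {', '.join(out)} FROM {table}{rest}"


def run_on_engine(sql: str) -> List[tuple]:
    """Stand-in for the target engine: an in-memory SQLite table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, phone TEXT, id_card TEXT, city TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "13812345678", "110101199001011234", "Hangzhou"),
        (2, "bob", "13987654321", "310101198505054321", "Shanghai"),
    ])
    return con.execute(sql).fetchall()


def gateway_query(engine: str, sql: str):
    """Release the desensitized request, or intercept when it cannot be analyzed."""
    try:
        rewritten = rewrite_sql(engine, sql)
    except Intercepted as exc:
        return "intercept", str(exc)
    return "release", run_on_engine(rewritten)


if __name__ == "__main__":
    q = "SELECT name, phone, id_card AS idc FROM users WHERE id = 1"
    print(build_prompt("hive", q))
    print(rewrite_sql("hive", q))
    print(gateway_query("hive", q))
    print(gateway_query("hive", "SELECT upper(phone) FROM users"))
```

Two details matter for the security property. `SELECT *` is expanded from the metadata before the sensitive-column check, so a wildcard cannot pull a masked column through untouched, and any select item, table or engine the gateway has no metadata for causes an intercept rather than a pass-through, which is the fail-closed behaviour the upstream placement of the gateway is meant to guarantee.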
Fig. 5 is a flowchart of a big data platform access method provided in an embodiment of this specification, where the method specifically includes the following steps:
step 501: receiving access requests to at least two target engines in an engine system;
step 503: analyzing the access requests of the at least two target engines respectively;
step 505: generating a unified request message according to the data information obtained by analyzing each access request;
step 507: identifying preset sensitive information for the unified request information;
if sensitive information is not identified, step 509 is performed: each access request is passed.
If sensitive information is identified, step 511 is performed: desensitizing access requests containing sensitive information;
step 509 is performed based on the desensitized access request.
Fig. 6 is a frame structure diagram of a security gateway provided in an embodiment of this specification, where the security gateway specifically includes:
an access layer 601 that receives an access request to the engine system 600;
the analysis layer 602 analyzes the access request, and may include message analysis, task analysis, SQL analysis, or service analysis according to the specific form of the access request;
and an execution layer 603, configured with a data transfer plug-in, a risk-control plug-in, an authority verification plug-in or other plug-ins, which performs the corresponding checks on the parsed data information and sends the access request on to the engine system 600.
Fig. 7 is a structural diagram of a big data platform access device provided in an embodiment of the present specification, where the device includes:
a receiving module 701, which receives an access request to a target engine in an engine system;
a permission verification module 702, configured to perform permission verification on the access request;
a releasing module 703, configured to release the access request if the permission verification passes;
and the intercepting module 704 intercepts the access request if the permission verification fails.
Fig. 8 is a block diagram of an alternative embodiment of a big data platform access device provided in an embodiment of the present specification, where the device may further include, compared with the embodiment shown in fig. 7:
the analysis module 801 is used for performing information analysis on the access request to obtain data information requested to be accessed if the permission verification passes;
an identifying module 802, configured to identify preset sensitive information in the data information requested to be accessed;
if the preset sensitive information is not identified, the releasing module 803 releases the access request.
Fig. 9 is a block diagram of an alternative embodiment of a big data platform access device provided in an embodiment of the present specification, where the device may further include, compared with the embodiment shown in fig. 8:
a generating module 901, configured to generate a prompt message for a preset sensitive message if the preset sensitive message is identified;
a releasing module 902, configured to release the access request carrying the prompt information, so that the target engine desensitizes the sensitive information included in the data requested to be accessed according to the prompt information.
Fig. 10 is a block diagram of an alternative embodiment of a big data platform access device provided in an embodiment of the present specification, where the device may further include, compared with the embodiment shown in fig. 8:
a desensitization module 1001, configured to perform desensitization processing on the sensitive information in the access request if preset sensitive information is identified;
a release module 1002 that releases the access request for desensitization processing.
Based on the same inventive concept, an embodiment of the present specification further provides an electronic device, including:
a processor; and
a memory configured to store a computer program that, when executed, causes the processor to perform the method of any of the embodiments of fig. 2-6.
Based on the same inventive concept, there is also provided in an embodiment of this specification a computer-readable storage medium comprising a computer program for use with an electronic device, the computer program being executable by a processor to perform the steps of any of the embodiments of fig. 1-6.
Fig. 11 is a more specific hardware structure diagram of a computing device provided in an embodiment of the present specification, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
In the 1990s, an improvement to a technology could be clearly distinguished as an improvement in hardware (for example, an improvement to a circuit structure such as a diode, a transistor or a switch) or an improvement in software (an improvement to a method flow). However, as technology has advanced, many of today's improvements to method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus it cannot be said that an improvement to a method flow cannot be realized by a hardware entity module. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system onto a PLD by programming it, without asking a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, instead of manually making an integrated circuit chip, such programming is nowadays mostly done with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation must likewise be written in a specific programming language, called a Hardware Description Language (HDL). There is not one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); at present VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are the most commonly used.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by that (micro)processor, of logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller or an embedded microcontroller, examples of which include, but are not limited to, the ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320 microcontrollers; the memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely as computer-readable program code, the same functionality can be obtained by logically programming the method steps so that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means it contains for performing the various functions may also be considered structures within the hardware component; indeed, means for performing the functions may be regarded as both software modules implementing the method and structures within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (18)
1. A big data platform access method is applied to a security gateway configured in a big data platform, and comprises the following steps:
the security gateway receives an access request to a target engine in the engine system;
performing authority verification on the access request;
if the authority verification passes, releasing the access request;
and if the authority verification fails, intercepting the access request.
2. The method of claim 1, performing rights verification on the access request, comprising:
and authenticating the requester of the access request.
3. The method of claim 2, performing rights verification on the access request, further comprising:
if the identity authentication is passed, verifying whether the data requested to be accessed by the access request is within the access authority range configured by the target engine;
and if so, determining that the authority verification is passed.
4. The method of claim 3, verifying whether the data requested to be accessed by the access request is within the scope of the access rights configured by the target engine, comprising:
requesting the data flow transfer engine to verify whether the data requested to be accessed by the access request is within the access authority range configured by the target engine.
5. The method of claim 3, verifying whether the data requested to be accessed by the access request is within the scope of the access rights configured by the target engine, comprising:
performing information analysis on the access request to obtain data information requested to be accessed;
inquiring metadata of the data information requested to be accessed;
access rights to the target engine are extracted from the metadata.
6. The method of claim 5, wherein the metadata is obtained by performing unified metadata management on the data resources of the engines in the engine system, and querying the metadata of the data information requested to be accessed comprises:
querying metadata of the data information requested to be accessed with an engine identification of the target engine.
7. The method of claim 1, if the rights verification passes, the method further comprising:
performing information analysis on the access request to obtain data information requested to be accessed;
identifying preset sensitive information in the data information requested to be accessed;
and if the preset sensitive information is not identified, the access request is released.
8. The method of claim 7, further comprising:
if the preset sensitive information is identified, generating prompt information aiming at the sensitive information;
passing the access request, comprising:
and releasing the access request carrying the prompt information, so that the target engine desensitizes the sensitive information contained in the data requested to be accessed according to the prompt information.
9. The method of claim 7, if the preset sensitive information is identified, the method further comprising:
desensitizing the sensitive information in the access request;
passing the access request, comprising:
the access request for desensitization processing is passed.
10. The method of claim 7, wherein identifying preset sensitive information in the data information requested to be accessed comprises:
sending the data information requested to be accessed to a risk control engine, so that the risk control engine identifies preset sensitive information in the data information requested to be accessed.
11. The method of claim 7, wherein identifying preset sensitive information in the data information requested to be accessed comprises:
running the risk control plug-in configured in the security gateway on the data information requested to be accessed, so that the risk control plug-in identifies preset sensitive information in the data information requested to be accessed.
12. The method of claim 1, if access requests are received to at least two target engines in the engine layer, the method further comprising:
analyzing the at least two access requests respectively;
generating access request information according to each analysis information;
performing authority verification on the access request, including:
and performing authority verification on the generated access request information.
13. A big data platform, comprising:
an engine system;
and a security gateway configured upstream of the engine system, which receives an access request to a target engine in the engine system, performs authority verification on the access request, releases the access request if the authority verification passes, and intercepts the access request if the authority verification fails.
14. A big data platform access device applied to a security gateway configured in a big data platform, the device comprising:
the receiving module is used for receiving an access request to a target engine in the engine system;
the authority verification module is used for performing authority verification on the access request;
the releasing module releases the access request if the authority verification passes;
and the interception module intercepts the access request if the permission verification fails.
15. The apparatus of claim 14, the apparatus further comprising:
the analysis module is used for carrying out information analysis on the access request to obtain data information requested to be accessed if the authority passes the verification;
the identification module is used for identifying preset sensitive information in the data information which is requested to be accessed;
and if the preset sensitive information is not identified, the releasing module releases the access request.
16. The apparatus of claim 15, the apparatus further comprising:
the generating module is used for generating prompt information aiming at the sensitive information if the preset sensitive information is identified;
passing the access request, comprising:
and releasing the access request carrying the prompt information, so that the target engine desensitizes the sensitive information contained in the data requested to be accessed according to the prompt information.
17. The apparatus of claim 15, the apparatus further comprising:
the desensitization module is used for desensitizing the sensitive information in the access request if the preset sensitive information is identified;
passing the access request, comprising:
the access request for desensitization processing is passed.
18. An electronic device applied to a security gateway configured in a big data platform, the electronic device comprising:
a processor; and
a memory configured to store a computer program that, when executed, causes the processor to:
the security gateway receives an access request to a target engine in the engine system;
performing authority verification on the access request;
if the authority verification passes, release the access request;
and if the authority verification fails, intercept the access request.
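The method claimed above, written out as an added example in Python (this is not code from the patent or its applicant): a security gateway that authenticates the requester (claim 2), parses the request (claim 5), looks up unified metadata by engine identification to check the requested data against the target engine's access authority range (claims 3 and 6), identifies preset sensitive columns (claim 7), and then either passes the request with prompt information so the engine desensitizes the result (claim 8) or rewrites the request itself before passing it (claim 9). The engine names, metadata, users, HMAC credential, SQL parser and the `mask()` UDF in the rewritten query are all constructed assumptions; the gateway intercepts anything it cannot parse or cannot find in metadata.

```python
"""Security-gateway pipeline for a big data platform engine system.

Added example, not the patent's own code. Everything here (engine names,
metadata, users, the HMAC credential, the SQL parser and the mask() UDF the
rewritten query relies on) is a constructed assumption.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed unified metadata, keyed by engine identification (claim 6):
# the data resources each engine exposes, the roles in its access authority
# range, and the columns that exist.
METADATA = {
    "hive": {
        "orders":  {"roles": {"analyst", "admin"},
                    "columns": {"order_id", "amount", "customer_phone"}},
        "payroll": {"roles": {"admin"},
                    "columns": {"emp_id", "salary", "id_card"}},
    },
    "presto": {
        "orders":  {"roles": {"analyst", "admin"},
                    "columns": {"order_id", "amount"}},
    },
}

# Preset sensitive information (claim 7): columns never passed through unmasked.
SENSITIVE_COLUMNS = {"customer_phone", "id_card", "salary"}

_GATEWAY_SECRET = b"constructed-demo-secret"   # constructed, not a real key
USERS = {"alice": "analyst", "bob": "admin"}   # constructed requester -> role


def issue_token(user: str) -> str:
    """Constructed credential: HMAC-SHA256 over the user name (stand-in for an IdP)."""
    return hmac.new(_GATEWAY_SECRET, user.encode(), hashlib.sha256).hexdigest()


def authenticate(user: str, token: str) -> Optional[str]:
    """Claim 2: identity authentication. Returns the requester's role or None."""
    if user not in USERS:
        return None
    if not hmac.compare_digest(issue_token(user), token):
        return None
    return USERS[user]


_SELECT = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)(?P<rest>.*)$", re.I | re.S)


def parse_request(sql: str):
    """Claim 5: information analysis of a single-table SELECT.

    Returns (table, columns, rest) or None. A second table reference in the
    remainder (JOIN, subquery, UNION) is rejected, so the authority check
    cannot be bypassed through a table the regex never saw.
    """
    m = _SELECT.match(sql)
    if m is None:
        return None
    if re.search(r"\b(join|select|from|union)\b", m.group("rest"), re.I):
        return None
    cols = [c.strip().lower() for c in m.group("cols").split(",")]
    return m.group("table").lower(), cols, m.group("rest")


@dataclass
class Decision:
    passed: bool
    reason: str
    sql: Optional[str] = None                   # query forwarded to the engine
    hints: list = field(default_factory=list)   # claim 8 prompt information


def gateway(user: str, token: str, engine: str, sql: str,
            mode: str = "rewrite") -> Decision:
    """Claim 1 pipeline: verify authority, then pass (possibly desensitized) or intercept."""
    role = authenticate(user, token)
    if role is None:
        return Decision(False, "authentication failed")
    parsed = parse_request(sql)
    if parsed is None:
        return Decision(False, "request not understood; intercepted")   # fail closed
    table, cols, rest = parsed
    meta = METADATA.get(engine, {}).get(table)   # claim 6: query metadata by engine id
    if meta is None:
        return Decision(False, f"{engine} exposes no data resource {table!r}")
    if role not in meta["roles"]:                # claim 3: outside authority range
        return Decision(False, f"role {role!r} not in access authority range")
    if cols == ["*"]:
        cols = sorted(meta["columns"])
    outside = [c for c in cols if c not in meta["columns"]]
    if outside:
        return Decision(False, f"columns outside authority range: {outside}")
    sensitive = [c for c in cols if c in SENSITIVE_COLUMNS]   # claim 7
    if not sensitive:
        return Decision(True, "passed; no sensitive information", sql=sql)
    if mode == "hint":                                         # claim 8
        return Decision(True, "passed with desensitization hints", sql=sql, hints=sensitive)
    # Claim 9: desensitize the request itself; mask() is an assumed engine UDF.
    select_list = ", ".join(f"mask({c}) AS {c}" if c in SENSITIVE_COLUMNS else c
                            for c in cols)
    return Decision(True, "passed after desensitization",
                    sql=f"SELECT {select_list} FROM {table}{rest}")


if __name__ == "__main__":
    tok = issue_token("alice")
    for eng, q in [("hive", "SELECT order_id, customer_phone FROM orders WHERE amount > 10"),
                   ("hive", "SELECT salary FROM payroll"),
                   ("hive", "SELECT order_id FROM orders JOIN payroll ON 1=1")]:
        d = gateway("alice", tok, eng, q)
        print(f"{eng:6} {'PASS' if d.passed else 'DROP'}  {d.reason}  {d.sql or ''}")
```

The regex parser is the weak point of any gateway of this shape: an authority check is only as good as the parser's view of the request, so a production gateway should parse with the target engine's own SQL grammar rather than a pattern, and intercept whatever it cannot fully account for, as this example does for joins and subqueries.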
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110642468.0A CN113282628A (en) | 2021-06-09 | 2021-06-09 | Big data platform access method and device, big data platform and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110642468.0A CN113282628A (en) | 2021-06-09 | 2021-06-09 | Big data platform access method and device, big data platform and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113282628A true CN113282628A (en) | 2021-08-20 |
Family
ID=77283773
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110642468.0A Pending CN113282628A (en) | 2021-06-09 | 2021-06-09 | Big data platform access method and device, big data platform and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113282628A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109150908A (en) * | 2018-10-08 | 2019-01-04 | 四川大学 | A kind of big data platform protective device and its guard method being deployed in gateway |
CN112073400A (en) * | 2020-08-28 | 2020-12-11 | 腾讯科技(深圳)有限公司 | Access control method, system and device and computing equipment |
CN112165455A (en) * | 2020-09-04 | 2021-01-01 | 杭州安恒信息技术股份有限公司 | Data access control method and device, computer equipment and storage medium |
CN112702336A (en) * | 2020-12-22 | 2021-04-23 | 数字广东网络建设有限公司 | Security control method and device for government affair service, security gateway and storage medium |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114244598A (en) * | 2021-12-14 | 2022-03-25 | 浙江太美医疗科技股份有限公司 | Intranet data access control method, device, equipment and storage medium |
CN114244598B (en) * | 2021-12-14 | 2024-01-19 | 浙江太美医疗科技股份有限公司 | Intranet data access control method, device, equipment and storage medium |
CN117972794A (en) * | 2024-03-29 | 2024-05-03 | 蚂蚁科技集团股份有限公司 | Privacy protection method in large model access process and user terminal |
CN117993018A (en) * | 2024-03-29 | 2024-05-07 | 蚂蚁科技集团股份有限公司 | Access method of third party large language model and gateway server |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110990804B (en) | Resource access method, device and equipment | |
CN113282628A (en) | Big data platform access method and device, big data platform and electronic equipment | |
CN113079200A (en) | Data processing method, device and system | |
CN110445769B (en) | Access method and device of business system | |
CN111680305A (en) | Data processing method, device and equipment based on block chain | |
CN107203715B (en) | Method and device for executing system call | |
CN110943961A (en) | Data processing method, device and storage medium | |
JP2016527608A (en) | Process authentication and resource permissions | |
CN111311251A (en) | Binding processing method, device and equipment | |
CN111400681B (en) | Data authority processing method, device and equipment | |
CN113704826A (en) | Privacy protection-based business risk detection method, device and equipment | |
Blasco et al. | Automated generation of colluding apps for experimental research | |
CN113239853B (en) | Biological identification method, device and equipment based on privacy protection | |
CN112000992B (en) | Data leakage prevention protection method and device, computer readable medium and electronic equipment | |
CN115374481B (en) | Data desensitization processing method and device, storage medium and electronic equipment | |
CN112182506A (en) | Data compliance detection method, device and equipment | |
CN113221142A (en) | Authorization service processing method, device, equipment and system | |
CN115134067A (en) | Method for detecting private data leakage | |
CN112287376A (en) | Method and device for processing private data | |
CN111737304B (en) | Processing method, device and equipment of block chain data | |
CN114638005A (en) | Data processing method, device and system based on block chain and storage medium | |
CN113282959A (en) | Service data processing method and device and electronic equipment | |
CN111078435A (en) | Service processing method and device and electronic equipment | |
CN112100610B (en) | Processing method, device and equipment for login and user login related services | |
CN114553516A (en) | Data processing method, device and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||