CN113282628A - Big data platform access method and device, big data platform and electronic equipment - Google Patents

Info

Publication number: CN113282628A
Application number: CN202110642468.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: access request, information, data, accessed, requested
Inventors: 吴文钦, 周泉
Current assignee: Alipay Hangzhou Information Technology Co Ltd
Original assignee: Alipay Hangzhou Information Technology Co Ltd
Events: application filed by Alipay Hangzhou Information Technology Co Ltd; priority to CN202110642468.0A; publication of CN113282628A; current legal status pending.

Classifications

All classifications fall under G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing.

    • G06F16/24553 Query execution of query operations, under G06F16/2455 Query execution > G06F16/245 Query processing > G06F16/24 Querying > G06F16/20 Information retrieval of structured data, e.g. relational data > G06F16/00 Information retrieval; database structures and file system structures therefor
    • G06F16/2433 Query languages, under G06F16/242 Query formulation > G06F16/24 Querying > G06F16/20 > G06F16/00
    • G06F21/604 Tools and structures for managing or administering access control systems, under G06F21/60 Protecting data > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes, under G06F21/6218 Protecting access to data via a platform to a system of files or objects, e.g. a local or distributed file system or database > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/60 Protecting data > G06F21/00

Abstract

The embodiments of this specification disclose a big data platform access method and apparatus, a big data platform and an electronic device. A security gateway configured in the big data platform intercepts every access request to the engine system and performs authority verification on it: when the authority verification passes the access request is released, otherwise the access request is intercepted.

Description

Big data platform access method and device, big data platform and electronic equipment
Technical Field
The embodiments of this specification relate to the field of computer technology, and in particular to a big data platform access method and apparatus, a big data platform and an electronic device.
Background
Big data refers to data sets so large that they far exceed the capability of traditional database software tools to acquire, store, manage and analyse them; such data is characterised by massive scale, rapid data flow and a wide variety of data types. A big data platform is a set of infrastructure used mainly for scenarios such as massive data storage, batch computation and uninterrupted real-time computation over streaming data; it integrates multiple engines, such as Hadoop, Flink, Spark and HBase, to handle data storage, computation and circulation.
How to ensure the privacy and security of data in a big data platform is a question the industry has to address.
Disclosure of Invention
In view of this, the embodiments of this specification provide a big data platform access method and apparatus, a big data platform and an electronic device, for improving the privacy and security of data in a big data platform.
The embodiments of this specification adopt the following technical solutions:
An embodiment of this specification provides a big data platform access method, applied to a security gateway configured in a big data platform, the method comprising:
the security gateway receives an access request to a target engine in the engine system;
performs authority verification on the access request;
if the authority verification passes, releases the access request;
and if the authority verification fails, intercepts the access request.
An embodiment of this specification further provides a big data platform, comprising:
an engine system; and
a security gateway configured upstream of the engine system, which receives an access request to a target engine in the engine system, performs authority verification on the access request, releases the access request if the authority verification passes, and intercepts the access request if the authority verification fails.
An embodiment of this specification further provides a big data platform access apparatus, applied to a security gateway configured in a big data platform, the apparatus comprising:
a receiving module, configured to receive an access request to a target engine in the engine system;
an authority verification module, configured to perform authority verification on the access request;
a releasing module, configured to release the access request if the authority verification passes;
and an intercepting module, configured to intercept the access request if the authority verification fails.
An embodiment of this specification further provides an electronic device, applied as a security gateway configured in a big data platform, the electronic device comprising:
a processor; and
a memory configured to store a computer program which, when executed, causes the processor to:
receive an access request to a target engine in the engine system;
perform authority verification on the access request;
release the access request if the authority verification passes;
and intercept the access request if the authority verification fails.
At least one of the technical solutions adopted by the embodiments of this specification can achieve the following beneficial effects:
by configuring a security gateway in the big data platform, every access request to the engine system can be intercepted by the security gateway and subjected to authority verification; the access request is released when the authority verification passes and intercepted otherwise. The security gateway is not constrained by the different interface languages of the engines and implements unified privacy and security control over all engines in the engine system, so that private data in the target engine is prevented from being disclosed to the requester and the privacy and security of data in the big data platform are improved. At the same time, the level of this unified security control can be kept consistent across engines, which makes the control efficient.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of this specification and form part of it, illustrate exemplary embodiments and, together with the description, serve to explain the application without limiting it. In the drawings:
FIG. 1 is a framework diagram of a big data platform provided in an embodiment of this specification;
FIG. 2 is a flowchart of a big data platform access method provided in an embodiment of this specification;
FIG. 3 is a flowchart of an alternative embodiment of the big data platform access method provided in an embodiment of this specification;
FIG. 4 is a flowchart of an alternative embodiment of the big data platform access method provided in an embodiment of this specification;
FIG. 5 is a flowchart of an alternative embodiment of the big data platform access method provided in an embodiment of this specification;
FIG. 6 is a framework structure diagram of a security gateway provided in an embodiment of this specification;
FIG. 7 is a block diagram of a big data platform access apparatus provided in an embodiment of this specification;
FIG. 8 is a block diagram of an alternative embodiment of the big data platform access apparatus provided in an embodiment of this specification;
FIG. 9 is a block diagram of an alternative embodiment of the big data platform access apparatus provided in an embodiment of this specification;
FIG. 10 is a block diagram of an alternative embodiment of the big data platform access apparatus provided in an embodiment of this specification;
FIG. 11 is a more specific hardware structure diagram of a computing device provided in an embodiment of this specification.
Detailed Description
An analysis of the prior art shows that each engine in a big data platform is responsible for the security control of its own data privacy, so the level of privacy control differs from engine to engine.
The embodiments of this specification provide a technical solution in which a security gateway is configured upstream of the engine system. The security gateway performs authority verification on an access request to the engine system before the request reaches it, and decides according to the verification result whether the access request is released, so that private data cannot be leaked by access that bypasses the security gateway.
In order to make the objects, technical solutions and advantages of the present application clearer, the technical solutions of the present application are described clearly and completely below with reference to the specific embodiments of this specification and the accompanying drawings. It is to be understood that the embodiments described are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of this specification without inventive effort fall within the scope of the present application.
The technical solutions provided by the embodiments of this specification are described in detail below with reference to the accompanying drawings.
Fig. 1 is a framework diagram of a big data platform provided in an embodiment of this specification. The big data platform includes:
an engine system 101; and
a security gateway 102, configured upstream of the engine system 101, which receives an access request to a target engine in the engine system 101, performs authority verification on the access request, releases the access request if the authority verification passes, and intercepts the access request if the authority verification fails.
In this embodiment, the access request may be a data query, a task submission, a data inflow or the like; it is not specifically limited here.
Specifically, the engine system 101 is configured with a series of engines for computation, storage or data processing, such as Hadoop, Flink, Spark and HBase; these are not specifically limited here.
Fig. 2 is a flowchart of a big data platform access method provided in an embodiment of this specification. The method is applied to a security gateway configured in a big data platform, the execution subject of the method is the security gateway, and the method is described specifically as follows.
Step 202: the security gateway receives an access request to a target engine in the engine system.
Step 204: perform authority verification on the access request.
Step 206: if the authority verification passes, release the access request.
Step 208: if the authority verification fails, intercept the access request.
In the embodiments of this specification, the access request may come from a data research platform, a data analysis platform, a data modeling platform or a data application platform; this is not specifically limited here.
The access request may be in the format of a message or of Structured Query Language (SQL). A message is a unit of data exchanged and transmitted in a network, that is, the block of data a station sends at one time; it contains the complete data to be sent. SQL is a special-purpose programming language for managing data in a relational database management system (RDBMS), or for stream processing in a relational stream data management system (RDSMS).
The access request carries identification information of the target engine, such as an interface identification of the target engine, so that the security gateway can identify which target engine is to be accessed.
Authority verification of the access request may include:
authenticating the identity of the requester of the access request.
The identity authentication result can then serve as the authority verification result: if identity authentication passes, the authority verification is determined to have passed; if identity authentication fails, the authority verification is determined to have failed.
Specifically, identity authentication may verify the authenticity of the interface information of the requester of the access request, that is, determine whether the requester's interface is spoofed.
The authentication policy is stored in the security gateway, so that it can be invoked to perform identity authentication. The security gateway can be configured with an authentication plug-in that runs the authentication policy.
In another embodiment, if identity authentication passes, it can further be verified whether the data the access request asks to access is within the access authority range configured for the target engine, and if so, the authority verification is determined to have passed. In this embodiment, identity authentication is a prerequisite for verifying the access authority range: identity authentication verifies that the requester's identity is genuine, while the access authority range check verifies whether the requester has the authority to access the target engine.
Verifying whether the data requested by the access request is within the access authority range configured for the target engine may involve two layers:
verifying the principal (subject) authority of the requester, namely whether the requester has the authority to access the target engine at all;
and verifying whether the data the requester asks to access is within the access authority range.
The two may be in a progressive relationship, i.e. the former is a precondition of the latter. In that case the access authority range is set specifically according to the requesting subject.
The two may also be in a parallel relationship. For example, the target engine may restrict subject authority but not the data access scope, or it may place no restriction on subject authority but restrict the data access scope.
In this embodiment of the specification, the data flow engine may be asked to verify whether the data requested by the access request is within the access authority range configured for the target engine, in which case the data flow engine performs the verification.
In another embodiment, the security gateway itself may perform the verification procedure, which includes:
performing information analysis on the access request to obtain the data information requested to be accessed;
querying the metadata of the data information requested to be accessed;
and extracting the access authority for the target engine from the metadata.
Metadata is data that describes data. Specifically, metadata is structured data (such as title, version, publication date, related descriptions and search points) extracted from data resources and used to organise, describe, retrieve, preserve and manage information and knowledge resources.
The metadata referred to in the embodiments of this specification may be obtained by unified metadata processing of the data resources of the engines in the engine system. Specifically, metadata is extracted from the data resources of every engine and stored in a unified manner, which provides unified data authority and data access control support for the data of multiple engines.
Accordingly, querying the metadata of the data information requested to be accessed may include:
querying the metadata of the data information requested to be accessed using the engine identification of the target engine.
In the solution of the embodiments of this specification, releasing the access request means that the security gateway forwards it to the target engine in the engine system. In one application scenario, if the access request is a storage request, the security gateway sends the data carried in the access request to the target engine for storage. In another application scenario, the access request is a query request: the security gateway sends the access request to the target engine, receives the query data returned by the target engine, and forwards the query data to the requester.
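To make the progressive check concrete, here is an added Python sketch (not code from the patent or from Alipay) of the Fig. 2 authority verification for a message-format request: identity authentication of the requester's interface, then subject authority and data access range looked up in unified metadata by engine identification. The interface secrets, engine names, tables and metadata are constructed sample values, and binding the request to an HMAC over its fields is one assumed way of detecting a spoofed interface.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample: a shared secret registered for each requester interface
# (e.g. a data analysis or data modeling platform). The gateway's
# authentication plug-in uses it to check that the interface information
# carried by a request is genuine, i.e. the requester interface is not spoofed.
INTERFACE_SECRETS = {
    "analysis-platform": b"constructed-secret-analysis",
    "modeling-platform": b"constructed-secret-modeling",
}

# Constructed sample of unified metadata, keyed by engine identification.
# "subjects" lists the requesters allowed on the engine (subject authority);
# "tables" lists, per table and requester, the columns inside the access
# authority range.
UNIFIED_METADATA = {
    "hbase": {
        "subjects": {"analysis-platform", "modeling-platform"},
        "tables": {
            "user_profile": {
                "analysis-platform": {"user_id", "city"},
                "modeling-platform": {"user_id", "city", "age"},
            },
        },
    },
    "spark": {"subjects": {"modeling-platform"}, "tables": {}},
}


@dataclass
class AccessRequest:
    """A message-format access request as seen by the security gateway."""
    requester: str        # interface identification of the requester
    engine: str           # interface identification of the target engine
    table: str            # data information requested to be accessed
    columns: frozenset
    signature: str = ""   # HMAC over the request fields, computed by the requester

    def canonical(self) -> bytes:
        cols = ",".join(sorted(self.columns))
        return f"{self.requester}|{self.engine}|{self.table}|{cols}".encode()


def sign(req: AccessRequest, secret: bytes) -> str:
    """Requester side: bind the request fields to the interface secret."""
    return hmac.new(secret, req.canonical(), hashlib.sha256).hexdigest()


def make_request(requester, engine, table, columns, secret) -> AccessRequest:
    req = AccessRequest(requester, engine, table, frozenset(columns))
    req.signature = sign(req, secret)
    return req


def authenticate(req: AccessRequest) -> bool:
    """Identity authentication: is the requester's interface information genuine?"""
    secret = INTERFACE_SECRETS.get(req.requester)
    if secret is None:
        return False
    return hmac.compare_digest(sign(req, secret), req.signature)


def verify_subject(req: AccessRequest) -> bool:
    """Principal authority: may this requester access the target engine at all?"""
    engine_meta = UNIFIED_METADATA.get(req.engine)
    return engine_meta is not None and req.requester in engine_meta["subjects"]


def verify_scope(req: AccessRequest) -> bool:
    """Access authority range: is every requested column within the range
    configured for this requester on the target engine? An unknown engine,
    table or requester yields an empty range, so the request is intercepted."""
    engine_meta = UNIFIED_METADATA.get(req.engine, {})
    allowed = engine_meta.get("tables", {}).get(req.table, {}).get(req.requester, set())
    return req.columns <= allowed


def verify_authority(req: AccessRequest) -> tuple:
    """Progressive check in the order the text describes: identity
    authentication first, then subject authority, then data access range.
    Returns (released, reason)."""
    if not authenticate(req):
        return False, "identity authentication failed"
    if not verify_subject(req):
        return False, "requester has no authority on target engine"
    if not verify_scope(req):
        return False, "requested data outside access authority range"
    return True, "released"


if __name__ == "__main__":
    ok = make_request("analysis-platform", "hbase", "user_profile",
                      {"user_id", "city"}, INTERFACE_SECRETS["analysis-platform"])
    print(verify_authority(ok))         # (True, 'released')
    spoofed = make_request("modeling-platform", "hbase", "user_profile",
                           {"age"}, b"wrong-secret")
    print(verify_authority(spoofed))    # (False, 'identity authentication failed')
```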
Fig. 3 is a flowchart of a big data platform access method provided in an embodiment of this specification. The execution subject of the method may be the security gateway.
Steps 301 and 303 correspond to steps 202 and 204 above, respectively, and are not described again here.
Step 305: if the authority verification passes, perform information analysis on the access request to obtain the data information requested to be accessed.
Step 307: identify preset sensitive information in the data information requested to be accessed;
if no sensitive information is identified, go to step 309: release the access request.
If sensitive information is identified, execute step 311: generate prompt information for the sensitive information;
then execute step 309: release the access request carrying the prompt information, so that the target engine desensitizes the sensitive information contained in the data requested to be accessed according to the prompt information.
The prompt information serves to prompt the target engine to desensitize the sensitive information, so that the requester cannot view the sensitive information when accessing the corresponding data and the sensitive information is not leaked.
The sensitive information described in the embodiments of this specification may be private information, such as user identity information, names, mobile phone numbers and home addresses, and is not specifically limited here. It may also be confidential information, such as commercial secrets, technical data or other confidential material, likewise not specifically limited here.
Specifically, two possible embodiments exist for identifying preset sensitive information in the data information requested to be accessed.
In one embodiment, the data information requested to be accessed may be sent to a risk control ("wind control") engine, which identifies the preset sensitive information in it. In this case the security gateway and the risk control engine are connected by a communication link, and the security gateway calls the risk control engine from the engine system to identify sensitive information immediately.
In another embodiment, the data information requested to be accessed is used to run a risk control plug-in configured in the security gateway, and the risk control plug-in identifies the preset sensitive information in it.
In other embodiments of this specification, referring to Fig. 4:
step 401: identify preset sensitive information in the data information requested to be accessed;
if preset sensitive information is identified, execute step 403: desensitize the sensitive information in the access request;
step 405: release the desensitized access request;
if no preset sensitive information is identified, execute step 405 directly.
In this embodiment the security gateway actively desensitizes the sensitive information itself, so that the target engine can exclude the access data containing sensitive information according to the desensitized data information, and the access data provided to the requester therefore contains no sensitive information.
Data desensitization refers to transforming certain sensitive information according to desensitization rules so that sensitive private data is reliably protected. Desensitization means include concealment, encryption and modification.
If the access request is in SQL format, the sensitive information is rewritten by modifying the SQL, which achieves anonymization.
Fig. 5 is a flowchart of a big data platform access method provided in an embodiment of this specification; the method specifically includes the following steps:
step 501: receive access requests to at least two target engines in the engine system;
step 503: analyse the access requests to the at least two target engines separately;
step 505: generate a unified request message from the data information obtained by analysing each access request;
step 507: identify preset sensitive information in the unified request message;
if no sensitive information is identified, execute step 509: release each access request.
If sensitive information is identified, execute step 511: desensitize the access requests that contain sensitive information;
then execute step 509 on the basis of the desensitized access requests.
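As an added example (not the patent's or Alipay's code), the following Python sketch carries the Fig. 3, Fig. 4 and Fig. 5 flows through for SQL-format requests: it analyses a simple single-table SELECT, identifies preset sensitive columns from constructed metadata, and either attaches prompt information for the target engine or rewrites the SQL so those columns are masked, including the case where a `*` wildcard would otherwise hide them. The table metadata, the sensitive column list and the engine-side `mask_sensitive` function are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of unified metadata: the columns of each table, and the
# column names configured as preset sensitive information (private data such
# as names, phone numbers and home addresses).
TABLE_COLUMNS = {
    "user_profile": ["user_id", "name", "phone", "home_address", "city"],
    "orders": ["order_id", "user_id", "amount"],
}
SENSITIVE_COLUMNS = {"name", "phone", "home_address", "id_card"}

# Assumed name of a desensitization function available on the target engine;
# it is a placeholder, not something the patent specifies.
MASK_FUNC = "mask_sensitive"

# Only simple single-table SELECT statements are analysed; anything else is
# treated as an unsupported request and rejected rather than forwarded.
SELECT_RE = re.compile(
    r"^\s*select\s+(?P<cols>.+?)\s+from\s+(?P<table>\w+)(?P<rest>.*)$",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class ParsedQuery:
    columns: list   # requested columns, with "*" already expanded
    table: str
    rest: str       # everything after the table name (WHERE, LIMIT, ...), kept verbatim


def parse_select(sql: str) -> ParsedQuery:
    """Information analysis step: obtain the data information a SQL request asks for."""
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("unsupported request format")
    table = m.group("table")
    if table not in TABLE_COLUMNS:
        raise ValueError(f"unknown table {table!r}")
    cols = [c.strip() for c in m.group("cols").split(",")]
    if cols == ["*"]:
        # Expand the wildcard from metadata; otherwise sensitive columns hidden
        # behind "*" would never be identified.
        cols = list(TABLE_COLUMNS[table])
    unknown = [c for c in cols if c not in TABLE_COLUMNS[table]]
    if unknown:
        raise ValueError(f"unknown columns {unknown}")
    return ParsedQuery(cols, table, m.group("rest"))


def identify_sensitive(q: ParsedQuery) -> list:
    """Identification step (risk control plug-in): which requested columns are
    preset sensitive information, in query order."""
    return [c for c in q.columns if c in SENSITIVE_COLUMNS]


def release_with_prompt(sql: str) -> dict:
    """Fig. 3: forward the request unchanged together with prompt information
    that tells the target engine which columns to desensitize."""
    q = parse_select(sql)
    return {"sql": sql, "prompt": identify_sensitive(q)}


def release_desensitized(sql: str) -> str:
    """Fig. 4: the gateway rewrites the SQL itself so the sensitive columns reach
    the requester only in masked form; a request without sensitive columns is
    released untouched."""
    q = parse_select(sql)
    sensitive = set(identify_sensitive(q))
    if not sensitive:
        return sql
    out_cols = [f"{MASK_FUNC}({c}) AS {c}" if c in sensitive else c for c in q.columns]
    return f"SELECT {', '.join(out_cols)} FROM {q.table}{q.rest}"


def process_batch(requests: list) -> list:
    """Fig. 5: analyse each (engine, sql) request, build one unified request
    record, identify sensitive information over it once, desensitize only the
    requests that contain it, and release all of them in order."""
    unified = [{"engine": eng, "sql": sql, "query": parse_select(sql)} for eng, sql in requests]
    flagged = {i for i, r in enumerate(unified) if identify_sensitive(r["query"])}
    return [release_desensitized(r["sql"]) if i in flagged else r["sql"]
            for i, r in enumerate(unified)]


if __name__ == "__main__":
    print(release_with_prompt("SELECT * FROM user_profile")["prompt"])
    print(release_desensitized("SELECT name, phone FROM user_profile WHERE city = 'HZ'"))
```

A request the analysis layer cannot understand raises `ValueError`, which the gateway should treat as an interception rather than forwarding an unanalysed request.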
Fig. 6 is a framework structure diagram of a security gateway provided in an embodiment of this specification; the security gateway specifically includes:
an access layer 601, which receives the access request to the engine system 600;
an analysis layer 602, which analyses the access request and, depending on the specific form of the access request, may perform message analysis, task analysis, SQL analysis or service analysis;
and an execution layer 603, which is configured with a data transfer plug-in, a risk control plug-in, an authority verification plug-in or other plug-ins, performs the corresponding checks on the analysed data information, and sends the access request to the engine system 600.
Fig. 7 is a structural diagram of a big data platform access apparatus provided in an embodiment of this specification; the apparatus includes:
a receiving module 701, which receives an access request to a target engine in the engine system;
an authority verification module 702, configured to perform authority verification on the access request;
a releasing module 703, configured to release the access request if the authority verification passes;
and an intercepting module 704, which intercepts the access request if the authority verification fails.
Fig. 8 is a block diagram of an alternative embodiment of the big data platform access apparatus provided in an embodiment of this specification; compared with the embodiment shown in Fig. 7, the apparatus may further include:
an analysis module 801, configured to perform information analysis on the access request to obtain the data information requested to be accessed if the authority verification passes;
an identification module 802, configured to identify preset sensitive information in the data information requested to be accessed;
and a releasing module 803, which releases the access request if no preset sensitive information is identified.
Fig. 9 is a block diagram of an alternative embodiment of the big data platform access apparatus provided in an embodiment of this specification; compared with the embodiment shown in Fig. 8, the apparatus may further include:
a generating module 901, configured to generate prompt information for the preset sensitive information if preset sensitive information is identified;
and a releasing module 902, configured to release the access request carrying the prompt information, so that the target engine desensitizes the sensitive information contained in the data requested to be accessed according to the prompt information.
Fig. 10 is a block diagram of an alternative embodiment of the big data platform access apparatus provided in an embodiment of this specification; compared with the embodiment shown in Fig. 8, the apparatus may further include:
a desensitization module 1001, configured to desensitize the sensitive information in the access request if preset sensitive information is identified;
and a releasing module 1002, which releases the desensitized access request.
Based on the same inventive concept, an embodiment of this specification further provides an electronic device, including:
a processor; and
a memory configured to store a computer program which, when executed, causes the processor to perform the method of any of the embodiments of Figs. 2 to 6.
Based on the same inventive concept, an embodiment of this specification also provides a computer-readable storage medium comprising a computer program for use with an electronic device, the computer program being executable by a processor to perform the steps of any of the embodiments of Figs. 1 to 6.
Fig. 11 is a more specific hardware structure diagram of a computing device provided in an embodiment of this specification. The device may include a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040 and a bus 1050, where the processor 1010, memory 1020, input/output interface 1030 and communication interface 1040 are communicatively connected to one another within the device through the bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC) or one or more integrated circuits, and is configured to execute the relevant programs so as to implement the technical solutions provided in the embodiments of this specification.
The memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device or the like. The memory 1020 may store an operating system and other application programs; when the technical solutions provided in the embodiments of this specification are implemented in software or firmware, the relevant program code is stored in the memory 1020 and called by the processor 1010 for execution.
The input/output interface 1030 is used to connect an input/output module for inputting and outputting information. The input/output module may be configured as a component within the device (not shown) or may be external to the device and provide the corresponding function. Input devices may include a keyboard, a mouse, a touch screen, a microphone and various sensors; output devices may include a display, a speaker, a vibrator and indicator lights.
The communication interface 1040 is used to connect a communication module (not shown in the drawings) to implement communication between this device and other devices. The communication module may communicate in a wired manner (e.g. USB or network cable) or in a wireless manner (e.g. mobile network, WiFi or Bluetooth).
The bus 1050 includes a path that transfers information between the components of the device, such as the processor 1010, memory 1020, input/output interface 1030 and communication interface 1040.
It should be noted that although the device described above shows only the processor 1010, memory 1020, input/output interface 1030, communication interface 1040 and bus 1050, in a specific implementation the device may also include other components necessary for normal operation. Moreover, those skilled in the art will appreciate that the device may also include only the components necessary to implement the embodiments of this specification, and not necessarily all of the components shown in the figures.
In the 90 s of the 20 th century, improvements in a technology could clearly distinguish between improvements in hardware (e.g., improvements in circuit structures such as diodes, transistors, switches, etc.) and improvements in software (improvements in process flow). However, as technology advances, many of today's process flow improvements have been seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in the process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose Logic functions are determined by programming the Device by a user. A digital system is "integrated" on a PLD by the designer's own programming without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Furthermore, nowadays, instead of manually making an Integrated Circuit chip, such Programming is often implemented by "logic compiler" software, which is similar to a software compiler used in program development and writing, but the original code before compiling is also written by a specific Programming Language, which is called Hardware Description Language (HDL), and HDL is not only one but many, such as abel (advanced Boolean Expression Language), ahdl (alternate Hardware Description Language), traffic, pl (core universal Programming Language), HDCal (jhdware Description Language), lang, Lola, HDL, laspam, hardward Description Language (vhr Description Language), vhal (Hardware Description Language), and vhigh-Language, which are currently used in most common. 
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller; examples of such microcontrollers include, but are not limited to, the ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be achieved by logically programming the method steps such that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be regarded as a hardware component, and the means included in it for performing the various functions may also be regarded as structures within the hardware component. Indeed, means for performing the functions may be regarded both as software modules implementing the method and as structures within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in this specification are described progressively: the same or similar parts of different embodiments may be referred to from one another, and each embodiment focuses on its differences from the others. In particular, because the system embodiment is substantially similar to the method embodiment, it is described only briefly; for the relevant points, reference may be made to the corresponding description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (18)

1. A big data platform access method, applied to a security gateway configured in a big data platform, comprising the following steps:
the security gateway receiving an access request to a target engine in the engine system;
performing authority verification on the access request;
if the authority verification passes, releasing the access request; and
if the authority verification fails, intercepting the access request.
2. The method of claim 1, wherein performing authority verification on the access request comprises:
authenticating the identity of the requester of the access request.
3. The method of claim 2, wherein performing authority verification on the access request further comprises:
if the identity authentication passes, verifying whether the data requested to be accessed by the access request is within the access authority range configured for the target engine; and
if so, determining that the authority verification passes.
4. The method of claim 3, wherein verifying whether the data requested to be accessed by the access request is within the access authority range configured for the target engine comprises:
requesting the data stream transfer engine to verify whether the data requested to be accessed by the access request is within the access authority range configured for the target engine.
5. The method of claim 3, wherein verifying whether the data requested to be accessed by the access request is within the access authority range configured for the target engine comprises:
parsing the access request to obtain the data information requested to be accessed;
querying the metadata of the data information requested to be accessed; and
extracting the access authority for the target engine from the metadata.
6. The method of claim 5, wherein the metadata is obtained by performing unified metadata management on the data resources of the engines in the engine system, and querying the metadata of the data information requested to be accessed comprises:
querying the metadata of the data information requested to be accessed using the engine identification of the target engine.
7. The method of claim 1, wherein if the authority verification passes, the method further comprises:
parsing the access request to obtain the data information requested to be accessed;
identifying preset sensitive information in the data information requested to be accessed; and
if no preset sensitive information is identified, releasing the access request.
8. The method of claim 7, further comprising:
if preset sensitive information is identified, generating prompt information for the sensitive information;
wherein releasing the access request comprises:
releasing the access request carrying the prompt information, so that the target engine desensitizes, according to the prompt information, the sensitive information contained in the data requested to be accessed.
9. The method of claim 7, wherein if preset sensitive information is identified, the method further comprises:
desensitizing the sensitive information in the access request;
wherein releasing the access request comprises:
releasing the desensitized access request.
10. The method of claim 7, wherein identifying preset sensitive information in the data information requested to be accessed comprises:
sending the data information requested to be accessed to a risk control engine, so that the risk control engine identifies preset sensitive information in the data information requested to be accessed.
11. The method of claim 7, wherein identifying preset sensitive information in the data information requested to be accessed comprises:
running a risk control plug-in configured in the security gateway on the data information requested to be accessed, so that the risk control plug-in identifies preset sensitive information in the data information requested to be accessed.
12. The method of claim 1, wherein if access requests to at least two target engines in the engine layer are received, the method further comprises:
parsing each of the at least two access requests; and
generating access request information from the respective parsing results;
wherein performing authority verification on the access request comprises:
performing authority verification on the generated access request information.
13. A big data platform, comprising:
an engine system; and
a security gateway configured upstream of the engine system, which receives an access request to a target engine in the engine system and performs authority verification on the access request; if the authority verification passes, the access request is released, and if the authority verification fails, the access request is intercepted.
14. A big data platform access device, applied to a security gateway configured in a big data platform, the device comprising:
a receiving module configured to receive an access request to a target engine in the engine system;
an authority verification module configured to perform authority verification on the access request;
a releasing module configured to release the access request if the authority verification passes; and
an interception module configured to intercept the access request if the authority verification fails.
15. The device of claim 14, further comprising:
a parsing module configured to parse the access request to obtain the data information requested to be accessed if the authority verification passes; and
an identification module configured to identify preset sensitive information in the data information requested to be accessed;
wherein the releasing module releases the access request if no preset sensitive information is identified.
16. The device of claim 15, further comprising:
a generating module configured to generate prompt information for the sensitive information if preset sensitive information is identified;
wherein releasing the access request comprises:
releasing the access request carrying the prompt information, so that the target engine desensitizes, according to the prompt information, the sensitive information contained in the data requested to be accessed.
17. The device of claim 15, further comprising:
a desensitization module configured to desensitize the sensitive information in the access request if preset sensitive information is identified;
wherein releasing the access request comprises:
releasing the desensitized access request.
18. An electronic device, applied to a security gateway configured in a big data platform, the electronic device comprising:
a processor; and
a memory configured to store a computer program that, when executed, causes the processor to:
receive, as the security gateway, an access request to a target engine in the engine system;
perform authority verification on the access request;
release the access request if the authority verification passes; and
intercept the access request if the authority verification fails.
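The gateway decision flow of claims 1 to 9 (authenticate the requester, verify the requested data against engine-scoped unified metadata, then identify preset sensitive information and either attach prompt information for the target engine or desensitize at the gateway), as an added Python model that is not the patent's own code; the metadata catalogue, token store, phone-number pattern and masking rule are constructed assumptions.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional

# Constructed unified metadata catalogue (claim 6), keyed by engine identification:
# each entry holds the access rights configured for that engine and its sensitive columns.
METADATA = {
    ("hive", "orders"): {"roles": {"analyst", "admin"}, "sensitive": {"phone"}},
    ("spark", "users"): {"roles": {"admin"}, "sensitive": {"id_card", "phone"}},
}
# Constructed credential store: bearer token -> (principal, role).
TOKENS = {"tok-alice": ("alice", "analyst"), "tok-bob": ("bob", "admin")}
# Constructed pattern for a mobile-number literal embedded in a request predicate.
PHONE_RE = re.compile(r"\b1\d{10}\b")

@dataclass(frozen=True)
class AccessRequest:
    token: str
    engine_id: str        # target engine in the engine system
    table: str
    columns: tuple        # data requested to be accessed
    predicate: str = ""   # filter text; may embed sensitive literals

@dataclass
class Decision:
    action: str           # "release" or "intercept"
    reason: str
    hint: tuple = ()      # prompt information forwarded with the request (claim 8)
    request: Optional[AccessRequest] = None

def authenticate(req: AccessRequest) -> Optional[str]:
    """Claim 2: authenticate the requester; returns its role, or None if unknown."""
    entry = TOKENS.get(req.token)
    return entry[1] if entry else None

def within_rights(req: AccessRequest, role: str) -> bool:
    """Claims 3, 5, 6: query metadata by engine id and check the configured rights."""
    meta = METADATA.get((req.engine_id, req.table))
    return meta is not None and role in meta["roles"]

def identify_sensitive(req: AccessRequest) -> set:
    """Claim 7: find preset sensitive information in requested columns or literals."""
    meta = METADATA.get((req.engine_id, req.table), {"sensitive": set()})
    found = {c for c in req.columns if c in meta["sensitive"]}
    if PHONE_RE.search(req.predicate):
        found.add("predicate:phone")
    return found

def desensitize(req: AccessRequest) -> AccessRequest:
    """Claim 9: mask sensitive literals in the request before releasing it."""
    masked = PHONE_RE.sub(lambda m: m.group()[:3] + "****" + m.group()[-4:], req.predicate)
    return replace(req, predicate=masked)

def gateway(req: AccessRequest, mode: str = "hint") -> Decision:
    """Claim 1 flow: authenticate, verify rights, then screen for sensitive data."""
    role = authenticate(req)
    if role is None:
        return Decision("intercept", "authentication failed")
    if not within_rights(req, role):
        return Decision("intercept", "outside the access rights configured for the engine")
    sensitive = identify_sensitive(req)
    if not sensitive:
        return Decision("release", "no sensitive information", request=req)
    if mode == "mask":  # claim 9: the gateway desensitizes the request itself
        return Decision("release", "desensitized at gateway", request=desensitize(req))
    # claim 8: release unchanged, attaching prompt info so the target engine desensitizes
    return Decision("release", "hint attached", hint=tuple(sorted(sensitive)), request=req)
```

The two release modes correspond to claims 8 and 9: in "hint" mode the request is forwarded intact and the engine is told which fields to mask; in "mask" mode the literal is rewritten before it leaves the gateway.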
CN202110642468.0A 2021-06-09 2021-06-09 Big data platform access method and device, big data platform and electronic equipment Pending CN113282628A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110642468.0A CN113282628A (en) 2021-06-09 2021-06-09 Big data platform access method and device, big data platform and electronic equipment

Publications (1)

Publication Number Publication Date
CN113282628A true CN113282628A (en) 2021-08-20

Family

ID=77283773

Country Status (1)

Country Link
CN (1) CN113282628A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244598A (en) * 2021-12-14 2022-03-25 浙江太美医疗科技股份有限公司 Intranet data access control method, device, equipment and storage medium
CN117972794A (en) * 2024-03-29 2024-05-03 蚂蚁科技集团股份有限公司 Privacy protection method in large model access process and user terminal
CN117993018A (en) * 2024-03-29 2024-05-07 蚂蚁科技集团股份有限公司 Access method of third party large language model and gateway server

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109150908A (en) * 2018-10-08 2019-01-04 四川大学 A kind of big data platform protective device and its guard method being deployed in gateway
CN112073400A (en) * 2020-08-28 2020-12-11 腾讯科技(深圳)有限公司 Access control method, system and device and computing equipment
CN112165455A (en) * 2020-09-04 2021-01-01 杭州安恒信息技术股份有限公司 Data access control method and device, computer equipment and storage medium
CN112702336A (en) * 2020-12-22 2021-04-23 数字广东网络建设有限公司 Security control method and device for government affair service, security gateway and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination