CN113489689B - Authentication method and device for access request, storage medium and electronic equipment - Google Patents

Info

Publication number
CN113489689B
Authority
CN
China
Prior art keywords
authority
access
access request
list
management server
Legal status
Active
Application number
CN202110687187.7A
Other languages
Chinese (zh)
Other versions
CN113489689A (en)
Inventor
梁海昆
Current Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd
Priority to CN202110687187.7A
Publication of CN113489689A
Application granted
Publication of CN113489689B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an authentication method and device for an access request, a storage medium and electronic equipment, and belongs to the field of cloud computing. The method comprises the following steps: receiving an access request of a client, wherein the access request requests a Hadoop node to access a Hadoop service; acquiring a first authority list from an authority management server in real time, with the access request as the triggering condition, wherein the authority management server configures and stores authority policy data of a plurality of Hadoop clusters; and authenticating the access request using the first authority list. The invention solves the technical problem that a Hadoop cluster in the related art cannot manage user permissions, improves the response speed of the Hadoop service, and improves the security of the Hadoop cluster.

Description

Authentication method and device for access request, storage medium and electronic equipment
Technical Field
The invention relates to the field of cloud computing, in particular to an authentication method and device for an access request, a storage medium and electronic equipment.
Background
In the related art, Hadoop implements a distributed file system (HDFS, Hadoop Distributed File System) as one of its components. HDFS is highly fault tolerant, is designed to be deployed on low-cost hardware, and provides high-throughput access to application data, which makes it suitable for applications with very large data sets.
In the related art, Hadoop services are mainly used to solve business problems, so the isolation and security of data are important, yet Hadoop itself provides no security authentication. To solve the problem of user security authentication, Hadoop mainly relies on the Kerberos tool; Kerberos provides security authentication capability but does not provide management of user rights.
In view of the above problems in the related art, no effective solution has been found yet.
Disclosure of Invention
The embodiment of the application provides an authentication method and device for an access request, a storage medium and electronic equipment.
According to an aspect of an embodiment of the present application, there is provided an authentication method of an access request, including: receiving an access request of a client, wherein the access request is used for requesting a Hadoop node to access a Hadoop service; acquiring a first authority list from an authority management server in real time by taking the access request as a triggering condition, wherein the authority management server is used for configuring and storing authority policy data of a plurality of Hadoop clusters; and authenticating the access request by adopting the first authority list.
Further, authenticating the access request with the first permission list includes: analyzing an access account number and an access object in the access request; searching authority configuration data corresponding to the access account from the first authority list, wherein the authority configuration data comprises a plurality of Hadoop resources allowing the access account to operate; judging whether the permission configuration data contains the access object or not; if the authority configuration data contains the access object, determining that the authentication passes; and if the access object is not contained in the authority configuration data, determining that the authentication fails.
Further, the method further comprises: if the first authority list cannot be acquired from the authority management server in real time, reading the locally cached history authority list; and authenticating the access request using the history authority list.
Further, before reading the locally cached historical rights list, the method further comprises: according to a preset period, accessing the right management server at regular time, and establishing a first communication link between the Hadoop node and the right management server; and pulling a second authority list from the authority management server based on the first communication link, wherein the second authority list is used for updating the historical authority list.
Further, before reading the locally cached historical rights list, the method further comprises: responding to a connection request of the right management server, and establishing a second communication link between the Hadoop node and the right management server, wherein the connection request is generated after the right management server locally updates right policy data; and receiving a third authority list issued by the authority management server based on the second communication link, wherein the third authority list is used for updating the historical authority list.
Further, after acquiring the first rights list from the rights management server in real time, the method further comprises: judging whether the first authority list is consistent with a history authority list locally pre-stored by the Hadoop node; and if the first authority list is inconsistent with the history authority list locally pre-stored by the Hadoop node, updating the history authority list into the first authority list.
Further, receiving the access request of the client includes one of: receiving a first access request of a client, wherein the first access request is used for requesting a namespace node to access a distributed file system (HDFS) service; receiving a second access request of the client, wherein the second access request is used for requesting the namespace node to access the distributed column storage system HBase service; receiving a third access request of the client, wherein the third access request is used for requesting the namespace node to access the Hive service of the data warehouse; receiving a fourth access request of the client, wherein the fourth access request is used for requesting the namespace node to access a distributed publish-subscribe message system (Kafka) service; a fifth access request is received from the client, wherein the fifth access request is for requesting access to the distributed search service from the namespace node.
According to another aspect of the embodiment of the present application, there is also provided an authentication apparatus for an access request, including: the first receiving module is used for receiving an access request of the client, wherein the access request is used for requesting the Hadoop node to access the Hadoop service; the acquisition module is used for acquiring a first authority list from the authority management server in real time by taking the access request as a trigger condition, wherein the authority management server is used for configuring and storing authority policy data of a plurality of Hadoop clusters; and the first authentication module is used for authenticating the access request by adopting the first authority list.
Further, the first authentication module includes: the analysis unit is used for analyzing the access account number and the access object in the access request; the searching unit is used for searching authority configuration data corresponding to the access account from the first authority list, wherein the authority configuration data comprises a plurality of Hadoop resources allowing the access account to operate; a judging unit, configured to judge whether the rights configuration data includes the access object; the authentication unit is used for determining that the authentication passes if the access object is contained in the authority configuration data; and if the access object is not contained in the authority configuration data, determining that the authentication fails.
Further, the apparatus further comprises: the reading module, used for reading the locally cached history authority list if the first authority list cannot be obtained from the authority management server in real time; and the second authentication module, used for authenticating the access request with the history authority list.
Further, the apparatus further comprises: the first creating module is used for accessing the rights management server at regular time according to a preset period before the reading module reads the locally cached historical rights list, and establishing a first communication link between the Hadoop node and the rights management server; and the pulling module is used for pulling the second authority list from the authority management server based on the first communication link.
Further, the apparatus further comprises: the second creating module is used for responding to a connection request of the rights management server before the reading module reads the locally cached historical rights list, and establishing a second communication link between the Hadoop node and the rights management server, wherein the connection request is generated after the rights management server locally updates the rights policy data; and the second receiving module is used for receiving a third authority list issued by the authority management server based on the second communication link.
Further, the apparatus further comprises: the judging module is used for judging whether the first authority list is consistent with a history authority list locally pre-stored by the Hadoop node after the acquiring module acquires the first authority list from the authority management server in real time; and the updating module is used for updating the history authority list into the first authority list if the first authority list is inconsistent with the history authority list locally pre-stored by the Hadoop node.
Further, the first receiving module includes one of: a first receiving unit, configured to receive a first access request of a client, where the first access request is used to request a namespace node to access a distributed file system HDFS service; the second receiving unit is used for receiving a second access request of the client, wherein the second access request is used for requesting the namespace node to access the distributed column storage system HBase service; a fourth receiving unit, configured to receive a third access request of the client, where the third access request is used to request the namespace node to access to a Hive service of the data repository; a fifth receiving unit, configured to receive a fourth access request of the client, where the fourth access request is used to request access to a distributed publish-subscribe message system Kafka service from the namespace node; and a sixth receiving unit, configured to receive a fifth access request of the client, where the fifth access request is used to request access to the distributed search service from the namespace node.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program that performs the above steps when running.
According to another aspect of the embodiment of the present application, there is also provided an electronic device including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus; wherein: a memory for storing a computer program; and a processor for executing the steps of the method by running a program stored on the memory.
Embodiments of the present application also provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the above method.
According to the method and device for authenticating an access request to a Hadoop cluster, an access request of a client is received, where the access request requests a Hadoop node to access a Hadoop service; with the access request as the trigger condition, the first authority list is acquired from the authority management server in real time; finally, the first authority list is used to authenticate the access request. Because the authority list is acquired from the authority management server in real time, the Hadoop node authenticates the access request in real time, which solves the technical problem that a Hadoop cluster in the related art cannot manage user authority, improves the response speed of the Hadoop service, and at the same time improves the security of the Hadoop cluster.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a block diagram of the hardware architecture of a server according to an embodiment of the present application;
fig. 2 is a flow chart of a method of authenticating an access request according to an embodiment of the application;
FIG. 3 is an authentication flow chart of an embodiment of the present application;
fig. 4 is a block diagram of an authentication apparatus for an access request according to an embodiment of the present application;
fig. 5 is a block diagram of an electronic device embodying an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application. It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
The method according to the first embodiment of the present application may be implemented in a server, a computer, or a similar computing device. Taking the operation on a server as an example, fig. 1 is a block diagram of a hardware structure of a server according to an embodiment of the present application. As shown in fig. 1, the server may include one or more (only one is shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those skilled in the art that the structure shown in fig. 1 is merely illustrative, and is not intended to limit the structure of the server described above. For example, the server may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a server program, for example, a software program of application software and a module, such as a server program corresponding to an authentication method of an access request in an embodiment of the present invention, and the processor 102 executes the server program stored in the memory 104, thereby performing various functional applications and data processing, that is, implementing the above-mentioned method. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely located with respect to the processor 102, which may be connected to a server via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of a server. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is configured to communicate with the internet wirelessly.
In this embodiment, an authentication method of an access request is provided, fig. 2 is a flowchart of an authentication method of an access request according to an embodiment of the present invention, and as shown in fig. 2, the flowchart includes the following steps:
step S202, an access request of a client is received, wherein the access request is used for requesting a Hadoop node to access a Hadoop service;
Depending on the Hadoop service, the Hadoop node in this embodiment may be a name node, a data node, a service node (server node), a resource manager, and the like, each authenticating access requests in its respective Hadoop distributed scenario.
Step S204, taking an access request as a trigger condition, acquiring a first authority list from an authority management server in real time, wherein the authority management server is used for configuring and storing authority policy data of a plurality of Hadoop clusters;
optionally, the rights management server configures an authentication management process, the Hadoop node configures an authentication interface, the authentication management process communicates with the authentication interface, and when the same rights management server manages a plurality of clusters, the rights management server communicates with the authentication interfaces of the clusters through the authentication management process.
Step S206, the access request is authenticated by adopting the first authority list.
After authentication, the access request may be further allowed or denied based on the authentication result.
Through the above steps, an access request of a client is received, where the access request requests a Hadoop node to access a Hadoop service; with the access request as the trigger condition, the first authority list is obtained from the authority management server in real time; finally, the first authority list is used to authenticate the access request. Because the authority list is obtained from the authority management server in real time, the Hadoop node authenticates the access request in real time, which solves the technical problem that a Hadoop cluster in the related art cannot manage user authority, improves the response speed of the Hadoop service, and improves the security of the Hadoop cluster.
In this embodiment, the authentication of the access request using the first permission list includes:
s11, analyzing an access account number and an access object in the access request;
in one example, a Hadoop client sends an access request to a Hadoop node (e.g., name node, data node) to request access to a Hadoop service, the access object may be a data resource, a node server (e.g., a data node), etc.
S12, searching authority configuration data corresponding to the access account from a first authority list, wherein the authority configuration data comprises a plurality of Hadoop resources allowing the access account to operate;
Optionally, the first permission list includes the user accounts allowed to access the Hadoop node, or the user accounts allowed to access the Hadoop cluster where the Hadoop node is located, together with the access permissions (accessible resource information, accessible node information, accessible Hadoop service information, etc.) of all registered users. For example: { user: "Zhang San", service: "HDFS", access: "rwx" }; { user: "Li Si", service: "Hive", db: "school", table: "student", access: "select" }.
S13, judging whether the permission configuration data contains an access object or not;
In one example, the authority configuration data of access account user1 is a whitelist, such as {A, B, C}, meaning that user1 is allowed to access A, B and C through the Hadoop node; it is determined whether the requested access object is any one of A, B, C, that is, whether the whitelist is hit: if hit, the determination is yes, and if not hit, the determination is no. In another example, the authority configuration data of the access account is a blacklist, such as {M, N}, meaning that user1 is not allowed to access M or N through the Hadoop node; it is determined whether the requested access object is either of M, N: if hit, the determination is no, and if not hit, the determination is yes. Of course, a combination of whitelist and blacklist may also be used.
S14, if the authority configuration data contains an access object, determining that the authentication passes; if the authority configuration data does not contain the access object, determining that the authentication fails.
Further, after the authentication is determined to pass, executing the access operation of the Hadoop service on the Hadoop node, or forwarding the access request to a corresponding service node, for example, forwarding the access request to a data node where the target resource is located by the name node.
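The following is an added example, not code from the patent, showing steps S11 to S14 as a working authorization check: the access account and access object are parsed out of a request, the account's permission configuration data is looked up in the first authority list, and the object is tested against whitelist and blacklist entries as described for S13. The request wire format, the policy entries, the account names and the resource names are all constructed sample data; the path-prefix matching for HDFS directories is an assumption added for illustration and goes slightly beyond the exact-match check the text describes.

```python
# Added example (not the patent's own code): evaluating an access request against a
# first authority list in the shape the description sketches (S11 to S14), including
# the whitelist and blacklist semantics of step S13. The request format, policy
# entries, accounts and resource names are all constructed sample data.
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class AccessRequest:
    account: str    # access account number (the user)
    service: str    # Hadoop service being requested, e.g. "HDFS" or "Hive"
    resource: str   # access object, e.g. "/data/reports" or "school.student"
    operation: str  # requested operation, e.g. "r", "w", "x", "select"


@dataclass(frozen=True)
class PolicyEntry:
    user: str
    service: str
    resource: str
    access: FrozenSet[str]  # operations named by this entry
    deny: bool = False      # False: whitelist entry; True: blacklist entry


def parse_request(raw: str) -> AccessRequest:
    """S11: pull the access account and access object out of a request.

    The wire format 'user=... service=... resource=... op=...' is a constructed
    stand-in for whatever the real Hadoop RPC carries."""
    fields = dict(token.split("=", 1) for token in raw.split())
    return AccessRequest(fields["user"], fields["service"],
                         fields["resource"], fields["op"])


def covers(policy_resource: str, requested: str) -> bool:
    """A path-like policy resource (assumed HDFS directory) covers itself and
    everything beneath it; other resource names (Hive db.table, HBase table)
    must match exactly."""
    if policy_resource.startswith("/"):
        base = policy_resource.rstrip("/")
        return requested == policy_resource or requested.startswith(base + "/")
    return policy_resource == requested


def lookup(rights_list: List[PolicyEntry], account: str, service: str) -> List[PolicyEntry]:
    """S12: the authority configuration data for this account on this service."""
    return [p for p in rights_list if p.user == account and p.service == service]


def authenticate(rights_list: List[PolicyEntry], req: AccessRequest) -> bool:
    """S13/S14: pass only when a whitelist entry contains the access object and
    operation and no blacklist entry forbids it. An account with no
    configuration data fails closed."""
    entries = lookup(rights_list, req.account, req.service)
    allowed = False
    for entry in entries:
        if not covers(entry.resource, req.resource) or req.operation not in entry.access:
            continue
        if entry.deny:
            return False     # blacklist hit: authentication fails
        allowed = True       # whitelist hit: passes unless a blacklist entry also hits
    return allowed


# Constructed first authority list, mirroring the description's
# {user, service, access} and {user, service, db, table, access} examples.
FIRST_RIGHTS_LIST = [
    PolicyEntry("zhangsan", "HDFS", "/data/reports", frozenset("rwx")),
    PolicyEntry("zhangsan", "HDFS", "/data/reports/secret", frozenset("rwx"), deny=True),
    PolicyEntry("lisi", "Hive", "school.student", frozenset({"select"})),
]

if __name__ == "__main__":
    for raw in ("user=zhangsan service=HDFS resource=/data/reports/q1.csv op=r",
                "user=zhangsan service=HDFS resource=/data/reports/secret/x op=r",
                "user=lisi service=Hive resource=school.student op=drop"):
        verdict = "pass" if authenticate(FIRST_RIGHTS_LIST, parse_request(raw)) else "fail"
        print(raw, "->", verdict)
```

The blacklist entry is evaluated after the whitelist entry for the same account, so a deny on a sub-directory overrides the broader allow, and an account with no entries at all is refused rather than treated as unrestricted.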
In another aspect of this embodiment, the method further comprises: if the first authority list cannot be acquired from the authority management server in real time, reading the locally cached history authority list; and authenticating the access request using the history authority list.
In one implementation of this embodiment, before the locally cached history authority list is read, a second authority list is also obtained in advance by interacting with the authority management server periodically. This comprises the following steps: according to a preset period, accessing the authority management server at regular intervals and establishing a first communication link between the Hadoop node and the authority management server; and pulling a second authority list from the authority management server over the first communication link, wherein the second authority list is used to update the history authority list.
By pulling the second authority list from the authority management server in advance, a failure of the real-time authentication connection to the authority management server when an access request is received and the first authority list is being acquired in real time can be tolerated: authentication is then performed using the local cache file, the existing authority continues to function normally, and a fallback mechanism is realized.
In another implementation manner of this embodiment, before reading the locally cached history authority list, the method further includes: responding to a connection request of the rights management server, and establishing a second communication link between the Hadoop node and the rights management server, wherein the connection request is generated after the rights management server locally updates the rights policy data; and receiving a third authority list issued by the authority management server based on the second communication link, wherein the third authority list is used for updating the historical authority list.
In the embodiment that pulls the second authority list over the first communication link, if the authority management server configures authority policy data frequently, or the interval between updates is shorter than the pull period, the authority policy data configured on the authority management server may not be synchronized to the Hadoop node in time. The embodiment in which the authority management server itself initiates the connection and issues the third authority list prevents this situation and also saves resources on the Hadoop node, so that the Hadoop node can devote more resources to serving client requests and the concurrency capability of the Hadoop system is improved.
The two embodiments may be combined or used alternatively according to the scenario or user settings.
Optionally, after the first rights list is obtained from the rights management server in real time, the method further includes: judging whether the first authority list is consistent with a history authority list locally pre-stored by the Hadoop node; and if the first authority list is inconsistent with the history authority list locally pre-stored by the Hadoop node, updating the history authority list into the first authority list.
By this update, the latest first authority list replaces the history authority list pre-stored locally on the Hadoop node, so the Hadoop node can use the latest first authority list directly the next time it responds to an access request, without initiating real-time access to the authority management server again; this simplifies the authentication flow, improves authentication speed and saves authentication time.
Alternatively, receiving the access request of the client may be, but is not limited to, one of: receiving a first access request of the client, wherein the first access request requests a namespace node to access the distributed file system (HDFS) service; receiving a second access request of the client, wherein the second access request requests the namespace node to access the distributed column storage system HBase service; receiving a third access request of the client, wherein the third access request requests the namespace node to access the data warehouse Hive service; receiving a fourth access request of the client, wherein the fourth access request requests the namespace node to access the distributed publish-subscribe message system (Kafka) service; and receiving a fifth access request of the client, wherein the fifth access request requests the namespace node to access the distributed search service. These are again only examples; the application scenario of this embodiment may be applied to other Hadoop services.
Fig. 3 is an authentication flow chart of an embodiment of the present invention. It takes the HDFS service as an example to illustrate only the authentication process when a user accesses the HDFS service; other Hadoop services are similar. The authority management server is Ranger, which provides authority management, access monitoring and data encryption for a particular resource (such as a particular table in HBase). Ranger comprises Ranger admin (the Ranger management service) and the Ranger plugin (the Ranger interface). Ranger admin is the main program of Ranger: a user logs in to its page to perform authority management on the Hadoop services, it provides a RESTful (Representational State Transfer) API, and it receives query requests from the plugin. The Ranger plugin is an extension plugin of a Hadoop service that depends on that Hadoop service to run, and different Hadoop services have corresponding plugins. User authorization operations can be completed in cooperation with Ranger, for example for a directory/file in HDFS, a DB/table in Hive, a table in HBase, and so on. Taking HDFS as an example, the process includes:
S31, an administrator edits and enters the rights corresponding to each user through the web UI (web configuration interface);
S32, the Ranger plugin (Ranger interface) in HDFS accesses Ranger admin in the Ranger server at regular intervals and pulls the existing policy list;
S33, when a user accesses HDFS, authentication is first carried out through the Ranger plugin;
S34, the Ranger plugin connects directly to Ranger admin and reads the policy list to authenticate;
S35, if authentication passes, the client accesses the resources in HDFS normally; if authentication fails, access is denied.
The Ranger plugin is deployed in the corresponding Hadoop service (HDFS here). When HDFS receives an access request from a client, real-time authentication can be performed through Ranger admin. On the other hand, the plugin also interacts with the Ranger server at regular intervals to obtain the latest permission policy list and caches the policies as a JSON file on the host where the plugin runs; when a user accesses the Hadoop service, the plugin reads the permission information from the cached JSON file to verify the request and returns the verification result.
With the scheme of this embodiment the plugin is functionally extended: at authentication time it interacts directly with the Ranger server to obtain the actual permission configuration held by the server, while the policy synchronization function is retained and the plugin still synchronizes with the server periodically. When the Ranger server is unavailable and the real-time authentication connection fails, authentication is performed with the local cache file, so the normal access authentication mode on Hadoop is preserved. This solves the problem that Hadoop permissions take effect with a delay: after the administrator grants a permission to a user or revokes it, the user's next access to the target resource immediately reflects the corresponding operation permission.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, though in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the method according to the embodiments of the present invention.
Example 2
This embodiment also provides an authentication apparatus for an access request, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 4 is a block diagram of an authentication apparatus for an access request according to an embodiment of the present invention. As shown in Fig. 4, the apparatus includes a first receiving module 40, an acquisition module 42 and a first authentication module 44, wherein:
the first receiving module 40 is configured to receive an access request of a client, where the access request is used to request that a Hadoop node access a Hadoop service;
the acquisition module 42 is configured to acquire, with the access request as the trigger condition, a first permission list from the rights management server in real time, where the rights management server is configured to configure and store the permission policy data of a plurality of Hadoop clusters;
the first authentication module 44 is configured to authenticate the access request using the first permission list.
Optionally, the first authentication module includes: a parsing unit, configured to parse the access account and the access object out of the access request; a searching unit, configured to search the first permission list for the permission configuration data corresponding to the access account, where the permission configuration data comprises the Hadoop resources that the access account is allowed to operate on; a judging unit, configured to judge whether the permission configuration data contains the access object; and an authentication unit, configured to determine that authentication passes if the permission configuration data contains the access object, and that authentication fails if it does not.
Optionally, the apparatus further includes: a reading module, configured to read the locally cached history permission list if acquiring the first permission list from the rights management server in real time fails; and a second authentication module, configured to authenticate the access request using the history permission list.
Optionally, the apparatus further includes: a first creating module, configured to access the rights management server at regular intervals according to a preset period, before the reading module reads the locally cached history permission list, and to establish a first communication link between the Hadoop node and the rights management server; and a pulling module, configured to pull a second permission list from the rights management server over the first communication link.
Optionally, the apparatus further includes: a second creating module, configured to respond to a connection request of the rights management server, before the reading module reads the locally cached history permission list, and to establish a second communication link between the Hadoop node and the rights management server, where the connection request is generated after the rights management server locally updates its permission policy data; and a second receiving module, configured to receive a third permission list issued by the rights management server over the second communication link.
Optionally, the apparatus further includes: a judging module, configured to judge, after the acquisition module acquires the first permission list from the rights management server in real time, whether the first permission list is consistent with the history permission list pre-stored locally on the Hadoop node; and an updating module, configured to update the history permission list to the first permission list if the two are inconsistent.
Optionally, the first receiving module includes one of: a first receiving unit, configured to receive a first access request of the client, where the first access request is used to request that a namespace node access the distributed file system (HDFS) service; a second receiving unit, configured to receive a second access request of the client, where the second access request is used to request that the namespace node access the distributed column storage system (HBase) service; a third receiving unit, configured to receive a third access request of the client, where the third access request is used to request that the namespace node access the data warehouse (Hive) service; a fourth receiving unit, configured to receive a fourth access request of the client, where the fourth access request is used to request that the namespace node access the distributed publish-subscribe messaging system (Kafka) service; and a fifth receiving unit, configured to receive a fifth access request of the client, where the fifth access request is used to request that the namespace node access the distributed search service.
It should be noted that each of the above modules may be implemented in software or in hardware; for the latter, this may be done by, but is not limited to, the following: all the modules are located in the same processor, or the modules are located in different processors in any combination.
Example 3
The embodiment of the present application also provides an electronic device. Fig. 5 is a structural diagram of the electronic device according to an embodiment of the present application. As shown in Fig. 5, it includes a processor 51, a communication interface 52, a memory 53 and a communication bus 54, where the processor 51, the communication interface 52 and the memory 53 communicate with each other through the communication bus 54; the memory 53 is used to store a computer program, and the processor 51 is configured to execute the program stored in the memory 53 and thereby implement the following steps: receiving an access request of a client, where the access request is used to request that a Hadoop node access a Hadoop service; acquiring, with the access request as the trigger condition, a first permission list from the rights management server in real time, where the rights management server is used to configure and store the permission policy data of a plurality of Hadoop clusters; and authenticating the access request using the first permission list.
Further, authenticating the access request with the first permission list includes: parsing the access account and the access object out of the access request; searching the first permission list for the permission configuration data corresponding to the access account, where the permission configuration data comprises the Hadoop resources that the access account is allowed to operate on; judging whether the permission configuration data contains the access object; if it does, determining that authentication passes; and if it does not, determining that authentication fails.
Further, the method further comprises: if acquiring the first permission list from the rights management server in real time fails, reading the locally cached history permission list; and authenticating the access request using the history permission list.
Further, before the locally cached history permission list is read, the method further comprises: accessing the rights management server at regular intervals according to a preset period and establishing a first communication link between the Hadoop node and the rights management server; and pulling a second permission list from the rights management server over the first communication link, where the second permission list is used to update the history permission list.
Further, before the locally cached history permission list is read, the method further comprises: responding to a connection request of the rights management server and establishing a second communication link between the Hadoop node and the rights management server, where the connection request is generated after the rights management server locally updates its permission policy data; and receiving a third permission list issued by the rights management server over the second communication link, where the third permission list is used to update the history permission list.
Further, after the first permission list is obtained from the rights management server in real time, the method further comprises: judging whether the first permission list is consistent with the history permission list pre-stored locally on the Hadoop node; and if the first permission list is inconsistent with the history permission list pre-stored locally on the Hadoop node, updating the history permission list to the first permission list. The method further comprises: if the real-time rights management is carried out.
Further, receiving the access request of the client includes one of: receiving a first access request of the client, where the first access request is used to request that a namespace node access the distributed file system (HDFS) service; receiving a second access request of the client, where the second access request is used to request that the namespace node access the distributed column storage system (HBase) service; receiving a third access request of the client, where the third access request is used to request that the namespace node access the data warehouse (Hive) service; receiving a fourth access request of the client, where the fourth access request is used to request that the namespace node access the distributed publish-subscribe messaging system (Kafka) service; and receiving a fifth access request of the client, where the fifth access request is used to request that the namespace node access the distributed search service.
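The authentication process described for Fig. 3 in Example 1, which the modules of Example 2 and the processor steps above restate, as a worked example added here (this is not code from the patent, from Beijing Kingsoft Cloud or from Apache Ranger): a plugin-side authenticator that fetches the permission list from the rights management server on every request, updates the locally cached history list when the fetched list differs from it, and falls back to the cached list only when the real-time fetch fails. The simplified policy-list format, the `fetch_policies` callable standing in for the RESTful query to Ranger admin, the `RightsServerUnavailable` failure signal, the prefix matching of HDFS paths and the sample accounts and paths are all assumptions made for this example; Ranger's real policy JSON is richer and differently structured.

```python
"""Added example, not from the patent or from Apache Ranger.

Assumed simplified policy-list format (not Ranger's real schema):
  {"version": int, "policies": [{"users": [...], "resources": [...], "accesses": [...]}]}
"""
import json
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class RightsServerUnavailable(Exception):
    """Real-time fetch from the rights management server failed (assumed failure signal)."""


@dataclass
class AccessRequest:
    account: str          # access account parsed from the client request
    obj: str              # access object, here an HDFS path (assumed)
    action: str = "read"  # requested operation on the object (assumed field)


class PluginAuthenticator:
    """Authenticates requests inside a Hadoop-service plugin, modelled on Fig. 3."""

    def __init__(self, fetch_policies: Callable[[], Dict], cache_path: str):
        # fetch_policies stands in for the RESTful query to Ranger admin; it must
        # raise RightsServerUnavailable when the server cannot be reached.
        self._fetch = fetch_policies
        self._cache_path = cache_path  # history list cached as JSON on the plugin host

    def _read_cache(self) -> Optional[Dict]:
        try:
            with open(self._cache_path, encoding="utf-8") as f:
                return json.load(f)
        except (OSError, ValueError):
            return None  # no cache yet, or an unreadable/corrupt file

    def _write_cache(self, policies: Dict) -> None:
        # Write to a temp file and rename so a crash mid-write cannot leave a truncated list
        directory = os.path.dirname(self._cache_path) or "."
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(policies, f)
        os.replace(tmp, self._cache_path)

    def sync(self) -> Dict:
        """Periodic pull (S32) or server-pushed refresh: update the history list."""
        policies = self._fetch()
        self._write_cache(policies)
        return policies

    def authenticate(self, req: AccessRequest) -> Tuple[bool, str]:
        """Return (allowed, source); source tells which list decided the request."""
        try:
            policies = self._fetch()              # real-time fetch, triggered by the request
            source = "server"
            if policies != self._read_cache():    # first list differs from history list,
                self._write_cache(policies)       # so update the history list
        except RightsServerUnavailable:
            policies = self._read_cache()         # fall back to the cached history list
            source = "cache"
            if policies is None:
                return False, "none"              # nothing to decide on: deny (fail closed)
        return self._is_allowed(policies, req), source

    @staticmethod
    def _is_allowed(policies: Dict, req: AccessRequest) -> bool:
        # Look up the account's permission configuration data and check whether the
        # access object is covered. Prefix matching of paths is an assumption for HDFS.
        for policy in policies.get("policies", []):
            if req.account not in policy.get("users", []):
                continue
            if req.action not in policy.get("accesses", []):
                continue
            for resource in policy.get("resources", []):
                prefix = resource.rstrip("/") + "/"
                if req.obj == resource or req.obj.startswith(prefix):
                    return True
        return False


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: grant, outage, revocation during the outage, recovery."""
    cache = os.path.join(tempfile.mkdtemp(), "hdfs_policycache.json")
    server = {"up": True, "policies": {"version": 1, "policies": [
        {"users": ["alice"], "resources": ["/data/sales"], "accesses": ["read"]}]}}

    def fetch() -> Dict:
        if not server["up"]:
            raise RightsServerUnavailable()
        return json.loads(json.dumps(server["policies"]))  # fresh copy, as a real reply would be

    auth = PluginAuthenticator(fetch, cache)
    req = AccessRequest("alice", "/data/sales/2021.csv")
    out = {}
    out["granted"] = auth.authenticate(req)                      # (True, "server")
    server["up"] = False
    out["outage"] = auth.authenticate(req)                       # (True, "cache")
    server["policies"] = {"version": 2, "policies": []}          # admin revokes while down
    out["revoked_during_outage"] = auth.authenticate(req)        # (True, "cache"): stale
    server["up"] = True
    out["revocation_enforced"] = auth.authenticate(req)          # (False, "server")
    out["other_account"] = auth.authenticate(AccessRequest("bob", "/data/sales/2021.csv"))
    fresh = PluginAuthenticator(fetch, os.path.join(tempfile.mkdtemp(), "empty.json"))
    server["up"] = False
    out["no_server_no_cache"] = fresh.authenticate(req)          # (False, "none")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The constructed scenario in `demo()` also exercises the point a practitioner should keep in mind about the fallback: a revocation entered while the rights management server is unreachable is not enforced until the link comes back, because the plugin can only decide against the last list it cached, and the periodic pull or the server-initiated push of Examples 1 to 3 is what bounds that window. With neither a reachable server nor a readable cache the example denies the request rather than allowing it; that is a choice made here, since the text above describes no behaviour for that case.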
The communication bus mentioned for the above electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus and the like. For ease of illustration, only one bold line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include random access memory (RAM) or non-volatile memory, such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment of the present application, a computer readable storage medium is provided, in which instructions are stored, which when run on a computer, cause the computer to perform the method of authenticating an access request according to any of the above embodiments.
In a further embodiment of the present application, a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of authenticating an access request as described in any of the above embodiments is also provided.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example by wire (e.g. coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g. infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g. floppy disk, hard disk, magnetic tape), an optical medium (e.g. DVD), or a semiconductor medium (e.g. solid state disk (SSD)), etc.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application are included in the protection scope of the present application.
The foregoing is only a specific embodiment of the application to enable those skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. A method for authenticating an access request, comprising:
receiving an access request of a client, wherein the access request is used for requesting a Hadoop node to access a Hadoop service;
acquiring a first authority list from an authority management server in real time by taking the access request as a triggering condition, wherein the authority management server is used for configuring and storing authority policy data of a plurality of Hadoop clusters;
authenticating the access request using the first authority list;
wherein authenticating the access request using the first authority list comprises: parsing an access account and an access object out of the access request, wherein the access object is a node server; searching the first authority list for authority configuration data corresponding to the access account, wherein the authority configuration data comprises a plurality of Hadoop resources that the access account is allowed to operate on; judging whether the authority configuration data contains the access object; if the authority configuration data contains the access object, determining that authentication passes; and if the authority configuration data does not contain the access object, determining that authentication fails;
wherein the method further comprises: if acquiring the first authority list from the authority management server in real time fails, reading a locally cached history authority list; and authenticating the access request using the history authority list;
wherein, before reading the locally cached historical rights list, the method further comprises: responding to a connection request of the right management server, and establishing a second communication link between the Hadoop node and the right management server, wherein the connection request is generated after the right management server locally updates right policy data; and receiving a third authority list issued by the authority management server based on the second communication link, wherein the third authority list is used for updating the historical authority list.
2. The method of claim 1, wherein prior to reading the locally cached historical rights list, the method further comprises:
according to a preset period, accessing the right management server at regular time, and establishing a first communication link between the Hadoop node and the right management server;
and pulling a second authority list from the authority management server based on the first communication link, wherein the second authority list is used for updating the historical authority list.
3. The method of claim 1, wherein after obtaining the first rights list from the rights management server in real time, the method further comprises:
judging whether the first authority list is consistent with a history authority list locally pre-stored by the Hadoop node;
and if the first authority list is inconsistent with the history authority list locally pre-stored by the Hadoop node, updating the history authority list into the first authority list.
4. The method of claim 1, wherein receiving the access request of the client comprises one of:
receiving a first access request of a client, wherein the first access request is used for requesting a namespace node to access a distributed file system (HDFS) service;
Receiving a second access request of the client, wherein the second access request is used for requesting the namespace node to access the distributed column storage system HBase service;
receiving a third access request of the client, wherein the third access request is used for requesting the namespace node to access the Hive service of the data warehouse;
receiving a fourth access request of the client, wherein the fourth access request is used for requesting the namespace node to access a distributed publish-subscribe message system (Kafka) service;
a fifth access request is received from the client, wherein the fifth access request is for requesting access to the distributed search service from the namespace node.
5. An authentication device for an access request, comprising:
the first receiving module is used for receiving an access request of the client, wherein the access request is used for requesting the Hadoop node to access the Hadoop service;
the acquisition module is used for acquiring a first authority list from the authority management server in real time by taking the access request as a trigger condition, wherein the authority management server is used for configuring and storing authority policy data of a plurality of Hadoop clusters;
the first authentication module is used for authenticating the access request by adopting the first authority list;
wherein the first authentication module comprises: a parsing unit for parsing an access account and an access object out of the access request, wherein the access object is a node server; a searching unit for searching the first authority list for authority configuration data corresponding to the access account, wherein the authority configuration data comprises a plurality of Hadoop resources that the access account is allowed to operate on; a judging unit for judging whether the authority configuration data contains the access object, wherein the access object is a node server; and an authentication unit for determining that authentication passes if the authority configuration data contains the access object, and that authentication fails if it does not;
wherein the apparatus further comprises: a reading module for reading a locally cached history authority list if acquiring the first authority list from the authority management server in real time fails; and a second authentication module for authenticating the access request using the history authority list;
wherein the apparatus further comprises: a second creating module for responding to a connection request of the authority management server, before the reading module reads the locally cached history authority list, and establishing a second communication link between the Hadoop node and the authority management server, wherein the connection request is generated after the authority management server locally updates its authority policy data; and a second receiving module for receiving a third authority list issued by the authority management server over the second communication link, wherein the third authority list is used to update the history authority list.
6. A storage medium storing a computer program, wherein the computer program, when run by a processor, performs the method steps of any of claims 1 to 4.
7. An electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus; wherein:
a memory for storing a computer program;
a processor for performing the method steps of any of claims 1 to 4 by running a computer program stored on a memory.
CN202110687187.7A 2021-06-21 2021-06-21 Authentication method and device for access request, storage medium and electronic equipment Active CN113489689B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110687187.7A CN113489689B (en) 2021-06-21 2021-06-21 Authentication method and device for access request, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110687187.7A CN113489689B (en) 2021-06-21 2021-06-21 Authentication method and device for access request, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN113489689A CN113489689A (en) 2021-10-08
CN113489689B true CN113489689B (en) 2023-09-19

Family

ID=77935714

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110687187.7A Active CN113489689B (en) 2021-06-21 2021-06-21 Authentication method and device for access request, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN113489689B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070612A (en) * 2021-11-15 2022-02-18 北京天融信网络安全技术有限公司 Network authentication processing method and device
CN116743511B (en) * 2023-08-15 2023-11-03 中移(苏州)软件技术有限公司 Authentication method, device, server and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109902497A (en) * 2019-02-26 2019-06-18 南威软件股份有限公司 A kind of access authority management method and system towards big data cluster
CN110519285A (en) * 2019-08-30 2019-11-29 浙江大搜车软件技术有限公司 User authen method, device, computer equipment and storage medium
CN112948842A (en) * 2019-12-10 2021-06-11 华为技术有限公司 Authentication method and related equipment


Also Published As

Publication number Publication date
CN113489689A (en) 2021-10-08


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant