CN113868681A - HBase permission configuration method, device and storage medium - Google Patents

Publication number
CN113868681A
Authority
CN
China
Prior art keywords
level
authority
permission
target
target data
Legal status
Pending
Application number
CN202111140221.5A
Other languages
Chinese (zh)
Inventor
王超
李建伟
孙永良
陈维强
Current Assignee
Hisense TransTech Co Ltd
Original Assignee
Hisense TransTech Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The disclosure relates to the field of computers and discloses an HBase permission configuration method, device and storage medium. The method comprises: in response to a permission call request from a client, determining the operation permission set corresponding to the request, where the permission call request represents the operation of the client on the position level to which the target data belongs, each operation permission is created based on the function implemented by an API in the permission control code of HBase, each operation permission has at least one permission level, and the operation permission set contains at least one operation permission; determining, based on the position level to which the target data belongs, the target permission level that matches the position level; and taking the operation permission corresponding to the target permission level as the target permission and authorizing it to the position level corresponding to the permission call request. Because the operation permissions are created from the APIs, HBase permissions are divided more finely, so the position level on which the client wants to operate can be accurately matched with the corresponding target permission.

Description

HBase permission configuration method, device and storage medium
Technical Field
The present application relates to computer technologies, and in particular, to a method, an apparatus, and a storage medium for configuring HBase permissions.
Background
At present, smart cities are moving from concept to implementation and from pilot projects to widespread adoption, and big data technology is indispensable to this. Big data technology provides strong support for the various fields of the smart city and runs through its systems like blood.
NoSQL databases manage massive data efficiently, so they are widely used in big data production scenarios. HBase, a NoSQL database, makes it convenient both to store data and to process and operate on it. In use, however, HBase exposes only five operation permissions externally: admin (a), create (c), write (w), read (r) and execute (x). Thus, if a user is granted the write permission, the user can perform write operations such as put, delete and append in HBase. In practical production applications, however, if a user should be allowed to write data but not to delete it, the conventional coarse-grained authorization of HBase cannot satisfy that operation control requirement.
Disclosure of Invention
The embodiment of the disclosure provides an HBase permission configuration method, an HBase permission configuration device and a storage medium, which are used for improving the matching accuracy of HBase permission and position level.
The specific technical scheme provided by the disclosure is as follows:
In a first aspect, an HBase permission configuration method includes:
responding to a permission calling request of a client, and determining an operation permission set corresponding to the permission calling request, wherein the permission calling request is used for representing the operation of the client on the position level to which target data belongs, the operation permission is created based on the implementation function of an Application Programming Interface (API) in a permission control code of HBase, the operation permission comprises at least one permission level, and the operation permission set comprises at least one operation permission;
determining a target permission level matched with the position level based on the position level to which the target data belongs;
and taking the operation authority corresponding to the target authority level as a target authority, and authorizing the position level corresponding to the authority calling request.
In some possible embodiments, determining, in response to a permission call request of a client, an operation permission set corresponding to the permission call request includes:
responding to a permission calling request of a client, determining the position level of the target data based on the permission calling request, and determining the operation of the client on the target data;
screening out operation authority for executing operation on the position level based on the position level;
and determining operation authorities corresponding to the operation in the screened operation authorities, and creating an operation authority set based on the determined operation authorities.
In some possible embodiments, the operating right is determined by:
determining the implementation function of the API in the permission control code based on the operation which can be implemented by the API in the permission control code of the HBase on the data of each position level;
and creating the APIs that have the same implementation function on the same position level as one operation authority, wherein one operation authority contains at least one API.
In some possible embodiments, the privilege levels include a global privilege level, a namespace privilege level, a table privilege level, a column family privilege level, and a column privilege level, with priorities from high to low;
setting the authority level of the operation authority by the following method:
calculating a first matching degree between the operation authority and the global authority level, and if the first matching degree is greater than a first matching threshold, taking the global authority level as the authority level corresponding to the operation authority;
calculating a second matching degree between the operation authority and the namespace authority level, and if the second matching degree is greater than a second matching threshold value, and when a first parent authority level corresponding to the operation authority exists, taking both the first parent authority level and the namespace authority level as the authority level corresponding to the operation authority, wherein the first parent authority level is a global authority level;
calculating a third matching degree between the operation authority and the table authority level, and if the third matching degree is greater than a third matching threshold value and a second parent authority level corresponding to the operation authority exists, taking the second parent authority level and the table authority level as the authority levels corresponding to the operation authority, wherein the second parent authority level is a global authority level and/or a name space authority level;
calculating a fourth matching degree between the operation authority and the column family authority level, and if the fourth matching degree is greater than a fourth matching threshold value and a third parent authority level corresponding to the operation authority exists, taking the third parent authority level and the column family authority level as authority levels corresponding to the operation authority, wherein the third parent authority level is a global authority level, a namespace authority level and/or a table authority level;
and calculating a fifth matching degree between the operation authority and the column authority level, and if the fifth matching degree is greater than a fifth matching threshold value and a fourth parent authority level corresponding to the operation authority exists, taking the fourth parent authority level and the column authority level as the authority levels corresponding to the operation authority, wherein the fourth parent authority level is a global authority level, a namespace authority level, a table authority level and/or a column family authority level.
In some possible embodiments, determining the target permission level matching the location level based on the location level to which the target data belongs includes:
based on the position level to which the target data belongs, if the global authority level is determined to be matched with the position level, taking the global authority level as a target authority level;
based on the position level to which the target data belongs, if the namespace authority level is determined to be matched with the position level, taking the global authority level and the namespace authority level as target authority levels;
based on the position level to which the target data belongs, if the table authority level is determined to be matched with the position level, taking the global authority level, the name space authority level and the table authority level as target authority levels;
based on the position level to which the target data belongs, if the column family authority level is determined to be matched with the position level, taking the global authority level, the namespace authority level, the table authority level and the column family authority level as target authority levels;
and based on the position level to which the target data belongs, if the column permission level is determined to be matched with the position level, taking the global permission level, the name space permission level, the table permission level, the column family permission level and the column permission level as target permission levels.
In some possible embodiments, after the operation permission corresponding to the target permission level is taken as the target permission and authorized to the position level corresponding to the permission call request, the method further includes:
in response to the client executing, on the target data at the position level, the operation corresponding to the target permission, confirming through the access controller whether the client may execute that operation on the target data, wherein the access controller is permission-restriction code created based on the operation permissions;
if the access controller's check passes, allowing the client to execute the operation corresponding to the target permission on the target data of the position level;
and if the access controller's check does not pass, prohibiting the client from executing the operation corresponding to the target permission on the target data of the position level.
In some possible embodiments, the method further comprises:
responding to a revoke call request from the client for a position level, and setting the target permission of the position level corresponding to the revoke call request to null.
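The first-aspect method above (permission call request, target permission levels, access-controller check, revocation), modelled as an added example; it is not code from the patent or from HBase. The permission catalogue, the tuple encoding of positions, the user and table names, and the rule that a grant on a parent position covers the positions beneath it are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Permission levels, highest priority first (order as given in the text)."""
    GLOBAL = 0
    NAMESPACE = 1
    TABLE = 2
    COLUMN_FAMILY = 3
    COLUMN = 4


@dataclass(frozen=True)
class OperationPermission:
    name: str
    apis: frozenset    # client operations this permission covers
    levels: frozenset  # position levels the permission can act on


EVERY_LEVEL = frozenset(Level)

# Constructed catalogue: one permission per write API instead of a single W,
# plus a table-only permission to exercise the screening step.
CATALOGUE = (
    OperationPermission("PUT", frozenset({"put"}), EVERY_LEVEL),
    OperationPermission("APPEND", frozenset({"append"}), EVERY_LEVEL),
    OperationPermission("DELETE", frozenset({"delete"}), EVERY_LEVEL),
    OperationPermission("TRUNCATE", frozenset({"truncate"}), frozenset({Level.TABLE})),
)


def level_of(position):
    """() is global, (ns,) a namespace, (ns, table) a table, and so on."""
    return Level(len(position))


def target_levels(position):
    """The matched level plus every level above it, as in the text."""
    return [Level(i) for i in range(len(position) + 1)]


class PermissionServer:
    def __init__(self, catalogue=CATALOGUE):
        self.by_name = {p.name: p for p in catalogue}
        self.grants = {}  # (user, position) -> frozenset of names, or None

    def permission_set(self, position, operation):
        """Screen by position level, then keep permissions covering the operation."""
        level = level_of(position)
        screened = [p for p in self.by_name.values() if level in p.levels]
        return frozenset(p.name for p in screened if operation in p.apis)

    def grant(self, user, position, operation):
        """Handle a permission call request; returns the names granted."""
        chosen = self.permission_set(position, operation)
        if chosen:
            held = self.grants.get((user, position)) or frozenset()
            self.grants[(user, position)] = held | chosen
        return chosen

    def revoke(self, user, position):
        """Revoke call request: the target permission of the position becomes null."""
        self.grants[(user, position)] = None

    def check(self, user, position, operation):
        """Access controller: deny unless a grant at one of the target levels
        of the accessed position covers the operation (assumed inheritance)."""
        for level in target_levels(position):
            held = self.grants.get((user, position[:level])) or ()
            if any(operation in self.by_name[n].apis for n in held):
                return True
        return False


def demo():
    srv = PermissionServer()
    table = ("ns1", "orders")              # constructed names
    cell = table + ("cf", "status")
    srv.grant("alice", table, "put")       # write, but not delete
    before = (srv.check("alice", cell, "put"),
              srv.check("alice", cell, "delete"),
              srv.check("alice", ("ns1", "users"), "put"))
    srv.revoke("alice", table)
    after = srv.check("alice", cell, "put")
    return before, after


if __name__ == "__main__":
    print(demo())
```

With the single coarse write permission, the `delete` check would have passed together with `put`; here it is denied by default because no grant covers it.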
In a second aspect, an HBase permission configuration device includes:
the response module is used for responding to a permission calling request of the client and determining an operation permission set corresponding to the permission calling request, wherein the permission calling request is used for representing the operation of the client on the position level to which the target data belongs, the operation permission is created based on the implementation function of an Application Programming Interface (API) in a permission control code of HBase, the operation permission comprises at least one permission level, and the operation permission set comprises at least one operation permission;
the determining module is used for determining a target authority level matched with the position level based on the position level to which the target data belongs;
and the authorization module is used for taking the operation authority corresponding to the target authority level as the target authority and authorizing the position level corresponding to the authority calling request.
In a third aspect, a server comprises:
a memory for storing a computer program executable by the controller;
the controller is coupled to the memory and configured to perform the method of any of the first aspects described above.
In a fourth aspect, a computer-readable storage medium, wherein instructions, when executed by a processor, enable the processor to perform the method of any of the first aspect.
In summary, the embodiments of the present disclosure provide an HBase permission configuration method, apparatus and storage medium. The method comprises: in response to a permission call request from a client, determining the operation permission set corresponding to the request, where the permission call request represents the operation of the client on the position level to which the target data belongs, each operation permission is created based on the function implemented by an API in the permission control code of HBase, each operation permission has at least one permission level, and the operation permission set contains at least one operation permission; determining, based on the position level to which the target data belongs, the target permission level that matches the position level; and taking the operation permission corresponding to the target permission level as the target permission and authorizing it to the position level corresponding to the permission call request. Because the operation permissions are created from the APIs, HBase permissions are divided more finely, so the position level on which the client wants to operate can be accurately matched with the corresponding target permission.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments of the present application will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is an application scenario diagram of an HBase permission configuration method provided in an embodiment of the present application;
Fig. 2 is a schematic flowchart of an HBase permission configuration method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of creating an operation permission set according to an embodiment of the present application;
Fig. 4 is a schematic diagram illustrating a process for determining a target privilege level according to an embodiment of the present application;
Fig. 5 is a flowchart illustrating the process of the access controller confirming the target authority in the embodiment of the present application;
Fig. 6 is a schematic diagram of a logic architecture of an HBase permission configuration apparatus according to an embodiment of the present disclosure;
Fig. 7 is a schematic physical architecture diagram of a server according to an embodiment of the disclosure.
Detailed Description
In order to make the technical solutions of the present application better understood by those of ordinary skill in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings.
It is noted that the terms "first," "second," and the like in the description and in the claims of the present application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
HBase is a non-relational (NoSQL) database deployed on a server. It can be scaled out simply by adding inexpensive nodes and splits data horizontally well; its most central characteristic is that it makes it convenient both to store data and to process and operate on it.
Currently, HBase provides five operation permissions: its shell commands aggregate the APIs in HBase into five operation permissions for clients to use, namely admin (a), create (c), write (w), read (r) and execute (x). If the write permission is granted to a client, the client can then execute the write operations covered by that permission, such as put, delete and append.
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Referring to fig. 1, in the embodiment of the present disclosure, in a case where a server executes an HBase permission configuration method, a client sends a permission call request to the server, and the server matches a corresponding target permission for a location level of an operation to be executed after responding to the permission call request. Referring to fig. 2, in the embodiment of the present disclosure, a specific flow of the HBase permission configuration method is as follows:
step 201: responding to a permission calling request of a client, and determining an operation permission set corresponding to the permission calling request, wherein the permission calling request is used for representing the operation of the client on the position level to which target data belongs, the operation permission is created based on the implementation function of an Application Programming Interface (API) in a permission control code of HBase, the operation permission comprises at least one permission level, and the operation permission set comprises at least one operation permission.
In the embodiment of the present application, the operation permissions are created based on APIs, and each API corresponds to an operation permission. Each operation permission is determined as follows:
(1) Determining the implementation function of each API in the permission control code, based on the operations that the API in the permission control code of HBase can implement on the data of each position level.
Because each API in the permission control code of the HBase is encapsulated with a corresponding code for realizing a corresponding function, in the implementation process, the realization function of the API in the permission control code is determined according to the operation which can be realized by the API in the permission control code of the HBase. For example, if the operation that can be implemented by one API is to delete data, the implementation function of one API is determined to be to delete data according to the operation to delete data.
It should be added that the operation object targeted by a client's permission call request may be a table, an entire column in a table, or a single piece of data in a column; that is, the data to be operated on may sit at any position level. Accordingly, when determining the implementation function of each API, it is also necessary to determine which position level or levels the API targets. Continuing the above example, after determining that the implementation function of an API is deleting data, it is further determined whether the deletion applies to the data of an entire table or to column data.
(2) Creating the APIs that have the same implementation function on the same position level as one operation permission, where one operation permission contains at least one API.
Generally, only one API performs a given operation on a given position level: for example, there is one API for performing operation A on the data of an entire table, one API for performing operation A on the data of an entire column, and so on. The number of APIs contained in one operation permission is therefore at least one. When more than one API performs the same operation on the same position level, all of those APIs are created as the same operation permission.
It should be added that, in the implementation process, if it is considered that the operation permission granularity of the shell command set is too coarse, and the operation permission granularity directly created according to each API is too fine, the APIs that execute the same type of operation for implementing the function on the same position level may be classified as one operation permission.
In the implementation process, the position levels on which an operation permission can act include not only the position level of direct operation determined when the operation permission was determined, but also the upper-level operation permissions that it inherits. The permission level of an operation permission therefore needs to be set by the following method:
First, the permission levels in HBase comprise a global permission level, a namespace permission level, a table permission level, a column family permission level and a column permission level, with priorities from high to low. That is, one global permission level has multiple namespace permission levels below it, one namespace permission level has multiple table permission levels below it, one table permission level has multiple column family permission levels below it, and one column family permission level has multiple column permission levels below it.
1) Calculating a first matching degree between the operation authority and the global authority level, and if the first matching degree is greater than a first matching threshold, taking the global authority level as the authority level corresponding to the operation authority;
In the implementation process, the permission level of each operation permission is determined by calculating a matching degree. The matching degree compares how far the operable position level range of the operation permission overlaps with that of the global permission level: if the two ranges overlap completely, the first matching degree is 100%; if they do not overlap at all, the first matching degree is 0%.
For each operation permission, the calculation starts from the global permission level with the first matching degree. A first matching threshold is preset for judging whether the operation permission has the global permission level; it is the lowest value at which the operation permission is judged to have the global permission level. If the first matching degree is greater than the first matching threshold, the global permission level is taken as the permission level corresponding to the operation permission.
2) Calculating a second matching degree between the operation authority and the namespace authority level, and if the second matching degree is greater than a second matching threshold value, and when a first parent authority level corresponding to the operation authority exists, taking both the first parent authority level and the namespace authority level as the authority level corresponding to the operation authority, wherein the first parent authority level is a global authority level;
Similarly, whether each operation permission has the namespace permission level is determined by calculating a second matching degree, which compares how far the operable position level range of the operation permission overlaps with that of the namespace permission level: if the two ranges overlap completely, the second matching degree is 100%; if they do not overlap at all, the second matching degree is 0%.
For each operation permission, a second matching threshold is preset for judging whether the operation permission has the namespace permission level; it is the lowest value at which the operation permission is judged to have the namespace permission level. If the second matching degree is greater than the second matching threshold, the namespace permission level is taken as the permission level corresponding to the operation permission.
In addition, because an operation permission automatically inherits the operation permission of the level above, once the second matching degree is judged to be greater than the second matching threshold, it is checked whether a first parent permission level corresponding to the operation permission exists, that is, whether a parent permission level of the namespace permission level exists. If it exists, the first parent permission level, namely the global permission level, is also taken as a permission level corresponding to the operation permission.
3) Calculating a third matching degree between the operation authority and the table authority level, and if the third matching degree is greater than a third matching threshold value and a second parent authority level corresponding to the operation authority exists, taking the second parent authority level and the table authority level as the authority levels corresponding to the operation authority, wherein the second parent authority level is a global authority level and/or a name space authority level;
Similarly, whether each operation permission has the table permission level is determined by calculating a third matching degree, which compares how far the operable position level range of the operation permission overlaps with that of the table permission level: if the two ranges overlap completely, the third matching degree is 100%; if they do not overlap at all, the third matching degree is 0%.
For each operation permission, a third matching threshold is preset for judging whether the operation permission has the table permission level; it is the lowest value at which the operation permission is judged to have the table permission level. If the third matching degree is greater than the third matching threshold, the table permission level is taken as the permission level corresponding to the operation permission.
In addition, considering that the operation authority can automatically inherit the operation authority of the previous level, on the basis of judging that the third matching degree is greater than the third matching threshold, judging whether a second parent authority level corresponding to the operation authority exists, namely, searching whether the parent authority level of the table exists, if so, taking the second parent authority level, namely, a global authority level and/or a namespace authority level as the authority level corresponding to the operation authority, and specifically, when the second parent authority level comprises the global authority level and the namespace authority level, taking the global authority level and the namespace authority level as the authority level corresponding to the operation authority; and when the second parent authority level only comprises one of the global authority level or the namespace authority level, taking the global authority level or the namespace authority level as the authority level corresponding to the operation authority.
4) Calculating a fourth matching degree between the operation authority and the column family authority level, and if the fourth matching degree is greater than a fourth matching threshold and a third parent authority level corresponding to the operation authority exists, taking the third parent authority level and the column family authority level as the authority levels corresponding to the operation authority, wherein the third parent authority level is a global authority level, a namespace authority level and/or a table authority level;
Similarly, whether each operation authority has the column family authority level is determined by calculating a fourth matching degree. The fourth matching degree is calculated mainly by comparing the degree of overlap between the operation authority and the operable position level range of the column family authority level: if an operation authority completely overlaps the operable position level range of the column family authority level, the fourth matching degree is 100%; if an operation authority does not overlap the operable position level range of the column family authority level at all, the fourth matching degree is 0%.
For each operation authority, a fourth matching threshold is preset in order to judge whether the operation authority has the column family authority level. The fourth matching threshold is the lowest value for judging the operation authority to have the column family authority level; if the fourth matching degree is greater than the fourth matching threshold, the column family authority level is taken as the authority level corresponding to the operation authority.
In addition, because an operation authority can automatically inherit the operation authority of the previous level, once the fourth matching degree is judged to be greater than the fourth matching threshold, it is further judged whether a third parent authority level corresponding to the operation authority exists, that is, whether a parent authority level of the column family authority level exists. If it exists, the third parent authority level, namely the global authority level, the namespace authority level and/or the table authority level, is also taken as the authority level corresponding to the operation authority. Specifically, when the third parent authority level comprises the global authority level, the namespace authority level and the table authority level, all three are taken as authority levels corresponding to the operation authority; when the third parent authority level comprises only one of the global authority level, the namespace authority level or the table authority level, that one is taken as the authority level corresponding to the operation authority.
5) Calculating a fifth matching degree between the operation authority and the column authority level, and if the fifth matching degree is greater than a fifth matching threshold and a fourth parent authority level corresponding to the operation authority exists, taking the fourth parent authority level and the column authority level as the authority levels corresponding to the operation authority, wherein the fourth parent authority level is a global authority level, a namespace authority level, a table authority level and/or a column family authority level.
Similarly, whether each operation authority has the column authority level is determined by calculating a fifth matching degree, wherein the fifth matching degree is mainly calculated by comparing the overlapping degree of the operation authority with the operable position level range of the column authority level, that is, if a certain operation authority is completely overlapped with the operable position level range of the column authority level, the fifth matching degree is 100%; if the range of the operable position level of one operation authority and the range of the operable position level of the column authority level are not overlapped at all, the fifth matching degree is 0%.
For each operation authority, in order to judge whether the operation authority has a column authority level, a fifth matching threshold is preset, wherein the fifth matching threshold is the lowest value for judging the operation authority as having the column authority level, and if the fifth matching degree is greater than the fifth matching threshold, the column authority level is taken as the authority level corresponding to the operation authority.
In addition, because an operation authority can automatically inherit the operation authority of the previous level, once the fifth matching degree is judged to be greater than the fifth matching threshold, it is further judged whether a fourth parent authority level corresponding to the operation authority exists, that is, whether a parent authority level of the column authority level exists. If it exists, the fourth parent authority level, namely the global authority level, the namespace authority level, the table authority level and/or the column family authority level, is also taken as the authority level corresponding to the operation authority; when the fourth parent authority level comprises only one of the global authority level, the namespace authority level, the table authority level or the column family authority level, that one is taken as the authority level corresponding to the operation authority.
After the operation permission is determined according to the implementation function of the API in the permission control code and the permission level of each operation permission is respectively determined, a specific permission call request of the client can be assigned with the matched operation permission.
Specifically, responding to the permission call request of the client, determining the operation permission set corresponding to the permission call request, as shown in fig. 3, includes:
Step 2011: responding to the authority calling request of the client, determining the position level of the target data based on the authority calling request, and determining the operation of the client on the target data.
In the implementation process, after responding to the authority calling request of the client, the authority calling request is analyzed to obtain the position level of the target data contained in the request and the operation of the client on the target data. For example, when the authority calling request is to delete the target data in row 2 and column 3 in table 1, the position level of the target data is determined to be the column, and the operation of the client on the target data is delete.
Step 2012: screening out, based on the position level, the operation authorities for executing operations on the position level.
After the position level to which the target data belongs is determined, the operation authorities capable of executing operations on that position level are selected from the operation authorities created according to the API; that is, a plurality of operation authorities are screened out according to the position level, each of which can operate on target data at that position level.
For example, when the authority calling request is to delete target data in row 2 and column 3 in table 1, after determining that the position level of the target data belongs to the column, the operation authority capable of executing operations on the column is screened from the operation authorities, including deletion, writing, addition and the like.
Step 2013: determining, among the screened operation authorities, the operation authorities corresponding to the operation, and creating an operation authority set based on the determined operation authorities.
In order to match the authority calling request of the client, after a plurality of operation authorities for the position level are screened out, the operation authority corresponding to the operation is further determined. For example, when the authority calling request is to delete the target data in row 2 and column 3 in table 1, the operation authority corresponding to the delete operation is determined from the operation authorities screened out in step 2012 for performing operations on the position level.
Because more than one operation authority is provided for a certain position level, an operation authority set is created according to the determined operation authority, and the operation authority set comprises all operation authorities capable of executing operation on the position level.
Step 202: determining a target authority level matched with the position level based on the position level to which the target data belongs.
Each operation authority has different authority levels, and an operation authority can automatically inherit the operation authority of a parent level. Therefore, after the operation permission corresponding to the permission calling request of the client is determined, the permission level of the operation permission corresponding to the permission calling request is further determined. Specifically, as shown in fig. 4, the method includes:
Step 2021: based on the position level to which the target data belongs, if the global authority level is determined to be matched with the position level, taking the global authority level as the target authority level.
In the implementation process, the authority levels are judged one by one, in order of priority from high to low, for a match with the position level to which the target data belongs. Specifically, it is first judged whether the global authority level matches the position level. Preferably, the judgment may be made according to the degree of overlap between the range in which the global authority level can execute operations and the range in which the position level can execute operations; when the degree of overlap reaches a preset value, the global authority level is judged to match the position level and is taken as the target authority level.
Step 2022: based on the position level to which the target data belongs, if the namespace authority level is determined to be matched with the position level, taking the global authority level and the namespace authority level as the target authority level.
Similarly, it is judged whether the namespace authority level matches the position level. Preferably, the judgment may be made according to the degree of overlap between the range in which the namespace authority level can execute operations and the range in which the position level can execute operations; when the degree of overlap reaches a preset value, the namespace authority level is judged to match the position level and is taken as the target authority level.
After the parent-level operation authority of the namespace authority level is judged to exist, the namespace authority level can automatically inherit the global authority level, and after the target authority level corresponding to the position level of the target data is determined to be the namespace authority level, the position level of the target data can also automatically inherit the global authority level. For example, for a scan operation performed at the namespace authority level, this step determines the scan operation of the namespace authority level as the operation authority corresponding to the target authority level. On this basis, when a scan operation of the global authority level exists, a parent-level operation authority of the namespace authority level is also determined to exist, so that while the scan operation of the namespace authority level is executed, the scan operation of the global authority level is allowed to apply as well to the target data corresponding to the namespace authority level.
If the parent-level operation authority of the namespace authority level does not exist, only the namespace authority level is determined as the target authority level corresponding to the position level to which the target data belongs.
Step 2023: based on the position level to which the target data belongs, if the table authority level is determined to be matched with the position level, taking the global authority level, the namespace authority level and the table authority level as the target authority level.
Similarly, it is judged whether the table authority level matches the position level. Preferably, the judgment may be made according to the degree of overlap between the range in which the table authority level can execute operations and the range in which the position level can execute operations; when the degree of overlap reaches a preset value, the table authority level is judged to match the position level and is taken as the target authority level.
After the parent-level operation authority of the table authority level is judged to exist, the table authority level can automatically inherit the global authority level and/or the namespace authority level, and after the target authority level corresponding to the position level of the target data is determined to be the table authority level, the position level of the target data can also automatically inherit the global authority level and/or the namespace authority level. For example, for a scan operation performed at the table authority level, this step determines the scan operation of the table authority level as the operation authority corresponding to the target authority level. On this basis, when a scan operation of the global authority level and/or the namespace authority level exists, a parent-level operation authority of the table authority level is also determined to exist, so that while the scan operation of the table authority level is executed, the scan operation of the global authority level and/or the namespace authority level is allowed to apply as well to the target data corresponding to the table authority level.
If the parent-level operation authority of the table authority level does not exist, only the table authority level is determined as the target authority level corresponding to the position level to which the target data belongs.
Step 2024: based on the position level to which the target data belongs, if the column family authority level is determined to be matched with the position level, taking the global authority level, the namespace authority level, the table authority level and the column family authority level as target authority levels.
Similarly, it is judged whether the column family authority level matches the position level. Preferably, the judgment may be made according to the degree of overlap between the range in which the column family authority level can execute operations and the range in which the position level can execute operations; when the degree of overlap reaches a preset value, the column family authority level is judged to match the position level and is taken as the target authority level.
After the parent-level operation authority of the column family authority level is judged to exist, the column family authority level can automatically inherit the global authority level, the namespace authority level and/or the table authority level, and after the target authority level corresponding to the position level of the target data is determined to be the column family authority level, the position level of the target data can also automatically inherit the global authority level, the namespace authority level and/or the table authority level. For example, for a scan operation performed at the column family authority level, this step determines the scan operation of the column family authority level as the operation authority corresponding to the target authority level. On this basis, when a scan operation of the global authority level, the namespace authority level and/or the table authority level exists, a parent-level operation authority of the column family authority level is also determined to exist, so that while the scan operation of the column family authority level is executed, the scan operation of the global authority level, the namespace authority level and/or the table authority level is allowed to apply as well to the target data corresponding to the column family authority level.
If the parent-level operation authority of the column family authority level does not exist, only the column family authority level is determined as the target authority level corresponding to the position level to which the target data belongs.
Step 2025: based on the position level to which the target data belongs, if the column permission level is determined to be matched with the position level, taking the global permission level, the namespace permission level, the table permission level, the column family permission level and the column permission level as target permission levels.
Similarly, it is judged whether the column permission level matches the position level. Preferably, the judgment may be made according to the degree of overlap between the range in which the column permission level can execute operations and the range in which the position level can execute operations; when the degree of overlap reaches a preset value, the column permission level is judged to match the position level and is taken as the target permission level.
After the parent-level operation permission of the column permission level is judged to exist, the column permission level can automatically inherit the global permission level, the namespace permission level, the table permission level and/or the column family permission level, and after the target permission level corresponding to the position level of the target data is determined to be the column permission level, the position level of the target data can also automatically inherit the global permission level, the namespace permission level, the table permission level and/or the column family permission level. For example, for a scan operation performed at the column permission level, this step determines the scan operation of the column permission level as the operation permission corresponding to the target permission level. On this basis, when a scan operation of the global permission level, the namespace permission level, the table permission level and/or the column family permission level exists, a parent-level operation permission of the column permission level is also determined to exist, so that while the scan operation of the column permission level is executed, the scan operation of the global permission level, the namespace permission level, the table permission level and/or the column family permission level is allowed to apply as well to the target data corresponding to the column permission level.
If the parent-level operation permission of the column permission level does not exist, only the column permission level is determined as the target permission level corresponding to the position level to which the target data belongs.
Step 203: taking the operation authority corresponding to the target authority level as a target authority, and authorizing the position level corresponding to the authority calling request.
In the implementation process, after the target permission level corresponding to the permission calling request is determined, the operation permission corresponding to the target permission level is further obtained, and the operation permission is used as the target permission and is authorized to the position level corresponding to the permission calling request. The specific authorization statements are not described in detail here.
For example, when the authority invocation request is to delete the target data in row 2, column 3 in table 1, and the target authority level is determined to be the column authority level, delete is granted to row 2, column 3 in table 1 as the target authority, so that the client can delete the target data in row 2, column 3 in table 1.
In the implementation process, after the operation authority corresponding to the target authority level has been granted, as the target authority, to the position level corresponding to the authority calling request, the operation that the target authority permits on that position level must also be confirmed by the access controller; that is, the client is allowed to execute the operation corresponding to the target authority on the position level only after confirmation by the access controller. As shown in fig. 5, the method further includes:
Step 2041: in response to the client executing the operation corresponding to the target authority on the target data at the position level, confirming through the access controller whether the client can execute the operation corresponding to the target authority on the target data, wherein the access controller is an authority limit code created based on the operation authority.
In the implementation process, when the client wants to execute a corresponding operation on the target data at the position level, the server responds by having the access controller confirm whether the client can execute the operation corresponding to the target authority on the target data; specifically, the access controller executes the confirmation process through the authority limit code.
For example, when the authority calling request is to delete target data in row 2 and column 3 in table 1, the access controller defines, through the authority limit code, that the operation performed on row 2 and column 3 in table 1 is a delete operation at the column authority level. If the access controller confirms that the operation (e.g., delete) that the client wants to perform on the target data matches the operation corresponding to the position level (e.g., the operation performed on row 2 and column 3 in table 1 is a delete operation at the column authority level), step 2042 is performed; if the access controller determines that the operation (e.g., put) that the client wants to perform on the target data does not match the operation corresponding to the position level (e.g., the operation performed on row 2 and column 3 in table 1 is a delete operation at the column authority level), step 2043 is performed.
Step 2042: allowing the client to execute the operation corresponding to the target authority on the target data at the position level.
In the implementation process, after the access controller confirms that the client has the authority to execute the operation corresponding to the target authority on the position level, the client is allowed to execute the operation corresponding to the target authority on the target data on the position level, namely, the client can operate the target data.
For example, when the right call request is to delete the target data in row 2 and column 3 in table 1, the client may delete the target data in row 2 and column 3 after confirmation by the access controller.
Step 2043: forbidding the client to execute the operation corresponding to the target authority on the target data at the position level.
In the implementation process, after the access controller confirms that the client does not have the authority to execute the operation corresponding to the target authority on the position level, the client is prohibited from executing the operation corresponding to the target authority on the position level, namely, the client is not permitted to operate the target data.
For example, when the right call request is to delete the target data in row 2, column 3 in table 1, and the access controller does not confirm the request, the client does not have the right to delete the target data in row 2, column 3.
It should be noted that the HBase permission configuration method includes not only authorizing the operation permission to the position level, but also revoking the corresponding operation permission from the position level. Specifically, in response to a request from the client to revoke the permission for the position level, the target permission of the position level corresponding to the request is set to null, that is, a null value replaces the original target permission of the position level.
For example, in the case of deleting the target data, after the target authority delete has been granted to row 2, column 3 in table 1 corresponding to the authority calling request, in response to the client's request to revoke the authority for row 2, column 3 in table 1, the target authority delete may be replaced by null (a null value), so that the client is no longer allowed to delete the target data in row 2, column 3.
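The following sketch is an added example, not code from the patent or from HBase; it models the flow of steps 2011 to 2013, 202, 203 and 2041 to 2043 together with revocation, including the inheritance of parent-level permissions described for steps 2022 to 2025. The path tuples, the operation catalogue, the client name and the class and function names are all constructed, and a position is assumed to match a permission level by exact depth rather than by the overlap-degree threshold.

```python
"""Model of steps 2011-2013, 202, 203, 2041-2043 and revocation.

Assumptions (not from the patent): paths are tuples, the operation catalogue
and all names are constructed, and a position matches a permission level by
exact depth rather than by an overlap-degree threshold.
"""

# Permission levels in priority order, highest first.
LEVELS = ("global", "namespace", "table", "column_family", "column")

# Constructed catalogue: operations that can be executed at each position level.
OPS_BY_LEVEL = {
    "global": {"scan"},
    "namespace": {"scan"},
    "table": {"scan", "put", "delete"},
    "column_family": {"scan", "put", "delete"},
    "column": {"scan", "put", "delete"},
}


def level_of(path):
    """Position level of a path: () is global, (ns, table, cf, col) a column."""
    if len(path) >= len(LEVELS):
        raise ValueError("path is deeper than the column level: %r" % (path,))
    return LEVELS[len(path)]


def ancestors(path):
    """Parent positions of a path, ordered from global to the direct parent."""
    return [path[:i] for i in range(len(path))]


class AccessController:
    """Holds grants and confirms each operation before it is executed."""

    def __init__(self):
        # (client, path) -> set of granted operations, or None after revocation
        self.grants = {}

    def _granted(self, client, path):
        return self.grants.get((client, path)) or set()

    def operation_set(self, request):
        """Steps 2011-2013: screen by position level, then by operation."""
        screened = OPS_BY_LEVEL[level_of(request["path"])]
        return {op for op in screened if op == request["operation"]}

    def target_levels(self, request):
        """Step 202: the matched level plus each parent level that already
        holds the same operation for this client."""
        client, path, op = request["client"], request["path"], request["operation"]
        levels = [level_of(p) for p in ancestors(path)
                  if op in self._granted(client, p)]
        return levels + [level_of(path)]

    def authorize(self, request):
        """Step 203: grant the target permission to the requested position."""
        ops = self.operation_set(request)
        if not ops:
            raise PermissionError("operation not available at this position level")
        key = (request["client"], request["path"])
        self.grants[key] = self._granted(*key) | ops
        return self.target_levels(request)

    def check(self, client, path, operation):
        """Steps 2041-2043: allow only an operation granted at the position
        itself or inherited from one of its parent positions."""
        return any(operation in self._granted(client, p)
                   for p in ancestors(path) + [path])

    def revoke(self, client, path):
        """Revocation: the target permission of the position is set to null."""
        self.grants[(client, path)] = None


if __name__ == "__main__":
    ac = AccessController()
    col = ("default", "table1", "cf1", "col3")   # constructed position
    print(ac.authorize({"client": "alice", "path": col, "operation": "delete"}))
    print(ac.check("alice", col, "delete"), ac.check("alice", col, "put"))
    ac.revoke("alice", col)
    print(ac.check("alice", col, "delete"))
```

In this model a revocation at one position leaves a grant of the same operation at a parent position in force, so an operation stays allowed until no level in the chain still carries it.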
Referring to fig. 6, after introducing the HBase permission configuration method provided by the embodiment of the present application, based on the same inventive concept, the HBase permission configuration device provided by the embodiment of the present application is described in detail below:
the response module 601 is configured to respond to a permission call request of a client, and determine an operation permission set corresponding to the permission call request, where the permission call request is used to characterize an operation of the client on a location level to which target data belongs, the operation permission is created based on an implementation function of an application programming interface API in a permission control code of an HBase, the operation permission includes at least one permission level, and the operation permission set includes at least one operation permission;
a determining module 602, configured to determine, based on a location level to which the target data belongs, a target permission level matching the location level;
the authorization module 603 is configured to authorize the location level corresponding to the permission call request, with the operation permission corresponding to the target permission level as the target permission.
Referring to fig. 7, after introducing the HBase authority configuration device provided in the embodiment of the present application, based on the same inventive concept, a server provided in the embodiment of the present application is described in detail below:
a memory 701 for storing a computer program executable by the controller 702;
the controller 702 is connected to the memory 701, and is configured to perform:
responding to a permission calling request of a client, and determining an operation permission set corresponding to the permission calling request, wherein the permission calling request is used for representing the operation of the client on the position level to which target data belongs, the operation permission is created based on the implementation function of an Application Programming Interface (API) in a permission control code of HBase, the operation permission comprises at least one permission level, and the operation permission set comprises at least one operation permission;
determining a target permission level matched with the position level based on the position level to which the target data belongs;
and taking the operation authority corresponding to the target authority level as a target authority, and authorizing the position level corresponding to the authority calling request.
In some possible embodiments, the controller 702 is configured to execute, in response to a permission call request of a client, determining an operation permission set corresponding to the permission call request, including:
responding to a permission calling request of a client, determining the position level of the target data based on the permission calling request, and determining the operation of the client on the target data;
screening out operation authority for executing operation on the position level based on the position level;
and determining operation authorities corresponding to the operation in the screened operation authorities, and creating an operation authority set based on the determined operation authorities.
In some possible embodiments, the controller 702 is configured to determine the operation right by:
determining the implementation function of the API in the permission control code based on the operation which can be implemented by the API in the permission control code of the HBase on the data of each position level;
and creating the APIs that have the same implementation function and belong to the same position level as the same operation authority, wherein the number of APIs contained in the same operation authority is at least one.
In some possible embodiments, the authority levels include, in order of priority from high to low, a global authority level, a namespace authority level, a table authority level, a column family authority level and a column authority level;
the controller 702 is configured to set the authority level of the operation authority in the following manner:
calculating a first matching degree between the operation authority and the global authority level, and if the first matching degree is greater than a first matching threshold, taking the global authority level as the authority level corresponding to the operation authority;
calculating a second matching degree between the operation authority and the namespace authority level, and if the second matching degree is greater than a second matching threshold value, and when a first parent authority level corresponding to the operation authority exists, taking both the first parent authority level and the namespace authority level as the authority level corresponding to the operation authority, wherein the first parent authority level is a global authority level;
calculating a third matching degree between the operation authority and the table authority level, and if the third matching degree is greater than a third matching threshold value and a second parent authority level corresponding to the operation authority exists, taking the second parent authority level and the table authority level as the authority levels corresponding to the operation authority, wherein the second parent authority level is a global authority level and/or a name space authority level;
calculating a fourth matching degree between the operation authority and the column family authority level, and if the fourth matching degree is greater than a fourth matching threshold and a third parent authority level corresponding to the operation authority exists, taking the third parent authority level and the column family authority level as the authority levels corresponding to the operation authority, wherein the third parent authority level is a global authority level, a namespace authority level and/or a table authority level;
and calculating a fifth matching degree between the operation authority and the column authority level, and if the fifth matching degree is greater than a fifth matching threshold and a fourth parent authority level corresponding to the operation authority exists, taking the fourth parent authority level and the column authority level as the authority levels corresponding to the operation authority, wherein the fourth parent authority level is a global authority level, a namespace authority level, a table authority level and/or a column family authority level.
In some possible embodiments, the controller 702 is configured to perform determining the target permission level matching the location level based on the location level to which the target data belongs, including:
based on the position level to which the target data belongs, if the global authority level is determined to be matched with the position level, taking the global authority level as a target authority level;
based on the position level to which the target data belongs, if the namespace authority level is determined to be matched with the position level, taking the global authority level and the namespace authority level as target authority levels;
based on the position level to which the target data belongs, if the table authority level is determined to be matched with the position level, taking the global authority level, the namespace authority level and the table authority level as target authority levels;
based on the position level to which the target data belongs, if the column family authority level is determined to be matched with the position level, taking the global authority level, the namespace authority level, the table authority level and the column family authority level as target authority levels;
and based on the position level to which the target data belongs, if the column permission level is determined to be matched with the position level, taking the global permission level, the namespace permission level, the table permission level, the column family permission level and the column permission level as target permission levels.
In some possible embodiments, after taking the operation authority corresponding to the target authority level as the target authority and granting it to the position level corresponding to the authority invocation request, the controller 702 is further configured to execute:
in response to the client executing, on the target data at the position level, the operation corresponding to the target authority, confirming through the access controller whether the client can execute the operation corresponding to the target authority on the target data, wherein the access controller is an authority limit code created based on the operation authority;
if the confirmation by the access controller passes, allowing the client to execute the operation corresponding to the target authority on the target data of the position level;
and if the confirmation by the access controller does not pass, prohibiting the client from executing the operation corresponding to the target authority on the target data of the position level.
In some possible embodiments, the controller 702 is further configured to perform:
and responding to the withdrawing call request of the client to the position level, and setting the target authority of the position level corresponding to the withdrawing call request to be null.
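The level matching, grant, access-controller confirmation and withdrawal steps described above, modelled as an added Python example (not code from the patent or from HBase). The class and function names, the operation catalogue, the tuple representation of a location, and the rule that a grant at a parent level covers the locations beneath it are all assumptions made for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """Permission levels in the page's order, highest priority first."""
    GLOBAL = 0
    NAMESPACE = 1
    TABLE = 2
    COLUMN_FAMILY = 3
    COLUMN = 4


# Constructed catalogue: levels at which each operation permission exists.
OPERATION_LEVELS = {
    "READ": set(Level),
    "WRITE": set(Level),
    "CREATE": {Level.GLOBAL, Level.NAMESPACE, Level.TABLE},
}


def location_level(path):
    """path is a prefix of (namespace, table, family, qualifier); () is global."""
    if len(path) > Level.COLUMN:
        raise ValueError("location is deeper than the column level")
    return Level(len(path))


def target_levels(path):
    """The level matching the location plus every parent level above it."""
    return [lvl for lvl in Level if lvl <= location_level(path)]


class AccessController:
    """Hypothetical stand-in for the page's access controller; default deny."""

    def __init__(self):
        self._acl = {}  # (user, path) -> set of operations, or None once withdrawn

    def grant(self, user, path, operations):
        level = location_level(path)
        for op in operations:
            # Screen out operations that do not exist at this location level.
            if level not in OPERATION_LEVELS.get(op, set()):
                raise PermissionError(f"{op} is not defined at {level.name} level")
        current = self._acl.get((user, path)) or set()
        self._acl[(user, path)] = current | set(operations)

    def withdraw(self, user, path):
        # Withdrawal sets the target permission of that location to null.
        self._acl[(user, path)] = None

    def check(self, user, path, op):
        # One lookup per target level: the location itself and each parent.
        for lvl in target_levels(path):
            granted = self._acl.get((user, path[:lvl]))
            if granted and op in granted:
                return True
        return False
```

Withdrawing the namespace-level grant in this model leaves a narrower column-family grant intact, which is the behaviour to verify when reviewing revocation in a layered scheme like this one.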
Having described a server provided by an embodiment of the present application, based on the same inventive concept, an embodiment of the present application provides a computer-readable storage medium, where instructions in the storage medium, when executed by a processor, enable the processor to perform:
Responding to a permission calling request of a client, and determining an operation permission set corresponding to the permission calling request, wherein the permission calling request is used for representing the operation of the client on the position level to which target data belongs, the operation permission is created based on the implementation function of an Application Programming Interface (API) in a permission control code of HBase, the operation permission comprises at least one permission level, and the operation permission set comprises at least one operation permission;
determining a target permission level matched with the position level based on the position level to which the target data belongs;
and taking the operation authority corresponding to the target authority level as a target authority, and authorizing the position level corresponding to the authority calling request.
To sum up, the embodiments of the present application disclose an HBase permission configuration method, an apparatus, and a storage medium. In the method, in response to a permission calling request of a client, an operation permission set corresponding to the permission calling request is determined, wherein the permission calling request is used for representing the operation of the client on the position level to which target data belongs, the operation permission is created based on the implementation function of an API in the permission control code of HBase, the operation permission comprises at least one permission level, and the operation permission set comprises at least one operation permission. A target permission level matched with the position level is determined based on the position level to which the target data belongs, and the operation permission corresponding to the target permission level is taken as the target permission and authorized to the position level corresponding to the permission calling request. Because the operation permissions are created from the APIs, the HBase permissions are divided more finely, so that the corresponding target permission can be accurately matched to the position level on which the client wants to execute the operation.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product system. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product system embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program product systems according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if these changes and modifications of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include these changes and modifications.

Claims (10)

1. An HBase permission configuration method is characterized by comprising the following steps:
responding to a permission calling request of a client, and determining an operation permission set corresponding to the permission calling request, wherein the permission calling request is used for representing the operation of the client on the position level of target data, the operation permission is created based on the implementation function of an Application Programming Interface (API) in a permission control code of HBase, the operation permission comprises at least one permission level, and the operation permission set comprises at least one operation permission;
determining a target permission level matching the location level based on the location level to which the target data belongs;
and taking the operation authority corresponding to the target authority level as a target authority, and authorizing the position level corresponding to the authority calling request.
2. The method of claim 1, wherein the determining, in response to a permission call request of a client, an operation permission set corresponding to the permission call request comprises:
responding to the authority calling request of the client, determining the position level of the target data based on the authority calling request, and determining the operation of the client on the target data;
screening out the operation authority for executing the operation on the position level based on the position level;
and determining the operation authority corresponding to the operation in the screened operation authorities, and creating the operation authority set based on the determined operation authority.
3. The method of claim 1, wherein the operational privilege is determined by:
determining the implementation function of the API in the permission control code based on the operation which can be implemented by the API in the permission control code of the HBase on the data of each position level;
and creating the APIs whose implementation functions belong to the same position level as the same operation authority, wherein the number of APIs contained in the same operation authority is at least one.
4. The method of claim 1, wherein the privilege levels comprise a global privilege level, a namespace privilege level, a table privilege level, a column family privilege level, and a column privilege level, with priorities from high to low;
setting the permission level of the operation permission by:
calculating a first matching degree between the operation authority and the global authority level, and if the first matching degree is greater than a first matching threshold, taking the global authority level as the authority level corresponding to the operation authority; and
calculating a second matching degree between the operation authority and the namespace authority level, if the second matching degree is greater than a second matching threshold, and when a first parent authority level corresponding to the operation authority exists, taking both the first parent authority level and the namespace authority level as the authority level corresponding to the operation authority, wherein the first parent authority level is a global authority level; and
calculating a third matching degree between the operation authority and the table authority level, and if the third matching degree is greater than a third matching threshold value and a second parent authority level corresponding to the operation authority exists, taking the second parent authority level and the table authority level as the authority level corresponding to the operation authority, wherein the second parent authority level is the global authority level and/or the namespace authority level; and
calculating a fourth matching degree between the operation authority and the column family authority level, and if the fourth matching degree is greater than a fourth matching threshold value and a third parent authority level corresponding to the operation authority exists, taking the third parent authority level and the column family authority level as the authority levels corresponding to the operation authority, wherein the third parent authority level is the global authority level, the namespace authority level and/or the table authority level; and
calculating a fifth matching degree between the operation authority and the column authority level, and if the fifth matching degree is greater than a fifth matching threshold value and a fourth parent authority level corresponding to the operation authority exists, taking the fourth parent authority level and the column authority level as the authority levels corresponding to the operation authority, wherein the fourth parent authority level is the global authority level, the namespace authority level, the table authority level and/or the column family authority level.
5. The method of claim 4, wherein said determining a target permission level matching the location level based on the location level to which the target data pertains comprises:
based on the position level to which the target data belongs, if the global authority level is determined to be matched with the position level, taking the global authority level as the target authority level;
based on the position level to which the target data belongs, if the namespace permission level is determined to be matched with the position level, taking the global permission level and the namespace permission level as the target permission level;
based on the position level to which the target data belongs, if the table permission level is determined to be matched with the position level, taking the global permission level, the namespace permission level and the table permission level as the target permission level;
based on the position level to which the target data belongs, if it is determined that the column family permission level matches the position level, taking the global permission level, the namespace permission level, the table permission level and the column family permission level as the target permission level;
based on the location level to which the target data belongs, if it is determined that the column permission level matches the location level, taking a global permission level, the namespace permission level, the table permission level, the column family permission level, and the column permission level as the target permission level.
6. The method of claim 1, wherein after authorizing the location level corresponding to the permission invocation request with the operation permission corresponding to the target permission level as a target permission, further comprising:
responding to the operation corresponding to the target authority executed by the client on the target data of the position level, and confirming whether the client can execute the operation corresponding to the target authority on the target data or not through an access controller, wherein the access controller is an authority limit code created based on the operation authority;
if the confirmation by the access controller passes, allowing the client to execute the operation corresponding to the target authority on the target data of the position level;
and if the confirmation by the access controller does not pass, prohibiting the client from executing the operation corresponding to the target authority on the target data of the position level.
7. The method of any of claims 1 to 6, further comprising:
and responding to a withdrawing call request of the client to the position level, and setting the target authority of the position level corresponding to the withdrawing call request to be null.
8. An HBase permission configuration device, comprising:
the response module is used for responding to a permission calling request of a client and determining an operation permission set corresponding to the permission calling request, wherein the permission calling request is used for representing the operation of the client on the position level of target data, the operation permission is created based on the implementation function of an Application Programming Interface (API) in a permission control code of HBase, the operation permission comprises at least one permission level, and the operation permission set comprises at least one operation permission;
a determining module, configured to determine, based on the location level to which the target data belongs, a target permission level matching the location level;
and the authorization module is used for taking the operation permission corresponding to the target permission level as a target permission and authorizing the position level corresponding to the permission calling request.
9. A server, comprising:
a memory for storing a computer program executable by the controller;
a controller coupled to the memory and configured to perform the method of any of claims 1-7.
10. A computer-readable storage medium, wherein instructions in the storage medium, when executed by a processor, enable the processor to perform the method of any of claims 1-7.
CN202111140221.5A 2021-09-28 2021-09-28 HBase permission configuration method, device and storage medium Pending CN113868681A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111140221.5A CN113868681A (en) 2021-09-28 2021-09-28 HBase permission configuration method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111140221.5A CN113868681A (en) 2021-09-28 2021-09-28 HBase permission configuration method, device and storage medium

Publications (1)

Publication Number Publication Date
CN113868681A (en) 2021-12-31

Family

ID=78991526

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111140221.5A Pending CN113868681A (en) 2021-09-28 2021-09-28 HBase permission configuration method, device and storage medium

Country Status (1)

Country Link
CN (1) CN113868681A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination