CN114239056A - Control method, device, medium and equipment of data access interface - Google Patents


Publication number
CN114239056A
Authority
CN
China
Prior art keywords
data
user
access interface
information
storing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111433788.1A
Other languages
Chinese (zh)
Inventor
罗庆超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba China Co Ltd
Priority to CN202111433788.1A
Publication of CN114239056A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments disclosed in the present specification provide a method, apparatus, medium, and device for controlling a data access interface. When a second user wants to call a data access interface for accessing data owned by a first user, the data storage system can judge whether the data accessible by that data access interface is stored in the blockchain. If so, the data access interface can be provided to the second user to call; if not, the data storage system can refuse to provide the data access interface to the second user.

Description

Control method, device, medium and equipment of data access interface
Technical Field
Embodiments of the present disclosure relate to the field of database technologies, and in particular, to a method, an apparatus, a medium, and a device for controlling a data access interface.
Background
Currently, data storage systems may provide data storage and access services to users. A common service mode is that a user of the data storage system submits their own data to the data storage system for storage, the data storage system provides a data access interface for the data, and the user can call the data access interface to access the data.
In practice, users other than that user may also be able to invoke the data access interface. How to effectively deal with the situation in which "other users who do not own the data invoke the data access interface to maliciously tamper with the data" is therefore a technical problem to be solved urgently.
Disclosure of Invention
Embodiments of the present specification provide a method, apparatus, medium, and device for controlling a data access interface.
The technical scheme provided by the embodiments of the specification is as follows:
According to a first aspect of the embodiments of the present specification, a method for controlling a data access interface is provided. The method is applied to a data storage system, where the data storage system stores a data set owned by a first user and externally provides a corresponding data access interface for each data in the data set, and at least part of the data in the data set is stored as evidence in a blockchain. The method includes:
in response to a second user requesting to call a data access interface, judging whether the data accessible by the data access interface is stored in the blockchain, where the second user is not the same user as the first user;
if the judgment result is yes, providing the data access interface to the second user to call; if the judgment result is no, refusing to provide the data access interface to the second user.
According to a second aspect of the embodiments of the present specification, there is provided a control apparatus for a data access interface, which is applied to a data storage system, where the data storage system stores a data set owned by a first user and provides a corresponding data access interface for each data in the data set, and at least part of the data in the data set is stored in a blockchain. The apparatus includes:
a judging module, used for judging, in response to a second user requesting to call a data access interface, whether the data accessible by the data access interface is stored in the blockchain, where the second user is not the same user as the first user;
a processing module, used for providing the data access interface to the second user to call if the judgment result is yes, and for refusing to provide the data access interface to the second user if the judgment result is no.
According to a third aspect of the various embodiments herein, there is provided a data storage system as described in the method of the first aspect.
According to a fourth aspect of the various embodiments of the present description, a computer-readable storage medium is proposed, on which a computer program is stored which, when executed by a processor, carries out the method of the first aspect.
According to a fifth aspect of various embodiments herein, there is provided a computing device comprising a memory and a processor; the memory stores computer instructions executable on the processor, and the processor implements the method of the first aspect when executing the computer instructions.
In the above technical solution, data owned by a first user and stored by a data storage system may be stored in a blockchain. When a second user wants to invoke a data access interface for accessing the data owned by the first user, the data storage system may determine whether the data accessible by that data access interface is stored in the blockchain. If the determination result is yes, then even if the second user tampers with the corresponding data through the data access interface, the first user can prove the second user's data tampering based on the original data stored in the blockchain, and thus the data access interface may be provided to the second user for invocation. If the determination result is no, it would be difficult for the first user to prove that the second user tampered with the corresponding data through the data access interface, and therefore the data storage system may refuse to provide the data access interface to the second user.
Through this technical solution, tampering with data in the data storage system by third parties (parties other than the user who owns the data and the data storage system) can be effectively dealt with.
Drawings
Fig. 1 is a flowchart illustrating a control method of a data access interface provided in this specification.
Fig. 2 is an architecture diagram, provided by the present specification, that includes an application of a first user, an application of a second user, a data storage system, and a plurality of evidence storage service systems.
Fig. 3 is a schematic diagram of a data storage method provided in this specification.
Fig. 4 is a schematic diagram of a data access method provided in this specification.
Fig. 5 is a schematic structural diagram of a control device of a data access interface provided in this specification.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
It should be noted that: in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described herein. In some other embodiments, the method may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
The data storage system described herein may refer to a software system having a data storage function, for example a cloud storage system, and more specifically an object storage system. An object storage system stores objects as data units and may be used to store copyrighted works such as music, videos, and pictures, where each copyrighted work is an object.
Current data storage systems may provide data storage and access services to users. The user here may be an individual or an organization. In practice, the user may be, for example, a manager of an internet application, data generated by the internet application may be submitted to the data storage system for storage, and the internet application may also access the data storage system for data reading and data modification according to business needs.
Generally, the owner of data in a data storage system is the user who submitted the data to the data storage system for storage, and generally only the user who owns the data has the authority to modify it. Current data storage systems usually provide the data access interface for the corresponding data externally as a general interface based on the HTTP protocol, so that in theory users other than the user who owns the data may also invoke the data access interface. There are two cases here:
1. The user who owns the data does not expect other users to call the data access interface, but another user uses technical means to break the call permission of the data access interface and thereby calls it.
2. The user who owns the data has a business cooperation relationship with the other users and authorizes them to call the data access interface, but does not expect them to modify the corresponding data without permission.
However, once another user has the right to invoke the data access interface, the data storage system cannot stop that user from modifying the data corresponding to the data access interface. If the other user goes against the will of the user who owns the data and maliciously tampers with the data, the owner can hardly discover the tampering, and even if the owner discovers it, the tampering is difficult to prove.
For this reason, in the technical solution provided in this specification, data owned by a first user and stored by a data storage system may be stored in a blockchain. When a second user (different from the first user) wants to invoke a data access interface for accessing data owned by the first user, the data storage system may determine whether the data accessible by that data access interface is stored in the blockchain. If the determination result is yes, then even if the second user tampers with the corresponding data through the data access interface, the first user can prove the second user's data tampering based on the original data stored in the blockchain, and thus the data access interface may be provided to the second user for invocation. If the determination result is no, it would be difficult for the first user to prove that the second user tampered with the corresponding data through the data access interface, and therefore the data storage system may refuse to provide the data access interface to the second user.
Through this technical solution, tampering with data in the data storage system by third parties (parties other than the user who owns the data and the data storage system) can be effectively dealt with.
The technical solution provided in the present specification is described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of a method for controlling a data access interface provided in this specification, including the following steps:
S100: In response to a second user requesting to call a data access interface, judge whether the data accessible by the data access interface is stored in the blockchain; if so, execute step S102, and if not, execute step S104.
S102: Provide the data access interface to the second user to call.
S104: Refuse to provide the data access interface to the second user.
The method flow shown in FIG. 1 applies to a data storage system. The data storage system can store data sets respectively owned by a plurality of users. For convenience of description, the data set owned by the first user is taken as an example for illustration, and the second user is defined as a user other than the first user.
The data storage system can provide a corresponding data access interface for each data in the data set, which is equivalent to exposing the data access interface to an unspecified user. Each data can correspond to one data access interface, and different data correspond to different data access interfaces; multiple data may also correspond to the same data access interface.
At least a portion of the data in the data set owned by the first user may be stored as evidence in the blockchain. The first user can select, according to their own needs, at least part of the data as the data required to be stored in the blockchain.
In some embodiments, for data that needs to be stored as evidence in the blockchain, the first user may, on the one hand, submit the data to the data storage system for storage and, on the other hand, store the data as evidence in the blockchain. In other embodiments, the first user may request that the data storage system store at least a portion of the data as evidence in the blockchain.
For example, the first user may be a manager of an internet application, and the internet application may submit generated data (e.g., video, music, and pictures) to a data storage system for storage and specify that at least a portion of the data needs to be stored in the blockchain; the data storage system then needs to store that portion in the blockchain in addition to storing all the data submitted by the internet application.
In some embodiments, the data storage system may interface with at least one evidence storage service system, with different evidence storage service systems interfacing with different blockchains. In addition, for communication security, each evidence storage service system can exchange secure communication certificates with the data storage system in advance, so that each evidence storage service system and the data storage system communicate based on each other's secure communication certificate. Each evidence storage service system capable of such secure communication may be registered with the data storage system to form a list of evidence storage service systems, and the data storage system may provide the list to the first user, from which the first user may select at least one evidence storage service system for storing the first user's data as evidence.
In some embodiments, the step of determining that the second user requests to invoke the data access interface may comprise: receiving an access credential and a signature on the access credential; verifying the signature on the access credential by using the public key of the first user; and, if the signature passes verification and the access credential records authorization information showing that the first user authorizes the second user to call the data access interface, determining that the second user requests to call the data access interface. If the signature passes verification, this means that the access credential provided by the second user was issued by the first user; if the access credential also records authorization information showing that the first user authorizes the second user to call the data access interface, this means that the second user has obtained the first user's authorization and has the authority to request to call the data access interface.
In addition, if the signature on the access credential fails verification, this means that the access credential was not issued by the first user and is not valid; the second user does not have the authority to request to invoke the data access interface, and the data storage system may decline to recognize that the second user requests to invoke the data access interface.
In addition, even if the signature on the access credential passes verification, if the access credential does not record authorization information showing that the first user authorizes the second user to invoke the data access interface, the second user has not been authorized by the first user and does not have permission to invoke the data access interface, and the data storage system may decline to recognize that the second user requests to invoke the data access interface.
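The two checks described above (the signature was made by the first user, and the credential records authorization for this caller and this interface), as an added Go example that is not part of the patent text. Ed25519, the JSON credential layout, and every type and function name here are assumptions; the specification only requires verification with the first user's public key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// AccessCredential is a hypothetical layout. The specification only says the
// credential records that the first user authorizes the second user to call
// the data access interface.
type AccessCredential struct {
	Grantee   string `json:"grantee"`   // the second user
	Interface string `json:"interface"` // data access interface identifier
}

var (
	ErrBadSignature  = errors.New("credential was not signed by the first user")
	ErrNotAuthorized = errors.New("credential does not authorize this call")
)

// NewOwnerKey generates a key pair for the first user (constructed for the demo).
func NewOwnerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueCredential is the first user's side: serialize the grant and sign it.
func IssueCredential(priv ed25519.PrivateKey, c AccessCredential) ([]byte, []byte) {
	raw, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return raw, ed25519.Sign(priv, raw)
}

// RecognizeRequest is the data storage system's side. It returns nil only when
// the signature verifies under the first user's public key AND the credential
// names this caller and this interface.
func RecognizeRequest(ownerPub ed25519.PublicKey, raw, sig []byte, caller, iface string) error {
	// Check 1: verify the signature over the exact bytes received, before
	// parsing them. ed25519.Verify panics on a wrong-sized key, so guard it.
	if len(ownerPub) != ed25519.PublicKeySize || !ed25519.Verify(ownerPub, raw, sig) {
		return ErrBadSignature
	}
	// Check 2: a valid signature is not enough; the grant must cover this call.
	var c AccessCredential
	if err := json.Unmarshal(raw, &c); err != nil {
		return ErrNotAuthorized
	}
	if c.Grantee != caller || c.Interface != iface {
		return ErrNotAuthorized
	}
	return nil
}

func main() {
	pub, priv := NewOwnerKey()
	grant := AccessCredential{Grantee: "user-b", Interface: "GET /objects/song-1"}
	raw, sig := IssueCredential(priv, grant)
	fmt.Println("granted call:", RecognizeRequest(pub, raw, sig, "user-b", "GET /objects/song-1"))
	fmt.Println("other interface:", RecognizeRequest(pub, raw, sig, "user-b", "PUT /objects/song-1"))
	raw[len(raw)-2] ^= 1 // flip one bit of the signed bytes
	fmt.Println("altered credential:", RecognizeRequest(pub, raw, sig, "user-b", "GET /objects/song-1"))
}
```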
After determining that the second user requests to invoke the data access interface, the data storage system may, in response to that request, determine which data is accessible by the data access interface.
In some embodiments, there is only one data accessible by the data access interface. In this case, it is determined whether the data is stored in the blockchain; if the determination result is yes, the data access interface is provided to the second user for calling, and if the determination result is no, the data storage system refuses to provide the data access interface to the second user.
In some embodiments, there are a plurality of data accessible by the data access interface. In this case, it may be determined for each data whether it is stored in the blockchain; if every determination result is yes, the data access interface is provided to the second user for calling, and if any determination result is no, the data storage system may refuse to provide the data access interface to the second user.
In addition, the first user may configure an evidence storage policy for their own data. In some embodiments, the data storage system may receive configuration information and a signature on the configuration information. The configuration information may be sent by the first user or by other users; in either case, the configuration information is valid as long as the signature on it is the first user's signature.
The configuration information may include a data identifier and/or a data type identifier for specifying the data that needs to be stored as evidence. For example, for an object storage system, the storage structure may include several "buckets," each of which includes several objects. Different buckets may correspond to different data types. The first user may specify the objects to be stored as evidence at the granularity of a "bucket" or at the granularity of an "object".
The data storage system can verify the signature on the configuration information by using the public key of the first user and, if the signature passes verification, establish an association between the first user and the configuration information. In some embodiments, for each data in the data set, it may be determined whether the data matches the configuration information; if so, evidence storage information is constructed based on the data and submitted to the blockchain. This is equivalent to storing the existing data owned by the first user in the data storage system as evidence in the blockchain.
In other embodiments, each piece of data subsequently submitted by the first user may be added to the data set, and it is determined whether the data matches the configuration information; if so, evidence storage information is constructed based on the data and submitted to the blockchain. Note that data subsequently submitted by the first user may be modified data submitted in order to modify the original data. This is equivalent to also storing as evidence in the blockchain the incremental data that the first user submits to the data storage system.
In addition, in some embodiments, the data storage system may interface with a plurality of evidence storage service systems, and the first user may select at least one evidence storage service system, so that the data storage system may store the evidence storage information corresponding to the data in the blockchain to which that evidence storage service system is connected.
In some embodiments, the evidence storage information may be constructed based on the data and the user information of the first user. In this way, the association between the data and the first user is also stored as evidence in the blockchain.
In some embodiments, the configuration information may further include an extension information type, which may be understood as a context field associated with the data; the first user may set a plurality of different context fields as different extension information types. For example, if the data owned by the first user is copyrighted content, the extension information types corresponding to the copyrighted content may include a copyright number, copyright acquisition time, and the like. The data storage system can determine the extension information corresponding to the data according to the extension information type contained in the configuration information, and construct the evidence storage information based on the data and the corresponding extension information.
In some embodiments, the configuration information may further include evidence storage mode information for specifying one of the following evidence storage modes:
a data evidence storage mode, in which the data itself is encapsulated into the evidence storage information;
a data hash evidence storage mode, in which the hash value of the data is encapsulated into the evidence storage information;
a data link evidence storage mode, in which a lookup link established by the data storage system for the data is encapsulated into the evidence storage information;
a data privacy evidence storage mode, in which privacy information specified by the first user (such as the personal privacy of a customer served by the first user) is added to the data before the data is stored as evidence.
In addition, the evidence storage modes may also include a shared data evidence storage mode, in which the data is stored as evidence both in the blockchains connected to the evidence storage service systems selected in advance by the first user and in blockchains connected to other, temporarily designated evidence storage service systems that the first user did not select in advance.
The evidence storage modes may also include a shared data privacy evidence storage mode, in which the privacy information specified by the first user is added to the data and the shared data evidence storage mode is then applied to the data.
In some embodiments, the data storage system may return a hash value of the evidence storage information corresponding to the data to the first user. In this way, the first user can use the hash value to verify from the blockchain whether the evidence storage information exists. In addition, the first user can also generate the corresponding evidence storage information themselves from their own data and the configuration information they specified for the data (such as the evidence storage mode and extension information), and compare the hash value of the evidence storage information they generated with the hash value returned by the data storage system. If the hash values are consistent, it means that the data storage system really performed evidence storage processing on the data according to the configuration information specified by the first user.
In other embodiments, the data storage system may store an association between the data and the hash value of the evidence storage information corresponding to the data. Therefore, if the data storage system later wants to verify whether the data is stored in the blockchain, it can directly provide the hash value of the evidence storage information associated with the data to the evidence storage service system. The evidence storage service system can search the blockchain it is connected to for the corresponding evidence storage information according to the hash value sent by the data storage system and, if the evidence storage information exists, return a verification success result to the data storage system.
In some embodiments, the step of determining whether the data accessible by the data access interface is stored in the blockchain may specifically include: for data accessible by the data access interface, if it is determined that no configuration information matching the data exists, determining that the data is not stored in the blockchain; if it is determined that configuration information matching the data exists, constructing the evidence storage information corresponding to the data based on the data and the configuration information, and judging whether that evidence storage information is stored in the blockchain; if so, determining that the data is stored in the blockchain, and if not, determining that the data is not stored in the blockchain.
In some embodiments, after the data access interface is provided to the second user for calling, the operations the second user performs on the corresponding data through the data access interface may be recorded. This means that if the second user modifies the corresponding data according to the data access result, the data storage system may record the modification and, in combination with the original data stored in the blockchain, the second user's tampering with the data owned by the first user can be proved relatively truthfully.
Of course, after providing the data access interface to the second user for invocation, the data storage system may also record the fact that the second user invoked the data access interface.
Fig. 2 is an architecture diagram, provided by the present specification, that includes an application of a first user, an application of a second user, a data storage system, and a plurality of evidence storage service systems. As shown in fig. 2, data generated by the application of the first user may be submitted to the data storage system, which on the one hand stores the submitted data and on the other hand stores it as evidence in the blockchains connected to the multiple evidence storage service systems. The application of the second user can, on the premise of having obtained the first user's authorization, initiate a call to the data access interface corresponding to data owned by the first user; if the data storage system determines that the data accessible by the data access interface is stored in the blockchain, the data access interface can be provided to the second user to call.
Fig. 3 is a schematic diagram of a data storage method provided in this specification. As shown in fig. 3, the application managed by the first user may submit data to the data storage system. The data storage system determines whether the configuration information preset by the first user contains configuration information matching the data (that is, configuration information containing the data identifier or data type identifier corresponding to the data) and, if so, determines that the data needs to be stored in the blockchain. The data storage system may then construct the evidence storage information based on the data, the user information of the first user, and the extension information and evidence storage mode specified by the configuration, and request the evidence storage service system to write the evidence storage information into the blockchain. After the evidence is stored successfully, the data storage system may store the association between the data and the hash value of the evidence storage information, and may also return the hash value of the evidence storage information to the application managed by the first user.
It should be noted that, as shown in fig. 3, if more than one piece of configuration information matches the data, the configuration information last specified by the first user may be used. In addition, if the configuration information matching the data includes both configuration information containing the data type identifier and configuration information containing the data identifier, the configuration information containing the data identifier may be preferentially adopted.
Fig. 4 is a schematic diagram of a data access method provided in this specification. As shown in Fig. 4, the application managed by the second user may request to call a data access interface corresponding to data owned by the first user. Typically, the second user needs to obtain the first user's authorization in advance, obtain an access credential signed by the first user, and provide the access credential to the data storage system. After verifying the access credential, the data storage system may determine the data accessible through the data access interface that the second user wants to call. It then reads the configuration information matching the data and constructs the evidence storage information based on the data, the user information of the first user, and the extension information and evidence storage mode specified by the configuration information, which is equivalent to obtaining the evidence storage information again with the same algorithm as in the data storage stage. The data storage system may send the resulting evidence storage information to the evidence storage service system and request it to verify whether the evidence storage information is already in the blockchain. If so, it is determined that evidence of the data has been stored in the blockchain, the second user may be permitted to call the data access interface, and a record of the second user calling the data access interface may be generated.
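The storage stage of Fig. 3 and the access-stage check of Fig. 4, as an added Python example that is not code from the specification. The class names, the JSON layout of the evidence storage information, SHA-256, and the in-memory set standing in for the blockchain are all assumptions, and the access credential is assumed to have been verified already; the last call shows that data altered after storage no longer re-derives to evidence on the chain, so the call is refused.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Every name and field layout here is an assumption made for illustration;
# the specification does not define concrete formats.

@dataclass(frozen=True)
class Config:
    seq: int                          # order in which the first user specified it
    data_id: Optional[str] = None     # matches one piece of data
    data_type: Optional[str] = None   # matches every piece of data of this type
    mode: str = "hash"                # "data" or "hash" evidence storage mode
    extension: tuple = ()             # extension fields to include

class EvidenceService:
    """Stand-in for an evidence storage service system; a set of digests
    plays the role of the blockchain."""
    def __init__(self):
        self._chain = set()
    def write(self, evidence: bytes) -> str:
        digest = hashlib.sha256(evidence).hexdigest()
        self._chain.add(digest)
        return digest
    def contains(self, evidence: bytes) -> bool:
        return hashlib.sha256(evidence).hexdigest() in self._chain

class DataStorageSystem:
    def __init__(self, owner: str, service: EvidenceService):
        self.owner, self.service = owner, service
        self.configs, self.records, self.call_log = [], {}, []

    def match_config(self, data_id, data_type):
        by_id = [c for c in self.configs if c.data_id == data_id]
        by_type = [c for c in self.configs
                   if c.data_id is None and c.data_type == data_type]
        pool = by_id or by_type       # data-identifier configuration is preferred
        return max(pool, key=lambda c: c.seq) if pool else None  # latest wins

    def build_evidence(self, data_id, cfg) -> bytes:
        _, payload, ext = self.records[data_id]
        body = payload.hex() if cfg.mode == "data" else hashlib.sha256(payload).hexdigest()
        info = {"owner": self.owner, "mode": cfg.mode, "body": body,
                "ext": {k: ext.get(k) for k in cfg.extension}}
        return json.dumps(info, sort_keys=True).encode()   # canonical encoding

    def submit(self, data_id, data_type, payload: bytes, ext=None):
        """Storage stage: returns the evidence hash, or None if nothing matched."""
        self.records[data_id] = (data_type, payload, ext or {})
        cfg = self.match_config(data_id, data_type)
        return self.service.write(self.build_evidence(data_id, cfg)) if cfg else None

    def call_interface(self, caller, data_id):
        """Access stage. The access credential is assumed to be verified already."""
        cfg = self.match_config(data_id, self.records[data_id][0])
        if cfg is None or not self.service.contains(self.build_evidence(data_id, cfg)):
            return None               # refuse: no matching evidence on the chain
        self.call_log.append((caller, data_id))
        return self.records[data_id][1]

def demo():
    dss = DataStorageSystem("first-user", EvidenceService())
    dss.configs += [Config(seq=1, data_type="invoice", mode="data"),
                    Config(seq=2, data_id="inv-7", extension=("submitted_at",))]
    ext = {"submitted_at": "2021-11-29"}          # constructed sample values
    digest = dss.submit("inv-7", "invoice", b"amount=100", ext)
    dss.submit("note-1", "memo", b"draft")        # matches no configuration
    granted = dss.call_interface("second-user", "inv-7")
    refused = dss.call_interface("second-user", "note-1")
    dss.records["inv-7"] = ("invoice", b"amount=999", ext)   # altered after storage
    altered = dss.call_interface("second-user", "inv-7")
    return digest, granted, refused, altered, dss.call_log

if __name__ == "__main__":
    print(demo())
```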
Fig. 5 is a schematic structural diagram of a control apparatus of a data access interface. The apparatus is applied to a data storage system that stores a data set owned by a first user and provides a corresponding data access interface for each piece of data in the data set, where evidence of at least part of the data in the data set is stored in a blockchain. The apparatus includes:
a determining module 501, which, in response to a second user requesting to call a data access interface, determines whether evidence of the data accessible through the data access interface has been stored in the blockchain; the second user is not the same user as the first user;
a processing module 502, which, if the determination result is yes, provides the data access interface for the second user to call, and, if the determination result is no, refuses to provide the data access interface for the second user to call.
The present specification also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the functionality of a data storage system.
The present specification also provides a computing device comprising a memory, a processor; the memory is for storing computer instructions executable on the processor for implementing the functions of the data storage system when the computer instructions are executed.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and the units are described separately. Of course, when implementing the present specification, the functions of the various units may be implemented in the same one or more pieces of software and/or hardware.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In summary, in some embodiments disclosed herein, the digital article and the digital identity are connected by digital identity technology, and the digital identity may further include identity authentication information so that the transaction of the digital article can meet the requirements of KYC regulation. In some embodiments, some or all of the digital identities are fully authenticated by real name, providing a fully authenticated blockchain-based transaction system. The system is beneficial to the operation of anti-money laundering and fraud, and becomes a true credible transaction system. In some embodiments, the recording and verification functions of the digital article and the digital identity are combined, so that transaction elements such as transaction objects, transaction participants and the like can be recorded and verified conveniently, and the convenience and reliability of transactions are improved. In other embodiments, the intelligent contract in the blockchain system may be invoked by the client of the transacting party independently of the digital identity to create tables of associations between the digital item and its owner on the chain and store the tables of associations in the intelligent contract, thereby creditably recording ownership of the digital item on the chain.
The foregoing describes several embodiments of the present specification. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The terminology used in the description of the various embodiments is for the purpose of describing particular embodiments only and is not intended to be limiting of the embodiments herein. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in various embodiments of the present description to describe various information, the information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the various embodiments herein. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the method embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to the partial description of the method embodiment for relevant points. The above-described method embodiments are merely illustrative, wherein the modules described as separate components may or may not be physically separate, and the functions of the modules may be implemented in one or more software and/or hardware when implementing the embodiments of the present specification. And part or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalent replacements, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (14)

1. A control method of a data access interface, applied to a data storage system, wherein the data storage system stores a data set owned by a first user and provides a corresponding data access interface for each piece of data in the data set, and evidence of at least part of the data in the data set is stored in a blockchain, the method comprising:
in response to a second user requesting to call a data access interface, determining whether evidence of the data accessible through the data access interface has been stored in the blockchain, wherein the second user is not the same user as the first user;
if the determination result is yes, providing the data access interface for the second user to call; if the determination result is no, refusing to provide the data access interface for the second user to call.
2. The method of claim 1, wherein determining that the second user requests to call the data access interface comprises:
receiving an access credential and a signature on the access credential;
verifying the signature on the access credential using the public key of the first user;
and, if the signature passes verification and the access credential records authorization information showing that the first user authorizes the second user to call the data access interface, determining that the second user requests to call the data access interface.
3. The method of claim 1, further comprising:
receiving configuration information and a signature on the configuration information; the configuration information comprises a data identifier and/or a data type identifier;
verifying the signature on the configuration information by using the public key of the first user;
if the signature passes the verification, establishing an association relationship between the first user and the configuration information;
for each piece of data in the data set, determining whether the data matches the configuration information and, if so, constructing evidence storage information based on the data and submitting the evidence storage information corresponding to the data to the blockchain; and/or, for each piece of data subsequently submitted by the first user, adding the data to the data set, determining whether the data matches the configuration information and, if so, constructing evidence storage information based on the data and submitting the evidence storage information corresponding to the data to the blockchain.
4. The method of claim 3, further comprising:
before receiving the evidence storage configuration information, determining at least one evidence storage service system selected by the first user from a blockchain service system set, wherein different evidence storage service systems are connected to different blockchains;
wherein submitting the evidence storage information corresponding to the data to the blockchain comprises:
submitting the evidence storage information corresponding to the data to each evidence storage service system selected by the first user, so that the evidence storage service system stores the evidence storage information corresponding to the data in the blockchain to which it is connected.
5. The method of claim 4, wherein each evidence storage service system in the blockchain service system set exchanges secure communication credentials with the data storage system in advance, so that each evidence storage service system and the data storage system communicate based on each other's secure communication credentials.
6. The method of claim 3, wherein constructing the evidence storage information based on the data comprises:
constructing the evidence storage information based on the data and the user information of the first user.
7. The method of claim 3, wherein the configuration information further comprises an extension information type;
constructing the evidence storage information based on the data comprises:
determining extension information corresponding to the data based on the extension information type contained in the configuration information;
and constructing the evidence storage information based on the data and the extension information corresponding to the data.
8. The method of claim 3, wherein the configuration information further comprises evidence storage mode information for specifying one of the following evidence storage modes:
a data evidence storage mode, in which the data is encapsulated into the evidence storage information;
a data hash evidence storage mode, in which the hash value of the data is encapsulated into the evidence storage information;
a data link evidence storage mode, in which a viewing link established by the data storage system for the data is encapsulated into the evidence storage information;
and a data privacy evidence storage mode, in which the data is stored as evidence after the privacy information specified by the first user is added into the data.
9. The method of claim 3, further comprising:
returning the hash value of the evidence storage information corresponding to the data to the first user, and/or storing the association between the hash value of the evidence storage information corresponding to the data and the data.
10. The method of claim 3, wherein determining whether evidence of the data accessible through the data access interface has been stored in the blockchain comprises:
for the data accessible through the data access interface, if it is determined that no configuration information matching the data exists, determining that evidence of the data has not been stored in the blockchain;
if it is determined that configuration information matching the data exists, constructing the evidence storage information corresponding to the data based on the data and the configuration information;
and determining whether the evidence storage information corresponding to the data has been stored in the blockchain; if so, determining that evidence of the data has been stored in the blockchain, and if not, determining that evidence of the data has not been stored in the blockchain.
11. The method of claim 1, further comprising:
after the data access interface is provided for the second user to call, recording the second user's call to the data access interface.
12. A data storage system in accordance with the method of any one of claims 1 to 11.
13. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method of any one of claims 1 to 11.
14. A computing device comprising a memory, a processor; the memory is for storing computer instructions executable on the processor for implementing the method of any one of claims 1 to 11 when the computer instructions are executed.
CN202111433788.1A 2021-11-29 2021-11-29 Control method, device, medium and equipment of data access interface Pending CN114239056A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111433788.1A CN114239056A (en) 2021-11-29 2021-11-29 Control method, device, medium and equipment of data access interface

Publications (1)

Publication Number Publication Date
CN114239056A true CN114239056A (en) 2022-03-25

Family

ID=80751837

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111433788.1A Pending CN114239056A (en) 2021-11-29 2021-11-29 Control method, device, medium and equipment of data access interface

Country Status (1)

Country Link
CN (1) CN114239056A (en)

Similar Documents

Publication Publication Date Title
US11153092B2 (en) Dynamic access control on blockchain
US11831656B2 (en) Providing data authorization based on blockchain
CN110457875B (en) Data authorization method and device based on block chain
WO2021184963A1 (en) Contract calling method and apparatus
US11057189B2 (en) Providing data authorization based on blockchain
JP7236992B2 (en) Methods and systems implemented by blockchain
TWI701573B (en) Data storage method and device based on blockchain, and electronic equipment
CN111475849B (en) Private data query method and device based on blockchain account
US20240013210A1 (en) Data Processing System Utilising Distributed Ledger Technology
CN111681007B (en) Credit scoring method, transaction method and related device for blockchain
CN110580412B (en) Permission query configuration method and device based on chain codes
CA3017579A1 (en) Systems and methods for providing a personal distributed ledger
TW201935377A (en) Asset management method and device and electronic equipment
CN111475850B (en) Intelligent contract-based privacy data query method and device
CN111814172A (en) Method, device and equipment for acquiring data authorization information
CN106559389A (en) A kind of Service Source issue, call method, device, system and cloud service platform
CN115277122A (en) Cross-border data flow and supervision system based on block chain
CN114239056A (en) Control method, device, medium and equipment of data access interface
CN115048672A (en) Data auditing method and device based on block chain, processor and electronic equipment
CN113507432A (en) Alliance link authority management method and device
WO2023069505A1 (en) Non-transferable token
CN116074126A (en) Identity management method and device based on intelligent contract
Karimli Cloud Computing Security Problems and Solution Methods
CN115131030A (en) Copyright transaction method and device based on block chain
CN115664718A (en) Cross-chain calling method and device for intelligent contract

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination