CN114372254A - Authentication method, data access control method, server, equipment and system - Google Patents

Info

Publication number: CN114372254A
Authority: CN (China)
Prior art keywords: terminal, data, access, authentication, cloud agent
Legal status: Granted (Active)
Application number: CN202110937408.1A
Language: Chinese (zh)
Other versions: CN114372254B (en)
Inventors: 唐祎飞, 刘锦, 杨芬, 刘婧, 覃艺, 赵志翔
Current assignee: Cec Cyberspace Great Wall Co ltd
Original assignee: Cec Cyberspace Great Wall Co ltd
Events: application filed by Cec Cyberspace Great Wall Co ltd; priority to CN202110937408.1A; publication of CN114372254A; application granted; publication of CN114372254B.

Classifications

    • G06F21/44 Program or device authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database (under G06F21/62, G06F21/60)
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (under G06F21/60)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses an authentication method, a data access control method, a server, a device and a system. The method comprises: performing a first authentication of the terminal to be connected against preset terminal information and the acquired information of that terminal, to obtain a first authentication result; when the first authentication result is that the terminal to be connected passes authentication and a communication security credential is obtained, generating a connection request from the communication security credential and the information of the terminal to be connected and sending it to the cloud agent analysis device, so that the cloud agent analysis device authenticates the terminal to be connected a second time; and, in response to the connection response fed back by the cloud agent analysis device, determining whether the terminal to be connected has permission to access the data, where the connection response is determined by the cloud agent analysis device by analyzing the communication security credential of the terminal to be connected against the data access policy configured by the data authorization management server. Data stored on the big data platform is thereby protected from being stolen by an illegitimate terminal, and the security of data access is improved.

Description

Authentication method, data access control method, server, equipment and system
Technical Field
The present application relates to the field of data security technologies, and in particular, to an authentication method, a data access control method, a server, a device, and a system.
Background
With the development of big data technology, more and more data is stored on big data platforms. A big data platform can integrate heterogeneous data and enable data sharing and exchange across platforms, industries and departments. The data services it provides may include any one or more of adding, deleting, modifying and querying data, together with access control for those services. Typically, a distributed storage architecture is used to store the data centrally on the platform.
Such a distributed storage architecture comprises a client, a metadata server and a data server. The client sends read and write requests and caches file metadata and file data. The metadata server manages the metadata and handles client requests, and is the core component of the whole system. The data server stores the file data and ensures its availability and integrity. Although this architecture scales both system performance and data capacity, it cannot guarantee the security of data access: if a client is verified incorrectly, an illegitimate user gains access to the big data platform.
Disclosure of Invention
The application therefore provides an authentication method, a data access control method, a server, a device and a system, which address the problem of how to improve the security of data access.
In order to achieve the above object, a first aspect of the present application provides an authentication method, comprising: performing a first authentication of the terminal to be connected against preset terminal information and the acquired information of the terminal to be connected, to obtain a first authentication result; when the first authentication result is that the terminal to be connected passes authentication and a communication security credential is obtained, generating a connection request from the communication security credential and the information of the terminal to be connected and sending it to the cloud agent analysis device, so that the cloud agent analysis device authenticates the terminal to be connected a second time; and, in response to the connection response fed back by the cloud agent analysis device, determining whether the terminal to be connected has permission to access the data, where the connection response is determined by the cloud agent analysis device by analyzing the communication security credential of the terminal to be connected against the data access policy configured by the data authorization management server.
In some specific implementations, performing the first authentication of the terminal to be connected against the preset terminal information and the acquired information of the terminal to be connected to obtain the first authentication result comprises:
receiving a registration application message sent by the terminal to be connected, the message containing the information of the terminal to be connected;
comparing the preset terminal information with the information of the terminal to be connected;
determining that the terminal to be connected passes authentication when the preset terminal information is the same as the information of the terminal to be connected;
and generating a registration response and sending it to the terminal to be connected and to the cloud agent analysis device, the registration response containing a communication security credential, which in turn contains the user permission corresponding to the terminal to be connected.
In some specific implementations, when the first authentication result is that the terminal to be connected passes authentication and the communication security credential is obtained, before generating the connection request from the communication security credential and the information of the terminal to be connected and sending it to the cloud agent analysis device, the method further comprises:
obtaining the identifier of the target cloud agent analysis device that the data authorization management server has configured for the current server, the target cloud agent analysis device being the device that the data authorization management server screened from a plurality of cloud agent analysis devices according to the user permission corresponding to a preset terminal and a preset data type, in the case where the user permission corresponding to the terminal to be connected is the same as the user permission corresponding to that preset terminal;
and establishing a communication connection between the current server and the target cloud agent analysis device.
In some specific implementations, determining, in response to the connection response fed back by the cloud agent analysis device, whether the terminal to be connected has permission to access the data comprises:
receiving the connection response fed back by the target cloud agent analysis device, the connection response containing an analysis result;
determining that the terminal to be connected has permission to access data of the preset data type when the analysis result is that the terminal to be connected has passed verification by the target cloud agent analysis device; otherwise, determining that the terminal to be connected does not have permission to access data of the preset data type.
In some specific implementations, after determining, in response to the connection response fed back by the cloud agent analysis device, whether the terminal to be connected has permission to access the data, the method further comprises:
when the terminal to be connected is determined to have permission to access data of the preset data type, logging in to the data server corresponding to the cloud agent analysis device, so that the terminal to be connected obtains data of the preset data type from that data server.
In order to achieve the above object, a second aspect of the present application provides an authentication method, comprising:
obtaining a data access policy and a preset access permission configured by the data authorization management server, the preset access permission representing which data types the current device is permitted to access;
receiving a connection request sent by the authentication server, the connection request containing the information of the terminal to be connected and a communication security credential, where the communication security credential represents that the authentication server has authenticated the terminal to be connected, and the information of the terminal to be connected includes the user permission corresponding to that terminal;
determining, from the user permission corresponding to the terminal to be connected and the preset access permission, whether the terminal to be connected has permission to access the current device;
when the terminal to be connected is determined to have permission to access the current device, analyzing its communication security credential according to the data access policy to generate an analysis result;
generating a connection response from the analysis result and sending it to the authentication server, so that the authentication server determines whether the terminal to be connected has permission to access the data;
and sending the analysis result to the data authorization management server, so that the data authorization management server checks the analysis result and determines whether the terminal to be connected is allowed to access the data.
In some implementations, the data access policy includes any one or more of: the user permissions corresponding to the preset terminals, a plurality of preset data types, the identifiers of the cloud agent analysis devices, and the identifiers of the authentication servers;
an authentication server corresponds to a plurality of cloud agent analysis devices, and each cloud agent analysis device has permission to access data of a preset data type.
In some implementations, the communication security credential includes the user permission corresponding to the terminal to be connected, and analyzing that credential according to the data access policy to generate the analysis result, once the terminal to be connected is determined to have permission to access the current device, comprises:
matching the user permission corresponding to the terminal to be connected against the user permissions corresponding to a plurality of preset terminals to obtain the user permission corresponding to a target terminal, where the user permission of the target terminal is the same as that of the terminal to be connected, the target terminal corresponds to the current device, and the current device has permission to access data of a target data type;
and determining, from the user permission corresponding to the target terminal, that the terminal to be connected passes verification, and generating an analysis result representing that the current device has verified the terminal to be connected.
In some specific implementations, after analyzing the communication security credential of the terminal to be connected according to the data access policy and generating and sending the connection response to the data access permission determining device, the method further comprises:
obtaining a data access request sent by the terminal to be connected;
and verifying the data access request to determine whether it is legitimate.
In order to achieve the above object, a third aspect of the present application provides a data access control method, comprising:
generating a plurality of data access policies and sending them to a plurality of cloud agent analysis devices, so that when a cloud agent analysis device obtains a connection request from the terminal to be connected, forwarded by the authentication server, it analyzes the communication security credential of the terminal according to the data access policy and generates and sends a connection response to the authentication server, so that the authentication server determines whether the terminal to be connected has permission to access the data, where the connection request contains the information and the communication security credential of the terminal to be connected;
obtaining the analysis result sent by the cloud agent analysis device, the analysis result representing whether the cloud agent analysis device has verified the terminal to be connected;
and determining, from the analysis result, whether the terminal to be connected is allowed to access the data.
In some implementations, after determining from the analysis result whether the terminal to be connected is allowed to access the data, the method further comprises:
when the terminal to be connected is determined to be allowed to access the data, monitoring its data access and generating data access control log information;
where the data access control log information includes any one or more of: data access time, data access user information, matched data access policy information, data resource information, data type information, access result information, and access terminal information.
In some specific implementations, after generating the plurality of data access policies and sending them to the plurality of cloud agent analysis devices, the method further comprises:
updating the plurality of data access policies at preset time intervals;
and sending each updated data access policy to its cloud agent analysis device according to the identifier of that device.
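The three aspects above (first authentication and credential issuance on the authentication server, second authentication on the cloud agent analysis device, policy configuration and final check on the data authorization management server) fit together as one admission flow. The following Python sketch is an added example, not code from the patent or its assignee: it runs all three roles in one process with constructed policies and terminals and shows the four outcomes the summary distinguishes, namely that a terminal absent from the preset list gets no credential, that a vetted terminal reaches the device screened for its permission and data type, that a request for a data type its permission does not cover finds no target device, and that a credential whose permission field was altered after issuance fails at the device. Everything beyond the role names is an assumption: the message field names, the rule that user, terminal identifier and security identifier must all match the preset entry (the page gives each as a separate example), and the HMAC-SHA256 tag over the credential, since the page does not say how the credential is made unforgeable.

```python
import hashlib
import hmac
import json
import time

# Assumption: the page does not say how the communication security credential is
# protected; an HMAC-SHA256 tag under a key shared by the authentication server
# and the cloud agent analysis devices stands in for that here.
CREDENTIAL_KEY = b"constructed-demo-key-not-for-production"


def credential_tag(body: dict) -> str:
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CREDENTIAL_KEY, encoded, hashlib.sha256).hexdigest()


class DataAuthorizationManagementServer:  # third aspect: policies, screening, final check, log
    def __init__(self, policies: dict):
        self.policies = policies  # keyed by cloud agent identifier
        self.access_log = []

    def target_agent(self, permission: str, data_type: str):
        # Screen the devices for the one configured for this permission and data type.
        for agent_id, policy in self.policies.items():
            if policy["permission"] == permission and policy["data_type"] == data_type:
                return agent_id
        return None

    def check_result(self, agent_id: str, terminal: dict, result: dict) -> bool:
        # The device's verdict is re-checked against the policy this server issued to it.
        policy = self.policies[agent_id]
        allowed = result["verified"] and result.get("data_type") == policy["data_type"]
        self.access_log.append({  # fields named in the summary
            "access_time": time.time(), "user": terminal["user"], "matched_policy": agent_id,
            "data_type": policy["data_type"], "result": "allow" if allowed else "deny",
            "terminal_id": terminal["terminal_id"]})
        return allowed


class CloudAgentAnalysisDevice:  # second aspect: authenticates the terminal again
    def __init__(self, agent_id: str, mgmt: DataAuthorizationManagementServer):
        self.agent_id, self.mgmt = agent_id, mgmt
        self.policy = mgmt.policies[agent_id]           # pushed by the management server
        self.preset_access = self.policy["permission"]  # permission this device serves

    def handle_connection_request(self, terminal: dict, credential: dict) -> dict:
        body = credential["body"]
        if not hmac.compare_digest(credential_tag(body), credential["tag"]):
            result = {"verified": False, "reason": "credential tag mismatch"}
        elif body["terminal_id"] != terminal["terminal_id"]:
            result = {"verified": False, "reason": "credential issued to another terminal"}
        elif body["permission"] != self.preset_access:
            result = {"verified": False, "reason": "permission does not cover this device"}
        else:
            result = {"verified": True, "data_type": self.policy["data_type"]}
        self.mgmt.check_result(self.agent_id, terminal, result)  # copy to the management server
        return {"analysis_result": result}                       # connection response


class AuthenticationServer:  # first aspect: first authentication, credential, hand-off
    def __init__(self, server_id: str, preset_terminals: dict, mgmt, agents: dict):
        self.server_id, self.preset_terminals = server_id, preset_terminals
        self.mgmt, self.agents = mgmt, agents

    def register(self, terminal: dict):
        # First authentication: user, terminal identifier and security identifier must
        # all equal the pre-stored entry (assumed rule); otherwise no credential is issued.
        preset = self.preset_terminals.get(terminal["terminal_id"])
        if preset is None or any(preset[k] != terminal[k] for k in ("user", "security_id")):
            return None
        body = {"terminal_id": terminal["terminal_id"], "permission": preset["permission"],
                "issuer": self.server_id}
        return {"body": body, "tag": credential_tag(body)}

    def request_data_access(self, terminal: dict, credential: dict, data_type: str) -> bool:
        agent_id = self.mgmt.target_agent(credential["body"]["permission"], data_type)
        if agent_id is None:
            return False  # no device is configured for this permission and data type
        response = self.agents[agent_id].handle_connection_request(terminal, credential)
        return response["analysis_result"]["verified"]


def run_scenarios() -> dict:
    # Constructed setup: two devices, one vetted terminal, four admission attempts.
    mgmt = DataAuthorizationManagementServer({
        "agent-finance": {"permission": "finance-analyst", "data_type": "ledger"},
        "agent-ops": {"permission": "ops-engineer", "data_type": "telemetry"}})
    agents = {aid: CloudAgentAnalysisDevice(aid, mgmt) for aid in mgmt.policies}
    preset = {"T-1001": {"user": "alice", "security_id": "SEC-A1", "permission": "finance-analyst"}}
    auth = AuthenticationServer("auth-1", preset, mgmt, agents)
    alice = {"terminal_id": "T-1001", "user": "alice", "security_id": "SEC-A1"}
    cred = auth.register(alice)
    forged = {"body": dict(cred["body"], permission="ops-engineer"), "tag": cred["tag"]}
    return {
        "unknown_terminal_gets_credential":
            auth.register({"terminal_id": "T-9", "user": "mallory", "security_id": "X"}) is not None,
        "ledger_for_alice": auth.request_data_access(alice, cred, "ledger"),
        "telemetry_for_alice": auth.request_data_access(alice, cred, "telemetry"),
        "telemetry_with_forged_credential": auth.request_data_access(alice, forged, "telemetry"),
        "log_entries": len(mgmt.access_log)}
```

The point of the split is that the cloud agent analysis device does not take the permission named in the connection request at face value: it checks that the credential is intact, that it was issued to the requesting terminal, and that the permission matches the preset access permission it received from the management server, and the management server records and re-checks every verdict. Without some integrity mechanism on the credential, the second authentication would only re-read fields the terminal itself could have written, which is why the example assumes one.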
In order to achieve the above object, a fourth aspect of the present application provides an authentication server comprising:
an authentication module configured to perform the first authentication of the terminal to be connected against the preset terminal information and the acquired information of the terminal to be connected, and to obtain the first authentication result;
a processing module configured, when the first authentication result is that the terminal to be connected passes authentication and the communication security credential is obtained, to generate a connection request from the communication security credential and the information of the terminal to be connected and send it to the cloud agent analysis device, so that the cloud agent analysis device authenticates the terminal to be connected a second time;
and a permission determining module configured to determine, in response to the connection response fed back by the cloud agent analysis device, whether the terminal to be connected has permission to access the data, where the connection response is obtained by the cloud agent analysis device analyzing the communication security credential of the terminal to be connected against the data access policy configured by the data authorization management server.
In order to achieve the above object, a fifth aspect of the present application provides a cloud agent analysis device comprising:
a first acquisition module configured to obtain the data access policy and the preset access permission configured by the data authorization management server, the preset access permission representing which data types the current device is permitted to access;
a receiving module configured to receive the connection request sent by the authentication server, the connection request containing the information of the terminal to be connected and a communication security credential, where the communication security credential represents that the authentication server has authenticated the terminal to be connected, and the information of the terminal to be connected includes the user permission corresponding to that terminal;
a determining module configured to determine, from the user permission corresponding to the terminal to be connected and the preset access permission, whether the terminal to be connected has permission to access the current device;
an analysis module configured, when the terminal to be connected is determined to have permission to access the current device, to analyze its communication security credential according to the data access policy and generate an analysis result;
a first sending module configured to generate a connection response from the analysis result and send it to the authentication server, so that the authentication server determines whether the terminal to be connected has permission to access the data, the connection response containing the analysis result;
and a second sending module configured to send the analysis result to the data authorization management server, so that the data authorization management server checks the analysis result and determines whether the terminal to be connected is allowed to access the data.
In order to achieve the above object, a sixth aspect of the present application provides a data authorization management server comprising:
a policy generation module configured to generate a plurality of data access policies and send them to a plurality of cloud agent analysis devices, so that when a cloud agent analysis device obtains a connection request from the terminal to be connected, forwarded by the authentication server, it analyzes the communication security credential of the terminal according to the data access policy and generates and sends a connection response to the authentication server, so that the authentication server determines whether the terminal to be connected has permission to access the data, where the connection request contains the information and the communication security credential of the terminal to be connected;
a second acquisition module configured to obtain the analysis result sent by the cloud agent analysis device, the analysis result representing whether the cloud agent analysis device has verified the terminal to be connected;
and a determining module configured to determine, from the analysis result, whether the terminal to be connected is allowed to access the data.
In order to achieve the above object, a seventh aspect of the present application provides an authentication system comprising: a terminal to be connected, configured to acquire user information, generate a registration application message from the user information, its own identifier and its security identifier and send it to the authentication server, and, once authentication by the authentication server, the cloud agent analysis device and the data authorization management server is confirmed, obtain data of the preset data type stored on the big data platform; an authentication server configured to execute any of the authentication methods performed by an authentication server in the embodiments of the present application; a cloud agent analysis device configured to execute any of the authentication methods performed by a cloud agent analysis device in the embodiments of the present application; a data authorization management server configured to execute any of the data access control methods in the embodiments of the present application; and a big data platform configured to store data of the preset data types for use by the terminal to be connected.
According to the authentication method, the data access control method, the server, the device and the system of the present application, the terminal to be connected is first authenticated against the preset terminal information and its acquired information, giving a first authentication result, so that the information of the terminal is verified before a communication security credential is issued; then, when the first authentication result is that the terminal to be connected passes authentication and the credential is obtained, a connection request is generated from the credential and the terminal information and sent to the cloud agent analysis device, so that the cloud agent analysis device authenticates the terminal a second time, improving the accuracy with which the terminal is identified; and, in response to the connection response fed back by the cloud agent analysis device, it is determined whether the terminal to be connected has permission to access the data, the connection response being determined by the cloud agent analysis device by analyzing the credential against the data access policy configured by the data authorization management server. Because the data access permission of the terminal to be connected is verified by multiple devices, data stored on the big data platform is protected from being stolen or tampered with by an illegitimate terminal, and the security of data access is improved.
Drawings
The accompanying drawings are included to provide a further understanding of the embodiments of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application. The above and other features and advantages will become more apparent to those skilled in the art by describing in detail exemplary embodiments thereof with reference to the attached drawings, in which:
Fig. 1 is a schematic flowchart of an authentication method according to an embodiment of the present application.
Fig. 2 is a schematic flowchart of an authentication method according to another embodiment of the present application.
Fig. 3 is a flowchart of an authentication method according to still another embodiment of the present application.
Fig. 4 is a schematic flowchart of a data access control method according to an embodiment of the present application.
Fig. 5 is a block diagram of an authentication server according to an embodiment of the present application.
Fig. 6 is a block diagram of a cloud agent analysis device according to an embodiment of the present application.
Fig. 7 is a block diagram of a data authorization management server according to an embodiment of the present application.
Fig. 8 is a block diagram of an authentication system according to an embodiment of the present application.
Fig. 9 is a schematic flowchart of a working method of an authentication system according to an embodiment of the present application.
Detailed Description
The following detailed description of embodiments of the present application will be made with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present application, are given by way of illustration and explanation only, and are not intended to limit the present application. It will be apparent to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present application by illustrating examples thereof.
At present, the security authorization mechanisms of big data platforms include the access control mechanism of the open-source Apache Ranger, Apache Sentry, and the Access Control List (ACL) based access control native to big data platforms. Apache Ranger is a centralized security management framework that addresses access authorization and auditing of data.
However, these access control mechanisms have certain problems in application scenarios with high security requirements for the big data platform, and pose potential security hazards for network access to it. For example, data on a communication link or physical link may be eavesdropped; a terminal accessing data remotely may escape the supervision of the access control mechanism and operate without authorization; and, because the existing access control mechanisms cannot monitor access to the big data platform by an illegitimate terminal, data may be stolen by such a terminal and leaked.
To address these problems, the present application provides an authentication method, described in detail below. Fig. 1 shows a schematic flowchart of an authentication method according to an embodiment of the present application. The method is applicable to an authentication server. As shown in Fig. 1, the authentication method in this embodiment may include the following steps.
Step S101: performing a first authentication of the terminal to be connected against the preset terminal information and the acquired information of the terminal to be connected, and obtaining a first authentication result.
The information of the terminal to be connected is information about that terminal acquired by a client installed on it (for example, application software provided for the user to operate). For example, it may include any one or more of: information about the user of the terminal to be connected, the identifier of the terminal to be connected, and the security identifier of the terminal to be connected. The preset terminal information is information about a plurality of preset terminals that have already passed security authentication and is stored in advance by the authentication server.
For example, the preset terminal information is searched using the identifier of the terminal to be connected; if a preset terminal with the same identifier as the terminal to be connected is found among the plurality of preset terminal entries, the terminal to be connected is determined to pass authentication; otherwise it is determined not to pass authentication.
Likewise, if a preset terminal whose user information is the same as that of the terminal to be connected is found among the preset terminal entries, the terminal to be connected is determined to pass authentication; otherwise it is determined not to pass authentication.
Likewise, if a preset terminal with the same security identifier as the terminal to be connected is found among the preset terminal entries, the terminal to be connected is determined to pass authentication; otherwise it is determined not to pass authentication.
Step S102: when the first authentication result is that the terminal to be connected passes authentication and a communication security credential has been obtained, generate and send a connection request to the cloud agent analysis device according to the communication security credential and the information of the terminal to be connected.
On receiving the connection request, the cloud agent analysis device parses the request message, extracts the communication security credential and the information of the terminal to be connected, and authenticates the terminal to be connected again based on both, so as to ensure that the terminal to be connected is a legitimate terminal.
Step S103, responding to the connection response fed back by the cloud agent analysis equipment, and determining whether the terminal to be connected has the authority of accessing data.
The connection response is determined by analyzing the communication security certificate of the terminal to be connected based on the data access strategy configured by the data authorization management server by the cloud agent analysis equipment.
It should be noted that, when the connection response is determined to include an identifier indicating that the cloud agent analysis device has verified the terminal to be connected, the terminal to be connected is determined to have the right to access data; otherwise it is determined not to have the right to access data.
In this embodiment, the terminal to be connected is first authenticated according to the preset terminal information and the acquired information of the terminal to be connected, giving a first authentication result; the information of the terminal to be connected can thus be verified first in order to obtain a communication security credential. Then, when the first authentication result is that the terminal to be connected passes authentication and a communication security credential has been obtained, a connection request is generated and sent to the cloud agent analysis device according to the communication security credential and the information of the terminal to be connected, so that the cloud agent analysis device authenticates the terminal to be connected again, improving the accuracy of the authentication. Finally, in response to the connection response fed back by the cloud agent analysis device, it is determined whether the terminal to be connected has the right to access data, where the connection response is determined by the cloud agent analysis device analyzing the communication security credential of the terminal to be connected based on the data access policy configured by the data authorization management server. Because the data access right of the terminal to be connected is verified by multiple devices, data stored in the big data platform is protected from being stolen or tampered with by an illegitimate terminal, and the security of data access is improved.
In some specific implementations, according to preset terminal information and acquired information of a terminal to be connected, performing first authentication on the terminal to be connected to obtain a first authentication result, including: receiving a registration application message sent by a terminal to be connected, wherein the registration application message comprises information of the terminal to be connected; comparing preset terminal information with information of a terminal to be connected; determining that the terminal to be connected passes authentication under the condition that the preset terminal information is the same as the information of the terminal to be connected; and generating and sending a registration response to the terminal to be connected and the cloud agent analysis equipment.
The registration response comprises a communication security certificate, and the communication security certificate comprises a user right corresponding to the terminal to be connected.
Comparing the preset terminal information with the information of the terminal to be connected means, for example: comparing the information of the user using the terminal to be connected with the user information of the preset terminal to obtain a first comparison result; comparing the identifier of the terminal to be connected with the identifier of the preset terminal to obtain a second comparison result; and comparing the security identifier of the terminal to be connected with the preset security identifier of the preset terminal to obtain a third comparison result. When all three comparison results indicate a match, the terminal to be connected is determined to pass authentication, and a communication security credential is sent to it so that it can securely access the network.
At the same time, a registration response including the communication security credential is sent to both the terminal to be connected and the cloud agent analysis device, so that the cloud agent analysis device learns that the terminal to be connected has passed the authentication of the authentication server.
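The first authentication and registration response described above, written out as an added example (it is not code from the patent or its applicant). The preset terminal table, field names, the use of an HMAC tag inside the credential, and the shared key are all assumptions made for the example; the page only says the credential contains the user right. The example also shows the failure case the three-way comparison is there to catch: a registration message whose identifier and user match a preset terminal but whose security identifier does not.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed table of preset terminals that already passed security
# authentication and are stored in advance by the authentication server
# (assumption: keyed by terminal identifier; field names are illustrative).
PRESET_TERMINALS = {
    "term-001": {"user": "alice", "security_id": "sec-aaaa", "user_right": "finance-read"},
    "term-002": {"user": "bob", "security_id": "sec-bbbb", "user_right": "ops-read"},
}

# Assumption: the credential carries an integrity tag under a key held by the
# authentication server, so the user right inside it cannot be edited without
# the tag ceasing to match. This key is constructed for the example only.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def credential_tag(terminal_id: str, user_right: str, nonce: str) -> str:
    """Integrity tag binding terminal identifier, user right and nonce together."""
    msg = f"{terminal_id}|{user_right}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_credential(terminal_id: str, user_right: str) -> dict:
    """Communication security credential; per the page it carries the user right."""
    nonce = secrets.token_hex(8)
    return {
        "terminal_id": terminal_id,
        "user_right": user_right,
        "nonce": nonce,
        "tag": credential_tag(terminal_id, user_right, nonce),
    }


def compare_with_preset(reg_msg: dict) -> Tuple[Optional[dict], Tuple[bool, bool, bool]]:
    """The three comparisons of the registration message against the preset table.
    Returns the matching preset record (or None) and
    (first, second, third) = (user info, identifier, security identifier)."""
    preset = None
    for terminal_id, record in PRESET_TERMINALS.items():
        if terminal_id == reg_msg["terminal_id"]:
            preset = record
            break
    second = preset is not None
    if not second:
        return None, (False, False, False)
    first = preset["user"] == reg_msg["user"]
    # Constant-time comparison: a wrong security identifier should not be
    # distinguishable from a right one by how long the check takes.
    third = hmac.compare_digest(preset["security_id"].encode(),
                                reg_msg["security_id"].encode())
    return preset, (first, second, third)


def first_authentication(reg_msg: dict) -> dict:
    """Step S101 on one registration application message.
    Authentication passes only when all three comparison results agree."""
    preset, results = compare_with_preset(reg_msg)
    passed = all(results)
    credential = issue_credential(reg_msg["terminal_id"], preset["user_right"]) if passed else None
    return {"passed": passed, "comparison": results, "credential": credential}


def registration_response(auth: dict) -> Optional[dict]:
    """Registration response addressed to both the terminal and the cloud agent
    analysis device, so the device learns the terminal passed the server."""
    if not auth["passed"]:
        return None
    return {
        "recipients": ("terminal", "cloud_agent_analysis_device"),
        "credential": auth["credential"],
    }


if __name__ == "__main__":
    # Constructed registration messages: one genuine, one with a wrong security identifier.
    print(first_authentication({"terminal_id": "term-001", "user": "alice", "security_id": "sec-aaaa"}))
    print(first_authentication({"terminal_id": "term-001", "user": "alice", "security_id": "sec-zzzz"}))
```

The design point worth noting is that `all(results)` makes the three comparisons conjunctive: matching only the identifier (the first example in the text) would let a terminal that copied another terminal's identifier register, which the combined check refuses.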
Fig. 2 is a schematic flowchart illustrating an authentication method according to another embodiment of the present application. The authentication method is applicable to an authentication server. As shown in fig. 2, the authentication method in the embodiment of the present application may include the following steps.
Step S201, according to the preset terminal information and the obtained information of the terminal to be connected, the terminal to be connected is authenticated for the first time, and a first authentication result is obtained.
It should be noted that step S201 in this embodiment is the same as step S101 in the previous embodiment, and is not described herein again.
Step S202, acquiring the identifier of the target cloud agent analysis device configured by the data authorization management server for the current server.
The target cloud agent analysis device is the device that the data authorization management server selects from a plurality of cloud agent analysis devices according to the user right corresponding to the preset terminal and the preset data type, in the case where the user right corresponding to the terminal to be connected is the same as the user right corresponding to the preset terminal.
It should be noted that each cloud agent analysis device corresponds one-to-one to a data server in the big data platform. Each cloud agent analysis device is configured to access data of a preset data type, is the sole entry device for accessing its corresponding data server, and can monitor the operations of a terminal accessing that data server to keep the data access process secure.
Step S203, establishing a communication connection between the current server and the target cloud proxy analysis device.
For example, the current server may send a connection establishment request to the target cloud agent analysis device, and determine that a communication connection with the target cloud agent analysis device is established if the connection establishment response fed back by the target cloud agent analysis device includes an identifier indicating agreement to establish the connection.
And step S204, under the condition that the first authentication result is that the terminal to be connected passes the authentication and the communication security certificate is obtained, generating and sending a connection request to the cloud agent analysis equipment according to the communication security certificate and the information of the terminal to be connected.
On receiving the connection request, the cloud agent analysis device authenticates the terminal to be connected again. For example, the cloud agent analysis device may compare the communication security credential in the connection request with the communication security credential it stored in advance, and check whether the information of the terminal to be connected conforms to the preset terminal information. When the pre-stored communication security credential is the same as the one in the connection request, and the user right corresponding to the terminal to be connected is the same as the user right corresponding to the preset terminal, the cloud agent analysis device determines that the terminal to be connected passes re-verification and allows it to access data of the preset data type corresponding to the preset terminal; otherwise, the cloud agent analysis device determines that the terminal to be connected fails verification, and the terminal cannot access the related data. This further ensures the validity of the identity of the terminal to be connected.
Step S205, in response to the connection response fed back by the cloud agent analysis device, determining whether the terminal to be connected has the right to access the data.
Wherein the connection response comprises: the cloud agent analysis equipment passes the verification of the terminal to be connected, or the cloud agent analysis equipment does not pass the verification of the terminal to be connected.
Under the condition that the cloud agent analysis equipment is confirmed to pass the verification of the terminal to be connected, the terminal to be connected is confirmed to have the authority of accessing data; otherwise, determining that the terminal to be connected does not have the authority of accessing the data.
In some specific implementations, determining whether the terminal to be connected has the right to access the data in response to the connection response fed back by the cloud agent analysis device includes: receiving a connection response fed back by the target cloud agent analysis equipment, wherein the connection response comprises an analysis result; determining that the terminal to be connected has the authority to access the data of the preset data type under the condition that the analysis result is that the terminal to be connected passes the verification of the target cloud agent analysis equipment; otherwise, determining that the terminal to be connected does not have the authority of accessing the data of the preset data type.
It should be noted that the analysis result is obtained by the target cloud agent analysis device analyzing the communication security credential and the information of the terminal to be connected according to the data access policy configured by the data authorization management server. It therefore reflects the data authorization management server's verification of the data access policies applying to different terminals, which amounts to a third verification of the terminal to be connected and further ensures the validity and security of its data access.
In this embodiment, by obtaining the identifier of the target cloud agent analysis device configured by the data authorization management server for the current server, the current server can establish a communication connection with the target cloud agent analysis device, which lets that device re-verify the terminal to be connected later. When the first authentication result is that the terminal to be connected passes authentication and the communication security credential has been obtained, a connection request is generated and sent to the cloud agent analysis device according to the communication security credential and the information of the terminal to be connected, so that the cloud agent analysis device verifies the terminal again, improving verification accuracy. In response to the connection response fed back by the cloud agent analysis device, it is determined whether the terminal to be connected has the right to access data. Because the cloud agent analysis device analyzes the communication security credential and the information of the terminal to be connected in combination with the data access policy configured by the data authorization management server, a third level of verification is achieved, the legitimacy of the terminal to be connected is further ensured, and verification accuracy is improved.
In some specific implementations, after determining whether the terminal to be connected has the right to access the data in response to the connection response fed back by the cloud agent analysis device, the method further includes:
when the terminal to be connected is determined to have the right to access data of the preset data type, logging in to the data server corresponding to the cloud agent analysis device, so that the terminal to be connected obtains the data of the preset data type provided by that data server.
The cloud agent analysis device is the sole entry device for accessing data in the data server. By logging in through the cloud agent analysis device, the terminal to be connected obtains the data of the preset data type only indirectly, as forwarded by the cloud agent analysis device. This prevents the terminal to be connected from tampering with the data in the data server or performing operations beyond its authority, protects the data from damage, and improves data access security.
Fig. 3 is a flowchart illustrating an authentication method according to still another embodiment of the present application. The authentication method can be applied to the cloud agent analysis equipment. As shown in fig. 3, the authentication method in the embodiment of the present application may include the following steps.
Step S301, obtaining a data access policy and a preset access authority configured by the data authorization management server.
The preset access right represents the right to the data type information that the current device (namely the cloud agent analysis device) can access.
It should be noted that the data access policy is a policy determined by a plurality of data servers in the big data platform through data access control information and data attribute information, and the big data platform sends the data access policy to the data authorization management server, so that the data authorization management server can configure different data access policies for different cloud agent analysis devices.
In some implementations, the data access policy includes: any one or more of user permissions corresponding to the preset terminals, multiple preset data types, identifications of the cloud agent analysis devices and identifications of the authentication servers; the authentication server corresponds to a plurality of cloud agent analysis devices, and the cloud agent analysis devices have the authority of accessing data of preset data types.
Step S302, receiving a connection request sent by the authentication server.
The connection request includes the information of the terminal to be connected and the communication security credential. The communication security credential indicates that the authentication server has authenticated the terminal to be connected, and the information of the terminal to be connected includes the user right corresponding to the terminal to be connected.
Step S303, determining whether the terminal to be connected has the authority to access the current device according to the user authority corresponding to the terminal to be connected and the preset access authority.
For example, the user right corresponding to the terminal to be connected may cover access rights to data of multiple data types (e.g., an access right to first required data, an access right to second required data, … …, an access right to Kth required data, and so on, where K is the number of required data types and K is an integer greater than or equal to 1). The preset access right may likewise cover multiple types (e.g., a first preset data access right, a second preset data access right, … …, a Pth preset data access right, and so on, where P is the number of preset data types and P is an integer greater than or equal to 1). If, say, the access right to the first required data is the same as the third preset data access right, the terminal to be connected has the right to access the third preset data, which is data stored in the data server corresponding to the current cloud agent analysis device.
And step S304, under the condition that the terminal to be connected is determined to have the authority of accessing the current equipment, analyzing the communication security certificate of the terminal to be connected according to the data access strategy, and generating an analysis result.
Wherein, the analysis result comprises: and the authentication of the terminal to be connected passes or the authentication of the terminal to be connected does not pass.
For example, if the data access policy includes a communication security credential of the terminal to be connected, it is determined that the terminal to be connected passes authentication; otherwise, determining that the authentication of the terminal to be connected is not passed. The terminal to be connected can be quickly authenticated, and authentication efficiency is improved.
Step S305, generating and sending a connection response to the authentication server according to the analysis result.
Wherein the connection response includes the analysis result. When receiving the connection response, the authentication server can determine whether the terminal to be connected has the authority to access the data according to the analysis result in the connection response.
Step S306, sending the analysis result to the data authorization management server.
In the case where it is determined that the data authority management server receives the analysis result, the data authority management server checks the analysis result and determines whether to allow the terminal to be connected to access the data.
In this embodiment, the information and the communication security credential of the terminal to be connected are obtained by receiving a connection request sent by the authentication server. Then, according to the user right corresponding to the terminal to be connected and the preset access right configured by the data authorization management server, it is determined whether the terminal to be connected has the right to access the current device, i.e. the access right of the terminal is authenticated. When the terminal to be connected is determined to have the right to access the current device, its communication security credential is analyzed according to the data access policy configured by the data authorization management server to generate an analysis result, i.e. the communication security credential is authenticated. A connection response is generated and sent to the authentication server according to the analysis result, so that the authentication server determines whether the terminal to be connected has the right to access data; at the same time the analysis result is sent to the data authorization management server, so that it checks the result and determines whether the terminal to be connected is allowed to access data. The terminal to be connected is thus analyzed and authenticated along multiple dimensions, it is determined whether it has the right to access data of the preset data type, and both the authentication server and the data authorization management server are informed, keeping authentication information synchronized, preventing illegal data access by a terminal that fails authentication, and improving data security.
In some implementations, the communication security credential includes the user right corresponding to the terminal to be connected, and analyzing the credential according to the data access policy to generate an analysis result (when the terminal to be connected is determined to have the right to access the current device) includes: matching the user right corresponding to the terminal to be connected against the user rights corresponding to a plurality of preset terminals to obtain the user right corresponding to a target terminal; and determining, according to the user right corresponding to the target terminal, that the terminal to be connected passes verification, and generating an analysis result indicating that the current device has verified the terminal to be connected.
The user right corresponding to the target terminal is the same as the user right corresponding to the terminal to be connected; the target terminal corresponds to the current device, and the current device has the right to access data of the target data type.
It should be noted that data of the target data type is stored in the data server corresponding to the current device, and the target data type is the type of data the target terminal can access. If the target terminal wishes to access data of the target data type, it must reach the data server through the current device, so that the current device can monitor the target terminal's data access process and keep it secure. Correspondingly, since the user right corresponding to the target terminal is the same as that of the terminal to be connected, the terminal to be connected is likewise monitored by the current device while it accesses data of the target data type stored in the data server through the current device, ensuring the legitimacy and safety of the data it accesses.
In some specific implementations, after analyzing the communication security credential of the terminal to be connected according to the data access policy and generating and sending a connection response to the data access permission determining device, the method further includes: obtaining a data access request sent by the terminal to be connected; and verifying the data access request to determine its legitimacy.
The data access request includes the data type of the data the terminal to be connected wishes to access. The legitimacy of the request can be determined by matching that data type against the pre-stored data types corresponding to the user right of the terminal to be connected.
For example, if the pre-stored data types corresponding to the user right of the terminal to be connected include the data type the terminal wishes to access, the data access request is determined to be legitimate and the terminal may access and use the corresponding data; otherwise it is determined that the terminal to be connected cannot access the data corresponding to the request.
Verifying each data access request in this way monitors the data the terminal to be connected accesses and uses in real time, prevents the terminal from tampering with the data, and keeps the data secure.
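The cloud agent analysis device side of the exchange (the re-verification described at step S204 of the previous embodiment, steps S303 to S306 above, and the data access request check just described), as an added example that is not the patent's own code. The policy layout, the way a preset access right is named after the data type it covers, the use of a canonical JSON form for comparing credentials, and the constructed credentials are all assumptions for the example.

```python
import hmac
import json
from typing import Set

# Constructed state of one cloud agent analysis device (the "current device").
# Step S301: data access policy and preset access rights configured by the
# data authorization management server (field names are assumptions).
DATA_ACCESS_POLICY = {
    "device_id": "agent-01",
    "auth_server_id": "auth-01",
    # user right the policy records for each preset terminal
    "preset_terminals": {"term-001": "finance-read", "term-007": "hr-read"},
    # communication security credentials learnt from registration responses
    "registered_credentials": {},
}
# Preset access rights: rights to the data types held by the data server behind this device.
PRESET_ACCESS_RIGHTS: Set[str] = {"finance-read", "hr-read"}
# Pre-stored data types each user right may access (used for later data access requests).
DATA_TYPES_BY_RIGHT = {"finance-read": {"finance-ledger"}, "hr-read": {"hr-roster"}}


def canonical(credential: dict) -> bytes:
    """Stable byte form so two credentials can be compared byte for byte."""
    return json.dumps(credential, sort_keys=True, separators=(",", ":")).encode()


def store_registration_response(credential: dict) -> None:
    """Device side of the registration response: pre-store the credential the
    authentication server issued for this terminal."""
    DATA_ACCESS_POLICY["registered_credentials"][credential["terminal_id"]] = canonical(credential)


def has_access_to_current_device(user_rights: Set[str]) -> bool:
    """Step S303: some right of the terminal matches a preset access right of this device."""
    return bool(user_rights & PRESET_ACCESS_RIGHTS)


def analyse_credential(terminal_id: str, credential: dict) -> str:
    """Step S304: compare the presented credential with the pre-stored one and
    check its user right against the policy. Returns "pass" or "fail"."""
    stored = DATA_ACCESS_POLICY["registered_credentials"].get(terminal_id)
    if stored is None:
        return "fail"  # this terminal never registered through the authentication server
    if not hmac.compare_digest(stored, canonical(credential)):
        return "fail"  # differs from what the authentication server told us
    if DATA_ACCESS_POLICY["preset_terminals"].get(terminal_id) != credential["user_right"]:
        return "fail"  # user right does not match the preset terminal's
    return "pass"


def handle_connection_request(conn_req: dict) -> dict:
    """Steps S302 to S306 for one connection request forwarded by the authentication server."""
    terminal = conn_req["terminal"]
    if not has_access_to_current_device(set(terminal["user_rights"])):
        result = "fail"
    else:
        result = analyse_credential(terminal["terminal_id"], conn_req["credential"])
    response = {"terminal_id": terminal["terminal_id"], "analysis_result": result}
    # S305 and S306: the same analysis result goes to the authentication server
    # and to the data authorization management server.
    return {"to_authentication_server": response, "to_data_authorization_server": response}


def verify_data_access_request(credential: dict, requested_type: str) -> bool:
    """Later data access request: the requested data type must be among the
    pre-stored data types for the terminal's user right."""
    allowed = DATA_TYPES_BY_RIGHT.get(credential["user_right"], set())
    return requested_type in allowed


if __name__ == "__main__":
    # Constructed credential as it would arrive in a registration response.
    cred = {"terminal_id": "term-001", "user_right": "finance-read", "nonce": "0a1b", "tag": "demo"}
    store_registration_response(cred)
    req = {"terminal": {"terminal_id": "term-001", "user_rights": ["finance-read"]}, "credential": cred}
    print(handle_connection_request(req))
    print(verify_data_access_request(cred, "hr-roster"))
```

Comparing the presented credential against the copy received in the registration response (rather than trusting whatever the request carries) is what makes the second check independent of the first: a credential with an edited user right, or one presented by a terminal that never registered, fails here even though the authentication server has already been passed.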
Fig. 4 is a schematic flowchart illustrating a data access control method according to an embodiment of the present application. The data access control method can be applied to a data authorization management server. As shown in fig. 4, the data access control method in the embodiment of the present application may include the following steps.
Step S401, generating and sending a plurality of data access policies to a plurality of cloud agent analysis devices.
When a cloud agent analysis device obtains a connection request from the terminal to be connected, forwarded by the authentication server, it analyzes the communication security credential of the terminal to be connected according to its data access policy and generates and sends a connection response to the authentication server, so that the authentication server can determine whether the terminal to be connected has the right to access data.
Wherein the connection request includes: information of the terminal to be connected and communication security credentials.
It should be noted that the data access policy corresponds to the cloud proxy analysis device, each cloud proxy analysis device has the corresponding data access policy, and according to the data access policy, different cloud proxy analysis devices have access to data of different data types, so that the data access efficiency is improved, and the security of data access can be ensured.
Step S402, obtaining an analysis result sent by the cloud agent analysis equipment.
The analysis result is used for representing whether the cloud agent analysis equipment passes the verification of the terminal to be connected. The analysis results include: the cloud agent analysis equipment passes the authentication of the terminal to be connected, or the cloud agent analysis equipment does not pass the authentication of the terminal to be connected.
Step S403, determining whether to allow the terminal to be connected to access the data according to the analysis result.
Determining that the terminal to be connected is allowed to access data under the condition that the analysis result is that the cloud agent analysis device passes the authentication of the terminal to be connected; otherwise, the terminal to be connected is not allowed to access the data.
In this embodiment, a plurality of data access policies are generated and sent to a plurality of cloud agent analysis devices, so that each cloud agent analysis device obtains its own data access policy. Using different policies lets the access modes of different data types be controlled separately, and using the cloud agent analysis devices as the sole entry points for data access prevents data theft and improves data access security. The analysis result sent by a cloud agent analysis device is then obtained, and from it whether the cloud agent analysis device has verified the terminal to be connected is determined. Whether the terminal to be connected is allowed to access data is decided according to that analysis result: access is allowed only when the cloud agent analysis device is determined to have verified the terminal, which ensures that the data is accessed by a legitimate terminal, prevents it from being stolen by an illegitimate one, and improves the security of data access.
In some implementations, after determining whether to allow the terminal to be connected to access the data according to the analysis result, the method further includes: and under the condition that the terminal to be connected is determined to be allowed to access the data, monitoring the data access process of the terminal to be connected, and generating data access control log information.
Wherein the data access control log information includes: any one or more of data access time, data access user information, data access matching policy information, data resource information, data type information, access result information, and access terminal information.
It should be noted that the data access control log information records the data access process along multiple dimensions, which facilitates later analysis of that process. From the log one can obtain the time at which the terminal to be connected accessed the data, the data access matching policy information used for the access (for example, the pre-configured data access policy), the data resource information (for example, the amount of memory space used), the quantity and type of data accessed, and the access result information of the terminal's final operation on the data (for example, any one or more of data modification, data addition, data deletion and data search). The access process is thus monitored comprehensively and data security is improved.
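A log record with the fields enumerated above, plus a monitoring pass over such records, as an added example that is not the patent's own code. The field names, the extra `user_right` field used to relate a record back to the terminal's right, the table of which access results each user right permits, and the sample records are all constructed assumptions; the page itself only lists the log fields and the kinds of access result.

```python
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed assumption: which access results (the operations the page names)
# each user right is expected to produce. Anything else is over-authority.
ALLOWED_RESULTS_BY_RIGHT = {
    "finance-read": {"search"},
    "finance-write": {"search", "add", "modify"},
}


@dataclass(frozen=True)
class DataAccessControlLog:
    """One log record: the fields the page enumerates, plus the user right
    (an assumption added so the monitor can relate a record to a policy)."""
    access_time: str          # data access time
    user: str                 # data access user information
    matched_policy: str       # data access matching policy information
    resource: str             # data resource information
    data_type: str            # data type information
    access_result: str        # access result: modify / add / delete / search
    terminal_id: str          # access terminal information
    user_right: str


def record_access(user: str, user_right: str, matched_policy: str, resource: str,
                  data_type: str, access_result: str, terminal_id: str,
                  when: Optional[datetime] = None) -> DataAccessControlLog:
    """Build one record while the data authorization management server monitors an access."""
    ts = (when or datetime.now(timezone.utc)).isoformat()
    return DataAccessControlLog(ts, user, matched_policy, resource, data_type,
                                access_result, terminal_id, user_right)


def to_log_lines(records: Iterable[DataAccessControlLog]) -> List[str]:
    """One JSON object per line, suitable for shipping to a log pipeline."""
    return [json.dumps(asdict(r), sort_keys=True) for r in records]


def over_authority(records: Iterable[DataAccessControlLog]) -> List[DataAccessControlLog]:
    """Records whose access result is an operation the user right does not permit."""
    return [r for r in records
            if r.access_result not in ALLOWED_RESULTS_BY_RIGHT.get(r.user_right, set())]


def count_by_terminal(records: Iterable[DataAccessControlLog]) -> Dict[str, Dict[str, int]]:
    """Per-terminal tally of access results, a cheap view for spotting unusual activity."""
    out: Dict[str, Dict[str, int]] = {}
    for r in records:
        out.setdefault(r.terminal_id, {})
        out[r.terminal_id][r.access_result] = out[r.terminal_id].get(r.access_result, 0) + 1
    return out


def sample_records() -> List[DataAccessControlLog]:
    """Constructed sample: two searches and one delete by a read-only terminal."""
    t0 = datetime(2021, 8, 16, 9, 0, tzinfo=timezone.utc)
    return [
        record_access("alice", "finance-read", "policy-agent-01", "32MB", "finance-ledger", "search", "term-001", t0),
        record_access("alice", "finance-read", "policy-agent-01", "8MB", "finance-ledger", "search", "term-001", t0),
        record_access("alice", "finance-read", "policy-agent-01", "1MB", "finance-ledger", "delete", "term-001", t0),
        record_access("carol", "finance-write", "policy-agent-01", "4MB", "finance-ledger", "modify", "term-003", t0),
    ]


if __name__ == "__main__":
    recs = sample_records()
    print("\n".join(to_log_lines(recs)))
    print([r.access_result for r in over_authority(recs)])
```

Because the cloud agent analysis device is the only path to the data server, the access result field is the device's own observation of what the terminal did, so a record showing an operation outside the terminal's user right is evidence the monitoring is worth acting on, not just a client-side claim.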
In some specific implementations, after generating and sending the plurality of data access policies to the plurality of cloud agent analysis devices, the method further includes: updating a plurality of data access strategies at preset time intervals; and sending the updated data access strategy to the cloud agent analysis equipment according to the identification of the cloud agent analysis equipment.
The preset time interval may be a preset length of time such as 1 minute or 5 minutes.
Different cloud agent analysis devices correspond to different data access policies, and the update frequency of the policy for each device may differ. When the data access policy for a certain data type in the big data platform is determined to have changed, the updated policy is sent, according to the identifier of the cloud agent analysis device, to the cloud agent analysis device corresponding to that data type, so that the device accesses data under the latest policy, improving data access efficiency.
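The data authorization management server side, covering the policy contents listed at step S301, the screening of a target cloud agent analysis device for a preset terminal (step S202 of the earlier embodiment), steps S401 to S403, and the interval-based policy update just described, as an added example that is not the patent's own code. The policy field names, the version counter, the outbox used to stand in for sending, and the sample policies are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class DataAccessPolicy:
    """Contents the page lists for a data access policy (field names assumed):
    user rights of preset terminals, preset data types, the cloud agent
    analysis device identifier and the authentication server identifier."""
    device_id: str
    auth_server_id: str
    user_rights: Set[str]
    data_types: Set[str]
    version: int = 1

    def snapshot(self) -> "DataAccessPolicy":
        return DataAccessPolicy(self.device_id, self.auth_server_id,
                                set(self.user_rights), set(self.data_types), self.version)


class DataAuthorizationManagementServer:
    def __init__(self, policies: List[DataAccessPolicy], update_interval_s: int = 60):
        self.policies: Dict[str, DataAccessPolicy] = {p.device_id: p for p in policies}
        self.update_interval_s = update_interval_s   # preset time interval (e.g. 60 or 300 s)
        self.last_update_at = 0
        # Stand-in for the network: (device identifier, policy) messages sent so far.
        self.sent: List[Tuple[str, DataAccessPolicy]] = []

    def send_all_policies(self) -> List[str]:
        """Step S401: each cloud agent analysis device gets its own policy."""
        for device_id, policy in self.policies.items():
            self.sent.append((device_id, policy.snapshot()))
        return list(self.policies)

    def screen_target_device(self, preset_user_right: str, data_type: str) -> List[str]:
        """Target device selection: devices whose policy covers both the user right
        corresponding to the preset terminal and the preset data type."""
        return sorted(d for d, p in self.policies.items()
                      if preset_user_right in p.user_rights and data_type in p.data_types)

    def update_for_data_type(self, now: int, data_type: str, user_rights: Set[str]) -> List[str]:
        """Periodic update: only once the interval has elapsed, and only to the
        devices (by identifier) whose policy covers the changed data type."""
        if now - self.last_update_at < self.update_interval_s:
            return []
        self.last_update_at = now
        updated = []
        for device_id, policy in self.policies.items():
            if data_type in policy.data_types:
                policy.user_rights = set(user_rights)
                policy.version += 1
                self.sent.append((device_id, policy.snapshot()))
                updated.append(device_id)
        return updated

    @staticmethod
    def allow_access(analysis_result: str) -> bool:
        """Steps S402 and S403: allow only when the device reports the terminal verified."""
        return analysis_result == "pass"


if __name__ == "__main__":
    # Constructed sample policies for two cloud agent analysis devices.
    server = DataAuthorizationManagementServer([
        DataAccessPolicy("agent-01", "auth-01", {"finance-read"}, {"finance-ledger"}),
        DataAccessPolicy("agent-02", "auth-01", {"hr-read"}, {"hr-roster"}),
    ])
    server.send_all_policies()
    print(server.screen_target_device("hr-read", "hr-roster"))
    print(server.update_for_data_type(now=60, data_type="finance-ledger",
                                      user_rights={"finance-read", "finance-write"}))
```

The version counter is the practical detail worth keeping: since each device holds its policy locally, a device that receives updates out of order or twice can discard anything older than what it already applies.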
An authentication server according to an embodiment of the present application is described in detail below with reference to the accompanying drawings. Fig. 5 shows a block diagram of an authentication server according to an embodiment of the present application. As shown in fig. 5, the authentication server 500 may include the following modules.
The authentication module 501 is configured to perform a first authentication of the terminal to be connected according to the preset terminal information and the acquired information of the terminal to be connected, so as to obtain a first authentication result. The processing module 502 is configured, when the first authentication result is that the terminal to be connected passes authentication and the communication security credential has been obtained, to generate and send a connection request to the cloud agent analysis device according to the communication security credential and the information of the terminal to be connected, so that the cloud agent analysis device re-authenticates the terminal to be connected. The permission determining module 503 is configured to determine, in response to a connection response fed back by the cloud agent analysis device, whether the terminal to be connected has the right to access data, where the connection response is obtained by the cloud agent analysis device analyzing the communication security credential of the terminal to be connected based on the data access policy configured by the data authorization management server.
In some implementations, the authentication module 501 is specifically configured to: receive a registration application message sent by the terminal to be connected, the registration application message including the information of the terminal to be connected; compare the preset terminal information with the information of the terminal to be connected; determine that the terminal to be connected passes authentication when the preset terminal information is the same as the information of the terminal to be connected; and generate and send a registration response to the terminal to be connected and to the cloud agent analysis device, the registration response including a communication security credential, and the communication security credential including the user right corresponding to the terminal to be connected.
In some implementations, the authentication server 500 further includes a module configured to: acquire the identifier of the target cloud agent analysis device configured by the data authorization management server for the current server, where the target cloud agent analysis device is the device that the data authorization management server selects from a plurality of cloud agent analysis devices according to the user right corresponding to a preset terminal and a preset data type, when the user right corresponding to the terminal to be connected is the same as the user right corresponding to the preset terminal; and establish a communication connection between the current server and the target cloud agent analysis device.
In some specific implementations, the permission determination module 503 is specifically configured to: receiving a connection response fed back by the target cloud agent analysis equipment, wherein the connection response comprises an analysis result; determining that the terminal to be connected has the authority to access the data of the preset data type under the condition that the analysis result is that the terminal to be connected passes the verification of the target cloud agent analysis equipment; otherwise, determining that the terminal to be connected does not have the authority of accessing the data of the preset data type.
In some implementations, the authentication server 500 further includes: and the login module is used for logging in a data server corresponding to the cloud agent analysis equipment under the condition that the to-be-connected terminal is determined to have the authority of accessing the data of the preset data type, so that the to-be-connected terminal can acquire the data of the preset data type provided by the data server.
In this embodiment, the authentication module performs first authentication on the terminal to be connected according to the preset terminal information and the acquired information of the terminal to be connected to obtain a first authentication result, verifying the terminal's information and yielding a communication security credential. Then, when the first authentication result is that the terminal to be connected passes authentication and the communication security credential has been obtained, the processing module generates and sends a connection request to the cloud agent analysis device according to the communication security credential and the information of the terminal to be connected, so that the cloud agent analysis device authenticates the terminal again, which improves the accuracy with which the terminal is verified. The permission determining module then determines, in response to the connection response fed back by the cloud agent analysis device, whether the terminal to be connected has permission to access data, where the connection response is obtained by the cloud agent analysis device analyzing the communication security credential of the terminal based on the data access policy configured by the data authorization management server. Because the data access authority of the terminal to be connected is verified by multiple devices, data stored in the big data platform is protected from being stolen or tampered with by an illegal terminal, and the security of data access is improved.
Fig. 6 shows a block diagram of a cloud agent analysis device according to an embodiment of the present application. As shown in fig. 6, the cloud agent analysis apparatus 600 may include the following modules.
A first obtaining module 601 is configured to obtain the data access policy and a preset access right configured by the data authorization management server, where the preset access right indicates which data types the current device may access. A receiving module 602 is configured to receive a connection request sent by the authentication server, where the connection request includes the information of the terminal to be connected and the communication security credential; the communication security credential indicates that the authentication server has passed the terminal to be connected, and the information of the terminal to be connected includes the user right corresponding to the terminal. A determining module 603 is configured to determine, according to the user right corresponding to the terminal to be connected and the preset access right, whether the terminal to be connected has the authority to access the current device. An analysis module 604 is configured to, when it is determined that the terminal to be connected has the authority to access the current device, analyze the communication security credential of the terminal according to the data access policy and generate an analysis result. A first sending module 605 is configured to generate and send a connection response, which includes the analysis result, to the authentication server according to the analysis result, so that the authentication server determines whether the terminal to be connected has the authority to access data. A second sending module 606 is configured to send the analysis result to the data authorization management server, so that the data authorization management server checks the analysis result and determines whether to allow the terminal to be connected to access the data.
In some implementations, the data access policy includes: any one or more of user permissions corresponding to the preset terminals, multiple preset data types, identifications of the cloud agent analysis devices and identifications of the authentication servers; the authentication server corresponds to a plurality of cloud agent analysis devices, and the cloud agent analysis devices have the authority of accessing data of preset data types.
In some implementations, the communication security credential includes the user right corresponding to the terminal to be connected, and the analysis module 604 is specifically configured to: match the user right corresponding to the terminal to be connected against the user rights corresponding to a plurality of preset terminals to obtain the user right corresponding to a target terminal, where the user right corresponding to the target terminal is the same as the user right corresponding to the terminal to be connected, the target terminal corresponds to the current device, and the current device has the authority to access data of a target data type; and determine, according to the user right corresponding to the target terminal, that the terminal to be connected passes verification, and generate an analysis result indicating that the current device has verified the terminal to be connected.
In some implementations, the cloud agent analysis device 600 further includes a module configured to acquire a data access request sent by the terminal to be connected, and to verify the data access request to determine whether it is legitimate.
In this embodiment, the receiving module receives the connection request sent by the authentication server and obtains the information and the communication security credential of the terminal to be connected. The determining module then determines, according to the user right corresponding to the terminal to be connected and the preset access right obtained from the data authorization management server, whether the terminal has the authority to access the current device; that is, the terminal's access authority is authenticated. When the terminal is determined to have the authority to access the current device, the analysis module analyzes the terminal's communication security credential according to the data access policy obtained from the data authorization management server and generates an analysis result; that is, the communication security credential is authenticated. The first sending module generates and sends a connection response to the authentication server according to the analysis result, so that the authentication server determines whether the terminal has the authority to access data, and at the same time the second sending module sends the analysis result to the data authorization management server, so that the data authorization management server checks the analysis result and determines whether the terminal is allowed to access the data.
The terminal to be connected is thus analyzed and authenticated along multiple dimensions to determine whether it has the authority to access data of the preset data type, and both the authentication server and the data authorization management server are informed, which keeps the authentication information synchronized, prevents a terminal that failed authentication from accessing data illegally, and improves data security.
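The decision made by modules 603 and 604, together with the per-request check on data access requests described above, can be written out as follows. This is an added example and not code from the patent or the applicant. It models a user right as the set of data types a terminal may access (the description gives accessible data types as the example of a user right), treats the preset access right as the set of data types the current device serves, and assumes an `operation` field on data access requests and a set of illegal operations; the description names only deleting data and implanting a virus as examples of illegal operations.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataAccessPolicy:
    """Data access policy as listed in the description: preset terminals' user
    rights, preset data types, device identifiers, authentication server identifiers."""
    preset_user_rights: dict      # preset terminal id -> frozenset of data types
    preset_data_types: frozenset
    device_ids: frozenset         # cloud agent analysis devices the policy covers
    auth_server_ids: frozenset    # authentication servers the device may accept requests from


@dataclass(frozen=True)
class ConnectionRequest:
    """Connection request as forwarded by the authentication server."""
    auth_server_id: str
    terminal_id: str
    user_right: frozenset         # carried in the terminal information
    has_credential: bool          # False if the authentication server did not pass the terminal


@dataclass(frozen=True)
class AnalysisResult:
    passed: bool
    target_data_types: frozenset  # data types the terminal may fetch through this device
    reason: str


ILLEGAL_OPERATIONS = frozenset({"delete", "implant"})   # assumption, see lead-in


class CloudAgentAnalysisDevice:
    def __init__(self, device_id, policy, preset_access_right):
        self.device_id = device_id
        self.policy = policy                             # module 601
        self.preset_access_right = preset_access_right   # data types this device serves
        self.sessions = {}                               # terminal id -> granted data types

    def analyze(self, req):
        """Modules 603 and 604: decide whether the terminal may use this device."""
        def deny(why):
            return AnalysisResult(False, frozenset(), why)
        if not req.has_credential:
            return deny("terminal did not pass the authentication server")
        if req.auth_server_id not in self.policy.auth_server_ids:
            return deny("authentication server not in the data access policy")
        if self.device_id not in self.policy.device_ids:
            return deny("data access policy does not cover this device")
        # module 603: the user right must reach a data type this device serves
        reachable = req.user_right & self.preset_access_right & self.policy.preset_data_types
        if not reachable:
            return deny("user right grants no data type served by this device")
        # module 604: the user right must equal that of a preset terminal in the policy
        targets = [t for t, r in self.policy.preset_user_rights.items() if r == req.user_right]
        if not targets:
            return deny("no preset terminal with this user right")
        self.sessions[req.terminal_id] = reachable
        return AnalysisResult(True, reachable, f"matched preset terminal {targets[0]}")

    def connection_response(self, result):
        """Modules 605 and 606: the same analysis result goes to the authentication
        server (inside the connection response) and to the data authorization server."""
        payload = {"verified": result.passed,
                   "data_types": sorted(result.target_data_types),
                   "reason": result.reason}
        return {"to_authentication_server": {"connection_response": payload},
                "to_data_authorization_server": payload}

    def check_access_request(self, terminal_id, data_type, operation):
        """Per-request supervision (step S912 and the abnormality handling that
        follows it): returns (allowed, reason); an illegal operation cancels the
        terminal's access authority immediately."""
        granted = self.sessions.get(terminal_id)
        if granted is None:
            return False, "terminal has no verified session on this device"
        if operation in ILLEGAL_OPERATIONS:
            del self.sessions[terminal_id]               # revoke for all later requests
            return False, f"illegal operation {operation!r}: access authority cancelled"
        if data_type not in granted:
            return False, f"data type {data_type!r} not granted to this terminal"
        return True, "request conforms to the data access policy"
```

The analysis result carries the reason for a refusal, so the authentication server and the data authorization management server, which both receive it, can record why access was denied. A terminal whose user right matches a preset terminal is granted only the intersection of that right with what this device serves, and a user right that matches no preset terminal is refused outright rather than partially granted.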
Fig. 7 shows a block diagram of a data authorization management server according to an embodiment of the present application. As shown in fig. 7, the data authorization management server 700 may include the following modules.
The policy generating module 701 is configured to generate and send a plurality of data access policies to a plurality of cloud proxy analysis devices, so that when the cloud proxy analysis devices obtain a connection request sent by a terminal to be connected and forwarded by an authentication server, the cloud proxy analysis devices analyze communication security credentials of the terminal to be connected according to the data access policies, and generate and send a connection response to the authentication server, so that the authentication server determines whether the terminal to be connected has a right to access data, where the connection request includes: information and communication security credentials of the terminal to be connected; a second obtaining module 702, configured to obtain an analysis result sent by the cloud agent analysis device, where the analysis result is used to represent whether the cloud agent analysis device passes verification on the terminal to be connected; a data access right determining module 703 configured to determine whether to allow the terminal to be connected to access the data according to the analysis result.
In some implementations, the data authorization management server 700 further includes: the log generation module is configured to monitor the data access process of the terminal to be connected and generate data access control log information under the condition that the terminal to be connected is determined to be allowed to access the data;
wherein the data access control log information includes: any one or more of data access time, data access user information, data access matching policy information, data resource information, data type information, access result information, and access terminal information.
In some implementations, the data authorization management server 700 further includes: the updating module is configured to update the plurality of data access strategies at preset time intervals; and sending the updated data access strategy to the cloud agent analysis equipment according to the identification of the cloud agent analysis equipment.
In this embodiment, the policy generating module generates a plurality of data access policies and sends them to a plurality of cloud agent analysis devices, so that each cloud agent analysis device obtains its corresponding data access policy. Access to data of different data types is controlled by different data access policies, and the cloud agent analysis devices serve as the sole entry points for data access, which prevents data theft and improves the security of data access. The second obtaining module obtains the analysis result sent by the cloud agent analysis device, from which it can be determined whether the cloud agent analysis device has verified the terminal to be connected. The data access right determining module determines, according to the analysis result, whether the terminal to be connected is allowed to access data: access is allowed when the cloud agent analysis device is determined to have verified the terminal. This ensures that data is accessed only by legitimate terminals, prevents data from being stolen by an illegal terminal, and improves the security of data access.
It is to be understood that the invention is not limited to the particular arrangements and instrumentality described in the above embodiments and shown in the drawings. For convenience and brevity of description, detailed description of a known method is omitted here, and for the specific working processes of the system, the module and the unit described above, reference may be made to corresponding processes in the foregoing method embodiments, which are not described herein again.
Fig. 8 shows a block diagram of an authentication system according to an embodiment of the present application. As shown in fig. 8, the authentication system may include the following devices.
The terminal 810 to be connected, the authentication server 820, a plurality of cloud proxy analysis devices (e.g., a first cloud proxy analysis device 831, a second cloud proxy analysis device 832, … …, an nth cloud proxy analysis device 83N), a data authorization management server 840, a big data platform 850, and a plurality of clients 860 (e.g., application software provided for user operations, etc.).
Wherein N represents the number of cloud agent analysis devices, and N is an integer greater than or equal to 1.
The terminal 810 to be connected is configured to acquire user information; to generate and send a registration application message to the authentication server 820 according to the user information, the identifier of the terminal 810, and the security identifier of the terminal 810; and, once it is determined that authentication by the authentication server 820, the cloud agent analysis device (for example, the first cloud agent analysis device 831) and the data authorization management server 840 has passed, to acquire data of a preset data type stored in the big data platform 850 (for example, data stored by the first data server 851).
An authentication server 820 configured to perform an authentication method implemented by any one of the authentication servers in the embodiments of the present application.
The cloud agent analysis device (e.g., the first cloud agent analysis device 831 or the second cloud agent analysis device 832, etc.) is configured to execute the authentication method implemented by any one of the cloud agent analysis devices in the embodiments of the present application.
A data authorization management server 840 configured to execute any data access control method in the embodiments of the present application.
And a big data platform 850 configured to store data of a preset data type for use by the terminal 810 to be connected. Big data platform 850 includes a plurality of data servers (e.g., first data server 851, second data servers 852, … …, mth data server 85M). Wherein M represents the number of data servers, and M is an integer greater than or equal to 1. The big data platform 850 can realize unified management of a plurality of data servers, and improve the management efficiency of data.
As shown in fig. 8, if a terminal 810 to be connected wants to access data stored in a first data server 851 in a big data cluster, it needs to go through three layers of authentication, namely authentication of an authentication server 820 based on a network boundary layer, verification of a cloud agent analysis device based on a cloud computing environment layer, and monitoring and management of a data authorization management server 840 based on a big data cluster layer, to determine whether it is qualified to access the data stored in the first data server 851.
The authentication server 820 performs hardware-device-based authentication (that is, authentication on the information of the terminal to be connected): it must confirm that the terminal 810 to be connected is a trusted terminal. Each cloud agent analysis device in the cloud computing environment layer corresponds to one data server and is the sole entry device for accessing that data server; the cloud agent analysis device authorizes and verifies the terminal and monitors the whole process of the terminal accessing data, so as to realize secure access by the terminal to data in the big data platform 850.
Fig. 9 is a schematic flowchart illustrating a working method of an authentication system according to an embodiment of the present application. As shown in fig. 9, the operation method of the authentication system may include the following steps.
In step S901, a plurality of data servers in the big data platform 850 determine a plurality of data access policies through the data access control information and the data attribute information, and send the plurality of data access policies to the data authorization management server 840 at regular intervals (e.g., every 10 seconds, every 2 minutes, etc.).
For example, the first cloud agent analysis device 831 may determine the type of data accessible by the cloud agent analysis device and the related interface information through the first data access policy; the second cloud agent analysis device 832 may determine the type of data and related interface information, etc. that it may access through the second data access policy.
It should be noted that the data access policy may further include: any one or more of user permission corresponding to the preset terminals, multiple preset data types, identifications of the cloud agent analysis devices and identifications of the authentication servers.
The authentication server 820 corresponds to a plurality of cloud agent analysis devices, and each cloud agent analysis device has the right to access data of a preset data type. For example, the first cloud agent analysis device 831 is granted access to data of the preset data types on the first data server 851 in the big data platform 850.
Once the user right corresponding to the terminal 810 to be connected is determined, the data access policy allows the terminal 810 to access the data of the preset data types on the first data server 851 by logging in to the first cloud agent analysis device 831. When the terminal 810 registers with the authentication server 820, the cloud agent analysis device that the terminal 810 can log in to is indicated as the first cloud agent analysis device 831; that is, the first cloud agent analysis device 831 is the target cloud agent analysis device of the terminal to be connected.
In step S902, the data authorization management server 840 sends the acquired latest data access policy to the plurality of cloud agent analysis devices (for example, to the first cloud agent analysis device 831) at intervals of a preset time (for example, the preset time is 10 seconds or 2 minutes). So that each cloud agent analysis device can learn what types of data are currently accessible in big data platform 850, the identity of the authentication server to which the cloud agent analysis device can connect, and so on.
In step S903, the to-be-connected terminal 810 sends a registration application message to the authentication server 820.
The registration application message includes information of the terminal 810 to be connected. For example, the information of the to-be-connected terminal 810 may include: any one or more of information of a client corresponding to the terminal to be connected 810 (i.e., information of a user using the terminal to be connected 810), an identifier of the terminal to be connected, and a security identifier of the terminal to be connected.
It should be noted that the registration application message is encrypted by the terminal 810 to be connected, which protects the registration application message in transit. On receiving the encrypted registration application message, the authentication server 820 decrypts it to recover the original registration application message; the encryption/decryption key is preset between the terminal 810 to be connected and the authentication server 820, so that an illegal terminal without the key cannot access the authentication server 820.
In step S904, the authentication server 820 authenticates the information of the terminal 810 to be connected according to the stored preset terminal information, and obtains an authentication result.
Wherein, the authentication result includes: the terminal 810 to be connected passes the authentication, or the terminal 810 to be connected does not pass the authentication.
For example, comparing the preset terminal information with the information of the terminal to be connected 810, and determining that the terminal to be connected 810 passes authentication when the preset terminal information is determined to be the same as the information of the terminal to be connected 810; otherwise, it is determined that the terminal 810 to be connected fails to be authenticated.
Step S905, under the condition that the terminal 810 to be connected is determined to pass the authentication, the authentication server 820 generates a registration response according to the authentication result and the communication security certificate, encrypts the registration response and generates an encrypted registration response; and transmits the encrypted registration response message to the to-be-connected terminal 810 so that the to-be-connected terminal 810 obtains the communication security credentials and the authentication result.
Wherein the communication security credentials comprise: the user right corresponding to the terminal 810 to be connected, for example, information such as a data type that the terminal 810 to be connected can access.
In step S906, the terminal 810 to be connected decrypts the received encrypted registration response message to obtain the communication security credential and the authentication result, confirms from the authentication result that it has passed authentication by the authentication server 820, and can then access the network through the authentication server 820 to communicate.
It should be noted that, at the same time of executing step S905, the authentication server 820 needs to synchronously execute step S907.
In step S907, according to the information obtained in step S901, the target cloud proxy analysis device corresponding to the terminal 810 to be connected is the first cloud proxy analysis device 831, and the authentication server 820 needs to establish a communication connection with the first cloud proxy analysis device 831. In a case where it is determined that the authentication server 820 and the first cloud agent analysis device 831 successfully establish a communication connection, the encrypted registration response message is sent to the first cloud agent analysis device 831, so that the first cloud agent analysis device 831 knows that the to-be-connected terminal 810 has passed the authentication of the authentication server 820, and obtains a communication security credential.
In step S908, the terminal 810 to be connected generates and sends a connection request to the authentication server 820 according to the communication security credentials and the information of the terminal 810 to be connected, so that the authentication server 820 forwards the connection request to the first cloud proxy analysis device 831.
In step S909, the first cloud agent analysis device 831 re-verifies the communication security credential in the connection request sent by the terminal 810 to be connected according to the communication security credential acquired in step S907, and checks whether the information of the terminal 810 to be connected meets the user right corresponding to the preset terminal and the data of the preset data type accessible by the preset terminal.
For example, if it is determined that the communication security credential acquired in step S907 is the same as the communication security credential in the connection request sent by the terminal to be connected 810, and the user right corresponding to the terminal to be connected 810 is the same as the user right corresponding to the preset terminal, it may be determined that the terminal to be connected 810 passes the authentication again, and the terminal to be connected 810 may access data of the preset data type corresponding to the preset terminal; otherwise, it is determined that the terminal 810 to be connected fails to verify, and the terminal 810 to be connected cannot access the related data.
In step S910, when the first cloud agent analysis device 831 has re-verified the terminal 810 to be connected, it generates a verification result and sends it to the authentication server 820, which forwards the verification result to the terminal 810 to be connected.
Here the verification result indicates that the first cloud agent analysis device 831 has verified the terminal 810 to be connected.
In step S911, the terminal 810 to be connected remotely logs in the first cloud proxy analysis device 831, so that the data of the preset data type stored in the first data server 851 is acquired through the first cloud proxy analysis device 831.
It should be noted that, according to the data access policy configured in step S901, the first cloud proxy analysis device 831 is a data access device in one-to-one correspondence with the first data server 851, and the terminal to be connected can obtain data stored in the first data server 851 only through the first cloud proxy analysis device 831.
In step S912, the first cloud agent analysis device 831 performs security supervision on each piece of access information sent by the to-be-connected terminal 810 to ensure security of data access.
In step S913, the data authorization management server 840 monitors the data access process according to the data access policy (e.g., verifies whether each data access request sent by the first cloud agent analysis device 831 meets the requirement of the data access policy, etc.) during the process that the first cloud agent analysis device 831 accesses the data in the first data server 851, so as to determine the security of the data access process.
In some implementations, the data authorization management server 840 monitors the data access process and generates data access control log information during the process of the first cloud agent analysis device 831 accessing data in the first data server 851. The data access control log information includes: any one or more of data access time, data access user information, data access matching policy information, data resource information, data type information, access result information, and access terminal information.
It should be noted that, during the data access monitoring in steps S912 and S913, if an abnormality is detected (for example, a data access request sent by the terminal 810 to be connected carries an illegal operation such as deleting data or implanting a virus), the first cloud agent analysis device immediately cancels the access authority of the terminal 810 to be connected and causes the data authorization management server 840 to repair the data in the first data server 851 according to emergency measures (for example, scanning the data in the first data server 851 for viruses and removing them, or backing up the data).
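The exchange in steps S903 through S910, followed by the data authorization management server's decision and log record from step S913, simulated end to end with all three parties in one process. This is an added example, not the patent's code or the applicant's implementation. Because the description says only that the messages are "encrypted" with a preset key and that the credential "includes the user right", the example assumes a pre-shared transport key protecting messages with a stand-in encrypt-then-MAC construction built from hashlib and hmac (a deployment would use an AEAD such as AES-GCM), and a credential made of a random token plus an HMAC tag over terminal identifier, user right and token under a key shared by the authentication server and the cloud agent analysis device, so that the equality comparison in step S909 is made on a value the terminal cannot forge or widen. All terminal identifiers, client names and security identifiers are constructed.

```python
"""Three-layer exchange: terminal -> authentication server -> cloud agent analysis
device -> data authorization management server.  Encryption and credential
format are assumptions (see lead-in), not taken from the patent."""
import hashlib
import hmac
import json
import os
import secrets
import time


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key, plaintext):
    """Stand-in encrypt-then-MAC under the preset key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("message failed integrity check")   # wrong key: illegal terminal
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _credential_tag(cred_key, terminal_id, user_right, token):
    return hmac.new(cred_key, f"{terminal_id}|{user_right}|{token}".encode(), "sha256").hexdigest()


class CloudAgentAnalysisDevice:                  # cloud computing environment layer
    def __init__(self, cred_key, preset_user_right):
        self.cred_key, self.preset_user_right = cred_key, preset_user_right
        self.registered = {}                     # terminal id -> credential received in S907

    def on_registration(self, credential):       # S907
        self.registered[credential["terminal_id"]] = credential

    def verify(self, request):                   # S909: re-verify the forwarded credential
        cred, known = request["credential"], self.registered.get(request["terminal_id"])
        same = known is not None and hmac.compare_digest(
            json.dumps(known, sort_keys=True), json.dumps(cred, sort_keys=True))
        tag_ok = hmac.compare_digest(
            _credential_tag(self.cred_key, cred["terminal_id"], cred["user_right"], cred["token"]),
            cred["tag"])
        return {"terminal_id": request["terminal_id"],
                "verified": same and tag_ok and cred["user_right"] == self.preset_user_right}


class AuthenticationServer:                      # network boundary layer
    def __init__(self, transport_key, cred_key, preset_terminals, target_device):
        self.transport_key, self.cred_key = transport_key, cred_key
        self.preset_terminals = preset_terminals # terminal id -> (client, security id, user right)
        self.target_device = target_device       # configured by the data authorization server

    def register(self, encrypted_msg):           # S904, S905, S907
        msg = json.loads(decrypt(self.transport_key, encrypted_msg))
        preset = self.preset_terminals.get(msg["terminal_id"])
        if preset is None or (msg["client"], msg["security_id"]) != preset[:2]:
            return encrypt(self.transport_key, b'{"authenticated": false}')
        token = secrets.token_hex(16)
        cred = {"terminal_id": msg["terminal_id"], "user_right": preset[2], "token": token,
                "tag": _credential_tag(self.cred_key, msg["terminal_id"], preset[2], token)}
        self.target_device.on_registration(cred)
        return encrypt(self.transport_key,
                       json.dumps({"authenticated": True, "credential": cred}).encode())

    def forward(self, connection_request):       # S908 -> S910
        return self.target_device.verify(connection_request)


class DataAuthorizationManagementServer:         # big data cluster layer
    def __init__(self):
        self.logs = []

    def decide(self, analysis_result, data_type, terminal_info, policy_id):
        """Module 703 plus the log module: decide, then record the listed log fields."""
        allowed = bool(analysis_result["verified"])
        self.logs.append({"access_time": time.time(), "user": terminal_info["client"],
                          "matched_policy": policy_id, "resource": "first data server",
                          "data_type": data_type, "result": "allowed" if allowed else "denied",
                          "terminal": terminal_info["terminal_id"]})
        return allowed


def run_scenario(terminal_id="T-001", tamper=False):
    """Constructed inputs: one preset terminal T-001 with user right 'user_profiles'."""
    transport_key, cred_key = os.urandom(32), os.urandom(32)
    device = CloudAgentAnalysisDevice(cred_key, "user_profiles")
    auth = AuthenticationServer(transport_key, cred_key,
                                {"T-001": ("alice", "sec-7f3a", "user_profiles")}, device)
    dams = DataAuthorizationManagementServer()
    reg = json.dumps({"terminal_id": terminal_id, "client": "alice", "security_id": "sec-7f3a"}).encode()
    resp = json.loads(decrypt(transport_key, auth.register(encrypt(transport_key, reg))))  # S903-S906
    if not resp["authenticated"]:
        return False
    cred = dict(resp["credential"])
    if tamper:
        cred["user_right"] = "billing"           # terminal tries to widen its own right
    result = auth.forward({"terminal_id": terminal_id, "user_right": cred["user_right"],
                           "credential": cred})
    return dams.decide(result, "user_profiles",
                       {"client": "alice", "terminal_id": terminal_id}, "policy-1")
```

The check in step S909 is only as strong as the credential being compared: an unpredictable token compared with `hmac.compare_digest` is what gives the "same credential" test meaning, and binding the user right into the tag is what lets the device detect a terminal that rewrites its own right, which `run_scenario(tamper=True)` exercises. A registration from a terminal not in the preset list is refused at the first layer and never reaches the cloud agent analysis device.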
In this embodiment, a structured hierarchical authorization mode is adopted: the data access authority of the terminal to be connected is verified by multiple devices, which prevents an illegal terminal from stealing or tampering with data stored in the big data platform and improves the security of data access. The terminal can access and use data of various data types stored in the big data platform only under legitimate authorization and effective supervision by the cloud agent analysis device. Three access control domains at different levels (the network boundary domain, the cloud computing environment domain and the big data cluster domain) monitor and manage the process by which the terminal accesses data in the big data platform, so that data in the big data platform can effectively only enter and not leave. The data access process is audited and monitored bidirectionally by the data authorization management server and the cloud agent analysis device, and traceability of the terminal's use of data is ensured by applying data authorization and retaining evidence of data application and access, which effectively improves data security.
It is to be understood that the above embodiments are merely exemplary embodiments that are employed to illustrate the principles of the present application, and that the present application is not limited thereto. It will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the application, and these changes and modifications are to be considered as the scope of the application.

Claims (16)

1. An authentication method, the method comprising:
according to preset terminal information and acquired information of a terminal to be connected, performing first authentication on the terminal to be connected to obtain a first authentication result;
under the condition that the first authentication result is that the terminal to be connected is authenticated and a communication security certificate is obtained, generating and sending a connection request to cloud agent analysis equipment according to the communication security certificate and the information of the terminal to be connected so that the cloud agent analysis equipment can authenticate the terminal to be connected again;
and, in response to a connection response fed back by the cloud agent analysis device, determining whether the terminal to be connected has the authority to access data, wherein the connection response is determined by the cloud agent analysis device analyzing the communication security credential of the terminal to be connected on the basis of the data access policy configured by the data authorization management server.
2. The method according to claim 1, wherein the first authentication of the terminal to be connected is performed according to preset terminal information and the obtained information of the terminal to be connected to obtain a first authentication result, and the method comprises:
receiving a registration application message sent by the terminal to be connected, wherein the registration application message comprises information of the terminal to be connected;
comparing the preset terminal information with the information of the terminal to be connected;
determining that the terminal to be connected passes authentication under the condition that the preset terminal information is the same as the information of the terminal to be connected;
and generating and sending a registration response to the terminal to be connected and the cloud agent analysis device, wherein the registration response comprises a communication security certificate, and the communication security certificate comprises a user right corresponding to the terminal to be connected.
3. The method according to claim 1, wherein before generating and sending a connection request to a cloud agent analysis device according to the communication security credential and the information of the terminal to be connected when it is determined that the first authentication result is that the terminal to be connected passes authentication and a communication security credential is obtained, the method further comprises:
acquiring an identifier of a target cloud agent analysis device configured by a data authorization management server for the current server, wherein the target cloud agent analysis device is selected by the data authorization management server from a plurality of cloud agent analysis devices, which are determined according to a user right corresponding to a preset terminal and a preset data type, when the user right corresponding to the terminal to be connected is the same as the user right corresponding to the preset terminal;
and establishing communication connection between the current server and the target cloud agent analysis equipment.
4. The method according to claim 3, wherein the determining whether the terminal to be connected has the right to access data in response to the connection response fed back by the cloud agent analysis device comprises:
receiving a connection response fed back by the target cloud agent analysis device, wherein the connection response comprises an analysis result;
determining that the terminal to be connected has the authority to access the data of the preset data type under the condition that the analysis result is that the terminal to be connected passes the verification of the target cloud agent analysis device; otherwise, determining that the terminal to be connected does not have the authority of accessing the data of the preset data type.
5. The method according to any one of claims 1 to 4, wherein after determining whether the terminal to be connected has the right to access data in response to the connection response fed back by the cloud agent analysis device, the method further comprises:
and under the condition that the terminal to be connected is determined to have the authority of accessing the data of the preset data type, logging in a data server corresponding to the cloud agent analysis equipment so that the terminal to be connected can acquire the data of the preset data type provided by the data server.
6. An authentication method, the method comprising:
acquiring a data access policy and a preset access right configured by a data authorization management server, wherein the preset access right is used for representing the right of data type information accessible by current equipment;
receiving a connection request sent by an authentication server, wherein the connection request comprises information of the terminal to be connected and a communication security credential, the communication security credential represents that the authentication server has authenticated the terminal to be connected, and the information of the terminal to be connected comprises the user right corresponding to the terminal to be connected;
determining whether the terminal to be connected has the authority to access the current equipment or not according to the user authority corresponding to the terminal to be connected and the preset access authority;
under the condition that the terminal to be connected is determined to have the authority of accessing the current equipment, analyzing the communication security certificate of the terminal to be connected according to the data access strategy to generate an analysis result;
generating and sending a connection response to the authentication server according to the analysis result so that the authentication server determines whether the terminal to be connected has the authority of accessing data;
and sending the analysis result to the data authorization management server so that the data authorization management server checks the analysis result and determines whether to allow the terminal to be connected to access the data.
7. The method of claim 6, wherein the data access policy comprises: any one or more of user permissions corresponding to the preset terminals, multiple preset data types, identifications of the cloud agent analysis devices and identifications of the authentication servers;
the authentication server corresponds to a plurality of cloud agent analysis devices, and the cloud agent analysis devices have the authority of accessing the data of the preset data types.
8. The method according to claim 7, wherein the communication security credentials comprise user rights corresponding to the terminal to be connected;
under the condition that the terminal to be connected is determined to have the authority of accessing the current equipment, analyzing the communication security certificate of the terminal to be connected according to the data access strategy to generate an analysis result, wherein the analysis result comprises the following steps:
matching the user authority corresponding to the terminal to be connected with the user authorities corresponding to the preset terminals to obtain the user authority corresponding to a target terminal, wherein the user authority corresponding to the target terminal is the same as the user authority corresponding to the terminal to be connected, the target terminal corresponds to the current equipment, and the current equipment has the authority of accessing data of a target data type;
and determining, according to the user right corresponding to the target terminal, that the terminal to be connected passes verification, and generating an analysis result, wherein the analysis result represents that the terminal to be connected has passed verification by the current device.
9. The method according to claim 6, wherein after analyzing the communication security credentials of the terminal to be connected according to the data access policy, and generating and sending a connection response to the data access right determining apparatus, the method further comprises:
acquiring a data access request sent by the terminal to be connected;
and verifying the data access request and determining the validity of the data access request.
10. A method for controlling access to data, the method comprising:
generating and sending a plurality of data access policies to a plurality of cloud agent analysis devices, so that the cloud agent analysis devices analyze communication security credentials of a terminal to be connected according to the data access policies and generate and send a connection response to an authentication server under the condition that the cloud agent analysis devices obtain a connection request sent by the terminal to be connected and forwarded by the authentication server, so that the authentication server determines whether the terminal to be connected has the authority of accessing data, wherein the connection request comprises: information and communication security credentials of the terminal to be connected;
obtaining an analysis result sent by the cloud agent analysis equipment, wherein the analysis result is used for representing whether the cloud agent analysis equipment passes the verification of the terminal to be connected;
and determining whether the terminal to be connected is allowed to access data or not according to the analysis result.
11. The method according to claim 10, wherein after determining whether to allow the terminal to be connected to access data according to the analysis result, the method further comprises:
under the condition that the terminal to be connected is determined to be allowed to access data, monitoring the data access process of the terminal to be connected, and generating data access control log information;
wherein the data access control log information includes: any one or more of data access time, data access user information, data access matching policy information, data resource information, data type information, access result information, and access terminal information.
12. The method according to claim 10 or 11, wherein after generating and sending the plurality of data access policies to the plurality of cloud agent analysis devices, further comprising:
updating a plurality of data access strategies at preset time intervals;
and sending the updated data access strategy to the cloud agent analysis equipment according to the identification of the cloud agent analysis equipment.
13. An authentication server, characterized in that it comprises:
the authentication module is configured to perform first authentication on the terminal to be connected according to preset terminal information and acquired information of the terminal to be connected, and acquire a first authentication result;
the processing module is configured to generate and send a connection request to cloud agent analysis equipment according to the communication security certificate and the information of the terminal to be connected under the condition that the first authentication result is that the terminal to be connected is authenticated and the communication security certificate is obtained, so that the cloud agent analysis equipment can authenticate the terminal to be connected again;
and the authority determining module is configured to determine whether the terminal to be connected has the authority to access data in response to a connection response fed back by the cloud agent analysis device, wherein the connection response is determined by analyzing the communication security credentials of the terminal to be connected based on a data access policy configured by the data authorization management server by the cloud agent analysis device.
14. A cloud agent analysis device, characterized in that it comprises:
a first acquisition module, configured to acquire a data access policy and a preset access right configured by a data authorization management server, wherein the preset access right represents the right to the data type information accessible by the current device;
a receiving module, configured to receive a connection request sent by an authentication server, wherein the connection request comprises information of the terminal to be connected and a communication security credential, the communication security credential represents that the authentication server has authenticated the terminal to be connected, and the information of the terminal to be connected comprises the user right corresponding to the terminal to be connected;
the determining module is configured to determine whether the terminal to be connected has the authority to access the current device according to the user authority corresponding to the terminal to be connected and the preset access authority;
the analysis module is configured to analyze the communication security certificate of the terminal to be connected according to the data access strategy under the condition that the terminal to be connected is determined to have the authority of accessing the current equipment, and an analysis result is generated;
the first sending module is configured to generate and send a connection response to the authentication server according to the analysis result so that the authentication server determines whether the terminal to be connected has the authority of accessing data;
and the second sending module is configured to send the analysis result to the data authorization management server so that the data authorization management server checks the analysis result and determines whether to allow the terminal to be connected to access data.
15. A data authorization management server, characterized in that it comprises:
the policy generation module is configured to generate and send a plurality of data access policies to a plurality of cloud agent analysis devices, so that when the cloud agent analysis devices obtain a connection request sent by a terminal to be connected and forwarded by an authentication server, the cloud agent analysis devices analyze communication security credentials of the terminal to be connected according to the data access policies, and generate and send a connection response to the authentication server, so that the authentication server determines whether the terminal to be connected has a right to access data, wherein the connection request includes: information and communication security credentials of the terminal to be connected;
the second obtaining module is configured to obtain an analysis result sent by the cloud agent analysis device, and the analysis result is used for representing whether the cloud agent analysis device passes verification on the terminal to be connected;
a determining module configured to determine whether to allow the terminal to be connected to access data according to the analysis result.
16. An authentication system, comprising:
the terminal to be connected, configured to acquire user information, to generate and send a registration application message to the authentication server according to the user information, the identifier of the terminal to be connected and the security identifier of the terminal to be connected, and to acquire data of a preset data type stored in the big data platform once it is determined that authentication by the authentication server, the cloud agent analysis device and the data authorization management server has passed;
the authentication server, configured to perform the authentication method of any one of claims 1-5;
the cloud agent analysis device configured to perform the authentication method of any one of claims 6-9;
the data authorization management server configured to perform the data access control method of any one of claims 10-12;
the big data platform is configured to store data of preset data types for the terminal to be connected to use.
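The claims describe a protocol rather than code, so the following simulation is added here to make the three-party flow concrete: the authentication server performs the first authentication and issues a communication security credential (claims 1 and 2), the cloud agent analysis device re-checks the terminal's user right against the configured data access policy and its own preset access right (claims 6 and 8), and the data authorization management server pushes and updates policies, confirms the agent's verdict and writes the access control log with the fields listed in claim 11 (claims 10 to 12). This is an added example and not the patent's code or the applicant's implementation; the credential format (a record carrying the user right plus an HMAC tag so the cloud agent can check who issued it), the way policy matching is expressed, and every name, key and sample terminal are constructed assumptions.

```python
"""Simulation of the authentication server / cloud agent analysis device /
data authorization management server flow in the claims. Added example, not
the patent's code; credential format, HMAC tag, names and sample data are
all constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac


@dataclass(frozen=True)
class Credential:
    """'Communication security credential' (claim 2): carries the user right and
    an HMAC tag so a cloud agent can check the authentication server issued it."""
    terminal_id: str
    user_right: str
    tag: str


def sign(key: bytes, terminal_id: str, user_right: str) -> str:
    return hmac.new(key, f"{terminal_id}|{user_right}".encode(), hashlib.sha256).hexdigest()


class DataAuthorizationManagementServer:
    """Pushes policies to the agents, re-checks their results, keeps the log (claims 10-12)."""
    def __init__(self):
        self.agents = {}          # agent id -> CloudAgentAnalysisDevice
        self.policy = {}          # user right -> frozenset of accessible data types
        self.policy_version = 0
        self.logs = []

    def push_policy(self, policy):
        self.policy_version += 1
        self.policy = {r: frozenset(t) for r, t in policy.items()}
        for agent in self.agents.values():      # claim 12: resend to every agent on each update
            agent.load_policy(self.policy_version, dict(self.policy))

    def check_result(self, agent_id, cred, data_type, agent_verdict):
        # claim 10: the agent's verdict is confirmed against the server's own policy copy
        allowed = agent_verdict and data_type in self.policy.get(cred.user_right, ())
        self.logs.append({                      # claim 11 log fields
            "access_time": datetime.now(timezone.utc).isoformat(),
            "user": cred.user_right, "policy": self.policy_version,
            "agent": agent_id, "data_type": data_type,
            "result": allowed, "terminal": cred.terminal_id,
        })
        return allowed


class CloudAgentAnalysisDevice:
    """Second authentication of the terminal (claims 6 and 8)."""
    def __init__(self, agent_id, key, dams, access_right):
        self.id, self.key, self.dams = agent_id, key, dams
        self.access_right = frozenset(access_right)   # preset access right: data types this device serves
        self.policy_version, self.policy = 0, {}
        dams.agents[agent_id] = self

    def load_policy(self, version, policy):
        self.policy_version, self.policy = version, policy

    def handle_connection(self, cred, data_type):
        ok = hmac.compare_digest(sign(self.key, cred.terminal_id, cred.user_right), cred.tag)
        ok = ok and data_type in self.access_right                      # may this device serve it at all?
        ok = ok and data_type in self.policy.get(cred.user_right, ())   # claim 8: right matches the policy
        # claim 6: the result is reported to the management server, which makes the final decision
        return self.dams.check_result(self.id, cred, data_type, ok)


class AuthenticationServer:
    """First authentication and forwarding to the target cloud agent (claims 1-5)."""
    def __init__(self, key, preset_terminals):
        self.key = key
        self.preset = preset_terminals  # terminal id -> (security identifier, user right)
        self.target_agent = {}          # user right -> agent assigned by the management server (claim 3)

    def first_auth(self, terminal_id, security_id):
        entry = self.preset.get(terminal_id)
        if entry is None or not hmac.compare_digest(entry[0], security_id):
            return None                 # claim 2: preset and presented information must be identical
        return Credential(terminal_id, entry[1], sign(self.key, terminal_id, entry[1]))

    def request_access(self, terminal_id, security_id, data_type):
        cred = self.first_auth(terminal_id, security_id)
        agent = self.target_agent.get(cred.user_right) if cred else None
        if agent is None:
            return False                # no credential, or no agent configured for this right
        return agent.handle_connection(cred, data_type)   # claim 4: the second check decides


def run_demo():
    """Constructed scenario; returns per-request outcomes and the access control log."""
    key = b"constructed-shared-key"
    dams = DataAuthorizationManagementServer()
    agent_a = CloudAgentAnalysisDevice("agent-A", key, dams, {"finance", "hr"})
    agent_b = CloudAgentAnalysisDevice("agent-B", key, dams, {"logs"})
    dams.push_policy({"analyst": {"finance"}, "ops": {"logs"}})
    auth = AuthenticationServer(key, {"t-1": ("sec-1", "analyst"), "t-2": ("sec-2", "ops")})
    auth.target_agent = {"analyst": agent_a, "ops": agent_b}
    results = {
        "analyst_finance": auth.request_access("t-1", "sec-1", "finance"),
        "analyst_hr": auth.request_access("t-1", "sec-1", "hr"),        # device serves hr, policy denies it
        "wrong_secret": auth.request_access("t-1", "bad", "finance"),   # fails first authentication
        "unknown_terminal": auth.request_access("t-9", "sec-9", "finance"),
        "ops_logs": auth.request_access("t-2", "sec-2", "logs"),
        "forged": agent_a.handle_connection(Credential("t-1", "analyst", "00" * 32), "finance"),
    }
    dams.push_policy({"ops": {"logs"}})                                 # claim 12: analyst right withdrawn
    results["analyst_after_update"] = auth.request_access("t-1", "sec-1", "finance")
    return results, dams.logs
```

Two points the claims state but do not spell out are visible in the run: a request that fails the first authentication never reaches the cloud agent, so it leaves no entry in the management server's log, whereas every request that reaches the second check is logged with the policy version that decided it, which is what makes the later access traceable; and a credential presented directly to an agent without the issuer's tag is rejected even though its user right looks valid.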
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110937408.1A CN114372254B (en) 2021-08-16 2021-08-16 Multi-authentication authorization method under big data environment
Publications (2)

Publication Number Publication Date
CN114372254A true CN114372254A (en) 2022-04-19
CN114372254B CN114372254B (en) 2023-03-24

Family

ID=81138250
Country Status (1)

Country Link
CN (1) CN114372254B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115022074A (en) * 2022-06-24 2022-09-06 中国电信股份有限公司 User authentication and authorization method, device, medium and equipment
CN115220665A (en) * 2022-09-14 2022-10-21 深圳市木浪云科技有限公司 Access method and system of distributed storage system

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103259663A (en) * 2013-05-07 2013-08-21 南京邮电大学 User unified authentication method in cloud computing environment
US20140020072A1 (en) * 2012-07-13 2014-01-16 Andrew J. Thomas Security access protection for user data stored in a cloud computing facility
US8949953B1 (en) * 2012-09-12 2015-02-03 Emc Corporation Brokering multiple authentications through a single proxy
CN105577665A (en) * 2015-12-24 2016-05-11 西安电子科技大学 Identity and access control and management system and method in cloud environment
CN108881218A (en) * 2018-06-14 2018-11-23 山东超越数控电子股份有限公司 A kind of data safety Enhancement Method and system based on cloud storage management platform
US10366240B1 (en) * 2017-01-25 2019-07-30 Intuit Inc. Authorization to access a server in the cloud without obtaining an initial secret
CN111541656A (en) * 2020-04-09 2020-08-14 中央电视台 Identity authentication method and system based on converged media cloud platform
US20200358615A1 (en) * 2019-05-07 2020-11-12 International Business Machines Corporation Fine-grained token based access control
CN111935169A (en) * 2020-08-20 2020-11-13 腾讯科技(深圳)有限公司 Business data access method, device, equipment and storage medium
CN113067797A (en) * 2021-02-01 2021-07-02 上海金融期货信息技术有限公司 Identity authentication and authorization system supporting multiple terminals and multiple certificates in cross-network area
CN113132404A (en) * 2021-04-28 2021-07-16 平安国际智慧城市科技股份有限公司 Identity authentication method, terminal and storage medium
CN113225333A (en) * 2021-05-06 2021-08-06 西安电子科技大学 Network resource access control method under zero trust

Also Published As

Publication number Publication date
CN114372254B (en) 2023-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant