CN116150090A - File verification method and related equipment - Google Patents


Publication number
CN116150090A
Authority
CN
China
Prior art keywords
node
file
access control
access
control list
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111388448.1A
Other languages
Chinese (zh)
Inventor
沈晴霓
付鹏程
初泽良
汪硕
陈涛
吴闻博
张洪啸
杨雅辉
冯新宇
李聪
李家欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202111388448.1A
Priority to PCT/CN2022/129094 (WO2023088090A1)
Publication of CN116150090A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/13 File access structures, e.g. distributed indices
    • G06F16/134 Distributed indices
    • G06F16/18 File system types
    • G06F16/182 Distributed file systems
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application provides a file verification method and related equipment, and relates to the field of data processing. In the present application, a second node may send a first request to a first node, where the first request requests access to a first file in the first node. The first node may acquire a copy of the first file from a third node that has accessed the first file. When the access control policy corresponding to the second node is the same in the first access control list included in the first file and in the second access control list included in the copy of the first file, and it is determined that the second node has access rights to the first file, the first node responds to the first request and returns a first request result of the first request to the second node. The first request result indicates the second node's access rights to the first file, or the return information for successful access to the first file, so that the second node may access the first file in the first node. The strength of access control over the first file can thereby be improved, and the security of the first file is enhanced.

Description

File verification method and related equipment
Technical Field
The present disclosure relates to the field of data processing, and in particular to a file verification method and related equipment.
Background
A distributed file system (DFS) is a file system that allows files to be shared across a network among multiple hosts, supporting the sharing of files and storage space between those hosts.
In a distributed file system, each host may be considered a node (or storage node) of the distributed file system. When a certain node wants to request a certain file, if the local node owns the file, the file can be directly read from the local node; if the local node does not have the file, the file may be read from other nodes in the distributed file system that own the file over the network.
Disclosure of Invention
The application provides a file verification method and related equipment, which can improve the strength of access control over a file and enhance the security of the file.
In a first aspect, the present application provides a file verification method applied to a first node. The method includes: receiving a first request from a second node, the first request requesting access to a first file in the first node, the first file including a first access control list; and obtaining a copy of the first file from a third node, where the third node has accessed the first file and the copy of the first file includes a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. In response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node has access rights to the first file, a first request result of the first request is returned to the second node. The first request result indicates the second node's access rights to the first file, or the return information for successful access to the first file, so that the second node can access the first file in the first node.
In this file verification method, the first node returns the access result corresponding to the second node's access rights (namely, the first request result) to the second node when the access control policy corresponding to the second node is the same in the first access control list included in the first file and in the second access control list included in the copy of the first file, and the first node determines that the second node has access rights to the first file. This improves the strength of access control over files (such as the first file) stored in the distributed file system and enhances the security of the files stored in the distributed file system.
Optionally, the method further includes: in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are different, returning a second request result of the first request to the second node, where the second request result indicates that the second node cannot access the first file in the first node.
Optionally, the method further includes: in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node does not have access rights to the first file, returning a third request result of the first request to the second node, where the third request result indicates that the second node cannot access the first file in the first node.
In one possible implementation, a plurality of nodes have accessed the first file. The third node is the node with the highest equipment level among the plurality of nodes that have accessed the first file; or the third node is, among those nodes, the node whose historical access to the first file in the first node is closest in time to the first request; or the third node is the node with the highest computing power among those nodes.
When the node with the highest equipment level or the node with the highest computing power among the plurality of nodes that have accessed the first file is used as the third node, the more powerful computing resources of the third node can effectively improve the verification efficiency of the file verification method.
When the node whose historical access to the first file in the first node is closest in time to the first request is used as the third node, the probability that the control lists in the first node and the third node have been tampered with is lower, so the file verification method can be more reliable.
In one possible implementation, the first file conforms to the first type.
By way of example, the first type may include one or more of the following: higher importance, higher security requirement, higher privacy, etc.
In some possible implementations, whether a file conforms to the first type may be actively configured by the user. For example, the user may add a tag to the file to indicate that the file conforms to the first type. When the file does not include the tag, the file does not conform to the first type.
In other possible implementations, whether a file conforms to the first type may be configured automatically by the device (node) in which the file is located according to preset rules, and the preset rules may be configured manually. For example, the preset rules may include: when the file is a photo, add a tag corresponding to the first type to the file. When the device in which the file is located detects that the file is a photo, it can automatically add the tag to the photo, and the tag indicates that the file conforms to the first type. Likewise, when the file does not include the tag, the file does not conform to the first type.
Optionally, the method further includes: receiving a second request from the second node, the second request requesting access to a second file in the first node, where the second file includes a third access control list, the third access control list includes an access control policy corresponding to the second node, and the second file does not conform to the first type. In response to the second request, when it is determined from the access control policy corresponding to the second node in the third access control list that the second node has access rights to the second file, a fourth request result of the second request is returned to the second node; the fourth request result indicates the second node's access rights to the second file, or the return information for successful access to the second file, so that the second node can access the second file in the first node. Alternatively, when it is determined from the access control policy corresponding to the second node in the third access control list that the second node does not have access rights to the second file, a fifth request result of the second request is returned to the second node; the fifth request result indicates that the second node cannot access the second file in the first node.
In one possible implementation, the copy of the first file is generated by copying the complete first file when the third node accesses the first file.
Or in another possible implementation manner, the copy of the first file is generated by copying a part of the first file containing the first control list when the third node accesses the first file.
For example, the aforementioned partial file containing the first control list may be an extended attribute of an inode of the first file.
In still another possible implementation manner, the copy of the first file is generated by copying the first control list in the first file when the third node accesses the first file.
Optionally, the return information that the second node succeeds in accessing the first file includes one or more of: context information of the first file, handle information of the first file.
Optionally, the first node, the second node, and the third node all belong to the same local area network; alternatively, the first node, the second node, and the third node all belong to the same distributed file system.
In a possible implementation, that the access control policies corresponding to the second node in the first access control list and the second access control list are the same includes: the first access control list and the second access control list are identical.
In this implementation, when the first access control list and the second access control list are identical, the first node may further determine, according to the access control policy corresponding to the second node in the first access control list, whether the second node has access rights to the first file. When it determines that the second node has access rights to the first file, it returns to the second node the access result corresponding to the access rights the second node has, for example, the first request result.
Optionally, after the first request result of the first request is returned to the second node, the method further includes: recording an access record of the second node for the first file, where the access record includes: the identification information of the second node, and the path at which the second node stores a copy of the first file.
After the first node returns the first request result to the second node, the second node has successfully accessed the first file in the first node. For this access, the first node may continue to maintain an access record for the first file that covers the second node's access. When other nodes access the first file later, the second node can also serve as the third node and provide a copy of the first file to the first node.
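The first-aspect flow described above, written out as an added Python example (it is not part of the patent text): the first node compares the requester's entry in its own ACL with the entry in a copy held by a prior accessor, then checks the permission, then records the access. All names (`Node`, `StoredFile`, `handle_request`, the `/copies/...` paths) are hypothetical, the node history is constructed, and two behaviours are assumptions the text does not state: the requester is never used as its own third node, and a first-type file with no other prior accessor is refused.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    GRANTED = "access granted"                    # first / fourth request result
    ACL_MISMATCH = "refused: ACL entries differ"  # second request result
    NO_PERMISSION = "refused: no access right"    # third / fifth request result
    NO_WITNESS = "refused: no prior accessor"     # assumption, not in the text


@dataclass
class StoredFile:
    acl: dict[str, set[str]]   # node id -> permissions (the first ACL)
    first_type: bool = False   # tag marking the file as "first type"
    # access records: (node id, path of that node's copy, access time)
    access_log: list[tuple[str, str, int]] = field(default_factory=list)


@dataclass
class Node:
    node_id: str
    files: dict[str, StoredFile] = field(default_factory=dict)
    # copy path -> ACL captured when this node accessed the file (second ACL)
    copies: dict[str, dict[str, set[str]]] = field(default_factory=dict)


def pick_third_node(f: StoredFile, requester: str):
    """Most recent prior accessor (one of the three selection rules in the
    text). Skipping the requester itself is an assumption of this example."""
    candidates = [r for r in f.access_log if r[0] != requester]
    return max(candidates, key=lambda r: r[2], default=None)


def handle_request(first: Node, cluster: dict[str, Node], requester: str,
                   path: str, perm: str, now: int) -> Result:
    f = first.files[path]
    if f.first_type:
        record = pick_third_node(f, requester)
        if record is None:
            return Result.NO_WITNESS
        witness_id, copy_path, _ = record
        second_acl = cluster[witness_id].copies.get(copy_path)
        # Compare only the policy that corresponds to the requesting node.
        if second_acl is None or second_acl.get(requester) != f.acl.get(requester):
            return Result.ACL_MISMATCH
    if perm not in f.acl.get(requester, set()):
        return Result.NO_PERMISSION
    # Access succeeds: the requester keeps an ACL copy and the first node
    # records (node id, copy path), so the requester can be a third node later.
    copy_path = f"/copies/{first.node_id}{path}"
    cluster[requester].copies[copy_path] = {n: set(p) for n, p in f.acl.items()}
    f.access_log.append((requester, copy_path, now))
    return Result.GRANTED


def demo():
    a, b, c, d = (Node(n) for n in "ABCD")
    cluster = {n.node_id: n for n in (a, b, c, d)}
    acl = {"B": {"read"}, "C": {"read"}}
    photo = StoredFile(acl={n: set(p) for n, p in acl.items()}, first_type=True)
    a.files["/photos/p.jpg"] = photo
    a.files["/tmp/notes.txt"] = StoredFile(acl={"B": {"read"}})  # not first type
    # Constructed history: node C accessed the photo at t=10 and kept its ACL.
    c.copies["/copies/A/photos/p.jpg"] = {n: set(p) for n, p in acl.items()}
    photo.access_log.append(("C", "/copies/A/photos/p.jpg", 10))

    results = [handle_request(a, cluster, "B", "/photos/p.jpg", "read", 20)]
    # The ACL on node A is altered after C's copy was taken.
    photo.acl["B"].add("write")
    results.append(handle_request(a, cluster, "B", "/photos/p.jpg", "write", 30))
    results.append(handle_request(a, cluster, "D", "/photos/p.jpg", "read", 40))
    results.append(handle_request(a, cluster, "B", "/tmp/notes.txt", "read", 50))
    return results, photo.access_log


if __name__ == "__main__":
    for r in demo()[0]:
        print(r.name)
```

The second request in `demo()` is the case the comparison exists for: the local ACL alone would allow the write, but node C's earlier copy disagrees, so the request is refused.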
In a second aspect, the present application provides a file verification apparatus, where the apparatus may be applied to an electronic device of a first node (e.g. a terminal device of the first node), so that the electronic device implements a file verification method according to the first aspect and any one of possible implementation manners of the first aspect. The functions of the device can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software comprises one or more modules or units corresponding to the steps in the file verification method according to the first aspect and any possible implementation manner of the first aspect.
For example, the apparatus includes a transceiver unit and a processing unit. The transceiver unit is configured to receive a first request from a second node, where the first request requests access to a first file in the first node, and the first file includes a first access control list. The transceiver unit is further configured to obtain a copy of the first file from a third node, where the third node has accessed the first file and the copy of the first file includes a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. The processing unit is configured to, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node has access rights to the first file, return a first request result of the first request to the second node through the transceiver unit. The first request result indicates the second node's access rights to the first file, or the return information for successful access to the first file, so that the second node can access the first file in the first node.
Optionally, the processing unit is further configured to, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are different, return, through the transceiver unit, a second request result of the first request to the second node, where the second request result indicates that the second node cannot access the first file in the first node.
Optionally, the processing unit is further configured to, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node does not have access rights to the first file, return, through the transceiver unit, a third request result of the first request to the second node, where the third request result indicates that the second node cannot access the first file in the first node.
In one possible implementation, a plurality of nodes have accessed the first file. The third node is the node with the highest equipment level among the plurality of nodes that have accessed the first file; or the third node is, among those nodes, the node whose historical access to the first file in the first node is closest in time to the first request; or the third node is the node with the highest computing power among those nodes.
In one possible implementation, the first file conforms to the first type.
By way of example, the first type may include one or more of the following: higher importance, higher security requirement, higher privacy, etc.
Optionally, the transceiver unit is further configured to receive a second request from the second node, where the second request requests access to a second file in the first node, the second file includes a third access control list, the third access control list includes an access control policy corresponding to the second node, and the second file does not conform to the first type. The processing unit is further configured to, in response to the second request, when it is determined from the access control policy corresponding to the second node in the third access control list that the second node has access rights to the second file, return a fourth request result of the second request to the second node through the transceiver unit; the fourth request result indicates the second node's access rights to the second file, or the return information for successful access to the second file, so that the second node can access the second file in the first node. Alternatively, when it is determined from the access control policy corresponding to the second node in the third access control list that the second node does not have access rights to the second file, the processing unit returns a fifth request result of the second request to the second node through the transceiver unit; the fifth request result indicates that the second node cannot access the second file in the first node.
In one possible implementation, the copy of the first file is generated by copying the complete first file when the third node accesses the first file.
Or in another possible implementation manner, the copy of the first file is generated by copying a part of the first file containing the first control list when the third node accesses the first file.
For example, the aforementioned partial file containing the first control list may be an extended attribute of an inode of the first file.
In still another possible implementation manner, the copy of the first file is generated by copying the first control list in the first file when the third node accesses the first file.
Optionally, the return information that the second node succeeds in accessing the first file includes one or more of: context information of the first file, handle information of the first file.
Optionally, the first node, the second node, and the third node all belong to the same local area network; alternatively, the first node, the second node, and the third node all belong to the same distributed file system.
In a possible implementation, that the access control policies corresponding to the second node in the first access control list and the second access control list are the same includes: the first access control list and the second access control list are identical.
Optionally, the processing unit is further configured to record an access record of the second node for the first file, where the access record includes: the identification information of the second node, and the path at which the second node stores a copy of the first file.
In a third aspect, the present application provides an electronic device, e.g. the electronic device may be a terminal device of the first node described above. An electronic device includes: a processor, a memory for storing processor-executable instructions; the processor is configured to execute the instructions, to cause the electronic device to implement the file verification method according to the first aspect and any one of the possible implementation manners of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by an electronic device, cause the electronic device to implement a file verification method as described in the first aspect and any one of the possible implementations of the first aspect.
In a fifth aspect, the present application provides a computer program product comprising computer readable code, or a non-transitory computer readable storage medium carrying computer readable code, which when run in an electronic device, causes a processor in the electronic device to implement a file verification method according to the first aspect and any one of the possible implementations of the first aspect.
For the advantages of the second to fifth aspects, refer to the first aspect; they are not repeated here.
In a sixth aspect, the present application provides a file verification method applied to a first node. The method includes: receiving a first request from a second node, the first request requesting access to a first file in the first node, the first file including a first access control list; and sending the first access control list to a third node, where the third node has accessed the first file, the third node holds a copy of the first file, and the copy of the first file includes a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. The method further includes receiving first information returned by the third node, where the first information indicates whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same or different. In response to the first request, when the first information indicates that the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node has access rights to the first file, a first request result of the first request is returned to the second node. The first request result indicates the second node's access rights to the first file, or the return information for successful access to the first file, so that the second node can access the first file in the first node.
Optionally, the method further includes: in response to the first request, when the first information indicates that the access control policies corresponding to the second node in the first access control list and the second access control list are different, returning a second request result of the first request to the second node, where the second request result indicates that the second node cannot access the first file in the first node.
Optionally, the method further includes: in response to the first request, when the first information indicates that the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node does not have access rights to the first file, returning a third request result of the first request to the second node, where the third request result indicates that the second node cannot access the first file in the first node.
In one possible implementation, a plurality of nodes have accessed the first file. The third node is the node with the highest equipment level among the plurality of nodes that have accessed the first file; or the third node is, among those nodes, the node whose historical access to the first file in the first node is closest in time to the first request; or the third node is the node with the highest computing power among those nodes.
In one possible implementation, the first file conforms to the first type.
By way of example, the first type may include one or more of the following: higher importance, higher security requirement, higher privacy, etc.
In some possible implementations, whether a file conforms to the first type may be actively configured by the user. For example, the user may add a tag to the file to indicate that the file conforms to the first type. When the file does not include the tag, the file does not conform to the first type.
In other possible implementations, whether a file conforms to the first type may be configured automatically by the device (node) in which the file is located according to preset rules, and the preset rules may be configured manually. For example, the preset rules may include: when the file is a photo, add a tag corresponding to the first type to the file. When the device in which the file is located detects that the file is a photo, it can automatically add the tag to the photo, and the tag indicates that the file conforms to the first type. Likewise, when the file does not include the tag, the file does not conform to the first type.
Optionally, the method further includes: receiving a second request from the second node, the second request requesting access to a second file in the first node, where the second file includes a third access control list, the third access control list includes an access control policy corresponding to the second node, and the second file does not conform to the first type. In response to the second request, when it is determined from the access control policy corresponding to the second node in the third access control list that the second node has access rights to the second file, a fourth request result of the second request is returned to the second node; the fourth request result indicates the second node's access rights to the second file, or the return information for successful access to the second file, so that the second node can access the second file in the first node. Alternatively, when it is determined from the access control policy corresponding to the second node in the third access control list that the second node does not have access rights to the second file, a fifth request result of the second request is returned to the second node; the fifth request result indicates that the second node cannot access the second file in the first node.
In one possible implementation, the copy of the first file is generated by copying the complete first file when the third node accesses the first file.
Or in another possible implementation manner, the copy of the first file is generated by copying a part of the first file containing the first control list when the third node accesses the first file.
For example, the aforementioned partial file containing the first control list may be an extended attribute of an inode of the first file.
In still another possible implementation manner, the copy of the first file is generated by copying the first control list in the first file when the third node accesses the first file.
Optionally, the return information that the second node succeeds in accessing the first file includes one or more of: context information of the first file, handle information of the first file.
Optionally, the first node, the second node, and the third node all belong to the same local area network; alternatively, the first node, the second node, and the third node all belong to the same distributed file system.
In a possible implementation, that the access control policies corresponding to the second node in the first access control list and the second access control list are the same includes: the first access control list and the second access control list are identical.
Optionally, after the first request result of the first request is returned to the second node, the method further includes: recording an access record of the second node for the first file, where the access record includes: the identification information of the second node, and the path at which the second node stores a copy of the first file.
For the advantages of the sixth aspect, refer to the first aspect; they are not repeated here.
In a seventh aspect, the present application provides a file verification apparatus, where the apparatus may be applied to an electronic device of a first node (such as a terminal device of the first node), so that the electronic device implements a file verification method according to any one of the sixth aspect and any one of possible implementation manners of the sixth aspect. The functions of the device can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software comprises one or more modules or units corresponding to the steps in the file verification method according to any one of the possible implementation manners of the sixth aspect and the sixth aspect.
For example, the apparatus comprises: a transceiver unit and a processing unit; and the receiving and transmitting unit is used for receiving a first request from the second node, wherein the first request is used for requesting to access a first file in the first node, and the first file comprises a first access control list. The receiving and transmitting unit is further used for transmitting the first access control list to the third node; the third node accesses the first file, the third node comprises a copy of the first file, and the copy of the first file comprises a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. The receiving and transmitting unit is further configured to receive first information returned by the third node, where the first information is used to indicate that access control policies corresponding to the second node in the first access control list and the second access control list are the same or different. And the processing unit is used for responding to the first request, and when the first information indicates that the access control strategies corresponding to the second nodes in the first access control list and the second access control list are the same and the second node is determined to have the access right to the first file, the first request result of the first request is returned to the second node through the receiving and sending unit, and the first request result indicates the access right of the second node to the first file or the return information of success in accessing the first file, so that the second node can access the first file in the first node.
Optionally, the processing unit is further configured to, in response to the first request, when the first information indicates that access control policies corresponding to the second node in the first access control list and the second access control list are different, return, by the transceiver unit, a second request result of the first request to the second node, where the second request result indicates that the second node cannot access the first file in the first node.
Optionally, the processing unit is further configured to, in response to the first request, when the first information indicates that the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and it is determined that the second node does not have access rights to the first file, return, through the transceiver unit, a third request result of the first request to the second node, where the third request result indicates that the second node cannot access the first file in the first node.
In an eighth aspect, the present application provides an electronic device; for example, the electronic device may be a terminal device of the first node. The electronic device includes a processor and a memory for storing processor-executable instructions; the processor is configured to execute the instructions to cause the electronic device to implement the file verification method according to the sixth aspect or any possible implementation of the sixth aspect.
In a ninth aspect, the present application provides a computer-readable storage medium having computer program instructions stored thereon; the computer program instructions, when executed by an electronic device, cause the electronic device to implement the file verification method according to the sixth aspect or any possible implementation of the sixth aspect.
In a tenth aspect, the present application provides a computer program product comprising computer-readable code, or a non-transitory computer-readable storage medium carrying computer-readable code, which, when run in an electronic device, causes a processor in the electronic device to implement the file verification method according to the sixth aspect or any possible implementation of the sixth aspect.
For the advantageous effects of the seventh to tenth aspects, refer to the sixth aspect; they are not repeated here.
In an eleventh aspect, the present application provides a file verification method applied to a third node, where the third node has accessed a first file in a first node; the first node includes the first file, and the first file includes a first access control list; the third node includes a copy of the first file, and the copy of the first file includes a second access control list; the first access control list and the second access control list each include an access control policy corresponding to the second node. The method includes the following steps:
Receiving the first access control list from the first node, where the first access control list is sent by the first node after receiving a first request from the second node, and the first request is used to request access to the first file. Comparing whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same, to obtain a comparison result. Returning first information to the first node according to the comparison result, so that the first node returns a request result of the first request to the second node according to the first information.
The first information indicates whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same or different.
In one possible implementation, a plurality of nodes have accessed the first file. The third node is the node with the highest device level among the plurality of nodes that have accessed the first file; or the third node is the node, among the plurality of nodes that have accessed the first file, whose historical access to the first file in the first node is closest in time to the first request; or the third node is the node with the highest computing power among the plurality of nodes that have accessed the first file.
In one possible implementation, the first file conforms to the first type.
By way of example, the first type may include one or more of the following: higher importance, higher security requirement, higher privacy, etc.
In some possible implementations, whether a file conforms to the first type may be actively configured by the user. For example, the user may add a tag to the file, and the tag indicates that the file conforms to the first type. When the file does not include the tag, the file does not conform to the first type.
In other possible implementations, whether a file conforms to the first type may also be configured automatically by the device (node) where the file is located, according to preset rules, and the preset rules may be configured manually. For example, the preset rules may include: when the file is a photo, a tag corresponding to the first type is added to the file. When the device where the file is located detects that the file is a photo, it automatically adds the tag to the photo, and the tag indicates that the file conforms to the first type. Likewise, when the file does not include the tag, the file does not conform to the first type.
In one possible implementation, the copy of the first file is generated by copying the complete first file when the third node accesses the first file.
Alternatively, in another possible implementation, the copy of the first file is generated by copying the part of the first file that contains the first access control list when the third node accesses the first file.
For example, the part of the first file that contains the first access control list may be an extended attribute of the inode of the first file.
In still another possible implementation, the copy of the first file is generated by copying the first access control list in the first file when the third node accesses the first file.
Optionally, the return information that the second node succeeds in accessing the first file includes one or more of: context information of the first file, handle information of the first file.
Optionally, the first node, the second node, and the third node all belong to the same local area network; alternatively, the first node, the second node, and the third node all belong to the same distributed file system.
In a possible implementation, the access control policies corresponding to the second node in the first access control list and the second access control list being the same includes: the first access control list and the second access control list being identical.
For the advantages of the eleventh aspect, refer to the first aspect; they are not repeated here.
In a twelfth aspect, the present application provides a file verification apparatus. The apparatus may be applied to an electronic device of a third node (such as a terminal device of the third node), so that the electronic device implements the file verification method according to the eleventh aspect or any possible implementation of the eleventh aspect. The functions of the apparatus may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the steps of the file verification method according to the eleventh aspect or any possible implementation of the eleventh aspect.
For example, the apparatus comprises a transceiver unit and a processing unit. The transceiver unit is configured to receive a first access control list from the first node, where the first access control list is sent by the first node after receiving a first request from the second node, and the first request is used to request access to the first file. The processing unit is configured to compare whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same, to obtain a comparison result. The processing unit is further configured to return first information to the first node through the transceiver unit according to the comparison result, so that the first node returns a request result of the first request to the second node according to the first information.
The first information indicates whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same or different.
In a thirteenth aspect, the present application provides an electronic device; for example, the electronic device may be a terminal device of the third node described above. The electronic device includes a processor and a memory for storing processor-executable instructions; the processor is configured to execute the instructions to cause the electronic device to implement the file verification method according to the eleventh aspect or any possible implementation of the eleventh aspect.
In a fourteenth aspect, the present application provides a computer-readable storage medium having computer program instructions stored thereon; the computer program instructions, when executed by an electronic device, cause the electronic device to implement the file verification method according to the eleventh aspect or any possible implementation of the eleventh aspect.
In a fifteenth aspect, the present application provides a computer program product comprising computer-readable code, or a non-transitory computer-readable storage medium carrying computer-readable code, which, when run in an electronic device, causes a processor in the electronic device to implement the file verification method according to the eleventh aspect or any possible implementation of the eleventh aspect.
For the advantageous effects of the twelfth to fifteenth aspects, refer to the eleventh aspect; they are not repeated here.
In a sixteenth aspect, the present application provides a file verification method applied to a first node. The method includes: receiving a first request from a second node, where the first request is used to request access to a first file in the first node, and the first file includes a first access control list. Sending the first access control list to a third node, where the third node has accessed the first file, the third node includes a copy of the first file, and the copy of the first file includes a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. Receiving second information returned by the third node, where the second information indicates one of the following: the access control policies corresponding to the second node in the first access control list and the second access control list are the same and the second node has access rights to the first file; the access control policies corresponding to the second node in the first access control list and the second access control list are different; or the access control policies corresponding to the second node in the first access control list and the second access control list are the same and the second node does not have access rights to the first file. Returning a request result of the first request to the second node according to the second information.
In one possible implementation, a plurality of nodes have accessed the first file. The third node is the node with the highest device level among the plurality of nodes that have accessed the first file; or the third node is the node, among the plurality of nodes that have accessed the first file, whose historical access to the first file in the first node is closest in time to the first request; or the third node is the node with the highest computing power among the plurality of nodes that have accessed the first file.
In one possible implementation, the first file conforms to the first type.
By way of example, the first type may include one or more of the following: higher importance, higher security requirement, higher privacy, etc.
In some possible implementations, whether a file conforms to the first type may be actively configured by the user. For example, the user may add a tag to the file, and the tag indicates that the file conforms to the first type. When the file does not include the tag, the file does not conform to the first type.
In other possible implementations, whether a file conforms to the first type may also be configured automatically by the device (node) where the file is located, according to preset rules, and the preset rules may be configured manually. For example, the preset rules may include: when the file is a photo, a tag corresponding to the first type is added to the file. When the device where the file is located detects that the file is a photo, it automatically adds the tag to the photo, and the tag indicates that the file conforms to the first type. Likewise, when the file does not include the tag, the file does not conform to the first type.
Optionally, the method further includes: receiving a second request from the second node, where the second request is used to request access to a second file in the first node, the second file includes a third access control list, and the third access control list includes an access control policy corresponding to the second node; the second file does not conform to the first type. In response to the second request, when it is determined, according to the access control policy corresponding to the second node in the third access control list, that the second node has access rights to the second file, returning a fourth request result of the second request to the second node, where the fourth request result indicates the access rights of the second node to the second file, or the return information for successful access to the second file, so that the second node can access the second file in the first node. Alternatively, when it is determined, according to the access control policy corresponding to the second node in the third access control list, that the second node does not have access rights to the second file, returning a fifth request result of the second request to the second node, where the fifth request result indicates that the second node cannot access the second file in the first node.
In one possible implementation, the copy of the first file is generated by copying the complete first file when the third node accesses the first file.
Alternatively, in another possible implementation, the copy of the first file is generated by copying the part of the first file that contains the first access control list when the third node accesses the first file.
For example, the part of the first file that contains the first access control list may be an extended attribute of the inode of the first file.
In still another possible implementation, the copy of the first file is generated by copying the first access control list in the first file when the third node accesses the first file.
Optionally, the return information that the second node succeeds in accessing the first file includes one or more of: context information of the first file, handle information of the first file.
Optionally, the first node, the second node, and the third node all belong to the same local area network; alternatively, the first node, the second node, and the third node all belong to the same distributed file system.
In a possible implementation, the access control policies corresponding to the second node in the first access control list and the second access control list being the same includes: the first access control list and the second access control list being identical.
Optionally, after the first request result of the first request is returned to the second node, the method further includes: recording an access record of the second node to the first file, where the access record includes the identification information of the second node and the path at which the second node stores a copy of the first file.
For the advantages of the sixteenth aspect, refer to the first aspect; they are not repeated here.
In a seventeenth aspect, the present application provides a file verification apparatus. The apparatus may be applied to an electronic device of a first node (such as a terminal device of the first node), so that the electronic device implements the file verification method according to the sixteenth aspect or any possible implementation of the sixteenth aspect. The functions of the apparatus may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the steps of the file verification method according to the sixteenth aspect or any possible implementation of the sixteenth aspect.
For example, the apparatus comprises a transceiver unit and a processing unit. The transceiver unit is configured to receive a first request from the second node, where the first request is used to request access to a first file in the first node, and the first file includes a first access control list. The transceiver unit is further configured to send the first access control list to the third node; the third node has accessed the first file, the third node includes a copy of the first file, and the copy of the first file includes a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. The transceiver unit is further configured to receive second information returned by the third node, where the second information indicates one of the following: the access control policies corresponding to the second node in the first access control list and the second access control list are the same and the second node has access rights to the first file; the access control policies corresponding to the second node in the first access control list and the second access control list are different; or the access control policies corresponding to the second node in the first access control list and the second access control list are the same and the second node does not have access rights to the first file. The processing unit is configured to return a request result of the first request to the second node through the transceiver unit according to the second information.
In an eighteenth aspect, the present application provides an electronic device; for example, the electronic device may be a terminal device of the first node. The electronic device includes a processor and a memory for storing processor-executable instructions; the processor is configured to execute the instructions to cause the electronic device to implement the file verification method according to the sixteenth aspect or any possible implementation of the sixteenth aspect.
In a nineteenth aspect, the present application provides a computer-readable storage medium having computer program instructions stored thereon; the computer program instructions, when executed by an electronic device, cause the electronic device to implement the file verification method according to the sixteenth aspect or any possible implementation of the sixteenth aspect.
In a twentieth aspect, the present application provides a computer program product comprising computer-readable code, or a non-transitory computer-readable storage medium carrying computer-readable code, which, when run in an electronic device, causes a processor in the electronic device to implement the file verification method according to the sixteenth aspect or any possible implementation of the sixteenth aspect.
For the advantageous effects of the seventeenth to twentieth aspects, refer to the sixteenth aspect; they are not repeated here.
In a twenty-first aspect, the present application provides a file verification method applied to a third node, where the third node has accessed a first file in a first node; the first node includes the first file, and the first file includes a first access control list; the third node includes a copy of the first file, and the copy of the first file includes a second access control list; the first access control list and the second access control list each include an access control policy corresponding to the second node. The method includes the following steps:
Receiving the first access control list from the first node, where the first access control list is sent by the first node after receiving a first request from the second node, and the first request is used to request access to the first file. Comparing whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and determining whether the second node has access rights to the first file, to obtain second information. Returning the second information to the first node, so that the first node returns a request result of the first request to the second node according to the second information.
In one possible implementation, a plurality of nodes have accessed the first file. The third node is the node with the highest device level among the plurality of nodes that have accessed the first file; or the third node is the node, among the plurality of nodes that have accessed the first file, whose historical access to the first file in the first node is closest in time to the first request; or the third node is the node with the highest computing power among the plurality of nodes that have accessed the first file.
In one possible implementation, the first file conforms to the first type.
By way of example, the first type may include one or more of the following: higher importance, higher security requirement, higher privacy, etc.
In some possible implementations, whether a file conforms to the first type may be actively configured by the user. For example, the user may add a tag to the file, and the tag indicates that the file conforms to the first type. When the file does not include the tag, the file does not conform to the first type.
In other possible implementations, whether a file conforms to the first type may also be configured automatically by the device (node) where the file is located, according to preset rules, and the preset rules may be configured manually. For example, the preset rules may include: when the file is a photo, a tag corresponding to the first type is added to the file. When the device where the file is located detects that the file is a photo, it automatically adds the tag to the photo, and the tag indicates that the file conforms to the first type. Likewise, when the file does not include the tag, the file does not conform to the first type.
In one possible implementation, the copy of the first file is generated by copying the complete first file when the third node accesses the first file.
Alternatively, in another possible implementation, the copy of the first file is generated by copying the part of the first file that contains the first access control list when the third node accesses the first file.
For example, the part of the first file that contains the first access control list may be an extended attribute of the inode of the first file.
In still another possible implementation, the copy of the first file is generated by copying the first access control list in the first file when the third node accesses the first file.
Optionally, the return information that the second node succeeds in accessing the first file includes one or more of: context information of the first file, handle information of the first file.
Optionally, the first node, the second node, and the third node all belong to the same local area network; alternatively, the first node, the second node, and the third node all belong to the same distributed file system.
In a possible implementation, the access control policies corresponding to the second node in the first access control list and the second access control list being the same includes: the first access control list and the second access control list being identical.
For the advantages of the twenty-first aspect, refer to the first aspect; they are not repeated here.
In a twenty-second aspect, the present application provides a file verification apparatus. The apparatus may be applied to an electronic device of a third node (such as a terminal device of the third node), so that the electronic device implements the file verification method according to the twenty-first aspect or any possible implementation of the twenty-first aspect. The functions of the apparatus may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the steps of the file verification method according to the twenty-first aspect or any possible implementation of the twenty-first aspect.
For example, the apparatus comprises a transceiver unit and a processing unit. The transceiver unit is configured to receive a first access control list from the first node, where the first access control list is sent by the first node after receiving a first request from the second node, and the first request is used to request access to the first file. The processing unit is configured to compare whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and to determine whether the second node has access rights to the first file, to obtain second information. The transceiver unit is further configured to return the second information to the first node, so that the first node returns a request result of the first request to the second node according to the second information.
In a twenty-third aspect, the present application provides an electronic device; for example, the electronic device may be a terminal device of the first node described above. The electronic device includes a processor and a memory for storing processor-executable instructions; the processor is configured to execute the instructions to cause the electronic device to implement the file verification method according to the twenty-first aspect or any possible implementation of the twenty-first aspect.
In a twenty-fourth aspect, the present application provides a computer-readable storage medium having computer program instructions stored thereon; the computer program instructions, when executed by an electronic device, cause the electronic device to implement the file verification method according to the twenty-first aspect or any possible implementation of the twenty-first aspect.
In a twenty-fifth aspect, the present application provides a computer program product comprising computer-readable code, or a non-transitory computer-readable storage medium carrying computer-readable code, which, when run in an electronic device, causes a processor in the electronic device to implement the file verification method according to the twenty-first aspect or any possible implementation of the twenty-first aspect.
For the advantageous effects of the twenty-second to twenty-fifth aspects, refer to the twenty-first aspect; they are not repeated here.
In a twenty-sixth aspect, the present application provides a distributed file system, comprising: a first node, a second node, and a third node. The first node includes a first file. The second node sends a first request to the first node, where the first request is used to request access to the first file, and the first file includes a first access control list. The first node obtains a copy of the first file from the third node, where the third node has accessed the first file, and the copy of the first file includes a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. In response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and it is determined that the second node has access rights to the first file, the first node returns a first request result of the first request to the second node. The first request result indicates the access rights of the second node to the first file, or the return information for successful access to the first file, so that the second node can access the first file in the first node.
Optionally, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are different, the first node returns a second request result of the first request to the second node, where the second request result indicates that the second node cannot access the first file in the first node.
Optionally, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and it is determined that the second node does not have access rights to the first file, the first node returns a third request result of the first request to the second node, where the third request result indicates that the second node cannot access the first file in the first node.
For the advantageous effects of the twenty-sixth aspect, refer to the first aspect; they are not repeated here.
It should be appreciated that the description of technical features, aspects, benefits or similar language in this application does not imply that all of the features and advantages may be realized with any single embodiment. Conversely, it should be understood that the description of features or advantages is intended to include, in at least one embodiment, the particular features, aspects, or advantages. Therefore, the description of technical features, technical solutions or advantageous effects in this specification does not necessarily refer to the same embodiment. Furthermore, the technical features, technical solutions and advantageous effects described in the present embodiment may also be combined in any appropriate manner. Those of skill in the art will appreciate that an embodiment may be implemented without one or more particular features, aspects, or benefits of a particular embodiment. In other embodiments, additional features and advantages may be recognized in certain embodiments that may not be present in all embodiments.
Drawings
FIG. 1 is a schematic diagram of a distributed file system according to an embodiment of the present disclosure;
FIG. 2 is a schematic structural diagram of a node according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of a document verification method according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of an application scenario provided in an embodiment of the present application;
FIG. 5 is another flow chart of a document verification method according to an embodiment of the present disclosure;
FIG. 6 is a schematic flow chart of a document verification method according to an embodiment of the present disclosure;
FIG. 7 is a schematic flow chart of a document verification method according to an embodiment of the present disclosure;
FIG. 8 is a schematic flow chart of a document verification method according to an embodiment of the present disclosure;
FIG. 9 is a schematic structural diagram of a document verification device according to an embodiment of the present application;
FIG. 10 is another schematic structural diagram of a document verification apparatus according to an embodiment of the present disclosure;
FIG. 11 is a schematic diagram of another structure of a document verification apparatus according to an embodiment of the present disclosure;
FIG. 12 is a schematic diagram of another structure of a document verification apparatus according to an embodiment of the present disclosure;
FIG. 13 is a schematic structural diagram of a document verification apparatus according to an embodiment of the present application.
Detailed Description
The terminology used in the following embodiments is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification and the appended claims, the singular forms "a," "an," and "the" are intended to also include expressions such as "one or more," unless the context clearly indicates otherwise. It should also be understood that in the various embodiments herein below, "at least one" and "one or more" mean one, two, or more than two. The character "/" generally indicates that the objects before and after it are in an "or" relationship.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise. The term "coupled" includes both direct and indirect connections, unless stated otherwise.
The terms "first" and "second" are used below for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature.
In the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as examples, illustrations, or descriptions. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
A distributed file system (distributed file system, DFS) is a file system that allows files to be shared across a network on multiple hosts, supporting sharing of files and storage space between multiple hosts.
In some embodiments, a host in a distributed file system may include: one or more of a terminal device, a server or a virtual machine (VM), etc. The terminal device may include: a mobile phone, a tablet computer, a smart television, a router, a car machine, a watch, a desktop computer, a laptop computer, a handheld computer, a notebook computer, an ultra-mobile personal computer (ultra-mobile personal computer, UMPC), a netbook, a cellular phone, a personal digital assistant (personal digital assistant, PDA), an augmented reality (augmented reality, AR)/virtual reality (virtual reality, VR) device, and the like. The specific form of the terminal device is not particularly limited in the embodiments of the present application.
For example, in one possible implementation scenario, devices such as a mobile phone, a tablet, a smart television, a router, a car machine, a watch, etc. may form a distributed file system; each device may serve as a host in the distributed file system, and files and storage space may be shared between different devices. For example, the mobile phone can access the files in the tablet, the smart television can access the files in the mobile phone, and the like.
In a distributed file system, each host may be considered a node (or storage node) of the distributed file system. When a node requests to access a file, if the node holds the file locally, the file can be accessed directly from local storage; if the file is not available locally, the file may be accessed over the network from other nodes in the distributed file system that hold the file.
The embodiment of the application provides a file verification method which can be applied to the distributed file system. In the method, each file stored by each node in the distributed file system may include an access control list (access control list, ACL) corresponding to the file, and each access control list may include one or more access control policies (also referred to as access control rules) corresponding to the file. The access control policies in the access control list are used to determine access rights to the file.
Take as an example a first node in the distributed file system that includes a first file, where the first file may include a first access control list. When a second node in the distributed file system requests to access the first file in the first node, the first node may obtain a copy of the first file from a third node that has accessed the first file, and the copy of the first file may include a second access control list. The first access control list and the second access control list may each include an access control policy corresponding to the second node. The first node may compare whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same (also referred to as consistent).
When the access control policies corresponding to the second node in the first access control list and the second access control list are the same, the first node may determine whether the second node has permission to access the first file (i.e. whether the second node has access permission to the first file) according to the access control policy corresponding to the second node in the first access control list, and return a corresponding access result to the second node.
When the access control policies corresponding to the second node in the first access control list and the second access control list are different, the first node can directly return an access result of refusing access to the second node. The copy of the first file is copied from the first node when the third node accesses the first file.
The method can strengthen access control over the files stored in the distributed file system and enhance the security of the files stored in the distributed file system.
The document verification method provided in the embodiment of the present application is described below in detail with reference to a specific example.
Illustratively, FIG. 1 is a schematic diagram of the composition of a distributed file system according to an embodiment of the present application. As shown in FIG. 1, the distributed file system may include N nodes, such as node 1, node 2, …, and node N, where N is an integer greater than or equal to 3. Any two of the N nodes can be connected through a wired network or a wireless network.
In the distributed file system shown in fig. 1, each file stored in each node may include an access control list corresponding to the file, and each access control list corresponding to the file may include one or more access control policies. The access control policies in the access control list are used to determine access rights to the file.
The file verification method provided by the embodiment of the application can be applied to the distributed file system shown in FIG. 1. The first node in the method may be any one of the N nodes shown in FIG. 1, the second node may be any node other than the first node, and the third node is a node, among the nodes other than the first node and the second node, that has accessed the first file on the first node.
Optionally, the wireless communication protocol used when the two nodes establish a connection in a wireless manner may be a wireless fidelity (wireless fidelity, Wi-Fi) protocol, a Bluetooth protocol, a ZigBee protocol, a near field communication (near field communication, NFC) protocol, various cellular network protocols, or the like, which are not particularly limited herein.
Taking a certain node in the distributed file system as an example of a mobile phone, fig. 2 is a schematic structural diagram of the node according to an embodiment of the present application. As shown in fig. 2, the node may include: processor 210, external memory interface 220, internal memory 221, universal serial bus (universal serial bus, USB) interface 230, charge management module 240, power management module 241, battery 242, antenna 1, antenna 2, mobile communication module 250, wireless communication module 260, audio module 270, speaker 270A, receiver 270B, microphone 270C, headset interface 270D, sensor module 280, keys 290, motor 291, indicator 292, camera 293, display 294, and subscriber identity module (subscriber identification module, SIM) card interface 295, among others.
Processor 210 may include one or more processing units such as, for example: the processor 210 may include an application processor (application processor, AP), a modem processor, a graphics processor (graphics processing unit, GPU), an image signal processor (image signal processor, ISP), a controller, a memory, a video codec, a digital signal processor (digital signal processor, DSP), a baseband processor, and/or a neural network processor (neural-network processing unit, NPU), etc. Wherein the different processing units may be separate devices or may be integrated in one or more processors.
The controller can be a neural center and a command center of the electronic device. The controller can generate operation control signals according to the instruction operation codes and the time sequence signals to finish the control of instruction fetching and instruction execution.
A memory may also be provided in the processor 210 for storing instructions and data. In some embodiments, the memory in the processor 210 is a cache memory. The memory may hold instructions or data that the processor 210 has just used or recycled.
In some embodiments, processor 210 may include one or more interfaces. The interfaces may include an integrated circuit (inter-integrated circuit, I2C) interface, an integrated circuit built-in audio (inter-integrated circuit sound, I2S) interface, a pulse code modulation (pulse code modulation, PCM) interface, a universal asynchronous receiver transmitter (universal asynchronous receiver/transmitter, UART) interface, a mobile industry processor interface (mobile industry processor interface, MIPI), a general-purpose input/output (GPIO) interface, a subscriber identity module (subscriber identity module, SIM) interface, and/or a universal serial bus (universal serial bus, USB) interface, among others.
It should be understood that the connection relationship between the modules illustrated in this embodiment is only illustrative, and does not limit the structure of the node. In other embodiments, the node may also use different interfacing manners in the foregoing embodiments, or a combination of multiple interfacing manners.
The charge management module 240 is configured to receive a charge input from a charger. The charging management module 240 may also provide power to the electronic device through the power management module 241 while charging the battery 242.
The power management module 241 is used for connecting the battery 242, and the charge management module 240 and the processor 210. The power management module 241 receives input from the battery 242 and/or the charge management module 240 and provides power to the processor 210, the internal memory 221, the external memory, the display 294, the camera 293, the wireless communication module 260, and the like. The power management module 241 may also be configured to monitor battery capacity, battery cycle times, battery health (leakage, impedance), and other parameters. In other embodiments, the power management module 241 may also be disposed in the processor 210. In other embodiments, the power management module 241 and the charge management module 240 may be disposed in the same device.
The wireless communication function of the electronic device may be implemented by the antenna 1, the antenna 2, the mobile communication module 250, the wireless communication module 260, a modem processor, a baseband processor, and the like.
The antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. The mobile communication module 250 may provide a solution for wireless communication including 2G/3G/4G/5G etc. applied on the node. The mobile communication module 250 may include at least one filter, switch, power amplifier, low noise amplifier (low noise amplifier, LNA), etc. The mobile communication module 250 may receive electromagnetic waves from the antenna 1, perform processes such as filtering, amplifying, and the like on the received electromagnetic waves, and transmit the processed electromagnetic waves to the modem processor for demodulation. The mobile communication module 250 can amplify the signal modulated by the modem processor, and convert the signal into electromagnetic waves through the antenna 1 to radiate. In some embodiments, at least some of the functional modules of the mobile communication module 250 may be disposed in the processor 210. In some embodiments, at least some of the functional modules of the mobile communication module 250 may be provided in the same device as at least some of the modules of the processor 210.
The modem processor may include a modulator and a demodulator. In some embodiments, the modem processor may be a stand-alone device. In other embodiments, the modem processor may be provided in the same device as the mobile communication module 250 or other functional module, independent of the processor 210.
The wireless communication module 260 may provide solutions for wireless communication including wireless local area network (wireless local area networks, WLAN) (e.g., wireless fidelity (wireless fidelity, Wi-Fi) network), Bluetooth (BT), global navigation satellite system (global navigation satellite system, GNSS), frequency modulation (frequency modulation, FM), near field wireless communication technology (near field communication, NFC), infrared technology (IR), etc. as applied at the node. The wireless communication module 260 may be one or more devices that integrate at least one communication processing module. The wireless communication module 260 receives electromagnetic waves via the antenna 2, modulates the electromagnetic wave signals, filters the electromagnetic wave signals, and transmits the processed signals to the processor 210. The wireless communication module 260 may also receive a signal to be transmitted from the processor 210, frequency modulate it, amplify it, and convert it to electromagnetic waves for radiation via the antenna 2.
In some embodiments, the node's antenna 1 and mobile communication module 250 are coupled, and the antenna 2 and wireless communication module 260 are coupled, so that the node can communicate with the network and other nodes through wireless communication techniques. The wireless communication techniques may include the Global System for Mobile communications (global system for mobile communications, GSM), general packet radio service (general packet radio service, GPRS), code division multiple access (code division multiple access, CDMA), wideband code division multiple access (wideband code division multiple access, WCDMA), time division code division multiple access (time-division code division multiple access, TD-SCDMA), long term evolution (long term evolution, LTE), BT, GNSS, WLAN, NFC, FM, and/or IR techniques, among others. The GNSS may include a global satellite positioning system (global positioning system, GPS), a global navigation satellite system (global navigation satellite system, GLONASS), a beidou satellite navigation system (beidou navigation satellite system, BDS), a quasi zenith satellite system (quasi-zenith satellite system, QZSS) and/or a satellite based augmentation system (satellite based augmentation systems, SBAS). For example, in the embodiment of the present application, the first node may establish a wireless connection with the second node, the third node, and the like through a wireless communication technology using the wireless communication module 260. Based on the established wireless connection, the first node may send information or messages to the second node, the third node, etc., and may also receive information or messages from the second node, the third node, etc.
The nodes may implement display functions via GPUs, display screens 294, application processors, and the like. The GPU is a microprocessor for image processing, and is connected to the display screen 294 and the application processor. Processor 210 may include one or more GPUs that execute program instructions to generate or change display information.
The display 294 is used to display images, videos, and the like. The display 294 includes a display panel. The display panel may employ a liquid crystal display (liquid crystal display, LCD), an organic light-emitting diode (OLED), an active-matrix organic light emitting diode (AMOLED), a flexible light-emitting diode (flex), a mini, a Micro-OLED, a quantum dot light-emitting diode (quantum dot light emitting diodes, QLED), or the like. In some embodiments, a node may include 1 or N displays 294, N being a positive integer greater than 1.
The nodes may implement photographing functions through ISPs, cameras 293, video codecs, GPUs, display screens 294, application processors, and the like. The ISP is used to process the data fed back by the camera 293. In some embodiments, the ISP may be provided in the camera 293. The camera 293 is used to capture still images or video. In some embodiments, a node may include 1 or N cameras 293, N being a positive integer greater than 1. Video codecs are used to compress or decompress digital video. The electronic device may support one or more video codecs.
The external memory interface 220 may be used to connect an external memory card, such as a Micro SD card, to enable expansion of the memory capabilities of the node. The external memory card communicates with the processor 210 through an external memory interface 220 to implement data storage functions. For example, files such as music, video, etc. are stored in an external memory card.
Internal memory 221 may be used to store computer executable program code that includes instructions. The processor 210 executes various functional applications of the node and data processing by executing instructions stored in the internal memory 221. For example, in the present embodiment, the processor 210 may establish a connection with other nodes and interact data with other nodes through the wireless communication module 260 by executing instructions stored in the internal memory 221. The internal memory 221 may include a storage program area and a storage data area. The storage program area may store an application program (such as a sound playing function, an image playing function, etc.) required for at least one function of the operating system, etc. The storage data area may store data created during use of the electronic device (e.g., audio data, phonebook, etc.), and so forth. In addition, the internal memory 221 may include a high-speed random access memory, and may further include a nonvolatile memory such as at least one magnetic disk storage device, a flash memory device, a universal flash memory (universal flash storage, UFS), and the like.
The nodes may implement audio functions through audio module 270, speaker 270A, receiver 270B, microphone 270C, headphone interface 270D, and an application processor, among others. Such as talking, music playing, recording, etc.
The sensor module 280 may include a pressure sensor 280A, a gyroscope sensor 280B, a barometric pressure sensor 280C, a magnetic sensor 280D, an acceleration sensor 280E, a distance sensor 280F, a proximity sensor 280G, a fingerprint sensor 280H, a temperature sensor 280J, a touch sensor 280K, an ambient light sensor 280L, a bone conduction sensor 280M, and the like.
It will be appreciated that the structure of the node shown in fig. 2 does not constitute a specific limitation on the node. In other embodiments, when the node in the distributed file system is a server or virtual machine, a tablet, a smart television, a router, a car machine, a watch, a desktop computer, a laptop computer, a handheld computer, a notebook computer, an ultra mobile personal computer, a netbook, and other devices such as a cellular telephone, a personal digital assistant, an augmented reality/virtual reality device, the node may include more or fewer components than those shown in FIG. 2, or may combine certain components, split certain components, or a different arrangement of components. The components shown in fig. 2 may be implemented in hardware, software, or a combination of software and hardware. The embodiment of the application does not limit the specific structure of the nodes in the distributed file system.
Optionally, the operating system of a node in the distributed file system may be the Hongmeng™ (Harmony) system, the Android™ system, the iOS™ system, the Windows™ system, the Mac™ system, the Linux™ system, EMUI™, the Android Wear™ system, Lite OS™, the Tizen™ system, the watchOS™ system, etc. Alternatively, some nodes may have no operating system. Neither case is limited here.
Taking as an example the case where a first node in the distributed file system includes a first file and a second node requests to access the first file in the first node, FIG. 3 is a flowchart of a file verification method provided in an embodiment of the present application. As shown in FIG. 3, the method may include:
S301, a second node sends a first request to a first node, wherein the first request is used for requesting access to a first file, and the first file comprises a first access control list.
Optionally, the first request may include identification information of the first file, such as: file name of the first file, file path, etc.
One or more access control policies may be included in the first access control list, for example, an access control policy corresponding to the second node.
Accordingly, the first node receives a first request from the second node.
The first file may be a picture, a document, a video file, a music file, or the like, or may be a folder or an access page, or the like, which is not limited in the specific type of the first file.
S302, the first node acquires a copy of the first file from the third node, wherein the copy of the first file comprises a second access control list.
The third node is a node which has previously accessed the first file, and the copy of the first file is copied from the first node when the third node accesses the first file. It should be understood that "before" as used herein may refer to before the first node receives the first request, i.e., before the first node receives the request from the second node to access the first file.
For example, the third node may obtain and save a copy of the first file from the first node when accessing the first file in the first node. For example, the first node may copy the first file to generate a copy of the first file and send the copy of the first file to the third node.
In this embodiment, each file stored by each node in the distributed file system may include an access control list corresponding to the file (for example, the first file), and when other nodes copy the file, the copies of the file that are generated may also include the access control list corresponding to the file. For example, the copy of the first file generated when the third node copies the first file may also include the access control list of the first file; for distinction, the access control list in the copy of the first file may be referred to as a second access control list. One or more access control policies may also be included in the second access control list, for example, an access control policy corresponding to the second node.
In some embodiments, the access control list corresponding to each file stored by each node in the distributed file system may be stored in the extended attributes of the index node (inode) of that file. The index node of the file stores meta information related to the file; for example, the meta information may include the number of bytes of the file, identification information of the owner of the file, a timestamp of the file, and the like.
For example, taking the first file as an example, the first access control list may be stored in an extended attribute of an inode of the first file. Taking the operating system of the first node as the Linux system as an example, the extended attribute of the inode of the first file may be "system. The first node may configure an access control policy of the first file by calling a "setacl()" method, and convert the access control policy into an extended attribute stored in the extended attribute "system_place_access" of the inode of the first file by calling a "setxattr()" method. When the first node receives the first request of the second node, the first node can acquire the access control policy of the first file by calling a "getacl()" method, and convert the extended attribute stored in the inode of the first file into a specific access control policy by calling a "getxattr()" method.
In one possible implementation, the copy of the first file may be generated by copying the complete first file when the third node accesses the first file. That is, the copy of the first file includes all information in the first file, such as: attributes of the first file, extended attributes of the first file, contents of the first file, and the like.
Alternatively, in another possible implementation manner, the copy of the first file may be generated by copying a portion of the first file that includes the first access control list when the third node accesses the first file. That is, the copy of the first file may include only the part of the file that contains the first access control list. For example, the aforementioned part of the file containing the first access control list may be an extended attribute of an inode of the first file.
In still another possible implementation manner, the copy of the first file may be generated by copying the first access control list in the first file when the third node accesses the first file. That is, only the first access control list (referred to as the second access control list in the copy of the first file) may be included in the copy of the first file.
Optionally, in the embodiment of the present application, each node in the distributed file system may maintain an access record for each stored file, where the access record of each file records identification information (such as a device name, a device number, etc.) of the other nodes that have accessed the file, and the paths at which those nodes store a copy of the file. For example, when the third node accesses the first file in the first node, the first node may add a record of the third node's access to the first file in the access record of the first file, in which the identification information of the third node and the path at which the third node stores the copy of the first file are recorded.
Illustratively, in one possible implementation, the data structure of the access record maintained by each node in the distributed file system for each file stored may be as follows:
Figure BDA0003367858050000191
wherein "struct access_list" represents an access record; "unsigned int a_count" represents the number of access records; "struct access_list_entries" is used to mark specific access records; "int device_id" means device identification information of a node for identifying a device having accessed the file; "char path_name" indicates a path for storing a copy of a file on a node (device) identified by "int device_id".
In S302, when the first node obtains the copy of the first file from the third node, the copy of the first file may be obtained from the third node by querying the access record of the first file, according to the identification information of the third node and the path of the third node storing the copy of the first file.
S303, the first node determines a request result of the first request according to the access control strategy corresponding to the second node in the first access control list and the access control strategy corresponding to the second node in the second access control list.
In S303, after the first node obtains the copy of the first file from the third node, the first node may compare whether the access control policies corresponding to the second nodes included in the first access control list and the second access control list are the same, for example: the access control policy corresponding to the second node in the first access control list may be referred to as a first access control policy, the access control policy corresponding to the second node in the second access control list may be referred to as a second access control policy, and the first node may compare whether the first access control policy and the second access control policy are the same.
When the access control policies corresponding to the second nodes included in the first access control list and the second access control list are the same, the first node may further determine whether the second node has access rights to the first file according to the access control policy corresponding to the second node in the first access control list.
In one possible implementation, an access control policy may be represented by "<tag, perm, id>", where "tag" represents the type of the object corresponding to "id", "perm" represents the access rights granted to the object corresponding to "id", and "id" is identification information of a specified user (e.g., uid) or a specified user group (e.g., gid). For example, the specified user may be an application running on the second node, and the specified user group may be a type of application running on the second node. "perm" may include three types of access rights: "read" ("r"), "write" ("w"), and "execute" ("x"). In the first access control list, the access rights ("perm") of the object corresponding to the "id" in each access control policy to the first file may be expressed as a combination of the three types "r", "w", and "x".
Optionally, the access control policy corresponding to the second node may include: an access control policy whose "id" is the identification information of the second node or the identification information of an application running on the second node.
For example, "perm" in one possible access control policy may be "rwxr--r--", where "-" indicates that there is no corresponding access right, "rwx" indicates that the access rights of the owner of the first file to the first file include "read", "write", and "execute", the first "r--" indicates that the access rights of users in the same group as the owner of the first file to the first file include "read", and the second "r--" indicates that the access rights of other users or groups to the first file include "read".
According to the above manner, the first node may determine, according to the access control policy corresponding to the second node in the first access control list, whether the second node has access rights to the first file, for example: when the access right of the second node to the first file includes at least one of the above-mentioned "read", "write", and "execute", the first node may determine that the second node has the access right to the first file.
In one possible implementation scenario, the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and the second node has access rights to the first file. For this scenario, the first node may determine that the request result of the first request is an access result corresponding to the access rights possessed by the second node; this access result may be referred to as a first request result. The first request result may indicate the access rights of the second node to the first file or return information that the first file is successfully accessed, so that the second node may access the first file in the first node. Illustratively, the return information that the second node successfully accesses the first file may include one or more of: context information of the first file, handle information of the first file, and the like, which is not limited herein.
For example, if the second node's access rights to the first file include only "read", the first request result may include the first file allowing only read operations; if the access authority of the second node to the first file includes "read" and "write", the first request result may include the first file allowing the read-write operation, and the like, which will not be described in detail.
In another possible implementation scenario, the access control policies corresponding to the second node in the first access control list and the second access control list are different. For this scenario, the first node may directly determine that the request result of the first request is to deny the second node access to the first file; this request result may be referred to as a second request result. The second request result may indicate that the second node cannot access the first file in the first node. For example, the second request result may be a message indicating that access is denied or that access failed. The second request result is an access result of access denial.
Illustratively, the access control policies corresponding to the second nodes respectively included in the first access control list and the second access control list are different, and may include: the content of the access control policy corresponding to the second node in the first access control list is not identical to the content of the access control policy corresponding to the second node in the second access control list, for example, the access authority of the second node given by the access control policy corresponding to the second node in the first access control list to the first file is "read", but the access authority of the second node given by the access control policy corresponding to the second node in the second access control list to the first file is "read" and "write", which indicates that the access control policies corresponding to the second nodes respectively included in the first access control list and the second access control list are different. When the access control policies corresponding to the second nodes respectively included in the first access control list and the second access control list are different, the first node can determine that the request result of the first request is the second request result no matter whether the second node has access rights to the first file.
Optionally, when the access control policies corresponding to the second nodes included in the first access control list and the second access control list are different, the first node may not determine whether the second node has access rights to the first file according to the access control policy corresponding to the second node in the first access control list.
In still another possible implementation scenario, the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and the second node does not have access rights to the first file. For this scenario, the first node may determine that the request result of the first request is likewise to deny the second node access to the first file; this request result may be referred to as a third request result. The third request result may indicate that the second node cannot access the first file in the first node. For example, the third request result may also be a message indicating that access is denied or that access failed. Optionally, the third request result may be the same as or different from the second request result.
Illustratively, the second node does not have access to the first file, and may include: the second node has neither the right to "read" and "write" the first file nor the right to "execute" the first file.
As described above, in S303, the first node may determine a request result of the first request according to the access control policy corresponding to the second node in the first access control list and the access control policy corresponding to the second node in the second access control list, where the request result of the first request may include any one of the following three types: a first request result, a second request result, and a third request result. After determining the request result of the first request, the first node may respond to the first request and send the request result of the first request to the second node. For example, S304 may be performed.
S304, responding to the first request, and returning a request result of the first request to the second node by the first node.
It is understood that the request result of the first request returned by the first node to the second node in S304 may be any one of the first request result, the second request result, and the third request result.
When the first node returns the first request result to the second node, the second node may access the first file according to the access rights of the second node to the first file, for example, by performing read and write operations on the first file. When the first node returns the second request result or the third request result to the second node, the second node cannot access the first file, regardless of whether the second node has access rights to the first file.
In the file verification method provided by the embodiment of the present application, when the access control policy corresponding to the second node in the first access control list included in the first file is the same as the access control policy corresponding to the second node in the second access control list included in the copy of the first file, and the first node determines that the second node has access rights to the first file, the first node returns to the second node an access result corresponding to the access rights of the second node (i.e., the first request result). In this way, the access control strength for files (such as the first file) stored in the distributed file system can be improved, and the security of the files stored in the distributed file system can be enhanced.
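The S303 decision can be written down compactly. The following C sketch is an added example, not code from the patent: the type and function names, the bit encoding of "perm", and the rule that a policy present in only one list counts as a difference are all assumptions of the example, and the sample lists are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Bits for the "perm" field of a <tag, perm, id> policy (assumed encoding). */
enum { PERM_R = 4, PERM_W = 2, PERM_X = 1 };

/* Object type named by "tag" (assumed encoding). */
enum acl_tag { TAG_USER, TAG_GROUP };

struct acl_entry {
    enum acl_tag tag;
    unsigned perm;   /* OR of PERM_R / PERM_W / PERM_X */
    unsigned id;     /* uid or gid, depending on tag */
};

struct acl {
    size_t count;
    const struct acl_entry *entries;
};

/* The three request results of S303 (names are illustrative). */
enum request_result {
    RESULT_GRANTED,          /* first: policies agree and grant access */
    RESULT_DENIED_MISMATCH,  /* second: policies differ between file and copy */
    RESULT_DENIED_NO_PERM    /* third: policies agree but grant nothing */
};

/* Find the policy for (tag, id); NULL when the list has none. */
static const struct acl_entry *acl_find(const struct acl *a,
                                        enum acl_tag tag, unsigned id)
{
    for (size_t i = 0; i < a->count; i++)
        if (a->entries[i].tag == tag && a->entries[i].id == id)
            return &a->entries[i];
    return NULL;
}

/*
 * local  : first access control list (from the first file)
 * remote : second access control list (from the third node's copy), or
 *          NULL when no copy exists because no node has accessed the file
 * granted: receives the permission bits when access is granted, else 0
 */
enum request_result check_request(const struct acl *local,
                                  const struct acl *remote,
                                  enum acl_tag tag, unsigned id,
                                  unsigned *granted)
{
    const struct acl_entry *l = acl_find(local, tag, id);

    *granted = 0;
    if (remote) {
        const struct acl_entry *r = acl_find(remote, tag, id);
        /* Assumption: a policy present on one side only is a difference. */
        if ((l == NULL) != (r == NULL))
            return RESULT_DENIED_MISMATCH;
        if (l && l->perm != r->perm)
            return RESULT_DENIED_MISMATCH;  /* decided before looking at perm */
    }
    if (!l || (l->perm & (PERM_R | PERM_W | PERM_X)) == 0)
        return RESULT_DENIED_NO_PERM;

    *granted = l->perm;
    return RESULT_GRANTED;
}

/* Constructed sample lists: id 1001 stands for the requesting second node. */
static const struct acl_entry file_entries[] = {
    { TAG_USER, PERM_R, 1001 },
    { TAG_USER, 0,      1002 },
};
static const struct acl_entry same_entries[] = {
    { TAG_USER, PERM_R, 1001 },
    { TAG_USER, 0,      1002 },
};
static const struct acl_entry diff_entries[] = {
    { TAG_USER, PERM_R | PERM_W, 1001 },  /* "read" vs "read" and "write" */
    { TAG_USER, 0,               1002 },
};
static const struct acl FILE_ACL  = { 2, file_entries };
static const struct acl COPY_SAME = { 2, same_entries };
static const struct acl COPY_DIFF = { 2, diff_entries };

int main(void)
{
    unsigned g;

    printf("matching copy : %d\n",
           check_request(&FILE_ACL, &COPY_SAME, TAG_USER, 1001, &g));
    printf("differing copy: %d\n",
           check_request(&FILE_ACL, &COPY_DIFF, TAG_USER, 1001, &g));
    printf("no permission : %d\n",
           check_request(&FILE_ACL, &COPY_SAME, TAG_USER, 1002, &g));
    return 0;
}
```

A mismatch does not reveal which of the two lists was altered, so the check denies the request rather than trusting either side.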
For example, in some possible scenarios, the first file or the first access control list included in the first file may be tampered with by an attacker, and in the method, confidentiality of the first file may be ensured by introducing the third node as a third-party cross-validation node, so that an unauthorized node is prevented from intentionally or unintentionally uncovering the content of the first file. The distributed file system can effectively improve the security of the file by applying the file verification method provided by the embodiment of the application.
Fig. 4 is a schematic diagram of an application scenario provided in an embodiment of the present application. As shown in fig. 4, in one possible application scenario, the distributed file system may include: a network attached storage (NAS) server 410, a mobile phone 420, a computer 430, and a television 440. Any two devices among the network attached storage server 410, the mobile phone 420, the computer 430, and the television 440 may be connected through a wired network or a wireless network.
The network attached storage server 410, the mobile phone 420, the computer 430, and the television 440 may form a distributed file system, each device may be a host (i.e., a node) in the distributed file system, and different devices may share files and storage space. For example, the mobile phone 420 can access files stored in the network attached storage server 410, the computer 430, and the television 440, respectively, and the computer 430 can access files stored in the network attached storage server 410, the mobile phone 420, and the television 440, respectively, and so on.
In one possible implementation, the network attached storage server 410 may be the first node described in the foregoing embodiment, and the first file stored in the network attached storage server 410 may be a photograph. The mobile phone 420 may be the second node described in the foregoing embodiments, and the computer 430 or the television 440 may be the third node described in the foregoing embodiments.
For example, an application may be running on the mobile phone 420, and the user may perform an operation of opening the first file on an interface of the application. The mobile phone 420 may acquire and open the first file in response to an operation of opening the first file.
When the mobile phone 420 locally stores the first file, the mobile phone 420 may directly open the first file.
When the mobile phone 420 does not have the first file locally, the mobile phone 420 may send a first request to the network attached storage server 410 requesting access to the first file. After the network attached storage server 410 receives the first file, a copy of the first file may be obtained from the computer 430 or the television 440. The network attached storage server 410 may compare whether the access control policy corresponding to the mobile phone 420 in the first access control list included in the first file is the same as the access control policy corresponding to the mobile phone 420 in the second access control list included in the copy of the first file. When the two are the same, the network attached storage server 410 may determine whether the mobile phone 420 has access rights to the first file according to the access control policy corresponding to the mobile phone 420 in the first access control list, and when the mobile phone 420 has access rights to the first file, return a first request result to the mobile phone 420, where the first request result may indicate the access rights of the mobile phone 420 to the first file or return information that the access to the first file is successful, so that the mobile phone 420 may access the first file in the network attached storage server 410.
When the mobile phone 420 does not have access rights to the first file, or when the access control policy corresponding to the mobile phone 420 in the first access control list is different from the access control policy corresponding to the mobile phone 420 in the second access control list, the network attached storage server 410 may return a second request result or a third request result to the mobile phone 420, where both the second request result and the third request result may indicate that the mobile phone 420 cannot access the first file in the network attached storage server 410.
In this example, the first file or the first access control list included in the first file may be tampered with by an attacker. By introducing the computer 430 or the television 440 as a third-party cross-validation node, the network attached storage server 410 performs access control on the first file: when the access control policy corresponding to the mobile phone 420 in the first access control list included in the first file is the same as the access control policy corresponding to the mobile phone 420 in the second access control list included in the copy of the first file, and the network attached storage server 410 determines, according to the access control policy corresponding to the mobile phone 420 in the first access control list, that the mobile phone 420 has access rights to the first file, it returns a first request result to the mobile phone 420. This improves the access control strength for the first file, enhances the security of the first file, and prevents an unauthorized node from intentionally or unintentionally uncovering the content of the first file.
The example given in fig. 4 is only one possible implementation scenario of a distributed file system, and in other possible examples, the implementation scenario of the distributed file system may also be a scenario in which at least three terminal devices perform multi-device collaboration. For example, a plurality of (e.g., at least three) terminal devices such as a mobile phone, a tablet computer, a personal computer (personal computer, PC), a smart home device (e.g., a television) may be cooperatively used, and a scenario in which a plurality of terminal devices cooperate may be referred to as a multi-device cooperation scenario. In a multi-device collaboration scenario, a user may have multiple devices that can cooperate, such as: terminal device 1, terminal device 2, terminal device 3, etc. Wherein the terminal device 1 may comprise a first file, the terminal device 1 may be a first node as described in the previous embodiments, the terminal device 2 may be a second node as described in the previous embodiments, the terminal device 3 may be a third node as described in the previous embodiments, etc. The embodiment of the application does not limit the specific implementation scene of the distributed file system.
Alternatively, the first node, the second node, and the third node described in the embodiments of the present application may belong to a distributed file system, or belong to a local area network.
It should be understood that any node in the distributed file system may be used as the first node in the present application, for example, when there is a request from node 1 to access the first file in node 2, node 2 is the first node described in the foregoing embodiment, and node 1 is the second node described in the foregoing embodiment. Alternatively, when there is a request from the node 2 to access the first file in the node 1, the node 1 is the first node described in the foregoing embodiment, and the node 2 is the second node described in the foregoing embodiment.
In some embodiments, the present application may add a security module by using the Linux security module (LSM) framework in the kernel of the operating system of each node in the distributed file system, where the function of the first node described in the foregoing embodiment may be implemented by the security module when the node is used as the first node. The LSM is a lightweight general access control framework of the Linux kernel that allows different security access control models to be implemented in the form of Linux loadable kernel modules, so that a user can select a suitable security module to load into the Linux kernel according to the user's requirements, which greatly improves the flexibility and usability of the Linux security access control mechanism.
The above embodiment describes an example in which the first node first compares whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same and, when they are the same, further determines whether the second node has access rights to the first file according to the access control policy corresponding to the second node in the first access control list. In other embodiments, after the first node obtains the copy of the first file from the third node, it may instead first determine, according to the access control policy corresponding to the second node in the first access control list, whether the second node has access rights to the first file, and then compare whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same.
For example, the first node may first determine, according to an access control policy corresponding to the second node in the first access control list, whether the second node has access rights to the first file. When the second node has access rights to the first file, the second node may compare whether access control policies corresponding to the second node in the first access control list and the second access control list are the same.
Optionally, when the second node does not have access to the first file, the second node may not compare whether the access control policies corresponding to the second nodes in the first access control list and the second access control list are the same.
Alternatively, in some embodiments, the step of determining, by the first node, whether the second node has access rights to the first file according to the access control policy corresponding to the second node in the first access control list may be performed simultaneously with the step of comparing whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same, or may be performed before the step of the first node obtaining the copy of the first file from the third node, where the order of execution between the steps is not limited in this application.
Optionally, in some embodiments, when the access control policies corresponding to the second nodes included in the first access control list and the second access control list are the same, the first node may also determine whether the second node has access rights to the first file according to the access control policy corresponding to the second node in the second access control list, which is not limited in this application.
Optionally, the first node returning the first request result to the second node indicates that the second node has successfully accessed the first file in the first node. For this access, the first node may continue to maintain the access record of the first file by recording the access of the second node to the first file. When other nodes access the first file later, the second node can also serve as the third node to provide a copy of the first file for the first node.
For example, after the first request result of the first request is returned to the second node, the method further includes: recording an access record of the second node to the first file, wherein the access record of the second node to the first file comprises: the identification information of the second node, and a path along which the second node stores a copy of the first file.
In a possible implementation manner, the step that the first node compares whether the access control policies corresponding to the second nodes included in the first access control list and the second access control list are the same may include: the first node compares whether the first access control list and the second access control list are identical, and when the first access control list and the second access control list are identical, the access control strategies corresponding to the second nodes respectively included in the first access control list and the second access control list are identical. For example, when the number and contents of the access control policies in the first access control list and the access control policies in the second access control list are identical, it may be determined that the first access control list and the second access control list are identical.
In this implementation manner, when the first access control list and the second access control list are the same, the first node may further determine whether the second node has access rights to the first file according to an access control policy corresponding to the second node in the first access control list, and when determining that the second node has access rights to the first file, return, to the second node, an access result corresponding to the access rights provided by the second node, e.g., the first request result.
Optionally, when the first access control list and the second access control list are different, the access control policy corresponding to the second node in the first access control list and the access control policy corresponding to the second node in the second access control list may be the same or different. The first node may further compare whether the access control policies corresponding to the second nodes included in the first access control list and the second access control list are the same, and perform the subsequent steps in the manner described in the foregoing embodiments.
In some possible implementation scenarios, when the first node obtains a copy of the first file, the node that accessed the first file may include one or more. When the node accessing the first file includes one node, the only node accessing the first file is the third node. When the node that accessed the first file includes a plurality (e.g., at least two) of nodes, the first node may select one from the plurality of nodes that accessed the first file as the third node.
In a possible implementation, when the node that has accessed the first file includes a plurality of nodes, the first node may arbitrarily (randomly) select one from the plurality of nodes that have accessed the first file as the third node.
In another possible implementation manner, when the nodes that accessed the first file include a plurality of nodes, the first node may select, as the third node, the node that most recently accessed the first file. That is, the first node may select, from among the plurality of nodes that have accessed the first file, the node whose historical access time to the first file is closest to the current time. For example, the current time may be the time when the first request is received by the first node, and the historical access time may be the time when the node that accessed the first file sent its request to the first node when accessing the first file.
For example, as described in the foregoing embodiments, each node in the distributed file system may maintain an access record for each stored file, where the access record of each file records identification information (such as a device name, a device number, etc.) of other nodes that accessed the file, and the paths at which those nodes store copies of the file. By querying the access record of the first file, the first node can determine which node corresponds to the most recently added access record, and can take that node as the third node.
By way of example, in one possible example, a distributed file system may include node 1, node 2, node 3, and node 4, where node 1 stores a first file, node 2 requests access to the first file in node 1, and nodes 3 and 4 are all nodes that have accessed the first file. At this time, the node 1 is the first node described in the foregoing embodiment, and the node 2 is the second node described in the foregoing embodiment. When node 1 receives the request sent by node 2 to access the first file, node 1 may determine which node is the third node from nodes 3 and 4 by querying the access record of the first file.
Suppose that the access record of the first file is as shown in table 1 below.
TABLE 1
Figure BDA0003367858050000251
In table 1, the first column records identification information of a node having accessed the first file, and the second column records a path along which a node corresponding to the identification information of the first column stores a copy of the first file. When there is a newly added access record, node 1 may record the newly added access record by adding a row below table 1.
In this example, node 1 may obtain, by looking up table 1, that node 4 is the most recently accessed node of the first file, and node 4 may be selected as the third node. Node 1 may obtain a copy of the first file from node 4.
Optionally, a timestamp of the file access may be added to the access record of the file, where the time corresponding to the timestamp may be the historical access time, and the first node may also use the timestamps in the access records to select the most recently accessing node as the third node, which is not limited herein.
In another possible implementation manner, when the nodes that have accessed the first file include a plurality of nodes, the first node may also select, from among them, the node whose corresponding device has the highest device level as the third node. The device level may be assigned according to whether the resources of the device are abundant, whether the device can be independently networked and/or support human-machine interaction, and the like. For example, devices may be divided into level zero to level five, corresponding to L0 to L5 respectively, according to capabilities of the device such as its running memory (random access memory, RAM), storage memory (ROM), and CPU; the higher the level of a device, the stronger its performance. The manner of dividing device levels is not limited herein.
For example, the distributed file system may also include, for example, node 1, node 2, node 3, and node 4, where node 1 stores a first file, node 2 requests access to the first file in node 1, node 3 and node 4 are all nodes that have accessed the first file, node 1 is the first node described in the foregoing embodiment, and node 2 is the second node described in the foregoing embodiment. When the device level of the node 3 is higher than that of the node 4, the node 3 is the third node described in the foregoing embodiment. When the device level of the node 4 is higher than that of the node 3, the node 4 is the third node described in the foregoing embodiment.
Optionally, in this implementation, the access record maintained by each node in the distributed file system for each stored file may further include a device level of each node that accessed the file.
For example, the data structure of the access record maintained by each node in the distributed file system for each file stored may be as follows:
Figure BDA0003367858050000252
wherein "struct access_list" represents an access record; "unsigned int a_count" represents the number of access records; "struct access_list_entries" is used to mark specific access records; "int device_id" means device identification information of a node for identifying a device having accessed the file; "short security_level" represents the device level of the node (device) identified by "int device_id"; "char path_name" indicates a path for storing a copy of a file on a node (device) identified by "int device_id".
In still other possible implementations, when the node accessing the first file includes multiple nodes, the first node may further select a node with higher computing power (or highest computing power) from the multiple nodes accessing the first file as the third node, or select a node with richer CPU resources, memory resources, storage resources, and the like as the third node, which is not limited in the selection manner of the third node.
Taking the node with the highest device level or the highest computing power among the plurality of nodes that accessed the first file as the third node allows the more powerful computing resources of the third node to be used, which can effectively improve the verification efficiency of the file verification method.
When the node whose historical access time to the first file is closest to the time at which the first node receives the first request is taken as the third node, the probability that the access control lists in the first node and the third node have been tampered with is smaller, so the reliability of the file verification method can be higher.
Optionally, when the number of nodes that access the first file is 0, that is, when there is no node that accesses the first file, the first node may not perform the step of obtaining the copy of the first file from the third node, and the first node may directly determine whether the second node has access rights to the first file according to an access control policy corresponding to the second node in the first access control list. When the second node has access to the first file, the first node may return a first request result to the second node. When the second node does not have access to the first file, the first node may return a third request result to the second node.
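The access record and the two selection rules for the third node (most recent access, highest device level) can be sketched in C as follows. This is an added example, not the structure shown in the patent's figures, which are not reproduced on this page: only the field names quoted in the text (a_count, device_id, security_level, path_name) come from the page, while the accessed_at timestamp field, the fixed capacities, the one-record-per-node update and the tie-breaking are assumptions, and the sample paths are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS  8    /* assumed capacity */
#define PATH_MAX_LEN 64   /* assumed bound on the copy path */

/* One access record: which node accessed the file, where its copy lives. */
struct access_list_entries {
    int   device_id;               /* identifies the accessing node */
    short security_level;          /* device level, 0 (L0) to 5 (L5) */
    long  accessed_at;             /* assumed timestamp field, in seconds */
    char  path_name[PATH_MAX_LEN]; /* path of the copy on that node */
};

struct access_list {
    unsigned int a_count;          /* number of access records */
    struct access_list_entries entries[MAX_RECORDS];
};

enum pick_policy { PICK_MOST_RECENT, PICK_HIGHEST_LEVEL };

/*
 * Record a granted access. Assumption: one record per node, refreshed on
 * repeat access. Returns 0 on success, -1 on a bad path or a full list.
 */
int record_access(struct access_list *al, int device_id, short level,
                  long now, const char *path)
{
    struct access_list_entries *e = NULL;
    size_t len = path ? strlen(path) : 0;

    if (len == 0 || len >= PATH_MAX_LEN)
        return -1;                     /* refuse empty or oversized paths */
    for (unsigned int i = 0; i < al->a_count; i++)
        if (al->entries[i].device_id == device_id)
            e = &al->entries[i];       /* node already recorded: refresh */
    if (!e) {
        if (al->a_count == MAX_RECORDS)
            return -1;
        e = &al->entries[al->a_count++];
    }
    e->device_id = device_id;
    e->security_level = level;
    e->accessed_at = now;
    memcpy(e->path_name, path, len + 1);
    return 0;
}

/*
 * Choose the third node. Returns NULL when no node has accessed the file,
 * in which case the caller skips the copy comparison and evaluates the
 * first access control list alone.
 */
const struct access_list_entries *
pick_third_node(const struct access_list *al, enum pick_policy policy)
{
    const struct access_list_entries *best = NULL;

    if (!al)
        return NULL;
    for (unsigned int i = 0; i < al->a_count; i++) {
        const struct access_list_entries *e = &al->entries[i];

        if (!best) {
            best = e;
        } else if (policy == PICK_HIGHEST_LEVEL) {
            /* Assumed tie-break: equal levels fall back to recency. */
            if (e->security_level > best->security_level ||
                (e->security_level == best->security_level &&
                 e->accessed_at >= best->accessed_at))
                best = e;
        } else if (e->accessed_at >= best->accessed_at) {
            best = e;
        }
    }
    return best;
}

int main(void)
{
    struct access_list al = {0};

    /* Constructed records for node 3 and node 4 of the example above. */
    record_access(&al, 3, 4, 100, "/mnt/node3/copies/photo.jpg");
    record_access(&al, 4, 2, 200, "/mnt/node4/copies/photo.jpg");
    printf("most recent  : node %d\n",
           pick_third_node(&al, PICK_MOST_RECENT)->device_id);
    printf("highest level: node %d\n",
           pick_third_node(&al, PICK_HIGHEST_LEVEL)->device_id);
    return 0;
}
```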
Optionally, in still other embodiments of the present application, when a node in the distributed file system receives an access request from another node to access a file on the node, the node may first determine whether a file type of the file that the other node requests to access meets a first type, and when the file type meets the first type, the node may perform file verification on the file according to the file verification method provided by the embodiment of the present application as the first node. When the first type is not met, the node can directly determine whether other nodes have access rights to the file according to access control policies in an access control list included in the file which other nodes request to access. When the other node has the access right to the file, the node may return an access result corresponding to the access right possessed by the other node to the other node. When the other node does not have the access right to the file, the node may return an access result of refusing access to the other node.
Take as an example a first node in the distributed file system that includes a first file and a second file, where the first file conforms to the first type and the second file does not. Fig. 5 is another flow chart of the file verification method provided in the embodiment of the present application. As shown in Fig. 5, for a scenario in which a second node requests to access the first file in the first node, the process of file verification by the first node may include:
S501, a first node receives a first request from a second node, wherein the first request is used for requesting to access a first file, and the first file comprises a first access control list.
For details of S501, see the description of S301 above; they are not repeated here.
S502, the first node acquires a copy of the first file from the third node, wherein the copy of the first file comprises a second access control list.
For details of S502, see the description of S302; they are not repeated here.
S503, the first node judges whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same.
If yes, that is, if the access control policies corresponding to the second node in the first access control list and the second access control list are the same, S505 is executed; if not, that is, if the access control policies corresponding to the second node in the first access control list and the second access control list are different, S504 is executed.
S504, the first node returns a second request result to the second node.
S505, the first node determines whether the second node has access rights to the first file according to an access control policy corresponding to the second node in the first access control list.
If yes, that is, if the first node determines that the second node has access to the first file, S506 is executed; if not, that is, if the first node determines that the second node does not have the access right to the first file, S507 is executed.
S506, the first node returns a first request result to the second node.
S507, the first node returns a third request result to the second node.
For details of S503 to S507, see the foregoing embodiments; they are not repeated here.
Fig. 6 is a schematic flow chart of a file verification method according to an embodiment of the present application. As shown in fig. 6, in the file verification method provided in the embodiment of the present application, for a scenario in which a second node requests to access a second file in a first node, a process of performing file verification by the first node may include:
S601, the first node receives a second request from a second node, wherein the second request is used for requesting to access a second file, and the second file comprises a third access control list.
For example, the access control list in the second file may be referred to as a third access control list, which may include access control policies corresponding to the second node.
S601 is similar to S501 and will not be described again.
S602, the first node determines whether the second node has access rights to the second file according to the access control policy corresponding to the second node in the third access control list.
If yes, that is, if the first node determines that the second node has access to the second file, S603 is executed; if not, that is, if the first node determines that the second node does not have the access right to the second file, S604 is executed.
S603, the first node returns a fourth request result to the second node.
The fourth request result may indicate an access right of the second node to the second file or return information that the second file is successfully accessed, so that the second node may access the second file in the first node.
Illustratively, the return information that the second node successfully accesses the second file may include one or more of: context information of the second file, handle information of the second file, and the like, which is not limited herein.
S604, the first node returns a fifth request result to the second node.
The fifth request result may indicate that the second node cannot access the second file in the first node. For example, the fifth request result may be a message denying access or indicating that access failed.
That is, in this embodiment of the present application, when the second node sends a second request to the first node, where the second request is used to request access to a second file that does not conform to the first type, the first node may respond to the second request as follows. When the first node determines, according to the access control policy corresponding to the second node in the third access control list included in the second file, that the second node has access rights to the second file, it returns a fourth request result of the second request to the second node. When the first node determines, according to that access control policy, that the second node does not have access to the second file, it returns a fifth request result of the second request to the second node.
By way of example, in some possible embodiments, the first type may include one or more of the following: higher importance, higher security requirement, higher privacy, etc.
In some possible implementations, whether the file conforms to the first type may be actively configured by the user. For example, the user may add a tag to the file, and the tag may be used to indicate that the file conforms to the first type. When the file does not include the tag, the file does not conform to the first type.
In other possible ways, whether the file conforms to the first type may also be automatically configured by the device (node) in which the file is located according to some preset rules, which may be manually configured. For example, the preset rules may include: when the file is a photo, a tag corresponding to the first type is added to the file, and when the device in which the file is located detects that the file is the photo, the tag can be automatically added to the photo, and the tag can be used for indicating that the file accords with the first type. Likewise, when the file does not include the tag, it is indicated that the file does not conform to the first type.
In some embodiments, a tag indicating whether the file meets the first type may be stored via an extended attribute of the file. That is, a tag indicating whether the file conforms to the first type may be stored in an extended attribute of the file.
For example, the device where the file is located may mark the extended attribute of the file by using the Linux system command "setfattr", so that a tag indicating that the file conforms to the first type, such as a first tag, is added to the extended attribute of the file.
Optionally, in this embodiment of the present application, when the first node receives a request from the second node to access a certain file, the first node may first determine whether the requested file conforms to the first type, verify a file that conforms to the first type according to the flow for the first file, and verify a file that does not conform to the first type according to the flow for the second file. For example, the step of the first node determining whether the file conforms to the first type may include: the first node calls a "sechmdfs_check_sensitivity" function to check whether the extended attribute of the file contains the first tag, and when the extended attribute of the file contains the first tag, the first node determines that the file conforms to the first type.
Optionally, in the embodiment of the present application, when the first node receives the first request from the second node, if the first node does not include the first file, the first node may directly return an access result of the access failure to the second node, for example: the access result of the access failure may be "the first file cannot be found".
Similarly, when the first node receives the second request from the second node, if the first node does not include the second file, the first node may also directly return an access result of the access failure to the second node, such as: the access result of the access failure may be "the second file cannot be found".
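The dispatch on the first type and the S501 to S507 and S601 to S604 decisions described above, written out as an added C sketch that is not code from the patent. All type and function names, the permission bits, the `last_access` field and the tie-break rule for choosing the third node are assumptions of this example, and the ACLs are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
/* Added illustration: every identifier is hypothetical, not the patent's code. */
#define PERM_READ  0x4u
#define PERM_WRITE 0x2u
enum request_result {
    RES_ALLOW,    /* "first" request result ("fourth" for a non-first-type file) */
    RES_MISMATCH, /* "second" request result: ACL differs from the third node's copy */
    RES_DENY      /* "third" request result ("fifth" for a non-first-type file) */
};
struct acl_entry { int device_id; unsigned perms; };
struct acl { size_t count; struct acl_entry entries[4]; };
struct access_record {          /* one per node that accessed the file earlier */
    int device_id;
    short security_level;       /* device level of that node */
    long last_access;           /* assumed field: time of its last access */
    const struct acl *copy_acl; /* ACL carried by the copy stored on that node */
};
struct dfs_file {
    int first_type;             /* 1 when the file carries the first tag */
    struct acl acl;             /* ACL stored with the file on the first node */
    size_t nrecords;
    const struct access_record *records;
};

static const struct acl_entry *acl_lookup(const struct acl *a, int device_id)
{
    for (size_t i = 0; i < a->count; i++)
        if (a->entries[i].device_id == device_id)
            return &a->entries[i];
    return NULL;
}

/* S503: compare only the requester's policy; an entry missing from one list
 * but present in the other counts as a difference. */
static int policy_equal(const struct acl *a, const struct acl *b, int device_id)
{
    const struct acl_entry *ea = acl_lookup(a, device_id);
    const struct acl_entry *eb = acl_lookup(b, device_id);
    if (ea == NULL || eb == NULL)
        return ea == eb;
    return ea->perms == eb->perms;
}

/* Third node: highest device level, ties broken by most recent access.
 * Combining the two criteria and skipping the requester are assumptions. */
const struct access_record *pick_third_node(const struct dfs_file *f, int requester)
{
    const struct access_record *best = NULL;
    for (size_t i = 0; i < f->nrecords; i++) {
        const struct access_record *r = &f->records[i];
        if (r->device_id == requester)
            continue;
        if (best == NULL || r->security_level > best->security_level ||
            (r->security_level == best->security_level &&
             r->last_access > best->last_access))
            best = r;
    }
    return best;
}

enum request_result handle_request(const struct dfs_file *f, int requester,
                                   unsigned wanted)
{
    const struct acl_entry *e;
    if (f->first_type) {
        const struct access_record *third = pick_third_node(f, requester);
        /* With no earlier accessor there is no copy; only the local ACL is used. */
        if (third != NULL && !policy_equal(&f->acl, third->copy_acl, requester))
            return RES_MISMATCH;                    /* S504 */
    }
    e = acl_lookup(&f->acl, requester);             /* S505 / S602 */
    if (e != NULL && (e->perms & wanted) == wanted)
        return RES_ALLOW;                           /* S506 / S603 */
    return RES_DENY;                                /* S507 / S604 */
}

/* Constructed sample data: device 2 requests; devices 3 and 4 accessed earlier. */
#define RW (PERM_READ | PERM_WRITE)
static const struct acl copy_acl = { 2, { { 2, PERM_READ }, { 3, RW } } };
static const struct access_record past[] = {
    { 3, 2, 100, &copy_acl },
    { 4, 5,  90, &copy_acl },
};
const struct dfs_file clean_file    = { 1, { 2, { { 2, PERM_READ }, { 3, RW } } }, 2, past };
/* Local ACL altered to give device 2 write access; the copies still say read-only. */
const struct dfs_file tampered_file = { 1, { 2, { { 2, RW }, { 3, RW } } }, 2, past };
/* Same altered ACL without the first tag: no cross-check is performed. */
const struct dfs_file untagged_file = { 0, { 2, { { 2, RW }, { 3, RW } } }, 2, past };
/* First-type file that no other node has accessed yet. */
const struct dfs_file fresh_file    = { 1, { 2, { { 2, PERM_READ }, { 3, RW } } }, 0, NULL };

int main(void)
{
    printf("tampered write -> %d (RES_MISMATCH is %d)\n",
           handle_request(&tampered_file, 2, PERM_WRITE), RES_MISMATCH);
    return 0;
}
```

The untagged and fresh cases show the two situations in which the request is decided from the local access control list alone, so an altered list on the first node is not detected there.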
The embodiments above describe the file verification method provided by the embodiment of the application by taking as an example the case in which the first node actively obtains the copy of the first file from the third node, and determines the request result of the first request to return to the second node according to the access control policy corresponding to the second node in the first access control list and the access control policy corresponding to the second node in the second access control list.
Optionally, in some other embodiments of the file verification method provided in the embodiment of the present application, the step of determining the request result of the first request to return to the second node, according to the access control policy corresponding to the second node in the first access control list and the access control policy corresponding to the second node in the second access control list, may be completed by the third node, and the first node may not need to obtain a copy of the first file from the third node.
For example, taking a case that the first node in the distributed file system includes a first file and the second node requests to access the first file in the first node as an example, fig. 7 is a schematic flow chart of a file verification method provided in the embodiment of the present application. As shown in fig. 7, the method may include:
S701, the second node sends a first request to the first node, where the first request is for requesting access to a first file, and the first file includes a first access control list.
For details of S701, see the description of S301; they are not repeated here.
Accordingly, the first node receives a first request from the second node.
S702, the first node sends a first access control list to a third node.
Accordingly, the third node receives the first access control list from the first node.
In a possible implementation manner, the first node sending the first access control list to the third node may include: the first node sends only the first access control list to the third node. For example, the first node may acquire the access control policy of the first file by calling a "getacl()" method, and convert the extended attribute stored in the inode of the first file into a specific access control policy by calling a "getxattr()" method, thereby obtaining the first access control list and transmitting the first access control list to the third node.
Alternatively, in another possible implementation manner, the first node sending the first access control list to the third node may include: the first node sends a complete first file to the third node, the first file including a first access control list.
In still another possible implementation manner, the first node sending the first access control list to the third node may include: the first node sends the part of the first file that contains the first access control list to the third node. For example, the aforementioned partial file containing the first access control list may be an extended attribute of an inode of the first file.
Optionally, the determining manner of the third node in this embodiment may be referred to the foregoing embodiment, which is not described herein.
In some embodiments, after the first node sends the first access control list to the third node, the first access control list may trigger or instruct the third node to perform steps described in S703 to S704, that is, may instruct the third node to determine a request result of the first request according to an access control policy corresponding to the second node in the first access control list and an access control policy corresponding to the second node in the second access control list, and return the determined request result of the first request to the first node.
In other embodiments, in addition to sending the first access control list to the third node, the first node may also send an indication, such as a first indication, to the third node, where the first indication may instruct the third node to perform the steps described in S703-S704 below. For example, S702 may include: the first node sends the first access control list and the first indication to the third node.
S703, the third node determines a request result of the first request according to the access control policy corresponding to the second node in the first access control list and the access control policy corresponding to the second node in the second access control list.
The step of determining, by the third node, the request result of the first request according to the access control policy corresponding to the second node in the first access control list and the access control policy corresponding to the second node in the second access control list may refer to the step of determining, by the first node, the request result of the first request according to the access control policy corresponding to the second node in the first access control list and the access control policy corresponding to the second node in the second access control list, which are described in the foregoing embodiment, and will not be described herein.
The third node determines, according to the access control policy corresponding to the second node in the first access control list and the access control policy corresponding to the second node in the second access control list, a request result of the first request, where the request result may include any one of the following three types: a first request result, a second request result, and a third request result.
S704, the third node sends a request result of the first request to the first node.
Accordingly, the first node receives the request result of the first request sent by the third node.
S705, in response to the first request, the first node returns a request result of the first request to the second node.
Accordingly, the second node receives the request result of the first request sent by the first node.
It is understood that the request result of the first request returned by the first node to the second node in S705 may be any one of the first request result, the second request result, and the third request result.
Optionally, in S704, instead of directly sending the request result of the first request to the first node, the third node may send second information to the first node. The second information is used to indicate that the access control policies corresponding to the second node in the first access control list and the second access control list are the same and the second node has access rights to the first file; or to indicate that the access control policies corresponding to the second node in the first access control list and the second access control list are different; or to indicate that the access control policies corresponding to the second node in the first access control list and the second access control list are the same and the second node does not have access rights to the first file. The first node may return a request result of the first request to the second node according to the second information.
Optionally, in still other embodiments of the file verification method provided in the embodiments of the present application, the third node may perform only the step of comparing whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and return a comparison result to the first node. The comparison result is either that the access control policies corresponding to the second node in the first access control list and the second access control list are the same, or that they are different. After receiving the comparison result, the first node may perform the subsequent step of returning the request result of the first request to the second node according to the comparison result, in the manner described in the foregoing embodiments.
For example, taking a case that the first node in the distributed file system includes the first file and the second node requests to access the first file in the first node as an example, fig. 8 is a further flowchart of a file verification method provided in the embodiment of the present application. As shown in fig. 8, the method may include:
S801, the second node sends a first request to the first node, where the first request is for requesting access to a first file, and the first file includes a first access control list.
Accordingly, the first node receives a first request from the second node.
For details of S801, see the description of S301; they are not repeated here.
S802, the first node sends a first access control list to the third node.
Accordingly, the third node receives the first access control list from the first node.
The implementation manner of sending the first access control list to the third node by the first node in S802 may refer to the description in S702, and the determination manner of the third node in this embodiment may refer to the description in the foregoing embodiment, which is not repeated.
In some embodiments, after the first node sends the first access control list to the third node, the first access control list may trigger or instruct the third node to perform the steps described in S803-S804, that is, instruct the third node to compare whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and return a comparison result to the first node.
In other embodiments, in addition to sending the first access control list to the third node, the first node may also send an indication, such as a second indication, to the third node, where the second indication may instruct the third node to perform the steps described in S803-S804 below. For example, S802 may include: the first node sends the first access control list and the second indication to the third node.
S803, the third node compares whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and obtains a comparison result.
As described above, the comparison result is either that the access control policies corresponding to the second node in the first access control list and the second access control list are the same, or that they are different.
S804, the third node transmits the comparison result to the first node.
Accordingly, the first node receives the comparison result from the third node.
S805, the first node determines a request result of the first request according to the comparison result and an access control policy corresponding to the second node in the first access control list.
S805 may include: when the comparison result is that the access control policies corresponding to the second node in the first access control list and the second access control list are the same, the first node determines whether the second node has access rights to the first file according to the access control policy corresponding to the second node in the first access control list.
When the comparison result is that the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and the second node has access rights to the first file, the first node determines that the request result of the first request is the first request result.
When the comparison result is that the access control policies corresponding to the second node in the first access control list and the second access control list are different, the first node determines that the request result of the first request is the second request result.
When the comparison result is that the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and the second node does not have access rights to the first file, the first node determines that the request result of the first request is the third request result.
The first request result, the second request result, and the third request result may be described with reference to the foregoing embodiments, and will not be described again.
S806, in response to the first request, the first node returns a request result of the first request to the second node.
It is understood that the request result of the first request returned by the first node to the second node in S806 may be any one of the first request result, the second request result, and the third request result.
Alternatively, in S804, instead of directly sending the comparison result to the first node, the third node may return first information to the first node according to the comparison result, where the first information may indicate the comparison result, or indicate a request result of the first request. The first node may return a request result of the first request to the second node according to the first information.
For example, the first information is used to indicate that the access control policies corresponding to the second node in the first access control list and the second access control list are the same or different.
The above embodiments are all exemplary, and this application does not limit which entity executes each step of the file verification method.
It should be noted that, in the above embodiments, the file verification method provided in the embodiment of the present application is described by taking a distributed file system as an example, but the application scenario of the file verification method is not limited to the distributed file system. The file verification method provided by the embodiment of the application is also applicable to other scenarios in which a plurality of nodes exist and at least three of the nodes can access one another. The application scenarios described in the foregoing embodiments are examples of embodiments of the present application, and the application scenario of the file verification method is not limited in the present application.
It should be understood that what has been described in the foregoing embodiments is merely illustrative of the file verification method provided by embodiments of the present application. In other possible implementations, some of the steps performed in the embodiments described above may be omitted, steps may be added, or the order of some of the steps described in the embodiments may be modified, which is not limited in this application.
Corresponding to the file verification method described in the foregoing embodiments, the present application provides a distributed file system, which may implement the file verification method described in the foregoing embodiments.
For example, a distributed file system comprises a first node, a second node, and a third node. The first node includes a first file. The second node sends a first request to the first node, the first request requesting access to the first file, the first file including a first access control list. The first node obtains a copy of the first file from the third node, wherein the third node has accessed the first file, and the copy of the first file includes a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. In response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and it is determined that the second node has the access right to the first file, the first node returns a first request result of the first request to the second node. The first request result indicates the access right of the second node to the first file or return information that the first file was successfully accessed, so that the second node can access the first file in the first node.
Optionally, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are different, the first node returns a second request result of the first request to the second node, where the second request result indicates that the second node cannot access the first file in the first node.
Optionally, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and it is determined that the second node does not have access rights to the first file, the first node returns a third request result of the first request to the second node, where the third request result indicates that the second node cannot access the first file in the first node.
In one possible implementation, a plurality of nodes have accessed the first file. The third node is the node with the highest device level among the plurality of nodes that have accessed the first file; or the third node is the node, among those nodes, with the shortest time between its historical access to the first file on the first node and the first request; or the third node is the node with the highest computing power among those nodes.
Taking the node with the highest device level, or the node with the highest computing power, among the plurality of nodes that have accessed the first file as the third node can effectively improve the verification efficiency of the file verification method, because the more powerful computing resources of the third node are used.
When the node with the shortest time between its historical access to the first file on the first node and the first request is taken as the third node, the probability that the access control lists in the first node and the third node have been tampered with is smaller, and the reliability of the file verification method can be higher.
In one possible implementation, the first file conforms to the first type.
By way of example, the first type may include one or more of the following: higher importance, higher security requirement, higher privacy, etc.
In some possible implementations, whether the file conforms to the first type may be actively configured by the user. For example, the user may add a tag to the file, and the tag may be used to indicate that the file conforms to the first type. When the file does not include the tag, the file does not conform to the first type.
In other possible ways, whether the file conforms to the first type may also be automatically configured by the device (node) in which the file is located according to some preset rules, which may be manually configured. For example, the preset rules may include: when the file is a photo, a tag corresponding to the first type is added to the file, and when the device in which the file is located detects that the file is the photo, the tag can be automatically added to the photo, and the tag can be used for indicating that the file accords with the first type. Likewise, when the file does not include the tag, it is indicated that the file does not conform to the first type.
Optionally, the first node may further receive a second request from the second node, where the second request is for requesting access to a second file in the first node, the second file includes a third access control list, and the third access control list includes an access control policy corresponding to the second node; the second file does not conform to the first type. In response to the second request, when it is determined, according to the access control policy corresponding to the second node in the third access control list, that the second node has access to the second file, the first node returns a fourth request result of the second request to the second node. The fourth request result indicates the access right of the second node to the second file or return information that the second file was successfully accessed, so that the second node can access the second file in the first node. Alternatively, when it is determined, according to the access control policy corresponding to the second node in the third access control list, that the second node does not have access to the second file, the first node returns a fifth request result of the second request to the second node, and the fifth request result indicates that the second node cannot access the second file in the first node.
In one possible implementation, the copy of the first file is generated by copying the complete first file when the third node accesses the first file.
Or, in another possible implementation manner, the copy of the first file is generated by copying the part of the first file that contains the first access control list when the third node accesses the first file.
For example, the aforementioned partial file containing the first access control list may be an extended attribute of an inode of the first file.
In still another possible implementation manner, the copy of the first file is generated by copying the first access control list in the first file when the third node accesses the first file.
Optionally, the return information that the second node succeeds in accessing the first file includes one or more of: context information of the first file, handle information of the first file.
Optionally, the first node, the second node, and the third node all belong to the same local area network.
In a possible implementation manner, the access control policies corresponding to the second node in the first access control list and the second access control list being the same includes: the first access control list and the second access control list are identical.
In this implementation manner, when the first access control list and the second access control list are the same, the first node may further determine whether the second node has access rights to the first file according to the access control policy corresponding to the second node in the first access control list, and when determining that the second node has access rights to the first file, return to the second node an access result corresponding to the access rights possessed by the second node, e.g., the first request result.
Optionally, after the first request result of the first request is returned to the second node, the first node may record an access record of the second node to the first file, where the access record of the second node to the first file includes: the identification information of the second node, and a path along which the second node stores a copy of the first file.
And after the first node returns the first request result to the second node, the second node successfully accesses the first file in the first node. For this access, the first node may continue to maintain an access record of the first file regarding the access of the second node to the first file. When other nodes access the first file later, the second node can also serve as the third node to provide a copy of the first file for the first node.
Similarly, the distributed file system may implement functions corresponding to all the steps of the file verification method described in the foregoing embodiments, which are not described in detail herein.
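The first-node decision flow described above (first-type check, choice of the third node by most recent access, comparison of the second node's policy in both access control lists, the resulting request results, and the access record), as an added Python sketch that is not code from the patent. The names `SharedFile`, `AccessRecord` and `peer_store`, the `accessed_at` field, the `/cache/...` path and the fall-back to the local list when no node has accessed the file yet are assumptions of this example.

```python
import copy
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    GRANTED = "first request result"        # fourth result for non-first-type files
    ACL_MISMATCH = "second request result"
    NO_PERMISSION = "third request result"  # fifth result for non-first-type files


@dataclass
class AccessRecord:
    node_id: str        # identification information of the accessing node
    copy_path: str      # path at which that node stores its copy
    accessed_at: float  # assumed field: lets the first node pick the most recent accessor


@dataclass
class SharedFile:
    acl: dict                 # node id -> set of permissions (the "first" ACL)
    first_type: bool = True   # file conforms to the "first type"
    records: list = field(default_factory=list)


def pick_third_node(records):
    """Pick the accessor whose last access is closest in time to this request."""
    return max(records, key=lambda r: r.accessed_at) if records else None


def handle_request(f, requester, perm, now, peer_store):
    """First-node logic; peer_store maps (node_id, path) -> ACL copy held by that node."""
    local_policy = f.acl.get(requester)
    witness = pick_third_node(f.records) if f.first_type else None
    if witness is not None:
        copy_acl = peer_store[(witness.node_id, witness.copy_path)]  # the "second" ACL
        # Compare only the policy entry that corresponds to the requesting node.
        if copy_acl.get(requester) != local_policy:
            return Result.ACL_MISMATCH
    # Assumption: with no earlier accessor, only the local ACL can be consulted.
    if local_policy is None or perm not in local_policy:
        return Result.NO_PERMISSION
    if f.first_type:
        # The requester keeps an ACL-only copy; the first node records where it lives.
        path = f"/cache/{requester}/acl"  # hypothetical storage path
        peer_store[(requester, path)] = copy.deepcopy(f.acl)
        f.records.append(AccessRecord(requester, path, now))
    return Result.GRANTED


def demo():
    """Constructed scenario: three normal requests, then a request after the local ACL changed."""
    store = {}
    f = SharedFile(acl={"alice": {"read", "write"}, "bob": {"read"}})
    out = [
        handle_request(f, "alice", "read", 1.0, store),  # no earlier accessor yet
        handle_request(f, "bob", "read", 2.0, store),    # checked against alice's copy
        handle_request(f, "bob", "write", 3.0, store),   # lists agree, permission missing
    ]
    f.acl["carol"] = {"read"}  # local ACL altered after the peer copies were taken
    out.append(handle_request(f, "carol", "read", 4.0, store))  # bob's copy has no carol entry
    return out


if __name__ == "__main__":
    for r in demo():
        print(r.name, "->", r.value)
```

In this sketch any change to the local list, including an authorised one, is reported as a mismatch until the peer copies are refreshed; how copies are refreshed is not covered by the passage above.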
The embodiment of the application also provides a file verification device, which can be applied to the electronic equipment (such as the terminal equipment of the first node) of the first node, so that the electronic equipment realizes the steps executed by the first node in the file verification method in the previous embodiment. The functions of the device can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules or units corresponding to the steps performed by the first node in the file verification method described in the foregoing embodiments.
For example, fig. 9 is a schematic structural diagram of a file verification device provided in an embodiment of the present application. As shown in fig. 9, the apparatus may include: a transceiver unit 901, a processing unit 902, and the like.
The transceiver unit 901 is configured to receive a first request from a second node, where the first request is for requesting access to a first file in a first node, and the first file includes a first access control list. The transceiver unit 901 is further configured to obtain a copy of the first file from a third node, where the third node has accessed the first file, and the copy of the first file includes a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. The processing unit 902 is configured to, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node has access rights to the first file, return, through the transceiver unit 901, a first request result of the first request to the second node, where the first request result indicates the access rights of the second node to the first file or the return information that the second node successfully accesses the first file, so that the second node can access the first file in the first node.
Optionally, the processing unit 902 is further configured to, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are different, return, by the transceiver unit 901, a second request result of the first request to the second node, where the second request result indicates that the second node cannot access the first file in the first node.
Optionally, the processing unit 902 is further configured to, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node does not have access rights to the first file, return, through the transceiver unit 901, a third request result of the first request to the second node, where the third request result indicates that the second node cannot access the first file in the first node.
In one possible implementation, a plurality of nodes have accessed the first file; the third node is the node with the highest equipment grade among the plurality of nodes that have accessed the first file; or the third node is the node, among the plurality of nodes that have accessed the first file, with the shortest time between its historical access to the first file in the first node and the first request; alternatively, the third node is the node with the highest computing power among the plurality of nodes that have accessed the first file.
In one possible implementation, the first file conforms to the first type.
By way of example, the first type may include one or more of the following: higher importance, higher security requirement, higher privacy, etc.
Optionally, the transceiver unit 901 is further configured to receive a second request from a second node, where the second request is used to request access to a second file in the first node, the second file includes a third access control list, and the third access control list includes an access control policy corresponding to the second node; the second file does not conform to the first type. The processing unit 902 is further configured to, in response to the second request, when it is determined, according to the access control policy corresponding to the second node in the third access control list, that the second node has access rights to the second file, return, through the transceiver unit 901, a fourth request result of the second request to the second node, where the fourth request result indicates the access rights of the second node to the second file or the return information that the second file is successfully accessed, so that the second node can access the second file in the first node. Alternatively, when it is determined, according to the access control policy corresponding to the second node in the third access control list, that the second node does not have access rights to the second file, a fifth request result of the second request is returned to the second node through the transceiver unit 901, where the fifth request result indicates that the second node cannot access the second file in the first node.
In one possible implementation, the copy of the first file is generated by copying the complete first file when the third node accesses the first file.
Or in another possible implementation manner, the copy of the first file is generated by copying a part of the first file containing the first control list when the third node accesses the first file.
For example, the aforementioned partial file containing the first control list may be an extended attribute of an inode of the first file.
In still another possible implementation manner, the copy of the first file is generated by copying the first control list in the first file when the third node accesses the first file.
Optionally, the return information that the second node succeeds in accessing the first file includes one or more of: context information of the first file, handle information of the first file.
Optionally, the first node, the second node, and the third node all belong to the same local area network; alternatively, the first node, the second node, and the third node all belong to the same distributed file system.
In a possible implementation manner, that the access control policies corresponding to the second node in the first access control list and the second access control list are the same includes: the first access control list and the second access control list are identical.
Optionally, the processing unit 902 is further configured to record an access record of the second node to the first file, where the access record includes: the identification information of the second node, and the path at which the second node stores a copy of the first file.
For another example, fig. 10 is another schematic structural diagram of the file verification device provided in the embodiment of the present application. As shown in fig. 10, the apparatus may include: a transceiver unit 1001, a processing unit 1002, and the like.
The transceiver unit 1001 is configured to receive a first request from a second node, where the first request is for requesting access to a first file in a first node, and the first file includes a first access control list. The transceiver unit 1001 is further configured to send the first access control list to a third node; the third node has accessed the first file, the third node includes a copy of the first file, and the copy of the first file includes a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. The transceiver unit 1001 is further configured to receive first information returned by the third node, where the first information is used to indicate whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same or different. The processing unit 1002 is configured to, in response to the first request, when the first information indicates that the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node has access rights to the first file, return, through the transceiver unit 1001, a first request result of the first request to the second node, where the first request result indicates the access rights of the second node to the first file or the return information that the second node successfully accesses the first file, so that the second node can access the first file in the first node.
Optionally, the processing unit 1002 is further configured to, in response to the first request, when the first information indicates that the access control policies corresponding to the second node in the first access control list and the second access control list are different, return, by the transceiver unit 1001, a second request result of the first request to the second node, where the second request result indicates that the second node cannot access the first file in the first node.
Optionally, the processing unit 1002 is further configured to, in response to the first request, when the first information indicates that the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node does not have access rights to the first file, return, through the transceiver unit 1001, a third request result of the first request to the second node, where the third request result indicates that the second node cannot access the first file in the first node.
For another example, fig. 11 is a schematic structural diagram of a file verification apparatus according to an embodiment of the present application. As shown in fig. 11, the apparatus may include: a transceiver unit 1101, a processing unit 1102, and the like.
The transceiver unit 1101 is configured to receive a first request from a second node, where the first request is for requesting access to a first file in a first node, and the first file includes a first access control list. The transceiver unit 1101 is further configured to send the first access control list to a third node; the third node has accessed the first file, the third node includes a copy of the first file, and the copy of the first file includes a second access control list. The first access control list and the second access control list each include an access control policy corresponding to the second node. The transceiver unit 1101 is further configured to receive second information returned by the third node, where the second information indicates one of the following: the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and the second node has access rights to the first file; the access control policies corresponding to the second node in the first access control list and the second access control list are different; or the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and the second node does not have access rights to the first file. The processing unit 1102 is configured to return a request result of the first request to the second node through the transceiver unit 1101 according to the second information.
The embodiment of the application also provides a file verification device, which can be applied to the electronic equipment (such as the terminal equipment of the third node) of the third node, so that the electronic equipment realizes the steps executed by the third node in the file verification method in the previous embodiment. The functions of the device can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules or units corresponding to the steps performed by the third node in the file verification method described in the foregoing embodiments.
For example, fig. 12 is a schematic structural diagram of a file verification apparatus according to an embodiment of the present application. As shown in fig. 12, the apparatus may include: a transceiver unit 1201, a processing unit 1202, etc.
The transceiver unit 1201 is configured to receive a first access control list from a first node; the first access control list is sent by the first node after receiving a first request from the second node; the first request is for requesting access to a first file. The processing unit 1202 is configured to compare whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same, and obtain a comparison result. The processing unit 1202 is further configured to return, according to the comparison result, first information to the first node through the transceiver unit 1201, so that the first node returns, according to the first information, a request result of the first request to the second node.
The first information is used to indicate whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same or different.
For another example, fig. 13 is a schematic structural diagram of a file verification apparatus according to an embodiment of the present application. As shown in fig. 13, the apparatus may include: a transceiver unit 1301, a processing unit 1302, and the like.
The transceiver unit 1301 is configured to receive a first access control list from a first node; the first access control list is sent by the first node after receiving a first request from the second node; the first request is for requesting access to a first file. The processing unit 1302 is configured to compare whether the access control policies corresponding to the second node in the first access control list and the second access control list are the same, determine whether the second node has access rights to the first file, and obtain second information. The transceiver unit 1301 is further configured to return the second information to the first node, so that the first node returns a request result of the first request to the second node according to the second information.
The embodiment of the application also provides a file verification device, which can be applied to the electronic equipment of the second node (such as the terminal equipment of the second node), so that the electronic equipment realizes the steps executed by the second node in the file verification method in the previous embodiment. The functions of the device can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules or units corresponding to the steps performed by the third node in the file verification method described in the foregoing embodiments. For example, the apparatus may include a transceiver unit that may be configured to send the first request or the second request to the first node via the transceiver unit, and a processing unit that may be configured to receive a request result from the first node, such as a first request result, a second request result, a third request result, a fourth request result, a fifth request result, and so on. The drawings are not further described herein.
It should be understood that the division of the units (or called modules) in the above apparatus is merely a division of logic functions, and may be fully or partially integrated into one physical entity or may be physically separated. And the units in the device can be all realized in the form of software calls through the processing element; or can be realized in hardware; it is also possible that part of the units are implemented in the form of software, which is called by the processing element, and part of the units are implemented in the form of hardware.
For example, each unit may be a processing element that is set up separately, may be implemented as integrated in a certain chip of the apparatus, or may be stored in a memory in the form of a program, and the functions of the unit may be called and executed by a certain processing element of the apparatus. Furthermore, all or part of these units may be integrated together or may be implemented independently. The processing element described herein, which may also be referred to as a processor, may be an integrated circuit with signal processing capabilities. In implementation, each step of the above method or each unit above may be implemented by an integrated logic circuit of hardware in a processor element or in the form of software called by a processing element.
In one example, the units in the above apparatus may be one or more integrated circuits configured to implement the above method, for example: one or more application specific integrated circuits (ASIC), or one or more digital signal processors (DSP), or one or more field programmable gate arrays (FPGA), or a combination of at least two of these integrated circuit forms.
For another example, when the units in the apparatus are implemented in the form of a processing element scheduling a program, the processing element may be a general-purpose processor, such as a central processing unit (CPU) or another processor that can invoke the program. For another example, the units may be integrated together and implemented in the form of a system-on-a-chip (SOC).
In one implementation, the units of the above apparatus that implement the corresponding steps of the above method may be implemented in the form of a processing element scheduling a program. For example, the file verification apparatus may include a processing element and a storage element, where the processing element invokes a program stored in the storage element to perform a step performed by the first node, a step performed by the second node, or a step performed by the third node in the file verification method described in the above method embodiment. The storage element may be a storage element on the same chip as the processing element, i.e. an on-chip storage element.
In another implementation, the program for performing the above method may be on a memory element on a different chip than the processing element, i.e. an off-chip memory element. At this time, the processing element calls or loads a program from the off-chip storage element onto the on-chip storage element to call and execute the step executed by the first node, the step executed by the second node, or the step executed by the third node in the file verification method described in the above method embodiment.
An embodiment of the application also provides an electronic device. The electronic device may be a terminal device of the first node. The electronic device includes: a processor, and a memory for storing processor-executable instructions; the processor is configured to, when executing the instructions, cause the electronic device to implement the steps performed by the first node in the file verification method as described in the method embodiments above. The memory may be located within the electronic device or may be located external to the electronic device. There may be one or more processors.
An embodiment of the application also provides an electronic device. The electronic device may be a terminal device of the second node. The electronic device includes: a processor, and a memory for storing processor-executable instructions; the processor is configured to, when executing the instructions, cause the electronic device to implement the steps performed by the second node in the file verification method as described in the method embodiments above. The memory may be located within the electronic device or may be located external to the electronic device. There may be one or more processors.
An embodiment of the application also provides an electronic device. The electronic device may be a terminal device of the third node. The electronic device includes: a processor, and a memory for storing processor-executable instructions; the processor is configured to, when executing the instructions, cause the electronic device to implement the steps performed by the third node in the file verification method as described in the method embodiments above. The memory may be located within the electronic device or may be located external to the electronic device. There may be one or more processors.
In yet another implementation, the unit of the electronic device implementing each step in the above method may be configured as one or more processing elements, where the processing elements may be integrated circuits, for example: one or more ASICs, or one or more DSPs, or one or more FPGAs, or a combination of these types of integrated circuits. These integrated circuits may be integrated together to form a chip.
For example, the embodiment of the application also provides a chip, and the chip can be applied to the electronic equipment. The chip includes one or more interface circuits and one or more processors; the interface circuit and the processor are interconnected through a circuit; the processor receives and executes computer instructions from the memory of the electronic device through the interface circuit to implement the steps performed by the first node, or the steps performed by the second node, or the steps performed by the third node in the file verification method as described in the method embodiments above.
From the foregoing description of the embodiments, it will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to implement all or part of the functions described above.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a readable storage medium.
Based on such understanding, the technical solutions of the embodiments of the present application, in essence, or the part contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, such as a program. The software product is stored in a program product, such as a computer readable storage medium, and comprises instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the methods described in the various embodiments of the application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
For example, embodiments of the present application also provide a computer-readable storage medium having computer program instructions stored thereon; the computer program instructions, when executed by the electronic device, cause the electronic device to implement the steps performed by the first node, or the steps performed by the second node, or the steps performed by the third node in the file verification method as described in the method embodiments above.
For another example, embodiments of the present application also provide a computer program product comprising: computer readable code, or a non-transitory computer readable storage medium carrying computer readable code, which when executed in an electronic device, causes a processor in the electronic device to implement a step performed by a first node, or a step performed by a second node, or a step performed by a third node in a file verification method as described in the method embodiments above.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (16)

1. A file verification method, the method being applied to a first node, the method comprising:
receiving a first request from a second node, the first request for requesting access to a first file in the first node, the first file comprising a first access control list;
obtaining a copy of the first file from a third node, wherein the third node has accessed the first file, and the copy of the first file comprises a second access control list;
the first access control list and the second access control list each comprise an access control policy corresponding to the second node;
and in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node has access rights to the first file, returning a first request result of the first request to the second node, wherein the first request result indicates the access rights of the second node to the first file or the return information of success in accessing the first file, so that the second node can access the first file in the first node.
2. The method according to claim 1, wherein the method further comprises:
in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are different, returning a second request result of the first request to the second node, wherein the second request result indicates that the second node cannot access the first file in the first node.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same and it is determined that the second node does not have access rights to the first file, returning a third request result of the first request to the second node, wherein the third request result indicates that the second node cannot access the first file in the first node.
4. A method according to any of claims 1-3, wherein a plurality of nodes have accessed the first file;
the third node is the node with the highest equipment grade among the plurality of nodes that have accessed the first file;
or the third node is the node, among the plurality of nodes that have accessed the first file, with the shortest time between its historical access to the first file in the first node and the first request;
alternatively, the third node is the node with the highest computing power among the plurality of nodes that have accessed the first file.
5. The method of any of claims 1-4, wherein the first file conforms to a first type.
6. The method of claim 5, wherein the method further comprises:
receiving a second request from a second node, the second request being for requesting access to a second file in the first node, wherein the second file includes a third access control list including access control policies corresponding to the second node; the second file does not conform to the first type;
in response to the second request, when it is determined, according to the access control policy corresponding to the second node in the third access control list, that the second node has access rights to the second file, returning a fourth request result of the second request to the second node, wherein the fourth request result indicates the access rights of the second node to the second file or the return information of success in accessing the second file, so that the second node can access the second file in the first node;
or when it is determined, according to the access control policy corresponding to the second node in the third access control list, that the second node does not have access rights to the second file, returning a fifth request result of the second request to the second node, wherein the fifth request result indicates that the second node cannot access the second file in the first node.
7. The method of any of claims 1-6, wherein the copy of the first file is generated by copying the complete first file when the third node accesses the first file;
or, the copy of the first file is generated by copying a part of the first file containing the first control list when the third node accesses the first file;
or, the copy of the first file is generated by copying the first control list in the first file when the third node accesses the first file.
8. The method of any of claims 1-7, wherein the return information that the second node successfully accessed the first file comprises one or more of:
context information of the first file, handle information of the first file.
9. The method according to any of claims 1-8, wherein the first node, the second node, and the third node all belong to the same local area network;
or, the first node, the second node, and the third node all belong to the same distributed file system.
10. The method according to any of claims 1-9, wherein the access control policies corresponding to the second node in the first access control list and the second access control list being the same comprises:
the first access control list and the second access control list are the same.
11. The method according to any of claims 1-10, wherein after returning the first request result of the first request to the second node, the method further comprises:
recording an access record of the second node to the first file, wherein the access record of the second node to the first file comprises: the identification information of the second node, and the path at which the second node stores a copy of the first file.
12. A file verification apparatus, the apparatus being applied to a first node, the apparatus comprising: a transceiver unit and a processing unit;
the transceiver unit is configured to receive a first request from a second node, wherein the first request is used to request access to a first file in the first node, and the first file comprises a first access control list;
the transceiver unit is further configured to obtain a copy of the first file from a third node, wherein the third node accesses the first file, and the copy of the first file includes a second access control list;
the first access control list and the second access control list each comprise an access control policy corresponding to the second node;
and the processing unit is configured to, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same and the second node is determined to have access rights to the first file, return a first request result of the first request to the second node through the transceiver unit, wherein the first request result indicates the access rights of the second node to the first file or return information indicating that the first file was accessed successfully, so that the second node can access the first file in the first node.
13. A distributed file system, comprising: a first node, a second node, and a third node; the first node comprises a first file;
the second node sends a first request to the first node, the first request being used to request access to the first file, the first file including a first access control list;
the first node obtains a copy of the first file from the third node, wherein the third node accesses the first file, and the copy of the first file comprises a second access control list;
the first access control list and the second access control list each comprise an access control policy corresponding to the second node;
and, in response to the first request, when the access control policies corresponding to the second node in the first access control list and the second access control list are the same and the second node is determined to have access rights to the first file, the first node returns a first request result of the first request to the second node, wherein the first request result indicates the access rights of the second node to the first file or return information indicating that the first file was accessed successfully, so that the second node can access the first file in the first node.
14. An electronic device, comprising: a processor, a memory for storing instructions executable by the processor;
the processor is configured to, when executing the instructions, cause the electronic device to implement the method of any one of claims 1-11.
15. A computer readable storage medium having stored thereon computer program instructions; characterized in that the computer program instructions, when executed by an electronic device, cause the electronic device to implement the method of any one of claims 1-11.
16. A computer program product comprising computer readable code, or a non-transitory computer readable storage medium carrying computer readable code, characterized in that a processor in an electronic device implements the method of any one of claims 1-11 when the computer readable code is run in the electronic device.
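The decision described in claims 6, 7, 10 and 11, as an added example that is not code from the patent: the first node grants a request for a first-type file only when its own ACL entry for the requester matches the entry in the copy held by a third node. The class names, permission strings, paths and the choice to deny on a mismatch are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class File:
    acl: dict                # node id -> set of permitted operations
    first_type: bool = True  # True: ACL is cross-checked against a copy

@dataclass
class Node:
    name: str
    files: dict = field(default_factory=dict)    # path -> File
    copies: dict = field(default_factory=dict)   # path -> ACL copied on access
    access_log: list = field(default_factory=list)

    def handle_request(self, requester, path, op, copy_holder, copy_path):
        """Decide, as the first node, whether requester may do op on path."""
        f = self.files[path]
        local = f.acl.get(requester)
        if f.first_type:
            # Second ACL: from the copy kept by a node that accessed the file.
            # Per claim 7 the copy may consist of the ACL alone.
            remote = copy_holder.copies.get(path, {}).get(requester)
            if local != remote:
                return "denied: ACL entry differs from copy"  # assumed handling
        if not local or op not in local:
            return "denied: no access right"
        if f.first_type:
            # Claim 11: record the requester and where it stores its copy.
            self.access_log.append((requester, copy_path))
        return "granted"

def demo():
    """Constructed scenario with three nodes and two files."""
    first = Node("node1", files={
        "/data/report": File(acl={"node2": {"read"}}),
        "/tmp/scratch": File(acl={"node2": {"read"}}, first_type=False),
    })
    third = Node("node3", copies={"/data/report": {"node2": {"read"}}})
    args = ("node2", "/data/report")
    results = [first.handle_request(*args, "read", third, "/cache/report")]
    # Constructed tampering: the local ACL is widened, the copy is unchanged.
    first.files["/data/report"].acl["node2"] = {"read", "write"}
    results.append(first.handle_request(*args, "write", third, "/cache/report"))
    # A file outside the first type is decided on its own ACL alone (claim 6).
    results.append(first.handle_request(
        "node2", "/tmp/scratch", "read", third, "/cache/scratch"))
    return results, first.access_log
```

The second request is refused even though the widened local ACL would allow the write, because the entry no longer matches the copy held by the third node.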
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111388448.1A CN116150090A (en) 2021-11-22 2021-11-22 File verification method and related equipment
PCT/CN2022/129094 WO2023088090A1 (en) 2021-11-22 2022-11-01 File verification method and related device

Publications (1)

Publication Number Publication Date
CN116150090A true CN116150090A (en) 2023-05-23

Family

ID=86352996

Country Status (2)

Country Link
CN (1) CN116150090A (en)
WO (1) WO2023088090A1 (en)

Also Published As

Publication number Publication date
WO2023088090A1 (en) 2023-05-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination