WO2021072881A1 - Object storage-based request processing method, apparatus and device, and storage medium - Google Patents

Publication number
WO2021072881A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2019/118550
Inventor
周波
Original Assignee
平安科技(深圳)有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/13 File access structures, e.g. distributed indices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/08 Error detection or correction by redundancy in data representation, e.g. by using checking codes
    • G06F11/10 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
    • G06F11/1004 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's to protect a block of data words, e.g. CRC or checksum
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/172 Caching, prefetching or hoarding of files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/182 Distributed file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • This application relates to the field of computer technology, and in particular to a request processing method, apparatus, device and storage medium based on object storage.
  • the mainstream cloud service providers all provide image archive storage, and archive storage is charged according to storage access frequency and capacity. In practice, access to image data is found to have certain time characteristics. In most of the connected systems, the probability that data uploaded to the back-end storage is accessed within 2 days is more than 90%, and the probability of access after more than 2 days is less than 5%. The cycle on which cloud vendors convert ordinary storage to archive storage is counted on a monthly basis, and retrieving the data is charged according to the size of the data. Therefore, how to simplify, to the greatest extent, the transmission of file data on the network and the query and retrieval on the server, and reduce the network cost when an enterprise acquires data, has become an urgent problem to be solved.
  • the main purpose of this application is to provide a request processing method, apparatus, device and storage medium based on object storage, which aims to solve the technical problem that the prior art cannot simplify the transmission of file data in the network and the query and retrieval process on the server side, and cannot reduce the network cost of data acquisition.
  • this application provides a request processing method based on object storage, and the method includes the following steps:
  • the target data is returned to the initiator of the access request.
  • this application also proposes a request processing device based on object storage, the device including:
  • the request parsing module is used to parse the received access request, and read the request parameters of the preset dimensions from the parsing result;
  • the request authentication module is configured to call a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
  • the parameter acquisition module is configured to search for the local cache field carried in the request header of the access request when the user is authenticated, and read the parameter value corresponding to the local cache field;
  • a numerical value detection module, configured to detect whether the parameter value is a preset value;
  • a data acquisition module, configured to acquire the target data requested by the access request from the local storage space when the parameter value is the preset value;
  • the data acquisition module is further configured to calculate the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and read the historical cyclic redundancy check value corresponding to the target data from the local storage space;
  • the data acquisition module is further configured to perform a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
  • the data acquisition module is further configured to return the target data to the initiator of the access request when the verification is passed.
  • this application also proposes a request processing device based on object storage, the device including: a memory, a processor, and computer-readable instructions that are stored on the memory and can run on the processor, the computer-readable instructions being configured to implement the steps of the object storage-based request processing method as described above.
  • this application also proposes a storage medium with computer-readable instructions stored on the storage medium, and when the computer-readable instructions are executed by a processor, the steps of the object storage-based request processing method as described above are realized.
  • this application first authenticates the request when it receives an access request; when the user authentication is passed, it directly determines whether the target data accessed by the request is stored locally according to the parameter value of the local cache field in the request header.
  • the target data is transmitted back to the initiator of the access request, so that the system does not have to obtain and return data from the remote end when receiving each access request, thus simplifying the data transmission in the network and the query and retrieval process on the server, and reducing the network cost of data acquisition.
  • FIG. 1 is a schematic structural diagram of a request processing device based on object storage in a hardware operating environment related to a solution of an embodiment of the present application;
  • FIG. 2 is a schematic flowchart of a first embodiment of a request processing method based on object storage according to this application;
  • FIG. 3 is a schematic flowchart of a second embodiment of a request processing method based on object storage according to this application;
  • FIG. 4 is a schematic flowchart of a third embodiment of a request processing method based on object storage according to this application;
  • Fig. 5 is a structural block diagram of a first embodiment of a request processing apparatus based on object storage in this application.
  • FIG. 1 is a schematic structural diagram of a request processing device based on object storage in a hardware operating environment involved in a solution of an embodiment of the application.
  • the request processing device based on object storage may include a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005.
  • the communication bus 1002 is used to implement connection and communication between these components.
  • the user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface.
  • the network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wireless-Fidelity (WI-FI) interface).
  • the memory 1005 may be a high-speed random access memory (Random Access Memory, RAM), or a stable non-volatile memory (Non-Volatile Memory, NVM), such as disk storage.
  • the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
  • FIG. 1 does not constitute a limitation on the request processing device based on object storage, which may include more or fewer components than those shown in the figure, a combination of certain components, or a different arrangement of components.
  • the memory 1005 as a storage medium may include an operating system, a data storage module, a network communication module, a user interface module, and computer readable instructions.
  • the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with users; the request processing device based on object storage of this application
  • the processor 1001 and the memory 1005 may be set in a request processing device based on object storage.
  • the request processing device based on object storage uses the processor 1001 to call computer-readable instructions stored in the memory 1005 and execute the request processing method based on object storage.
  • the embodiment of the present application provides a request processing method based on object storage.
  • FIG. 2 is a schematic flowchart of the first embodiment of the request processing method based on object storage in this application.
  • the request processing method based on object storage includes the following steps:
  • Step S10 Parse the received access request, and read the request parameters of the preset dimensions from the parsing result;
  • the execution subject of the method in this embodiment may be a distributed file system or a cluster (Ceph) that can provide object storage, block storage, and file storage.
  • Ceph has been widely used because of its ability to provide three types of storage: object storage, block storage, and file storage, as well as open source features.
  • there are more and more cloud storage clusters built using Ceph, and the storage capacity of a single cluster is getting bigger and bigger.
  • Ceph object storage is usually used to store massive medical pictures.
  • the object storage-based request processing method proposed in this embodiment is mainly used to optimize user access conditions involved in the medical image storage system, and improve user access efficiency and the security of the medical image storage system.
  • the request parameters of the preset dimensions may include: the Uniform Resource Locator (URL) carried in the access request, the object name in the URL, the operation action, the bucket, the authentication type field, the message header declaration field, the signature value (Signature) field and other parameters.
  • the distributed file system Ceph (hereinafter referred to as the Ceph system) in this embodiment may roughly include five modules: a hypertext transfer protocol (HTTP) front-end module, a representational state transfer application program interface (REST API) general processing layer, an application program interface operation execution layer, an interface adaptation layer and an interface layer. For each access request received, the above modules in the Ceph system can work together to respond to the access request.
  • the HTTP front-end module in the Ceph system first parses the access request when it receives the access request sent by the application client, then reads the request parameters of the aforementioned preset dimensions from the parsing result, and then sends these request parameters to the REST API general processing layer.
  • the operation of reading the request parameters of the preset dimensions from the parsing result can also be performed by the REST API general processing layer, which is not limited in this embodiment.
  • Step S20 Call a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
  • the user authentication in this embodiment is to verify whether the access user corresponding to the access request is legal, whether the operation action (read/write/modify of data, etc.) is allowed, whether the name of the access object in the request URL exists, whether the access user has the access authority to the access object, etc.
  • the preset object storage gateway function may be the rgw_process_authenticated function in the pre-written process_request method.
  • when the REST API general processing layer of this embodiment performs user authentication operations, it can do so based on the information contained in the authentication type field, the message header declaration (SignedHeaders) field, and the signature value (Signature) field.
  • the authentication type field defines the user authentication method or type, such as the Basic (basic authentication) method or the AWS4 (AWS Signature Version 4) server authentication method, and the authentication type field also specifies the target signature algorithm used for request signature value calculation.
  • the message header declaration field specifies which message headers are used to calculate the signature value of the access request.
  • the signature value field gives the exact signature value that should be obtained after calculating the requested signature value.
  • the REST API general processing layer in the Ceph system can call the rgw_process_authenticated function in the process_request method based on the read request parameters to perform user authentication on the access request.
  • Step S30 when the user is authenticated, search for the local cache field carried in the request header of the access request, and read the parameter value corresponding to the local cache field;
  • this embodiment extends the application program interface of the Ceph system, that is, a local cache ("Local-cached") field is added to the request header (the HTTP header, an important part of the Hypertext Transfer Protocol, used for parameter transfer), so that whether the data required by an access request exists locally can be judged from the parameter value corresponding to the Local-cached field in the request header of that access request, and follow-up operations are performed according to the judgment result.
  • the application program interface operation execution layer in the Ceph system can query the local cache field carried in the request header of the access request when the user is authenticated, and read the parameter value corresponding to the local cache field.
  • Step S40 Detect whether the parameter value is a preset value
  • the parameter value in this embodiment is True or False, and the preset value is True. If the parameter value corresponding to the local cache field is False, it indicates that the data or access object required by the access request does not exist in the database corresponding to the Ceph system. At this time, the Ceph system needs to obtain the data first, and then send it back to the client. If the parameter value corresponding to the local cache field is True, it indicates that the data or access object required by the access request exists in the database corresponding to the Ceph system. At this time, it is only necessary to verify the integrity of the data or access object required by the access request, and then return the access result to the client.
  • the application program interface operation execution layer in the Ceph system can detect whether the parameter value is a preset value when it reads the parameter value corresponding to the local cache field, and then execute the corresponding request response operation according to the detection result.
  • Step S50 If yes, obtain the target data requested by the access request from the local storage space;
  • the target data may be the resource to be accessed by the access request, or the access result returned by the Ceph system to the client after the resource is accessed. Further, it is considered that errors may occur during data transmission or storage, and such errors will cause the original structure of the data to be destroyed, so that the data receiver or the data saver may receive or save the wrong data. Therefore, after reading the target data from the local storage space, the Ceph system of this embodiment will also perform a cyclic redundancy check on the read target data to ensure the integrity of the target data.
  • Step S60 Calculate the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and read the historical cyclic redundancy check value corresponding to the target data from the local storage space;
  • the cyclic redundancy check (Cyclic Redundancy Check, CRC) is a hash function that generates a short fixed-digit check code based on data such as network data packets or computer files. It is mainly used to detect or verify possible errors after data transmission or storage.
  • the historical cyclic redundancy check value is the cyclic redundancy check value calculated by the cyclic redundancy check algorithm before the target data is stored in the local storage space. In practical applications, the check value can be associated with the target data and then saved for subsequent reading and verification.
  • step (3) If the LSB is 0, repeat step (3); if the LSB is 1, it means that the CRC register is XORed with 0x31;
  • the CRC value is the CRC value after the NOR operation is performed on the data of the CRC register and the "exclusive OR value result".
  • Step S70 Perform a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
  • Step S80 When the verification is passed, the target data is returned to the initiator of the access request.
  • when the application program interface operation execution layer in the Ceph system detects that the parameter value corresponding to the local cache field is True, it obtains the target data requested by the access request from the local storage space, then uses the CRC algorithm to perform an integrity check on the target data, and after the verification is passed, returns the target data to the initiator of the access request to realize a quick response to the access request.
  • this embodiment first authenticates the request when the access request is received; when the user authentication is passed, it directly determines whether the target data accessed by the request is stored locally according to the parameter value of the local cache field in the request header and, when it is, directly returns the target data to the initiator of the access request, so that the system does not have to obtain and return the data from the remote end when receiving each access request, which simplifies the data transmission in the network and the query and retrieval process on the server and reduces the network cost of data acquisition.
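
The cache-hit path of steps S30 to S80, as an added example that is not code from the patent or from Ceph. `LocalStore`, `respond` and the sample key are hypothetical, `zlib.crc32` stands in for the CRC variant (the page does not fix one), and falling back to a remote fetch when the check fails is an assumption, since the page only describes the passing case.

```python
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

PRESET_VALUE = "true"  # the page's preset value is True; matched case-insensitively (assumption)


@dataclass
class CachedObject:
    data: bytes
    historical_crc: int  # check value computed before the data was stored locally


class LocalStore:
    """In-memory stand-in for the local storage space (hypothetical)."""

    def __init__(self) -> None:
        self._objects: Dict[str, CachedObject] = {}

    def put(self, key: str, data: bytes) -> None:
        # Save the check value together with the data, for later verification.
        self._objects[key] = CachedObject(data, zlib.crc32(data))

    def get(self, key: str) -> Optional[CachedObject]:
        return self._objects.get(key)

    def flip_bit(self, key: str, offset: int) -> None:
        # Simulate a storage error: one bit of the stored payload changes.
        obj = self._objects[key]
        damaged = bytearray(obj.data)
        damaged[offset] ^= 0x01
        obj.data = bytes(damaged)


def local_cached(headers: Dict[str, str]) -> bool:
    """Steps S30/S40: read the Local-cached field and compare it with the preset value."""
    for name, value in headers.items():
        if name.lower() == "local-cached":
            return value.strip().lower() == PRESET_VALUE
    return False  # a missing field is treated like False


def respond(headers: Dict[str, str], key: str, store: LocalStore,
            fetch_remote: Callable[[str], bytes]) -> Tuple[bytes, str]:
    """Steps S50-S80 for a request that has already passed user authentication."""
    if not local_cached(headers):
        return fetch_remote(key), "remote: header not set"
    obj = store.get(key)
    if obj is None:
        # The header is client-supplied; True does not prove the object is local.
        return fetch_remote(key), "remote: not in local store"
    current_crc = zlib.crc32(obj.data)       # S60: current check value
    if current_crc != obj.historical_crc:    # S70: integrity check
        return fetch_remote(key), "remote: crc mismatch"
    return obj.data, "local"                 # S80: verification passed


# Constructed sample data, not taken from the page.
SAMPLE_KEY = "images/scan-001.dcm"
SAMPLE_BYTES = b"constructed sample image payload"


def fetch_sample_remote(key: str) -> bytes:
    """Stand-in for the remote pull of the third embodiment."""
    return SAMPLE_BYTES


def demo() -> Dict[str, str]:
    store = LocalStore()
    store.put(SAMPLE_KEY, SAMPLE_BYTES)
    results = {}
    results["hit"] = respond({"Local-cached": "True"}, SAMPLE_KEY, store, fetch_sample_remote)[1]
    results["flag_false"] = respond({"Local-cached": "False"}, SAMPLE_KEY, store, fetch_sample_remote)[1]
    results["absent"] = respond({"Local-cached": "True"}, "images/other.dcm", store, fetch_sample_remote)[1]
    store.flip_bit(SAMPLE_KEY, 3)
    results["corrupt"] = respond({"local-cached": " TRUE "}, SAMPLE_KEY, store, fetch_sample_remote)[1]
    return results


if __name__ == "__main__":
    for case, source in demo().items():
        print(f"{case}: {source}")
```

A CRC catches accidental corruption in storage or transit; it is not keyed, so on its own it does not detect deliberate modification by someone who can also rewrite the stored check value.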
  • FIG. 3 is a schematic flowchart of a second embodiment of a request processing method based on object storage in this application.
  • the step S20 includes:
  • Step S201 Read the authentication type field, the message header declaration field, and the signature value field included in the request parameter;
  • the authentication type field defines the method or type of user authentication, such as the Basic (basic authentication) method or the AWS4 (AWS Signature Version 4) server authentication method, and the authentication type field also specifies the target signature algorithm used for request signature value calculation.
  • the message header declaration field specifies which message headers are used to calculate the signature value of the access request.
  • the signature value field gives the exact signature value that should be obtained after the request signature value calculation is performed. If the calculated signature value is consistent with the exact signature value given in the signature value field, it indicates that the access request is credible; otherwise, it is not credible.
  • the REST API general processing layer in the Ceph system can perform user authentication on the access request based on the read request parameters.
  • Step S202 Determine a user authentication method corresponding to the access request according to the authentication type field, where the user authentication method includes a target signature algorithm;
  • the REST API general processing layer can determine the user authentication method corresponding to the access request and the target signature algorithm used for request signature value calculation according to the authentication type field.
  • for example, if the authentication field read by the REST API general processing layer is Authorization: AWS4-HMAC-SHA256, it indicates that the authentication method corresponding to the access request is the server identity verification method based on the AWS4 algorithm.
  • the target signature algorithm used in this authentication is the AWS4 algorithm; HMAC stands for hash-based message authentication code (Hash-based Message Authentication Code) and stipulates that an HMAC operation needs to be performed on the data in the declaration field of the request message header; SHA256 means that the hash value length used by the signature algorithm is 256 bits.
  • Step S203 Calculate the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm through a preset object storage gateway function;
  • the message header declaration field specifies which message headers are used to calculate the signature value of the access request. At the same time, it also specifies the order of these message headers, so that the sequence of message headers spliced by the Canonical Request function in the subsequent signature calculation is consistent with the sequence specified in the message header declaration field. For access requests, in order to prevent tampering with the request address, the SHA256 value of the requested content, the request timestamp and other information, the host; x-amz-content-sha256; x-amz-date and other parameters must be carried in the message header declaration field.
  • after the REST API general processing layer obtains the message header declaration field, it first calls the preset object storage gateway function (rgw_process_authenticated function) to extract valid signature data (that is, the message headers participating in the calculation of the signature value) from the request parameters according to the message header declaration field, and then calculates the target signature value corresponding to the access request through the target signature algorithm based on this valid signature data.
  • the REST API general processing layer can call a preset object storage gateway function to extract valid signature data from the request parameters according to the message header declaration field, and then calculate the target signature value corresponding to the access request according to the target signature algorithm and the valid signature data.
  • the target signature algorithm is a hash (SHA256) algorithm
  • Step S204 Perform user authentication on the access request based on the signature value field and the target signature value.
  • the signature value field gives the exact signature value that should be obtained after the request signature value calculation is performed.
  • for example, in the signature value field Signature=6ab57bc9beb4e6558dc4c9824aa156bdc9a357260150dbabd0a589c74910b624, the hexadecimal string after "Signature" is the exact signature value.
  • after the REST API general processing layer calculates the target signature value, it can compare the target signature value with the exact signature value contained in the signature value field. If the two are exactly the same, it indicates that the access request is credible and the user authentication is passed.
  • in this embodiment, the authentication type field, the message header declaration field, and the signature value field contained in the request parameters are read; the user authentication method corresponding to the access request, which includes the target signature algorithm, is determined according to the authentication type field; the preset object storage gateway function calculates the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm; and the access request is then authenticated based on the signature value field and the target signature value, thus realizing effective authentication of the access request, avoiding malicious access and ensuring the information security of the Ceph system.
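
Steps S201 to S204 as a server-side check, added here as an example and not taken from the patent or from Ceph's rgw code. It follows the AWS Signature Version 4 layout, assumes the path and query string arrive already canonically encoded, and uses a constructed access key, secret and request; `verify_request` and `build_sample_request` are hypothetical names.

```python
import hashlib
import hmac
import re
from typing import Dict, List

ALGORITHM = "AWS4-HMAC-SHA256"
# Headers the page says the message header declaration field must carry.
REQUIRED_SIGNED = {"host", "x-amz-content-sha256", "x-amz-date"}
AUTH_RE = re.compile(
    r"^AWS4-HMAC-SHA256 Credential=([^/]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request,"
    r"\s*SignedHeaders=([a-z0-9;-]+),\s*Signature=([0-9a-f]{64})$"
)
# Constructed credentials for the sample request (not real keys).
SAMPLE_ACCESS_KEY = "EXAMPLEACCESSKEY"
SAMPLE_SECRETS = {SAMPLE_ACCESS_KEY: "constructed-secret-not-real"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def compute_signature(secret: str, method: str, path: str, query: str,
                      headers: Dict[str, str], signed: List[str],
                      date: str, region: str, service: str) -> str:
    """Target signature value (step S203)."""
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    # Splice the headers in the order the declaration field lists them.
    canonical_headers = "".join(f"{name}:{hdrs[name]}\n" for name in signed)
    canonical_request = "\n".join([
        method, path, query, canonical_headers,
        ";".join(signed), hdrs["x-amz-content-sha256"],
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM, hdrs["x-amz-date"], scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)  # derive the signing key step by step
    return _hmac(key, string_to_sign).hex()


def verify_request(method: str, path: str, query: str,
                   headers: Dict[str, str], secrets: Dict[str, str]) -> str:
    """Steps S201-S204: return "ok" or a rejection reason."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    match = AUTH_RE.match(hdrs.get("authorization", ""))
    if not match:  # S202: only the AWS4-HMAC-SHA256 type is accepted here
        return "reject: unsupported or malformed authentication type"
    access_key, date, region, service, declared, claimed = match.groups()
    signed = declared.split(";")
    if not REQUIRED_SIGNED.issubset(signed):
        return "reject: required header not signed"
    if any(name not in hdrs for name in signed):
        return "reject: signed header missing from request"
    if not hdrs["x-amz-date"].startswith(date):
        return "reject: credential date does not match x-amz-date"
    secret = secrets.get(access_key)
    if secret is None:
        return "reject: unknown access key"
    expected = compute_signature(secret, method, path, query, headers,
                                 signed, date, region, service)
    # S204: constant-time comparison of the target and claimed signature values.
    if not hmac.compare_digest(expected, claimed):
        return "reject: signature mismatch"
    return "ok"


def build_sample_request() -> Dict[str, str]:
    """Constructed sample: headers of a signed GET, as a client would send them."""
    headers = {
        "Host": "rgw.example.internal",
        "x-amz-date": "20191114T120000Z",
        "x-amz-content-sha256": hashlib.sha256(b"").hexdigest(),
    }
    signed = ["host", "x-amz-content-sha256", "x-amz-date"]
    signature = compute_signature(SAMPLE_SECRETS[SAMPLE_ACCESS_KEY], "GET",
                                  "/images/scan-001.dcm", "", headers, signed,
                                  "20191114", "default", "s3")
    headers["Authorization"] = (
        f"{ALGORITHM} Credential={SAMPLE_ACCESS_KEY}/20191114/default/s3/aws4_request, "
        f"SignedHeaders={';'.join(signed)}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    print(verify_request("GET", "/images/scan-001.dcm", "",
                         build_sample_request(), SAMPLE_SECRETS))
```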
  • FIG. 4 is a schematic flowchart of a third embodiment of a request processing method based on object storage in this application.
  • the method further includes:
  • Step S401 If the parameter value is not the preset value, perform data preprocessing on the request parameter to obtain the target request parameter;
  • the data preprocessing in this step may be permission processing on request parameters.
  • the client (the initiator of the access request) needs to follow corresponding access rules, such as bucket access rules or object access rules, when accessing resources/data in the Ceph system.
  • bucket access rules specify the users who have access rights to the objects in the bucket and the types of access rights that these users have.
  • Object access rules specify the users who have object access rights and the types of access rights that these users have. For example, one user may only have read permissions, while another user may have read and write permissions.
  • when the application program interface operation execution layer in the Ceph system detects that the parameter value corresponding to the local cache field is False, it will perform data preprocessing on the request parameter carried in the access request to obtain the target request parameter.
  • the identification information corresponding to the initiator of the access request may be extracted from the request parameters; the corresponding target access rule is then searched for in the preset access rule table according to the identification information, the preset access rule table storing the correspondence between identification information and access rules; the request parameter is then assigned according to the target access rule to obtain the target request parameter.
  • the identification information may be information that can distinguish the initiators of different access requests, such as Internet Protocol addresses, device serial numbers, and so on.
  • the target access rule may be a pre-created bucket access rule or an object access rule, and these access rules may be associated with the identification information of the initiator and then stored in a preset access rule table.
  • when the application program interface operation execution layer detects that the parameter value is not the preset value, it indicates that the data or access object required by the access request does not exist in the database corresponding to the Ceph system.
  • the Ceph system needs to perform the above-mentioned data preprocessing on the request parameters to obtain the target request parameters, and then perform subsequent data pull operations based on the target request parameters.
  • Step S402 Perform authority authentication on the access request based on the target request parameter
  • the authority authentication is to verify whether the authority type (such as read, write, change, check, etc.) possessed by the client for the access object is the same or partially the same as the authority requested by the access request. If it is, it is determined that the authority authentication is passed.
  • after the application program interface operation execution layer assigns the request parameters according to the target access rules to obtain the target request parameters, it can authenticate the access request according to the target request parameters. Specifically, it can read the attribute value corresponding to the host field in the target request parameter (usually the Internet Protocol address, IP address), query the corresponding permission type in the user permission list according to the attribute value, and then match the queried permission type with the permission type requested by the access request. If the match is successful, the permission authentication is passed; otherwise, the permission authentication is not passed.
  • Step S403 When the authority authentication is passed, encapsulate the access request to obtain a data acquisition request;
  • the rados interface adaptation layer reads the data stored in the underlying rados and obtains the original data of the accessed object, such as target data such as read_version, write_version, status, and size.
  • the application program interface operation execution layer may obtain the access permission corresponding to the access request when the permission authentication passes, then add the access permission to the request parameters as an additional parameter to obtain new request parameters; the original request parameters of the access request are replaced with the new request parameters to obtain the data acquisition request.
  • Step S404: Send the data acquisition request to the interface adaptation layer, so that the interface adaptation layer returns corresponding target data according to the data acquisition request;
  • the application program interface operation execution layer can send the repackaged data acquisition request to the rados interface adaptation layer, and the rados interface adaptation layer reads the target data stored in the underlying rados according to the data acquisition request.
  • Step S405: Return the target data to the initiator of the access request.
  • after the application program interface operation execution layer obtains the target data stored in the underlying rados, it can transmit the target data back to the initiator of the access request to complete the response to the access request.
  • in this embodiment, when it is detected that the parameter value is not the preset value, data preprocessing is performed on the request parameters to obtain the target request parameters; permission authentication is performed on the access request based on the target request parameters; when the permission authentication passes, the access request is encapsulated to obtain the data acquisition request; the data acquisition request is sent to the interface adaptation layer so that the interface adaptation layer returns the corresponding target data according to the data acquisition request; and the target data is returned to the initiator of the access request. In this way, when the target data requested by the access request does not exist in the local storage space, the target data can still be obtained safely and conveniently, ensuring a smooth response to the access request.
  • the embodiment of the present application also proposes a storage medium, and the storage medium may be a non-volatile readable storage medium or a volatile readable storage medium.
  • the storage medium stores computer-readable instructions, and when the computer-readable instructions are executed by a processor, the steps of the request processing method based on object storage as described above are realized.
  • FIG. 5 is a structural block diagram of a first embodiment of a request processing apparatus based on object storage in this application.
  • the object storage-based request processing apparatus proposed in the embodiment of the present application includes:
  • the request parsing module 501 is used for parsing the received access request, and reading request parameters of preset dimensions from the parsing result;
  • the request authentication module 502 is configured to call a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
  • the parameter acquisition module 503 is configured to search for the local cache field carried in the request header of the access request when the user is authenticated, and read the parameter value corresponding to the local cache field;
  • the value detection module 504 is configured to detect whether the parameter value is a preset value;
  • the data acquisition module 505 is configured to acquire the target data requested by the access request from the local storage space when the parameter value is the preset value;
  • the data acquisition module 505 is further configured to use a cyclic redundancy check algorithm to calculate the current cyclic redundancy check value of the target data, and to read the historical cyclic redundancy check value corresponding to the target data from the local storage space;
  • the data acquisition module 505 is further configured to perform a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
  • the data acquisition module 505 is further configured to return the target data to the initiator of the access request when the verification is passed.
  • this embodiment first performs user authentication on an access request when it is received. When the user authentication passes, it determines directly from the parameter value of the local cache field in the request header whether the target data accessed by the request is stored locally, and if so returns the target data directly to the initiator of the access request. The system therefore does not have to obtain and return the data from the remote end for every access request, which simplifies the data transmission in the network and the query and retrieval process on the server, and reduces the network cost of data acquisition.
  • the request authentication module 502 is also used to read the authentication type field, the message header declaration field, and the signature value field contained in the request parameter; determine, according to the authentication type field, the user authentication method corresponding to the access request, the user authentication method including a target signature algorithm; calculate, through a preset object storage gateway function, the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm; and perform user authentication on the access request based on the signature value field and the target signature value.
  • the request authentication module 502 is also used to call a preset object storage gateway function to extract valid signature data from the request parameters according to the message header declaration field, and to calculate the target signature value corresponding to the access request according to the target signature algorithm and the valid signature data.
  • the data acquisition module 505 is further configured to perform data preprocessing on the request parameter when the parameter value is not the preset value to obtain the target request parameter; perform permission authentication on the access request based on the target request parameter; when the permission authentication passes, encapsulate the access request to obtain a data acquisition request; send the data acquisition request to the interface adaptation layer, so that the interface adaptation layer returns corresponding target data according to the data acquisition request; and return the target data to the initiator of the access request.
  • the data acquisition module 505 is further configured to extract the identification information corresponding to the initiator of the access request from the request parameters;
  • the data acquisition module 505 is further configured to obtain the access permission corresponding to the access request when the permission authentication passes; add the access permission to the request parameter as an additional parameter to obtain a new request parameter; and encapsulate the access request according to the new request parameter to obtain a data acquisition request.
  • the data acquisition module 505 is also configured to acquire the target data requested by the access request from a local storage space; use a cyclic redundancy check algorithm to calculate the current cyclic redundancy check value of the target data, and read the historical cyclic redundancy check value corresponding to the target data from the local storage space; perform a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value; and, when the check passes, return the target data to the initiator of the access request.
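
The local-cache path summarized in the items above (signature check over the declared headers, the local cache flag, then the CRC comparison), as an added Python example that is not code from the patent or from Ceph. The HMAC-SHA256 scheme is a simplified stand-in for the signing the modules describe, and the key id, secret, header layout, in-memory store and status strings are all assumptions.

```python
import hashlib
import hmac
import zlib

# Constructed sample state: the key id, secret and store are illustrative only.
SECRET_KEYS = {"AKEXAMPLE": b"constructed-secret"}
LOCAL_STORE = {}  # (bucket, object) -> (data, CRC-32 recorded before storage)


def put_local(bucket, name, data):
    """Store an object together with its 'historical' CRC value."""
    LOCAL_STORE[(bucket, name)] = (data, zlib.crc32(data))


def string_to_sign(method, path, headers, signed_headers):
    """Valid signature data: only the headers named in SignedHeaders."""
    lines = [method, path]
    lines += [f"{h}:{headers[h].strip()}" for h in signed_headers]
    return "\n".join(lines).encode()


def sign(secret, method, path, headers, signed_headers):
    msg = string_to_sign(method, path, headers, signed_headers)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def parse_authorization(value):
    """Split 'TYPE Credential=id, SignedHeaders=a;b, Signature=hex'."""
    auth_type, _, rest = value.partition(" ")
    fields = dict(part.strip().split("=", 1) for part in rest.split(","))
    return (auth_type, fields["Credential"],
            fields["SignedHeaders"].split(";"), fields["Signature"])


def authenticate(method, path, headers):
    """User authentication: recompute the signature and compare it."""
    try:
        auth_type, key_id, signed, claimed = parse_authorization(
            headers["authorization"])
        if auth_type != "HMAC-SHA256":   # authentication type selects the algorithm
            return False
        expected = sign(SECRET_KEYS[key_id], method, path, headers, signed)
    except (KeyError, ValueError):       # missing field, header or unknown key
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), claimed.encode())


def handle_request(method, path, headers):
    """Return (status, data); status is ok, denied, remote or corrupt."""
    headers = {k.lower(): v for k, v in headers.items()}
    bucket, _, name = path.lstrip("/").partition("/")    # parse the request
    if not authenticate(method, path, headers):          # user authentication
        return "denied", b""
    if headers.get("local-cached") != "True":            # flag is not the preset value
        return "remote", b""                             # back-end path, not modelled
    entry = LOCAL_STORE.get((bucket, name))
    if entry is None:                                    # flag set but nothing cached:
        return "remote", b""                             # assumed fallback to back end
    data, historical_crc = entry
    if zlib.crc32(data) != historical_crc:               # integrity check
        return "corrupt", b""
    return "ok", data                                    # return the target data


def build_request(path, local_cached):
    """Constructed client side: sign the host and local-cached headers."""
    headers = {"host": "rgw.example.internal", "local-cached": local_cached}
    signed = ["host", "local-cached"]
    sig = sign(SECRET_KEYS["AKEXAMPLE"], "GET", path, headers, signed)
    headers["authorization"] = (
        f"HMAC-SHA256 Credential=AKEXAMPLE, "
        f"SignedHeaders={';'.join(signed)}, Signature={sig}")
    return headers


if __name__ == "__main__":
    put_local("scans", "ct-001.dcm", b"constructed image bytes")
    target = "/scans/ct-001.dcm"
    print(handle_request("GET", target, build_request(target, "True")))
    print(handle_request("GET", target, build_request(target, "False")))
```

CRC-32 is unkeyed, so this check catches accidental corruption in storage or transit but not deliberate modification by anyone able to write both the object and its stored check value.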

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Quality & Reliability (AREA)
  • Storage Device Security (AREA)

Abstract

An object storage-based request processing method, apparatus and device, and a storage medium. The method comprises: parsing a received access request and reading a request parameter of a preset dimension from the parsing result (S10); calling, on the basis of the request parameter, a preset object storage gateway function to perform user authentication on the access request (S20); if the user authentication passes, searching for a local cache field carried by a request header of the access request, and reading a parameter value corresponding to the local cache field (S30); testing whether the parameter value is a preset value (S40); if the parameter value is the preset value, obtaining, from a local storage space, target data requested by the access request (S50); calculating a current cyclic redundancy check value of the target data by using a cyclic redundancy check algorithm, and reading a historical cyclic redundancy check value corresponding to the target data from the local storage space (S60); performing, according to the current cyclic redundancy check value and the historical cyclic redundancy check value, data integrity verification on the target data (S70); and if the verification passes, returning the target data to an initiating end of the access request (S80). User authentication is first performed on the access request. If the authentication passes, it is determined, according to the parameter value of the local cache field in the request header, whether target data to be accessed is stored locally; and if yes, said target data is returned to the initiating end of the access request, so that a system does not need to obtain data from a distal end and return same upon receipt of any access request, which simplifies the data transmission in a network and the query search process at a server, and reduces the network cost of data acquisition.

Description

Object storage-based request processing method, apparatus and device, and storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on October 16, 2019, with application number 201910985628.4 and the invention title "Object storage-based request processing method, apparatus and device, and storage medium", the entire contents of which are incorporated into this application by reference.
Technical field
This application relates to the field of computer technology, and in particular to an object storage-based request processing method, apparatus, device and storage medium.
Background
Data is the foundation of computing and of business, and reliable storage of data is the service that cloud storage provides. The rapid development of cloud computing technology has driven the networking of computing and storage, and the major Internet technology companies have all launched cloud services. Current cloud storage providers have invested substantial resources in reliability and achieved good results.
Mainstream cloud service providers all offer image archive storage, and archive storage is billed according to storage access frequency and capacity. In practice, access to image data has been found to follow a distinct time pattern. In most of the connected systems, the probability that data uploaded to back-end storage is accessed within 2 days is above 90%, while access after more than 2 days is below 5%. Cloud vendors, however, compute the cycle for converting ordinary storage to archive storage on a monthly basis, and retrieving data is charged according to the size of the data. How to simplify, as far as possible, the transmission of file data over the network and its query and retrieval on the server side, and to reduce an enterprise's network cost when acquiring data, has therefore become an urgent problem.
Summary of the invention
The main purpose of this application is to provide an object storage-based request processing method, apparatus, device and storage medium, aiming to solve the technical problem that the prior art cannot simplify the transmission of file data in the network and the query and retrieval process on the server side, nor reduce the network cost of data acquisition.
To achieve the above objective, this application provides an object storage-based request processing method, the method including the following steps:
parsing a received access request, and reading request parameters of preset dimensions from the parsing result;
calling a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
when the user authentication passes, looking up the local cache field carried in the request header of the access request, and reading the parameter value corresponding to the local cache field;
detecting whether the parameter value is a preset value;
if so, obtaining the target data requested by the access request from the local storage space;
calculating the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and reading the historical cyclic redundancy check value corresponding to the target data from the local storage space;
performing a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
when the check passes, returning the target data to the initiator of the access request.
In addition, to achieve the above objective, this application also proposes an object storage-based request processing apparatus, the apparatus including:
a request parsing module, configured to parse a received access request and read request parameters of preset dimensions from the parsing result;
a request authentication module, configured to call a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
a parameter acquisition module, configured to look up the local cache field carried in the request header of the access request when the user authentication passes, and read the parameter value corresponding to the local cache field;
a value detection module, configured to detect whether the parameter value is a preset value;
a data acquisition module, configured to acquire the target data requested by the access request from the local storage space when the parameter value is the preset value;
the data acquisition module being further configured to calculate the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and to read the historical cyclic redundancy check value corresponding to the target data from the local storage space;
the data acquisition module being further configured to perform a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
the data acquisition module being further configured to return the target data to the initiator of the access request when the check passes.
In addition, to achieve the above objective, this application also proposes an object storage-based request processing device, the device including: a memory, a processor, and computer-readable instructions that are stored in the memory and can run on the processor, the computer-readable instructions being configured to implement the steps of the object storage-based request processing method described above.
In addition, to achieve the above objective, this application also proposes a storage medium on which computer-readable instructions are stored; when the computer-readable instructions are executed by a processor, the steps of the object storage-based request processing method described above are implemented.
In this application, user authentication is first performed on an access request when it is received. When the user authentication passes, whether the target data accessed by the request is stored locally is determined directly from the parameter value of the local cache field in the request header, and if so the target data is returned directly to the initiator of the access request. The system therefore does not have to obtain and return data from the remote end for every access request, which simplifies the transmission of data in the network and the query and retrieval process on the server side, and reduces the network cost of data acquisition.
Description of the drawings
FIG. 1 is a schematic structural diagram of an object storage-based request processing device in the hardware operating environment involved in the solutions of the embodiments of this application;
FIG. 2 is a schematic flowchart of a first embodiment of the object storage-based request processing method of this application;
FIG. 3 is a schematic flowchart of a second embodiment of the object storage-based request processing method of this application;
FIG. 4 is a schematic flowchart of a third embodiment of the object storage-based request processing method of this application;
FIG. 5 is a structural block diagram of a first embodiment of the object storage-based request processing apparatus of this application.
The realization of the purpose, the functional characteristics and the advantages of this application are further described below in conjunction with the embodiments and with reference to the accompanying drawings.
Detailed description
It should be understood that the specific embodiments described here are only used to explain this application and are not intended to limit it.
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of an object storage-based request processing device in the hardware operating environment involved in the solutions of the embodiments of this application.
As shown in FIG. 1, the object storage-based request processing device may include a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to implement connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a wireless fidelity (WIreless-FIdelity, WI-FI) interface). The memory 1005 may be a high-speed random access memory (RAM), or a stable non-volatile memory (NVM), such as disk storage. Optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the structure shown in FIG. 1 does not limit the object storage-based request processing device, which may include more or fewer components than shown, combine certain components, or use a different arrangement of components.
As shown in FIG. 1, the memory 1005, as a storage medium, may include an operating system, a data storage module, a network communication module, a user interface module and computer-readable instructions.
In the object storage-based request processing device shown in FIG. 1, the network interface 1004 is mainly used for data communication with a network server, and the user interface 1003 is mainly used for data interaction with the user. The processor 1001 and the memory 1005 may be arranged in the object storage-based request processing device, which uses the processor 1001 to call the computer-readable instructions stored in the memory 1005 and to execute the object storage-based request processing method provided by the embodiments of this application.
An embodiment of this application provides an object storage-based request processing method. Referring to FIG. 2, FIG. 2 is a schematic flowchart of the first embodiment of the object storage-based request processing method of this application.
In this embodiment, the object storage-based request processing method includes the following steps:
Step S10: Parse the received access request, and read the request parameters of the preset dimensions from the parsing result;
It should be noted that the method of this embodiment may be executed by a distributed file system or cluster (Ceph) that can provide object storage, block storage and file storage. In recent years, Ceph has been widely adopted because it provides these three kinds of storage and is open source. More and more cloud storage clusters are built with Ceph, and the storage capacity of a single cluster keeps growing. In medical image storage systems, for example, Ceph object storage is commonly used to store massive numbers of medical images. The object storage-based request processing method proposed in this embodiment is mainly used to optimize the user access involved in a medical image storage system, improving user access efficiency and the security of the medical image storage system.
In this step, the request parameters of the preset dimensions may include: the object name, the operation action and the bucket (Bucket) name in the Uniform Resource Locator (URL) carried by the access request, together with the authentication type field, the message header declaration (SignedHeaders) field, the signature value (Signature) field and other parameters.
In addition, the distributed file system Ceph in this embodiment (hereinafter, the Ceph system) may roughly comprise five modules: a Hypertext Transfer Protocol (HTTP) front-end module, a Representational State Transfer application program interface (REST API) general processing layer, an application program interface operation execution layer, an interface adaptation layer and an interface layer. For each access request received, these modules in the Ceph system can work together to respond to the request.
In a specific implementation, when the HTTP front-end module in the Ceph system receives an access request sent by an application client, it first parses the access request, then reads the request parameters of the above preset dimensions from the parsing result, and sends these request parameters to the REST API general processing layer.
Of course, in practical applications, the operation of reading the request parameters of the preset dimensions from the parsing result can also be performed by the REST API general processing layer; this embodiment places no restriction on this.
Step S20: Call a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
It should be noted that the user authentication in this embodiment, also called Auth authentication, verifies whether the user making the access request is legitimate, whether the operation action (reading, writing or modifying data, and so on) is allowed, whether the access object named in the request URL exists, whether the user has access permission on the access object, and so on. The preset object storage gateway function may be the rgw_process_authenticated function in the pre-written process_request method.
Further, when the REST API general processing layer of this embodiment performs the user authentication operation, it can do so based on the information contained in the authentication type field, the message header declaration (SignedHeaders) field and the signature value (Signature) field. Typically, the authentication type field defines the method or type of user authentication, for example Basic (basic authentication) or AWS4 (AWS Signature Version 4) server authentication, and also specifies the target signature algorithm used to calculate the request signature value. The message header declaration field specifies which message headers are used to calculate the signature value of the access request. The signature value field gives the exact signature value that the request signature calculation should produce.
In a specific implementation, the REST API general processing layer in the Ceph system can call the rgw_process_authenticated function in the process_request method, based on the request parameters read above, to perform user authentication on the access request.
Step S30: When the user authentication passes, look up the local cache field carried in the request header of the access request, and read the parameter value corresponding to the local cache field;
It should be noted that this embodiment extends the application program interface of the Ceph system: a local cache field, "Local-cached", is added to the request header of the access request (the HTTP header, an important part of the Hypertext Transfer Protocol used for passing parameters). The parameter value of the Local-cached field in the request header of each access request can then be used to judge whether the data required by the access request exists locally, and subsequent operations are performed according to the result.
In a specific implementation, the application program interface operation execution layer in the Ceph system can, when the user authentication passes, look up the local cache field carried in the request header of the access request and read the parameter value corresponding to the local cache field.
Step S40: Detect whether the parameter value is a preset value;
It should be understood that in this embodiment the parameter value is True or False, and the preset value is True. If the parameter value corresponding to the local cache field is False, the data or access object required by the access request does not exist in the database corresponding to the Ceph system, and the Ceph system must first obtain the data and then return it to the client. If the parameter value corresponding to the local cache field is True, the data or access object required by the access request exists in the database corresponding to the Ceph system, and it is only necessary to verify the integrity of that data or access object and then return the access result to the client.
In a specific implementation, when the application program interface operation execution layer in the Ceph system reads the parameter value corresponding to the local cache field, it can detect whether the parameter value is the preset value and then perform the corresponding request response operation according to the detection result.
步骤S50:若是,则从本地存储空间中获取所述访问请求所请求的目标数据;Step S50: If yes, obtain the target data requested by the access request from the local storage space;
应理解的是,所述目标数据可以是访问请求需要访问的资源,或访问资源后Ceph系统返回给客户端的访问结果。进一步地,考虑到在数据传输或存储过程中可能会出现差错,而这种差错将会导致数据的原有结构被破坏,从而使得数据接收方或数据保存方接收或保存错误的数据。因此,本实施例Ceph系统在从本地存储空间中读取到目标数据之后,还将对读取到的目标数据进行循环冗余校验,以确保目标数据的完整性。It should be understood that the target data may be the resource to be accessed by the access request, or the access result returned by the Ceph system to the client after the resource is accessed. Further, it is considered that errors may occur during data transmission or storage, and such errors will cause the original structure of the data to be destroyed, so that the data receiver or the data saver may receive or save the wrong data. Therefore, after reading the target data from the local storage space, the Ceph system of this embodiment will also perform a cyclic redundancy check on the read target data to ensure the integrity of the target data.
步骤S60:采用循环冗余校验算法计算所述目标数据的当前循环冗余校验值,并从所述本地存储空间中读取所述目标数据对应的历史循环冗余校验值;Step S60: Calculate the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and read the historical cyclic redundancy check value corresponding to the target data from the local storage space;
应理解的是,所述循环冗余校验(Cyclic Redundancy Check,CRC)是一种根据网络数据包或电脑文件等数据产生简短固定位数校验码的一种散列函数,主要用来检测或校验数据传输或者保存后可能出现的错误。相应的本实施例中,所述历史循环冗余校验值,即目标数据在被存放到所述本地存储空间前,通过循环冗余校验算法计算的循环冗余校验值。实际应用中可将该校验值与目标数据关联后进行保存,以便于后续读取并校验。It should be understood that the cyclic redundancy check (Cyclic Redundancy Check) Check, CRC) is a hash function that generates a short fixed-digit check code based on data such as network data packets or computer files. It is mainly used to detect or verify possible errors after data transmission or storage. Correspondingly, in this embodiment, the historical cyclic redundancy check value is the cyclic redundancy check value calculated by the cyclic redundancy check algorithm before the target data is stored in the local storage space. In practical applications, the check value can be associated with the target data and then saved for subsequent reading and verification.
The cyclic redundancy check algorithm of this embodiment roughly includes the following steps:
(1) Set up a CRC register in the Ceph system and assign it the "initial remainder value";
(2) XOR the first 8-bit character of the target data with the CRC register, and store the XOR result in the CRC register;
(3) Shift the CRC register right by one bit, fill the most significant bit (Most Significant Bit, MSB) of the CRC register with zero, and shift out and check the least significant bit (Least Significant Bit, LSB);
(4) If the LSB is 0, repeat step (3); if the LSB is 1, the CRC register is XORed with 0x31;
(5) Repeat steps (3) and (4) until all 8 shifts are complete, at which point one 8-bit datum has been processed;
(6) Repeat steps (2) to (5) until all of the target data has been processed;
(7) Finally, a NOR operation is performed on the data in the CRC register and the "XOR value result", and the outcome is the CRC value.
Step S70: Perform a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
It should be understood that, in the data integrity check, if the current cyclic redundancy check value and the historical cyclic redundancy check value are the same, the data integrity check passes; if the current cyclic redundancy check value and the historical cyclic redundancy check value differ, the data integrity check fails.
Step S80: When the check passes, return the target data to the initiator of the access request.
In a specific implementation, when the application program interface operation execution layer in the Ceph system detects that the parameter value corresponding to the local cache field is True, it obtains the target data requested by the access request from the local storage space, performs an integrity check on the target data with the CRC algorithm and, once the check passes, returns the target data to the initiator of the access request, achieving a fast response to the access request.
In this embodiment, when an access request is received, user authentication is first performed on the request; when user authentication passes, the parameter value of the local cache field in the request header is used to determine directly whether the target data accessed by the request is stored locally, and if so the target data is returned directly to the initiator of the access request. The system therefore does not have to fetch and return data from the remote end for every access request it receives, which simplifies the transmission of data over the network and the query and retrieval process on the server side, and reduces the network cost of data acquisition.
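The local path of steps S40 to S80 can be followed in code. The block below is an added example, not code from the patent or from Ceph: it runs the register procedure of steps (1) to (6) as written, with 0x31 as the constant, and uses the result for the stored-versus-recomputed comparison. The initial register value of 0x00, the `LocalStore` class and every function name are assumptions; step (7) is left out because the page gives no value for its operand.

```python
POLY = 0x31  # constant named in step (4) on the page


class IntegrityError(Exception):
    """Raised when the current and historical CRC values differ (step S70)."""


def crc8(data, init=0x00):
    """Register procedure of steps (1) to (6); `init` is an assumed value."""
    reg = init & 0xFF                 # step (1): load the initial remainder
    for byte in data:                 # step (6): process every byte
        reg ^= byte                   # step (2): XOR the byte into the register
        for _ in range(8):            # step (5): eight shifts per byte
            lsb = reg & 1             # step (3): the bit about to be shifted out
            reg >>= 1                 # step (3): shift right, MSB becomes 0
            if lsb:                   # step (4): XOR with 0x31 when LSB was 1
                reg ^= POLY
    return reg


class LocalStore:
    """Hypothetical local storage space: each object is kept with its CRC."""

    def __init__(self):
        self._objects = {}

    def put(self, name, data):
        # The historical CRC is computed before the data is stored (S60).
        data = bytes(data)
        self._objects[name] = (data, crc8(data))

    def flip_bit(self, name, index, mask):
        # Simulates a storage error: the data changes, the saved CRC does not.
        data, historical = self._objects[name]
        damaged = bytearray(data)
        damaged[index] ^= mask
        self._objects[name] = (bytes(damaged), historical)

    def read_verified(self, name):
        # S60/S70: recompute the current CRC and compare with the saved one.
        data, historical = self._objects[name]
        if crc8(data) != historical:
            raise IntegrityError(name)
        return data


def serve_local(headers, store, name):
    """S40 to S80: return the object only if Local-cached is True and the CRC matches.

    Returns None when the header is absent or not "True", which tells the
    caller to take the other branch of step S40.
    """
    flags = {k.lower(): v.strip() for k, v in headers.items()}
    if flags.get("local-cached") != "True":
        return None
    return store.read_verified(name)


if __name__ == "__main__":
    store = LocalStore()
    store.put("obj", b"constructed object bytes")   # constructed sample data
    print(serve_local({"Local-cached": "True"}, store, "obj"))
    store.flip_bit("obj", -1, 0x01)
    try:
        serve_local({"Local-cached": "True"}, store, "obj")
    except IntegrityError:
        print("integrity check failed, object not returned")
```
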
Referring to FIG. 3, FIG. 3 is a schematic flowchart of a second embodiment of the object storage-based request processing method of this application.
Based on the first embodiment above, in this embodiment step S20 includes:
Step S201: Read the authentication type field, the message header declaration field and the signature value field contained in the request parameters;
It should be understood that, as described in the first embodiment, the authentication type field defines the method or type of user authentication, for example the Basic (basic authentication) method or the AWS4 (AWS Signature Version 4) server authentication method, and the authentication type field also specifies the target signature algorithm used to calculate the request signature value. The message header declaration field specifies which message headers are used to calculate the signature value of the access request. The signature value field gives the exact signature value that the request signature calculation should produce: if the calculated signature value matches the exact signature value given in the signature value field, the access request is trusted; otherwise it is not trusted.
In a specific implementation, the REST API general processing layer in the Ceph system can perform user authentication on the access request based on the request parameters it has read.
Step S202: Determine the user authentication method corresponding to the access request according to the authentication type field, where the user authentication method includes a target signature algorithm;
In a specific implementation, after the REST API general processing layer has read the authentication type field in the request parameters, it can determine from that field the user authentication method corresponding to the access request and the target signature algorithm used to calculate the request signature value.
For example, if the authentication field read by the REST API general processing layer is Authorization: AWS4-HMAC-SHA256, the authentication method corresponding to the access request is the server authentication method based on the AWS4 algorithm, and the target signature algorithm used for this authentication is the AWS4 algorithm; the hash-based message authentication code (Hash-based Message Authentication Code, HMAC) specifies that an HMAC operation is to be performed on the data in the request's message header declaration field; SHA256 means that the hash value used by the signature algorithm is 256 bits long.
Step S203: Calculate the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm, through a preset object storage gateway function;
It is understandable that the message header declaration field specifies which message headers are used to calculate the signature value of the access request, and it also specifies the order of these message headers, so that the order of the message headers concatenated by the Canonical Request function during the subsequent signature calculation matches the order specified in the message header declaration field. For an access request, in order to prevent tampering with information such as the request address, the SHA256 value of the request content and the request timestamp, parameters such as host;x-amz-content-sha256;x-amz-date must be carried in the message header declaration field.
In a specific implementation, after obtaining the message header declaration field, the REST API general processing layer first calls the preset object storage gateway function (the rgw_process_authenticated function) to extract the valid signature data (that is, the message headers that take part in the signature value calculation) from the request parameters according to the message header declaration field, and then calculates the target signature value corresponding to the access request from this valid signature data with the target signature algorithm. Specifically, the REST API general processing layer can call the preset object storage gateway function to extract the valid signature data from the request parameters according to the message header declaration field, and then calculate the target signature value corresponding to the access request according to the target signature algorithm and the valid signature data.
For example, the rgw_process_authenticated function is called to extract, according to the message header declaration field, the valid signature data "host:10.47.193.31", "x-amz-content-sha256: e3b0c44298fc1c149" and "X-Amz-Date: 20190426T061340Z" from the request parameters, and the target signature algorithm is the hash (SHA256) algorithm; the target signature value can then be calculated from this valid signature data with the SHA256 algorithm: "Hash(10.47.193.31e3b0c44298fc1c14920190426T061340Z)=6ab57bc9beb4e6558dc4c9824aa156bdc9a357260150dbabd0a589c74910b624".
Step S204: Perform user authentication on the access request based on the signature value field and the target signature value.
It should be understood that the signature value field gives the exact signature value that the request signature calculation should produce, for example the signature value field Signature=6ab57bc9beb4e6558dc4c9824aa156bdc9a357260150dbabd0a589c74910b624, where the signature value "6ab57bc9beb4e6558dc4c9824aa156bdc9a357260150dbabd0a589c74910b624" is the exact signature value.
In a specific implementation, after calculating the target signature value, the REST API general processing layer can compare the target signature value with the exact signature value contained in the signature value field; if the two are identical, the access request is trusted and user authentication passes.
In this embodiment, the authentication type field, the message header declaration field and the signature value field contained in the request parameters are read; the user authentication method corresponding to the access request, which includes the target signature algorithm, is determined according to the authentication type field; the target signature value corresponding to the access request is calculated through the preset object storage gateway function according to the message header declaration field and the target signature algorithm; and user authentication is performed on the access request based on the signature value field and the target signature value. This achieves effective authentication of access requests, prevents malicious access, and safeguards the information security of the Ceph system.
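Steps S201 to S204 can be sketched as a verifier that reads the three fields, rejects a request whose header declaration omits the mandatory headers, recomputes the signature over the declared headers in declared order, and compares in constant time. This is an added example, not code from the patent or from Ceph's rgw: it uses one HMAC-SHA256 over `name:value` lines rather than the full AWS Signature Version 4 key derivation, and the `Authorization` layout, the demo key and all function names are assumptions.

```python
import hashlib
import hmac

# Headers the page says the message header declaration field must carry.
REQUIRED_SIGNED = ("host", "x-amz-content-sha256", "x-amz-date")
DEMO_KEY = b"constructed-demo-secret"  # constructed sample key, not from the page

# Header values taken from the page's example.
SAMPLE_HEADERS = {
    "Host": "10.47.193.31",
    "x-amz-content-sha256": "e3b0c44298fc1c149",
    "X-Amz-Date": "20190426T061340Z",
}


def _lower(headers):
    """HTTP header names are case-insensitive; normalise them once."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def signing_data(signed_names, headers):
    """Join the declared headers, in declared order, as 'name:value' lines."""
    h = _lower(headers)
    return "".join(f"{n}:{h[n]}\n" for n in signed_names).encode()


def compute_signature(key, signed_names, headers):
    """S203: target signature value over the valid signature data."""
    data = signing_data(signed_names, headers)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_authorization(key, signed_names, headers):
    """Client side: build the Authorization value for a request."""
    sig = compute_signature(key, signed_names, headers)
    names = ";".join(signed_names)
    return f"AWS4-HMAC-SHA256 SignedHeaders={names}, Signature={sig}"


def parse_authorization(value):
    """S201: return (auth_type, signed_names, signature), or None if malformed."""
    auth_type, _, rest = value.strip().partition(" ")
    fields = {}
    for part in rest.split(","):
        name, sep, val = part.strip().partition("=")
        if sep:
            fields[name] = val
    if "SignedHeaders" not in fields or "Signature" not in fields:
        return None
    signed = tuple(
        n.strip().lower() for n in fields["SignedHeaders"].split(";") if n.strip()
    )
    return auth_type, signed, fields["Signature"].lower()


def verify_request(headers, key):
    """S201 to S204: True only when the request's signature checks out."""
    h = _lower(headers)
    parsed = parse_authorization(h.get("authorization", ""))
    if parsed is None:
        return False
    auth_type, signed, claimed = parsed
    if auth_type != "AWS4-HMAC-SHA256":           # S202: known method only
        return False
    if any(n not in signed for n in REQUIRED_SIGNED):
        return False                              # mandatory header left unsigned
    if any(n not in h for n in signed):
        return False                              # declared header not in request
    expected = compute_signature(key, signed, h)  # S203
    # S204: constant-time comparison of the two signature values.
    return hmac.compare_digest(expected.encode(), claimed.encode())


def sample_request():
    """Constructed request: the page's header values, signed with DEMO_KEY."""
    req = dict(SAMPLE_HEADERS)
    req["Authorization"] = make_authorization(DEMO_KEY, REQUIRED_SIGNED, req)
    return req


if __name__ == "__main__":
    req = sample_request()
    print("genuine request:", verify_request(req, DEMO_KEY))
    req["X-Amz-Date"] = "20190427T000000Z"
    print("timestamp altered:", verify_request(req, DEMO_KEY))
```
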
Referring to FIG. 4, FIG. 4 is a schematic flowchart of a third embodiment of the object storage-based request processing method of this application.
Based on the foregoing embodiments, in this embodiment, after step S40, the method further includes:
Step S401: If the parameter value is not the preset value, perform data preprocessing on the request parameters to obtain target request parameters;
It should be noted that the data preprocessing in this step may be permission processing of the request parameters. In this embodiment the client (the initiator of the access request) must follow the corresponding access rules, such as bucket access rules or object access rules, when accessing resources or data in the Ceph system. Bucket access rules specify the users who have access permissions on the objects in a bucket and the types of access permissions those users have. Object access rules specify the users who have access permissions on an object and the types of access permissions those users have. For example, one user may have only read permission, while another user may have read and write permission.
Therefore, in this embodiment, if the application program interface operation execution layer in the Ceph system detects that the parameter value corresponding to the local cache field is False, it performs data preprocessing on the request parameters carried in the access request to obtain the target request parameters. Specifically, the identification information corresponding to the initiator of the access request may first be extracted from the request parameters; the corresponding target access rule is then looked up in a preset access rule table according to the identification information, where the preset access rule table stores the correspondence between identification information and access rules; and values are then assigned to the request parameters according to the target access rule to obtain the target request parameters.
The identification information may be any information that can distinguish the initiators of different access requests, such as an Internet Protocol address or a device serial number. The target access rule may be a bucket access rule or an object access rule created in advance; these access rules may be associated with the identification information of the initiator and stored in the preset access rule table.
In a specific implementation, if the application program interface operation execution layer detects that the parameter value is not the preset value, the data or access object required by the access request does not exist in the database corresponding to the Ceph system. To be able to serve the client, the Ceph system first performs the data preprocessing described above on the request parameters to obtain the target request parameters, and then performs the subsequent data-pulling operation based on the target request parameters.
Step S402: Perform permission authentication on the access request based on the target request parameters;
It should be understood that permission authentication means verifying whether the type of permission the client has on the access object (such as read, write, modify or query) is the same, or partly the same, as the permission requested by the access request. If so, permission authentication is judged to have passed.
In a specific implementation, after the application program interface operation execution layer has assigned values to the request parameters according to the target access rule and obtained the target request parameters, it can perform permission authentication on the access request according to the target request parameters. Specifically, it can read the attribute value corresponding to the host field in the target request parameters (usually an Internet Protocol address, IP address), look up the corresponding permission type in a user permission list according to that attribute value, and then match the permission type found against the permission type requested by the access request; if the match succeeds, permission authentication passes, otherwise permission authentication fails.
Step S403: When the permission authentication passes, encapsulate the access request to obtain a data acquisition request;
It should be understood that when permission authentication passes, the access request is able to access the target data held by the Ceph system. However, because the data or access object required by the access request does not exist in the database corresponding to the Ceph system at this point, the access request needs to be re-encapsulated and sent to the rados interface adaptation layer, which reads the data stored in the underlying rados layer and obtains the original data of the access object, such as target data including read_version, write_version, status and size.
Specifically, when the permission authentication passes, the application program interface operation execution layer may obtain the access permission corresponding to the access request; add the access permission to the request parameters as a parameter to be added, to obtain new request parameters; and then replace the original request parameters of the access request with the new request parameters to obtain the data acquisition request.
Step S404: Send the data acquisition request to the interface adaptation layer, so that the interface adaptation layer returns the corresponding target data according to the data acquisition request;
In a specific implementation, the application program interface operation execution layer can send the re-encapsulated data acquisition request to the rados interface adaptation layer, and the rados interface adaptation layer reads the target data stored in the underlying rados layer according to the data acquisition request.
Step S405: Return the target data to the initiator of the access request.
In a specific implementation, after the application program interface operation execution layer has obtained the target data stored in the underlying rados layer, it can return the target data to the initiator of the access request to complete the response to the access request.
In this embodiment, when the parameter value is detected not to be the preset value, data preprocessing is performed on the request parameters to obtain the target request parameters; permission authentication is performed on the access request based on the target request parameters; when the permission authentication passes, the access request is encapsulated to obtain a data acquisition request; the data acquisition request is sent to the interface adaptation layer so that the interface adaptation layer returns the corresponding target data according to the data acquisition request; and the target data is returned to the initiator of the access request. When the target data requested by the access request does not exist in the local storage space, the target data can thus be obtained safely and conveniently, ensuring that the access request is answered.
In addition, an embodiment of this application also proposes a storage medium; the storage medium may be a non-volatile readable storage medium or a volatile readable storage medium.
The storage medium stores computer-readable instructions which, when executed by a processor, implement the steps of the object storage-based request processing method described above.
For the method implemented when the computer-readable instructions are executed, refer to the embodiments of the object storage-based request processing method of this application; it is not described again here.
Referring to FIG. 5, FIG. 5 is a structural block diagram of a first embodiment of the object storage-based request processing apparatus of this application.
As shown in FIG. 5, the object storage-based request processing apparatus proposed in the embodiment of this application includes:
a request parsing module 501, configured to parse a received access request and read request parameters of preset dimensions from the parsing result;
a request authentication module 502, configured to call a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
a parameter acquisition module 503, configured to look up, when the user authentication passes, the local cache field carried in the request header of the access request, and read the parameter value corresponding to the local cache field;
a value detection module 504, configured to detect whether the parameter value is a preset value;
a data acquisition module 505, configured to obtain the target data requested by the access request from the local storage space when the parameter value is the preset value;
the data acquisition module 505 is further configured to calculate the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and to read the historical cyclic redundancy check value corresponding to the target data from the local storage space;
the data acquisition module 505 is further configured to perform a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
the data acquisition module 505 is further configured to return the target data to the initiator of the access request when the check passes.
In this embodiment, when an access request is received, user authentication is first performed on the request; when user authentication passes, the parameter value of the local cache field in the request header is used to determine directly whether the target data accessed by the request is stored locally, and if so the target data is returned directly to the initiator of the access request. The system therefore does not have to fetch and return data from the remote end for every access request it receives, which simplifies the transmission of data over the network and the query and retrieval process on the server side, and reduces the network cost of data acquisition.
Based on the first embodiment of the object storage-based request processing apparatus of this application described above, a second embodiment of the object storage-based request processing apparatus of this application is proposed.
In this embodiment, the request authentication module 502 is further configured to read the authentication type field, the message header declaration field and the signature value field contained in the request parameters; determine the user authentication method corresponding to the access request according to the authentication type field, where the user authentication method includes a target signature algorithm; calculate the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm through a preset object storage gateway function; and perform user authentication on the access request based on the signature value field and the target signature value.
Further, the request authentication module 502 is further configured to call the preset object storage gateway function to extract valid signature data from the request parameters according to the message header declaration field, and to calculate the target signature value corresponding to the access request according to the target signature algorithm and the valid signature data.
Further, the data acquisition module 505 is further configured to perform data preprocessing on the request parameters when the parameter value is not the preset value, to obtain target request parameters; perform permission authentication on the access request based on the target request parameters; when the permission authentication passes, encapsulate the access request to obtain a data acquisition request; send the data acquisition request to the interface adaptation layer, so that the interface adaptation layer returns the corresponding target data according to the data acquisition request; and return the target data to the initiator of the access request.
Further, the data acquisition module 505 is further configured to extract the identification information corresponding to the initiator of the access request from the request parameters;
look up the corresponding target access rule in a preset access rule table according to the identification information, where the preset access rule table stores the correspondence between identification information and access rules; and assign values to the request parameters according to the target access rule to obtain the target request parameters.
Further, the data acquisition module 505 is further configured to obtain the access permission corresponding to the access request when the permission authentication passes; add the access permission to the request parameters as a parameter to be added, to obtain new request parameters; and encapsulate the access request according to the new request parameters to obtain a data acquisition request.
Further, the data acquisition module 505 is further configured to obtain the target data requested by the access request from the local storage space; calculate the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and read the historical cyclic redundancy check value corresponding to the target data from the local storage space; perform a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value; and, when the check passes, return the target data to the initiator of the access request.
For other embodiments or specific implementations of the object storage-based request processing apparatus of this application, refer to the method embodiments above; they are not described again here.

Claims (20)

  1. A request processing method based on object storage, characterized in that the method comprises:
    parsing a received access request, and reading request parameters of preset dimensions from the parsing result;
    calling a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
    when the user authentication is passed, searching for the local cache field carried in the request header of the access request, and reading the parameter value corresponding to the local cache field;
    detecting whether the parameter value is a preset value;
    if so, obtaining the target data requested by the access request from the local storage space;
    calculating the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and reading the historical cyclic redundancy check value corresponding to the target data from the local storage space;
    performing a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
    when the check passes, returning the target data to the initiator of the access request.
  2. The method according to claim 1, wherein the step of calling a preset object storage gateway function based on the request parameters to perform user authentication on the access request comprises:
    reading the authentication type field, the message header declaration field, and the signature value field contained in the request parameters;
    determining the user authentication method corresponding to the access request according to the authentication type field, where the user authentication method includes a target signature algorithm;
    calculating, through the preset object storage gateway function, the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm;
    performing user authentication on the access request based on the signature value field and the target signature value.
  3. The method according to claim 2, wherein the step of calculating, through the preset object storage gateway function, the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm comprises:
    calling the preset object storage gateway function to extract valid signature data from the request parameters according to the message header declaration field;
    calculating the target signature value corresponding to the access request according to the target signature algorithm and the valid signature data.
  4. The method according to claim 1, wherein after the step of detecting whether the parameter value is a preset value, the method further comprises:
    if the parameter value is not the preset value, performing data preprocessing on the request parameters to obtain target request parameters;
    performing permission authentication on the access request based on the target request parameters;
    when the permission authentication is passed, encapsulating the access request to obtain a data acquisition request;
    sending the data acquisition request to the interface adaptation layer, so that the interface adaptation layer returns the corresponding target data according to the data acquisition request;
    returning the target data to the initiator of the access request.
  5. The method according to claim 4, wherein the step of performing data preprocessing on the request parameters to obtain target request parameters comprises:
    extracting, from the request parameters, the identification information corresponding to the initiator of the access request;
    looking up the corresponding target access rule in a preset access rule table according to the identification information, where the preset access rule table stores the correspondence between identification information and access rules;
    assigning values to the request parameters according to the target access rule to obtain the target request parameters.
  6. The method according to claim 4, wherein the step of encapsulating the access request to obtain a data acquisition request when the permission authentication is passed comprises:
    when the permission authentication is passed, obtaining the access permission corresponding to the access request;
    adding the access permission to the request parameters as a parameter to be added, to obtain new request parameters;
    encapsulating the access request according to the new request parameters to obtain a data acquisition request.
  7. A request processing apparatus based on object storage, characterized in that the apparatus comprises:
    a request parsing module, configured to parse a received access request and read request parameters of preset dimensions from the parsing result;
    a request authentication module, configured to call a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
    a parameter acquisition module, configured to search for the local cache field carried in the request header of the access request when the user authentication is passed, and read the parameter value corresponding to the local cache field;
    a value detection module, configured to detect whether the parameter value is a preset value;
    a data acquisition module, configured to obtain the target data requested by the access request from the local storage space when the parameter value is the preset value;
    the data acquisition module being further configured to calculate the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and read the historical cyclic redundancy check value corresponding to the target data from the local storage space;
    the data acquisition module being further configured to perform a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
    the data acquisition module being further configured to return the target data to the initiator of the access request when the check passes.
  8. The apparatus according to claim 7, wherein the request authentication module is further configured to read the authentication type field, the message header declaration field, and the signature value field contained in the request parameters; determine the user authentication method corresponding to the access request according to the authentication type field, where the user authentication method includes a target signature algorithm; calculate, through the preset object storage gateway function, the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm; and perform user authentication on the access request based on the signature value field and the target signature value.
  9. The apparatus according to claim 8, wherein the request authentication module is further configured to call the preset object storage gateway function to extract valid signature data from the request parameters according to the message header declaration field; and calculate the target signature value corresponding to the access request according to the target signature algorithm and the valid signature data.
  10. The apparatus according to claim 7, wherein the data acquisition module is further configured to perform data preprocessing on the request parameters when the parameter value is not the preset value, to obtain target request parameters; perform permission authentication on the access request based on the target request parameters; when the permission authentication is passed, encapsulate the access request to obtain a data acquisition request; send the data acquisition request to the interface adaptation layer, so that the interface adaptation layer returns the corresponding target data according to the data acquisition request; and return the target data to the initiator of the access request.
  11. The apparatus according to claim 10, wherein the data acquisition module is further configured to extract, from the request parameters, the identification information corresponding to the initiator of the access request; look up the corresponding target access rule in a preset access rule table according to the identification information, where the preset access rule table stores the correspondence between identification information and access rules; and assign values to the request parameters according to the target access rule to obtain the target request parameters.
  12. The apparatus according to claim 10, wherein the data acquisition module is further configured to obtain the access permission corresponding to the access request when the permission authentication is passed; add the access permission to the request parameters as a parameter to be added, to obtain new request parameters; and encapsulate the access request according to the new request parameters to obtain a data acquisition request.
  13. A request processing device based on object storage, characterized in that the device comprises: a memory, a processor, and computer-readable instructions stored in the memory and executable on the processor, where the computer-readable instructions, when executed by the processor, cause the processor to perform the following steps:
    parsing a received access request, and reading request parameters of preset dimensions from the parsing result;
    calling a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
    when the user authentication is passed, searching for the local cache field carried in the request header of the access request, and reading the parameter value corresponding to the local cache field;
    detecting whether the parameter value is a preset value;
    if so, obtaining the target data requested by the access request from the local storage space;
    calculating the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and reading the historical cyclic redundancy check value corresponding to the target data from the local storage space;
    performing a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
    when the check passes, returning the target data to the initiator of the access request.
  14. The device according to claim 13, wherein the step of calling a preset object storage gateway function based on the request parameters to perform user authentication on the access request comprises:
    reading the authentication type field, the message header declaration field, and the signature value field contained in the request parameters;
    determining the user authentication method corresponding to the access request according to the authentication type field, where the user authentication method includes a target signature algorithm;
    calculating, through the preset object storage gateway function, the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm;
    performing user authentication on the access request based on the signature value field and the target signature value.
  15. The device according to claim 14, wherein the step of calculating, through the preset object storage gateway function, the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm comprises:
    calling the preset object storage gateway function to extract valid signature data from the request parameters according to the message header declaration field;
    calculating the target signature value corresponding to the access request according to the target signature algorithm and the valid signature data.
  16. The device according to claim 13, wherein after the step of detecting whether the parameter value is a preset value, the method further comprises:
    if the parameter value is not the preset value, performing data preprocessing on the request parameters to obtain target request parameters;
    performing permission authentication on the access request based on the target request parameters;
    when the permission authentication is passed, encapsulating the access request to obtain a data acquisition request;
    sending the data acquisition request to the interface adaptation layer, so that the interface adaptation layer returns the corresponding target data according to the data acquisition request;
    returning the target data to the initiator of the access request.
  17. The device according to claim 16, wherein the step of performing data preprocessing on the request parameters to obtain target request parameters comprises:
    extracting, from the request parameters, the identification information corresponding to the initiator of the access request;
    looking up the corresponding target access rule in a preset access rule table according to the identification information, where the preset access rule table stores the correspondence between identification information and access rules;
    assigning values to the request parameters according to the target access rule to obtain the target request parameters.
  18. A storage medium, characterized in that computer-readable instructions are stored on the storage medium, and the computer-readable instructions, when executed by a processor, cause the processor to perform the following steps:
    parsing a received access request, and reading request parameters of preset dimensions from the parsing result;
    calling a preset object storage gateway function based on the request parameters to perform user authentication on the access request;
    when the user authentication is passed, searching for the local cache field carried in the request header of the access request, and reading the parameter value corresponding to the local cache field;
    detecting whether the parameter value is a preset value;
    if so, obtaining the target data requested by the access request from the local storage space;
    calculating the current cyclic redundancy check value of the target data using a cyclic redundancy check algorithm, and reading the historical cyclic redundancy check value corresponding to the target data from the local storage space;
    performing a data integrity check on the target data according to the current cyclic redundancy check value and the historical cyclic redundancy check value;
    when the check passes, returning the target data to the initiator of the access request.
  19. The storage medium according to claim 18, wherein the step of calling a preset object storage gateway function based on the request parameters to perform user authentication on the access request comprises:
    reading the authentication type field, the message header declaration field, and the signature value field contained in the request parameters;
    determining the user authentication method corresponding to the access request according to the authentication type field, where the user authentication method includes a target signature algorithm;
    calculating, through the preset object storage gateway function, the target signature value corresponding to the access request according to the message header declaration field and the target signature algorithm;
    performing user authentication on the access request based on the signature value field and the target signature value.
  20. The storage medium according to claim 18, wherein after the step of detecting whether the parameter value is a preset value, the method further comprises:
    if the parameter value is not the preset value, performing data preprocessing on the request parameters to obtain target request parameters;
    performing permission authentication on the access request based on the target request parameters;
    when the permission authentication is passed, encapsulating the access request to obtain a data acquisition request;
    sending the data acquisition request to the interface adaptation layer, so that the interface adaptation layer returns the corresponding target data according to the data acquisition request;
    returning the target data to the initiator of the access request.
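
The request flow of claims 1 to 3 (signature-based user authentication, the local cache field check, and the CRC comparison before returning cached data), sketched as an added example that is not code from the patent or the applicant. The header name `x-local-cache`, the preset value `1`, the `Authorization` layout, HMAC-SHA256 as the target signature algorithm, CRC-32 from `zlib`, and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import hmac
import zlib

# Everything below is constructed sample data and assumed naming, not from the patent.
SECRETS = {"AKEXAMPLE": b"constructed-secret"}   # access key -> shared secret
ALGORITHMS = {"HMAC-SHA256": hashlib.sha256}     # authentication type -> signature algorithm
LOCAL_CACHE_HEADER = "x-local-cache"             # assumed name of the local cache field
PRESET_VALUE = "1"                               # assumed preset value
SAMPLE_BODY = b"hello object storage"
LOCAL_STORE = {"/bucket/report.txt": {"data": SAMPLE_BODY, "crc": zlib.crc32(SAMPLE_BODY)}}


def parse_request(request):
    """Read the authentication type, header declaration and signature value fields."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    auth_type, _, rest = headers.get("authorization", "").partition(" ")
    fields = dict(p.strip().split("=", 1) for p in rest.split(",") if "=" in p)
    return {
        "auth_type": auth_type,
        "access_key": fields.get("Credential", ""),
        "signed_headers": [h for h in fields.get("SignedHeaders", "").split(";") if h],
        "signature": fields.get("Signature", ""),
        "headers": headers,
    }


def valid_signature_data(request, params):
    """Keep only what the header declaration field names, in a canonical order."""
    lines = [request["method"], request["path"]]
    for name in sorted(params["signed_headers"]):
        lines.append(f"{name}:{params['headers'].get(name, '').strip()}")
    return "\n".join(lines).encode()


def compute_signature(secret, digest, data):
    return hmac.new(secret, data, digest).hexdigest()


def authenticate(request, params):
    """Recompute the target signature value and compare it with the supplied one."""
    digest = ALGORITHMS.get(params["auth_type"])
    secret = SECRETS.get(params["access_key"])
    if digest is None or secret is None:
        return False                             # unknown algorithm or credential
    expected = compute_signature(secret, digest, valid_signature_data(request, params))
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), params["signature"].encode())


def handle_request(request):
    """Return (outcome, data) for one access request."""
    params = parse_request(request)
    if not authenticate(request, params):
        return "denied", None
    if params["headers"].get(LOCAL_CACHE_HEADER) != PRESET_VALUE:
        return "forward", None                   # claim 4 path: go to the adaptation layer
    entry = LOCAL_STORE.get(request["path"])
    if entry is None:
        return "miss", None
    if zlib.crc32(entry["data"]) != entry["crc"]:
        return "corrupt", None                   # current CRC differs from the stored CRC
    return "ok", entry["data"]


def sign_request(method, path, headers, access_key, auth_type="HMAC-SHA256"):
    """Client side of the exchange: attach the three authentication fields."""
    request = {"method": method, "path": path, "headers": dict(headers)}
    params = {"signed_headers": sorted(h.lower() for h in headers),
              "headers": {k.lower(): v for k, v in headers.items()}}
    sig = compute_signature(SECRETS[access_key], ALGORITHMS[auth_type],
                            valid_signature_data(request, params))
    request["headers"]["Authorization"] = (
        f"{auth_type} Credential={access_key},"
        f"SignedHeaders={';'.join(params['signed_headers'])},Signature={sig}")
    return request


if __name__ == "__main__":
    hdrs = {"Host": "oss.example.internal", "X-Local-Cache": "1"}
    print(handle_request(sign_request("GET", "/bucket/report.txt", hdrs, "AKEXAMPLE")))
```

A CRC catches accidental corruption of the cached copy only; it is not keyed, so it does not by itself detect deliberate modification by someone who can write both the data and its stored check value in the local storage space.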
PCT/CN2019/118550 2019-10-16 2019-11-14 Object storage-based request processing method, apparatus and device, and storage medium WO2021072881A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910985628.4 2019-10-16
CN201910985628.4A CN110888838B (en) 2019-10-16 2019-10-16 Request processing method, device, equipment and storage medium based on object storage

Publications (1)

Publication Number Publication Date
WO2021072881A1 true WO2021072881A1 (en) 2021-04-22

Family

ID=69746247

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/118550 WO2021072881A1 (en) 2019-10-16 2019-11-14 Object storage-based request processing method, apparatus and device, and storage medium

Country Status (2)

Country Link
CN (1) CN110888838B (en)
WO (1) WO2021072881A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660096A (en) * 2021-08-11 2021-11-16 挂号网(杭州)科技有限公司 Request signature method and device, electronic equipment and storage medium
CN113973139A (en) * 2021-10-20 2022-01-25 北京沃东天骏信息技术有限公司 Message processing method and device
US20220100878A1 (en) * 2020-09-25 2022-03-31 EMC IP Holding Company LLC Facilitating an object protocol based access of data within a multiprotocol environment
CN116032652A (en) * 2023-01-31 2023-04-28 湖南创亿达实业发展有限公司 Gateway authentication method and system based on intelligent interactive touch panel

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835523B (en) * 2020-05-25 2023-05-30 北京齐尔布莱特科技有限公司 Data request method, system and computing device
CN114489486B (en) * 2021-12-28 2023-07-14 无锡宇宁智能科技有限公司 Industry data long storage method, equipment and storage medium
CN114428591A (en) * 2022-01-27 2022-05-03 北京海纳川汽车部件股份有限公司 Data storage method, reading method and device for vehicle-mounted gateway

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150067001A1 (en) * 2013-08-30 2015-03-05 International Business Machines Corporation Cache management in a computerized system
CN107807792A (en) * 2017-10-27 2018-03-16 郑州云海信息技术有限公司 A kind of data processing method and relevant apparatus based on copy storage system
CN108710639A (en) * 2018-04-17 2018-10-26 桂林电子科技大学 A kind of mass small documents access optimization method based on Ceph
CN108833369A (en) * 2018-05-28 2018-11-16 郑州云海信息技术有限公司 A kind of method, device and equipment accessing file system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110232292A (en) * 2019-05-06 2019-09-13 平安科技(深圳)有限公司 Data access authority authentication method, server and storage medium

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220100878A1 (en) * 2020-09-25 2022-03-31 EMC IP Holding Company LLC Facilitating an object protocol based access of data within a multiprotocol environment
US11928228B2 (en) * 2020-09-25 2024-03-12 EMC IP Holding Company LLC Facilitating an object protocol based access of data within a multiprotocol environment
CN113660096A (en) * 2021-08-11 2021-11-16 挂号网(杭州)科技有限公司 Request signature method and device, electronic equipment and storage medium
CN113973139A (en) * 2021-10-20 2022-01-25 北京沃东天骏信息技术有限公司 Message processing method and device
CN116032652A (en) * 2023-01-31 2023-04-28 湖南创亿达实业发展有限公司 Gateway authentication method and system based on intelligent interactive touch panel
CN116032652B (en) * 2023-01-31 2023-08-25 湖南创亿达实业发展有限公司 Gateway authentication method and system based on intelligent interactive touch panel

Also Published As

Publication number Publication date
CN110888838A (en) 2020-03-17
CN110888838B (en) 2024-03-08

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19949013

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19949013

Country of ref document: EP

Kind code of ref document: A1