CN104182503A - Cloud platform data access safety isolation method - Google Patents


Info

Publication number
CN104182503A
Authority
CN
China
Prior art keywords
node
authority
data
leaf node
cloud platform
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410406589.5A
Other languages
Chinese (zh)
Inventor
顾永立
高念高
王战英
须秋梦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Triman Information & Technology Co Ltd
Original Assignee
Shanghai Triman Information & Technology Co Ltd
Application filed by Shanghai Triman Information & Technology Co Ltd
Priority to CN201410406589.5A
Publication of CN104182503A
Legal status: Pending

Classifications

    • G06F16/2453 Query optimisation (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 ... of structured data, e.g. relational data > G06F16/24 Querying > G06F16/245 Query processing)
    • G06F16/2246 Trees, e.g. B+trees (G06F16/20 ... of structured data > G06F16/22 Indexing; Data structures therefor; Storage structures > G06F16/2228 Indexing structures)
    • G06F16/24537 Query rewriting; Transformation of operators (G06F16/2453 Query optimisation > G06F16/24534 Query rewriting; Transformation)
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/02 Protocols based on web technology)
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP] (H04L67/01 Protocols)
    • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet (H04L67/01 Protocols)

Abstract

The invention discloses a cloud platform data access safety isolation method. The method includes the following steps: 1, creating an access-right tree of all users according to different user levels, wherein the access-right tree is of a one-way pointer multilayer tree structure, users with high access rights are positioned on root nodes on low layers, and users with low access rights are positioned on leaf nodes on upper layers; 2, creating different inquiry sentences for the nodes on different layers, wherein the inquiry sentences of the root nodes can downwards inquire data of the leaf nodes at the same time, and the inquiry sentences of the leaf nodes cannot upwards inquire data of the root nodes and cannot inquire data of the nodes on same layers. By adopting the technical scheme, access-right management can be customized for graded administrative departments, so that safety isolation under different access rights during data access is realized better.

Description

Cloud platform data access security partition method
Technical field
The present invention relates to data access methods, and more particularly to a cloud platform data access security isolation method.
Background technology
The most critical problems for the supporting platform of a cloud architecture are the virtualization of computing and storage resources, the allocation and invocation of virtual resources, and the balancing of the distributed computation. With the development of modern information technology, many manufacturers now develop large numbers of cloud computing and virtualization products, including network equipment, servers, storage devices and software products, but these products do not necessarily meet the needs of real applications, and manufacturers tend to exaggerate the capabilities of their "cloud computing products" in the market.
In addition, for multi-level, multi-user usage scenarios, existing cloud computing offers various means of security isolation at data access, but some special settings, for example hierarchical administrative departments, require data isolation schemes with different rights to be customized for each grade, and the prior art is imperfect in authority isolation.
Summary of the invention
The object of the present invention is to provide a cloud platform data access security isolation method that solves the problem of incomplete authority and access-security isolation in prior-art data access platforms.
According to the present invention, a cloud platform data access security isolation method is provided, comprising the following steps. Step 1: according to the different user grades, set up an authority tree of all users, where the authority tree is a multilayer tree structure of one-way pointers, users with larger authority are positioned on root nodes of the lower layers, and users with smaller authority are positioned on leaf nodes of the upper layers. Step 2: set up different query statements for the nodes of different layers, such that the query statement of a root node can also query the data of its leaf nodes downward, but the query statement of a leaf node can neither query the data of a root node upward nor query the data of nodes on the same layer.
According to one embodiment of the invention, the method further comprises Step 3: each root node stores the pointers of the leaf nodes belonging to it.
According to one embodiment of the invention, the cloud data include an authority model, and the authority model includes the shortest path from any root node to a leaf node.
According to one embodiment of the invention, each bottom-level leaf node corresponds to a database with a concrete physical location.
According to one embodiment of the invention, a root node contains pointers that point directly to the leaf nodes belonging to it, and the pointed-to data are read and written.
According to one embodiment of the invention, the user of a root node has authority to read and write the data of its leaf nodes, and a leaf node user has no authority to read or write the data of a root node.
By adopting the technical scheme of the present invention, authority management can be customized for administrative departments with ranks, so that security isolation under different access rights during data access is better realized.
Accompanying drawing explanation
In the present invention, identical reference numerals always represent identical features, wherein:
Fig. 1 is a schematic diagram of the authority tree structure of the cloud platform data access security isolation method of the present invention.
Embodiment
The technical scheme of the present invention is further illustrated below with reference to the drawings and embodiments.
For the requirements of administrative departments with ranks, an information-resource management cloud application platform has a large number of users carrying out different business operations on one platform at the same time, so the cloud application platform needs to run various application programs. Because of the particular nature of administrative business, users are required to operate independently, and no crossing of each user's data and computation may occur.
Therefore, to meet the isolation-security requirements of the above applications and end users, the present invention proposes a one-way pointer, layered user isolation technique based on directory mapping. This directory mapping method organizes directories in a tree structure of one-way pointers. A user's access rights to the system depend on that user's position in the authority tree: an upper-layer directory node can obtain the pointers of its lower-layer nodes, a lower-layer node is not allowed to access its upper-layer node in reverse, and nodes on the same layer cannot access each other. Only the root directory of the file system has the highest file access authority; an application holding root directory authority possesses the authority to access all files in the system, but for the security of system data, the system root directory authority is generally not assigned to any application.
According to the above principle, the cloud platform data access security isolation method of the present invention comprises the following steps:
Step 1: according to the different user grades, set up an authority tree of all users. The authority tree is a multilayer tree structure of one-way pointers; users with larger authority are positioned on root nodes of the lower layers, and users with smaller authority are positioned on leaf nodes of the upper layers.
Step 2: set up different query statements for the nodes of different layers. The query statement of a root node can also query the data of its leaf nodes downward, but the query statement of a leaf node can neither query the data of a root node upward nor query the data of nodes on the same layer.
Setting different statements is the key feature that works together with the authority tree structure of the present invention. Taking Fig. 1 as an example, suppose the query statement of node 2 is (2#)+(concrete query statement) and the query statement of node 4 is (4#)+(concrete query statement). In other words, the present invention adds a prefix before the ordinary query statement; this prefix is related to the position of the node in the authority tree, so that the same statement, when used by users with different rights, can produce different query results.
Step 3: each root node stores the pointers of the leaf nodes belonging to it. A root node contains pointers that point directly to the leaf nodes belonging to it, the pointed-to data are read and written, the user of a root node has authority to read and write the data of its leaf nodes, and a leaf node user has no authority to read or write the data of a root node.
Taking Fig. 1 as an example, node 1 is the root node; nodes 2 and 3 are leaf nodes of node 1; node 2 has leaf nodes 4 and 5; node 3 has leaf node 6; node 4 has leaf nodes 7 and 8; nodes 5 and 6 have a common leaf node 9; and node 6 also has its own leaf node 10.
In terms of access rights, node 1 has authority to access all other nodes; node 2 has authority to access nodes 4, 5, 7, 8 and 9; node 3 has authority to access nodes 6, 9 and 10; but neither node 2 nor node 3 can access node 1. The access rights of the other nodes follow by analogy.
In the above structure, all intermediate nodes have the character of files: they store only the pointers to next-level directories or leaf nodes, not the concrete storage mode and position of the stored file in the distributed file system. Only the data structure of a leaf node stores the concrete storage location and mode of a given file; in other words, each bottom-level leaf node corresponds to a database with a concrete physical location.
In this case, an application performing data access can obtain the storage information of the data only by following the one-way pointers from the directory layer at which its authority is located down to a leaf node. This file directory organization scheme effectively realizes the isolation of user data. The isolation is accomplished by the one-way nature of the directory mapping and does not isolate the physical storage location of the data, so the data of different applications need no isolation measures at the physical storage location.
In addition, the cloud data include an authority model, and the authority model includes the shortest path from any root node to a leaf node. This pattern also makes it convenient for each application to create its own file isolation: once an application is assigned to a certain directory layer, its subordinate directories can be freely created by the application itself and assigned to different sub-applications, and because of the one-way nature of the directory pointers, a sub-application in a subordinate directory cannot go beyond the directory structure of that application.
For example, a personnel enquiry application is assigned an empty directory layer in the cloud system as the root directory of that application. By the one-way pointer principle, this directory has no permission to access the directory of any other application in the cloud system, and the owner of the application's root directory only has authority to create and access entries within that directory. Because the application needs to create storage space for each user, it creates many sub-directories under its own directory layer; the sub-directories cannot access each other, so data is also isolated between different users, but the application's root directory can control and manage all sub-directories. An application sub-directory can also create its own next-level directories or leaf nodes as needed; only at a leaf node is the true storage position of a file in the system actually kept.
Those of ordinary skill in the art will appreciate that the above description is only one or more of the numerous embodiments of the present invention and is not intended to limit the invention. Any equivalent variation, modification or equivalent substitution of the above embodiments, as long as it falls within the spirit of the invention, falls within the scope protected by the claims of the present invention.
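The following is an added worked example, not code from the patent or from Shanghai Triman Information & Technology Co Ltd. It models the Fig. 1 authority tree of Steps 1 to 3 as a one-way pointer structure (parent holds child pointers, no child-to-parent link), derives the access sets the description gives for nodes 1, 2 and 3, builds the node-position query prefix of Step 2, computes the shortest root-to-leaf path of the authority model, and shows a directory owner creating a sub-directory that cannot see its siblings or parents, as in the personnel enquiry example. The `LEAF_STORAGE` locations, the function names and the query text are constructed assumptions; the patent specifies none of them.

```python
"""Added example: one-way pointer authority tree from Fig. 1 (not the patent's own code)."""
from collections import deque

# Fig. 1 of the patent: parent node -> list of leaf-side child nodes.
# Pointers exist only in this direction; there is deliberately no child -> parent link.
FIG1_TREE = {
    1: [2, 3],
    2: [4, 5],
    3: [6],
    4: [7, 8],
    5: [9],
    6: [9, 10],
    7: [], 8: [], 9: [], 10: [],
}

# Constructed assumption: bottom-level leaf nodes map to a physical store (claim 4).
LEAF_STORAGE = {7: "db://shard-a", 8: "db://shard-b", 9: "db://shard-c", 10: "db://shard-d"}


def reachable(tree, node):
    """Nodes a user at `node` may access: everything below it via one-way pointers.
    Because pointers only go downward, nothing above or beside `node` is ever reached."""
    seen, stack = set(), list(tree[node])
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(tree[n])
    return seen


def can_access(tree, requester, target):
    """Step 2/3 rule: a node may touch its own data and any descendant's data, nothing else."""
    return requester == target or target in reachable(tree, requester)


def prefixed_query(node, query):
    """Step 2: the same query text receives a node-position prefix, e.g. '(2#)+(...)'."""
    return f"({node}#)+({query})"


def run_query(tree, node, query):
    """Evaluate a prefixed query: it is scoped to the bottom leaf nodes the requester reaches,
    so the same query text yields different results for users at different positions."""
    scope = reachable(tree, node) | {node}
    scoped = {n: LEAF_STORAGE[n] for n in scope if n in LEAF_STORAGE}
    return prefixed_query(node, query), scoped


def shortest_path(tree, root, leaf):
    """Authority model (claim 3): shortest path from a root node down to a leaf, by BFS.
    Returns None when the leaf is not below the root, i.e. the path is not permitted."""
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == leaf:
            return path
        for child in tree[path[-1]]:
            queue.append(path + [child])
    return None


def create_subdirectory(tree, parent, new_node):
    """An application that owns a directory layer creates a sub-directory under it.
    Only a downward pointer is added, so the new node sees nothing above or beside itself."""
    if new_node in tree:
        raise ValueError(f"node {new_node} already exists")
    tree[new_node] = []
    tree[parent].append(new_node)
    return new_node


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"node {n} may access {sorted(reachable(FIG1_TREE, n))}")
    print(run_query(FIG1_TREE, 2, "SELECT * FROM files"))
    print(shortest_path(FIG1_TREE, 1, 9), shortest_path(FIG1_TREE, 2, 10))
```

Node 2's reachable set comes out as {4, 5, 7, 8, 9} and node 3's as {6, 9, 10}, matching the description, and no call from node 2 or 3 ever reaches node 1 because the tree simply has no pointer in that direction. Note that node 9 is reachable from both node 5 and node 6, so isolation is enforced per path, not per physical store: two sibling branches may legitimately share a leaf, exactly as Fig. 1 draws it.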

Claims (6)

1. A cloud platform data access security isolation method, characterized in that it comprises the following steps:
Step 1: according to the different user grades, set up an authority tree of all users;
wherein said authority tree is a multilayer tree structure of one-way pointers, users with larger authority are positioned on root nodes of the lower layers, and users with smaller authority are positioned on leaf nodes of the upper layers;
Step 2: set up different query statements for the nodes of different layers, such that the query statement of a root node can also query the data of its leaf nodes downward, but the query statement of a leaf node can neither query the data of a root node upward nor query the data of nodes on the same layer.
2. The cloud platform data access security isolation method as claimed in claim 1, characterized in that it further comprises:
Step 3: each said root node stores the pointers of the leaf nodes belonging to it.
3. The cloud platform data access security isolation method as claimed in claim 2, characterized in that said cloud data include an authority model, and said authority model includes the shortest path from any root node to a leaf node.
4. The cloud platform data access security isolation method as claimed in claim 2, characterized in that each said bottom-level leaf node corresponds to a database with a concrete physical location.
5. The cloud platform data access security isolation method as claimed in claim 2, characterized in that said root node contains pointers that point directly to the leaf nodes belonging to it, and the data pointed to by said pointers are read and written.
6. The cloud platform data access security isolation method as claimed in claim 5, characterized in that the user of said root node has authority to read and write the data of its leaf nodes, and said leaf node user has no authority to read or write the data of a root node.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410406589.5A CN104182503A (en) 2014-08-18 2014-08-18 Cloud platform data access safety isolation method

Publications (1)

Publication Number Publication Date
CN104182503A true CN104182503A (en) 2014-12-03

Family

ID=51963542

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410406589.5A Pending CN104182503A (en) 2014-08-18 2014-08-18 Cloud platform data access safety isolation method

Country Status (1)

Country Link
CN (1) CN104182503A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6219667B1 (en) * 1998-05-28 2001-04-17 International Business Machines Corporation Efficient large-scale access control for internet/intranet information systems
US20080288532A1 (en) * 2003-03-31 2008-11-20 Maurice Aboukrat Computer Device for Managing Documents in Multi-User Mode
CN101325481A (en) * 2008-07-29 2008-12-17 成都卫士通信息产业股份有限公司 Grouping authorization control method
CN101938497A (en) * 2010-09-26 2011-01-05 深圳大学 Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105653982A (en) * 2015-12-31 2016-06-08 中国建设银行股份有限公司 Method and system used for data permission control
CN108090083A (en) * 2016-11-23 2018-05-29 北京国双科技有限公司 A kind of menu queries method and server
CN109246079A (en) * 2018-08-02 2019-01-18 网易乐得科技有限公司 Right management method, system, medium and electronic equipment
CN109246079B (en) * 2018-08-02 2021-09-24 网易乐得科技有限公司 Authority management method, system, medium and electronic device
CN109802858A (en) * 2019-01-14 2019-05-24 北京纷扬科技有限责任公司 Data management system and method
CN111027091A (en) * 2019-11-13 2020-04-17 北京字节跳动网络技术有限公司 Method, device, medium and electronic equipment for managing authority
CN111027091B (en) * 2019-11-13 2022-04-22 北京字节跳动网络技术有限公司 Method, device, medium and electronic equipment for managing authority

Similar Documents

Publication Publication Date Title
US20200334373A1 (en) Nested namespaces for selective content sharing
CN103902632B (en) The method, apparatus and electronic equipment of file system are built in key assignments storage system
US9003477B2 (en) Model for managing hosted resources using logical scopes
CN104182503A (en) Cloud platform data access safety isolation method
US9589016B2 (en) Materialized query tables with shared data
US20130238557A1 (en) Managing tenant-specific data sets in a multi-tenant environment
CN104123359A (en) Resource management method of distributed object storage system
US8578460B2 (en) Automating cloud service reconnections
US20180060382A1 (en) Managing multiple locks for data set members in a data set index
US10242014B2 (en) Filesystem with isolated independent filesets
US20200050583A1 (en) Storing and retrieving restricted datasets to and from a cloud network with non-restricted datasets
CN107147728A (en) A kind of management method of object storage system multi-tenant
US10754971B2 (en) Referenced access control list
US11675927B2 (en) System and method for external users in groups of a multitenant system
US20100125893A1 (en) Techniques for enforcing access rights during directory access
JP6578356B2 (en) Access control for objects with attributes defined for a hierarchically organized domain containing a fixed number of values
CN106874357A (en) A kind of Resources Customization method and apparatus of Web applications
US20220067180A1 (en) Security policy management for database
CN102609448A (en) Multi-user-version hierarchical document mapping method
CN109150964A (en) A kind of transportable data managing method and services migrating method
WO2021094885A1 (en) Intelligent data pool
CN103870548A (en) Access control method of spatial database
US20160034700A1 (en) Search permissions within hierarchically associated data
CN103793635A (en) Multi-level menu permission establishing method
US20130067269A1 (en) Object based storage system and method of operating thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20141203