CN104182503A - Cloud platform data access safety isolation method - Google Patents
- Publication number
- CN104182503A (application CN201410406589.5A)
- Authority
- CN
- China
- Prior art keywords
- node
- authority
- data
- leaf node
- cloud platform
- Prior art date
- Legal status
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2453—Query optimisation
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/22—Indexing; Data structures therefor; Storage structures
- G06F16/2228—Indexing structures
- G06F16/2246—Trees, e.g. B+trees
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2453—Query optimisation
- G06F16/24534—Query rewriting; Transformation
- G06F16/24537—Query rewriting; Transformation of operators
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/025—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/08—Protocols specially adapted for terminal emulation, e.g. Telnet
Abstract
The invention discloses a cloud platform data access security isolation method. The method includes the following steps: 1, creating an access-right tree of all users according to their different user levels, wherein the access-right tree is a one-way pointer multilayer tree structure, users with high access rights are positioned at root nodes on the low layers, and users with low access rights are positioned at leaf nodes on the upper layers; 2, creating different query statements for the nodes on different layers, wherein the query statements of root nodes can also query the data of their leaf nodes downwards, while the query statements of leaf nodes cannot query the data of the root nodes upwards and cannot query the data of nodes on the same layer. By adopting this technical scheme, access-right management can be customized for graded administrative departments, so that security isolation between different access rights during data access is better realized.
Description
Technical field
The present invention relates to a data access method, and more particularly to a cloud platform data access security isolation method.
Background technology
The key problems of the support platform under a cloud architecture are the virtualization of computing and storage resources, and the allocation, invocation and load balancing of those virtual resources. With the development of modern information technology, many vendors now develop large numbers of cloud computing and virtualization products, including network equipment, servers, storage devices and software, but these products do not necessarily meet the needs of the various applications, and vendors tend to overstate what their cloud computing products can do.
In addition, for multi-level, multi-user usage scenarios, existing cloud computing offers various means of security isolation for data access. In some special settings, however, such as hierarchical administrative departments, data isolation schemes with different permissions must be customized for the different ranks, and the prior art is incomplete in terms of permission isolation.
Summary of the invention
The object of the present invention is to provide a cloud platform data access security isolation method that solves the problem of incomplete permission and access security isolation in prior-art data access platforms.
According to the present invention, a cloud platform data access security isolation method is provided, comprising the following steps. Step 1: build a permission tree of all users according to their different user ranks; the permission tree is a one-way pointer multilayer tree structure in which users with greater permissions are placed at root nodes in the lower layers and users with smaller permissions are placed at leaf nodes in the upper layers. Step 2: set up different query statements for the nodes of different layers, such that the query statement of a root node can also query the data of its leaf nodes downwards, whereas the query statement of a leaf node can neither query the data of the root node upwards nor query the data of nodes in the same layer.
According to one embodiment of the invention, the method further comprises Step 3: each root node stores pointers to the leaf nodes that belong to it.
According to one embodiment of the invention, the cloud data comprise a permission model, and the permission model comprises the shortest path from any root node to a leaf node.
According to one embodiment of the invention, each bottom-level leaf node corresponds to a database with a concrete physical location.
According to one embodiment of the invention, a root node comprises pointers that point directly to the leaf nodes that belong to it, and data are read and written through those pointers.
According to one embodiment of the invention, the user of a root node has permission to read and write the data of its leaf nodes, whereas a leaf node user has no permission to read or write the data of the root node.
With the technical scheme of the present invention, permission management can be customized for administrative departments with ranks, so that security isolation between different permissions during data access is better achieved.
Accompanying drawing explanation
In the present invention, the same reference numerals always denote the same features, wherein:
Fig. 1 is a schematic diagram of the permission tree structure of the cloud platform data access security isolation method of the present invention.
Embodiment
The technical scheme of the present invention is further described below in conjunction with the drawings and embodiments.
To meet the needs of administrative departments with ranks, an information resource management cloud application platform has a large number of users carrying out different business operations on one platform at the same time, so the cloud application platform must run a variety of application programs. Because of the particular nature of administrative business, users are required to operate independently, and no crossing of their respective data and computation may occur.
Therefore, to meet the above application requirements and the isolation security of end users, the present invention proposes a one-way pointer hierarchical user isolation technique based on directory mapping. The directory mapping method is organized as a tree structure of one-way pointers, and a user's access rights to the system depend on that user's position in the permission tree: an upper-layer directory node (the parent) can obtain the pointers of its lower-layer (child) nodes, a lower-layer node is not allowed to access its upper-layer node in reverse, and nodes in the same layer cannot access one another. Only the root directory of the file system has the highest file access permission; an application holding root directory permission has permission to access all files in the system, but for the security of system data the root directory permission of the system is generally not assigned to any application.
According to the above principle, the cloud platform data access security isolation method of the present invention comprises the following steps:
Step 1: build a permission tree of all users according to their different user ranks. The permission tree is a one-way pointer multilayer tree structure in which users with greater permissions are placed at root nodes in the lower layers and users with smaller permissions are placed at leaf nodes in the upper layers.
Step 2: set up different query statements for the nodes of different layers, such that the query statement of a root node can also query the data of its leaf nodes downwards, whereas the query statement of a leaf node can neither query the data of the root node upwards nor query the data of nodes in the same layer.
Setting different statements is the key feature that works together with the permission tree structure of the present invention. Taking Fig. 1 as an example, suppose the query statement of node 2 is (2#)+(concrete query statement) and the query statement of node 4 is (4#)+(concrete query statement). In other words, the present invention adds a prefix before the ordinary query statement, and this prefix is tied to the position of the node in the permission tree, so that when the same statement is used by users with different permissions it can produce different query results.
Step 3: each root node stores pointers to the leaf nodes that belong to it. A root node comprises pointers that point directly to its leaf nodes, data are read and written through those pointers, the user of a root node has permission to read and write the data of its leaf nodes, and a leaf node user has no permission to read or write the data of the root node.
Taking Fig. 1 as an example, node 1 is the root node; nodes 2 and 3 are leaf nodes of node 1; node 2 has leaf nodes 4 and 5, and node 3 has leaf node 6; node 4 has leaf nodes 7 and 8; nodes 5 and 6 have the common leaf node 9; and node 6 also has its own leaf node 10.
In terms of access rights, node 1 has permission to access all other nodes; node 2 has permission to access nodes 4, 5, 7, 8 and 9; node 3 has permission to access nodes 6, 9 and 10; but neither node 2 nor node 3 can access node 1. The access rights of the other nodes follow by analogy.
In the above structure, all intermediate nodes have the character of file directories: they store only the pointers to the next-level directories or leaf nodes, not the actual concrete storage mode and location of the stored file in the distributed file system. Only the data structure of a leaf node stores the concrete storage location and mode of a given file; in other words, each bottom-level leaf node corresponds to a database with a concrete physical location.
In this case, when an application performs data access, it can only obtain the storage information of the data by starting at the directory layer where its permission lies and following the one-way pointers down to a leaf node. This file directory organization scheme effectively achieves the isolation of user data; the isolation is accomplished by the one-way nature of the directory mapping rather than by isolating data at their physical storage locations, so the data of different applications need no isolation measures at the physical storage location.
In addition, the cloud data comprise a permission model, and the permission model comprises the shortest path from any root node to a leaf node. This scheme also makes it convenient for each application to create its own file isolation: once an application is assigned a certain directory layer, its subdirectories can be freely created by the application itself and allocated to different sub-applications, and because of the one-way nature of the directory pointers, a sub-application in a subdirectory cannot go beyond the directory structure of its parent application.
For example, a personnel query application is assigned an empty directory layer in the cloud system as the root directory of the application. By the one-way principle of the pointers, this directory has no permission to access the directories of any other application in the cloud system; the owner of the application's root directory only has permission to create and access the directories inside its own dashed outline in the figure. Because the application needs to create storage space for each user, it will create many subdirectories under its own directory layer; the subdirectories cannot access each other, so the data of different users are also isolated, while the root directory of the application can exercise control and management over all subdirectories. An application subdirectory can in turn create its own next-level directories or leaf nodes as required, and only a leaf node can store the real location where a file is actually kept in the system.
Those of ordinary skill in the art will appreciate that the above description is only one or more of the many embodiments of the present invention and is not intended to limit the invention. Any equivalent variations, modifications or equivalent substitutions of the above embodiments, so long as they fall within the spirit of the invention, fall within the scope of protection of the claims of the present invention.
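The Fig. 1 permission tree, the one-way pointer rule of Steps 1 to 3 and the query prefix of Step 2, worked as an added example (not code from the patent; the node ids and access sets are the ones the description gives, while the storage locations attached to the bottom-level leaves and the `dfs://` naming are constructed assumptions):

```python
from typing import Dict, List, Optional, Set


class Node:
    """One node of the permission tree. Only downward (one-way) pointers exist."""

    def __init__(self, nid: int) -> None:
        self.nid = nid
        self.children: List["Node"] = []      # pointers to the subordinate nodes
        self.storage: Optional[str] = None    # set only on bottom-level leaf nodes


def build_fig1_tree() -> Dict[int, Node]:
    """Reconstruct Fig. 1: 1 -> {2,3}, 2 -> {4,5}, 3 -> {6}, 4 -> {7,8},
    5 -> {9}, 6 -> {9,10}. Nodes 5 and 6 share the common leaf 9."""
    nodes = {i: Node(i) for i in range(1, 11)}
    edges = {1: [2, 3], 2: [4, 5], 3: [6], 4: [7, 8], 5: [9], 6: [9, 10]}
    for parent, kids in edges.items():
        nodes[parent].children = [nodes[k] for k in kids]
    # Constructed physical locations (assumption): only the bottom-level leaves
    # carry them; intermediate nodes hold pointers and no storage information.
    for leaf in (7, 8, 9, 10):
        nodes[leaf].storage = f"dfs://shard-{leaf}/db"
    return nodes


def reachable(node: Node) -> Set[int]:
    """Ids reachable by following the one-way pointers downward from node.
    No parent or sibling pointers exist, so nothing above or beside is visible."""
    seen: Set[int] = set()
    stack = list(node.children)
    while stack:
        n = stack.pop()
        if n.nid in seen:
            continue
        seen.add(n.nid)
        stack.extend(n.children)
    return seen


def can_access(nodes: Dict[int, Node], requester: int, target: int) -> bool:
    """Step 3 rule: a node may read/write only the nodes below it."""
    return target in reachable(nodes[requester])


def prefixed_query(node_id: int, statement: str) -> str:
    """Step 2: the same statement issued from a different node gets a different
    prefix, e.g. (2#)+(...) for node 2 and (4#)+(...) for node 4."""
    return f"({node_id}#)+({statement})"


def resolve_storage(nodes: Dict[int, Node], requester: int, target: int) -> Optional[str]:
    """Walk from the requester's own layer along the one-way pointers; a physical
    location is returned only when target is a reachable bottom-level leaf."""
    if not can_access(nodes, requester, target):
        return None
    return nodes[target].storage      # None for intermediate (directory) nodes


if __name__ == "__main__":
    t = build_fig1_tree()
    print(sorted(reachable(t[2])))    # [4, 5, 7, 8, 9]
    print(can_access(t, 2, 1))        # False: no upward pointer exists
    print(prefixed_query(2, "SELECT * FROM staff"))
```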
Claims (6)
1. A cloud platform data access security isolation method, characterized in that it comprises the following steps:
Step 1: building a permission tree of all users according to their different user ranks;
wherein said permission tree is a one-way pointer multilayer tree structure, users with greater permissions are placed at root nodes in the lower layers, and users with smaller permissions are placed at leaf nodes in the upper layers;
Step 2: setting up different query statements for the nodes of different layers, wherein the query statement of a root node can also query the data of its leaf nodes downwards, whereas the query statement of a leaf node can neither query the data of the root node upwards nor query the data of nodes in the same layer.
2. The cloud platform data access security isolation method of claim 1, characterized in that it further comprises:
Step 3: each said root node stores pointers to the leaf nodes that belong to it.
3. The cloud platform data access security isolation method of claim 2, characterized in that the cloud data comprise a permission model, and said permission model comprises the shortest path from any root node to a leaf node.
4. The cloud platform data access security isolation method of claim 2, characterized in that each said bottom-level leaf node corresponds to a database with a concrete physical location.
5. The cloud platform data access security isolation method of claim 2, characterized in that said root node comprises pointers that point directly to the leaf nodes that belong to it, and data are read and written through said pointers.
6. The cloud platform data access security isolation method of claim 5, characterized in that the user of said root node has permission to read and write the data of the leaf nodes, and said leaf node user has no permission to read or write the data of the root node.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410406589.5A CN104182503A (en) | 2014-08-18 | 2014-08-18 | Cloud platform data access safety isolation method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410406589.5A CN104182503A (en) | 2014-08-18 | 2014-08-18 | Cloud platform data access safety isolation method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104182503A true CN104182503A (en) | 2014-12-03 |
Family
ID=51963542
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410406589.5A Pending CN104182503A (en) | 2014-08-18 | 2014-08-18 | Cloud platform data access safety isolation method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104182503A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105653982A (en) * | 2015-12-31 | 2016-06-08 | 中国建设银行股份有限公司 | Method and system used for data permission control |
CN108090083A (en) * | 2016-11-23 | 2018-05-29 | 北京国双科技有限公司 | A kind of menu queries method and server |
CN109246079A (en) * | 2018-08-02 | 2019-01-18 | 网易乐得科技有限公司 | Right management method, system, medium and electronic equipment |
CN109802858A (en) * | 2019-01-14 | 2019-05-24 | 北京纷扬科技有限责任公司 | Data management system and method |
CN111027091A (en) * | 2019-11-13 | 2020-04-17 | 北京字节跳动网络技术有限公司 | Method, device, medium and electronic equipment for managing authority |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6219667B1 (en) * | 1998-05-28 | 2001-04-17 | International Business Machines Corporation | Efficient large-scale access control for internet/intranet information systems |
US20080288532A1 (en) * | 2003-03-31 | 2008-11-20 | Maurice Aboukrat | Computer Device for Managing Documents in Multi-User Mode |
CN101325481A (en) * | 2008-07-29 | 2008-12-17 | 成都卫士通信息产业股份有限公司 | Grouping authorization control method |
CN101938497A (en) * | 2010-09-26 | 2011-01-05 | 深圳大学 | Multistage security file structure as well as file access control and secret key management user terminal, service terminal, system and method thereof |
Events
- 2014-08-18: application CN201410406589.5A filed in China, published as CN104182503A, status Pending
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105653982A (en) * | 2015-12-31 | 2016-06-08 | 中国建设银行股份有限公司 | Method and system used for data permission control |
CN108090083A (en) * | 2016-11-23 | 2018-05-29 | 北京国双科技有限公司 | A kind of menu queries method and server |
CN109246079A (en) * | 2018-08-02 | 2019-01-18 | 网易乐得科技有限公司 | Right management method, system, medium and electronic equipment |
CN109246079B (en) * | 2018-08-02 | 2021-09-24 | 网易乐得科技有限公司 | Authority management method, system, medium and electronic device |
CN109802858A (en) * | 2019-01-14 | 2019-05-24 | 北京纷扬科技有限责任公司 | Data management system and method |
CN111027091A (en) * | 2019-11-13 | 2020-04-17 | 北京字节跳动网络技术有限公司 | Method, device, medium and electronic equipment for managing authority |
CN111027091B (en) * | 2019-11-13 | 2022-04-22 | 北京字节跳动网络技术有限公司 | Method, device, medium and electronic equipment for managing authority |
Similar Documents
Publication | Title |
---|---|
US20200334373A1 (en) | Nested namespaces for selective content sharing |
CN103902632B (en) | The method, apparatus and electronic equipment of file system are built in key assignments storage system |
US9003477B2 (en) | Model for managing hosted resources using logical scopes |
CN104182503A (en) | Cloud platform data access safety isolation method |
US9589016B2 (en) | Materialized query tables with shared data |
US20130238557A1 (en) | Managing tenant-specific data sets in a multi-tenant environment |
CN104123359A (en) | Resource management method of distributed object storage system |
US8578460B2 (en) | Automating cloud service reconnections |
US20180060382A1 (en) | Managing multiple locks for data set members in a data set index |
US10242014B2 (en) | Filesystem with isolated independent filesets |
US20200050583A1 (en) | Storing and retrieving restricted datasets to and from a cloud network with non-restricted datasets |
CN107147728A (en) | A kind of management method of object storage system multi-tenant |
US10754971B2 (en) | Referenced access control list |
US11675927B2 (en) | System and method for external users in groups of a multitenant system |
US20100125893A1 (en) | Techniques for enforcing access rights during directory access |
JP6578356B2 (en) | Access control for objects with attributes defined for a hierarchically organized domain containing a fixed number of values |
CN106874357A (en) | A kind of Resources Customization method and apparatus of Web applications |
US20220067180A1 (en) | Security policy management for database |
CN102609448A (en) | Multi-user-version hierarchical document mapping method |
CN109150964A (en) | A kind of transportable data managing method and services migrating method |
WO2021094885A1 (en) | Intelligent data pool |
CN103870548A (en) | Access control method of spatial database |
US20160034700A1 (en) | Search permissions within hierarchically associated data |
CN103793635A (en) | Multi-level menu permission establishing method |
US20130067269A1 (en) | Object based storage system and method of operating thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20141203 |