CN104363229A - Data center and access method thereof - Google Patents


Info

Publication number: CN104363229A
Authority: CN (China)
Prior art keywords: user, described, access request, main station, subscriber
Priority date: 2014-11-14
Application number: CN201410648036.0A
Other languages: Chinese (zh)
Inventor: 曹玲玲
Original Assignee: 浪潮(北京)电子信息产业有限公司
Filing date: 2014-11-14
Publication date: 2015-02-18
Application filed by 浪潮(北京)电子信息产业有限公司
Priority to CN201410648036.0A
Publication of CN104363229A

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/08 ... for supporting authentication of entities communicating through a packet data network › H04L63/0892 ... by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security › H04L63/10 ... for controlling access to network resources

Abstract

The invention discloses a data center based on network storage and an access method for that data center, and relates to the technical field of network storage. The method comprises the following steps: when the data center receives an access request sent by a user host, a management server of the data center authenticates the identity of the user host; if the user host passes identity authentication, the network storage device that the user host wants to access through the access request judges whether the access request is authorized, and if the access request is authorized, processes it accordingly. The invention further discloses the data center. According to the technical scheme, system performance is improved.

Description

Data center and access method thereof

Technical field

The present invention relates to the technical field of network storage, and specifically to a network-storage-based data center and an access method for it.

Background technology

Network storage means separating the storage system from the host: the independent storage system is connected to a conventional user equipment network and is accessed and managed over that network. Network storage technology is a general networking term for data-based storage, and network storage architectures fall roughly into three kinds: direct-attached storage (DAS), network-attached storage (NAS) and storage area networks (SAN). The primary storage units of the data center are high-performance iSCSI storage nodes attached to disk arrays, together with a network optical disc library that applies NAS technology. The disk arrays offer high access performance and the reliability that comes from the redundancy they introduce; they mainly hold the data of current applications and provide "online" data services to users. The huge volume of historical data is instead backed up to optical discs by recording devices and served through the network optical disc library. The network optical disc library is a storage device specific to data centers and is the key to hierarchical storage in the data center.

The storage management server is responsible for the centralized management and maintenance of the dispersed storage devices and data. It is also a metadata server, providing the metadata needed for direct access to the storage devices, both for query and retrieval and for users' application programs. To a certain extent the storage management server is the key to storage virtualization in the data center: the actual data transfer is transparent to users, who access the data center just as they would a local hard drive. In addition, the data center's storage devices support dynamic "hot plugging" and plug and play, which eases the expansion and maintenance of the data center and guarantees 24 × 7 service.

Summary of the invention

The technical problem solved by the invention is to provide a data center and an access method for it that address the low security of data centers.

To solve the above problem, the invention discloses an access method for a data center, comprising:

when the data center receives an access request initiated by a user host, the management server of the data center authenticates the identity of the user host;

if the user host passes identity authentication, the network storage device targeted by the access request judges whether the access request is an authorized operation, and if the access request is an authorized operation, processes it accordingly.

Optionally, in the above method, the step in which the network storage device targeted by the access request judges whether the access request is an authorized operation and, if so, processes it accordingly comprises:

the network storage device targeted by the access request judges, according to the file access rights of the user host, whether the user host has the right to perform the operation;

if the user host has the right to perform the operation, the network storage device targeted by the access request determines, from the user identification information of the user host, the user tier to which the host belongs, obtains the user behaviour corresponding to the access request according to the behaviour pattern library of that tier, and performs the corresponding operation.

Optionally, in the above method, the user identification information comprises a user identifier and/or a group identifier.

Optionally, in the above method, the user tiers comprise: read-only users, read-write users, administrators and system users.

Optionally, after the network storage device targeted by the access request has obtained the user behaviour corresponding to the access request, the method further comprises:

identifying whether the user behaviour is "self";

if the user behaviour is identified as "self", performing the corresponding operation.

The invention also discloses a data center comprising at least one management server and a plurality of network storage devices, wherein the management server authenticates the identity of a user host that initiates an access request;

and a network storage device, when the user host that initiated an access request to this device has passed identity authentication, judges whether the access request is an authorized operation and, when the access request is an authorized operation, processes it accordingly.

Optionally, in the above data center, the network storage device comprises:

a file access rights processing unit, which judges, according to the file access rights of a user host that has passed identity authentication, whether the user host has the right to perform the operation;

a user tier processing unit, which, when the user host has the right to perform the operation, determines from the user identification information of the user host the user tier to which the host belongs, obtains the user behaviour corresponding to the access request according to the behaviour pattern library of that tier, and performs the corresponding operation.

Optionally, in the above data center, the user identification information comprises a user identifier and/or a group identifier.

Optionally, in the above data center, the user tiers comprise: read-only users, read-write users, administrators and system users.

Optionally, in the above data center, after the network storage device has obtained the user behaviour corresponding to the access request, it also identifies whether the user behaviour is "self", and performs the corresponding operation only when the user behaviour is identified as "self".

The technical scheme uses IP-based storage technology and achieves a storage architecture in which the user bypasses the server and accesses the storage devices directly; relative to server-mediated storage, this architecture offers higher system performance. In addition, the security mechanism based on the idea of biological immunity proposed by the preferred scheme can effectively stop abnormal access to and operations on the data center's storage nodes (i.e. the individual network storage devices), and introducing the anomaly detection system has only a slight effect on system performance.

Description of the drawings

Fig. 1 is a schematic diagram of the security mechanism of the data center proposed by the invention;

Fig. 2 is the multi-layer immune model of a network-attached node.

Embodiment

To make the objectives, technical solutions and advantages of the invention clearer, the technical solution of the invention is described in further detail below with reference to the accompanying drawings. Note that, where they do not conflict, the features of the embodiments of the application may be combined with one another arbitrarily.

Embodiment 1

At present, the core idea of data center architecture design is that stored data is transferred directly between the user and the storage device without passing through a server. This asymmetric architecture, which bypasses the server, greatly improves system performance, but because the storage devices are all exposed on the user network, its security is inferior to that of a "centralized" storage system.

To address this problem, the inventor considered using IP's own security mechanisms, such as IPsec and SSL, to encrypt stored data in transit and so protect it. For example, for access authorization the storage device first authenticates identity (for instance with an account/password scheme or CHAP) to ensure that the host is an authorized user, and then uses a security mechanism similar to that of object-based storage devices to judge whether the operation is authorized.

Based on the above idea, this embodiment provides a data center and an access method for it, mainly comprising the following operations:

when the data center receives an access request initiated by a user host, the management server of the data center authenticates the identity of that user host;

if the user host passes identity authentication, the network storage device targeted by the access request judges whether the access request is an authorized operation, and if it is, processes it accordingly.

Specifically, a user host must first be authenticated by the management server and obtain the corresponding rights before it can access a network storage device, as shown in Fig. 1. The management server determines, according to the security policy, whether the operation requested by the user host is legitimate; if the request is legitimate, the management server grants the host a certificate that represents its access rights. The user host then sends the request and the certificate together to the corresponding network storage device. The network storage device performs the operation only after verifying that it really is the operation authorized by the management server; if it is not an authorized operation, the device refuses to perform it. The integrity and authenticity of the certificate can be guaranteed by a key shared between the management server and the network storage device.
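The Fig. 1 exchange, written out as an added example that is not part of the patent: the management server checks the request against a policy table and issues a certificate (here an HMAC-signed credential) naming the host, device, operation and path; the storage node verifies it with the key it shares with the management server and refuses any request the certificate does not cover, including expired or altered ones. The host and device names, the policy table, the shared key and the 300-second lifetime are all constructed for this example.

```python
"""Management-server credential issuance and storage-node verification.

Added example, not the patent's own code. Every name, key and policy entry
below is constructed for illustration.
"""
import hashlib
import hmac
import json
import time

# Constructed key shared between the management server and storage node "nas-01".
SHARED_KEYS = {"nas-01": b"constructed-shared-key-for-nas-01"}

# Constructed security policy: host -> device -> operations the host may request.
POLICY = {
    "host-a": {"nas-01": {"read", "write"}},
    "host-b": {"nas-01": {"read"}},
}

CREDENTIAL_TTL = 300  # seconds a certificate stays valid (constructed value)


def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON so both sides MAC exactly the same bytes.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_credential(host: str, device: str, operation: str, path: str, now=None):
    """Management server: return a signed certificate, or None if policy denies."""
    if device not in SHARED_KEYS:
        return None
    if operation not in POLICY.get(host, {}).get(device, set()):
        return None
    now = time.time() if now is None else now
    body = {
        "host": host,
        "device": device,
        "op": operation,
        "path": path,
        "exp": int(now) + CREDENTIAL_TTL,
    }
    return {"body": body, "mac": _mac(SHARED_KEYS[device], body)}


def storage_node_check(device: str, request: dict, credential, now=None) -> bool:
    """Storage node: accept the request only if the certificate authorises it."""
    key = SHARED_KEYS.get(device)
    if key is None or credential is None:
        return False
    body = credential["body"]
    # Integrity/authenticity: recompute the MAC with the shared key.
    if not hmac.compare_digest(_mac(key, body), credential["mac"]):
        return False
    now = time.time() if now is None else now
    if now >= body["exp"]:
        return False
    # The request must be exactly what the management server authorised.
    return (
        body["device"] == device
        and body["host"] == request["host"]
        and body["op"] == request["op"]
        and body["path"] == request["path"]
    )


if __name__ == "__main__":
    cred = issue_credential("host-a", "nas-01", "read", "/data/report.bin")
    req = {"host": "host-a", "op": "read", "path": "/data/report.bin"}
    print("authorised read accepted:", storage_node_check("nas-01", req, cred))
    print("policy denies host-b write:",
          issue_credential("host-b", "nas-01", "write", "/data/report.bin") is None)
```

The storage node never consults the policy itself; it only trusts what the management server signed, which is what lets the storage devices sit directly on the user network while authorization decisions stay centralized.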

In some preferred schemes, a security mechanism is introduced at the storage nodes (i.e. the network storage devices) of the decentralized data storage system. This mechanism plays a role similar to that of the biological immune system, preventing data on the network from being invaded by viruses and damaged by abnormal behaviour. For example, a multi-layer immune model is established on a NAS device based on an optimized Linux system, as shown in Fig. 2. The user authentication layer uses the restriction of account and password to stop users who have not been authenticated from entering the system. The file permission layer assigns different file access rights to different users and can refuse file operations for which a user is not authorized. A user operation that has passed these two barriers carries the user's necessary information (i.e. user identification information), such as a user identifier (user id, uid) and a group identifier (group id, gid). At the user tier layer, users are divided according to their identification information into "user tiers" such as read-only users, read-write users, administrators and system users; different users sit on different tiers, each tier holds a behaviour pattern library of the legitimate, normal behaviour of users of that rank, and a user's operation commands are dispatched, according to the tier information, to the corresponding tier for processing. The specific operation process is as follows:

the network storage device targeted by the access request judges, according to the file access rights of the user host, that the user host has the right to perform the operation (i.e. it determines that the access request has passed the user authentication layer and the file permission layer);

the network storage device targeted by the access request determines, from the user identification information of the user host, the user tier to which the host belongs, obtains the user behaviour corresponding to the access request according to the behaviour pattern library of that tier, and performs the corresponding operation.

In addition, an anomaly detection system can be set up on each user tier. It is mainly used to analyse the system call sequences of user command requests and to distinguish "self" from "non-self": if the user behaviour is identified as "self", it is allowed through the third barrier and executed by the system; if it is identified as "non-self", an immune response is triggered and execution is forbidden. That is, after the network storage device targeted by the access request has obtained the user behaviour corresponding to the access request, it also needs to identify whether the user behaviour is "self", and performs the corresponding operation only if the behaviour is identified as "self".
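The three barriers of Fig. 2 on a single NAS node, as an added example that is not part of the patent: an account check, a file-permission check, assignment to a user tier from uid/gid, and a per-tier behaviour pattern library consulted by the anomaly detector. The accounts, file access rights, tier assignment rules and system-call traces are constructed for this example, and the self/non-self test compares fixed-length windows of the request's call sequence against the windows seen in that tier's normal traces, which is an assumption about how the patent's sequence analysis works rather than something the text specifies.

```python
"""Multi-layer immune model of one network-attached storage node.

Added example, not the patent's own code. Accounts, ACLs, tier rules,
behaviour libraries and call traces are all constructed for illustration.
"""
import hmac
from collections import namedtuple

Request = namedtuple("Request", "user password path op syscalls")

# Barrier 1 material: constructed account table, name -> (password, uid, gid).
ACCOUNTS = {
    "alice": ("alice-pw", 1001, 100),  # gid 100: read-only group
    "bob":   ("bob-pw",   1002, 200),  # gid 200: read-write group
    "ops":   ("ops-pw",   1003, 10),   # gid 10:  administrators
    "root":  ("root-pw",  0,    0),    # uid 0:   system user
}

# Barrier 2 material: constructed file access rights, path -> {gid: operations}.
FILE_ACL = {
    "/share/report.txt": {
        100: {"read"},
        200: {"read", "write"},
        10: {"read", "write"},
        0: {"read", "write"},
    },
}


def tier_of(uid, gid):
    """Map user identification information (uid/gid) to a user tier (constructed rule)."""
    if uid == 0:
        return "system"
    return {10: "administrator", 200: "read-write", 100: "read-only"}.get(gid, "read-only")


WINDOW = 3  # length of the call-sequence windows (assumption)


def build_library(normal_traces):
    """Behaviour pattern library: every WINDOW-length window seen in normal traces."""
    library = set()
    for trace in normal_traces:
        for i in range(len(trace) - WINDOW + 1):
            library.add(tuple(trace[i:i + WINDOW]))
    return library


# Constructed normal traces for each tier, i.e. what that rank is legitimately seen doing.
PATTERN_LIBRARY = {
    "read-only":     build_library([["open", "read", "read", "close"]]),
    "read-write":    build_library([["open", "read", "read", "close"],
                                    ["open", "write", "fsync", "close"]]),
    "administrator": build_library([["open", "write", "fsync", "close"],
                                    ["stat", "chmod", "close"]]),
    "system":        build_library([["open", "read", "close"],
                                    ["mount", "stat", "umount"]]),
}


def is_self(tier, syscalls):
    """'Self' means every window of the call sequence appears in the tier's library."""
    if len(syscalls) < WINDOW:
        return False  # too short to match any stored pattern: treat as non-self
    library = PATTERN_LIBRARY[tier]
    return all(tuple(syscalls[i:i + WINDOW]) in library
               for i in range(len(syscalls) - WINDOW + 1))


def handle_request(req):
    """Run a request through the three barriers; return (barrier, outcome)."""
    account = ACCOUNTS.get(req.user)
    if account is None or not hmac.compare_digest(account[0], req.password):
        return ("user-authentication", "rejected")
    _, uid, gid = account
    if req.op not in FILE_ACL.get(req.path, {}).get(gid, set()):
        return ("file-permission", "rejected")
    tier = tier_of(uid, gid)  # operation is dispatched to its tier
    if not is_self(tier, req.syscalls):
        return ("anomaly-detection", "non-self")  # immune response: do not run
    return ("executed", tier)


if __name__ == "__main__":
    ok = Request("alice", "alice-pw", "/share/report.txt", "read",
                 ["open", "read", "read", "close"])
    odd = Request("bob", "bob-pw", "/share/report.txt", "write",
                  ["open", "write", "execve", "close"])
    print(handle_request(ok))   # passes all three barriers
    print(handle_request(odd))  # permitted write, but the call pattern is non-self
```

The point of the third barrier is visible in the second request: bob's write is permitted by the file ACL, so it passes the first two layers, but the call sequence does not match the read-write tier's library, so the node refuses to execute it.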

Embodiment 2

This embodiment provides a data center comprising at least one management server and a plurality of network storage devices.

The management server authenticates the identity of a user host that initiates an access request;

a network storage device, when the user host that initiated an access request to this device has passed identity authentication, judges whether the access request is an authorized operation and, when the access request is an authorized operation, processes it accordingly.

Specifically, the above network storage device further comprises: a file access rights processing unit, which judges, according to the file access rights of a user host that has passed identity authentication, whether the user host has the right to perform the operation;

a user tier processing unit, which, when the user host has the right to perform the operation, determines the user tier to which the user host belongs from the user identification information of the host (such as a user identifier and/or a group identifier), obtains the user behaviour corresponding to the access request according to the behaviour pattern library of that tier, and performs the corresponding operation.

In this embodiment the user tiers comprise read-only users, read-write users, administrators, system users and the like.

Some schemes further propose that, after the above network storage device has obtained the user behaviour corresponding to the access request, it identifies whether the user behaviour is "self", and performs the corresponding operation only when the behaviour is identified as "self".

Note that the data center provided by this embodiment can be accessed according to the method of Embodiment 1 above; for the other operational details of the data center provided by this embodiment, refer to the corresponding content of Embodiment 1, which is not repeated here.

The above are only preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. An access method for a data center, characterized in that:
when the data center receives an access request initiated by a user host, the management server of the data center authenticates the identity of the user host;
if the user host passes identity authentication, the network storage device targeted by the access request judges whether the access request is an authorized operation, and if the access request is an authorized operation, processes it accordingly.
2. The method of claim 1, characterized in that the step in which the network storage device targeted by the access request judges whether the access request is an authorized operation and, if so, processes it accordingly comprises:
the network storage device targeted by the access request judges, according to the file access rights of the user host, whether the user host has the right to perform the operation;
if the user host has the right to perform the operation, the network storage device targeted by the access request determines, from the user identification information of the user host, the user tier to which the host belongs, obtains the user behaviour corresponding to the access request according to the behaviour pattern library of that tier, and performs the corresponding operation.
3. The method of claim 2, characterized in that:
the user identification information comprises a user identifier and/or a group identifier.
4. The method of claim 2, characterized in that:
the user tiers comprise: read-only users, read-write users, administrators and system users.
5. The method of any one of claims 2 to 4, characterized in that, after the network storage device targeted by the access request has obtained the user behaviour corresponding to the access request, the method further comprises:
identifying whether the user behaviour is "self";
if the user behaviour is identified as "self", performing the corresponding operation.
6. A data center comprising at least one management server and a plurality of network storage devices, characterized in that:
the management server authenticates the identity of a user host that initiates an access request;
a network storage device, when the user host that initiated an access request to this device has passed identity authentication, judges whether the access request is an authorized operation and, when the access request is an authorized operation, processes it accordingly.
7. The data center of claim 6, characterized in that the network storage device comprises:
a file access rights processing unit, which judges, according to the file access rights of a user host that has passed identity authentication, whether the user host has the right to perform the operation;
a user tier processing unit, which, when the user host has the right to perform the operation, determines from the user identification information of the user host the user tier to which the host belongs, obtains the user behaviour corresponding to the access request according to the behaviour pattern library of that tier, and performs the corresponding operation.
8. The data center of claim 7, characterized in that:
the user identification information comprises a user identifier and/or a group identifier.
9. The data center of claim 7, characterized in that:
the user tiers comprise: read-only users, read-write users, administrators and system users.
10. The data center of any one of claims 7 to 9, characterized in that:
after the network storage device has obtained the user behaviour corresponding to the access request, it also identifies whether the user behaviour is "self", and performs the corresponding operation only when the user behaviour is identified as "self".

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410648036.0A CN104363229A (en) 2014-11-14 2014-11-14 Data center and access method thereof


Publications (1)

Publication Number Publication Date
CN104363229A true CN104363229A (en) 2015-02-18

Family

ID=52530455


Country Status (1)

Country Link
CN (1) CN104363229A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104702620A (en) * 2015-03-26 2015-06-10 浪潮集团有限公司 Website protection method based on file mandatory access control

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060106936A1 (en) * 2002-11-15 2006-05-18 Marco De Luca Device and method for centralized data management and a access control to databases
CN101382919A (en) * 2007-09-05 2009-03-11 北京明朝万达科技有限公司 Storage data isolating method based on identity
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
CN101917438A (en) * 2010-08-23 2010-12-15 浪潮(北京)电子信息产业有限公司 Access control method and system in network communication system
US20110289561A1 (en) * 2010-05-21 2011-11-24 IVANOV Andrei System and Method for Information Handling System Multi-Level Authentication for Backup Services


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孙照焱: "基于生物免疫机制的附网存储关键技术研究", 《中国优秀博硕士学位论文全文数据库 (博士) 信息科技辑》 *
张继征,贾惠波: "柔性网络化数据存储中心", 《计算机工程》 *


Similar Documents

Publication Publication Date Title
JP6207697B2 (en) Safe mobile framework
US20180234433A1 (en) Systems and methods for managing digital identities
US20190349426A1 (en) The internet of things
Ali et al. Applications of blockchains in the Internet of Things: A comprehensive survey
US9049195B2 (en) Cross-domain security for data vault
JP6656157B2 (en) Network connection automation
US10534920B2 (en) Distributed data storage by means of authorisation token
US10055561B2 (en) Identity risk score generation and implementation
US20180225466A1 (en) Access control
EP2731041B1 (en) Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method
KR102008885B1 (en) Data custodian and curation system
US9613205B2 (en) Alternate authentication
US9432350B2 (en) System and method for intelligent workload management
US8195743B2 (en) Extensible and programmable multi-tenant service architecture
US8713704B2 (en) Behavioral fingerprint based authentication
CN104144158B (en) Method and apparatus for the automatic agreement based on strategy
CN103441986B (en) Data resource security control method in thin client mode
TWI633455B (en) Social device security in a social network
EP2790370B1 (en) Authentication method and system oriented to heterogeneous network
US10467096B2 (en) Securely storing data in a dispersed storage network
JP3640338B2 (en) Secure electronic data storage and retrieval system and method
US6978366B1 (en) Secure document management system
US7831570B2 (en) Mandatory access control label security
US7814076B2 (en) Data vault
US8544070B2 (en) Techniques for non repudiation of storage in cloud or shared storage environments

Legal Events

Date Code Title Description
PB01 Publication (Application publication date: 20150218)
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
RJ01 Rejection of invention patent application after publication