CN104363229A - Data center and access method thereof - Google Patents


Info

Publication number: CN104363229A
Authority: CN (China)
Prior art keywords: user, access request, subscriber, main station, data center
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201410648036.0A
Other languages: Chinese (zh)
Inventor: 曹玲玲
Current Assignee: Inspur Beijing Electronic Information Industry Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Inspur Beijing Electronic Information Industry Co Ltd
Priority date: 2014-11-14 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2014-11-14
Publication date: 2015-02-18

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols

Abstract

The invention discloses a data center based on network storage and an access method for that data center, and relates to the technical field of network storage. The method comprises the following steps: when the data center receives an access request sent by a user host, a management server of the data center authenticates the identity of the user host; if the user host passes identity authentication, the network storage device targeted by the access request judges whether the access request is an authorized operation and, if it is, processes it accordingly. The invention further discloses the data center itself. With this technical scheme, system performance is improved.

Description

Data center and access method thereof
Technical field
The present invention relates to the technical field of network storage, and in particular to a data center based on network storage and an access method thereof.
Background art
Network storage separates the storage system from the host: an independent storage system is connected to the traditional user equipment network and is accessed and managed over that network. Network storage technology is a general term for data-centred storage over a network, and network storage architectures fall roughly into three kinds: direct-attached storage (DAS), network-attached storage (NAS) and storage area networks (SAN). The primary storage units of a data center are high-performance iSCSI storage nodes attached to disk arrays, together with a network optical-disc database built on NAS technology. The disk arrays offer high access performance and the reliability that redundancy brings; they mainly hold the data of current applications and provide "online" data services to users. Large volumes of historical data are backed up to optical discs by a recording device and served through the network optical-disc database. The network optical-disc database is a special-purpose storage device for data centers and is the key to hierarchical storage in the data center.
The storage management server is responsible for the centralized management and maintenance of the dispersed storage devices and data. It is also a metadata server: it provides the metadata that user applications need in order to query, retrieve and directly access the storage devices. To a certain extent the storage management server is what lets the data center realize storage virtualization: the actual data transfer is transparent to users, who access the data center as if it were a local hard drive. In addition, the storage devices of the data center support dynamic "hot plugging" and plug-and-play, which eases expansion and maintenance of the data center and ensures 24 × 7 service.
Summary of the invention
The technical problem to be solved by the invention is to provide a data center and an access method thereof that address the low security of existing data centers.
To solve this problem, the invention discloses an access method for a data center, comprising:
when the data center receives an access request initiated by a user host, a management server of the data center authenticates the identity of the user host;
if the user host passes identity authentication, the network storage device targeted by the access request judges whether the access request is an authorized operation and, if it is, processes it accordingly.
Optionally, in the above method, the step in which the network storage device targeted by the access request judges whether the access request is an authorized operation and, if so, processes it accordingly comprises:
the network storage device targeted by the access request judges, according to the file access permissions of the user host, whether the user host has operating permission;
if the user host has operating permission, the network storage device targeted by the access request determines the user tier to which the user host belongs from the user identification information of the user host, obtains the user behavior corresponding to the access request from the behavior pattern library of the determined user tier, and operates accordingly.
Optionally, in the above method, the user identification information comprises a user identifier and/or a group identifier.
Optionally, in the above method, the user tiers comprise: read-only user, read-write user, administrator and system user.
Optionally, after the network storage device targeted by the access request obtains the user behavior corresponding to the access request, the method further comprises:
identifying whether the user behavior is "self";
if the user behavior is identified as "self", operating accordingly.
The invention also discloses a data center comprising at least one management server and a plurality of network storage devices, wherein the management server authenticates the identity of a user host that initiates an access request;
and each network storage device, when a user host that initiates an access request to this network storage device has passed identity authentication, judges whether the access request is an authorized operation and, when it is, processes it accordingly.
Optionally, in the above data center, the network storage device comprises:
a file access permission processing unit, which judges, according to the file access permissions of a user host that has passed identity authentication, whether the user host has operating permission;
a user tier processing unit, which, when the user host has operating permission, determines the user tier to which the user host belongs from the user identification information of the user host, obtains the user behavior corresponding to the access request from the behavior pattern library of the determined user tier, and operates accordingly.
Optionally, in the above data center, the user identification information comprises a user identifier and/or a group identifier.
Optionally, in the above data center, the user tiers comprise: read-only user, read-write user, administrator and system user.
Optionally, in the above data center, after the network storage device obtains the user behavior corresponding to the access request, it further identifies whether the user behavior is "self" and operates accordingly when the user behavior is identified as "self".
The technical scheme adopts IP-based storage technology and realizes a storage architecture in which users bypass the server and access the storage devices directly; compared with server-attached storage, this architecture offers higher system performance. In addition, the security mechanism proposed in the preferred scheme, which is based on the idea of biological immunity, can effectively stop abnormal access to and abnormal operations on the storage nodes of the data center (that is, the individual network storage devices), and introducing the anomaly detection system has only a slight effect on system performance.
Brief description of the drawings
Fig. 1 is a schematic diagram of the security mechanism of the data center proposed by the invention;
Fig. 2 is a diagram of the multilayer immune model of a network-attached node.
Embodiments
To make the objects, technical solutions and advantages of the invention clearer, the technical solution of the invention is described in further detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the features of the embodiments of this application may be combined with one another arbitrarily.
Embodiment 1
At present, the core idea in data center architecture design is that stored data is transferred directly between the user and the storage device without passing through a server. This asymmetric storage architecture, which bypasses the server, can greatly improve system performance; but because the storage devices are all exposed on the user network, it is less secure than a "centralized" storage system.
For the above problem, the inventor considered using the security mechanisms of IP itself, such as IPSec and SSL, to encrypt stored data in transit and so guarantee data security. For example, in access authorization, the storage device first performs identity authentication (for instance by account/password or CHAP) to make sure the host is an authorized user, and then uses a security mechanism similar to that of object-based storage devices to judge whether the operation is authorized.
Based on this idea, the present embodiment provides a data center and an access method thereof, mainly comprising the following operations:
when the data center receives an access request initiated by a user host, the management server of the data center authenticates the identity of the user host;
if the user host passes identity authentication, the network storage device targeted by the access request judges whether the access request is an authorized operation and, if it is, processes it accordingly.
Specifically, a user host must first pass authentication by the management server and obtain the corresponding permission before it can access a network storage device, as shown in Fig. 1. The management server determines, according to the security policy, whether the operation requested by the user host is legitimate; if it is, the management server grants the host a certificate representing the access rights. The user host then sends the request together with the certificate to the corresponding network storage device. The network storage device executes the operation only if it verifies that this operation really was authorized by the management server; if the operation is not authorized, it refuses to execute it. The integrity and authenticity of the certificate can be guaranteed by a key shared between the management server and the network storage device.
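The Fig. 1 exchange, written out as an added example (this is not code from the patent or from the applicant): the management server authenticates the host, checks the request against its security policy and issues a certificate whose tag is an HMAC under a key it shares with the target storage device; the storage device then verifies the tag, the device binding, the expiry and that the presented request matches what was certified before executing anything. All user names, passwords, policy entries and shared keys are constructed for the example, and the JSON/HMAC certificate encoding is one reasonable realization of the "certificate representing the access rights" that the text leaves unspecified.

```python
"""Added example of the management-server / storage-device certificate flow.

Constructed data throughout; the certificate format is an assumption, not the
patent's own. Run directly to see each party's decision.
"""
import hashlib
import hmac
import json

# Password verifiers held by the management server (constructed). A real
# deployment would use a slow password KDF; sha256 keeps the example short.
USER_DB = {"alice": hashlib.sha256(b"alice-demo-password").hexdigest()}
# Security policy: which operations each user may request on which device.
POLICY = {"alice": {"nas01": {"read"}}}
# Keys shared pairwise between the management server and each storage device;
# they are what let a device check that a certificate came from the server.
SHARED_KEYS = {"nas01": b"constructed-key-nas01", "nas02": b"constructed-key-nas02"}


def _canonical(body):
    """Deterministic encoding of the certificate body, so the MAC is stable."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class ManagementServer:
    def __init__(self, user_db, policy, shared_keys):
        self.user_db, self.policy, self.shared_keys = user_db, policy, shared_keys

    def authenticate(self, user, password):
        """Identity authentication of the user host (account/password)."""
        stored = self.user_db.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, given)

    def issue_certificate(self, user, password, device, op, path, now, ttl=60):
        """Return a certificate for the requested operation, or None if refused."""
        if not self.authenticate(user, password):
            return None
        if op not in self.policy.get(user, {}).get(device, set()):
            return None  # request is not legitimate under the security policy
        body = {"user": user, "device": device, "op": op, "path": path, "exp": now + ttl}
        tag = hmac.new(self.shared_keys[device], _canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class NetworkStorageDevice:
    def __init__(self, name, shared_key):
        self.name, self.key = name, shared_key

    def handle(self, request, certificate, now):
        """Execute the request only if the certificate proves it was authorized."""
        if certificate is None:
            return (False, "no certificate")
        body, tag = certificate["body"], certificate["tag"]
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return (False, "certificate tag invalid")      # forged or issued for another device
        if body["device"] != self.name:
            return (False, "certificate issued for another device")
        if now >= body["exp"]:
            return (False, "certificate expired")
        if (body["op"], body["path"]) != (request["op"], request["path"]):
            return (False, "request does not match certificate")
        return (True, "%s %s for %s" % (body["op"], body["path"], body["user"]))


def demo():
    """Walk the exchange once and return what each party decided."""
    server = ManagementServer(USER_DB, POLICY, SHARED_KEYS)
    nas01 = NetworkStorageDevice("nas01", SHARED_KEYS["nas01"])
    request = {"op": "read", "path": "/data/report.txt"}
    now = 1_000_000
    cert = server.issue_certificate("alice", "alice-demo-password", "nas01",
                                    request["op"], request["path"], now)
    # Host edits the certified operation but cannot recompute the tag.
    tampered = {"body": dict(cert["body"], op="write"), "tag": cert["tag"]}
    return {
        "bad_password": server.issue_certificate("alice", "guess", "nas01", "read", request["path"], now),
        "unpolicied_write": server.issue_certificate("alice", "alice-demo-password", "nas01",
                                                     "write", request["path"], now),
        "accepted": nas01.handle(request, cert, now + 5),
        "tampered": nas01.handle(dict(request, op="write"), tampered, now + 5),
        "expired": nas01.handle(request, cert, now + 600),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Because each device holds its own shared key, a certificate issued for nas01 fails the tag check on nas02 before the device-name comparison is even reached; the explicit device field is still kept in the body so that a deployment using one key for several devices would also reject replay across them.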
In some preferred schemes, a security mechanism is introduced into the storage nodes (that is, the network storage devices) of the decentralized data storage system. This mechanism plays a role similar to that of the biological immune system, protecting the data in the network from virus intrusion and from the damage caused by abnormal behavior. For example, a multilayer immune model is established for a NAS device based on an optimized Linux system, as shown in Fig. 2. The user authentication layer uses the restriction of account and password to stop unauthenticated users from entering the system. The file permission layer assigns different file access permissions to different users and rejects file operations the user is not authorized for; user operations that pass these two barriers carry the user's necessary information (that is, the user identification information), such as the user identifier (user id, uid) and group identifier (group id, gid). At the user tier layer, users are divided according to their identification information into "user tiers" such as read-only user, read-write user, administrator and system user; different users sit on different tiers, each tier holds a behavior pattern library of the legitimate, normal behavior of users of that rank, and a user's operation commands are dispatched, according to the tier information, to the corresponding tier for processing. The specific operating process is as follows:
the network storage device targeted by the access request judges, according to the file access permissions of the user host, whether the user host has operating permission (that is, determines that the access request has passed the user authentication layer and the file permission layer);
the network storage device targeted by the access request determines the user tier to which the user host belongs from the user identification information of the user host, obtains the user behavior corresponding to the access request from the behavior pattern library of the determined user tier, and operates accordingly.
In addition, an anomaly detection system can be arranged on each user tier. It mainly analyses the system call sequences of the user's command requests to distinguish "self" from "non-self": if the user behavior is identified as "self", it is allowed through the third barrier and executed by the system; if it is identified as "non-self", an immune response is triggered and execution is forbidden. That is, after the network storage device targeted by the access request obtains the user behavior corresponding to the access request, it must also identify whether the user behavior is "self", and operates accordingly only if it is.
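The three barriers of Fig. 2 on a single storage node, as an added example (not the patent's or the applicant's code): a POSIX-style file permission check, a user tier derived from uid/gid with a per-tier behavior pattern library, and a syscall-sequence anomaly detector that treats the fixed-length windows of system calls observed during normal operation as "self" and flags a request whose trace contains too many unseen windows as "non-self". The uid/gid-to-tier mapping, the ACL, the per-tier operation sets, the window length, the mismatch threshold and every syscall trace are constructed assumptions; the patent only says that tiers come from the identification information and that "self" is recognised from system call sequences.

```python
"""Added example of the multilayer immune model on one NAS node.

Tier mapping, ACL, behavior libraries, window length, threshold and traces are
all constructed for illustration; none of them come from the patent.
"""

R, W = 4, 2  # read/write bits of a POSIX rwx triplet

TIERS = ("read_only", "read_write", "administrator", "system")

# Behavior pattern library: the operations that are normal for each tier.
BEHAVIOR_PATTERNS = {
    "read_only": {"read", "list"},
    "read_write": {"read", "list", "write"},
    "administrator": {"read", "list", "write", "chmod"},
    "system": {"read", "list", "write", "chmod", "mount"},
}


def tier_for(uid, gid):
    """Constructed mapping from user identification information to a tier."""
    if uid == 0:
        return "system"
    if gid == 10:
        return "administrator"
    if gid == 100:
        return "read_write"
    return "read_only"


def mode_allows(owner_uid, owner_gid, mode, uid, gid, op):
    """File permission layer: owner/group/other check against the file mode."""
    need = R if op in ("read", "list") else W
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif gid == owner_gid:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bool(bits & need)


class SyscallSelfProfile:
    """Immune-style detector: k-length windows of syscalls seen in normal
    operation are 'self'; a trace with too many unseen windows is 'non-self'."""

    def __init__(self, k=3, threshold=0.25):
        self.k, self.threshold, self.self_windows = k, threshold, set()

    def _windows(self, trace):
        return [tuple(trace[i:i + self.k]) for i in range(len(trace) - self.k + 1)]

    def train(self, trace):
        """Add the windows of a known-normal trace to the self set."""
        self.self_windows.update(self._windows(trace))

    def mismatch_rate(self, trace):
        windows = self._windows(trace)
        if not windows:
            return 0.0
        return sum(w not in self.self_windows for w in windows) / len(windows)

    def is_self(self, trace):
        return self.mismatch_rate(trace) <= self.threshold


class StorageNode:
    def __init__(self, acl):
        self.acl = acl  # path -> (owner_uid, owner_gid, mode)
        self.profiles = {t: SyscallSelfProfile() for t in TIERS}  # one detector per tier

    def authorize(self, uid, gid, op, path, syscalls):
        """Return (allowed, barrier that decided, reason) for an authenticated host."""
        entry = self.acl.get(path)
        if entry is None or not mode_allows(*entry, uid, gid, op):
            return (False, "file_permission", "no %s permission on %s" % (op, path))
        tier = tier_for(uid, gid)
        if op not in BEHAVIOR_PATTERNS[tier]:
            return (False, "user_tier", "%s is not in the %s behavior library" % (op, tier))
        if not self.profiles[tier].is_self(syscalls):
            return (False, "anomaly_detection", "non-self syscall sequence")
        return (True, "anomaly_detection", "self; execute %s %s as %s" % (op, path, tier))


def demo():
    """Run a few constructed requests through the three barriers."""
    node = StorageNode({"/data/report.txt": (1001, 100, 0o644)})
    # Constructed normal traces used to train the per-tier self profiles.
    for trace in (["open", "fstat", "read", "read", "close"], ["open", "read", "close"]):
        node.profiles["read_only"].train(trace)
    node.profiles["read_write"].train(["open", "write", "fsync", "close"])
    path = "/data/report.txt"
    return {
        "reader_ok": node.authorize(2001, 200, "read", path, ["open", "fstat", "read", "read", "close"]),
        "reader_write": node.authorize(2001, 200, "write", path, ["open", "write", "close"]),
        "owner_write": node.authorize(1001, 100, "write", path, ["open", "write", "fsync", "close"]),
        "owner_chmod": node.authorize(1001, 100, "chmod", path, ["chmod"]),
        "reader_anomaly": node.authorize(2001, 200, "read", path,
                                         ["open", "read", "mprotect", "execve", "close"]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

A tier whose profile was never trained rejects every non-trivial trace, so the detector fails closed for the administrator and system tiers here; whether that is the right default in a real node depends on how complete the training corpus for each tier is, which is exactly where the threshold and window length would need tuning.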
Embodiment 2
This embodiment provides a data center comprising at least one management server and a plurality of network storage devices.
The management server authenticates the identity of a user host that initiates an access request;
each network storage device, when a user host that initiates an access request to this network storage device has passed identity authentication, judges whether the access request is an authorized operation and, when it is, processes it accordingly.
Specifically, the network storage device further comprises: a file access permission processing unit, which judges, according to the file access permissions of a user host that has passed identity authentication, whether the user host has operating permission;
and a user tier processing unit, which, when the user host has operating permission, determines the user tier to which the user host belongs from the user identification information of the user host (such as a user identifier and/or a group identifier), obtains the user behavior corresponding to the access request from the behavior pattern library of the determined user tier, and operates accordingly.
In this embodiment the user tiers comprise read-only user, read-write user, administrator, system user and the like.
Some schemes further propose that, after the network storage device obtains the user behavior corresponding to the access request, it identifies whether the user behavior is "self" and operates accordingly only when the user behavior is identified as "self".
It should be noted that the data center provided by this embodiment can be accessed by the method of Embodiment 1 above; for other operational details of the data center of this embodiment, refer to the corresponding content of Embodiment 1, which is not repeated here.
The above are only preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. An access method for a data center, characterized in that:
when the data center receives an access request initiated by a user host, a management server of the data center authenticates the identity of the user host;
if the user host passes identity authentication, the network storage device targeted by the access request judges whether the access request is an authorized operation and, if it is, processes it accordingly.
2. The method of claim 1, characterized in that the step in which the network storage device targeted by the access request judges whether the access request is an authorized operation and, if so, processes it accordingly comprises:
the network storage device targeted by the access request judges, according to the file access permissions of the user host, whether the user host has operating permission;
if the user host has operating permission, the network storage device targeted by the access request determines the user tier to which the user host belongs from the user identification information of the user host, obtains the user behavior corresponding to the access request from the behavior pattern library of the determined user tier, and operates accordingly.
3. The method of claim 2, characterized in that the user identification information comprises a user identifier and/or a group identifier.
4. The method of claim 2, characterized in that the user tiers comprise: read-only user, read-write user, administrator and system user.
5. The method of any one of claims 2 to 4, characterized in that, after the network storage device targeted by the access request obtains the user behavior corresponding to the access request, the method further comprises:
identifying whether the user behavior is "self";
if the user behavior is identified as "self", operating accordingly.
6. A data center comprising at least one management server and a plurality of network storage devices, characterized in that:
the management server authenticates the identity of a user host that initiates an access request;
each network storage device, when a user host that initiates an access request to this network storage device has passed identity authentication, judges whether the access request is an authorized operation and, when it is, processes it accordingly.
7. The data center of claim 6, characterized in that the network storage device comprises:
a file access permission processing unit, which judges, according to the file access permissions of a user host that has passed identity authentication, whether the user host has operating permission;
a user tier processing unit, which, when the user host has operating permission, determines the user tier to which the user host belongs from the user identification information of the user host, obtains the user behavior corresponding to the access request from the behavior pattern library of the determined user tier, and operates accordingly.
8. The data center of claim 7, characterized in that the user identification information comprises a user identifier and/or a group identifier.
9. The data center of claim 7, characterized in that the user tiers comprise: read-only user, read-write user, administrator and system user.
10. The data center of any one of claims 7 to 9, characterized in that, after the network storage device obtains the user behavior corresponding to the access request, it further identifies whether the user behavior is "self" and operates accordingly when the user behavior is identified as "self".

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201410648036.0A | 2014-11-14 | 2014-11-14 | Data center and access method thereof

Publications (1)

Publication Number | Publication Date
CN104363229A (en) | 2015-02-18

Family

ID=52530455

Country Status (1)

Country | Link
CN (1) | CN104363229A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104702620A (en) * 2015-03-26 2015-06-10 浪潮集团有限公司 Website protection method based on file mandatory access control
CN108140038A (en) * 2015-10-02 2018-06-08 微软技术许可有限责任公司 Across data center interactive operation and communication
CN110770731A (en) * 2017-06-28 2020-02-07 苹果公司 Authorization system
US11777798B2 (en) 2015-05-01 2023-10-03 Microsoft Technology Licensing, Llc Cloud-mastered settings

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060106936A1 (en) * 2002-11-15 2006-05-18 Marco De Luca Device and method for centralized data management and a access control to databases
CN101382919A (en) * 2007-09-05 2009-03-11 北京明朝万达科技有限公司 Storage data isolating method based on identity
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
CN101917438A (en) * 2010-08-23 2010-12-15 浪潮(北京)电子信息产业有限公司 Access control method and system in network communication system
US20110289561A1 (en) * 2010-05-21 2011-11-24 IVANOV Andrei System and Method for Information Handling System Multi-Level Authentication for Backup Services

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孙照焱: "基于生物免疫机制的附网存储关键技术研究", 《中国优秀博硕士学位论文全文数据库 (博士) 信息科技辑》 *
张继征,贾惠波: "柔性网络化数据存储中心", 《计算机工程》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11663310B2 (en) 2017-06-28 2023-05-30 Apple Inc. Entitlement system
CN110770731B (en) * 2017-06-28 2023-11-28 苹果公司 Authorization system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150218