CN105183799B - Authority management method and client - Google Patents


Info

Publication number
CN105183799B
CN105183799B
Authority
CN
China
Prior art keywords
file
module
user
operated
data information
Prior art date
Legal status
Active
Application number
CN201510527526.XA
Other languages
Chinese (zh)
Other versions
CN105183799A (en)
Inventor
吕强
李雪生
张延良
Current Assignee
Suzhou Wave Intelligent Technology Co Ltd
Original Assignee
Suzhou Wave Intelligent Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Suzhou Wave Intelligent Technology Co Ltd
Priority to CN201510527526.XA
Publication of CN105183799A
Application granted
Publication of CN105183799B
Legal status: Active

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/18File system types
    • G06F16/188Virtual file systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for managing authority and a client. The method is applied to the client, the client comprises a kernel module and a VFS module, and the method comprises the following steps: the VFS module acquires a file operation request of a user for a file to be operated; the VFS module determines whether the kernel module can acquire ACL data information, the ACL data information recording the relevant information of the operation authority of the file to be operated; when it determines that the kernel module can acquire ACL data information, the VFS module triggers the kernel module to acquire the ACL data information of the file to be operated; the kernel module acquires the ACL data information of the file to be operated, verifies the authority of the user and sends a verification result to the VFS module; and the VFS module processes the file operation request according to the verification result. The invention realizes effective management of user authority and ensures the security of the file system.

Description

Authority management method and client
Technical Field
The present invention relates to the field of file system technologies, and in particular, to a method and a client for managing permissions.
Background
In a distributed file system, the physical storage resources managed by the file system are distributed across multiple nodes connected by a computer network. The distributed file system is based on a client/server model, including a client side and a server side. The server side comprises a metadata server and a data block server, wherein the data block server is used for storing actual data of the file; the metadata server is used as a central node of the distributed file system and is used for storing metadata of files, including information such as the size and the creation date of the files and the positions of the file data stored in the data servers, coordinating the data block servers and ensuring the load balance of the data block servers.
User rights management is a very important part of a file system. In general, the users of a file or directory can be classified into the owner of the directory or file, the group the file belongs to, and other users. For security reasons, different users should have different operation permissions for different files, so for a distributed file system, designing reasonable and effective user permission management plays a critical role in ensuring the security of the distributed file system. In the prior art, user rights are generally managed at the client. The client comprises a user mode module, a VFS module and a kernel module. The VFS module of the client acquires a file operation request of a user for a file to be operated and triggers the user mode module, through the kernel module, to acquire ACL data information. The user mode module acquires the ACL data information of the file to be operated from the server side; after acquiring it, the user mode module verifies the authority of the user according to the acquired ACL data information and sends the verification result to the VFS module through the kernel module.
In the prior art, when a client processes a file operation of a user, a certain file operation needs to be divided into multiple parts. For example, when a user needs to perform a write operation, the amount of data the client can write at one time is limited, so when the data to be written by the user is large, it needs to be divided into a plurality of data segments and written in units of data segments. The client manages the user authority through the user mode module; the user mode module handles the user mode process of the client, while the VFS module handles the kernel mode process of the client, so the user mode module and the VFS module run at different operation levels. Therefore, when data is written and the VFS module writes data segments, the user authority must be verified for each data segment. That is, for each data segment, the VFS module needs to trigger the user mode module, through the kernel module, to acquire the ACL data information of the file to be operated; the user mode module acquires the corresponding ACL data information from the server side, verifies the user authority to detect whether the user has the authority to read the file to be operated, and sends the verification result to the VFS module. Because the user mode module and the VFS module are at different operation levels, when a user needs to write the file to be operated, the user mode module needs to obtain the corresponding ACL data information from the server side through this process and verify the user authority to detect whether the user has the authority to write the file to be operated, and then sends the verification result to the VFS module. When the verification result shows that the user has the write operation right, the VFS module writes the data segment into the file to be operated.
Therefore, when the method is used for writing data divided into a plurality of data segments, the user permission needs to be checked for the writing operation of each data segment, and the method for realizing permission management is not flexible enough, has redundant operation and wastes resources of a client.
Disclosure of Invention
In order to solve the technical problems, the invention provides a method for managing the authority and a client, which can flexibly and effectively manage the user authority, ensure the security of a file system and reduce the resource waste of the client.
In order to achieve the object of the present invention, the present invention provides a method for rights management, which is applied to a client, where the client includes a kernel module and a virtual file system (VFS) module, and the method includes: the VFS module acquires a file operation request of a user for a file to be operated; the VFS module determines whether the kernel module can acquire ACL data information, the ACL data information recording the relevant information of the operation authority of the file to be operated; when it determines that the kernel module can acquire ACL data information, the VFS module triggers the kernel module to acquire the ACL data information of the file to be operated; the kernel module acquires the ACL data information of the file to be operated, verifies the authority of the user and sends a verification result to the VFS module; and the VFS module processes the file operation request according to the verification result.
Optionally, the client further includes: a user mode module; the obtaining, by the kernel module, ACL data information of the file to be operated includes: and the kernel module acquires the ACL data information of the file to be operated through the user mode module.
Optionally, the VFS module, according to the verification result, processing the file operation request includes: and when the verification result indicates that the user has the right of performing file operation on the file to be operated, the VFS module processes the file to be operated according to the file operation request.
Optionally, the VFS module, according to the verification result, processing the file operation request further includes: and when the verification result indicates that the user does not have the authority of performing file operation on the file to be operated, the VFS module does not process the file operation request and returns a message of operation failure to the user.
Optionally, before the VFS module obtains a file operation request of a user for a file to be operated, the method further includes: the kernel module sends the VFS module information indicating that the kernel module is provided with the function of acquiring ACL data information.
Further, an embodiment of the present invention provides a client, which at least includes a virtual file system (VFS) module and a kernel module; the VFS module is used for acquiring a file operation request of a user for a file to be operated, determining whether the kernel module can acquire ACL data information (the ACL data information recording the relevant information of the operation authority of the file to be operated), and processing the file operation request according to the verification result; and the kernel module is used for acquiring the ACL data information of the file to be operated, verifying the authority of the user and sending a verification result to the VFS module.
Optionally, the client further includes: a user mode module; the kernel module is specifically configured to obtain ACL data information of the file to be operated through the user mode module; and the user mode module is used for acquiring ACL data information of the file to be operated from the server side under the triggering of the kernel module.
Optionally, when the verification result shows that the user has the right to perform the file operation on the file to be operated, the VFS module is further configured to process the file to be operated according to the file operation request.
Optionally, when the verification result shows that the user does not have the right to perform the file operation on the file to be operated, the VFS module is further configured to not process the file operation request, and return a message of operation failure to the user.
Optionally, the kernel module is further configured to send the VFS module information indicating that the kernel module is provided with the function of acquiring ACL data information.
Compared with the prior art, the method is applied to a client comprising a kernel module and a Virtual File System (VFS) module, and comprises the following steps: the VFS module acquires a file operation request of a user for a file to be operated; the VFS module determines whether the kernel module can acquire ACL data information, the ACL data information recording the relevant information of the operation authority of the file to be operated; when it determines that the kernel module can acquire ACL data information, the VFS module triggers the kernel module to acquire the ACL data information of the file to be operated; the kernel module acquires the ACL data information of the file to be operated, verifies the authority of the user and sends a verification result to the VFS module; and the VFS module processes the file operation request according to the verification result. Therefore, when a user accesses the distributed file system, the kernel module in the client first checks the authority of the user and determines whether the user has the authority to perform the corresponding file operation on the file to be operated, and the VFS module in the client processes the file operation request of the user according to the verification result of the kernel module. Because the VFS module and the kernel module have the same operation level, when the kernel module checks the user permission according to the ACL data information and the operation on a certain file is divided into multiple parts, the user permission needs to be checked only once rather than multiple times; the user permission is thus managed flexibly and effectively, the security of the file system is ensured, and the resource waste of the client is reduced.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification; they illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention and not to limit the invention.
Fig. 1 is a flowchart illustrating a method for rights management according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating another method for rights management according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a client according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of another client according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
The steps illustrated in the flow charts of the figures may be performed in a computer system such as a set of computer-executable instructions. Also, while a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than here.
The embodiment of the invention provides a method for managing authority, which is applied to a client, wherein the client comprises a kernel module and a Virtual File System (VFS) module. The method, as shown in fig. 1, includes:
step 101, a VFS module acquires a file operation request of a file to be operated by a user.
Specifically, when a user needs to perform a file operation on a file to be operated, a file operation request is sent to the VFS module of the client, and the VFS module receives it. The file operation request may carry identification information of the user, from which the VFS module can determine which user requests the operation on the file to be operated, that is, the user type of the user.
The file operation refers to an operation which needs to be performed by a user on a file to be operated. For example, there may be an access operation, a write operation, a delete operation, and the like.
Further, the file operation request carries a file identifier of the file to be operated.
The file identifier is an identifier capable of uniquely identifying a file.
In all embodiments of the present invention, the VFS module and the kernel module both process the kernel process of the client, and belong to the same level.
And step 102, the VFS module determines whether the kernel module can acquire ACL data information.
The ACL data information records the relevant information of the operation authority of the file to be operated. That is, the ACL data information records the operation authority that different users have on the file to be operated. For example, when the operating system of the client is a Linux operating system, the users who operate files may be divided into the file owner of the file to be operated, the group the file belongs to, and other users. The ACL data information then records the operation authority of the file owner of the file to be operated, the operation authority of the group the file belongs to, and the operation authority of other users.
Specifically, after receiving a file operation request sent by a user, the VFS module needs to determine whether the user has the right to operate the file to be operated. The information related to the operation authority of the file to be operated is stored in the ACL data information, but the VFS module cannot directly acquire the ACL data information and verify the authority of the user. When the kernel module is configured with a function of acquiring ACL data information, the authority of the user can be verified, so the VFS module needs to determine whether the kernel module can acquire the ACL data information. That is, the VFS module needs to determine whether the kernel module is configured with a function of acquiring ACL data information.
Step 103, when the kernel module is determined to be capable of acquiring the ACL data information, the VFS module triggers the kernel module to acquire the ACL data information of the file to be operated.
Specifically, when determining that the kernel module can acquire the ACL data information, the VFS module sends a trigger message to the kernel module, so that the kernel module acquires the ACL data information of the file to be operated after receiving the trigger message.
The trigger message carries a file identifier, identification information of the user, and information of the file operation required by the user.
And step 104, the kernel module acquires ACL data information of the file to be operated, verifies the authority of the user and sends a verification result to the VFS module.
Specifically, after receiving the trigger message, the kernel module may parse the trigger message to obtain the file identifier, the identifier information of the user, and the information of the file operation that the user needs to perform. And then, obtaining the ACL data information of the file to be operated according to the file identification. After obtaining the ACL data information, the ACL data information can be analyzed, and the operation permissions corresponding to different types of users recorded in the ACL data information are obtained. In this way, the kernel module performs permission verification on the user sending the file operation request according to the ACL data information, the identification information of the user analyzed from the trigger message and the information of the file operation required by the user, so as to determine whether the user sending the file operation request has the permission to perform corresponding file operation on the file. And sends the verification results to the VFS module.
It should be noted that, when the ACL data information is stored in a storage device accessible to the kernel module, the kernel module may access the storage device according to the file identifier and obtain the ACL data information of the file to be operated from the storage device.
Furthermore, the ACL data information is usually stored on the server side, and in that case the kernel module cannot directly obtain the required ACL data information from the server side. The client then further includes a user mode module, and the obtaining, by the kernel module, of the ACL data information of the file to be operated includes: the kernel module acquires the ACL data information of the file to be operated through the user mode module.
That is to say, when the kernel module needs to acquire the ACL data information, the kernel module may send a request message for acquiring the ACL data information to the user mode module, where the request message carries the file identifier. After receiving the request message for obtaining the ACL data information, the user mode module may send the request message carrying the file identifier for obtaining the ACL data information to the server. And the server side acquires corresponding ACL data information from the storage space in which the ACL data information is stored according to the file identification, and sends the ACL data information to a user mode module of the client side. And after receiving the ACL data information corresponding to the file identification, the user mode module of the client sends the ACL data information corresponding to the file identification to the kernel module. And the kernel module receives ACL data information corresponding to the file identifier returned by the user mode module.
And 105, the VFS module processes the file operation request according to the verification result.
Specifically, after receiving the verification result returned by the kernel module, the VFS module processes the file operation request according to it. Because the verification result can take two values, the VFS module handles the file operation request differently depending on the verification result, as follows:
and when the verification result shows that the user has the authority of performing file operation on the file to be operated, the VFS module processes the file to be operated according to the file operation request. That is, when the verification result shows that the user has the right to perform the file operation on the file to be operated, the VFS module may perform the corresponding file operation on the file to be operated according to the file operation that the user needs to perform. For example, the user needs to perform an access operation on the file to be operated, and when the verification result shows that the user has the authority to perform the access operation on the file to be operated, the VFS module may perform the access operation on the file to be operated.
When the verification result shows that the user does not have the authority to perform the file operation on the file to be operated, the VFS module does not process the file operation request and returns a message of operation failure to the user. That is, when the verification result shows that the user does not have the right to perform the file operation on the file to be operated, the VFS module may leave the file operation request sent by the user unprocessed and send a message of operation failure to the user. Further, the operation failure message includes the failure reason. For example, the user needs to write the file to be operated, and when the verification result shows that the user does not have the right to write the file to be operated, the VFS module may leave the user's write request unprocessed and return a message of operation failure to the user; the operation failure message carries the failure reason, namely that the user does not have the authority to write the file to be operated.
Illustratively, a user needs to write data A into file 1 to be operated, and sends a write operation request for file 1 to the client. The write operation request includes the data A to be written. The VFS module of the client receives the user's write operation request for file 1. The VFS module needs to confirm whether the kernel module can obtain ACL data information. When it determines that the kernel module can obtain the ACL data information, it sends a trigger message to the kernel module to trigger the kernel module to obtain the ACL data information of file 1. The trigger message carries the file identifier of file 1, the identification information of the user and the information that the user needs to write file 1. After receiving the trigger message, the kernel module may obtain the ACL data information of file 1 through the user mode module. After the ACL data information of file 1 is obtained through the user mode module, it can be parsed to obtain the operation permissions corresponding to the different types of users of file 1 that it records. The kernel module then verifies the authority of the user according to the identification information of the user and the information of the required write operation carried in the trigger message, so as to determine whether the user has write permission on file 1.
When it is determined that the user has write permission on file 1, the kernel module sends the VFS module a verification result showing that the user has the authority to perform the file operation on the file to be operated, and the VFS module can write the user's data A according to the verification result. When data A is written, it needs to be divided into 3 data segments because of the limit on the size of data written at once. Because the VFS module and the kernel module belong to the same operation level, once the kernel module has verified the user permission, the VFS module writes the 3 data segments directly into file 1 one after another. The user authority does not need to be verified once for each data segment written, so the user authority is managed flexibly and effectively, the operation is simple, and the resource waste of the client is reduced.
The embodiment of the invention provides a method for managing authority, which is applied to a client comprising a kernel module and a Virtual File System (VFS) module, and which comprises the following steps: the VFS module acquires a file operation request of a user for a file to be operated; the VFS module determines whether the kernel module can acquire ACL data information, the ACL data information recording the relevant information of the operation authority of the file to be operated; when it determines that the kernel module can acquire ACL data information, the VFS module triggers the kernel module to acquire the ACL data information of the file to be operated; the kernel module acquires the ACL data information of the file to be operated, verifies the authority of the user and sends a verification result to the VFS module; and the VFS module processes the file operation request according to the verification result. Therefore, when a user accesses the distributed file system, the kernel module in the client first checks the authority of the user and determines whether the user has the authority to perform the corresponding file operation on the file to be operated, and the VFS module in the client processes the file operation request of the user according to the verification result of the kernel module. Because the VFS module and the kernel module have the same operation level, when the kernel module checks the user permission according to the ACL data information and the operation on a certain file is divided into multiple parts, the user permission needs to be checked only once rather than multiple times; the user permission is thus managed flexibly and effectively, the security of the file system is ensured, and the resource waste of the client is reduced.
The embodiment of the invention provides a method for managing authority, which is applied to a client, wherein the client comprises a kernel module and a Virtual File System (VFS) module, and the method comprises the following steps as shown in figure 2:
Step 201, the kernel module sends the VFS module information indicating that the kernel module is provided with the function of obtaining ACL data information.
Specifically, in the embodiment of the present invention, after obtaining the ACL data information, the kernel module verifies the authority of the user according to it, so a function of obtaining ACL data information needs to be preset in the kernel module. After receiving a file operation request sent by a user, the VFS module needs to determine whether the kernel module has the function of acquiring ACL data information; therefore, once the kernel module has finished setting up that function, it can send the relevant information about it to the VFS module. In this way, when determining whether the kernel module has the function of acquiring ACL data information, the VFS module may check whether it has received the relevant information sent by the kernel module indicating that the kernel module is provided with the function of acquiring ACL data information. If the relevant information is not found, the kernel module does not have the function of acquiring ACL data information; if it is found, the kernel module has the function of acquiring ACL data information.
Furthermore, an ACL function can be set in the kernel module so that it can be called whenever ACL data information needs to be acquired. Since the VFS module provides an ACL hook function, the kernel module can register its ACL function into the ACL hook function of the VFS module after the ACL function is set. The VFS module can then determine whether the kernel module has the function of acquiring ACL data information as follows: the VFS module determines, through the ACL hook function, whether the kernel module has an ACL function.
The ACL function in this step is used to obtain ACL data information.
Step 202, the VFS module obtains a file operation request of a user for a file to be operated.
Specifically, refer to step 101, which is not described herein again.
Step 203, the VFS module determines whether the kernel module can obtain ACL data information.
The ACL data information records the relevant information of the operation authority of the file to be operated.
Specifically, refer to step 102 and step 201, which are not described herein again.
Step 204, when it is determined that the kernel module can acquire the ACL data information, the VFS module triggers the kernel module to acquire the ACL data information of the file to be operated.
Specifically, refer to step 103, which is not described herein again.
Step 205, the kernel module acquires the ACL data information of the file to be operated, verifies the authority of the user, and sends the verification result to the VFS module.
Specifically, refer to step 104, which is not described herein again.
Step 206, the VFS module processes the file operation request according to the verification result.
Specifically, refer to step 105, which is not described herein again.
The embodiment of the invention provides a method for managing authority, which is applied to a client, wherein the client comprises a kernel module and a Virtual File System (VFS) module, and the method comprises the following steps: the VFS module acquires a file operation request of a user for a file to be operated; the VFS module determines whether the kernel module can acquire ACL data information, the ACL data information recording the relevant information of the operation authority of the file to be operated; when it is determined that the kernel module can acquire the ACL data information, the VFS module triggers the kernel module to acquire the ACL data information of the file to be operated; the kernel module acquires the ACL data information of the file to be operated, verifies the authority of the user and sends a verification result to the VFS module; and the VFS module processes the file operation request according to the verification result. Therefore, when a user accesses the distributed file system, the kernel module in the client first checks the authority of the user and determines whether the user has the authority to perform the corresponding file operation on the file to be operated, and the VFS module in the client processes the file operation request of the user according to the verification result of the kernel module. Because the VFS module and the kernel module run at the same operation level, when the kernel module checks the user permission according to the ACL data information, an operation on a file that is split into multiple steps needs only a single check instead of repeated checks, so the user permission is managed flexibly and effectively, the safety of the file system is ensured, and the resource waste of the client is reduced.
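As an added example (not the patent's own code), the following C model in user space plays through steps 201 to 206 and the ACL hook registration described above: the kernel module registers its ACL function into the VFS module's hook, the VFS module triggers the check only when a hook is registered, and the kernel module verifies the owner, group and other-user permissions from the ACL data. The struct layouts, the operation bit encoding, the sample ACL lookup standing in for the user mode module, and the fail-closed result when no ACL data can be acquired are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Operation bits carried in a file operation request (assumed encoding;
 * the page only names the deleting operation explicitly). */
enum { OP_EXEC = 1, OP_WRITE = 2, OP_READ = 4, OP_DELETE = 8 };

/* ACL data for one file: the three user classes the page names (file owner,
 * owning group, other users) and the operations granted to each class. */
struct acl_data {
    uint32_t owner_uid, group_gid;
    unsigned owner_perm, group_perm, other_perm;
};

/* Trigger message from the VFS module to the kernel module: file identifier,
 * user identification information and the requested file operation. */
struct trigger_msg { uint32_t file_id, uid, gid; unsigned op; };

enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1, VERDICT_UNAVAILABLE = 2 };

/* ACL hook function provided by the VFS module. It stays NULL until the kernel
 * module registers its ACL function; a registered hook is the "relevant
 * information" telling the VFS module that ACL data can be acquired. */
typedef int (*acl_fn_t)(uint32_t file_id, struct acl_data *out);
static acl_fn_t acl_hook = NULL;
void vfs_register_acl_function(acl_fn_t fn) { acl_hook = fn; }

/* Kernel-module side (step 205): select the permission set for the user's
 * class and verify that every requested operation bit is granted. */
static enum verdict kernel_verify(const struct trigger_msg *m, const struct acl_data *a)
{
    unsigned perm = a->other_perm;
    if (m->uid == a->owner_uid)
        perm = a->owner_perm;
    else if (m->gid == a->group_gid)
        perm = a->group_perm;
    return (m->op & ~perm) == 0 ? VERDICT_ALLOW : VERDICT_DENY;
}

/* VFS-module side (steps 203 to 206). The page does not say what happens when
 * the kernel module cannot acquire ACL data; this model fails closed and
 * reports the request as unverifiable rather than allowing it (assumption). */
enum verdict vfs_handle_request(uint32_t file_id, uint32_t uid, uint32_t gid, unsigned op)
{
    struct trigger_msg m = { file_id, uid, gid, op };
    struct acl_data acl;
    if (acl_hook == NULL || acl_hook(file_id, &acl) != 0)
        return VERDICT_UNAVAILABLE;
    return kernel_verify(&m, &acl);
}

/* Constructed stand-in for the user mode module fetching ACL data from the
 * server: one file (id 42) owned by uid 1000 / gid 100; the owner may read,
 * write and delete, the group may only read, other users get nothing. */
int sample_acl_lookup(uint32_t file_id, struct acl_data *out)
{
    if (file_id != 42)
        return -1;
    out->owner_uid = 1000;
    out->group_gid = 100;
    out->owner_perm = OP_READ | OP_WRITE | OP_DELETE;
    out->group_perm = OP_READ;
    out->other_perm = 0;
    return 0;
}
```

Because the verdict is computed once per request from the ACL data the kernel module fetched, a multi-step operation on the same file can reuse that single result instead of re-checking at each step.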
An embodiment of the present invention provides a client, as shown in fig. 3, including at least a Virtual File System (VFS) module 301 and a kernel module 302.
The VFS module 301 is configured to obtain a file operation request of a user for a file to be operated, determine whether the kernel module 302 can obtain ACL data information, and process the file operation request according to the verification result.
The ACL data information records the relevant information of the operation authority of the file to be operated.
The kernel module 302 is configured to obtain ACL data information of a file to be operated, check the authority of the user, and send a check result to the VFS module 301.
Specifically, when the verification result shows that the user has the right to perform the file operation on the file to be operated, the VFS module 301 processes the file to be operated according to the file operation request.
When the verification result shows that the user does not have the authority to perform the file operation on the file to be operated, the VFS module 301 does not process the file operation request, and returns a message of operation failure to the user.
Further, as shown in fig. 4, the client further includes a user mode module 303.
In this case, the kernel module 302 is specifically configured to obtain the ACL data information of the file to be operated through the user mode module 303.
The user mode module 303 is configured to obtain the ACL data information of the file to be operated from the server side when triggered by the kernel module 302.
Further, the kernel module 302 is further configured to send to the VFS module 301 information indicating that the kernel module 302 is provided with the function of obtaining the ACL data information.
The embodiment of the invention provides a client in which: the VFS module acquires a file operation request of a user for a file to be operated; the VFS module determines whether the kernel module can acquire ACL data information, the ACL data information recording the relevant information of the operation authority of the file to be operated; when it is determined that the kernel module can acquire the ACL data information, the VFS module triggers the kernel module to acquire the ACL data information of the file to be operated; the kernel module acquires the ACL data information of the file to be operated, verifies the authority of the user and sends a verification result to the VFS module; and the VFS module processes the file operation request according to the verification result. Therefore, when a user accesses the distributed file system, the kernel module in the client first checks the authority of the user and determines whether the user has the authority to perform the corresponding file operation on the file to be operated, and the VFS module in the client processes the file operation request of the user according to the verification result of the kernel module. Because the VFS module and the kernel module run at the same operation level, when the kernel module checks the user permission according to the ACL data information, an operation on a file that is split into multiple steps needs only a single check instead of repeated checks, so the user permission is managed flexibly and effectively, the safety of the file system is ensured, and the resource waste of the client is reduced.
Although the embodiments of the present invention have been described above, the above description is only for the convenience of understanding the present invention, and is not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A method for managing authority is applied to a client, the client comprises a kernel module and a Virtual File System (VFS) module, the kernel module and the VFS module are in the same operation level, and the method comprises the following steps:
the VFS module obtains a file operation request of a user for a file to be operated, wherein the file operation comprises a deleting operation; the file operation request carries identification information of the user, so that the VFS module can determine from the identification information which user is to operate on the file to be operated, namely determine the user type of the user; the file operation request also carries a file identifier of the file to be operated, the file identifier being an identifier capable of uniquely marking the file;
the VFS module determines whether the kernel module can acquire ACL data information; the ACL data information records the relevant information of the operation authority of the file to be operated, that is, the ACL data information records the operation authority that different users have over the file to be operated, and the users of the file to be operated are divided into the file owner of the file to be operated, the group to which the file belongs, and other users;
when determining that the kernel module can obtain the ACL data information, the VFS module triggers the kernel module to obtain the ACL data information of the file to be operated and sends a triggering message to the kernel module, wherein the triggering message carries the file identifier, the identification information of the user and information on the file operation required by the user;
the kernel module acquires the ACL data information of the file to be operated, verifies the authority of the user and sends a verification result to the VFS module; and
the VFS module processes the file operation request according to the verification result.
2. The method of rights management of claim 1, wherein the client further comprises: a user mode module;
the obtaining, by the kernel module, ACL data information of the file to be operated includes:
and the kernel module acquires the ACL data information of the file to be operated through the user mode module.
3. The method of rights management according to claim 1 or 2, wherein the VFS module processing the file operation request according to the verification result comprises:
and when the verification result indicates that the user has the right of performing file operation on the file to be operated, the VFS module processes the file to be operated according to the file operation request.
4. The method of claim 3, wherein the VFS module processes the file operation request according to the verification result further comprises:
and when the verification result indicates that the user does not have the authority of performing file operation on the file to be operated, the VFS module does not process the file operation request and returns a message of operation failure to the user.
5. The method for managing authority according to claim 4, wherein, before the VFS module obtains the file operation request of the user for the file to be operated, the method further comprises:
the kernel module sending to the VFS module information indicating that the kernel module is provided with the function of acquiring ACL data information.
6. A client, characterized in that it comprises at least: the system comprises a Virtual File System (VFS) module and a kernel module, wherein the kernel module and the VFS module have the same operation level; wherein,
the VFS module is used for acquiring a file operation request of a user for a file to be operated, wherein the file operation comprises a deleting operation; the file operation request carries identification information of the user, so that the VFS module can determine from the identification information which user is to operate on the file to be operated, namely determine the user type of the user; the file operation request also carries a file identifier of the file to be operated, the file identifier being an identifier capable of uniquely marking the file; determining whether the kernel module can acquire ACL data information; the ACL data information records the relevant information of the operation authority of the file to be operated, that is, the ACL data information records the operation authority that different users have over the file to be operated, and the users of the file to be operated are divided into the file owner of the file to be operated, the group to which the file belongs, and other users; when determining that the kernel module can obtain the ACL data information, the VFS module triggers the kernel module to obtain the ACL data information of the file to be operated and sends a triggering message to the kernel module, wherein the triggering message carries the file identifier, the identification information of the user and information on the file operation required by the user; and processing the file operation request according to a verification result;
and the kernel module is used for acquiring ACL data information of the file to be operated, verifying the authority of the user and sending a verification result to the VFS module.
7. The client of claim 6, further comprising: a user mode module;
the kernel module is specifically configured to obtain ACL data information of the file to be operated through the user mode module;
and the user mode module is used for acquiring ACL data information of the file to be operated from the server side under the triggering of the kernel module.
8. The client according to claim 6 or 7,
and when the verification result shows that the user has the right of performing file operation on the file to be operated, the VFS module is further used for processing the file to be operated according to the file operation request.
9. The client of claim 8,
and when the verification result shows that the user does not have the authority of performing file operation on the file to be operated, the VFS module is also used for not processing the file operation request and returning a message of operation failure to the user.
10. The client of claim 9,
the kernel module is further configured to send to the VFS module information indicating that the kernel module is provided with the function of acquiring ACL data information.
CN201510527526.XA 2015-08-25 2015-08-25 Authority management method and client Active CN105183799B (en)

Publications (2)

Publication Number Publication Date
CN105183799A CN105183799A (en) 2015-12-23
CN105183799B true CN105183799B (en) 2019-12-24


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20191125

Address after: 215100 Building 9, No.1, guanpu Road, Guoxiang street, Wuzhong Economic Development Zone, Wuzhong District, Suzhou City, Jiangsu Province

Applicant after: Suzhou Wave Intelligent Technology Co., Ltd.

Address before: 100085 Beijing, Haidian District on the road to information on the ground floor, building 2-1, No. 1, C

Applicant before: Tide (Beijing) Electronic Information Industry Co., Ltd.

GR01 Patent grant
GR01 Patent grant