CN105608149A

CN105608149A - Relational database-based data space access method

Info

Publication number: CN105608149A
Application number: CN201510956592.9A
Authority: CN
Inventors: 潘颖; 元昌安; 李政奇; 黎珍利
Original assignee: Guangxi Teachers College
Current assignee: Guangxi Teachers College
Priority date: 2015-12-19
Filing date: 2015-12-19
Publication date: 2016-05-25

Abstract

The invention discloses a relational database-based data space access method. According to the method, data updating and authorization judgement are synthesized into an access request; and through executing the access request, the data updating and the authorization judgement are completed at once, so that the data access efficiency is improved.

Description

The access method of the data space based on relational database

Technical field

The present invention relates to the access control field of data space. More particularly, the present invention relates to one based on relational databaseThe access method of data space.

Background technology

Data space (datespace) is a kind of novel Db Management Model, and main thought is to drop into extremely low front current costBy integrating with certain tissue or individual all relevant information, to the management of these information realizations pay-as-you-go.Compare with integrated system with traditional relational database system, data space is more suitable for managing that real world distributes, isomery andThe data of dynamic change. In recent years, along with going deep into of data space application and research, the secure access of data space becomes heatPoint problem.

The access control of data space has special requirement: 1) data space need to be described the data source of various granularities, because of the visitAsk that control must be fine-grained, can effectively access different levels, varigrained data. 2) data spaceBe dynamic and progressive process to the description of data source, visitor's authority is also along with the factor such as data attribute, environmental condition is movingThe variation of state. Therefore, data space must be supported dynamic access. The research of the current access control for data spaceFew, Main has: 1) data spatial model iDM is expanded, add the assembly for describing authority information,Thereby support the secure access of user to iDM. This way is for specific model iDM, instead of towards general model,Thereby be unfavorable for applying. 2) access control system of the data space of structure based on relational database, utilizes and closes coefficientRealize the access control of data space according to the access technique in storehouse. Deficiency is: there is no the visit that dynamically updates in supported data spaceAsk control. The present invention further improves on this basis, thereby realizes the data space access control that support dynamically updates.

Summary of the invention

An object of the present invention is to solve at least the problems referred to above, and provide at least below by the advantage of explanation.

A further object of the invention is to provide a kind of access method of the data space based on relational database, when user's logarithmWhile renewal according to the data in space, i.e., when user's executing data insertion, data modification and data deletion action, system canInstant according to user's access control right, stop or allow user's behavior, and then protection significant data is not modified.

In order to realize according to these objects of the present invention and other advantage, provide a kind of data space based on relational databaseAccess method, inclusion relation table in described relational database, the method will be converted to corresponding pass the access of data spaceThe access of system's table, the access rule of data space is described by the access rule of relation table, comprises the following steps:

Step 1, the request of access of input to data space, described request of access refers to be carried out and writes the data in data spaceThe request of operation;

Step 2, according to the content of this request of access, retrieve all relation table access rules relevant with this write operation, relationThe operating right that table access rule description has data accessed in relation table, each relation table access rule is with tableShow the mark of positive or negative mandate;

Step 3, rewrite request of access according to the above-mentioned relation table access rule that retrieves, make to authorize and judge and merge to accessIn request, first calculate to adopting to ship with the access rule of sure mandate mark the sure authorization resources of extracting, secondly toNegate to authorize the access rule of mark to adopt the negative authorization resources of union conjunction, then by authorization resources certainly obtained aboveCarry out difference operation with negative authorization resources, the result of difference operation is added in the request of access in step 1, after obtaining rewriteeingRequest of access;

Step 4, carry out request of access output access result after described rewriting.

Preferably, data space uses graph model G:=(N, E) to carry out data and the contact thereof in data of description space, wherein, and GFor data space, N is set of node { N₁,...,N_k, node N_iBy attribute-value, (attribute-value) formed, be designated asRepresentation node N_iThe attribute series having,Represent value corresponding to this attribute series,Work as N_iWhen=Φ, claim N_iFor empty node, E is the set on limit, and limit is designated as (N_i,N_j, L), wherein N_i,N_j∈ N, i ≠ j, L representsThe label on limit, and L can be null value.

Preferably, by mapping function C and write operation collection, the dynamic data of data space is mapped to relational database, passes throughSupport the mapping function M of write operation the access rule of data space to be mapped to the access rule of relation table, thereby by dataThe access in space is converted to the access to corresponding relation table; Wherein, in data space, data are designated as D_G, data in relation tableBe designated as D_R, data space is designated as C (D to the mapping function C of relation table_G)＝D_R。

Preferably, the write operation that data space occurs comprises Create, Delete and Update operation, wherein, uses Create(nodeID, attribute, value) describes interpolation node and attribute-it is right to be worth; Describe with Create (nodeID, label, nodeID)Add internodal limit; Describe and delete whole node with Delete (nodeID), its attribute-value is to also deleted; Use Delete(nodeID, attribute, value) describe in deletion of node attribute-it is right to be worth; Describe with Delete (nodeID, label, nodeID)Limit between deletion of node; The right content of attribute in new node more-be worth is described with Update (nodeID, attribute, value);Describe the content of upgrading internodal limit with Update (nodeID, label, nodeID), said n odeID is the ID of node,Attribute is attribute, and label is the label on limit.

Preferably, the mapping ruler of described mapping function C comprises:

1) limit of G is mapped to relation table Edge (source, label, target), and wherein, source and target are respectively limitDraw node and introduce node, the label that label is limit;

2) attribute-value of the node of G is to being mapped to relation table Attribute (nodeID, value), and wherein, nodeID is jointThe ID of point, the property value that field value is node;

3) there is the situation of Create operation in data space: when Create (nodeID, attribute, value), use insertStatement is by added node and attribute thereof-be worth right content to be inserted into corresponding Attribute table, if this attribute does not haveAttribute table, first newly-built Attribute table inserts again; When Create (nodeID, label, nodeID), use insertAdded internodal limit is inserted into Edge table by statement;

4) there is the situation of Delete operation in data space: when Delete (nodeID), use delete statement to deleteAll the elements of this node during Attribute table and Edge show, if this node has that attribute-it is right to be worth, are used delete languageIn sentence deletion Attribute table, these attributes-it is right to be worth; If this node has limit to be connected with other node, use delete languageThese limits in Edge table deleted in sentence, when Delete (nodeID, attribute, value), uses delete statement to deleteIn Attribute table this node attribute-it is right to be worth, when Delete (nodeID, label, nodeID), use delete statementDelete this limit in Edge table;

5) there is the situation of update operation in data space: when Update (nodeID, attribute, value), use updateStatement upgrades the right content of the attribute of this node in Attribute table-be worth; When Update (nodeID, label, nodeID),Use update statement to upgrade the content on this limit in Edge table.

Preferably, the access rule R of described relation table_R＝{subject_R,object_R,action_R,sign_RBe described, itsIn, R_RFor the access rule of relation table, subject_RRepresent the user that relation table is conducted interviews; Object_RExpression relationThe access control object of table, i.e. accessed resource, is used " selectFfromTwhereP " to describe object_R, whereinT represents the set of the table (table) that authority relates to; F representative is subject to the set of the field (fields) of Permission Constraints, and F is included in TSet of fields in, be designated as:P is the predicate relevant to T.fields, represents restrictive condition; Action_RTableShow the create that user carries out resource, delete or update operation; Sign_RComprise mark "+" and "-", wherein, "+" tableShow sure mandate, "-" represents to negate to authorize.

Preferably, the access rule R of described data space_G＝{subject_R,M(object_G),action_R,sign_RRetouchState, use M:object_G→object_RObject is described_GTo object_RMapping function, be designated as: M (object_G)＝object_R＝SelectFfromTwhereP, wherein object_GRepresent accessed resource in G, object_R∈D_R,object_G∈D_G，

T &SubsetEqual; (e d g e, a t t r i b u t e), F &SubsetEqual; (e d g e \cdot f i e l d s \cup a t t r i b u t e . f i e l d s),

P＝P_attribute∧P_edge∧P_join,P_attributeIn wordDuan Jun is from Table A ttribute, P_edgeIn field all from table Edge, connect predicate P_joinFor a word from multiple tablesSection couples together.

Preferably, the request of access A described in step 1_G：＝(u_G,o_G,a_G) description u_GTo o_GExecutable operations a_GAccess pleaseAsk, wherein u_GRepresent user, o_GRepresent accessed resource, a_GRepresent operation corresponding create, delete and updateStatement, access resources o_GThe approximate object of describing mode_R，u_G∈subject_R，o_G∈object_G，a_G∈action_R。

The present invention at least comprises following beneficial effect:

1) support fine granularity, the data space access control dynamically updating

The node in supported data of the present invention space, the fine-grained mandate on limit, upgrade the data of data space userTime, can, immediately according to user's access control right, stop or allow user's behavior.

2) access efficiency is higher

The present invention merges to user by request of access rewrite method by the access control rule of data space and upgrades in operation,Judge a synthetic request of access by Data Update and mandate, carry out this request of access and just equal once to have completed Data UpdateJudge with authorizing, and then improve the efficiency of data access.

Other advantage of the present invention, target and feature embody the explanation of part by below, and part also will be by the present inventionResearch and practice and understood by those skilled in the art.

Brief description of the drawings

Fig. 1 is the architectural framework figure of the inventive method access control system of being applied to the data space based on relational database;

Fig. 2 is the flow chart of data space access control method of the present invention;

Fig. 3 is the data space schematic diagram of describing scholar's information in embodiment 1;

Fig. 4 is that the data space of describing scholar's information in embodiment 1 is insinuated relation table Edge (limit table) and Attribute(attribute list)

Detailed description of the invention

Below in conjunction with embodiment, the present invention is described in further detail, to make those skilled in the art with reference to description wordCan implement according to this.

The invention provides a kind of access method of the data space based on relational database, inclusion relation in described relational databaseTable, the method will be converted to the access to corresponding relation table to the access of data space, and the access rule of data space is by closingThe access rule of system's table is described, and comprises the following steps:

Data space uses graph model G:=(N, E) to carry out data and the contact thereof in data of description space, and wherein, G is data skyBetween, N is set of node { N₁,...,N_k, node N_iBy attribute-value, (attribute-value) formed, be designated asRepresentation node N_iThe attribute series having,Represent value corresponding to this attribute series,Work as N_iWhen=Φ, claim N_iFor empty node, E is the set on limit, and limit is designated as (N_i,N_j, L), wherein N_i,N_j∈ N, i ≠ j, L representsThe label on limit, and L can be null value.

By mapping function C and write operation collection, the dynamic data of data space is mapped to relational database, writes behaviour by supportThe mapping function M doing is mapped to the access rule of data space the access rule of relation table, thereby by the visit of data spaceAsk the access being converted to corresponding relation table; Wherein, in data space, data are designated as D_G, in relation table, data are designated as D_R，Data space is designated as C (D to the mapping function C of relation table_G)＝D_R。

The write operation that data space occurs comprises Create, Delete and Update operation, wherein, uses Create(nodeID, attribute, value) describes interpolation node and attribute-it is right to be worth; Describe with Create (nodeID, label, nodeID)Add internodal limit; Describe and delete whole node with Delete (nodeID), its attribute-value is to also deleted; Use Delete(nodeID, attribute, value) describe in deletion of node attribute-it is right to be worth; Describe with Delete (nodeID, label, nodeID)Limit between deletion of node; The right content of attribute in new node more-be worth is described with Update (nodeID, attribute, value);Describe the content of upgrading internodal limit with Update (nodeID, label, nodeID), said n odeID is the ID of node,Attribute is attribute, and label is the label on limit.

The mapping ruler of described mapping function C comprises:

The access rule R of described relation table_R＝{subject_R,object_R,action_R,sign_RBe described, wherein, R_RFor the access rule of relation table, subject_RRepresent the user that relation table is conducted interviews; Object_RRepresent the access of relation tableControl object, i.e. accessed resource, is used " selectFfromTwhereP " to describe object_R, wherein T representationThe set of the table (table) that limit relates to; F representative is subject to the set of the field (fields) of Permission Constraints, and F is included in the field of TIn set, be designated as:P is the predicate relevant to T.fields, represents restrictive condition; Action_RRepresent to useThe create that carry out resource at family, delete or update operation; Sign_RComprise mark "+" and "-", wherein, "+" represents to agreeFixed mandate, "-" represents to negate to authorize.

The access rule R of described data space_G＝{subject_R,M(object_G),action_R,sign_RBe described, useM:object_G→object_RObject is described_GTo object_RMapping function, be designated as: M (object_G)＝object_R＝SelectFfromTwhereP, wherein object_GRepresent accessed resource in G, object_R∈D_R,object_G∈D_G，

T &SubsetEqual; (e d g e, a t t r i b u t e), F &SubsetEqual; (e d g e . f i e l d s \cup a t t r i b u t e . f i e l d s),

Request of access A described in step 1_G：＝(u_G,o_G,a_G) description u_GTo o_GExecutable operations a_GRequest of access, whereinu_GRepresent user, o_GRepresent accessed resource, a_GRepresent operation corresponding create, delete and update statement,Access resources o_GThe approximate object of describing mode_R，u_G∈subject_R，o_G∈object_G，a_G∈action_R。

The present invention is applied in the data space access control system based on relational database, this architectural framework as shown in Figure 1:

1) by mapping function C and renewal operation set, the dynamic data of data space is mapped to relational database;

2) the mapping function M that upgrades operation by support is mapped to the access rule of data space the access rule of relation table, thus the fine granularity access control of data space is converted to the access control to corresponding relation table;

3), in the time that user proposes request of access, request of access rewrites algorithm and first retrieves the visit relevant with this user's write operationAsk control law, then according to these rule overwriting request of access, make it comprise associated rights information, carry out the visit after rewriteeingAsk request, the relation table of mapping is carried out to fine-grained access.

As shown in Figure 2, the invention provides a kind of data space access control method of dynamically updating supported, be applied to based on passBe in the access control system of data space of database, comprise the following steps:

Step 1, user input the request of access to data space to system;

The request of access of data space refers to: user/role carries out the request of write operation to the data in data space. Especially, in the data space access control system based on relational database, the create of the corresponding SQL of write operation, delete andUpdate statement, wherein insert is update, and update upgrades operation, and delete is deletion action.

Step 2, according to the content of this request of access, the relevant relational database of system retrieval and this user's write operation is visitedAsk control law;

The kind of the user who relates to according to this request of access, accessed data and write operation, one by one retrieval and this user write behaviourRelevant access control rule { the R of data space that work mates_G1,…,R_Gn}。

The relevant access rule that step 3, basis retrieve rewrites request of access, makes Data Update and authorizes judgement to merge toIn request of access;

First calculated data space correlation access control rule { R, successively_G1,…,R_GnIn

M(object_Gi)＝object_Ri＝selectF_ifromT_iwhereP_iIf, sign_GiFor "+"Calculate by shipping of SQL the sure authorization resources of extracting; If sign_GiFor "-"?Negate authorization resources by the union conjunction of SQL. Then calculate by the difference operation of SQLFinally by S_RAdd data space request of access A to_GSQL describe where condition in, obtain rewrite after access pleaseAsk A_G'.

Request of access A after step 4, execution rewrite_G' and output access result;

The result of request of access refers to sure Authorization execution result and the negative Authorization execution knot of accessing operation in access resourcesReally.

In order further to understand the present invention, specifically describe application of the present invention below in conjunction with embodiment

Embodiment 1

As shown in Figure 3 and Figure 4, the mapped function C of data space of description scholar information is mapped to relation table Edge (limitTable) and Attribute (attribute list), wherein attribute list has comprised the table such as Aemail, Aname.

Suppose that user user1 wants to upgrade email information in data space, the request of access of user1 is: A_G＝(user1，M(object_G)=select*fromAemail, Update). The access control rule in tentation data space is:

{user1,M(object_G)＝select*fromAemailwhereuser1id＝nodeID,Create(nodeID,email,value),+}；

{user1,M(object_G)＝select*fromAemailwhereuser1id＝nodeID,Delete(nodeID,email,value),+}；

{user1,M(object_G)＝select*fromAemailwhereuser1id＝nodeID,Update(nodeID,email,value),+}；

{user1,M(object_G)＝select*fromAemailwherevaluelike‘gxtc.edu.cn’,Update(nodeID,email,value),-}；

{user1,M(object_G)＝select*fromAemail,Update(nodeID,email,value),+}；

{user1,M(object_G)＝select*fromAname,Update(nodeID,name,value),-}；

{user2,M(object_G)＝select*fromAemailwhereuser1id＝nodeID,Update(nodeID,email,value),+}。

, according to the content of this request of access, system retrieval update that arrive and user user1 operates, access resources AemailShowing relevant data space access control rule has:

{user1,M(object_G)＝select*fromAemail,Update(nodeID,email,value),+}；

Analyze these relevant data space access control rule known, system constraint user user1 does not revise others' EmailThe authority of information, can only revise oneself, and does not comprise the Email information of suffix gxtc.edu.cn. HereGxtc.edu.cn refers to the mailbox of Guangxi Teachers College.

Calculate successively the M (object in relevant data space access control rule_G), if sign_GiFor "+" passes throughThe sure authorization resources of extracting is calculated in shipping of SQL, calculatesObtain

{object}_{R}^{+} = s e l e c t * f r o m A e m a i l w h e r e u s e r l i d = n o d e I D,

If sign_GiFor "-" calculatedNegate authorization resources by the union conjunction of SQL, obtainAemailwherevaluelike ' gxtc.edu.cn '. Then calculate by the difference operation of SQLObtain S_R=select*fromAemailwhereuser1id=nodeIDandvaluenotlike ' gxtc.edu.cn '. FinallyBy S_RAdd A to_GSQL describe where condition in, obtain rewrite after request of access A_G'＝(user1，M(object_G)=select*fromAemailwhereuser1id=nodeIDandvaluenotlike ' gxtc.edu.cn ', Update), makeThe A that must rewrite_G' comprise authority information, wherein, condition user1id=nodeID represents: when user's login ID equalsWhen node ID, the information that this user can access node, thus ensure that user can only revise the Email information of oneself; BarPart valuenotlike ' gxtc.edu.cn ' represents: the value that does not comprise suffix gxtc.edu.cn. A_G' SQL be described as:UpdateAemailsetemail=valuewhereuser1id=nodeIDandvaluenot like ' gxtc.edu.cn ', visitsAsk request A_G' result be: Update operates in select*fromAemailwhereuser1id=nodeIDandvalueSure Authorization execution result on notlike ' gxtc.edu.cn', that is, user1 can revise oneself, and does not compriseThe Email information of gxtc.edu.cn suffix.

From example 1, the present invention merges to user by request of access rewrite method by the access control rule of data spaceUpgrade in operation, judge a synthetic request of access by Data Update and mandate, can be immediately according to user's access controlAuthority, stops or allows user's access behavior.

Industrial applicibility of the present invention

1) support fine granularity, the data space access control dynamically updating

2) access efficiency is higher

Although embodiment of the present invention are open as above, it is not restricted to listed fortune in description and embodimentWith, it can be applied to various applicable the field of the invention completely, for those skilled in the art, and can be easilyRealize other amendment, therefore do not deviating under the universal that claim and equivalency range limit, the present invention does not limitIn specific details with illustrate here and the embodiment describing.

Claims

1. an access method for the data space based on relational database, inclusion relation table in described relational database, shouldMethod will be converted to the access to corresponding relation table to the access of data space, and the access rule of data space is by relation tableAccess rule is described, and it is characterized in that, comprises the following steps:

2. the access method of the data space based on relational database as claimed in claim 1, is characterized in that, dataSpace is used graph model G:=(N, E) to carry out data and the contact thereof in data of description space, and wherein, G is data space, and N isSet of node { N₁,...,N_k, node N_iBy attribute-value, (attribute-value) formed, be designated as Representation node N_iThe attribute series having,Represent value corresponding to this attribute series, work as N_iWhen=Φ, claim N_iForEmpty node, E is the set on limit, limit is designated as (N_i,N_j, L), wherein N_i,N_j∈ N, i ≠ j, L represents the label on limit, and L can beNull value.

3. the access method of the data space based on relational database as claimed in claim 2, is characterized in that, passes throughThe dynamic data of data space is mapped to relational database by mapping function C and write operation collection, by supporting the mapping of write operationFunction M is mapped to the access rule of data space the access rule of relation table, thereby the access of data space is converted toTo the access of corresponding relation table; Wherein, in data space, data are designated as D_G, in relation table, data are designated as D_R, data skyBetween be designated as C (D to the mapping function C of relation table_G)＝D_R。

4. the access method of the data space based on relational database as claimed in claim 3, is characterized in that, dataThe write operation that space occurs comprises Create, Delete and Update operation, wherein, and with Create (nodeID, attribute, value)Node is added in description and attribute-it is right to be worth; Describe and add internodal limit with Create (nodeID, label, nodeID); WithDelete (nodeID) describes and deletes whole node, and its attribute-value is to also deleted; With Delete (nodeID, attribute, value)Describe in deletion of node attribute-it is right to be worth; With the limit between Delete (nodeID, label, nodeID) description deletion of node; WithUpdate (nodeID, attribute, value) describes the right content of attribute in new node more-be worth; With Update (nodeID, label,NodeID) describe the content of upgrading internodal limit, said n odeID is the ID of node, and attribute is attribute, labelBe the label on limit.

5. the access method of the data space based on relational database as claimed in claim 4, is characterized in that, described inThe mapping ruler of mapping function C comprises:

6. the access method of the data space based on relational database as claimed in claim 5, is characterized in that, described inThe access rule R of relation table_R＝{subject_R,object_R,action_R,sign_RBe described, wherein, R_RFor relation tableAccess rule, subject_RRepresent the user that relation table is conducted interviews; Object_RRepresent the access control object of relation table,Be accessed resource, use " selectFfromTwhereP " to describe object_R, wherein T represents the table that authority relates to(table) set; F representative is subject to the set of the field (fields) of Permission Constraints, and F is included in the set of fields of T, noteFor:P is the predicate relevant to T.fields, represents restrictive condition; Action_RRepresent that user enters resourceThe create of row, delete or update operation; Sign_RComprise mark "+" and "-", wherein, "+" represents certainly to authorize, "-"Represent to negate to authorize.

7. the access method of the data space based on relational database as claimed in claim 6, is characterized in that, described inThe access rule R of data space_G＝{subject_R,M(object_G),action_R,sign_RBe described, useM:object_G→object_RObject is described_GTo object_RMapping function, be designated as: M (object_G)＝object_R＝SelectFfromTwhereP, wherein object_GRepresent accessed resource in G, object_R∈D_R,object_G∈D_G，P_attributeIn wordDuan Jun is from Table A ttribute, P_edgeIn field all from table Edge, connect predicate P_joinFor a word from multiple tablesSection couples together.

8. the access method of the data space based on relational database as claimed in claim 7, is characterized in that, stepRequest of access A described in one_G：＝(u_G,o_G,a_G) description u_GTo o_GExecutable operations a_GRequest of access, wherein u_GRepresentUser, o_GRepresent accessed resource, a_GRepresent operation corresponding create, delete and update statement, access moneySource o_GThe approximate object of describing mode_R，u_G∈subject_R，o_G∈object_G，a_G∈action_R。