CN106790304A - Data access method, device, node and server cluster - Google Patents
- Publication number: CN106790304A
- Application number: CN201710184332.3A
- Authority: CN (China)
- Prior art keywords: metadata, data node, authorization, access request, node
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L67/10: Protocols in which an application is distributed across nodes in the network
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/0853: Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Abstract
This application discloses a data access method, device, node and server cluster. In the scheme of the application, a trusted cryptography module is provided in the metadata node. After receiving an encrypted access request sent by a data node, the metadata node calls the trusted cryptography module to decrypt the encrypted access request. If a data identifier and the authorization identifier of the data node are decrypted from the encrypted access request, and the authorization identifier of the data node is a legitimate authorization identifier, the target metadata corresponding to the data identifier is obtained from the metadata stored in the metadata node, and the target metadata is sent to the data node. The scheme of the application can improve the security of data in the server cluster.
Description
Technical field
The application relates to the field of communication technology, and more specifically to a data access method, device, node and server cluster.
Background
Data security is a key problem that a big data platform must solve, for example data security in the Hadoop-based distributed file system (Hadoop Distributed File System, HDFS) and in other data storage systems. However, with the continuous development of network technology, the security problems of big data platforms have become increasingly prominent. How to improve the data security of big data platforms is therefore a technical problem that those skilled in the art urgently need to solve.
Summary of the invention
In view of this, the application provides a data access method, device, node and server cluster, to improve the data security of a data storage system.
To achieve this object, the following scheme is proposed:
A data access method, applied to a metadata node in which a trusted cryptography module is provided, the method including:
receiving an encrypted access request sent by a data node, the access request being used to request access to metadata in the metadata node;
calling the trusted cryptography module to decrypt the encrypted access request;
if a data identifier and the authorization identifier of the data node are decrypted from the encrypted access request based on the trusted cryptography module, verifying whether the authorization identifier of the data node is a legitimate authorization identifier;
when the authorization identifier of the data node is a legitimate authorization identifier, obtaining, from the metadata stored in the metadata node, the target metadata corresponding to the data identifier;
sending the target metadata to the data node.
Preferably, the metadata stored in the metadata node is metadata encrypted based on the trusted cryptography module;
obtaining, from the metadata stored in the metadata node, the target metadata corresponding to the data identifier includes:
based on the data identifier, decrypting the encrypted metadata stored in the metadata node and determining the target metadata corresponding to the data identifier.
Preferably, verifying whether the authorization identifier of the data node is a legitimate authorization identifier includes:
verifying whether the authorization identifier of the data node belongs to the preset legitimate authorization identifiers, a preset legitimate authorization identifier being an authorization identifier distributed to a data node in the data storage system.
Preferably, the method further includes:
if decrypting the encrypted access request based on the trusted cryptography module fails, discarding the access request.
Preferably, while discarding the access request, the method further includes:
distributing authorization identifiers again to each data node in the data storage system, and storing the redistributed authorization identifiers as the current legitimate authorization identifiers.
In another aspect, an embodiment of the application further provides another data access method, applied to a metadata node in which a trusted cryptography module is provided, the method including:
receiving an access request sent by a data node, the access request being used to request access to metadata in the metadata node;
parsing the data identifier carried in the access request;
calling the trusted cryptography module to decrypt the encrypted metadata in the metadata node;
determining, from the decrypted metadata, the target metadata corresponding to the data identifier;
sending the target metadata to the data node.
Preferably, calling the trusted cryptography module to decrypt the encrypted metadata in the metadata node includes:
determining, according to the data identifier, the encrypted metadata to be processed from the encrypted metadata stored in the metadata node;
calling the trusted cryptography module to decrypt the encrypted metadata to be processed.
In another aspect, an embodiment of the application further provides a metadata node, the metadata node including:
a memory, a trusted cryptography module, a communication interface and a processor;
wherein the memory is used to store metadata;
the communication interface is used to receive an encrypted access request sent by a data node, the access request being used to request access to metadata in the metadata node;
the trusted cryptography module is used to decrypt the encrypted access request when called by the processor;
the processor is used to: if a data identifier and the authorization identifier of the data node are decrypted from the encrypted access request based on the trusted cryptography module, verify whether the authorization identifier of the data node is a legitimate authorization identifier; and, when the authorization identifier of the data node is a legitimate authorization identifier, obtain, from the metadata stored in the memory, the target metadata corresponding to the data identifier;
the communication interface is further used to send the target metadata to the data node.
Preferably, the trusted cryptography module is further used to encrypt metadata before the encrypted access request sent by the data node is received;
storing metadata in the memory specifically includes: storing the metadata encrypted based on the trusted cryptography module;
when obtaining, from the metadata stored in the memory, the target metadata corresponding to the data identifier, the processor specifically, based on the data identifier, decrypts the encrypted metadata stored in the metadata node and determines the target metadata corresponding to the data identifier.
Preferably, when verifying whether the authorization identifier of the data node is a legitimate authorization identifier, the processor is specifically used to verify whether the authorization identifier of the data node belongs to the preset legitimate authorization identifiers, a preset legitimate authorization identifier being an authorization identifier distributed to a data node in the data storage system.
Preferably, the processor is further used to: discard the access request if decrypting the encrypted access request based on the trusted cryptography module fails; and distribute authorization identifiers again to each data node in the storage system, and store the redistributed authorization identifiers as the current legitimate authorization identifiers.
In another aspect, an embodiment of the application further provides another metadata node, including:
a memory, a trusted cryptography module, a communication interface and a processor;
wherein the memory is used to store encrypted metadata;
the communication interface is used to receive an access request sent by a data node, the access request being used to request access to metadata in the metadata node;
the processor is used to: parse the data identifier carried in the access request; call the trusted cryptography module to decrypt the encrypted metadata stored in the memory; and determine, from the decrypted metadata, the target metadata corresponding to the data identifier;
the trusted cryptography module is used to decrypt the encrypted metadata stored in the memory;
the communication interface is further used to send the target metadata to the data node.
Preferably, the processor calling the trusted cryptography module to decrypt the encrypted metadata in the metadata node includes:
the processor determining, according to the data identifier, the encrypted metadata to be processed from the encrypted metadata stored in the metadata node, and calling the trusted cryptography module to decrypt the encrypted metadata to be processed.
In another aspect, an embodiment of the application further provides a data access device, applied to a metadata node in which a trusted cryptography module is provided, the device including:
a request receiving unit, used to receive an encrypted access request sent by a data node, the access request being used to request access to metadata in the metadata node;
a module calling unit, used to call the trusted cryptography module to decrypt the encrypted access request;
an identifier verification unit, used to verify, if a data identifier and the authorization identifier of the data node are decrypted from the encrypted access request based on the trusted cryptography module, whether the authorization identifier of the data node is a legitimate authorization identifier;
a data obtaining unit, used to obtain, when the authorization identifier of the data node is a legitimate authorization identifier, the target metadata corresponding to the data identifier from the metadata stored in the metadata node;
a data sending unit, used to send the target metadata to the data node.
In another aspect, an embodiment of the application further provides another data access device, applied to a metadata node in which a trusted cryptography module is provided, the device including:
a request receiving unit, used to receive an access request sent by a data node, the access request being used to request access to metadata in the metadata node;
a request parsing unit, used to parse the data identifier carried in the access request;
a module calling unit, used to call the trusted cryptography module to decrypt the encrypted metadata in the metadata node;
a data determining unit, used to determine, from the decrypted metadata, the target metadata corresponding to the data identifier;
a data sending unit, used to send the target metadata to the data node.
In another aspect, an embodiment of the application further provides a server cluster, including:
a metadata node and at least one data node, the metadata node and the data node being connected through a network, and a trusted cryptography module being provided in both the metadata node and the data node;
wherein the data node is used to: obtain the data identifier to be accessed and the authorization identifier of the data node; call the trusted cryptography module of the data node to encrypt the data identifier and the authorization identifier of the data node, and generate an access request using the encrypted data identifier and authorization identifier of the data node; and send the access request to the metadata node;
the metadata node calls the trusted cryptography module to decrypt the encrypted access request; if a data identifier and the authorization identifier of the data node are decrypted from the encrypted access request based on the trusted cryptography module, verifies whether the authorization identifier of the data node is a legitimate authorization identifier; when the authorization identifier of the data node is a legitimate authorization identifier, obtains, from the metadata stored in the metadata node, the target metadata corresponding to the data identifier; and sends the target metadata to the data node.
In another aspect, an embodiment of the application further provides another server cluster, including:
a metadata node and at least one data node, the metadata node and the data node being connected through a network, and a trusted cryptography module being provided in both the metadata node and the data node;
the data node is used to send an access request to the metadata node, the access request being used to request access to metadata in the metadata node;
the metadata node is used to: parse the data identifier carried in the access request; call the trusted cryptography module to decrypt the encrypted metadata in the metadata node; determine, from the decrypted metadata, the target metadata corresponding to the data identifier; and send the target metadata to the data node.
It can be seen that, in the embodiments of the application, by exploiting the security and reliability of the TCM chip itself, the data nodes and the metadata node in the server cluster perform encryption and decryption through TCM chips. This helps improve the security of access in the whole system, effectively reduces the cases in which an illegitimate data node accesses the metadata in the metadata node by sending an access request, improves the security of the metadata, and thereby improves the security of the data in the whole server cluster.
Meanwhile, each data node in the server cluster has an authorization identifier, and an access request sent by a data node carries the authorization identifier of that data node. Only when the metadata node verifies that the authorization identifier of the data node is a legitimate authorization identifier does the metadata node return the corresponding metadata to the data node. This effectively prevents other unreliable data nodes outside the server cluster from accessing the metadata in the metadata node, improves the security of the metadata, and thereby improves the security of the data in the server cluster.
Brief description of the drawings
To describe the technical solutions of the embodiments of the application more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the application, and those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a schematic structural diagram of a server cluster of an example of the application;
Fig. 2 is a schematic flowchart of one embodiment of a data access method of the application;
Fig. 3 is a schematic flowchart of another embodiment of a data access method of the application;
Fig. 4 is a schematic structural diagram of a metadata node of the application;
Fig. 5 is a schematic flowchart of one embodiment of another data access method of the application;
Fig. 6 is a schematic structural diagram of one embodiment of a data access device of the application;
Fig. 7 is a schematic structural diagram of one embodiment of another data access device of the application.
Detailed description of the embodiments
The embodiments of the application provide a data access method, device, node and server cluster, to improve the data security of a data storage system. The scheme of the embodiments can be applied to any data storage system, such as a distributed data storage system or a centralized data storage system.
For example, refer to Fig. 1, which shows a schematic structural diagram of a server cluster to which the application applies. As Fig. 1 shows, the server cluster 100 can include a metadata node 101 and at least one data node 102. The metadata node and the data nodes can be connected through a network, for example a wired or wireless network. The server cluster can in practice also be regarded as a data storage system, such as a distributed data storage system.
The metadata node is used to manage the metadata information of the data, such as the file or package name, size, location, attributes, creation time and modification time.
In the embodiments of the application, a trusted cryptography module (Trusted Cryptography Module, TCM) is provided in both the metadata node 101 and the data node 102. Because the TCM chip is stable and reliable, providing the TCM chip greatly raises the overall security level of the physical hardware.
In one embodiment, the data node 102 is used to: obtain the data identifier to be accessed and the authorization identifier of the data node; call the trusted cryptography module of the data node to encrypt the data identifier and the authorization identifier of the data node, and generate an access request using the encrypted data identifier and authorization identifier of the data node; and send the access request to the metadata node.
Correspondingly, the metadata node 101 calls the trusted cryptography module in the metadata node to decrypt the encrypted access request; if a data identifier and the authorization identifier of the data node are decrypted from the encrypted access request based on the trusted cryptography module, verifies whether the authorization identifier of the data node is a legitimate authorization identifier; when the authorization identifier of the data node is a legitimate authorization identifier, obtains, from the metadata stored in the metadata node, the target metadata corresponding to the data identifier; and sends the target metadata to the data node.
With reference to the common features above, a data access method of the application is introduced.
Refer to Fig. 2, which shows a schematic flowchart of one embodiment of a data access method of the application. This embodiment is described from the metadata node side, and the method of this embodiment can include:
201. Receive the encrypted access request sent by the data node.
The access request is used to request access to metadata in the metadata node.
Unlike the prior art, in the embodiments of the application the access request sent by the data node is an encrypted access request, which prevents the access request from being maliciously hijacked and thereby threatening the security of the data stored in the server cluster.
Meanwhile, because both the data node and the metadata node are provided with TCM chips, all data nodes are required to encrypt by calling the TCM chip in order to improve data security. Therefore, if the data node is a reliable data node, it should encrypt the access request by calling the TCM chip in the data node and then send the encrypted access request to the metadata node.
202. Call the trusted cryptography module in the metadata node to decrypt the encrypted access request.
For example, the metadata node sends the encrypted access request to the TCM chip and instructs the TCM chip to decrypt the encrypted access request.
Optionally, a decryption key can be preset in the metadata node, or preset in advance in the TCM chip, the decryption key matching the encryption key that the data node used to encrypt the access request. The metadata node can then call the TCM chip, and the TCM chip decrypts the encrypted access request according to the decryption key.
203. If a data identifier and the authorization identifier of the data node are decrypted from the encrypted access request based on the trusted cryptography module, verify whether the authorization identifier of the data node is a legitimate authorization identifier.
The data identifier identifies the metadata that the data node requests to access.
The authorization identifier of the data node identifies the data node in the server cluster. The authorization identifier makes it possible to recognize whether the data node that sent the access request is a data node in the server cluster, and thus to verify whether the data node is a reliable data node.
Optionally, different data nodes in the server cluster can have different authorization identifiers, so an authorization identifier can uniquely identify one data node in the server cluster.
The authorization identifier of a data node can be pre-configured in the data node, with the metadata node maintaining the authorization identifiers of the different data nodes. The authorization identifier of a data node can also be distributed by the metadata node, which stores the distributed authorization identifiers; for example, the metadata node generates an authorization identifier for each data node in the server cluster, distributes the generated authorization identifier to that data node, and stores it.
Verifying whether the authorization identifier of the data node is a legitimate authorization identifier can consist of checking whether the authorization identifier is one stored in the metadata node; if it is, the authorization identifier can be confirmed as a legitimate authorization identifier. For example, the metadata node checks whether the decrypted authorization identifier is one that the metadata node distributed to a data node in the server cluster; if so, the authorization identifier is a legitimate authorization identifier.
It can be understood that, if the metadata node cannot decrypt the encrypted access request by calling its TCM chip, the data node that sent the access request may not be a data node in the server cluster, and the metadata node cannot process the access request.
Correspondingly, if the authorization identifier of the data node that the metadata node decrypts is not a legitimate authorization identifier, the data node can be judged not to be a reliable data node in the server cluster; in that case, the metadata node likewise does not respond to the access request.
Optionally, if the metadata node fails to decrypt the encrypted access request based on the trusted cryptography module, or the decrypted authorization identifier of the data node is not a legitimate authorization identifier, the metadata node can discard the access request.
204. When the authorization identifier of the data node is a legitimate authorization identifier, obtain, from the metadata stored in the metadata node, the target metadata corresponding to the data identifier.
If the authorization identifier carried in the access request is a legitimate authorization identifier, the metadata node can respond to the access request and obtain the metadata that the data node requests to access. For ease of distinction, the application refers to the metadata that the access request asks to access, that is, the metadata corresponding to the data identifier, as the target metadata.
The metadata node can obtain the target metadata in various ways. For example, it can look up, according to the data identifier, the storage address of the metadata that the data identifier denotes, and read the target metadata from the storage space that the storage address points to. Other ways of obtaining the target metadata are equally applicable to the embodiments of the application and are not limited here.
205. Send the target metadata to the data node.
It can be understood that only if a data node can obtain the metadata can it access the data in the server cluster according to the metadata. Because of the characteristics of the TCM chip itself, the reliability of data encryption and decryption can be improved. Therefore, having the data nodes and the metadata node in the server cluster perform encryption and decryption through TCM chips helps improve the security of access in the whole system, effectively reduces the cases in which an illegitimate data node accesses the metadata in the metadata node by sending an access request, improves the security of the metadata, and thereby improves the security of the data in the whole server cluster.
It can be seen that, in the embodiments of the application, trusted cryptography modules are provided in both the data nodes and the metadata node in the server cluster, and the access request that a data node sends to the metadata node is encrypted with the trusted cryptography module in the data node. Correspondingly, the metadata node also needs to use its own trusted cryptography module to decrypt the access request sent by the data node, and only when the encrypted access request is decrypted successfully can the metadata node process the access request. This helps improve the reliability of data access and prevents unreliable data nodes from maliciously sending access requests to the metadata node, which helps improve the security of the data.
Meanwhile, each data node in the server cluster of the embodiments of the application has an authorization identifier, and an access request sent by a data node carries the authorization identifier of that data node. Only when the metadata node verifies that the authorization identifier of the data node is a legitimate authorization identifier does the metadata node return the corresponding metadata to the data node. This effectively prevents other unreliable data nodes outside the server cluster from accessing the metadata in the metadata node, improves the security of the metadata, and thereby improves the security of the data in the server cluster.
It is understood that in the embodiment of the present application, in order to further improve the security of metadata, the metadata section
Point can be encrypted storage afterwards to the metadata for storing, specifically, can be stored in the metadata node credible by this
Metadata after cryptographic hardware modules encryption.The metadata for storing is entered using credible cryptographic hardware modules in metadata node
After row encryption, even if there is the illegality equipments such as other equipment or server invades the metadata node by network, but
Because illegality equipment cannot be encrypted to the metadata in metadata node, also cause that illegality equipment cannot get this yuan of number
According to the metadata stored in node, so as to further increase the security of metadata.
Accordingly, after metadata node determines that the mandate of back end is designated legal authorization mark, this yuan of number
The metadata by encryption for also needing to store it according to node is decrypted, and then from the metadata for decrypting, determines
In the corresponding target metadata of the Data Identification.
Wherein, metadata node can carry out the key of encryption and decryption to metadata with preset, and call itself set this can
Letter cryptographic hardware modules, are encrypted and decrypted according to the key by the credible cryptographic hardware modules to the metadata.
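The flow of steps 201 to 205, together with the encrypted metadata store described above, as an added example in Go that is not code from the patent. Assumptions: a software AES-256-GCM object with a pre-shared key stands in for the TCM chip, and the request layout and all type and function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SoftTCM is a software stand-in for the trusted cryptography module (TCM).
// Assumption: the page names no cipher; AES-256-GCM with a pre-shared key is used.
type SoftTCM struct{ aead cipher.AEAD }

func NewSoftTCM(key []byte) *SoftTCM {
	return &SoftTCM{must(cipher.NewGCM(must(aes.NewCipher(key))))}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func (t *SoftTCM) Encrypt(plain []byte) []byte {
	nonce := randomBytes(t.aead.NonceSize())
	return t.aead.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
}

func (t *SoftTCM) Decrypt(msg []byte) ([]byte, error) {
	n := t.aead.NonceSize()
	if len(msg) < n {
		return nil, errors.New("ciphertext too short")
	}
	return t.aead.Open(nil, msg[:n], msg[n:], nil)
}

// AccessRequest is the plaintext a data node encrypts (hypothetical layout).
type AccessRequest struct{ DataID, AuthID string }

// BuildRequest is the data-node side: encrypt both identifiers into one request.
func BuildRequest(tcm *SoftTCM, dataID, authID string) []byte {
	return tcm.Encrypt(must(json.Marshal(AccessRequest{dataID, authID})))
}

var ErrDecrypt = errors.New("dropped: request did not decrypt")
var ErrAuth = errors.New("dropped: authorization identifier not legitimate")

type MetadataNode struct {
	tcm     *SoftTCM
	authIDs map[string]string // data node name -> current legitimate identifier
	store   map[string][]byte // data identifier -> TCM-encrypted metadata
}

func NewMetadataNode(tcm *SoftTCM) *MetadataNode {
	return &MetadataNode{tcm, map[string]string{}, map[string][]byte{}}
}

// Issue distributes a fresh random authorization identifier to one data node.
func (m *MetadataNode) Issue(node string) string {
	m.authIDs[node] = fmt.Sprintf("%x", randomBytes(16))
	return m.authIDs[node]
}

// Put stores metadata only in TCM-encrypted form.
func (m *MetadataNode) Put(dataID string, meta []byte) { m.store[dataID] = m.tcm.Encrypt(meta) }

// Handle follows steps 202 to 205 for one encrypted access request.
func (m *MetadataNode) Handle(encReq []byte) ([]byte, error) {
	var req AccessRequest
	plain, err := m.tcm.Decrypt(encReq) // 202
	if err != nil || json.Unmarshal(plain, &req) != nil {
		for n := range m.authIDs { // discard, then redistribute every identifier
			m.Issue(n)
		}
		return nil, ErrDecrypt
	}
	for _, id := range m.authIDs { // 203: must be an identifier this node issued
		if id == req.AuthID {
			// 204/205: decrypt only the entry selected by the data identifier.
			return m.tcm.Decrypt(m.store[req.DataID])
		}
	}
	return nil, ErrAuth
}

func main() { // demo with a constructed key, node name and metadata record
	key := []byte("0123456789abcdef0123456789abcdef")
	mn := NewMetadataNode(NewSoftTCM(key))
	mn.Put("file-7", []byte("size=4096"))
	meta, err := mn.Handle(BuildRequest(NewSoftTCM(key), "file-7", mn.Issue("dn1")))
	fmt.Println(string(meta), err)
}
```

A request built with a different key fails the GCM tag check, is discarded, and triggers redistribution, so an identifier issued before that point stops being accepted.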
Refer to Fig. 3, which shows a schematic flowchart of another embodiment of a data access method of the application. The method of this embodiment is described from the metadata node side and can include:
301. Receive the encrypted access request sent by the data node.
The access request is used to request access to metadata in the metadata node.
302. Call the trusted cryptography module in the metadata node to decrypt the encrypted access request.
For steps S301 and S302, refer to the related description of the preceding embodiment; details are not repeated here.
303. If a data identifier and the authorization identifier of the data node are decrypted from the encrypted access request based on the trusted cryptography module, verify whether the authorization identifier of the data node belongs to the preset legitimate authorization identifiers; if so, perform step S304; if not, perform step S306.
The preset legitimate authorization identifiers are the authorization identifiers that the metadata node distributes to the data nodes in the data storage system. The data storage system can be regarded as the server cluster described above.
Of course, this embodiment is described taking as an example the case in which the legitimate authorization identifiers are distributed in advance by the metadata node; other ways of presetting authorization identifiers in the data nodes and performing the corresponding verification are equally applicable to the application and are not limited here.
304. Based on the data identifier, decrypt the encrypted metadata stored in the metadata node and determine the target metadata corresponding to the data identifier.
In this embodiment, the metadata stored in the metadata node is metadata encrypted based on the trusted cryptography module in the metadata node.
It can be understood that, in the embodiments of the application, encrypting the metadata is likewise done by the metadata node calling its own trusted cryptography module.
Optionally, in the embodiment of the present application, in order to determine target metadata corresponding with Data Identification, can be by unit
The all metadata stored in back end are decrypted, but this kind of mode can cause data processing amount excessive.In order to subtract
Few data processing amount, can be according to the Data Identification, the unit to be decrypted of decryption needed for being determined from the encrypting metadata of storage
Data, the metadata to be decrypted is the part metadata of storage in metadata node, and calls the credible cryptographic hardware modules pair
The metadata to be decrypted is decrypted, and from the metadata for decrypting, it is determined that target metadata corresponding with the Data Identification.
Wherein, according to Data Identification, determine that metadata to be decrypted can be, deposit in advance from the metadata of the encryption of storage
The corresponding memory space of storage different pieces of information mark, and will be stored in being referred to as treating by the metadata encrypted in the memory space
Decrypted metadata, so as to be decrypted the metadata to be decrypted, can obtain at least including the corresponding target of the Data Identification
Metadata is in interior metadata.
305, the target metadata is returned into the back end.
After target metadata returned into back end, metadata node completes the treatment to the access request.
306, abandon the access request.
If the mandate mark that metadata node is decrypted from the access request of the encryption is not belonging to legal mandate mark
Know, then metadata node can judge that the access request is sent by reliable back end in server cluster, so that meeting
Directly abandon the access request.
307, again for each back end distribution in data-storage system authorizes mark, and the mandate that will be redistributed
Identify and stored as current legal authorization mark.
If it is understood that carrying mandate mark in the access request received in metadata node, but be somebody's turn to do
Authorize mark to be not belonging to reliable mandate to identify, then allocated mandate mark there may exist wind in illustrating server cluster
Danger, in that case, metadata node again for back end distribution authorizes mark, and most newly assigned can will authorize mark
Stored as legal mandate mark, and allocated mandate of history is identified into removing.
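The flow of steps 301 to 307 can be exercised end to end with the following added example, which is not part of the patent text. It assumes a software stand-in for the trusted cryptographic hardware module (an HMAC-SHA256 encrypt-then-MAC construction), one key provisioned to the modules of both nodes, a JSON request layout and a hash-based mapping from data identifier to storage space; the names SoftModule, MetadataNode, build_request and bucket_of are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

BUCKETS = 4  # assumed number of storage spaces holding encrypted metadata


class SoftModule:
    """Software stand-in (assumption) for the trusted cryptographic hardware module.
    Encrypt-then-MAC built from HMAC-SHA256 so the example needs only the stdlib."""

    def __init__(self, key: bytes):
        self._enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        stream, counter = b"", 0
        while len(stream) < len(data):
            block = nonce + counter.to_bytes(4, "big")
            stream += hmac.new(self._enc, block, hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        body = self._xor(nonce, plaintext)
        return nonce + body + hmac.new(self._mac, nonce + body, hashlib.sha256).digest()

    def decrypt(self, blob: bytes):
        """Return the plaintext, or None when the blob fails authentication."""
        if len(blob) < 48:
            return None
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return self._xor(nonce, body)


def bucket_of(data_id: str) -> int:
    """Assumed mapping from data identifier to storage space."""
    return hashlib.sha256(data_id.encode()).digest()[0] % BUCKETS


def build_request(module, data_id, auth_mark):
    """Data-node side: encrypt the data identifier and authorization mark together."""
    fields = {"data_id": data_id, "auth_mark": auth_mark}
    return module.encrypt(json.dumps(fields).encode())


class MetadataNode:
    def __init__(self, module, data_node_names):
        self.module = module
        self.names = list(data_node_names)
        self.spaces = {}  # bucket -> encrypted JSON of {data_id: metadata}
        self.legal = {}
        self.reassign_marks()

    def reassign_marks(self):
        """Step 307: issue a fresh mark per data node; the old marks are cleared."""
        self.legal = {name: secrets.token_hex(16) for name in self.names}
        return dict(self.legal)

    def _open_space(self, bucket):
        blob = self.spaces.get(bucket)
        return json.loads(self.module.decrypt(blob)) if blob else {}

    def store(self, data_id, metadata):
        bucket = bucket_of(data_id)
        entries = self._open_space(bucket)
        entries[data_id] = metadata
        self.spaces[bucket] = self.module.encrypt(json.dumps(entries).encode())

    def _reject(self):
        """Step 306 then 307: drop the request, then rotate every mark."""
        self.reassign_marks()
        return None

    def handle(self, request: bytes):
        plain = self.module.decrypt(request)              # step 302
        if plain is None:                                 # decryption failed
            return self._reject()
        try:
            fields = json.loads(plain)
            data_id, mark = fields["data_id"], fields["auth_mark"]
        except (ValueError, KeyError, TypeError):
            return self._reject()
        if not (isinstance(data_id, str) and isinstance(mark, str)):
            return self._reject()
        legal = self.legal.values()                       # step 303
        if not any(hmac.compare_digest(mark.encode(), m.encode()) for m in legal):
            return self._reject()
        # Step 304: decrypt only the storage space for this data identifier.
        return self._open_space(bucket_of(data_id)).get(data_id)  # step 305


def demo():
    key = secrets.token_bytes(32)  # constructed key, assumed present in both modules
    node = MetadataNode(SoftModule(key), ["dn1", "dn2"])
    dn_module = SoftModule(key)
    node.store("file-A", {"blocks": ["dn1:0", "dn2:7"]})  # constructed sample metadata
    mark = node.legal["dn1"]
    ok = node.handle(build_request(dn_module, "file-A", mark))
    forged = node.handle(build_request(dn_module, "file-A", "0" * 32))
    stale = node.handle(build_request(dn_module, "file-A", mark))
    fresh = node.handle(build_request(dn_module, "file-A", node.legal["dn1"]))
    return ok, forged, stale, fresh
```

In demo(), the stale result is None because the rejected forged request rotated every authorization mark, so after any rejection the new marks must reach the legitimate data nodes before they can be served again.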
To implement the above data access method, the embodiments of the present application further provide a metadata node. Referring to Fig. 4, which shows a schematic structural diagram of a metadata node of the present application.
As shown in Fig. 4, the metadata node includes a memory 401, a trusted cryptographic hardware module 402, a communication interface 403 and a processor 404. The processor may be connected to the memory 401, the trusted cryptographic hardware module 402 and the communication interface 403 in order to control these components; for example, the processor, the trusted cryptographic hardware module and the communication interface 403 may be connected through a communication bus.
The memory 401 is configured to store metadata;
The communication interface 403 is configured to receive an encrypted access request sent by a data node, the access request being used to request access to the metadata in the metadata node;
The trusted cryptographic hardware module 402 is configured to decrypt the encrypted access request when called by the processor;
The processor 404 is configured to: if the data identifier and the authorization mark of the data node are decrypted from the encrypted access request based on the trusted cryptographic hardware module, verify whether the authorization mark of the data node is a legal authorization mark; and, when the authorization mark of the data node is a legal authorization mark, obtain the target metadata corresponding to the data identifier from the metadata stored in the memory;
The communication interface 403 is further configured to send the target metadata to the data node.
Optionally, the trusted cryptographic hardware module is further configured to encrypt the metadata before the encrypted access request sent by the data node is received;
Storing metadata in the memory specifically includes: storing the metadata encrypted by the trusted cryptographic hardware module;
When obtaining the target metadata corresponding to the data identifier from the metadata stored in the memory, the processor specifically decrypts, based on the data identifier, the encrypted metadata stored in the metadata node, and determines the target metadata corresponding to the data identifier.
Optionally, when verifying whether the authorization mark of the data node is a legal authorization mark, the processor is specifically configured to verify whether the authorization mark of the data node belongs to the preset legal authorization marks, the preset legal authorization marks being the authorization marks distributed to the data nodes in the data storage system.
Optionally, the processor is further configured to: if decryption of the encrypted access request based on the trusted cryptographic hardware module fails, discard the access request; and reassign an authorization mark to each data node in the storage system and store the reassigned authorization marks as the current legal authorization marks.
On the other hand, in another embodiment of the present application, the present application further provides another server cluster. The structure of this server cluster is the same as that of the server cluster shown in Fig. 1.
The difference is that, in this embodiment, the data node is configured to send an access request to the metadata node, the access request being used to request access to the metadata in the metadata node;
Accordingly, the metadata node is configured to parse out the data identifier carried in the access request; call the trusted cryptographic hardware module to decrypt the encrypted metadata in the metadata node; determine, from the decrypted metadata, the target metadata corresponding to the data identifier; and send the target metadata to the data node.
On the basis of the server cluster of this embodiment, the embodiments of the present application further provide another data access method. For example, referring to Fig. 5, which shows a schematic flowchart of an embodiment of another data access method of the present application, the method of this embodiment is described from the metadata node side and may include:
501. Receive an access request sent by a data node.
The access request is used to request access to the metadata in the metadata node.
502. Parse out the data identifier carried in the access request.
The data identifier characterizes the metadata that the access request asks to access.
503. Call the trusted cryptographic hardware module of the metadata node to decrypt the encrypted metadata in the metadata node.
In this embodiment, the metadata in the metadata node is metadata that has been encrypted by the trusted cryptographic hardware module. Because the trusted cryptographic hardware module can improve the security of data encryption and decryption, encrypting the metadata with the trusted cryptographic hardware module can improve the security of the metadata.
The metadata node calling the trusted cryptographic hardware module to decrypt the encrypted metadata may consist of the processor of the metadata node sending a call instruction to the trusted cryptographic hardware module and instructing it to decrypt the encrypted metadata. Of course, after the processor calls the trusted cryptographic hardware module, the module may also be triggered automatically to decrypt the encrypted metadata.
Optionally, the metadata node may preset a key for encrypting and decrypting the metadata and call the trusted cryptographic hardware module provided in the metadata node itself, so that the trusted cryptographic hardware module encrypts and decrypts the metadata according to that key.
504. From the decrypted metadata, determine the target metadata corresponding to the data identifier.
According to the data identifier, the metadata that the access request asks to access can be located in the decrypted metadata. In the embodiments of the present application, the metadata corresponding to the data identifier is referred to as the target metadata.
505. Send the target metadata to the data node.
In the embodiments of the present application, to improve the security of data in the server cluster, the metadata in the metadata node is metadata that has been encrypted by the trusted cryptographic hardware module, which helps improve the security of the metadata. Thus, even if a device outside the server cluster maliciously accesses the metadata node, it cannot decrypt the metadata and so cannot steal it, and therefore cannot access the data stored in the server cluster, which improves the security of the data.
Meanwhile, in the embodiments of the present application, to improve data security, only the metadata in the metadata node of the server cluster is encrypted and decrypted, which also avoids the excessive data processing that encrypting all the data in the server cluster would cause, reducing the amount of data processing while still ensuring data security.
Optionally, in this embodiment, to avoid the excessive data processing caused by decrypting all the metadata while querying for the target metadata, the encrypted metadata to be processed may be determined, according to the data identifier, from the encrypted metadata stored in the metadata node; the trusted cryptographic hardware module is then called to decrypt the encrypted metadata to be processed. For details, refer to the related description of the preceding embodiment, which is not repeated here.
To implement the above other data access method, the embodiments of the present application further provide another data node, whose structure is similar to that shown in Fig. 4.
The difference is that, in this embodiment, the memory is configured to store encrypted metadata;
The communication interface is configured to receive an access request sent by a data node, the access request being used to request access to the metadata in the metadata node;
The processor is configured to parse out the data identifier carried in the access request; call the trusted cryptographic hardware module to decrypt the encrypted metadata stored in the memory; and determine, from the decrypted metadata, the target metadata corresponding to the data identifier;
The trusted cryptographic hardware module is configured to decrypt the encrypted metadata stored in the memory;
The communication interface is further configured to send the target metadata to the data node.
Optionally, the processor calling the trusted cryptographic hardware module to decrypt the encrypted metadata in the metadata node includes:
The processor determines, according to the data identifier, the encrypted metadata to be processed from the encrypted metadata stored in the metadata node, and calls the trusted cryptographic hardware module to decrypt the encrypted metadata to be processed.
On the other hand, corresponding to a data access method of the present application, the embodiments of the present application further provide a data access device. Referring to Fig. 6, which shows a schematic structural diagram of an embodiment of a data access device of the present application.
The device of this embodiment is applied to a metadata node in which a trusted cryptographic hardware module is provided, and the device includes:
A request receiving unit 601, configured to receive an encrypted access request sent by a data node, the access request being used to request access to the metadata in the metadata node;
A module calling unit 602, configured to call the trusted cryptographic hardware module to decrypt the encrypted access request;
An identity verification unit 603, configured to verify whether the authorization mark of the data node is a legal authorization mark if the data identifier and the authorization mark of the data node are decrypted from the encrypted access request based on the trusted cryptographic hardware module;
A data obtaining unit 604, configured to obtain the target metadata corresponding to the data identifier from the metadata stored in the metadata node when the authorization mark of the data node is a legal authorization mark;
A data sending unit 605, configured to send the target metadata to the data node.
Optionally, the metadata stored in the metadata node is metadata encrypted by the trusted cryptographic hardware module;
When obtaining the target metadata corresponding to the data identifier from the metadata stored in the metadata node, the data obtaining unit is specifically configured to decrypt, based on the data identifier, the encrypted metadata stored in the metadata node, and determine the target metadata corresponding to the data identifier.
When verifying whether the authorization mark of the data node is a legal authorization mark, the identity verification unit is specifically configured to verify whether the authorization mark of the data node belongs to the preset legal authorization marks, the preset legal authorization marks being the authorization marks distributed to the data nodes in the data storage system.
The device further includes:
A request discarding unit, configured to discard the access request if decryption of the encrypted access request based on the trusted cryptographic hardware module fails.
Further, the device may also include:
A mark reassignment unit, configured to reassign an authorization mark to each data node in the data storage system and store the reassigned authorization marks as the current legal authorization marks.
On the other hand, corresponding to the other data access method of the present application, the embodiments of the present application further provide another data access device.
For example, referring to Fig. 7, which shows a schematic structural diagram of an embodiment of another data access device of the present application, the device of this embodiment may be applied to a metadata node in which a trusted cryptographic hardware module is provided, and the device includes:
A request receiving unit 701, configured to receive an access request sent by a data node, the access request being used to request access to the metadata in the metadata node;
A request parsing unit 702, configured to parse out the data identifier carried in the access request;
A module calling unit 703, configured to call the trusted cryptographic hardware module to decrypt the encrypted metadata in the metadata node;
A data determining unit 704, configured to determine, from the decrypted metadata, the target metadata corresponding to the data identifier;
A data sending unit 705, configured to send the target metadata to the data node.
Optionally, the module calling unit includes:
A data screening unit, configured to determine, according to the data identifier, the encrypted metadata to be processed from the encrypted metadata stored in the metadata node;
A module calling subunit, configured to call the trusted cryptographic hardware module to decrypt the encrypted metadata to be processed.
Finally, it should also be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual such relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or also includes elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar among the embodiments, reference may be made to one another.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (17)
1. A data access method, characterized in that it is applied to a metadata node in which a trusted cryptographic hardware module is provided, the method comprising:
Receiving an encrypted access request sent by a data node, the access request being used to request access to the metadata in the metadata node;
Calling the trusted cryptographic hardware module to decrypt the encrypted access request;
If the data identifier and the authorization mark of the data node are decrypted from the encrypted access request based on the trusted cryptographic hardware module, verifying whether the authorization mark of the data node is a legal authorization mark;
When the authorization mark of the data node is a legal authorization mark, obtaining the target metadata corresponding to the data identifier from the metadata stored in the metadata node;
Sending the target metadata to the data node.
2. The data access method according to claim 1, characterized in that the metadata stored in the metadata node is metadata encrypted by the trusted cryptographic hardware module;
Obtaining the target metadata corresponding to the data identifier from the metadata stored in the metadata node comprises:
Based on the data identifier, decrypting the encrypted metadata stored in the metadata node, and determining the target metadata corresponding to the data identifier.
3. The data access method according to claim 1, characterized in that verifying whether the authorization mark of the data node is a legal authorization mark comprises:
Verifying whether the authorization mark of the data node belongs to the preset legal authorization marks, the preset legal authorization marks being the authorization marks distributed to the data nodes in the data storage system.
4. The data access method according to claim 1, characterized by further comprising:
If decryption of the encrypted access request based on the trusted cryptographic hardware module fails, discarding the access request.
5. The data access method according to claim 4, characterized in that, while discarding the access request, the method further comprises:
Reassigning an authorization mark to each data node in the data storage system, and storing the reassigned authorization marks as the current legal authorization marks.
6. A data access method, characterized in that it is applied to a metadata node in which a trusted cryptographic hardware module is provided, the method comprising:
Receiving an access request sent by a data node, the access request being used to request access to the metadata in the metadata node;
Parsing out the data identifier carried in the access request;
Calling the trusted cryptographic hardware module to decrypt the encrypted metadata in the metadata node;
Determining, from the decrypted metadata, the target metadata corresponding to the data identifier;
Sending the target metadata to the data node.
7. The data access method according to claim 1, characterized in that calling the trusted cryptographic hardware module to decrypt the encrypted metadata in the metadata node comprises:
Determining, according to the data identifier, the encrypted metadata to be processed from the encrypted metadata stored in the metadata node;
Calling the trusted cryptographic hardware module to decrypt the encrypted metadata to be processed.
8. A metadata node, characterized in that the metadata node comprises:
A memory, a trusted cryptographic hardware module, a communication interface and a processor;
Wherein the memory is configured to store metadata;
The communication interface is configured to receive an encrypted access request sent by a data node, the access request being used to request access to the metadata in the metadata node;
The trusted cryptographic hardware module is configured to decrypt the encrypted access request when called by the processor;
The processor is configured to: if the data identifier and the authorization mark of the data node are decrypted from the encrypted access request based on the trusted cryptographic hardware module, verify whether the authorization mark of the data node is a legal authorization mark; and, when the authorization mark of the data node is a legal authorization mark, obtain the target metadata corresponding to the data identifier from the metadata stored in the memory;
The communication interface is further configured to send the target metadata to the data node.
9. The metadata node according to claim 8, characterized in that the trusted cryptographic hardware module is further configured to encrypt the metadata before the encrypted access request sent by the data node is received;
Storing metadata in the memory specifically includes: storing the metadata encrypted by the trusted cryptographic hardware module;
When obtaining the target metadata corresponding to the data identifier from the metadata stored in the memory, the processor specifically decrypts, based on the data identifier, the encrypted metadata stored in the metadata node, and determines the target metadata corresponding to the data identifier.
10. The metadata node according to claim 8, characterized in that, when verifying whether the authorization mark of the data node is a legal authorization mark, the processor is specifically configured to verify whether the authorization mark of the data node belongs to the preset legal authorization marks, the preset legal authorization marks being the authorization marks distributed to the data nodes in the data storage system.
11. The metadata node according to claim 8, characterized in that the processor is further configured to: if decryption of the encrypted access request based on the trusted cryptographic hardware module fails, discard the access request; and reassign an authorization mark to each data node in the storage system and store the reassigned authorization marks as the current legal authorization marks.
12. A metadata node, characterized by comprising:
A memory, a trusted cryptographic hardware module, a communication interface and a processor;
Wherein the memory is configured to store encrypted metadata;
The communication interface is configured to receive an access request sent by a data node, the access request being used to request access to the metadata in the metadata node;
The processor is configured to parse out the data identifier carried in the access request; call the trusted cryptographic hardware module to decrypt the encrypted metadata stored in the memory; and determine, from the decrypted metadata, the target metadata corresponding to the data identifier;
The trusted cryptographic hardware module is configured to decrypt the encrypted metadata stored in the memory;
The communication interface is further configured to send the target metadata to the data node.
13. The metadata node according to claim 12, characterized in that the processor calling the trusted cryptographic hardware module to decrypt the encrypted metadata in the metadata node comprises:
The processor determines, according to the data identifier, the encrypted metadata to be processed from the encrypted metadata stored in the metadata node, and calls the trusted cryptographic hardware module to decrypt the encrypted metadata to be processed.
14. A data access device, characterized in that it is applied to a metadata node in which a trusted cryptographic hardware module is provided, the device comprising:
A request receiving unit, configured to receive an encrypted access request sent by a data node, the access request being used to request access to the metadata in the metadata node;
A module calling unit, configured to call the trusted cryptographic hardware module to decrypt the encrypted access request;
An identity verification unit, configured to verify whether the authorization mark of the data node is a legal authorization mark if the data identifier and the authorization mark of the data node are decrypted from the encrypted access request based on the trusted cryptographic hardware module;
A data obtaining unit, configured to obtain the target metadata corresponding to the data identifier from the metadata stored in the metadata node when the authorization mark of the data node is a legal authorization mark;
A data sending unit, configured to send the target metadata to the data node.
15. A data access device, characterized in that it is applied to a metadata node in which a trusted cryptographic hardware module is provided, the device comprising:
A request receiving unit, configured to receive an access request sent by a data node, the access request being used to request access to the metadata in the metadata node;
A request parsing unit, configured to parse out the data identifier carried in the access request;
A module calling unit, configured to call the trusted cryptographic hardware module to decrypt the encrypted metadata in the metadata node;
A data determining unit, configured to determine, from the decrypted metadata, the target metadata corresponding to the data identifier;
A data sending unit, configured to send the target metadata to the data node.
16. A server cluster, characterized by comprising:
A metadata node and at least one data node, the metadata node being connected to the data node through a network, and both the metadata node and the data node being provided with a trusted cryptographic hardware module;
Wherein the data node is configured to obtain the data identifier to be accessed and the authorization mark of the data node; call the trusted cryptographic hardware module of the data node to encrypt the data identifier and the authorization mark of the data node, and generate an access request using the encrypted data identifier and authorization mark of the data node; and send the access request to the metadata node;
The metadata node calls the trusted cryptographic hardware module to decrypt the encrypted access request; if the data identifier and the authorization mark of the data node are decrypted from the encrypted access request based on the trusted cryptographic hardware module, verifies whether the authorization mark of the data node is a legal authorization mark; when the authorization mark of the data node is a legal authorization mark, obtains the target metadata corresponding to the data identifier from the metadata stored in the metadata node; and sends the target metadata to the data node.
17. A server cluster, characterized by comprising:
A metadata node and at least one data node, the metadata node being connected to the data node through a network, and both the metadata node and the data node being provided with a trusted cryptographic hardware module;
The data node is configured to send an access request to the metadata node, the access request being used to request access to the metadata in the metadata node;
The metadata node is configured to parse out the data identifier carried in the access request; call the trusted cryptographic hardware module to decrypt the encrypted metadata in the metadata node; determine, from the decrypted metadata, the target metadata corresponding to the data identifier; and send the target metadata to the data node.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710184332.3A CN106790304A (en) | 2017-03-24 | 2017-03-24 | Data access method, device, node and server cluster |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106790304A true CN106790304A (en) | 2017-05-31 |
Family
ID=58966385
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710184332.3A Pending CN106790304A (en) | 2017-03-24 | 2017-03-24 | Data access method, device, node and server cluster |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106790304A (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102200925A (en) * | 2010-03-22 | 2011-09-28 | Lenovo (Beijing) Co., Ltd. | Data access method of application virtual domains, virtual machine manager and computer |
CN103563330A (en) * | 2011-05-23 | 2014-02-05 | Qualcomm Incorporated | Facilitating data access control in peer-to-peer overlay networks |
CN103843299A (en) * | 2011-07-29 | 2014-06-04 | Qualcomm Incorporated | Facilitating access control in peer-to-peer overlay networks |
US20160098573A1 (en) * | 2014-10-03 | 2016-04-07 | Zettaset, Inc. | Securing a Distributed File System |
CN105516110A (en) * | 2015-12-01 | 2016-04-20 | Chengdu Huihe Qianyuan Technology Co., Ltd. | Mobile equipment secure data transmission method |
Non-Patent Citations (2)
Title |
---|
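Zhang Xiaojie: "Research and Design of a Trusted Distributed File System Based on HDFS", China Master's Theses Full-text Database, Information Science and Technology * |
Shen Qingni: "MapReduce Secure Redundant Scheduling Strategy Based on Dynamic Domain Partitioning", Journal on Communications * |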
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110011956A (en) * | 2018-12-12 | 2019-07-12 | Alibaba Group Holding Limited | A kind of data processing method and device |
US11038673B2 (en) | 2018-12-12 | 2021-06-15 | Advanced New Technologies Co., Ltd. | Data processing method and apparatus |
CN110708291A (en) * | 2019-09-10 | 2020-01-17 | Ping An Puhui Enterprise Management Co., Ltd. | Data authorization access method, device, medium and electronic equipment in distributed network |
WO2021238583A1 (en) * | 2020-05-27 | 2021-12-02 | Huawei Technologies Co., Ltd. | Method and apparatus for operating data object, and computing device and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9774595B2 (en) | Method of authentication by token | |
RU2620998C2 (en) | Method and authentication device for unlocking administrative rights | |
CN101026455B (en) | Secure processor | |
CN109450633B (en) | Information encryption transmission method and device, electronic equipment and storage medium | |
CN104216907A (en) | Method, device and system for providing database access control | |
CN109714171B (en) | Safety protection method, device, equipment and medium | |
CN106302606B (en) | Across the application access method and device of one kind | |
CN106033503A (en) | Method, device and system of online writing application secret key into digital content equipment | |
CN106027473A (en) | Identity card reading terminal and cloud authentication platform data transmission method and system | |
CN113572791B (en) | Video Internet of things big data encryption service method, system and device | |
CN104243452B (en) | A kind of cloud computing access control method and system | |
CN107040520A (en) | A kind of cloud computing data-sharing systems and method | |
CN106790304A (en) | Data access method, device, node and server cluster | |
US11245699B2 (en) | Token-based device access restriction systems | |
CN106992978A (en) | Network safety managing method and server | |
CN105430649B (en) | WIFI cut-in method and equipment | |
CN113328979B (en) | Method and device for recording access behaviors | |
CN111988262B (en) | Authentication method, authentication device, server and storage medium | |
CN109802927B (en) | Security service providing method and device | |
CN108900555A (en) | A kind of data processing method and device | |
CN111338841A (en) | Data processing method, device, equipment and storage medium | |
CN108243158A (en) | A kind of method and apparatus of safety certification | |
CN106415565B (en) | Protect software project | |
CN113326489A (en) | User information authentication system and method | |
CN107919958A (en) | A kind of processing method of data encryption, device and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20170531 |