CN108280367A - Management method, device, computing device and the storage medium of data manipulation permission - Google Patents
Management method, device, computing device and the storage medium of data manipulation permission Download PDFInfo
- Publication number
- CN108280367A CN108280367A CN201810057920.5A CN201810057920A CN108280367A CN 108280367 A CN108280367 A CN 108280367A CN 201810057920 A CN201810057920 A CN 201810057920A CN 108280367 A CN108280367 A CN 108280367A
- Authority
- CN
- China
- Prior art keywords
- data
- operation request
- operating right
- request
- data operation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000007726 management method Methods 0.000 title claims abstract description 219
- 238000000034 method Methods 0.000 claims description 41
- 238000012550 audit Methods 0.000 claims description 33
- 230000004044 response Effects 0.000 claims description 27
- 238000012545 processing Methods 0.000 claims description 13
- 230000006399 behavior Effects 0.000 claims description 10
- 238000012986 modification Methods 0.000 claims description 10
- 230000004048 modification Effects 0.000 claims description 10
- 238000013475 authorization Methods 0.000 claims description 6
- 230000005540 biological transmission Effects 0.000 claims description 5
- 230000006870 function Effects 0.000 claims description 5
- 238000012544 monitoring process Methods 0.000 claims description 5
- 230000001413 cellular effect Effects 0.000 description 14
- 238000010586 diagram Methods 0.000 description 14
- 230000002159 abnormal effect Effects 0.000 description 6
- 238000004891 communication Methods 0.000 description 5
- 230000008569 process Effects 0.000 description 4
- 230000008859 change Effects 0.000 description 3
- 238000012217 deletion Methods 0.000 description 3
- 230000037430 deletion Effects 0.000 description 3
- 238000003780 insertion Methods 0.000 description 3
- 230000037431 insertion Effects 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 2
- 239000002131 composite material Substances 0.000 description 2
- 238000013523 data management Methods 0.000 description 2
- 230000009977 dual effect Effects 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000007474 system interaction Effects 0.000 description 2
- 238000005284 basis set Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000000151 deposition Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000005611 electricity Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012806 monitoring device Methods 0.000 description 1
- 210000003205 muscle Anatomy 0.000 description 1
- 238000013486 operation strategy Methods 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
This application discloses the management method of data manipulation permission, device, computing device and storage mediums.Wherein, the management method of data manipulation permission, including:Data operation request is received from the first client;Determine the corresponding operation scenario mark of the data operation request, wherein the operation scenario mark is for identifying the application scenarios type corresponding to the data operation request;It obtains the operation scenario and identifies corresponding first operating right strategy;The data operation request and the first operating right strategy are subjected to matching operation;When determining that the data operation request meets the first operating right strategy, the data operation request is executed.
Description
Technical field
This application involves the management method of field of cloud calculation more particularly to data manipulation permission, device, computing device and deposit
Storage media.
Background technology
With the development of cloud, various cloud data platforms can provide data analysis under multi-user environment, at data
Reason and data displaying service.Since the data of multi-user are stored in cloud data platform, the operating right of each user is carried out
Management is to ensure the important link of platform data safety.
Invention content
On one side according to the application, a kind of management method of data manipulation permission is provided, including:From the first client
Data operation request is received, wherein the data operation request operates related instruction for describing with database table;Determine institute
State the corresponding operation scenario mark of data operation request, wherein the operation scenario mark is asked for identifying the data manipulation
Seek corresponding application scenarios type;It obtains the operation scenario and identifies corresponding first operating right strategy;By the data
Operation requests carry out matching operation with the first operating right strategy;And described in meeting when the determining data operation request
When the first operating right strategy, the data operation request is executed.
In some embodiments, management method further includes:When determine the data operation request be unsatisfactory for it is described first behaviour
When making authorization policy, the first notification message for indicating not execute the data operation request is generated, and first notice is disappeared
Breath is sent to first client.
In some embodiments, data operation request is received from the first client, including:Receive the first user identifier and right
The operational order of first object data;The data operation request is matched with the first operating right strategy executing
Before operation, this method further includes:Inquire second operating right plan of first user identifier to the first object data
Slightly;The operational order and the second operating right strategy are subjected to matching operation;When determining the operational order and second
When operating right strategy mismatches, the second notification message for indicating not execute the operational order is generated, and described second is led to
Know that message is sent to first client.
In some embodiments, the management method executes in task management system, and the task management system includes
Task management device based on honeycomb framework and the rights management device based on forester's framework;Inquiry first user
The second operating right strategy to the first object data is identified, including:To the permission in the task management device
Managing device sends the inquiry request to the second operating right strategy;It is looked into response to described in the rights management device
Request is ask, inquires the database table operational order collection of first user identifier to second target data, and by the data
Table handling instruction set in library is as the second operating right strategy.
In some embodiments, the task management system further includes session management device;The determination data behaviour
Make to ask corresponding operation scenario mark, including:When the session management device receives the institute from first client
When stating data operation request, determine that the corresponding operation scenario of the data operation request identifies according to application scenarios library, wherein institute
State incidence relation of the application scenarios library for descriptive data base table handling and operation scenario mark;In the session management device
Operation scenario mark is set to the parameter of the corresponding honeycomb session of first user identifier, wherein the honeycomb session
For the data operation request to be sent to the task management device.
In some embodiments, the first operating right strategy of the acquisition and the progress matching operation, including:Described
Task management device is by the way that when data operation request, phase is resolved to by the data operation request described in the honeycomb acquisition conversation
The abstract language structure tree answered;In the task management device, monitoring to generate described be abstracted by Hook Function mode
When language structure tree, according to the parameter, the first operating right strategy corresponding with the abstract language structure tree is inquired;Institute
It states in task management device, determines whether the abstract language structure tree meets the first operating right strategy.
In some embodiments, management method further includes:First client is received in the session management device
To the authority acquiring request of the second target data, which includes the first user identifier and requested permission model
It encloses;In the session management device, in response to the authority acquiring request, corresponding 4th notice is sent to the second client
Message, so that the second client is according to the 4th notification message returning response message, wherein the 4th notice message package includes institute
State authority acquiring request;The response message is received in the session management device;When the response message indicates to agree to institute
When stating authority acquiring request, asked to the corresponding permission modification of rights management device transmission in the session management device
It asks;In the rights management device, changes and ask in response to the permission, by first user identifier to second mesh
The operating right range of mark data is revised as requested extent of competence.
In some embodiments, the task management system further includes the audit dress based on search inquiry server architecture
It sets, this method further includes:In the rights management device, day related with the implementing result of the data operation request is generated
Will records, and the log recording is sent to the audit device;In the audit device, institute is analyzed according to predetermined policy
State log recording;When determining that log recording described in any bar does not meet at least one rule in the predetermined policy, in institute
It states and generates corresponding alarm information in audit device, and the alarm information is sent to first client.
In some embodiments, described to receive request of data from the first client, including:Receive the first user identifier and right
The operational order of first object data;The data operation request is matched with the first operating right strategy executing
Before operation, this method further includes:Inquiry has permission the user identifier that the first object data are executed with the operational order
Range;First user identifier and the user identifier range are subjected to matching operation;When determining first user identifier
When being mismatched with the user identifier range, the third notice message for indicating not execute the operational order is generated, and will be described
Third notice message is sent to first client.
In some embodiments, the acquisition operation scenario identifies corresponding first operating right strategy, including:It looks into
Ask corresponding the first operational order collection for being allowed to execute of the operation scenario mark;The determination data operation request
Meet the first operating right strategy, including:Operational order belongs to first behaviour in determining the data operation request
When making instruction set, determine that the data operation request meets the first operating right strategy.
In some embodiments, the acquisition operation scenario identifies corresponding first operating right strategy, including:It looks into
Ask corresponding the second operational order collection for being prohibited to execute of the operation scenario mark;The determination data operation request
Meet the first operating right strategy, including:Operational order is not belonging to described second in determining the data operation request
When operational order collection, determine that the data operation request meets the first operating right strategy.
According to application another aspect, a kind of managing device of data manipulation permission is provided, including:Receiving unit is used for
Data operation request is received from the first client;Scene determination unit, for determining the corresponding operation of the data operation request
Scene identity, wherein the operation scenario mark is for identifying the application scenarios type corresponding to the data operation request;First
Acquiring unit identifies corresponding first operating right strategy for obtaining the operation scenario;First matching unit is used for institute
It states data operation request and carries out matching operation with the first operating right strategy;Processing unit, for when first matching
When unit determines that the data operation request meets the first operating right strategy, the data operation request is executed.
In some embodiments, which further includes notification unit, and institute is determined for working as first matching unit
When stating data operation request and being unsatisfactory for the first operating right strategy, generates and indicate not executing the of the data operation request
One notification message, and first notification message is sent to first client.
In some embodiments, the receiving unit receives request of data according to following manner from the first client:It receives
First user identifier and operational order to first object data;The managing device further includes:Second acquisition unit, in institute
It states the first matching unit to execute before the data operation request and the first operating right strategy progress matching operation, look into
Ask second operating right strategy of first user identifier to the first object data;Second matching unit is used for institute
It states operational order and carries out matching operation with the second operating right strategy.The notification unit is additionally operable to, when described second
When determining that the operational order and the second operating right strategy mismatch with unit, generates and indicate not executing the operational order
Second notification message, and the second notification message is sent to first client.
In some embodiments, the receiving unit receives request of data according to following manner from the first client:It receives
First user identifier and operational order to first object data.The managing device further includes:Second acquisition unit, in institute
The first matching unit is stated by before the data operation request and the first operating right strategy progress matching operation, inquiry has
Permission executes the first object data user identifier range of the operational order;Second matching unit, being used for will be described
First user identifier carries out matching operation with the user identifier range.The notification unit is additionally operable to, when second matching
When unit determines that first user identifier is mismatched with the user identifier range, generates and indicate not executing the operational order
Third notice message, and the third notice message is sent to first client.
In some embodiments, the first acquisition unit is corresponding according to the following manner acquisition operation scenario mark
First operating right strategy:Inquire corresponding the first operational order collection for being allowed to execute of the operation scenario mark;It is described
First matching unit determines that the data operation request meets the first operating right strategy according to following manner:Determining
When stating operational order in data operation request and belonging to the first operational order collection, determine that the data operation request meets described in
First operating right strategy.
In some embodiments, the first acquisition unit is corresponding according to the following manner acquisition operation scenario mark
First operating right strategy:Inquire corresponding the second operational order collection for being prohibited to execute of the operation scenario mark;It is described
First matching unit determines that the data operation request meets the first operating right strategy according to following manner:Determining
When stating operational order in data operation request and being not belonging to the second operational order collection, determine that the data operation request meets institute
State the first operating right strategy.
In some embodiments, the receiving unit is additionally operable to, and receives second target data of the first client pair
Authority acquiring request, the authority acquiring request include the first user identifier and requested extent of competence;The notification unit is also
For in response to the authority acquiring request, corresponding 4th notification message being sent to the second client, so as to the second client
According to the 4th notification message returning response message, wherein the 4th notice message package includes the authority acquiring request;It is described
Receiving unit is additionally operable to, and receives the response message;The managing device further includes rights management unit, is disappeared for working as the response
When breath agrees the authority acquiring request, by first user identifier to the operating right model of second target data
It encloses and is revised as requested extent of competence.
In some embodiments, which further includes:Operation note unit is asked for generating with the data manipulation
The related log recording of implementing result asked;Auditable unit analyzes the log recording according to predetermined policy, when determining any bar
When the log recording does not meet at least one rule in the predetermined policy, corresponding alarm information is generated, by the announcement
Alert message is sent to first client.
According to the application another aspect, a kind of computing device is provided, including:One or more processors, memory with
And one or more programs.Program is stored in the memory and is configured as being executed by one or more of processors, institute
State the instruction that one or more programs include the management method of the data manipulation permission for executing the application.
According to the application another aspect, a kind of storage medium is provided, is stored with one or more programs.It is one or
Multiple programs include instruction.Described instruction is when executed by a computing apparatus so that the computing device executes the data of the application
The management method of operating right.
To sum up, according to the technical solution of the application, by identifying that the application scenarios of data operation request (determine operation field
Scape identifies), and by by data operation request operating right range corresponding with application scenarios (i.e. the first operating right strategy)
Matching operation is carried out, so as to be managed to data operating right according to application scenarios.In this way, the technical solution of the application
Maloperation can be carried out in different application scene to avoid user.
Description of the drawings
It, below will be to needed in example description in order to illustrate more clearly of the technical solution in present application example
Attached drawing is briefly described, it should be apparent that, the accompanying drawings in the following description is only some examples of the application, for this field
For those of ordinary skill, without having to pay creative labor, it can also be obtained according to these attached drawings other attached
Figure.
Fig. 1 shows the schematic diagram of the application scenarios 100 according to the application some embodiments;
Fig. 2A shows the schematic diagram of the management method 200 of the data manipulation permission according to the application some embodiments;
Fig. 2 B and 2C respectively illustrate the user interface of a client according to the embodiment of the present application;
Fig. 3 shows the schematic diagram of the management method 300 of the data manipulation permission according to the application some embodiments;
Fig. 4 A show the schematic diagram of the management method 400 of the data manipulation permission according to the application some embodiments;
Fig. 4 B and 4C respectively illustrate the user interface of the first client according to the embodiment of the present application;
Fig. 5 A show the system interaction figure according to some embodiments of the application;
Fig. 5 B show the system schematic according to some embodiments of the application;
Fig. 5 C show the system schematic according to some embodiments of the application;
Fig. 5 D show the system schematic according to some embodiments of the application;
Fig. 6 shows the schematic diagram of the managing device 600 of the data manipulation permission according to the application some embodiments;
Fig. 7 shows the schematic diagram of the managing device 700 of the data manipulation permission according to the application some embodiments;And
Fig. 8 shows the composite structural diagram of a computing device.
Specific implementation mode
Below in conjunction with the attached drawing in present application example, the technical solution in present application example is carried out clearly and completely
Description, it is clear that described example is only a part of example of the application, rather than whole examples.Based on the reality in the application
Example, every other example obtained by those of ordinary skill in the art without making creative efforts belong to this
Apply for the range of protection.
Fig. 1 shows the schematic diagram of the application scenarios 100 according to the application some embodiments.
As shown in Figure 1, application scenarios 100 may include task management system 110, task execution system 120 and multiple visitors
Family end.For example, Fig. 1 shows the first client 130 and the second client 140, but not limited to this.Here, task execution system
120 may be implemented as various distributed systems, for example, the system based on Ha Dupu (hadoop) framework.Task execution system
120 may include multiple calculate nodes, such as may be implemented as server cluster.Client may be implemented as mobile electricity
The various computing devices such as words, desktop computer, laptop or tablet computer.First and second clients, which can log in, appoints
The management system of being engaged in 110, and to 110 transmission data operation task of task management system.Here, data manipulation task for example can be
Create or delete database table, the insertion in database table, replacement, deletion, inquiry operation etc..In this way, task management system
System 110 can parse the data manipulation task received from client, and the task after parsing is sent to task execution
System 120.For example, task management system 110 can be based on the frameworks such as honeycomb (hive).In addition, task management system 110 can be with
Task right is managed, with assuring data security.In other words, task management system 110 is considered a number
According to warehouse management system.The way to manage of task management system 110 is further illustrated with reference to Fig. 2A.
Fig. 2A shows the schematic diagram of the management method 200 of the data manipulation permission according to the application some embodiments.Side
Method 200 can for example execute in task management system 110.
As shown in Figure 2 A, method 200 may include step S201, and data operation request is received from the first client.Here,
Data operation request can be create database table, delete database table, modification database table structure (for example, for example increase or
Delete row), data insertions, load document, inquiry operation etc. into database table are carried out to one or more database tables.
In step S202, the corresponding operation scenario mark of data operation request is determined.Wherein, data operation request is used for
Description operates related instruction with database table.Operation scenario mark is for identifying and the application corresponding to the data operation request
Scene type.Data operation request can indicate corresponding database table operation.In this way, the application corresponding to data operation request
Scene type is also corresponding with the database table operation indicated by the data operation request.Here, application scenarios type can by by
It is divided according to the type of operation requests.The type of data operation request for example may include data manipulation sentence (data
Manipulation language, abbreviation DML) and data definition statement (data definition language, referred to as
DDL).Wherein, DML operational orders for example may include inquiry instruction (SELECT), more new command (UPDATE), inserting instruction
(INSERT) and deletion instructs (DELETE).DDL operational orders for example may include that table creates instruction (CREATE), table structure is repaiied
Change instruction (ALTER) and object deletes instruction (DROP).
For example, Fig. 2 B and 2C respectively illustrate the user interface of a client according to the embodiment of the present application.Fig. 2 B show
The interface of an establishment database table is gone out.Correspondingly, Fig. 2 B correspond to the application scenarios of an establishment database table.In Fig. 2 B
It can be obtained about the order for creating tables of data by input frame 201.The application scenarios in step S201 is received about Fig. 2 B
Data operation request when, step S202 can determine corresponding operation scenario mark, that is, indicate the scene for creating database table
Mark.Fig. 2 C show the user interface of an inquiry database table.In fig. 2 c, input frame 202 can be inputted according to user
Tables of data in search listing frame 203.Input frame 204 is used to receive the order of inquiry operation.For example, what an inquiry operation was asked
Partial code example is:Select*from dual a join dual b on a.key=b.key (indicate inquiry database
Table a and b, and the two carried out inline).Correspondingly, Fig. 2 C correspond to the application scenarios of an inquiry database table.Step S202
Application scenarios of middle the determined operation scenario mark for identifying inquiry database table.In one embodiment, step S201
As that can determine data manipulation scene identity according to a field in message corresponding to data operation request.Specifically, step
S202 can be based on the field and scene identity mapping relations, determine corresponding operation scenario mark.In another embodiment
In, step S202 can parse data operation request, so that it is determined that corresponding operation scenario mark.
In yet another embodiment, task management system 110 can also include session management device and task management device.
Session management device can for example be based on LDAP (Lightweight Directory Access
Protocol, abbreviation LDAP) and realize.Task management device can for example be based on honeycomb (Hive) framework and realize.In other words,
Task management device is considered a hive Tool for Data Warehouse.In step S202, when being connect in session management device
When receiving the data operation request from the first client, the corresponding operation field of data operation request is determined according to application scenarios library
Scape identifies.Wherein, incidence relation of the application scenarios library for descriptive data base table handling and operation scenario mark.Since data are grasped
Make request and operate related instruction with database table for describing, step S202 can be according to the number corresponding to data operation request
According to library table handling, which is operated into associated operation scenario mark as the operation corresponding to the data operation request
Scene identity.In addition, session management device, which can identify operation scenario, is set as the corresponding honeycomb session of the first user identifier
The parameter of (hive session).Wherein, honeycomb session refers to session connection between session management device and task management device.
The corresponding honeycomb session of first user identifier can be used for that data operation request is sent to task management by session management device
Device.
In step S203, obtains operation scenario and identify corresponding first operating right strategy.In step S204, it will count
Matching operation is carried out according to operation requests and the first operating right strategy.When determine data operation request meet the first operating right plan
When slightly, method 200 can execute step S205, execute data operation request.
In one embodiment, step S203 can be to be allowed to the execute first behaviour corresponding to inquiry operation scene identity
Make instruction set.Here, the first operational order collection is to allow to identify the instruction executed in corresponding application scenarios in the operation scenario
Range.Data operation request and the first operational order collection can be carried out matching operation by step S204.Determining that data manipulation asks
When each operational order belongs to the first operational order collection in asking, step S204 can determine that data operation request meets the first operation
Authorization policy.
In yet another embodiment, step S203 can be be prohibited to execute second corresponding to inquiry operation scene identity
Operational order collection.Here, the second operational order collection is inhibited in the operation scenario and identifies executes in corresponding application scenarios
Range of instructions.Data operation request can be carried out matching operation by step S204 in the second operational order collection.Determining data behaviour
When each operational order is not admitted to the second operational order collection in asking, step S204 can determine that data operation request meets the
One operating right strategy.
In yet another embodiment, step S203 can be asked in task management device by honeycomb acquisition conversation data manipulation
When asking, data operation request is resolved into corresponding abstract language structure tree (Abstract Structure Tree, abbreviation
AST).In task management device, step S203 can pass through Hook Function mode (such as hive hook mechanism) monitoring data
The analysis result of operation requests.When monitoring to generate abstract language structure tree, step S203 can be inquired according to above-mentioned parameter
The first operating right strategy corresponding with abstract language structure tree.In step S204, abstract language is determined by task management device
Whether speech structure tree meets the first operating right strategy.
To sum up, according to the present processes 200, by identifying that the application scenarios of data operation request (determine operation field
Scape identifies), and by by data operation request operating right range corresponding with application scenarios (i.e. the first operating right strategy)
Matching operation is carried out, so as to be managed to data operating right according to application scenarios.In this way, method 200 can be to avoid
User carries out maloperation in different application scene.
Fig. 3 shows the schematic diagram of the management method 300 of the data manipulation permission according to the application some embodiments.Method
300 can for example execute in task management system 110.
As shown in figure 3, method 300 may include step S301, data operation request is received from the first client.At one
In embodiment, data operation request may include the first user identifier and the data manipulation instruction to first object data.Here,
First user identifier is such as can be with various subscriber identity informations user account.Depending on the concrete type of data manipulation instruction,
First object data for example may include one or more database tables.
In step s 302, second operating right strategy of the first user identifier of inquiry to first object data.At one
In embodiment, first object data may include one or more database tables.For the operating right example of each database table
Read right, write permission and table handling permission can be such as divided into.Here, read right for example may include various table inquiry behaviour
Make.The operation such as may include establishment table, deletion table, modification table structure of table handling permission.Write permission for example may include
Insertion operation, replacement operation and delete operation etc. in tables of data.Specifically, step S302 can inquire the first user identifier
Respectively to the operating right of each database table in first object data.On this basis, method 300 can execute step S303,
Operational order and the second operating right strategy are subjected to matching operation.Specifically, step S303 can be by data manipulation
Operational order in request for each database table is matched with corresponding operating right.In the operation for determining each database table
When instruction is with corresponding operating permission match, step S303 can determine the operational order and the second operating rights to first object data
Limit strategy matching.
In one embodiment, task management system 110 may include the task based on honeycomb framework (i.e. hive frameworks)
Managing device and the rights management device for being based on forester's framework (i.e. Ranger frameworks).Step S302 can be filled in task management
Set the middle inquiry request sent to rights management device to the second operating right strategy.In this way, rights management device can respond
In inquiry request, the database table operational order collection of first the second target data of user identifier pair is inquired, and by the database table
Operational order collection is as the second operating right strategy.
When determining with the second operating right strategy matching, method 300 can execute step S304 to S307.Here, it walks
Suddenly the embodiment of S304 to S307 may be implemented as consistent with step S202 to S205, and which is not described herein again.
In addition, when step S306 determines that data operation request is unsatisfactory for the first operating right strategy, method 300 can be held
Row step S308 generates the first notification message for indicating not execute institute's data operation request, and the first notification message is sent to
First client.
In addition, being mismatched for the operational order of first object data and the second operating right strategy when step S303 is determined
When, method 300 can execute step S309, generate the second notification message for indicating not execute operational order, and second is notified
Message is sent to first client.
To sum up, method 300 can carry out data operation request operating right judgement twice.Sentence in first time operating right
During disconnected, method 300 can determine whether user identifier has first object data the permission for executing data operation request.
When user identifier has the permission for executing data operation request, method 300 can carry out second of operating right judgement.
In secondary operation permission deterministic process, method 300 can determine data manipulation according to the corresponding application scenarios of data operation request
Whether request meets the operating right limitation of the application scenarios.In this way, although a data operation request meets user identifier pair
The operating right range answered, method 300 can to avoid user be not suitable for execute the data operation request application scenarios in into
Row maloperation.
Fig. 4 A show the schematic diagram of the management method 400 of the data manipulation permission according to the application some embodiments.Side
Method 400 can for example execute in task management system 110.
As shown in Figure 4 A, method 400 may include step S401, and data operation request is received from the first client.Here,
Data operation request for example may include the first user identifier and the operational order to first object data.
In step S402, inquiry has permission the user identifier range that first object data are executed with aforesaid operations instruction.
In step S403, the first user identifier and user identifier range are subjected to matching operation, that is, whether judge the first user identifier
Belong to user identifier range.When step S403 determines the first user identifier with the user identifier commensurate in scope, method 400 can
To execute step S404 to S408.Here, the embodiment of step S404 to S408 is consistent with step S304 to S308, here not
It repeats again.
In addition, when step S403 determines that the first user identifier and the user identifier range mismatch, method 400 can be with
Execute step S409.In step S409, the third notice message for indicating not execute operational order is generated, and third notice is disappeared
Breath is sent to the first client.
In addition, step S410 can also be performed in method 400, the authority acquiring of first the second target data of client pair is received
Request, the authority acquiring request include the first user identifier and requested extent of competence.Fig. 4 B are shown according to the application reality
Apply the user interface of the first client of example.As shown in Figure 4 B, popup web page 401 is determined for user to database table institute
The extent of competence of request.On this basis, the first client 130 can be obtained to 110 sending permission of task management system and be asked.
In addition illustrate, the first client can also be managed operating right by packet mode.For example, Fig. 4 C show root
According to the user interface of first client of the application one embodiment.As shown in Figure 4 C, when control 402 is clicked, Yong Hujie
It face can be with pop-up window 403.Here, user can select user and be shown in area by selecting user in control 404
In domain 405.Selected user can for example be added in a group in first client.For a group, system
110 can receive the information about added user in group from the first client.In this way, added user can have the group pair
The operating right answered.
In step S411, in response to authority acquiring request, corresponding 4th notification message is sent to the second client, with
Just the second client is according to the 4th notification message returning response message, wherein the 4th notice message package includes authority acquiring request.
Here, the second target data is, for example, one or more database tables.Second client refers to having pipe to the second target data
Manage the user equipment of permission.When multiple database tables are by multiple user managements in the second target data, step S411 can be with
Respectively request is obtained to the corresponding client sending permission of each user.In step S412, response message is received.Work as response message
When agreeing the authority acquiring request, method 400 can execute step S413, by first the second number of targets of user identifier pair
According to operating right range be revised as requested extent of competence.
In yet another embodiment, task management system 110 may include session management device, be based on honeycomb framework (i.e.
Hive frameworks) task management device and based on forester's framework (i.e. Ranger frameworks) rights management device.Rights management
Device for example can be Ranger serviced components.Step S410, S411 and S412 can be executed by session management device.In step
In S413, corresponding permission modification request is sent from session management device to rights management device.In rights management device, ring
It should change and ask in permission, the operating right range of first the second target data of user identifier pair is revised as requested permission
Range.
In addition, step S414 can also be performed in method 400, daily record related with the implementing result of data operation request is generated
Record.Here, log recording related with implementing result for example can be one or more of records.Log recording for example can be with
Time and data operating result are executed including user identifier, data manipulation instruction, operation.In step S415, according to predetermined plan
Slightly analyze log recording.In one embodiment, predetermined policy for example may include one or more rule.One rule is for example
It is data manipulation instruction to need to match with data manipulation result.Another rule is, for example, that user identifier needs have execution data behaviour
Make the permission instructed.For example, data manipulation instruction is the data for inquiring a field in a database table.Data manipulation result
It needs to read record for inquiry, rather than to other operations such as modification of the tables of data.When step S416 is determined when determination is any
When log recording does not meet at least one rule in predetermined policy, corresponding alarm information is generated, and alarm information is sent out
It is sent to the first client or other monitoring devices.
In one embodiment, task management system 110 may include session management device, be based on honeycomb framework (i.e.
Hive frameworks) task management device, be based on forester's framework (i.e. Ranger frameworks) rights management device and audit device.
Wherein, audit device can for example be based on search inquiry server (Solr) framework and realize.In step S414, by permission pipe
It manages device and generates log recording related with the implementing result of data operation request, and log recording is sent to audit device.
In this way, audit device can execute step S415.When determining that any bar log recording do not meet at least one in predetermined policy
When regular, audit device can execute step S416, generate corresponding alarm information, and alarm information is sent to the first client
End.
To sum up, method 400 can find that data are grasped in time by being analyzed journal record and (being referred to as auditing)
Make abnormal conditions, to handle in time abnormal conditions.
Fig. 5 A show the system interaction figure according to some embodiments of the application.As shown in Figure 5A, task management system 110
May include session management device 111, task management device 112, rights management device 113 and audit device 114.In a reality
It applies in example, session management device 111 can for example be based on LDAP (Lightweight Directory
Access Protocol, abbreviation LDAP) and realize.Task management device 112 can for example be based on honeycomb (Hive) framework and reality
It is existing.Rights management device 113 can be based on safety management frame (such as Ranger, be a kind of centralized security management frame) and
It realizes.Audit device 114 can for example be based on search application server, and (such as Solr is that an independent enterprise-level search is answered
With server, the api interface similar to Web-service is externally provided, the function that may be implemented includes full-text search, hit mark
Show, facet search, the processing of dynamic clustering, geo-database integration and rich text) framework and realize.
First client 130 can execute step S501, be sent to session management device 111 for logging in task management system
The authentication information of system 110, for example, account and encrypted message.Session management device 111 can be according to the use being locally stored
Family identity information carries out matching judgment to the authentication information received.When determining that authentication information passes through verification, meeting
The corresponding data management information of the first client can be obtained from rights management device 113 by talking about managing device 111.Data management is believed
Breath is for example including the database table information to be shown in the first client 130.Database table information to be shown may include using
The mark of database table of the family with administration authority (such as access limit), the mark of the database table with read right, can
Check the mark of the database table of table name.In this way, session management device 111 can execute step S502, to the first client
130 return to the administration page information-related with database table to be shown, to show the administration page in the first client.
First client 130 can execute step S503, and the data manipulation generated for database table in administration page is asked
It asks.Data operation request for example may include the first user identifier and implicit queries language (Hibernate Query
Language, abbreviation HQL) message.In this way, session management device 111 can execute step S504, is determined and grasped according to HQL message
Make scene identity.Step S505 can also be performed in session management device 111, and data operation request and operation scenario mark are sent
To task management device 112.In one embodiment, session management device 111 can be in the meeting of connection task management device 112
Talk about the parameter being arranged on (such as hive session) about operation scenario.Here, the example code of arrange parameter is:set
Wherein, " xx " indicates the mark of operation scenario to tdf.sql.auth.type=xx.In this way, task management device 112 can basis
Set parameter determines that operation scenario identifies.
Task management device 112 can execute step S506, and sending operating right inquiry to rights management device 113 asks
It asks.Rights management device 113 can manage the operating right of database table.For example, in task management device 112, instruction is appointed every time
When execution system 120 of being engaged in generates a database table, rights management device 113 can generate the authority records of the database table.
Authority records for example may include:Owning user, affiliated engineering and affiliated group.In one embodiment, owning user is to the table
With administration authority.User has read right to the table in affiliated engineering.The user of engineering belonging to being not belonging in affiliated group has
Check the permission of table name.Here, specific authorization policy is depended on, rights management device 113 can be to each database table
Operating right carries out corresponding configuration, and which is not described herein again.Rights management device 113 determines that data are grasped in response to the inquiry request
Ask whether with the second limiting operation strategy matching, that is, determine whether the first user identifier has and execute above-mentioned data manipulation and ask
The permission asked.Rights management device 113 can execute step S507, return to permission query result.In this way, task management device
112, when determining that the first user identifier has the permission for executing data manipulation according to permission query result, can continue to execute step
Rapid S508.In step S508, data operation request is resolved into abstract language structure tree (Abstract Structure
Tree, abbreviation AST), and the corresponding operating right range of inquiry operation scene identity (determines above the first operating right plan
Slightly).Here, hook (Hook) function mechanism for example may be used in task management device 112, is generated about data manipulation each
When the AST trees of request, inquires the associated operation scenarios of the AST and identify corresponding operating right range.In step S509, task
Managing device 112 may determine that whether operational order is in inquired data manipulation extent of competence in AST, that is, judges data
Whether operation requests meet the first operating right strategy.Task management device 112 determine belong to operating right range when, can be with
Execute step S510.In step S510, task management device 112 can be operated to 120 transmission data of task execution system and be asked
Seek corresponding task.In this way, task execution system 120 can execute the data operation request.Specifically, task execution system
Task can be split into multiple subtasks, corresponding subtask is then executed in each calculate node.
In addition, rights management device 113 can execute step S511, the implementation procedure of HQL is monitored, generates corresponding daily record
Record.In step S512, rights management device 113 can send log recording to audit device 114.In this way, audit device
114 can execute step S513, be analyzed log recording according to predetermined audit strategy.Audit device 114 is determining diary
Record is deposited when abnormal, and step S514 can be executed.In step S514, audit device 114 can be generated to be led to about abnormal
Know information and sending to the first client 130.It is set in addition, audit device 114 can also transmit notification messages to other monitorings
It is standby.
In addition, step S515 can also be performed in the first client 130, sent to session management device 111 to the second target
The authority acquiring request of data.Session management device 111 can determine the administration authority of the second target data, such as administration authority
Belong to 140 corresponding user of the second client.Session management device 111 can execute step S516, be sent out to the second client 140
Send the notification message about authority acquiring request.Second client 140, can when inputting agreement authority acquiring request according to user
To execute step S517, confirmation message is sent to session management device 111.In this way, session management device 111 can execute step
S518.In step S518, operating right modification request is sent to rights management device 113.In this way, rights management device 113
Step S519 can be executed, the operating right of first the second target data of client pair is changed.
Fig. 5 B show the system schematic according to some embodiments of the application.As shown in Figure 5 B, session management device 111
When receiving data operation request, the data operation request and operation scenario mark can be sent to task management device
112 interface 1121.Interface 1121 can be to 113 sending permission inquiry request of rights management device.Rights management unit 1131
It can inquire whether user has the permission for executing data operation request from authority records unit 1132, and be returned to interface 1121
Return query result.Indicating that user prescribes a time limit with right of execution in query result, compilation unit 1122 can compile data operation request,
To obtain compiling result (being, for example, AST trees).For compiling as a result, matching unit 1123 can be corresponded to inquiry operation scene identity
The first operating right strategy, judge compile result whether meet the first operating right strategy.It determines and compiles in matching unit 1123
When translating result the first operating right strategy of satisfaction, executing administrative unit 1124 can be by the corresponding operation task of data operation request
It is submitted to task execution system 120.Operation task can be assigned to each calculate node by task management node 121, such as 122,
123 and 124.In this way, each calculate node can carry out corresponding data processing.In addition, rights management unit 1131 can also give birth to
The log recording of task execution is carried out at task execution system 120, and is sent to audit device 114.Audit management unit 1141
The audit strategy that can be stored according to regulation management unit 1142, audits to log recording.In this way, audit management unit
1141 can deposit when abnormal determining journal record, can generate about abnormal notification message.Audit management unit 1141
Client (such as first client) can be transmitted notification messages to by task management system 110.
Fig. 5 C show the system schematic according to some embodiments of the application.As shown in Figure 5 C, session management device 111
Such as LDAP (Lightweight Directory Access Protocol, abbreviation can be based on
LDAP it) realizes.Task management device 112 can for example be based on honeycomb (Hive) framework and realize.Task execution system 120
Another resource coordination person (Yet Another Resource Negotiator, YARN) framework such as can be based on and realized.This
In, YARN is a kind of explorer of Ha Dupu.
Session management device 111 may include rights management unit 1111 and application scenarios library 1112.Wherein, application scenarios
Incidence relation of the library 1112 for descriptive data base table handling and operation scenario mark.Number is received in session management device 111
When according to operation requests, rights management unit 1111 can inquire application scenarios library 1112, be operated with received data with determining
Corresponding operation scenario is asked to identify.In multi-user's application scenarios, rights management unit 1111 can for example determine that user marks
Know the corresponding operation scenario marks 1 of A, determines that the corresponding operation scenarios of user identifier B identify 2.Here, for user identifier A, meeting
Words managing device 111 has session 1 (i.e. a hive session) with the foundation of interface 1121.Session management device 111 can incite somebody to action
Operation scenario mark 1 is set as the parameter 1 of session 1.Similarly, for user identifier B, session management device 111 and interface
1125 foundation have session 2.Operation scenario mark 2 is arranged to the parameter 2 of session 2.In addition, session management device 111 can incite somebody to action
The corresponding data operation requests of user identifier A are transferred to compilation unit 1122 by session 1 and interface 1121.Compilation unit 1122
Data operation request can be resolved to AST.Hook 1126 can monitor compilation unit 1122.Hook 1126 for example may be implemented
The method preAnalyze of abstract class AbstractSemanticAnalyzerHook in Hive.Hook 1126 when obtaining AST,
AST can be transmitted to matching unit 1123.Matching unit 1123 can determine AST whether with the first operating right strategy
Match.Determining that matching unit 1123 can send the message for indicating to fit through to administrative unit 1124 is executed when matching.It holds
Row administrative unit 1124 can obtain data operation request from compilation unit 1122 and correspond to when receiving the message fitted through
Pending task.In this way, task execution system 120 can be submitted to by pending task by executing administrative unit 1124.
Fig. 5 D show the system schematic according to some embodiments of the application.As shown in Figure 5 D, session management device 111
Such as LDAP (Lightweight Directory Access Protocol, abbreviation can be based on
LDAP it) realizes.Task management device 112 can for example be based on honeycomb (Hive) framework and realize.Rights management device 113 can
It is realized with being based on safety management frame (such as Ranger, be a kind of centralized security management frame).Audit device 114 is for example
It can be based on search inquiry server (Solr) framework and realize.Session management device 111 may include 1113 He of authenticating unit
Library table administrative unit 1114.Task management device 112 may include cellular services unit 1121 and management plug-in unit 1131.Permission pipe
It may include rights management unit 1131 and authority records library 1132 to manage device 113.Audit device 114 may include auditable unit
1141 and audit strategy library 1142.Here, rights management unit 1131 for example can be forester's manager (Ranger
Manager).Authority records library 1132 can record the operating right of each database table.
Specifically, authenticating unit 1113 can carry out authentication to the client for logging in task management system.For example,
Client 1 passes through authentication information (for example, username and password etc.) access session managing device 111.Authenticating unit 1113
The authentication information of client 1 can be verified.When passing through authentication, client 1 can be filled to session management
Set 111 transmission data operation requests.It should be noted that the type of data operation request for example may include data manipulation sentence
(data manipulation language, abbreviation DML) data definition statement (data definition language, letter
Claim DDL).Wherein, DML operational orders for example may include inquiry instruction (SELECT), more new command (UPDATE), inserting instruction
(INSERT), instruction (DELETE) is deleted.DDL operational orders for example may include that table creates instruction (CREATE), table structure is repaiied
Change instruction (ALTER), object deletes instruction (DROP).For example, client 1 can send DML types to session management device
Operational order.Client 2 can send the operational order of DDL types to session management device 111.
Library table administrative unit 1114 can receive authority acquiring request transmitted by a client.Authority acquiring request refers to
To the request of operation authority an of target data (such as a database table).For example, client 1 can be to library table administrative unit
1114 sending permissions obtain request 1.Authority acquiring request 1 may include one or more operations of the client 1 to target data 1
Authority request.The manager of target data 1 is the user corresponding to client 2.When receiving authority acquiring request 1, library table
Authority acquiring request 1 can be sent to client 2 by administrative unit 1114.Client 2 can be sent out to library table administrative unit 1114
Send response message.When response message indicates that Right of Consent limit obtains request 1, can be sent to rights management unit 1131 accordingly
Permission modification request.In this way, rights management unit 1131 can be with client 1 in modification authority record storehouse 1132 to target data 1
Operating right so that client 1 obtains corresponding with authority acquiring request 1 operating right.In addition illustrate, it is in office
When execution system 120 of being engaged in generates a database table, rights management unit 1131 can generate corresponding authority records, and store
In authority records library 1132.Here, authority records for example can be with the operating rights of the owner of descriptive data base table and the owner
The authority contents such as limit.
Cellular services unit 1121 such as can be Hive Server2 (can execute hive inquiry service) component, but
It is without being limited thereto.Cellular services unit 1121 can establish honeycomb session (hive session) with session management device 111.Example
Such as, for client 1, cellular services unit 1121 has session 1 with the foundation of session management device 111.For client 2, honeycomb
Service unit 1121 has session 2 with the foundation of session management device 111.In this way, cellular services unit 1121 can receive data behaviour
It asks.For example, cellular services unit 1121 can receive the data operation request 1 from client 1.Data operation request 1
Operational orders 1 of the e.g. user identifier A to target data 1.Cellular services unit 1121 can by manage plug-in unit 1133 to
1131 sending permission inquiry request of rights management unit.In this way, rights management unit 1131 can be in authority records library 1132
Inquire operating right ranges (i.e. above second operating right strategy) of the user identifier A to target data 1.On this basis,
Second operating right strategy can be sent to cellular services unit 1121 by rights management unit 1131 by managing plug-in unit 1133.
Here, management plug-in unit 1133 for example can be Ranger Plugin serviced components, but not limited to this.In this way, cellular services unit
1121 can determine whether operational order 1 matches the second operating right strategy.When matching the second operating right strategy, honeycomb clothes
Business unit 1121 can also continue to judge whether operational order 1 meets the first operating right strategy.Here, cellular services unit
1121 to judge whether operational order meets the mode of the first operating right strategy consistent with matching unit 1123 in Fig. 5 C, here not
It repeats again.To sum up, cellular services unit 1121 can carry out data operation request operating right judgement twice.Sentence for the first time
During disconnected, cellular services unit 1121 can determine whether user identifier has target data and execute data operation request
Permission (for example, it is determined whether meeting the second operating right strategy).There is the permission for executing data operation request in user identifier
When, cellular services unit 1121 can carry out second of operating right judgement.In second of operating right deterministic process, honeycomb
Service unit 1121 can determine whether data operation request meets the application according to the corresponding application scenarios of data operation request
The operating right limitation (for example, determining whether data operation request meets the first operating right strategy) of scene.In this way, at one
When data operation request meets user identifier corresponding operating right range, cellular services unit 1121 can be to avoid user not
It is suitably executed in the application scenarios of the data operation request and carries out maloperation.
In addition, rights management unit 1131 can monitor the implementing result to data manipulation.Here, rights management unit
1131 can generate log recording related with implementing result, and log recording is sent to audit device 114.Regulation management list
Member 1142 is stored with the audit strategy to log recording.Audit management unit 1141 can examining according to regulation management unit 1142
Count analysis of strategies log recording.
Fig. 6 shows the schematic diagram of the managing device 600 of the data manipulation permission according to the application some embodiments.Management
Device 600 for example may reside in task management system 110.Managing device 600 may include:Receiving unit 601, scene are true
Order member 602, first acquisition unit 603, the first matching unit 604 and processing unit 605.
Receiving unit 601 is used to receive data operation request from the first client.
Scene determination unit 602 is for determining the corresponding operation scenario mark of data operation request.Wherein, operation scenario mark
Know for identifying the application scenarios type corresponding to the data operation request.In other words, application scenarios type is grasped with database table
It corresponds to.
First acquisition unit 603 identifies corresponding first operating right strategy for obtaining operation scenario.
First matching unit 604 is used to data operation request and the first operating right strategy carrying out matching operation.
In one embodiment, first acquisition unit 603 can inquire is allowed to corresponding to the operation scenario mark
The the first operational order collection executed.First matching unit 604 can belong to described by operational order in determining data operation request
When the first operational order collection, determine that data operation request meets the first operating right strategy.
In yet another embodiment, first acquisition unit 603 can inquire banned corresponding to the operation scenario mark
The the second operational order collection only executed.First matching unit 604 operational order can be not belonging in determining data operation request
When the second operational order collection, determine that data operation request meets the first operating right strategy.
Processing unit 605 is used to determine that data operation request meets the first operating right strategy when the first matching unit 604
When, execute data operation request.
Fig. 7 shows the schematic diagram of the managing device 700 of the data manipulation permission according to the application some embodiments.Management
Device 600 for example may reside in task management system 110.Managing device 700 may include:Receiving unit 701, scene are true
Order member 702, first acquisition unit 703, the first matching unit 704, processing unit 705, notification unit 706, second obtain single
First 707, second matching unit 708, rights management unit 709, operation note unit 710 and auditable unit 711.Wherein, it receives
Unit 701, scene determination unit 702, first acquisition unit 703, the first matching unit 704 and processing unit 705 can execute
With above-mentioned receiving unit 601, scene determination unit 602, first acquisition unit 603, the first matching unit 604 and processing unit
605 consistent operations, but not limited to this.
In one embodiment, notification unit 706 is used to determine that data operation request is unsatisfactory for when the first matching unit 704
It when the first operating right strategy, generates and indicates not executing the first notification message of data operation request, and by the first notification message
It is sent to the first client.
In one embodiment, receiving unit 701 can receive the first user identifier and the operation to first object data
Instruction.Second acquisition unit 707 can be executed in the first matching unit 704 by data operation request and the first operating right strategy
Before carrying out matching operation, second operating right strategy of the first user identifier of inquiry to first object data.Second matching is single
Operational order and the second operating right strategy can be carried out matching operation by member 708.Notification unit 706 can also be when the second matching
When unit 708 determines that operational order and the second operating right strategy mismatch, generates and indicate that do not execute operational order second is logical
Know message, and second notification message is sent to the first client.
In one embodiment, receiving unit 701 can receive the first user identifier and the operation to first object data
Instruction.Second acquisition unit 707 can carry out data operation request and the first operating right strategy in the first matching unit 704
Before matching operation, inquiry has permission the user identifier range that first object data are executed with operational order.Second matching unit
First user identifier and user identifier range can be carried out matching operation by 708.Notification unit 706 can be when the second matching unit
When 708 the first user identifiers of determination are mismatched with user identifier range, generates and indicate that the third notice for not executing operational order disappears
Breath, and third notice message is sent to the first client.
In one embodiment, receiving unit 701 can also receive the permission of first the second target data of client pair and obtain
Take request.The authority acquiring request includes the first user identifier and requested extent of competence.Notification unit 706 is in response to permission
Request is obtained, corresponding 4th notification message can be sent to the second client, so that the second client is according to the 4th notice
Message returning response message.Wherein, the 4th notice message package includes authority acquiring request.Receiving unit 701 can receive response and disappear
Breath.Rights management unit 709 can be when response message indicates that Right of Consent limit obtains request, by first the second mesh of user identifier pair
The operating right range of mark data is revised as requested extent of competence.
In one embodiment, operation note unit 710 can generate related with the implementing result of data operation request
Log recording.Auditable unit 711 can analyze log recording according to predetermined policy.When determining that it is pre- that any bar log recording does not meet
When determining at least one rule in strategy, auditable unit 711 can generate corresponding alarm information, and alarm information is sent to
First client.
Fig. 8 shows the composite structural diagram of a computing device.As shown in figure 8, the computing device is including one or more
A processor (CPU or GPU) 802, communication module 804, memory 806, user interface 810, and for interconnecting these components
Communication bus 808.
Processor 802 can send and receive data to realize network communication and/or local communication by communication module 804.
User interface 810 includes one or more output equipments 812 comprising one or more speakers and/or one
Or multiple visual displays.User interface 810 also includes one or more input equipments 814 comprising such as, keyboard, mouse
Mark, voice command input unit or loudspeaker, touch screen displays, touch sensitive tablet, posture capture camera or other inputs are pressed
Button or control etc..
Memory 806 can be high-speed random access memory, such as DRAM, SRAM, DDR RAM or other deposit at random
Take solid storage device;Or nonvolatile memory, such as one or more disk storage equipments, optical disc memory apparatus, sudden strain of a muscle
Deposit equipment or other non-volatile solid-state memory devices.
Memory 806 stores the executable instruction set of processor 802, including:
Operating system 816 includes the program for handling various basic system services and for executing hardware dependent tasks;
Include the various programs for realizing above-mentioned video broadcasting method using 818, this program can be realized above-mentioned each
Process flow in example, for example may include the video player according to the application.Video player may include shown in Fig. 6
Data manipulation permission managing device 600 or data manipulation permission shown in Fig. 7 managing device 700.
In addition, each example of the application can pass through the data processing journey by data processing equipment such as computer execution
Sequence is realized.Obviously, data processor constitutes the application.In addition, at the data being generally stored inside in a storage medium
Reason program by program by directly reading out storage medium or by installing or copying to depositing for data processing equipment by program
It stores up in equipment (such as hard disk and/or memory) and executes.Therefore, such storage medium also constitutes the present invention.Storage medium can make
With any kind of recording mode, such as paper storage medium (such as paper tape), magnetic storage medium (such as floppy disk, hard disk, flash memory
Deng), optical storage media (such as CD-ROM), magnetic-optical storage medium (such as MO) etc..
Therefore disclosed herein as well is a kind of non-volatile memory mediums, wherein it is stored with data processor, the data
Processing routine is used to execute any type example of the application above method.
In addition, method and step described herein is with data processor in addition to can be realized, can also by hardware Lai
It realizes, for example, can be by logic gate, switch, application-specific integrated circuit (ASIC), programmable logic controller (PLC) and embedding microcontroller etc.
To realize.Therefore this hardware that herein described method may be implemented can also constitute the application.
The foregoing is merely the preferred embodiments of the application, all in spirit herein not to limit the application
Within principle, any modification, equivalent substitution, improvement and etc. done should be included within the scope of the application protection.
Claims (15)
1. a kind of management method of data manipulation permission, which is characterized in that including:
Data operation request is received from the first client, wherein the data operation request is for describing to have with database table operation
The instruction of pass;
Determine the corresponding operation scenario mark of the data operation request, wherein the operation scenario mark is described for identifying
Application scenarios type corresponding to data operation request;
It obtains the operation scenario and identifies corresponding first operating right strategy;
The data operation request and the first operating right strategy are subjected to matching operation;And
When determining that the data operation request meets the first operating right strategy, the data operation request is executed.
2. management method as described in claim 1, further includes:When determine the data operation request be unsatisfactory for it is described first behaviour
When making authorization policy, the first notification message for indicating not execute the data operation request is generated, and first notice is disappeared
Breath is sent to first client.
3. management method as described in claim 1, wherein it is described to receive data operation request from the first client, including:It connects
Receive the first user identifier and the operational order to first object data;The data operation request and described first are grasped executing
Before making authorization policy progress matching operation, this method further includes:
Inquire second operating right strategy of first user identifier to the first object data;
The operational order and the second operating right strategy are subjected to matching operation;
When determining that the operational order and the second operating right strategy mismatch, generates and indicate not executing the operational order
Second notification message, and the second notification message is sent to first client.
4. management method as claimed in claim 3, wherein the management method executes in task management system, described
Management system of being engaged in includes the task management device based on honeycomb framework and the rights management device based on forester's framework;It is described to look into
Second operating right strategy of first user identifier to the first object data is ask, including:
The inquiry of the second operating right strategy is asked to rights management device transmission in the task management device
It asks;
In response to the inquiry request in the rights management device, first user identifier is inquired to second target
The database table operational order collection of data, and using the database table operational order collection as the second operating right strategy.
5. management method as claimed in claim 4, wherein the task management system further includes session management device;It is described
Determine the corresponding operation scenario mark of the data operation request, including:
When the session management device receives the data operation request from first client, according to applied field
Jing Ku determines the corresponding operation scenario mark of the data operation request, wherein the application scenarios library is used for descriptive data base
The incidence relation of table handling and operation scenario mark;
It sets operation scenario mark to the corresponding honeycomb meeting of first user identifier in the session management device
The parameter of words, wherein the honeycomb session is used to the data operation request being sent to the task management device.
6. management method as claimed in claim 5, wherein the first operating right strategy of the acquisition and the progress matching behaviour
Make, including:
When the task management device is by data operation request described in the honeycomb acquisition conversation, the data manipulation is asked
It asks and resolves to corresponding abstract language structure tree;
In the task management device, by Hook Function mode when monitoring to generate the abstract language structure tree, root
According to the parameter, the first operating right strategy corresponding with the abstract language structure tree is inquired;
In the task management device, determine whether the abstract language structure tree meets the first operating right strategy.
7. management method as claimed in claim 3, further includes:
The authority acquiring request of second target data of the first client pair, the permission are received in the session management device
It includes the first user identifier and requested extent of competence to obtain request;
In the session management device, in response to the authority acquiring request, corresponding four-way is sent to the second client
Message is known, so that the second client is according to the 4th notification message returning response message, wherein the 4th notice message package includes
The authority acquiring request;
The response message is received in the session management device;
When the response message indicates to agree to the authority acquiring request, to the permission pipe in the session management device
It manages device and sends corresponding permission modification request;
In the rights management device, changes and ask in response to the permission, by first user identifier to described second
The operating right range of target data is revised as requested extent of competence.
8. management method as claimed in claim 3, wherein the task management system further includes being based on search inquiry server
The audit device of framework, this method further include:
In the rights management device, log recording related with the implementing result of the data operation request is generated, and will
The log recording is sent to the audit device;
In the audit device, the log recording is analyzed according to predetermined policy;
When determining that log recording described in any bar does not meet at least one rule in the predetermined policy, filled in the audit
The middle corresponding alarm information of generation is set, and the alarm information is sent to first client.
9. management method as described in claim 1, wherein it is described to receive request of data from the first client, including:Receive the
One user identifier and operational order to first object data;It is executing the data operation request and first operating rights
Before limit strategy carries out matching operation, this method further includes:
Inquiry has permission the user identifier range that the first object data are executed with the operational order;
First user identifier and the user identifier range are subjected to matching operation;
When determining that first user identifier is mismatched with the user identifier range, generation indicates that not executing the operation refers to
The third notice message of order, and the third notice message is sent to first client.
10. management method as described in claim 1, wherein
The acquisition operation scenario identifies corresponding first operating right strategy, including:Inquire the operation scenario mark
Corresponding the first operational order collection for being allowed to execute;
The determination data operation request meets the first operating right strategy, including:Determining the data manipulation
When operational order belongs to the first operational order collection in request, determine that the data operation request meets first operating rights
Limit strategy.
11. management method as described in claim 1, wherein
The acquisition operation scenario identifies corresponding first operating right strategy, including:Inquire the operation scenario mark
Corresponding the second operational order collection for being prohibited to execute;
The determination data operation request meets the first operating right strategy, including:Determining the data manipulation
When operational order is not belonging to the second operational order collection in request, determine that the data operation request meets first operation
Authorization policy.
12. a kind of managing device of data manipulation permission, which is characterized in that including:
Receiving unit, for from the first client receive data operation request, wherein the data operation request for describe with
Database table operates related instruction;
Scene determination unit, for determining the corresponding operation scenario mark of the data operation request, wherein the operation scenario
Mark is for identifying the application scenarios type corresponding to the data operation request;
First acquisition unit identifies corresponding first operating right strategy for obtaining the operation scenario;
First matching unit, for the data operation request and the first operating right strategy to be carried out matching operation;With
And
Processing unit determines that the data operation request meets the first operating right plan for working as first matching unit
When slightly, the data operation request is executed.
13. managing device as claimed in claim 9 further includes notification unit, institute is determined for working as first matching unit
When stating data operation request and being unsatisfactory for the first operating right strategy, generates and indicate not executing the of the data operation request
One notification message, and first notification message is sent to first client.
14. a kind of computing device, it is characterised in that including:
One or more processors;
Memory;And
One or more programs are stored in the memory and are configured as being executed by one or more of processors, described
One or more programs include that the instruction of any one of 1-11 the methods is required for perform claim.
15. a kind of storage medium, is stored with one or more programs, one or more of programs include instruction, described instruction
When executed by a computing apparatus so that the computing device executes the method as described in any one of claim 1-11.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810057920.5A CN108280367B (en) | 2018-01-22 | 2018-01-22 | Data operation authority management method and device, computing equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810057920.5A CN108280367B (en) | 2018-01-22 | 2018-01-22 | Data operation authority management method and device, computing equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108280367A true CN108280367A (en) | 2018-07-13 |
| CN108280367B CN108280367B (en) | 2023-12-15 |
Family
ID=62804355
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810057920.5A Active CN108280367B (en) | 2018-01-22 | 2018-01-22 | Data operation authority management method and device, computing equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108280367B (en) |
Cited By (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109214210A (en) * | 2018-09-14 | 2019-01-15 | 南威软件股份有限公司 | A kind of method and system optimizing honeycomb rights management |
| CN109309686A (en) * | 2018-11-01 | 2019-02-05 | 浪潮软件集团有限公司 | Multi-tenant management method and device |
| CN109862072A (en) * | 2018-12-25 | 2019-06-07 | 鼎信信息科技有限责任公司 | The response method and device of application task |
| CN110188573A (en) * | 2019-05-27 | 2019-08-30 | 深圳前海微众银行股份有限公司 | Subregion authorization method, device, equipment and computer readable storage medium |
| CN110197064A (en) * | 2019-02-18 | 2019-09-03 | 腾讯科技(深圳)有限公司 | Process handling method and device, storage medium and electronic device |
| CN110333941A (en) * | 2019-06-28 | 2019-10-15 | 苏宁消费金融有限公司 | A kind of real-time computing platform of big data based on sql and method |
| CN110750294A (en) * | 2019-09-18 | 2020-02-04 | 平安银行股份有限公司 | Code library management method and device and computer storage medium |
| CN110889142A (en) * | 2019-12-20 | 2020-03-17 | 中国银行股份有限公司 | Data authority management method, device, system and equipment |
| CN111339524A (en) * | 2020-02-26 | 2020-06-26 | 浪潮软件股份有限公司 | Multi-tenant permission control method and device |
| CN111651122A (en) * | 2020-05-20 | 2020-09-11 | 远景智能国际私人投资有限公司 | Data deleting method, device, server and storage medium |
| CN111723401A (en) * | 2020-06-17 | 2020-09-29 | 北京明略昭辉科技有限公司 | Data access authority control method, device, system, storage medium and equipment |
| CN111797424A (en) * | 2019-11-26 | 2020-10-20 | 北京京东尚科信息技术有限公司 | Method and device for processing request |
| CN112580088A (en) * | 2019-09-30 | 2021-03-30 | 北京国双科技有限公司 | Data loading method and device, computer equipment and storage medium |
| CN112861159A (en) * | 2021-03-04 | 2021-05-28 | 深圳市鹰硕云科技有限公司 | Range-based permission determination method and system in intelligent education platform |
| CN112860637A (en) * | 2021-02-05 | 2021-05-28 | 广州海量数据库技术有限公司 | Method and system for processing log based on audit strategy |
| CN113722723A (en) * | 2020-05-25 | 2021-11-30 | 中移(苏州)软件技术有限公司 | Information processing method, system, equipment and computer storage medium |
| CN113839942A (en) * | 2021-09-22 | 2021-12-24 | 上海妙一生物科技有限公司 | User authority management method, device, equipment and storage medium |
| CN115510480A (en) * | 2022-09-26 | 2022-12-23 | 深圳市中政汇智管理咨询有限公司 | Data management platform |
| CN116415218A (en) * | 2023-06-08 | 2023-07-11 | 天津金城银行股份有限公司 | Data authority management method and device, electronic equipment and storage medium |
| CN112836237B (en) * | 2021-02-05 | 2023-08-15 | 广州海量数据库技术有限公司 | Method and system for performing forced access control in content database |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102402652A (en) * | 2010-09-16 | 2012-04-04 | 金蝶软件(中国)有限公司 | Method, system and terminal for controlling authority |
| CN103620616A (en) * | 2013-03-28 | 2014-03-05 | 华为技术有限公司 | Access control right management method and device |
| CN107194272A (en) * | 2017-04-18 | 2017-09-22 | 北京潘达互娱科技有限公司 | Database-access rights application method and device |
| CN107483725A (en) * | 2017-07-31 | 2017-12-15 | 广东欧珀移动通信有限公司 | Resource allocation method and Related product |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102520933A (en) * | 2011-11-28 | 2012-06-27 | 深圳市五巨科技有限公司 | Method and device for establishing tree menu based on user right |
| CN106940620A (en) * | 2017-03-22 | 2017-07-11 | 广东小天才科技有限公司 | Control the method and mobile terminal of mobile terminal |
-
2018
- 2018-01-22 CN CN201810057920.5A patent/CN108280367B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102402652A (en) * | 2010-09-16 | 2012-04-04 | 金蝶软件(中国)有限公司 | Method, system and terminal for controlling authority |
| CN103620616A (en) * | 2013-03-28 | 2014-03-05 | 华为技术有限公司 | Access control right management method and device |
| CN107194272A (en) * | 2017-04-18 | 2017-09-22 | 北京潘达互娱科技有限公司 | Database-access rights application method and device |
| CN107483725A (en) * | 2017-07-31 | 2017-12-15 | 广东欧珀移动通信有限公司 | Resource allocation method and Related product |
Non-Patent Citations (1)
| Title |
|---|
| 刘琳: "嵌入式数据库SQLite的安全性研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》, pages 38 - 49 * |
Cited By (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109214210A (en) * | 2018-09-14 | 2019-01-15 | 南威软件股份有限公司 | A kind of method and system optimizing honeycomb rights management |
| CN109309686A (en) * | 2018-11-01 | 2019-02-05 | 浪潮软件集团有限公司 | Multi-tenant management method and device |
| CN109862072A (en) * | 2018-12-25 | 2019-06-07 | 鼎信信息科技有限责任公司 | The response method and device of application task |
| CN109862072B (en) * | 2018-12-25 | 2020-03-31 | 鼎信信息科技有限责任公司 | Application task response method and device |
| CN110197064A (en) * | 2019-02-18 | 2019-09-03 | 腾讯科技(深圳)有限公司 | Process handling method and device, storage medium and electronic device |
| CN110197064B (en) * | 2019-02-18 | 2023-08-25 | 腾讯科技(深圳)有限公司 | Process processing method and device, storage medium and electronic device |
| CN110188573A (en) * | 2019-05-27 | 2019-08-30 | 深圳前海微众银行股份有限公司 | Subregion authorization method, device, equipment and computer readable storage medium |
| WO2020238359A1 (en) * | 2019-05-27 | 2020-12-03 | 深圳前海微众银行股份有限公司 | Partition authorization method, apparatus and device, and computer-readable storage medium |
| CN110333941A (en) * | 2019-06-28 | 2019-10-15 | 苏宁消费金融有限公司 | A kind of real-time computing platform of big data based on sql and method |
| CN110333941B (en) * | 2019-06-28 | 2021-08-24 | 苏宁消费金融有限公司 | Big data real-time calculation method based on sql |
| CN110750294A (en) * | 2019-09-18 | 2020-02-04 | 平安银行股份有限公司 | Code library management method and device and computer storage medium |
| CN112580088A (en) * | 2019-09-30 | 2021-03-30 | 北京国双科技有限公司 | Data loading method and device, computer equipment and storage medium |
| CN111797424A (en) * | 2019-11-26 | 2020-10-20 | 北京京东尚科信息技术有限公司 | Method and device for processing request |
| CN110889142A (en) * | 2019-12-20 | 2020-03-17 | 中国银行股份有限公司 | Data authority management method, device, system and equipment |
| CN111339524A (en) * | 2020-02-26 | 2020-06-26 | 浪潮软件股份有限公司 | Multi-tenant permission control method and device |
| CN111651122A (en) * | 2020-05-20 | 2020-09-11 | 远景智能国际私人投资有限公司 | Data deleting method, device, server and storage medium |
| CN111651122B (en) * | 2020-05-20 | 2023-07-28 | 远景智能国际私人投资有限公司 | Data deleting method, device, server and storage medium |
| CN113722723A (en) * | 2020-05-25 | 2021-11-30 | 中移(苏州)软件技术有限公司 | Information processing method, system, equipment and computer storage medium |
| CN111723401A (en) * | 2020-06-17 | 2020-09-29 | 北京明略昭辉科技有限公司 | Data access authority control method, device, system, storage medium and equipment |
| CN112860637A (en) * | 2021-02-05 | 2021-05-28 | 广州海量数据库技术有限公司 | Method and system for processing log based on audit strategy |
| CN112836237B (en) * | 2021-02-05 | 2023-08-15 | 广州海量数据库技术有限公司 | Method and system for performing forced access control in content database |
| CN112861159A (en) * | 2021-03-04 | 2021-05-28 | 深圳市鹰硕云科技有限公司 | Range-based permission determination method and system in intelligent education platform |
| CN113839942A (en) * | 2021-09-22 | 2021-12-24 | 上海妙一生物科技有限公司 | User authority management method, device, equipment and storage medium |
| CN115510480A (en) * | 2022-09-26 | 2022-12-23 | 深圳市中政汇智管理咨询有限公司 | Data management platform |
| CN116415218A (en) * | 2023-06-08 | 2023-07-11 | 天津金城银行股份有限公司 | Data authority management method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108280367B (en) | 2023-12-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108280367A (en) | Management method, device, computing device and the storage medium of data manipulation permission | |
| CN111488595B (en) | Method for realizing authority control and related equipment | |
| US8255409B2 (en) | Systems and methods for generating a change log for files in a managed network | |
| US8307404B2 (en) | Policy-management infrastructure | |
| US8955037B2 (en) | Access management architecture | |
| JP2022529967A (en) | Extracting data from the blockchain network | |
| CN108134764B (en) | Distributed data sharing and exchanging method and system | |
| US9053136B2 (en) | Systems and methods for identifying contacts as users of a multi-tenant database and application system | |
| CN103793656B (en) | The safety realized by metadata telegon | |
| CN109510840A (en) | Sharing method, device, computer equipment and the storage medium of unstructured data | |
| CN111861140A (en) | Service processing method, device, storage medium and electronic device | |
| US10789300B2 (en) | Method and system for providing security in a data federation system | |
| MX2022010227A (en) | Authentication server function selection in authentication and key management. | |
| Hosseini et al. | Towards engineering transparency as a requirement in socio-technical systems | |
| Lican et al. | Virtual and dynamic hierarchical architecture for E-science grid | |
| CN112597511A (en) | Remote government affair service cooperation method and device | |
| CN114780214B (en) | Task processing method, device, system and equipment | |
| Goyal et al. | Policy-based event-driven services-oriented architecture for cloud services operation & management | |
| CN115865537B (en) | Privacy computing method based on centralized system management, electronic equipment and storage medium | |
| US11477296B2 (en) | Dynamic user group management in group-based communication systems | |
| CN115222375B (en) | Government affair data monitoring, analyzing and processing method and system based on big data | |
| US11632375B2 (en) | Autonomous data source discovery | |
| CN105071959A (en) | Plug-and-play management method and system based on unified registration of power network devices | |
| Maresca | The spreadsheet space: Eliminating the boundaries of data cross-referencing | |
| Waqas et al. | ReSA: Architecture for resources sharing between clouds |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |