CN108280367B - Data operation authority management method and device, computing equipment and storage medium - Google Patents


Publication number
CN108280367B
Authority
CN
China
Prior art keywords
data
request
data operation
operation request
authority
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810057920.5A
Other languages
Chinese (zh)
Other versions
CN108280367A (en)
Inventor
龚高晟
陆可
高永伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Tencent Cloud Computing Beijing Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Tencent Cloud Computing Beijing Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd and Tencent Cloud Computing Beijing Co Ltd
Priority to CN201810057920.5A
Publication of CN108280367A
Application granted
Publication of CN108280367B


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The application discloses a method, a device, a computing device and a storage medium for managing data operation authority. The management method of the data operation authority comprises the following steps: receiving a data operation request from a first client; determining an operation scene identifier corresponding to the data operation request, wherein the operation scene identifier is used for identifying an application scene type corresponding to the data operation request; acquiring a first operation authority strategy corresponding to the operation scene identifier; matching the data operation request with the first operation authority strategy; and executing the data operation request when the data operation request is determined to meet the first operation authority policy.

Description

Data operation authority management method and device, computing equipment and storage medium
Technical Field
The present application relates to the field of cloud computing, and in particular, to a method and apparatus for managing data operation rights, a computing device, and a storage medium.
Background
With the development of cloud technology, various cloud data platforms can provide data analysis, data processing and data presentation services in a multi-user environment. Because the data of multiple users is stored on the cloud data platform, managing the operation authority of each user is an important part of ensuring the security of the platform data.
Disclosure of Invention
According to one aspect of the present application, there is provided a method for managing data operation rights, including: receiving a data operation request from a first client, wherein the data operation request is used to describe an indication related to database table operations; determining an operation scene identifier corresponding to the data operation request, wherein the operation scene identifier is used for identifying an application scene type corresponding to the data operation request; acquiring a first operation authority strategy corresponding to the operation scene identifier; matching the data operation request with the first operation authority strategy; and executing the data operation request when the data operation request is determined to meet the first operation authority policy.
In some embodiments, the management method further comprises: when the data operation request is determined not to meet the first operation authority policy, a first notification message indicating that the data operation request is not executed is generated, and the first notification message is sent to the first client.
In some embodiments, receiving a data manipulation request from a first client comprises: receiving a first user identification and an operation instruction for first target data; before performing the matching operation of the data operation request with the first operation authority policy, the method further includes: querying a second operation authority strategy of the first user identification on the first target data; matching the operation instruction with the second operation authority strategy; when the operation instruction is determined not to match with the second operation authority policy, a second notification message indicating that the operation instruction is not executed is generated, and the second notification message is sent to the first client.
In some embodiments, the management method is performed in a task management system comprising a task management device based on a cellular (Hive) architecture and a rights management device based on a forestation architecture; the querying the second operation authority policy of the first user identification on the first target data comprises: transmitting, in the task management device, a query request for the second operation authority policy to the rights management device; and, in the rights management device, responding to the query request by querying a database table operation instruction set of the first user identification on the second target data, and taking the database table operation instruction set as the second operation authority policy.
In some embodiments, the task management system further comprises session management means; the determining the operation scene identifier corresponding to the data operation request comprises the following steps: when the session management device receives the data operation request from the first client, determining an operation scene identifier corresponding to the data operation request according to an application scene library, wherein the application scene library is used for describing the association relation between database table operation and the operation scene identifier; setting the operation scene identifier as a parameter of a cellular session corresponding to the first user identifier in the session management device, wherein the cellular session is used for sending the data operation request to the task management device.
In some embodiments, the obtaining the first operation authority policy and performing the matching operation include: when the task management device acquires the data operation request through the cellular session, parsing the data operation request into a corresponding abstract language structure tree; when the generation of the abstract language structure tree is detected in the task management device by means of a hook function, querying a first operation authority policy corresponding to the abstract language structure tree according to the parameter; and, in the task management device, determining whether the abstract language structure tree satisfies the first operation authority policy.
In some embodiments, the management method further comprises: receiving, in the session management device, a rights acquisition request of the first client for the second target data, wherein the rights acquisition request comprises a first user identification and a requested rights range; in the session management device, responding to the rights acquisition request by sending a corresponding fourth notification message to the second client so that the second client returns a response message according to the fourth notification message, wherein the fourth notification message comprises the rights acquisition request; receiving the response message in the session management device; when the response message indicates that the rights acquisition request is granted, transmitting, in the session management device, a corresponding rights modification request to the rights management device; and, in the rights management device, in response to the rights modification request, modifying the rights range of the first user identification for the second target data to the requested rights range.
In some embodiments, the task management system further comprises an auditing device based on a search query server architecture, the method further comprising: generating, in the rights management device, a log record concerning an execution result of the data operation request, and transmitting the log record to the auditing device; in the auditing device, analyzing the log records according to a preset strategy; and when any log record is determined not to meet at least one rule in the preset strategy, generating a corresponding alarm message in the auditing device, and sending the alarm message to the first client.
In some embodiments, the receiving a data request from a first client comprises: receiving a first user identification and an operation instruction for first target data; before performing the matching operation of the data operation request with the first operation authority policy, the method further includes: inquiring a user identification range with authority to execute the operation instruction on the first target data; matching the first user identifier with the user identifier range; when the first user identification is not matched with the user identification range, generating a third notification message which indicates that the operation instruction is not executed, and sending the third notification message to the first client.
In some embodiments, the obtaining the first operation authority policy corresponding to the operation scene identifier includes: inquiring a first operation instruction set which corresponds to the operation scene identifier and is allowed to be executed; the determining that the data operation request satisfies the first operation authority policy includes: and when determining that the operation instruction in the data operation request belongs to the first operation instruction set, determining that the data operation request meets the first operation authority strategy.
In some embodiments, the obtaining the first operation authority policy corresponding to the operation scene identifier includes: inquiring a second operation instruction set which is forbidden to be executed and corresponds to the operation scene identification; the determining that the data operation request satisfies the first operation authority policy includes: and when the operation instruction in the data operation request is determined not to belong to the second operation instruction set, determining that the data operation request meets the first operation authority policy.
According to still another aspect of the present application, there is provided a management apparatus of data operation authority, including: a receiving unit for receiving a data operation request from a first client; the scene determining unit is used for determining an operation scene identifier corresponding to the data operation request, wherein the operation scene identifier is used for identifying an application scene type corresponding to the data operation request; the first acquisition unit is used for acquiring a first operation authority strategy corresponding to the operation scene identifier; the first matching unit is used for performing matching operation on the data operation request and the first operation authority strategy; and the processing unit is used for executing the data operation request when the first matching unit determines that the data operation request meets the first operation authority policy.
In some embodiments, the management apparatus further includes a notification unit configured to generate a first notification message indicating that the data operation request is not executed, and send the first notification message to the first client, when the first matching unit determines that the data operation request does not satisfy the first operation authority policy.
In some embodiments, the receiving unit receives the data request from the first client according to: receiving a first user identification and an operation instruction for first target data; the management device further includes: the second obtaining unit is used for inquiring a second operation authority strategy of the first user identification on the first target data before the first matching unit performs the matching operation on the data operation request and the first operation authority strategy; and the second matching unit is used for matching the operation instruction with the second operation authority strategy. The notification unit is further configured to generate a second notification message indicating that the operation instruction is not executed, and send the second notification message to the first client, when the second matching unit determines that the operation instruction does not match a second operation authority policy.
In some embodiments, the receiving unit receives the data request from the first client according to: and receiving a first user identification and an operation instruction for the first target data. The management device further includes: the second obtaining unit is used for inquiring the user identification range of the operation instruction which has permission to execute on the first target data before the first matching unit performs the matching operation on the data operation request and the first operation permission strategy; and the second matching unit is used for performing matching operation on the first user identifier and the user identifier range. The notification unit is further configured to generate a third notification message indicating that the operation instruction is not executed when the second matching unit determines that the first user identifier does not match the user identifier range, and send the third notification message to the first client.
In some embodiments, the first obtaining unit obtains a first operation authority policy corresponding to the operation scene identifier according to the following manner: inquiring a first operation instruction set which corresponds to the operation scene identifier and is allowed to be executed; the first matching unit determines that the data operation request meets the first operation authority policy according to the following mode: and when determining that the operation instruction in the data operation request belongs to the first operation instruction set, determining that the data operation request meets the first operation authority strategy.
In some embodiments, the first obtaining unit obtains a first operation authority policy corresponding to the operation scene identifier according to the following manner: inquiring a second operation instruction set which is forbidden to be executed and corresponds to the operation scene identification; the first matching unit determines that the data operation request meets the first operation authority policy according to the following mode: and when the operation instruction in the data operation request is determined not to belong to the second operation instruction set, determining that the data operation request meets the first operation authority policy.
In some embodiments, the receiving unit is further configured to receive a rights acquisition request for the second target data from the first client, where the rights acquisition request includes a first user identification and a requested rights range; the notification unit is further configured to send a corresponding fourth notification message to the second client in response to the rights acquisition request, so that the second client returns a response message according to the fourth notification message, where the fourth notification message includes the rights acquisition request; the receiving unit is further configured to receive the response message; the management device further comprises a rights management unit for modifying the operating rights range of the first user identification to the second target data to the requested rights range when the response message indicates that the rights acquisition request is granted.
In some embodiments, the management device further comprises: an operation recording unit configured to generate a log record concerning an execution result of the data operation request; and the auditing unit analyzes the log records according to a preset strategy, and when any log record is determined to not meet at least one rule in the preset strategy, generates a corresponding alarm message and sends the alarm message to the first client.
According to yet another aspect of the present application, there is provided a computing device comprising: one or more processors, memory, and one or more programs. A program is stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for performing the data operation rights management method of the present application.
According to still another aspect of the present application, there is provided a storage medium storing one or more programs. The one or more programs include instructions. The instructions, when executed by a computing device, cause the computing device to perform the method of managing data operation rights of the present application.
In summary, according to the technical scheme of the application, the data operation authority can be managed according to the application scene by identifying the application scene of the data operation request (namely, determining the operation scene identifier) and performing the matching operation on the operation authority range (namely, the first operation authority strategy) corresponding to the data operation request and the application scene. Therefore, the technical scheme of the application can avoid misoperation of the user in different application scenes.
Drawings
In order to more clearly illustrate the technical solutions of the examples of the present application, the drawings needed in the description of the examples will be briefly introduced below, it being obvious that the drawings in the following description are only some examples of the present application, and that other drawings can be obtained from these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a schematic diagram of an application scenario 100 according to some embodiments of the application;
FIG. 2A illustrates a schematic diagram of a method 200 of managing data operation rights according to some embodiments of the application;
FIGS. 2B and 2C illustrate user interfaces of a client, respectively, according to embodiments of the present application;
FIG. 3 illustrates a schematic diagram of a method 300 of managing data operation rights in accordance with some embodiments of the application;
FIG. 4A illustrates a schematic diagram of a method 400 of managing data operation rights in accordance with some embodiments of the application;
FIGS. 4B and 4C illustrate user interfaces of a first client, respectively, according to embodiments of the present application;
FIG. 5A illustrates a system interaction diagram according to some embodiments of the application;
FIG. 5B illustrates a system schematic according to some embodiments of the application;
FIG. 5C illustrates a system schematic according to some embodiments of the application;
FIG. 5D illustrates a system schematic according to some embodiments of the application;
FIG. 6 illustrates a schematic diagram of a management device 600 of data operation rights according to some embodiments of the application;
FIG. 7 illustrates a schematic diagram of a management device 700 of data operation rights according to some embodiments of the application; and
FIG. 8 illustrates a block diagram of the components of a computing device.
Detailed Description
The following description of the embodiments of the present application will be made more clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the application. All other examples, based on examples in this application, which a person of ordinary skill in the art would obtain without making any inventive effort, are within the scope of the application.
Fig. 1 illustrates a schematic diagram of an application scenario 100 according to some embodiments of the application.
As shown in fig. 1, the application scenario 100 may include a task management system 110, a task execution system 120, and a plurality of clients. For example, fig. 1 shows a first client 130 and a second client 140, but is not limited thereto. Here, the task execution system 120 may be implemented as various distributed systems, for example, a system based on the Hadoop architecture. Task execution system 120 may include a plurality of computing nodes, which may be implemented as a server cluster, for example. Clients may be implemented as various computing devices, such as mobile phones, desktop computers, notebook computers, or tablet computers. The first and second clients may log into the task management system 110 and send data manipulation tasks to the task management system 110. Here, the data manipulation task may be, for example, creating or deleting a database table, or inserting, replacing, deleting or querying data in a database table. The task management system 110 may parse the data manipulation task received from the client and send the parsed task to the task execution system 120. For example, the task management system 110 may be based on a cellular (Hive) or similar architecture. In addition, the task management system 110 may manage task rights to ensure data security. In other words, the task management system 110 may be considered a data warehouse management system. The manner in which the task management system 110 manages rights is further described below in conjunction with FIG. 2A.
Fig. 2A illustrates a schematic diagram of a method 200 of managing data operation rights according to some embodiments of the application. The method 200 may be performed, for example, in the task management system 110.
As shown in fig. 2A, the method 200 may include step S201, receiving a data manipulation request from a first client. Here, the data manipulation request may be to create a database table, delete a database table, modify a database table structure (e.g., add or delete columns), perform a data insertion on one or more database tables, load a file into a database table, perform a query operation, and so forth.
In step S202, an operation scene identifier corresponding to the data operation request is determined. The data operation request is used to describe an indication related to a database table operation. The operation scene identifier is used for identifying an application scene type corresponding to the data operation request. The data operation request may indicate a corresponding database table operation. Thus, the application scene type corresponding to the data operation request also corresponds to the database table operation indicated by the data operation request. Here, the application scene types may be divided according to the types of operation requests. The types of data operation request may include, for example, data manipulation language (DML) statements and data definition language (DDL) statements. The DML operation instructions may include, for example, a query instruction (SELECT), an update instruction (UPDATE), an insert instruction (INSERT), and a delete instruction (DELETE). DDL operation instructions may include, for example, a table creation instruction (CREATE), a table structure modification instruction (ALTER), and an object deletion instruction (DROP).
For example, FIGS. 2B and 2C respectively illustrate user interfaces of a client according to embodiments of the present application. FIG. 2B illustrates an interface for creating a database table. Accordingly, FIG. 2B corresponds to an application scenario in which a database table is created. Commands for creating a data table may be obtained through input box 201 in fig. 2B. Upon receiving a data operation request regarding the application scenario in fig. 2B at step S201, step S202 may determine a corresponding operation scene identifier, i.e., a scene identifier representing creation of a database table. FIG. 2C illustrates a user interface for querying a database table. In fig. 2C, the input box 202 may search for the data table in the list box 203 according to user input. The input box 204 is used to receive a command for a query operation. For example, one example of partial code for a query operation request is: select * from dual a join dual b on a.key=b.key (representing querying and joining database tables a and b). Correspondingly, fig. 2C corresponds to an application scenario in which a database table is queried. The operation scene identifier determined in step S202 is used to identify the application scenario of querying the database table. In one embodiment, step S201 may determine the data operation scene identifier according to a field in a message corresponding to the data operation request, for example. Specifically, step S202 may determine the corresponding operation scene identifier based on the mapping relationship between the field and the scene identifier. In yet another embodiment, step S202 may parse the data operation request to determine a corresponding operation scene identifier.
In yet another embodiment, the task management system 110 may further include a session management device and a task management device. The session management device may be implemented, for example, based on the Lightweight Directory Access Protocol (LDAP). The task management device may be implemented, for example, based on a cellular (Hive) architecture. In other words, the task management device may be considered a Hive data warehouse tool. In step S202, when a data operation request from a first client is received in the session management device, an operation scene identifier corresponding to the data operation request is determined according to the application scene library. The application scene library is used for describing the association relation between database table operations and operation scene identifiers. Since the data operation request is used to describe the indication related to the database table operation, step S202 may take the operation scene identifier associated with the database table operation corresponding to the data operation request as the operation scene identifier corresponding to the data operation request. In addition, the session management device may set the operation scene identifier as a parameter of a cellular session (Hive session) corresponding to the first user identification. The cellular session refers to the session connection between the session management device and the task management device. The cellular session corresponding to the first user identification may be used by the session management device to send a data operation request to the task management device.
In step S203, a first operation authority policy corresponding to the operation scene identifier is obtained. In step S204, the data operation request is subjected to a matching operation with the first operation authority policy. When it is determined that the data operation request satisfies the first operation authority policy, the method 200 may perform step S205, to perform the data operation request.
In one embodiment, step S203 may query the first operation instruction set, allowed to be executed, corresponding to the operation scene identifier. Here, the first operation instruction set is the range of instructions that are allowed to be executed in the application scenario to which the operation scene identifier corresponds. Step S204 may perform a matching operation of the data operation request with the first operation instruction set. When determining that each operation instruction in the data operation request belongs to the first operation instruction set, step S204 may determine that the data operation request satisfies the first operation authority policy.
In yet another embodiment, step S203 may query the second operation instruction set, prohibited from being executed, corresponding to the operation scene identifier. Here, the second operation instruction set is the range of instructions that are prohibited from being executed in the application scenario to which the operation scene identifier corresponds. Step S204 may perform a matching operation of the data operation request with the second operation instruction set. When it is determined that each operation instruction in the data operation request does not belong to the second operation instruction set, step S204 may determine that the data operation request satisfies the first operation authority policy.
In yet another embodiment, step S203 may parse the data operation request into a corresponding abstract language structure tree (that is, an abstract syntax tree, AST for short) when the task management device obtains the data operation request through the cellular session. In the task management device, step S203 may monitor the parsing result of the data operation request by means of a hook function (e.g., the Hive hook mechanism). Upon detecting that the abstract language structure tree has been generated, step S203 may query the first operation authority policy corresponding to the abstract language structure tree according to the above parameter. In step S204, the task management device determines whether the abstract language structure tree satisfies the first operation authority policy.
In summary, according to the method 200 of the present application, the data operation authority can be managed according to the application scenario by identifying the application scenario of the data operation request (i.e. determining the operation scenario identifier), and performing the matching operation on the operation authority range (i.e. the first operation authority policy) corresponding to the data operation request and the application scenario. In this way, the method 200 can avoid the user from performing misoperation in different application scenarios.
Fig. 3 illustrates a schematic diagram of a method 300 of managing data operation rights according to some embodiments of the application. The method 300 may be performed, for example, in the task management system 110.
As shown in fig. 3, the method 300 may include step S301 of receiving a data manipulation request from a first client. In one embodiment, the data manipulation request may include a first user identification and a data manipulation instruction for the first target data. Here, the first user identifier may be, for example, various user identity information such as a user account number. The first target data may include, for example, one or more database tables, depending on the particular type of data manipulation instruction.
In step S302, a second operation authority policy of the first user identification on the first target data is queried. In one embodiment, the first target data may include one or more database tables. The operation authority for each database table may be divided into, for example, a read authority, a write authority, and a table operation authority. Here, the read authority may include various table query operations, for example. The table operation authority may include operations such as creating a table, deleting a table, modifying a table structure, and the like. The write permission may include, for example, an insert operation, a replace operation, a delete operation, and the like in the data table. Specifically, step S302 may query the first user identifier for the operation authority of each database table in the first target data. On this basis, the method 300 may execute step S303, where the operation instruction is matched with the second operation authority policy. Specifically, step S303 may match the operation instruction for each database table in the data operation request with the corresponding operation authority. Upon determining that the operation instruction of each database table matches the corresponding operation authority, step S303 may determine that the operation instruction on the first target data matches the second operation authority policy.
In one embodiment, the task management system 110 may include a task management device based on a Hive architecture and a rights management device based on a Ranger architecture. In step S302, the task management device may send a query request for the second operation authority policy to the rights management device. In this way, the rights management unit may query the database table operation instruction set of the first user identification for the second target data in response to the query request, and take the database table operation instruction set as the second operation rights policy.
When it is determined that the second operation authority policy matches, the method 300 may perform steps S304 to S307. Here, the embodiments of steps S304 to S307 may be implemented to be consistent with steps S202 to S205, and will not be described again.
In addition, when it is determined in step S306 that the data operation request does not satisfy the first operation authority policy, the method 300 may perform step S308 to generate a first notification message indicating that the data operation request is not performed, and transmit the first notification message to the first client.
In addition, when it is determined in step S303 that the operation instruction for the first target data does not match the second operation authority policy, the method 300 may perform step S309, generate a second notification message indicating that the operation instruction is not performed, and transmit the second notification message to the first client.
In summary, the method 300 may perform two operation authority determinations on the data operation request. In the first operation authority determination process, the method 300 may determine whether the user identifier has an authority to perform the data operation request on the first target data. The method 300 may perform a second operational authorization determination when the user identification has authorization to perform the data operation request. In the second operation permission determination process, the method 300 may determine, according to an application scenario corresponding to the data operation request, whether the data operation request meets an operation permission limitation of the application scenario. Thus, although a data operation request satisfies the operation authority range corresponding to the user identifier, the method 300 can avoid the user from performing the misoperation in the application scenario unsuitable for executing the data operation request.
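The two-stage determination summarized above, together with the allow-set and deny-set variants of the first operation authority policy described for steps S203 and S204, can be sketched as follows. This is an added Python example, not code from the patent: the user names, table names, scenario identifiers and the regex-based statement classifier (a simplified stand-in for the AST) are all constructed for illustration.

```python
import re

# Permission classes named in the description: read, write, table operation.
READ, WRITE, TABLE_OP = "read", "write", "table_op"
INSTRUCTION_CLASS = {
    "SELECT": READ,
    "INSERT": WRITE, "UPDATE": WRITE, "DELETE": WRITE,
    "CREATE": TABLE_OP, "ALTER": TABLE_OP, "DROP": TABLE_OP,
}

# Constructed second operation authority policy: (user, table) -> rights.
USER_RIGHTS = {
    ("user_a", "sales.orders"): {READ, WRITE, TABLE_OP},
    ("user_a", "sales.daily"): {WRITE},
    ("user_b", "sales.orders"): {READ},
}

# Constructed first operation authority policies, keyed by scenario id
# (the value the description passes in the session parameter
# tdf.sql.auth.type). A policy is either an allow set or a deny set.
SCENARIO_POLICY = {
    "adhoc_query": {"allow": {"SELECT"}},
    "etl": {"deny": {"DROP", "ALTER"}},
}

# Simplified classifier standing in for the AST: one pattern per verb,
# capturing the target table. Joins and subqueries are out of scope.
_I = re.I | re.S
_PATTERNS = [
    ("SELECT", re.compile(r"^SELECT\b.*?\bFROM\s+([\w.]+)", _I)),
    ("INSERT", re.compile(r"^INSERT\s+(?:INTO|OVERWRITE)\s+(?:TABLE\s+)?([\w.]+)", _I)),
    ("UPDATE", re.compile(r"^UPDATE\s+([\w.]+)", _I)),
    ("DELETE", re.compile(r"^DELETE\s+FROM\s+([\w.]+)", _I)),
    ("CREATE", re.compile(r"^CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?([\w.]+)", _I)),
    ("ALTER", re.compile(r"^ALTER\s+TABLE\s+([\w.]+)", _I)),
    ("DROP", re.compile(r"^DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?([\w.]+)", _I)),
]
_SELECT_SRC = re.compile(r"\bSELECT\b.*?\bFROM\s+([\w.]+)", _I)


def parse_request(request):
    """Return [(verb, table), ...] for every statement in the request.

    Raises ValueError on any statement it cannot classify, so the caller
    fails closed instead of letting an unknown instruction through.
    """
    ops = []
    for stmt in filter(None, (s.strip() for s in request.split(";"))):
        for verb, pattern in _PATTERNS:
            m = pattern.match(stmt)
            if not m:
                continue
            ops.append((verb, m.group(1).lower()))
            if verb == "INSERT":
                # INSERT ... SELECT also reads from the source table.
                src = _SELECT_SRC.search(stmt, m.end())
                if src:
                    ops.append(("SELECT", src.group(1).lower()))
            break
        else:
            raise ValueError("unclassified statement: %r" % stmt[:40])
    return ops


def authorize(user, scenario_id, request):
    """Apply the user-level check, then the scenario-level check."""
    try:
        ops = parse_request(request)
    except ValueError as exc:
        return False, "rejected: %s" % exc
    if not ops:
        return False, "rejected: empty request"

    # First determination: second operation authority policy (per user, per table).
    for verb, table in ops:
        needed = INSTRUCTION_CLASS[verb]
        if needed not in USER_RIGHTS.get((user, table), set()):
            return False, "second notification: %s lacks %s on %s" % (user, needed, table)

    # Second determination: first operation authority policy (per scenario).
    policy = SCENARIO_POLICY.get(scenario_id)
    if policy is None:
        return False, "first notification: unknown scenario %s" % scenario_id
    verbs = {verb for verb, _ in ops}
    blocked = verbs - policy["allow"] if "allow" in policy else verbs & policy["deny"]
    if blocked:
        return False, "first notification: %s not permitted in scenario %s" % (
            sorted(blocked), scenario_id)
    return True, "submitted"
```

A user who holds write permission on a table is still refused a DELETE in the constructed "adhoc_query" scenario, which is the misoperation case the second determination is meant to catch.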
Fig. 4A illustrates a schematic diagram of a method 400 of managing data operation rights according to some embodiments of the application. The method 400 may be performed, for example, in the task management system 110.
As shown in fig. 4A, the method 400 may include step S401 of receiving a data manipulation request from a first client. Here, the data manipulation request may include, for example, a first user identification and an operation instruction for the first target data.
In step S402, a user identification range to which the first target data is authorized to execute the above operation instruction is queried. In step S403, the first user identifier is matched with the user identifier range, that is, it is determined whether the first user identifier belongs to the user identifier range. When step S403 determines that the first user identification matches the user identification range, the method 400 may perform steps S404 to S408. Here, the embodiments of steps S404 to S408 are identical to those of steps S304 to S308, and will not be described again.
In addition, when step S403 determines that the first user identification does not match the user identification range, the method 400 may perform step S409. In step S409, a third notification message indicating that the operation instruction is not executed is generated, and the third notification message is transmitted to the first client.
In addition, the method 400 may further perform step S410 of receiving a rights acquisition request for the second target data from the first client, where the rights acquisition request includes the first user identification and the requested rights range. Fig. 4B shows a user interface of the first client according to an embodiment of the application. As shown in FIG. 4B, the pop-up page 401 may be used to determine the scope of rights requested by the user for the database table. On this basis, the first client 130 may send a rights acquisition request to the task management system 110. In addition, the first client can also manage the operation authority in a grouping mode. For example, FIG. 4C illustrates a user interface of a first client according to one embodiment of the application. As shown in fig. 4C, when control 402 is clicked, the user interface may display pop-up window 403. Here, a user may be selected in control 404, and the selected user is displayed in area 405. The selected users in the first client may be added to a group, for example. For a group, the system 110 may receive information from a first client regarding added users within the group. In this way, the added user may have the corresponding set of operating rights.
In step S411, in response to the rights acquisition request, a corresponding fourth notification message is sent to the second client, so that the second client returns a response message according to the fourth notification message, where the fourth notification message includes the rights acquisition request. Here, the second target data is, for example, one or more database tables. The second client refers to a user device having management rights to the second target data. When the plurality of database tables in the second target data are managed by the plurality of users, step S411 may also transmit rights acquisition requests to clients corresponding to the respective users, respectively. In step S412, a response message is received. When the response message indicates that the rights acquisition request is granted, the method 400 may perform step S413 of modifying the operating rights range of the first user identification to the second target data to the requested rights range.
In yet another embodiment, the task management system 110 may include a session management device, a task management device based on a Hive architecture, and a rights management device based on a Ranger architecture. The rights management means may be, for example, a Ranger service component. Steps S410, S411, and S412 may be performed by the session management apparatus. In step S413, a corresponding rights modification request is transmitted to the rights management unit by the session management unit. In the rights management unit, in response to the rights modification request, the scope of the rights of the first user identification to the second target data is modified to the requested scope of rights.
In addition, the method 400 may further perform step S414 to generate a log record related to the execution result of the data operation request. Here, the log record relating to the execution result may be one or more records, for example. The log record may include, for example, a user identification, data manipulation instructions, a manipulation execution time, and a data manipulation result. In step S415, the log records are analyzed according to a predetermined policy. In one embodiment, the predetermined policy may include, for example, one or more rules. One rule is, for example, that the data manipulation instruction and the data manipulation result need to be matched. Yet another rule is, for example, that the user corresponding to the user identification needs to have the right to execute the data manipulation instruction. For example, a data manipulation instruction is a query for data from a field in a database table. The data manipulation result then needs to be a read of the queried records, and not another manipulation such as a modification of the data table. When step S416 determines that any log record does not meet at least one rule in the predetermined policy, a corresponding alert message is generated and sent to the first client or other monitoring device.
In one embodiment, the task management system 110 may include a session management device, a task management device based on a Hive architecture, a rights management device based on a Ranger architecture, and an auditing device. Wherein the auditing means may be implemented, for example, based on a search query server (Solr) architecture. In step S414, a log record concerning the execution result of the data operation request is generated by the rights management unit and transmitted to the auditing unit. Thus, the auditing apparatus may perform step S415. When it is determined that any one of the log records does not satisfy at least one rule in the predetermined policy, the auditing apparatus may perform step S416, generate a corresponding alert message, and transmit the alert message to the first client.
To sum up, the method 400 can promptly discover abnormal data operations by analyzing (also called auditing) the log records, so that the abnormal situations can be handled promptly.
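The audit of steps S414 to S416 can be illustrated with the two rules the description names: the recorded result must match the instruction, and the user must hold the right to execute it. This is an added Python example, not code from the patent; the JSON-lines record layout, field names, grants and sample records are constructed for illustration.

```python
import json

# Effect each instruction is expected to have on the table (rule 1).
EXPECTED_EFFECT = {
    "SELECT": "read",
    "INSERT": "write", "UPDATE": "write", "DELETE": "write",
    "CREATE": "table_op", "ALTER": "table_op", "DROP": "table_op",
}

# Constructed rights used for rule 2: (user, table) -> granted rights.
GRANTS = {
    ("user_a", "sales.orders"): {"read"},
    ("user_b", "sales.orders"): {"read", "write"},
}

# Constructed log: one JSON record per line with the fields the description
# lists (user identification, instruction, execution time, result).
SAMPLE_LOG = """\
{"user": "user_a", "instruction": "SELECT", "table": "sales.orders", "time": "10:00:01", "result": "read"}
{"user": "user_a", "instruction": "SELECT", "table": "sales.orders", "time": "10:00:07", "result": "write"}
{"user": "user_a", "instruction": "DELETE", "table": "sales.orders", "time": "10:01:30", "result": "write"}
this line is not a log record
{"user": "user_b", "instruction": "UPDATE", "table": "sales.orders", "time": "10:02:12", "result": "write"}
{"user": "user_c", "instruction": "SELECT", "table": "sales.orders", "time": "10:03:45", "result": "table_op"}
"""


def audit(log_text):
    """Return [(line_number, rule_violated), ...] for the given log text.

    A record that cannot be parsed is itself reported, because a gap in
    the audit trail is an anomaly and must not be skipped silently.
    """
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            fields = [rec[k] for k in ("user", "instruction", "table", "result")]
        except (ValueError, KeyError, TypeError):
            alerts.append((lineno, "malformed_record"))
            continue
        if not all(isinstance(v, str) for v in fields):
            alerts.append((lineno, "malformed_record"))
            continue
        user, instruction, table, result = fields

        expected = EXPECTED_EFFECT.get(instruction.upper())
        if expected is None:
            alerts.append((lineno, "unknown_instruction"))
            continue
        # Rule 1: the instruction and its recorded result must match,
        # e.g. a query may only have read records.
        if result != expected:
            alerts.append((lineno, "result_mismatch"))
        # Rule 2: the user must hold the right the instruction requires.
        if expected not in GRANTS.get((user, table), set()):
            alerts.append((lineno, "user_lacks_right"))
    return alerts


if __name__ == "__main__":
    for lineno, rule in audit(SAMPLE_LOG):
        print("alert: record %d violates %s" % (lineno, rule))
```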
Fig. 5A illustrates a system interaction diagram according to some embodiments of the application. As shown in fig. 5A, the task management system 110 may include a session management device 111, a task management device 112, a rights management device 113, and an auditing device 114. In one embodiment, session management device 111 may be implemented, for example, based on a lightweight directory access protocol (Lightweight Directory Access Protocol, LDAP for short). The task management device 112 may be implemented, for example, based on a cellular (Hive) architecture. Rights management unit 113 may be implemented based on a security management framework (e.g., ranger, a centralized security management framework). The auditing means 114 may be implemented, for example, based on a search application server (e.g., solr, a stand-alone enterprise-level search application server, externally providing an API interface similar to Web-service, and the functions that may be implemented include full text retrieval, hit labeling, faceted searching, dynamic clustering, database integration, and rich text processing) architecture.
The first client 130 may perform step S501 to send authentication information, such as account number and password information, for logging in the task management system 110 to the session management device 111. The session management means 111 may make a match judgment for the received authentication information based on locally stored user identity information. When it is determined that the authentication information is authenticated, the session management device 111 may acquire the data management information corresponding to the first client from the rights management device 113. The data management information includes, for example, database table information to be displayed at the first client 130. The database table information to be displayed may include an identification of a database table to which the user has management authority (e.g., read-write authority), an identification of a database table to which the user has read authority, an identification of a database table to which the table name can be checked. In this way, the session management apparatus 111 can perform step S502 of returning a management page related to database table information to be displayed to the first client 130 so as to display the management page at the first client.
The first client 130 may perform step S503 to generate a data operation request for managing database tables in the page. The data manipulation request may include, for example, a first user identification and an implicit query language (Hibernate Query Language, HQL) message. In this way, the session management device 111 can perform step S504 to determine the operation scenario identification from the HQL message. The session management apparatus 111 may further perform step S505 to transmit a data operation request and an operation scene identification to the task management apparatus 112. In one embodiment, the session management device 111 may set parameters regarding an operation scenario on a session (e.g., a hive session) to which the task management device 112 is connected. Here, the code of the setting parameter is exemplified by: set tdf.sql.auth.type=xx where "xx" represents the identification of an operation scene. In this way, the task management device 112 can determine the operation scene identification according to the set parameters.
The task management device 112 may perform step S506 to transmit an operation authority inquiry request to the rights management device 113. The rights management device 113 may manage the operation rights of the database table. For example, each time the task management device 112 instructs the task execution system 120 to generate a database table, the rights management device 113 may generate a rights record for the database table. The rights record may include, for example: the user, the project and the group to which the table belongs. In one embodiment, the user to which the table belongs has management rights to the table. Users in the project to which the table belongs have read authority to the table. Users in the group to which the table belongs who are not in that project have the right to view the table name. Here, depending on the specific authority policy, the rights management device 113 may perform corresponding configuration on the operation authority of each database table, which is not described herein. In response to the query request, the rights management device 113 determines whether the data operation request matches the second operation authority policy, i.e., whether the first user identification has the right to execute the data operation request. The rights management device 113 may perform step S507, returning the rights inquiry result. In this way, the task management device 112 may continue to perform step S508 when it is determined that the first user identification has the authority to perform the data operation according to the authority query result. In step S508, the data operation request is parsed into an abstract language structure tree (Abstract Structure Tree, abbreviated as AST), and the operation authority range corresponding to the operation scene identification is queried (i.e. the first operation authority policy above is determined).
Here, the task management device 112 may use a Hook (Hook) function mechanism, for example, to query an operation authority range corresponding to an operation scene identifier associated with an AST every time the AST tree related to the data operation request is generated. In step S509, the task management device 112 may determine whether the operation instruction in the AST is within the queried data operation authority range, that is, whether the data operation request satisfies the first operation authority policy. The task management device 112 may perform step S510 when determining that it belongs to the operation authority range. In step S510, the task management device 112 may transmit a task corresponding to the data operation request to the task execution system 120. In this way, the task execution system 120 can execute the data operation request. In particular, a task execution system may split a task into multiple subtasks and then execute the corresponding subtasks in each compute node.
In addition, the rights management unit 113 may perform step S511 to monitor the execution of HQL and generate a corresponding log record. In step S512, the rights management unit 113 may transmit the log record to the auditing unit 114. Thus, the auditing means 114 may perform step S513, analysing the log records according to a predetermined auditing strategy. Upon determining that there is an abnormality in the log record, the auditing means 114 may execute step S514. In step S514, the auditing means 114 may generate a notification message regarding the anomaly and send it to the first client 130. In addition, auditing means 114 may also send notification messages to other monitoring devices.
In addition, the first client 130 may also perform step S515 to transmit a rights acquisition request for the second target data to the session management device 111. The session management means 111 may determine the management right of the second target data, for example, the management right belongs to the user corresponding to the second client 140. The session management apparatus 111 may perform step S516 to transmit a notification message regarding the rights acquisition request to the second client 140. The second client 140 may perform step S517 to transmit a confirmation message to the session management apparatus 111 when the grant right acquisition request is input according to the user. In this way, the session management apparatus 111 can perform step S518. In step S518, an operation right modification request is transmitted to the right management device 113. In this way, the rights management unit 113 can execute step S519 to modify the operation rights of the first client to the second target data.
Fig. 5B illustrates a system schematic according to some embodiments of the application. As shown in fig. 5B, upon receiving the data operation request, the session management apparatus 111 may transmit the data operation request and the operation scene identification to the interface 1121 of the task management apparatus 112. The interface 1121 may send a rights inquiry request to the rights management unit 113. The rights management unit 1131 may query from the rights recording unit 1132 whether the user has the right to perform the data operation request, and return the query result to the interface 1121. When the query result indicates that the user has the execution authority, the compiling unit 1122 may compile the data operation request to obtain a compiling result (for example, an AST tree). For the compiling result, the matching unit 1123 may query the first operation authority policy corresponding to the operation scene identifier, and determine whether the compiling result satisfies the first operation authority policy. When the matching unit 1123 determines that the compiling result satisfies the first operation authority policy, the execution management unit 1124 may submit the operation task corresponding to the data operation request to the task execution system 120. Task management node 121 may assign operational tasks to computing nodes, such as 122, 123, and 124. In this way, each computing node may perform corresponding data processing. In addition, the rights management unit 1131 may also generate a log record of the task execution by the task execution system 120 and send it to the auditing device 114. The audit management unit 1141 may audit the log records according to the audit policy stored by the rule management unit 1142. In this way, the audit management unit 1141 may generate a notification message regarding the anomaly upon determining that the log record is anomalous.
The audit management unit 1141 may send a notification message to a client (e.g., a first client) via the task management system 110.
Fig. 5C illustrates a system schematic according to some embodiments of the application. As shown in fig. 5C, the session management device 111 may be implemented based on, for example, a lightweight directory access protocol (Lightweight Directory Access Protocol, LDAP for short). The task management device 112 may be implemented, for example, based on a cellular (Hive) architecture. The task execution system 120 may be implemented, for example, based on another resource coordinator (Yet Another Resource Negotiator, YARN) architecture. Here, YARN is a resource manager of Hadoop.
The session management apparatus 111 may include a rights management unit 1111 and an application scenario library 1112. The application scenario library 1112 is used for describing association relation between database table operation and operation scenario identification. When the session management apparatus 111 receives the data operation request, the authority management unit 1111 may query the application scenario library 1112 to determine an operation scenario identification corresponding to the received data operation request. In the multi-user application scenario, the rights management unit 1111 may determine, for example, an operation scenario identifier 1 corresponding to the user identifier a and an operation scenario identifier 2 corresponding to the user identifier B. Here, for the user identification a, the session management device 111 establishes a session 1 (i.e., a hive session) with the interface 1121. The session management means 111 may set the operation scenario identification 1 to parameter 1 of session 1. Similarly, session 2 is established with interface 1125 for user identification B by session management means 111. The operation scene identification 2 is set to parameter 2 of session 2. In addition, the session management apparatus 111 may transmit a data operation request corresponding to the user identification a to the compiling unit 1122 through the session 1 and the interface 1121. The compiling unit 1122 may parse the data operation request into an AST. The hook 1126 may monitor the compiling unit 1122. Hook 1126 may implement, for example, the abstract class abstract in Hive, preAnalyze. The hook 1126 may transmit an AST to the matching unit 1123 when acquiring the AST. The matching unit 1123 may determine whether the AST matches the first operation authority policy. Upon determining a match, the matching unit 1123 may send a message to the execution management unit 1124 indicating that the match passed. 
The execution management unit 1124, upon receiving the message that the match passed, may acquire a task to be executed corresponding to the data operation request from the compiling unit 1122. In this way, the execution management unit 1124 may submit tasks to be executed to the task execution system 120.
Fig. 5D illustrates a system schematic according to some embodiments of the applications. As shown in fig. 5D, the session management device 111 may be implemented based on, for example, a lightweight directory access protocol (Lightweight Directory Access Protocol, LDAP for short). The task management device 112 may be implemented, for example, based on a cellular (Hive) architecture. Rights management unit 113 may be implemented based on a security management framework (e.g., ranger, a centralized security management framework). The auditing means 114 may be implemented, for example, based on a search query server (Solr) architecture. The session management apparatus 111 may include an authentication unit 1113 and a library table management unit 1114. The task management device 112 may include a cellular service unit 1121 and a management plug-in 1131. The rights management device 113 may include a rights management unit 1131 and a rights record repository 1132. Audit device 114 may include an audit unit 1141 and an audit policy store 1142. Here, the rights management unit 1131 may be, for example, a forest Manager (range Manager). The rights record repository 1132 may record the operating rights of the respective database tables.
Specifically, the authentication unit 1113 may perform authentication on a client logging in to the task management system. For example, the client 1 accesses the session management apparatus 111 through authentication information (e.g., a user name, a password, and the like). The authentication unit 1113 may verify the authentication information of the client 1. Upon passing the authentication, the client 1 may transmit a data operation request to the session management apparatus 111. It should be noted that, for example, the type of the data operation request may include a data operation statement (data manipulation language, abbreviated as DML) and a data definition statement (data definition language, abbreviated as DDL). The DML operation instructions may include, for example, a query instruction (SELECT), an UPDATE instruction (UPDATE), an INSERT Instruction (INSERT), and a DELETE instruction (DELETE). DDL operation instructions may include, for example, a table creation instruction (CREATE), a table structure modification instruction (ALTER), an object deletion instruction (DROP). For example, the client 1 may transmit an operation instruction of the DML type to the session management apparatus. The client 2 may transmit an operation instruction of the DDL type to the session management apparatus 111.
The library table management unit 1114 may receive a rights acquisition request sent by one client. Rights acquisition requests refer to requests for operating rights to a target data (e.g., a database table). For example, the client 1 may transmit the rights acquisition request 1 to the library table management unit 1114. Rights acquisition request 1 may include one or more operation rights requests of client 1 to target data 1. The manager of the target data 1 is the user corresponding to the client 2. Upon receiving the rights acquisition request 1, the library table management unit 1114 may transmit the rights acquisition request 1 to the client 2. The client 2 may transmit a response message to the library table management unit 1114. When the response message indicates approval of the rights acquisition request 1, a corresponding rights modification request may be transmitted to the rights management unit 1131. In this way, the rights management unit 1131 can modify the operation rights of the client 1 to the target data 1 in the rights record repository 1132, so that the client 1 acquires the operation rights corresponding to the rights acquisition request 1. In addition, when the task execution system 120 generates a database table, the rights management unit 1131 may generate a corresponding rights record and store the rights record in the rights record library 1132. Here, the rights record may describe rights contents such as the operation rights of the owners and owners of the database tables, for example.
The cellular service unit 1121 may be, for example, a Hive Server2 (a service that may perform Hive query, etc.), but is not limited thereto. The cellular service unit 1121 may establish a cellular session (hive session) with the session management apparatus 111. For example, for the client 1, the cellular service unit 1121 establishes a session 1 with the session management apparatus 111. For the client 2, the cellular service unit 1121 establishes a session 2 with the session management apparatus 111. In this way, the cellular service unit 1121 can receive a data operation request. For example, cellular service unit 1121 may receive data operation request 1 from client 1. The data operation request 1 is, for example, an operation instruction 1 of the user identification a on the target data 1. The cellular service unit 1121 may send a rights inquiry request to the rights management unit 1131 through the management plug-in 1133. In this way, the rights management unit 1131 may query the rights record repository 1132 for the scope of the user identification a's operation rights to the target data 1 (i.e., the second operation rights policy above). On this basis, the rights management unit 1131 may send the second operation rights policy to the cellular service unit 1121 through the management plug-in 1133. Here, the management plug-in 1133 may be, for example, a Ranger plugin service component, but is not limited thereto. In this way, the cellular service unit 1121 can determine whether the operation instruction 1 matches the second operation authority policy. Upon matching the second operation authority policy, the cellular service unit 1121 may further continue to determine whether the operation instruction 1 satisfies the first operation authority policy. Here, the manner in which the cellular service unit 1121 determines whether the operation instruction satisfies the first operation authority policy is identical to that of the matching unit 1123 in fig. 5C, and will not be described again.
In summary, the cellular service unit 1121 may perform operation authority determination twice on the data operation request. In the first judgment process, the cellular service unit 1121 may determine whether the user identification has authority to perform a data operation request on the target data (for example, determine whether the second operation authority policy is satisfied). The cellular service unit 1121 may make a second operation authority judgment when the user identification has authority to perform the data operation request. In the second operation authority determination process, the cellular service unit 1121 may determine, according to an application scenario corresponding to the data operation request, whether the data operation request satisfies an operation authority limit of the application scenario (for example, determine whether the data operation request satisfies the first operation authority policy). In this way, even when a data operation request satisfies the operation authority range corresponding to the user identifier, the cellular service unit 1121 can prevent the user from performing an incorrect operation in an application scenario unsuitable for executing the data operation request.
In addition, the rights management unit 1131 may monitor the execution result of the data operation. Here, the rights management unit 1131 may generate a log record related to the execution result and transmit the log record to the auditing apparatus 114. Rule management unit 1142 stores an audit policy for the log records. The audit management unit 1141 may analyze the log records according to the audit policy of the rule management unit 1142.
Fig. 6 illustrates a schematic diagram of a management apparatus 600 of data operation rights according to some embodiments of the present application. The management device 600 may reside, for example, in the task management system 110. The management apparatus 600 may include: a receiving unit 601, a scene determining unit 602, a first acquiring unit 603, a first matching unit 604, and a processing unit 605.
The receiving unit 601 is configured to receive a data operation request from a first client.
The scene determining unit 602 is configured to determine an operation scene identifier corresponding to the data operation request. The operation scene identifier is used for identifying an application scene type corresponding to the data operation request. In other words, the application scenario type corresponds to a database table operation.
The first obtaining unit 603 is configured to obtain a first operation authority policy corresponding to the operation scene identifier.
The first matching unit 604 is configured to perform a matching operation on the data operation request and the first operation authority policy.
In one embodiment, the first obtaining unit 603 may query a first operation instruction set allowed to be executed corresponding to the operation scenario identifier. The first matching unit 604 may determine that the data operation request satisfies the first operation authority policy when determining that the operation instruction in the data operation request belongs to the first operation instruction set.
In yet another embodiment, the first obtaining unit 603 may query the second operation instruction set, which is prohibited from being executed and corresponds to the operation scene identifier. The first matching unit 604 may determine that the data operation request satisfies the first operation authority policy when it is determined that the operation instruction in the data operation request does not belong to the second operation instruction set.
The processing unit 605 is configured to execute the data operation request when the first matching unit 604 determines that the data operation request satisfies the first operation authority policy.
Fig. 7 illustrates a schematic diagram of a management apparatus 700 of data operation rights according to some embodiments of the present application. The management device 600 may reside, for example, in the task management system 110. The management apparatus 700 may include: a receiving unit 701, a scene determining unit 702, a first acquiring unit 703, a first matching unit 704, a processing unit 705, a notifying unit 706, a second acquiring unit 707, a second matching unit 708, a rights management unit 709, an operation recording unit 710, and an auditing unit 711. Among them, the receiving unit 701, the scene determining unit 702, the first acquiring unit 703, the first matching unit 704, and the processing unit 705 may perform operations consistent with those of the receiving unit 601, the scene determining unit 602, the first acquiring unit 603, the first matching unit 604, and the processing unit 605 described above, but are not limited thereto.
In one embodiment, the notification unit 706 is configured to generate a first notification message indicating that the data operation request is not executed, and send the first notification message to the first client, when the first matching unit 704 determines that the data operation request does not satisfy the first operation authority policy.
In one embodiment, the receiving unit 701 may receive the first user identification and an operation instruction on the first target data. The second obtaining unit 707 may query the first user identification for the second operation authority policy of the first target data before the first matching unit 704 performs the matching operation of the data operation request with the first operation authority policy. The second matching unit 708 may perform a matching operation of the operation instruction with the second operation authority policy. The notification unit 706 may further generate a second notification message indicating that the operation instruction is not executed and transmit the second notification message to the first client when the second matching unit 708 determines that the operation instruction does not match the second operation authority policy.
In one embodiment, the receiving unit 701 may receive the first user identification and an operation instruction on the first target data. The second obtaining unit 707 may query the user identification range authorized to perform the operation instruction on the first target data before the first matching unit 704 performs the matching operation on the data operation request and the first operation authorization policy. The second matching unit 708 may perform a matching operation of the first user identification with the user identification range. The notification unit 706 may generate a third notification message indicating that the operation instruction is not performed when the second matching unit 708 determines that the first user identification does not match the user identification range, and transmit the third notification message to the first client.
In one embodiment, the receiving unit 701 may further receive a rights acquisition request of the first client to the second target data. The rights acquisition request includes a first user identification and a requested scope of rights. The notification unit 706 may send a corresponding fourth notification message to the second client in response to the rights acquisition request, so that the second client returns a response message according to the fourth notification message. Wherein the fourth notification message includes a rights acquisition request. The receiving unit 701 may receive the response message. The rights management unit 709 may modify the operation rights range of the first user identification to the second target data to the requested rights range when the response message indicates that the rights acquisition request is granted.
In one embodiment, the operation recording unit 710 may generate a log record regarding the execution result of the data operation request. The audit unit 711 may analyze the log records according to a predetermined policy. When it is determined that any one of the log records does not satisfy at least one rule in the predetermined policy, the audit unit 711 may generate a corresponding alarm message and transmit the alarm message to the first client.
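The two-stage judgment, the allow-set and deny-set forms of the first operation authority policy, and the log audit described above can be sketched as follows. This is an added illustration, not code from the patent; every name, policy table and rule in it is constructed for the example, and the operation keyword is assumed to have been extracted from the request already.

```python
from dataclasses import dataclass
from typing import Optional

# Second operation authority policy: operations a user identification may
# perform on a target table (constructed sample data).
USER_POLICY = {
    ("user_a", "sales.orders"): {"SELECT", "INSERT", "DROP"},
    ("user_b", "sales.orders"): {"SELECT"},
}

# First operation authority policy, keyed by operation scene identifier.
# A scene carries either a set of allowed or a set of prohibited instructions.
SCENE_POLICY = {
    "adhoc_query": {"allow": {"SELECT"}},
    "etl_job": {"deny": {"DROP", "ALTER"}},
}

DDL = {"CREATE", "DROP", "ALTER"}  # data definition statements


@dataclass(frozen=True)
class Request:
    user: str
    table: str
    operation: str  # operation keyword, assumed already parsed from the request
    scene: str      # operation scene identifier carried as a session parameter


@dataclass(frozen=True)
class Decision:
    executed: bool
    stage: str                   # "user", "scene" or "executed"
    notification: Optional[str]  # None when the request is executed


def user_permits(req):
    """First judgment: does the user hold this right on the target data?"""
    return req.operation in USER_POLICY.get((req.user, req.table), set())


def scene_permits(req):
    """Second judgment: is the operation acceptable in this scene?"""
    policy = SCENE_POLICY.get(req.scene)
    if policy is None:
        return False  # unknown scene: fail closed (a choice made in this example)
    if "allow" in policy:
        return req.operation in policy["allow"]
    return req.operation not in policy["deny"]


def handle(req, log):
    """Run both judgments in order and append one log record per request."""
    if not user_permits(req):
        decision = Decision(False, "user", "second notification: not executed")
    elif not scene_permits(req):
        decision = Decision(False, "scene", "first notification: not executed")
    else:
        decision = Decision(True, "executed", None)
    log.append({"user": req.user, "table": req.table, "scene": req.scene,
                "operation": req.operation, "executed": decision.executed,
                "stage": decision.stage})
    return decision


# Audit policy: each rule returns True when a log record satisfies it.
AUDIT_RULES = {
    "no_denied_ddl": lambda rec: rec["executed"] or rec["operation"] not in DDL,
}


def audit(log):
    """Return one alarm message for every record that violates a rule."""
    return [f"{name}: {rec['user']} {rec['operation']} {rec['table']}"
            for rec in log
            for name, rule in AUDIT_RULES.items()
            if not rule(rec)]


def run_demo():
    """Process constructed requests and return (decisions, alarms)."""
    log = []
    requests = [
        Request("user_a", "sales.orders", "DROP", "adhoc_query"),
        Request("user_b", "sales.orders", "INSERT", "etl_job"),
        Request("user_a", "sales.orders", "INSERT", "etl_job"),
        Request("user_a", "sales.orders", "DROP", "etl_job"),
        Request("user_a", "sales.orders", "SELECT", "unknown_scene"),
    ]
    decisions = [handle(r, log) for r in requests]
    return decisions, audit(log)
```

The first constructed request shows the case the description emphasises: user_a holds the DROP right on the table, yet the request is refused because the scene it arrives in permits only SELECT.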
FIG. 8 illustrates a block diagram of the components of a computing device. As shown in fig. 8, the computing device includes one or more processors (CPUs or GPUs) 802, a communication module 804, a memory 806, a user interface 810, and a communication bus 808 for interconnecting these components.
The processor 802 may receive and transmit data via the communication module 804 to enable network communication and/or local communication.
The user interface 810 includes one or more output devices 812, which include one or more speakers and/or one or more visual displays. The user interface 810 also includes one or more input devices 814 including, for example, a keyboard, mouse, voice command input unit or microphone, touch screen display, touch sensitive tablet, gesture capture camera or other input buttons or controls, and the like.
Memory 806 may be a high-speed random access memory such as DRAM, SRAM, DDR RAM, or other random access solid state memory devices; or non-volatile memory such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid state storage devices.
Memory 806 stores a set of instructions executable by processor 802, including:
an operating system 816 including programs for handling various basic system services and for performing hardware related tasks;
application 818 includes various programs for implementing the video playback methods described above that enable the process flows in the examples described above, such as may include a video player according to the present application. The video player may include the management apparatus 600 of the data operation authority shown in fig. 6 or the management apparatus 700 of the data operation authority shown in fig. 7.
In addition, each of the examples of the present application may be implemented by a data processing program executed by a data processing apparatus such as a computer. Obviously, the data processing program constitutes the application. In addition, a data processing program typically stored in one storage medium is executed by directly reading the program out of the storage medium or by installing or copying the program into a storage device (such as a hard disk and/or a memory) of the data processing apparatus. Therefore, such a storage medium also constitutes the present application. The storage medium may use any type of recording means, such as paper storage medium (e.g., paper tape, etc.), magnetic storage medium (e.g., floppy disk, hard disk, flash memory, etc.), optical storage medium (e.g., CD-ROM, etc.), magneto-optical storage medium (e.g., MO, etc.), etc.
The present application thus also discloses a non-volatile storage medium in which a data processing program is stored for performing any one of the examples of the above-described method of the present application.
In addition, the method steps of the present application may be implemented by hardware, such as logic gates, switches, application Specific Integrated Circuits (ASIC), programmable logic controllers, embedded microcontrollers, etc., in addition to data processing programs. Such hardware capable of carrying out the methods of the application may therefore also constitute the application.
The foregoing description is only of preferred embodiments of the application and is not intended to limit the application to the particular embodiments disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the application.

Claims (15)

1. A method for managing data operation rights, comprising:
receiving a data operation request from a first client, wherein the data operation request is used to describe an indication related to database table operation; the data operation request includes: the first user identification and an operation instruction for the first target data;
performing a first operation permission judgment on the data operation request to determine whether the first user identification has permission to perform the data operation request on the first target data;
when the first user identification has the authority to execute the data operation request, executing second operation authority judgment on the data operation request to determine whether the data operation request meets the operation authority of an application scene corresponding to the data operation request;
wherein,
executing a first operation permission judgment on the data operation request, including:
querying a second operation authority strategy of the first user identification on the first target data;
matching the operation instruction with the second operation authority strategy; and when it is determined that the operation instruction matches the second operation authority policy, determining that the first user identification has an authority to execute the data operation request on the first target data;
or,
inquiring a user identification range with authority to execute the operation instruction on the first target data;
matching the first user identifier with the user identifier range; and determining that the first user identification has the right to perform the data operation request on the first target data when the first user identification is determined to be matched with the user identification range;
executing a second operation permission judgment on the data operation request, including:
determining an operation scene identifier corresponding to the data operation request, wherein the operation scene identifier is used for identifying an application scene type corresponding to the data operation request, and the application scene type is divided according to the type of the data operation request; the types of the data operation requests comprise data operation statements and data definition statements;
acquiring a first operation authority strategy corresponding to the operation scene identifier;
matching the data operation request with the first operation authority strategy; and
executing the data operation request when the data operation request is determined to meet the first operation authority policy.
2. The management method of claim 1, further comprising: when the data operation request is determined not to meet the first operation authority policy, a first notification message indicating that the data operation request is not executed is generated, and the first notification message is sent to the first client.
3. The management method of claim 1, wherein,
when the operation instruction is determined not to match with the second operation authority policy, a second notification message indicating that the data operation request is not executed is generated, and the second notification message is transmitted to the first client.
4. A management method according to claim 3, wherein the management method is performed in a task management system comprising a task management device based on a honeycomb architecture and a rights management device based on a range architecture; the querying the second operation authority policy of the first user identification on the first target data comprises:
transmitting a query request for the second operation authority policy to the authority management device in the task management device;
and responding to the query request in the authority management device, querying a database table operation instruction set of the first user identification on the first target data, and taking the database table operation instruction set as the second operation authority strategy.
5. The management method according to claim 4, wherein the task management system further comprises a session management means; the determining the operation scene identifier corresponding to the data operation request comprises the following steps:
when the session management device receives the data operation request from the first client, determining an operation scene identifier corresponding to the data operation request according to an application scene library, wherein the application scene library is used for describing the association relation between database table operation and the operation scene identifier;
setting the operation scene identifier as a parameter of a cellular session corresponding to the first user identifier in the session management device, wherein the cellular session is used for sending the data operation request to the task management device.
6. The method of managing as set forth in claim 5, wherein the obtaining the first operation authority policy corresponding to the operation scene identifier and performing the matching operation include:
when the task management device acquires the data operation request through the honeycomb session, analyzing the data operation request into a corresponding abstract language structure tree;
when the generation of the abstract language structure tree is monitored in the task management device in a hook function mode, inquiring a first operation authority strategy corresponding to the abstract language structure tree according to the parameters;
in the task management device, it is determined whether the abstract language structure tree satisfies the first operation authority policy.
7. The management method according to claim 4, wherein the task management system further comprises a session management means; the method further comprises the steps of:
receiving a right acquisition request of the first client to the second target data in the session management device, wherein the right acquisition request comprises a first user identification and a requested right range;
in the session management device, responding to the right acquisition request, sending a corresponding fourth notification message to the second client so that the second client returns a response message according to the fourth notification message, wherein the fourth notification message comprises the right acquisition request;
receiving the response message in the session management device;
when the response message indicates that the rights acquisition request is granted, transmitting a corresponding rights modification request to the rights management device in the session management device;
in the rights management unit, in response to the rights modification request, the scope of the rights of the first user identification to the second target data is modified to the requested scope of rights.
8. A method of managing as set forth in claim 4 wherein the task management system further comprises an auditing means based on a search query server architecture, the method further comprising:
generating, in the rights management unit, a log record concerning an execution result of the data operation request, and transmitting the log record to the auditing unit;
in the auditing device, analyzing the log records according to a preset strategy;
and when any log record is determined to not meet at least one rule in the preset strategy, generating a corresponding alarm message in the auditing device, and sending the alarm message to the first client.
9. The management method of claim 1, wherein the method further comprises:
when it is determined that the first user identification does not match the user identification range, a third notification message indicating that the data operation request is not to be performed is generated and sent to the first client.
10. The management method of claim 1, wherein,
the obtaining the first operation authority policy corresponding to the operation scene identifier includes: inquiring a first operation instruction set which corresponds to the operation scene identifier and is allowed to be executed;
the determining that the data operation request satisfies the first operation authority policy includes: and when determining that the operation instruction in the data operation request belongs to the first operation instruction set, determining that the data operation request meets the first operation authority strategy.
11. The management method of claim 1, wherein,
the obtaining the first operation authority policy corresponding to the operation scene identifier includes: inquiring a second operation instruction set which is forbidden to be executed and corresponds to the operation scene identification;
the determining that the data operation request satisfies the first operation authority policy includes: and when the operation instruction in the data operation request is determined not to belong to the second operation instruction set, determining that the data operation request meets the first operation authority policy.
12. A management apparatus of data operation rights, characterized by comprising:
a receiving unit configured to receive a data operation request from a first client, wherein the data operation request is used to describe an indication related to a database table operation; the data operation request includes: the first user identification and an operation instruction for the first target data;
a first permission judgment unit, configured to perform a first operation permission judgment on the data operation request, so as to determine whether the first user identifier has permission to perform the data operation request on the first target data;
the second permission judging unit is used for executing second operation permission judgment on the data operation request when the first user identification has permission to execute the data operation request so as to determine whether the data operation request meets the operation permission of an application scene corresponding to the data operation request;
wherein,
the first authority judging unit includes:
the second acquisition unit is used for inquiring a second operation authority strategy of the first user identification on the first target data;
the second matching unit is used for matching the operation instruction with the second operation authority policy; and when it is determined that the operation instruction matches the second operation authority policy, determining that the first user identification has authority to execute the data operation request on the first target data;
or,
the second acquisition unit is used for inquiring the user identification range with authority to execute the operation instruction on the first target data;
the second matching unit is used for performing matching operation on the first user identifier and the user identifier range; and determining that the first user identification has the right to perform the data operation request on the first target data when the first user identification is determined to be matched with the user identification range;
the second authority judging unit includes:
the scene determining unit is used for determining an operation scene identifier corresponding to the data operation request, wherein the operation scene identifier is used for identifying an application scene type corresponding to the data operation request, and the application scene type is divided according to the type of the data operation request; the types of the data operation requests comprise data operation statements and data definition statements;
the first acquisition unit is used for acquiring a first operation authority strategy corresponding to the operation scene identifier;
the first matching unit is used for performing matching operation on the data operation request and the first operation authority strategy; and
the processing unit is used for executing the data operation request when the first matching unit determines that the data operation request meets the first operation authority policy.
13. The management apparatus according to claim 12, further comprising a notification unit operable to generate a first notification message indicating that the data operation request is not executed, and to transmit the first notification message to the first client, when the first matching unit determines that the data operation request does not satisfy the first operation authority policy.
14. A computing device, comprising:
one or more processors;
a memory; and
one or more programs stored in the memory and configured to be executed by the one or more processors, the one or more programs comprising instructions for performing the method of any of claims 1-11.
15. A storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform the method of any of claims 1-11.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810057920.5A CN108280367B (en) 2018-01-22 2018-01-22 Data operation authority management method and device, computing equipment and storage medium

Publications (2)

Publication Number Publication Date
CN108280367A CN108280367A (en) 2018-07-13
CN108280367B true CN108280367B (en) 2023-12-15

Family

ID=62804355

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810057920.5A Active CN108280367B (en) 2018-01-22 2018-01-22 Data operation authority management method and device, computing equipment and storage medium

Country Status (1)

Country Link
CN (1) CN108280367B (en)

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109214210A (en) * 2018-09-14 2019-01-15 南威软件股份有限公司 A kind of method and system optimizing honeycomb rights management
CN109309686A (en) * 2018-11-01 2019-02-05 浪潮软件集团有限公司 Multi-tenant management method and device
CN109683942B (en) * 2018-11-13 2024-05-24 平安科技(深圳)有限公司 Script management method, script management device, script management medium and electronic equipment
CN109862072B (en) * 2018-12-25 2020-03-31 鼎信信息科技有限责任公司 Application task response method and device
CN110197064B (en) * 2019-02-18 2023-08-25 腾讯科技(深圳)有限公司 Process processing method and device, storage medium and electronic device
CN110188573B (en) * 2019-05-27 2024-06-04 深圳前海微众银行股份有限公司 Partition authorization method, partition authorization device, partition authorization equipment and computer readable storage medium
CN110333941B (en) * 2019-06-28 2021-08-24 苏宁消费金融有限公司 Big data real-time calculation method based on sql
CN110750294A (en) * 2019-09-18 2020-02-04 平安银行股份有限公司 Code library management method and device and computer storage medium
CN112580088A (en) * 2019-09-30 2021-03-30 北京国双科技有限公司 Data loading method and device, computer equipment and storage medium
CN111797424A (en) * 2019-11-26 2020-10-20 北京京东尚科信息技术有限公司 Method and device for processing request
CN110889142B (en) * 2019-12-20 2022-08-26 中国银行股份有限公司 Data authority management method, device, system and equipment
CN111339524A (en) * 2020-02-26 2020-06-26 浪潮软件股份有限公司 Multi-tenant permission control method and device
CN111651122B (en) * 2020-05-20 2023-07-28 远景智能国际私人投资有限公司 Data deleting method, device, server and storage medium
CN113722723A (en) * 2020-05-25 2021-11-30 中移(苏州)软件技术有限公司 Information processing method, system, equipment and computer storage medium
CN111723401A (en) * 2020-06-17 2020-09-29 北京明略昭辉科技有限公司 Data access authority control method, device, system, storage medium and equipment
CN112860637A (en) * 2021-02-05 2021-05-28 广州海量数据库技术有限公司 Method and system for processing log based on audit strategy
CN112861159A (en) * 2021-03-04 2021-05-28 深圳市鹰硕云科技有限公司 Range-based permission determination method and system in intelligent education platform
CN113839942A (en) * 2021-09-22 2021-12-24 上海妙一生物科技有限公司 User authority management method, device, equipment and storage medium
CN115510480A (en) * 2022-09-26 2022-12-23 深圳市中政汇智管理咨询有限公司 Data management platform
CN116415218A (en) * 2023-06-08 2023-07-11 天津金城银行股份有限公司 Data authority management method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102402652A (en) * 2010-09-16 2012-04-04 金蝶软件(中国)有限公司 Method, system and terminal for controlling authority
CN102520933A (en) * 2011-11-28 2012-06-27 深圳市五巨科技有限公司 Method and device for establishing tree menu based on user right
CN103620616A (en) * 2013-03-28 2014-03-05 华为技术有限公司 Access control right management method and device
CN106940620A (en) * 2017-03-22 2017-07-11 广东小天才科技有限公司 Control the method and mobile terminal of mobile terminal
CN107194272A (en) * 2017-04-18 2017-09-22 北京潘达互娱科技有限公司 Database-access rights application method and device
CN107483725A (en) * 2017-07-31 2017-12-15 广东欧珀移动通信有限公司 Resource allocation method and Related product

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on the Security of the Embedded Database SQLite; Liu Lin; China Master's Theses Full-text Database, Information Science and Technology; 38-49 *

Also Published As

Publication number Publication date
CN108280367A (en) 2018-07-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant