CN108289098A - Rights management method and device, server, and medium for a distributed file system - Google Patents


Info

Publication number: CN108289098A
Application number: CN201810031104.7A
Authority: CN (China)
Prior art keywords: user, access request, file system, distributed file, permission
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN108289098B (en)
Inventors: 侯志贞, 季石磊
Current assignees: Baidu Online Network Technology Beijing Co Ltd; Beijing Baidu Netcom Science and Technology Co Ltd
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Events: application filed by Beijing Baidu Netcom Science and Technology Co Ltd; priority to CN201810031104.7A; publication of CN108289098A; application granted; publication of CN108289098B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

An embodiment of the invention discloses a rights management method and device, server, and medium for a distributed file system. The method includes: in response to an access request to the distributed file system, obtaining the user name and IP address corresponding to the access request; if the access request comes from an entrance machine server, matching the obtained user name and IP address against a pre-obtained allowed-user set and deciding according to the matching result whether to allow the access request, where the allowed-user set is one that a user configured in advance through the Web service of the distributed file system. Embodiments of the invention need no firewall, solve the problem that prior-art access rights management for distributed file systems contains security holes through which an illegal user can perform illegal operations, and improve the security of accessing and storing data in the distributed file system.

Description

Rights management method and device, server, and medium for a distributed file system
Technical field
Embodiments of the present invention relate to the field of computer technology, and in particular to a rights management method and device, server, and medium for a distributed file system.
Background technology
The Hadoop Distributed File System (HDFS) is the distributed file system provided by Hadoop. Because HDFS is highly fault tolerant, supports streaming access, suits batch/big-data processing and can be built on inexpensive machines, among other advantages, it is widely used in fields such as image processing, architecture management and e-commerce.
HDFS mainly consists of two components, the NameNode (name node) and the DataNode (data node). The NameNode, as the master node, is responsible for metadata, including the directory structure, permission information and file block storage information; the DataNode, as a slave node, is responsible for storing the actual data blocks. The NameNode is the manager of HDFS, and any operation that reads a file must pass through it. Specifically, the NameNode exposes three interfaces: the Remote Procedure Call (RPC) protocol interface, the Hypertext Transport Protocol (Hyper File Transfer Protocol, HFTP) interface and the Web Hadoop Distributed File System (WebHDFS) protocol interface; a user can access HDFS through any of these three interfaces.
Currently, the client program of the Hadoop platform by default reads HADOOP_USER_NAME from the environment variables of the current server and uses it as the user name; if HADOOP_USER_NAME is empty, the current operating system user is taken as the Hadoop user and allowed to access HDFS. This leads to the problem that merely changing the HADOOP_USER_NAME environment variable on the client is enough to forge a user and perform illegal operations. Therefore, the prior art typically uses firewall technology to restrict access to the RPC protocol interface in order to improve access security. However, improving HDFS access security with firewall technology still has at least the following problems:
1) For the RPC protocol interface, even with a firewall added, the firewall can only detect whether the entrance machine is legitimate; it cannot detect whether the user using the entrance machine is legitimate. An illegal user can therefore still impersonate a legitimate user and perform illegal operations.
2) Since no firewall can be added to the HFTP and WebHDFS protocol interfaces, an illegal user can still access the system through the HFTP and WebHDFS protocol interfaces.
Invention content
Embodiments of the present invention provide a rights management method and device, server, and medium for a distributed file system, in order to improve the security of accessing and storing data in the distributed file system.
In a first aspect, an embodiment of the present invention provides a rights management method for a distributed file system, the method including:
in response to an access request to the distributed file system, obtaining the user name and IP address corresponding to the access request;
if the access request comes from an entrance machine server, matching the user name and IP address against a pre-obtained allowed-user set and deciding according to the matching result whether to allow the access request, where the allowed-user set is one configured in advance by a user through the Web service of the distributed file system.
In a second aspect, an embodiment of the present invention further provides a rights management device for a distributed file system, the device including:
an access request module, configured to obtain, in response to an access request to the distributed file system, the user name and IP address corresponding to the access request;
an access authentication module, configured to match the user name and IP address against a pre-obtained allowed-user set if the access request comes from an entrance machine server, and to decide according to the matching result whether to allow the access request, where the allowed-user set is one configured in advance by a user through the Web service of the distributed file system.
In a third aspect, an embodiment of the present invention further provides a server, including:
one or more processors;
a storage device for storing one or more programs,
such that, when the one or more programs are executed by the one or more processors, the one or more processors implement the rights management method for a distributed file system as described in any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor it implements the rights management method for a distributed file system as described in any embodiment of the present invention.
Embodiments of the present invention, in response to an access request to the distributed file system, obtain the user name and IP address corresponding to the access request, match them against the allowed-user set preconfigured through the Web service, and then decide according to the matching result whether to allow the access request. No firewall needs to be set; this solves the problem that prior-art access rights management for distributed file systems has security holes through which an illegal user can perform illegal operations, and improves the security of accessing and storing data in the distributed file system.
Description of the drawings
Fig. 1 is a flow chart of the rights management method for a distributed file system provided by Embodiment one of the present invention;
Fig. 2 is a flow chart of the rights management method for a distributed file system provided by Embodiment two of the present invention;
Fig. 3 is a flow chart of the rights management method for a distributed file system provided by Embodiment three of the present invention;
Fig. 4 is a structural schematic diagram of the rights management device for a distributed file system provided by Embodiment four of the present invention;
Fig. 5 is a structural schematic diagram of a server provided by Embodiment five of the present invention.
Specific implementation mode
The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and not to limit it. It should also be noted that, for ease of description, the drawings show only the parts related to the present invention rather than the entire structure.
Embodiment one
Fig. 1 is a flow chart of the rights management method for a distributed file system provided by Embodiment one of the present invention. This embodiment is applicable to managing the permissions of a distributed file system. The method may be executed by a rights management device for a distributed file system, which may be implemented in software and/or hardware and may be integrated in a server. As shown in Fig. 1, the method specifically includes:
S110: in response to an access request to the distributed file system, obtain the user name and IP address corresponding to the access request.
The NameNode, as the master node, is responsible for metadata, which mainly includes the directory structure, permission information and file block storage information; the DataNode, as a slave node, is responsible for storing the actual data blocks. Illustratively, the directory structure includes the subdirectories and files under a directory; the permission information includes the read, write and access permissions of the owner of a directory or file, of users in the same group, and of other users; the file block storage information records into how many data blocks a file is divided and on which servers the blocks are stored. Since the NameNode is the manager of the whole file system, any operation that reads a file must pass through it. When a user logs in to a server and accesses the NameNode, the rights management device of the distributed file system responds to the user's access request and obtains the user name used for the login and the IP address of the server. Using the IP address further enhances the security of data file access.
For rights management, users are divided into three classes: administrators, business owners and ordinary users. An administrator can add a business group and the business owner of that group, create the corresponding database and directory, and assign ownership (owner) of the corresponding directory to the group. A business owner changes the permissions of his own directories as needed, for example disallowing other users from reading the data of a certain database, adding users to his own group, and adding entrance machine servers for his own group.
S120: if the access request comes from an entrance machine server, match the obtained user name and IP address against the pre-obtained allowed-user set and decide according to the matching result whether to allow the access request, where the allowed-user set is one configured in advance by a user through the Web service of the distributed file system.
An entrance machine server is the server from which users access data and submit distributed programs, so the users of entrance machine servers need to be controlled. When an access request reaches the NameNode, the rights management device of the distributed file system verifies whether the user on this entrance machine server has access rights; if the user is an illegal user impersonating another user, an access-permission exception is thrown directly.
Specifically, HDFS has a configuration item, dfs.namenode.inode.attributes.provider.class, through which an external access controller can be obtained using the getExternalAccessControlEnforcer method. Matching the obtained user name and IP address against the pre-obtained allowed-user set constitutes the first-level permission authentication process for the user, external access control; if both the user name and the IP address match, the permission authentication of external access control passes. Note that if the IP address is not in the allowed-user set (for example, a business group finds one entrance machine insufficient and simply copies the programs required on the entrance machine to a new entrance machine and runs them there, but the IP address of the new entrance machine has not yet been added to the allowed-user set), the user name is not matched at all and the access request is refused directly. Deciding according to the matching result whether to allow the access request then constitutes the second-level permission authentication process for the user, internal access control: specifically, if the permission authentication of external access control has passed, the ordinary file permissions of the user continue to be authenticated.
The allowed-user set is the set that a user configured in advance through the Web service of the distributed file system; it includes the set of user names allowed to access and the set of IP addresses. Compared with the prior art, which improves the access security of the distributed file system by setting a firewall on the external protocol interfaces of the HDFS master node, configuring the allowed-user set through the Web service has the following advantages:
1) It solves the problem of non-uniform user access entrances. In the prior art, a firewall is added only to the RPC protocol interface; since the HFTP and WebHDFS protocol interfaces share the same interface as the NameNode Web service, no firewall can be added to them. Restricting access to the RPC interface with firewall technology gives the cluster a boundary: users must access the cluster through an authorized entrance machine server, and other servers cannot access the cluster through the RPC protocol interface. But a user who can operate an entrance machine server can impersonate any user and read data through the HFTP and WebHDFS protocol interfaces. This results in inconsistent access for a user on the same server: data can be accessed through some protocols but not through others. In embodiments of the present invention no firewall is added, so the problem of non-uniform user access entrances does not arise, and the problem of an illegal user impersonating any legitimate user to read data through the HFTP and WebHDFS protocol interfaces is avoided.
In addition, in the prior art, to prevent a user from creating other users on an entrance machine server that is allowed RPC protocol access to the NameNode and performing illegal cluster operations, the root password of the entrance machine server is withdrawn and the entrance machine server is placed on the firewall whitelist. But some businesses process logs generated by online services and need software such as Flume to upload the logs to Hadoop; withdrawing the root password makes it difficult for users to operate and maintain their own servers. If users instead copy data in advance to an assigned entrance machine server, the cost of transferring data increases. In the end this makes the cluster inconvenient for users. Since embodiments of the present invention need no firewall, these problems are naturally avoided and users are not inconvenienced in using the cluster.
2) It makes up for the firewall's inability to identify the user who logs in to the entrance machine server, and avoids the risk of data leakage and loss caused by a user setting HADOOP_USER_NAME to impersonate another user and operate the cluster. Suppose a business group has two user accounts, Zhang San and Li Si, that is, the business owner of the group added these two accounts when adding the entrance machine. If Zhang San, before accessing Hadoop, changes the environment variable so that the user becomes search in order to read search's private files, the user name transmitted to the NameNode is search. During permission authentication, the corresponding user list, containing Zhang San and Li Si, is first looked up by IP address; matching then finds that search is not included, so an exception is thrown and Zhang San is prevented from performing this access.
In this embodiment the allowed-user set is configured through the Web service; no additional firewall needs to be set and the root password need not be withdrawn. By matching the user name and IP address of the accessing user against the allowed-user set, effective external access control is realized, access requests from impersonating illegal users are avoided, and users' cluster access is made convenient.
Optionally, the user name includes the user names of super accounts and the user names of non-super accounts.
The Hadoop super account is the user that starts the Hadoop services and has all permissions. In the prior art, no permission authentication is performed when a user logs in with the super account to operate the file system, i.e. the Hadoop permission check program skips the permission check when it encounters an access by the super account. In this technical solution a switch configuration can be set to control whether the super account skips the permission check program. When it is set to false, the permission check program also runs for accesses by the super account, and the super account likewise undergoes matching of user name and IP address against the allowed-user set. If the match succeeds, it is then decided whether the super account undergoes the ordinary file permission check. When the super account is required to perform the file permission check, it becomes an ordinary user when operating on files: it cannot delete other users' files, and cannot read files for which another user has set the permission for other users to 0; it retains only the cluster maintenance function. Through this switch configuration, both super and non-super accounts must pass the permission authentication of external access control and the permission authentication of internal access control, which prevents an impersonated super account from accessing data, prevents data leakage, and avoids the unrecoverable major accident that could otherwise be caused by the super account being able to read and delete all data.
The technical solution of this embodiment, in response to an access request to the distributed file system, obtains the user name and IP address corresponding to the access request, matches them against the allowed-user set preconfigured through the Web service, and then decides according to the matching result whether to allow the access request. No firewall needs to be set; this solves the problem that prior-art access rights management for distributed file systems has security holes through which an illegal user can perform illegal operations, improves the security of accessing and storing data in the distributed file system, and also realizes permission control over the super account, avoiding unrecoverable major accidents in the cluster.
Embodiment two
Fig. 2 is a flow chart of the rights management method for a distributed file system provided by Embodiment two of the present invention. This embodiment is a further optimization on the basis of the above embodiment. As shown in Fig. 2, the method specifically includes:
S210: in response to an access request to the distributed file system, obtain the user name and IP address corresponding to the access request.
S220: if the access request comes from an entrance machine server, match the obtained user name and IP address against the pre-obtained allowed-user set.
S230: if the user name and IP address match the allowed-user set, perform a read/write permission check according to the user name corresponding to the access request, where the allowed-user set includes the IP address of each entrance machine server among at least one entrance machine server and the corresponding at least one allowed user name.
A business owner can add only users of his own business group to the distributed file system and cannot add users of other groups. Illustratively, the flow by which a business owner adds an entrance machine server is as follows:
(1) Add the entrance machine information in the Web interface: enter the host name and IP address of the entrance machine server and which users are allowed to access on this entrance machine server. The NameNode server adds this entrance machine server and the users allowed to access to the NameNode's external access control system. The entrance machine server is also put into the entrance machine list, which is used when upgrading Hadoop programs and updating cluster parameters.
(2) Download the entrance machine server installation program from the Web interface and execute it with the root account. Illustratively, installing an entrance machine server requires the following operations: 1) create the Hadoop account of the installing user; 2) create the directory /usr/local/platform and assign ownership of this directory to that user; 3) put the public key of the Hadoop account of the distributing entrance machine server into the authorized_keys file, so that Hadoop programs and configuration can later be distributed using only the Hadoop account; 4) download the Hadoop installation program from the Web server to this machine and decompress it; 5) set the /usr/local/platform/hadoop link to point to the decompressed directory; 6) set HADOOP_HOME, PATH and the other environment variables in /etc/profile so that users of this entrance machine server can execute Hadoop commands.
(3) The business owner creates on the entrance machine server the user accounts that were created on the Web, including user names and login credentials. Since the platform group does not have root authority on this entrance machine server, the business owner has to create them himself.
Through the above operations a business owner can add at least one entrance machine server for his own business group and at least one allowed user corresponding to each entrance machine server; the IP address of each entrance machine server and its corresponding at least one allowed user name then constitute the allowed-user set. If the access request comes from an entrance machine server and the user name and IP address match the allowed-user set, the first-level permission authentication process of external access control has passed, and the second-level permission authentication process of internal access control is further carried out by performing the read/write permission check on the access request, which realizes ordinary file permission authentication for the user.
It should be noted that the ordinary permissions of the Hadoop file system are similar to the permissions of the Portable Operating System Interface of UNIX (POSIX), with Access Control List (ACL) exceptions added. POSIX divides the permissions on files and directories into three parts: the file owner, users in the same group, and others. The permission of each part comprises three kinds, read, write and execute, each represented by one binary digit; for example, binary 1 means the permission is held and 0 means it is not. Illustratively, take a file permission of 750: 7 converts to binary 111, meaning the file owner has read, write and execute permissions on the file; 5 converts to binary 101, meaning users in the same group have only read and execute permissions and no write permission; 0 converts to binary 000, meaning other users have no permission on the file. If some other user now needs to read this file, an exception can be added with an ACL: an ACL exception can be added for a single user or for a group, and can grant a read exception or a read-write exception.
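As an added illustration of the permission model just described (example code written for this page, not code from the patent or from Hadoop), the following Python models the POSIX owner/group/other mode bits together with ACL exceptions for a named user or group. The FileEntry type, the helper names and the sample file owned by zhangsan in group search are constructed for illustration; the evaluation order (owner bits, then a named-user exception, then the union of group bits and named-group exceptions, and the other bits only when none of those applies) is an assumption that generalizes the 750 example in the text.

```python
# Added example (not from the patent): a model of the ordinary HDFS
# file-permission check described above, i.e. POSIX owner/group/other mode
# bits plus ACL exceptions for named users or groups. The FileEntry type,
# the helper names and the sample file are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Set

READ, WRITE, EXEC = 4, 2, 1  # bit values of the r, w, x permissions


@dataclass
class FileEntry:
    owner: str
    group: str
    mode: int                                                # e.g. 0o750
    user_acl: Dict[str, int] = field(default_factory=dict)   # user -> bits
    group_acl: Dict[str, int] = field(default_factory=dict)  # group -> bits


def class_bits(mode: int, which: str) -> int:
    """Return the 3-bit permission of the owner, group or other class."""
    shift = {"owner": 6, "group": 3, "other": 0}[which]
    return (mode >> shift) & 0o7


def mode_string(mode: int) -> str:
    """Render octal mode bits as the familiar rwx string, e.g. 0o750 -> rwxr-x---."""
    out = ""
    for which in ("owner", "group", "other"):
        bits = class_bits(mode, which)
        out += ("r" if bits & READ else "-")
        out += ("w" if bits & WRITE else "-")
        out += ("x" if bits & EXEC else "-")
    return out


def effective_bits(entry: FileEntry, user: str, groups: Set[str]) -> int:
    """Permission bits that apply to `user` (assumed evaluation order):
    owner bits for the owner; an ACL exception for the named user; otherwise
    the union of the group bits and any named-group ACL exception; and only
    when none of those applies, the bits for other users."""
    if user == entry.owner:
        return class_bits(entry.mode, "owner")
    if user in entry.user_acl:
        return entry.user_acl[user]
    bits, matched = 0, False
    if entry.group in groups:
        bits |= class_bits(entry.mode, "group")
        matched = True
    for g in groups:
        if g in entry.group_acl:
            bits |= entry.group_acl[g]
            matched = True
    return bits if matched else class_bits(entry.mode, "other")


def check_access(entry: FileEntry, user: str, groups: Set[str], wanted: int) -> bool:
    """True when every bit in `wanted` (e.g. READ | WRITE) is granted."""
    return (effective_bits(entry, user, groups) & wanted) == wanted


# Constructed sample: a file with mode 750 owned by zhangsan in group search.
SAMPLE = FileEntry(owner="zhangsan", group="search", mode=0o750)


def demo() -> dict:
    """Worked run: the 750 example from the text, then a read-only ACL
    exception for a user outside the group."""
    before = {
        "mode": mode_string(SAMPLE.mode),
        "owner_write": check_access(SAMPLE, "zhangsan", {"search"}, WRITE),
        "group_read": check_access(SAMPLE, "lisi", {"search"}, READ),
        "group_write": check_access(SAMPLE, "lisi", {"search"}, WRITE),
        "other_read": check_access(SAMPLE, "wangwu", {"ads"}, READ),
    }
    SAMPLE.user_acl["wangwu"] = READ  # ACL exception: wangwu may read, nothing more
    after = {
        "other_read": check_access(SAMPLE, "wangwu", {"ads"}, READ),
        "other_write": check_access(SAMPLE, "wangwu", {"ads"}, WRITE),
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Running the block shows the effect of the ACL exception in isolation: before it is added, wangwu (outside the group) gets the 000 of the other class and cannot read; afterwards the read exception grants read but still not write.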
S240: allow the access request to execute the operations consistent with the result of its read/write permission check.
After the user passes the read/write permission authentication for a file, the user can perform the corresponding permitted operations on the file.
The technical solution of this embodiment, in response to an access request to the distributed file system, obtains the user name and IP address corresponding to the access request and, after they match successfully against the allowed-user set, performs the read/write permission check for the accessing user according to the user name corresponding to the access request. This realizes a two-level permission authentication process for the user, external access control and internal access control, without setting a firewall; it solves the problem that prior-art access rights management for distributed file systems has security holes through which an illegal user can perform illegal operations, improves the security of accessing and storing data in the distributed file system, and realizes effective management of the permissions of the distributed file system.
Embodiment three
Fig. 3 is a flow chart of the rights management method for a distributed file system provided by Embodiment three of the present invention. This embodiment is a further optimization on the basis of the above embodiments. As shown in Fig. 3, the method specifically includes:
S310: in response to an access request to the distributed file system, obtain the user name and IP address corresponding to the access request.
S320: if the access request comes from an entrance machine server, match the obtained user name and IP address against the pre-obtained allowed-user set and decide according to the matching result whether to allow the access request, where the allowed-user set is one configured in advance by a user through the Web service of the distributed file system.
Optionally, the operation of obtaining the allowed-user set includes:
obtaining and updating the allowed-user set according to a predetermined period, which specifically includes:
according to the predetermined period, obtaining the time of the last update of the allowed-user set and sending this last update time to the Web service, so that the Web service judges from the last update time whether the allowed-user set currently has an update;
if the Web service returns that the allowed-user set has an update, obtaining the updated allowed-user set from the Web service.
Illustratively, when obtaining and updating the allowed-user set according to a predetermined period, the rights management device of the distributed file system calls a timed configuration-loading program that periodically executes the configuration reading and parsing module; the predetermined period may for example be set to 30 seconds. To reduce system overhead, if since the last read no user or entrance machine server has been added and the users of the existing entrance machine servers have not been modified, the configuration is not loaded again. The timed loading program keeps the time of the last load of the configuration and first calls the hasUpdate method of the configuration provider (i.e. the Web service) with the last load time as the parameter. If there has been no update since the last load time, false is returned; only when true is returned is the reload method of the configuration provider called to reload the configuration. When the reload method is called, it returns the mapping of allowed-user sets for all entrance machine servers.
There can be many kinds of configuration provider: for example, the configuration in the configuration file supplied by the provider may be file-based, obtained through RESTful calls, or taken from a database. Every configuration provider must provide the hasUpdate and reload methods.
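As an added example of the timed loader described in the two paragraphs above (example code written for this page, not code from the patent), the following Python models a configuration provider that offers hasUpdate and reload, and a loader that runs on a period and reloads only when the provider reports a change since the last load time. The ConfigProvider protocol, the in-memory provider standing in for the Web service, the TimedLoader class and all sample data are constructed; the page names the two methods but not their exact signatures.

```python
# Added example (not from the patent): a model of the timed configuration
# loader described above. The ConfigProvider protocol, the in-memory provider
# standing in for the Web service, the TimedLoader and all sample data are
# constructed; the page names hasUpdate and reload but not their signatures.
from typing import Dict, Optional, Protocol, Set


class ConfigProvider(Protocol):
    """Every provider (file, RESTful call, database) must offer these two methods."""
    def hasUpdate(self, last_load_time: float) -> bool: ...
    def reload(self) -> Dict[str, Set[str]]: ...


class InMemoryProvider:
    """Stand-in for the Web service: remembers when the allowed-user set last changed."""
    def __init__(self, mapping: Dict[str, Set[str]], changed_at: float) -> None:
        self._mapping = {ip: set(u) for ip, u in mapping.items()}
        self._changed_at = changed_at
        self.reload_calls = 0  # counts the expensive reloads, to show they are skipped

    def set_allowed(self, ip: str, users: Set[str], now: float) -> None:
        """A business owner adds or edits an entrance machine through the Web interface."""
        self._mapping[ip] = set(users)
        self._changed_at = now

    def hasUpdate(self, last_load_time: float) -> bool:
        return self._changed_at > last_load_time

    def reload(self) -> Dict[str, Set[str]]:
        self.reload_calls += 1
        return {ip: set(u) for ip, u in self._mapping.items()}


class TimedLoader:
    """Runs every `period` seconds; reloads only when the provider reports an update."""
    def __init__(self, provider: ConfigProvider, period: float = 30.0) -> None:
        self.provider = provider
        self.period = period
        self.last_load_time: Optional[float] = None
        self.allowed: Dict[str, Set[str]] = {}  # entrance machine IP -> allowed user names
        self._next_due = 0.0

    def tick(self, now: float) -> bool:
        """Called by the timer with the current time; returns True if a reload happened."""
        if now < self._next_due:
            return False
        self._next_due = now + self.period
        first_load = self.last_load_time is None
        if first_load or self.provider.hasUpdate(self.last_load_time):
            self.allowed = self.provider.reload()
            self.last_load_time = now
            return True
        return False


def demo() -> dict:
    """Worked run: initial load, two idle ticks, one change, one more idle tick."""
    provider = InMemoryProvider({"10.0.0.1": {"zhangsan", "lisi"}}, changed_at=0.0)
    loader = TimedLoader(provider, period=30.0)
    events = [loader.tick(t) for t in (10.0, 20.0, 40.0)]  # load, too early, no update
    provider.set_allowed("10.0.0.2", {"lisi"}, now=50.0)     # new entrance machine added
    events.append(loader.tick(70.0))                          # update detected, reloaded
    events.append(loader.tick(71.0))                          # too early again
    return {"events": events, "reload_calls": provider.reload_calls,
            "allowed": loader.allowed}


if __name__ == "__main__":
    print(demo())
```

Only two of the five ticks reach reload: the first load and the one after the Web-side change. The point for an operator is the window this creates: a change made through the Web interface takes effect at the NameNode only on the next due tick, so with a 30 second period an added or removed user can lag by up to that long.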
S330: If the access request comes from a node management server of the distributed file system, perform the read/write permission check according to the user name corresponding to the access request, and allow the access request to perform the operations that are consistent with the result of its read/write permission check.
Besides entrance machine servers, the servers that access the NameNode also include node management servers (NodeManager). Because the distributed programs submitted by all users run on the NodeManagers, and because users cannot log on to a NodeManager and run programs there directly, all NodeManager servers allow all users to access. The external access controller can identify by IP address whether the source of an access request is a NodeManager; if it is, the read/write permission check is performed directly according to the user name corresponding to the access request, which improves the efficiency of user permission authentication.
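The two-path decision of S320 and S330, as an added example that is not the patent's or Baidu's code. It classifies the request source by IP address, applies the allowed-user set (entrance machine IP to allowed user names) only to entrance machine servers, sends NodeManager traffic straight to the read/write check, and rejects any other source. The read/write check is a small owner/group/other rwx table standing in for the file system's own check; letting the super account pass that check is an assumption of the example, not something the text states. All IP addresses, user names and paths are constructed sample data. Note that, as in the text, the source is identified by IP address alone, so the design relies on the cluster network keeping that address trustworthy.

```python
"""Two-path access control for a NameNode-side external access controller (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Mapping, Set


class Source(Enum):
    ENTRANCE = "entrance"
    NODEMANAGER = "nodemanager"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class FileAcl:
    owner: str
    group: str
    mode: int  # POSIX-style permission bits, e.g. 0o640


@dataclass
class AccessController:
    allowed: Mapping[str, Set[str]]   # entrance machine IP -> allowed user names
    nodemanager_ips: FrozenSet[str]
    superusers: FrozenSet[str]        # assumption: super accounts pass the rwx check
    groups: Mapping[str, Set[str]]    # user -> groups
    files: Mapping[str, FileAcl]      # path -> ACL

    def classify(self, ip: str) -> Source:
        # Source identification is by IP address only, as in the text; it
        # therefore assumes the cluster network prevents source-IP spoofing.
        if ip in self.nodemanager_ips:
            return Source.NODEMANAGER
        if ip in self.allowed:
            return Source.ENTRANCE
        return Source.UNKNOWN

    def rw_check(self, user: str, path: str, want: str) -> bool:
        """want is 'r' or 'w'; emulate owner/group/other permission bits."""
        acl = self.files.get(path)
        if acl is None:
            return False
        if user in self.superusers:
            return True
        if user == acl.owner:
            bits = (acl.mode >> 6) & 0o7
        elif acl.group in self.groups.get(user, set()):
            bits = (acl.mode >> 3) & 0o7
        else:
            bits = acl.mode & 0o7
        return bool(bits & (0o4 if want == "r" else 0o2))

    def authorize(self, user: str, ip: str, path: str, want: str) -> bool:
        src = self.classify(ip)
        if src is Source.ENTRANCE:
            # S320: (IP, user) must be in the allowed-user set before the rwx check.
            if user not in self.allowed[ip]:
                return False
        elif src is Source.UNKNOWN:
            return False  # neither an entrance machine nor a NodeManager
        # S330: the NodeManager path goes straight to the read/write check.
        return self.rw_check(user, path, want)


def build_demo_controller() -> AccessController:
    """Constructed sample cluster: one entrance machine, one NodeManager."""
    return AccessController(
        allowed={"10.0.0.1": {"alice"}},
        nodemanager_ips=frozenset({"10.0.1.5"}),
        superusers=frozenset({"hdfs"}),
        groups={"alice": {"analytics"}, "bob": {"analytics"}},
        files={"/data/report": FileAcl("alice", "analytics", 0o640)},
    )


if __name__ == "__main__":
    ctl = build_demo_controller()
    for user, ip, want in [("alice", "10.0.0.1", "r"), ("bob", "10.0.0.1", "r"),
                           ("bob", "10.0.1.5", "r"), ("bob", "10.0.1.5", "w"),
                           ("alice", "192.168.9.9", "r")]:
        print(user, ip, want, ctl.authorize(user, ip, "/data/report", want))
```

In the sample, bob is refused from the entrance machine because the allowed-user set for that host lists only alice, yet the same user name is accepted for reading from the NodeManager address, which is exactly the asymmetry the two paths create: on the NodeManager path the rwx bits are the only control.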
The technical solution of the present embodiment passes through in response to the access request to distributed file system, acquisition and access request Corresponding user name and IP address judge the source of access request according to IP address, if access request comes from entrance machine Server then determines whether access request according in the matching result for allowing user to concentrate;If access request comes from Node administration server, then be directly written and read scope check.The present embodiment solves distributed file system in the prior art Access rights management in there are security breaches, be susceptible to the problem of illegal user carries out illegal operation, it is anti-without setting Wall with flues improves the safety that distributed file system accesses and stores data.
Embodiment four
Fig. 4 is a structural schematic diagram of the rights management device for a distributed file system provided by embodiment four of the present invention. This embodiment applies to the case of managing the permissions of a distributed file system. The rights management device for a distributed file system provided by this embodiment can execute the rights management method for a distributed file system provided by any embodiment of the present invention, and has the functional modules and advantageous effects corresponding to executing that method. As shown in Fig. 4, the device includes an access request module 410 and an access authentication module 420, where:
the access request module 410 is configured to obtain, in response to an access request to the distributed file system, the user name and IP address corresponding to the access request.
Optionally, the user name includes the user name of a super account and the user name of a non-super account.
The access authentication module 420 is configured, if the access request comes from an entrance machine server, to match the obtained user name and IP address against the allowed-user set obtained in advance and to decide according to the matching result whether to permit the access request, where the allowed-user set is the set of allowed users that the user configured beforehand through the Web service of the distributed file system.
Optionally, the access authentication module 420 includes:
an identity matching unit, configured, if the access request comes from an entrance machine server, to match the obtained user name and IP address against the allowed-user set obtained in advance;
a permission check unit, configured, if the user name and IP address match the allowed-user set, to perform the read/write permission check according to the user name corresponding to the access request, where the allowed-user set includes the IP address of each entrance machine server among at least one entrance machine server and the corresponding at least one allowed user name;
an operation execution unit, configured to allow the access request to perform the operations consistent with the result of its read/write permission check.
Further, the access authentication module 420 also includes an allowed-user-set acquisition unit, configured to obtain and update the allowed-user set at a predetermined period. The allowed-user-set acquisition unit includes:
a time sending sub-unit, configured to obtain at each predetermined period the time at which the allowed-user set was last updated and to send that last-update time to the Web service, so that the Web service judges from the last-update time whether the allowed-user set has been updated since;
an acquisition sub-unit, configured, if the Web service returns that the allowed-user set has been updated, to obtain the updated allowed-user set from the Web service.
On the basis of the above technical solution, optionally, the device also includes:
an access check module, configured, if the access request comes from a node management server of the distributed file system, to perform the read/write permission check according to the user name corresponding to the access request and to allow the access request to perform the operations consistent with the result of its read/write permission check.
In the technical solution of this embodiment, in response to an access request to the distributed file system, the user name and IP address corresponding to the request are obtained and matched against the allowed-user set preconfigured through the Web service, and whether to permit the access request is decided according to the matching result. This embodiment addresses the security breaches in prior-art access rights management of distributed file systems, in which illegal users easily perform illegal operations; without setting up a firewall, it improves the security of accessing the distributed file system and of the data stored in it, realizes a two-layer permission authentication process for users consisting of external access control and internal access control, and achieves effective management of the permissions of the distributed file system.
Embodiment five
Fig. 5 is a structural schematic diagram of a server provided by embodiment five of the present invention. Fig. 5 shows a block diagram of an exemplary server 512 suitable for implementing embodiments of the present invention. The server 512 shown in Fig. 5 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the present invention.
As shown in Fig. 5, the server 512 takes the form of a general-purpose server. The components of the server 512 may include, but are not limited to: one or more processors 516, a storage device 528, and a bus 518 connecting the different system components (including the storage device 528 and the processors 516).
The bus 518 represents one or more of several kinds of bus structures, including a storage device bus or storage device controller, a peripheral bus, an accelerated graphics port, a processor bus, or a local bus using any of a variety of bus structures. For example, these architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
The server 512 typically includes a variety of computer-system-readable media. These media can be any usable media that the server 512 can access, including volatile and non-volatile media, and removable and non-removable media.
The storage device 528 may include computer-system-readable media in the form of volatile memory, such as random access memory (RAM) 530 and/or cache memory 532. The server 512 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, a storage system 534 may be used to read and write non-removable, non-volatile magnetic media (not shown in Fig. 5, commonly called a "hard disk drive"). Although not shown in Fig. 5, a magnetic disk drive for reading and writing a removable non-volatile magnetic disk (such as a "floppy disk") and an optical disk drive for reading and writing a removable non-volatile optical disk (such as a Compact Disc Read-Only Memory (CD-ROM), a Digital Video Disc-Read Only Memory (DVD-ROM) or other optical media) may be provided. In these cases, each drive may be connected to the bus 518 through one or more data media interfaces. The storage device 528 may include at least one program product having a set of (for example, at least one) program modules configured to perform the functions of the embodiments of the present invention.
A program/utility 540 having a set of (at least one) program modules 542 may be stored, for example, in the storage device 528. Such program modules 542 include, but are not limited to, an operating system, one or more application programs, other program modules and program data, and each of these examples, or some combination of them, may include an implementation of a network environment. The program modules 542 generally perform the functions and/or methods of the embodiments described in the present invention.
The server 512 may also communicate with one or more external devices 514 (such as a keyboard, a pointing device, a display 524, etc.), with one or more devices that enable a user to interact with the server 512, and/or with any device (such as a network card, a modem, etc.) that enables the server 512 to communicate with one or more other computing devices. Such communication may take place through input/output (I/O) interfaces 522. Moreover, the server 512 may also communicate through a network adapter 520 with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet). As shown in Fig. 5, the network adapter 520 communicates with the other modules of the server 512 through the bus 518. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the server 512, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, Redundant Arrays of Independent Disks (RAID) systems, tape drives, data backup storage systems, and so on.
The processor 516 runs the programs stored in the storage device 528 to execute various functional applications and data processing, for example to implement the rights management method for a distributed file system provided by the embodiments of the present invention.
Embodiment six
Embodiment six of the present invention also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the rights management method for a distributed file system provided by the embodiments of the present invention.
The computer storage medium of the embodiments of the present invention may use any combination of one or more computer-readable media. A computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection having one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In this document, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, which carries computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.
Program code contained on a computer-readable medium may be transmitted using any suitable medium, including but not limited to wireless, wire, optical cable, radio frequency (RF), etc., or any suitable combination of the above.
Computer program code for carrying out the operations of the present invention may be written in one or more programming languages or a combination of them, including object-oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above are only preferred embodiments of the present invention and the technical principles applied. Those skilled in the art will understand that the present invention is not limited to the specific embodiments described here; various obvious changes, readjustments and substitutions can be made by those skilled in the art without departing from the scope of protection of the present invention. Therefore, although the present invention has been described in further detail through the above embodiments, the present invention is not limited to the above embodiments and may include other equivalent embodiments without departing from the inventive concept, and the scope of the present invention is determined by the scope of the appended claims.

Claims (12)

1. A rights management method for a distributed file system, characterized in that it comprises:
in response to an access request to the distributed file system, obtaining a user name and an IP address corresponding to the access request;
if the access request comes from an entrance machine server, matching the user name and IP address against an allowed-user set obtained in advance, and deciding according to the matching result whether to permit the access request, wherein the allowed-user set is an allowed-user set that a user configured beforehand through a Web service of the distributed file system.
2. The method according to claim 1, characterized in that deciding according to the matching result whether to permit the access request comprises:
if the user name and IP address match the allowed-user set, performing a read/write permission check according to the user name corresponding to the access request, wherein the allowed-user set includes the IP address of each entrance machine server among at least one entrance machine server and the corresponding at least one allowed user name;
allowing the access request to perform the operations consistent with the result of its read/write permission check.
3. The method according to claim 1 or 2, characterized in that the user name includes the user name of a super account and the user name of a non-super account.
4. The method according to claim 1, characterized in that the method further comprises:
if the access request comes from a node management server of the distributed file system, performing the read/write permission check according to the user name corresponding to the access request, and allowing the access request to perform the operations consistent with the result of its read/write permission check.
5. The method according to claim 1, characterized in that obtaining the allowed-user set comprises:
obtaining and updating the allowed-user set at a predetermined period, which specifically comprises:
obtaining at each predetermined period the time at which the allowed-user set was last updated, and sending the last-update time to the Web service, so that the Web service judges according to the last-update time whether the allowed-user set has been updated;
if the Web service returns that the allowed-user set has been updated, obtaining the updated allowed-user set from the Web service.
6. A rights management device for a distributed file system, characterized in that it comprises:
an access request module, configured to obtain, in response to an access request to the distributed file system, a user name and an IP address corresponding to the access request;
an access authentication module, configured, if the access request comes from an entrance machine server, to match the user name and IP address against an allowed-user set obtained in advance and to decide according to the matching result whether to permit the access request, wherein the allowed-user set is an allowed-user set that a user configured beforehand through a Web service of the distributed file system.
7. The device according to claim 6, characterized in that the access authentication module comprises:
an identity matching unit, configured, if the access request comes from an entrance machine server, to match the user name and IP address against the allowed-user set obtained in advance;
a permission check unit, configured, if the user name and IP address match the allowed-user set, to perform a read/write permission check according to the user name corresponding to the access request, wherein the allowed-user set includes the IP address of each entrance machine server among the at least one entrance machine server and the corresponding at least one allowed user name;
an operation execution unit, configured to allow the access request to perform the operations consistent with the result of its read/write permission check.
8. The device according to claim 6 or 7, characterized in that the user name includes the user name of a super account and the user name of a non-super account.
9. The device according to claim 6, characterized in that the device further comprises:
an access check module, configured, if the access request comes from a node management server of the distributed file system, to perform the read/write permission check according to the user name corresponding to the access request and to allow the access request to perform the operations consistent with the result of its read/write permission check.
10. The device according to claim 6, characterized in that the access authentication module further comprises an allowed-user-set acquisition unit, configured to obtain and update the allowed-user set at a predetermined period;
the allowed-user-set acquisition unit comprises:
a time sending sub-unit, configured to obtain at each predetermined period the time at which the allowed-user set was last updated, and to send the last-update time to the Web service, so that the Web service judges according to the last-update time whether the allowed-user set has been updated;
an acquisition sub-unit, configured, if the Web service returns that the allowed-user set has been updated, to obtain the updated allowed-user set from the Web service.
11. A server, characterized in that it comprises:
one or more processors;
a storage device for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the rights management method for a distributed file system according to any one of claims 1 to 5.
12. A computer-readable storage medium on which a computer program is stored, characterized in that, when executed by a processor, the program implements the rights management method for a distributed file system according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810031104.7A CN108289098B (en) 2018-01-12 2018-01-12 Authority management method and device of distributed file system, server and medium

Publications (2)

Publication Number Publication Date
CN108289098A true CN108289098A (en) 2018-07-17
CN108289098B CN108289098B (en) 2021-07-06

Family

ID=62835195

Country Status (1)

Country Link
CN (1) CN108289098B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108696540A (en) * 2018-07-18 2018-10-23 安徽云图信息技术有限公司 A kind of authorizing secure system and its authorization method
CN109299617A (en) * 2018-09-19 2019-02-01 中国农业银行股份有限公司贵州省分行 A kind of file encryption and decryption system
CN111049869A (en) * 2018-10-15 2020-04-21 航天信息股份有限公司 User management method and system in Hadoop cluster
CN111104666A (en) * 2018-10-25 2020-05-05 戴尔产品有限公司 Method, apparatus and computer program product for accessing services
CN111427861A (en) * 2020-02-28 2020-07-17 云知声智能科技股份有限公司 Distributed file system configuration method and device
CN112579557A (en) * 2019-09-27 2021-03-30 北京沃东天骏信息技术有限公司 Request response method, device, system, computer system and readable storage medium
CN112579525A (en) * 2019-09-30 2021-03-30 成都长虹网络科技有限责任公司 WEB-based unified file processing method and system
CN113158169A (en) * 2021-03-30 2021-07-23 北京大米科技有限公司 Hadoop cluster-based verification method and device, storage medium and electronic equipment
CN113779609A (en) * 2021-09-22 2021-12-10 北方健康医疗大数据科技有限公司 Data management method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102341809A (en) * 2009-03-12 2012-02-01 国际商业机器公司 Distributed filesystem access
CN102546664A (en) * 2012-02-27 2012-07-04 中国科学院计算技术研究所 User and authority management method and system for distributed file system
US20140330815A1 (en) * 2013-05-03 2014-11-06 Splunk Inc. Processing a system search request across disparate data collection systems
CN107196951A (en) * 2017-06-12 2017-09-22 北京明朝万达科技股份有限公司 The implementation method and firewall system of a kind of HDFS systems fire wall
CN107257334A (en) * 2017-06-08 2017-10-17 中国电子科技集团公司第三十二研究所 Identity authentication method for Hadoop cluster

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant