CN108289098B - Authority management method and device of distributed file system, server and medium - Google Patents


Info

Publication number
CN108289098B
Authority
CN (China)
Prior art keywords
user, access request, allowed, file system, distributed file
Legal status
Active
Application number
CN201810031104.7A
Other languages
Chinese (zh)
Other versions
CN108289098A
Inventor
侯志贞, 季石磊
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/10 ... for controlling access to devices or network resources
                    • H04L63/08 ... for authentication of entities
                        • H04L63/0876 ... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                        • H04L67/10 Protocols in which an application is distributed across nodes in the network
                            • H04L67/1097 ... for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The embodiment of the invention discloses a method and a device for managing the permissions of a distributed file system, a server and a medium. The method comprises: responding to an access request to the distributed file system by acquiring the user name and IP address corresponding to the access request; and, if the access request comes from a portal server, matching the acquired user name and IP address against a pre-acquired allowed user set and determining from the matching result whether to allow the access request, where the allowed user set is one configured in advance by the user through the Web service of the distributed file system. The embodiment requires no firewall, solves the prior-art problems that the access permission management of a distributed file system has security holes and that illegal operations by illegal users occur easily, and improves the security of data access and storage in the distributed file system.

Description

Authority management method and device of distributed file system, server and medium
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method and a device for managing authority of a distributed file system, a server and a medium.
Background
The Hadoop Distributed File System (HDFS) is the distributed file system provided by Hadoop. HDFS has many advantages, such as high fault tolerance, streaming access, suitability for batch and big-data processing, and the ability to be built on cheap machines, and is widely used in fields such as image processing, infrastructure management and electronic commerce.
HDFS mainly comprises two components, the NameNode and the DataNode. The NameNode, as the master node, manages the metadata, which includes the directory structure, permission information and file block storage information; the DataNode, as a slave node, stores the actual data blocks. The NameNode is the manager of HDFS, and any operation that reads a file must pass through it. Specifically, the NameNode exposes three external interfaces: a Remote Procedure Call (RPC) protocol interface, a Hyper File Transfer Protocol (HFTP) interface and a WebHDFS protocol interface, and a user can access HDFS through any of the three.
At present, the client program of the Hadoop platform by default reads HADOOP_USER_NAME from the environment variables of the current server and uses it as the user name; if HADOOP_USER_NAME is empty, the current operating system user is taken as the Hadoop user, and that Hadoop user is allowed to access HDFS. This poses a problem: a user can be forged, and illegal operations performed, merely by modifying the HADOOP_USER_NAME environment variable on the client. Therefore, the prior art generally uses firewall technology to restrict access to the RPC protocol interface in order to improve access security. However, improving access security with a firewall still has at least the following problems for HDFS:
1) For the RPC protocol interface, even with a firewall added, the firewall can only detect whether the portal machine is legal, not whether the user using the portal machine is legal, so the problem of an illegal user impersonating a legal user to perform illegal operations remains.
2) Since firewalls cannot be added to the HFTP and WebHDFS protocol interfaces, an illegal user can still access the HFTP and WebHDFS protocol interfaces.
Disclosure of Invention
The embodiment of the invention provides a method and a device for managing the permissions of a distributed file system, a server and a medium, which improve the security of accessing and storing data in the distributed file system.
In a first aspect, an embodiment of the present invention provides a method for managing the permissions of a distributed file system, the method comprising:
responding to an access request to a distributed file system by acquiring a user name and an IP address corresponding to the access request; and
if the access request comes from a portal server, matching the user name and the IP address against a pre-acquired allowed user set and determining from the matching result whether to allow the access request, where the allowed user set is one configured in advance by a user through the Web service of the distributed file system.
In a second aspect, an embodiment of the present invention further provides a permission management apparatus for a distributed file system, the apparatus comprising:
an access request module, for responding to an access request to the distributed file system by acquiring a user name and an IP address corresponding to the access request; and
an access verification module, for matching the user name and the IP address against a pre-acquired allowed user set if the access request comes from a portal server, and determining from the matching result whether to allow the access request, where the allowed user set is one configured in advance by a user through the Web service of the distributed file system.
In a third aspect, an embodiment of the present invention further provides a server, comprising:
one or more processors; and
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the permission management method of a distributed file system according to any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the permission management method of a distributed file system according to any embodiment of the present invention.
The embodiment of the invention responds to an access request to the distributed file system by acquiring the corresponding user name and IP address, matches them centrally against the allowed users configured in advance through the Web service, and then determines from the matching result whether to allow the access request, without setting up a firewall. This solves the prior-art problems that the access permission management of a distributed file system has security holes and that illegal operations by illegal users occur easily, and improves the security of accessing and storing data in the distributed file system.
Drawings
Fig. 1 is a flowchart of a permission management method of a distributed file system according to an embodiment of the present invention;
Fig. 2 is a flowchart of a permission management method of a distributed file system according to a second embodiment of the present invention;
Fig. 3 is a flowchart of a permission management method of a distributed file system according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a permission management apparatus of a distributed file system according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a server according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a method for managing the permissions of a distributed file system according to an embodiment of the present invention. The embodiment is applicable to managing the permissions of a distributed file system, and the method may be executed by a permission management apparatus of the distributed file system, which may be implemented in software and/or hardware and may be integrated in a server. As shown in Fig. 1, the method specifically comprises:
S110. Respond to the access request to the distributed file system by acquiring the user name and IP address corresponding to the access request.
The NameNode, as the master node, manages the metadata, which mainly comprises the directory structure, permission information and file block storage information; the DataNode, as a slave node, stores the actual data blocks. Illustratively, the directory structure comprises the subdirectories and files under each directory; the permission information comprises the read, write and access permissions of the owner of a directory or file, of users in the same group and of other users; the file block storage information records into how many data blocks a file is divided and on which servers those blocks are stored. Since the NameNode is the administrator of the entire file system, any operation that reads a file must pass through it. When a user logs in to a server to access the NameNode, the permission management apparatus of the distributed file system responds to the user's access request by acquiring the user name used to log in and the IP address of that server. Checking the IP address as well further enhances the security of access to data files.
For permission management, users are divided into three categories: administrator users, service owners and ordinary users. An administrator user can add a service group and the service owner for that group, create the corresponding database and directory, and assign the owner of the corresponding directory to the group. The service owner modifies the permissions of the group's own directory as required, for example by disallowing other users from reading the data of a certain database, adding users to the group, and adding portal servers for the group.
S120. If the access request comes from a portal server, match the acquired user name and IP address against the pre-acquired allowed user set and determine from the matching result whether to allow the access request, where the allowed user set is one configured in advance by the user through the Web service of the distributed file system.
A portal server is a server on which users access data and submit distributed programs, so the users who use a portal server need to be controlled. When an access request reaches the NameNode, the permission management apparatus of the distributed file system verifies whether the user on the portal server has access permission; if the user is an illegal user impersonating another user, an access permission exception is thrown directly.
Specifically, HDFS has a configuration item, dfs.namenode.inode.attributes.provider.class, through which an external access controller can be obtained using the getExternalAccessControlEnforcer method. The external access controller matches the acquired user name and IP address against the pre-acquired allowed user set, which implements the first layer of permission authentication, namely external access control of the user; if both the user name and the IP address match successfully, the permission authentication of external access control passes. Note that if the IP address is not in the allowed user set, for example because a service group already had a portal machine, found it insufficient, and simply copied the programs the portal machine needs to a new portal machine to run them there, then since the IP address of the new portal machine has not been added to the allowed user set, the user name is not matched at all and the access request is rejected directly. Whether the user's access request is allowed is then determined again according to the matching result, which implements the second layer of permission authentication, namely internal access control of the user: specifically, if the permission authentication of external access control passes, the ordinary file permission of the user continues to be authenticated.
The allowed user set is configured in advance by the user through the Web service of the distributed file system and comprises the set of user names and the set of IP addresses allowed to access. Compared with the prior art, in which the access security of the distributed file system is improved by placing a firewall on the external protocol interfaces of the HDFS master node, configuring the allowed user set through the Web service has the following advantages:
1) It solves the problem that users' access entries are not uniform. In the prior art a firewall is added only to the RPC protocol interface; a firewall cannot be added to the HFTP and WebHDFS protocol interfaces because those interfaces are the same as the NameNode's Web service. Restricting RPC interface access with a firewall gives the cluster a boundary: a user must access the cluster through an authorized portal server, and other servers cannot reach the cluster through the RPC protocol interface. But a user on the portal server can still impersonate any user and read data through the HFTP and WebHDFS protocol interfaces. This creates non-uniform access for a user on the same server: some protocols can reach the data while others cannot. In the embodiment of the invention no firewall needs to be added, so the problem of non-uniform access entries is avoided, as is the problem of illegal users impersonating any legal user to read data through the HFTP and WebHDFS protocol interfaces.
In addition, in the prior art, to prevent a user from creating other users on a portal server that is allowed to access the NameNode over the RPC protocol and then performing illegal cluster operations, the root password of the portal server is withdrawn and the portal server is placed on the firewall whitelist. However, some services generate logs from online services that must be uploaded to Hadoop using software such as flash, and once the root password is withdrawn users have difficulty operating and maintaining their own servers. If the user instead copies the data to the distributed portal server in advance, the cost of transferring the data multiple times increases. This ultimately makes the cluster inconvenient to use. In the embodiment of the invention, because no firewall needs to be added, these problems are naturally avoided, and so is the inconvenience to users of the cluster.
2) It makes up for the firewall's inability to identify the user who logs in to the portal server, and avoids the risk of data leakage and loss caused by a user operating the cluster as another user by setting the environment variable HADOOP_USER_NAME. For example, suppose a certain service group has two user accounts, Zhang San and Li Si, i.e. the service owner of the group added these two accounts when adding the portal machine. If Zhang San changes the user to search by modifying the environment variable before accessing Hadoop, in order to read a private file of search, the user name passed to the NameNode is search. During permission authentication, the corresponding user list, containing Zhang San and Li Si, is looked up by the IP address; after matching, the list does not contain search, so an exception is thrown and Zhang San's access is prevented.
In this embodiment, the allowed user set is configured through the Web service; no additional firewall needs to be deployed and no root password needs to be withdrawn.
Optionally, the user name includes the user name of a super account and the user name of a non-super account.
The super account of Hadoop, i.e. the user who started the Hadoop service, has all permissions. In the prior art, no permission authentication is performed when the super account logs in and operates on the file system; that is, when the Hadoop permission check program encounters access by the super account, the external check program is skipped. In the technical solution of this embodiment, a switch configuration may be provided to set whether the super account skips the external check program. When it is set to false, the external check program also runs for super account access, i.e. the user name and IP address are matched against the allowed user set for the super account as well. If the match succeeds, it is then determined whether the super account undergoes the ordinary file permission check. When the super account must undergo the file permission check, its file operations become those of an ordinary user: it cannot delete other users' files, cannot read files whose permission for other users has been set to 0 by their owners, and retains only the cluster maintenance function. Through the switch configuration, both super and non-super accounts must undergo the permission authentication of external access control and of internal access control, which prevents impersonation of the super account for data access, prevents data leakage, and avoids the irrecoverable major accidents that a super account able to read and delete all data could cause.
According to the technical solution of this embodiment, the user name and IP address corresponding to the access request are acquired in response to an access request to the distributed file system, they are matched centrally against the allowed users configured in advance through the Web service, and whether the access request is allowed is determined from the matching result, without any firewall needing to be set up.
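The two-layer check of steps S110 and S120, the unregistered-portal rejection, the HADOOP_USER_NAME impersonation scenario and the super-account switch, as an added example that is not part of the patent or of HDFS itself. `ExternalAccessController`, `Decision`, the switch names and the sample IP addresses and accounts are assumptions of this example.

```python
"""
Two-layer permission authentication for a NameNode access request: the
(user name, source IP) pair is first matched against the allowed user set
configured per portal server (external access control); only then does the
ordinary file permission check run (internal access control). All names in
this module are assumptions of the example, not HDFS's own API.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Set


def resolve_client_username(env: Dict[str, str], os_user: str) -> str:
    """Default Hadoop client behaviour from the background section: take
    HADOOP_USER_NAME from the environment, falling back to the OS user.
    This is why the user name alone cannot be trusted."""
    return env.get("HADOOP_USER_NAME") or os_user


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class ExternalAccessController:
    # Allowed user set: portal server IP -> user names permitted on that portal.
    allowed_users: Dict[str, Set[str]]
    # The super account is the user that started the Hadoop service.
    super_user: str = "hadoop"
    # Switch (name assumed): True reproduces the prior-art behaviour where the
    # super account skips the external check; False checks it like any user.
    super_skips_external_check: bool = False
    # Whether a super account that passed the external check must also pass
    # the ordinary file permission check, i.e. operate as a normal user.
    super_needs_file_check: bool = True

    def check_external(self, username: str, ip: str) -> Decision:
        """First layer: match user name and IP against the allowed user set."""
        if username == self.super_user and self.super_skips_external_check:
            return Decision(True, "super account skipped external access control")
        users = self.allowed_users.get(ip)
        if users is None:
            # Unregistered portal (e.g. a freshly cloned machine): reject
            # without ever comparing the user name.
            return Decision(False, f"portal server {ip} is not in the allowed user set")
        if username not in users:
            return Decision(False, f"user {username!r} is not allowed on portal {ip}")
        return Decision(True, "external access control passed")

    def authorize(self, username: str, ip: str,
                  file_check: Callable[[str], bool]) -> Decision:
        """Both layers. file_check(username) stands in for the ordinary
        read/write permission check of the requested file."""
        external = self.check_external(username, ip)
        if not external.allowed:
            return external
        if username == self.super_user and not self.super_needs_file_check:
            return Decision(True, "super account: cluster maintenance, no file check")
        if file_check(username):
            return Decision(True, "external and internal access control passed")
        return Decision(False, "file permission check failed")

    def enforce(self, username: str, ip: str,
                file_check: Callable[[str], bool]) -> None:
        """Raise, as the NameNode throws an access permission exception."""
        decision = self.authorize(username, ip, file_check)
        if not decision.allowed:
            raise PermissionError(decision.reason)


# Constructed sample data: one service group with two accounts on portal 10.0.0.5.
ALLOWED_USERS = {"10.0.0.5": {"zhangsan", "lisi"}}


def impersonation_scenario() -> Decision:
    """Zhang San sets HADOOP_USER_NAME=search on the portal to read search's
    private file; the user name reaching the NameNode is 'search'."""
    controller = ExternalAccessController(ALLOWED_USERS)
    username = resolve_client_username({"HADOOP_USER_NAME": "search"}, "zhangsan")
    # file_check would grant 'search' access to its own file, but the
    # external layer rejects first because 'search' is not on this portal.
    return controller.authorize(username, "10.0.0.5", lambda user: user == "search")


if __name__ == "__main__":
    print(impersonation_scenario())
```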
Example two
Fig. 2 is a flowchart of a permission management method of a distributed file system according to a second embodiment of the present invention; this embodiment is further optimized on the basis of the foregoing embodiment. As shown in Fig. 2, the method specifically comprises:
S210. Respond to the access request to the distributed file system by acquiring the user name and IP address corresponding to the access request.
S220. If the access request comes from a portal server, match the acquired user name and IP address against the pre-acquired allowed user set.
S230. If the user name and IP address match the allowed user set, perform a read/write permission check according to the user name corresponding to the access request, where the allowed user set comprises the IP address of each of at least one portal server and the at least one allowed user name corresponding to it.
A service owner in the distributed file system can only add users of the owner's own service group, not users of other groups. Exemplarily, the flow by which the service owner adds a portal server is as follows:
(1) In the Web interface, add the portal information: enter the host name and IP address of the portal server and which users are allowed access on this portal server. The NameNode server adds this portal server and its allowed users to the external access control system of the NameNode. Meanwhile, the portal server is put into the portal machine list for use when the Hadoop program is upgraded and cluster parameters are updated.
(2) Download the portal server installer from the Web interface and execute it with the root account. Illustratively, installing a portal server requires the following operations: 1) create the Hadoop account of the installing user; 2) create the directory /usr/local/platform and assign its owner to this user; 3) put the public key of the Hadoop account on the distribution server into the authorized_keys file, so that the Hadoop program and configuration are distributed only under the Hadoop account; 4) download the Hadoop installation package from the Web server to the local machine and decompress it; 5) link /usr/local/platform/hadoop to the decompressed directory; 6) set environment variables such as HADOOP_HOME and PATH in /etc/profile so that users of the portal server can execute Hadoop commands.
(3) The service owner creates on the portal server the user accounts that were created on the Web, each comprising a user name and a login password. Since the platform group has no root permission on this portal server, the service owner must create them.
Through these operations, the service owner can add at least one portal server to the owner's own service group, with at least one allowed user per portal server, so that the IP address of each portal server and its corresponding allowed user names form the allowed user set. If the access request comes from a portal server and the user name and IP address match the allowed user set, the first layer of permission authentication, external access control, has passed; the second layer, internal access control of the user, is then realized through the read/write permission check of the access request, i.e. the ordinary file permission authentication of the user.
It should be noted that the ordinary permissions of the Hadoop file system are permissions similar to those of the Portable Operating System Interface of UNIX (POSIX), with Access Control Lists (ACLs) as exceptions. POSIX divides file and directory permissions into three parts: the file owner, users in the same group, and others. Each part has three permission types, read, write and execute, each represented by one binary bit, with 1 meaning the permission is granted and 0 meaning it is not. Illustratively, a file permission of 750 means: 7 is binary 111, so the file owner has read, write and execute permission on the file; 5 is binary 101, so users in the same group have only read and execute permission and no write permission; 0 is binary 000, so other users have no permission on the file at all. Now, if another user needs to read the file, an exception can be added using an ACL: the ACL can add an exception for a user or for a group, and the exception can grant read or read-write permission.
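The ordinary file permission check of step S230, worked through with the 750 example above and an ACL exception, as an added example that is not part of the patent or of HDFS. The model is deliberately simplified (no ACL mask or default entries) and every class and function name here is an assumption of this example.

```python
"""
Ordinary (internal) file permission check: POSIX-style mode bits for owner,
group and others, with ACL entries as exceptions that widen a user's or
group's permissions. Simplified model; names are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

READ, WRITE, EXECUTE = 4, 2, 1


@dataclass(frozen=True)
class AclEntry:
    kind: str      # "user" or "group"
    name: str
    perms: int     # bitmask of READ | WRITE | EXECUTE


@dataclass
class FileEntry:
    owner: str
    group: str
    mode: int                                   # e.g. 0o750
    acl: List[AclEntry] = field(default_factory=list)


def class_bits(mode: int, cls: str) -> int:
    """Extract the 3-bit field for 'owner', 'group' or 'other' from an octal mode."""
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    return (mode >> shift) & 0o7


def permission_class(f: FileEntry, user: str, groups_of: Dict[str, Set[str]]) -> str:
    """Which of the three POSIX parts applies to this user."""
    if user == f.owner:
        return "owner"
    if f.group in groups_of.get(user, set()):
        return "group"
    return "other"


def effective_perms(f: FileEntry, user: str, groups_of: Dict[str, Set[str]]) -> int:
    """POSIX bits for the user's class, widened by matching ACL exceptions."""
    perms = class_bits(f.mode, permission_class(f, user, groups_of))
    for entry in f.acl:
        if entry.kind == "user" and entry.name == user:
            perms |= entry.perms
        elif entry.kind == "group" and entry.name in groups_of.get(user, set()):
            perms |= entry.perms
    return perms


def check_permission(f: FileEntry, user: str, groups_of: Dict[str, Set[str]],
                     wanted: int) -> bool:
    """True if every bit in `wanted` (e.g. READ | WRITE) is granted."""
    return (effective_perms(f, user, groups_of) & wanted) == wanted


def symbolic(mode: int) -> str:
    """Render 0o750 as 'rwxr-x---'."""
    out = []
    for cls in ("owner", "group", "other"):
        bits = class_bits(mode, cls)
        out.append(("r" if bits & READ else "-")
                   + ("w" if bits & WRITE else "-")
                   + ("x" if bits & EXECUTE else "-"))
    return "".join(out)


# Constructed sample: search's private file with mode 750 and group 'search'.
GROUPS = {"lisi": {"search"}, "zhangsan": {"ads"}}
PRIVATE = FileEntry(owner="search", group="search", mode=0o750)


def scenario() -> Dict[str, bool]:
    """Can zhangsan read PRIVATE before and after a read-only ACL exception?"""
    before = check_permission(PRIVATE, "zhangsan", GROUPS, READ)
    with_acl = FileEntry("search", "search", 0o750, [AclEntry("user", "zhangsan", READ)])
    after = check_permission(with_acl, "zhangsan", GROUPS, READ)
    write_after = check_permission(with_acl, "zhangsan", GROUPS, READ | WRITE)
    return {"before": before, "read_after_acl": after, "write_after_acl": write_after}


if __name__ == "__main__":
    print(symbolic(0o750), scenario())
```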
S240. Allow the access request to execute the operation corresponding to the result of the read/write permission check.
When the user's read/write permission authentication on the file passes, the user can perform the corresponding permitted operation on the file.
According to the technical solution of this embodiment, the user name and IP address corresponding to the access request are acquired in response to an access request to the distributed file system; after a successful centralized match against the allowed users, the read/write permission check of the accessing user is performed according to the user name corresponding to the access request. This realizes the dual permission authentication of external access control and internal access control of the user without setting up a firewall, solves the prior-art problems that the access permission management of a distributed file system has security holes and that illegal operations by illegal users occur easily, improves the security of data access and storage in the distributed file system, and manages the permissions of the distributed file system effectively.
Example three
Fig. 3 is a flowchart of a permission management method of a distributed file system according to a third embodiment of the present invention; this embodiment is further optimized on the basis of the foregoing embodiments. As shown in Fig. 3, the method specifically comprises:
S310. Respond to the access request to the distributed file system by acquiring the user name and IP address corresponding to the access request.
S320. If the access request comes from a portal server, match the acquired user name and IP address against the pre-acquired allowed user set and determine from the matching result whether to allow the access request, where the allowed user set is one configured in advance by the user through the Web service of the distributed file system.
Optionally, the operation of acquiring the allowed user set comprises:
acquiring and updating the allowed user set according to a preset period, specifically:
acquiring, according to the preset period, the time at which the allowed user set was last updated, and sending that last update time to the Web service so that the Web service can judge from it whether the allowed user set has been updated at the current time; and
if the Web service returns that the allowed user set has been updated, acquiring the updated allowed user set from the Web service.
Illustratively, to acquire and update the allowed user set periodically, the permission management apparatus of the distributed file system has a timed configuration loader that periodically invokes the module that reads and parses the configuration; the preset period may for example be 30 seconds. To reduce system overhead, if no user or portal server has been added since the configuration was last read, and no user is modifying the current portal server, reloading is unnecessary. The timed loader keeps the time the configuration was last loaded and first calls the hasUpdate method of the configuration provider (that is, the Web service) with that last load time as its parameter. If there has been no update since the last load time, false is returned; the provider's reload method is called to reload only when true is returned. If invoked, the reload method returns a mapping of the allowed user set for all portal servers.
The configuration provider may take various forms; for example, the configuration it provides may be based on a file, a RESTful call or a database. The configuration provider needs to provide a hasUpdate method and a load method.
S330: if the access request comes from a node management server of the distributed file system, perform the read-write permission check according to the user name corresponding to the access request, and allow the access request to execute the operation consistent with the result of that check.
Besides the portal servers, the servers that access the NameNode include the node management servers (NodeManager). Because a NodeManager runs the distributed programs submitted by all users, and because users cannot log on to a NodeManager and run commands there, every NodeManager server is allowed to issue requests on behalf of any user. The external access controller can recognise from the IP address whether an access request originates from a NodeManager; if so, it proceeds directly to the read-write permission check according to the user name corresponding to the request, which improves the efficiency of user permission authentication.
In the technical scheme of this embodiment, the user name and IP address corresponding to an access request are obtained in response to the access request to the distributed file system, and the source of the request is judged from the IP address: if the request comes from a portal server, whether it is allowed is determined by the matching result against the allowed user set; if it comes from a node management server, the read-write permission check is performed directly. This addresses the problem in the prior art that access rights management of a distributed file system has security holes that let an illegitimate user perform unauthorised operations, does so without requiring a firewall, and improves the security of data access and storage in the distributed file system.
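The complete decision flow of steps S310 to S330, as an added example (illustrative code, not the patent's or HDFS's own implementation, written in Python so it runs stand-alone). The class ExternalAccessController, the Decision record, make_permission_check and the toy path-prefix table it builds are all assumptions; in a real NameNode the read-write check would be the file system's own permission logic. Beyond what the text states, the example also refuses requests from any address that is neither a known portal server nor a NodeManager, and rejects malformed addresses, which is the default a practitioner would want.

```python
"""External access control for a NameNode request: the source class is
decided from the IP address; a portal-server request must first match
(IP, user name) against the allowed user set; a NodeManager request skips
that step; both then go through the read-write permission check; any other
source is refused.

Added illustration, not the patent's code. Names, the Decision record and
the toy permission table are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Set

PermissionCheck = Callable[[str, str, str], bool]   # (user, path, op) -> allowed?


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def make_permission_check(acl: Dict[str, Dict[str, Set[str]]]) -> PermissionCheck:
    """Toy read-write check: the longest matching path prefix decides.
    Stand-in for the file system's own permission checker (assumption)."""
    prefixes = sorted(acl, key=len, reverse=True)

    def check(user: str, path: str, op: str) -> bool:
        for prefix in prefixes:
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                return op in acl[prefix].get(user, set())
        return False
    return check


class ExternalAccessController:
    def __init__(self, allowed_users: Dict[str, Set[str]], nodemanager_ips: Set[str],
                 permission_check: PermissionCheck) -> None:
        # Canonicalise addresses once so comparisons do not depend on how an
        # address happened to be spelled (matters for IPv6 text forms).
        self._allowed = {str(ipaddress.ip_address(ip)): set(users)
                         for ip, users in allowed_users.items()}
        self._nodemanagers = {str(ipaddress.ip_address(ip)) for ip in nodemanager_ips}
        self._permission_check = permission_check

    def check(self, user: str, ip: str, path: str, op: str) -> Decision:
        try:
            src = str(ipaddress.ip_address(ip))
        except ValueError:
            return Decision(False, "malformed source address")
        if src in self._nodemanagers:
            # NodeManagers run jobs submitted by every user, so there is no
            # per-host allow-list; go straight to the read-write check.
            return self._permission_step(user, path, op, "nodemanager")
        if src in self._allowed:
            if user not in self._allowed[src]:
                return Decision(False, f"user {user!r} is not allowed on portal server {src}")
            return self._permission_step(user, path, op, "portal")
        # Not a known portal server and not a NodeManager: refuse by default.
        return Decision(False, f"unknown source {src}")

    def _permission_step(self, user: str, path: str, op: str, source: str) -> Decision:
        if self._permission_check(user, path, op):
            return Decision(True, f"{source}: {op} on {path} permitted for {user!r}")
        return Decision(False, f"{source}: {op} on {path} denied for {user!r}")


if __name__ == "__main__":
    # Constructed sample configuration: one portal server, one NodeManager,
    # a per-user table standing in for HDFS permissions.
    acl = {"/data/alice": {"alice": {"read", "write"}, "bob": {"read"}},
           "/": {"hdfs": {"read", "write"}}}
    ctl = ExternalAccessController({"10.0.0.5": {"alice", "bob"}}, {"10.0.1.10"},
                                   make_permission_check(acl))
    for req in [("alice", "10.0.0.5", "/data/alice/x", "write"),
                ("hdfs", "10.0.0.5", "/tmp/job.out", "write"),
                ("hdfs", "10.0.1.10", "/tmp/job.out", "write"),
                ("alice", "192.0.2.9", "/data/alice/x", "read")]:
        print(req, "->", ctl.check(*req))
```

Two properties of the flow are visible in the sample run: a super account such as hdfs is refused on a portal server where it is not in the allow-list even though it would pass the permission check, and the same account is accepted from a NodeManager because that path has no allow-list step. Since the source class rests entirely on the IP address, the controller is only as strong as the network's guarantee that those addresses cannot be spoofed or shared; the patent does not address that, so a deployment has to.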
Example four
Fig. 4 is a schematic structural diagram of a rights management apparatus of a distributed file system according to a fourth embodiment of the present invention, which is applicable to managing the rights of a distributed file system. The rights management apparatus of the distributed file system provided by this embodiment can execute the rights management method of the distributed file system provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of that method. As shown in fig. 4, the apparatus includes an access request module 410 and an access verification module 420, wherein:
the access request module 410 is configured to obtain, in response to an access request to the distributed file system, the user name and IP address corresponding to the access request.
Optionally, the user name may be that of a super account or of a non-super account.
The access verification module 420 is configured to match the acquired user name and IP address against a pre-acquired allowed user set if the access request comes from a portal server, and to determine whether to allow the access request according to the matching result, the allowed user set being one configured in advance by the user through the Web service of the distributed file system.
Optionally, the access verification module 420 comprises:
an identity matching unit, configured to match the acquired user name and IP address against the pre-acquired allowed user set if the access request comes from a portal server;
a permission checking unit, configured to perform the read-write permission check according to the user name corresponding to the access request if the user name and IP address match the allowed user set, where the allowed user set contains the IP address of each portal server in at least one portal server together with the corresponding at least one allowed user name;
an operation execution unit, configured to allow the access request to execute the operation consistent with the result of the read-write permission check.
Further, the access verification module 420 also includes an allowed user set obtaining unit, configured to obtain and update the allowed user set at a preset period. The allowed user set obtaining unit includes:
a time sending subunit, configured to obtain, at the preset period, the time at which the allowed user set was last updated and to send that last update time to the Web service, so that the Web service can judge from the last update time whether the allowed user set has since been updated;
an obtaining subunit, configured to obtain the updated allowed user set from the Web service if the result returned by the Web service indicates that the allowed user set has been updated.
On the basis of the above technical solution, the apparatus optionally further includes:
an access checking module, configured to perform the read-write permission check according to the user name corresponding to the access request, and to allow the access request to execute the operation consistent with the result of that check, if the access request comes from a node management server of the distributed file system.
According to the technical scheme of this embodiment, the user name and IP address corresponding to an access request are obtained in response to the access request to the distributed file system, matched against the allowed user set configured in advance through the Web service, and whether the access request is allowed is then determined according to the matching result. This addresses the problem in the prior art that access rights management of a distributed file system has security holes that let an illegitimate user perform unauthorised operations, does so without requiring a firewall, improves the security of access to and storage of data in the distributed file system, realises a two-stage permission authentication of external access control followed by internal access control, and thereby provides effective management of the rights of the distributed file system.
EXAMPLE five
Fig. 5 is a schematic structural diagram of a server according to a fifth embodiment of the present invention. FIG. 5 illustrates a block diagram of an exemplary server 512 suitable for use in implementing embodiments of the present invention. The server 512 shown in fig. 5 is only an example and should not bring any limitations to the function and scope of the use of the embodiments of the present invention.
As shown in FIG. 5, the server 512 is in the form of a general purpose server. Components of server 512 may include, but are not limited to: one or more processors 516, a storage device 528, and a bus 518 that couples the various system components including the storage device 528 and the processors 516.
Bus 518 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The server 512 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by server 512 and includes both volatile and nonvolatile media, removable and non-removable media.
Storage 528 may include computer system readable media in the form of volatile Memory, such as Random Access Memory (RAM) 530 and/or cache Memory 532. The server 512 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 534 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 5, and commonly referred to as a "hard drive"). Although not shown in FIG. 5, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk such as a Compact disk Read-Only Memory (CD-ROM), Digital Video disk Read-Only Memory (DVD-ROM) or other optical media may be provided. In these cases, each drive may be connected to bus 518 through one or more data media interfaces. Storage 528 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 540 having a set (at least one) of program modules 542 may be stored, for example, in storage 528, such program modules 542 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may include an implementation of a network environment. The program modules 542 generally perform the functions and/or methods of the described embodiments of the invention.
The server 512 may also communicate with one or more external devices 514 (e.g., keyboard, pointing device, display 524, etc.), with one or more devices that enable a user to interact with the server 512, and/or with any devices (e.g., network card, modem, etc.) that enable the server 512 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 522. Further, server 512 may communicate with one or more networks (e.g., a Local Area Network (LAN), Wide Area Network (WAN), and/or a public network such as the Internet) via network adapter 520. As shown in FIG. 5, the network adapter 520 communicates with the other modules of the server 512 via the bus 518. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the server 512, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID (Redundant Array of Independent Disks) systems, tape drives, and data backup storage systems, among others.
The processor 516 executes various functional applications and data processing by executing programs stored in the storage device 528, for example, to implement the rights management method of the distributed file system provided by the embodiment of the present invention.
EXAMPLE six
The sixth embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the method for managing rights of a distributed file system according to any embodiment of the present invention.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM, or flash Memory), an optical fiber, a portable compact disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for managing authority of a distributed file system is applied to a distributed file system (HDFS), and comprises the following steps:
responding to an access request of a distributed file system, and acquiring a user name and an IP address corresponding to the access request, wherein the user name comprises a user name of a super account;
if the access request comes from a portal server, matching the user name and the IP address against a pre-acquired allowed user set and determining whether to allow the access request according to the matching result, which specifically comprises: matching the user name and the IP address against the pre-acquired allowed user set and, if the user name and the IP address match the allowed user set, performing a read-write permission check according to the user name corresponding to the access request and allowing the access request to execute the operation consistent with the result of the read-write permission check; wherein the allowed user set is configured in advance by a user through a Web service of the distributed file system, comprises a set of user names and a set of IP addresses that are allowed access, and comprises the IP address of each portal server among at least one portal server together with the corresponding at least one allowed user name.
2. The method of claim 1, wherein the user name further comprises a user name of a non-super account.
3. The method of claim 1, further comprising:
and if the access request is from a node management server of the distributed file system, performing read-write permission check according to a user name corresponding to the access request, and allowing the access request to execute an operation conforming to the read-write permission check result.
4. The method of claim 1, wherein the operation of obtaining the set of allowed users comprises:
acquiring and updating the allowed user set according to a preset period, specifically comprising:
acquiring the last time of updating the allowed user set according to a preset period, and sending the last time of updating to the Web service, so that the Web service can judge whether the allowed user set is updated at the current time according to the last time of updating;
and if the returned result of the Web service indicates that the allowed user set is updated, acquiring the updated allowed user set from the Web service.
5. A rights management device of a distributed file system, configured in a distributed file system (HDFS), comprising:
an access request module, configured to obtain, in response to an access request to the distributed file system, a user name and an IP address corresponding to the access request, wherein the user name comprises a user name of a super account;
an access verification module, configured to match the user name and the IP address against a pre-acquired allowed user set if the access request comes from a portal server, and to determine whether to allow the access request according to the matching result; wherein the allowed user set is configured in advance by a user through a Web service of the distributed file system and comprises a set of user names and a set of IP addresses that are allowed access;
the access verification module comprising:
an identity matching unit, configured to match the user name and the IP address against the pre-acquired allowed user set if the access request comes from a portal server;
a permission checking unit, configured to perform a read-write permission check according to the user name corresponding to the access request if the user name and the IP address match the allowed user set, wherein the allowed user set comprises the IP address of each portal server among at least one portal server together with the corresponding at least one allowed user name;
an operation execution unit, configured to allow the access request to execute the operation consistent with the result of the read-write permission check.
6. The apparatus of claim 5, wherein the user name further comprises a user name of a non-super account.
7. The apparatus of claim 5, further comprising:
and the access checking module is used for performing read-write permission check according to the user name corresponding to the access request and allowing the access request to execute the operation according with the read-write permission check result if the access request is from the node management server of the distributed file system.
8. The apparatus of claim 5, wherein the access verification module further comprises an allowed user set obtaining unit, configured to obtain and update the allowed user set at a preset period;
the permitted user set acquisition unit includes:
the time sending subunit is configured to obtain a time for updating the allowed user set last time according to a preset period, and send the last update time to the Web service, so that the Web service determines whether the allowed user set at the current time is updated according to the last update time;
and the obtaining subunit is configured to obtain the updated allowed user set from the Web service if the returned result of the Web service indicates that the allowed user set is updated.
9. A server, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method for rights management of a distributed file system according to any one of claims 1 to 4.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method of rights management for a distributed file system according to any one of claims 1 to 4.
CN201810031104.7A 2018-01-12 2018-01-12 Authority management method and device of distributed file system, server and medium Active CN108289098B (en)

Publications (2)

Publication Number Publication Date
CN108289098A CN108289098A (en) 2018-07-17
CN108289098B true CN108289098B (en) 2021-07-06

Family

ID=62835195

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108696540A (en) * 2018-07-18 2018-10-23 安徽云图信息技术有限公司 A kind of authorizing secure system and its authorization method
CN109299617A (en) * 2018-09-19 2019-02-01 中国农业银行股份有限公司贵州省分行 A kind of file encryption and decryption system
CN111049869B (en) * 2018-10-15 2022-09-02 航天信息股份有限公司 User management method and system in Hadoop cluster
CN111104666B (en) * 2018-10-25 2023-09-05 戴尔产品有限公司 Method, apparatus and computer readable medium for accessing services
CN112579557A (en) * 2019-09-27 2021-03-30 北京沃东天骏信息技术有限公司 Request response method, device, system, computer system and readable storage medium
CN112579525A (en) * 2019-09-30 2021-03-30 成都长虹网络科技有限责任公司 WEB-based unified file processing method and system
CN111427861B (en) * 2020-02-28 2023-05-05 云知声智能科技股份有限公司 Distributed file system configuration method and device
CN113158169A (en) * 2021-03-30 2021-07-23 北京大米科技有限公司 Hadoop cluster-based verification method and device, storage medium and electronic equipment
CN113779609B (en) * 2021-09-22 2024-03-22 北方健康医疗大数据科技有限公司 Data management method, device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102341809A (en) * 2009-03-12 2012-02-01 国际商业机器公司 Distributed filesystem access
CN102546664A (en) * 2012-02-27 2012-07-04 中国科学院计算技术研究所 User and authority management method and system for distributed file system
CN107196951A (en) * 2017-06-12 2017-09-22 北京明朝万达科技股份有限公司 The implementation method and firewall system of a kind of HDFS systems fire wall
CN107257334A (en) * 2017-06-08 2017-10-17 中国电子科技集团公司第三十二研究所 Identity authentication method for Hadoop cluster

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8738629B1 (en) * 2013-05-03 2014-05-27 Splunk Inc. External Result Provided process for retrieving data stored using a different configuration or protocol

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant