CN108289098B - Authority management method and device of distributed file system, server and medium - Google Patents
Publication number: CN108289098B (application CN201810031104.7A)
Authority: CN (China)
Prior art keywords: user, access request, allowed, file system, distributed file
Legal status: Active
Classifications
- H04L 63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
- H04L 63/0876: Network architectures or network communication protocols for network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L 67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L 67/1097: Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Abstract
The embodiment of the invention discloses a method and a device for managing authority of a distributed file system, a server and a medium. The method comprises the following steps: responding to an access request to the distributed file system, acquiring the user name and IP address corresponding to the access request; and if the access request comes from a portal server, matching the acquired user name and IP address against a pre-acquired allowed user set and determining, according to the matching result, whether to allow the access request, wherein the allowed user set is configured in advance by the user through the Web service of the distributed file system. The embodiment of the invention requires no firewall, addresses the security gaps in prior-art access authority management of the distributed file system through which illegal users could easily perform illegal operations, and improves the security of data access and storage in the distributed file system.
Description
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method and a device for managing authority of a distributed file system, a server and a medium.
Background
The Hadoop Distributed File System (HDFS) is the distributed file system provided by Hadoop. HDFS has many advantages, such as high fault tolerance, streaming access, suitability for batch/big-data processing and the ability to run on inexpensive commodity machines, and is widely applied in fields such as image processing, infrastructure management and electronic commerce.
HDFS mainly comprises two components, the NameNode and the DataNode. The NameNode, as the master node, manages metadata, including the directory structure, permission information and file block storage information; the DataNodes, as slave nodes, store the actual data blocks. The NameNode is the manager of HDFS, and any operation that reads a file must pass through it. Specifically, the NameNode exposes three external interfaces: a Remote Procedure Call (RPC) protocol interface, an HFTP interface (an HTTP-based, read-only file system interface) and the WebHDFS interface (an HTTP REST interface), and a user can access HDFS through any one of the three.
At present, a client program of the Hadoop platform by default reads HADOOP_USER_NAME from the environment variables of the current server as the user name; if HADOOP_USER_NAME is empty, the current operating-system user is taken as the Hadoop user, and that Hadoop user is allowed to access HDFS. The problem this poses is that a user can be forged, and illegal operations performed, merely by modifying the HADOOP_USER_NAME environment variable on the client. Therefore, the prior art generally uses firewall technology to restrict access to the RPC protocol interface in order to improve access security. However, improving access security with a firewall still has at least the following problems for HDFS:
1) For the RPC protocol interface, even with a firewall added, the firewall can only detect whether the portal server is legitimate; it cannot detect whether the user using that portal server is legitimate, so the problem of an illegal user impersonating a legitimate user to perform illegal operations remains.
2) Since firewalls cannot be placed in front of the HFTP and WebHDFS protocol interfaces, an illegal user can still access these two interfaces.
Disclosure of Invention
The embodiment of the invention provides a method and a device for managing the authority of a distributed file system, a server and a medium, which are used for improving the safety of accessing and storing data of the distributed file system.
In a first aspect, an embodiment of the present invention provides a method for managing permissions of a distributed file system, where the method includes:
responding to an access request to a distributed file system, and acquiring a user name and an IP address corresponding to the access request;
and if the access request comes from a portal server, matching the user name and the IP address against a pre-acquired allowed user set, and determining whether to allow the access request according to the matching result, wherein the allowed user set is configured in advance by a user through the Web service of the distributed file system.
In a second aspect, an embodiment of the present invention further provides a rights management apparatus for a distributed file system, where the apparatus includes:
the access request module is used for responding to an access request to the distributed file system and acquiring a user name and an IP address corresponding to the access request;
and the access verification module, configured to match the user name and the IP address against a pre-acquired allowed user set if the access request comes from a portal server, and to determine whether to allow the access request according to the matching result, wherein the allowed user set is configured in advance by a user through the Web service of the distributed file system.
In a third aspect, an embodiment of the present invention further provides a server, including:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for rights management of a distributed file system according to any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a rights management method of a distributed file system according to any embodiment of the present invention.
In the embodiment of the invention, the user name and IP address corresponding to an access request are acquired in response to the access request to the distributed file system, matched against the allowed user set configured in advance through the Web service, and the access request is then allowed or refused according to the matching result, without any firewall being required. This addresses the security gaps in prior-art access authority management of the distributed file system, through which illegal users could easily perform illegal operations, and improves the security of data access and storage in the distributed file system.
Drawings
Fig. 1 is a flowchart of a rights management method of a distributed file system according to an embodiment of the present invention;
fig. 2 is a flowchart of a rights management method of a distributed file system according to a second embodiment of the present invention;
fig. 3 is a flowchart of a rights management method of a distributed file system according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of a rights management apparatus of a distributed file system according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of a server according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a method for managing permissions of a distributed file system according to an embodiment of the present invention, where the embodiment is applicable to a case of managing permissions of the distributed file system, and the method may be executed by a permission management apparatus of the distributed file system, where the apparatus may be implemented in a software and/or hardware manner, and may be integrated in a server. As shown in fig. 1, the method specifically includes:
and S110, responding to the access request to the distributed file system, and acquiring a user name and an IP address corresponding to the access request.
The NameNode, as the master node, manages metadata, which mainly comprises the directory structure, permission information and file block storage information; the DataNodes, as slave nodes, store the actual data blocks. Illustratively, the directory structure comprises the subdirectories and files under each directory; the permission information comprises the read, write and access permissions of the owner of a directory or file, of users in the same group, and of other users; and the file block storage information records into how many data blocks a file is divided and on which servers those blocks are stored. Since the NameNode is the administrator of the whole file system, any operation that reads a file must pass through it. When a user logs in to a server to access the NameNode, the authority management device of the distributed file system responds to the user's access request and acquires the user name with which the user logged in and the IP address of the server. Checking the IP address as well further strengthens the security of access to data files.
For authority management, users are divided into three categories: administrator users, service owners and ordinary users. An administrator user can add a service group and the service owner of that group, create the corresponding database and directory, and assign ownership (owner) of the corresponding directory to the group. The service owner modifies the permissions of the group's own directory as required, for example forbidding other users from reading the data of a certain database, adding users to the group, adding portal servers to the group, and the like.
And S120, if the access request is from the portal server, matching the acquired user name and the IP address with a pre-acquired allowed user set, and determining whether to allow the access request according to a matching result, wherein the allowed user set is the allowed user set which is configured by the user through the Web service of the distributed file system in advance.
The portal server is the server on which users access data and submit distributed programs, so the users who use the portal server need to be controlled. When the access request reaches the NameNode, the authority management device of the distributed file system verifies whether the user of the portal server has access permission, and if the user is an illegal user impersonating another user, an access-control exception is thrown directly.
Specifically, HDFS has the configuration item dfs.namenode.inode.attributes.provider.class, through which an external access controller can be obtained with the getExternalAccessControlEnforcer method; this controller matches the acquired user name and IP address against the pre-acquired allowed user set, that is, it implements the first layer of authority authentication, external access control of the user, and the external access control passes if both the user name and the IP address are matched successfully. It should be noted that if the IP address is not in the allowed user set, for example because a service group that already has one portal server finds it insufficient and simply copies the required program to another new portal server to run, the IP address of the new portal server has not been added to the allowed user set, so no user-name matching is performed at all and the access request is rejected directly. Whether the user's access request is allowed is then determined again according to the matching result, that is, the second layer of authority authentication, internal access control of the user, is implemented: specifically, if the external access control of the user passes, the ordinary file permissions of the user continue to be authenticated.
The allowed user set is the set of allowed users configured in advance by the user through the Web service of the distributed file system, and comprises the set of user names and the set of IP addresses allowed to access. Compared with the prior art, which improves access security by placing a firewall in front of the external protocol interfaces of the HDFS master node, configuring the allowed user set through the Web service has the following advantages:
1) It solves the problem that the access entries of users are not uniform. In the prior art, a firewall is only added to the RPC protocol interface; the HFTP and WebHDFS protocol interfaces cannot be firewalled because they are served by the same HTTP service as the NameNode's Web interface. Restricting RPC access with a firewall gives the cluster a boundary: a user must access the cluster through an authorised portal server, and no other server can reach the cluster through the RPC protocol interface. But a user on the portal server can still impersonate any user and read data through the HFTP and WebHDFS protocol interfaces. This creates the problem of non-uniform access from the same server, where some protocols can reach the data and others cannot. In the embodiment of the invention no firewall is added, so the problem of non-uniform user access entries does not arise, and an illegal user can no longer impersonate any legitimate user to read data through the HFTP and WebHDFS protocol interfaces.
In addition, in the prior art, to prevent a user from creating additional users on a portal server that is allowed to reach the NameNode over RPC and performing illegal cluster operations, the root password of the portal server is withdrawn and the portal server is placed on the firewall white list. However, some services produce logs on online servers, and those logs have to be uploaded to Hadoop with software such as Flume; with the root password withdrawn, users have difficulty operating and maintaining their own servers. If instead the user copies the data to the distributed portal server first, the data is relayed one more time, at additional cost. In the end the cluster becomes inconvenient to use. In the embodiment of the invention no firewall is required, so these problems naturally do not arise and users are not inconvenienced.
2) It makes up for the firewall's inability to identify the user who logged in to the portal server, and avoids the risk of data leakage or loss caused by a user impersonating another user to operate the cluster by setting the environment variable HADOOP_USER_NAME. Suppose a certain service group has two user accounts, Zhang San and Li Si, that is, the service owner of the group added these two accounts when adding the portal server. If Zhang San changes the user to search by modifying the environment variable before accessing Hadoop, in order to read private files of the search group, the user name passed to the NameNode is search. During authority authentication, the user list corresponding to the IP address is looked up and found to contain Zhang San and Li Si; the match fails because the list does not contain search, so an exception is thrown and Zhang San's access is prevented.
In this embodiment, the allowed user set is configured through the Web service; no additional firewall needs to be set up and no root password needs to be withdrawn.
Optionally, the user name comprises the user name of a super account and the user names of non-super accounts.
The Hadoop super account, i.e. the user that started the Hadoop service, has all permissions. In the prior art, no authority authentication is performed when a user logs in with the super account to operate the file system: when the Hadoop permission check encounters an access by the super account, the external check program is skipped. In the technical solution of this example, a switch can be configured to set whether the super account skips the external check program. When the switch is set to false, the external check program is also run for accesses by the super account, i.e. the user name and IP address are matched against the allowed user set for the super account too. If the match succeeds, it is further decided whether the super account is subjected to the ordinary file permission check. When the super account has to pass the file permission check, its file operations are those of an ordinary user: it cannot delete other users' files, cannot read files to which other users have given other users permission 0, and retains only the cluster maintenance function. Through this switch configuration, both super and non-super accounts must pass the authority authentication of external access control and of internal access control, which prevents data access by impersonating the super account, prevents data leakage, and avoids the irrecoverable major accidents that can arise because the super account can read and delete all data.
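The external access control described in this embodiment (the HADOOP_USER_NAME spoofing scenario, the rejection of an unregistered portal IP before any user-name matching, and the super-account switch), as an added example that is not code from the patent or from Hadoop. The real hook is a Java INodeAttributeProvider running inside the NameNode; this Python model only reproduces the decision logic, and the portal IP addresses, account names and the super-account name hdfs are assumptions made for illustration.

```python
# Added example, not code from the patent or from Hadoop: a model of the
# external access control (user name + portal IP matched against the allowed
# user set) and of the super-account switch. All names and addresses are assumed.
from dataclasses import dataclass
from typing import Dict, Mapping, Set


def resolve_client_user(env: Mapping[str, str], os_user: str) -> str:
    """Mirror the Hadoop client default: HADOOP_USER_NAME wins, else the OS user.

    This is the client-side weakness the text describes: the name sent to the
    NameNode is chosen by whoever controls the client's environment.
    """
    name = env.get("HADOOP_USER_NAME", "")
    return name if name else os_user


@dataclass
class ExternalAccessController:
    # Allowed user set as configured through the Web service:
    # portal-server IP -> user names the service owner registered on that portal.
    allowed: Dict[str, Set[str]]
    superuser: str = "hdfs"  # assumed name of the account that started HDFS
    # Switch from the text: True reproduces the prior-art behaviour in which the
    # super account skips the external check; False subjects it to the check too.
    superuser_skips_external_check: bool = False

    def check(self, user: str, ip: str) -> str:
        """First layer (external access control). Returns 'pass' or a denial reason."""
        if user == self.superuser and self.superuser_skips_external_check:
            return "pass"
        users = self.allowed.get(ip)
        if users is None:
            # Unknown portal IP (e.g. a program copied to an unregistered machine):
            # reject without matching the user name at all.
            return "deny: portal %s is not registered" % ip
        if user not in users:
            return "deny: user %r is not allowed on portal %s" % (user, ip)
        return "pass"


def scenario() -> Dict[str, str]:
    """Constructed scenario from the text: Zhang San spoofs 'search' via the env var."""
    ctl = ExternalAccessController(allowed={"10.0.0.5": {"zhangsan", "lisi"}})
    portal_ip = "10.0.0.5"
    # Zhang San's shell on the registered portal server, with and without the variable.
    spoofed = resolve_client_user({"HADOOP_USER_NAME": "search"}, os_user="zhangsan")
    honest = resolve_client_user({}, os_user="zhangsan")
    return {
        "spoofed_name": spoofed,
        "spoofed": ctl.check(spoofed, portal_ip),
        "honest": ctl.check(honest, portal_ip),
        "new_portal": ctl.check("zhangsan", "10.0.0.9"),
        "super_checked": ctl.check("hdfs", portal_ip),
        "super_skipped": ExternalAccessController(
            allowed=ctl.allowed, superuser_skips_external_check=True
        ).check("hdfs", portal_ip),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The spoofed request carries the name search to the NameNode, but the list registered for 10.0.0.5 contains only zhangsan and lisi, so it is refused; the same user from the unregistered 10.0.0.9 is refused before the name is even compared, and the super account is refused too unless the switch restores the prior-art bypass.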
According to the technical scheme, the user name and the IP address corresponding to the access request are obtained in response to the access request of the distributed file system, centralized matching is carried out on allowed users configured in advance by using Web service, whether the access request is allowed or not is determined according to the matching result, and a firewall does not need to be set.
Example two
Fig. 2 is a flowchart of a rights management method of a distributed file system according to a second embodiment of the present invention, and this embodiment is further optimized based on the foregoing embodiment. As shown in fig. 2, the method specifically includes:
S210, responding to the access request of the distributed file system, and acquiring a user name and an IP address corresponding to the access request.
And S220, if the access request is from the portal server, matching the acquired user name and IP address with the pre-acquired allowed user set.
And S230, if the user name and the IP address are matched with an allowed user set, performing read-write permission check according to the user name corresponding to the access request, wherein the allowed user set comprises the IP address of each portal server in at least one portal server and at least one corresponding allowed user name.
A service owner in the distributed file system can only add users of his or her own service group, not users of other groups. Illustratively, the flow by which the service owner adds a portal server is as follows:
(1) On the Web interface, add the portal server information: enter the host name and IP address of the portal server and which users are allowed to access on it. The NameNode server adds this portal server and the users allowed on it to the NameNode's external access control system. At the same time, the portal server is placed on the portal server list, for use when the Hadoop program is upgraded and cluster parameters are updated.
(2) Download the portal server installer from the Web interface and execute it with the root account. Illustratively, installing a portal server involves the following operations: 1) create the Hadoop account of the installing user; 2) create the directory /usr/local/platform and assign its ownership to this user; 3) place the public key of the Hadoop account of the distributing portal server into the authorized_keys file, after which only the Hadoop account is used to distribute the Hadoop program and configuration; 4) download the Hadoop installation package from the Web server to the local machine and decompress it; 5) link /usr/local/platform/hadoop to the decompressed directory; 6) set environment variables such as HADOOP_HOME and PATH in /etc/profile so that users of the portal server can execute Hadoop commands.
(3) The service owner creates on the portal server the user accounts that were created on the Web, each comprising a user name and login password. Since the platform group has no root privileges on this portal server, the service owner has to create them personally.
Through the above operations, the service owner can add at least one portal server and at least one allowed user corresponding to each portal server in his or her own service group, so that the IP address of each portal server and its corresponding at least one allowed user name form the allowed user set. If the access request comes from a portal server and the user name and IP address match the allowed user set, the first layer of authority authentication, external access control, has passed; the second layer, internal access control of the user, is then implemented through the read-write permission check of the access request, i.e. the ordinary file permission authentication of the user.
It should be noted that the ordinary permissions of the Hadoop file system are similar to the permissions and Access Control Lists (ACLs) of the Portable Operating System Interface (POSIX) used by UNIX. POSIX divides the permissions of a file or directory into three parts: the file owner, users in the owner's group, and other users. The permissions of each part comprise three kinds, read, write and execute, each represented by one binary bit, where binary 1 means the permission is granted and 0 means it is not. Illustratively, if the permission of a file is 750: 7 converted to binary is 111, meaning the file owner has all three of the read, write and execute permissions on the file; 5 converted to binary is 101, meaning users in the same group have only the read and execute permissions on the file and no write permission; 0 converted to binary is 000, meaning other users have no permission at all on the file. If another user now needs to read the file, an exception can be added by means of an ACL: an ACL exception can be added for a user or for a group, and can grant read or read-write access.
S240, allowing the access request to execute the operation corresponding to the read-write permission check result.
And when the read-write authority authentication of the user on the file is passed, the user can perform corresponding authority operation on the file.
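The ordinary file permission check of steps S230 and S240 (the POSIX-style owner/group/other bits of the 750 example plus ACL exceptions for a named user or group), as an added example that is not code from the patent or from Hadoop. It is a Python model of the check, not HDFS's FSPermissionChecker; the ACL mask entry that HDFS applies to named entries is deliberately left out, and the file, account and group names are constructed for illustration.

```python
# Added example, not code from the patent or from Hadoop: the internal access
# control (POSIX-style mode bits plus ACL exceptions) modelled in Python.
# Simplification: the ACL mask entry of real HDFS ACLs is omitted.
from dataclasses import dataclass, field
from enum import IntFlag
from typing import Dict, List, Set


class Perm(IntFlag):
    NONE = 0
    X = 1
    W = 2
    R = 4


@dataclass
class AclEntry:
    kind: str      # "user" or "group"
    name: str
    perms: Perm


@dataclass
class FileAttrs:
    owner: str
    group: str
    mode: int      # e.g. 0o750, as in the text's example
    acl: List[AclEntry] = field(default_factory=list)


def parse_mode(octal: str) -> int:
    """'750' -> 0o750; each digit is the r/w/x triple for owner, group, other."""
    if len(octal) != 3 or any(c not in "01234567" for c in octal):
        raise ValueError("mode must be three octal digits")
    return int(octal, 8)


def effective_perms(f: FileAttrs, user: str, groups: Set[str]) -> Perm:
    """Resolve which r/w/x triple applies to `user`, in POSIX.1e order."""
    if user == f.owner:
        return Perm((f.mode >> 6) & 7)
    for e in f.acl:                     # a named-user exception beats the group bits
        if e.kind == "user" and e.name == user:
            return e.perms
    grant = None
    if f.group in groups:               # owning group
        grant = Perm((f.mode >> 3) & 7)
    for e in f.acl:                     # named-group exceptions are unioned
        if e.kind == "group" and e.name in groups:
            grant = e.perms if grant is None else grant | e.perms
    if grant is not None:
        return grant
    return Perm(f.mode & 7)             # everyone else


def check_permission(f: FileAttrs, user: str, groups: Set[str], want: Perm) -> bool:
    """Internal access control: True only if every bit in `want` is granted."""
    return (effective_perms(f, user, groups) & want) == want


def scenario() -> Dict[str, bool]:
    """Constructed: a 750 file owned by lisi/search, with a read exception for wangwu."""
    secret = FileAttrs(owner="lisi", group="search", mode=parse_mode("750"),
                       acl=[AclEntry("user", "wangwu", Perm.R)])
    rwx = Perm.R | Perm.W | Perm.X
    return {
        "owner_rwx": check_permission(secret, "lisi", {"search"}, rwx),
        "group_read_exec": check_permission(secret, "zhaoliu", {"search"}, Perm.R | Perm.X),
        "group_write": check_permission(secret, "zhaoliu", {"search"}, Perm.W),
        "other_read": check_permission(secret, "zhangsan", {"ads"}, Perm.R),
        "acl_read": check_permission(secret, "wangwu", {"ads"}, Perm.R),
        "acl_write": check_permission(secret, "wangwu", {"ads"}, Perm.W),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

In this model the external check of S220 has already established who the caller is; the result above is then the operation the request is allowed to perform (S240), so a user who is not the owner, not in the search group and not named in an ACL entry gets nothing from a 750 file.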
According to the technical scheme of this embodiment, the user name and IP address corresponding to an access request are acquired in response to the access request to the distributed file system; after they are successfully matched against the allowed user set, the read-write permission check of the accessing user is performed according to the user name corresponding to the access request. This realises a two-layer authority authentication process for the user, external access control followed by internal access control, without any firewall being set up. It addresses the security gaps in prior-art access authority management of the distributed file system, through which illegal users could easily perform illegal operations, improves the security of data access and storage in the distributed file system, and effectively manages the permissions of the distributed file system.
EXAMPLE III
Fig. 3 is a flowchart of a rights management method of a distributed file system according to a third embodiment of the present invention, and this embodiment is further optimized based on the foregoing embodiments. As shown in fig. 3, the method specifically includes:
S310, responding to the access request of the distributed file system, and acquiring a user name and an IP address corresponding to the access request.
And S320, if the access request is from the portal server, matching the acquired user name and the IP address with a pre-acquired allowed user set, and determining whether to allow the access request according to a matching result, wherein the allowed user set is the allowed user set which is configured by the user through the Web service of the distributed file system in advance.
Optionally, acquiring the allowed user set comprises:
acquiring and updating the allowed user set according to a preset period, specifically comprising:
acquiring the time of updating the allowed user set last time according to a preset period, and sending the last updating time to the Web service so that the Web service can judge whether the allowed user set at the current time is updated or not according to the last updating time;
and if the returned result of the Web service is that the allowed user set is updated, acquiring the updated allowed user set from the Web service.
Illustratively, to acquire and update the allowed user set according to the preset period, the authority management device of the distributed file system runs a timed configuration loader that periodically calls the module which reads and parses the configuration; for example, the preset period may be set to 30 seconds. To reduce system overhead, if no user or portal server has been added since the configuration was last read, and no user is currently modifying a portal server, no reload is necessary. The timed loader keeps the time at which the configuration was last loaded and first calls the hasUpdate method of the configuration provider (i.e. the Web service), passing that last load time as the parameter. If nothing has been updated since the last load time, false is returned; only when true is returned is the configuration provider's reload method called to reload the configuration. When invoked, the reload method returns a mapping of the allowed user sets of all portal servers.
The configuration provider may take various forms: the configuration it provides may be backed by a file, by a RESTful call, by a database, and so on. The configuration provider must provide the hasUpdate and reload methods described above.
S330, if the access request is from the node management server of the distributed file system, performing read-write permission check according to the user name corresponding to the access request, and allowing the access request to execute the operation corresponding to the read-write permission check result.
Besides the portal servers, the servers that access the NameNode include the node management servers (NodeManagers). Since a NodeManager runs the distributed programs submitted by all users, and users cannot log in to a NodeManager to run programs there, every NodeManager server allows access by all users. The external access controller can identify from the IP address whether the source of the access request is a NodeManager; if so, the read-write permission check is performed directly according to the user name corresponding to the access request, which improves the efficiency of user authority authentication.
According to the technical scheme of this embodiment, the user name and IP address corresponding to an access request are acquired in response to the access request to the distributed file system, and the source of the access request is determined from the IP address: if the access request comes from a portal server, whether to allow it is determined according to the result of matching against the allowed user set; if the access request comes from a node management server, the read-write permission check is performed directly. This addresses the security gaps in prior-art access authority management of the distributed file system, through which illegal users could easily perform illegal operations, requires no firewall, and improves the security of data access and storage in the distributed file system.
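The periodic refresh of the allowed user set (the hasUpdate/reload pair against a configuration provider, with the last load time as the parameter) and the dispatch by request source (portal server versus NodeManager) from this embodiment, as one added example that is not code from the patent or from Hadoop. The in-memory provider, the injected clock, the 30-second period and the IP addresses are assumptions; a real provider would be backed by a file, a REST call or a database as the text says, and the file-permission check is passed in as a callable so the dispatch logic can be exercised on its own.

```python
# Added example, not code from the patent or from Hadoop: periodic reload of the
# allowed user set through a provider's hasUpdate/reload pair, and dispatch of a
# request by its source IP (portal server vs NodeManager). Names are assumed.
from typing import Callable, Dict, Set


class FakeClock:
    """Injected clock so the example runs deterministically offline."""
    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class InMemoryProvider:
    """Configuration provider exposing the hasUpdate/reload pair from the text.

    Stands in for the Web service; every change is stamped with the clock so
    hasUpdate can compare it with the loader's last load time.
    """
    def __init__(self, clock: FakeClock, mapping: Dict[str, Set[str]]) -> None:
        self.clock = clock
        self._mapping = {ip: set(users) for ip, users in mapping.items()}
        self._modified = clock.now()

    def set_allowed(self, ip: str, users: Set[str]) -> None:
        """Service owner registers (or edits) a portal server through the Web service."""
        self._mapping[ip] = set(users)
        self._modified = self.clock.now()

    def has_update(self, last_load: float) -> bool:
        return self._modified > last_load

    def reload(self) -> Dict[str, Set[str]]:
        return {ip: set(users) for ip, users in self._mapping.items()}


class TimedLoader:
    """Reloads only when the provider reports a change since the last load."""
    def __init__(self, provider: InMemoryProvider, clock: FakeClock, period: float = 30.0) -> None:
        self.provider, self.clock, self.period = provider, clock, period
        self.allowed = provider.reload()
        self.last_load = clock.now()
        self.reloads = 1

    def tick(self) -> bool:
        """One scheduler pass (every `period` seconds). Returns True if a reload happened."""
        if not self.provider.has_update(self.last_load):
            return False
        self.allowed = self.provider.reload()
        self.last_load = self.clock.now()
        self.reloads += 1
        return True


class AccessDispatcher:
    def __init__(self, loader: TimedLoader, nodemanager_ips: Set[str]) -> None:
        self.loader = loader
        self.nodemanager_ips = nodemanager_ips

    def decide(self, user: str, ip: str, file_check: Callable[[str], bool]) -> str:
        if ip in self.nodemanager_ips:
            # NodeManagers run every user's jobs and nobody logs in on them:
            # skip the external match and go straight to the file-permission check.
            return "allow" if file_check(user) else "deny: file permission"
        users = self.loader.allowed.get(ip)
        if users is None:
            return "deny: unregistered source"
        if user not in users:
            return "deny: user not allowed on portal"
        return "allow" if file_check(user) else "deny: file permission"


def scenario() -> Dict[str, object]:
    """Constructed timeline: one portal registered, a second one added later."""
    clock = FakeClock()
    provider = InMemoryProvider(clock, {"10.0.0.5": {"zhangsan", "lisi"}})
    clock.advance(1)
    loader = TimedLoader(provider, clock)
    dispatch = AccessDispatcher(loader, nodemanager_ips={"10.0.1.7"})

    def readable(user: str) -> bool:    # stand-in for the ordinary file-permission check
        return True

    out: Dict[str, object] = {}
    out["portal_ok"] = dispatch.decide("zhangsan", "10.0.0.5", readable)
    out["portal_wrong_user"] = dispatch.decide("search", "10.0.0.5", readable)
    out["nodemanager_any_user"] = dispatch.decide("search", "10.0.1.7", readable)
    out["before_register"] = dispatch.decide("zhangsan", "10.0.0.9", readable)
    clock.advance(5)
    provider.set_allowed("10.0.0.9", {"zhangsan"})   # new portal added on the Web
    clock.advance(30)
    out["tick_reloaded"] = loader.tick()              # change seen: reload
    out["after_register"] = dispatch.decide("zhangsan", "10.0.0.9", readable)
    clock.advance(30)
    out["tick_idle"] = loader.tick()                  # nothing changed: no reload
    out["reloads"] = loader.reloads
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The second tick returns false without touching the provider's data, which is the overhead saving the text describes; the new portal becomes usable only after the tick that follows its registration, so the period bounds how long a freshly registered portal server is refused.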
Example four
Fig. 4 is a schematic structural diagram of a rights management apparatus of a distributed file system according to a fourth embodiment of the present invention, which is applicable to the case of managing rights of the distributed file system. The rights management apparatus of the distributed file system provided by this embodiment of the invention can execute the rights management method of the distributed file system provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to the executed method. As shown in fig. 4, the apparatus includes an access request module 410 and an access verification module 420, wherein:
an access request module 410, configured to obtain, in response to an access request to the distributed file system, the user name and IP address corresponding to the access request;
Optionally, the user name includes a user name of a super account and a user name of a non-super account.
an access verification module 420, configured to match the obtained user name and IP address against a pre-acquired allowed user set if the access request is from a portal server, and to determine whether to allow the access request according to the matching result, where the allowed user set is configured in advance by the user through the Web service of the distributed file system.
Optionally, the access verification module 420 comprises:
an identity matching unit, configured to match the obtained user name and IP address against the pre-acquired allowed user set if the access request is from a portal server;
a permission checking unit, configured to perform the read-write permission check according to the user name corresponding to the access request if the user name and IP address match the allowed user set, where the allowed user set comprises the IP address of each portal server among at least one portal server and at least one corresponding allowed user name;
an operation execution unit, configured to allow the access request to execute an operation consistent with the result of the read-write permission check.
Further, the access verification module 420 further includes an allowed user set acquisition unit, configured to acquire and update the allowed user set according to a preset period. The allowed user set acquisition unit includes:
a time sending subunit, configured to obtain, according to the preset period, the time at which the allowed user set was last updated and to send that last update time to the Web service, so that the Web service can determine from the last update time whether the allowed user set has been updated since;
an acquisition subunit, configured to acquire the updated allowed user set from the Web service if the result returned by the Web service indicates that the allowed user set has been updated.
On the basis of the above technical solution, optionally, the apparatus further includes:
an access checking module, configured to, if the access request is from a node management server of the distributed file system, perform the read-write permission check according to the user name corresponding to the access request and allow the access request to execute an operation conforming to the result of the read-write permission check.
In the technical solution of this embodiment, the user name and IP address corresponding to an access request are obtained in response to the access request to the distributed file system, matched against the allowed user set configured in advance through the Web service, and whether the access request is allowed is then determined according to the matching result. The method and device solve the problems in the prior art that the access authority management of the distributed file system has security holes and unauthorized operations by unauthorized users easily occur, require no firewall to be set, improve the security of access to and data storage in the distributed file system, realize a two-stage permission authentication process consisting of external access control and internal access control of the user, and thereby achieve effective management of the rights of the distributed file system.
Example five
Fig. 5 is a schematic structural diagram of a server according to a fifth embodiment of the present invention. FIG. 5 illustrates a block diagram of an exemplary server 512 suitable for use in implementing embodiments of the present invention. The server 512 shown in fig. 5 is only an example and should not bring any limitations to the function and scope of the use of the embodiments of the present invention.
As shown in FIG. 5, the server 512 is in the form of a general purpose server. Components of server 512 may include, but are not limited to: one or more processors 516, a storage device 528, and a bus 518 that couples the various system components including the storage device 528 and the processors 516.
The server 512 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by server 512 and includes both volatile and nonvolatile media, removable and non-removable media.
A program/utility 540 having a set (at least one) of program modules 542 may be stored, for example, in storage device 528; such program modules 542 include, but are not limited to, an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may include an implementation of a network environment. The program modules 542 generally perform the functions and/or methods of the described embodiments of the invention.
The server 512 may also communicate with one or more external devices 514 (e.g., keyboard, pointing device, display 524, etc.), with one or more devices that enable a user to interact with the server 512, and/or with any devices (e.g., network card, modem, etc.) that enable the server 512 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 522. Further, server 512 may communicate with one or more networks (e.g., a local area network (LAN), a wide area network (WAN), and/or a public network such as the Internet) via network adapter 520. As shown in FIG. 5, the network adapter 520 communicates with the other modules of the server 512 via the bus 518. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the server 512, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID (Redundant Array of Independent Disks) systems, tape drives, and data backup storage systems, among others.
The processor 516 executes various functional applications and data processing by executing programs stored in the storage device 528, for example, to implement the rights management method of the distributed file system provided by the embodiment of the present invention.
Example six
The sixth embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for managing rights of a distributed file system according to the sixth embodiment of the present invention.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (10)
1. A method for managing authority of a distributed file system is applied to a distributed file system (HDFS), and comprises the following steps:
responding to an access request of a distributed file system, and acquiring a user name and an IP address corresponding to the access request, wherein the user name comprises a user name of a super account;
if the access request is from a portal server, matching the user name and the IP address against a pre-acquired allowed user set, and determining whether to allow the access request according to the matching result, specifically comprising: matching the user name and the IP address against the pre-acquired allowed user set, and if the user name and the IP address match the allowed user set, performing a read-write permission check according to the user name corresponding to the access request and allowing the access request to execute an operation conforming to the result of the read-write permission check; wherein the allowed user set is configured in advance by a user through a Web service of the distributed file system, the allowed user set comprises the set of user names and the set of IP addresses that are allowed to access, and the allowed user set comprises the IP address of each portal server among at least one portal server and at least one corresponding allowed user name.
2. The method of claim 1, wherein the username further comprises a username that is not a super account.
3. The method of claim 1, further comprising:
if the access request is from a node management server of the distributed file system, performing the read-write permission check according to the user name corresponding to the access request, and allowing the access request to execute an operation conforming to the result of the read-write permission check.
4. The method of claim 1, wherein the operation of obtaining the set of allowed users comprises:
acquiring and updating the allowed user set according to a preset period, specifically comprising:
acquiring the last time of updating the allowed user set according to a preset period, and sending the last time of updating to the Web service, so that the Web service can judge whether the allowed user set is updated at the current time according to the last time of updating;
if the result returned by the Web service indicates that the allowed user set has been updated, acquiring the updated allowed user set from the Web service.
5. A rights management device of a distributed file system, configured in a distributed file system (HDFS), comprising:
the access request module is used for responding to an access request to the distributed file system and acquiring a user name and an IP address corresponding to the access request, wherein the user name comprises a user name of a super account;
an access verification module, configured to match the user name and the IP address against a pre-acquired allowed user set if the access request is from a portal server, and to determine whether to allow the access request according to the matching result; wherein the allowed user set is configured in advance by a user through a Web service of the distributed file system and comprises the set of user names and the set of IP addresses that are allowed to access;
the access verification module includes:
an identity matching unit, configured to match the user name and the IP address against the pre-acquired allowed user set if the access request is from a portal server;
a permission checking unit, configured to perform the read-write permission check according to the user name corresponding to the access request if the user name and the IP address match the allowed user set, wherein the allowed user set comprises the IP address of each portal server among at least one portal server and at least one corresponding allowed user name;
an operation execution unit, configured to allow the access request to execute an operation consistent with the result of the read-write permission check.
6. The apparatus of claim 5, wherein the username further comprises a username that is not a super account.
7. The apparatus of claim 5, further comprising:
an access checking module, configured to, if the access request is from a node management server of the distributed file system, perform the read-write permission check according to the user name corresponding to the access request and allow the access request to execute an operation conforming to the result of the read-write permission check.
8. The apparatus of claim 5, wherein the access verification module further comprises an allowed user set acquisition unit, configured to acquire and update the allowed user set according to a preset period;
the allowed user set acquisition unit includes:
a time sending subunit, configured to obtain, according to the preset period, the time at which the allowed user set was last updated and to send that last update time to the Web service, so that the Web service determines from the last update time whether the allowed user set has been updated since;
an acquisition subunit, configured to acquire the updated allowed user set from the Web service if the result returned by the Web service indicates that the allowed user set has been updated.
9. A server, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method for rights management of a distributed file system as claimed in any one of claims 1 to 4.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method of rights management for a distributed file system according to any one of claims 1 to 4.
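The control flow of claims 1, 3 and 4 (the same flow as the access verification module of example four), written out as an added example; it is not code from the patent or from Hadoop. The class names AccessController and WebService, the in-memory read-write permission table, every IP address and user name, and a version counter standing in for the "last update time" exchanged with the Web service are all constructed assumptions.

```python
from typing import Dict, Set, Tuple

# Constructed sample allowed user set: portal server IP -> user names allowed from it.
PORTAL_ALLOWED: Dict[str, Set[str]] = {
    "10.0.0.11": {"alice", "bob"},   # portal server 1
    "10.0.0.12": {"hdfs"},           # portal server 2: super account only
}
# Constructed NodeManager addresses. Source identity rests on the IP address,
# so the network must prevent address spoofing for this check to hold.
NODEMANAGER_IPS: Set[str] = {"10.0.1.21", "10.0.1.22"}
# Constructed internal read-write permission table: path -> user -> mode.
ACL: Dict[str, Dict[str, str]] = {
    "/data/reports": {"alice": "rw", "bob": "r", "hdfs": "rw"},
}
SUPER_USER = "hdfs"  # assumed super account name


class WebService:
    """Stand-in for the file system's Web service: holds the configured
    allowed user set and answers 'updated since <last update time>?'."""

    def __init__(self, allowed: Dict[str, Set[str]]) -> None:
        self.allowed = allowed
        self.version = 1          # models the last update time

    def update(self, allowed: Dict[str, Set[str]]) -> None:
        self.allowed = allowed
        self.version += 1

    def updated_since(self, last_update: int) -> bool:
        return self.version > last_update

    def fetch(self) -> Tuple[Dict[str, Set[str]], int]:
        return {ip: set(users) for ip, users in self.allowed.items()}, self.version


class AccessController:
    """External access control in front of the NameNode: source check by IP,
    then user-name check, then the NameNode's own read-write permission check."""

    def __init__(self, web: WebService, nodemanagers: Set[str]) -> None:
        self.web = web
        self.nodemanagers = set(nodemanagers)
        self.allowed: Dict[str, Set[str]] = {}
        self.last_update = 0
        self.refresh()

    def refresh(self) -> bool:
        """Periodic step (claim 4): send the last update time and pull the set
        only when the Web service reports a change. Returns True if pulled."""
        if not self.web.updated_since(self.last_update):
            return False
        self.allowed, self.last_update = self.web.fetch()
        return True

    def check_rw(self, user: str, path: str, op: str) -> bool:
        """Internal read-write permission check; op is 'r' or 'w'."""
        if user == SUPER_USER:
            return True
        return op in ACL.get(path, {}).get(user, "")

    def authorize(self, user: str, ip: str, path: str, op: str) -> Tuple[bool, str]:
        """Returns (allowed, stage). A request from an IP that is neither a
        NodeManager nor a configured portal is denied even for the super account,
        which is the gap the patent's external check closes."""
        if ip in self.nodemanagers:          # claim 3: skip the set match
            return self.check_rw(user, path, op), "nodemanager"
        names = self.allowed.get(ip)
        if names is None:
            return False, "unknown source ip"
        if user not in names:
            return False, "user not allowed from this portal"
        return self.check_rw(user, path, op), "portal"
```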
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810031104.7A CN108289098B (en) | 2018-01-12 | 2018-01-12 | Authority management method and device of distributed file system, server and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108289098A CN108289098A (en) | 2018-07-17 |
CN108289098B true CN108289098B (en) | 2021-07-06 |
Family
ID=62835195
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810031104.7A Active CN108289098B (en) | 2018-01-12 | 2018-01-12 | Authority management method and device of distributed file system, server and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108289098B (en) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108696540A (en) * | 2018-07-18 | 2018-10-23 | 安徽云图信息技术有限公司 | A kind of authorizing secure system and its authorization method |
CN109299617A (en) * | 2018-09-19 | 2019-02-01 | 中国农业银行股份有限公司贵州省分行 | A kind of file encryption and decryption system |
CN111049869B (en) * | 2018-10-15 | 2022-09-02 | 航天信息股份有限公司 | User management method and system in Hadoop cluster |
CN111104666B (en) * | 2018-10-25 | 2023-09-05 | 戴尔产品有限公司 | Method, apparatus and computer readable medium for accessing services |
CN112579557A (en) * | 2019-09-27 | 2021-03-30 | 北京沃东天骏信息技术有限公司 | Request response method, device, system, computer system and readable storage medium |
CN112579525A (en) * | 2019-09-30 | 2021-03-30 | 成都长虹网络科技有限责任公司 | WEB-based unified file processing method and system |
CN111427861B (en) * | 2020-02-28 | 2023-05-05 | 云知声智能科技股份有限公司 | Distributed file system configuration method and device |
CN113158169A (en) * | 2021-03-30 | 2021-07-23 | 北京大米科技有限公司 | Hadoop cluster-based verification method and device, storage medium and electronic equipment |
CN113779609B (en) * | 2021-09-22 | 2024-03-22 | 北方健康医疗大数据科技有限公司 | Data management method, device, electronic equipment and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102341809A (en) * | 2009-03-12 | 2012-02-01 | 国际商业机器公司 | Distributed filesystem access |
CN102546664A (en) * | 2012-02-27 | 2012-07-04 | 中国科学院计算技术研究所 | User and authority management method and system for distributed file system |
CN107196951A (en) * | 2017-06-12 | 2017-09-22 | 北京明朝万达科技股份有限公司 | The implementation method and firewall system of a kind of HDFS systems fire wall |
CN107257334A (en) * | 2017-06-08 | 2017-10-17 | 中国电子科技集团公司第三十二研究所 | Identity authentication method for Hadoop cluster |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8738629B1 (en) * | 2013-05-03 | 2014-05-27 | Splunk Inc. | External Result Provided process for retrieving data stored using a different configuration or protocol |
History
- 2018-01-12 CN CN201810031104.7A patent/CN108289098B/en active Active
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |