CN110290138B - Restricted login method and system suitable for test database - Google Patents

Info

Publication number
CN110290138B
Authority
CN
China
Prior art keywords
login
test
database
list
information
Prior art date
Legal status
Active
Application number
CN201910566491.9A
Other languages
Chinese (zh)
Other versions
CN110290138A (en)
Inventor
王鹏
周风华
程寅
Current Assignee
Nanyin Faba Consumer Finance Co ltd
Original Assignee
Suning Consumer Finance Co ltd
Priority date
Filing date
Publication date
Application filed by Suning Consumer Finance Co ltd
Priority to CN201910566491.9A
Publication of CN110290138A
Application granted
Publication of CN110290138B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H: Electricity
      • H04: Electric communication technique
        • H04L: Transmission of digital information, e.g. telegraphic communication
          • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/28: Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
          • H04L63/00: Network architectures or network communication protocols for network security
            • H04L63/02: Separating internal from external traffic, e.g. firewalls
              • H04L63/0227: Filtering policies
                • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
            • H04L63/08: Authentication of entities
              • H04L63/0815: Providing single-sign-on or federations
              • H04L63/0876: Based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04L63/10: Controlling access to devices or network resources
              • H04L63/101: Access control lists [ACL]
            • H04L63/14: Detecting or protecting against malicious traffic
              • H04L63/1441: Countermeasures against malicious traffic
                • H04L63/1458: Denial of Service

Abstract

The invention discloses a login limiting method and system suitable for a test database. A login trigger sent from the outside is received, and each received login request is judged by the login trigger as follows: judge whether the IP address contained in the login request belongs to a first IP address list; if so, allow the login; otherwise judge in turn whether the user name is stored in a white list, whether the domain account is stored in the domain account list allowing login, and whether the IP address belongs to a second IP address list corresponding to the user name; if all three checks pass, allow the login request, otherwise reject it. The invention uses a login trigger to limit the roles of the members and the devices that may log in to a test database, and hands the change authority over the test database to the tester; the tester account information database and the test information database are monitored in real time or periodically, and when the data of either database changes, a new login trigger is generated to match the changed test database.

Description

Restricted login method and system suitable for test database
Technical Field
The invention relates to the technical field of computers, in particular to a login limiting method and system suitable for a test database.
Background
In the software testing process, testers do their daily work in a testing environment, testing the code, databases and other components that support the operation of the system in that environment, so changes to the databases need to be kept within a controllable range.
Database changes can be broadly divided into two types: updates to data (insert, delete, modify and query) made while the code runs, and updates to the database definition made by a database administrator or another authorised operator who logs in to the database, which include creating, modifying and deleting objects such as tables, sequences, indexes and stored procedures. The latter type directly affects whether the basis on which software test conclusions rest is reliable, and needs to be controlled; the former type is the focus of the testing itself.
Unlike the production environment, the password of a test database is semi-public for various reasons, and is stored in plaintext in system configuration or code configuration. The production database can be logged in to only through bastion hosts and the like because of network segment isolation, and the office area cannot reach it; the network segment where the test environment databases are deployed, however, is directly reachable from the office area, and both testers and developers need database access. A developer can log in to the database with any high-privilege user and make changes, and such changes lead to inconsistency between test environments and inconsistency with the scripts delivered to the testers.
The personnel related to the test database fall into three roles: the database administrator or operation and maintenance staff, the tester, and the developer. The tester is responsible for changes to the test environment database; the developer initiates a change and the test environment tests it; if the developer logs in to the database and makes changes at will, the tester's work is seriously affected.
Disclosure of Invention
The invention aims to provide a login limiting method and a login limiting system suitable for a test database, wherein a login trigger is adopted to limit the roles of login members and login equipment of the test database, and the change authority of the test database is handed to a tester; the login trigger comprises four layers of judgment, and the average login judgment time is shortened and the CPU resource occupation is reduced by combining a first IP address list and a white list; monitoring the account information database and the test information database of the tester in real time/regularly, and generating a new login trigger to adapt to the changed test database when the data of any one database is changed; and testing the pushed new login trigger by using the test account number, and verifying the pushing result.
To achieve the above object, with reference to fig. 1, the present invention provides a method for limiting login to a test database, the method comprising:
S1: Receive a login trigger sent from the outside. The login trigger comprises at least the account information corresponding to the test database, and the account information comprises a first IP address list, a first MAC address list, a white list, a domain account list allowing login, a second IP address list and a second MAC address list.
S2: Judge the received login request with the login trigger. The login request comprises at least an IP address, a user name and a domain account, and the judgment comprises the following steps:
S21: Judge whether the IP address contained in the login request belongs to the first IP address list; if so, go to step S25, otherwise go to step S22.
S22: Judge whether the user name contained in the login request is stored in the white list; if so, go to step S23, otherwise reject the login request and end the process.
S23: Judge whether the domain account contained in the login request is stored in the domain account list allowing login; if so, go to step S24, otherwise reject the login request and end the process.
S24: Judge whether the IP address belongs to the second IP address list corresponding to the user name; if so, record the login information to the login log and go to step S25, otherwise reject the login request and end the process.
S25: Allow the login request and end the process.
Based on the method, the invention also provides a login limiting system suitable for the test database, and the system comprises a test information database, a tester account information database, a test database management module, an account information management module, a login request receiving module, a login trigger and a login information management module.
The test information database stores the information of each test database whose login is limited; this test database information comprises the white list and the read-only user account information of that test database.
The test database management module comprises a login limit level management unit, a white list management unit, a read-only user management unit and a test information database monitoring unit.
The login limit level management unit manages the login limit level of each test database (limited login or unlimited login) and sends the names of the test databases with limited login to the test information database; the white list management unit manages the white list of each test database; the read-only user management unit manages the read-only user account information of each test database; the test information database monitoring unit monitors, in real time or at a set period, whether the data in the test information database has changed, and if so sends a first change signal to the login trigger management module.
The tester account information database stores the account information corresponding to each test database with limited login and comprises an employee basic information list and a test role list; the employee basic information list manages the employee's job number, domain account, name, department, position and contact information; the test role list stores all positions that have login authority.
The account information management module manages account information and comprises an employee basic information management unit, a test role list management unit, an IP address and MAC address management unit, and a tester account information database monitoring unit.
The employee basic information management unit manages the employee basic information list; the test role list management unit manages the test role list; the IP address and MAC address management unit manages the correspondence between IP addresses and MAC addresses; the tester account information database monitoring unit monitors, in real time or at a set period, whether the data in the tester account information database has changed, and if so sends a second change signal to the login trigger management module.
The login trigger management module responds to the first change signal and the second change signal by combining the updated data in the tester account information database and the test information database, creating a new login trigger for the changed test database, and pushing the new login trigger to that test database.
The login request receiving module receives a login request, extracts the IP address, user name, domain account and MAC address from it, and sends the extraction result to the login trigger for judgment of the login authority.
The login trigger comprises a login request receiving unit and first, second, third and fourth judging units, wherein:
the login request receiving unit receives the extraction result from the login request receiving module and passes it to the first judging unit; the first judging unit judges whether the IP address contained in the login request belongs to the first IP address list, and if so outputs a login success instruction, otherwise passes the extraction result to the second judging unit; the second judging unit judges whether the user name contained in the login request is stored in the white list, and if so passes the extraction result to the third judging unit, otherwise outputs a login failure instruction; the third judging unit judges whether the domain account contained in the login request is stored in the domain account list allowing login, and if so passes the extraction result to the fourth judging unit, otherwise outputs a login failure instruction; the fourth judging unit judges whether the IP address belongs to the second IP address list corresponding to the user name, and if so records the login information to the login log and outputs a login success instruction, otherwise outputs a login failure instruction.
The login information management module records the login information to the login log.
Each test database set to limited login has its own login trigger, in which the account information allowed to log in to that test database is stored; preferably, the account information stored in the login trigger cannot be changed from the outside, which preserves the limiting function of the trigger. When the login trigger needs to be updated there are two ways: first, a user pushes it manually to the corresponding test server; second, the system monitors the tester account information database and the test information database in real time or periodically, and when it detects that the data of either database has changed, generates a new login trigger from the changed data and pushes it to the corresponding test database.
For example, the system sets a timed push frequency at which it checks whether the tester account information database and the test information database have changed; if so, it pushes a login trigger, and if not, nothing is pushed. This timed task serves as a compensating push, guarding against a failed real-time push.
The login trigger comprises at least four layers of judging units: the first judges whether the IP address contained in the login request belongs to the first IP address list; the second judges whether the user name contained in the login request is stored in the white list; the third judges whether the domain account contained in the login request is stored in the domain account list allowing login; and the fourth judges whether the IP address belongs to the second IP address list corresponding to the user name.
Specifically, when the system receives a login request from the outside, it sends the request to the login trigger corresponding to the test database the user is requesting to log in to; the login request comprises at least an IP address, a user name and a domain account. If the IP address does not belong to the first IP address list, the user name is checked: if it belongs to the white list (which may be a list of high-privilege users), the third judging unit identifies the domain account, otherwise the login is refused; if the domain account is stored in the domain account list allowing login, the fourth judging unit identifies the IP address, otherwise the login is refused; and if the IP address also belongs to the second IP address list corresponding to the user name, the login information is recorded to the login log and the login is released, otherwise the login is refused.
Preferably, in the second judging unit the login trigger further determines whether the user name belongs to a read-only user list with read-only permissions; a user name in the read-only user list is released directly, but the login account is given only read-only permissions.
Compared with the prior art, the technical scheme of the invention has the following remarkable beneficial effects:
(1) A login trigger is used to limit the roles of the members and the devices that may log in to the test database, and the change authority over the test database is handed to the tester.
(2) The login trigger comprises four layers of judgment; combining the first IP address list and the white list shortens the average login judgment time and reduces CPU usage.
(3) The tester account information database and the test information database are monitored in real time or periodically, and when the data of either database changes, a new login trigger is generated to match the changed test database.
(4) The newly pushed login trigger is tested with a test account, verifying the push result.
(5) A log analysis unit periodically analyses the login log to identify abnormal logins, ensuring the security of the test database.
It should be understood that all combinations of the foregoing concepts and additional concepts described in greater detail below can be considered as part of the inventive subject matter of this disclosure unless such concepts are mutually inconsistent. In addition, all combinations of claimed subject matter are considered a part of the presently disclosed subject matter.
The foregoing and other aspects, embodiments and features of the present teachings can be more fully understood from the following description taken in conjunction with the accompanying drawings. Additional aspects of the present invention, such as features and/or advantages of exemplary embodiments, will be apparent from the description which follows, or may be learned by practice of specific embodiments in accordance with the teachings of the present invention.
Drawings
The drawings are not intended to be drawn to scale. In the drawings, each identical or nearly identical component that is illustrated in various figures may be represented by a like numeral. For purposes of clarity, not every component may be labeled in every drawing. Embodiments of various aspects of the present invention will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a flow chart of the restricted login method for a test database of the present invention.
FIG. 2 is a schematic diagram of the employee basic information maintenance of the present invention.
Fig. 3 is a schematic diagram of the test role position list maintenance of the present invention.
Fig. 4 is a schematic diagram of an office domain registration record of the present invention.
FIG. 5 is a diagram illustrating the binding management of the MAC address and the IP address of the office computer according to the present invention.
FIG. 6 is a schematic diagram of test role employee list maintenance in accordance with the present invention.
FIG. 7 is a schematic diagram of the restricted-login test-environment Oracle database of the present invention.
Fig. 8 is a schematic diagram of one example of a login trigger of the present invention.
Fig. 9 is a flowchart of a second embodiment of the present invention.
Fig. 10 is a schematic diagram of login trigger maintenance in accordance with the present invention.
Detailed Description
In order to better understand the technical content of the present invention, specific embodiments are described below with reference to the accompanying drawings.
Detailed description of the preferred embodiment
With reference to fig. 1, the present invention provides a login limiting method for a test database, where the method includes:
s1: and receiving a login trigger sent from the outside, wherein the login trigger at least comprises account information corresponding to the test database, and the account information comprises a first IP address list, a first MAC address list, a white list, a domain account list allowing login, a second IP address list and a second MAC address list.
S2: judging the received login request by adopting a login trigger, wherein the login request at least comprises an IP address, a user name and a domain account, and the method comprises the following steps:
s21: and judging whether the IP address contained in the login request belongs to a first IP address list, if so, entering the step S25, otherwise, entering the step S22.
S22: and judging whether the user name contained in the login request is stored in a white list, if so, entering the step S23, otherwise, rejecting the login request, and ending the process.
S23: and judging whether the domain account contained in the login request is stored in a domain account list allowing login, if so, entering the step S24, otherwise, rejecting the login request, and ending the process.
S24: and judging whether the IP address belongs to a second IP address list corresponding to the user name, if so, recording login information to a login log, and entering step S25, otherwise, rejecting the login request, and ending the process.
S25: and allowing the login request and ending the process.
The login trigger comprises at least four layers of judging units, wherein the first judging unit is used for judging whether the IP address contained in the login request belongs to a first IP address list or not, and if the login equipment used by the user belongs to a test environment or not; the second judging unit is used for judging whether the user name contained in the login request is stored in the white list, for example, whether the account which the user requests to login belongs to the test account which allows login; the third judging unit is used for judging whether the domain account contained in the login request is stored in a domain account list allowing login, the domain account is used for logging in a computer, and the third judging unit is used for judging the position information of the user; the fourth judging unit is used for judging whether the IP address belongs to a second IP address list corresponding to the user name, and the third judging unit is used for judging whether the equipment which the user requests to log in belongs to an office area and the like.
The foregoing method is explained in detail below by way of an example.
In an enterprise, all machines of the test environment, including the test application deployment servers and the database deployment servers, are uniformly planned into the same network segment, such as a '17.29' network segment. The test environment is a set of software and hardware set up during software development and testing, separate from the production environment and used only for testing; the test application is the system or service under test; the database may be an Oracle database. All machines in the test environment can be used only by managers and testers.
The office area is uniformly planned into another network segment, such as a '17.30' network segment, so that the office area is isolated from the test environment. The office area is the workplace of software developers, software testers, database administrators and others; the routine work of developers is software development, including writing code and designing database scripts; testers inspect the quality of the developers' output to find potential problems; and database administrators perform basic maintenance on the database of each environment. Office computers in the office area can be used by managers, testers and developers, and each worker has their own office computer with a unique IP address and a unique MAC address.
The IP addresses of the '17.29' network segment together form the first IP address list, and the IP addresses of the '17.30' network segment form the second IP address list. The white list stores high-privilege user names, such as the user names of the test accounts corresponding to testers.
To protect the security of the database, in some examples the tester may be limited to logging in to the database only from devices in the test environment and from certain devices in the office area. This avoids the tester logging in from a developer's computer and leaving login information there, or the developer logging in to the database, either of which threatens the data security of the database. Under the limitation of the foregoing example, after receiving a login request the system sends it to the login trigger corresponding to the test database, and the login trigger performs at least four layers of judgment.
First-layer judgment: if the IP address in the login request belongs to the first IP address list, the requesting device belongs to the test environment and the requesting user is a manager and/or tester, so the request is released directly; otherwise the second layer of judgment is entered.
Second-layer judgment: if the user name in the login request belongs to the white list, the requesting user is a high-privilege user such as a tester or administrator, and the third layer of judgment is entered; otherwise the requesting user has no change authority over the test database, and the login request may be rejected directly, or it may be further judged whether the user is a read-only user, in which case read-only authority is granted. Preferably, the user name and password of the read-only user are the same, which eases maintenance and daily use.
Third-layer judgment: if the domain account in the login request is stored in the list of domain accounts allowed to log in (as described above, the domain account is the one used to log in to the computer), the user and device requesting login are judged further: the login device belongs to the office environment and the user may be a tester, for example a tester who has logged in to a temporary computer with their domain account and requests login from it, the temporary computer belonging to the office environment. If the user does not pass the third-layer judgment, the device requesting login belongs to an external environment, and the login is rejected because the security of an external computer cannot be determined.
Fourth-layer judgment: judge whether the IP address in the login request belongs to the second IP address list corresponding to the user name.
When the IP addresses of all the testers' office computers are stored in the second IP address list: if the IP address belongs to the second IP address list, the user is requesting login from a tester's office computer and the login is allowed; if it does not, the device the tester is requesting login from may be a developer's office computer, and the current login is rejected. This prevents login information of the test database from being stored on a developer's computer, which would threaten the security of the test database, and at the same time places effective control on the testers' login behaviour.
It should be understood that this example of limited login is only one way of applying the invention; in practice it may be adjusted to specific requirements. For example, if stricter control is required, a tester may be limited to logging in to the test database only from devices in the test environment and from the tester's own device: when only the IP address bound to the user name is stored in the second IP address list, the tester cannot log in to the test database from any office computer other than their own, which fixes the ways a tester can log in and eases management and control.
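The four-layer judgment of steps S21 to S25, together with the read-only-user variant, modelled in Python as an added example; this is not the patent's code (an Oracle logon trigger would implement it in PL/SQL). The '17.29' and '17.30' segments follow the page's example; all user names, domain accounts and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LoginRequest:
    ip: str
    username: str
    domain_account: str
    mac: str = ""


@dataclass
class LoginTrigger:
    """Account information carried by the trigger (step S1); all values are
    constructed sample data, not taken from a real deployment."""
    first_ip_segment: ipaddress.IPv4Network  # test environment ('17.29' segment in the page's example)
    white_list: set                          # high-privilege user names (tester accounts)
    allowed_domain_accounts: set             # domain accounts whose position is in the test role list
    second_ip_list: dict                     # user name -> office IP addresses bound to that tester
    read_only_users: set = field(default_factory=set)
    login_log: list = field(default_factory=list)

    def judge(self, req: LoginRequest) -> str:
        try:
            ip = ipaddress.ip_address(req.ip)
        except ValueError:
            return "DENY"  # a malformed address can never match any list
        # Layer 1 (S21): a device inside the test environment is released directly.
        if ip in self.first_ip_segment:
            return "ALLOW"
        # Layer 2 (S22): only white-listed (high-privilege) user names continue.
        if req.username not in self.white_list:
            # Preferred variant on the page: read-only users are released,
            # but the session only receives read-only permissions.
            if req.username in self.read_only_users:
                return "ALLOW_READ_ONLY"
            return "DENY"
        # Layer 3 (S23): the domain account must be one allowed to log in.
        if req.domain_account not in self.allowed_domain_accounts:
            return "DENY"
        # Layer 4 (S24): the office IP must be one bound to this tester's user name.
        if req.ip not in self.second_ip_list.get(req.username, set()):
            return "DENY"
        # Only a login that passed all four layers is written to the login log.
        self.login_log.append((req.username, req.domain_account, req.ip, req.mac))
        return "ALLOW"


def build_sample_trigger() -> LoginTrigger:
    """Constructed stand-in for the data the trigger management module would
    assemble from the tester account information and test information databases."""
    return LoginTrigger(
        first_ip_segment=ipaddress.ip_network("17.29.0.0/16"),
        white_list={"tester_a", "tester_b"},
        allowed_domain_accounts={"corp\\zhang", "corp\\li"},
        second_ip_list={"tester_a": {"17.30.1.10"}, "tester_b": {"17.30.1.11"}},
        read_only_users={"readonly"},
    )


def judge_sample_requests() -> dict:
    """Run constructed login requests through the trigger; returns each
    outcome plus the resulting login log."""
    trig = build_sample_trigger()
    cases = {
        "test_env_device": LoginRequest("17.29.5.5", "anyuser", "corp\\wang"),
        "tester_own_pc": LoginRequest("17.30.1.10", "tester_a", "corp\\zhang", "aa:bb:cc:dd:ee:01"),
        "not_whitelisted": LoginRequest("17.30.1.10", "dev_user", "corp\\zhang"),
        "read_only_user": LoginRequest("17.30.1.50", "readonly", "corp\\wang"),
        "domain_not_allowed": LoginRequest("17.30.1.10", "tester_a", "corp\\wang"),
        "developer_pc": LoginRequest("17.30.1.99", "tester_a", "corp\\zhang"),
        "malformed_ip": LoginRequest("not-an-ip", "tester_a", "corp\\zhang"),
    }
    results = {name: trig.judge(req) for name, req in cases.items()}
    results["login_log"] = list(trig.login_log)
    return results


if __name__ == "__main__":
    for name, outcome in judge_sample_requests().items():
        print(f"{name}: {outcome}")
```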
In some examples, because the IP address is important in the judgment conditions of the login trigger, it may be controlled through the following two measures. First, the first IP address list and the first MAC address list are placed in one-to-one correspondence, and likewise the second IP address list and the second MAC address list. Second, employees cannot modify the IP acquisition policy of their office computer; the address can only be obtained automatically via DHCP.
For example, when an employee joins the company and logs in to a computer with the domain account for the first time, generally on the office computer assigned to them, the system automatically binds the MAC address and IP address of the device after the first successful login. This ensures that the IP used by the employee in subsequent work stays the same and that the device's MAC and IP addresses correspond to the employee's domain account. Preferably, the binding among MAC address, IP address and domain account can also be maintained manually: if the binding information is wrong or an office computer is replaced, a manager can add or delete the record; only one record can exist at a time per MAC address.
In a further embodiment, in step S23, recording the login information to the login log means:
extracting the IP address/MAC address contained in the login request and comparing it with the IP address/MAC address corresponding to the user name. If they match, the tester is logging in to the test database from their own computer and the login information is recorded in the main record data table; otherwise the tester is using a temporary computer and the login information is recorded in the temporary record data table.
Preferably, the tester has operation authority over their own temporary record data table. Each employee has at most two records: a main record registering use of the employee's own computer, which the employee cannot modify and which only an administrator may modify or delete; and a temporary record registering a computer that is not the employee's own, which the employee and/or an administrator may delete. More preferably, the system sets an interception frequency automatically: if an employee deletes the temporary record frequently within one day, one week or one month, an upper risk limit is reached and further deletions are refused.
In some examples, the method further comprises:
if the temporary record data table is not empty, not recording the login information.
For example, when the position of the employee is in the test role list: on the first login, the employee's information is added to the employee's main record; if the employee logs in from another computer and the employee's temporary record is empty, a new temporary record is added; if the employee logs in from another computer and the temporary record is not empty, nothing is registered.
Preferably, the logins of read-only users are not recorded, which reduces the system's computation and storage. That is, when the employee's position is not in the test role list, the employee is not registered.
In other examples, the login information management module further includes a login log analysis unit.
The login log analysis unit periodically analyses the login log and, if the number of IP addresses from which any one domain account has requested login within a set time range exceeds a set threshold, marks that domain account as being in a monitoring state.
When the number of IP addresses from which a user has requested login within the set time range exceeds the threshold, the requester has used several computers within a short time, which is abnormal login behaviour; to protect the security of the test database the domain account is put under monitoring, its operation authority is restricted, and so on.
The invention also provides a method for quickly judging the login authority of a domain account. Specifically, the step of judging whether the domain account contained in the login request is stored in the domain account list allowing login comprises:
creating a test role list containing all position information with login authority and using the test role list as the domain account list; and judging whether the position information corresponding to the domain account contained in the login request is stored in the test role list.
For example, positions such as test specialist, test engineer and test supervisor are maintained in the test role list, and whether an employee is a test role can be identified from the employee's position attribute. Staffing in an enterprise changes frequently, and managing authority per user name would be a very large amount of work; with this method the test database administrator manages login authority uniformly by position attribute, without needing to know member names, and when a member's login authority must be changed, the member's position information is modified directly. The position attribute thereby becomes the authorisation decision, so the system that maintains it must be trusted to the same degree as the account list it replaces.
The login limiting method of the invention depends mainly on the login trigger. As described above, when data changes, for example when a test database switches from an open state to a restricted-login state, or when the account information of the people allowed to log in to a test database changes (such as a member being added), a new login trigger must be generated and pushed to the corresponding test database. Specifically, the method further comprises:
creating a tester account information database and a test information database, the test information database storing the information of the test databases with restricted login and the tester account information database storing the account information corresponding to each such test database;
monitoring the tester account information database and the test information database in real time or at a set period; if the data of either database changes, combining the updated data of both, creating a new login trigger for the changed test database and pushing it to that database. Because the trigger embeds the lists, a removed member keeps access until the new trigger has been pushed, so the push delay bounds the revocation latency.
To confirm whether the login trigger has been pushed successfully, the invention provides the following test method.
The method further comprises:
using a test account to send a login request to the changed test database periodically in order to verify the result of pushing the login trigger, and, if the push of the login trigger has failed, sending alarm information to a specified client.
The test account may be prepared in advance, selected at random from the tester account information database, or a combination of both. Checking the push through the test account ensures that the login trigger has been pushed successfully. The probe only proves the trigger is present and behaves as expected for that account; to detect a stale trigger it should exercise a case the latest change altered, such as a newly added member that should now be accepted or a removed member that should now be rejected.
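The change-driven regeneration described above, written out as an added example (not the patent's own code, nor the trigger of its fig. 8): the script renders an Oracle AFTER LOGON trigger from a constructed restricted-login database list and tester account list, and pushes it only to databases whose rendered trigger differs from the one last pushed, which is the "changed test database" rule. The table layouts, the database and user names, the 17.29 test-server prefix and the trigger name restrict_test_login are all assumptions.

```python
"""Regenerating and pushing the login trigger when either list changes.

Added example, not the patent's own code. It renders an Oracle AFTER LOGON
trigger from the restricted-login database list and the tester account list,
and regenerates it only for databases whose rendered trigger differs from the
one last pushed. Field names, user and database names and the 17.29 network
tag are constructed; the PL/SQL is a plausible shape, not the patent's fig. 8."""
import hashlib


def sql_str(value: str) -> str:
    """Render a string as an Oracle literal, doubling embedded quotes so that
    a name taken from the account list cannot break out of the generated DDL."""
    return "'" + value.replace("'", "''") + "'"


def in_list(values) -> str:
    """Comma-separated literal list. An empty list renders as ('') which is
    NULL in Oracle, so `x IN ('')` is never true and nothing slips through."""
    return ", ".join(sql_str(v) for v in sorted(values)) or "''"


def render_trigger(db: dict, accounts: list, test_roles: set) -> str:
    """db: {'name', 'test_server_prefix', 'whitelist', 'readonly_users'}
    accounts: [{'domain_account', 'position', 'ips'}, ...]; only accounts whose
    position is a test role are written into the trigger (layers 3 and 4)."""
    testers = [a for a in accounts if a["position"] in test_roles]
    ip_rules = "\n".join(
        f"  IF v_os_user = {sql_str(a['domain_account'])} "
        f"AND v_ip IN ({in_list(a['ips'])}) THEN RETURN; END IF;"
        for a in testers
    )
    return f"""CREATE OR REPLACE TRIGGER restrict_test_login
AFTER LOGON ON DATABASE
DECLARE
  v_ip      VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_user    VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_os_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'OS_USER');
BEGIN
  -- layer 1: sessions from the test application servers are released, unlogged
  IF v_ip LIKE {sql_str(db['test_server_prefix'] + '%')} THEN RETURN; END IF;
  -- layer 2: the database user must be whitelisted; read-only users are released
  IF v_user IN ({in_list(u.upper() for u in db['whitelist'])}) THEN NULL;
  ELSE RAISE_APPLICATION_ERROR(-20001, 'login rejected: user not whitelisted');
  END IF;
  IF v_user IN ({in_list(u.upper() for u in db['readonly_users'])}) THEN RETURN; END IF;
  -- layers 3 and 4: the domain account must be a tester, connecting from
  -- that tester's own or registered temporary computer
{ip_rules}
  RAISE_APPLICATION_ERROR(-20002, 'login rejected: account or client address not permitted');
END;
/"""


class TriggerPusher:
    """Pushes a freshly rendered trigger only where its content changed."""

    def __init__(self, push):
        self.push = push      # callable(db_name, ddl): the real deployment step
        self.deployed = {}    # db name -> sha256 of the trigger last pushed

    def sync(self, databases, accounts, test_roles):
        pushed = []
        for db in databases:
            ddl = render_trigger(db, accounts, test_roles)
            digest = hashlib.sha256(ddl.encode()).hexdigest()
            if self.deployed.get(db["name"]) != digest:
                self.push(db["name"], ddl)
                self.deployed[db["name"]] = digest
                pushed.append(db["name"])
        return pushed


# Constructed sample lists (not the patent's data)
TEST_ROLES = {"test specialist", "test engineer", "test supervisor"}
DATABASES = [
    {"name": "QA_ORDER", "test_server_prefix": "17.29.",
     "whitelist": ["qa_rw", "qa_ro"], "readonly_users": ["qa_ro"]},
    {"name": "QA_PAY", "test_server_prefix": "17.29.",
     "whitelist": ["pay_rw"], "readonly_users": []},
]
ACCOUNTS = [
    {"domain_account": "CORP\\zhangsan", "position": "test engineer",
     "ips": ["17.30.1.10"]},
    {"domain_account": "CORP\\lisi", "position": "development engineer",
     "ips": ["17.30.2.21"]},
    {"domain_account": "CORP\\o'neil", "position": "test supervisor",
     "ips": ["17.30.1.11", "17.30.1.99"]},   # the quote exercises literal escaping
]

if __name__ == "__main__":
    pusher = TriggerPusher(lambda name, ddl: print(f"-- push to {name}\n{ddl}\n"))
    pusher.sync(DATABASES, ACCOUNTS, TEST_ROLES)
```

Two practical points the example makes visible. Names copied from the account list become SQL literals inside DDL, so they pass through sql_str; an unescaped quote in a domain account would otherwise corrupt or alter the trigger being pushed. And an exception raised in an Oracle logon trigger does not stop users holding the ADMINISTER DATABASE TRIGGER privilege, which is what lets the DBA account bypass the trigger as the detailed description states. The test-account probe is the complement to this script: it confirms that the pushed trigger is live on the database.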
Based on the method, the invention also provides a login limiting system suitable for the test database, and the system comprises a test information database, a tester account information database, a test database management module, an account information management module, a login request receiving module, a login trigger and a login information management module.
The test information database is used for storing a plurality of pieces of test database information for limiting login, and the test database information comprises a white list management unit and a read-only user management unit.
The test database management module comprises a login limit level management unit, a white list management unit, a read-only user management unit and a test information database monitoring unit.
The login limit level management unit is used for managing login limit levels of each test database, the login limit levels comprise limited login and unlimited login, and the login limit level management unit is also used for sending the name of the test database with limited login to the test information database; the white list management unit is used for managing a white list of each test database; the read-only user management unit is used for managing the read-only user account information of each test database; the test information database monitoring unit is used for monitoring whether data in the test information database are changed in real time or according to a set period, and if the data in the test information database are changed, a first change signal is sent to the login trigger management module.
The tester account information database stores the account information corresponding to each test database with restricted login and comprises an employee basic information list and a test role list; the employee basic information list manages the employee's job number, domain account, name, department, position and contact information; the test role list stores all position information with login authority.
The account information management module manages account information and comprises an employee basic information management unit, a test role list management unit, an IP address and MAC address management unit and a tester account information database monitoring unit.
The employee basic information management unit manages the employee basic information list; the test role list management unit manages the test role list; the IP address and MAC address management unit manages the correspondence between IP addresses and MAC addresses; the tester account information database monitoring unit monitors, in real time or at a set period, whether data in the tester account information database has changed and, if so, sends a second change signal to the login trigger management module.
The login trigger management module, in response to the first change signal or the second change signal, combines the updated data in the tester account information database and the test information database, creates a new login trigger for the changed test database and pushes it to that database.
The login request receiving module is used for receiving a login request, extracting an IP address, a user name, a domain account and an MAC address from the login request, and sending an extraction result to a login trigger to judge login authority.
The login trigger comprises a login request receiving unit, a first judging unit, a second judging unit, a third judging unit and a fourth judging unit, wherein:
the login request receiving unit is used for receiving the extraction result sent by the login request receiving module and importing the extraction result into the first judging unit; the first judging unit is used for judging whether the IP address contained in the login request belongs to a first IP address list, if so, outputting a login success instruction, and otherwise, importing the extraction result into a second judging unit; the second judging unit is used for judging whether the user name contained in the login request is stored in a white list or not, if so, the extraction result is led into the third judging unit, and if not, a login failure instruction is output; the third judging unit is used for judging whether the domain account contained in the login request is stored in a domain account list allowing login, if so, the extraction result is led into the fourth judging unit, and if not, a login failure instruction is output; the fourth judging unit is used for judging whether the IP address belongs to a second IP address list corresponding to the user name, if so, logging information is recorded to a logging log, and a logging success instruction is output, otherwise, a logging failure instruction is output.
The login information management module is used for recording login information to the login log.
First, employee basic information list
With reference to fig. 2, the employee basic information list contains the employee's job number, domain account, name, department, position, telephone and so on. A record is added when an employee joins and deleted when the employee leaves. Positions include test specialist, test engineer, test supervisor and development engineer. Test specialists, test engineers and test supervisors are testers: they may log in to the test database fully and have permission to change its data. A development engineer only has read-only permission and uses a read-only account to browse and query the test database.
Second, test role list
With reference to fig. 3, taking the position information above as an example, positions such as test specialist, test engineer and test supervisor are maintained in the test role list, and positions can be added to or deleted from it.
Third, test information database (list of Oracle databases in the test environment with restricted login)
With reference to fig. 7, the databases in the test environment that require login restriction are maintained here and can be added, modified and deleted. The database information includes the IP address, port number, instance name, read-only users (comma-separated if there are several) and so on.
Fourth, login log (office domain login records)
With reference to fig. 4, employees can only log in to their office computers with a domain account; after a successful login the login information is retained in the management system. The login information includes the domain account, name, MAC address, IP address, login time, whether it is the first login, and so on. Employees cannot modify the IP acquisition policy of the office computer, which can only obtain an address automatically via DHCP. After the employee's first successful login the management system binds the MAC address to the IP address, so that the same IP address is used in subsequent work; the MAC-to-IP binding can also be maintained manually.
Fifth, office computer MAC and IP binding management list
With reference to fig. 5, when an employee joins and first logs in with the domain account, generally on the office computer issued to that employee, the MAC address and IP address are bound automatically after the successful login. If the binding information is wrong or the office computer is replaced, an administrator can add or delete the record. Only one record may exist per MAC address at any time.
Sixth, test role employee list
In other examples, with reference to fig. 6, a test role employee list may also be managed.
Employees in the test role employee list log in to the database with a higher-authority database user in order to update it; employees not in the list can only log in with the read-only database user to run queries. The list contains the fields domain account, name, MAC address, IP address, whether the computer is the employee's own, and so on. Each employee has at most two records: a main record for the employee's own computer, which the employee cannot modify and which only an administrator may modify or delete; and a temporary record for a computer that is not the employee's own, which the employee and the administrator may delete. When the employee's position is in the test role list: on the first login, the employee's information is added to the main record; if the employee logs in from another computer and the temporary record is empty, a new temporary record is added; if the employee logs in from another computer and the temporary record is not empty, nothing is registered. When the employee's position is not in the test role list, nothing is registered. The list can be maintained manually: when the test role position list changes, existing employees are not updated into this list automatically and manual maintenance is required; when the office computer MAC/IP binding changes, the "own computer" record of this list is synchronised automatically.
With reference to fig. 10, the system automatically generates the control login trigger; its key fields come from the test role employee list and the restricted-login test environment Oracle database list.
When either of these two lists changes, the system pushes the login trigger to the test databases in real time. The push covers the changed test databases listed in the restricted-login test environment Oracle database list; a login trigger is regenerated for each database and then pushed to all the affected test databases at once.
The system also sets a timed push frequency for periodically checking whether the two lists have changed, pushing a login trigger if they have and doing nothing if they have not. This timed task compensates for failures of real-time pushing. The push task can also be run manually, which suits emergencies.
The content of one login trigger is shown in fig. 8. In this trigger the white list is handled differently: if the user name is in the white list it is released directly; if not, the next step judges the domain user name. There are thus several ways to apply the white list, and it can be adjusted to the security level and to the user names it contains. In fig. 8, for example, the white list holds high-authority users such as administrator accounts; such user names are relatively private, unpublished or semi-published, and carry a higher security level, so to speed up login and shorten the decision these users may be released directly without verifying the client device. Note that this variant gives up the device check for exactly the most privileged accounts, so it is only appropriate where those credentials are tightly held.
In a further embodiment, the login information management module further includes a login log analysis unit.
The login log analysis unit periodically analyses the login log and, if the number of IP addresses from which any one domain account has requested login within a set time range exceeds a set threshold, marks that domain account as being in a monitoring state.
For example, the system collects the office domain login records, extracts the login records from the LOGIN_ALLOW_LOG and LOGIN_REJECT_LOG tables of the databases, correlates them, issues the related reports and carries out the subsequent auditing.
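The analysis rule stated above (and in the earlier description of the login log analysis unit), as an added example that is not part of the patent: it correlates constructed rows from the LOGIN_ALLOW_LOG and LOGIN_REJECT_LOG tables, counts the distinct client IP addresses each domain account used inside a sliding time window, and returns the accounts to mark as monitored. The four-column row layout, the one-hour window and the threshold of two addresses are assumptions.

```python
"""Periodic login-log analysis: flag a domain account that requested logins
from more than a threshold of distinct IP addresses inside a time window.

Added example, not the patent's code. The rows are constructed; the table
names LOGIN_ALLOW_LOG and LOGIN_REJECT_LOG are the page's, the four-column
row layout is an assumption."""
from collections import defaultdict
from datetime import datetime

# Constructed rows: (source table, domain account, client IP, timestamp)
SAMPLE_LOG = [
    ("LOGIN_ALLOW_LOG",  "CORP\\zhangsan", "17.30.1.10", "2019-06-27 09:00:00"),
    ("LOGIN_ALLOW_LOG",  "CORP\\zhangsan", "17.30.1.10", "2019-06-27 09:30:00"),
    ("LOGIN_REJECT_LOG", "CORP\\lisi",     "17.30.2.21", "2019-06-27 09:05:00"),
    ("LOGIN_REJECT_LOG", "CORP\\lisi",     "17.30.2.22", "2019-06-27 09:06:00"),
    ("LOGIN_REJECT_LOG", "CORP\\lisi",     "17.30.2.23", "2019-06-27 09:07:00"),
    ("LOGIN_ALLOW_LOG",  "CORP\\lisi",     "17.30.2.24", "2019-06-27 09:40:00"),
    ("LOGIN_ALLOW_LOG",  "CORP\\wangwu",   "17.30.3.31", "2019-06-26 08:00:00"),
    ("LOGIN_ALLOW_LOG",  "CORP\\wangwu",   "17.30.3.32", "2019-06-27 10:00:00"),
]


def events_by_account(rows):
    """Correlate the allow and reject tables into one time-ordered stream per account."""
    events = defaultdict(list)
    for table, account, ip, ts in rows:
        events[account].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, table))
    return {account: sorted(evts) for account, evts in events.items()}


def max_distinct_ips(events, window_seconds):
    """Largest number of distinct client IPs one account used within any
    window of `window_seconds`; the window slides, anchored at each event."""
    best, best_ips = 0, set()
    for i, (start, _, _) in enumerate(events):
        ips = {ip for t, ip, _ in events[i:] if (t - start).total_seconds() <= window_seconds}
        if len(ips) > best:
            best, best_ips = len(ips), ips
    return best, best_ips


def flag_accounts(rows, window_seconds=3600, threshold=2):
    """Return the accounts to put into monitoring state, with the evidence."""
    flagged = {}
    for account, events in events_by_account(rows).items():
        n, ips = max_distinct_ips(events, window_seconds)
        if n > threshold:
            rejects = sum(1 for _, _, table in events if table == "LOGIN_REJECT_LOG")
            flagged[account] = {"state": "monitoring", "distinct_ips": sorted(ips),
                                "rejected_attempts": rejects}
    return flagged


if __name__ == "__main__":
    for account, detail in flag_accounts(SAMPLE_LOG).items():
        print(account, detail)
```

Counting both allowed and rejected logins matters: an account probing from several machines is usually visible first in the reject table, before any login succeeds, and the sliding window keeps a single address used all day from looking like several.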
Detailed description of the invention
With reference to fig. 9, the decision logic of the login trigger is as follows:
First, the account used by database administrators is the DBA account, which is not restricted by the trigger and can log in at will; the DBA account is kept strictly confidential and is not given to developers or testers.
Second, the test environment application servers connect to the database with any database user; because their IP addresses are identified as the 17.29 segment, the trigger releases them directly after the first-layer judgment and registers nothing, which reduces performance cost and time.
Third, developers and testers log in with the database's read-only user from IP addresses identified as the 17.30 segment; after the first-layer judgment finds no match with the test server IP, the second-layer judgment releases them and no log is recorded.
Fourth, a tester logs in from their own computer with a high-authority database user, reaches the fourth-layer judgment of the trigger, and a successful-login log is registered.
Fifth, a tester logs in to a temporary computer with their own domain account and then to the database with a high-authority user; the fourth-layer judgment is reached and a successful-login log is registered.
Sixth, a tester logs in to a temporary computer with their own domain account, but the temporary computer's IP is not in that employee's IP list; the fourth-layer judgment is reached and a login-refused log is registered.
Seventh, a developer logs in from their own computer with a high-authority database user and reaches the fourth-layer judgment; because the domain account is not in the test role list, a login-refused log is registered and a refusal prompt is shown.
Eighth, a developer logs in to a tester's computer with the developer's own domain account and then to the database with a high-authority user; because the domain account is not in the test role list, a login-refused log is registered and a refusal prompt is shown.
The judgment process of the login trigger comprises the following steps:
step one, judging whether a login IP is input into a test server network segment, if so, finishing the judgment and directly releasing; otherwise, entering the step two.
Step two, judging whether the logged database user name is in a white list, if not, finishing the judgment and directly rejecting; otherwise, entering the step three.
Step three, judging whether the computer user name is the domain account number of the tester, if not, refusing to log in, and popping up prompt information; if yes, go to step four.
Step four, judging whether the current IP is the IP of the computer of the tester or the computer IP which is allowed to be temporarily used by the tester, if not, refusing to log in and popping up prompt information; if yes, go to step five.
And step five, registering a login log and allowing login.
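The decision procedure above, together with the four judging units of the login trigger and the main record, temporary record and deletion-cap rules of the further embodiments, as one added example that is not the patent's own code. It runs constructed requests mirroring cases two to eight of the detailed description through the four layers and shows what each layer logs. Assumptions: the second IP list is keyed by domain account rather than by database user name; the MAC address is treated as data carried with the request, whereas an Oracle logon trigger only sees the client IP address and OS user through SYS_CONTEXT, so the MAC half of the check can only be enforced by the office network's MAC/IP binding; the 17.29 and 17.30 network tags follow the detailed description; every account, address and position is constructed.

```python
"""Login-trigger decision logic with the main/temporary record rules.
Added example, not the patent's code: the four judgment layers (claims S21 to
S24, steps one to five) over constructed requests, plus claims 4 and 6."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Request:
    ip: str
    db_user: str          # database user name used for the connection
    domain_account: str   # domain account of the client computer
    mac: str              # assumed to arrive with the request


@dataclass
class Trigger:
    test_server_net: ipaddress.IPv4Network   # first IP address list
    whitelist: set                           # database users allowed at all
    readonly_users: set                      # released at layer two, unlogged
    position_of: dict                        # domain account -> position
    test_roles: set                          # positions with login authority
    own_device: dict                         # domain account -> (ip, mac)
    temp_device: dict                        # domain account -> (ip, mac)
    main_record: dict = field(default_factory=dict)
    temp_record: dict = field(default_factory=dict)
    temp_deletes: dict = field(default_factory=dict)
    allow_log: list = field(default_factory=list)
    reject_log: list = field(default_factory=list)

    def decide(self, r: Request):
        # layer 1: test-environment servers pass with no record at all
        if ipaddress.ip_address(r.ip) in self.test_server_net:
            return "allow", "test server segment"
        # layer 2: database user must be whitelisted; read-only users are released
        if r.db_user not in self.whitelist:
            return self._reject(r, "database user not in white list")
        if r.db_user in self.readonly_users:
            return "allow", "read-only user"
        # layer 3: the domain account must hold a test role
        if self.position_of.get(r.domain_account) not in self.test_roles:
            return self._reject(r, "domain account not in test role list")
        # layer 4: the client must be this tester's own or registered temporary device
        registered = {self.own_device.get(r.domain_account),
                      self.temp_device.get(r.domain_account)}
        if (r.ip, r.mac) not in registered:
            return self._reject(r, "client not registered for this tester")
        self._record(r)
        return "allow", "tester on registered device"

    def _reject(self, r, reason):
        self.reject_log.append((r.domain_account, r.ip, reason))
        return "reject", reason

    def _record(self, r):
        self.allow_log.append((r.domain_account, r.ip))
        if (r.ip, r.mac) == self.own_device.get(r.domain_account):
            self.main_record[r.domain_account] = (r.ip, r.mac)   # the one main record
        elif r.domain_account not in self.temp_record:
            self.temp_record[r.domain_account] = (r.ip, r.mac)   # claim 6: only if empty

    def delete_temp_record(self, account, day, limit=3):
        """A tester may clear their own temporary record, but once `limit`
        deletions have happened on one day the risk cap refuses further ones."""
        count = self.temp_deletes.get((account, day), 0)
        if count >= limit:
            return False
        self.temp_deletes[(account, day)] = count + 1
        self.temp_record.pop(account, None)
        return True


def build_trigger() -> Trigger:
    return Trigger(
        test_server_net=ipaddress.ip_network("17.29.0.0/16"),
        whitelist={"QA_RW", "QA_RO"},
        readonly_users={"QA_RO"},
        position_of={"CORP\\zhangsan": "test engineer",
                     "CORP\\lisi": "development engineer"},
        test_roles={"test specialist", "test engineer", "test supervisor"},
        own_device={"CORP\\zhangsan": ("17.30.1.10", "aa:bb:cc:00:00:01"),
                    "CORP\\lisi": ("17.30.2.21", "aa:bb:cc:00:00:02")},
        temp_device={"CORP\\zhangsan": ("17.30.1.50", "aa:bb:cc:00:00:50")},
    )


# Constructed requests mirroring cases two to eight of the detailed description
SCENARIOS = [
    Request("17.29.0.5", "APP_USER", "svc_app", "00:00:00:00:00:00"),        # app server
    Request("17.30.2.21", "QA_RO", "CORP\\lisi", "aa:bb:cc:00:00:02"),        # read-only user
    Request("17.30.1.10", "QA_RW", "CORP\\zhangsan", "aa:bb:cc:00:00:01"),    # tester, own PC
    Request("17.30.1.50", "QA_RW", "CORP\\zhangsan", "aa:bb:cc:00:00:50"),    # tester, registered temp PC
    Request("17.30.1.77", "QA_RW", "CORP\\zhangsan", "aa:bb:cc:00:00:77"),    # tester, unregistered PC
    Request("17.30.2.21", "QA_RW", "CORP\\lisi", "aa:bb:cc:00:00:02"),        # developer, own PC
    Request("17.30.1.10", "QA_RW", "CORP\\lisi", "aa:bb:cc:00:00:01"),        # developer on tester's PC
]


def run_scenarios():
    """Evaluate every scenario on a fresh trigger; returns verdicts and the trigger."""
    trigger = build_trigger()
    verdicts = [trigger.decide(r)[0] for r in SCENARIOS]
    return verdicts, trigger
```

Calling run_scenarios() yields allow, allow, allow, allow, reject, reject, reject for the seven requests, in the order of the cases they mirror; the allow and reject logs and the main and temporary record tables stay on the returned Trigger object, so the log analysis can be run over them.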
In this disclosure, aspects of the present invention are described with reference to the accompanying drawings, in which a number of illustrative embodiments are shown. Embodiments of the present disclosure are not necessarily defined to include all aspects of the invention. It should be appreciated that the various concepts and embodiments described above, as well as those described in greater detail below, may be implemented in any of numerous ways, as the disclosed concepts and embodiments are not limited to any one implementation. In addition, some aspects of the present disclosure may be used alone, or in any suitable combination with other aspects of the present disclosure.
Although the present invention has been described with reference to the preferred embodiments, it is not intended to be limited thereto. Those skilled in the art can make various changes and modifications without departing from the spirit and scope of the invention. Therefore, the protection scope of the present invention should be determined by the appended claims.

Claims (9)

1. A restricted login method adapted for testing a database, the method comprising:
S1: receiving a login trigger sent from outside, wherein the login trigger at least comprises account information corresponding to a test database, and the account information comprises a first IP address list, a first MAC address list, a white list, a domain account list allowing login, a second IP address list and a second MAC address list;
S2: judging the received login request using the login trigger, wherein the login request at least comprises an IP address, a user name and a domain account, the judging comprising the following steps:
S21: judging whether the IP address contained in the login request belongs to the first IP address list; if so, entering step S25, otherwise entering step S22;
S22: judging whether the user name contained in the login request is stored in the white list; if so, entering step S23, otherwise rejecting the login request and ending the process;
S23: judging whether the domain account contained in the login request is stored in the domain account list allowing login; if so, entering step S24, otherwise rejecting the login request and ending the process;
S24: judging whether the IP address belongs to the second IP address list corresponding to the user name; if so, recording login information to a login log and entering step S25, otherwise rejecting the login request and ending the process;
S25: allowing the login request and ending the process;
the method further comprises the following steps:
creating a testing personnel account information database and a testing information database, wherein the testing information database is used for storing a plurality of pieces of testing database information for limiting login, and the testing personnel account information database is used for storing account information corresponding to each testing database for limiting login;
monitoring the tester account information database and the test information database in real time/according to a set period, if the data of any one database changes, combining the updated data in the tester account information database and the test information database, creating a new login trigger aiming at the changed test database, and pushing the new login trigger to the changed test database.
2. The method of claim 1, further comprising:
and adopting the test account number to periodically send a login request to the changed test database so as to verify the pushing result of the login trigger, and if the pushing of the login trigger fails, sending alarm information to the specified client.
3. The method of claim 1, wherein the first IP address list and the first MAC address list are in one-to-one correspondence;
and the second IP address list and the second MAC address list are in one-to-one correspondence.
4. The method of claim 3, wherein in step S23, recording the login information to the login log means:
extracting the IP address/MAC address contained in the login request and comparing it with the IP address/MAC address corresponding to the user name; if they match, recording the login information to a main record data table, otherwise recording the login information to a temporary record data table.
5. The method of claim 4, wherein the tester has an operation right on the temporary record data table corresponding to the tester.
6. The method of claim 4, further comprising:
and if the temporary recording data table is not empty, not recording the login information.
7. The method of claim 1, wherein the step of determining whether the domain account included in the login request is stored in a list of domain accounts allowed to be logged in comprises the steps of:
creating a test role list, wherein the test role list comprises all position information with login authority, and the test role list is used as a domain account list;
and judging whether the position information corresponding to the domain account contained in the login request is stored in a test role list.
8. A limited login system suitable for a test database is characterized by comprising a test information database, a tester account information database, a test database management module, an account information management module, a login request receiving module, a login trigger and a login information management module;
the test information database is used for storing a plurality of pieces of test database information for limiting login, and the test database information comprises a white list management unit and a read-only user management unit;
the test database management module comprises a login limit level management unit, a white list management unit, a read-only user management unit and a test information database monitoring unit;
the login limit level management unit is used for managing login limit levels of each test database, the login limit levels comprise limited login and unlimited login, and the login limit level management unit is also used for sending the name of the test database with limited login to the test information database; the white list management unit is used for managing a white list of each test database; the read-only user management unit is used for managing the read-only user account information of each test database; the test information database monitoring unit is used for monitoring whether data in the test information database are changed in real time or according to a set period, and if the data in the test information database are changed, a first change signal is sent to the login trigger management module;
the tester account information database is used for storing account information corresponding to each test database which is limited to login, and comprises an employee basic information list and a test role list; the employee basic information list is used for managing the employee job number, domain account, name, department information, position information and contact information; the test role list is used for storing all position information with login authority;
the account information management module is used for managing account information and comprises an employee basic information management unit, a test role list management unit, an IP address and MAC address management unit and a tester account information database monitoring unit;
the employee basic information management unit is used for managing the employee basic information list; the test role list management unit is used for managing the test role list; the IP address and MAC address management unit is used for managing the correspondence between IP addresses and MAC addresses; the tester account information database monitoring unit is used for monitoring, in real time or at a set period, whether data in the tester account information database has changed and, if so, sending a second change signal to the login trigger management module;
the login trigger management module responds to the first change signal and the second change signal by combining the updated data in the tester account information database and the test information database, creating a new login trigger for the changed test database and pushing the new login trigger to the changed test database;
the login request receiving module is used for receiving a login request, extracting an IP address, a user name, a domain account and an MAC address from the login request, and sending an extraction result to a login trigger to judge login authority;
the login trigger comprises a login request receiving unit, a first judging unit, a second judging unit, a third judging unit and a fourth judging unit, wherein:
the login request receiving unit is used for receiving the extraction result sent by the login request receiving module and importing the extraction result into the first judging unit;
the first judging unit is used for judging whether the IP address contained in the login request belongs to a first IP address list, if so, outputting a login success instruction, and otherwise, importing the extraction result into a second judging unit;
the second judging unit is used for judging whether the user name contained in the login request is stored in a white list or not, if so, the extraction result is led into the third judging unit, and if not, a login failure instruction is output;
the third judging unit is used for judging whether the domain account contained in the login request is stored in a domain account list allowing login, if so, the extraction result is led into the fourth judging unit, and if not, a login failure instruction is output;
the fourth judging unit is used for judging whether the IP address belongs to a second IP address list corresponding to the user name or not, if so, recording login information to a login log, and outputting a login success instruction, otherwise, outputting a login failure instruction;
the login information management module is used for recording login information to the login log.
9. The system of claim 8, wherein the login information management module further comprises a log analysis unit;
the log analysis unit is used for periodically analyzing the login log, and if the number of IP addresses from which any one domain account has requested to log in within a set time range exceeds a set number threshold, marking that domain account as being in a monitoring state.
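The four judging units of claim 8 and the log analysis unit of claim 9, as an added worked example that is not part of the patent text. The list contents, the request fields and the decision to write every request (not only successful ones) to the login log are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample lists; placeholders, not values from the patent.
FIRST_IP_LIST = {"10.0.0.5"}                        # first IP address list: trusted hosts
WHITELIST = {"tester_a", "tester_b"}                # white list of user names
DOMAIN_ACCOUNTS = {"corp\\alice", "corp\\bob"}      # domain accounts allowed to log in
SECOND_IP_LIST = {"tester_a": {"10.1.1.10"},        # second IP address list per user name
                  "tester_b": {"10.1.1.20", "10.1.1.21"}}


def evaluate_login(req, login_log, first_ips=FIRST_IP_LIST, whitelist=WHITELIST,
                   domain_accounts=DOMAIN_ACCOUNTS, second_ips=SECOND_IP_LIST):
    """Run the four judging units in order and return (instruction, reason).

    `req` is the extraction result (ip, user, domain, mac) plus a timestamp.
    Assumption: every request is appended to `login_log` with its outcome, so
    the log analysis can count login *requests* per domain account."""
    ip, user, domain = req["ip"], req["user"], req["domain"]
    if ip in first_ips:                       # first judging unit
        result = ("success", "first_ip_list")
    elif user not in whitelist:               # second judging unit
        result = ("failure", "user_not_whitelisted")
    elif domain not in domain_accounts:       # third judging unit
        result = ("failure", "domain_not_allowed")
    elif ip in second_ips.get(user, set()):   # fourth judging unit
        result = ("success", "second_ip_list")
    else:
        result = ("failure", "ip_not_bound_to_user")
    login_log.append({"ts": req["ts"], "ip": ip, "user": user, "domain": domain,
                      "mac": req["mac"], "instruction": result[0]})
    return result


def analyze_log(login_log, window_start, window_end, threshold):
    """Claim 9 check: return the domain accounts that requested logins from more
    than `threshold` distinct IP addresses inside the time window, i.e. the
    accounts to mark as being in a monitoring state."""
    ips_by_domain = defaultdict(set)
    for entry in login_log:
        if window_start <= entry["ts"] <= window_end:
            ips_by_domain[entry["domain"]].add(entry["ip"])
    return {acct for acct, ips in ips_by_domain.items() if len(ips) > threshold}


if __name__ == "__main__":
    log = []
    for ip in ("10.1.1.10", "10.1.1.98", "10.1.1.99"):   # one bound IP, two unbound
        req = {"ts": 1, "ip": ip, "user": "tester_a", "domain": "corp\\alice", "mac": "00:11"}
        print(ip, evaluate_login(req, log))
    print(analyze_log(log, 0, 10, 2))   # alice used 3 distinct IPs > 2: monitoring state
```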
CN201910566491.9A 2019-06-27 2019-06-27 Restricted login method and system suitable for test database Active CN110290138B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910566491.9A CN110290138B (en) 2019-06-27 2019-06-27 Restricted login method and system suitable for test database

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910566491.9A CN110290138B (en) 2019-06-27 2019-06-27 Restricted login method and system suitable for test database

Publications (2)

Publication Number Publication Date
CN110290138A CN110290138A (en) 2019-09-27
CN110290138B true CN110290138B (en) 2021-12-21

Family

ID=68007734

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910566491.9A Active CN110290138B (en) 2019-06-27 2019-06-27 Restricted login method and system suitable for test database

Country Status (1)

Country Link
CN (1) CN110290138B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111131152B (en) * 2019-11-15 2022-06-10 苏州浪潮智能科技有限公司 Automatic verification method and system for cross-platform remote login protection system
CN112861119A (en) * 2019-11-27 2021-05-28 郭东林 Method and system for defending hacker from slowly colliding or blasting attack on database
CN113127335A (en) * 2020-01-16 2021-07-16 北京京东振世信息技术有限公司 System testing method and device
CN113672479A (en) * 2021-04-27 2021-11-19 全球能源互联网研究院有限公司 Data sharing method and device and computer equipment
CN114553576A (en) * 2022-02-28 2022-05-27 广东省大湾区集成电路与系统应用研究院 Authority management method, device, system and medium
CN114362966A (en) * 2022-02-28 2022-04-15 携程商旅信息服务(上海)有限公司 Pseudo test login method, system, electronic device and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254328A (en) * 2016-07-27 2016-12-21 杭州华为数字技术有限公司 A kind of access control method and device
CN107362537A (en) * 2017-07-03 2017-11-21 珠海金山网络游戏科技有限公司 A kind of method and device of qualified role account login service device
CN107426213A (en) * 2017-07-26 2017-12-01 郑州云海信息技术有限公司 The method and system that a kind of limitation SSR management platforms log in
CN109495472A (en) * 2018-11-19 2019-03-19 南京邮电大学 A kind of defence method for intranet and extranet camera configuration weak password loophole

Also Published As

Publication number Publication date
CN110290138A (en) 2019-09-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: No.88, Huaihai Road, Qinhuai District, Nanjing City, Jiangsu Province, 210000

Patentee after: Nanyin Faba Consumer Finance Co.,Ltd.

Address before: No.88, Huaihai Road, Qinhuai District, Nanjing City, Jiangsu Province, 210000

Patentee before: SUNING CONSUMER FINANCE Co.,Ltd.