CN110941599A - Authority control method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN110941599A
Authority: CN (China)
Prior art keywords: authority, type, permission, control item, authority control
Application number: CN201911100943.0A
Other languages: Chinese (zh)
Inventors: 臧林劼, 何营
Current assignee: Inspur Electronic Information Industry Co Ltd
Original assignee: Inspur Electronic Information Industry Co Ltd
Application filed by Inspur Electronic Information Industry Co Ltd; priority to CN201911100943.0A; publication of CN110941599A
Legal status: Withdrawn

Classifications

    • G06F 21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F 21/60 Protecting data; G06F 21/62 Protecting access to data via a platform)
    • G06F 16/182: Distributed file systems (under G06F 16/00 Information retrieval; database structures therefor; file system structures therefor; G06F 16/10 File systems; file servers; G06F 16/18 File system types)
    • G06F 21/604: Tools and structures for managing or administering access control systems (under G06F 21/00 Security arrangements; G06F 21/60 Protecting data)

Abstract

The application discloses a permission control method and device, an electronic device and a computer-readable storage medium. The method comprises: acquiring all first permission control entries of a target object, where a first permission control entry is an entry of a standard (POSIX) access control list and the target object is a target file or a target directory; mapping the first role type of each first permission control entry to a second role type and the first permission type of each first permission control entry to a second permission type, so as to obtain the second permission control entry corresponding to each first permission control entry, where a second permission control entry is an entry of an access control list conforming to NFSv4; and controlling access to the target object with the second permission control entries. The standard access control list is thereby mapped onto an NFSv4 access control list, making the NFSv4 ACL and the standard ACL compatible.

Description

Authority control method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technology, and in particular to a permission control method and device, an electronic device and a computer-readable storage medium.
Background
NFS-Ganesha is a user-space network file system server. When it serves the NFSv4 protocol version, its access control lists use the format and permission model specified by the NFSv4 protocol, which differ considerably from POSIX standard access control lists (ACLs).
Distributed file systems support the POSIX ACL permission model, i.e. the standard access control list, by default. The standard ACL solves the problem that under Linux the owner, the owner's group and "other" alone cannot express the required assignment of resource permissions to particular users and groups. Because an NFSv4 ACL is more granular than a POSIX ACL, mapping an arbitrary NFSv4 ACL to a POSIX ACL with the same semantics, and vice versa, is generally very complicated. The two permission models are therefore incompatible, and at present there is no method for controlling the permissions of a distributed file system through the NFS-Ganesha NFSv4 service.
How to make the NFSv4 access control list compatible with the standard access control list is therefore a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a permission control method and device, an electronic device and a computer-readable storage medium that make the NFSv4 access control list compatible with the standard access control list.
To this end, the application provides a permission control method comprising:
acquiring all first permission control entries of a target object, where a first permission control entry is an entry of a standard access control list and the target object is a target file or a target directory;
mapping the first role type of each first permission control entry to a second role type, and the first permission type of each first permission control entry to a second permission type, so as to obtain the second permission control entry corresponding to each first permission control entry, where a second permission control entry is an entry of an access control list conforming to NFSv4;
and controlling access to the target object with the second permission control entries.
Mapping the first role type of each first permission control entry to a second role type comprises:
if the first role type is ACL_USER, the second role type is USER;
if the first role type is ACL_GROUP, the second role type is GROUP;
if the first role type is ACL_USER_OBJ, the second role type is OWNER@;
if the first role type is ACL_GROUP_OBJ, the second role type is GROUP@;
if the first role type is ACL_OTHER, the second role type is EVERYONE@.
Mapping the first permission type of each first permission control entry to a second permission type comprises:
if the first permission type is READ, the second permission type is ACE4_READ_DATA;
if the first permission type is WRITE, the second permission type is ACE4_WRITE_DATA together with ACE4_APPEND_DATA;
if the first permission type is EXECUTE, the second permission type is ACE4_EXECUTE.
The method may further comprise:
determining the first target permission types contained in the allow mask (the ACL_MASK entry) of the target object, and clearing from the first permission types every permission outside that mask, so that all first permission types lie within the first target permission types.
The method may further comprise:
adding default permission types to every second permission control entry, the default permission types being ACE4_READ_ACL, ACE4_READ_ATTRIBUTES and ACE4_SYNCHRONIZE;
adding second target permission types to the second permission control entry corresponding to OWNER@, the second target permission types being ACE4_WRITE_ACL and ACE4_WRITE_ATTRIBUTES.
The method may further comprise:
acquiring all second permission control entries of the target object, mapping the second role type of each second permission control entry to a first role type and the second permission type of each second permission control entry to a first permission type, so as to obtain the first permission control entry corresponding to each second permission control entry;
calculating an allow mask and a deny mask of the target object, and updating the first permission control entries according to the allow mask and the deny mask;
and controlling access to the target object with the first permission control entries.
Calculating the allow mask and the deny mask of the target object comprises:
calculating the allow mask of the target object from the first target second permission control entries, namely the ALLOW-type second permission control entries whose second role type is EVERYONE@, GROUP or GROUP@;
calculating the deny mask of the target object from the second target second permission control entries, namely the DENY-type second permission control entries whose second role type is EVERYONE@, GROUP or GROUP@.
To achieve the above object, the application further provides a permission control device comprising:
an acquisition module for acquiring all first permission control entries of a target object, where a first permission control entry is an entry of a standard access control list and the target object is a target file or a target directory;
a first mapping module for mapping the first role type of each first permission control entry to a second role type and the first permission type of each first permission control entry to a second permission type, so as to obtain the second permission control entry corresponding to each first permission control entry, where a second permission control entry is an entry of an access control list conforming to NFSv4;
and a first control module for controlling access to the target object with the second permission control entries.
To achieve the above object, the application further provides an electronic device comprising:
a memory for storing a computer program;
and a processor that implements the steps of the above permission control method when executing the computer program.
To achieve the above object, the application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above permission control method.
In summary, the permission control method provided by the application comprises: acquiring all first permission control entries of a target object, where a first permission control entry is an entry of a standard access control list and the target object is a target file or a target directory; mapping the first role type of each first permission control entry to a second role type and the first permission type of each first permission control entry to a second permission type, so as to obtain the second permission control entry corresponding to each first permission control entry, where a second permission control entry is an entry of an access control list conforming to NFSv4; and controlling access to the target object with the second permission control entries.
The standard access control list is thereby mapped onto an NFSv4 access control list, which solves the prior-art problem that the NFSv4 protocol version of the NFS-Ganesha user-space network file system is incompatible with the POSIX ACL standard access control list of the distributed file system. The application also discloses a permission control device, an electronic device and a computer-readable storage medium that achieve the same technical effect.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
To illustrate the embodiments of the present application more clearly, the drawings used in describing them are briefly introduced below. They show only some of the embodiments; other drawings can be derived from them by those skilled in the art without creative effort. The drawings are included to provide a further understanding of the disclosure, form part of this specification, and together with the description serve to explain the disclosure without limiting it. In the drawings:
FIG. 1 is a flowchart of a permission control method according to an exemplary embodiment;
FIG. 2 is a flowchart of another permission control method according to an exemplary embodiment;
FIG. 3 is a flowchart of mapping a standard POSIX ACL to an NFS-Ganesha NFSv4 ACL in an application embodiment;
FIG. 4 is a flowchart of mapping an NFS-Ganesha NFSv4 ACL to a standard POSIX ACL in an application embodiment;
FIG. 5 is a block diagram of a permission control device according to an exemplary embodiment;
FIG. 6 is a block diagram of an electronic device according to an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application discloses a permission control method that makes the NFSv4 access control list compatible with the standard access control list.
Referring to FIG. 1, a flowchart of a permission control method according to an exemplary embodiment, the method comprises:
S101: acquiring all first permission control entries of a target object, where a first permission control entry is an entry of a standard access control list and the target object is a target file or a target directory;
The executing entity of this embodiment is a distributed file system, and the purpose is to map a POSIX ACL to an NFSv4 ACL. A POSIX ACL contains permission control entries for many objects; this embodiment describes the mapping of the entries of one target object, which may be a file or a directory.
In a specific implementation, a system client mounts the NFS-Ganesha NFSv4 service and determines whether the network file system supports the ACL extended-attribute feature; if so, the client issues a system call for processing, otherwise a failure is returned. Here the ACL extended attribute refers to the access control list of the NFSv4 network file system, and an access-control switch is added to the network file system to control whether it supports ACLs. The flow is as follows. The client issues an ACL get request and converts it into a standard Linux system call, i.e. a file operation function of the virtual file system. That file operation is packaged into a remote procedure call (RPC) and sent to the network file system server. The server receives the client's request for the permission-control extended attribute carried in the RPC and in turn issues a call to the distributed file system, which may be the file system of a distributed storage cluster. The distributed file system interface function is called to fetch the object's extended attribute, which is the POSIX ACL.
S102: mapping the first role type of each first permission control entry to a second role type and the first permission type of each first permission control entry to a second permission type, so as to obtain the second permission control entry corresponding to each first permission control entry, where a second permission control entry is an entry of an access control list conforming to NFSv4;
A POSIX permission control entry consists of a role (tag) and a set of permissions. This step applies a role mapping policy and a permission mapping policy: the role mapping policy maps the first role type of each first permission control entry to a second (NFSv4) role type, and the permission mapping policy maps the first permission type of each first permission control entry to a second (NFSv4) permission type.
The role mapping policy is: if the first role type is ACL_USER, the second role type is USER; if it is ACL_GROUP, GROUP; if it is ACL_USER_OBJ, OWNER@; if it is ACL_GROUP_OBJ, GROUP@; if it is ACL_OTHER, EVERYONE@.
The POSIX role types are ACL_USER, ACL_GROUP, ACL_USER_OBJ, ACL_GROUP_OBJ, ACL_OTHER and ACL_MASK. ACL_MASK is the mask entry, i.e. the upper bound on the permissions of the ACL_USER, ACL_GROUP_OBJ and ACL_GROUP entries; it may be treated as an allow mask and a deny mask. Preferably, this embodiment further comprises determining the first target permission types contained in the allow mask of the target object and clearing every first permission type outside it, so that all first permission types lie within the first target permission types. In a specific implementation, the permission types of all roles must lie inside the allow mask and outside the deny mask. The NFSv4 role types are USER, GROUP, OWNER@, GROUP@ and EVERYONE@; when the first role type is ACL_USER or ACL_GROUP, the NFSv4 user name or group name is determined from the entry's user ID or group ID.
The permission mapping policy is: if the first permission type is READ, the second permission type is ACE4_READ_DATA; if it is WRITE, ACE4_WRITE_DATA together with ACE4_APPEND_DATA; if it is EXECUTE, ACE4_EXECUTE. Preferably, this embodiment further comprises adding the default permission types ACE4_READ_ACL, ACE4_READ_ATTRIBUTES and ACE4_SYNCHRONIZE to every second permission control entry, and adding the second target permission types ACE4_WRITE_ACL and ACE4_WRITE_ATTRIBUTES to the second permission control entry corresponding to OWNER@.
In a specific implementation: if the first role has READ permission, the ACE4_READ_DATA bit of the target object is set in the NFSv4 ACL; if it has WRITE permission, the ACE4_WRITE_DATA and ACE4_APPEND_DATA bits are set, and if the target object is a directory the ACE4_DELETE_CHILD bit is set as well; if it has EXECUTE permission, the ACE4_EXECUTE bit is set. The ACE4_READ_ACL, ACE4_READ_ATTRIBUTES and ACE4_SYNCHRONIZE bits are set by default. If the first role is ACL_USER_OBJ, the ACE4_WRITE_ACL and ACE4_WRITE_ATTRIBUTES bits are set as well.
S103: controlling access to the target object with the second permission control entries.
In this embodiment the POSIX ACL is mapped to an NFSv4 ACL, so a POSIX ACL can be used to control access on a distributed file system exported over NFSv4.
The standard access control list is thereby mapped onto an NFSv4 access control list, which solves the prior-art problem that the NFSv4 protocol version of the NFS-Ganesha user-space network file system is incompatible with the POSIX ACL standard access control list of the distributed file system.
The embodiment of the application further discloses another permission control method, as follows:
Referring to FIG. 2, a flowchart of another permission control method according to an exemplary embodiment, the method comprises:
S201: acquiring all second permission control entries of the target object, mapping the second role type of each second permission control entry to a first role type and the second permission type of each second permission control entry to a first permission type, so as to obtain the first permission control entry corresponding to each second permission control entry;
The purpose of this embodiment is the reverse direction: mapping an NFSv4 ACL to a POSIX ACL. In a specific implementation, the system client mounts the NFS-Ganesha NFSv4 service and determines whether the network file system supports the ACL extended-attribute feature; if so, the client issues a system call for processing, otherwise a failure is returned. The client issues an ACL set request, converts it into a standard Linux system call, packages that call into a remote procedure call and sends it to the network file system server; the server receives the client's request to set the permission-control extended attribute carried in the RPC and maps the requested access control list onto a POSIX ACL.
S202: calculating an allow mask and a deny mask of the target object, and updating the first permission control entries according to the allow mask and the deny mask;
S203: controlling access to the target object with the first permission control entries.
In a specific implementation, the allow mask of the target object is calculated from the first target second permission control entries, namely the ALLOW-type entries whose second role type is EVERYONE@, GROUP or GROUP@, and the deny mask is calculated from the second target second permission control entries, namely the DENY-type entries whose second role type is EVERYONE@, GROUP or GROUP@.
In this embodiment the NFSv4 ACL is mapped to a POSIX ACL, so the POSIX ACL can be used to control access on the standard distributed file system.
An application embodiment is described below. In the first aspect, as shown in FIG. 3, mapping the distributed file system's standard POSIX ACL to an NFS-Ganesha NFSv4 ACL may comprise the following steps:
Step one: the system client mounts the NFS-Ganesha NFSv4 service and determines whether the network file system supports the ACL extended-attribute feature; if so, the client issues a system call for processing, otherwise a failure is returned;
Step two: the client issues an ACL get request and converts it into a standard Linux system call;
Step three: the call of step two is packaged into a remote procedure call and sent to the network file system server;
Step four: the network file system server receives the client's request for the permission-control extended attribute carried in the RPC and in turn issues a call to the distributed file system;
Step five: the distributed file system interface function is called to fetch the object's extended attribute;
Step six: the POSIX ACL obtained from the distributed file system's access control list is mapped onto an NFSv4 ACL:
1. First, according to the permissions of the mask ACE (permission control entry), the permissions of every user or group that fall outside the mask are cleared. The mask permissions mean that a permission set on a user or group only takes effect if it lies within the range set by the mask; the mask therefore also defines the effective permissions.
2. The uid and gid of ACL_USER and ACL_GROUP ACEs are converted into NFSv4 names, and ACL_USER_OBJ, ACL_GROUP_OBJ and ACL_OTHER are converted into the special NFSv4 principals "OWNER@", "GROUP@" and "EVERYONE@".
3. Each POSIX ACE in the given POSIX ACL (except the mask ACE, which was consumed in step 1) is mapped to an NFSv4 ALLOW ACE for the principal determined above, with the NFSv4 access mask derived from the permission bits of the POSIX ACE as follows:
A) if the POSIX ACE has READ permission, the ACE4_READ_DATA bit is set in the NFSv4 ACE;
B) if the POSIX ACE has WRITE permission, the ACE4_WRITE_DATA and ACE4_APPEND_DATA bits are set, and if the object is a directory the ACE4_DELETE_CHILD bit is set as well;
C) if the POSIX ACE has EXECUTE permission, the ACE4_EXECUTE bit is set;
D) the ACE4_READ_ACL, ACE4_READ_ATTRIBUTES and ACE4_SYNCHRONIZE bits are set by default;
E) if the principal is the owner, ACE4_WRITE_ACL and ACE4_WRITE_ATTRIBUTES are set as well;
Step seven: the mapped NFSv4 ACL is returned to the network file system client through the remote procedure call, completing the procedure by which the NFS-Ganesha NFSv4 client obtains the POSIX ACL extended attribute through the distributed file system.
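Step six above, which is the same mapping stated in S102 and in the disclosure, carried through in C as an added example; this is not NFS-Ganesha's or the applicant's code. The ACE4_* bit values are those of RFC 7530; the enum names, struct layouts, the functions posix_to_nfs4 and sample_acl, and the sample POSIX ACL are this example's own assumptions. The mask is applied only to the entries POSIX defines it for (ACL_USER, ACL_GROUP_OBJ and ACL_GROUP), as the description of ACL_MASK above says, and a missing mask entry clips nothing.

```c
/* Added example, not NFS-Ganesha or applicant code: POSIX ACL -> NFSv4 ACL as in step
 * six of the first aspect.  ACE4_* bit values are those of RFC 7530 (ACE4_ADD_FILE and
 * ACE4_ADD_SUBDIRECTORY share the WRITE_DATA/APPEND_DATA values on directories); the
 * enum, struct and function names and the sample ACL are this example's assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ACE4_READ_DATA        0x00000001u
#define ACE4_WRITE_DATA       0x00000002u
#define ACE4_APPEND_DATA      0x00000004u
#define ACE4_EXECUTE          0x00000020u
#define ACE4_DELETE_CHILD     0x00000040u
#define ACE4_READ_ATTRIBUTES  0x00000080u
#define ACE4_WRITE_ATTRIBUTES 0x00000100u
#define ACE4_READ_ACL         0x00020000u
#define ACE4_WRITE_ACL        0x00040000u
#define ACE4_SYNCHRONIZE      0x00100000u
#define ACE4_DEFAULTS (ACE4_READ_ACL | ACE4_READ_ATTRIBUTES | ACE4_SYNCHRONIZE)

enum posix_tag { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER };
enum { ACL_READ = 4, ACL_WRITE = 2, ACL_EXECUTE = 1 };
struct posix_ace { enum posix_tag tag; uint32_t id; unsigned perm; };
enum nfs4_who { OWNER_AT, GROUP_AT, EVERYONE_AT, NFS4_USER, NFS4_GROUP };
struct nfs4_ace { enum nfs4_who who; uint32_t id; uint32_t mask; };   /* all ALLOW type */

/* Entries ACL_MASK bounds: named users, the owning group, named groups. */
static bool masked_tag(enum posix_tag t)
{
    return t == ACL_USER || t == ACL_GROUP_OBJ || t == ACL_GROUP;
}

/* Returns the number of ACEs written to out (at most cap). */
size_t posix_to_nfs4(const struct posix_ace *in, size_t n, bool is_dir,
                     struct nfs4_ace *out, size_t cap)
{
    /* Step 1: find the mask entry; with no mask entry nothing is clipped. */
    unsigned mask = ACL_READ | ACL_WRITE | ACL_EXECUTE;
    for (size_t i = 0; i < n; i++)
        if (in[i].tag == ACL_MASK) mask = in[i].perm;
    size_t k = 0;
    for (size_t i = 0; i < n && k < cap; i++) {
        const struct posix_ace *p = &in[i];
        if (p->tag == ACL_MASK) continue;                  /* consumed above */
        unsigned perm = masked_tag(p->tag) ? (p->perm & mask) : p->perm;
        struct nfs4_ace *a = &out[k++];
        a->id = p->id;
        switch (p->tag) {                                  /* Step 2: principals */
        case ACL_USER_OBJ:  a->who = OWNER_AT;    break;
        case ACL_GROUP_OBJ: a->who = GROUP_AT;    break;
        case ACL_OTHER:     a->who = EVERYONE_AT; break;
        case ACL_USER:      a->who = NFS4_USER;   break;
        default:            a->who = NFS4_GROUP;  break;
        }
        /* Step 3: access mask bits, starting from the defaults every ACE gets. */
        a->mask = ACE4_DEFAULTS;
        if (perm & ACL_READ)    a->mask |= ACE4_READ_DATA;
        if (perm & ACL_WRITE)   a->mask |= ACE4_WRITE_DATA | ACE4_APPEND_DATA
                                         | (is_dir ? ACE4_DELETE_CHILD : 0u);
        if (perm & ACL_EXECUTE) a->mask |= ACE4_EXECUTE;
        if (p->tag == ACL_USER_OBJ)                        /* owner may change ACL/attrs */
            a->mask |= ACE4_WRITE_ACL | ACE4_WRITE_ATTRIBUTES;
    }
    return k;
}

/* Constructed sample (not from the page): owner rwx, user 1001 rw-, group r-x,
 * mask r-x, other r--.  The mask clips user 1001 to r--.  Returns ACEs written. */
size_t sample_acl(bool is_dir, struct nfs4_ace *out, size_t cap)
{
    static const struct posix_ace acl[] = {
        { ACL_USER_OBJ,  1000, ACL_READ | ACL_WRITE | ACL_EXECUTE },
        { ACL_USER,      1001, ACL_READ | ACL_WRITE },
        { ACL_GROUP_OBJ, 100,  ACL_READ | ACL_EXECUTE },
        { ACL_MASK,      0,    ACL_READ | ACL_EXECUTE },
        { ACL_OTHER,     0,    ACL_READ },
    };
    return posix_to_nfs4(acl, sizeof acl / sizeof acl[0], is_dir, out, cap);
}

int main(void)
{
    struct nfs4_ace out[8];
    for (size_t i = 0, n = sample_acl(true, out, 8); i < n; i++)
        printf("who=%d id=%u mask=0x%08x\n", (int)out[i].who, (unsigned)out[i].id, (unsigned)out[i].mask);
    return 0;
}
```

One caveat worth knowing before relying on the result: the procedure emits ALLOW ACEs only, and in NFSv4 EVERYONE@ matches every principal, the owner and the owning group included, whereas POSIX "other" excludes them. A file whose owner entry is --- but whose other entry is r-- therefore becomes readable by its owner after mapping, because NFSv4 evaluation accumulates the bits granted by each matching ALLOW ACE; a semantics-preserving mapping has to interleave DENY ACEs, which this procedure does not produce.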
In the second aspect, as shown in FIG. 4, mapping an NFS-Ganesha NFSv4 ACL to the distributed file system's standard POSIX ACL may comprise the following steps:
Step one: the system client mounts the NFS-Ganesha NFSv4 service and determines whether the network file system supports the ACL extended-attribute feature; if so, the client issues a system call for processing, otherwise a failure is returned;
Step two: the client issues an ACL set request and converts it into a standard Linux system call;
Step three: the call of step two is packaged into a remote procedure call and sent to the network file system server;
Step four: the network file system server receives the client's request to set the permission-control extended attribute carried in the RPC;
Step five: the access control list in the set request is mapped onto the POSIX ACL standard:
1. First, directories are distinguished from files; for directories the inherited permissions must be set as well;
2. The permissions of other are initialised to 0;
3. The ACEs of the NFSv4 ACL are traversed:
(1) if the ACE is not an EVERYONE@ ACE, it is skipped and the next ACE is processed;
(2) if the ACE is an EVERYONE@ ALLOW ACE, every bit set in this ACE but not set in other_deny is added to other_allow;
(3) if the ACE is an EVERYONE@ DENY ACE, every bit set in this ACE but not set in other_allow is added to other_deny.
4. Next, the GROUP_OBJ and GROUP masks are calculated:
(1) the allow and deny bitmasks of each GROUP mask and each GROUP_OBJ mask are initialised to 0;
(2) for each ACE in the ACL, starting from the top:
A) if the ACE is an OWNER@ or user ACE, it is skipped and the next ACE is processed;
B) if the ACE is an EVERYONE@ ALLOW ACE, the allow mask of every GROUP and GROUP_OBJ entry receives the bits allowed by the EVERYONE@ ACE that are not in that entry's deny mask;
C) if the ACE is an EVERYONE@ DENY ACE, the deny mask of every GROUP and GROUP_OBJ entry receives the bits denied by the EVERYONE@ ACE;
D) if the ACE is a GROUP or GROUP@ ALLOW ACE, the allowed bits are set in the allow mask of the corresponding GROUP or GROUP_OBJ entry;
E) if the ACE is a GROUP or GROUP@ DENY ACE, the denied bits are set in the deny mask of the corresponding GROUP or GROUP_OBJ entry.
Repeating these steps, the mapping from an NFSv4 ACL yields a unique POSIX ACL.
Step six: the converted POSIX ACL standard access control request is passed on to the distributed file system's set-extended-attribute function;
Step seven: the resulting access control attribute is returned to the network file system client, completing the procedure by which the NFS-Ganesha NFSv4 client sets the ACL extended attribute through the distributed file system interface.
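Step five above (the allow and deny masks of S201 to S203 in the disclosure), carried through in C as an added example that is not NFS-Ganesha's or the applicant's code. Every POSIX principal carries an allow mask and a deny mask, the ACL is walked from the top, a bit already decided by an earlier ACE is never flipped by a later one, and EVERYONE@ ACEs feed every principal. The page spells this out only for other and for the GROUP and GROUP_OBJ entries; applying the same rule to OWNER@ and named users, treating ACE4_WRITE_DATA alone as POSIX write, rebuilding ACL_MASK as the union of the entries it bounds, the type and function names (nfs4_to_posix, sample_nfs4_acl) and the sample ACL are this example's assumptions. Inheritance flags (the directory case of point 1) are not modelled.

```c
/* Added example, not NFS-Ganesha or applicant code: NFSv4 ACL -> POSIX ACL as in step
 * five of the second aspect.  ACE4_* values follow RFC 7530; all names, the owner/user
 * handling and the ACL_MASK rebuild are this example's assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ACE4_READ_DATA  0x00000001u
#define ACE4_WRITE_DATA 0x00000002u
#define ACE4_EXECUTE    0x00000020u
#define MAX_PRINCIPALS  32

enum posix_tag { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER };
enum { ACL_READ = 4, ACL_WRITE = 2, ACL_EXECUTE = 1 };
struct posix_ace { enum posix_tag tag; uint32_t id; unsigned perm; };
enum nfs4_who { OWNER_AT, GROUP_AT, EVERYONE_AT, NFS4_USER, NFS4_GROUP };
enum nfs4_type { ACE4_ALLOW, ACE4_DENY };
struct nfs4_ace { enum nfs4_type type; enum nfs4_who who; uint32_t id; uint32_t mask; };
/* One POSIX principal with the allow/deny bitmasks of points 3 and 4. */
struct acc { enum posix_tag tag; uint32_t id; unsigned allow, deny; };

/* Only the bits POSIX can express survive the mapping back. */
static unsigned rwx_of(uint32_t m)
{
    return (m & ACE4_READ_DATA ? ACL_READ : 0u) | (m & ACE4_WRITE_DATA ? ACL_WRITE : 0u)
         | (m & ACE4_EXECUTE ? ACL_EXECUTE : 0u);
}

/* Append a principal once, both masks 0; principals beyond the table are dropped. */
static void add_principal(struct acc *e, size_t *ne, enum posix_tag t, uint32_t id)
{
    for (size_t j = 0; j < *ne; j++)
        if (e[j].tag == t && e[j].id == id) return;
    if (*ne < MAX_PRINCIPALS) e[(*ne)++] = (struct acc){ t, id, 0, 0 };
}

/* Returns the number of POSIX entries written to out (at most cap). */
size_t nfs4_to_posix(const struct nfs4_ace *in, size_t n, struct posix_ace *out, size_t cap)
{
    struct acc e[MAX_PRINCIPALS];
    size_t ne = 0, k = 0;
    unsigned mask = 0;
    /* Principals in POSIX order: owner, named users, owning group, named groups,
     * other (the mask entry is inserted before other when emitting). */
    add_principal(e, &ne, ACL_USER_OBJ, 0);
    for (size_t i = 0; i < n; i++)
        if (in[i].who == NFS4_USER) add_principal(e, &ne, ACL_USER, in[i].id);
    add_principal(e, &ne, ACL_GROUP_OBJ, 0);
    for (size_t i = 0; i < n; i++)
        if (in[i].who == NFS4_GROUP) add_principal(e, &ne, ACL_GROUP, in[i].id);
    add_principal(e, &ne, ACL_OTHER, 0);
    /* Walk the ACL from the top; a bit settled by an earlier ACE is never flipped.
     * EVERYONE@ addresses every principal, the others only their own entry. */
    for (size_t i = 0; i < n; i++) {
        unsigned bits = rwx_of(in[i].mask);
        for (size_t j = 0; j < ne; j++) {
            bool hit = in[i].who == EVERYONE_AT
                    || (in[i].who == OWNER_AT   && e[j].tag == ACL_USER_OBJ)
                    || (in[i].who == GROUP_AT   && e[j].tag == ACL_GROUP_OBJ)
                    || (in[i].who == NFS4_USER  && e[j].tag == ACL_USER  && e[j].id == in[i].id)
                    || (in[i].who == NFS4_GROUP && e[j].tag == ACL_GROUP && e[j].id == in[i].id);
            if (!hit) continue;
            if (in[i].type == ACE4_ALLOW) e[j].allow |= bits & ~e[j].deny;
            else                          e[j].deny  |= bits & ~e[j].allow;
        }
    }
    /* Emit.  ACL_MASK is the union of the entries it bounds and precedes ACL_OTHER. */
    for (size_t j = 0; j < ne && k < cap; j++) {
        if (e[j].tag == ACL_USER || e[j].tag == ACL_GROUP_OBJ || e[j].tag == ACL_GROUP)
            mask |= e[j].allow;
        if (e[j].tag == ACL_OTHER) out[k++] = (struct posix_ace){ ACL_MASK, 0, mask };
        if (k < cap) out[k++] = (struct posix_ace){ e[j].tag, e[j].id, e[j].allow };
    }
    return k;
}

/* Constructed sample (not from the page): GROUP@ is denied write before EVERYONE@
 * allows read and write, so the earlier deny must win for the owning group. */
size_t sample_nfs4_acl(struct posix_ace *out, size_t cap)
{
    static const struct nfs4_ace acl[] = {
        { ACE4_ALLOW, OWNER_AT,    0,   ACE4_READ_DATA | ACE4_WRITE_DATA | ACE4_EXECUTE },
        { ACE4_DENY,  GROUP_AT,    0,   ACE4_WRITE_DATA },
        { ACE4_ALLOW, NFS4_GROUP,  200, ACE4_READ_DATA | ACE4_EXECUTE },
        { ACE4_ALLOW, EVERYONE_AT, 0,   ACE4_READ_DATA | ACE4_WRITE_DATA },
    };
    return nfs4_to_posix(acl, sizeof acl / sizeof acl[0], out, cap);
}

int main(void)
{
    struct posix_ace out[8];
    for (size_t i = 0, n = sample_nfs4_acl(out, 8); i < n; i++)
        printf("tag=%d id=%u perm=%u\n", (int)out[i].tag, (unsigned)out[i].id, out[i].perm);
    return 0;
}
```

The sample puts a GROUP@ DENY of write ahead of an EVERYONE@ ALLOW of read and write; the owning group ends up with r-- and other with rw-, which is what the top-down rule requires. The result is lossy by construction: a DENY entry for a named user, or any NFSv4 bit outside read, write and execute, has no POSIX counterpart and is silently dropped, so a practitioner should compare the two ACLs after a round trip rather than assume they are equivalent.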
In the following, a right control device provided in an embodiment of the present application is introduced, and a right control device described below and a right control method described above may be referred to each other.
Referring to fig. 5, a block diagram of a rights control apparatus according to an exemplary embodiment is shown, as shown in fig. 5, including:
an obtaining module 501, configured to obtain all first permission control items of a target object; the first authority control item is an authority control item in a standard access control list, and the target object comprises a target file or a target directory;
a first mapping module 502, configured to map the first role type in each first permission control item to a second role type, and map the first permission type in each first permission control item to a second permission type, so as to obtain a second permission control item corresponding to each first permission control item; wherein the second right control item is a right control item in an access control list conforming to the NFS v4 version;
a first control module 503, configured to perform permission control on the target object by using the second permission control item.
In this way, the standard access control list is mapped into the access control list of NFS V4, which solves the problem in the prior art that the V4 protocol version of the NFS-Ganesha user-mode network file system is incompatible with the POSIX ACL standard access control list draft of the distributed file system.
On the basis of the foregoing embodiment, as a preferred implementation, the first mapping module 502 includes:
a first mapping unit, configured to determine that the second role type is USER if the first role type is ACL_USER;
a second mapping unit, configured to determine that the second role type is GROUP if the first role type is ACL_GROUP;
a third mapping unit, configured to determine that the second role type is OWNER@ if the first role type is ACL_USER_OBJ;
a fourth mapping unit, configured to determine that the second role type is GROUP@ if the first role type is ACL_GROUP_OBJ;
a fifth mapping unit, configured to determine that the second role type is EVERYONE@ if the first role type is ACL_OTHER.
On the basis of the foregoing embodiment, as a preferred implementation, the first mapping module 502 includes:
a sixth mapping unit, configured to determine that the second permission type is ACE4_READ_DATA if the first permission type is the READ permission;
a seventh mapping unit, configured to determine that the second permission type is ACE4_WRITE_DATA and ACE4_APPEND_DATA if the first permission type is the WRITE permission;
an eighth mapping unit, configured to determine that the second permission type is ACE4_EXECUTE if the first permission type is the EXECUTE permission.
On the basis of the above embodiment, as a preferred implementation, the method further includes:
a clearing module, configured to determine the first target permission type included in the permission mask of the target object and to clear all the first permission types so that every first permission type becomes the first target permission type.
On the basis of the above-mentioned embodiment, as a preferred implementation, the method further includes:
a first adding module, configured to add default permission types to all the second permission control items; wherein the default permission types include ACE4_READ_ACL, ACE4_READ_ATTRIBUTES and ACE4_SYNCHRONIZE;
a second adding module, configured to add a second target permission type to the first permission type in the second permission control item corresponding to OWNER@; wherein the second target permission type includes ACE4_WRITE_ACL and ACE4_WRITE_ATTRIBUTES.
On the basis of the above embodiment, as a preferred implementation, the method further includes:
the second mapping module is used for acquiring all the second authority control items of the target object, mapping a second role type in each second authority control item to be a first role type, and mapping a second authority type in each second authority control item to be a first authority type so as to obtain a first authority control item corresponding to each second authority control item;
the calculation module is used for calculating an allowance mask and a rejection mask of the target object and updating the first permission control item according to the allowance mask and the rejection mask;
and the second control module is used for performing authority control on the target object by using the first authority control item.
On the basis of the above embodiment, as a preferred implementation, the computing module includes:
a first calculation unit, configured to calculate the allowance mask of the target object based on first target second authority control items, where the first target second authority control items are the second authority control items of the allow type whose second role type is EVERYONE@, GROUP or GROUP@;
a second calculation unit, configured to calculate the rejection mask of the target object based on second target second authority control items, where the second target second authority control items are the second authority control items of the deny type whose second role type is EVERYONE@, GROUP or GROUP@;
and the updating unit is used for updating the first authority control item according to the allowance mask and the rejection mask.
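The forward mapping (modules 501 and 502 together with the clearing and adding modules) and the reverse mapping with its allowance and rejection masks (the second mapping and computing modules, and steps C to E above), carried through in C on a constructed ACL as an added example; this is not code from the patent or from NFS-Ganesha. The type names, the POSIX tag values, the ACE4_ALLOW and ACE4_DENY names and the sample ACLs are this example's own assumptions, while the ACE4_* access-mask bits are the RFC 7530 values. Where the description leaves detail open, the example assumes the usual POSIX semantics: the mask limits named users, named groups and the owning group, and the reverse mapping synthesises ACL_MASK as the union of those entries.

```c
/* Added example, not code from the patent or from NFS-Ganesha: a minimal POSIX ACL <-> NFSv4 ACL mapper
 * following the role and permission tables of the description. Type names, POSIX tag values and the
 * sample ACLs are this example's own assumptions; the ACE4_* access-mask bits are the RFC 7530 values. */
#include <stdint.h>
#include <stddef.h>
typedef enum { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER } posix_tag;
enum { P_READ = 4, P_WRITE = 2, P_EXEC = 1 };
typedef struct { posix_tag tag; uint32_t id; unsigned perms; } posix_entry;
enum { ACE4_READ_DATA = 0x1, ACE4_WRITE_DATA = 0x2, ACE4_APPEND_DATA = 0x4, ACE4_EXECUTE = 0x20,
       ACE4_READ_ATTRIBUTES = 0x80, ACE4_WRITE_ATTRIBUTES = 0x100, ACE4_READ_ACL = 0x20000,
       ACE4_WRITE_ACL = 0x40000, ACE4_SYNCHRONIZE = 0x100000 };
typedef enum { WHO_OWNER_AT, WHO_GROUP_AT, WHO_EVERYONE_AT, WHO_USER, WHO_GROUP } nfs4_who;
typedef enum { ACE4_ALLOW, ACE4_DENY } nfs4_type;
typedef struct { nfs4_type type; nfs4_who who; uint32_t id; uint32_t mask; } nfs4_ace;
#define MAX_ENTRIES 16

/* Role mapping (first to fifth mapping units) in both directions; ACL_MASK has no ACE counterpart. */
static const nfs4_who who_of_tag[] = { WHO_OWNER_AT, WHO_USER, WHO_GROUP_AT, WHO_GROUP, WHO_EVERYONE_AT, WHO_EVERYONE_AT };
static const posix_tag tag_of_who[] = { ACL_USER_OBJ, ACL_GROUP_OBJ, ACL_OTHER, ACL_USER, ACL_GROUP };

/* Permission mapping (sixth to eighth mapping units) and its inverse. */
static uint32_t posix_bits_to_ace(unsigned p)
{
    return ((p & P_READ) ? ACE4_READ_DATA : 0) | ((p & P_WRITE) ? (ACE4_WRITE_DATA | ACE4_APPEND_DATA) : 0)
         | ((p & P_EXEC) ? ACE4_EXECUTE : 0);
}
static unsigned ace_bits_to_posix(uint32_t m)
{
    return ((m & ACE4_READ_DATA) ? P_READ : 0) | ((m & (ACE4_WRITE_DATA | ACE4_APPEND_DATA)) ? P_WRITE : 0)
         | ((m & ACE4_EXECUTE) ? P_EXEC : 0);
}

/* Forward mapping (modules 501/502 with the clearing and adding modules): POSIX entries -> ALLOW ACEs. */
size_t posix_to_nfs4(const posix_entry *in, size_t n, nfs4_ace *out)
{
    unsigned mask = P_READ | P_WRITE | P_EXEC;              /* no ACL_MASK entry: nothing is cleared */
    for (size_t i = 0; i < n; i++) if (in[i].tag == ACL_MASK) mask = in[i].perms;
    size_t k = 0;
    for (size_t i = 0; i < n && k < MAX_ENTRIES; i++) {
        if (in[i].tag == ACL_MASK) continue;                 /* the mask entry itself yields no ACE */
        unsigned perms = in[i].perms;
        if (in[i].tag == ACL_USER || in[i].tag == ACL_GROUP || in[i].tag == ACL_GROUP_OBJ)
            perms &= mask;                                   /* clearing module, assumed POSIX mask semantics */
        nfs4_ace a = { ACE4_ALLOW, who_of_tag[in[i].tag], in[i].id, posix_bits_to_ace(perms) };
        a.mask |= ACE4_READ_ACL | ACE4_READ_ATTRIBUTES | ACE4_SYNCHRONIZE;      /* first adding module */
        if (a.who == WHO_OWNER_AT) a.mask |= ACE4_WRITE_ACL | ACE4_WRITE_ATTRIBUTES; /* second adding module */
        out[k++] = a;
    }
    return k;
}

/* Reverse mapping (second mapping and computing modules): per principal, ALLOW ACEs accumulate an
 * allowance mask and DENY ACEs a rejection mask; an EVERYONE@ DENY is also charged to every GROUP and
 * GROUP_OBJ entry (step C). Effective bits are allow & ~deny; ACL_MASK is synthesised as the union of
 * the mask-limited entries (this example's assumption, the description does not say). */
size_t nfs4_to_posix(const nfs4_ace *in, size_t n, posix_entry *out)
{
    unsigned allow[MAX_ENTRIES] = {0}, deny[MAX_ENTRIES] = {0}, everyone_deny = 0, mask = 0;
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        posix_tag tag = tag_of_who[in[i].who];
        size_t j = 0;                                        /* find or create the entry for this principal */
        while (j < k && !(out[j].tag == tag && out[j].id == in[i].id)) j++;
        if (j == k && k == MAX_ENTRIES - 1) return 0;        /* keep one slot for ACL_MASK */
        if (j == k) out[k++] = (posix_entry){ tag, in[i].id, 0 };
        unsigned bits = ace_bits_to_posix(in[i].mask);
        if (in[i].type == ACE4_ALLOW) allow[j] |= bits;
        else { deny[j] |= bits; if (tag == ACL_OTHER) everyone_deny |= bits; }
    }
    for (size_t j = 0; j < k; j++) {
        if (out[j].tag == ACL_GROUP || out[j].tag == ACL_GROUP_OBJ) deny[j] |= everyone_deny;
        out[j].perms = allow[j] & ~deny[j];
        if (out[j].tag != ACL_USER_OBJ && out[j].tag != ACL_OTHER) mask |= out[j].perms;
    }
    out[k++] = (posix_entry){ ACL_MASK, 0, mask };
    return k;
}

/* Constructed sample: owner rwx, user 1001 rw-, owning group r-x, group 2002 rwx, mask r-x, other r--. */
static const posix_entry sample[] = { { ACL_USER_OBJ, 0, 7 }, { ACL_USER, 1001, 6 }, { ACL_GROUP_OBJ, 0, 5 },
                                      { ACL_GROUP, 2002, 7 }, { ACL_MASK, 0, 5 }, { ACL_OTHER, 0, 4 } };

/* Effective permission of one principal after POSIX -> NFSv4 -> POSIX, or ~0u if it is absent. */
unsigned round_trip_perm(posix_tag tag, uint32_t id)
{
    nfs4_ace aces[MAX_ENTRIES]; posix_entry back[MAX_ENTRIES];
    size_t n = nfs4_to_posix(aces, posix_to_nfs4(sample, 6, aces), back);
    for (size_t j = 0; j < n; j++) if (back[j].tag == tag && back[j].id == id) return back[j].perms;
    return ~0u;
}

/* Constructed NFSv4 ACL: GROUP@ allowed rwx, then EVERYONE@ denied write; returns GROUP_OBJ's perms. */
unsigned deny_case_group_perm(void)
{
    nfs4_ace acl[] = { { ACE4_ALLOW, WHO_GROUP_AT, 0, ACE4_READ_DATA | ACE4_WRITE_DATA | ACE4_EXECUTE },
                       { ACE4_DENY, WHO_EVERYONE_AT, 0, ACE4_WRITE_DATA }, { ACE4_ALLOW, WHO_EVERYONE_AT, 0, ACE4_READ_DATA } };
    posix_entry back[MAX_ENTRIES];
    nfs4_to_posix(acl, 3, back);
    return back[0].perms;                                    /* GROUP_OBJ was the first principal seen */
}
```

With the constructed sample, round_trip_perm(ACL_USER, 1001) returns 4 rather than 6, because the ACL_MASK of r-x clears the write bit before the ACE is built, and deny_case_group_perm() returns 5, because the EVERYONE@ DENY of write is charged to GROUP@ even though it appears later in the list; the owner, the named group and the other entry survive the round trip unchanged.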
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
The present application further provides an electronic device. Referring to fig. 6, a structure diagram of an electronic device 600 provided in an embodiment of the present application is shown; as shown in fig. 6, the electronic device 600 may include a processor 11 and a memory 12, and may also include one or more of a multimedia component 13, an input/output (I/O) interface 14 and a communication component 15.
The processor 11 is configured to control the overall operation of the electronic device 600 so as to complete all or part of the steps of the above-mentioned authority control method. The memory 12 is used to store various types of data to support operation of the electronic device 600, such as instructions for any application or method operating on the electronic device 600 and application-related data such as contact data, transmitted and received messages, pictures, audio, video and so forth. The memory 12 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk. The multimedia component 13 may include a screen and an audio component, where the screen may be, for example, a touch screen and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals; the received audio signal may further be stored in the memory 12 or transmitted via the communication component 15. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 14 provides an interface between the processor 11 and other interface modules, such as a keyboard, mouse or buttons; these buttons may be virtual buttons or physical buttons. The communication component 15 is used for wired or wireless communication between the electronic device 600 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, Near Field Communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so the corresponding communication component 15 may include a Wi-Fi module, a Bluetooth module or an NFC module.
In an exemplary embodiment, the electronic device 600 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components for performing the above-described authority control method.
In another exemplary embodiment, a computer readable storage medium is also provided, comprising program instructions which, when executed by a processor, implement the steps of the above-described authority control method. For example, the computer readable storage medium may be the memory 12 described above, including program instructions that are executable by the processor 11 of the electronic device 600 to perform the authority control method described above.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. An authority control method, comprising:
acquiring all first authority control items of a target object; the first authority control item is an authority control item in a standard access control list, and the target object comprises a target file or a target directory;
mapping the first role type in each first authority control item to be a second role type, and mapping the first authority type in each first authority control item to be a second authority type so as to obtain a second authority control item corresponding to each first authority control item; wherein the second right control item is a right control item in an access control list conforming to the NFS v4 version;
and performing authority control on the target object by using the second authority control item.
2. The authority control method according to claim 1, wherein mapping the first role type in each of the first authority control items to a second role type comprises:
if the first role type is ACL_USER, the second role type is USER;
if the first role type is ACL_GROUP, the second role type is GROUP;
if the first role type is ACL_USER_OBJ, the second role type is OWNER@;
if the first role type is ACL_GROUP_OBJ, the second role type is GROUP@;
if the first role type is ACL_OTHER, the second role type is EVERYONE@.
3. The authority control method according to claim 1, wherein mapping the first authority type in each of the first authority control items to a second authority type comprises:
if the first permission type is the READ permission, the second permission type is ACE4_READ_DATA;
if the first permission type is the WRITE permission, the second permission type is ACE4_WRITE_DATA and ACE4_APPEND_DATA;
and if the first permission type is the EXECUTE permission, the second permission type is ACE4_EXECUTE.
4. The authority control method according to claim 1, further comprising:
determining a first target permission type included in the allowance mask of the target object, and performing a clearing operation on all the first permission types so that every first permission type becomes the first target permission type.
5. The authority control method according to claim 1, further comprising:
adding a default permission type to all the second permission control items; wherein the default permission types include ACE4_READ_ACL, ACE4_READ_ATTRIBUTES and ACE4_SYNCHRONIZE;
adding a second target permission type to the first permission type in the second permission control item corresponding to OWNER@; wherein the second target permission type includes ACE4_WRITE_ACL and ACE4_WRITE_ATTRIBUTES.
6. The authority control method according to any one of claims 1 to 5, further comprising:
acquiring all the second authority control items of the target object, mapping a second role type in each second authority control item to be a first role type, and mapping a second authority type in each second authority control item to be a first authority type so as to obtain a first authority control item corresponding to each second authority control item;
calculating an allowance mask and a rejection mask of the target object, and updating the first authority control item according to the allowance mask and the rejection mask;
and performing authority control on the target object by using the first authority control item.
7. The authority control method according to claim 6, wherein calculating the allowance mask and the rejection mask of the target object comprises:
calculating the allowance mask of the target object based on first target second authority control items; the first target second authority control items are the second authority control items of the allow type whose second role type is EVERYONE@, GROUP or GROUP@;
calculating the rejection mask of the target object based on second target second authority control items; the second target second authority control items are the second authority control items of the deny type whose second role type is EVERYONE@, GROUP or GROUP@.
8. An authority control device, comprising:
the acquisition module is used for acquiring all first authority control items of the target object; the first authority control item is an authority control item in a standard access control list, and the target object comprises a target file or a target directory;
the first mapping module is used for mapping the first role type in each first authority control item to be a second role type and mapping the first authority type in each first authority control item to be a second authority type so as to obtain a second authority control item corresponding to each first authority control item; wherein the second right control item is a right control item in an access control list conforming to the NFS v4 version;
and the first control module is used for performing authority control on the target object by using the second authority control item.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the authority control method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, carries out the steps of the authority control method according to any one of claims 1 to 7.
CN201911100943.0A 2019-11-12 2019-11-12 Authority control method and device, electronic equipment and storage medium Withdrawn CN110941599A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911100943.0A CN110941599A (en) 2019-11-12 2019-11-12 Authority control method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110941599A true CN110941599A (en) 2020-03-31

Family

ID=69907566

Country Status (1)

Country Link
CN (1) CN110941599A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106649600A (en) * 2016-11-25 2017-05-10 华为技术有限公司 Way, device and system of migrating file permissions
CN109740367A (en) * 2019-01-08 2019-05-10 郑州云海信息技术有限公司 A kind of mapping method of file system accesses control list
CN109740381A (en) * 2019-01-08 2019-05-10 郑州云海信息技术有限公司 A kind of authority control method across file system, device, equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114462076A (en) * 2021-12-31 2022-05-10 苏州浪潮智能科技有限公司 Method, device, equipment and medium for controlling file authority
CN114462076B (en) * 2021-12-31 2023-08-08 苏州浪潮智能科技有限公司 File permission control method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200331