CN111125674B - Open type data processing system, open type data system and data processing method - Google Patents


Info

Publication number: CN111125674B
Application number: CN201911330515.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111125674A
Inventors: 冯兴, 李静, 韩博文, 王海涛
Current assignee: China Unionpay Co Ltd
Original assignee: China Unionpay Co Ltd
Legal status: Active
Prior art keywords: user, data, server, target, cluster server

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G06F21/45 Structures or tools for the administration of authentication

Abstract

The application provides an open data processing system, an open data system and a data processing method, and relates to the field of data processing. The open data processing system includes an SSO platform, an AD server and a data cluster server. The SSO platform verifies the validity of a user according to the user's received input information; the AD server, when the user passes the SSO platform's validity verification, detects whether user identity information matching the user exists in the AD server; the data cluster server, when matching user identity information exists in the AD server, authenticates the user with the Kerberos protocol and, if the user passes, determines the user's access authority and outputs the target data requested by the user, and/or determines the user's operation authority and executes the target task requested by the user, where the target data matches the user's access authority and the target task matches the user's operation authority. With this technical scheme, the security of the open data processing system can be improved.

Description

Open type data processing system, open type data system and data processing method
Technical Field
The present application belongs to the field of data processing, and in particular, relates to an open data processing system, an open data system, and a data processing method.
Background
The data island phenomenon refers to the phenomenon that data are independently stored, maintained and independent from each other in different departments. However, with the rapid development of the information technology industry, the traditional application-centric data queuing manner is shifted to an information-centric distributed architecture manner. Data islanding gradually disappears, and the open sharing of data becomes a trend of the development of big data.
Because the open data system must exchange data with many external users, and some of the data in the open data system has high security requirements, such high-security data in present-day open data systems is easily leaked, which reduces the security of the open data system.
Disclosure of Invention
The embodiment of the application provides an open data processing system, an open data system and a data processing method, which can improve the safety of the open data processing system.
In a first aspect, an embodiment of the present application provides an open data processing system, including a Single Sign-On (SSO) platform, an Active Directory (AD) server, and a data cluster server;
the SSO platform is used for carrying out validity verification on the user according to the received input information of the user;
the AD server stores user identity information and is used for detecting whether the AD server has the user identity information matched with the user or not under the condition that the SSO platform passes the validity verification of the user;
the data cluster server is used for carrying out identity authentication on the user by using a Kerberos protocol under the condition that the AD server has user identity information matched with the user, determining the access authority of the user and outputting target data requested by the user if the user passes the identity authentication, and/or determining the operation authority of the user and executing a target task requested by the user,
the target data are stored in the data cluster server and matched with the access authority of the user, and the target task is matched with the operation authority of the user.
In a second aspect, an embodiment of the present application provides an open data system, including a user terminal and the open data processing system in the technical solution of the first aspect;
the user terminal is provided with a human-computer interaction interface, the human-computer interaction interface is used for responding to input operation of a user, jumping to the SSO platform and transmitting input information corresponding to the input operation to the SSO platform.
In a third aspect, an embodiment of the present application provides a data processing method based on an open data processing system, which is applied to the open data processing system in the technical solution of the first aspect, and the data processing method based on the open data processing system includes:
the SSO platform verifies the validity of the user according to the received input information of the user;
under the condition that the SSO platform passes the validity verification of the user, the AD server detects whether user identity information matched with the user exists in the AD server;
under the condition that the AD server has user identity information matched with the user, the data cluster server performs identity authentication on the user by using a Kerberos protocol, if the user passes the identity authentication, determines the access authority of the user, outputs target data requested by the user, and/or determines the operation authority of the user, executes a target task requested by the user,
the target data are stored in the data cluster server and matched with the access authority of the user, and the target task is matched with the operation authority of the user.
In a fourth aspect, an embodiment of the present application provides a data processing method based on an open data system, which is applied to the open data system in the technical solution of the second aspect, and the data processing method based on the open data system includes:
responding to the input operation of a user by a human-computer interaction interface of the user terminal, jumping to the SSO platform, and transmitting input information corresponding to the input operation to the SSO platform;
the SSO platform verifies the validity of the user according to the received input information of the user;
under the condition that the SSO platform passes the validity verification of the user, the AD server detects whether user identity information matched with the user exists in the AD server;
under the condition that the AD server has user identity information matched with the user, the data cluster server performs identity authentication on the user by using a Kerberos protocol, if the user passes the identity authentication, determines the access authority of the user, outputs target data requested by the user, and/or determines the operation authority of the user, executes a target task requested by the user,
the target data are stored in the data cluster server and matched with the access authority of the user, and the target task is matched with the operation authority of the user.
The embodiment of the application provides an open data processing system, an open data system and a data processing method, in which the SSO platform, the AD server and the Kerberos protocol in the data cluster server perform triple identity authentication on a user. Whether the user connects directly or accesses through an application interface, the data cluster server outputs the target data requested by the user that matches the user's access authority and/or executes the target task requested by the user that matches the user's operation authority only when the triple identity authentication is passed. In the embodiment of the application, the security of the whole process from login and access to data processing is ensured, and the risk of data leakage is reduced or even avoided, so the security of the open data processing system is improved.
Drawings
The present application may be better understood from the following description of specific embodiments thereof taken in conjunction with the accompanying drawings, in which like or similar reference numerals refer to like or similar features.
FIG. 1 is a block diagram of an open data processing system according to an embodiment of the present application;
FIG. 2 is a schematic structural diagram of an open data system according to an embodiment of the present application;
FIG. 3 is a flowchart of a data processing method based on an open data processing system according to an embodiment of the present application;
FIG. 4 is a flowchart of a data processing method based on an open data processing system according to another embodiment of the present application;
FIG. 5 is a flowchart of a data processing method based on an open data system according to an embodiment of the present application.
Detailed Description
Features and exemplary embodiments of various aspects of the present application will be described in detail below. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present application by illustrating examples thereof. The present application is in no way limited to any specific configuration and algorithm set forth below, but rather covers any modification, replacement or improvement of elements, components or algorithms without departing from the spirit of the present application. In the drawings and the following description, well-known structures and techniques are not shown in order to avoid unnecessarily obscuring the present application.
The embodiment of the application provides an open data processing system, an open data system and a data processing method, which can be applied to the scene of open data security sharing. By adopting the open data processing system, the open data system and the data processing method provided by the embodiment of the application, the safety of data and the system can be improved on the basis of data open sharing. The open data processing system, the open data system and the data processing method can be particularly applied to data centers in various fields, especially fields with high requirements on security, such as financial transaction fields, user information security fields and the like, and are not limited herein.
The embodiment of the application provides an open type data processing system. Fig. 1 is a schematic structural diagram of an open data processing system according to an embodiment of the present application. As shown in fig. 1, the open data processing system may include a Single Sign On (SSO) platform 11, an Active Directory (AD) server 12, and a data cluster server 13.
The SSO platform 11 is configured to perform validity verification on the user according to the received input information of the user. The SSO platform 11 implements the first layer of authentication for the user, and the input information of the user may include a user identifier and an authentication password. In some examples, the user's input information may also include a group identifier. The specific implementation of the user identifier, the authentication password, and the group identifier may be set according to the working scenario and working requirements, and is not limited herein. For example, in a scenario where the users are divided into a plurality of organizations, the user identifier may be implemented as a user name, the authentication password as a user password, and the group identifier as an organization code.
The SSO platform 11 can store the user identity information of registered users; a registered user whose authentication password matches is a legitimate user. If the validity verification of the SSO platform 11 is passed, the verification process of the AD server 12 may be entered. If the user fails the validity verification of the SSO platform 11, a prompt message may be fed back indicating that the user failed the validity verification.
The SSO platform 11 can also perform logout and authorization verification of the user, which is not limited herein.
Specifically, the SSO platform 11 may be configured to obtain, according to the received input information of the user, the Ukey certificate allocated to that user, and to perform validity verification on the user with the allocated Ukey certificate. The user can send an application to the SSO platform 11 during registration requesting that a Ukey certificate be distributed to the user; during identity authentication after the user logs in, validity verification is then carried out with the distributed Ukey certificate. Using the Ukey certificate further improves the security of the open data processing system.
AD server 12 stores user identity information, where the stored user identity information is that of registered users. The AD server 12 is configured to detect whether user identity information matching the user exists in the AD server 12 when the SSO platform 11 passes the validity verification of the user.
AD server 12 implements a second authentication of the user. If there is user identity information matching the user in the AD server 12, it indicates that the user passes the second authentication, and the data cluster server 13 is accessible. If there is no user identity information matching the user in AD server 12, a prompt may be fed back to prompt that the user is not authenticated.
The data cluster servers 13 are servers carrying data clusters, and the number of data cluster servers 13 in the open data processing system is not limited herein. In some examples, the data cluster may be a CDH (Cloudera's Distribution Including Apache Hadoop) data cluster. Correspondingly, the data cluster server 13 may be a CDH data cluster server 13. The CDH data cluster can support a variety of components, and the data cluster server 13 may have built-in components supported by the data cluster; the number and types of the components are not limited herein. For example, the components supported by the CDH data cluster may include one or more of Hive, Impala, HBase, Spark, and HDFS. Hive is a data warehouse tool. Impala is a query system. HBase is a distributed open-source database. Spark is a big data processing framework. HDFS is the Hadoop distributed file system.
The data cluster server 13 is configured to authenticate the user by using Kerberos protocol if there is user identity information matching the user in the AD server 12. If the user passes the identity authentication, the data cluster server 13 may determine the access authority of the user, thereby outputting the target data requested by the user and/or executing the target task requested by the user. Wherein the target data is stored in the data cluster server 13 and matched with the access rights of the user. And matching the target task with the operation authority of the user.
In the data cluster server 13, the user is authenticated again using the Kerberos protocol. In this third authentication process, the authority of the user is also verified. That is, when the user passes Kerberos authentication, the target data output by the data cluster server 13 at the user's request is data that matches the access authority of the user; even if the user requests data exceeding that access authority, the data cluster server 13 does not output it. Similarly, when the user passes Kerberos authentication, the target task executed by the data cluster server 13 at the user's request is a task matching the operation authority of the user; even if the user requests a task exceeding that operation authority, the data cluster server 13 will not execute it.
When the data cluster server 13 executes a target task requested by a user, it may specifically call a built-in component that matches the operation authority of the user to execute the target task. For example, the data cluster server 13 has the components Hive, Impala, HBase, Spark and HDFS built in, user a1 has operation authority for Hive, Impala and HBase, and if user a1 requests to connect to Hive to query table data, the data cluster may call Hive to perform user a1's table query task.
In some examples, the data cluster server 13 may load a keytab file through the kinit command and implement Kerberos identity authentication with the keytab file. If the loaded keytab file passes authentication, the user is determined to have passed identity authentication. The loaded keytab file is generated and allocated to the user in advance.
In other examples, the data cluster server 13 may implement identity authentication of the Kerberos protocol through an entered password. And if the input password passes the authentication, determining that the user passes the identity authentication.
Using the Kerberos protocol for identity authentication between the user (via the user terminal) and the data cluster server 13 provides a strong authentication service that resists eavesdropping and replay attacks and protects data integrity, further improving the security of the open data processing system.
In the embodiment of the present application, the user is subjected to triple identity authentication by the SSO platform 11, the AD server 12, and the Kerberos protocol in the data cluster server 13. Whether the user connects directly or accesses through an application interface, the data cluster server 13 outputs the target data requested by the user that matches the user's access authority and/or executes the target task requested by the user that matches the user's operation authority only when the triple authentication is passed. In the embodiment of the application, the security of the whole process from login and access to data processing is ensured, and the risk of data leakage is reduced or even avoided, so the security of the open data processing system is improved.
In the embodiment of the application, the functions of the AD server 12 and the Kerberos protocol are integrated in the open data processing system: users under the Kerberos protocol are managed and controlled by the AD server 12, and a system administrator can manage and maintain users through the AD server 12 without logging in to the data cluster server 13. This avoids any impact of mistakes during user management and maintenance on the operation of the data cluster server 13, improves the reliability of the open data processing system, and enables more flexible user management, secure access and permission separation.
In other embodiments of the present application, the data cluster server 13 may implement unified application of roles and groups in combination with Kerberos protocol and Sentry mechanism. Specifically, the data cluster server 13 is further configured to set a group based on a Kerberos protocol; establishing roles for users based on a Sentry mechanism, and giving authority to the roles so as to establish authority mapping relation between the roles and the authority; and establishing a mapping relation between the group and the roles of the users belonging to the group.
The type and level of the role can be set according to the working scene and the working requirement, and are not limited herein. For example, the roles may include a system administrator role, a group administrator role, and a user role, and the authority sizes of the system administrator role, the group administrator role, and the user role are sequentially decreased. The system administrator role may have the authority to assign permissions to the group administrator role and the user role.
The Sentry mechanism has the concept of roles but not groups, whereas the Kerberos protocol has the concept of groups but not roles. In the present application, groups and roles are combined by establishing a mapping relation between a group and the roles of the users belonging to that group, realizing the unified application of roles and groups. The users in each group can only access the data corresponding to their own group and cannot obtain the data corresponding to other groups, so permission separation is realized.
In the case that the user passes the identity authentication, the data cluster server 13 may specifically be configured to: determining a target group; inquiring a target role set in the established mapping relation between the groups and the roles, wherein the target role set comprises roles corresponding to the target groups; inquiring a target role in the target role set; and taking the authority corresponding to the target role in the authority mapping relation as the authority of the user.
Wherein the target group is a group to which the user belongs. The target role set includes roles corresponding to the target group. The target role is a role corresponding to the user.
A large number of users using an open data processing system may belong to multiple organizations, and the management of the organizations may be implemented using the concept of "groups" in an open data processing system, e.g., one group for each organization. Different levels of access control are realized through the combination mode of roles and groups, so that information leakage is further avoided, and data security is improved.
The authority includes access authority and/or operation authority. Because the Sentry mechanism is adopted, authority can be controlled at a chosen granularity. For example, the authority includes access authority, the access authority has a target data granularity, and the target data granularity is one or more of a database, a data table, a view and a field. That is, when a user accesses the open data processing system, the output target data can be data at any one or more of the database level, data table level, view level and field level. For another example, the authority includes operation authority, the operation authority has an operation granularity, and the operation granularity is one or more of a query operation, a delete operation, a create operation and an update operation. That is, when a user accesses the open data processing system, the executed target task can be any one or more of a query operation, a delete operation, a create operation and an update operation.
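To make the group-to-role-to-authority lookups described above concrete, the following is an added Python model; it is not the patent's code and not Sentry's API, and the groups, roles, Kerberos principals and database names are constructed for illustration. It also generalizes the text's single case to all four data granularities and all four operations, denying any request that exceeds the resolved authority.

```python
"""Group -> role -> authority resolution with database/table/view/field
granularity, in the style the page attributes to Kerberos groups plus Sentry
roles.  Added example: this is not the patent's code or Sentry's API, and the
groups, roles, principals and database names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Operation granularity named on the page
OPERATIONS = ("query", "delete", "create", "update")


@dataclass(frozen=True)
class Privilege:
    """One grant; the scope is the coarsest object that is not None
    (database > table or view > field)."""
    operation: str
    database: str
    table: Optional[str] = None    # None -> whole database
    column: Optional[str] = None   # None -> whole table or view

    def covers(self, operation, database, table=None, column=None):
        if self.operation != operation or self.database != database:
            return False
        if self.table is None:            # database-level grant
            return True
        if self.table != table:
            return False
        if self.column is None:           # table/view-level grant
            return True
        return self.column == column      # field-level grant


class AccessModel:
    """The mappings the description establishes: user -> group, user -> role,
    group -> roles usable in that group, role -> privileges."""

    def __init__(self):
        self.user_group = {}
        self.user_role = {}
        self.group_roles = {}
        self.role_privileges = {}

    def add_user(self, principal, group, role):
        self.user_group[principal] = group
        self.user_role[principal] = role

    def map_role_to_group(self, group, role):
        self.group_roles.setdefault(group, set()).add(role)

    def grant(self, role, privilege):
        self.role_privileges.setdefault(role, set()).add(privilege)

    def resolve(self, principal):
        """The four lookups from the text: target group, the role set mapped
        to it, the user's role inside that set, that role's privileges.  Runs
        only after the principal has passed Kerberos authentication."""
        group = self.user_group.get(principal)
        role = self.user_role.get(principal)
        if group is None or role is None:
            return frozenset()
        if role not in self.group_roles.get(group, set()):
            return frozenset()    # role not mapped into the user's group
        return frozenset(self.role_privileges.get(role, set()))

    def authorize(self, principal, operation, database, table=None, column=None):
        """True only if some resolved privilege covers the request; a request
        that exceeds the user's authority is refused rather than trimmed."""
        if operation not in OPERATIONS:
            return False
        return any(p.covers(operation, database, table, column)
                   for p in self.resolve(principal))


def build_demo_model():
    """Two organisations as two groups, each with its own root database."""
    m = AccessModel()
    m.map_role_to_group("org_a", "org_a_admin")
    m.map_role_to_group("org_a", "org_a_analyst")
    m.map_role_to_group("org_b", "org_b_analyst")
    # Analyst: field-level read of one column, database-level create
    m.grant("org_a_analyst", Privilege("query", "org_a_db", "trades", "amount"))
    m.grant("org_a_analyst", Privilege("create", "org_a_db"))
    # Group administrator: every operation on the whole org_a database
    for op in OPERATIONS:
        m.grant("org_a_admin", Privilege(op, "org_a_db"))
    m.grant("org_b_analyst", Privilege("query", "org_b_db"))
    m.add_user("a1@EXAMPLE.REALM", "org_a", "org_a_analyst")
    m.add_user("admin_a@EXAMPLE.REALM", "org_a", "org_a_admin")
    # Misconfiguration: a role that is not mapped into the user's own group
    m.add_user("b1@EXAMPLE.REALM", "org_b", "org_a_admin")
    return m
```

The misconfigured principal b1 resolves to no privileges at all, which is the behaviour a practitioner should verify: a role granted outside the group mapping must not leak authority across organizations.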
In some examples, the SSO platform 11 in the foregoing embodiments is further configured to send, if it is determined that the user is a new user, a call request to the AD server 12, so as to call the AD server 12 to implement registration of the user. The SSO platform 11 can detect whether the user is registered during the process of verifying the validity of the user, and if the user is not registered and requests registration, it can be determined that the user is a new user. Registration of the user is achieved by calling AD server 12.
The SSO platform 11 stores user identity information. To ensure the accuracy of the SSO platform 11's validity verification and of the AD server 12's identity verification, the SSO platform 11 and the AD server 12 can synchronize user identity information with each other at regular intervals, keeping user identity information and permission changes up to date. The synchronization interval between the SSO platform 11 and the AD server 12 can be determined according to the number of users in the AD server 12 and other factors, and is not limited herein. For example, the user identity information between the SSO platform 11 and the AD server 12 can be synchronized daily.
In some examples, AD server 12 may also be configured to set the validity duration of a user's authentication password during the user's registration. The validity duration may be set according to the specific work scenario and requirements, and is not limited herein. For example, the validity duration of the authentication password may be configured as three months. If the authentication password has expired, the validity duration can be extended by sending a validity duration extension request to the open data processing system. AD server 12 receives the extension request and can determine, based on it, whether to extend the validity duration and by how much. Because the validity duration of the user's authentication password can be flexibly configured according to business requirements, the operation and maintenance workload of the open data processing system is reduced, the frequency of password updates is balanced against the user's data security, and the user experience is improved to a certain extent.
In some examples, the data cluster server 13 in the above embodiments is further configured to trigger to invoke an Application Programming Interface (API) to generate a keytab file of the user if it is determined that the user is a new user. Wherein, the API can be determined according to the programming language of the open data processing system, for example, Java API can be used.
Users need to pass the authentication of Kerberos protocol to access data or execute tasks in the open data processing system, so each user is configured with a respective keytab file. When a new user appears, a keytab file needs to be provided for the new user. When the user is determined to be a newly added user, the data cluster server 13 is triggered to automatically generate the keytab file of the user, the keytab file does not need to be generated manually, and the working efficiency is improved.
In some examples, the data cluster server 13 has an execution container built in. The data cluster server 13 is installed with a System Security Services Daemon (SSSD) tool. The data cluster server 13 may also be configured to communicate with the AD server 12, and synchronize user identity information in the AD server 12 to the respective execution containers using the SSSD tool.
Because an operating system such as Linux enforces user permission limits, when a user submits a task to an execution container, the task must switch to that user's directory before carrying out the subsequent Kerberos authentication, task execution and so on. But there is only one copy of the user identity information, in AD server 12, while there are multiple execution containers. In the embodiment of the application, the user identity information is synchronized to each execution container, so it does not need to be synchronized manually on the execution containers during subsequent Kerberos authentication and task execution, and working efficiency is improved.
In some examples, data cluster server 13 has YARN installed, which is used to establish data queues. In the data cluster server 13, the data corresponding to one group is stored in at least one data queue, and the data corresponding to different groups is stored in different data queues. The different data queues are independent of each other. The data queues established by YARN are used to isolate the data resources of different groups of users; one group corresponds to one organization, so that multiple organizations sharing one open data processing system can be independent of and unaffected by each other, data resources are distributed uniformly and flexibly, and user management is more convenient.
Further, the data queue may be correspondingly set with a service priority and/or a group priority. The data cluster server 13 may respond to the user's request according to the data queue's service priority and/or group priority, and manage the data queue according to the data queue's service priority and/or group priority.
In some examples, the data cluster server 13 is further configured to establish a directory of the data in the data cluster server 13 using the Lightweight Directory Access Protocol (LDAP). The root directories of the data corresponding to different groups are different, and under a root directory the databases of the data corresponding to different users in the same group are different. That is, the private data spaces of different groups can be isolated by setting different root directories, and each group can manage the users and permissions of its private data space itself. One group corresponds to one organization, so that multiple organizations sharing one open data processing system can be independent of each other.
In some examples, the AD server 12 includes a primary AD server 12 and a standby AD server 12, and the standby AD server 12 may implement the verification operation of the AD server 12 in the embodiment of the present application in the case that the primary AD server 12 fails, so as to ensure the reliability of the verification operation of the AD server 12.
The data cluster server 13 includes a Kerberos module for running the Kerberos protocol. The Kerberos module comprises a main Kerberos module and a standby Kerberos module. The authentication operation of the Kerberos protocol can be realized by the standby Kerberos module under the condition that the main Kerberos module fails, so that the reliability of the authentication operation of the Kerberos protocol is ensured.
In the embodiment of the present application, the data cluster server 13 stores first data and second data, where the first data and the second data are stored in different storage intervals in the data cluster server 13. The first data comprises detail data and/or sensitive data. The second data is the first data after the desensitization operation. The detail data and/or the sensitive data relate to the personal privacy of the user and are data that must not be revealed. Desensitization refers to technical processing of the first data such that the specific detail data and/or sensitive data cannot be recovered from the processed result. In some examples, the second data may be obtained by desensitizing the first data using the SM3 cryptographic hash algorithm.
In some examples, the data cluster server 13 further stores a correspondence of the first data and the second data.
It is noted that the target data includes one or more of public data, summary data, desensitized detail data and desensitized sensitive data. Public data is data that may be disclosed. Summary data is aggregated data. Neither public data nor summary data relates to the privacy of the user. Desensitized detail data is detail data after the desensitization operation; desensitized sensitive data is sensitive data after the desensitization operation. The detail data and the sensitive data relate to the user's personal privacy, but the desensitized detail data and the desensitized sensitive data do not reveal the user's personal privacy.
In some examples, in a transaction scenario, the public data may include merchant public data, institution public data, and the like. Summary data may include institutional summary data, personal summary data, merchant summary data, and the like. The detail data may include transaction details, etc. Correspondingly, the desensitization detail data comprises desensitized transaction details. The sensitive data may include a user card number, a user phone number, a user certificate number, and the like. Desensitization sensitive data may include desensitized user card numbers, desensitized user phone numbers, desensitized user credential numbers, and the like.
In the embodiment of the present application, the data cluster server 13 does not output the detail data and the sensitive data without desensitization processing to the outside, so as to implement control on data security from a data source.
The data cluster server 13 includes an audit module. The audit module is used for detecting whether the target data to be output includes detail data or sensitive data that has not undergone the desensitization operation, and for refusing to output the target data if it does.
Whether the data is output through an API or transmitted externally through an internal File Transfer Protocol (FTP) service, detail data or sensitive data that has not been desensitized cannot pass the audit. For management convenience, in some examples, downloads of target data with fewer than 1000 records or a size of less than 1 MB can be completed through automatic auditing.
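The audit module and the automatic-audit threshold just described can be illustrated with the following added example, which is not code from the patent or from the applicant. It checks two things before an export is allowed: every column classified as sensitive must hold a desensitized value, and no raw identifier may appear anywhere in the output, including free-text columns. The column names, the accepted token shapes (a 64-hex keyed-hash digest or a masked value containing '*'), the identifier formats (18-character PRC ID numbers, 11-digit PRC mobile numbers, 13 to 19 digit Luhn-valid card numbers) and the sample records are all assumptions of this example.

```python
"""Output audit: refuse any export that still carries raw detail or sensitive values."""
import json
import re
from dataclasses import dataclass, field

AUTO_AUDIT_MAX_ROWS = 1000          # thresholds quoted in the description above
AUTO_AUDIT_MAX_BYTES = 1024 * 1024

# Assumed column classification and token shapes (not from the patent).
SENSITIVE_FIELDS = ("card_no", "phone", "cert_no", "txn_detail")
TOKEN_RE = re.compile(r"\A[0-9a-f]{64}\Z")

# Content detectors, most specific first; each match is blanked before the next pass
# so an 18-character ID number is not re-reported as a card number.
CERT_RE = re.compile(r"(?<!\w)\d{17}[\dXx](?!\w)")
PHONE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn check used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


DETECTORS = (("cert_no", CERT_RE, lambda s: True),
             ("phone", PHONE_RE, lambda s: True),
             ("card_no", CARD_RE, luhn_ok))


def find_raw_values(text):
    """Return (kind, value) pairs for raw identifiers found anywhere in a value."""
    hits = []
    for kind, rx, accept in DETECTORS:
        def blank(m, kind=kind, accept=accept):
            if not accept(m.group()):
                return m.group()
            hits.append((kind, m.group()))
            return " " * len(m.group())
        text = rx.sub(blank, text)
    return hits


def is_desensitized(value):
    return bool(TOKEN_RE.match(value)) or "*" in value


@dataclass
class AuditResult:
    decision: str                  # "reject", "auto_approved" or "manual_review"
    rows: int
    size_bytes: int
    findings: list = field(default_factory=list)


def audit_output(records, sensitive_fields=SENSITIVE_FIELDS):
    """Audit a list of output records (dicts). Any finding rejects the whole export."""
    findings = []
    for idx, rec in enumerate(records):
        for name, val in rec.items():
            sval = "" if val is None else str(val)
            if name in sensitive_fields and sval and not is_desensitized(sval):
                findings.append((idx, "field_not_desensitized", name))
            for kind, raw in find_raw_values(sval):
                findings.append((idx, kind, raw))
    rows = len(records)
    size = len(json.dumps(records, ensure_ascii=False, default=str).encode("utf-8"))
    if findings:
        return AuditResult("reject", rows, size, findings)
    # The description says "fewer than 1000 records or less than 1 MB"; this follows that wording.
    if rows < AUTO_AUDIT_MAX_ROWS or size < AUTO_AUDIT_MAX_BYTES:
        return AuditResult("auto_approved", rows, size)
    return AuditResult("manual_review", rows, size)
```

The content scan matters because a column-level policy alone misses a card number pasted into a remark field. The threshold test follows the page's "or"; reading it as "and" (both fewer than 1000 records and under 1 MB) is the stricter choice and is a one-word change.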
Furthermore, the data transmission between the open data processing system and the external, such as file transmission, can be completed through a dedicated unified file transceiving system and transmitted through a dedicated communication channel.
The open data processing system can also adopt white list control, user flow control and other modes, and the safety of the open data processing system is further improved.
In order to improve the security of the open data processing system, the open data processing system may be disposed in a core production area of the data center, so as to reduce the risk of the open data processing system being attacked.
The operation of the open data processing system is recorded in a log, so that problems can be traced subsequently by searching the records in the log.
The embodiment of the application also provides an open data system. Fig. 2 is a schematic structural diagram of an open data system according to an embodiment of the present application. As shown in fig. 2, the open data system may include a user terminal 21 and the open data processing system 10 in the above embodiments.
Wherein the user terminal 21 has a human-machine interaction interface. The human-computer interaction interface is used for responding to input operation of a user, jumping to the SSO platform 11, and transmitting input information corresponding to the input operation to the SSO platform 11.
For details of the open data processing system 10, reference may be made to the related description in the above embodiments, and further description is omitted here.
In some examples, to further avoid data leakage and improve the security of the open data system, the user terminal 21 needs to communicate with the open data system through a dedicated communication channel.
In the embodiment of the application, the user jumps to the SSO platform 11 through the user terminal 21, which triggers the SSO platform 11, the AD server 12 and the Kerberos protocol in the data cluster server 13 to perform triple identity authentication on the user. Whether the user connects directly or accesses through an application interface, the data cluster server 13 outputs the target data requested by the user and matching the user's access authority, and/or executes the target task requested by the user and matching the user's operation authority, only if the triple authentication is passed. In the embodiment of the application, the security of the whole process from login access to data processing is ensured for the user, and the risk of data leakage is reduced or even avoided, so that the security of the open data processing system 10 is improved.
The open data processing system 10 and the open data system provided in the embodiments of the present application perform security management in the whole process from data source access control, data security processing, to data output, and thus ensure the security of the open data processing system 10 and the open data system.
In the above embodiment, other technologies such as OpenLDAP may also be used to implement authentication of the user, and other permission control components, encryption algorithms and the like may be used to implement permission allocation and desensitization of the user's data, which is not limited herein.
The application also provides a data processing method based on the open data processing system, which can be particularly applied to the open data processing system in the embodiment. Fig. 3 is a flowchart of a data processing method based on an open data processing system according to an embodiment of the present application. As shown in fig. 3, the data processing method based on the open data processing system may include steps S301 to S304.
In step S301, the SSO platform performs validity verification on the user according to the received input information of the user.
In some examples, the input information includes a group identification, a user identification, and an authentication password.
In step S302, if the SSO platform passes the validity verification of the user, the AD server detects whether there is user identity information matching the user in the AD server.
In step S303, in the case that there is user identity information matching the user in the AD server, the data cluster server performs identity authentication on the user using the Kerberos protocol.
In step S304, if the user passes the identity authentication, the access right of the user is determined, and the target data requested by the user is output, and/or the operation right of the user is determined, and the target task requested by the user is executed.
The target data are stored in the data cluster server and are matched with the access authority of the user. And matching the target task with the operation authority of the user. In some examples, the target data includes one or more of public data, summary data, desensitization detail data, desensitization sensitive data.
In order to improve security, the first data and the second data in the data cluster server are stored in different storage intervals. The first data comprises detail data and/or sensitive data. The second data is the first data after the desensitization operation. The outputting of the target data requested by the user in step S304 may be implemented by the data cluster server acquiring and outputting the target data from the storage interval that stores the second data.
In the embodiment of the application, the SSO platform, the AD server and the Kerberos protocol in the data cluster server perform triple identity authentication on the user. Whether the user connects directly or accesses through an application interface, the data cluster server outputs the target data requested by the user and matching the user's access authority, and/or executes the target task requested by the user and matching the user's operation authority, only if the triple identity authentication is passed. In the embodiment of the application, the security of the whole process from login access to data processing is ensured for the user, and the risk of data leakage is reduced or even avoided, so that the security of the open data processing system is improved.
In some examples, the above target task of performing the user request may be specifically implemented as: and the data cluster server calls a component which is arranged in the data cluster server and matched with the operation authority of the user to execute the target task.
The components may include one or more of Hive, Impala, HBase, Spark, HDFS.
Fig. 4 is a flowchart of a data processing method based on an open data processing system according to another embodiment of the present application. Fig. 4 is different from fig. 3 in that step S301 in fig. 3 can be specifically detailed as step S3011 in fig. 4, step S303 in fig. 3 can be specifically detailed as step S3031 and step S3032 in fig. 4, and the data processing method based on the open data processing system shown in fig. 4 can further include step S305 and step S306.
In step S3011, the SSO platform obtains the Ukey certificate allocated to the user according to the received input information of the user, and performs validity verification on the user by using the allocated Ukey certificate.
In step S3031, the data cluster server loads the keytab file through a kinit command.
In step S3032, if the loaded keytab file passes the authentication, the data cluster server determines that the user passes the identity authentication.
In step S305, the data cluster server detects whether the target data to be output includes detail data or sensitive data that has not undergone the desensitization operation;
in step S306, if the target data to be output includes detail data or sensitive data that has not undergone the desensitization operation, the data cluster server refuses to output the target data.
In still other embodiments, the data cluster servers may set up groups based on the Kerberos protocol. The data cluster server establishes roles for users based on a Sentry mechanism and gives authority to the roles so as to establish authority mapping relation between the roles and the authority. The data cluster server establishes a mapping relationship between the group and the roles of the users belonging to the group. Wherein the rights include access rights and/or operation rights.
Correspondingly, in the above embodiment, if the user passes the identity authentication in step S304, the determining of the access right of the user may be specifically detailed as: if the user passes the identity authentication, the data cluster server determines a target group; the data cluster server inquires a target role set in the established mapping relation between the groups and the roles; the data cluster server inquires a target role in the target role set; and the data cluster server takes the authority corresponding to the target role in the authority mapping relation as the authority of the user.
Wherein the target group is a group to which the user belongs. The target role set includes roles corresponding to the target group. The target role is a role corresponding to the user.
In particular, in some examples, the rights in the above embodiments include access rights including a target data granularity including one or more of a database, a data table, a view, a field.
In other examples, the permissions include operational permissions including operational granularity including one or more of lookup operations, delete operations, create operations, update operations.
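The group, role and permission mappings of the preceding paragraphs (group from the Kerberos identity, target role set looked up from the group, permission taken from the role, with data granularity down to database, table, view or field and operation granularity of lookup, delete, create and update) can be illustrated with the following added example. It is not code from the patent, from the applicant or from Apache Sentry; it is a small in-memory resolver with the same shape, and the principal-to-user mapping, group names, databases and grants are constructed for the example.

```python
"""Group -> role -> privilege resolution in the style of the Sentry-based scheme described above."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Privilege:
    """One grant. A None table means the whole database; a None column means the whole table or view."""
    action: str                    # "lookup", "update", "create", "delete" or "all"
    database: str
    table: Optional[str] = None
    column: Optional[str] = None

    def covers(self, action, database, table=None, column=None):
        if self.action not in ("all", action):
            return False
        if self.database != database:
            return False
        if self.table is not None and self.table != table:
            return False
        # A column-level grant never covers a request for the whole table or another column.
        if self.column is not None and self.column != column:
            return False
        return True


def local_name(principal):
    """Map a Kerberos principal such as alice/analyst@EXAMPLE.COM to the local user alice.
    This keeps only the primary component; it is an assumption of this example and mirrors
    only the simplest auth_to_local rule."""
    return principal.split("@", 1)[0].split("/", 1)[0]


class RoleMapper:
    def __init__(self):
        self.user_groups = {}   # user -> set of groups (from AD/Kerberos on the page; constructed here)
        self.group_roles = {}   # group -> set of roles (the group-to-role mapping)
        self.role_privs = {}    # role -> set of Privilege (the "authority mapping relation")

    def add_user(self, user, *groups):
        self.user_groups.setdefault(user, set()).update(groups)

    def create_role(self, role):
        self.role_privs.setdefault(role, set())

    def grant_role_to_group(self, role, group):
        if role not in self.role_privs:
            raise KeyError("unknown role %r; create it first" % role)
        self.group_roles.setdefault(group, set()).add(role)

    def revoke_role_from_group(self, role, group):
        self.group_roles.get(group, set()).discard(role)

    def grant(self, role, priv):
        self.role_privs[role].add(priv)

    def roles_for(self, user):
        """The target role set: the union of the roles of every group the user belongs to."""
        roles = set()
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def privileges_for(self, user):
        privs = set()
        for role in self.roles_for(user):
            privs |= self.role_privs.get(role, set())
        return privs

    def is_allowed(self, user, action, database, table=None, column=None):
        """Default deny: a request passes only if some privilege of some role covers it."""
        return any(p.covers(action, database, table, column) for p in self.privileges_for(user))


def demo_policy():
    """Two organisations (groups) sharing one cluster; all names are constructed sample data."""
    m = RoleMapper()
    m.add_user(local_name("alice@EXAMPLE.COM"), "org_a_analysts")
    m.add_user(local_name("bob@EXAMPLE.COM"), "org_b_analysts")
    m.create_role("org_a_reader")
    m.grant_role_to_group("org_a_reader", "org_a_analysts")
    m.grant("org_a_reader", Privilege("lookup", "org_a", "txn_summary"))
    m.grant("org_a_reader", Privilege("lookup", "org_a", "txn_detail_desens", "amount"))
    m.create_role("org_b_reader")
    m.grant_role_to_group("org_b_reader", "org_b_analysts")
    m.grant("org_b_reader", Privilege("all", "org_b"))
    return m
```

Two properties are worth checking in any real deployment of this shape: a column-level grant must not widen into the table (otherwise a field-level view of desensitized detail data silently exposes the other fields), and revoking a role from a group must take effect for every member without touching users individually.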
In some embodiments, new users may be present in the open data processing system. Correspondingly, the data processing method based on the open data processing system may further include: and the SSO platform determines that the user is a new user, and sends a calling request to the AD server to call the AD server to realize the registration of the user.
In some examples, the SSO platform stores user identity information. Correspondingly, the data processing method based on the open data processing system may further include: and the SSO platform and the AD server synchronize user identity information with each other at regular time.
In some examples, the data processing method based on the open data processing system may further include: and the AD server configures the effective duration of the authentication password of the user in the registration process of the user.
In some examples, the data processing method based on the open data processing system may further include: and the data cluster server determines that the user is a newly added user, and triggers and calls an application programming interface to generate a keytab file of the user.
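Steps S3031 and S3032 above authenticate a user by loading a keytab with kinit, and the paragraph just above generates a keytab for each new user; the keytab is therefore a long-term credential that ends up on the execution containers. The following added example, which is not code from the patent or from the applicant, parses the MIT keytab format (version 0x0502) and audits what a cluster operator would check before trusting such files: the principals and realm they hold, the key version, deprecated encryption types (DES per RFC 6649, RC4 and 3DES per RFC 8429) and the file mode. The builder exists only so that the example runs offline on constructed entries; real keytabs come from kadmin, ktutil or the API the page mentions.

```python
"""Parse and audit MIT-format keytab files (version 0x0502, big-endian fields)."""
import os
import stat
import struct
from dataclasses import dataclass

# Enctype numbers from RFC 3961 / RFC 4120 registrations.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
}
DEPRECATED_ENCTYPES = {1, 3, 16, 23}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key_len: int


def _cos(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries, timestamp=0):
    """Serialize (principal, kvno, enctype, key) tuples; used here only to construct test input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode("utf-8"))
        for c in comps:
            body += _cos(c.encode("utf-8"))
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cos(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno; the 8-bit field above wraps at 256
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


class _Cursor:
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def take(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def cos(self):
        (n,) = self.take(">H")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def parse_keytab(data):
    """Return the live entries of a keytab; key bytes are not retained, only their length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                   # a negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        cur = _Cursor(data, pos)
        (ncomp,) = cur.take(">H")
        realm = cur.cos().decode("utf-8")
        comps = [cur.cos().decode("utf-8") for _ in range(ncomp)]
        _name_type, ts, vno8 = cur.take(">IIB")
        (enctype,) = cur.take(">H")
        key = cur.cos()
        kvno = vno8
        if pos + size - cur.pos >= 4:   # optional 32-bit kvno, preferred when present and non-zero
            (vno32,) = cur.take(">I")
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts, len(key)))
        pos += size
    return entries


def audit_entries(entries, expected_realm):
    problems = []
    for e in entries:
        if e.enctype in DEPRECATED_ENCTYPES:
            problems.append("%s: deprecated enctype %s" % (e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype)))
        if not e.principal.endswith("@" + expected_realm):
            problems.append("%s: principal outside realm %s" % (e.principal, expected_realm))
    return problems


def mode_problems(mode):
    """A keytab is a long-term key; any group or other permission bit is a finding."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["keytab mode %04o is accessible to group or others" % stat.S_IMODE(mode)]
    return []


def audit_keytab_file(path, expected_realm):
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    return mode_problems(os.stat(path).st_mode) + audit_entries(entries, expected_realm)
```

Run `audit_keytab_file("/path/to/user.keytab", "EXAMPLE.COM")` on each execution container; an empty list means the file holds only in-realm principals with current enctypes and is readable by its owner alone. The 8-bit and 32-bit kvno handling is the edge case that trips up hand-written parsers once a principal has been rekeyed more than 255 times.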
In some examples, the data cluster server has an execution container built in. And the data cluster server is provided with a system security service daemon SSSD tool. Correspondingly, the data processing method based on the open data processing system further includes: and the data cluster server is communicated with the AD server, and the SSSD tool is utilized to synchronize the user identity information in the AD server to each execution container.
In a data cluster server, data may be stored in a data queue. For example, in a data cluster server, data corresponding to one group is stored in at least one data queue, and data corresponding to different groups is stored in different data queues. Correspondingly, the target data requested by the user in step S304 in the foregoing embodiment may be implemented as: the data cluster server determines a group to which the user belongs and searches a data queue corresponding to the group to which the user belongs; and acquiring and outputting target data from the data queue corresponding to the user group.
In the data cluster server, the storage of data can be recorded by means of a directory. For example, the root directories of the data corresponding to different groups are different, and under a root directory the databases of the data corresponding to different users in the same group are different. Correspondingly, the outputting of the target data requested by the user in step S304 in the foregoing embodiment may be implemented as: the data cluster server determines the group to which the user belongs and searches for the root directory corresponding to that group; searches for the database corresponding to the user under that root directory; and acquires and outputs the target data from the database corresponding to the user.
The embodiment of the application also provides a data processing method based on the open data system, which can be applied to the open data system in the embodiment. Fig. 5 is a flowchart of a data processing method based on an open data system according to an embodiment of the present application. As shown in fig. 5, the data processing method based on the open data system may include steps S401 to S405.
In step S401, the human-computer interface of the user terminal responds to the input operation of the user, jumps to the SSO platform, and transmits input information corresponding to the input operation to the SSO platform.
In step S402, the SSO platform performs validity verification on the user according to the received input information of the user.
In step S403, if the SSO platform passes the validity verification of the user, the AD server detects whether there is user identity information matching the user in the AD server.
In step S404, in the case that there is user identity information matching the user in the AD server, the data cluster server performs identity authentication on the user using the Kerberos protocol.
In step S405, if the user passes the identity authentication, the data cluster server determines the access right of the user, outputs the target data requested by the user, and/or determines the operation right of the user, and executes the target task requested by the user.
The target data are stored in the data cluster server and are matched with the access authority of the user. And matching the target task with the operation authority of the user.
In the embodiment of the application, the user jumps to the SSO platform through the user terminal, which triggers the SSO platform, the AD server and the Kerberos protocol in the data cluster server to perform triple identity authentication on the user. Whether the user connects directly or accesses through an application interface, the data cluster server outputs the target data requested by the user and matching the user's access authority, and/or executes the target task requested by the user and matching the user's operation authority, only if the triple identity authentication is passed. In the embodiment of the application, the security of the whole process from login access to data processing is ensured for the user, and the risk of data leakage is reduced or even avoided, so that the security of the open data processing system is improved.
In the data processing method based on the open data system in the embodiment of the present application, the method executed by the open data processing system may refer to the data processing method based on the open data processing system in the above embodiment, and details are not described herein again.
It should be clear that the embodiments in this specification are described in a progressive manner, and the same or similar parts in the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. For the open data system embodiments, method embodiments, reference may be made to the description of the open data processing system embodiments for relevant points. The present application is not limited to the particular steps and structures described above and shown in the drawings. Those skilled in the art may make various changes, modifications and additions or change the order between the steps after appreciating the spirit of the present application. Also, a detailed description of known process techniques is omitted herein for the sake of brevity.
It will be appreciated by persons skilled in the art that the above embodiments are illustrative and not restrictive. Different features which are present in different embodiments may be combined to advantage. Other variations to the disclosed embodiments can be understood and effected by those skilled in the art upon studying the drawings, the specification, and the claims. In the claims, the term "comprising" does not exclude other means or steps; the indefinite article "a" does not exclude a plurality; the terms "first" and "second" are used to denote a name and not to denote any particular order. Any reference signs in the claims shall not be construed as limiting the scope. The functions of the various parts appearing in the claims may be implemented by a single hardware or software module. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims (43)

1. An open data processing system is characterized by comprising a single sign-on (SSO) platform, an Active Directory (AD) server and a data cluster server;
the SSO platform is used for carrying out validity verification on the user according to the received input information of the user;
the AD server stores user identity information and is used for detecting whether the AD server has the user identity information matched with the user or not under the condition that the SSO platform passes the validity verification of the user;
the data cluster server is used for carrying out identity authentication on the user by using a Kerberos protocol under the condition that user identity information matched with the user exists in the AD server, determining the access authority of the user and outputting target data requested by the user if the user passes the identity authentication, and/or determining the operation authority of the user and executing a target task requested by the user,
the target data are stored in the data cluster server and matched with the access authority of the user, and the target task is matched with the operation authority of the user.
2. The system according to claim 1, wherein the data cluster server is specifically configured to invoke a component built in the data cluster server and matching the operation authority of the user to execute the target task.
3. The system according to claim 1 or 2, wherein the data cluster server is specifically configured to load a keytab file through a kinit command, and if the loaded keytab file passes the authentication, to determine that the user passes the identity authentication.
4. The system of claim 1, wherein the SSO platform is specifically configured to obtain, according to the received input information of the user, the Ukey certificate assigned to the user, and perform validity verification on the user by using the assigned Ukey certificate.
5. The system of claim 1, wherein one or more components of Hive, Impala, HBase, Spark, and HDFS are built in the data cluster server.
6. The system of claim 1, wherein the data cluster server is further configured to:
setting a group based on a Kerberos protocol;
creating roles for users based on a Sentry mechanism, and giving permissions to the roles so as to establish a permission mapping relation between the roles and the permissions, wherein the permissions comprise the access permissions and/or the operation permissions;
a mapping relationship between a group and roles of users belonging to the group is established.
7. The system of claim 6, wherein the data cluster server is specifically configured to:
if the user passes the identity authentication, determining a target group, wherein the target group is a group to which the user belongs;
inquiring a target role set in the established mapping relation between the group and the role, wherein the target role set comprises the role corresponding to the target group;
querying a target role in the target role set, wherein the target role is the role corresponding to the user;
and taking the authority corresponding to the target role in the authority mapping relation as the authority of the user.
8. The system of claim 6 or 7,
the access rights comprise a target data granularity comprising one or more of a database, a data table, a view, a field;
the operation authority comprises operation granularity, and the operation granularity comprises one or more of searching operation, deleting operation, creating operation and updating operation.
9. The system of claim 1, wherein the SSO platform is further configured to send a call request to the AD server to call the AD server to register the user if the user is determined to be a new user.
10. The system according to claim 9, wherein the AD server is further configured to configure a valid duration of the user's authentication password during the registration of the user.
11. The system of claim 3, wherein the data cluster server is further configured to trigger an application programming interface to generate a keytab file for the user if the user is determined to be a new user.
12. The system of claim 1, wherein the data cluster server has an execution container built in, and wherein the data cluster server has a system security service daemon SSSD tool installed,
the data cluster server is further configured to communicate with the AD server, and synchronize user identity information in the AD server to each of the execution containers using the SSSD tool.
13. The system of claim 6, wherein the data cluster server is installed with a yarn for establishing a data queue,
in the data cluster server, data corresponding to one group is stored in at least one data queue, and data corresponding to different groups are stored in different data queues.
14. The system according to claim 13, wherein the data queue is correspondingly set with a traffic priority and/or a group priority.
15. The system of claim 6, wherein the data cluster server is further configured to establish a directory of data in the data cluster server using lightweight directory access protocol LDAP,
the root directories of the data corresponding to different groups are different, and the databases of the data corresponding to different users in the same group under the root directories are different.
16. The system of claim 1 or 9, wherein the SSO platform stores user identity information,
and the SSO platform and the AD server synchronize user identity information with each other at regular time.
17. The system of claim 1,
the AD server comprises a main AD server and a standby AD server;
the data cluster server comprises a Kerberos module for running a Kerberos protocol, wherein the Kerberos module comprises a main Kerberos module and a standby Kerberos module.
18. The system according to claim 1, wherein first data and second data in the data cluster server are stored in different storage intervals, the first data includes detail data and/or sensitive data, and the second data is the first data after desensitization operation;
the data cluster server also stores the corresponding relation between the first data and the second data.
19. The system of claim 1, wherein the target data comprises one or more of public data, summary data, desensitization detail data, desensitization sensitive data.
20. The system of claim 1, wherein the input information comprises a group identification, a user identification, and an authentication password.
21. The system according to claim 1, wherein the data cluster server comprises an auditing module, and the auditing module is configured to detect whether the target data to be output includes detailed data of an un-desensitized operation or sensitive data of an un-desensitized operation, and reject to output the target data if the target data to be output includes detailed data of an un-desensitized operation or sensitive data of an un-desensitized operation.
22. An open data system comprising a user terminal and an open data processing system according to any one of claims 1 to 21;
the user terminal is provided with a human-computer interaction interface, and the human-computer interaction interface is used for responding to input operation of a user, jumping to the SSO platform and transmitting input information corresponding to the input operation to the SSO platform.
23. The system of claim 22, wherein the user terminal communicates with the open data system via a dedicated communication channel.
24. A data processing method based on an open data processing system, which is applied to the open data processing system according to any one of claims 1 to 21, the method comprising:
the SSO platform carries out validity verification on the user according to the received input information of the user;
under the condition that the SSO platform passes the validity verification of the user, the AD server detects whether user identity information matched with the user exists in the AD server or not;
under the condition that user identity information matched with the user exists in the AD server, the data cluster server performs identity authentication on the user by using a Kerberos protocol, if the user passes the identity authentication, the access authority of the user is determined, target data requested by the user is output, and/or the operation authority of the user is determined, and a target task requested by the user is executed,
the target data are stored in the data cluster server and matched with the access authority of the user, and the target task is matched with the operation authority of the user.
25. The method of claim 24, wherein performing the user requested target task comprises:
and the data cluster server calls a component which is arranged in the data cluster server and matched with the operation authority of the user to execute the target task.
26. The method of claim 25, wherein the component comprises one or more of Hive, Impala, HBase, Spark, and HDFS.
27. The method of claim 24 or 25, wherein the data cluster server authenticates the user using Kerberos protocol, comprising:
the data cluster server loads a keytab file through a kinit command;
and if the loaded keytab file passes the authentication, the data cluster server determines that the user passes the identity authentication.
28. The method of claim 24, wherein the SSO platform performs validity verification on the user according to the received input information of the user, comprising:
and the SSO platform acquires the Ukey certificate distributed for the user according to the received input information of the user, and carries out validity verification on the user by using the distributed Ukey certificate.
29. The method of claim 24, further comprising:
the data cluster server sets a group based on a Kerberos protocol;
the data cluster server establishes a role for a user based on a Sentry mechanism and gives authority to the role so as to establish an authority mapping relation between the role and the authority;
the data cluster server establishes a mapping relation between a group and roles of users belonging to the group;
wherein the rights comprise the access rights and/or the operation rights.
30. The method of claim 29, wherein determining the access rights of the user if the user passes the identity authentication comprises:
if the user passes the identity authentication, the data cluster server determines a target group, wherein the target group is a group to which the user belongs;
the data cluster server inquires a target role set in the established mapping relation between the group and the role, wherein the target role set comprises the role corresponding to the target group;
the data cluster server inquires a target role in the target role set, wherein the target role is the role corresponding to the user;
and the data cluster server takes the authority corresponding to the target role in the authority mapping relation as the authority of the user.
31. The method of claim 29 or 30,
the access rights comprise a target data granularity comprising one or more of a database, a data table, a view, a field;
the operation authority comprises operation granularity, and the operation granularity comprises one or more of searching operation, deleting operation, creating operation and updating operation.
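Resolving a user's rights through the group, role and rights mapping of claims 29 to 31, as an added example that is not part of the patent: the mapping data, the user and role names, and the rule that a right on a coarser object (a whole database, or a table without a field) covers every object below it are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"select", "delete", "create", "update"}   # operation granularity, claim 31

@dataclass(frozen=True)
class Privilege:
    """One right on a database / table-or-view / field (claim 31 granularity)."""
    action: str
    database: str
    table: Optional[str] = None      # data table or view name
    field: Optional[str] = None

    def covers(self, action, database, table=None, field=None):
        # Assumed hierarchy: a right on a coarser object covers finer ones.
        if self.action != action or self.database != database:
            return False
        if self.table is None:
            return True                      # right on the whole database
        if self.table != table:
            return False
        return self.field is None or self.field == field

# Constructed mapping state standing in for what claim 29 establishes:
# group -> roles, role -> rights, user -> group and user -> role.
GROUP_ROLES = {"risk": {"risk_analyst", "risk_admin"}}
ROLE_PRIVS = {
    "risk_analyst": {Privilege("select", "risk_db", "summary")},
    "risk_admin": {Privilege("select", "risk_db"),
                   Privilege("update", "risk_db", "rules")},
}
USER_GROUP = {"alice": "risk", "bob": "risk", "dave": "risk"}
USER_ROLE = {"alice": "risk_analyst", "bob": "risk_admin", "dave": "finance_admin"}

def user_privileges(user):
    """Claim 30: target group -> target role set -> target role -> rights."""
    group = USER_GROUP.get(user)
    if group is None:
        return set()                         # no group, no rights
    role_set = GROUP_ROLES.get(group, set())
    target_role = USER_ROLE.get(user)
    if target_role not in role_set:
        return set()                         # role is not mapped to the user's group
    return ROLE_PRIVS.get(target_role, set())

def is_permitted(user, action, database, table=None, field=None):
    """Deny unknown actions and anything no right of the target role covers."""
    if action not in ACTIONS:
        return False
    return any(p.covers(action, database, table, field)
               for p in user_privileges(user))
```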
32. The method of claim 24, further comprising:
the SSO platform determines that the user is a newly added user, and sends a call request to the AD server so as to invoke the AD server to register the user.
33. The method of claim 32, further comprising:
and the AD server configures the effective duration of the authentication password of the user in the registration process of the user.
34. The method of claim 27, further comprising:
the data cluster server determines that the user is a newly added user, and triggers a call to an application programming interface to generate a keytab file for the user.
35. The method of claim 24, wherein an execution container is built in the data cluster server, and a System Security Services Daemon (SSSD) tool is installed in the data cluster server,
the method further comprises the following steps:
the data cluster server communicates with the AD server, and uses the SSSD tool to synchronize the user identity information in the AD server to each execution container.
36. The method of claim 29 or 30, wherein in the data cluster server, the data corresponding to one group is stored in at least one data queue, and the data corresponding to different groups is stored in different data queues,
the outputting the target data requested by the user comprises:
the data cluster server determines a group to which the user belongs and searches the data queue corresponding to the group to which the user belongs;
and acquiring and outputting the target data from the data queue corresponding to the group to which the user belongs.
37. The method of claim 29, wherein the data corresponding to different groups has different root directories, and different users in the same group have different libraries under that root directory,
the outputting the target data requested by the user comprises:
the data cluster server determines a group to which the user belongs and searches a root directory corresponding to the group to which the user belongs;
searching a library corresponding to the user under a root directory corresponding to the group to which the user belongs;
and acquiring and outputting the target data from a library corresponding to the user.
38. The method according to claim 24 or 32, wherein said SSO platform stores user identity information,
the method further comprises the following steps:
and the SSO platform and the AD server synchronize user identity information with each other at regular time.
39. The method of claim 24, wherein first data and second data are stored in different storage intervals in the data cluster server, the first data comprises detail data and/or sensitive data, and the second data is the first data after a desensitization operation,
the outputting the target data requested by the user comprises:
the data cluster server acquires the target data from the storage interval storing the second data and outputs the target data.
40. The method of claim 24, wherein the target data comprises one or more of public data, summary data, desensitized detail data, and desensitized sensitive data.
41. The method of claim 24, wherein the input information comprises a group identification, a user identification, and an authentication password.
42. The method of claim 24, further comprising:
the data cluster server detects whether the target data to be output comprises detail data that has not undergone a desensitization operation or sensitive data that has not undergone a desensitization operation;
and if the target data to be output comprises such non-desensitized detail data or non-desensitized sensitive data, the data cluster server refuses to output the target data.
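The output gate of claims 39, 40 and 42, as an added example that is not part of the patent: each record carries a constructed classification and a flag for the storage interval it came from, the whole output is refused if any record is non-desensitized detail or sensitive data, and the masking rule and all field names are this example's own assumptions.

```python
from dataclasses import dataclass, field

RAW_CLASSES = {"detail", "sensitive"}   # first data of claim 39; refused unless desensitized

@dataclass
class Record:
    classification: str    # public / summary / detail / sensitive (claim 40 classes)
    desensitized: bool     # True only for records from the second-data interval
    values: dict = field(default_factory=dict)

def needs_refusal(record):
    """Claim 42: detail or sensitive data that has not undergone desensitization."""
    return record.classification in RAW_CLASSES and not record.desensitized

def desensitize(record):
    """Derive second data from first data by masking all but the last 4 characters.
    The masking rule is this example's own; the patent does not fix one."""
    masked = {k: "*" * max(len(str(v)) - 4, 0) + str(v)[-4:]
              for k, v in record.values.items()}
    return Record(record.classification, True, masked)

def output_target_data(records):
    """Gate of claims 39 and 42: return (True, rows), or refuse the whole output."""
    if any(needs_refusal(r) for r in records):
        return False, []                 # fail closed: one raw record blocks everything
    return True, [r.values for r in records]

# Constructed storage intervals: raw first data and its desensitized copy.
FIRST_DATA = [
    Record("detail", False, {"card": "6222021234567890", "amt": "120.00"}),
    Record("sensitive", False, {"id_no": "11010119900101123X"}),
]
SECOND_DATA = [desensitize(r) for r in FIRST_DATA] + [Record("summary", False, {"total": "3"})]

if __name__ == "__main__":
    print(output_target_data(SECOND_DATA))   # allowed: masked values
    print(output_target_data(FIRST_DATA))    # refused
```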
43. A data processing method based on an open data system, which is applied to the open data system according to claim 22 or 23, the method comprising:
a human-computer interaction interface of the user terminal responds to an input operation of a user, jumps to the SSO platform, and transmits input information corresponding to the input operation to the SSO platform;
the SSO platform carries out validity verification on the user according to the received input information of the user;
under the condition that the SSO platform passes the validity verification of the user, the AD server detects whether user identity information matched with the user exists in the AD server or not;
under the condition that user identity information matched with the user exists in the AD server, the data cluster server performs identity authentication on the user by using a Kerberos protocol, if the user passes the identity authentication, the access authority of the user is determined, target data requested by the user is output, and/or the operation authority of the user is determined, and a target task requested by the user is executed,
the target data are stored in the data cluster server and matched with the access authority of the user, and the target task is matched with the operation authority of the user.
CN201911330515.7A 2019-12-20 2019-12-20 Open type data processing system, open type data system and data processing method Active CN111125674B (en)

Publications (2)

Publication Number Publication Date
CN111125674A CN111125674A (en) 2020-05-08
CN111125674B true CN111125674B (en) 2022-03-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant