CN111427860A - Distributed storage system and data processing method thereof - Google Patents

Publication number
CN111427860A
Authority
CN
China
Prior art keywords
data
key
client
write operation
encrypted
Legal status
Granted
Application number
CN201910020649.2A
Other languages
Chinese (zh)
Other versions
CN111427860B (en)
Inventor
刘俊峰
姚文辉
吕鹏程
常艳军
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/182 Distributed file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The application discloses a distributed storage system and a data processing method thereof. The method comprises the following steps: the client acquires data and key information corresponding to a write operation; the client encrypts the data corresponding to the write operation based on the key information to obtain encrypted data; and the client sends the encrypted data to the data storage node. The application solves the technical problems that data processing methods of distributed storage systems in the related art have low processing efficiency and occupy a large amount of memory.

Description

Distributed storage system and data processing method thereof
Technical Field
The present application relates to the field of computers, and in particular, to a distributed storage system and a data processing method thereof.
Background
In some application scenarios of a distributed file system, for data security reasons a user's data cannot be written to disk in plaintext, so as to avoid data leakage caused by someone else obtaining the disk and recovering the user's data from it.
In the related art, various data encryption schemes are provided. The first scheme is as follows: the user can mark a file directory as encrypted, and the data of files newly created under that directory is encrypted; the user can set different keys for different directories, and when a file is created, the file's key is the key of its nearest parent directory. When a file is created, the namenode acquires a key from a KMS (Key Manager Service), stores the key in the namenode, and returns the key needed to encrypt the data to the client; when a user uses the client to access the file, the client can encrypt and decrypt the data using the encryption and decryption keys returned by the namenode. The second scheme is as follows: a user calls a data encryption API (Application Programming Interface) to encrypt existing data; the encrypted data is required to be unchanged, and chunks are fragmented during encryption.
However, with the first scheme, only files under a directory where encryption is set can be encrypted, and only the data of newly created files can be encrypted, so the amount of change is large, the processing efficiency is low, and the memory usage is large; in addition, because the encryption keys are all acquired by the namenode, the load on the namenode increases, and the namenode more easily becomes a cluster bottleneck. With the second scheme, writing the encrypted data into the distributed storage system is equivalent to a background conversion, and data security cannot be guaranteed to the maximum extent, so the scheme is not suitable for a distributed storage system.
No effective solution has yet been proposed for the problems of low processing efficiency and large memory occupation of data processing methods of distributed storage systems in the related art.
Disclosure of Invention
The embodiment of the application provides a distributed storage system and a data processing method thereof, so as to at least solve the technical problems that the data processing method of the distributed storage system in the related art is low in processing efficiency and large in memory occupation.
According to an aspect of an embodiment of the present application, there is provided a data processing method of a distributed storage system, including: the client acquires data and key information corresponding to the write operation; the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data; and the client sends the encrypted data to the data storage node.
According to another aspect of the embodiments of the present application, there is also provided a distributed storage system, including: the client is used for acquiring data and key information corresponding to the write operation and encrypting the data corresponding to the write operation based on the key information to obtain encrypted data; and the data storage node has a communication relationship with the client and is used for storing the encrypted data.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program, wherein when the program runs, a device on which the storage medium is located is controlled to perform the following steps: the client acquires data and key information corresponding to the write operation; the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data; and the client sends the encrypted data to the data storage node.
According to another aspect of the embodiments of the present application, there is also provided a computing device, including: a processor for executing the program, wherein the following steps are performed when the program is executed: the client acquires data and key information corresponding to the write operation; the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data; and the client sends the encrypted data to the data storage node.
According to another aspect of the embodiments of the present application, there is also provided a distributed storage system, including: a processor; and a memory coupled to the processor for providing instructions to the processor for processing the following processing steps: the client acquires data and key information corresponding to the write operation; the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data; and the client sends the encrypted data to the data storage node.
In the embodiments of the application, after the client acquires the data corresponding to the write operation and the key information, it can encrypt the data corresponding to the write operation based on the key information to obtain encrypted data and send the encrypted data to the data storage node, thereby achieving data encryption in the distributed storage system. Compared with the prior art, the scheme provided by the embodiments of the application encrypts the data corresponding to the write operation, and the write operation can operate on existing files, so chunk-level data confidentiality is achieved rather than encryption of newly created files only. This achieves the technical effects of reducing the amount of change, improving processing efficiency, saving memory, and facilitating file merging, and solves the technical problems that data processing methods of distributed storage systems in the related art have low processing efficiency and occupy a large amount of memory.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a block diagram of a hardware structure of a computer terminal (or a mobile device) for implementing a data processing method of a distributed storage system according to an embodiment of the present application;
FIG. 2 is a flow chart of a data processing method of a distributed storage system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an alternative distributed storage system according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a data processing apparatus of a distributed storage system according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a distributed storage system according to an embodiment of the present application;
FIG. 6 is a schematic diagram of yet another distributed storage system according to an embodiment of the present application; and
FIG. 7 is a block diagram of a computer terminal according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms appearing in the description of the embodiments of the present application are explained as follows:
KMS module: key manager service, used to manage users' encryption keys and verify user permissions.
Master: the storage management and control node in a distributed storage system, which mainly stores metadata information and directory tree information of files.
Client: the SDK library that the distributed storage system provides externally; users can access the distributed storage system only through the SDK.
Chunkserver: the location in the distributed storage system where the data is actually stored.
UserId: the user information used to access the KMS.
UserKey: the password information used to access the KMS.
MasterKey: the key information used to access the KMS.
EncryptionDataKey: the key used to encrypt data.
EncryptedDataKey: the key obtained by encrypting EncryptionDataKey.
Example 1
In accordance with an embodiment of the present application, there is provided an embodiment of a data processing method for a distributed storage system, it should be noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. FIG. 1 shows a hardware configuration block diagram of a computer terminal (or mobile device) for implementing a data processing method of a distributed storage system. As shown in FIG. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, ..., 102n; the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. In addition, it may also include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power source, and/or a camera. It will be understood by those skilled in the art that the structure shown in FIG. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the present application, the data processing circuit acts as a processor control (e.g., selection of a variable resistance termination path to interface with).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the data processing method of the distributed storage system in the embodiment of the present application, and the processor 102 executes various functional applications and data processing by executing the software programs and modules stored in the memory 104, that is, implementing the data processing method of the distributed storage system described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The display may be, for example, a touch screen-type liquid crystal display (LCD) that may enable a user to interact with the user interface of the computer terminal 10 (or mobile device).
It should be noted here that in some alternative embodiments, the computer device (or mobile device) shown in FIG. 1 described above may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that FIG. 1 is only one specific example and is intended to illustrate the types of components that may be present in the computer device (or mobile device) described above.
In the above operating environment, the present application provides a data processing method of the distributed storage system as shown in fig. 2. Fig. 2 is a flowchart of a data processing method of a distributed storage system according to an embodiment of the present application. As shown in fig. 2, the method comprises the steps of:
Step S202, the client acquires data and key information corresponding to the write operation.
Specifically, the Client may be a Client in the distributed storage system. The user may write the data to be encrypted and stored through the sdk API, and the Client may receive the data written by the user and encrypt it within the Client. To encrypt the data written by the user, the Client may obtain key information for encrypting data from the KMS. Preferably, the key information may include: a first key EncryptionDataKey (Key1 for short), a second key EncryptedDataKey (Key2 for short), and an initial vector initIV, wherein the first key is used for encrypting data, and the second key is obtained by encrypting the first key. The Client can obtain the offset of the current chunk by converting initIV.
Optionally, the write operation is used to write data to the end of an already existing file.
Specifically, the user writes data in append-write mode, that is, data can be written to the end of an existing file, rather than to an arbitrary position in the file as in random writes.
Step S204, the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data.
Step S206, the client sends the encrypted data to the data storage node.
In particular, the data storage node may be Chunkserver in a distributed system.
In an optional embodiment, after acquiring the data written by a user in append-write mode and the key information for encrypting the data, the Client may encrypt the data written by the user using the key information to obtain encrypted data, and may send the encrypted data to multiple Chunkservers, which may write the data to disk after receiving it.
It should be noted that, for a file, encryption may be applied to chunk-aligned portions of the data; for example, if the chunk size is 64M, the unit at which data is or is not encrypted may be 64M.
For example, as shown in FIG. 3, a user may write data through the API, and after receiving the data the Client may cache the obtained key locally. The Client encrypts the received data with the key to obtain encrypted data. The Client sends the encrypted data to multiple Chunkservers, and the Chunkservers store the encrypted data in Hybrid Storage, SSD (Solid State Drive), or SATA (Serial Advanced Technology Attachment). Having the Client perform the encryption can ensure the correctness of the encrypted data.
Based on the scheme provided by the embodiments of the application, after the client acquires the data and the key information corresponding to the write operation, it can encrypt the data corresponding to the write operation based on the key information to obtain encrypted data and send the encrypted data to the data storage node, thereby achieving data encryption in the distributed storage system. Compared with the prior art, the scheme provided by the embodiments of the application encrypts the data corresponding to the write operation, and the write operation can operate on existing files, so chunk-level data confidentiality is achieved rather than encryption of newly created files only. This achieves the technical effects of reducing the amount of change, improving processing efficiency, saving memory, and facilitating file merging, and solves the technical problems that data processing methods of distributed storage systems in the related art have low processing efficiency and occupy a large amount of memory.
Optionally, in the foregoing embodiment of the present application, the obtaining, by the client, the key information includes: the client judges whether the operation position corresponding to the write operation is the position of the current data block; under the condition that the operation position corresponding to the write operation is not the position of the current data block, the client sends a first key request to the key management server and receives a first key and a second key returned by the key management server; the client generates an initial vector.
Specifically, the key management server may be a KMS in a distributed storage system. In the embodiments of the present application, the Client performs the data interaction with the KMS, so as to avoid data interaction between the storage management and control node (Master) and the KMS.
The data written by the user is stored in units of chunks, and the data written in this write operation may be appended starting at the current chunk position or starting at a new chunk position. The key information is obtained in different ways depending on the operation position corresponding to the write operation. Therefore, before the Client obtains the key information, it judges whether the append write begins at a new chunk position when the user opens the file. If so, the operation position corresponding to the write operation is determined not to be the position of the current data block; if not, the operation position corresponding to the write operation is determined to be the position of the current data block.
In an alternative embodiment, when a user opens a file, if the append write happens to start from a new chunk location, the Client can initiate a first key request to the KMS, which returns Key1 and Key2; meanwhile, the Client can generate the initIV required for encryption.
For example, as shown in FIG. 3, after the Client determines that the append write starts from a new chunk location, the Client can request Key1 and Key2 from the KMS (shown by dashed lines in FIG. 3) and generate the initIV needed for encryption.
Optionally, in the foregoing embodiment of the present application, when the operation position corresponding to the write operation is the position of the current data block, the method may further include the following steps: the client sends a second key request to the preset server and receives a second key and an initial vector returned by the preset server, wherein the preset server comprises one of the following: the storage management and control node, the data storage node; and the client sends a third key request carrying the second key to the key management server and receives the first key returned by the key management server.
Specifically, the storage management and control node may be the Master in the distributed storage system. Master and Chunkserver may be deployed on the same or different physical machines, and this is not a limitation of the present application. Key2 and initIV may be stored in Master or Chunkserver, with each chunk storing a Key; Key2 and initIV stored on Chunkserver may be stored in the metadata (Meta) node, not in the Data node.
In an alternative embodiment, when the user opens the file, if the append write does not start from a new chunk location, the Client may send a second key request to the Master or Chunkserver, which returns Key2 and initIV; the Client then initiates a third key request carrying Key2 to the KMS, which returns Key1.
It should be noted that if Key2 and initIV are stored in the Master, more memory space is occupied for the same data size, so the Master is more likely to become a bottleneck. To avoid this performance bottleneck, the embodiments of the present application are described taking storage of Key2 and initIV in Chunkserver as the preferred example.
For example, as shown in FIG. 3, after the Client determines that the append write does not start from a new chunk location, the Client may request Key2 and initIV from Chunkserver (as shown by the dotted line in FIG. 3), and then use Key2 to request Key1 from the KMS (as shown by the dashed line in FIG. 3).
Optionally, in the foregoing embodiment of the present application, the client converts the initial vector to obtain an offset of the current data block, where the data storage node stores the encrypted data based on the offset.
In an alternative embodiment, after receiving the initIV returned by the Master or Chunkserver, the Client may convert the initIV into the offset of the current chunk by calculation, and the Chunkserver may store the encrypted data based on the offset of the current chunk, and store the encrypted data into the current chunk.
Optionally, in the foregoing embodiment of the present application, the method may further include the following steps: the client acquires access information for accessing the key management server, wherein the access information comprises at least one of: address information, a user name, a password and an access key of the key management server; the client acquires the first key and the second key or acquires the first key from the key management server based on the access information.
Specifically, the address information may be a KMS address, the user name may be UserId, the password may be UserKey, and the access key may be MasterKey.
In an optional embodiment, a user needs to specify whether to encrypt when using the sdk API of the distributed storage system. If encryption is needed, then to ensure that the Client can access the KMS and obtain Key1 and Key2, or obtain Key1, the user needs to configure the address of the KMS and information such as UserId, UserKey, and MasterKey. After configuration is completed, the Client can obtain Key1 and Key2, or obtain Key1, from the KMS according to the access information configured by the user.
Optionally, in the foregoing embodiment of the present application, after the client sends the encrypted data to the data storage node, the method may further include the following steps: the client sends a flush request to the data storage node, wherein the flush request comprises the second key, the encryption type and the initial vector, and the contents of the flush request are stored into the metadata node by the data storage node; and the client sends identification information to the storage management and control node, wherein the identification information is used for representing whether the data block corresponding to the encrypted data is encrypted or not.
In an alternative embodiment, after the user finishes writing data, the user calls a commit function. When the user calls commit, the Client may send a Flush request to Chunkserver together with Key2, the encryption type and the generated initIV, and after receiving this information the Chunkserver stores it in the Meta node of the chunk. In addition, when the Client calls commit to the Master, it carries the identification information of whether the corresponding chunk is encrypted, and the Master stores the identification information.
For example, as shown in FIG. 3, the Client may send the encrypted data to Chunkserver for storage and, after the user finishes writing the data, send a Flush request carrying information such as Key2, the encryption type, and the generated initIV to the Chunkserver (as shown by a dotted line in FIG. 3); the Chunkserver may store the received information in the Meta node instead of the Data node. In addition, the Client may send the information on whether the chunk is encrypted to the Master, which stores it (as shown by a two-dot chain line in FIG. 3).
Optionally, in the foregoing embodiment of the present application, the method may further include the following steps: the client sends a read request to the storage control node and receives identification information returned by the storage control node, wherein the read request is used for reading encrypted data, and the identification information is used for representing whether a data block corresponding to the encrypted data is encrypted or not; under the condition that the data block corresponding to the encrypted data is determined to be encrypted, the client acquires the key information from the preset server and the key management server, wherein the preset server comprises one of the following: the storage management and control node and the data storage node are connected; and the client decrypts the encrypted data based on the key information to obtain decrypted data.
Specifically, the above-mentioned decrypted data may be the data written by the user through a write operation, that is, the data actually required by the user.
In an optional embodiment, for a read request sent by a user, the Client first retrieves the identification information from the Master and determines whether the chunk to be read is encrypted. If not, the Client reads the data directly from the chunk; if it is encrypted, the Client reads the encrypted data from the chunk, acquires the key information, that is, the decryption key, from the preset server and the KMS, and decrypts the encrypted data based on the acquired key information, thereby obtaining the data required by the user.
For example, as shown in fig. 3, when the Client receives a read request from the user, the Client first obtains from the Master the information on whether the chunk is encrypted (as shown by a two-dot chain line in fig. 3), then obtains the encrypted data from the chunk, obtains the key information from the chunk and the KMS, caches the obtained key information locally, decrypts the encrypted data with the key information to obtain the data required by the user, and returns the data to the user.
Optionally, in the foregoing embodiment of the present application, the obtaining, by the client, the key information from the preset server and the key management server includes: the client sends a second key request to the preset server and receives a second key and an initial vector returned by the preset server; and the client sends a third key request carrying the second key to the key management server and receives the first key returned by the key management server.
In an alternative embodiment, similar to the process of acquiring key information when writing data, the Client may send a second key request to the Master or the Chunkserver, which returns Key2 and initIV; the Client then initiates a third key request to the KMS carrying Key2, and the KMS returns Key1.
Optionally, in the foregoing embodiment of the present application, the method may further include the following steps: the client converts the initial vector to obtain the offset of the current data block; the client obtains encrypted data from the data storage node based on the offset of the current data block.
In an optional embodiment, in order to obtain the encrypted data from Chunkserver, after receiving initIV returned by Master or Chunkserver, Client may convert the initIV into offset of current chunk through calculation, based on the offset of chunk, Client may read corresponding encrypted data from Chunkserver, and further decrypt the encrypted data to obtain data required by the user.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
Example 2
According to an embodiment of the present application, there is also provided a data processing apparatus of a distributed storage system for implementing the data processing method of the distributed storage system, as shown in fig. 4, the apparatus 400 includes: a first obtaining module 402, an encrypting module 404 and a first sending module 406.
The first obtaining module 402 is configured to obtain data and key information corresponding to a write operation through a client; the encryption module 404 is configured to encrypt, by the client, data corresponding to the write operation based on the key information to obtain encrypted data; the first sending module 406 is configured to send the encrypted data to the data storage node through the client.
Specifically, the Client may be a Client in the distributed storage system, and the data storage node may be a Chunkserver in the distributed system. The user can write the data that needs to be encrypted and stored through the sdk API, and the Client can receive the data written by the user and encrypt it in the Client. To encrypt the data written by the user, the Client may obtain key information from the KMS; preferably, the key information may include: a first key, the datakey (Key1 for short), a second key, the encrypted datakey (Key2 for short), and an initial vector initIV, wherein the first key is used for encrypting data and the second key is obtained by encrypting the first key. The Client can convert initIV into the offset of the current chunk.
Optionally, the write operation is used to write data to the end of an already existing file.
Specifically, the user writes data in append-write mode, that is, data can be written to the end of an existing file, rather than to an arbitrary position in the file as in random writes.
It should be noted here that the first obtaining module 402, the encrypting module 404 and the first sending module 406 correspond to steps S202 to S206 in embodiment 1, and the three modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in embodiment 1. It should be noted that the above modules may be operated in the computer terminal 10 provided in embodiment 1 as a part of the apparatus.
Based on the scheme provided by the embodiment of the application, after the client acquires the data and the key information corresponding to the write operation, the data corresponding to the write operation can be encrypted based on the key information to obtain encrypted data, and the encrypted data is sent to the data storage node, so that the purpose of data encryption in the distributed storage system is achieved. Compared with the prior art, the scheme provided by the embodiment of the application can encrypt the data corresponding to the write operation, the write operation can operate the existing files, and thus, chunk-level data confidentiality is realized, instead of encrypting only newly-built files, so that the technical effects of reducing the change amount, improving the processing efficiency, saving the memory and facilitating file merging are achieved, and the technical problems that the data processing method of the distributed storage system in the related art is low in processing efficiency and occupies a large memory are solved.
Optionally, in the foregoing embodiment of the present application, the obtaining module includes: a judging unit, a first communication unit and a generating unit.
The judging unit is used for judging whether an operation position corresponding to the write operation is the position of the current data block or not through the client; the first communication unit is used for sending a first key request to the key management server through the client and receiving a first key and a second key returned by the key management server under the condition that the operation position corresponding to the write operation is not the position of the current data block; the generating unit is used for generating an initial vector through the client.
Optionally, in the foregoing embodiment of the present application, the apparatus further includes: a second communication unit and a third communication unit.
The second communication unit is configured to send a second key request to the preset server through the client and receive a second key and an initial vector returned by the preset server when the operation location corresponding to the write operation is the location of the current data block, where the preset server includes one of: the storage management and control node, the data storage node; the third communication unit is used for sending a third key request carrying the second key to the key management server through the client and receiving the first key returned by the key management server.
Optionally, in the foregoing embodiment of the present application, the apparatus further includes: a conversion module.
The conversion module is used for converting the initial vector through the client to obtain the offset of the current data block, wherein the data storage node stores the encrypted data based on the offset.
Optionally, in the foregoing embodiment of the present application, the apparatus further includes: a second obtaining module and a third obtaining module.
The second obtaining module is used for obtaining access information used for accessing the key management server through the client, wherein the access information comprises at least one of: address information, a user name, a password and an access key of the key management server; the third obtaining module is used for obtaining the first key and the second key from the key management server or obtaining the first key through the client based on the access information.
Optionally, in the foregoing embodiment of the present application, the apparatus further includes: a second sending module and a third sending module.
The second sending module is configured to send a refresh request to the data storage node through the client, where the refresh request includes: the second key, the encryption type and the initial vector, and the refresh request is stored into the metadata node by the data storage node; and the third sending module is used for sending identification information to the storage management and control node through the client, wherein the identification information is used for representing whether the data block corresponding to the encrypted data is encrypted or not.
Optionally, in the foregoing embodiment of the present application, the apparatus further includes: a communication module, a fourth obtaining module and a decryption module.
The communication module is used for sending a read request to the storage control node through the client and receiving identification information returned by the storage control node, wherein the read request is used for reading encrypted data, and the identification information is used for representing whether a data block corresponding to the encrypted data is encrypted or not; the fourth obtaining module is configured to obtain, by the client, key information from a preset server and a key management server when it is determined that a data block corresponding to encrypted data is encrypted, where the preset server includes one of: the storage management and control node, the data storage node; the decryption module is used for decrypting the encrypted data through the client based on the key information to obtain decrypted data.
Optionally, in the foregoing embodiment of the present application, the fourth obtaining module includes: a fourth communication unit and a third communication unit.
The fourth communication unit is used for sending a second key request to the preset server through the client and receiving a second key and an initial vector returned by the preset server; the third communication unit is used for sending a third key request carrying the second key to the key management server through the client and receiving the first key returned by the key management server.
Optionally, in the foregoing embodiment of the present application, the apparatus further includes: a conversion module and a fifth obtaining module.
The conversion module is used for converting the initial vector through the client to obtain the offset of the current data block; and the fifth obtaining module is used for obtaining the encrypted data from the data storage node through the client based on the offset of the current data block.
It should be noted that, for alternative or preferred embodiments of this embodiment, reference may be made to the description in embodiment 1, and details are not described herein.
Example 3
According to an embodiment of the present application, there is also provided a distributed storage system, as shown in fig. 5, the system including:
a client 52, configured to obtain data and key information corresponding to the write operation, and encrypt the data corresponding to the write operation based on the key information to obtain encrypted data.
Specifically, the Client may be a Client in the distributed storage system. The user may write the data to be encrypted and stored through the sdk API, and the Client may receive the data written by the user and encrypt it in the Client. To encrypt the data written by the user, the Client may obtain key information from the KMS; preferably, the key information may include: a first key, the datakey (Key1 for short), a second key, the encrypted datakey (Key2 for short), and an initial vector initIV, wherein the first key is used for encrypting data and the second key is obtained by encrypting the first key. The Client can convert initIV into the offset of the current chunk.
Optionally, the write operation is used to write data to the end of an already existing file.
Specifically, the user writes data in append-write mode, that is, data can be written to the end of an existing file, rather than to an arbitrary position in the file as in random writes.
a data storage node 54, in communication with the client, for storing the encrypted data.
Specifically, the data storage node may be a Chunkserver in the distributed system.
In an optional embodiment, after acquiring the data written by a user in append-write mode and the key information for encrypting the data, the Client may encrypt the data written by the user with the key information to obtain encrypted data, and may send the encrypted data to multiple Chunkservers, which may write the data to disk after receiving it.
It should be noted that, for a file, encryption may be applied to chunk-aligned portions of the data; for example, if the chunk size is 64M, the unit at which data is or is not encrypted may be 64M.
Based on the scheme provided by the embodiment of the application, after the client acquires the data and the key information corresponding to the write operation, the data corresponding to the write operation can be encrypted based on the key information to obtain encrypted data, and the encrypted data is sent to the data storage node, so that the purpose of data encryption in the distributed storage system is achieved. Compared with the prior art, the scheme provided by the embodiment of the application can encrypt the data corresponding to the write operation, the write operation can operate the existing files, and thus, chunk-level data confidentiality is realized, instead of encrypting only newly-built files, so that the technical effects of reducing the change amount, improving the processing efficiency, saving the memory and facilitating file merging are achieved, and the technical problems that the data processing method of the distributed storage system in the related art is low in processing efficiency and occupies a large memory are solved.
Optionally, in the foregoing embodiment of the present application, as shown in fig. 6, the system further includes:
a key management server 62, having a communication relationship with the client, configured to receive a first key request sent by the client and send the first key and the second key to the client when the client determines that the operation position corresponding to the write operation is not the position of the current data block.
Specifically, the key management server may be a KMS in a distributed storage system. In the embodiment of the present application, the Client performs the data interaction with the KMS, which avoids data interaction between the storage management and control node (Master) and the KMS.
The data written by the user is stored in units of chunks, and the data written by the user in this write operation may be appended starting at the current chunk position or starting at a new chunk position. The key information is obtained in different ways depending on the operation position corresponding to the write operation. Therefore, before the Client obtains the key information, it judges whether the append write that the user starts after opening the file begins from a new chunk position: if so, the operation position corresponding to the write operation is determined not to be the position of the current data block; if not, the operation position corresponding to the write operation can be determined to be the position of the current data block.
The client is also used to generate an initial vector.
In an alternative embodiment, when a user opens a file, if the append write happens to start from a new chunk location, the Client can initiate a first key request to the KMS, which returns Key1 and Key2; meanwhile, the Client can generate the initIV required for encryption.
Optionally, in the foregoing embodiment of the present application, as shown in fig. 6, the system further includes: a preset server and a key management server 62, wherein the preset server includes one of: storage management node 64, data storage node 54.
The preset server has a communication relation with the client, and is used for receiving a second key request sent by the client and sending the second key and the initial vector to the client under the condition that the client determines that the operation position corresponding to the write operation is the position of the current data block.
Specifically, the storage management and control node may be the Master in the distributed storage system. Key2 and initIV may be stored in the Master or the Chunkserver, each chunk storing a Key; Key2 and initIV stored on the Chunkserver may be stored in the metadata (Meta) node, not in the Data node.
The key management server has a communication relation with the client, and is used for receiving a third key request carrying the second key and sent by the client and sending the first key to the client.
In an alternative embodiment, when the user opens the file, if the append write does not start from a new chunk location, the Client may send a second key request to the Master or Chunkserver, which returns Key2 and initIV; the Client then initiates a third key request to the KMS carrying Key2, and the KMS returns Key1.
It should be noted that if Key2 and initIV are stored in the Master, more memory space is occupied for the same data size, so the Master is more likely to become a bottleneck. To avoid this performance bottleneck, the embodiment of the present application is illustrated with Key2 and initIV stored in the Chunkserver as an example.
Optionally, in the foregoing embodiment of the present application, the client is further configured to convert the initial vector to obtain an offset of the current data block; the data storage node is further configured to store the encrypted data based on the offset.
In an alternative embodiment, after receiving the initIV returned by the Master or Chunkserver, the Client may convert the initIV into the offset of the current chunk by calculation, and the Chunkserver may store the encrypted data based on the offset of the current chunk, and store the encrypted data into the current chunk.
Optionally, in the foregoing embodiment of the present application, the client is further configured to obtain access information for accessing the key management server, and obtain the first key and the second key from the key management server or obtain the first key based on the access information, where the access information includes at least one of: address information, user name, password, and access key of the key management server.
Specifically, the address information may be a KMS address, the user name may be UserId, the password may be UserKey, and the access key may be MasterKey.
In an optional embodiment, a user needs to specify whether to encrypt when using the sdk API of the distributed storage system. If encryption is needed, then to ensure that the Client can access the KMS and obtain Key1 and Key2, or obtain Key1, the user needs to configure the address of the KMS and information such as UserId, UserKey and MasterKey. After configuration is completed, the Client can obtain Key1 and Key2, or obtain Key1, from the KMS according to the access information configured by the user.
Optionally, in the foregoing embodiment of the present application, the client is further configured to send a refresh request to the data storage node, and send identification information to the storage management and control node, where the refresh request includes: the second key, the encryption type and the initial vector, and the identification information is used for representing whether the data block corresponding to the encrypted data is encrypted or not; the data storage node is also used to store the refresh request into the metadata node.
In an alternative embodiment, after the user finishes writing data, the user calls a commit function. When the user calls commit, the Client may send a Flush request to Chunkserver together with Key2, the encryption type and the generated initIV; after receiving this information, the Chunkserver stores it in the Meta node of the chunk. In addition, when the Client calls commit to the Master, it carries identification information indicating whether the corresponding chunk is encrypted, and the Master stores this identification information.
Optionally, in the foregoing embodiment of the present application, as shown in fig. 6, the system further includes: a preset server and a key management server 62, wherein the preset server includes one of: storage management node 64, data storage node 54.
The storage management and control node is in communication relation with the client and is used for receiving a reading request sent by the client and sending identification information to the client, wherein the reading request is used for reading encrypted data, and the identification information is used for representing whether a data block corresponding to the encrypted data is encrypted or not;
and the client has a communication relation with the preset server and is used for acquiring the key information from the preset server and the key management server under the condition that the data block corresponding to the encrypted data is determined to be encrypted, and decrypting the encrypted data based on the key information to obtain decrypted data.
Specifically, the above-mentioned decrypted data may be the data written by the user through a write operation, that is, the data actually required by the user.
In an optional embodiment, for a read request sent by a user, the Client first retrieves the identification information from the Master and determines whether the chunk to be read is encrypted. If not, the Client reads the data directly from the chunk; if it is encrypted, the Client reads the encrypted data from the chunk, acquires the key information, that is, the decryption key, from the preset server and the KMS, and decrypts the encrypted data based on the acquired key information, thereby obtaining the data required by the user.
Optionally, in the foregoing embodiment of the present application, the client is further configured to send a second key request to the preset server, receive a second key and an initial vector returned by the preset server, send a third key request carrying the second key to the key management server, and receive a first key returned by the key management server.
In an alternative embodiment, similar to the process of acquiring key information when writing data, the Client may send a second key request to the Master or the Chunkserver, which returns Key2 and initIV; the Client then initiates a third key request to the KMS carrying Key2, and the KMS returns Key1.
Optionally, in the foregoing embodiment of the present application, the client is further configured to convert the initial vector to obtain an offset of the current data block, and obtain the encrypted data from the data storage node based on the offset of the current data block.
In an optional embodiment, in order to obtain the encrypted data from Chunkserver, after receiving initIV returned by Master or Chunkserver, Client may convert the initIV into offset of current chunk through calculation, based on the offset of chunk, Client may read corresponding encrypted data from Chunkserver, and further decrypt the encrypted data to obtain data required by the user.
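The write, Flush/commit and read exchanges of this embodiment, as an added example that is not code from the patent. The class and method names, the `offset == 0` test for a new chunk, and the HMAC-SHA256 counter-mode stand-in cipher (the page names no cipher and does not say how initIV maps to an offset) are assumptions.

```python
import hashlib
import hmac
import os

BLOCK = 32  # keystream block size of the stand-in cipher (one SHA-256 digest)

def keystream_xor(key, init_iv, offset, data):
    """Stand-in counter-mode cipher (assumption; the page names no algorithm).
    Keystream block n is HMAC-SHA256(key, initIV || n), so initIV plus the
    byte offset inside the chunk selects the keystream position."""
    out, pos, i = bytearray(), offset, 0
    while i < len(data):
        ctr, skip = divmod(pos, BLOCK)
        ks = hmac.new(key, init_iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        take = min(BLOCK - skip, len(data) - i)
        out += bytes(a ^ b for a, b in zip(data[i:i + take], ks[skip:skip + take]))
        i, pos = i + take, pos + take
    return bytes(out)

class KMS:
    """Hypothetical KMS: issues Key1 and wraps it into Key2."""
    def __init__(self):
        master = os.urandom(32)  # never leaves the KMS
        self._enc = hmac.new(master, b"wrap-enc", hashlib.sha256).digest()
        self._mac = hmac.new(master, b"wrap-mac", hashlib.sha256).digest()

    def generate_data_key(self):  # first key request -> (Key1, Key2)
        key1, nonce = os.urandom(32), os.urandom(16)
        body = nonce + keystream_xor(self._enc, nonce, 0, key1)
        return key1, body + hmac.new(self._mac, body, hashlib.sha256).digest()

    def decrypt_data_key(self, key2):  # third key request: Key2 -> Key1
        body, tag = key2[:-32], key2[-32:]
        expect = hmac.new(self._mac, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("Key2 failed its integrity check")
        return keystream_xor(self._enc, body[:16], 0, body[16:])

class Chunkserver:
    def __init__(self):
        self.data = {}  # Data node: ciphertext only
        self.meta = {}  # Meta node: Key2, encryption type, initIV

    def append(self, chunk_id, blob):
        self.data.setdefault(chunk_id, bytearray()).extend(blob)

    def flush(self, chunk_id, key2, enc_type, init_iv):
        self.meta[chunk_id] = {"key2": key2, "type": enc_type, "init_iv": init_iv}

    def get_key_info(self, chunk_id):  # second key request -> (Key2, initIV)
        return self.meta[chunk_id]["key2"], self.meta[chunk_id]["init_iv"]

    def length(self, chunk_id):
        return len(self.data.get(chunk_id, b""))

    def read(self, chunk_id, offset, size):
        return bytes(self.data[chunk_id][offset:offset + size])

class Master:
    def __init__(self):
        self.flags = {}  # chunk_id -> "is this chunk encrypted?"

    def commit(self, chunk_id, encrypted):
        self.flags[chunk_id] = encrypted

    def is_encrypted(self, chunk_id):
        return self.flags.get(chunk_id, False)

class Client:
    def __init__(self, kms, master, chunkserver):
        self.kms, self.master, self.cs = kms, master, chunkserver

    def key_info(self, chunk_id, new_chunk):
        if new_chunk:  # new chunk: the KMS returns Key1 and Key2, the Client makes initIV
            key1, key2 = self.kms.generate_data_key()
            return key1, key2, os.urandom(16)
        key2, init_iv = self.cs.get_key_info(chunk_id)  # current chunk
        return self.kms.decrypt_data_key(key2), key2, init_iv

    def append(self, chunk_id, plaintext):
        offset = self.cs.length(chunk_id)
        key1, key2, iv = self.key_info(chunk_id, new_chunk=(offset == 0))
        self.cs.append(chunk_id, keystream_xor(key1, iv, offset, plaintext))
        self.cs.flush(chunk_id, key2, "stand-in-ctr", iv)  # Flush on commit
        self.master.commit(chunk_id, True)                 # identification info

    def read(self, chunk_id, offset, size):
        raw = self.cs.read(chunk_id, offset, size)
        if not self.master.is_encrypted(chunk_id):
            return raw
        key1, _, iv = self.key_info(chunk_id, new_chunk=False)
        return keystream_xor(key1, iv, offset, raw)

if __name__ == "__main__":
    client = Client(KMS(), Master(), Chunkserver())
    client.append("chunk-0", b"first append;")    # constructed sample data
    client.append("chunk-0", b" second append")
    print(client.read("chunk-0", 0, 27))
```

Because writes are append-only, no chunk offset is encrypted twice under the same Key1 and initIV, so the counter-style keystream assumed here is never reused. The Chunkserver holds only ciphertext and the wrapped Key2; Key1 exists only in the Client and the KMS.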
Example 4
According to an embodiment of the present application, there is also provided a distributed storage system, including:
a processor; and
a memory coupled to the processor for providing the processor with instructions for the following processing steps: the client acquires data and key information corresponding to the write operation; the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data; and the client sends the encrypted data to the data storage node.
Based on the scheme provided by the embodiment of the application, after the client acquires the data and the key information corresponding to the write operation, the data corresponding to the write operation can be encrypted based on the key information to obtain encrypted data, and the encrypted data is sent to the data storage node, so that the purpose of data encryption in the distributed storage system is achieved. Compared with the prior art, the scheme provided by the embodiment of the application can encrypt the data corresponding to the write operation, the write operation can operate the existing files, and thus, chunk-level data confidentiality is realized, instead of encrypting only newly-built files, so that the technical effects of reducing the change amount, improving the processing efficiency, saving the memory and facilitating file merging are achieved, and the technical problems that the data processing method of the distributed storage system in the related art is low in processing efficiency and occupies a large memory are solved.
It should be noted that, for alternative or preferred embodiments of this embodiment, reference may be made to the description in embodiment 1, and details are not described herein.
Example 5
The embodiment of the application can provide a computer terminal, and the computer terminal can be any one computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute the program code of the following steps in the data processing method of the distributed storage system: the client acquires data and key information corresponding to the write operation; the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data; and the client sends the encrypted data to the data storage node.
Optionally, fig. 7 is a block diagram of a computer terminal according to an embodiment of the present application. As shown in fig. 7, the computer terminal A may include: one or more processors 702 (only one of which is shown), and memory 704.
The memory may be used to store software programs and modules, such as program instructions/modules corresponding to the data processing method and apparatus of the distributed storage system in the embodiments of the present application, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, that is, implements the data processing method of the distributed storage system. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory remotely located from the processor, and these remote memories may be connected to terminal A through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor can call the information and application program stored in the memory through the transmission device to execute the following steps: the client acquires data and key information corresponding to the write operation; the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data; and the client sends the encrypted data to the data storage node.
Optionally, the write operation is used to write data to the end of an already existing file.
Optionally, the key information includes: a first key, a second key and an initial vector, wherein the first key is used for encrypting data, and the second key is obtained by encrypting the first key.
Optionally, the processor may further execute the program code of the following steps: the client judges whether the operation position corresponding to the write operation is the position of the current data block; under the condition that the operation position corresponding to the write operation is not the position of the current data block, the client sends a first key request to the key management server and receives a first key and a second key returned by the key management server; the client generates an initial vector.
Optionally, the processor may further execute the program code of the following steps: under the condition that the operation position corresponding to the write operation is the position of the current data block, the client sends a second key request to the preset server and receives a second key and an initial vector returned by the preset server, wherein the preset server comprises one of the following: the storage management and control node, the data storage node; and the client sends a third key request carrying the second key to the key management server and receives the first key returned by the key management server.
Optionally, the processor may further execute the program code of the following steps: and the client converts the initial vector to obtain the offset of the current data block, wherein the data storage node stores the encrypted data based on the offset.
Optionally, the processor may further execute the program code of the following steps: the client acquires access information for accessing the key management server, wherein the access information comprises at least one of: address information, a user name, a password and an access key of the key management server; the client acquires the first key and the second key or acquires the first key from the key management server based on the access information.
Optionally, the processor may further execute the program code of the following steps: after the client sends the encrypted data to the data storage node, the client sends a refresh request to the data storage node, wherein the refresh request comprises: the second key, the encryption type and the initial vector, and the refresh request is stored into the metadata node by the data storage node; and the client sends identification information to the storage management and control node, wherein the identification information is used for representing whether the data block corresponding to the encrypted data is encrypted or not.
Optionally, the processor may further execute the program code of the following steps: the client sends a read request to the storage control node and receives identification information returned by the storage control node, wherein the read request is used for reading encrypted data, and the identification information is used for representing whether a data block corresponding to the encrypted data is encrypted or not; under the condition that the data block corresponding to the encrypted data is determined to be encrypted, the client acquires the key information from the preset server and the key management server, wherein the preset server comprises one of the following: a storage management and control node, or a data storage node; and the client decrypts the encrypted data based on the key information to obtain decrypted data.
Optionally, the processor may further execute the program code of the following steps: the client sends a second key request to the preset server and receives a second key and an initial vector returned by the preset server; and the client sends a third key request carrying the second key to the key management server and receives the first key returned by the key management server.
Optionally, the processor may further execute the program code of the following steps: the client converts the initial vector to obtain the offset of the current data block; the client obtains encrypted data from the data storage node based on the offset of the current data block.
By adopting the embodiment of the application, after the client acquires the data and the key information corresponding to the write operation, the data corresponding to the write operation can be encrypted based on the key information to obtain the encrypted data, and the encrypted data is sent to the data storage node, so that the purpose of data encryption in the distributed storage system is achieved. Compared with the prior art, the scheme provided by the embodiment of the application can encrypt the data corresponding to the write operation, and the write operation can operate on existing files, so chunk-level data confidentiality is realized instead of encrypting only newly created files. This achieves the technical effects of reducing the amount of change, improving the processing efficiency, saving memory and facilitating file merging, and solves the technical problems that the data processing method of the distributed storage system in the related art has low processing efficiency and occupies a large amount of memory.
It can be understood by those skilled in the art that the structure shown in fig. 7 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 7 is a diagram illustrating a structure of the electronic device. For example, the computer terminal A may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 7, or have a different configuration than shown in fig. 7.
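The write, append and read paths described in the steps above (and restated in claims 3, 4, 7, 8 and 9) can be traced end to end in the following added example, which is not code from the patent. The page names no cipher or mode, so the SHA-256 counter-mode keystream, the in-memory `KMS` and `StorageNode` classes, and the derivation of each counter from the initial vector plus the byte offset are all assumptions made for illustration; a real deployment would use a vetted mode such as AES-CTR or AES-GCM.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # keystream bytes produced per counter value


def keystream_xor(key, iv, offset, data):
    """Encrypt/decrypt `data` that sits at byte `offset` of a chunk.

    Stand-in for a seekable cipher mode such as AES-CTR (stdlib only).
    """
    out, pos = bytearray(), offset
    while len(out) < len(data):
        counter, skip = divmod(pos, BLOCK)
        pad = hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        pad = pad[skip:skip + len(data) - len(out)]
        out += bytes(a ^ b for a, b in zip(data[len(out):], pad))
        pos += len(pad)
    return bytes(out)


class KMS:
    """Toy key management server: wraps data keys, stores none of them."""

    def __init__(self):
        self._enc, self._mac = secrets.token_bytes(32), secrets.token_bytes(32)

    def generate_data_key(self):  # "first key request"
        first, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        body = nonce + keystream_xor(self._enc, nonce, 0, first)
        return first, body + hmac.new(self._mac, body, hashlib.sha256).digest()

    def decrypt_data_key(self, second):  # "third key request"
        body, tag = second[:-32], second[-32:]
        good = hmac.new(self._mac, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("second key rejected: integrity check failed")
        return keystream_xor(self._enc, body[:16], 0, body[16:])


class StorageNode:
    """Holds only ciphertext and per-chunk metadata, never the first key."""

    def __init__(self):
        self.chunks, self.meta = {}, {}


def append(kms, node, chunk_id, data):
    meta = node.meta.get(chunk_id)
    if meta is None:  # write starts a new chunk: new key pair, fresh IV
        first, second = kms.generate_data_key()
        meta = {"second_key": second, "enc_type": "demo-sha256-ctr",
                "iv": secrets.token_bytes(16)}
        node.chunks[chunk_id] = b""
    else:  # write lands in the current chunk: reuse its stored second key and IV
        first = kms.decrypt_data_key(meta["second_key"])
    offset = len(node.chunks[chunk_id])
    node.chunks[chunk_id] += keystream_xor(first, meta["iv"], offset, data)
    node.meta[chunk_id] = meta  # stands in for the refresh request
    return offset


def read(kms, node, chunk_id, offset=0, length=None):
    blob = node.chunks[chunk_id]
    end = len(blob) if length is None else offset + length
    meta = node.meta.get(chunk_id)
    if meta is None:  # identification info says the chunk is not encrypted
        return blob[offset:end]
    first = kms.decrypt_data_key(meta["second_key"])
    return keystream_xor(first, meta["iv"], offset, blob[offset:end])
```

Because appends only ever advance the offset, no (key, IV, counter) triple is used twice; overwriting a range in place with the same first key and initial vector would reuse keystream and expose the XOR of the old and new plaintext. The sketch authenticates only the wrapped key, so ciphertext stored on the data node is not integrity-protected.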
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Example 4
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store a program code executed by the data processing method of the distributed storage system provided in the first embodiment.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: the client acquires data and key information corresponding to the write operation; the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data; and the client sends the encrypted data to the data storage node.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program code.
The foregoing is only a preferred embodiment of the present application. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be regarded as falling within the protection scope of the present application.

Claims (14)

1. A data processing method of a distributed storage system, comprising:
the client acquires data and key information corresponding to the write operation;
the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data;
and the client sends the encrypted data to a data storage node.
2. The method of claim 1, wherein the write operation is to write the data to the end of an already existing file.
3. The method of claim 2, wherein the key information comprises: a first key, a second key and an initial vector, wherein the first key is used for encrypting the data, the second key is obtained by encrypting the first key, and the client acquiring the key information comprises:
the client judges whether the operation position corresponding to the write operation is the position of the current data block;
under the condition that the operation position corresponding to the write operation is not the position of the current data block, the client sends a first key request to a key management server and receives the first key and the second key returned by the key management server;
the client generates the initial vector.
4. The method of claim 3, wherein in a case that the operation location corresponding to the write operation is the location of the current data block, the method further comprises:
the client sends a second key request to a preset server and receives the second key and the initial vector returned by the preset server, wherein the preset server comprises one of the following: a storage management and control node, or a data storage node;
and the client sends a third key request carrying the second key to the key management server and receives the first key returned by the key management server.
5. The method of claim 4, wherein the client converts the initial vector to obtain an offset for the current block of data, wherein the data storage node stores the encrypted data based on the offset.
6. The method of claim 3 or 4, wherein the method further comprises:
the client acquires access information for accessing the key management server, wherein the access information comprises at least one of: address information, a user name, a password and an access key of the key management server;
and the client acquires the first key and the second key or acquires the first key from a key management server based on the access information.
7. The method of claim 3, wherein after the client sends the encrypted data to a data storage node, the method further comprises:
the client sends a refresh request to the data storage node, wherein the refresh request comprises: the second key, encryption type, and the initial vector, the refresh request being stored by the data storage node into a metadata node;
and the client sends identification information to a storage management and control node, wherein the identification information is used for representing whether the data block corresponding to the encrypted data is encrypted or not.
8. The method of claim 1, wherein the method further comprises:
the client sends a read request to a storage control node and receives identification information returned by the storage control node, wherein the read request is used for reading the encrypted data, and the identification information is used for representing whether a data block corresponding to the encrypted data is encrypted or not;
under the condition that the data block corresponding to the encrypted data is determined to be encrypted, the client acquires the key information from a preset server and a key management server, wherein the preset server comprises one of the following: a storage management and control node, or a data storage node;
and the client decrypts the encrypted data based on the key information to obtain decrypted data.
9. The method of claim 8, wherein the client obtaining the key information from a preset server and a key management server comprises:
the client sends a second key request to the preset server and receives a second key and an initial vector returned by the preset server;
and the client sends a third key request carrying the second key to the key management server and receives the first key returned by the key management server.
10. The method of claim 9, wherein the method further comprises:
the client converts the initial vector to obtain the offset of the current data block;
the client obtains the encrypted data from the data storage node based on the offset of the current data block.
11. A distributed storage system, comprising:
the client is used for acquiring data and key information corresponding to write operation and encrypting the data corresponding to the write operation based on the key information to obtain encrypted data;
and the data storage node has a communication relationship with the client and is used for storing the encrypted data.
12. A storage medium comprising a stored program, wherein the program, when executed, controls an apparatus on which the storage medium is located to perform the steps of:
the client acquires data and key information corresponding to the write operation;
the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data;
and the client sends the encrypted data to a data storage node.
13. A computing device, comprising: a processor for executing a program, wherein the following steps are performed when the program is executed:
the client acquires data and key information corresponding to the write operation;
the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data;
and the client sends the encrypted data to a data storage node.
14. A distributed storage system, comprising:
a processor; and
a memory coupled to the processor for providing the processor with instructions for performing the following processing steps:
the client acquires data and key information corresponding to the write operation;
the client encrypts data corresponding to the write operation based on the key information to obtain encrypted data;
and the client sends the encrypted data to a data storage node.
CN201910020649.2A 2019-01-09 2019-01-09 Distributed storage system and data processing method thereof Active CN111427860B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910020649.2A CN111427860B (en) 2019-01-09 2019-01-09 Distributed storage system and data processing method thereof

Publications (2)

Publication Number Publication Date
CN111427860A (en) 2020-07-17
CN111427860B (en) 2023-05-02

Family

ID=71545901

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910020649.2A Active CN111427860B (en) 2019-01-09 2019-01-09 Distributed storage system and data processing method thereof

Country Status (1)

Country Link
CN (1) CN111427860B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808095A (en) * 2010-03-22 2010-08-18 华中科技大学 Encryption copy organization method under distributed storage environment
CN104753870A (en) * 2013-12-30 2015-07-01 中国移动通信集团公司 Data transmission method and system
US20170091327A1 (en) * 2015-09-25 2017-03-30 Mongodb, Inc. Distributed database systems and methods with pluggable storage engines
CN107609428A (en) * 2017-08-16 2018-01-19 大唐高鸿信安(浙江)信息科技有限公司 Date safety storing system and method
US10158483B1 (en) * 2018-04-30 2018-12-18 Xanadu Big Data, Llc Systems and methods for efficiently and securely storing data in a distributed data storage system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023155691A1 (en) * 2022-02-15 2023-08-24 阿里巴巴(中国)有限公司 Database operating method and fully encrypted database
CN115220665A (en) * 2022-09-14 2022-10-21 深圳市木浪云科技有限公司 Access method and system of distributed storage system
CN115220665B (en) * 2022-09-14 2022-12-20 深圳市木浪云科技有限公司 Access method and system of distributed storage system
CN117314430A (en) * 2023-11-22 2023-12-29 山东同其万疆科技创新有限公司 Payment data monitoring method
CN117314430B (en) * 2023-11-22 2024-03-01 山东同其万疆科技创新有限公司 Payment data monitoring method

Also Published As

Publication number Publication date
CN111427860B (en) 2023-05-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant