CN111737232A - Database management method, system, device, equipment and computer storage medium - Google Patents


Publication number
CN111737232A
Authority
CN
China
Prior art keywords
target
database
client
password
account
Legal status
Pending
Application number
CN202010587345.7A
Other languages
Chinese (zh)
Inventor
夏运
向非能
殷跃
冯庆磊
陈振拥
Current Assignee
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Application filed by WeBank Co Ltd
Priority to CN202010587345.7A
Publication of CN111737232A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/252 Integrating or interfacing systems involving database management systems between a Database Management System and a front-end application
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication


Abstract

The invention relates to the technical field of financial technology (Fintech), and discloses a database management method comprising the following steps: when an input sql command is detected, acquiring a plurality of parameters corresponding to the sql command, and detecting, according to the parameters, whether target authentication information exists in a local cache of a client; if it does not exist, acquiring, based on the parameters, a sensitive library table and a target account password fed back by the central password verification service corresponding to the client, determining a target database according to the target account password, and establishing an sql connection with the server where the target database is located; executing the sql command over the sql connection, and detecting whether a target library table triggered when the sql command is executed matches the sensitive library table; and if so, determining whether to continue executing the operation on the target library table according to the operation authority of the client. The invention also discloses a database management system, a database management device and a computer storage medium. The invention improves the data security of the database.

Description

Database management method, system, device, equipment and computer storage medium
Technical Field
The present invention relates to the field of database management technology in financial technology (Fintech), and in particular, to a database management method, system, apparatus, device, and computer storage medium.
Background
With the development of computer technology, more and more technologies (big data, distributed computing, blockchain, artificial intelligence, etc.) are being applied in the financial field, and the traditional financial industry is gradually shifting to financial technology (Fintech). The security and real-time requirements of the financial industry, however, place higher demands on these technologies. At present, passwords for accessing databases are held by operation and maintenance personnel, which creates a risk of unauthorized access and misoperation. Operation and maintenance personnel are also not restricted when operating on a database, so unauthorized access or misoperation can lead to leakage of the data in the database. In addition, a password that stays unchanged for a long time is easily leaked, which again exposes the data in the database, so the security of the database is low. How to improve the security of the database has therefore become a technical problem that urgently needs to be solved.
Disclosure of Invention
The main object of the invention is to provide a database management method, system, apparatus, device and computer storage medium that solve the technical problem of how to improve the security of a database.
In order to achieve the above object, the present invention provides a database management method, which is applied to a client, and comprises the following steps:
when an input sql command is detected, acquiring a plurality of parameters corresponding to the sql command, and detecting whether target authentication information exists in a local cache of the client according to each parameter;
if the target authentication information does not exist, acquiring, based on each parameter, a sensitive library table and a target account password fed back by the central password verification service corresponding to the client, determining a target database according to the target account password, and establishing an sql connection with the server where the target database is located;
executing the sql command based on the sql connection, and detecting whether a target library table triggered when the sql command is executed is matched with the sensitive library table;
and if so, determining whether to continue executing the operation on the target library table according to the operation authority of the client.
Optionally, after the step of detecting whether the target authentication information exists in the local cache of the client according to each of the parameters, the method includes:
and if the target authentication information exists, acquiring the forbidden library table and the database account password corresponding to the target authentication information, taking the forbidden library table as the sensitive library table, taking the database account password as the target account password, and then executing the step of determining the target database according to the target account password and establishing the sql connection with the server where the target database is located.
Optionally, the step of acquiring, based on each of the parameters, a sensitive library table and a target account password fed back by the central password verification service corresponding to the client includes:
acquiring local information of the client, creating a request instruction according to each parameter and the local information, and sending the request instruction to the central password verification service corresponding to the client, wherein the central password verification service authenticates the request instruction according to a preset authentication logic and, if the authentication passes, feeds a sensitive library table and a target account password back to the client;
and receiving the sensitive library table and the target account password fed back by the central password verification service based on the request instruction.
Optionally, the step of determining whether to continue to execute the operation on the target library table according to the operation authority of the client includes:
determining, according to the authority information in the sensitive library table, whether the client has the operation authority to operate on the target library table;
if yes, continuing to execute the operation on the target library table.
In addition, the present invention provides a database management method applied to a management station, the database management method including the steps of:
classifying and storing input account passwords of a plurality of databases, distributing managed accounts to the account passwords which are classified and stored, and configuring authentication information of the managed accounts to obtain authentication information corresponding to the databases;
if an acquisition instruction, sent by the central password verification service based on a request instruction from a client, is received, determining, among the managed accounts having authentication information, the target managed account corresponding to the acquisition instruction;
and acquiring a target account password and a sensitive library table corresponding to the target managed account, and sending the target account password and the sensitive library table to the central password verification service, wherein the central password verification service sends the target account password and the sensitive library table to the client.
Optionally, after the step of determining, in each managed account having the authentication information, a target managed account corresponding to the obtaining instruction, the method includes:
acquiring a conventional account password corresponding to the acquisition instruction, and detecting whether the conventional account password is expired;
and if the password is not expired, taking the conventional account password as the target account password.
Optionally, after the step of detecting whether the conventional account password is expired, the method includes:
and if the password has expired, acquiring the shadow account password corresponding to the conventional account password, modifying the conventional account password, taking the modified conventional account password as the new shadow account password, taking the shadow account password as the new conventional account password, and taking the new conventional account password as the target account password.
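The expiry branch above is easier to follow in code. The following is an added sketch, not part of the patent text: it assumes two database users per managed account, and `ManagedAccount`, `FakeDatabase`, `valid_until` and `max_age` are hypothetical names introduced for the illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Credential:
    user: str
    password: str


@dataclass
class ManagedAccount:
    conventional: Credential  # credential currently handed out to clients
    shadow: Credential        # standby credential, already valid on the database
    valid_until: float        # assumed expiry time of the conventional password
    max_age: float            # assumed rotation period, in seconds


class FakeDatabase:
    """Constructed stand-in for the database server's user table."""

    def __init__(self, users):
        self.users = dict(users)

    def set_password(self, user, password):
        self.users[user] = password

    def login(self, user, password):
        return secrets.compare_digest(self.users.get(user, ""), password)


def target_credential(account, db, now):
    """Return the credential to hand out, rotating first if it has expired."""
    if now < account.valid_until:
        return account.conventional
    # Expired: give the conventional user a fresh random password on the
    # database. The old password stops working at this point.
    expired = account.conventional
    fresh = Credential(expired.user, secrets.token_urlsafe(24))
    db.set_password(fresh.user, fresh.password)
    # Swap roles: the shadow credential becomes the one handed out, and the
    # freshly changed credential waits as the new shadow.
    account.conventional, account.shadow = account.shadow, fresh
    account.valid_until = now + account.max_age
    return account.conventional


if __name__ == "__main__":
    db = FakeDatabase({"app_a": "old-a", "app_b": "old-b"})
    acct = ManagedAccount(Credential("app_a", "old-a"),
                          Credential("app_b", "old-b"),
                          valid_until=100.0, max_age=50.0)
    cred = target_credential(acct, db, now=100.0)
    print(cred.user, db.login(cred.user, cred.password), db.login("app_a", "old-a"))
```

The credential handed out after the swap was never served to a client before, and the one that was served is invalidated on the database in the same step.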
In addition, in order to achieve the above object, the present invention further provides a database management system comprising a client, a management station and a central password verification service, wherein the database management system implements the following steps:
the management station classifies and stores input account passwords of a plurality of databases, allocates managed accounts to the classified and stored account passwords, and configures authentication information for the managed accounts to obtain the authentication information corresponding to the databases;
when the client detects an input sql command, it acquires a plurality of parameters corresponding to the sql command, and detects, according to the parameters, whether target authentication information exists in the local cache of the client; if it does not exist, the client acquires its local information, creates a request instruction according to each parameter and the local information, and sends the request instruction to the central password verification service;
the central password verification service authenticates the request instruction according to a preset authentication logic and, if the authentication passes, sends an acquisition instruction to the management station;
the management station receives the acquisition instruction sent by the central password verification service, and determines, among the managed accounts having authentication information, the target managed account corresponding to the acquisition instruction; it then acquires the target account password and the sensitive library table corresponding to the target managed account, and sends them to the central password verification service;
the central password verification service receives the target account password and the sensitive library table sent by the management station and sends them to the client;
the client receives the sensitive library table and the target account password sent by the central password verification service, determines a target database according to the target account password, and establishes an sql connection with the server where the target database is located; it executes the sql command over the sql connection, and detects whether a target library table triggered when the sql command is executed matches the sensitive library table; and if so, it determines whether to continue executing the operation on the target library table according to the operation authority of the client.
In addition, to achieve the above object, the present invention provides a database management apparatus, including:
a detection module, configured to acquire, when an input sql command is detected, a plurality of parameters corresponding to the sql command, and to detect, according to each parameter, whether target authentication information exists in a local cache of a client;
an acquisition module, configured to acquire, if the target authentication information does not exist, a sensitive library table and a target account password fed back by the central password verification service corresponding to the client based on each parameter, to determine a target database according to the target account password, and to establish an sql connection with the server where the target database is located;
an execution module, configured to execute the sql command over the sql connection and to detect whether a target library table triggered when the sql command is executed matches the sensitive library table;
and a determining module, configured to determine, if they match, whether to continue executing the operation on the target library table according to the operation authority of the client.
In addition, to achieve the above object, the present invention provides a database management apparatus, including:
a configuration module, configured to classify and store the input account passwords of a plurality of databases, to allocate managed accounts to the classified and stored account passwords, and to configure authentication information for the managed accounts to obtain the authentication information corresponding to the databases;
a receiving module, configured to determine, if an acquisition instruction sent by the central password verification service based on a request instruction from a client is received, the target managed account corresponding to the acquisition instruction among the managed accounts having authentication information;
and a sending module, configured to acquire a target account password and a sensitive library table corresponding to the target managed account, and to send the target account password and the sensitive library table to the central password verification service, wherein the central password verification service sends the target account password and the sensitive library table to the client.
In addition, to achieve the above object, the present invention also provides a database management apparatus including: a memory, a processor, and a database management program stored on the memory and executable on the processor, the database management program when executed by the processor implementing the steps of the database management method as described above.
In addition, to achieve the above object, the present invention also provides a computer storage medium having a database management program stored thereon, the database management program implementing the steps of the database management method as described above when executed by a processor.
In the present invention, when an input sql command is detected, a plurality of parameters corresponding to the sql command are acquired, and whether target authentication information exists in the local cache of the client is detected according to the parameters; if it does not exist, a sensitive library table and a target account password fed back by the central password verification service corresponding to the client are acquired based on the parameters, a target database is determined according to the target account password, and an sql connection is established with the server where the target database is located; the sql command is executed over the sql connection, and it is detected whether a target library table triggered when the sql command is executed matches the sensitive library table; if so, whether to continue executing the operation on the target library table is determined according to the operation authority of the client. Because the presence of target authentication information in the local cache is determined from the parameters of the sql command, and, when it is absent, the sensitive library table and the target account password are obtained from the central password verification service before the target database is determined and the sql connection is made, the prior-art situation in which operation and maintenance personnel hold the password directly and thereby reduce the security of the data in the database is avoided, and the security of the data in the database is improved. Moreover, because the operation authority of the client decides whether an operation continues when the triggered target library table matches the sensitive library table, unauthorized operations by users are effectively prevented, which further improves the security of the data in the database.
Drawings
FIG. 1 is a schematic diagram of a database management device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating a first embodiment of a database management method according to the present invention;
FIG. 3 is a flow chart illustrating another embodiment of a database management method of the present invention;
FIG. 4 is a block diagram of an apparatus of a database management apparatus according to the present invention;
FIG. 5 is a block diagram of an apparatus of a database management apparatus according to the present invention;
FIG. 6 is a block diagram of a database management method according to the present invention;
FIG. 7 is a schematic diagram illustrating a client operation flow in the database management method according to the present invention;
FIG. 8 is a flow chart of a database management method according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 is a schematic diagram of a database management device in a hardware operating environment according to an embodiment of the present invention.
The database management equipment of the embodiment of the invention can be a PC (personal computer) or server equipment, and a Java virtual machine runs on the database management equipment.
As shown in fig. 1, the database management apparatus may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the database management apparatus configuration shown in FIG. 1 does not constitute a limitation of apparatus and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, the memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a database management program.
In the database management apparatus shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and communicating with the backend server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; and the processor 1001 may be used to call a database management program stored in the memory 1005 and perform operations in the database management method described below.
Based on the hardware structure, the embodiment of the database management method is provided.
Referring to fig. 2, fig. 2 is a schematic flowchart of a first embodiment of a database management method according to the present invention, where the method includes:
step S10, when an input sql command is detected, acquiring a plurality of parameters corresponding to the sql command, and detecting whether target authentication information exists in a local cache of the client according to each parameter;
In this embodiment, the DPM, i.e., the database password manager, is a system for hosting database user names and passwords (i.e., account passwords), and includes a client, a client cache, a server, and a management station. The client corresponds to the DPM-CLIENT subsystem, i.e., the password manager client. The client cache corresponds to the DPM-CP subsystem, i.e., the password query agent, which queries database passwords after authenticating the application, script or real-name account; it is deployed locally with the application and caches database passwords. The server corresponds to the DPM-CCP subsystem, i.e., the central password query service, which queries database passwords after authenticating the application, script or real-name account. The management station corresponds to the DPM-CONSOLE subsystem, i.e., the database password manager management station, and is used for managing the managed accounts. Therefore, in the present embodiment, the overall architecture of the password manager system may include UM-SSO (unified single sign-on), DPM-CONSOLE (database password manager management station), UM-CORE (user management), DPM-CCP (central password query service), DPM-CLIENT (password manager client), and DPM-CP, as shown in fig. 6.
In this embodiment, the database management method is mainly applied to the client, namely the DPM-CLIENT subsystem. As shown in fig. 7, database accounts may be managed as follows: the password manager client first accesses the password query agent service in local memory; if nothing is found there, it accesses the central password query service (i.e., the central password verification service) over HTTP (HyperText Transfer Protocol). The central password query service first queries user information from UM (the user information management system) over HTTP, and then, according to the queried user information, accesses TDSQL over the MySQL protocol to obtain the corresponding database information; the passwords held in TDSQL are managed there (e.g., changed periodically). According to the acquired database information, the password manager client accesses the CMDB (configuration management database) over HTTP to determine the MYSQL-SERVER, and establishes an SQL (Structured Query Language) connection with the MYSQL-SERVER over the MySQL protocol.
Therefore, in this embodiment, when an input sql command is detected (e.g., a mysqlsec command or a mysqldump command; this embodiment uses only the mysqlsec command as an example), the mysqlsec command needs to have been added to the environment variable, and parameter detection is performed to obtain the parameters corresponding to the sql command, such as the appid (authentication information), the account id, and the database ip and port. The local cache is then queried with these parameters, i.e., it is detected whether target authentication information exists in the local cache of the client, and different operations are executed depending on the result. That is, after parameter detection succeeds, some information (such as local ip information and script path information) is captured automatically, and the captured information and the parameters are encapsulated in a specified format and sent to the local cache (i.e., DPM-CP) to query the corresponding appid information (i.e., the target authentication information). If the target authentication information is found, the local cache sends the client the database user name and password corresponding to the account id, together with the library table information that the appid is prohibited from accessing. If it is not found, it is determined that the target authentication information does not exist.
Step S20, if it does not exist, acquiring, based on the parameters, a sensitive library table and a target account password fed back by the central password verification service corresponding to the client, determining a target database according to the target account password, and establishing an sql connection with the server where the target database is located;
When it is determined that the target authentication information does not exist, the parameters and the captured information are assembled into a corresponding http request, and the http request is sent to the central password verification service (i.e., DPM-CCP) corresponding to the client to obtain the sensitive library table and the target account password that it feeds back. On receiving the http request, the central password verification service authenticates it according to a preset authentication logic: it checks whether the version information of mysqlsec meets the requirements and, if so, whether the appid corresponding to mysqlsec exists, whether the necessary authentication information and public key information have been configured, and so on. Only if all of these checks pass does the central password verification service send the sensitive library table and the target account password to the client where mysqlsec runs. mysqlsec can be used in two different application scenarios: use by a script, and direct connection to a database. The script scenario mainly covers importing and exporting data and periodically releasing changes that modify table structures; a time is usually set and the server executes the script automatically without manual intervention. The direct-connection scenario mainly refers to cases where a problem or anomaly occurs and operation and maintenance personnel must intervene manually to query or modify data. Therefore, when the central password verification service feeds back the sensitive library table, it can feed back different sensitive library tables for the different application scenarios. For example, for use by a script the sensitive library table is returned according to the appid, and for a direct connection to the database it is returned according to the um (user information) account.
When the client where mysqlsec runs obtains a result returned by the DPM-CP, it symmetrically decrypts the database password with the agreed symmetric key. If the result was returned by the central password verification service, it decrypts the returned database password ciphertext with RSA (an asymmetric encryption algorithm) or ECC (elliptic curve cryptography), using the private key in the configuration file. After decryption succeeds, it determines whether a database IP and port are present; if not, it queries the database IP and port using the dcn (data communication network) information specified by the user. Once the database ip and port information has been obtained, the mysql protocol can be used to initiate a connection request to the mysql-server at that ip and port. The mysql-server verifies the password on receiving the connection request and returns confirmation information to mysqlsec. If verification fails, the connection is refused directly, and mysqlsec reports the failure reason to the user and exits the program; if verification succeeds, the sql connection is established.
Step S30, executing the sql command based on the sql connection, and detecting whether a target library table triggered when the sql command is executed is matched with the sensitive library table;
in this embodiment, after the sql is connected, the sql command may be executed, that is, the database operation is performed according to actual requirements, and in the database operation process, if operation behaviors of a specific library table, such as deletion, modification, and the like, are involved, it is checked whether the library table (i.e., the target library table) triggered when the sql command is executed matches the sensitive library table, and if not, the current database operation is continuously executed.
Step S40, if they match, determining whether to continue executing the operation on the target library table according to the operation authority of the client.
When the target library table is found to match the sensitive library table, whether to continue executing the operation on the target library table needs to be determined according to the operation authority of the client. That is, when the requested library table name is found in the returned set of sensitive library table names, it needs to be judged whether the appid or um account has the operation authority for operating the target table; if not, the user is prompted to apply for the corresponding sensitive table authority, and the sql connection is disconnected. If the operation authority exists, the operation is allowed to continue; at the same time the client reports the current operation command to the password manager center service through an http request, and after receiving the request the password manager center service stores the data in a database for subsequent audit.
In addition, the following description is given for the purpose of assisting understanding of database management in the present embodiment.
For example, as shown in fig. 8, in the password manager CLIENT (DPM-CLIENT), the mysqlsec command is executed first and its parameters are checked; the local cache (DPM-CP) is then queried for the target authentication information, and if it does not exist, the central verification service (DPM-CCP) is requested. mysqlsec parses the result fed back by the local cache or by the central verification, then queries the cmdb, creates an sql connection, and executes the sql statement, which completes the whole process of obtaining a database password and connecting to the database. If any of these steps fails, the program exits actively, so that the user cannot access the database. The central password checking inquiry service (DPM-CCP) performs checks according to the request instruction, namely whether the mysqlsec version meets the requirements, whether the appid is legal, whether the account id is legal, whether the appid has the authority to access the account id, whether the authentication information such as the ip and script path corresponding to the appid meets the requirements, whether the um password passes the check, and so on. If any one of the checks fails, the sensitive library table and the target account password are not sent to the client, that is, the password manager client's request to the central password verification service fails. If the verification succeeds, the database password is encrypted, and the database user name, password and sensitive library table information are returned.
In this embodiment, when an input sql command is detected, a plurality of parameters corresponding to the sql command are obtained, and whether target authentication information exists in a local cache of the client is detected according to each parameter; if it does not exist, a sensitive library table and a target account password fed back by the central encryption service corresponding to the client are acquired based on each parameter, a target database is determined according to the target account password, and an sql connection is established with the service end where the target database is located; the sql command is executed based on the sql connection, and whether a target library table triggered when the sql command is executed matches the sensitive library table is detected; and if so, whether to continue executing the operation on the target base table is determined according to the operation authority of the client. Whether target authentication information exists in the local cache is determined according to the plurality of parameters corresponding to the sql command; if it does not exist, the sensitive library table and the target account password fed back by the central authentication service are obtained, and the target database is then determined according to the target account password and the sql connection is made. This avoids the situation in the prior art where operation and maintenance personnel hold the password directly and the security of data in the database is reduced, and so improves the security of the data in the database. If the target library table triggered when the sql command is executed matches the sensitive library table, whether to continue executing the operation on the target library table is determined according to the operation authority of the client, which effectively prevents unauthorized operations by the user and improves the security of the data in the database.
Further, based on the first embodiment of the database management method of the present invention, a second embodiment of the database management method of the present invention is proposed. This embodiment is the step S30 of the first embodiment of the present invention, and after the step of detecting whether the target authentication information exists in the local cache of the client according to each of the parameters, the method includes:
step a, if the target authentication information exists, acquiring a forbidden library table corresponding to the target authentication information and the database account password, taking the forbidden library table as the sensitive library table, taking the database password as the target account password, executing the step of determining a target database according to the target account password, and establishing sql connection between the target database and a server side where the target database is located.
In this embodiment, when it is determined that target authentication information exists in the local cache, that is, when target api information exists, it is required to first detect whether the target authentication information satisfies a condition, for example, parameters of the target authentication information are identical, and when the target authentication information satisfies the condition, a database user name and a password (the password is stored in the memory using a symmetric encryption algorithm) corresponding to the target authentication information may be returned to the mysqlsec program, and at the same time, information of a base table to which the api prohibits access is returned. Namely, the forbidden library table in the cache is used as a sensitive library table, and the database password is used as the target account password and sent to the client where the mysqlsec is located. And then the client decrypts the result returned by the cache, acquires the ip and the port of the database according to the decrypted result and establishes corresponding sql connection.
In this embodiment, when it is determined that the target authentication information exists in the local cache, the target database is determined according to the forbidden library table and the database account password corresponding to the target authentication information, and the corresponding sql connection is established, thereby ensuring effective performance of the sql connection.
Further, the step of obtaining a sensitive library table and a target account password fed back by the central encryption service corresponding to the client based on the parameters includes:
b, acquiring local information of the client, creating a request instruction according to each parameter and the local information, and sending the request instruction to a central secret verification service corresponding to the client, wherein the central secret verification service performs authentication and authentication on the request instruction according to a preset authentication logic, and if the authentication is passed, a sensitive library table and a target account password are fed back to the client;
in this embodiment, local information of the client, such as local ip information and script path information, needs to be acquired. And then, creating a corresponding request instruction according to each parameter and local information, such as an http request, and sending the request instruction to a central encryption verification service corresponding to the client, wherein the central encryption verification service performs authentication certification on the request instruction according to a preset authentication logic after receiving the request instruction, namely, firstly judging whether version information of the mysqlsec meets requirements, and if so, judging whether an appid corresponding to the mysqlsec exists, whether necessary authentication information and public key information are configured, and only if all the authentications pass, the central encryption verification service sends the sensitive library table and the target account password to the client where the mysqlsec is located. The mysqlsec can be applied to two different application scenarios, namely script usage and direct connection of a database. The scenario that the script uses mysqlsec mainly comprises that data is imported, exported and issued regularly to modify a data table structure, generally time is set, and the data is automatically executed by a server without manual intervention; the scene that the direct connection database uses mysqlsec mainly refers to that when problems or abnormity occurs, operation and maintenance manual intervention is needed to inquire or modify data. Therefore, when the central encryption checking service feeds back the sensitive base table, different sensitive base tables can be fed back according to different application scenes. 
For example, if the script is used, the sensitive table is returned according to the api, and if the script is directly connected to the database, the sensitive table is fed back according to the um (user information) account.
And e, receiving the sensitive base table and the target account password fed back by the central password verification service based on the request instruction.
And receiving a feedback result fed back by the central encryption service based on the request instruction, wherein the feedback result comprises the sensitive library table and the target account password, and performing rsa or ecc decryption on a database password ciphertext (namely the account password) in the feedback result according to a private key in the configuration file.
In this embodiment, a request instruction is created according to each parameter and local information, and the sensitive library table and the target account password fed back by the central encryption service are obtained according to the request instruction, so that the effectiveness of the obtained sensitive library table and the target account password is guaranteed.
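The ordered checks that the central verification service applies to a script-scenario request can be sketched as follows. This is an added example, not code from the patent: the registry layout, field names, minimum version and sample values are constructed assumptions, and the um password check of the direct-connection scenario is not modelled.

```python
import ipaddress
import posixpath

# Constructed registry standing in for the configuration held centrally.
MIN_VERSION = (1, 4, 0)
KNOWN_ACCOUNTS = {"acct_77", "acct_90"}
REGISTRY = {
    "app_1001": {
        "accounts": {"acct_77"},                            # account ids this appid may use
        "networks": [ipaddress.ip_network("10.8.0.0/24")],  # permitted client addresses
        "script_dir": "/data/app_1001/jobs",                # permitted script location
    }
}


def parse_version(text):
    """'1.10.0' -> (1, 10, 0); None for anything malformed."""
    try:
        return tuple(int(part) for part in text.split("."))
    except (AttributeError, ValueError):
        return None


def verify(req):
    """Run the checks in order and stop at the first failure (fail closed)."""
    version = parse_version(req.get("version"))
    # Tuples compare numerically, so 1.10.0 is newer than 1.4.0 (strings would not).
    if version is None or version < MIN_VERSION:
        return False, "version"
    app = REGISTRY.get(req.get("appid"))
    if app is None:
        return False, "appid"
    account_id = req.get("account_id")
    if account_id not in KNOWN_ACCOUNTS:
        return False, "account_id"
    if account_id not in app["accounts"]:
        return False, "not_authorized"
    try:
        ip = ipaddress.ip_address(req.get("ip"))
    except ValueError:
        return False, "ip"
    if not any(ip in net for net in app["networks"]):
        return False, "ip"
    # Normalise before comparing so "jobs/../../x.sh" cannot pass a prefix test.
    script = posixpath.normpath(str(req.get("script_path", "")))
    if not script.startswith(app["script_dir"] + "/"):
        return False, "script_path"
    return True, "ok"


def handle(req, server_log):
    """Build the reply: on any failure nothing but the verdict leaves the service."""
    ok, reason = verify(req)
    server_log.append((req.get("appid"), reason))  # the failing check stays server-side
    if not ok:
        return {"result": "no"}                    # no password, no sensitive table list
    return {"result": "yes", "account_id": req["account_id"]}
```

The reply to a rejected request carries only the verdict, so a caller cannot learn which check it failed; the reason is kept for the service's own log.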
Further, the step of determining whether to continue executing the operation on the target library table according to the operation authority of the client comprises:
step f, determining whether the client has the operation authority for operating the target base table according to the authority information in the sensitive base table;
in this embodiment, when a target library table and a sensitive library table are found to be matched, it is necessary to determine whether a client has an operation authority for operating the target library table according to authority information in the sensitive library table, that is, when a library table name of a request is found in a returned sensitive library table name set, it is necessary to determine whether an appid or um account has an operation authority for operating the target library table, and if not, a user is prompted to apply for a corresponding sensitive library table authority, and an sql connection is disconnected. And if the operation authority exists, allowing the operation to be continued, simultaneously reporting the current operation command to the password manager center service through an http request by the client, and storing the data to a database for subsequent audit after the password manager center service receives the request.
And g, if so, continuing to execute the operation on the target base table.
And when the client is found to have the operation right for operating the target library table through judgment, the client can be allowed to continuously execute the operation on the target library table.
In the embodiment, when the client side is determined to have the operation authority for operating the target library table according to the authority information of the sensitive library table, the operation on the target library table is continuously executed.
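The client-side check of steps S30/S40 and f/g, as an added example that is not the patent's code. It assumes the sensitive library table arrives as a mapping from `db.table` to the appids or um accounts allowed to operate on it, and uses a list in place of the http audit report. It goes beyond the text in one respect: instead of parsing SQL grammar it treats every identifier in the statement as a possible table name, so the check errs toward asking for authority.

```python
import re
from collections import namedtuple

Decision = namedtuple("Decision", "action tables")

_IDENT = r"`[^`]+`|[\w$]+"
_IDENT_RE = re.compile(_IDENT)
# One left-to-right pass: string literals and comments are skipped, everything
# else that looks like an identifier (optionally db.table) is collected.
_TOKEN = re.compile(
    r"(?P<skip>'(?:[^'\\]|\\.|'')*'"       # single-quoted string
    r'|"(?:[^"\\]|\\.)*"'                  # double-quoted string
    r"|/\*(?!!).*?\*/"                     # block comment, but not /*! ... */
    r"|--(?=\s|\Z)[^\n]*|#[^\n]*)"         # line comments
    r"|(?P<name>(?:%s)(?:\s*\.\s*(?:%s))?)" % (_IDENT, _IDENT),
    re.S)


def candidate_tables(sql, default_db):
    """Every identifier in sql, lower-cased, as a possible 'db.table' name."""
    found = set()
    for match in _TOKEN.finditer(sql):
        if match.group("name") is None:
            continue                        # literal or comment: carries no table
        parts = [p.strip("`").lower() for p in _IDENT_RE.findall(match.group("name"))]
        found.add(default_db.lower() + "." + parts[0])   # bare table, or table.column
        if len(parts) == 2:
            found.add(parts[0] + "." + parts[1])         # db.table
    return found


def gate(sql, principal, default_db, sensitive, audit_log):
    """Decide whether the statement may run for this appid or um account."""
    hits = sorted(candidate_tables(sql, default_db) & set(sensitive))
    if not hits:
        return Decision("continue", [])     # no sensitive table involved
    if any(principal not in sensitive[table] for table in hits):
        return Decision("disconnect", hits) # prompt to apply for authority, drop the link
    audit_log.append({"principal": principal, "tables": hits, "sql": sql})
    return Decision("continue", hits)


if __name__ == "__main__":
    # Constructed sample data.
    sensitive = {"pay.t_account": {"app_1001"}, "pay.t_card": set()}
    audit = []
    for stmt in ("SELECT id FROM t_order",
                 "UPDATE pay . t_account SET bal = 0",
                 "DELETE FROM `T_Card` WHERE id = 1",
                 "/*!50000 DROP TABLE t_card */"):
        print(gate(stmt, "app_1001", "pay", sensitive, audit), "<-", stmt)
```

MySQL version comments (`/*! ... */`) are executed by the server, so the scanner reads them as code, while ordinary comments and string literals are ignored.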
In addition, referring to fig. 3, fig. 3 is a schematic flowchart of another embodiment of a database management method according to the present invention, where the database management method includes:
step S100, classifying and storing input account passwords of a plurality of databases, distributing managed accounts to the account passwords which are classified and stored, and configuring authentication information of the managed accounts to obtain authentication information corresponding to the databases;
in the present embodiment, the database management method is applied to a management desk, i.e., PM-connect. And when all database accounts are managed in the management station, classified storage is carried out, namely the input account passwords of a plurality of databases are classified and stored. For example, the management console divides each department into a domain, sets a department operation and maintenance responsible person as a domain administrator, and then the domain administrator can divide a plurality of safes according to business needs, designates corresponding personnel as the safe administrator, and the authority of each domain and each safe is independent; domain administrators and safe administrators have the authority to host and maintain their own domain or safe. In this embodiment, an account ID, that is, a managed account, is assigned to each account password stored in a classified manner, and authentication management is performed, that is, authentication information configuration is performed on each managed account to obtain authentication information corresponding to each database. Namely, after the managed account is created, the corresponding appid is created, authentication information configuration is performed, and the corresponding appid is authorized to access the databases. The authentication information configuration may be as shown in table 1 below.
TABLE 1 (authentication information configuration; the table is an image in the original and is not reproduced here)
Step S200, if an acquisition instruction sent by the central encryption verification service based on a request instruction of the client is received, determining a target escrow account corresponding to the acquisition instruction among the escrow accounts having authentication information;
after each database account is hosted on the management platform, if an acquisition instruction sent by the central encryption verification service based on a request instruction of the client is received, the hosted account that matches the acquisition instruction, namely the target hosted account, can be determined among the hosted accounts having authentication information according to the parameter information carried by the acquisition instruction.
Step S300, acquiring a target account password and a sensitive library table corresponding to the target escrow account, and sending the target account password and the sensitive library table to the central password verification service, wherein the central password verification service sends the target account password and the sensitive library table to the client.
A target account password and a sensitive library table corresponding to the target escrow account are acquired and sent to the central password verification service, which sends them to the client. It should be noted that, in this embodiment, the accounts and passwords of stock (existing) databases may be entered in batches, while for a newly applied database only information such as the id of the database account is fed back to the applicant, not the plaintext password. The password of a newly applied database is in fact randomly generated by the password manager management station and notified to the database administrator, and the corresponding database server can then be connected to for database operations through mysqlsec or mysqlsecdump. However, since a database account becomes exposed after a period of time, a double-account system can be used for encryption. That is, two accounts with identical authority, a conventional account and a shadow account, exist in the same database.
If the password is changed regularly while the conventional account is in use, the password changing process is as follows: the password changing operation is clicked on the database password manager management station; after receiving the request, the background of the management station enables the shadow account of the database, and subsequent mysqlsec requests are returned the user name and encrypted password of the shadow account; a background monitoring program judges whether any connection or operation is still using the conventional account; after it is confirmed that there is none, the password of the conventional account is changed, and the account whose password has been changed becomes the new shadow account.
In this embodiment, by classifying and storing input account passwords of a plurality of databases, assigning managed accounts to each account password which is classified and stored, and configuring authentication information for each managed account, authentication information corresponding to each database is obtained; if an acquisition instruction sent by a client-based request instruction of a central encryption verification service is received, determining a target escrow account corresponding to the acquisition instruction in each escrow account with authentication information; and acquiring a target account password and a sensitive library table corresponding to the target escrow account, and sending the target account password and the sensitive library table to the central secret verification service, wherein the central secret verification service sends the target account password and the sensitive library table to a client. The account passwords of the databases are stored in a classified mode, corresponding managed accounts are allocated, and authentication information configuration is carried out on each managed account, so that the validity of the account passwords corresponding to each managed account is guaranteed, and the safety of the account passwords of the databases during storage is also guaranteed due to the fact that the account passwords are stored in a classified mode and given to the managed accounts. When an acquisition instruction is received, the escrow account is determined according to the acquisition instruction, the sensitive library table and the target account password are sent to the central password verification service, and the information is sent to the client through the central password verification service, so that the security of data in the database is guaranteed.
Further, a third embodiment of the database management method of the present invention is provided based on another embodiment of the database management method of the present invention. This embodiment is a step S200 of another embodiment of the present invention, and after the step of determining, in each managed account having the authentication information, a target managed account corresponding to the obtaining instruction, the method includes:
step x, acquiring a conventional account password corresponding to the acquisition instruction, and detecting whether the conventional account password is expired;
in this embodiment, each database corresponds to a set of regular account and shadow account with the same authority, so that it is necessary to determine the regular account password corresponding to the acquisition instruction first, and then detect whether the regular account password has expired. And performs different operations based on different determination results.
And step y, if the password is not expired, taking the conventional account password as the target account password.
When the conventional account password is judged to be not expired, the conventional account password can be directly sent as a target account password, but if the conventional account password is expired, a shadow account password corresponding to the conventional account password is started, the shadow account password is sent as the target account password, the conventional account password is modified, the modified conventional account password is used as a new shadow account password, and the original shadow account password is used as a new conventional account password.
In this embodiment, when the conventional account password corresponding to the acquisition instruction is not expired, the conventional account password is used as the target account password, so that the validity of the target account password is ensured.
Further, after the step of detecting whether the conventional account password is expired, the method includes:
and m, if the password is overdue, acquiring a shadow account password corresponding to the conventional account password, modifying the conventional account password, taking the modified conventional account password as a new shadow account password, taking the shadow account password as a new conventional account password, and taking the new conventional account password as a target account password.
In this embodiment, when it is determined that the conventional account password is expired, a shadow account password corresponding to the conventional account password needs to be acquired, the conventional account password is modified, the modified conventional account password is used as a new shadow account password, the shadow account password is used as a new conventional account password, and the new conventional account password is used as a target account password.
In this embodiment, when it is determined that the conventional account password is expired, the shadow account password is used as a new conventional account password, and the new conventional account password is used as the target account password, so that the validity of the target account password is guaranteed.
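The conventional/shadow account swap of steps x, y and m, combined with the background monitoring check described in the password changing process, as an added example that is not the patent's code. The class, the `set_db_password` callback that stands in for the actual password change on the database, the account names and the day-count clock are all assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    password: str


class DualAccount:
    """Two accounts with identical authority; one is handed out, one is in reserve."""

    def __init__(self, regular, shadow, max_age, set_db_password, now):
        self.regular = regular            # conventional account, handed to clients
        self.shadow = shadow              # shadow account, held in reserve
        self.max_age = max_age            # lifetime of the handed-out password
        self.set_db_password = set_db_password
        self.active_since = now           # when the current conventional account took over
        self.rotation_pending = False     # reserve account still holds its old password

    def issue(self, now):
        """Credentials for a request arriving at time `now`."""
        expired = now - self.active_since >= self.max_age
        # Swap only when the reserve account has a fresh password; otherwise an
        # expired request would hand the retired, unrotated password out again.
        if expired and not self.rotation_pending:
            self.regular, self.shadow = self.shadow, self.regular
            self.active_since = now
            self.rotation_pending = True
        return self.regular.name, self.regular.password

    def drain(self, sessions_by_account):
        """Monitor hook: change the retired account's password once it is idle."""
        if not self.rotation_pending:
            return False
        if sessions_by_account.get(self.shadow.name, 0) > 0:
            return False                  # still in use: changing it now would break work
        new_password = secrets.token_urlsafe(24)
        self.set_db_password(self.shadow.name, new_password)  # database first
        self.shadow.password = new_password                   # then the stored copy
        self.rotation_pending = False
        return True


if __name__ == "__main__":
    changed = {}                          # constructed stand-in for the database
    pair = DualAccount(Account("app_rw", "old-a"), Account("app_rw_s", "old-b"),
                       max_age=90, set_db_password=changed.__setitem__, now=0)
    print(pair.issue(10))                 # conventional account, not expired
    print(pair.issue(90))                 # expired: the shadow account takes over
    print(pair.drain({"app_rw": 2}))      # old account still has sessions
    print(pair.drain({"app_rw": 0}))      # idle now: its password is changed
```

Writing the new password to the database before updating the stored copy means a failed change leaves the stored value equal to what the database still accepts.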
In addition, an embodiment of the present invention further provides a database management system, where the database management system includes a client, a management station, and a central secret verification service, and the database management system implements the following steps:
the management platform classifies and stores input account passwords of a plurality of databases, allocates managed accounts to the account passwords which are classified and stored, and configures authentication information of the managed accounts to obtain the authentication information corresponding to the databases;
when a client detects an input sql command, a plurality of parameters corresponding to the sql command are obtained, and whether target authentication information exists in a local cache of the client is detected according to the parameters; if it does not exist, local information of the client is obtained, a request instruction is created according to each parameter and the local information, and the request instruction is sent to the central encryption verification service;
the central secret-verification service carries out authentication and certification on the request instruction according to a preset authentication logic, and if the certification is passed, an acquisition instruction is sent to the management platform;
the management platform receives an acquisition instruction sent by a central password verification service, and determines a target escrow account corresponding to the acquisition instruction in each escrow account with authentication information; acquiring a target account password and a sensitive library table corresponding to the target escrow account, and sending the target account password and the sensitive library table to the central secret verification service;
the central secret checking service receives the target account password and the sensitive library table sent by the management station and sends the target account password and the sensitive library table to a client;
the client receives the sensitive base table and the target account password sent by the central password verification service, determines a target database according to the target account password, and establishes sql connection between the target database and a service end where the target database is located; executing the sql command based on the sql connection, and detecting whether a target library table triggered when the sql command is executed is matched with the sensitive library table; and if so, determining whether to continue executing the operation on the target base table according to the operation authority of the client.
In this embodiment, the management station in the database management system classifies and stores account passwords of a plurality of databases, allocates corresponding managed accounts, and configures authentication information for each managed account, thereby ensuring the validity of the account password corresponding to each managed account, and because the account passwords are classified and stored, and given to the managed accounts, the security of the account passwords of the databases during storage is also ensured. And the client determines whether target authentication information exists in a local cache according to a plurality of parameters corresponding to the sql command, and when the target authentication information does not exist, acquires a sensitive library table and a target account password fed back by the central encryption verification service based on the management console, determines a target database according to the target account password, and performs sql connection, thereby avoiding the phenomenon that the security of data in the database is reduced due to the fact that operation and maintenance personnel directly master the password in the prior art, improving the security of the data in the database, and when the sql command is executed, if the triggered target library table and the sensitive library table are matched, determining whether to continue to execute the operation on the target library table according to the operation authority of the client, thereby effectively avoiding the unauthorized operation of a user, and improving the security of the data in the database.
The present invention also provides a database management apparatus, referring to fig. 4, the database management apparatus including:
a detecting module a10, configured to, when an input sql command is detected, obtain multiple parameters corresponding to the sql command, and detect whether target authentication information exists in a local cache of the client according to each of the parameters;
an obtaining module a20, configured to, if not, obtain, based on each of the parameters, a sensitive library table and a target account password fed back by the central privacy verification service corresponding to the client, determine a target database according to the target account password, and establish an sql connection between the target database and a service end where the target database is located;
an execution module A30, configured to execute the sql command based on the sql connection, and detect whether a target library table triggered when the sql command is executed matches the sensitive library table;
and a determining module a40, configured to, if so, determine whether to continue executing the operation on the target library table according to the operation authority of the client.
Optionally, the detecting module a10 is further configured to:
and if the target authentication information exists, acquiring a forbidden library table corresponding to the target authentication information and the database account password, taking the forbidden library table as the sensitive library table, taking the database password as the target account password, executing the step of determining the target database according to the target account password and establishing the sql connection between the target database and the service end where the target database is located.
Optionally, the obtaining module a20 is further configured to:
acquiring local information of the client, creating a request instruction according to each parameter and the local information, and sending the request instruction to a central secret verification service corresponding to the client, wherein the central secret verification service performs authentication and certification on the request instruction according to a preset authentication logic, and if the certification is passed, a sensitive library table and a target account password are fed back to the client;
and receiving the sensitive base table and the target account password fed back by the central password verification service based on the request instruction.
Optionally, the determining module a40 is further configured to:
determining whether the client has an operation authority for operating the target base table according to the authority information in the sensitive base table;
if yes, continuing to execute the operation on the target base table.
The present invention also provides a database management apparatus, referring to fig. 5, the database management apparatus including:
a configuration module a100, configured to store account passwords of multiple input databases in a classified manner, assign managed accounts to the account passwords that have been stored in the classified manner, and configure authentication information for each managed account to obtain authentication information corresponding to each database;
the receiving module A200 is used for determining a target escrow account corresponding to an acquisition instruction in each escrow account with authentication information if the acquisition instruction sent by the request instruction of the central encryption verification service based on the client is received;
the sending module a300 is configured to obtain a target account password and a sensitive library table corresponding to the target escrow account, and send the target account password and the sensitive library table to the central password verification service, where the central password verification service sends the target account password and the sensitive library table to a client.
Optionally, the receiving module a200 is further configured to:
acquiring a conventional account password corresponding to the acquisition instruction, and detecting whether the conventional account password is expired;
and if the password is not expired, taking the conventional account password as the target account password.
Optionally, the receiving module a200 is further configured to:
and if the password is expired, acquiring a shadow account password corresponding to the conventional account password, modifying the conventional account, taking the modified conventional account password as a new shadow account password, taking the shadow account password as a new conventional account password, and taking the new conventional account password as a target account password.
The methods executed by the program units can refer to various embodiments of the database management method of the present invention, and are not described herein again.
The present invention also provides a database management apparatus, including: a memory, a processor, and a database management program stored on the memory and executable on the processor, the database management program when executed by the processor implementing the steps of the database management method as described above.
The invention also provides a computer storage medium.
The computer storage medium of the present invention has stored thereon a database management program which, when executed by a processor, performs the steps of the database management method as described above.
The method implemented when the database management program running on the processor is executed may refer to each embodiment of the database management method of the present invention, and details thereof are not described herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (12)

1. A database management method applied to a client, the database management method comprising the steps of:
when an input SQL command is detected, acquiring a plurality of parameters corresponding to the SQL command, and detecting, according to the parameters, whether target authentication information exists in a local cache of the client;
if the target authentication information does not exist, acquiring, based on the parameters, the sensitive library table and the target account password fed back by the central secret verification service corresponding to the client, determining a target database according to the target account password, and establishing an SQL connection with the server where the target database is located;
executing the SQL command over the SQL connection, and detecting whether a target library table triggered when the SQL command is executed matches the sensitive library table;
and, if it matches, determining whether to continue executing the operation on the target library table according to the operation authority of the client.
2. The database management method according to claim 1, wherein said step of detecting whether target authentication information exists in a local cache of said client according to each of said parameters comprises:
if the target authentication information exists, acquiring the forbidden library table and the database account password corresponding to the target authentication information, taking the forbidden library table as the sensitive library table and the database account password as the target account password, and executing the step of determining the target database according to the target account password and establishing the SQL connection with the server where the target database is located.
3. The database management method according to claim 1, wherein the step of obtaining the sensitive library table and the target account password fed back by the central secret verification service corresponding to the client based on each of the parameters comprises:
acquiring local information of the client, creating a request instruction according to the parameters and the local information, and sending the request instruction to the central secret verification service corresponding to the client, wherein the central secret verification service authenticates the request instruction according to a preset authentication logic and, if the authentication passes, feeds back a sensitive library table and a target account password to the client;
and receiving the sensitive library table and the target account password fed back by the central secret verification service based on the request instruction.
4. The database management method according to claim 1, wherein the step of determining whether to continue to execute the operation on the target library table according to the operation authority of the client comprises:
determining, according to the authority information in the sensitive library table, whether the client has operation authority for operating the target library table;
if yes, continuing to execute the operation on the target library table.
5. A database management method, wherein the database management method is applied to a management platform, and the database management method comprises the following steps:
storing the input account passwords of a plurality of databases by category, assigning managed accounts to the stored account passwords, and configuring authentication information for the managed accounts to obtain the authentication information corresponding to each database;
if an acquisition instruction sent by the central secret verification service based on a request instruction from a client is received, determining, among the managed accounts that have authentication information, the target managed account corresponding to the acquisition instruction;
and acquiring the target account password and the sensitive library table corresponding to the target managed account, and sending the target account password and the sensitive library table to the central secret verification service, wherein the central secret verification service sends the target account password and the sensitive library table to the client.
6. The database management method according to claim 5, wherein the step of determining, among the managed accounts having the authentication information, the target managed account corresponding to the obtaining instruction, comprises:
acquiring a conventional account password corresponding to the acquisition instruction, and detecting whether the conventional account password is expired;
and if the password is not expired, taking the conventional account password as the target account password.
7. The database management method of claim 6, wherein the step of detecting whether the conventional account password is expired comprises:
if the conventional account password has expired, acquiring the shadow account password corresponding to the conventional account password, modifying the conventional account, taking the modified conventional account password as the new shadow account password, taking the shadow account password as the new conventional account password, and taking the new conventional account password as the target account password.
8. A database management system, characterized in that the database management system comprises a client, a management platform and a central secret verification service, and the database management system implements the following steps:
the management platform stores the input account passwords of a plurality of databases by category, assigns managed accounts to the stored account passwords, and configures authentication information for the managed accounts to obtain the authentication information corresponding to each database;
when the client detects an input SQL command, it acquires a plurality of parameters corresponding to the SQL command and detects, according to the parameters, whether target authentication information exists in the local cache of the client; if the target authentication information does not exist, it acquires local information of the client, creates a request instruction according to the parameters and the local information, and sends the request instruction to the central secret verification service;
the central secret verification service authenticates the request instruction according to a preset authentication logic and, if the authentication passes, sends an acquisition instruction to the management platform;
the management platform receives the acquisition instruction sent by the central secret verification service, and determines, among the managed accounts that have authentication information, the target managed account corresponding to the acquisition instruction; it acquires the target account password and the sensitive library table corresponding to the target managed account, and sends the target account password and the sensitive library table to the central secret verification service;
the central secret verification service receives the target account password and the sensitive library table sent by the management platform and sends the target account password and the sensitive library table to the client;
the client receives the sensitive library table and the target account password sent by the central secret verification service, determines a target database according to the target account password, and establishes an SQL connection with the server where the target database is located; it executes the SQL command over the SQL connection, and detects whether a target library table triggered when the SQL command is executed matches the sensitive library table; and, if it matches, determines whether to continue executing the operation on the target library table according to the operation authority of the client.
9. A database management apparatus, characterized in that the database management apparatus comprises:
a detection module, configured to, when an input SQL command is detected, acquire a plurality of parameters corresponding to the SQL command and detect, according to the parameters, whether target authentication information exists in a local cache of a client;
an acquisition module, configured to, if the target authentication information does not exist, acquire, based on the parameters, the sensitive library table and the target account password fed back by the central secret verification service corresponding to the client, determine a target database according to the target account password, and establish an SQL connection with the server where the target database is located;
an execution module, configured to execute the SQL command over the SQL connection and detect whether a target library table triggered when the SQL command is executed matches the sensitive library table;
and a determining module, configured to, if the target library table matches the sensitive library table, determine whether to continue executing the operation on the target library table according to the operation authority of the client.
10. A database management apparatus, characterized in that the database management apparatus further comprises:
a configuration module, configured to store the input account passwords of multiple databases by category, assign managed accounts to the stored account passwords, and configure authentication information for the managed accounts to obtain the authentication information corresponding to each database;
a receiving module, configured to, if an acquisition instruction sent by the central secret verification service based on a request instruction from the client is received, determine, among the managed accounts that have authentication information, the target managed account corresponding to the acquisition instruction;
and a sending module, configured to obtain the target account password and the sensitive library table corresponding to the target managed account, and send the target account password and the sensitive library table to the central secret verification service, wherein the central secret verification service sends the target account password and the sensitive library table to the client.
11. A database management apparatus characterized by comprising: memory, a processor and a database management program stored on the memory and executable on the processor, the database management program when executed by the processor implementing the steps of the database management method according to any of claims 1 to 7.
12. A computer storage medium having stored thereon a database management program which, when executed by a processor, implements the steps of a database management method as recited in any of claims 1-7.
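The client-side flow of claims 1 to 4 (cache lookup, fetch from the central service on a miss, sensitive-table check before an operation proceeds), as an added Python sketch that is not code from the patent. It assumes an in-memory SQLite database as a stand-in for the target database and uses SQLite's authorizer callback, which runs when a statement is compiled, to learn which tables the statement touches; the reply shape, the `fetch` callback and all table and account names are constructed for the illustration.

```python
import sqlite3

# Operation classes for the SQLite authorizer action codes checked here.
OPS = {sqlite3.SQLITE_READ: "read", sqlite3.SQLITE_INSERT: "write",
       sqlite3.SQLITE_UPDATE: "write", sqlite3.SQLITE_DELETE: "write"}


class Client:
    """Client side of claims 1-4; `fetch` stands in for the central service."""

    def __init__(self, fetch):
        self.fetch = fetch
        self.cache = {}      # local cache of authentication information
        self.fetches = 0     # how often the central service was asked

    def auth_info(self, params):
        # Cache hit: reuse the stored password and table list (claim 2).
        # Cache miss: request them from the central service (claim 3).
        if params not in self.cache:
            self.fetches += 1
            self.cache[params] = self.fetch(params)
        return self.cache[params]

    def guard(self, conn, params):
        """Install the sensitive-table check on an open connection."""
        sensitive = self.auth_info(params)["sensitive"]

        def authorizer(action, table, _column, _db, _source):
            op = OPS.get(action)
            # Table matches the sensitive list: continue only if this
            # operation is among the client's permitted ones (claim 4).
            if op and table in sensitive and op not in sensitive[table]:
                return sqlite3.SQLITE_DENY
            return sqlite3.SQLITE_OK

        conn.set_authorizer(authorizer)

    def run(self, conn, sql):
        try:
            return conn.execute(sql).fetchall()
        except sqlite3.DatabaseError:
            return "blocked"


def demo():
    # Constructed reply: password (unused by SQLite) plus sensitive tables
    # mapped to the operations this client may still perform (assumed shape).
    reply = {"password": "constructed-secret",
             "sensitive": {"salary": {"read"}, "audit_log": set()}}
    client = Client(lambda params: reply)
    conn = sqlite3.connect(":memory:")   # stand-in for the target database
    conn.executescript(
        "CREATE TABLE orders(id); CREATE TABLE salary(amount);"
        "CREATE TABLE audit_log(who); INSERT INTO salary VALUES (100);")
    params = ("10.0.0.5", 3306, "app_user")   # constructed host, port, account
    client.guard(conn, params)
    client.auth_info(params)                  # second lookup hits the cache
    return [client.run(conn, "SELECT amount FROM salary"),
            client.run(conn, "UPDATE salary SET amount = 0"),
            client.run(conn, "SELECT who FROM audit_log"),
            client.run(conn, "INSERT INTO orders VALUES (1)"),
            client.fetches]
```

Because the check and the cached table list both live on the client, they only constrain clients that run this code; the database account's own grants remain the server-side control.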
CN202010587345.7A 2020-06-24 2020-06-24 Database management method, system, device, equipment and computer storage medium Pending CN111737232A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010587345.7A CN111737232A (en) 2020-06-24 2020-06-24 Database management method, system, device, equipment and computer storage medium


Publications (1)

Publication Number Publication Date
CN111737232A true CN111737232A (en) 2020-10-02

Family

ID=72651590

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010587345.7A Pending CN111737232A (en) 2020-06-24 2020-06-24 Database management method, system, device, equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN111737232A (en)


Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112231654A (en) * 2020-10-16 2021-01-15 北京天融信网络安全技术有限公司 Operation and maintenance data isolation method and device, electronic equipment and storage medium
CN112231654B (en) * 2020-10-16 2024-02-06 北京天融信网络安全技术有限公司 Operation and data isolation method and device, electronic equipment and storage medium
CN113726888A (en) * 2021-08-31 2021-11-30 安天科技集团股份有限公司 Cipher data processing method and device based on block chain, electronic equipment and medium
CN114416197A (en) * 2021-12-28 2022-04-29 成都易达数安科技有限公司 Development-free scripted configuration method of APP background interface based on xml
CN114237699A (en) * 2022-02-24 2022-03-25 四川信用通数字科技股份有限公司 Configuration script exporting method and device and storage medium
CN114237699B (en) * 2022-02-24 2022-05-03 四川信用通数字科技股份有限公司 Configuration script exporting method and device and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination