CN111797424A - Method and device for processing request - Google Patents
- Publication number: CN111797424A (application CN201911176643.0A)
- Authority: CN (China)
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a method and an apparatus for processing a request, and relates to the field of cloud technology. One specific implementation of the method includes: receiving a request sent by a user terminal, the request carrying the user identifier and the identifier of a target project, where the target project is any project selected by the user from at least one project to which the user belongs; determining the user's permissions in the target project according to the user identifier and the target project identifier; and obtaining, from the data warehouse, response data that matches both the request and the user's permissions in the target project, and returning it to the user terminal. This embodiment truly enables a user to use, per project, the part of the data warehouse that corresponds to that project.
Description
Technical Field
The present invention relates to the field of cloud technology, and in particular to a method and apparatus for processing a request.
Background
With the development of the public cloud, users now need to use, per project, the part of a data warehouse that corresponds to that project.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problem:
The prior art obtains from the data warehouse all response data matching the request sent by the user terminal. That is, what a user accesses through one project is not the part of the data warehouse corresponding to that project but the parts corresponding to every project the user belongs to. The user therefore cannot be confined, per project, to the part of the data warehouse that corresponds to that project.
Summary of the Invention
In view of this, embodiments of the present invention provide a method and an apparatus for processing a request that truly enable a user to use, per project, the part of the data warehouse that corresponds to that project.
To achieve the above object, according to one aspect of the embodiments of the present invention, a method for processing a request is provided.
The method for processing a request according to an embodiment of the present invention includes:
receiving a request sent by a user terminal, the request carrying the user identifier and the identifier of a target project, where the target project is any project selected by the user from at least one project to which the user belongs;
determining the user's permissions in the target project according to the user identifier and the target project identifier;
obtaining, from the data warehouse, response data that matches both the request and the user's permissions in the target project, and returning it to the user terminal.
In one embodiment, determining the user's permissions in the target project according to the user identifier and the target project identifier includes:
obtaining permission parameters according to the user identifier and the target project identifier;
obtaining the user's permissions in the target project according to the permission parameters.
In one embodiment, obtaining permission parameters according to the user identifier and the target project identifier includes:
obtaining, according to the user identifier and the target project identifier, from a pre-created first mapping relationship, the identifier of the user's role in the target project and the identifier of the user's group in the target project, respectively;
generating a control instruction according to the user identifier;
the permission parameters include the identifier of the user's role in the target project, the identifier of the user's group in the target project, and the control instruction;
the first mapping relationship comprises the matching relationship among the user identifier, the target project identifier, the identifier of the user's role in the target project, and the identifier of the user's group in the target project.
In one embodiment, obtaining the user's permissions in the target project according to the permission parameters includes:
cutting off the direct relationship between the user and all permissions according to the control instruction;
obtaining, according to the identifier of the user's role in the target project and the identifier of the user's group in the target project, from a pre-created second mapping relationship, the permissions that match both the role identifier and the group identifier, and taking them as the user's permissions in the target project;
the second mapping relationship comprises the matching relationship among the identifier of the user's role in the target project, the identifier of the user's group in the target project, and the permissions.
In one embodiment, obtaining from the data warehouse response data that matches both the request and the user's permissions in the target project includes:
obtaining, from the metadata database of the data warehouse, metadata matching the request;
filtering the metadata using the user's permissions in the target project to obtain filtered metadata;
obtaining, from the data warehouse according to the filtered metadata, response data that matches both the request and the user's permissions in the target project.
In one embodiment, before receiving the request sent by the user terminal, the method includes:
for each project of the at least one project, creating a matching relationship between the identifier of the project's owner and the identifier of the owner's role in the project; and, through the project's owner, creating a matching relationship between the identifier of a tenant of the project and the identifier of that tenant's role in the project; the user is either the owner of the project or a tenant of the project.
In one embodiment, before receiving the request sent by the user terminal, the method includes:
prohibiting the user from performing authorization operations on groups.
To achieve the above object, according to another aspect of the embodiments of the present invention, an apparatus for processing a request is provided.
The apparatus for processing a request according to an embodiment of the present invention includes:
a receiving unit, configured to receive a request sent by a user terminal, the request carrying the user identifier and the identifier of a target project, where the target project is any project selected by the user from at least one project to which the user belongs;
a first processing unit, configured to determine the user's permissions in the target project according to the user identifier and the target project identifier;
a second processing unit, configured to obtain, from the data warehouse, response data that matches both the request and the user's permissions in the target project, and return it to the user terminal.
In one embodiment, the first processing unit is configured to:
obtain permission parameters according to the user identifier and the target project identifier;
obtain the user's permissions in the target project according to the permission parameters.
In one embodiment, the first processing unit is configured to:
obtain, according to the user identifier and the target project identifier, from a pre-created first mapping relationship, the identifier of the user's role in the target project and the identifier of the user's group in the target project, respectively;
generate a control instruction according to the user identifier;
the permission parameters include the identifier of the user's role in the target project, the identifier of the user's group in the target project, and the control instruction;
the first mapping relationship comprises the matching relationship among the user identifier, the target project identifier, the identifier of the user's role in the target project, and the identifier of the user's group in the target project.
In one embodiment, the first processing unit is configured to:
cut off the direct relationship between the user and all permissions according to the control instruction;
obtain, according to the identifier of the user's role in the target project and the identifier of the user's group in the target project, from a pre-created second mapping relationship, the permissions that match both the role identifier and the group identifier, and take them as the user's permissions in the target project;
the second mapping relationship comprises the matching relationship among the identifier of the user's role in the target project, the identifier of the user's group in the target project, and the permissions.
In one embodiment, the second processing unit is configured to:
obtain, from the metadata database of the data warehouse, metadata matching the request;
filter the metadata using the user's permissions in the target project to obtain filtered metadata;
obtain, from the data warehouse according to the filtered metadata, response data that matches both the request and the user's permissions in the target project.
In one embodiment, the first processing unit is configured to:
before receiving the request sent by the user terminal, for each project of the at least one project, create a matching relationship between the identifier of the project's owner and the identifier of the owner's role in the project; and, through the project's owner, create a matching relationship between the identifier of a tenant of the project and the identifier of that tenant's role in the project; the user is either the owner of the project or a tenant of the project.
In one embodiment, the first processing unit is configured to:
before receiving the request sent by the user terminal, prohibit the user from performing authorization operations on groups.
To achieve the above object, according to yet another aspect of the embodiments of the present invention, an electronic device is provided.
An electronic device according to an embodiment of the present invention includes: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method for processing a request provided by the embodiments of the present invention.
To achieve the above object, according to a further aspect of the embodiments of the present invention, a computer-readable medium is provided.
A computer-readable medium according to an embodiment of the present invention has a computer program stored thereon; when the program is executed by a processor, it implements the method for processing a request provided by the embodiments of the present invention.
One embodiment of the above invention has the following advantage or beneficial effect: the user's permissions in the target project are determined from the user identifier and the target project identifier carried in the request, and only response data matching both the request and those permissions is returned to the user terminal. Because the response data matches the user's permissions in the target project, the user can, through the target project, use only the part of the data warehouse corresponding to the target project and not the parts corresponding to other projects, where "other projects" means the projects other than the target project among the at least two projects to which the user belongs. This truly enables the user to use, per project, the part of the data warehouse corresponding to that project.
Further effects of the above non-conventional optional features are described below in conjunction with specific embodiments.
Brief Description of the Drawings
The drawings are provided for a better understanding of the present invention and do not constitute an improper limitation of the invention. In the drawings:
Fig. 1 is a schematic diagram of the main flow of a method for processing a request according to an embodiment of the present invention;
Fig. 2 is an application scenario of a method for processing a request according to an embodiment of the present invention;
Fig. 3 is an example of the relationship among users, projects and a data warehouse in the prior art;
Fig. 4 is an example of Hive permissions in the prior art;
Fig. 5 is an example of Hive permissions in an embodiment of the present invention;
Fig. 6 is an example of the processing flow for permission subject parameters in an embodiment of the present invention;
Fig. 7 is one example of the relationship among users, projects and a data warehouse in an embodiment of the present invention;
Fig. 8 is another example of the relationship among users, projects and a data warehouse in an embodiment of the present invention;
Fig. 9 is an example of roles in the prior art;
Fig. 10 is an example of the relationship between users and roles in an embodiment of the present invention;
Fig. 11 is a schematic diagram of the main units of an apparatus for processing a request according to an embodiment of the present invention;
Fig. 12 is an exemplary system architecture diagram to which embodiments of the present invention may be applied;
Fig. 13 is a schematic structural diagram of a computer system suitable for implementing a terminal device or server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, including various details of the embodiments to aid understanding; these should be regarded as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications may be made to the embodiments described herein without departing from the scope and spirit of the invention. Likewise, descriptions of well-known functions and structures are omitted from the following description for clarity and conciseness.
It should be noted that, where there is no conflict, the embodiments of the present invention and the features of the embodiments may be combined with one another.
In the prior art, the permission system of a data warehouse has three subject (topic) dimensions: user (USER), group (GROUP) and role (ROLE). The data warehouse takes the union of the permissions of the three dimensions when verifying permissions. As a result, the permission granularity is too coarse, and a user cannot be confined, per project, to the part of the data warehouse corresponding to that project.
The HDFS permissions of the data warehouse are controlled by groups, and the concept of a group comes from groups in the LINUX system. When a group in the LINUX system changes, the permissions are affected, so using the data warehouse is not very secure.
To solve the problems in the prior art, an embodiment of the present invention provides a method for processing a request. As shown in Fig. 1, the method includes:
Step S101: receiving a request sent by a user terminal, the request carrying the user identifier and the identifier of a target project, where the target project is any project selected by the user from at least one project to which the user belongs.
Step S102: determining the user's permissions in the target project according to the user identifier and the target project identifier.
Step S103: obtaining, from the data warehouse, response data that matches both the request and the user's permissions in the target project, and returning it to the user terminal.
In a specific implementation of this embodiment, as shown in Fig. 2, the embodiment is described below with a specific example: the user logs in to the public cloud through a user terminal and selects project A. The user terminal sends a request to the cloud server through the WEB interface. The request carries the user identifier and the identifier of project A (the target project); project A is the project the user selected from the three projects to which the user belongs (project A, project B and project C).
The cloud server receives the request, obtains the permission parameters (the permission subject parameters in the figure) according to the user identifier and the identifier of project A, and sends the request and the permission parameters to the MetaStore service through RAS-API.
The MetaStore service obtains the user's permissions in project A according to the permission parameters; obtains metadata matching the request from the metadata database of the data warehouse (the Hive metadata database in the figure); filters the metadata using the user's permissions in project A to obtain filtered metadata; obtains, from the data warehouse according to the filtered metadata, response data matching both the request and the user's permissions in project A; and sends the response data to the cloud server.
The cloud server sends the response data to the user terminal.
As shown in Fig. 2, the embodiment is described below with another specific example: the user terminal sends a request to the cloud server through the WEB interface. The request carries the user identifier and the identifier of project A (the target project); project A is the project the user selected from the three projects to which the user belongs (project A, project B and project C).
The cloud server receives the request, obtains the permission parameters (the permission subject parameters in the figure) according to the user identifier and the identifier of project A, and sends the request and the permission parameters to the Beeline service through RAS-API.
The Beeline service sends the request and the permission parameters to the HiveServer service.
The HiveServer service sends the request and the permission parameters to the MetaStore service.
Specifically, the Beeline service stores the permission parameters in the Session and sends only the request to the HiveServer service. When the HiveServer service runs the SQL, it obtains the permission parameters from the Session.
The MetaStore service obtains the user's permissions in project A according to the permission parameters; obtains metadata matching the request from the metadata database of the data warehouse (the Hive metadata database in the figure); filters the metadata using the user's permissions in project A to obtain filtered metadata; and sends the filtered metadata to the HiveServer service.
The HiveServer service obtains, from the data warehouse according to the filtered metadata, response data matching both the request and the user's permissions in project A, and sends the response data to the Beeline service.
The Beeline service sends the response data to the cloud server.
The cloud server sends the response data to the user terminal.
RAS-API service: a self-built API service that can call the MetaStore service or the HiveServer service directly, or call the HiveServer service through the Beeline service.
Beeline service: a service built into Hive that connects to the HiveServer service in order to access Hive remotely.
MetaStore service: a service built into Hive through which users can access metadata without needing to know the username and password of the relational database.
HiveServer service: a service built into Hive that allows users to connect to Hive remotely through a client.
Hive: a data warehouse built on HDFS and currently the most widely used data warehouse; it provides HiveSQL and is easy to use.
Role: a basic unit of HIVE permission subjects.
Group: a basic unit of HIVE permission subjects, identical to a group in the LINUX system.
It should be noted that the data warehouse provides the same functionality to every project.
在本发明实施例中,步骤S102可以包括:In this embodiment of the present invention, step S102 may include:
根据所述用户标识和所述目标项目的标识获取权限参数;Obtain permission parameters according to the user identifier and the identifier of the target project;
The user's permissions in the target project are obtained from the permission parameters.
It should be noted that the specific implementation of this embodiment is described in detail below and is not repeated here.
In this embodiment, the permission parameters give a fine-grained division of permissions, so that a user genuinely uses only the part of the data warehouse that corresponds to the project the user is working in.
In an embodiment of the present invention, obtaining the permission parameters from the user ID and the target project ID includes:
obtaining, from a pre-created first mapping and by the user ID and the target project ID, the ID of the user's role in the target project and the ID of the user's group in the target project;
generating a control instruction from the user ID;
the permission parameters consist of the ID of the user's role in the target project, the ID of the user's group in the target project, and the control instruction;
the first mapping records the correspondence between the user ID, the target project ID, the ID of the user's role in the target project, and the ID of the user's group in the target project.
In this embodiment, it should be noted that the permission parameters may additionally carry the user ID, which is used to verify that the role ID and the group ID obtained for the user in the target project actually exist.
The first mapping may be stored in the MetaStore service.
The user ID may be the user name, the target project ID may be the target project name, the ID of the user's role in the target project may be the name of that role, and the ID of the user's group in the target project may be the name of that group. Every role name and every group name is unique.
Generating the control instruction from the user ID includes: treating the user whose ID equals the given user ID as the target user; the control instruction sets the target user's user-privilege switch to false.
In this embodiment, the control instruction is generated from the user ID, and the IDs of the user's role and group in the target project are obtained from the user ID and the target project ID. The user's permissions in the target project are therefore determined by the role and the group in the target project and not by privileges granted directly to the user. A user's permissions are isolated per project, so the user genuinely uses only the part of the data warehouse corresponding to the project.
In an embodiment of the present invention, obtaining the user's permissions in the target project from the permission parameters includes:
cutting off, according to the control instruction, the direct relationship between the user and all privileges;
obtaining, from a pre-created second mapping and by the ID of the user's role in the target project and the ID of the user's group in the target project, the privileges that match that role ID and that group ID, and taking them as the user's permissions in the target project;
the second mapping records the correspondence between the ID of the user's role in the target project, the ID of the user's group in the target project, and the privileges.
In this embodiment, the second mapping may also be stored in the MetaStore service.
Once the direct relationship between the user and all privileges is cut off, the user's permissions in the target project no longer depend on privileges granted to the user directly. The user's permissions in the target project may include read and write permissions on the part of the data warehouse corresponding to the target project.
In this embodiment, the control instruction cuts off the direct relationship between the user and all privileges, and the privileges matching the user's role ID and group ID in the target project are obtained from those IDs. The user's permissions in the target project are thus tied to the role and the group in the target project rather than to the user itself; permissions are isolated per project, and the user genuinely uses only the part of the data warehouse corresponding to the project.
In an embodiment of the present invention, obtaining from the data warehouse the response data that matches both the request and the user's permissions in the target project includes:
obtaining, from the metadata database of the data warehouse, the metadata that matches the request;
filtering that metadata with the user's permissions in the target project to obtain filtered metadata;
obtaining, from the data warehouse and according to the filtered metadata, the response data that matches both the request and the user's permissions in the target project.
In this embodiment, the following concrete example illustrates filtering the metadata with the user's permissions in the target project. The metadata consists of metadata 1, metadata 2 and metadata 3. The user belongs to project 1, project 2 and project 3, and project 3 is the target project. The user's permissions in project 1 match metadata 1, those in project 2 match metadata 2, and those in project 3 match metadata 3. The filtered metadata therefore contains only metadata 3; metadata 1 and metadata 2 are filtered out.
In this embodiment, the metadata matching the request is filtered with the user's permissions in the target project, and the response data is obtained from the filtered metadata. That response data is not all the response data matching the request but only the part stored in the portion of the data warehouse corresponding to the target project, so the user genuinely uses only the part of the data warehouse corresponding to the project.
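The two mappings, the control instruction and the metadata filtering described above, as an added worked example. This is not code from the patent or from Apache Hive; it models the first mapping (user, project) to (role, group), the second mapping from role and group to privileges, the user-privilege switch, and the filtering of request metadata by the resolved privileges. All user, project, role, group, table and privilege names are constructed sample data, and the in-memory store stands in for the MetaStore service.

```python
"""Project-scoped privilege resolution and metadata filtering (added example;
not the patent's or Hive's own code). Names and sample grants are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Privilege = Tuple[str, str]  # (table name, action such as "SELECT" or "INSERT")


@dataclass
class PrivilegeStore:
    # First mapping, assumed to live in the MetaStore: (user, project) -> (role, group).
    first_mapping: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)
    # Second mapping: role -> privileges and group -> privileges.
    role_privs: Dict[str, Set[Privilege]] = field(default_factory=dict)
    group_privs: Dict[str, Set[Privilege]] = field(default_factory=dict)
    # Privileges granted directly to a user (what the control instruction switches off).
    user_privs: Dict[str, Set[Privilege]] = field(default_factory=dict)

    def permission_params(self, user: str, project: str) -> dict:
        """Step 1: derive the permission parameters from the user ID and project ID."""
        try:
            role, group = self.first_mapping[(user, project)]
        except KeyError:
            raise PermissionError(f"{user!r} has no role/group in project {project!r}") from None
        # The role and group named by the mapping must really exist (the verification step).
        if role not in self.role_privs or group not in self.group_privs:
            raise PermissionError(f"role {role!r} or group {group!r} does not exist")
        # The control instruction: the user's own privilege switch is set to false.
        return {"user": user, "role": role, "group": group, "user_privilege": False}

    def resolve(self, params: dict) -> Set[Privilege]:
        """Step 2: privileges = privilege(role) | privilege(group); direct user grants cut off."""
        privs = set(self.role_privs[params["role"]]) | set(self.group_privs[params["group"]])
        if params["user_privilege"]:
            # Prior-art behaviour, reachable only if the switch is left on.
            privs |= self.user_privs.get(params["user"], set())
        return privs


def filter_metadata(metadata: Set[str], privs: Set[Privilege], action: str = "SELECT") -> Set[str]:
    """Keep only the metadata entries (tables) the resolved privileges allow for `action`."""
    allowed = {table for table, act in privs if act == action}
    return {m for m in metadata if m in allowed}


def build_sample_store() -> PrivilegeStore:
    """Constructed data: user alice belongs to project1..project3; each project has one
    role and one group holding that project's table; alice also has old direct grants."""
    store = PrivilegeStore()
    for n in (1, 2, 3):
        project, role, group, table = f"project{n}", f"project{n}_role", f"project{n}_group", f"t{n}"
        store.first_mapping[("alice", project)] = (role, group)
        store.role_privs[role] = {(table, "SELECT")}
        store.group_privs[group] = {(table, "INSERT")}
    # Direct user grants from before the decoupling: they span every project.
    store.user_privs["alice"] = {("t1", "SELECT"), ("t2", "SELECT"), ("t3", "SELECT")}
    return store


def project_view(store: PrivilegeStore, user: str, project: str, requested: Set[str]) -> Set[str]:
    """Whole pipeline: the request matches `requested` tables; return those visible in `project`."""
    params = store.permission_params(user, project)
    return filter_metadata(requested, store.resolve(params))


if __name__ == "__main__":
    s = build_sample_store()
    print(sorted(project_view(s, "alice", "project3", {"t1", "t2", "t3"})))
```

With the switch left on (the prior-art path in `resolve`), the same request returns all three tables, which is exactly the cross-project leak the filtering is meant to remove.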
In an embodiment of the present invention, before the request sent by the user terminal is received, the method includes:
for each of at least one project, creating the correspondence between the project owner's ID and the ID of the owner's role in the project; and creating, through the project owner, the correspondence between the ID of a project tenant and the ID of the tenant's role in the project. The user is either the owner of the project or a tenant of the project.
In this embodiment, it should be understood that a project may have several roles but only one group. The group is created by the program from the project; the project owner cannot create the group. A tenant's roles in the project may include all roles of the project, and which roles a tenant holds may be determined by the agreement between the project owner and the tenant.
Both the project owner and the project tenants may use, through the project, the part of the data warehouse corresponding to the project.
The project owner is recorded in the metadata database of the data warehouse as the owner of the role; only the project owner may grant the role or perform similar authorization operations on it.
In this embodiment, the correspondence between a tenant's ID and the ID of the tenant's role in the project is created by the project owner rather than by an administrator. This reduces the cases in which someone who is not a tenant of the project gains access, through the administrator, to the part of the data warehouse corresponding to the project, and so improves the security of the data warehouse.
In an embodiment of the present invention, before the request sent by the user terminal is received, the method includes:
prohibiting the user from performing authorization operations on groups.
It should be noted that the specific implementation of this embodiment is described in detail below and is not repeated here.
In this embodiment, prohibiting the user from granting privileges to groups reduces the problem that changes to groups in the Linux system leave a user unable to use, through the project, the part of the data warehouse corresponding to the project, and improves the security of the data warehouse.
The idea behind the embodiments of the present invention is explained below against the prior art.
In the prior art, response data is obtained according to the user's permissions in every project the user belongs to. As shown in FIG. 3, whichever project space a user is working in, the user can access data in any other project space the user has permissions on; the parts of the data warehouse corresponding to the individual projects are not isolated from one another.
Hive privileges are made up of user privileges, role privileges and group privileges. The Hive privilege subjects (principals) therefore have to be reworked so that Hive privileges can be decoupled.
As shown in FIG. 4, in the prior art the Hive privilege model takes the user (USER) as its basic unit. A user's permissions on the data warehouse are the union of the privileges of all groups the user belongs to, the privileges of all roles the user belongs to, and the user's own privileges. The rule is:
privilege = privilege(group(user)) ∪ privilege(role(user)) ∪ privilege(user)
As the number of roles and groups a user belongs to keeps growing, validating permissions against this maximal union becomes a security weakness.
As shown in FIG. 5, in the present invention the user-group and user-role relationships remain strong relationships, while the relationship between the privilege subjects (user, group, role) and the privileges is changed from a strong one to a weak one: the user can select specific groups and roles and exclude the user's own privileges, so permissions are divided more finely.
A user who accesses the data warehouse through the Beeline service must pass the privilege-subject parameters to the Beeline service.
Specifically, -n remains the user name; the other privilege subjects (groups and roles) and the privilege-subject switch are reconstructed as shown in the following table:
Table 1
Assume user U belongs to groups G1 and G2 and holds roles R1 and R2.
Example 1: using Hive's default privilege rules, the connection is:
beeline -u "jdbc:hive2://*.*.*.*:*/default" -n U
The user's permissions on the data warehouse are:
privilege = privilege(G1) ∪ privilege(G2) ∪ privilege(R1) ∪ privilege(R2) ∪ privilege(U)
Example 2: using group G1 and role R2 while switching off the user's own privileges, the connection is:
beeline -u "jdbc:hive2://*.*.*.*:*/default?user.group=G1;user.role=R2;user.privilege=false;" -n U
The user's permissions on the data warehouse are:
privilege = privilege(G1) ∪ privilege(R2)
Example 3: the privilege-subject parameters can also be set by hand, as follows.
Use roles R1 and R2:
set user.role=R1,R2;
Switch off the user's own privileges:
set user.privilege=false;
Hive obtains privileges through the get_privilege_set method, and without further change it would still take the maximal union as the user's permissions on the data warehouse. The privilege-subject parameters are therefore passed into get_privilege_set as an input so that the privileges are filtered.
The specific process by which Hive obtains the privileges:
1. When the Beeline service is started, the privilege-subject parameters are passed in; if an illegal parameter is passed, an error is reported, otherwise the service starts normally.
2. After the Beeline service has started, the privilege-subject parameters can also be set with the set command; if the set value is illegal, the setting fails, otherwise it succeeds.
3. The privilege-subject parameters are passed into the get_privilege_set method.
As shown in FIG. 6: the privilege-subject parameters are set or specified; they are verified to check that the subjects they name really exist; and the request is then processed as in the other concrete example shown in FIG. 2.
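The parameter handling of Examples 1 to 3 and the three-step process above, as an added worked example. It is not Hive's or the patent's own code: it parses user.group, user.role and user.privilege from the query part of a hive2 JDBC URL or from set statements, rejects values that are malformed or name a group or role the connecting user does not hold, and computes the privilege set both ways, the prior-art maximal union and the filtered union over the selected subjects. One check goes slightly beyond the text: a misspelled subject key (for example user.privlege) is rejected rather than ignored, because an ignored switch would silently leave the user's own grants active. The membership and grant tables, the host and port, and the table names are constructed sample data; the parameter names follow the description, not any real Hive option.

```python
"""Beeline-style privilege-subject parameters and a filtered get_privilege_set
(added example; not Hive's or the patent's code). Sample data is constructed."""
import re
from typing import Dict, List, Optional, Sequence, Set

# Constructed: user U belongs to groups G1, G2 and roles R1, R2 (Hive would read this from the MetaStore).
USER_GROUPS: Dict[str, Set[str]] = {"U": {"G1", "G2"}}
USER_ROLES: Dict[str, Set[str]] = {"U": {"R1", "R2"}}
PRIVS: Dict[str, Set[str]] = {
    "G1": {"db.t_g1:SELECT"},
    "G2": {"db.t_g2:SELECT"},
    "R1": {"db.t_r1:SELECT"},
    "R2": {"db.t_r2:SELECT", "db.t_r2:INSERT"},
    "U": {"db.t_u:SELECT"},
}
SUBJECT_KEYS = ("user.group", "user.role", "user.privilege")  # names from the description


class IllegalSubjectParameter(ValueError):
    """A parameter is malformed, misspelled, or names a subject the user does not hold."""


def parse_jdbc_params(url: str) -> Dict[str, str]:
    """Extract `key=value;` session variables from the query part of a hive2 JDBC URL."""
    query = url.split("?", 1)[1] if "?" in url else ""
    params: Dict[str, str] = {}
    for item in filter(None, (s.strip() for s in query.split(";"))):
        if "=" not in item:
            raise IllegalSubjectParameter(f"malformed parameter {item!r}")
        key, value = item.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def parse_set_statement(stmt: str) -> Dict[str, str]:
    """Parse a `set user.role=R1,R2;` statement issued after the connection is up."""
    m = re.fullmatch(r"\s*set\s+([\w.]+)\s*=\s*([^;]*);?\s*", stmt, re.IGNORECASE)
    if not m:
        raise IllegalSubjectParameter(f"not a set statement: {stmt!r}")
    return {m.group(1): m.group(2).strip()}


def _names(value: str) -> List[str]:
    return [n for n in (s.strip() for s in value.split(",")) if n]


def validate_subjects(user: str, params: Dict[str, str]) -> Dict[str, object]:
    """Verification step: every named group/role must really belong to the user, and any
    user.* key must be a known subject key. An absent key falls back to Hive's default
    (all of the user's groups/roles, user privileges on)."""
    unknown_keys = [k for k in params if k.startswith("user.") and k not in SUBJECT_KEYS]
    if unknown_keys:
        raise IllegalSubjectParameter(f"unknown subject parameter(s) {unknown_keys}")
    held_groups, held_roles = USER_GROUPS.get(user, set()), USER_ROLES.get(user, set())
    groups = _names(params["user.group"]) if "user.group" in params else sorted(held_groups)
    roles = _names(params["user.role"]) if "user.role" in params else sorted(held_roles)
    not_held = [g for g in groups if g not in held_groups] + [r for r in roles if r not in held_roles]
    if not_held:
        raise IllegalSubjectParameter(f"{user!r} does not hold {not_held}")
    switch = params.get("user.privilege", "true").lower()
    if switch not in ("true", "false"):
        raise IllegalSubjectParameter(f"user.privilege must be true or false, got {switch!r}")
    return {"groups": groups, "roles": roles, "user_privilege": switch == "true"}


def get_privilege_set(user: str, subjects: Optional[Dict[str, object]] = None) -> Set[str]:
    """subjects=None reproduces the prior art (maximal union over everything the user holds);
    otherwise only the selected groups/roles count, plus the user's own grants if the switch is on."""
    if subjects is None:
        subjects = validate_subjects(user, {})
    result: Set[str] = set()
    for name in list(subjects["groups"]) + list(subjects["roles"]):
        result |= PRIVS.get(name, set())
    if subjects["user_privilege"]:
        result |= PRIVS.get(user, set())
    return result


def privileges_for_connection(user: str, url: str, set_statements: Sequence[str] = ()) -> Set[str]:
    """URL parameters first, overridden by later `set` statements, then the filtered lookup."""
    params = parse_jdbc_params(url)
    for stmt in set_statements:
        params.update(parse_set_statement(stmt))
    return get_privilege_set(user, validate_subjects(user, params))
```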
After the above rework of Hive privileges, permissions can be controlled according to different privilege subjects. Consider next the permission requirements of a multi-tenant scenario, shown in FIG. 7: a tenant who has permission on a project can access the data stored in the part of the data warehouse corresponding to that project, and the data stored in the parts of the data warehouse belonging to different projects must be isolated from one another.
Project permissions are decoupled from user privileges: the project's permissions are given to the role in the project and to the group in the project, and user privileges are switched off at the same time. Using the data warehouse in this way isolates the data. As shown in FIG. 8, a tenant can access the projects the tenant has permission on; permission checks use the privileges of the group in the project and of the role in the project; the data is isolated, and the user genuinely uses only the part of the data warehouse corresponding to the project.
After the decoupling, a user who uses the data warehouse through a project must specify a role name and a group name, so a project is associated with a group and with roles. When a project is created, its group and its roles are created automatically.
A project privilege-subject table is built to store the mapping between projects and privilege subjects, as follows:
Table 2
Once the project's roles and group have been created, grants must be performed so that the project's roles and group hold the permissions on the data warehouse:
all permissions are granted to the project's roles and the project's group;
the project creator, that is the project owner, is placed in the project's group.
After this process the project's roles and group hold the project's permissions.
To isolate the data, when a user uses the data warehouse through a project the user's own privileges must be switched off, and the role and group must be specified for the permission check. The changes are as follows.
MetaStore service:
the user's role in the project and the user's group in the project are obtained from the project privilege-subject table; the privilege-subject parameters consist of the user name, the name of that role, the name of that group and the user-privilege switch set to false; these parameters are passed to the MetaStore service.
Beeline service:
the user's role in the project and the user's group in the project are obtained from the project privilege-subject table; the privilege-subject parameters consist of the user name, the name of that role, the name of that group and the user-privilege switch set to false; these parameters are passed to the Beeline service.
After this process the user genuinely uses only the part of the data warehouse corresponding to the project.
For a tenant to use the data warehouse through a project, authorization operations are required: the project owner grants the project's role to the tenant, and the project owner calls the interface that places the tenant in the project's group.
If the project owner wants to stop a tenant from using, through the project, the part of the data warehouse corresponding to the project, authorization operations are likewise required: the project owner revokes the project's role from the tenant, and the project owner calls the interface that removes the tenant from the project's group.
Once authorized, a project's tenants can also use, through the project, the part of the data warehouse corresponding to the project, and permissions remain isolated between projects.
As shown in FIG. 9, in the prior art the project owner can grant the project's permissions to a role, but the role has no real owner: it is shared by the administrator, who can give the permissions attached to the role to someone who is not a tenant of the project. Non-tenants can thus use the part of the data warehouse corresponding to the project, and the data warehouse is not very secure.
As shown in FIG. 10, in the present invention the project's roles are created by the project owner, only the project owner can perform authorization operations on them, and the administrator cannot, which improves security.
Roles can be created through the MetaStore service or the Beeline service.
In the MetaStore service, the create_role method creates the correspondence between the project owner's ID and the ID of the owner's role in the project. When an instruction arrives, the service checks whether its issuer is the project owner; if so, the grant_role method creates, according to the instruction (which carries the tenant's ID and the role in the project), the correspondence between the tenant's ID and the ID of the tenant's role in the project; if not, an error is reported.
In the Beeline service, the roleDDL method of the DDLTask code is modified so that the adminGrantor parameter is changed from empty to the project owner's ID, creating the correspondence between the project owner's ID and the ID of the owner's role in the project. The service checks whether the issuer of an instruction is the project owner; if so, it creates, according to the instruction (which carries the tenant's ID and the role in the project), the correspondence between the tenant's ID and the ID of the tenant's role in the project; if not, an error is reported.
A data warehouse group is the same concept as a group in the Linux system. A user has no permission to edit Linux groups, but a user can grant privileges to a data warehouse group through SQL. A project tenant cannot put itself into another project's group, but a project owner can grant privileges to a group of another project, which is a security hole. To close it, the following is done.
MetaStore service:
when the MetaStore service is called to perform a grant, an error is reported outright if the grantee is a group; if the grantee is a user or a role, the grant proceeds normally.
Beeline service:
when a user performs a grant by executing SQL through the Beeline service, the grantOrRevokePrivileges method of the DDLTask code is modified to examine the grantee's type: if the grantee is a group, an error is reported outright; if the grantee is a user or a role, the grant proceeds normally.
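The project set-up, the owner-only role grants and the ban on group grants described above, as one added worked example. It is not the patent's or Hive's own code: creating a project also creates its single group and role (by the program, not the owner) and grants the project's privileges to both; the project owner is recorded as the role's owner, standing in for the adminGrantor; grant_role and revoke_role succeed only when the caller is that owner, so an administrator is refused; and the grant path refuses any GROUP grantee, so an owner cannot hand the project's data to another project's group. The in-memory class stands in for the MetaStore service, and project, user and table names are constructed sample data.

```python
"""Owner-only role grants and refusal of group grantees (added example; not the
patent's or Hive's code). Names are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Principal = Tuple[str, str]   # (principal type USER/ROLE/GROUP, name)
Privilege = Tuple[str, str]   # (table, action)


class AuthorizationError(Exception):
    """Raised where the description says an error is reported."""


@dataclass
class Project:
    name: str
    owner: str
    role: str
    group: str


@dataclass
class MetaStore:
    projects: Dict[str, Project] = field(default_factory=dict)
    role_owner: Dict[str, str] = field(default_factory=dict)          # role -> owner (adminGrantor)
    role_members: Dict[str, Set[str]] = field(default_factory=dict)   # role -> users holding it
    group_members: Dict[str, Set[str]] = field(default_factory=dict)  # group -> users in it
    grants: Dict[Principal, Set[Privilege]] = field(default_factory=dict)

    def create_project(self, name: str, owner: str, tables: List[str]) -> Project:
        """Project privilege-subject table: one project -> exactly one role and one group."""
        role, group = f"{name}_role", f"{name}_group"
        project = Project(name, owner, role, group)
        self.projects[name] = project
        self.role_owner[role] = owner          # create_role: owner stored as the role's owner
        self.role_members[role] = {owner}      # owner <-> owner's role in the project
        self.group_members[group] = {owner}    # group created by the program; owner placed in it
        # All project privileges go to the role and the group, never to a user.
        for table in tables:
            for principal in (("ROLE", role), ("GROUP", group)):
                self.grants.setdefault(principal, set()).update({(table, "SELECT"), (table, "INSERT")})
        return project

    def _check_owner(self, caller: str, role: str) -> Project:
        if self.role_owner.get(role) != caller:
            raise AuthorizationError(f"{caller!r} is not the owner of role {role!r}")
        return next(p for p in self.projects.values() if p.role == role)

    def grant_role(self, caller: str, role: str, tenant: str) -> None:
        """grant_role: only the owner may map a tenant to the project's role and group."""
        project = self._check_owner(caller, role)
        self.role_members[role].add(tenant)
        self.group_members[project.group].add(tenant)

    def revoke_role(self, caller: str, role: str, tenant: str) -> None:
        """The reverse operation, also owner-only."""
        project = self._check_owner(caller, role)
        self.role_members[role].discard(tenant)
        self.group_members[project.group].discard(tenant)

    def grant_privilege(self, caller: str, principal_type: str, principal: str,
                        table: str, action: str) -> None:
        """SQL GRANT path (grantOrRevokePrivileges): a GROUP grantee is refused outright;
        a ROLE grantee requires the role's owner; a USER grantee proceeds normally."""
        ptype = principal_type.upper()
        if ptype == "GROUP":
            raise AuthorizationError("granting privileges to a group is not allowed")
        if ptype == "ROLE":
            self._check_owner(caller, principal)
        self.grants.setdefault((ptype, principal), set()).add((table, action))

    def can_access(self, user: str, project_name: str, table: str, action: str) -> bool:
        """Project-scoped check: the user must hold the project's role and be in its group,
        and the privilege must come from the role or the group (user grants are cut off)."""
        project = self.projects[project_name]
        if user not in self.role_members[project.role] or user not in self.group_members[project.group]:
            return False
        privs = self.grants.get(("ROLE", project.role), set()) | self.grants.get(("GROUP", project.group), set())
        return (table, action) in privs
```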
To solve the problems of the prior art, an embodiment of the present invention provides an apparatus for processing a request. As shown in FIG. 11, the apparatus includes:
a receiving unit 1101, configured to receive a request sent by a user terminal, the request carrying the user ID and the ID of a target project, the target project being any project the user selects from at least one project the user belongs to;
a first processing unit 1102, configured to determine the user's permissions in the target project from the user ID and the target project ID;
a second processing unit 1103, configured to obtain from the data warehouse the response data matching both the request and the user's permissions in the target project, and to return it to the user terminal.
In an embodiment of the present invention, the first processing unit 1102 is configured to:
obtain the permission parameters from the user ID and the target project ID;
obtain the user's permissions in the target project from the permission parameters.
In an embodiment of the present invention, the first processing unit 1102 is configured to:
obtain, from a pre-created first mapping and by the user ID and the target project ID, the ID of the user's role in the target project and the ID of the user's group in the target project;
generate a control instruction from the user ID;
the permission parameters consist of the ID of the user's role in the target project, the ID of the user's group in the target project, and the control instruction;
the first mapping records the correspondence between the user ID, the target project ID, the ID of the user's role in the target project, and the ID of the user's group in the target project.
In an embodiment of the present invention, the first processing unit 1102 is configured to:
cut off, according to the control instruction, the direct relationship between the user and all privileges;
obtain, from a pre-created second mapping and by the ID of the user's role in the target project and the ID of the user's group in the target project, the privileges that match that role ID and that group ID, and take them as the user's permissions in the target project;
the second mapping records the correspondence between the ID of the user's role in the target project, the ID of the user's group in the target project, and the privileges.
In an embodiment of the present invention, the second processing unit 1103 is configured to:
obtain, from the metadata database of the data warehouse, the metadata that matches the request;
filter that metadata with the user's permissions in the target project to obtain filtered metadata;
obtain, from the data warehouse and according to the filtered metadata, the response data that matches both the request and the user's permissions in the target project.
In an embodiment of the present invention, the first processing unit 1102 is configured to:
before the request sent by the user terminal is received, for each of at least one project, create the correspondence between the project owner's ID and the ID of the owner's role in the project, and create, through the project owner, the correspondence between the ID of a project tenant and the ID of the tenant's role in the project; the user is either the owner of the project or a tenant of the project.
In an embodiment of the present invention, the first processing unit 1102 is configured to:
before the request sent by the user terminal is received, prohibit the user from performing authorization operations on groups.
It should be understood that the functions performed by the components of the apparatus for processing a request provided by the embodiment of the present invention have been described in detail in the method for processing a request of the above embodiment and are not repeated here.
FIG. 12 shows an exemplary system architecture 1200 to which the method or apparatus for processing a request of the embodiments of the present invention can be applied.
As shown in FIG. 12, the system architecture 1200 may include terminal devices 1201, 1202, 1203, a network 1204 and a server 1205. The network 1204 is the medium providing communication links between the terminal devices 1201, 1202, 1203 and the server 1205, and may include various connection types such as wired or wireless communication links or fibre-optic cables.
A user may use the terminal devices 1201, 1202, 1203 to interact with the server 1205 over the network 1204, for example to receive or send messages. Various communication client applications may be installed on the terminal devices 1201, 1202, 1203, such as shopping applications, web browsers, search applications, instant messaging tools, e-mail clients and social platform software (examples only).
The terminal devices 1201, 1202, 1203 may be various electronic devices that have a display screen and support web browsing, including but not limited to smartphones, tablets, laptop computers and desktop computers.
The server 1205 may be a server providing various services, for example a back-end management server (example only) supporting a shopping website browsed by users on the terminal devices 1201, 1202, 1203. The back-end management server may analyse and otherwise process received data such as product information queries and feed the results (for example target push information or product information, examples only) back to the terminal devices.
It should be noted that the method for processing a request provided by the embodiments of the present invention is generally executed by the server 1205, and accordingly the apparatus for processing a request is generally located in the server 1205.
It should be understood that the numbers of terminal devices, networks and servers in FIG. 12 are merely illustrative; there may be any number of terminal devices, networks and servers as the implementation requires.
Reference is now made to FIG. 13, which shows a schematic structural diagram of a computer system 1300 suitable for implementing a terminal device of the embodiments of the present invention. The terminal device shown in FIG. 13 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in FIG. 13, the computer system 1300 includes a central processing unit (CPU) 1301, which can perform various appropriate actions and processing according to a program stored in a read-only memory (ROM) 1302 or a program loaded from a storage section 1308 into a random access memory (RAM) 1303. The RAM 1303 also stores the various programs and data required for the operation of the system 1300. The CPU 1301, the ROM 1302 and the RAM 1303 are connected to one another by a bus 1304. An input/output (I/O) interface 1305 is also connected to the bus 1304.
The following components are connected to the I/O interface 1305: an input section 1306 including a keyboard, a mouse and the like; an output section 1307 including a cathode ray tube (CRT), a liquid crystal display (LCD), a speaker and the like; a storage section 1308 including a hard disk and the like; and a communication section 1309 including a network interface card such as a LAN card or a modem. The communication section 1309 performs communication processing over a network such as the Internet. A drive 1310 is also connected to the I/O interface 1305 as required. A removable medium 1311, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 1310 as required so that a computer program read from it can be installed into the storage section 1308 as needed.
In particular, according to the disclosed embodiments of the present invention, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, the disclosed embodiments include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for executing the method shown in the flowchart. In such an embodiment the computer program may be downloaded and installed from a network through the communication section 1309 and/or installed from the removable medium 1311. When the computer program is executed by the central processing unit (CPU) 1301, the above functions defined in the system of the present invention are performed.
It should be noted that the computer-readable medium shown in the present invention may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by, or in connection with, an instruction execution system, apparatus or device. In the present invention, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take a variety of forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the foregoing. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device. Program code contained on a computer-readable medium may be transmitted using any suitable medium, including but not limited to wireless, wireline, optical cable, RF, or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a unit, a program segment, or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially in parallel, or may sometimes be executed in the reverse order, depending on the functionality involved. It is also noted that each block of the block diagrams or flowcharts, and combinations of blocks in the block diagrams or flowcharts, can be implemented by a special-purpose hardware-based system that performs the specified functions or operations, or by a combination of special-purpose hardware and computer instructions.
The units involved in the embodiments of the present invention may be implemented in software or in hardware. The described units may also be provided in a processor; for example, a processor may be described as including a receiving unit, a first processing unit and a second processing unit. The names of these units do not, in some cases, limit the units themselves; for example, the first processing unit may also be described as "a unit for determining the user's permission in the target project according to the user identifier and the identifier of the target project".
As another aspect, the present invention also provides a computer-readable medium, which may be included in the device described in the above embodiments, or may exist separately without being assembled into that device. The computer-readable medium carries one or more programs which, when executed by the device, cause the device to: receive a request sent by a user terminal, the request carrying the user identifier and the identifier of a target project, the target project being any project selected by the user from the at least one project to which the user belongs; determine the user's permission in the target project according to the user identifier and the identifier of the target project; and obtain, from a data warehouse, response data matching both the request and the user's permission in the target project, and return it to the user terminal.
According to the technical solution of the embodiments of the present invention, the user's permission in the target project is determined from the user identifier and the target project identifier carried in the request, and response data matching both the request and the user's permission in the target project is returned to the user terminal. Because the response data matches the user's permission in the target project, the user can, through the target project, use only the part of the data warehouse corresponding to the target project and cannot use the parts corresponding to other projects, where "other projects" means the projects other than the target project among the at least two projects to which the user belongs. This genuinely lets the user use, per project, the part of the data warehouse corresponding to that project.
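The request-handling method above, as an added example that is not the patent's own code: the handler derives the user's permission from the (user identifier, target project identifier) pair, refuses projects the user does not belong to, and filters the warehouse rows to the target project before applying the permission level. The user/project mapping, the in-memory warehouse, the "admin"/"viewer" levels and the "restricted" flag are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (assumption): the projects each user belongs to
# and the permission level the user holds in each of them.
USER_PROJECTS = {
    "alice": {"proj_a": "admin", "proj_b": "viewer"},
    "bob": {"proj_b": "viewer"},
}

# Constructed warehouse rows; each is tagged with its owning project and a
# "restricted" flag that only an "admin" of that project may see.
WAREHOUSE = [
    {"project": "proj_a", "table": "orders", "row_id": 1, "restricted": False},
    {"project": "proj_a", "table": "orders", "row_id": 2, "restricted": True},
    {"project": "proj_b", "table": "orders", "row_id": 3, "restricted": False},
    {"project": "proj_b", "table": "orders", "row_id": 4, "restricted": True},
]


@dataclass(frozen=True)
class Request:
    user_id: str
    project_id: str  # the target project the user selected
    table: str


class AuthorizationError(Exception):
    pass


def permission_in_project(user_id: str, project_id: str) -> str:
    """Derive the user's permission from (user id, target project id)."""
    projects = USER_PROJECTS.get(user_id, {})
    # The target project must be one the user belongs to; refuse rather
    # than fall back to a default permission.
    if project_id not in projects:
        raise AuthorizationError(f"{user_id!r} is not a member of {project_id!r}")
    return projects[project_id]


def handle_request(req: Request) -> list[dict]:
    """Return only warehouse rows matching both the request and the permission."""
    perm = permission_in_project(req.user_id, req.project_id)
    return [
        row for row in WAREHOUSE
        if row["project"] == req.project_id  # rows of other projects never leak
        and row["table"] == req.table
        and (perm == "admin" or not row["restricted"])  # viewers: unrestricted only
    ]
```

The project filter is applied from the verified membership on the server side, so a caller cannot widen it by naming a project it does not belong to.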
The specific embodiments described above do not limit the scope of protection of the present invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations and substitutions may be made depending on design requirements and other factors. Any modifications, equivalent replacements and improvements made within the spirit and principle of the present invention shall fall within the scope of protection of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911176643.0A CN111797424A (en) | 2019-11-26 | 2019-11-26 | Method and device for processing request |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111797424A true CN111797424A (en) | 2020-10-20 |
Family
ID=72805584
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20201020 |