CN112100675B - Zero-trust data storage access method and system - Google Patents


Info

Publication number
CN112100675B
Authority
CN
China
Prior art keywords
access
client
authorization
gateway server
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011220319.7A
Other languages
Chinese (zh)
Other versions
CN112100675A (en)
Inventor
赵熙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Ecloud Technology Co ltd
Original Assignee
Nanjing Ecloud Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Ecloud Technology Co ltd
Priority to CN202011220319.7A
Publication of CN112100675A
Application granted
Publication of CN112100675B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a zero-trust data storage access method and a zero-trust data storage access system, and relates to the technical field of data processing. The method comprises the following steps: the client initiates an online request for authorization authentication to an authorization server; on receiving the online request, the authorization server performs authorization authentication on it; after the authentication succeeds, the authorization server generates corresponding authorization information and sends an access policy to the client, so that the client sends an access message to the gateway server according to the access policy; and the gateway server receives the authorization information and performs access management on the access message according to it. Through the security design of the zero-trust storage scheme, the method goes beyond conventional storage protection measures and allows access to all types of data storage, including but not limited to block storage, file storage and object storage.

Description

Zero-trust data storage access method and system
Technical Field
The invention relates to the technical field of data processing, in particular to a zero-trust data storage access method and a zero-trust data storage access system.
Background
With the development of network security, the zero-trust network architecture concept promoted in recent years by large foreign enterprises, and the establishment of general protocols around it, have provided a new perspective on cloud boundary access security. Given the trend for large numbers of enterprise services to move to the public cloud, with the advantages of centralized management, relatively low cost, elastic deployment and easy scaling, the core concern for an enterprise becomes the security of its own business after moving to the cloud. That security is mainly access security and data security. The zero-trust model offers a very good concept for access security, but protection of data security has so far been very limited: whether by encryption or any other form of data protection, once a third party obtains access permission, obtaining the data is as easy as taking an object out of a bag, and the security of data access cannot be guaranteed.
Disclosure of Invention
The invention aims to provide a zero-trust data storage access method and a zero-trust data storage access system, which are used for solving the problem that the safety of data access cannot be ensured in the prior art.
In a first aspect, an embodiment of the present application provides a zero-trust data storage access method, where the method includes: the client side initiates an online request authorization authentication to an authorization server; after receiving the online request authorization authentication, the authorization server performs authorization authentication on the online request authorization authentication; after the authorization authentication is successful, the authorization server generates corresponding authorization information and sends an access strategy to the client; the client sends an access message to the gateway server according to the access strategy; and the gateway server receives the authorization information and performs access management on the access message according to the authorization information.
In this implementation, the client first initiates an online request for authorization authentication to the authorization server; after the authorization server authenticates the request, it generates the corresponding authorization information and sends an access policy to the client, so that the client can send an access message to the gateway server according to the access policy. After receiving the authorization information, the gateway server performs access management on the access message. Through the security design of the zero-trust storage scheme, the method goes beyond conventional storage protection measures and allows access to all types of data storage, including but not limited to block storage, file storage and object storage.
In some embodiments of the present invention, after the gateway server receives the authorization information and performs access management on the access packet according to the authorization information, the method further includes: after the gateway server passes the access message, the client sends the access operation on the internal data to the metadata management program service cluster; and the metadata management program service cluster sends the metadata to the client according to the access operation.
In this implementation, the metadata manager service cluster is the center for centralized, unified management of the visible resource directories, files and the like on all storage systems; every client operation on internal data must go through the metadata manager service cluster to obtain metadata, the metadata being the descriptive information about the data, such as files.
In some embodiments of the present invention, the message service cluster is configured to provide a data interaction function, and the step of sending, by the client, the access packet to the gateway server according to the access policy includes: after receiving the authorization information, the message service cluster allocates a port mapping relation of a gateway server to the client; and the client sends an access message to the gateway server according to the port mapping relation.
In some embodiments of the present invention, the gateway server receives the authorization information, and performs access management on the access packet according to the authorization information, including: the gateway server acquires a release address mapping relation from the message service cluster according to the authorization information; and the gateway server performs access management on the IP address and the port through the XDP module according to the released address mapping relation.
In some embodiments of the present invention, before the step of receiving, by the gateway server, the authorization information and performing access management on the access packet according to the authorization information, the method further includes: the client side starts a local network address conversion module; before the client sends the access message to the gateway server, the network address conversion module maps the access message to an internal storage server; the internal storage server acquires a resource authority control table from the message service cluster; after the client acquires the authority control table, analyzing the authority control table to acquire resource operation authority; and the client side changes the access message according to the resource operation authority.
In this implementation, once these operations have been performed on first access, the client can securely access internal storage resources as if they were local files.
In a second aspect, an embodiment of the present application provides a zero-trust data storage access system, where the system includes: the system comprises a client, an authorization server and a gateway server; the client is used for initiating an online request authorization authentication to the authorization server; the authorization server is used for carrying out authorization authentication on the online request after receiving the online request authorization authentication; the authorization server is also used for generating corresponding authorization information after the authorization authentication is successful and sending an access strategy to the client; the client is used for sending an access message to the gateway server according to the access strategy; and the gateway server is used for receiving the authorization information and carrying out access management on the access message according to the authorization information.
In some embodiments of the invention, the system further comprises: a metadata manager service cluster; the client is used for sending the access operation on the internal data to the metadata management program service cluster after the gateway server passes the access message; and the metadata management program service cluster is used for sending the metadata to the client according to the access operation.
In some embodiments of the invention, the system further comprises: a message service cluster; the message service cluster is used for distributing the port mapping relation of the gateway server to the client after receiving the authorization information; and the client is used for sending the access message to the gateway server according to the port mapping relation.
In some embodiments of the invention, the gateway server comprises an XDP module; the gateway server is used for acquiring a release address mapping relation from the message service cluster according to the authorization information; and the gateway server is also used for carrying out access management on the IP address and the port through the XDP module according to the released address mapping relation.
In some embodiments of the invention, the client comprises a local network address translation module, the system further comprises an internal storage server: the client is used for starting a local network address translation module; the network address conversion module is used for mapping the access message to the internal storage server before the client sends the access message to the gateway server; the internal storage server is used for acquiring a resource authority control table from the message service cluster; the client is used for analyzing the authority control table to obtain the resource operation authority after obtaining the authority control table; and the client is used for changing the access message according to the resource operation authority.
In a third aspect, an embodiment of the present application provides an electronic device comprising a memory for storing one or more programs and a processor; when the one or more programs are executed by the processor, they implement the method of any of the first aspects described above.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the method according to any one of the first aspect described above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a flow chart of a zero trust data store access method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a zero trust data store access system according to an embodiment of the present invention;
fig. 3 is a block diagram of an electronic device according to an embodiment of the present invention.
Icon: 100-zero trust data store access system, 110-client, 120-authorization server, 130-gateway server, 140-metadata manager service cluster, 150-message service cluster, 101-memory, 102-processor, 103-communication interface.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the individual features of the embodiments can be combined with one another without conflict.
The application provides a zero-trust data storage access method in order to protect the large volume of data stored in the cloud after enterprise services move there (and not only data in cloud storage), to achieve stricter and finer-grained resource access control that is transparent to user access, and to strongly guarantee security control, version control and data sharing of the data.
The method is built on service modules implemented over a microkernel and a distributed cluster. The microkernel offers very safe and efficient scheduling, limited exposure of system addresses and an extremely low threat to system security. Because the microkernel framework does not store actual disk data, the security of system permission data is genuinely guaranteed, and traditional attacks are hard to adapt to the microkernel.
The hardware environment in which the zero-trust data storage access method provided by the application can run includes devices running the seL4 system, devices running CentOS, and so on. The system environment in which the method can run includes authorization servers, metadata manager service clusters, gateway servers, internal storage servers, message service clusters, and the like.
Because the seL4 system always strictly satisfies the rules of kernel behaviour at the last abstraction layer, it will not crash or execute unsafe operations under any circumstances. On this microkernel a distributed framework service system is built, including the authorization server, the metadata manager service cluster and so on. The seL4-based internal network is interconnected through switching or routing devices, and its distributed consistency protocol adopts a dynamically downgradeable policy to cope with different deployment forms, so that the authorization server and the metadata manager service cluster can be flexibly deployed on the public network. When the distributed system is initialized, a strong consistency guarantee mechanism is adopted: strong consistency requires all nodes in the system to confirm and keep the data state consistent, whereas weak consistency requires more than half of the nodes to confirm and keep the data state consistent. When the system's consistency negotiation service discovers that some nodes are abnormal, the consistency policy is adjusted to weak consistency.
Referring to fig. 1, fig. 1 is a flowchart of a zero-trust data storage access method according to an embodiment of the present invention. The zero trust data storage access method comprises the following steps:
step S110: the client side sends an online request authorization authentication to the authorization server.
When the client sends an online request for authorization authentication, the address of the authorization server can be obtained through domain name resolution.
Step S120: and after receiving the online request authorization authentication, the authorization server performs authorization authentication on the online request authorization authentication.
Step S130: and after the authorization authentication is successful, the authorization server generates corresponding authorization information and sends an access strategy to the client.
After the authorization authentication succeeds, the authorization server generates the corresponding authorization information, which may include an authorization validity period, an authorization code, an authorization address, a port, and so on. The authorization validity period ensures that the online request authorization authentication is valid only within that period; once it expires, authentication must be performed again. This guarantees the security of zero-trust data storage access to a certain extent and prevents a client whose online request was once authenticated from continuing to access data illegitimately through that client afterwards. The form of the authorization code included in the authorization information provides further security.
The access policy may be the external address and port to which the storage server accessed by the client is actually mapped, together with a permission table for accessing the storage resource, so that the client can send the access message to the gateway server according to the access policy.
Step S140: and the client sends an access message to the gateway server according to the access strategy.
The gateway server can realize Network Address Translation (NAT) mapping between the internal Network and the external Network, provide management and control of internal Network port mapping and safety defense functions of the external Network, realize isolation of a Network layer and improve safety of data access.
In some embodiments of the present invention, the message service cluster is used for providing data interaction functions, for example, the message service cluster may provide data interaction functions for each part in the system such as authorization server, metadata management program service cluster, gateway server, internal storage server, etc. The data may include authorization messages for managing configuration, for example, internal resource right messages for client access, messages for allocating storage controllers and gateway controller port mapping relationships for clients after authorization passes, and the like.
When the client sends an access message to the gateway server according to the access policy, the message service cluster first receives the authorization information and then allocates a port mapping relationship of the gateway server to the client; the client then sends the access message to the gateway server according to that port mapping relationship.
Step S150: and the gateway server receives the authorization information and performs access management on the access message according to the authorization information.
Specifically, when the gateway server receives the authorization information and performs access management on the access packet according to the authorization information, the gateway server may first obtain a release address mapping relationship from the message service cluster according to the authorization information, and then perform access management on the IP address and the port through the XDP module according to the release address mapping relationship.
In this implementation, the client first initiates an online request for authorization authentication to the authorization server; after the authorization server authenticates the request, it generates the corresponding authorization information and sends an access policy to the client, so that the client can send an access message to the gateway server according to the access policy. After receiving the authorization information, the gateway server performs access management on the access message. Through the security design of the zero-trust storage scheme, the method goes beyond conventional storage protection measures and allows access to all types of data storage, including but not limited to block storage, file storage and object storage.
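The following is an added simulation of steps S110 to S150, written for this page and not part of the patent or of any product of the applicant. It models the three roles the text names: an authorization server that checks the online request and issues authorization information (validity period plus an authorization code), a message service cluster that allocates a per-client gateway port mapping and publishes the released address mapping, and a gateway that decides per packet on source IP and destination port, standing in for the XDP module. The shared secret, the credential store, the IP addresses and the `XDP_PASS`/`XDP_DROP` verdict strings are constructed for the example; the gateway logic is plain Python, not an eBPF program.

```python
"""Simulation of authorization -> port mapping -> gateway filtering (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass

SHARED_SECRET = b"constructed-example-secret"   # hypothetical key shared by authz server and gateway


@dataclass(frozen=True)
class AuthorizationInfo:
    client_id: str
    expires_at: int     # authorization validity period, as Unix seconds
    auth_code: str      # authorization code: HMAC over client id and expiry


@dataclass(frozen=True)
class PortMapping:
    client_ip: str
    gateway_port: int           # external port the client must send to
    storage_target: tuple       # (internal storage address, port) behind the gateway
    expires_at: int
    auth_code: str


class AuthorizationServer:
    """Steps S120/S130: check the online request and issue authorization information."""

    def __init__(self, credentials: dict, ttl_seconds: int = 300):
        self._credentials = credentials   # client_id -> credential (constructed sample data)
        self._ttl = ttl_seconds

    def authorize(self, client_id: str, credential: str, now: int):
        expected = self._credentials.get(client_id)
        if expected is None or not hmac.compare_digest(expected, credential):
            return None                                  # authentication failed
        expires_at = now + self._ttl
        msg = f"{client_id}|{expires_at}".encode()
        code = hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()
        return AuthorizationInfo(client_id, expires_at, code)


class MessageServiceCluster:
    """Allocates a gateway port mapping per authorized client and publishes the release
    address mapping that the gateway enforces (step S140)."""

    def __init__(self, storage_target: tuple, first_port: int = 40000):
        self._storage_target = storage_target
        self._next_port = first_port
        self._release = {}    # (client_ip, gateway_port) -> PortMapping

    def allocate_port_mapping(self, info: AuthorizationInfo, client_ip: str) -> PortMapping:
        port = self._next_port
        self._next_port += 1
        mapping = PortMapping(client_ip, port, self._storage_target, info.expires_at, info.auth_code)
        self._release[(client_ip, port)] = mapping
        return mapping

    def release_address_mapping(self) -> dict:
        return dict(self._release)


class GatewayServer:
    """Step S150: per-packet decision on source IP and destination port. This stands in for
    the XDP module on the page; it is ordinary Python, not eBPF."""

    PASS, DROP = "XDP_PASS", "XDP_DROP"

    def __init__(self, message_service: MessageServiceCluster):
        self._release = message_service.release_address_mapping()

    def filter_packet(self, src_ip: str, dst_port: int, auth_code: str, now: int) -> str:
        mapping = self._release.get((src_ip, dst_port))
        if mapping is None:
            return self.DROP                      # no released address mapping for this flow
        if now >= mapping.expires_at:
            return self.DROP                      # authorization validity period exceeded
        if not hmac.compare_digest(mapping.auth_code, auth_code):
            return self.DROP                      # authorization code does not match
        return self.PASS


def demo(now: int = 1_700_000_000) -> dict:
    """Run one client through the flow and probe the gateway with good and bad packets."""
    authz = AuthorizationServer({"client-a": "secret-a"}, ttl_seconds=300)
    msgs = MessageServiceCluster(storage_target=("10.0.0.5", 445))   # constructed target
    info = authz.authorize("client-a", "secret-a", now)
    mapping = msgs.allocate_port_mapping(info, client_ip="203.0.113.7")
    gw = GatewayServer(msgs)
    return {
        "valid": gw.filter_packet("203.0.113.7", mapping.gateway_port, info.auth_code, now + 10),
        "wrong_port": gw.filter_packet("203.0.113.7", mapping.gateway_port + 1, info.auth_code, now + 10),
        "other_ip": gw.filter_packet("198.51.100.9", mapping.gateway_port, info.auth_code, now + 10),
        "expired": gw.filter_packet("203.0.113.7", mapping.gateway_port, info.auth_code, now + 301),
        "bad_credential": authz.authorize("client-a", "wrong", now),
    }


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that the gateway never consults the client's claim directly: it admits a flow only if the message service has released a mapping for exactly that source address and port, the validity period from the authorization server has not elapsed, and the authorization code matches. Any one failure drops the packet, which is the behaviour the validity period and authorization code are described as providing.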
A distributed cluster with mirrored traffic and load balancing provides high reliability inside the authorization server, the metadata manager service cluster and the message service cluster more efficiently. The cluster services can dynamically negotiate different consistency protocols: in a network environment with excellent latency performance a strict consistency protocol is adopted, under which the data state is confirmed only when all online nodes agree. Once the network of an online host in the cluster jitters and the internal detection module observes serious delay over three consecutive heartbeats, the cluster's data consistency algorithm is changed so that the consistency state of the data is confirmed when more than half of the nodes agree.
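The consistency negotiation described here and in the seL4 paragraph above (all nodes confirm under strong consistency, more than half under weak consistency, downgrade after three heartbeat rounds with serious delay) can be modelled in a few dozen lines. The block below is an added example written for this page, not the patent's own algorithm: node names, the 200 ms heartbeat timeout and the choice to return to strong consistency once every node is healthy again are assumptions.

```python
"""Model of strong/weak consistency negotiation driven by heartbeat detection (constructed)."""
from dataclasses import dataclass, field

STRONG, WEAK = "strong", "weak"
HEARTBEAT_FAILURE_THRESHOLD = 3   # the page: three consecutive heartbeats with serious delay


@dataclass
class Cluster:
    nodes: list
    heartbeat_timeout_ms: int = 200                     # assumed "serious delay" threshold
    policy: str = STRONG                                # strong consistency at initialization
    consecutive_failures: dict = field(default_factory=dict)
    abnormal: set = field(default_factory=set)

    def required_confirmations(self) -> int:
        """All nodes under strong consistency, more than half under weak consistency."""
        if self.policy == STRONG:
            return len(self.nodes)
        return len(self.nodes) // 2 + 1

    def observe_heartbeats(self, latencies_ms: dict) -> str:
        """Feed one heartbeat round: {node: latency in ms, or None if no reply}.
        Returns the consistency policy in force after this round."""
        for node in self.nodes:
            lat = latencies_ms.get(node)
            if lat is None or lat > self.heartbeat_timeout_ms:
                self.consecutive_failures[node] = self.consecutive_failures.get(node, 0) + 1
            else:
                self.consecutive_failures[node] = 0
                self.abnormal.discard(node)
            if self.consecutive_failures[node] >= HEARTBEAT_FAILURE_THRESHOLD:
                self.abnormal.add(node)
        # Negotiation: downgrade while any node is abnormal; restoring strong consistency
        # when all nodes are healthy again is an assumption of this example.
        self.policy = WEAK if self.abnormal else STRONG
        return self.policy

    def commit(self, confirmations: set) -> bool:
        """A data state is confirmed when enough nodes acknowledge it under the current policy."""
        acked = confirmations & set(self.nodes)
        return len(acked) >= self.required_confirmations()


def demo() -> list:
    """Five-node cluster: one node starts lagging and the policy downgrades on the third round."""
    cluster = Cluster(nodes=["n1", "n2", "n3", "n4", "n5"])
    log = []
    healthy = {"n1": 5, "n2": 7, "n3": 6, "n4": 8, "n5": 5}        # constructed latencies
    log.append(cluster.observe_heartbeats(healthy))               # strong
    log.append(cluster.commit({"n1", "n2", "n3", "n4"}))          # 4 of 5: not enough
    jittery = dict(healthy, n5=900)                               # n5 exceeds the timeout
    for _ in range(3):
        log.append(cluster.observe_heartbeats(jittery))           # strong, strong, weak
    log.append(cluster.commit({"n1", "n2", "n3"}))                # 3 of 5: majority, confirmed
    log.append(cluster.commit({"n1", "n2"}))                      # 2 of 5: rejected
    return log


if __name__ == "__main__":
    print(demo())
```

Note what the downgrade buys and costs: while `n5` is unreachable, strong consistency would block every commit (no write can collect five acknowledgements), so the switch to a majority quorum keeps the cluster writable, at the price that the lagging node may hold stale state until it catches up.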
In some embodiments of the present invention, the metadata manager service cluster is a center for centralized and unified management of visual resource directories, files, and the like on all storage systems, and all operations of clients on internal data need to pass through the metadata manager service cluster to obtain metadata, where the metadata is description information of data such as files.
Therefore, after the gateway server receives the authorization information and performs access management on the access message according to the authorization information, the method further includes the following steps: and after the gateway server passes the access message, the client sends the access operation on the internal data to the metadata management program service cluster, and the metadata management program service cluster sends the metadata to the client according to the access operation.
In some embodiments of the present invention, before the step in which the gateway server receives the authorization information and performs access management on the access message, the client starts a local network address translation module; then, before the client sends the access message to the gateway server, the network address translation module maps the access message to the internal storage server. The internal storage server obtains the resource authority control table from the message service cluster. After the client obtains the authority control table, it parses the table to obtain the resource operation authority, and changes the access message according to that authority.
Specifically, when the client accesses for the first time, the local network address translation module must be started; when the client initiates a network connection to the gateway server through an access message, the client's access message is mapped onto the internal storage server, which is responsible for obtaining the resource authority control table from the message service cluster, sending the control relationship to the client, and taking a snapshot of the storage resource on the current data view. The internal storage server takes one directory snapshot for any client accessing the storage system, so that any client accessing the storage can share it; this replaces the traditional locking approach with a space-for-time trade-off and is more efficient. After the client obtains the authority control, it can parse the policy message and obtain resource permissions such as read, write, read-and-write, update and delete, so as to refine and control directory permissions for accessing the storage pool. The client's local program module intercepts illegitimate permission operations up front to reduce the load on the internal storage server, and once these operations have been performed on first access, the client can securely access internal storage resources as if accessing a local file.
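To make the client-side step concrete, the following added example parses a resource authority control table and intercepts operations it does not permit before an access message is sent. It is written for this page, not taken from the patent; the line-oriented table format (`directory: op1,op2`), the longest-prefix-match rule and the path normalisation are assumptions, and the sample table and requests are constructed. The operation names read, write, update and delete are the ones the text lists.

```python
"""Client-side enforcement of a resource authority control table (constructed example)."""
from dataclasses import dataclass

OPERATIONS = {"read", "write", "update", "delete"}   # operation authorities named on the page


@dataclass(frozen=True)
class AccessRequest:
    path: str
    operation: str


def parse_authority_table(text: str) -> dict:
    """Parse 'directory: op1,op2' lines into {directory: frozenset(ops)}; unknown ops are an error."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment (assumed format)
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'directory: ops'")
        directory, ops = (part.strip() for part in line.split(":", 1))
        if not directory.startswith("/"):
            raise ValueError(f"line {lineno}: directory must be absolute")
        granted = frozenset(op.strip() for op in ops.split(",") if op.strip())
        unknown = granted - OPERATIONS
        if unknown:
            raise ValueError(f"line {lineno}: unknown operation(s) {sorted(unknown)}")
        table[directory.rstrip("/") or "/"] = granted
    return table


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so a path cannot sidestep a directory rule."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def permitted(table: dict, request: AccessRequest) -> bool:
    """Longest-prefix match: the most specific directory rule decides; no rule means deny."""
    path = normalize(request.path)
    best = None
    for directory in table:
        if path == directory or path.startswith(directory.rstrip("/") + "/"):
            if best is None or len(directory) > len(best):
                best = directory
    return best is not None and request.operation in table[best]


def client_filter(table: dict, requests: list) -> tuple:
    """Intercept disallowed operations locally; only permitted ones are forwarded."""
    forwarded, intercepted = [], []
    for req in requests:
        (forwarded if permitted(table, req) else intercepted).append(req)
    return forwarded, intercepted


SAMPLE_TABLE = """\
# constructed sample authority control table
/shared: read
/projects/alpha: read,write,update
/projects/alpha/archive: read
/tmp/scratch: read,write,update,delete
"""


def demo() -> tuple:
    """Return (forwarded, intercepted) as 'path:operation' strings for a constructed batch."""
    table = parse_authority_table(SAMPLE_TABLE)
    requests = [
        AccessRequest("/projects/alpha/report.txt", "write"),
        AccessRequest("/projects/alpha/archive/2019.tar", "write"),       # archive is read-only
        AccessRequest("/projects/alpha/archive/../notes.txt", "update"),  # normalises to /projects/alpha
        AccessRequest("/shared/readme.txt", "read"),
        AccessRequest("/shared/readme.txt", "delete"),
        AccessRequest("/projects/beta/x", "write"),                       # no rule at all
    ]
    forwarded, intercepted = client_filter(table, requests)
    fmt = lambda rs: [f"{r.path}:{r.operation}" for r in rs]
    return fmt(forwarded), fmt(intercepted)


if __name__ == "__main__":
    print(demo())
```

Two details matter for the load-reduction goal the text mentions: the decision is purely local (no round trip to the internal storage server for a request that will be refused anyway), and the default is deny, so a directory the table does not mention is never forwarded. Path normalisation before matching is what keeps the more specific read-only rule for the archive directory from being bypassed with `..`.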
In this implementation, the first layer of isolation of internal storage resources, namely access control of client hosts, is achieved through control of network address translation (NAT) inside the proxy network; fine-grained permission control of directory resources provides a second layer of isolation that further refines which storage resource contents can be accessed; sharing policies for resources on different storage devices provide a third layer of isolation that protects the operations of different users on resources; and the unified operation of the global metadata manager service cluster provides centralized or partial control of all system resources, a fourth, global layer of isolation, namely access control of global resources. Global data is handled transparently: whereas different addresses previously had to be accessed to obtain different resources, the global view is now invisible to users.
Based on the same inventive concept, the present invention further provides a zero-trust data storage access system 100, please refer to fig. 2, and fig. 2 is a block diagram of a zero-trust data storage access system according to an embodiment of the present invention. The zero trust data store access system 100 includes: a client 110, an authorization server 120, and a gateway server 130;
the client 110 is configured to initiate an online request authorization authentication to the authorization server 120;
the authorization server 120 is used for performing authorization authentication on the online request after receiving the online request authorization authentication;
the authorization server 120 is further configured to generate corresponding authorization information after the authorization authentication is successful, and send an access policy to the client 110;
the client 110 is configured to send an access packet to the gateway server 130 according to the access policy;
and the gateway server 130 is configured to receive the authorization information and perform access management on the access packet according to the authorization information.
In some embodiments of the invention, the system further comprises: a metadata manager service cluster 140;
the client 110 is configured to send an access operation on the internal data to the metadata manager service cluster 140 after the gateway server 130 passes the access packet;
and the metadata manager service cluster 140 is used for sending the metadata to the client terminal 110 according to the access operation.
In some embodiments of the invention, the system further comprises: a message service cluster 150;
the message service cluster 150 is configured to, after receiving the authorization information, allocate a port mapping relationship of the gateway server 130 to the client 110;
the client 110 is configured to send an access packet to the gateway server 130 according to the port mapping relationship.
In some embodiments of the invention, the gateway server 130 comprises an XDP module;
the gateway server 130 is configured to obtain a release address mapping relationship from the message service cluster 150 according to the authorization information;
the gateway server 130 is further configured to perform access management on the IP address and the port through the XDP module according to the released address mapping relationship.
In some embodiments of the invention, the client 110 comprises a local network address translation module, and the system further comprises an internal storage server:
a client 110 for enabling a local network address translation module;
the local network address translation module, configured to map the access packet to the internal storage server before the client 110 sends the access packet to the gateway server 130;
the internal storage server is used for acquiring the resource authority control table from the message service cluster 150;
the client 110 is configured to, after obtaining the authority control table, parse the authority control table to obtain the resource operation authority;
and the client 110 is used for changing the access packet according to the resource operation authority.
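The flow recited above (authorization information minted by the authorization server, a gateway port mapping and resource authority control table held by the message service cluster, the client's local NAT step trimming its request to the permitted operations, and a default-deny gateway that only releases authorized address/port pairs) as an added simulation; this is not the patent's code. The HMAC-protected token format, the in-memory dict standing in for the gateway's XDP map, the 40000+ port range and the `vol-a` read-only entry are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Key shared by the authorization server and the gateway (constructed for this
# demo; the patent does not say how authorization information is protected).
SECRET = b"constructed-demo-key"

def issue_authorization(client_id, resource, ops):
    """Authorization server: once the online request is authenticated, mint
    authorization information that the gateway can verify later."""
    nonce = secrets.token_hex(8)
    ops = sorted(ops)
    msg = "|".join([client_id, resource, ",".join(ops), nonce]).encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return {"client": client_id, "resource": resource, "ops": ops,
            "nonce": nonce, "mac": mac}

def verify_authorization(auth):
    """Gateway side: reject authorization information whose fields changed."""
    msg = "|".join([auth["client"], auth["resource"],
                    ",".join(auth["ops"]), auth["nonce"]]).encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(auth["mac"], expected)

class MessageServiceCluster:
    """Allocates the gateway port mapping per client and holds the resource
    permission (authority control) table."""
    def __init__(self):
        self.next_port = 40000
        self.mappings = {}  # (client_ip, gateway_port) -> (storage_ip, port)
        self.acl = {"vol-a": {"read"}}  # constructed: vol-a is read-only

    def allocate(self, client_ip, storage):
        port = self.next_port
        self.next_port += 1
        self.mappings[(client_ip, port)] = storage
        return port

class Gateway:
    """Default-deny filter. The real gateway keeps this table in an XDP map and
    drops non-matching packets at the driver; here it is a plain dict."""
    def __init__(self):
        self.released = {}

    def load(self, auth, cluster, client_ip):
        """Install the released address mapping only for verified authorization."""
        if not verify_authorization(auth):
            return False
        for (ip, port), dst in cluster.mappings.items():
            if ip == client_ip:
                self.released[(ip, port)] = dst
        return True

    def filter(self, pkt):
        """Return the internal storage endpoint to forward to, or None to drop."""
        return self.released.get((pkt["src"], pkt["dport"]))

def client_access_packet(client_ip, gateway_port, requested_ops, permitted_ops):
    """Client's local NAT step: address the packet to the mapped gateway port and
    trim the requested operations to what the permission table allows."""
    ops = set(requested_ops) & set(permitted_ops)
    if not ops:
        return None  # nothing permitted, so no access packet is sent
    return {"src": client_ip, "dport": gateway_port, "ops": ops}
```

Packets from an unauthorized source address, or to a port that was never released, fall through to `None` (drop), which is the zero-trust default the gateway enforces.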
Referring to fig. 3, fig. 3 is a schematic structural block diagram of an electronic device according to an embodiment of the present disclosure. The electronic device comprises a memory 101, a processor 102 and a communication interface 103, wherein the memory 101, the processor 102 and the communication interface 103 are electrically connected to each other directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 101 may be used for storing software programs and modules, such as program instructions/modules corresponding to the zero-trust data storage access system 100 provided in the embodiments of the present application, and the processor 102 executes various functional applications and data processing by executing the software programs and modules stored in the memory 101. The communication interface 103 may be used for communicating signaling or data with other node devices.
The memory 101 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 102 may be an integrated circuit chip having signal processing capabilities. The processor 102 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 3 or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof.
In the embodiments provided in the present application, it should be understood that the disclosed system and method may be implemented in other ways. The above-described system embodiments are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In summary, the zero-trust data storage access method and system provided by the embodiments of the present application include: the client initiates an online request authorization authentication to an authorization server; after receiving the online request authorization authentication, the authorization server performs authorization authentication on it; after the authorization authentication is successful, the authorization server generates corresponding authorization information and sends an access policy to the client; the client sends an access packet to the gateway server according to the access policy; and the gateway server receives the authorization information and performs access management on the access packet according to the authorization information. In the implementation process, the client first initiates an online request authorization authentication to the authorization server; after the authorization server authorizes the request, it generates the corresponding authorization information and sends an access policy to the client, so that the client can send an access packet to the gateway server according to the access policy. After receiving the authorization information, the gateway server performs access management on the access packet. Through the security design of the zero-trust storage scheme, the method goes beyond conventional storage security protection means and makes it possible to access all types of data storage, not limited to block storage, file storage and object storage.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (8)

1. A zero trust data store access method, the method comprising:
the client side initiates an online request authorization authentication to an authorization server;
after receiving the online request authorization authentication, the authorization server performs authorization authentication on the online request authorization authentication;
after the authorization authentication is successful, the authorization server generates corresponding authorization information and sends an access strategy to the client;
the client sends an access message to a gateway server according to the access strategy;
the gateway server receives the authorization information and performs access management on the access message according to the authorization information;
the message service cluster is used for providing a data interaction function, wherein before the step of receiving the authorization information and performing access management on the access message according to the authorization information, the method further comprises:
the client side enables a local network address translation module;
before the client sends the access message to the gateway server, the network address translation module maps the access message to an internal storage server;
the internal storage server acquires a resource authority control table from the message service cluster;
after acquiring the authority control table, the client analyzes the authority control table to acquire the resource operation authority;
the client side changes the access message according to the resource operation authority;
the gateway server receives the authorization information and performs access management on the access message according to the authorization information, and the method comprises the following steps:
the gateway server acquires a release address mapping relation from the message service cluster according to the authorization information;
and the gateway server performs access management on the IP address and the port through the XDP module according to the release address mapping relation.
2. The method of claim 1, wherein after the gateway server receives the authorization information and performs access management on the access packet according to the authorization information, the method further comprises:
after the gateway server passes the access message, the client sends an access operation on the internal data to a metadata manager service cluster;
and the metadata manager service cluster sends metadata to the client according to the access operation.
3. The method according to claim 1, wherein the message service cluster is used for providing a data interaction function, and the step of sending, by the client, the access packet to the gateway server according to the access policy comprises:
after receiving the authorization information, the gateway server allocates a port mapping relation of the gateway server to the client;
and the client sends an access message to the gateway server according to the port mapping relation.
4. A zero trust data store access system, the system comprising: the system comprises a client, an authorization server and a gateway server;
the client is used for initiating an online request authorization authentication to the authorization server;
the authorization server is used for performing authorization authentication on the online request after receiving the online request authorization authentication;
the authorization server is further used for generating corresponding authorization information after the authorization authentication is successful, and sending an access strategy to the client;
the client is used for sending an access message to the gateway server according to the access strategy;
the gateway server is used for receiving the authorization information and carrying out access management on the access message according to the authorization information;
the client comprises a local network address translation module, and the system further comprises an internal storage server:
the client is used for starting the local network address translation module;
the network address translation module is used for mapping the access message to the internal storage server before the client sends the access message to the gateway server;
the internal storage server is used for acquiring a resource authority control table from the message service cluster;
the client is used for analyzing the authority control table to obtain the resource operation authority after obtaining the authority control table; the client is used for changing the access message according to the resource operation authority;
wherein the gateway server comprises an XDP module; the gateway server is used for acquiring a release address mapping relation from the message service cluster according to the authorization information;
and the gateway server is also used for carrying out access management on the IP address and the port through the XDP module according to the released address mapping relation.
5. The system of claim 4, further comprising: a metadata manager service cluster;
the client is used for sending the access operation of the internal data to the metadata manager service cluster after the gateway server passes the access message;
and the metadata manager service cluster is used for sending metadata to the client according to the access operation.
6. The system of claim 4, further comprising: a message service cluster;
the gateway server is used for distributing the port mapping relation of the gateway server to the client after receiving the authorization information;
and the client is used for sending an access message to the gateway server according to the port mapping relation.
7. An electronic device, comprising:
a memory for storing one or more programs;
a processor;
the one or more programs, when executed by the processor, implement the method of any of claims 1-3.
8. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-3.
CN202011220319.7A 2020-11-05 2020-11-05 Zero-trust data storage access method and system Active CN112100675B (en)

Publications (2)

Publication Number Publication Date
CN112100675A CN112100675A (en) 2020-12-18
CN112100675B true CN112100675B (en) 2021-02-12

Family

ID=73785467

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant