CN112214792A - Authority management method and tool based on cockroachDB database - Google Patents


Info
Publication number: CN112214792A
Authority: CN (China)
Prior art keywords: authority, type, database, drop, execute
Legal status: Granted
Application number: CN202011054893.XA
Other languages: Chinese (zh)
Other versions: CN112214792B (en)
Inventors: 金越, 冯友旭, 高子奇, 马伟科, 李欣泽, 陈磊
Current assignee: Inspur Cloud Information Technology Co Ltd
Original assignee: Inspur Cloud Information Technology Co Ltd
Events: application filed by Inspur Cloud Information Technology Co Ltd; priority to CN202011054893.XA; publication of CN112214792A; application granted; publication of CN112214792B; legal status: active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor, of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/252 Integrating or interfacing systems involving database management systems, between a Database Management System and a front-end application


Abstract

The invention discloses a privilege management method and tool based on the cockroachDB database, in the technical field of databases, realized by the following steps: dividing privileges into three levels, database, schema and object, according to the usage scenarios of cockroachDB database privileges; acquiring the structure information of cockroachDB database privileges and storing it separately under each of the three levels, where the privilege structure information comprises three parts, name, type and function; the name part comprises Grantor, PrivilegeType and GrantAble; Grantor and PrivilegeType are of string type, Grantor identifying the grantor of the privilege and PrivilegeType marking the privilege type; GrantAble is of Boolean type, records the grantor and is used to select whether the privilege can be granted onward to others; and, based on the privilege structure information of the different levels, the privilege loop problem is solved through step-by-step granting and cascading revocation. The invention improves the security of the database, greatly expands the application scenarios of the database and solves the problem that the background management of the conventional cockroachDB database has no privilege management function.

Description

Authority management method and tool based on cockroachDB database
Technical Field
The invention relates to the technical field of databases, in particular to a privilege management method and tool based on the cockroachDB database.
Background
In current mainstream database systems, if the background management of the cockroachDB database has no privilege management function, all users log in to the database with the same account name and password. That is, anyone who holds the database account name and password can, once logged in, perform operations such as inserting and deleting data without restriction, which poses a great risk to the security of the database's data.
Disclosure of Invention
Aiming at the requirements and shortcomings of the prior art, the invention provides a privilege management method and tool based on the cockroachDB database.
Firstly, the privilege management method based on the cockroachDB database adopts the following technical scheme to solve the technical problem:
a privilege management method based on the cockroachDB database comprises the following steps:
dividing privileges into three levels, database, schema and object, according to the usage scenarios of cockroachDB database privileges;
acquiring the structure information of cockroachDB database privileges and storing it separately under each of the three privilege levels;
based on the privilege structure information of the different levels, solving the privilege loop problem through step-by-step granting and cascading revocation.
Further, the structure information of a cockroachDB database privilege comprises three parts, name, type and function, where:
the name part comprises three fields, Grantor, PrivilegeType and GrantAble;
Grantor is of string type and identifies the grantor of the privilege;
PrivilegeType is of string type and marks the privilege type;
GrantAble is of Boolean type, records the grantor and is used to select whether the privilege can be granted onward to others, which assists in solving the privilege loop problem.
Further, three privilege types, CREATE, DROP and USAGE, are supported at the database level: the CREATE privilege type allows creating a database, the DROP privilege type allows deleting the database, and the USAGE privilege type allows accessing the database.
Further, four privilege types, CREATE, DROP, USAGE and ALTER, are supported at the schema level: the CREATE privilege type allows creating a schema, the DROP privilege type allows deleting the schema, the USAGE privilege type allows accessing the schema, and the ALTER privilege is used for changing the schema.
Further, the privilege decision process at the schema level is as follows:
(1) start;
(2a.1) the CREATE privilege is exercised: a new schema is to be created;
(2a.2) determine whether the user holds the CREATE privilege on the current database;
if yes, grant the user the CREATE, DROP and USAGE privilege types on the new schema and finish on success; if not, finish directly;
(2b.1) the DROP privilege is exercised: a schema is to be deleted;
(2b.2) determine whether the user holds the DROP privilege on the schema;
if yes, traverse the tables in the current schema and execute step (2b.3); if not, finish directly;
(2b.3) further determine whether the user holds the DROP privilege on each table;
if yes, the operation succeeds and the process ends;
if not, finish directly;
(2c.1) the USAGE privilege is exercised: a schema is to be accessed;
(2c.2) determine whether the user holds the CREATE privilege on the current database;
if yes, execute step (2c.3); otherwise, finish directly;
(2c.3) further determine whether the user holds the DROP privilege on the schema;
if yes, traverse the tables in the current schema and execute step (2c.4);
(2c.4) further determine whether the user holds the DROP privilege on each table;
if yes, grant the user the three privilege types CREATE, DROP and USAGE on the new schema and finish on success;
if not, the process ends directly.
Further, three privilege types, CREATE, DROP and ALTER, are supported at the object level, where:
when the CREATE privilege type is exercised, it is first determined whether the object is attached to a database or to a schema, and the user must then hold the CREATE privilege on that database/schema; the DROP privilege type allows deleting the object; and the ALTER privilege type supports migrating the original object to a different database;
for object-level privileges, six privilege types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported;
object-level privileges are divided into four kinds: relation, index, view and sequence;
for relation privileges at the object level, six privilege types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported, where INSERT allows adding data, DELETE allows deleting data, UPDATE allows updating data, SELECT allows querying data, REFERENCES allows changing relation attributes, and DROP allows deleting the corresponding data;
for index privileges at the object level, the REFERENCES privilege type is supported, which allows creating, modifying and deleting the index;
for view privileges at the object level, two privilege types, SELECT and DROP, are supported, where SELECT allows querying the view and DROP allows deleting the view;
and for sequence privileges at the object level, three privilege types, SELECT, DROP and UPDATE, are supported, where SELECT allows querying the sequence, DROP allows deleting the sequence, and UPDATE allows updating the sequence.
Secondly, the privilege management tool based on the cockroachDB database adopts the following technical scheme to solve the technical problem:
a privilege management tool based on the cockroachDB database, whose structure comprises:
a classification module, used to divide privileges into three levels, database, schema and object, according to the usage scenarios of cockroachDB database privileges;
an acquisition and storage module, used to acquire the structure information of cockroachDB database privileges and store it separately under the three privilege levels of database, schema and object;
and a processing module, used to solve the privilege loop problem through step-by-step granting and cascading revocation according to the privilege structure information of the different levels.
Further, the structure information of a cockroachDB database privilege comprises three parts, name, type and function, where:
the name part comprises three fields, Grantor, PrivilegeType and GrantAble;
Grantor is of string type and identifies the grantor of the privilege;
PrivilegeType is of string type and marks the privilege type;
GrantAble is of Boolean type, records the grantor and is used to select whether the privilege can be granted onward to others, which assists in solving the privilege loop problem.
Further, three privilege types, CREATE, DROP and USAGE, are supported at the database level: the CREATE privilege type allows creating a database, the DROP privilege type allows deleting the database, and the USAGE privilege type allows accessing the database;
and at the schema level, four privilege types, CREATE, DROP, USAGE and ALTER, are supported: the CREATE privilege type allows creating a schema, the DROP privilege type allows deleting the schema, the USAGE privilege type allows accessing the schema, and the ALTER privilege is used for changing the schema.
Further, three privilege types, CREATE, DROP and ALTER, are supported at the object level, where:
when the CREATE privilege type is exercised, it is first determined whether the object is attached to a database or to a schema, and the user must then hold the CREATE privilege on that database/schema; the DROP privilege type allows deleting the object; and the ALTER privilege type supports migrating the original object to a different database;
for object-level privileges, six privilege types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported;
object-level privileges are divided into four kinds: relation, index, view and sequence;
for relation privileges at the object level, six privilege types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported, where INSERT allows adding data, DELETE allows deleting data, UPDATE allows updating data, SELECT allows querying data, REFERENCES allows changing relation attributes, and DROP allows deleting the corresponding data;
for index privileges at the object level, the REFERENCES privilege type is supported, which allows creating, modifying and deleting the index;
for view privileges at the object level, two privilege types, SELECT and DROP, are supported, where SELECT allows querying the view and DROP allows deleting the view;
and for sequence privileges at the object level, three privilege types, SELECT, DROP and UPDATE, are supported, where SELECT allows querying the sequence, DROP allows deleting the sequence, and UPDATE allows updating the sequence.
Compared with the prior art, the privilege management method and tool based on the cockroachDB database have the following beneficial effects:
the invention realizes privilege support in the database as a complete design scheme, offers a better user experience, improves the security of the database, greatly expands the application scenarios of the database, and solves the problem that the background management of the traditional cockroachDB database has no privilege management function.
Drawings
Fig. 1 is a schematic diagram of the schema-level privilege decision logic according to the first embodiment of the present invention.
Detailed Description
In order to make the technical scheme, the technical problems to be solved and the technical effects of the present invention clearer, the technical scheme is described completely below with reference to specific embodiments.
Embodiment one:
this embodiment provides a privilege management method based on the cockroachDB database, comprising the following steps:
dividing privileges into three levels, database, schema and object, according to the usage scenarios of cockroachDB database privileges;
acquiring the structure information of cockroachDB database privileges and storing it separately under each of the three privilege levels;
based on the privilege structure information of the different levels, solving the privilege loop problem through step-by-step granting and cascading revocation.
In this embodiment, the structure information of a cockroachDB database privilege comprises three parts, name, type and function, as follows:
Name           Type     Function
Grantor        string   grantor of the privilege
PrivilegeType  string   type of the privilege
GrantAble      Boolean  whether the privilege can be granted onward to others
GrantAble records the grantor and is used to select whether the privilege can be granted onward to others, which helps solve the privilege loop problem.
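The following is an added example, not code from the patent or from Inspur: a small store for the (Grantor, PrivilegeType, GrantAble) records described above, kept separately per level, in which a privilege can only be passed on step by step by a holder whose record has GrantAble set, and a revocation cascades along the recorded Grantor links. The user names, object paths and the loop rule (each user holds a given privilege on an object through exactly one grantor, so grantor links form a tree and a grant back up the chain is refused) are assumptions of this example.

```python
# Added example (not code from the patent): a store for the
# (Grantor, PrivilegeType, GrantAble) records of the table above, with
# step-by-step granting and cascading revocation. User names, object
# paths and the loop rule (each user holds a given privilege on an object
# through exactly one grantor, so grantor links form a tree) are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Privilege:
    """One privilege record with the three fields named in the table."""
    grantor: str          # Grantor (string): who granted it
    privilege_type: str   # PrivilegeType (string): CREATE, DROP, SELECT, ...
    grantable: bool       # GrantAble (bool): may the holder grant it onward?


class PrivilegeStore:
    """Records kept separately per level: level -> object -> (user, type)."""

    LEVELS = ("database", "schema", "object")

    def __init__(self, root: str = "root"):
        self.root = root  # root is treated as the implicit owner of everything
        self.records = {lvl: {} for lvl in self.LEVELS}

    def _table(self, level: str, obj: str) -> dict:
        if level not in self.LEVELS:
            raise ValueError(f"unknown level {level!r}")
        return self.records[level].setdefault(obj, {})

    def holds(self, level: str, obj: str, user: str, ptype: str) -> bool:
        return (user, ptype) in self._table(level, obj)

    def grant(self, level, obj, grantor, grantee, ptype, grantable=False):
        """Step-by-step granting: the grantor must hold the privilege with
        GrantAble set (root excepted), and a grantee may hold a privilege on
        an object only once, so a grant back up the chain (a loop) is refused."""
        tbl = self._table(level, obj)
        if grantor != self.root:
            own = tbl.get((grantor, ptype))
            if own is None or not own.grantable:
                raise PermissionError(f"{grantor} cannot grant {ptype} on {obj}")
        if (grantee, ptype) in tbl:
            raise PermissionError(f"{grantee} already holds {ptype} on {obj}")
        tbl[(grantee, ptype)] = Privilege(grantor, ptype, grantable)
        return tbl[(grantee, ptype)]

    def revoke(self, level, obj, revoker, grantee, ptype):
        """Cascading revocation: drop the grantee's record, then every record
        whose Grantor just lost the privilege, and so on down the chain.
        Only root or the recorded Grantor may start the cascade."""
        tbl = self._table(level, obj)
        rec = tbl.get((grantee, ptype))
        if rec is None:
            raise PermissionError(f"{grantee} does not hold {ptype} on {obj}")
        if revoker not in (self.root, rec.grantor):
            raise PermissionError(f"{revoker} did not grant {ptype} to {grantee}")
        revoked, pending = [], [grantee]
        while pending:
            user = pending.pop(0)
            if (user, ptype) not in tbl:
                continue
            del tbl[(user, ptype)]
            revoked.append(user)
            # dependants: every record naming `user` as its Grantor
            pending.extend(u for (u, t), r in list(tbl.items())
                           if t == ptype and r.grantor == user)
        return revoked


def demo() -> dict:
    """Constructed scenario: root -> alice -> bob -> carol on one table."""
    s, obj = PrivilegeStore(), "db1.sch1.orders"
    s.grant("object", obj, "root", "alice", "SELECT", grantable=True)
    s.grant("object", obj, "alice", "bob", "SELECT", grantable=True)
    s.grant("object", obj, "bob", "carol", "SELECT")
    out = {}
    for label, args in (("carol_grants", ("carol", "dave")),   # no GrantAble
                        ("loop", ("bob", "alice"))):            # back up the chain
        try:
            s.grant("object", obj, *args, "SELECT")
            out[label] = "allowed"
        except PermissionError:
            out[label] = "denied"
    out["revoked"] = s.revoke("object", obj, "root", "alice", "SELECT")
    out["bob_still_holds"] = s.holds("object", obj, "bob", "SELECT")
    return out


if __name__ == "__main__":
    print(demo())
```

Revoking alice's SELECT at the root takes bob's and carol's records with it, because each names the previous holder as its Grantor.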
[Table of the privilege types supported at the database, schema and object levels; rendered as an image in the original.]
From the above table it can be seen that:
three privilege types, CREATE, DROP and USAGE, are supported at the database level, where:
the CREATE privilege type allows creating a database, and only the root user of the database system holds the privilege to create a database;
the DROP privilege type allows deleting a database, and a user holding the DROP privilege on a database may delete it;
the USAGE privilege type allows accessing the database.
At the schema level, four privilege types, CREATE, DROP, USAGE and ALTER, are supported: the CREATE privilege type allows creating a schema, the DROP privilege type allows deleting the schema, the USAGE privilege type allows accessing the schema, and the ALTER privilege is used for changing the schema.
Referring to Fig. 1, the decision logic for schema-level privileges is as follows:
(1) start;
(2a.1) the CREATE privilege is exercised: a new schema is to be created;
(2a.2) determine whether the user holds the CREATE privilege on the current database;
if yes, grant the user the CREATE, DROP and USAGE privilege types on the new schema and finish on success; if not, finish directly;
(2b.1) the DROP privilege is exercised: a schema is to be deleted;
(2b.2) determine whether the user holds the DROP privilege on the schema;
if yes, traverse the tables in the current schema and execute step (2b.3); if not, finish directly;
(2b.3) further determine whether the user holds the DROP privilege on each table;
if yes, the operation succeeds and the process ends;
if not, finish directly;
(2c.1) the USAGE privilege is exercised: a schema is to be accessed;
(2c.2) determine whether the user holds the CREATE privilege on the current database;
if yes, execute step (2c.3); otherwise, finish directly;
(2c.3) further determine whether the user holds the DROP privilege on the schema;
if yes, traverse the tables in the current schema and execute step (2c.4);
(2c.4) further determine whether the user holds the DROP privilege on each table;
if yes, grant the user the three privilege types CREATE, DROP and USAGE on the new schema and finish on success;
if not, the process ends directly.
Three privilege types, CREATE, DROP and ALTER, are supported at the object level, where:
when the CREATE privilege type is exercised, it is first determined whether the object is attached to a database or to a schema, and the user must then hold the CREATE privilege on that database/schema; the DROP privilege type allows deleting the object; and the ALTER privilege type supports migrating the original object to a different database;
for object-level privileges, six privilege types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported, where: for the INSERT privilege, any user holding the INSERT privilege on an object can insert data into it; for the DELETE privilege, any user holding both the SELECT and DELETE privileges on an object can delete data from it; for the UPDATE privilege, any user holding both the SELECT and UPDATE privileges on an object can update its data; and for the SELECT privilege, any user can query the data in an object as long as the user holds the SELECT privilege on every object (including views, sequences and joined tables) involved in the query;
object-level privileges are divided into four kinds: relation, index, view and sequence;
for relation privileges at the object level, six privilege types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported, where INSERT allows adding data, DELETE allows deleting data, UPDATE allows updating data, SELECT allows querying data, REFERENCES allows changing relation attributes, and DROP allows deleting the corresponding data;
for index privileges at the object level, the REFERENCES privilege type is supported, which allows creating, modifying and deleting the index;
for view privileges at the object level, two privilege types, SELECT and DROP, are supported, where SELECT allows querying the view and DROP allows deleting the view;
and for sequence privileges at the object level, three privilege types, SELECT, DROP and UPDATE, are supported, where SELECT allows querying the sequence, DROP allows deleting the sequence, and UPDATE allows updating the sequence.
For object-level privileges, taking the relation TABLE as an example, the decision logic is as follows:
(1) start;
(2) the user exercises one of the privilege types CREATE/DROP/ALTER;
(2a.1) the user exercises the CREATE privilege;
(2a.2) determine whether the user holds the CREATE privilege on the schema SCHEMA or database DATABASE to which the table is attached;
if yes, execute step (2a.3);
if not, do not execute, report an error that the user lacks the corresponding privilege, and execute step (3);
(2a.3) execute CREATE TABLE, set the table's privileges to the default privileges of TABLE, and execute step (3);
(2b.1) the user exercises the DROP privilege;
(2b.2) determine whether the user holds the DROP privilege on the TABLE;
if yes, execute step (2b.3); if not, execute step (2b.4);
(2b.3) execute the DROP, and execute step (3);
(2b.4) do not execute DROP TABLE, report an error that the user lacks the corresponding privilege, and execute step (3);
(2c.1) the user exercises the ALTER privilege;
(2c.2) determine whether the user holds the DROP privilege on the TABLE and the CREATE privilege on the target schema SCHEMA or database DATABASE;
if yes, execute step (2c.3);
if not, do not execute, report an error that the user lacks the corresponding privilege, and execute step (3);
(2c.3) execute ALTER TABLE, set the table's privileges to the default privileges of TABLE, and execute step (3);
(3) end.
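As an added example (not the patent's or Inspur's code), the checker below encodes the CREATE and DROP branches of the schema-level flow, the three branches of the table-level flow just described, and the object-level DML rules (INSERT, DELETE, UPDATE, SELECT) given above, and runs a constructed scenario through them. The object paths ("db1.sch1.t1"), the plain per-user privilege map, and a new table's default privileges (taken here to be all six table privilege types for its creator, which the page does not define) are assumptions of the example.

```python
# Added example, not the patent's code: checker for the CREATE/DROP branches of
# the schema flow, the three table-flow branches and the DML rules. Paths like
# "db1.sch1.t1" and a new table's defaults (all six types to its creator) are assumed.
TABLE_PRIVS = ("INSERT", "DELETE", "UPDATE", "SELECT", "REFERENCES", "DROP")
# INSERT needs INSERT; DELETE needs SELECT and DELETE; UPDATE needs SELECT
# and UPDATE; SELECT needs SELECT on every object the statement touches.
DML_RULES = {"INSERT": ("INSERT",), "DELETE": ("SELECT", "DELETE"),
             "UPDATE": ("SELECT", "UPDATE"), "SELECT": ("SELECT",)}


class Denied(Exception):
    pass  # the flowchart's failure branch: do not execute, report an error


class Catalog:
    def __init__(self):
        self.privs = {}   # user -> object path -> set of privilege types
        self.tables = {}  # schema (or database) path -> set of table paths

    def give(self, user, obj, privs):
        self.privs.setdefault(user, {}).setdefault(obj, set()).update(privs)

    def _require(self, user, obj, priv):
        if priv not in self.privs.get(user, {}).get(obj, set()):
            raise Denied(f"{user} lacks {priv} on {obj}")

    def _forget(self, obj):
        for grants in self.privs.values():
            grants.pop(obj, None)

    # schema flow (2a): CREATE on the database; creator gets CREATE/DROP/USAGE
    def create_schema(self, user, db, name):
        self._require(user, db, "CREATE")
        schema = f"{db}.{name}"
        self.tables[schema] = set()
        self.give(user, schema, ("CREATE", "DROP", "USAGE"))
        return schema

    # schema flow (2b): DROP on the schema, then DROP on each of its tables
    def drop_schema(self, user, schema):
        self._require(user, schema, "DROP")
        for table in sorted(self.tables.get(schema, ())):
            self._require(user, table, "DROP")
        for table in self.tables.pop(schema, set()):
            self._forget(table)
        self._forget(schema)

    # table flow (2a): CREATE on the parent schema/database; default privileges
    def create_table(self, user, parent, name):
        self._require(user, parent, "CREATE")
        table = f"{parent}.{name}"
        self.tables.setdefault(parent, set()).add(table)
        self.give(user, table, TABLE_PRIVS)
        return table

    # table flow (2b): DROP on the table itself
    def drop_table(self, user, table):
        self._require(user, table, "DROP")
        parent, _ = table.rsplit(".", 1)
        self.tables.get(parent, set()).discard(table)
        self._forget(table)

    # table flow (2c): DROP on the table and CREATE on the target, then the
    # moved table takes default privileges again
    def alter_table(self, user, table, target):
        self._require(user, table, "DROP")
        self._require(user, target, "CREATE")
        name = table.rsplit(".", 1)[1]
        self.drop_table(user, table)
        return self.create_table(user, target, name)

    def check_dml(self, user, stmt, objects):
        for obj in objects:
            for priv in DML_RULES[stmt]:
                self._require(user, obj, priv)
        return True


def demo():
    # constructed walk through the flows; returns one line per decision
    c, log = Catalog(), []

    def attempt(label, fn, *args):
        try:
            fn(*args)
            log.append(f"{label}: ok")
        except Denied as e:
            log.append(f"{label}: denied ({e})")

    c.give("root", "db1", ("CREATE", "DROP", "USAGE"))  # root owns db1
    attempt("alice CREATE SCHEMA", c.create_schema, "alice", "db1", "sch1")
    attempt("root CREATE SCHEMA", c.create_schema, "root", "db1", "sch1")
    attempt("root CREATE TABLE", c.create_table, "root", "db1.sch1", "t1")
    c.give("alice", "db1.sch1", ("DROP",))       # DROP on the schema only
    attempt("alice DROP SCHEMA", c.drop_schema, "alice", "db1.sch1")
    c.give("alice", "db1.sch1.t1", ("UPDATE",))  # UPDATE without SELECT
    attempt("alice UPDATE t1", c.check_dml, "alice", "UPDATE", ["db1.sch1.t1"])
    c.give("alice", "db1.sch1.t1", ("SELECT",))
    attempt("alice UPDATE t1 again", c.check_dml, "alice", "UPDATE", ["db1.sch1.t1"])
    return log
```

The schema DROP is refused even though alice holds DROP on the schema, because step (2b.3) also requires DROP on every table inside it.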
Embodiment two:
this embodiment proposes a privilege management tool based on the cockroachDB database, whose structure comprises:
a classification module, used to divide privileges into three levels, database, schema and object, according to the usage scenarios of cockroachDB database privileges;
an acquisition and storage module, used to acquire the structure information of cockroachDB database privileges and store it separately under the three privilege levels of database, schema and object;
and a processing module, used to solve the privilege loop problem through step-by-step granting and cascading revocation according to the privilege structure information of the different levels.
In this embodiment, the structure information of a cockroachDB database privilege comprises three parts, name, type and function, where:
the name part comprises three fields, Grantor, PrivilegeType and GrantAble;
Grantor is of string type and identifies the grantor of the privilege;
PrivilegeType is of string type and marks the privilege type;
GrantAble is of Boolean type, records the grantor and is used to select whether the privilege can be granted onward to others, which assists in solving the privilege loop problem.
In this embodiment, three privilege types, CREATE, DROP and USAGE, are supported at the database level: the CREATE privilege type allows creating a database, the DROP privilege type allows deleting a database, and the USAGE privilege type allows accessing a database.
In this embodiment, four privilege types, CREATE, DROP, USAGE and ALTER, are supported at the schema level: the CREATE privilege type allows creating a schema, the DROP privilege type allows deleting the schema, the USAGE privilege type allows accessing the schema, and the ALTER privilege is used for changing the schema.
In this embodiment, three privilege types, CREATE, DROP and ALTER, are supported at the object level, where: when the CREATE privilege type is exercised, it is first determined whether the object is attached to a database or to a schema, and the user must then hold the CREATE privilege on that database/schema; the DROP privilege type allows deleting the object; and the ALTER privilege type supports migrating the original object to a different database;
for object-level privileges, six privilege types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported, where: for the INSERT privilege, any user holding the INSERT privilege on an object can insert data into it; for the DELETE privilege, any user holding both the SELECT and DELETE privileges on an object can delete data from it; for the UPDATE privilege, any user holding both the SELECT and UPDATE privileges on an object can update its data; and for the SELECT privilege, any user can query the data in an object as long as the user holds the SELECT privilege on every object (including views, sequences and joined tables) involved in the query;
object-level privileges are divided into four kinds: relation, index, view and sequence;
for relation privileges at the object level, six privilege types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported, where INSERT allows adding data, DELETE allows deleting data, UPDATE allows updating data, SELECT allows querying data, REFERENCES allows changing relation attributes, and DROP allows deleting the corresponding data;
for index privileges at the object level, the REFERENCES privilege type is supported, which allows creating, modifying and deleting the index;
for view privileges at the object level, two privilege types, SELECT and DROP, are supported, where SELECT allows querying the view and DROP allows deleting the view;
and for sequence privileges at the object level, three privilege types, SELECT, DROP and UPDATE, are supported, where SELECT allows querying the sequence, DROP allows deleting the sequence, and UPDATE allows updating the sequence.
In summary, the privilege management method and tool based on the cockroachDB database improve the security of the database, expand the application scenarios of the database, and solve the problem that the background management of the conventional cockroachDB database has no privilege management function.
The principles and embodiments of the present invention have been described using specific examples, which are provided only to aid understanding of the core technical content of the invention. Based on the above embodiments, any improvements and modifications made by those skilled in the art without departing from the principle of the present invention fall within the protection scope of the present invention.

Claims (10)

1. A rights management method based on a cockroachDB database is characterized by comprising the following steps:
dividing the authority into three levels of a database, a mode and an object according to the authority use scene of the cockroachDB database;
acquiring the structure information of the cockroachDB database authority, and respectively storing the information under the three levels of authority;
based on the authority structure information of different levels, the authority ring forming problem is solved through gradual empowerment and cascade revocation.
2. The rights management method based on cockroachDB database of claim 1, wherein the structure information of the cockroachDB database rights includes three parts of name, type and effect, wherein:
the name part comprises three types of Grantor, Privilegetype and grantale,
the type of Grantor is a character string, as an assignor of the authority,
the type of PrivilegeType is a character string used for marking the authority type,
the grantale type is a boolean value which records the authority assignor and is used for selecting whether the authority can be continuously assigned to other people or not, and assistance is provided for solving the authority looping problem.
3. The rights management method of claim 2, wherein three rights types, CREATE, DROP and USAGE, are supported for rights at the database level, wherein the CREATE rights type can perform the operation of creating a database, the DROP rights type can perform the operation of deleting a database, and the USAGE rights type can perform the operation of accessing a database.
4. The rights management method based on the cockroachDB database according to claim 3, characterized in that four rights types, CREATE, DROP, USAGE and ALTER, are supported for rights at the schema level, wherein the CREATE rights type can execute the operation of creating a schema, the DROP rights type can execute the operation of deleting a schema, the USAGE rights type can execute the operation of accessing a schema, and the ALTER right is used for changing a schema.
5. The rights management method based on the cockroachDB database according to claim 4, wherein the rights judgment process at the schema level is as follows:
(1) start;
(2a.1) executing the CREATE authority to create a new schema;
(2a.2) determining whether the user has the CREATE privilege on the current database;
if yes, granting the user the CREATE, DROP and USAGE privilege types on the new schema and ending after success; if not, ending directly;
(2b.1) executing the DROP authority to delete a schema;
(2b.2) determining whether the user has the DROP authority on the schema;
if yes, traversing the tables in the current schema and executing step (2b.3); if not, ending directly;
(2b.3) further determining whether the user has the DROP authority on each table;
if yes, the operation succeeds and the process ends;
if not, ending directly;
(2c.1) executing the USAGE authority to access a schema;
(2c.2) determining whether the user has the CREATE privilege on the current database;
if yes, executing step (2c.3); otherwise, ending directly;
(2c.3) further determining whether the user has the DROP authority on the schema;
if yes, traversing the tables in the current schema and executing step (2c.4);
(2c.4) further determining whether the user has the DROP authority on each table;
if yes, granting the user the three privilege types CREATE, DROP and USAGE on the new schema and ending after success;
if not, ending directly.
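As an added illustration of the schema-level checks in branches (2a) and (2b) of claim 5, not code from the patent, the following Python keeps privileges per level and applies the two judgment sequences; the class name SchemaRights and all user, database and table names are constructed for the example.

```python
# Constructed illustration of claim 5 branches (2a) and (2b); not the patent's code.
# Privileges are kept per level as key -> {user: set of privilege types}.

class SchemaRights:
    def __init__(self):
        self.db = {}         # db -> {user: privs}
        self.schema = {}     # (db, schema) -> {user: privs}
        self.table = {}      # (db, schema, table) -> {user: privs}
        self.tables_in = {}  # (db, schema) -> [table, ...]

    @staticmethod
    def _has(level, key, user, priv):
        return priv in level.get(key, {}).get(user, set())

    def create_schema(self, user, db, schema):
        # (2a.2): CREATE on the current database is required; on success the
        # creator receives CREATE, DROP and USAGE on the new schema.
        if not self._has(self.db, db, user, "CREATE"):
            return False
        self.schema[(db, schema)] = {user: {"CREATE", "DROP", "USAGE"}}
        self.tables_in[(db, schema)] = []
        return True

    def drop_schema(self, user, db, schema):
        # (2b.2): DROP on the schema, then (2b.3): DROP on every table inside it.
        key = (db, schema)
        if not self._has(self.schema, key, user, "DROP"):
            return False
        if not all(self._has(self.table, key + (t,), user, "DROP")
                   for t in self.tables_in.get(key, [])):
            return False
        for t in self.tables_in.pop(key, []):
            self.table.pop(key + (t,), None)
        del self.schema[key]
        return True

def demo():
    """Constructed scenario: alice may create schemas in db1, bob may not."""
    r = SchemaRights()
    r.db["db1"] = {"alice": {"CREATE", "USAGE"}, "bob": {"USAGE"}}
    created = (r.create_schema("alice", "db1", "sales"), r.create_schema("bob", "db1", "hr"))
    # A table on which only carol holds DROP blocks alice from dropping the schema.
    r.tables_in[("db1", "sales")].append("orders")
    r.table[("db1", "sales", "orders")] = {"carol": {"DROP", "SELECT"}}
    blocked = r.drop_schema("alice", "db1", "sales")
    r.table[("db1", "sales", "orders")]["alice"] = {"DROP"}
    dropped = r.drop_schema("alice", "db1", "sales")
    return created, blocked, dropped  # ((True, False), False, True)
```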
6. The rights management method based on the cockroachDB database as claimed in claim 4, wherein three rights types, CREATE, DROP and ALTER, are supported for rights at the object level, wherein:
when the CREATE permission type is executed, the user first needs to determine whether the object is attached to a database or to a schema, and then must hold the CREATE permission on that database/schema; the DROP permission type can execute the operation of deleting the object; and the ALTER permission type supports the operation of migrating the original object to a different database;
for rights at the object level, six rights types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported;
rights at the object level are divided into four kinds: relation, index, view and sequence;
for relation rights at the object level, six rights types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported, wherein the INSERT rights type can execute the operation of adding data, the DELETE rights type can execute the operation of deleting data, the UPDATE rights type can execute the operation of updating data, the SELECT rights type can execute the operation of querying data, the REFERENCES rights type can execute the operation of changing relation attributes, and the DROP rights type can execute the operation of deleting the corresponding data;
for index rights at the object level, the REFERENCES rights type is supported, and it can execute the operations of creating, modifying and deleting an index;
for view rights at the object level, two rights types, SELECT and DROP, are supported, wherein the SELECT rights type can execute the operation of querying a view, and the DROP rights type can execute the operation of deleting a view;
and for sequence rights at the object level, three rights types, SELECT, DROP and UPDATE, are supported, wherein the SELECT rights type can execute the operation of querying a sequence, the DROP rights type can execute the operation of deleting a sequence, and the UPDATE rights type can execute the operation of updating a sequence.
7. A rights management tool based on a cockroachDB database, the structure of which comprises:
a classification module, used for dividing authority into three levels, database, schema and object, according to the authority usage scenarios of the cockroachDB database;
an acquisition and storage module, used for acquiring the structure information of cockroachDB database authority and storing it separately under the authority of each of the three levels, database, schema and object;
and a processing module, used for solving the authority ring-forming problem through step-by-step empowerment and cascade revocation according to the authority structure information of the different levels.
8. The rights management tool based on the cockroachDB database of claim 7, wherein the structure information of cockroachDB database rights comprises three parts, name, type and role, wherein:
the name part comprises three items, Grantor, PrivilegeType and Grantable;
the type of Grantor is a character string, denoting the assignor of the authority;
the type of PrivilegeType is a character string used to mark the authority type;
the type of Grantable is a Boolean value recorded by the authority assignor which selects whether the authority can be further assigned to others, and which assists in solving the authority ring-forming problem.
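As an added example serving claims 2 and 8, not code from the patent or its tool, the following Python keeps a Grantor/PrivilegeType/Grantable record for every grant on one object and uses it for step-by-step empowerment, a ring check on re-grant, and cascade revocation; the class PrivilegeTable, the owner's root entry with the privilege type "ALL", and the user names are constructed for the example.

```python
from collections import namedtuple

# Constructed example; the patent names the three fields but not this code.
Grant = namedtuple("Grant", "grantor privilege_type grantable")  # Grantor, PrivilegeType, Grantable

class PrivilegeTable:
    """Grants held on one object; the owner's root entry has no grantor."""
    def __init__(self, owner):
        self.grants = {owner: [Grant(None, "ALL", True)]}  # holder -> grants received

    def _covers(self, g, priv):
        return g.privilege_type in (priv, "ALL")

    def _chain(self, user, priv):
        """Every user whose grant the given user's holding of priv descends from."""
        seen, stack = set(), [user]
        while stack:
            for g in self.grants.get(stack.pop(), []):
                if g.grantor is not None and g.grantor not in seen and self._covers(g, priv):
                    seen.add(g.grantor)
                    stack.append(g.grantor)
        return seen

    def has(self, user, priv):
        return any(self._covers(g, priv) for g in self.grants.get(user, []))

    def grant(self, grantor, grantee, priv, grantable=False):
        """Step-by-step empowerment: only a Grantable holding can be passed on, and
        never back to a user the grantor's own holding descends from (that would form a ring)."""
        can_pass = any(g.grantable and self._covers(g, priv) for g in self.grants.get(grantor, []))
        if not can_pass or grantee == grantor or grantee in self._chain(grantor, priv):
            return False
        self.grants.setdefault(grantee, []).append(Grant(grantor, priv, grantable))
        return True

    def revoke(self, grantor, grantee, priv):
        """Cascade revocation: drop the grant, and if the grantee no longer holds the
        privilege, revoke every grant of it the grantee made in turn."""
        before = self.grants.get(grantee, [])
        kept = [g for g in before if not (g.grantor == grantor and g.privilege_type == priv)]
        if len(kept) == len(before):
            return
        self.grants[grantee] = kept
        if not self.has(grantee, priv):
            for holder in list(self.grants):
                self.revoke(grantee, holder, priv)
```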
9. The rights management tool based on the cockroachDB database according to claim 7, wherein three rights types, CREATE, DROP and USAGE, are supported for rights at the database level, wherein the CREATE rights type can perform the operation of creating a database, the DROP rights type can perform the operation of deleting a database, and the USAGE rights type can perform the operation of accessing a database;
and for rights at the schema level, four rights types, CREATE, DROP, USAGE and ALTER, are supported, wherein the CREATE rights type can execute the operation of creating a schema, the DROP rights type can execute the operation of deleting a schema, the USAGE rights type can execute the operation of accessing a schema, and the ALTER right is used for changing a schema.
10. The rights management tool based on the cockroachDB database in accordance with claim 7, wherein three rights types, CREATE, DROP and ALTER, are supported for rights at the object level, wherein:
when the CREATE permission type is executed, the user first needs to determine whether the object is attached to a database or to a schema, and then must hold the CREATE permission on that database/schema; the DROP permission type can execute the operation of deleting the object; and the ALTER permission type supports the operation of migrating the original object to a different database;
for rights at the object level, six rights types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported;
rights at the object level are divided into four kinds: relation, index, view and sequence;
for relation rights at the object level, six rights types, INSERT, DELETE, UPDATE, SELECT, REFERENCES and DROP, are supported, wherein the INSERT rights type can execute the operation of adding data, the DELETE rights type can execute the operation of deleting data, the UPDATE rights type can execute the operation of updating data, the SELECT rights type can execute the operation of querying data, the REFERENCES rights type can execute the operation of changing relation attributes, and the DROP rights type can execute the operation of deleting the corresponding data;
for index rights at the object level, the REFERENCES rights type is supported, and it can execute the operations of creating, modifying and deleting an index;
for view rights at the object level, two rights types, SELECT and DROP, are supported, wherein the SELECT rights type can execute the operation of querying a view, and the DROP rights type can execute the operation of deleting a view;
and for sequence rights at the object level, three rights types, SELECT, DROP and UPDATE, are supported, wherein the SELECT rights type can execute the operation of querying a sequence, the DROP rights type can execute the operation of deleting a sequence, and the UPDATE rights type can execute the operation of updating a sequence.
CN202011054893.XA 2020-09-29 2020-09-29 Authority management method and tool based on cockroachDB database Active CN112214792B (en)

Publications (2)

Publication Number Publication Date
CN112214792A true CN112214792A (en) 2021-01-12
CN112214792B CN112214792B (en) 2023-03-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant