CN112487478B - Data access control method, device, storage medium and database system - Google Patents
- Publication number
- CN112487478B (application CN202011400075.0A)
- Authority
- CN
- China
- Prior art keywords
- access
- permission
- node
- client
- database system
- Prior art date
- Legal status
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
Embodiments of the invention disclose a data access control method, an access control device, a storage medium and a database system. The method comprises: receiving first permission query information sent by a routing node of the database system, the first permission query information comprising the user identifier carried in a client's access request and the static object identifier of the static access object that the request targets; querying, in the storage nodes of the database system, the metadata corresponding to that user identifier, and deciding from the retrieved metadata and the static object identifier whether the client holds access permission for the static access object; and returning the permission decision to the routing node so that the routing node executes the response operation matching the decision. The embodiments achieve data access control with high security, high performance and high availability.
Description
Technical Field
Embodiments of the invention relate to database technology, and in particular to a data access control method, device, storage medium and database system.
Background
With the arrival of the big-data era, data volumes have grown exponentially and the requirements for storing and retrieving data have changed. The performance of a traditional single-machine database drops sharply under massive request loads, so the industry has turned to distributed databases: the complete data set or computation task is split across database subsystems on several nodes, each subsystem handles only a subset of the requests, and the partial results are finally combined, which improves throughput.
At present, permission (access control) design in distributed databases is relatively simple. Most systems either use static file configuration or simply reuse the access control function of the underlying database subsystem, and most implement DAC (Discretionary Access Control) or RBAC (Role-Based Access Control) models.
In the static-ACL (Access Control List) approach, represented by Vitess, the relationships between predefined users, base tables and operation types (READ, WRITE and ADMIN) are read from a text file when the database starts, and at run time each user access is allowed or refused according to these static relationships. Any rule change requires the whole system to be restarted, and the operation types are far too coarse-grained. Directly reusing the permission function of the node database subsystem (MySQL, for example) can achieve fine-grained access control, but because it cannot be predicted in advance which data nodes a given request will touch, every node must store the same permission information; since the data is also kept in multiple copies, this causes heavy redundancy, which becomes worse as nodes are added. In addition, under a DAC or RBAC model a user may grant the rights they hold to others, so rights diffuse through the system, which does not meet the requirements of level protection (China's MLPS classified-protection scheme).
Disclosure of Invention
Embodiments of the invention provide a data access control method, device, storage medium and database system that achieve data access control with high security, high performance and high availability.
In a first aspect, an embodiment of the invention provides a data access control method applied to an access control node of a database system, the method comprising:
receiving first permission query information sent by a routing node of the database system, the first permission query information comprising the user identifier carried in a client's access request and the static object identifier of the static access object that the request targets;
querying, in the storage nodes of the database system, the metadata corresponding to the user identifier in the first permission query information, and deciding from the retrieved metadata and the static object identifier whether the client holds access permission for the static access object;
and returning the access permission decision to the routing node so that the routing node executes the response operation matching the decision.
In a second aspect, an embodiment of the invention further provides a data access control method applied to a routing node of a database system, the method comprising:
receiving and reading a client's access request;
when the access request contains a static access object, obtaining the user identifier from the access request and the object identifier of the static access object, and generating first permission query information;
sending the first permission query information to any access control node of the database system, and receiving that access control node's permission decision for the client;
and executing the response operation matching the permission decision.
In a third aspect, an embodiment of the invention further provides a data access control method applied to a computing node of a database system, the method comprising:
receiving and reading a client's access request forwarded by a routing node of the database system;
when the access request contains a dynamic access object, obtaining the user identifier from the access request and the object identifier of the dynamic access object, and generating second permission query information;
sending the second permission query information to any access control node of the database system, and receiving that access control node's permission decision for the client;
and executing the response operation matching the permission decision.
In a fourth aspect, an embodiment of the invention further provides an access control node device comprising a processor and a memory, the memory storing instructions which, when executed, cause the processor to:
receive first permission query information sent by a routing node of the database system, the first permission query information comprising the user identifier carried in a client's access request and the static object identifier of the static access object that the request targets;
query, in the storage nodes of the database system, the metadata corresponding to the user identifier in the first permission query information, and decide from the retrieved metadata and the static object identifier whether the client holds access permission for the static access object;
and return the access permission decision to the routing node so that the routing node executes the response operation matching the decision.
In a fifth aspect, an embodiment of the invention further provides a routing node device comprising a processor and a memory, the memory storing instructions which, when executed, cause the processor to:
receive and read a client's access request;
when the access request contains a static access object, obtain the user identifier from the access request and the object identifier of the static access object, and generate first permission query information;
send the first permission query information to any access control node of the database system, and receive that access control node's permission decision for the client;
and execute the response operation matching the permission decision.
In a sixth aspect, an embodiment of the invention further provides a computing node device comprising a processor and a memory, the memory storing instructions which, when executed, cause the processor to:
receive and read a client's access request forwarded by a routing node of the database system;
when the access request contains a dynamic access object, obtain the user identifier from the access request and the object identifier of the dynamic access object, and generate second permission query information;
send the second permission query information to any access control node of the database system, and receive that access control node's permission decision for the client;
and execute the response operation matching the permission decision.
In a seventh aspect, an embodiment of the invention further provides a database system comprising at least one access control node, at least one routing node, at least one computing node and at least one storage node, wherein:
the access control node is configured to perform the method of the first aspect;
the routing node is configured to perform the method of the second aspect;
the computing node is configured to perform the method of the third aspect;
and the storage node is configured to store the metadata corresponding to clients.
In an eighth aspect, embodiments of the invention further provide a storage medium containing computer-executable instructions which, when executed by a computer processor, perform the data access control method of any embodiment of the invention.
In the technical scheme of these embodiments, metadata describing the permissions of an access subject (user) over object data is introduced, so the security attributes of subjects and objects are fixed and cannot be modified at will by ordinary users, which keeps permissions under control. Because the access control process is deployed on several nodes, single points of failure are eliminated and the access control throughput for parallel transactions of the distributed database is improved, giving data access control with high security, high performance and high availability.
Drawings
Fig. 1 is a flowchart of a data access control method according to an embodiment of the present invention.
Fig. 2 is a flowchart of a data access control method according to a second embodiment of the present invention.
Fig. 3 is a flowchart of another data access control method according to a second embodiment of the present invention.
Fig. 4 is a flowchart of a data access control method according to a third embodiment of the present invention.
Fig. 5 is a flowchart of a data access control method according to a fourth embodiment of the present invention.
Fig. 6 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention.
Detailed Description
The embodiments of the present invention will be described in further detail with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad invention. It should be further noted that, for convenience of description, only some structures, not all structures, relating to the embodiments of the present invention are shown in the drawings.
The term "data access control" as used herein may include authenticating a user and managing the user's rights to access data.
The term "metadata" as used herein means data stored in the database that describes the access rights of a subject user over object data.
The term "data shard" as used herein means a unit in which a database system stores data on each node, obtained from the full data set through the basic operations of relational algebra.
The term "slave database instance" as used herein means a slave library (replica) in a grouped database architecture, which serves database reads.
The term "master database instance" as used herein means the master library in a grouped database architecture, which serves database writes.
The term "polling" as used herein means asking the candidate target node devices in sequence whether they can perform the target operation.
For ease of understanding, the main inventive concepts of the embodiments of the present invention are briefly described.
In the prior art, data access control must be performed on the database.
The permission design of existing distributed databases is simplistic and does not take the characteristics of a distributed database into account, which leads to redundant storage of permission data and diffusion of permissions, so that level-protection requirements cannot be met.
On this basis, the inventors propose that an access control node of the database system receives first permission query information sent by a routing node, the first permission query information comprising the user identifier carried in the client's access request and the static object identifier of the static access object that the request targets; queries, in the storage nodes of the database system, the metadata corresponding to that user identifier, and decides from the retrieved metadata and the static object identifier whether the client holds access permission for the static access object; and returns the decision to the routing node so that the routing node executes the response operation matching it. This optimizes the data access control of prior-art distributed databases and achieves data access control with high security, high performance and high availability.
Example one
Fig. 1 is a flowchart of a data access control method according to a first embodiment of the invention. This embodiment applies to deciding the permission of a data access request. The method may be executed by a data access control device implemented in software and/or hardware and generally integrated into a computer device, such as an access control node of the database system. An access control node is a node running one instance of the access control module, which is deployed in shards across the database system, and is used for permission authentication. As shown in Fig. 1, the method of this embodiment specifically comprises:
Step 110: receive first permission query information sent by a routing node of the database system.
The first permission query information comprises the user identifier carried in the client's access request and the static object identifier of the static access object that the request targets.
A routing node is a node running one instance of the routing service module, which is deployed in shards across the database system, and is used to receive external requests, distribute them and summarize the results. The client may be any user terminal able to send data access requests to the database system. The access request may be a request statement that reads or writes any data in the database. The user identifier may be any information that identifies the user, for example a user name. A static access object is a data object that the routing node can read directly from the access request statement. The static object identifier may be any information that identifies a static access object and may be the complete representation of a data object in the database; for example, a column object Obj may be represented by the triple Obj(database ID, table ID, column ID), where the three IDs may be the names or IDs of the database, table and column respectively.
Correspondingly, several clients may send data access requests to several routing nodes of the database system at the same time, and each routing node distributes the requests it receives to different access control nodes. The access request normally carries to the routing node the user identifier that the client presents as the access subject and the identifier of the object data it wants to access. After receiving the access request, the routing node reads the user identifier and the static object identifier of the static access object directly from the request statement, selects any access control node deployed in the database system by random inquiry, and sends the user identifier and the static object identifier to that access control node as the first permission query information.
Step 120: query, in the storage nodes of the database system, the metadata corresponding to the user identifier in the first permission query information, and decide from the retrieved metadata and the static object identifier whether the client holds access permission for the static access object.
A storage node is a node running one instance of the storage module, which is deployed in shards across the database system, and is used to store data shards. Each storage node may hold at least one data shard, and each data shard may comprise a master database instance and at least one slave database instance, so that the data is kept in multiple copies across the master and slave instances. The metadata describes the permissions of an access subject (user) over object data; the metadata for any user may contain that user's access permission for each access object. The metadata may be stored in the storage nodes in shards; preferably, a shard of the metadata is stored in the first data shard of at least one storage node, and the metadata may be organized, without limitation, as a structured library table.
Correspondingly, after receiving the first permission query information, the access control node determines from the user identifier which storage node holds the metadata for that user, performs a read operation, and reads from the metadata the user's access permission for the static access object named by the static object identifier; it can thereby decide whether the client that sent the access request holds access permission for the static access object in the request.
Optionally, the storage node holding the metadata for the user identifier may be determined by polling, and within the first data shard of that storage node any slave database instance is chosen by polling, which may be the first idle slave instance found; the read operation is performed on that slave instance to obtain the metadata corresponding to the user identifier.
Step 130: return the access permission decision to the routing node so that the routing node executes the response operation matching the decision.
The decision is either that the client holds access permission for the static access object or that it does not. The response operation matching the decision may be any preset operation the routing node can execute: for example, when the client holds permission the routing node may execute the access request statement or forward it to a preset lower node, and when the client does not the routing node may stop executing the statement or return an access-denied message to the client.
Correspondingly, the access control node completes the decision on the client's access permission from the first permission query information supplied by the routing node and the metadata in the storage node, and returns the decision, so that access control over static access objects is achieved.
This embodiment provides a data access control method in which metadata describing the permissions of an access subject (user) over object data is introduced, so the security attributes of subjects and objects are fixed and cannot be modified at will by ordinary users, which keeps permissions under control. Deploying the access control process on several nodes eliminates single points of failure and improves the access control throughput for parallel transactions of the distributed database, giving data access control with high security, high performance and high availability.
Optionally, on the basis of the above embodiment, the method further comprises: when a notification of an access control rule change is received, performing a write operation on the master database instance in the first data shard of each storage node to update the metadata.
The access control rule change notification may be sent to the access control node by the routing node when it detects a change of access control rule. An access control rule comprises the rules by which an access subject's permission over object data is decided. A rule change may be a change to the subject (user) information; its source may be a system table of the database, or it may be obtained from an external user authentication source through a pluggable authentication module. A rule change may also be a change to the permission information on the object data, which the routing node reads from a received access request statement and executes in the storage node. Changes from an external source are picked up by a monitoring mechanism that watches the source's operation log; changes that happen inside the database are picked up by a callback mechanism, for example a callback method added to every instance of the routing module, so that every change to subjects or objects sends an access control rule change notification to the access control module.
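The metadata path of steps 110 to 130 and the rule-change update above, as an added Python example that is not part of the patent: it models the first data shard of each storage node as a master instance plus slave instances, polls for an idle slave before the read, decides on a (database, table, column) triple, and routes the rule-change write to the master only. Hashing the user identifier to pick the storage node, the "no in-flight reads" idleness criterion, the "*" wildcard for all columns of a table and the synchronous master-to-slave copy are my assumptions, not details the patent gives.

```python
"""Added example (not the patent's code): a toy model of the access control
node's metadata path (steps 110-130) and the rule-change update.

My assumptions, not stated in the patent: a user's metadata lives on the
storage node selected by hashing the user identifier; that node's first data
shard has one master (writes) and several slaves (reads); a slave is "idle"
when it has no in-flight reads; permissions are (database, table, column)
triples, with "*" meaning every column of the table.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    inflight: int = 0                                 # reads in progress
    metadata: dict = field(default_factory=dict)      # user id -> set of triples


@dataclass
class StorageNode:
    """First data shard of one storage node: a master and its slaves."""
    name: str
    master: Instance
    slaves: list
    next_slave: int = 0

    def poll_idle_slave(self) -> Instance:
        """Ask the slaves in sequence whether they are idle and take the first
        one that is; if all are busy, fall back to plain round-robin."""
        n = len(self.slaves)
        for i in range(n):
            cand = self.slaves[(self.next_slave + i) % n]
            if cand.inflight == 0:
                self.next_slave = (self.next_slave + i + 1) % n
                return cand
        cand = self.slaves[self.next_slave]
        self.next_slave = (self.next_slave + 1) % n
        return cand

    def write_metadata(self, user_id: str, perms: set) -> None:
        """Writes go to the master only; slaves receive a copy (synchronously
        here, asynchronously in a real deployment)."""
        self.master.metadata[user_id] = set(perms)
        for s in self.slaves:
            s.metadata[user_id] = set(perms)


class AccessControlNode:
    def __init__(self, storage_nodes):
        self.storage_nodes = storage_nodes

    def node_for(self, user_id: str) -> StorageNode:
        """Assumed placement: hash of the user identifier picks the storage node."""
        h = hashlib.sha256(user_id.encode()).digest()
        return self.storage_nodes[int.from_bytes(h[:8], "big") % len(self.storage_nodes)]

    def check(self, user_id: str, obj: tuple) -> bool:
        """Step 120: read the user's metadata from a polled slave and decide.
        This client-facing path never writes, so a client cannot change any
        security attribute through it."""
        inst = self.node_for(user_id).poll_idle_slave()
        inst.inflight += 1
        try:
            perms = inst.metadata.get(user_id, set())
        finally:
            inst.inflight -= 1
        db, table, _ = obj
        return obj in perms or (db, table, "*") in perms

    def on_rule_change(self, user_id: str, perms: set) -> None:
        """Rule-change notification (from the routing node or an external
        authentication source): the only path that updates metadata."""
        self.node_for(user_id).write_metadata(user_id, perms)


def build_demo() -> AccessControlNode:
    """Constructed deployment: two storage nodes, one master + two slaves each."""
    nodes = [
        StorageNode(f"SN{i}", Instance(f"SN{i}-master"),
                    [Instance(f"SN{i}-slave1"), Instance(f"SN{i}-slave2")])
        for i in range(2)
    ]
    acn = AccessControlNode(nodes)
    # USER1 may access every column of DB1.TABLE1 and nothing else.
    acn.on_rule_change("USER1", {("DB1", "TABLE1", "*")})
    return acn


if __name__ == "__main__":
    acn = build_demo()
    print(acn.check("USER1", ("DB1", "TABLE1", "COLUMN1")))   # True
    print(acn.check("USER1", ("DB1", "TABLE2", "COLUMN2")))   # False
```

The point a practitioner should take from the split is that the read path and the write path are separate objects: a compromised client can drive `check` as often as it likes and still only ever reads, while `on_rule_change` is reachable only from the notification mechanism, which is what makes the subject/object security attributes fixed from the client's point of view.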
Example two
Fig. 2 is a flowchart of a data access control method according to a second embodiment of the invention. This embodiment may be combined with any of the alternatives of the embodiments above, and the method may further comprise: receiving second permission query information sent by a computing node of the database system, the second permission query information comprising the user identifier carried in the client's access request and the dynamic object identifier of the dynamic access object that the request targets; querying, in the storage nodes of the database system, the metadata corresponding to that user identifier, and deciding from the retrieved metadata and the dynamic object identifier whether the client holds access permission for the dynamic access object; and returning the permission decision to the computing node so that the computing node executes the response operation matching the decision.
As shown in fig. 2, the method of the embodiment of the present invention specifically includes:
Step 210: receive first permission query information sent by a routing node of the database system.
The first permission query information comprises the user identifier carried in the client's access request and the static object identifier of the static access object that the request targets.
Step 220: query, in the storage nodes of the database system, the metadata corresponding to the user identifier in the first permission query information, and decide from the retrieved metadata and the static object identifier whether the client holds access permission for the static access object.
The specific implementation of these steps is as in the corresponding steps of the first embodiment and is not repeated here.
Step 240: receive second permission query information sent by a computing node of the database system.
The second permission query information comprises the user identifier carried in the client's access request and the dynamic object identifier of the dynamic access object that the request targets.
A computing node is a node running one instance of the computing service module, which is deployed in shards across the database system, and is used to process complex requests. A dynamic access object is a data object obtained when a computing node of the database system analyses the access request statement; for example, when the computing node resolves the definition of the view object VIEW1 in the statement, the dynamic access object is COLUMN2. The dynamic object identifier may be any information that identifies a dynamic access object, including the complete representation of the data object in the database.
Correspondingly, the computing node receives the access request forwarded by the routing node, parses the statement, obtains the client's user identifier and the dynamic object identifier from it, selects any access control node deployed in the database system by random inquiry, and sends the user identifier and the dynamic object identifier to that node as the second permission query information.
Step 250: query, in the storage nodes of the database system, the metadata corresponding to the user identifier in the second permission query information, and decide from the retrieved metadata and the dynamic object identifier whether the client holds access permission for the dynamic access object.
Correspondingly, after receiving the second permission query information, the access control node determines from the user identifier which storage node holds the metadata for that user, performs a read operation, and reads from the metadata the user's access permission for the dynamic access object named by the dynamic object identifier; it can thereby decide whether the client that sent the access request holds access permission for the dynamic access object in the request.
Step 260: return the permission decision to the computing node so that the computing node executes the response operation matching the decision.
For example, when the client holds access permission for the dynamic access object the computing node may execute the access request statement or forward it to a preset lower node, and when the client does not the computing node may stop executing the statement or return an access-denied message to the upper node.
Correspondingly, the access control node completes the decision on the client's access permission from the second permission query information supplied by the computing node and the metadata in the storage node, and returns the decision, so that access control over dynamic access objects is achieved.
This embodiment provides a data access control method in which metadata describing the permissions of an access subject (user) over object data is introduced, so the security attributes of subjects and objects are fixed and cannot be modified at will by ordinary users, which keeps permissions under control. Deploying the access control process on several nodes eliminates single points of failure and improves the access control throughput for parallel transactions of the distributed database, giving data access control with high security, high performance and high availability.
This embodiment also provides a specific implementation. Fig. 3 is a flowchart of another data access control method according to the second embodiment of the invention. As shown in Fig. 3, an access request arrives at the database system and it is first determined whether the request contains a static access object. If it does, the user identifier and the static object identifier are obtained and it is decided whether access to the static access object is allowed. If access is not allowed, it is checked whether the request is inside a transaction: if so, the transaction is rolled back and the error is returned level by level; if not, the error is returned level by level.
If the access request contains no static access object, or access to the static access object is allowed, it is then determined whether the request contains a dynamic access object. If it does, the user identifier and the dynamic object identifier are obtained and it is decided whether access to the dynamic access object is allowed. If access is not allowed, it is again checked whether the request is inside a transaction: if so, the transaction is rolled back and the error is returned level by level; otherwise the error is returned level by level. If the request contains no dynamic access object, or access to it is allowed, the access request is executed.
Illustratively, the user of the client that sent the access request SQL statement is identified by the username "USER1". The database DB1 receiving the access request contains two fragment tables, TABLE1 and TABLE2, and a view VIEW1 defined on TABLE2.
Where TABLE1 is defined as:
CREATE TABLE TABLE1
(COLUMN1 BIGINT,…)
…
PARTITION BY HASH(COLUMN1) USING HASH;
and VIEW1 is defined as:
CREATE VIEW VIEW1
AS SELECT COLUMN2 FROM DB1.TABLE2;
The access request sent by client USER1 is:
SELECT T.COLUMN1,V.COLUMN2 FROM DB1.TABLE1 AS T
JOIN VIEW1 AS V
ON T.COLUMN1=V.COLUMN2;
in addition, a certain storage node in the database DB1 stores therein metadata corresponding to the client USER1, and there is only one piece of authority information included in the metadata, and only all columns in the TABLE1 are allowed to be accessed for the USER 1.
When the client sends the access request to a certain routing node of the database DB1, the routing node reads the USER identifier USER1 and the static object identifier (DB1, TABLE1, COLUMN1) according to the received access request, generates first right query information, and sends the first right query information to a certain access control node by randomly inquiring the certain access control node. The access control node polls and reads the metadata in a slave database instance in the first sub-slice of a storage node, judges that the USER1 has the right to access the COLUMN1 of the TABLE1, and returns the result to the routing node. The routing node obtains the result with the authority and issues the access request to a certain computing node.
The computing node analyzes the definition of the VIEW object VIEW1 statement by statement to obtain a USER identifier USER1 and a dynamic object identifier (TABLE2, COLUMN2), generates second authority query information, and sends the second authority query information to an access control node by randomly inquiring the access control node. The access control node polls and reads the metadata in a slave database instance in the first sub-slice of a storage node, judges that the USER1 does not allow the access to the COLUMN2 of the guest TABLE2, and then returns the judgment result to the computing node. And the routing node obtains the result of the lack of the authority, rolls back the whole transaction and reports the lack of the necessary authority step by step.
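The two-stage check just walked through, as an added example that is not part of the patent or of any implementation of it: a small Python simulation in which the routing node reads the static objects straight from the statement, the computing node expands VIEW1 into the dynamic objects it reads, and a shared permission lookup stands in for the access control node. The regex-based statement reader, the catalog of DB1 (BASE_TABLES, VIEWS) and the METADATA dictionary are assumptions constructed for the example.

```python
"""Two-stage permission check from the worked example above, simulated in one
process. Added example, not the patent's own code: the regex-based statement
reader, the catalog of DB1 and the metadata are constructed assumptions."""
import re
from dataclasses import dataclass

# Constructed catalog of database DB1: two fragment tables and one view.
BASE_TABLES = {"TABLE1", "TABLE2"}
# VIEW1 AS SELECT COLUMN2 FROM DB1.TABLE2: view column -> underlying object.
VIEWS = {"VIEW1": {"COLUMN2": ("DB1", "TABLE2", "COLUMN2")}}

# Constructed metadata as held on the storage node: USER1 may access every
# column ("*") of DB1.TABLE1 and nothing else.
METADATA = {"USER1": {("DB1", "TABLE1", "*")}}

# Minimal reader for "FROM/JOIN [db.]name [AS alias]" and "alias.column".
_REF = re.compile(r"\b(FROM|JOIN)\s+(?:(\w+)\.)?(\w+)(?:\s+AS\s+(\w+))?", re.I)
_COL = re.compile(r"\b(\w+)\.(\w+)\b")


@dataclass
class Denied:
    stage: str         # "static" (routing node) or "dynamic" (computing node)
    obj: tuple         # (db, table, column) the client may not access
    rolled_back: bool  # True when the request was part of a transaction


def referenced_columns(sql, default_db="DB1"):
    """Map every FROM/JOIN target to the columns the statement uses on it:
    {alias: ((db, name), {column, ...})}, in statement order."""
    targets = {}
    for _, db, name, alias in _REF.findall(sql):
        targets[(alias or name).upper()] = ((db or default_db).upper(), name.upper())
    used = {alias: set() for alias in targets}
    for left, right in _COL.findall(sql):
        if left.upper() in used:   # "DB1.TABLE1" is a table reference, not a column
            used[left.upper()].add(right.upper())
    return {alias: (targets[alias], used[alias]) for alias in targets}


def has_permission(metadata, user, obj):
    """Access control node: answer one permission query from the metadata."""
    db, table, _ = obj
    grants = metadata.get(user, set())
    return obj in grants or (db, table, "*") in grants


def routing_node(user, sql, in_txn, metadata=METADATA):
    """Stage 1: check the static objects read directly from the statement.
    View references are left for the computing node."""
    refs = referenced_columns(sql)
    for (db, name), cols in refs.values():
        if name in BASE_TABLES:
            for col in sorted(cols):
                if not has_permission(metadata, user, (db, name, col)):
                    return Denied("static", (db, name, col), in_txn)
        elif name not in VIEWS:
            raise ValueError(f"unknown object {db}.{name}")
    return computing_node(user, refs, in_txn, metadata)


def computing_node(user, refs, in_txn, metadata):
    """Stage 2: expand each view definition into the dynamic objects it reads
    and check those; only then is the request forwarded to the storage node."""
    for (_, name), cols in refs.values():
        if name not in VIEWS:
            continue
        for col in sorted(cols):
            obj = VIEWS[name].get(col)
            if obj is None:
                raise ValueError(f"{name} has no column {col}")
            if not has_permission(metadata, user, obj):
                return Denied("dynamic", obj, in_txn)
    return "executed"  # forwarded to the storage node for execution


def handle_request(user, sql, in_transaction=True):
    """Entry point of the database system: client -> routing node."""
    return routing_node(user, sql, in_transaction)


if __name__ == "__main__":
    SQL = ("SELECT T.COLUMN1,V.COLUMN2 FROM DB1.TABLE1 AS T "
           "JOIN VIEW1 AS V ON T.COLUMN1=V.COLUMN2;")
    print(handle_request("USER1", SQL))
```

Run on the statement from the example, the request passes the routing node's check on TABLE1 and is refused at the dynamic stage for (DB1, TABLE2, COLUMN2) with the transaction rolled back, which is the outcome the description reaches. The point worth noting for a reviewer is that the object underlying the view is what gets checked, not the view name, so a grant on TABLE1 does not extend to columns of TABLE2 reached through VIEW1.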
EXAMPLE III
Fig. 4 is a flowchart of a data access control method according to a third embodiment of the present invention. The embodiment can be applied to judging the permission of a data access request; the method can be executed by a data access control device, can be implemented in software and/or hardware, and can generally be integrated in computer equipment such as a routing node in a database system. As shown in fig. 4, the method of the embodiment specifically includes:
Accordingly, the client may determine an available and idle routing node from at least one routing node in the database system through any implementable manner such as random query or polling, and send the access request to the routing node. The routing node can receive and read an access request sent by a client, and judge whether the access request comprises a static access object.
Accordingly, the routing node may read the user identification and the static object identification directly from the access request statement.
Step 330, sending the first permission query information to any access control node in the database system, and receiving the permission judgment result of the access control node for the client.
Correspondingly, the routing node can determine any access control node by adopting a random inquiry mode and send the first authority inquiry information to the access control node.
Step 340, executing a response operation matched with the permission judgment result.
Optionally, the executing the response operation matched with the permission determination result includes: when the permission judgment result shows that the client has the access permission to the static access object, the access request is sent to any computing node in a database system; and when the permission judgment result shows that the client does not have the access permission to the static access object, returning permission missing error information to the client.
Correspondingly, if the client has an access right to the static access object, which may indicate that the read or write request to the static access object in the access request is allowed to be executed, the access request needs to be sent to the computing node, so that the computing node parses the access request to obtain the dynamic access object in the access request.
If the client does not have the access right to the static access object, it can be shown that the read or write request to the static access object in the access request is not allowed to be executed, and the right missing error information can be directly returned to the client without continuously acquiring the dynamic access object and the access right of the client to the dynamic access object.
Optionally, before returning the right missing error information to the client, the method further includes: rolling back the transaction when the access request is in a transaction.
Correspondingly, if the client does not have the access right to the static access object, any modification already made to the database by the data access operation can be fully undone by rolling back the transaction, which preserves the correctness of the data in the database and the normal operation of database transactions.
The embodiment of the invention provides a data access control method. By introducing metadata that describes the permission information of a user (the access subject) over the accessed object data, the security attributes of subject and object are fixed and ordinary users cannot modify them at will, which keeps the permissions controllable; by deploying the access control process on multiple nodes, single points of failure are eliminated and the access control performance for parallel transactions of a distributed database is improved, so that data access control with high security, high performance and high availability is achieved.
Optionally, on the basis of the foregoing embodiment, the method further includes: when the change of the access control rule is detected, sending an access control rule change notice to any access control node in the database system, so that the access control node updates the metadata according to the access control rule change notice.
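The metadata path the access control node uses, as an added example rather than the patent's own code: reads of a user's permission metadata are polled across the slave instances of the first data shard of the storage node holding it, and a rule-change notice is applied by writing the master instance of each storage node's first shard. The shard layout, the hash that picks the owning storage node, the synchronous replicate() step and the stale_slaves() check are constructed assumptions.

```python
"""Metadata read and update path of the access control node (the polled read
from a slave instance and the master write on a rule-change notice).
Added example, not the patent's own code: the shard layout, the owner hash,
the synchronous replicate() step and the stale-slave check are assumptions."""
import itertools
from copy import deepcopy


class DbInstance:
    """One database instance (master or slave) in the first data shard."""
    def __init__(self, name, metadata):
        self.name = name
        self.metadata = deepcopy(metadata)  # {user: {(db, table, column), ...}}
        self.reads = 0

    def read(self, user):
        self.reads += 1
        return set(self.metadata.get(user, set()))

    def write(self, user, grants):
        self.metadata[user] = set(grants)


class StorageNode:
    """First data shard of a storage node: one master plus N slave instances."""
    def __init__(self, name, metadata, n_slaves):
        self.name = name
        self.master = DbInstance(f"{name}-master", metadata)
        self.slaves = [DbInstance(f"{name}-slave{i}", metadata) for i in range(n_slaves)]
        self._poll = itertools.cycle(self.slaves)  # round-robin read target

    def next_slave(self):
        return next(self._poll)

    def replicate(self):
        """Copy the master's metadata to every slave (assumed synchronous here;
        a real deployment may lag, which stale_slaves() makes visible)."""
        for slave in self.slaves:
            slave.metadata = deepcopy(self.master.metadata)

    def stale_slaves(self):
        """Names of slaves whose metadata differs from the master: a revoked
        grant is still honoured by checks that land on these instances."""
        return [s.name for s in self.slaves if s.metadata != self.master.metadata]


class AccessControlNode:
    def __init__(self, storage_nodes):
        self.storage_nodes = storage_nodes

    def _owner(self, user):
        """Storage node holding the user's metadata (assumed: hashed by name)."""
        return self.storage_nodes[sum(map(ord, user)) % len(self.storage_nodes)]

    def lookup(self, user):
        """Read-only path: polls the slaves so checks never load the master."""
        return self._owner(user).next_slave().read(user)

    def has_permission(self, user, obj):
        db, table, _ = obj
        grants = self.lookup(user)
        return obj in grants or (db, table, "*") in grants

    def on_rule_change(self, user, grants, replicate=True):
        """Rule-change notice: write the master instance of every storage
        node's first shard, then propagate the new metadata to the slaves."""
        for node in self.storage_nodes:
            node.master.write(user, grants)
            if replicate:
                node.replicate()


if __name__ == "__main__":
    node = StorageNode("S1", {"USER1": {("DB1", "TABLE1", "*")}}, n_slaves=2)
    acn = AccessControlNode([node])
    print(acn.has_permission("USER1", ("DB1", "TABLE1", "COLUMN1")))
    acn.on_rule_change("USER1", set())
    print(acn.has_permission("USER1", ("DB1", "TABLE1", "COLUMN1")))
```

The stale_slaves() check is the caveat to keep in mind: between the master write and replication to the slaves, a permission check that polls a lagging slave still honours a grant that has just been revoked, so the time from rule change to slave convergence is the revocation latency of the scheme and is worth monitoring.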
EXAMPLE IV
Fig. 5 is a flowchart of a data access control method according to a fourth embodiment of the present invention. The embodiment can be applied to judging the permission of a data access request; the method can be executed by a data access control device, can be implemented in software and/or hardware, and can generally be integrated in computer equipment such as a computing node in a database system. As shown in fig. 5, the method of the embodiment specifically includes:
Step 410, receiving and reading the access request of the client sent by the routing node in the database system.
Accordingly, the routing node may determine an available and idle computing node among at least one computing node in the database system by any implementable manner such as random query or polling, and send the access request to the computing node. The computing node may receive and read the access request sent by the routing node, and determine whether the access request includes a dynamic access object.
Correspondingly, the routing node can obtain the user identifier and the dynamic object identifier by analyzing the access request statement.
Correspondingly, the computing node can determine any access control node by adopting a random inquiry mode and send the second authority inquiry information to the access control node.
Step 440, executing a response operation matched with the permission judgment result.
Optionally, the executing the response operation matched with the permission determination result includes: when the permission judgment result shows that the client has the access permission to the static access object, the access request is sent to a storage node corresponding to the access request in a database system; and when the permission judgment result shows that the client does not have the access permission to the static access object, returning permission missing error information to the routing node so that the routing node returns the permission missing error information to the client.
Correspondingly, if the client has the access right to the dynamic access object, which may indicate that the read or write request for the dynamic access object in the access request is allowed to be executed, when the client has access rights to both the static access object and the dynamic access object in the access request, the client may send the access request to the storage node, so that the storage node executes the access request statement to complete the read operation or write operation on the access object data. After the storage node finishes executing the access request, the execution result can be returned to the client side step by step through the computing node and the routing node.
If the client does not have the access right to the dynamic access object, which can indicate that the read or write request to the dynamic access object in the access request is not allowed to be executed, the access request cannot be sent to the storage node, and the information of the right missing error can be returned to the client.
Optionally, before returning the right missing error information to the client, the method further includes: rolling back the transaction when the access request is in a transaction.
The embodiment of the invention provides a data access control method. By introducing metadata that describes the permission information of a user (the access subject) over the accessed object data, the security attributes of subject and object are fixed and ordinary users cannot modify them at will, which keeps the permissions controllable; by deploying the access control process on multiple nodes, single points of failure are eliminated and the access control performance for parallel transactions of a distributed database is improved, so that data access control with high security, high performance and high availability is achieved.
EXAMPLE V
Fig. 6 is a schematic structural diagram of a computer apparatus according to a fifth embodiment of the present invention, as shown in fig. 6, the computer apparatus includes a processor 50, a memory 51, an input device 52, and an output device 53; the number of processors 50 in the computer device may be one or more, and one processor 50 is taken as an example in fig. 6; the processor 50, the memory 51, the input device 52 and the output device 53 in the computer apparatus may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 6.
The memory 51 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the data access control method in the embodiment of the present invention. The processor 50 executes various functional applications and data processing of the computer device by executing software programs, instructions and modules stored in the memory 51, that is, implements the data access control method described above.
The memory 51 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 51 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 51 may further include memory located remotely from the processor 50, which may be connected to a computer device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 52 is operable to receive input numeric or character information and to generate key signal inputs relating to user settings and function controls of the computer apparatus. The output device 53 may include a display device such as a display screen.
EXAMPLE VI
A sixth embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the data access control method provided in the embodiments of the present invention.
Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or computer device. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (16)
1. A data access control method is applied to an access control node in a database system, and the method comprises the following steps:
receiving first permission query information sent by a routing node in a database system, wherein the first permission query information comprises: the user identification in the access request of the client and the static object identification of the static access object requesting access;
inquiring metadata corresponding to a user identifier in first permission inquiry information in each storage node of a database system, and judging whether the client has an access permission to the static access object or not according to the metadata obtained by inquiry and the static object identifier;
returning the access authority judgment result to the routing node so that the routing node can execute an operation response matched with the authority judgment result;
wherein the executing the response operation matched with the permission judgment result comprises:
when the permission judgment result shows that the client has the access permission to the static access object, the access request is sent to any computing node in a database system;
when the permission judgment result shows that the client does not have the access permission to the static access object, returning permission missing error information to the client;
wherein, the static access object is a data object directly read by a routing node in the database system in an access request statement;
wherein, after receiving the access request, the any computing node comprises:
receiving and reading an access request of a client sent by a routing node in a database system;
when the access request comprises a dynamic access object, acquiring a user identifier in the access request and access object identifier information of the dynamic access object, and generating second permission query information;
sending the second permission query information to any access control node in a database system, and receiving a permission judgment result of the access control node to the client;
executing response operation matched with the permission judgment result;
and the dynamic access object is a data object obtained by analyzing the access request statement by a computing node in the database system.
2. The method of claim 1, further comprising:
receiving second permission query information sent by a computing node in a database system, wherein the second permission query information comprises: the user identification in the access request of the client and the dynamic object identification of the dynamic access object requesting access;
inquiring metadata corresponding to the user identifier in the second permission inquiry information in each storage node of the database system, and judging whether the client has the access permission to the dynamic access object or not according to the metadata obtained by inquiry and the dynamic object identifier;
returning the authority judgment result to the computing node so that the computing node can execute an operation response matched with the authority judgment result;
and the dynamic access object is a data object obtained by analyzing the access request statement by a computing node in the database system.
3. The method of claim 1 or 2, wherein querying each storage node of the database system for metadata corresponding to the user identifier in the first permission query information or the second permission query information comprises:
determining any slave database instance in a storage node storing metadata corresponding to the user identifier and a first data fragment of the storage node by adopting a polling mode;
and executing reading operation in the slave database instance to acquire metadata corresponding to the user identification.
4. The method of claim 1 or 2, further comprising:
and when receiving the notification of the change of the access control rule, executing write operation in the main database instance in the first data fragment of each storage node to update the metadata.
5. A data access control method applied to a routing node in a database system, the method comprising:
receiving and reading an access request of a client;
when the access request comprises a static access object, acquiring a user identifier in the access request and access object identifier information of the static access object, and generating first permission query information;
sending the first permission query information to any access control node in a database system, and receiving a permission judgment result of the access control node to the client;
executing response operation matched with the permission judgment result;
wherein the executing the response operation matched with the permission judgment result comprises:
when the permission judgment result shows that the client has the access permission to the static access object, the access request is sent to any computing node in a database system;
when the permission judgment result shows that the client does not have the access permission to the static access object, returning permission missing error information to the client;
wherein, after receiving the access request, the any computing node includes:
receiving and reading an access request of a client sent by a routing node in a database system;
when the access request comprises a dynamic access object, acquiring a user identifier in the access request and access object identifier information of the dynamic access object, and generating second permission query information;
sending the second permission query information to any access control node in a database system, and receiving a permission judgment result of the access control node to the client;
executing response operation matched with the permission judgment result;
wherein, the static access object is a data object directly read by a routing node in the database system in an access request statement;
and the dynamic access object is a data object obtained by analyzing the access request statement by a computing node in the database system.
6. A data access control method applied to a compute node in a database system, the method comprising:
receiving and reading an access request of a client sent by a routing node in a database system;
when the access request comprises a dynamic access object, acquiring a user identifier in the access request and access object identifier information of the dynamic access object, and generating second permission query information;
sending the second permission query information to any access control node in a database system, and receiving a permission judgment result of the access control node to the client;
executing response operation matched with the permission judgment result;
wherein, when the access request of the client sent by the routing node in the database system is received and read, the access request specifically comprises:
when the permission judgment result shows that the client has the access permission to the static access object, the routing node sends the access request to any computing node in the database system;
wherein, the static access object is a data object directly read by a routing node in the database system in an access request statement;
and the dynamic access object is a data object obtained by analyzing the access request statement by a computing node in the database system.
7. The method according to claim 6, wherein the performing the response operation matching the permission determination result comprises:
when the permission judgment result shows that the client has the access permission to the dynamic access object, the access request is sent to a storage node corresponding to the access request in a database system;
and when the permission judgment result shows that the client does not have the access permission to the dynamic access object, returning permission missing error information to the routing node so that the routing node returns the permission missing error information to the client.
8. An access control node device comprising a processor and a memory, the memory for storing instructions that, when executed, cause the processor to:
receiving first permission query information sent by a routing node in a database system, wherein the first permission query information comprises: the user identification in the access request of the client and the static object identification of the static access object requesting access;
inquiring metadata corresponding to a user identifier in first permission inquiry information in each storage node of a database system, and judging whether the client has an access permission to the static access object or not according to the metadata obtained by inquiry and the static object identifier;
returning the access authority judgment result to the routing node so that the routing node can execute an operation response matched with the authority judgment result;
wherein the executing the response operation matched with the permission judgment result comprises:
when the permission judgment result shows that the client has the access permission to the static access object, the access request is sent to any computing node in a database system;
when the permission judgment result shows that the client does not have the access permission to the static access object, returning permission missing error information to the client;
wherein, after receiving the access request, the any computing node includes:
receiving and reading an access request of a client sent by a routing node in a database system;
when the access request comprises a dynamic access object, acquiring a user identifier in the access request and access object identifier information of the dynamic access object, and generating second permission query information;
sending the second permission query information to any access control node in a database system, and receiving a permission judgment result of the access control node to the client;
executing response operation matched with the permission judgment result;
wherein, the static access object is a data object directly read by a routing node in the database system in an access request statement;
and the dynamic access object is a data object obtained by analyzing the access request statement by a computing node in the database system.
9. The device of claim 8, wherein the instructions, when executed, further cause the processor to:
receiving second permission query information sent by a computing node in a database system, wherein the second permission query information comprises: the user identification in the access request of the client and the dynamic object identification of the dynamic access object requesting access;
inquiring metadata corresponding to the user identifier in the second permission inquiry information in each storage node of the database system, and judging whether the client has the access permission to the dynamic access object or not according to the metadata obtained by inquiry and the dynamic object identifier;
and returning the authority judgment result to the computing node so that the computing node executes an operation response matched with the authority judgment result.
10. The apparatus of claim 8 or 9, wherein the processor is further configured to query the storage nodes of the database system for the metadata corresponding to the user identifier in the first permission query information or the second permission query information by:
determining any slave database instance in a storage node storing metadata corresponding to the user identifier and a first data fragment of the storage node by adopting a polling mode;
and executing reading operation in the slave database instance to acquire metadata corresponding to the user identification.
11. The apparatus of claim 8 or 9, wherein the instructions, when executed, further cause the processor to:
and when receiving the notification of the change of the access control rule, executing write operation in the main database instance in the first data fragment of each storage node to update the metadata.
12. A routing node device comprising a processor and a memory, the memory storing instructions that, when executed, cause the processor to:
receive and read an access request from a client;
when the access request comprises a static access object, obtain the user identifier in the access request and the access object identifier information of the static access object, and generate first permission query information;
send the first permission query information to any access control node in the database system, and receive the access control node's permission judgment result for the client;
execute a response operation matching the permission judgment result;
wherein the processor executes the response operation matching the permission judgment result by:
when the permission judgment result indicates that the client has access permission to the static access object, sending the access request to any computing node in the database system;
when the permission judgment result indicates that the client does not have access permission to the static access object, returning a permission-missing error message to the client;
wherein said any computing node, after receiving the access request, is configured to:
receive and read the access request of the client forwarded by a routing node in the database system;
when the access request comprises a dynamic access object, obtain the user identifier in the access request and the access object identifier information of the dynamic access object, and generate second permission query information;
send the second permission query information to any access control node in the database system, and receive the access control node's permission judgment result for the client;
execute a response operation matching the permission judgment result;
wherein the static access object is a data object that a routing node in the database system reads directly from the access request statement;
and the dynamic access object is a data object that a computing node in the database system obtains by analysing the access request statement.
13. A computing node device comprising a processor and a memory, the memory storing instructions that, when executed, cause the processor to:
receive and read an access request of a client forwarded by a routing node in a database system;
when the access request comprises a dynamic access object, obtain the user identifier in the access request and the access object identifier information of the dynamic access object, and generate second permission query information;
send the second permission query information to any access control node in the database system, and receive the access control node's permission judgment result for the client;
execute a response operation matching the permission judgment result;
wherein the access request received and read from the routing node is one that the routing node forwards as follows:
when the permission judgment result indicates that the client has access permission to the static access object, the routing node sends the access request to any computing node in the database system;
wherein the static access object is a data object that a routing node in the database system reads directly from the access request statement;
and the dynamic access object is a data object that a computing node in the database system obtains by analysing the access request statement.
14. The device of claim 13, wherein the processor executes the response operation matching the permission judgment result by:
when the permission judgment result indicates that the client has access permission to the dynamic access object, sending the access request to the storage node in the database system that corresponds to the access request;
and when the permission judgment result indicates that the client does not have access permission to the dynamic access object, returning a permission-missing error message to the routing node, so that the routing node returns the permission-missing error message to the client.
15. A database system comprising at least one access control node, at least one routing node, at least one computing node, and at least one storage node;
the access control node being configured to perform the method of any one of claims 1-4;
the routing node being configured to perform the method of claim 5;
the computing node being configured to perform the method of any one of claims 6-7;
and the storage node being configured to store the metadata corresponding to the client.
16. A storage medium containing computer-executable instructions which, when executed by a computer processor, perform the data access control method of any one of claims 1-4, 5 or 6-7.
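The claims above describe a two-stage check: the routing node judges the objects it can read straight from the statement text (static access objects) before forwarding, and the computing node judges the objects it only discovers by analysing the statement (dynamic access objects) before touching a storage node; the access control node answers both queries from metadata that claim 11 keeps in the primary instance of the first data fragment of every storage node. The following Python simulation is an added example and is not code from the patent or from any product implementing it. It assumes, since the claims do not say, that dynamic access objects are the base tables behind a view (`SAMPLE_VIEWS`), that the metadata is a set of (object, privilege) pairs per user (`SAMPLE_PERMISSIONS`), that the access control node reads metadata from the first fragment of the first storage node, and that the routing node finds static objects with a lexical scan rather than a full SQL parse; all names and sample data are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data (not from the patent).
# Permission metadata: user id -> {(object, privilege)}.  ASSUMPTION: the patent
# does not describe the metadata layout; a set of (object, privilege) pairs is used.
SAMPLE_PERMISSIONS = {
    "alice": {("orders", "select"), ("customers", "select")},
    "bob": {("orders_view", "select")},   # may read the view, not its base tables
}
# ASSUMPTION: dynamic access objects are modelled as the base tables behind a
# view, which only the computing node resolves when it analyses the statement.
SAMPLE_VIEWS = {"orders_view": ["orders", "customers"]}

PRIVILEGE_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
OBJECT_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_]\w*)", re.I)


def privilege_of(sql):
    """Privilege implied by the statement verb ('execute' for anything else)."""
    m = PRIVILEGE_RE.match(sql)
    return m.group(1).lower() if m else "execute"


def static_objects(sql):
    """Objects the routing node reads directly from the statement text
    (a lexical scan; ASSUMPTION: the routing node does no full SQL parse)."""
    return sorted({name.lower() for name in OBJECT_RE.findall(sql)})


@dataclass
class StorageNode:
    """Fragment 0 of every storage node holds a primary and a replica copy of the metadata."""
    name: str
    fragments: list = field(default_factory=lambda: [{"primary": {}, "replica": {}}])


class AccessControlNode:
    def __init__(self, storage_nodes):
        self.storage_nodes = storage_nodes
        for node in storage_nodes:       # seed the metadata on every node's primary
            node.fragments[0]["primary"] = {u: set(p) for u, p in SAMPLE_PERMISSIONS.items()}

    def judge(self, user, objects, privilege):
        """Permission judgment: the user must hold `privilege` on every object.
        ASSUMPTION: metadata is read from the first fragment of the first storage node."""
        granted = self.storage_nodes[0].fragments[0]["primary"].get(user, set())
        return all((obj, privilege) in granted for obj in objects)

    def on_rule_change(self, user, obj, privilege, grant):
        """Rule-change notification (claim 11): write to the primary instance in the
        first data fragment of each storage node so every copy of the metadata agrees."""
        for node in self.storage_nodes:
            perms = node.fragments[0]["primary"].setdefault(user, set())
            (perms.add if grant else perms.discard)((obj, privilege))


class ComputingNode:
    """Second-stage check on dynamic access objects, then hand-off to a storage node."""
    def __init__(self, acl, storage, views):
        self.acl, self.storage, self.views = acl, storage, views

    def handle(self, request):
        sql, user = request["sql"], request["user"]
        dynamic = sorted({base for obj in static_objects(sql) for base in self.views.get(obj, [])})
        if dynamic and not self.acl.judge(user, dynamic, privilege_of(sql)):
            return {"status": "permission_denied", "stage": "computing", "objects": dynamic}
        return {"status": "ok", "stage": "storage", "node": self.storage.name,
                "objects": static_objects(sql) + dynamic}


class RoutingNode:
    """First-stage check on static access objects; forwards to a computing node on success."""
    def __init__(self, acl, compute):
        self.acl, self.compute = acl, compute

    def handle(self, request):
        sql, user = request["sql"], request["user"]
        objs = static_objects(sql)
        if objs and not self.acl.judge(user, objs, privilege_of(sql)):
            return {"status": "permission_denied", "stage": "routing", "objects": objs}
        return self.compute.handle(request)      # a computing-node denial propagates back here


def build_system():
    """Two storage nodes, one access control node, one computing node, one routing node."""
    storage = [StorageNode("storage-1"), StorageNode("storage-2")]
    acl = AccessControlNode(storage)
    return acl, RoutingNode(acl, ComputingNode(acl, storage[0], SAMPLE_VIEWS))


if __name__ == "__main__":
    acl, router = build_system()
    for user, sql in [("alice", "SELECT id FROM orders"),
                      ("bob", "SELECT id FROM orders"),
                      ("bob", "SELECT id FROM orders_view")]:
        print(user, "->", router.handle({"user": user, "sql": sql}))
    acl.on_rule_change("bob", "orders", "select", True)
    acl.on_rule_change("bob", "customers", "select", True)
    print("bob after grant ->", router.handle({"user": "bob", "sql": "SELECT id FROM orders_view"}))
```

The point the simulation makes is the one the claims hinge on: `bob` passes the routing-node check for `orders_view` because that name is visible in the statement, and is stopped only at the computing node once the view has been resolved to `orders` and `customers`; a grant written through `on_rule_change` lands on every storage node's primary fragment, which is what keeps the two checks consistent.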
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011400075.0A CN112487478B (en) | 2020-12-02 | 2020-12-02 | Data access control method, device, storage medium and database system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011400075.0A CN112487478B (en) | 2020-12-02 | 2020-12-02 | Data access control method, device, storage medium and database system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112487478A CN112487478A (en) | 2021-03-12 |
CN112487478B true CN112487478B (en) | 2021-10-08 |
Family
ID=74938098
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011400075.0A Active CN112487478B (en) | 2020-12-02 | 2020-12-02 | Data access control method, device, storage medium and database system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112487478B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112861182A (en) * | 2021-03-29 | 2021-05-28 | 中信银行股份有限公司 | Database query method and system, computer equipment and storage medium |
CN113285933A (en) * | 2021-05-13 | 2021-08-20 | 京东数字科技控股股份有限公司 | User access control method and device, electronic equipment and storage medium |
CN118656854B (en) * | 2024-08-21 | 2024-10-18 | 南瑞轨道交通技术有限公司 | Process authorization and access control method and system for integrated monitoring system of rail transit |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104333512A (en) * | 2014-10-30 | 2015-02-04 | 北京思特奇信息技术股份有限公司 | Distributed memory database access system and method |
CN111914295A (en) * | 2020-08-04 | 2020-11-10 | 北京金山云网络技术有限公司 | Database access control method and device and electronic equipment |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6064656A (en) * | 1997-10-31 | 2000-05-16 | Sun Microsystems, Inc. | Distributed system and method for controlling access control to network resources |
WO2013113607A1 (en) * | 2012-02-01 | 2013-08-08 | International Business Machines Corporation | A method for optimizing processing of restricted-access data |
CN105303102A (en) * | 2015-11-03 | 2016-02-03 | 浪潮电子信息产业股份有限公司 | Secure access method for virtual machine and virtual machine system |
CN107895123A (en) * | 2017-11-13 | 2018-04-10 | 医渡云(北京)技术有限公司 | Data access authority control method and device, method for managing user right |
CN111488595B (en) * | 2020-03-27 | 2023-03-28 | 腾讯科技(深圳)有限公司 | Method for realizing authority control and related equipment |
CN111698228B (en) * | 2020-05-28 | 2023-08-11 | 中国平安财产保险股份有限公司 | System access authority granting method, device, server and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN112487478A (en) | 2021-03-12 |
Similar Documents
Publication | Title |
---|---|
CN112487478B (en) | Data access control method, device, storage medium and database system |
US11431753B2 (en) | Network-based permissioning system |
CN108874863B (en) | Data access control method and database access device |
US11196772B2 (en) | Data access policies |
WO2019114766A1 (en) | Data desensitising method, server, terminal, and computer-readable storage medium |
CN109936571B (en) | Mass data sharing method, open sharing platform and electronic equipment |
RU2387003C2 (en) | Method, system and device for detecting data sources and connection to data sources |
JP2020504395A (en) | Data sharing in multi-tenant database system |
CN103067463B (en) | User root authority centralized management system and management method |
US11520740B2 (en) | Efficiently deleting data from objects in a multi-tenant database system |
EP3471010B1 (en) | Generic runtime protection for transactional data |
CN112000992B (en) | Data leakage prevention protection method and device, computer readable medium and electronic equipment |
CN109543448B (en) | HDFS file access authority control method, device and storage medium |
WO2021013056A1 (en) | Microservice-based data processing method and apparatus, and device and readable storage medium |
CN113094387A (en) | Data query method and device, electronic equipment and machine-readable storage medium |
CN114647825A (en) | Access right control method, device, electronic equipment and computer storage medium |
CN113535754A (en) | Data access method, device and system |
CN115017526A (en) | Database access method and device, electronic equipment and storage medium |
US10685019B2 (en) | Secure query interface |
US9330276B2 (en) | Conditional role activation in a database |
US11394748B2 (en) | Authentication method for anonymous account and server |
CN111737293A (en) | Data warehouse authority management method, device, equipment and storage medium |
CN116340970A (en) | Service system login method, device, electronic equipment and readable storage medium |
US11522863B2 (en) | Method and system for managing resource access permissions within a computing environment |
CN111797424A (en) | Method and device for processing request |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |