CN113489689A - Access request authentication method and device, storage medium and electronic equipment - Google Patents

Info

Publication number
CN113489689A
Authority
CN
China
Prior art keywords
access request
access
authority
permission
hadoop
Prior art date
Legal status
Granted
Application number
CN202110687187.7A
Other languages
Chinese (zh)
Other versions
CN113489689B (en
Inventor
梁海昆
Current Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd
Priority to CN202110687187.7A
Publication of CN113489689A
Application granted
Publication of CN113489689B
Legal status: Active

Classifications

    • H04L63/101 Access control lists [ACL] (under H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L63/00 Network architectures or network communication protocols for network security; H04L63/10 ... for controlling access to devices or network resources)
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS] (under H04L67/10 Protocols in which an application is distributed across nodes in the network)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an access request authentication method and device, a storage medium and electronic equipment, and belongs to the field of cloud computing. The method comprises the following steps: receiving an access request of a client, wherein the access request requests that a Hadoop node access a Hadoop service; using the access request as a trigger condition, acquiring a first permission list in real time from a permission management server, wherein the permission management server configures and stores permission policy data for a plurality of Hadoop clusters; and authenticating the access request using the first permission list. (What this text calls "authentication" is a per-request permission check, i.e. authorization of an already identified account; the identity of the client itself is established separately, for example with Kerberos as discussed in the background.) The invention addresses the problem that a Hadoop cluster in the related art cannot manage user permissions, improves the response speed of the Hadoop service, and at the same time improves the security of the Hadoop cluster.

Description

Access request authentication method and device, storage medium and electronic equipment
Technical Field
The invention relates to the field of cloud computing, in particular to an access request authentication method and device, a storage medium and electronic equipment.
Background
In the related art, Hadoop includes the Hadoop Distributed File System (HDFS) as one of its components. HDFS is highly fault tolerant and is designed to be deployed on low-cost hardware; it provides high-throughput access to application data and suits applications with very large data sets.
In big data practice, Hadoop services are the main tool used to solve business problems, so isolation and security of the data are important. Hadoop itself carries no security authentication by default; to authenticate users it relies mainly on Kerberos, and Kerberos provides authentication (proof of identity) but not management of what an authenticated user is permitted to do.
In view of the above problems in the related art, no effective solution has been found at present.
Disclosure of Invention
The embodiment of the invention provides an access request authentication method and device, a storage medium and electronic equipment.
According to an aspect of an embodiment of the present application, there is provided an authentication method for an access request, including: receiving an access request of a client, wherein the access request is used for requesting a Hadoop node to access Hadoop service; acquiring a first authority list from an authority management server in real time by taking the access request as a trigger condition, wherein the authority management server is used for configuring and storing authority policy data of a plurality of Hadoop clusters; and authenticating the access request by adopting the first authority list.
Further, authenticating the access request using the first permission list comprises: extracting the access account and the access object from the access request; looking up, in the first permission list, the permission configuration data corresponding to the access account, wherein the permission configuration data comprises a plurality of Hadoop resources that the access account is allowed to operate on; judging whether the access object is contained in the permission configuration data; if it is, determining that authentication passes; and if it is not, determining that authentication fails.
Further, the method further comprises: if the first permission list cannot be acquired from the permission management server in real time, reading a locally cached historical permission list; and authenticating the access request using the historical permission list.
Further, before reading the locally cached historical permission list, the method further comprises: accessing the permission management server at regular intervals according to a preset period, and establishing a first communication link between the Hadoop node and the permission management server; and pulling a second permission list from the permission management server over the first communication link, wherein the second permission list is used to update the historical permission list.
Further, before reading the locally cached historical permission list, the method further comprises: responding to a connection request from the permission management server and establishing a second communication link between the Hadoop node and the permission management server, wherein the connection request is generated after the permission management server has updated its permission policy data locally; and receiving a third permission list issued by the permission management server over the second communication link, wherein the third permission list is used to update the historical permission list.
Further, after acquiring the first permission list from the permission management server in real time, the method further comprises: judging whether the first permission list is consistent with the historical permission list pre-stored locally on the Hadoop node; and if it is not, replacing the historical permission list with the first permission list.
Further, receiving the access request of the client comprises one of the following: receiving a first access request of the client, which requests the namespace node to access the Hadoop distributed file system (HDFS) service; receiving a second access request of the client, which requests the namespace node to access the HBase distributed column store service; receiving a third access request of the client, which requests the namespace node to access the Hive data warehouse service; receiving a fourth access request of the client, which requests the namespace node to access the Kafka distributed publish-subscribe messaging service; and receiving a fifth access request of the client, which requests the namespace node to access the distributed search service.
According to another aspect of the embodiments of the present application, there is also provided an access request authentication apparatus, comprising: a first receiving module for receiving an access request of a client, wherein the access request requests that a Hadoop node access a Hadoop service; an acquisition module for acquiring a first permission list from a permission management server in real time, using the access request as a trigger condition, wherein the permission management server configures and stores permission policy data for a plurality of Hadoop clusters; and a first authentication module for authenticating the access request using the first permission list.
Further, the first authentication module comprises: a parsing unit for extracting the access account and the access object from the access request; a search unit for looking up, in the first permission list, the permission configuration data corresponding to the access account, wherein the permission configuration data comprises a plurality of Hadoop resources that the access account is allowed to operate on; a judging unit for judging whether the access object is contained in the permission configuration data; and an authentication unit for determining that authentication passes if the access object is contained in the permission configuration data, and that it fails if it is not.
Further, the apparatus further comprises: a reading module for reading the locally cached historical permission list if the first permission list cannot be acquired from the permission management server in real time; and a second authentication module for authenticating the access request using the historical permission list.
Further, the apparatus further comprises: a first establishing module for accessing the permission management server at regular intervals according to a preset period, before the reading module reads the locally cached historical permission list, and establishing a first communication link between the Hadoop node and the permission management server; and a pulling module for pulling the second permission list from the permission management server over the first communication link.
Further, the apparatus further comprises: a second establishing module for responding to a connection request from the permission management server, before the reading module reads the locally cached historical permission list, and establishing a second communication link between the Hadoop node and the permission management server, wherein the connection request is generated by the permission management server after it has updated its permission policy data locally; and a second receiving module for receiving the third permission list issued by the permission management server over the second communication link.
Further, the apparatus further comprises: a judging module for judging, after the acquisition module has acquired the first permission list from the permission management server in real time, whether the first permission list is consistent with the historical permission list pre-stored locally on the Hadoop node; and an updating module for replacing the historical permission list with the first permission list if the two are inconsistent.
Further, the first receiving module comprises one of: a first receiving unit for receiving a first access request of the client, which requests the namespace node to access the HDFS distributed file system service; a second receiving unit for receiving a second access request of the client, which requests the namespace node to access the HBase distributed column store service; a third receiving unit for receiving a third access request of the client, which requests the namespace node to access the Hive data warehouse service; a fourth receiving unit for receiving a fourth access request of the client, which requests the namespace node to access the Kafka distributed publish-subscribe messaging service; and a fifth receiving unit for receiving a fifth access request of the client, which requests the namespace node to access the distributed search service.
According to another aspect of the embodiments of the present application, there is also provided a storage medium including a stored program that executes the above steps when the program is executed.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus; wherein: a memory for storing a computer program; a processor for executing the steps of the method by running the program stored in the memory.
Embodiments of the present application also provide a computer program product containing instructions, which when run on a computer, cause the computer to perform the steps of the above method.
According to the invention, an access request of a client is received, the access request requesting that the Hadoop node access a Hadoop service; with the access request as the trigger condition, a first permission list is obtained from the permission management server in real time; and the first permission list is then used to authenticate the access request. Because the permission list is fetched from the permission management server in real time, the Hadoop node authenticates each access request against current policy. This solves the problem that a Hadoop cluster in the related art cannot manage user permissions, improves the response speed of the Hadoop service, and improves the security of the Hadoop cluster.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a block diagram of a hardware configuration of a server according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method of authenticating an access request according to an embodiment of the present invention;
FIG. 3 is a flowchart of authentication according to an embodiment of the present invention;
fig. 4 is a block diagram of an authentication apparatus for an access request according to an embodiment of the present invention;
fig. 5 is a block diagram of an electronic device implementing an embodiment of the invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
The method provided by Embodiment 1 of the present application may be executed on a server, a computer, or a similar computing device. Taking the case where it runs on a server, fig. 1 is a block diagram of the hardware structure of a server according to an embodiment of the present invention. As shown in fig. 1, the server may include one or more processors 102 (only one is shown in fig. 1; a processor 102 may include, but is not limited to, a processing device such as a microcontroller MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally a transmission device 106 for communication and an input/output device 108. Those skilled in the art will understand that the structure shown in fig. 1 is only illustrative and does not limit the structure of the server; for example, the server may include more or fewer components than shown in fig. 1, or a different configuration.
The memory 104 may be used to store a server program, for example, a software program and a module of application software, such as a server program corresponding to an authentication method of an access request in an embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the server program stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to a server over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the server. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In this embodiment, an authentication method for an access request is provided, and fig. 2 is a flowchart of an authentication method for an access request according to an embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:
step S202, receiving an access request of a client, wherein the access request is used for requesting the Hadoop node to access Hadoop service;
the Hadoop node in this embodiment may be a name node (name node), a data node (data node), a service node (server node), a resource manager (ResourceManager), and the like, according to different Hadoop services, and respectively authenticate an access request in different Hadoop distributed scenarios.
Step S204, taking the access request as a trigger condition, and acquiring a first permission list from a permission management server in real time, wherein the permission management server is used for configuring and storing permission policy data of a plurality of Hadoop clusters;
Optionally, the permission management server runs an authentication management process and the Hadoop node exposes an authentication interface; the authentication management process communicates with the authentication interface, and when one permission management server manages a plurality of clusters, its authentication management process communicates with the authentication interfaces of all of those clusters.
Step S206, the access request is authenticated by adopting the first authority list.
After authentication, the access request is then allowed or denied according to the authentication result.
Through the above steps, an access request of a client is received, the access request requesting that the Hadoop node access a Hadoop service; with the access request as the trigger condition, a first permission list is obtained from the permission management server in real time; and the first permission list is then used to authenticate the access request. Because the permission list is fetched from the permission management server in real time, the Hadoop node authenticates each access request against current policy. This solves the problem that a Hadoop cluster in the related art cannot manage user permissions, improves the response speed of the Hadoop service, and at the same time improves the security of the Hadoop cluster.
In this embodiment, authenticating the access request by using the first permission list includes:
s11, analyzing the access account and the access object in the access request;
in one example, a Hadoop client sends an access request to a Hadoop node (e.g., a name node, a data node) to request access to a Hadoop service, and the access object may be a data resource, a node server (e.g., a data node), or the like.
S12, searching permission configuration data corresponding to the access account from the first permission list, wherein the permission configuration data comprise a plurality of Hadoop resources allowing the access account to operate;
Optionally, the first permission list includes the user accounts allowed to access the Hadoop node, or the Hadoop cluster in which the Hadoop node is located, together with the access permissions of every registered user (accessible resources, accessible nodes, accessible Hadoop services, and so on). For example: {user: "Zhang San", service: "HDFS", access: "rwx"}; {user: "Li Si", service: "Hive", db: "school", table: "student", access: "select"}.
S13, judging whether the authority configuration data contains the access object;
In one example, the permission configuration data of the access account user1 is a whitelist such as {A, B, C}, meaning user1 may access A, B and C through the Hadoop node; the node checks whether the requested access object is any of A, B or C, that is, whether it hits the whitelist: if so the judgment is yes, otherwise no. In another example, the permission configuration data of the access account is a blacklist such as {M, N}, meaning user1 is not allowed to access M or N through the Hadoop node; the node checks whether the requested access object is M or N: if so the judgment is no, otherwise yes. A combination of blacklist and whitelist may of course also be used.
S14, if the authority configuration data contains the access object, determining that the authentication is passed; and if the access object is not contained in the authority configuration data, determining that the authentication fails.
Further, after the authentication is determined to pass, an access operation of the Hadoop service is executed on the Hadoop node, or the access request is forwarded to a corresponding service node, for example, the name node forwards the access request to the data node where the target resource is located.
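As an added example (not code from the patent, from Kingsoft Cloud or from Apache Ranger), the following Python puts steps S11 to S14 into a working check, including the whitelist and blacklist handling described under S13. It goes slightly beyond the text in two places a practitioner would expect: an explicit deny entry takes precedence over an allow entry, and HDFS rules are matched by path hierarchy rather than exact string. The request field names, the permission-list layout, the sample accounts and their rules are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class AccessRequest:
    """The fields step S11 extracts from a client request (field names assumed)."""
    account: str    # access account, e.g. the short name of a Kerberos principal
    service: str    # Hadoop service being accessed: "HDFS", "Hive", ...
    resource: str   # access object: an HDFS path, a Hive "db.table", ...
    action: str     # operation requested on the access object


# Constructed first permission list, keyed by access account. Each account
# carries whitelist ("allow") and blacklist ("deny") rules in the spirit of
# the {user, service, ..., access} records quoted in the description.
PERMISSION_LIST = {
    "zhangsan": {
        "allow": [{"service": "HDFS", "resource": "/data/sales",
                   "actions": {"read", "write", "execute"}}],
        "deny":  [{"service": "HDFS", "resource": "/data/sales/salary",
                   "actions": {"read"}}],
    },
    "lisi": {
        "allow": [{"service": "Hive", "resource": "school.student",
                   "actions": {"select"}}],
        "deny":  [],
    },
}


def parse_request(raw: dict) -> AccessRequest:
    """S11: pull the access account and access object out of the request.

    A missing field is rejected outright; it must never be read as a wildcard.
    """
    try:
        return AccessRequest(raw["account"], raw["service"],
                             raw["resource"], raw["action"])
    except KeyError as missing:
        raise ValueError(f"malformed access request: no {missing.args[0]!r} field") from None


def _rule_covers(rule: dict, req: AccessRequest) -> bool:
    """Does one permission rule apply to this request?"""
    if rule["service"] != req.service or req.action not in rule["actions"]:
        return False
    if req.service == "HDFS":
        # HDFS paths are hierarchical: a rule on /data/sales covers
        # /data/sales/2021 but not /data/salesx (no naive prefix match).
        base = rule["resource"].rstrip("/")
        return req.resource == base or req.resource.startswith(base + "/")
    return rule["resource"] == req.resource      # Hive db.table etc.: exact match


def _any_match(rules: Iterable[dict], req: AccessRequest) -> bool:
    return any(_rule_covers(rule, req) for rule in rules)


def authorize(permission_list: dict, raw_request: dict) -> bool:
    """Steps S11-S14: True when the access object is in the account's
    permission configuration data, False otherwise. Anything unknown is denied."""
    req = parse_request(raw_request)                           # S11
    config = permission_list.get(req.account)                  # S12
    if config is None:
        return False                      # account not in the list at all
    if _any_match(config.get("deny", ()), req):                # S13, blacklist
        return False                      # an explicit deny always wins
    return _any_match(config.get("allow", ()), req)            # S13/S14, whitelist


if __name__ == "__main__":
    for raw in ({"account": "zhangsan", "service": "HDFS", "resource": "/data/sales/2021", "action": "read"},
                {"account": "zhangsan", "service": "HDFS", "resource": "/data/sales/salary", "action": "read"},
                {"account": "lisi", "service": "Hive", "resource": "school.teacher", "action": "select"}):
        print(raw["account"], raw["resource"], "->", "pass" if authorize(PERMISSION_LIST, raw) else "fail")
```

Two design points carried over from the S13 discussion: the lookup is keyed on the account so an account absent from the list gets nothing (default deny), and the blacklist is consulted before the whitelist so that a deny on /data/sales/salary still bites even though the allow on /data/sales covers it.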
In another aspect of this embodiment, the method further comprises: if the first permission list is failed to be acquired from the permission management server in real time, reading a locally cached historical permission list; and authenticating the access request by adopting the historical authority list.
In one implementation of this embodiment, before the locally cached historical permission list is read, a second permission list is obtained in advance by interacting with the permission management server on a cycle. This comprises: accessing the permission management server at regular intervals according to a preset period, and establishing a first communication link between the Hadoop node and the permission management server; and pulling a second permission list from the permission management server over the first communication link, wherein the second permission list is used to update the historical permission list.
By pulling the second permission list from the permission management server in advance, the node is covered when an access request arrives and the real-time fetch of the first permission list fails because the permission management server cannot be reached: the locally cached file is used for authentication, permissions already granted keep working, and a fallback mechanism is realized. The consequence to keep in mind is that a node running on its cache enforces the policy it last saw, so a change made on the server during the outage takes effect only after the next successful pull or push.
In another implementation manner of this embodiment, before reading the history permission list of the local cache, the method further includes: responding a connection request of the authority management server, and establishing a second communication link between the Hadoop node and the authority management server, wherein the connection request is generated after the authority management server locally updates authority policy data; and receiving a third permission list issued by the permission management server based on the second communication link, wherein the third permission list is used for updating the historical permission list.
In the above implementation, in which the second permission list is pulled over the first communication link, if the permission policy data on the permission management server is edited frequently, or the interval between edits is shorter than the pull period, policy data configured on the permission management server may not be synchronized to the Hadoop node in time. The push-based implementation above avoids this: the permission management server initiates the second communication link and issues the third permission list as soon as its policy data changes, so the Hadoop node does not have to poll at a short period. This saves resource overhead on the Hadoop node, leaving it more resources for handling service requests from clients and improving the concurrency of the Hadoop system.
The two embodiments may be used in combination, or alternatively used according to a scene or a user setting.
Optionally, after acquiring the first permission list from the permission management server in real time, the method further includes: judging whether the first permission list is consistent with a historical permission list pre-stored locally by the Hadoop node; and if the first permission list is not consistent with a historical permission list pre-stored locally by the Hadoop node, updating the historical permission list into the first permission list.
Through this update, the latest first permission list replaces the historical permission list pre-stored locally on the Hadoop node, so that when responding to the next access request the Hadoop node can use the latest list directly without contacting the permission management server again in real time, which simplifies the authentication process, increases authentication speed and saves authentication time.
Optionally, receiving the access request of the client may include, but is not limited to: receiving a first access request of the client, which requests the namespace node to access the Hadoop distributed file system (HDFS) service; receiving a second access request of the client, which requests the namespace node to access the HBase distributed column store service; receiving a third access request of the client, which requests the namespace node to access the Hive data warehouse service; receiving a fourth access request of the client, which requests the namespace node to access the Kafka distributed publish-subscribe messaging service; and receiving a fifth access request of the client, which requests the namespace node to access the distributed search service. These are only examples; the application scenario of this embodiment may likewise be applied to other Hadoop services.
Fig. 3 is an authentication flow chart of the embodiment of the present invention, illustrated by taking the HDFS service as an example. This example only shows the authentication process when a user accesses the HDFS service; other Hadoop services are similar. The permission management server is Ranger, which provides permission management and control, access monitoring and data encryption for specific resources (such as specific tables in HBase). Ranger comprises Ranger admin and the Ranger plugin (the Ranger interface). Ranger admin is the main program of Ranger: the user logs on to its page to carry out permission management of the Hadoop services, and it also provides a RESTful (Representational State Transfer) API that receives the query requests of the plugin. The Ranger plugin is an extension plugin of a Hadoop service; it depends on the Hadoop service it runs in, and different Hadoop services have corresponding plugins. Together with Ranger, the plugin completes the authorization operations of a user on, for example, directories/files in HDFS, DBs/tables in Hive and tables in HBase. Taking HDFS as an example, the process includes:
S31, the administrator edits and enters the corresponding permissions of all users through a web UI (web configuration interface);
S32, the Ranger plugin (Ranger interface) in HDFS accesses Ranger admin in the Ranger server at regular intervals and pulls the existing policy list;
S33, when a user accesses HDFS, the user is authenticated through the Ranger plugin;
S34, the Ranger plugin connects directly to Ranger admin and reads the policy list for authentication;
S35, after the authentication passes, the client accesses the resources in HDFS normally; if the authentication fails, access is denied.
The Ranger plugin is deployed in a corresponding Hadoop service (HDFS), and when an access request of a client is received by the HDFS, real-time authentication can be performed through the Ranger admin. On the other hand, the plugin interacts with the Ranger server at regular time, obtains the latest authority policy list, and caches the policy in the host where the plugin is located in the form of a json file. And when the user accesses the Hadoop service, the plugin reads the authority information from the cached json file for verification, and returns the verification result.
By adopting the scheme of this embodiment, the plugin is functionally extended: during authentication it interacts directly with the Ranger server to obtain the actual permission configuration held by the server, while the policy synchronization function is retained so that the plugin still synchronizes with the server at regular intervals. When the Ranger server is unavailable, the real-time authentication fails to connect to the server and authentication is carried out using the local cache file, so the existing permission function continues to work normally. This realizes the access authentication mode on Hadoop and solves the problem that Hadoop permissions take effect with a delay: after the administrator grants or revokes a user's authorization, the user immediately gains or loses the corresponding operation permission on the target resource.
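The request-triggered real-time fetch, the consistency check against the cached historical list and the fallback to that cache when the permission management server is unreachable, as an added Python sketch that is not part of the patent or of Ranger; the policy-list shape, the fake server, the JSON file cache and the fail-closed choice when neither server nor cache is available are assumptions made for the example.

```python
import json, os, tempfile
from typing import Callable, Dict, List, Optional, Tuple

# Constructed shape of a permission list: access account -> Hadoop resources it may operate on.
PolicyList = Dict[str, List[str]]


class PermissionServerUnavailable(Exception):
    """Raised by the fetch callable when the permission management server cannot be reached."""


class HadoopNodeAuthenticator:
    """Node-side authenticator: real-time fetch first, locally cached historical list as fallback."""

    def __init__(self, fetch_policies: Callable[[], PolicyList], cache_path: str):
        self._fetch = fetch_policies    # real-time query of the permission management server
        self._cache_path = cache_path   # historical permission list cached as a JSON file

    def _read_cache(self) -> Optional[PolicyList]:
        try:
            with open(self._cache_path, "r", encoding="utf-8") as fh:
                return json.load(fh)
        except (OSError, ValueError):
            return None  # no cache yet, or an unreadable/corrupt file

    def _write_cache(self, policies: PolicyList) -> None:
        tmp = self._cache_path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(policies, fh, sort_keys=True)
        os.replace(tmp, self._cache_path)  # atomic swap: a crash never leaves a half-written cache

    def update_cache_if_changed(self, latest: PolicyList) -> bool:
        """Consistency check from the patent: overwrite the historical list only when it differs."""
        if self._read_cache() == latest:
            return False
        self._write_cache(latest)
        return True

    def periodic_sync(self) -> bool:
        """Scheduled pull over the first communication link; a pushed list would take the same path."""
        try:
            return self.update_cache_if_changed(self._fetch())
        except PermissionServerUnavailable:
            return False

    @staticmethod
    def check(policies: PolicyList, account: str, access_object: str) -> bool:
        """Find the account's permission configuration and test whether it contains the object."""
        allowed = policies.get(account)
        return allowed is not None and access_object in allowed

    def authenticate(self, account: str, access_object: str) -> Tuple[bool, str]:
        """Return (passed, source); source records which list decided the request."""
        try:
            latest = self._fetch()  # the access request itself triggers the real-time fetch
        except PermissionServerUnavailable:
            cached = self._read_cache()
            if cached is None:
                return False, "no-policy"  # assumption: neither server nor cache -> fail closed
            return self.check(cached, account, access_object), "cache"
        self.update_cache_if_changed(latest)
        return self.check(latest, account, access_object), "realtime"


class FakePermissionServer:
    """Constructed stand-in for the permission management server (Ranger admin in the patent)."""
    def __init__(self):
        self.policies: PolicyList = {}
        self.available = True

    def fetch(self) -> PolicyList:
        if not self.available:
            raise PermissionServerUnavailable("permission management server not reachable")
        return {account: list(res) for account, res in self.policies.items()}


def run_scenario(cache_dir: Optional[str] = None) -> List[Tuple[str, bool, str]]:
    """Grant, revoke and server outage in turn; returns (label, passed, source) per request."""
    cache_path = os.path.join(cache_dir or tempfile.mkdtemp(), "policy_cache.json")
    server = FakePermissionServer()
    node = HadoopNodeAuthenticator(server.fetch, cache_path)
    log: List[Tuple[str, bool, str]] = []
    # S31/S32: the administrator grants permissions; the scheduled pull caches them locally.
    server.policies = {"alice": ["hdfs:/data/reports"], "bob": ["hive:sales.orders"]}
    node.periodic_sync()
    # S33/S34: each request triggers a real-time fetch, so the grant is effective at once.
    log.append(("alice-grant",) + node.authenticate("alice", "hdfs:/data/reports"))
    # The administrator revokes alice; the very next request already sees the revocation.
    server.policies = {"bob": ["hive:sales.orders"]}
    log.append(("alice-revoked",) + node.authenticate("alice", "hdfs:/data/reports"))
    # Server outage: fall back to the cached list, which already reflects the revocation.
    server.available = False
    log.append(("bob-cache",) + node.authenticate("bob", "hive:sales.orders"))
    log.append(("alice-cache",) + node.authenticate("alice", "hdfs:/data/reports"))
    # A node with no cache file and no server has nothing to authenticate against.
    bare = HadoopNodeAuthenticator(server.fetch, cache_path + ".missing")
    log.append(("no-policy",) + bare.authenticate("bob", "hive:sales.orders"))
    return log
```

Because the cache is refreshed on every successful real-time fetch, an outage never resurrects a permission that was already revoked before the server went down.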
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
In this embodiment, an authentication apparatus for an access request is further provided, which is used to implement the foregoing embodiments and preferred embodiments, and the description already made is omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 4 is a block diagram of an authentication apparatus for an access request according to an embodiment of the present invention, as shown in fig. 4, the apparatus includes: a first receiving module 40, an obtaining module 42, a first authentication module 44, wherein,
the first receiving module 40 is configured to receive an access request of a client, where the access request is used to request a Hadoop node to access a Hadoop service;
an obtaining module 42, configured to obtain, in real time, a first permission list from a permission management server with the access request as a trigger condition, where the permission management server is configured to configure and store permission policy data of a plurality of Hadoop clusters;
a first authentication module 44, configured to authenticate the access request with the first permission list.
Optionally, the first authentication module includes: the analysis unit is used for analyzing the access account and the access object in the access request; the searching unit is used for searching permission configuration data corresponding to the access account from the first permission list, wherein the permission configuration data comprise a plurality of Hadoop resources allowing the access account to operate; the judging unit is used for judging whether the access object is contained in the authority configuration data or not; the authentication unit is used for determining that the authentication is passed if the access object is contained in the authority configuration data; and if the access object is not contained in the authority configuration data, determining that the authentication fails.
Optionally, the apparatus further comprises: the reading module is used for reading the locally cached historical permission list if the first permission list is failed to be acquired from the permission management server in real time; and the second authentication module is used for authenticating the access request by adopting the historical authority list.
Optionally, the apparatus further comprises: the first establishing module is used for accessing the authority management server regularly according to a preset period before the reading module reads the history authority list of the local cache, and establishing a first communication link between the Hadoop node and the authority management server; and the pulling module is used for pulling the second permission list from the permission management server based on the first communication link.
Optionally, the apparatus further comprises: the second creating module is used for responding to a connection request of the authority management server before the reading module reads the history authority list of the local cache, and establishing a second communication link between the Hadoop node and the authority management server, wherein the connection request is generated by the authority management server after the authority policy data is locally updated; and the second receiving module is used for receiving a third permission list issued by the permission management server based on the second communication link.
Optionally, the apparatus further comprises: the judging module is used for judging whether the first permission list is consistent with a historical permission list locally pre-stored by the Hadoop node or not after the acquiring module acquires the first permission list from the permission management server in real time; and the updating module is used for updating the historical authority list into the first authority list if the first authority list is inconsistent with the historical authority list which is locally pre-stored by the Hadoop node.
Optionally, the first receiving module includes one of: a first receiving unit, configured to receive a first access request of a client, where the first access request is used to request a namespace node to access the distributed file system HDFS service; a second receiving unit, configured to receive a second access request of the client, where the second access request is used to request a namespace node to access the distributed column storage system HBase service; a third receiving unit, configured to receive a third access request of the client, where the third access request is used to request a namespace node to access the data warehouse Hive service; a fourth receiving unit, configured to receive a fourth access request of the client, where the fourth access request is used to request a namespace node to access the distributed publish-subscribe message system Kafka service; and a fifth receiving unit, configured to receive a fifth access request of the client, where the fifth access request is used to request the namespace node to access the distributed search service.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in different processors in any combination.
Example 3
Fig. 5 is a structural diagram of an electronic device according to an embodiment of the present invention, and as shown in fig. 5, the electronic device includes a processor 51, a communication interface 52, a memory 53 and a communication bus 54, where the processor 51, the communication interface 52, and the memory 53 complete mutual communication through the communication bus 54, and the memory 53 is used for storing a computer program; the processor 51 is configured to implement the following steps when executing the program stored in the memory 53: receiving an access request of a client, wherein the access request is used for requesting a Hadoop node to access Hadoop service; acquiring a first authority list from an authority management server in real time by taking the access request as a trigger condition, wherein the authority management server is used for configuring and storing authority policy data of a plurality of Hadoop clusters; and authenticating the access request by adopting the first authority list.
Further, authenticating the access request using the first permission list comprises: analyzing an access account and an access object in the access request; searching permission configuration data corresponding to the access account from the first permission list, wherein the permission configuration data comprise a plurality of Hadoop resources allowing the access account to operate; judging whether the access object is contained in the authority configuration data or not; if the access object is contained in the authority configuration data, determining that the authentication is passed; and if the access object is not contained in the authority configuration data, determining that the authentication fails.
Further, the method further comprises: if the first permission list is failed to be acquired from the permission management server in real time, reading a locally cached historical permission list; and authenticating the access request by adopting the historical authority list.
Further, before reading the history authority list of the local cache, the method further comprises the following steps: accessing the authority management server at regular time according to a preset period, and establishing a first communication link between the Hadoop node and the authority management server; pulling a second permission list from the permission management server based on the first communication link, wherein the second permission list is used to update the historical permission list.
Further, before reading the history authority list of the local cache, the method further comprises the following steps: responding to a connection request of the authority management server, and establishing a second communication link between the Hadoop node and the authority management server, wherein the connection request is generated after the authority management server locally updates authority policy data; and receiving a third permission list issued by the permission management server based on the second communication link, wherein the third permission list is used for updating the historical permission list.
Further, after acquiring the first permission list from the permission management server in real time, the method further includes: judging whether the first permission list is consistent with a historical permission list locally pre-stored in the Hadoop node; and if the first permission list is inconsistent with the historical permission list locally pre-stored by the Hadoop node, updating the historical permission list into the first permission list.
Further, receiving the access request of the client comprises one of the following: receiving a first access request of a client, wherein the first access request is used for requesting a namespace node to access a distributed file system (HDFS) service; receiving a second access request of the client, wherein the second access request is used for requesting access to a distributed column storage system HBase service from a namespace node; receiving a third access request of the client, wherein the third access request is used for requesting the namespace node to access the Hive service of the data warehouse; receiving a fourth access request of the client, wherein the fourth access request is used for requesting the namespace node to access the Kafka service of the distributed publish-subscribe message system; receiving a fifth access request of the client, wherein the fifth access request is used for requesting the namespace node to access the distributed search service.
The communication bus mentioned in the above terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the terminal and other equipment.
The memory may include a Random Access Memory (RAM) or a non-volatile memory, such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided by the present application, there is also provided a computer-readable storage medium having stored therein instructions, which when run on a computer, cause the computer to perform the method for authenticating an access request as described in any of the above embodiments.
In yet another embodiment provided by the present application, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the method of authenticating an access request as described in any of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) connection. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.
The above description is merely exemplary of the present application and is presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for authenticating an access request, comprising:
receiving an access request of a client, wherein the access request is used for requesting a Hadoop node to access Hadoop service;
acquiring a first authority list from an authority management server in real time by taking the access request as a trigger condition, wherein the authority management server is used for configuring and storing authority policy data of a plurality of Hadoop clusters;
and authenticating the access request by adopting the first authority list.
2. The method of claim 1, wherein authenticating the access request with the first permission list comprises:
analyzing an access account and an access object in the access request;
searching permission configuration data corresponding to the access account from the first permission list, wherein the permission configuration data comprise a plurality of Hadoop resources allowing the access account to operate;
judging whether the access object is contained in the authority configuration data or not;
if the access object is contained in the authority configuration data, determining that the authentication is passed; and if the access object is not contained in the authority configuration data, determining that the authentication fails.
3. The method of claim 1, further comprising:
if the first permission list is failed to be acquired from the permission management server in real time, reading a locally cached historical permission list;
and authenticating the access request by adopting the historical authority list.
4. The method of claim 3, wherein prior to reading the locally cached historical permission list, the method further comprises:
accessing the authority management server at regular time according to a preset period, and establishing a first communication link between the Hadoop node and the authority management server;
pulling a second permission list from the permission management server based on the first communication link, wherein the second permission list is used to update the historical permission list.
5. The method of claim 3, wherein prior to reading the locally cached historical permission list, the method further comprises:
responding to a connection request of the authority management server, and establishing a second communication link between the Hadoop node and the authority management server, wherein the connection request is generated after the authority management server locally updates authority policy data;
and receiving a third permission list issued by the permission management server based on the second communication link, wherein the third permission list is used for updating the historical permission list.
6. The method of claim 1, wherein after obtaining the first permission list from the rights management server in real time, the method further comprises:
judging whether the first permission list is consistent with a historical permission list locally pre-stored in the Hadoop node;
and if the first permission list is inconsistent with a historical permission list pre-stored locally by the Hadoop node, updating the historical permission list into the first permission list.
7. The method of claim 1, wherein receiving the client's access request comprises one of:
receiving a first access request of a client, wherein the first access request is used for requesting a namespace node to access a distributed file system (HDFS) service;
receiving a second access request of the client, wherein the second access request is used for requesting access to a distributed column storage system HBase service from a namespace node;
receiving a third access request of the client, wherein the third access request is used for requesting the namespace node to access the Hive service of the data warehouse;
receiving a fourth access request of the client, wherein the fourth access request is used for requesting the namespace node to access the Kafka service of the distributed publish-subscribe message system;
receiving a fifth access request of the client, wherein the fifth access request is used for requesting the namespace node to access the distributed search service.
8. An apparatus for authenticating an access request, comprising:
a first receiving module, configured to receive an access request of a client, wherein the access request is used for requesting a Hadoop node to access Hadoop service;
the acquisition module is used for acquiring a first permission list from a permission management server in real time by taking the access request as a trigger condition, wherein the permission management server is used for configuring and storing permission policy data of a plurality of Hadoop clusters;
and the first authentication module is used for authenticating the access request by adopting the first permission list.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program is operative to perform the method steps of any of the preceding claims 1 to 7.
10. An electronic device comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus; wherein:
a memory for storing a computer program;
a processor for performing the method steps of any of claims 1 to 7 by executing a program stored on a memory.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110687187.7A CN113489689B (en) 2021-06-21 2021-06-21 Authentication method and device for access request, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN113489689A true CN113489689A (en) 2021-10-08
CN113489689B CN113489689B (en) 2023-09-19

Family

ID=77935714

Country Status (1)

Country Link
CN (1) CN113489689B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant