CN113722723A - Information processing method, system, equipment and computer storage medium - Google Patents


Info

Publication number: CN113722723A
Authority: CN (China)
Prior art keywords: list, authority management, authority, data request, data
Legal status: Pending
Application number: CN202010451709.9A
Other languages: Chinese (zh)
Inventor: 徐海辉
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd

Application filed by China Mobile Communications Group Co Ltd and China Mobile Suzhou Software Technology Co Ltd
Priority to CN202010451709.9A
Publication of CN113722723A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application provides an information processing method comprising the following steps: acquiring an operation list, where the operation list represents the operations, at a preset granularity, that can be executed on the stored data; generating a first authority management mode based on the operation list, where the first authority management mode represents the manner in which operations on the stored data are managed in response to a data request; and, when a data request is detected, performing authority management on the data request based on the first authority management mode. The method can flexibly generate a first authority management mode matching the granularity of the preset-granularity operation list and apply authority management at that granularity to the data request, which relieves the threat that the fixed, coarse-grained authority management mode of the related art poses to data security. The present application also provides an information processing system, an apparatus, and a computer-readable storage medium.

Description

Information processing method, system, equipment and computer storage medium
Technical Field
The present application relates to the field of information technology, and in particular, to an information processing method, system, device, and computer storage medium.
Background
The data stored in a big data platform is of many types, from wide-ranging sources and in large quantity, so when a large amount of data is accessed, the security of the massive data is as important as processing it stably. In the related art, the rationality of the access flow of a big data platform is improved, the confusion of data access is reduced, and the possible tampering operations of a user during data operations are reduced by setting the operation authority of users or user groups on the stored data. The operation authority is mainly embodied as authority management of users and/or data; specifically, authority management limits the behaviours that a given user or user group can or cannot execute on data stored in the big data platform, so that the user or user group can only execute the allowed operations, namely the authorized operations, on part of the stored data. At present, some widely used big data platforms such as Hadoop are combined with an authorization management platform such as Apache Ranger. Although this improves connectivity between components such as the Hadoop Distributed File System (HDFS), Hive and HBase, those components execute a fixed, coarse-grained authority management mode for access to the stored data; such a mode is not flexible enough and easily poses a threat to the security of the stored data.
Disclosure of Invention
An information processing method, system, device, and computer-readable storage medium are provided.
According to the information processing method, the corresponding authority management mode can be flexibly generated according to the preset-granularity operation list, so that the security threat posed to the data stored in the big data platform by the fixed, coarse-grained authority management mode of the related art is relieved.
The information processing method provided by the application is realized as follows:
an information processing method, the method comprising:
acquiring an operation list; the operation list is used for representing operations with preset granularity which can be executed on the stored data;
generating a first authority management mode based on the operation list; the first authority management mode is used for representing a management mode for executing operation on the stored data based on a data request;
and when a data request is detected, performing authority management on the data request based on the first authority management mode.
Optionally, the generating a first rights management manner based on the operation list includes:
acquiring authority management component information; wherein the rights management component information is information indicating a component that performs rights management for the data request;
and generating the first authority management mode based on the operation list and the authority management component information.
Optionally, the generating the first rights management manner based on the operation list and the rights management component information includes:
determining a second authority management mode based on the authority management component information; the second authority management mode is used for representing a preset authority management mode in a component corresponding to the authority management component information;
and generating the first authority management mode based on the operation list and the second authority management mode.
Optionally, the performing, based on the first rights management manner, rights management on the data request includes:
analyzing the data request to obtain an analysis result;
and performing authority management on the data request based on the first authority management mode and the analysis result.
Optionally, the performing, based on the first rights management manner and the analysis result, rights management on the data request includes:
obtaining an account identifier based on the analysis result;
and performing authority management on the data request based on the first authority management mode and the account identifier.
Optionally, the performing, based on the first rights management manner and the account identifier, rights management on the data request includes:
acquiring a permission list based on the first permission management mode; the permission list represents the list of operations on the stored data that are executable by, and associated with, an account;
obtaining a matching result based on the permission list and the account identifier; the matching result is used for indicating whether authority information corresponding to the account identification exists in the authority list or not;
and performing authority management on the data request based on the matching result.
Optionally, the method further includes:
acquiring an account identifier list; the account identification list is used for representing account identifications capable of operating stored data;
determining the permission list based on the account identification list and the operation list.
An information handling system, the system comprising: a processor, a memory, and a communication bus; wherein:
the communication bus is used for realizing communication connection between the processor and the memory;
the processor is used for executing the program of the information processing method in the memory to realize the following steps:
determining an operation list; the operation list is used for representing executable operation with preset granularity on the stored data;
generating a first authority management mode based on the operation list; the first authority management mode is used for representing a management mode for executing operation on the stored data based on a data request;
and when a data request is detected, performing authority management on the data request based on the first authority management mode.
An information processing apparatus, the apparatus comprising: the device comprises an acquisition module and a processing module; wherein:
the acquisition module is used for acquiring an operation list; the operation list is used for representing executable operation with preset granularity on the stored data;
the processing module is used for generating a first authority management mode based on the operation list;
the processing module is further configured to perform, when a data request is detected, right management on the data request based on the first right management manner; the first authority management mode is used for representing a management mode for executing operation on the stored data based on the data request.
A computer-readable storage medium on which a computer program according to any one of the preceding claims is stored, the computer program being executed by a processor of an information processing apparatus.
Therefore, in the information processing method provided by the application, the first authority management mode for carrying out authority management on the data request can be flexibly generated according to the operation list with the preset granularity, so that the defect of fixed authority management mode in the related technology is overcome; in addition, under the condition that the granularity of the operation list is fine, the granularity of the generated first authority management mode can be synchronously refined, in this case, the fineness of the granularity of the authority management executed on the data request based on the first authority management mode is also improved, so that the data security risk caused by the authority management of the rough authority management mode in the related art is relieved.
Meanwhile, in the information processing method provided by the application, the first authority management mode is generated based on the acquired authority management component information and the operation list, and the generated first authority management mode can be generated according to at least one executable operation in the information of the authority management components of different types and the operation lists of different types, so that the first authority management mode generation method is stronger in pertinence and better in flexibility, the first authority management mode can be matched with the granularity of the operation list, and the granularity of the first authority management mode can be flexibly refined under the condition that the granularity of the operation list is fine.
In the information processing method provided by the present application, the first right management method is further generated based on the operation list and the second right management method after the second right management method corresponding to the right management component information is specified. Therefore, under the condition of acquiring the information of the authority management component, the second authority management mode corresponding to the authority management component can be deeply acquired, and then the second authority management mode is perfected and optimized based on the operation list, so that the acquired first authority management mode can more comprehensively and objectively embody the authority management flow corresponding to the information of the authority management component under the condition of improving the granularity of authority management, and the generation efficiency of the first authority management mode is improved.
Based on the above description, in the information processing method provided by the application, when the data request is subjected to authority management based on the first authority management mode, the authority list is firstly obtained based on the first authority management mode, then the matching result is obtained based on the authority list and the account identifier, and then the authority management is performed on the data request based on the matching result, so that the operation process on the data request is realized by depending on the first authority management mode which is flexibly determined and has improved granularity, the granularity of the data request is further improved, and the security of the data request is improved.
Drawings
FIG. 1 is a flow chart of a first information processing method provided in the present application;
FIG. 2 is a flow chart of a second information processing method provided by the present application;
FIG. 3 is a flow chart of a third information processing method provided by the present application;
FIG. 4 is an architecture diagram of an implementation of the information processing method provided herein;
FIG. 5 is a flowchart of an implementation of an information processing method provided by the present application;
fig. 6 is a flowchart of an implementation of an information processing method for a user to send a data download request to an HDFS according to the present application;
FIG. 7 is a block diagram of an information handling system provided herein;
fig. 8 is a block diagram of an information processing apparatus provided in the present application.
Detailed Description
The present application relates to the field of information technology, and in particular, to an information processing method, system, device, and computer storage medium.
In the related art, the authority management of the big data platform mainly provides a security control capability for corresponding stored data through a platform component. Wherein the security management and control capability comprises: access control security for platform components and data, and sensitive data security.
On the other hand, the authority management work of a big data platform can be divided into two main parts: user identity management, and management of the mapping between user identity and authority. User identity management is user identity authentication; common solutions for it in a big data platform are Kerberos and the Lightweight Directory Access Protocol (LDAP). Management of the mapping between user identity and authority is authorization management; a common solution for it is Apache Ranger.
Apache Ranger is a framework that provides data security for operation, monitoring and management on a Hadoop platform. The vision of Apache Ranger is to provide comprehensive security across the Apache Hadoop ecosystem. Through the Apache Ranger console, an administrator can easily manage the access rights of a user or user group to files, databases, namespaces, tables and even fields by configuring policies, and these rights integrate seamlessly with Hadoop.
In Apache Ranger, the access right of a user or a user group can be represented by the relationship defined as "user-resource-right", and the Apache Ranger abstracts the relationship based on Policy (Policy) and constructs a model to represent a right model.
The above expression is explained in detail from the perspective of "user-resource-rights":
the user: expressed by User or Group; user represents the User accessing the resource, and Group represents the User Group to which the User belongs.
Resource: expressed by (Service, Policy, Resource) triplets; wherein, Service is used to represent components, such as the HDFS component above; policy represents an access Policy to stored data; resource is used to represent resources and may include a representative file, a database, a namespace, a table, and even fields; illustratively, one Policy corresponds to only one Service, but one Service may correspond to multiple policies and one Policy may correspond to multiple resources.
Permission: expressed by the (AllowACL, DenyACL) pair; AllowACL indicates the operations the user or user group is allowed to execute, and DenyACL indicates the operations the user or user group is refused.
Specifically, the authority model may be as shown in equations (1) - (4).
Policy = Service + Resource + AllowACL + DenyACL (1)
AllowACL = List<AccessItem> allow + List<AccessItem> allowException (2)
DenyACL = List<AccessItem> deny + List<AccessItem> denyException (3)
AccessItem = List<User/Group> + List<AccessType> (4)
Wherein, the formula (1) indicates that each Policy is composed of Service, Resource, AllowACL and DenyACL.
Equations (2) and (3) each contain AccessItems; an AccessItem describes the relationship between a group of users and a group of access types, indicating permission to execute in AllowACL and denial of execution in DenyACL.
In equation (2), List<AccessItem> allow indicates the access list that the user group is allowed to execute, and List<AccessItem> allowException indicates the access list that one or more users in the user group are not allowed to execute. That is, in equation (2), AllowACL indicates the allowed access list for all users in the user group except one or several users.
Correspondingly, in equation (3), List<AccessItem> deny indicates the access list that is denied to the user group, and List<AccessItem> denyException indicates the access list that one or more users in the user group are nevertheless allowed to execute. That is, in equation (3), DenyACL denies access to all users in the user group except one or several users.
Specifically, as shown in equation (4), an AccessItem is composed of List<User/Group> and List<AccessType>, where List<User/Group> represents the list of users or user groups and List<AccessType> represents the list of access types.
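As an added example (not code from the patent, and not Apache Ranger's own implementation), the following Python models equations (1) to (4) and evaluates a request against a policy. The evaluation order, in which DenyACL is checked before AllowACL and an exception list carves users out of the list it belongs to, and the sample policy itself are assumptions made for this illustration.

```python
"""Added example: a minimal model of the "user-resource-right" policy
structure of equations (1)-(4).  Deny-before-allow evaluation and the
sample policy are assumptions for this example, not Ranger's code."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class AccessItem:
    """Equation (4): a set of users/groups and the access types it covers."""
    principals: Set[str]      # user names, or "group:<name>" labels
    access_types: Set[str]

    def matches(self, user: str, groups: Set[str], access_type: str) -> bool:
        names = {user} | {f"group:{g}" for g in groups}
        return access_type in self.access_types and bool(names & self.principals)


@dataclass
class ACL:
    """Equations (2)/(3): a list of items plus a list of exception items."""
    items: List[AccessItem] = field(default_factory=list)
    exceptions: List[AccessItem] = field(default_factory=list)

    def applies(self, user: str, groups: Set[str], access_type: str) -> bool:
        # The ACL applies when some item covers the request and no
        # exception item carves the user back out of it.
        hit = any(i.matches(user, groups, access_type) for i in self.items)
        excepted = any(e.matches(user, groups, access_type) for e in self.exceptions)
        return hit and not excepted


@dataclass
class Policy:
    """Equation (1): Service + Resource + AllowACL + DenyACL."""
    service: str
    resource: str
    allow: ACL
    deny: ACL


def evaluate(policies, service, resource, user, groups, access_type) -> bool:
    """True only if a policy for (service, resource) allows the access and
    no policy denies it.  Deny-wins ordering is an assumption of this example."""
    allowed = False
    for p in policies:
        if p.service != service or p.resource != resource:
            continue
        if p.deny.applies(user, groups, access_type):
            return False
        if p.allow.applies(user, groups, access_type):
            allowed = True
    return allowed


# Constructed sample policy: group "analysts" may read and write
# /data/reports, except that user "intern" may only read, and user
# "contractor" is explicitly denied write.
SAMPLE_POLICIES = [
    Policy(
        service="hdfs",
        resource="/data/reports",
        allow=ACL(
            items=[AccessItem({"group:analysts"}, {"read", "write"})],
            exceptions=[AccessItem({"intern"}, {"write"})],
        ),
        deny=ACL(items=[AccessItem({"contractor"}, {"write"})]),
    )
]


def check(user: str, groups, access_type: str, resource: str = "/data/reports") -> bool:
    """Evaluate one request against the constructed sample policy set."""
    return evaluate(SAMPLE_POLICIES, "hdfs", resource, user, set(groups), access_type)


if __name__ == "__main__":
    for user, groups, op in [("alice", ["analysts"], "write"),
                             ("intern", ["analysts"], "write"),
                             ("intern", ["analysts"], "read"),
                             ("contractor", ["analysts"], "write")]:
        print(user, op, "->", "allow" if check(user, groups, op) else "deny")
```

The exception lists are what make equations (2) and (3) more than plain allow and deny lists: "intern" is in the allowed group but is carved out of write by allowException, while "contractor" is in the same group and is refused by DenyACL regardless of the allow list.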
[Table 1: image not reproduced; columns Service, Resource, AccessType]
TABLE 1
Illustratively, AccessType represents a permission list; its specific meaning is shown in table 1.
Table 1 has three columns: Service, Resource and AccessType. Service represents the components in the big data platform; in this application HDFS, Hive and HBase are taken as examples. Resource represents the resources in the big data platform that users or user groups can access, and comprises Path, Database, Table, Column Family and Column. AccessType represents the operations that a user or user group can execute on a Resource through a Service, and comprises Read, Write, Execute, Select, Update, Create, Drop, Alter, Index, Lock and Admin.
The Path is used to indicate a Path for storing data, and the folder corresponding to the Path may store data or may not store data.
Database is used for representing the Database; table, used to represent tables in a database or namespace; column is used to represent a Column in a table of a database; column Family is used to represent a Family of columns, which may represent a combination of related columns in a database.
Read represents a read operation on the stored data; Write represents a write operation on the stored data; Execute is ignored for files and, for folders, indicates whether access to their contents is allowed.
Select represents a query scan of the whole table; Update represents an update operation on the table; Create represents creating a table; Drop represents deleting a table; Alter represents modifying a table; Index represents creating an index; Lock represents locking a table.
Admin, used for representing the execution of administrator operations.
Table 1 shows the operations of AccessType that a user or a group of users can perform on Resource through different services.
As can be seen from table 1, although the various components implement authority management on the stored data, the authority model used in that implementation defines the range of an AccessType at a coarse granularity and cannot satisfy the principle of "clear authority and minimum authority". For example, if user Z wants to write to file X saved under path Y, user Z may perform the following operations on file X: renaming, appending, downloading, truncating, deleting and so on. User Z may therefore misoperate file X; for example, user Z only needs to perform an append operation but can also perform a delete or download operation. For another example, when user Z frequently or maliciously performs some heavy operations (e.g., recursively deleting a directory), the number of Remote Procedure Call (RPC) requests increases, which increases the load on the system and may even cause the service component to go down, thereby increasing operation and maintenance cost. Therefore, the fixed, coarse granularity of the authority model makes authority vague and over-broad, so that malicious access to the stored data, and even tampering, can easily occur.
Therefore, an authority management mode with adjustable operation granularity is urgently needed, in which the corresponding authority management mode is generated from operations at an adjustable granularity, so that the threat of the fixed, coarse-grained authority management mode of the related art to the security of data stored in a big data platform is relieved.
The embodiment of the application provides an information processing method, which can be realized by an information processing device, in particular, a processor in the information processing device.
As shown in fig. 1, the information processing method provided in the embodiment of the present application may be implemented by the following steps:
Step 101: acquire an operation list.
The operation list is used for representing the operation with preset granularity which can be executed on the stored data.
In step 101, the stored data may represent data stored in a big data platform.
In one embodiment, the stored data may represent data stored in a big data platform of a certain type.
In one embodiment, the stored data may represent various types of data stored in a big data platform.
In one embodiment, the stored data may represent a certain type of data stored in a big data platform.
In one embodiment, the stored data may represent data stored in a certain manner in a big data platform, such as text information or multimedia data stored in the form of a database.
In one embodiment, the stored data may represent data stored under a path in a big data platform in a certain manner.
In step 101, the preset granularity may be used to represent a first granularity preset in the big data platform. The preset granularity is smaller than the granularity of the authority management mode in the component.
In one embodiment, the predetermined granularity is an adjustable granularity.
In one embodiment, the preset granularity may be a granularity corresponding to a data type, for example, a first type of data corresponds to a first preset granularity, and an nth type of data corresponds to an nth preset granularity, where N is an integer greater than or equal to 2.
In an embodiment, the preset granularity may be a granularity corresponding to a storage manner of the data, for example, the M1 storage manner corresponds to the K1 preset granularity. Wherein M1 is an integer greater than or equal to 1, and K1 is an integer greater than or equal to N.
In one embodiment, the preset granularity may be a granularity corresponding to a user or a group of users. For example, the M2 th user or user group corresponds to the K2 th preset granularity. Wherein M2 is an integer greater than or equal to 1, and K2 is an integer greater than or equal to K1.
In one embodiment, the preset granularity may also be a combination of one or more of the above preset granularity patterns.
In step 101, the operation list with the preset granularity may be an operation list with an adjustable granularity, where the adjustable granularity includes the operation list corresponding to the granularity corresponding to the data type, corresponding to the storage manner of the data, corresponding to the user or the user group, or obtained in one or more combinations of the foregoing manners.
Illustratively, the operation list of the preset granularity provided in the embodiment of the present application is shown as the AccessType and the AccessType specification in table 2.
As shown in Table 2, Table 2 has four columns: Service, Resource, AccessType and AccessType description.
[Table 2: image not reproduced; columns Service, Resource, AccessType, AccessType description]
TABLE 2
Parameters in table 2 with the same names as in table 1 have the same meanings and are not repeated here; the meanings of the parameters in AccessType are given in the fourth column, the AccessType description part of table 2, and are also not repeated here.
By comparing table 1 and table 2, it can be seen that in table 2 the number of AccessTypes for HDFS, HBase and Hive changes greatly. Taking HDFS as an example: in table 1 HDFS supports three access types, Read, Write and Execute; although these cover general operations on data, they are fewer in number and coarser in granularity than the access types HDFS has in table 2, where they include mkdir, rename, delete, list, create, upload, download, truncate and open. Of these, mkdir, rename, delete, create, upload, truncate and open are finer-grained forms of Write in table 1; that is, the AccessType of table 1 is divided at a finer granularity in table 2, and one or more of the divided types in table 2, or all of them, may be selected as needed.
Therefore, by partially or completely selecting various access types in different services in table 2, an executable operation list with a preset granularity, that is, an access type list corresponding to different services, can be obtained. The granularity of the operation list with the preset granularity obtained in the above manner is smaller than the granularity of the AccessType corresponding to different services in table 1.
Step 102: generate a first authority management mode based on the operation list.
The first authority management mode is used for representing a management mode of an operation which can be executed on the stored data based on the data request.
In step 102, the operation performed on the stored data may be any one of the operations in the AccessType list corresponding to different services in table 1.
In step 102, the operation performed on the stored data may be a combination of at least two operations in the AccessType list corresponding to different services in table 1.
In one embodiment, the operation performed on the stored data may be any one of the operations in the AccessType list corresponding to different services in table 2.
In one embodiment, the operation performed on the stored data may be a combination of at least two operations in the AccessType list corresponding to different services as in table 2.
In one embodiment, the operations that can be performed on the stored data may be one or more of the access type lists corresponding to different services in table 2, or a combination of several operations in the access type lists corresponding to different services in table 1.
In step 102, the first rights management mode may include a mode of managing permission or denial of the data request.
In one embodiment, the first rights management manner may represent a management manner of permission or rejection of a user corresponding to the data request.
In one embodiment, the first rights management manner may represent a management manner of permission or rejection of an operation corresponding to the data request.
In one embodiment, the first rights management method may represent a management method of permission or rejection of a combination of a user and an operation corresponding to the data request.
In an embodiment, the first permission management manner may be a fine-grained permission management manner corresponding to an AccessType list of different services in table 2.
Step 103: when a data request is detected, perform authority management on the data request based on the first authority management mode.
In step 103, when the data request is detected, the data request may be subjected to a preset granularity of rights management based on the first rights management manner.
In one embodiment, step 103 may be performed based on the first rights management method, and perform rights management on the data request corresponding to the data type and corresponding to the AccessType list of different services in table 2.
In one embodiment, step 103 may be performed based on the first rights management method, and perform rights management corresponding to the access type list of different services in table 2, corresponding to the data storage method for the data request.
In one embodiment, step 103 may be performed based on the first rights management method, and perform rights management on the data request corresponding to the user or the user group and corresponding to the AccessType list of different services in table 2.
In one embodiment, step 103, based on the first rights management mode, may be a combination of some or all of the above rights management modes.
In the information processing method provided by the embodiment of the application, the first authority management mode for performing authority management on the data request can be flexibly generated according to the operation list with the preset granularity, so that the defect of a fixed authority management mode in the related technology is overcome. In addition, when the granularity of the operation list is fine, the granularity of the correspondingly generated first authority management mode is refined in step; in this case the granularity of the authority management executed on the data request based on the first authority management mode is also finer, and the data security risk caused by authority management according to a fixed, coarse authority management mode in the related art is relieved.
Based on the foregoing embodiments, an embodiment of the present application provides an information processing method, as shown in fig. 2, the information processing method including the steps of:
step 201, obtaining an operation list.
The operation list is used for representing the operation with preset granularity which can be executed on the stored data.
Step 202, obtaining the information of the authority management component.
The authority management component information is used for representing information of a component for carrying out authority management on the data request.
In step 202, the component for performing rights management on the data request may include any one of the foregoing HDFS, HBase, and Hive.
In step 202, the rights management component information may be information including any one of the aforementioned HDFS, HBase, and Hive components.
In one embodiment, the rights management component information may represent information on how to perform rights management on the data request by any one of the rights management components.
In one embodiment, the rights management component information may be used to indicate information that is used by any one of the rights management components to perform a rights management procedure for the current data request.
In one embodiment, the rights management component information may be used to indicate information of any one of the rights management components that makes a code call to the data request that is performed for rights management.
Step 203, generating a first authority management mode based on the operation list and the authority management component information.
Illustratively, in step 203, the rights management component information may be configured based on the operation list, so as to generate the first rights management manner.
In one embodiment, step 203 may be to modify the rights management component information from the aspect of the flow of rights management based on the operation list, so as to generate the first rights management manner.
Illustratively, step 203 may be implemented by step A1-step A2:
step A1, based on the authority management component information, determining the second authority management mode.
And the second authority management mode is used for representing the preset authority management mode in the component corresponding to the authority management component information.
In step A1, the second rights management mode may be used to indicate the rights management mode currently used by the rights management component.
In an embodiment, the second rights management manner may be used to indicate a management manner for a certain data type in the rights management manners adopted by the current rights management component.
In an embodiment, the second rights management method may be used to indicate a management method for data stored in a specific storage method among rights management methods used by the current rights management component.
In an embodiment, the second rights management method may be used to indicate a management method for a certain user or user group in the dedicated rights management methods adopted by the current rights management component.
In one embodiment, the second rights management mode may be used to represent a combination of the above management modes.
In one embodiment, the second rights management manner may be a coarse-grained rights management manner currently adopted in the HDFS, HBase, and Hive components as described above.
Step A2, generating a first authority management mode based on the operation list and the second authority management mode.
For example, in step A2, the second rights management manner may be modified based on the operation list, so as to generate the first rights management manner.
In one embodiment, step A2 may be to reconfigure one or some links in the implementation process of the second rights management mode based on the operation list, so as to generate the first rights management mode.
In one embodiment, step A2 may be to modify a method call in the implementation process of the second rights management mode based on the operation list, so as to generate the first rights management mode.
In an embodiment, step A2 may be to modify the logic implementation of a method called in the implementation process of the second rights management mode based on the operation list, so as to generate the first rights management mode.
Specifically, the first authority management mode is generated based on the operation list and the implementation process of the second authority management mode, and the implementation differs slightly for each component.
For HDFS, the above process may be implemented by code injection: the abstract class INodeAttributeProvider, which HDFS provides for the inode attributes of the NameNode, is replaced by a user-defined RangerHdfsAuthorizer class; at the same time, the checkPermission method of the AccessControlEnforcer interface is implemented in that class, and the fine-grained authentication logic is implemented by modifying or rewriting the checkPermission method on the basis of each operation defined in the finer-grained permission model, i.e. the operation list, so that the permission matching against a user or user group is carried out in the checkPermission method.
For HBase and Hive, the above process can be implemented by extending their extensible interfaces. Specifically, for HBase and Hive the authentication logic in the access control interface is modified so that the defined permission model and the extensible permission model are embedded in the interface implementation method, whereby finer-grained permission management and control is achieved.
Step 204, when the data request is detected, performing authority management on the data request based on the first authority management mode.
As can be seen from the above, in the information processing method provided in the embodiment of the present application, the operation list and the rights management component information are obtained first, and the first rights management manner is generated from the operation list and the rights management component information, so that in the information processing method provided in the embodiment of the present application, the first rights management manner can be flexibly generated based on the operation list, and under the condition that the operation list is used to indicate fine-grained operation that can be performed on the stored data, the granularity of rights management when performing rights management on the received data request in the first rights management manner generated accordingly can also be refined correspondingly, thereby alleviating the threat to the security of the stored data by the fixed coarse-grained rights management in the related art.
Based on the foregoing embodiments, the present application provides an information processing method, as shown in fig. 3, which may be implemented by the following steps:
Step 301, acquiring an operation list.
The operation list is used for representing the operation with preset granularity which can be executed on the stored data.
Step 302, generating a first authority management mode based on the operation list.
The first authority management mode is used for representing a management mode for executing operation on the stored data based on the data request.
When a data request is detected, steps 303-304 are performed:
Step 303, analyzing the data request to obtain an analysis result.
In step 304, the analysis result includes account information carried in the data request and corresponding to the data request.
In one embodiment, the analysis result includes account information corresponding to the data request and target data corresponding to the data request, which are carried in the data request.
In one embodiment, the analysis result includes the account information corresponding to the data request, the requested target data, and the operation attempted on the target data, all of which are carried in the data request.
Step 304, performing authority management on the data request based on the first authority management mode and the analysis result.
Illustratively, in step 304, based on the first authority management manner, a certain parameter included in the analysis result is analyzed, so as to implement authority management on the data request.
In one embodiment, step 304 may be to analyze a combination of some parameters included in the analysis result based on the first authority management mode, so as to implement authority management on the data request.
Illustratively, step 304 may be implemented by step B1-step B2:
Step B1, obtaining the account identifier based on the analysis result.
In step B1, the account identifier is used to indicate the identifier of the account that sent the data request.
Step B2, performing authority management on the data request based on the first authority management mode and the account identifier.
In an embodiment, in step B2, the account identifier is matched and recognized based on the first rights management manner, so as to implement rights management on the data request.
In one embodiment, step B2 may be to perform matching and identification of the account information based on the first rights management manner, and thereby determine whether to allow or deny the data request.
Illustratively, step B2 may be implemented by steps C1-C3:
Step C1, acquiring the authority list based on the first authority management mode.
The permission list is used for representing the list of operations, associated with account information, that may be executed on the stored data.
In one embodiment, the permission list may include a list of operations that the user corresponding to all the account information may perform on the stored data.
In one embodiment, the permission list may include all account information and a list of operations that the user may perform on the stored data corresponding to all account information.
In one embodiment, the permission list may include all account information, a list of user-executable operations corresponding to all account information, and a set of user-executable target data corresponding to all account information.
In one embodiment, the permission list may include all account information, component information corresponding to the account information, an executable operation list corresponding to the account information, and a user-executable target data set corresponding to the account information.
In one embodiment, step C1 may be to obtain the authority list corresponding to the account information through the first authority management manner based on all the account information.
Illustratively, step C1 may also be implemented by steps D1-D2:
Step D1, acquiring the account identifier list.
The account identifier list is used for representing the set of account identifiers that may operate on the stored data.
In step D1, the account identifier list may include the set of all account identifiers that may operate on the stored data.
In one embodiment, the account identifier list may be used to represent the set of all account identifiers and account group identifiers that may operate on the stored data.
Step D2, determining the permission list based on the account identifier list and the operation list.
In step D2, the operation list may be used to represent a set of executable operations corresponding to each account id in the account id list.
In one embodiment, the operation list may be used to represent a set of executable operations corresponding to each account id in the account id list, and a set of non-executable operations.
In one embodiment, the operation list may include a set of operations having a correspondence relationship with the account identification list and a set of operations having no correspondence relationship with the account identification list.
Step C2, obtaining a matching result based on the authority list and the account identifier.
The matching result is used to indicate whether the authority list contains authority information corresponding to the account identifier.
In step C2, the account identifier may be matched against each account identifier in the account identifier list included in the permission list. If the match succeeds, the account corresponding to the current account identifier is a legitimate user, and the data request corresponding to the account information is allowed to operate on the stored data; otherwise, the account corresponding to the current account identifier is marked as an illegitimate user, and the data request corresponding to the account information is not allowed to access or operate on the stored data.
The above operation of step C2 may also be referred to as account authentication.
Step C3, performing authority management on the data request based on the matching result.
In step C3, performing rights management on the data request includes managing whether the data operation carried in the data request is allowed to execute.
In one mode, when performing authority management on the data request, the target data and the operation expected to be executed may be obtained from the data request, and the target data is then matched against the authority list; if the match succeeds, the current account information has legitimate access authority for the target data, otherwise the current account information does not have legitimate access authority for the target data.
On the basis of successful matching of the target data and the authority list, further matching the operation expected to be executed with an operation list corresponding to the target data in the authority list, and if the matching is successful, indicating that the expected operation can be executed on the target data; otherwise, it indicates that the desired operation cannot be performed on the target data.
In an embodiment, when the operation that is expected to be performed includes at least two types of operations, each type of operation needs to be matched with the authority list, and if any type of operation is successfully matched, it indicates that the current data request can perform a corresponding operation on the target data.
The present application further provides an implementation architecture diagram of the information processing method provided in the embodiment of the present application, as shown in fig. 4.
In fig. 4, LDAP and Active Directory (AD) are widely used as authentication servers; in the architecture of the information processing method provided in the embodiment of the present application, LDAP and AD are mainly used to manage user/user group information. LDAP is mainly used on Linux platforms and AD on Windows platforms.
In fig. 4, Representational State Transfer (REST) is used to provide an interactive interface to a data administrator or data owner, so that the data administrator or data owner of the cloud platform can manage data and its rights; and the Web User Interface (Web UI) is used for providing an interactive Interface for the User so that the User can access or operate the data of the cloud platform.
In fig. 4, the database (DB) is used to store the correspondence between users or user groups, operation lists and operable data, i.e. the permission list, and may also be used to store the data itself; HDFS implements the distributed file system; Solr, a full-text search server, is used for log storage.
In fig. 4, a component family is also included, among which there are the HDFS component, Hive component, HBase component, and Yarn component and Kafka component mentioned above.
In fig. 4, Ranger Usersync is mainly used to synchronize user or user group information to Ranger Admin.
In fig. 4, Ranger Admin is the core component: an independent process that can acquire user and user group information and can also receive data authority configuration information sent by the administrator and the data owner through REST; furthermore, it can store the data authority configuration information and the user and user group information in the DB, thereby obtaining the authority list. When the various components need to perform authority management on a data request, the authority list can be obtained from the DB, so that flexible fine-grained authority management is performed for the various components.
Specifically, the implementation flow of the information processing method provided by the embodiment of the present application in the framework shown in fig. 4 is as follows:
First, the authority list is stored in the DB. The permission list is a fine-grained permission list defined based on the Service-Resource-AccessType structure shown in table 2.
Secondly, the authority management flow in the various components is modified according to the definition of the AccessType column of the authority list, i.e. the operation list. Specifically, the plug-ins of the various components periodically obtain the permission list from the DB through Ranger Admin, and the operation list from the permission list; different types of components correspond to the different services in table 2. After the operation list is obtained, the authority management flow for the user is changed according to the operation types supported in the operation list. In addition, the various components also periodically record access audit logs.
Specifically, after receiving a data request, an implementation flow of the information processing method provided in the embodiment of the present application is shown in fig. 5. In fig. 5, the data request is first analyzed, the account information is obtained from the data request, and whether the account information is legal or not is detected, that is, identity authentication is performed; and if the account information is legal, namely the account information passes identity authentication, acquiring target data and operation executed on the target data from the data request, and then matching the operation and the authority list based on the target data, the operation required to be executed on the target data. If the matching is successful, allowing the target data to be operated, and returning an operation result; and if the matching fails, rejecting the operation and returning a rejection reason. And if the account information is illegal, namely the account information does not pass the identity authentication, directly returning an identity illegal authentication result.
Specifically, fig. 6 is a flowchart describing a data processing method provided in an embodiment of the present application, taking an example where a user sends a data download request to an HDFS.
In fig. 6, when a user wants to download a file from the HDFS system, the data request first arrives at the HDFS component. The component parses the data download request to obtain parameter information such as the account identifier, the target data and the operation to be performed on the target data, then calls the checkPermission method of the inner class RangerAccessControlEnforcer of the RangerHdfsAuthorizer class, which first determines whether the account identifier is legitimate, then determines whether the target data is accessible, and finally determines whether the operation to be performed on the target data is executable according to the AccessType list of the "Service-Resource-AccessType" definition in table 2; if so, the corresponding operation on the target data is allowed, otherwise access to the target data is refused. Meanwhile, the HDFS plug-in also records an audit log of the process, including both access and access-denied logs, through the RangerHdfsAuditHandler class.
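As an added illustration of steps C1-C3 and D1-D2 and of the decision flow in figs. 5-6, the following Python code is not from the patent or from Apache Ranger; the request format (`account=...;service=...;resource=...;ops=...`), the permission list, the account list, the group membership and the per-service operation lists are all constructed for this example. It authenticates the account identifier first, then matches the target data against the permission list (rules granted to the account or to one of its groups), then matches each requested operation against what the matching rules grant. A request naming an operation that no matching rule grants is denied as a whole, which is a stricter choice than the "any operation matched" reading of the text above. Every decision is written to an in-memory audit log covering both allowed and denied accesses, as the HDFS plug-in does in fig. 6.

```python
# Added example: a minimal fine-grained authorizer modelled on steps C1-C3 /
# D1-D2 and figs. 5-6.  Not the patent's or Apache Ranger's code; all names,
# the request format and the sample data below are constructed.
from dataclasses import dataclass, field

# Operation list per service, in the spirit of the AccessType column of
# table 2 (values constructed for this example, not the patent's table).
OPERATION_LIST = {
    "hdfs": {"read", "write", "execute"},
    "hive": {"select", "update", "create", "drop", "alter"},
    "hbase": {"read", "write", "create", "admin"},
}


@dataclass(frozen=True)
class Permission:
    """One row of the permission list (step C1): who may do what, where."""
    principal: str        # account identifier or group identifier
    service: str          # component the rule applies to
    resource: str         # path or table-name prefix of the target data
    access_types: frozenset


# Constructed permission list (what the DB holds in fig. 4).
PERMISSION_LIST = [
    Permission("alice", "hdfs", "/data/reports", frozenset({"read", "execute"})),
    Permission("analysts", "hive", "sales.orders", frozenset({"select"})),
    Permission("bob", "hbase", "events", frozenset({"read", "write"})),
]

# Account identifier list (step D1) and group membership, both constructed.
ACCOUNT_LIST = {"alice", "bob", "carol"}
GROUPS = {"alice": {"analysts"}, "carol": {"analysts"}, "bob": set()}


@dataclass
class DataRequest:
    account: str
    service: str
    resource: str
    operations: tuple


def parse_request(raw: str) -> DataRequest:
    """Step 303: turn a request line (constructed 'k=v;k=v' form) into fields."""
    fields = dict(item.split("=", 1) for item in raw.strip().split(";") if item)
    ops = tuple(op.strip() for op in fields.get("ops", "").split(",") if op.strip())
    return DataRequest(fields["account"], fields["service"], fields["resource"], ops)


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


def _covers(rule_resource: str, target: str) -> bool:
    """Match on whole path/name components: /data/reports must not cover /data/reports2."""
    if target == rule_resource:
        return True
    base = rule_resource.rstrip("/")
    return target.startswith(base + "/") or target.startswith(base + ":")


def _record(audit_log: list, req: DataRequest, allowed: bool, reason: str) -> Decision:
    """Write one audit entry (allow or deny) and wrap it in the decision."""
    entry = {"account": req.account, "service": req.service, "resource": req.resource,
             "operations": list(req.operations),
             "result": "allow" if allowed else "deny", "reason": reason}
    audit_log.append(entry)
    return Decision(allowed, reason, entry)


def authorize(req: DataRequest, audit_log: list) -> Decision:
    """Fig. 5 order: identity check, then target-data match, then per-operation match."""
    # Step C2: an unknown account is rejected before anything else is inspected.
    if req.account not in ACCOUNT_LIST:
        return _record(audit_log, req, False, "illegal identity")
    # Operation names must come from the service's operation list.
    defined = OPERATION_LIST.get(req.service, set())
    unknown = [op for op in req.operations if op not in defined]
    if not req.operations or unknown:
        return _record(audit_log, req, False, "undefined or missing operation")
    # Step C1: rules granted to this account or to any of its groups for this target.
    principals = {req.account} | GROUPS.get(req.account, set())
    rules = [p for p in PERMISSION_LIST
             if p.principal in principals and p.service == req.service
             and _covers(p.resource, req.resource)]
    if not rules:
        return _record(audit_log, req, False, "no access to target data")
    # Step C3: every requested operation must be granted by some matching rule.
    granted = set().union(*(p.access_types for p in rules))
    denied = sorted(op for op in req.operations if op not in granted)
    if denied:
        return _record(audit_log, req, False, "operation not permitted: " + ",".join(denied))
    return _record(audit_log, req, True, "allowed")


if __name__ == "__main__":
    log = []
    for line in ("account=alice;service=hdfs;resource=/data/reports/q1.csv;ops=read",
                 "account=alice;service=hdfs;resource=/data/reports/q1.csv;ops=read,write",
                 "account=mallory;service=hdfs;resource=/data/reports/q1.csv;ops=read"):
        print(authorize(parse_request(line), log).reason)
```

The ordering matters for what the audit log reveals: an unknown account never learns whether the target data exists, and an account without a matching rule never learns which operations the rule set defines.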
As can be seen from the above, the information processing method provided in the embodiment of the present application first obtains the operation list indicating the operations of preset granularity executable on the stored data, and then generates the first authority management manner based on the operation list; it can therefore flexibly generate a first authority management manner of matching granularity from an operation list of the preset granularity. When a data request is received, the data request is analyzed and authority management is performed on it based on the generated first authority management manner, so that when the operation list is fine-grained, fine-grained authority management of the data request is implemented. Therefore, the threat to data security posed by a fixed coarse-grained authority management mode in the related technology is relieved.
Based on the foregoing embodiments, the present application provides an information processing system 4. As shown in fig. 7, the information processing system 4 includes a processor 41, a memory 42 and a communication bus, wherein:
a communication bus for realizing communication connection between the processor 41 and the memory 42;
the processor 41 is configured to execute a program of an information processing method in the memory 42 to realize the steps of:
determining an operation list; the operation list is used for representing the executable operation with preset granularity on the stored data;
generating a first authority management mode based on the operation list; the first authority management mode is used for representing a management mode for executing operation on the stored data based on the data request;
and when the data request is detected, performing authority management on the data request based on the first authority management mode.
The processor 41 is configured to execute a program of an information processing method in the memory 42 to realize the steps of:
generating a first authority management mode based on the operation list, wherein the first authority management mode comprises the following steps:
acquiring authority management component information; the authority management component information is used for representing information of a component for carrying out authority management on the data request;
and generating a first authority management mode based on the operation list and the authority management component information.
The processor 41 is configured to execute a program of an information processing method in the memory 42 to realize the steps of:
generating a first authority management mode based on the operation list and the authority management component information, wherein the first authority management mode comprises the following steps:
determining a second authority management mode based on the authority management component information; the second authority management mode is used for representing the preset authority management mode in the component corresponding to the authority management component information;
and generating a first authority management mode based on the operation list and the second authority management mode.
The processor 41 is configured to execute a program of an information processing method in the memory 42 to realize the steps of:
based on the first authority management mode, the authority management of the data request comprises the following steps:
analyzing the data request to obtain an analysis result;
and performing authority management on the data request based on the first authority management mode and the analysis result.
The processor 41 is configured to execute a program of an information processing method in the memory 42 to realize the steps of:
and based on the first authority management mode and the analysis result, carrying out authority management on the data request, wherein the authority management comprises the following steps:
obtaining an account identifier based on the analysis result;
and performing authority management on the data request based on the first authority management mode and the account identification.
The processor 41 is configured to execute a program of an information processing method in the memory 42 to realize the steps of:
and based on the first authority management mode and the account identification, carrying out authority management on the data request, wherein the authority management comprises the following steps:
acquiring a permission list based on a first permission management mode; the authority list is used for representing an executable operation list which is associated with the account information and is used for storing data;
obtaining a matching result based on the authority list and the account identifier; the matching result is used for indicating whether authority information corresponding to the account identification exists in the authority list or not;
and performing authority management on the data request based on the matching result.
The processor 41 is configured to execute a program of an information processing method in the memory 42 to realize the steps of:
acquiring an account identifier list; the account identification list is used for representing an account identification set capable of operating the stored data;
and determining the permission list based on the account identification list and the operation list.
In practical applications, the Processor 41 may be at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a Central Processing Unit (CPU), a controller, a microcontroller, and a microprocessor. The memory 42 may be a volatile memory (RAM); or a non-volatile memory (non-volatile memory) such as a ROM, a flash memory (flash memory), a Hard Disk (Hard Disk Drive, HDD) or a Solid-State Drive (SSD); or a combination of the above types of memories and provides instructions and data to the processor 41.
Therefore, in the information processing system provided by the embodiment of the application, the first authority management mode for performing authority management on the data request can be flexibly generated according to the operation list with the preset granularity, so that the defect of fixed authority management mode in the related technology is overcome; in addition, under the condition that the granularity of the operation list is fine, the granularity of the generated first authority management mode can be synchronously refined, in this case, the fineness of the granularity of the authority management executed on the data request based on the first authority management mode is also improved, so that the data security risk caused by the authority management of the rough authority management mode in the related art is relieved.
Based on the foregoing embodiments, an embodiment of the present application provides an information processing apparatus 5, as shown in fig. 8, the information processing apparatus 5 including: an acquisition module 51 and a processing module 52, wherein:
the obtaining module 51 is configured to obtain an operation list; the operation list is used for representing executable operation with preset granularity on the stored data;
the processing module 52 is configured to generate a first rights management manner based on the operation list;
the processing module 52 is further configured to perform, when a data request is detected, right management on the data request based on the first right management manner; the first authority management mode is used for representing a management mode for executing operation on the stored data based on the data request.
The processing module 52 is configured to generate a first rights management manner based on the operation list, and includes:
the processing module 52 is configured to obtain rights management component information; wherein the rights management component information is information indicating a component that performs rights management for the data request;
the processing module 52 is configured to generate the first rights management manner based on the operation list and the rights management component information.
The processing module 52 is configured to generate the first rights management manner based on the operation list and the rights management component information, and includes:
the processing module 52 is configured to determine a second rights management manner based on the rights management component information; the second authority management mode is used for representing a preset authority management mode in a component corresponding to the authority management component information;
the processing module 52 is configured to generate the first rights management manner based on the operation list and the second rights management manner.
The processing module 52 is configured to perform rights management on the data request based on the first rights management manner, and includes:
the processing module 52 is configured to analyze the data request to obtain an analysis result;
the processing module 52 is configured to perform rights management on the data request based on the first rights management manner and the analysis result.
The processing module 52 is configured to perform rights management on the data request based on the first rights management manner and the analysis result, and includes:
the processing module 52 is configured to obtain an account identifier based on the analysis result;
the processing module 52 is configured to perform rights management on the data request based on the first rights management manner and the account identifier.
The processing module 52 is configured to perform authority management on the data request based on the first authority management mode and the account identifier, and includes:
the processing module 52 is configured to obtain a permission list based on the first authority management mode; the permission list represents, for each account, the operations that the account may execute on the stored data;
the processing module 52 is configured to obtain a matching result based on the permission list and the account identifier; the matching result indicates whether authority information corresponding to the account identifier exists in the permission list;
the processing module 52 is configured to perform authority management on the data request based on the matching result.
The processing module 52 is configured to obtain an account identifier list; the account identifier list represents the set of account identifiers permitted to operate on the stored data;
the processing module 52 is configured to determine the permission list based on the account identifier list and the operation list.
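The flow just described (an operation list of preset granularity, a component preset mode that the generated mode must respect, a permission list derived from the account identifier list, then parsing a data request and matching its account identifier), as an added illustration in Python that is not part of the patent; the request syntax, object names, accounts and grants are assumptions constructed for the example.

```python
# Added illustration of the claimed flow, not the patent's own code. All
# objects, accounts, grants and the request syntax below are constructed.
OPERATION_LIST = {  # (stored-data object, operation) pairs, column granularity
    ("orders", "read"), ("orders", "write"),
    ("orders.customer_id", "read"), ("orders.card_number", "read"),
}
# Second (component-preset) mode, modelled as operations the storage component
# never permits regardless of account.
COMPONENT_PRESET_DENY = {("orders.card_number", "read")}
ACCOUNT_LIST = {"analyst", "etl_job"}  # account identifier list
GRANTS = {  # requested grants; "intruder" is deliberately not in ACCOUNT_LIST
    "analyst": {("orders", "read"), ("orders.customer_id", "read"),
                ("orders.card_number", "read")},
    "etl_job": {("orders", "read"), ("orders", "write")},
    "intruder": {("orders", "read")},
}

def build_permission_list(account_list, operation_list, grants, preset_deny):
    """First mode: account -> executable (object, op) pairs.  Only operations in
    the operation list, not blocked by the preset, and only for accounts in the
    account list survive; everything else is denied by construction."""
    allowed_ops = operation_list - preset_deny
    return {acct: {p for p in grants.get(acct, set()) if p in allowed_ops}
            for acct in account_list}

def parse_request(raw):
    """Analysis result for 'account=<id>;op=<op>;object=<obj>'; a request
    missing any field is rejected so it cannot match by accident."""
    fields = dict(kv.split("=", 1) for kv in raw.split(";") if "=" in kv)
    for key in ("account", "op", "object"):
        if not fields.get(key):
            raise ValueError(f"malformed data request: missing {key}")
    return fields

def match(permission_list, analysis):
    """Matching result: True only if the account identifier exists in the
    permission list and the requested (object, op) is among its operations."""
    entry = permission_list.get(analysis["account"])
    return entry is not None and (analysis["object"], analysis["op"]) in entry

def manage_request(raw, permission_list):
    """Rights management on one data request: 'allow' or 'deny'."""
    try:
        analysis = parse_request(raw)
    except ValueError:
        return "deny"
    return "allow" if match(permission_list, analysis) else "deny"

PERMISSION_LIST = build_permission_list(ACCOUNT_LIST, OPERATION_LIST, GRANTS, COMPONENT_PRESET_DENY)
```

Refining OPERATION_LIST (for example adding row- or field-level entries) refines the generated permission list in step, which is the granularity argument the description makes.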
In practical applications, the obtaining module 51 and the processing module 52 may be implemented by a processor located in an electronic device, where the processor is at least one of an ASIC, a DSP, a DSPD, a PLD, an FPGA, a CPU, a controller, a microcontroller, and a microprocessor.
Therefore, the information processing device provided by this embodiment of the application can flexibly generate, from an operation list of preset granularity, the first authority management mode used to perform authority management on data requests, which overcomes the fixed authority management mode of the related art. In addition, when the operation list is fine-grained, the generated first authority management mode is correspondingly fine-grained, so the authority management performed on data requests based on it is finer as well; this mitigates the data security risk that coarse-grained authority management causes in the related art.
The present embodiment also provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor of an information processing apparatus, implements the information processing method according to any one of the previous embodiments.
In some embodiments, functions of or modules included in the apparatus provided in the embodiments of the present invention may be used to execute the method described in the above method embodiments, and specific implementation thereof may refer to the description of the above method embodiments, and for brevity, will not be described again here.
The foregoing description of the various embodiments is intended to highlight various differences between the embodiments, and the same or similar parts may be referred to each other, and for brevity, will not be described again herein.
The methods disclosed in the method embodiments provided by the present application can be combined arbitrarily without conflict to obtain new method embodiments.
Features disclosed in various product embodiments provided by the application can be combined arbitrarily to obtain new product embodiments without conflict.
The features disclosed in the various method or apparatus embodiments provided herein may be combined in any combination to arrive at new method or apparatus embodiments without conflict.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. An information processing method, characterized in that the method comprises:
acquiring an operation list; the operation list is used for representing operations with preset granularity which can be executed on the stored data;
generating a first authority management mode based on the operation list; the first authority management mode is used for representing a management mode for executing operation on the stored data based on a data request;
and when a data request is detected, performing authority management on the data request based on the first authority management mode.
2. The method according to claim 1, wherein the generating a first rights management manner based on the operation list comprises:
acquiring authority management component information; wherein the rights management component information is information indicating a component that performs rights management for the data request;
and generating the first authority management mode based on the operation list and the authority management component information.
3. The method according to claim 2, wherein the generating the first rights management manner based on the operation list and the rights management component information comprises:
determining a second authority management mode based on the authority management component information; the second authority management mode is used for representing a preset authority management mode in a component corresponding to the authority management component information;
and generating the first authority management mode based on the operation list and the second authority management mode.
4. The method according to claim 1, wherein the performing rights management on the data request based on the first rights management manner includes:
analyzing the data request to obtain an analysis result;
and performing authority management on the data request based on the first authority management mode and the analysis result.
5. The method according to claim 4, wherein the performing rights management on the data request based on the first rights management manner and the analysis result includes:
obtaining an account identifier based on the analysis result;
and performing authority management on the data request based on the first authority management mode and the account identifier.
6. The method of claim 5, wherein the performing rights management on the data request based on the first rights management manner and the account identifier comprises:
acquiring a permission list based on the first authority management mode; the permission list represents, for each account, the operations that the account may execute on the stored data;
obtaining a matching result based on the permission list and the account identifier; the matching result is used for indicating whether authority information corresponding to the account identification exists in the authority list or not;
and performing authority management on the data request based on the matching result.
7. The method of claim 6, further comprising:
acquiring an account identifier list; the account identifier list represents the set of account identifiers permitted to operate on the stored data;
determining the permission list based on the account identification list and the operation list.
8. An information processing system, the system comprising: a processor, a memory, and a communication bus; wherein:
the communication bus is used for realizing communication connection between the processor and the memory;
the processor is used for executing the program of the information processing method in the memory to realize the following steps:
determining an operation list; the operation list is used for representing executable operation with preset granularity on the stored data;
generating a first authority management mode based on the operation list; the first authority management mode is used for representing a management mode for executing operation on the stored data based on a data request;
and when a data request is detected, performing authority management on the data request based on the first authority management mode.
9. An information processing apparatus characterized by comprising: the device comprises an acquisition module and a processing module; wherein:
the acquisition module is used for acquiring an operation list; the operation list is used for representing executable operation with preset granularity on the stored data;
the processing module is used for generating a first authority management mode based on the operation list;
the processing module is further configured to perform, when a data request is detected, right management on the data request based on the first right management manner; the first authority management mode is used for representing a management mode for executing operation on the stored data based on the data request.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program realizes the information processing method of any one of claims 1 to 7 when executed by a processor of an information processing apparatus.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010451709.9A CN113722723A (en) 2020-05-25 2020-05-25 Information processing method, system, equipment and computer storage medium

Publications (1)

Publication Number Publication Date
CN113722723A true CN113722723A (en) 2021-11-30

Family

ID=78671203

Country Status (1)

Country Link
CN (1) CN113722723A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150200943A1 (en) * 2014-01-13 2015-07-16 Oracle International Corporation Access policy harvesting
CN107196951A (en) * 2017-06-12 2017-09-22 北京明朝万达科技股份有限公司 Implementation method and firewall system for an HDFS system firewall
CN108280367A (en) * 2018-01-22 2018-07-13 腾讯科技(深圳)有限公司 Management method, apparatus, computing device and storage medium for data operation permissions
CN109525593A (en) * 2018-12-20 2019-03-26 中科曙光国际信息产业有限公司 Centralized security management and control system and method for a Hadoop big data platform
CN110519285A (en) * 2019-08-30 2019-11-29 浙江大搜车软件技术有限公司 User authentication method, apparatus, computer device and storage medium
US20200028838A1 (en) * 2017-09-14 2020-01-23 Tencent Technology (Shenzhen) Company Ltd Account authentication method for cloud storage, and server

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘东; 王文婷: "Research and Practice of a Security Management and Control System for Big Data Platforms", 电信网技术, no. 04, 15 April 2017 (2017-04-15) *
王文杰; 胡柏青; 刘驰: "A Survey of Open-Source Big Data Governance and Security Software", 信息网络安全, no. 05, 10 May 2017 (2017-05-10) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination