CN113810484A - File request processing method and device, computer equipment and storage medium - Google Patents

File request processing method and device, computer equipment and storage medium Download PDF

Info

Publication number
CN113810484A
CN113810484A (application CN202111064373.1A)
Authority
CN
China
Prior art keywords
file
protected
file request
request
identifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111064373.1A
Other languages
Chinese (zh)
Inventor
张欣
冯鹏龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Yunzhijia Network Co ltd
Original Assignee
Shenzhen Yunzhijia Network Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Yunzhijia Network Co ltd
Priority to CN202111064373.1A
Publication of CN113810484A
Legal status: Pending

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols; H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks; H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/08 for authentication of entities
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/10 for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a file request processing method, a file request processing device, computer equipment and a storage medium. The method comprises the following steps: receiving a file request forwarded by a terminal through a gateway; under the condition that the terminal belongs to a protected network area, the file request carries a protected identifier which is added by the gateway and corresponds to the protected network area; under the condition that the file request is used for uploading files, when the file request carries the protected identification, storing the files specified by the file request, and recording the protected identification corresponding to the files; and under the condition that the file request is used for accessing the file, when the file request carries the protected identifier and the protected identifier is correspondingly recorded in the file specified by the file request, triggering to access the file. By adopting the method, the efficiency of processing the file request can be improved.

Description

File request processing method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for processing a file request, a computer device, and a storage medium.
Background
With the development of computer technology, a user can access files stored in a public cloud anytime and anywhere through a terminal. In order to enable the advantages of the public cloud used anytime and anywhere to be unaffected and enable the file to have confidentiality, the current method is to limit the physical address of the terminal of the user so as to limit the user to access only the file allowed to be accessed by the physical address of the terminal.
However, the user is restricted from accessing the files of the public cloud by restricting the terminal physical address of the user, and a large amount of work is required for the staff to maintain the data table storing the terminal physical address of the user, so that the request processing efficiency for the files on the public cloud is reduced.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a file request processing method, device, computer device, and storage medium capable of improving efficiency.
A method of file request processing, the method comprising:
receiving a file request forwarded by a terminal through a gateway; under the condition that the terminal belongs to a protected network area, the file request carries a protected identifier which is added by the gateway and corresponds to the protected network area;
under the condition that the file request is used for uploading files, when the file request carries the protected identification, storing the files specified by the file request, and recording the protected identification corresponding to the files;
and under the condition that the file request is used for accessing the file, when the file request carries the protected identifier and the protected identifier is correspondingly recorded in the file specified by the file request, triggering to access the file.
In one embodiment, when the egress network address corresponding to the terminal exists in a gateway data table accessed by the gateway, the file request carries a protected identifier added by the gateway, and the added protected identifier is the one that the gateway data table associates with the egress network address corresponding to the terminal; the gateway data table stores the egress network addresses of protected network areas together with their corresponding protected identifiers.
In one embodiment, the added protected identifier is obtained as follows: when the egress network address corresponding to the terminal exists in the gateway data table accessed by the gateway, the gateway reads the protected identifier corresponding to that egress network address from the gateway data table and adds the read protected identifier to a preset idle attribute field in the request header of the file request.
In one embodiment, when the file request is used to upload a file and the file request carries the protected identifier, the storing the file specified by the file request and recording the protected identifier corresponding to the file includes:
under the condition that the file request is used for uploading a file, when the file request carries the protected identifier, correspondingly storing the file meta-attribute information of the file specified by the file request and the protected identifier, and storing the file corresponding to the file meta-attribute information;
when the file request is used to access a file, and the file request carries the protected identifier and the protected identifier is recorded in a file corresponding to the file specified by the file request, triggering access to the file includes:
and under the condition that the file request is used for accessing the file, when the file request carries the protected identifier and the file meta-attribute information of the file specified by the file request is consistent with the stored file meta-attribute information, triggering to access the file according to the file meta-attribute information.
In one embodiment, the method further comprises:
and when the file request is used for accessing the file, and when the protected identifier carried by the file request is inconsistent with the protected identifier recorded corresponding to the file specified by the file request, the access is denied and access failure information is returned.
In one embodiment, the method further comprises:
and in the case that the file request is used for accessing the file, when the exit network address of the file request is not originated from the protected network area and the file specified by the file request records a protected identifier, denying access and returning access failure information.
In one embodiment, the method further comprises:
and under the condition that the file request is used for accessing the file, when the file request does not carry the protected identifier and the protected identifier is not recorded in the file specified by the file request, triggering to access the file.
A file request processing apparatus, the apparatus comprising:
the receiving module is used for receiving a file request forwarded by the terminal through the gateway; under the condition that the terminal belongs to a protected network area, the file request carries a protected identifier which is added by the gateway and corresponds to the protected network area;
a storage module, configured to store a file specified by the file request when the file request carries the protected identifier and record the protected identifier corresponding to the file, where the file request is used to upload a file;
and the access module is used for triggering the access to the file when the file request carries the protected identifier and the protected identifier is recorded in the file specified by the file request under the condition that the file request is used for accessing the file.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
receiving a file request forwarded by a terminal through a gateway; under the condition that the terminal belongs to a protected network area, the file request carries a protected identifier which is added by the gateway and corresponds to the protected network area;
under the condition that the file request is used for uploading files, when the file request carries the protected identification, storing the files specified by the file request, and recording the protected identification corresponding to the files;
and under the condition that the file request is used for accessing the file, when the file request carries the protected identifier and the protected identifier is correspondingly recorded in the file specified by the file request, triggering to access the file.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
receiving a file request forwarded by a terminal through a gateway; under the condition that the terminal belongs to a protected network area, the file request carries a protected identifier which is added by the gateway and corresponds to the protected network area;
under the condition that the file request is used for uploading files, when the file request carries the protected identification, storing the files specified by the file request, and recording the protected identification corresponding to the files;
and under the condition that the file request is used for accessing the file, when the file request carries the protected identifier and the protected identifier is correspondingly recorded in the file specified by the file request, triggering to access the file.
According to the file request processing method, the file request processing device, the computer equipment and the storage medium, the gateway adds the protected identification to the file request of the terminal belonging to the protected network area, so that the file request of the terminal belonging to the protected network area can be distinguished without the need of more workload consumed by workers to maintain the data table storing the physical address of the terminal of the user. In the case that the file request belonging to the protected network area is for uploading a file, the file specified by the file request may be directly stored, and the protected identifier may be recorded in correspondence to the file, so that in the case that the file request belonging to the corresponding protected network area is for accessing a file in which the protected identifier corresponding to the protected network area is recorded, access to the file is directly triggered. Therefore, a worker does not need to add or delete the physical address of the terminal from the data table, and as long as the terminal sends the file request belonging to the protected network area, the file request can be distinguished from the file request belonging to the unprotected network area, so that the processing efficiency of the file request is improved.
Drawings
FIG. 1 is a diagram of an application environment in which a file request processing method is implemented in one embodiment;
FIG. 2 is a flowchart illustrating a file request processing method according to an embodiment;
FIG. 3 is a flow diagram of a method for processing a protected network area file request in one embodiment;
FIG. 4 is a block diagram of a file request processing method in one embodiment;
FIG. 5 is a flow diagram of a method for unprotected network area file request processing in one embodiment;
FIG. 6 is a block diagram showing the construction of a file request processing apparatus according to one embodiment;
FIG. 7 is a diagram illustrating an internal structure of a computer device according to an embodiment;
FIG. 8 is an internal structural view of a computer device in another embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The file request processing method provided by the application can be applied to the application environment shown in fig. 1. The terminal 102 communicates with the gateway 104 through a network, and the gateway 104 communicates with the public cloud 106 through the network. Public cloud 106 receives file requests that the terminal forwards through gateway 104. In the case where the terminal belongs to a protected network area, the file request carries a protected identifier corresponding to the protected network area, which is added by the gateway 104. Under the condition that the file request is used for uploading the file, when the file request carries the protected identifier, the public cloud 106 stores the file specified by the file request, and records the protected identifier corresponding to the file. Under the condition that the file request is used for accessing the file, when the file request carries the protected identifier and the protected identifier is recorded in the file specified by the file request, the public cloud 106 triggers to access the file. The terminal 102 may be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices. Public cloud 106 provides shared resource services over the internet, and it is understood that hardware support may be provided for the public cloud by a cluster of servers. The gateway 104 may be implemented with an intelligent router having gateway functionality or with a dedicated gateway product.
In one embodiment, as shown in fig. 2, a file request processing method is provided, which is described by taking the application of the method to the public cloud in fig. 1 as an example, and includes the following steps:
step 202, receiving a file request forwarded by a terminal through a gateway; and under the condition that the terminal belongs to the protected network area, the file request carries a protected identifier which is added by the gateway and corresponds to the protected network area.
The file request is a request for a file on a public cloud. It is to be appreciated that the file request can be used to upload the file to the public cloud, as well as to download/access the file from the public cloud. The protected network area is a network area protected by the authority. The protected identifier is an identifier corresponding to the network area protected by the authority. It will be appreciated that a protected network region corresponds to a unique protected identity. The file specified by the file request includes a file of a public cloud.
Specifically, the terminal sends a file request through the gateway. The gateway intercepts the file request sent by the terminal; if its egress network address belongs to the protected network area, the gateway adds the protected identifier corresponding to that protected network area to the file request and forwards the file request to the public cloud. The public cloud receives the file request forwarded through the gateway. The egress network address is the network address from which the file request originates. It can be understood that, after receiving the file request, the public cloud may return the file corresponding to the file request to that egress network address.
In one embodiment, the user may partition the protected network area by an egress network address within a preset range. For example, the egress network addresses in the range of 172.16.0.0-172.31.255.255 are divided into a protected network region. The user may also bind a local area network to an egress network address and treat the local area network as a protected network area. For example, the egress network addresses of several terminals using the local area network are 172.16.0.0, and the network area to which these several terminals belong can be regarded as a protected network area. One terminal may be assigned one egress network address, or may be assigned a plurality of egress network addresses.
In one embodiment, a company may have a research and development department as well as a non-research and development department. The terminals of the research and development department all use the same export network address, and the network area to which the terminals of the research and development department belong can be used as a protected network area. For example, the terminals of the research and development department all use the same egress network address 172.16.0.0, and the network area to which the terminals belong can be regarded as a protected network area. The gateway may add a protected identity corresponding to the protected network area whenever a file request is sent by a terminal of a research and development department.
In one embodiment, the Service mode of the public cloud may be a Software-as-a-Service (SAAS) Service mode, an infrastructure as a Service (IaaS) Service mode, or a platform as a Service (PaaS) Service mode.
In one embodiment, the protected identifier may be added by adding an attribute to the request header of the file request, for example Security-Domain: KDRD, where KDRD is a protected identifier.
In one embodiment, the gateway functionality may be implemented using a seven-layer (application-layer) access device, or using OpenResty together with Lua. OpenResty is a scalable web platform based on NGINX, and NGINX is a reverse proxy server. Lua is a scripting language designed to be embedded in applications, giving them flexible extension and customization capabilities.
Step 204, under the condition that the file request is used for uploading the file, when the file request carries the protected identifier, storing the file specified by the file request, and recording the protected identifier corresponding to the file.
It is to be understood that the file request is for uploading a file, and means that the file request is for requesting uploading a specified file to the public cloud. Storing the file specified by the file request means storing the file specified by the file request in the public cloud.
Specifically, after receiving the file request forwarded through the gateway, the public cloud analyzes the file request. If analysis shows that the file request is for uploading a file and the file request carries the protected identifier, the public cloud stores the file specified by the file request and records the protected identifier corresponding to the file. In one embodiment, a company may have a research and development department as well as a non-research and development department. The network area to which the terminals of the research and development department belong is a protected network area. When a file request sent by a terminal of the research and development department is for uploading a file and carries the protected identifier corresponding to the protected network area to which that terminal belongs, the public cloud stores the file specified by the file request and records the protected identifier corresponding to the file.
Step 206, under the condition that the file request is used for accessing the file, when the file request carries the protected identifier and the file specified by the file request has the protected identifier recorded correspondingly, the specified file is triggered to be accessed.
It is to be understood that a file request for accessing a file refers to a file request for accessing a specified file on a public cloud. Triggering access to the specified file refers to triggering access to the file specified by the file request from the public cloud.
Specifically, after receiving the file request forwarded through the gateway, the public cloud analyzes the file request. Under the condition that the file request is analyzed to be used for accessing the file, when the file request carries a protected identifier corresponding to a protected network area to which a terminal of a research and development department belongs and a protected identifier is recorded in correspondence to a file specified by the file request, the public cloud triggers access to the specified file stored on the public cloud.
In one embodiment, a company may have a research and development department as well as a non-research and development department. The network area to which the terminal of the research and development department belongs is a protected network area. Under the condition that a file request sent by a terminal of a research and development department is used for accessing a file, when the file request carries a protected identifier corresponding to a protected network area to which the terminal of the research and development department belongs and a protected identifier is correspondingly recorded in a file specified by the file request, the public cloud triggers access to the specified file stored in the public cloud.
FIG. 3 is a flow diagram of a method for processing a protected network area file request in one embodiment. As shown in fig. 3, when the terminal is used by a user to send a file request for downloading resources in a protected network area of a company, the gateway obtains the file request and adds a protected identifier. The gateway forwards the file request with the added protected identifier to a file service of the public cloud. And the public cloud acquires the file specified by the file request from the memory and returns the file to the gateway through the file service. The gateway returns the file specified by the file request to the terminal.
In the file request processing method, the gateway adds the protected identifier to the file request of the terminal belonging to the protected network area, so that the file request of the terminal belonging to the protected network area can be distinguished without the need of more workload of workers to maintain the data table storing the terminal physical address of the user. In the case that the file request belonging to the protected network area is for uploading a file, the file specified by the file request may be directly stored, and the protected identifier may be recorded in correspondence to the file, so that in the case that the file request belonging to the corresponding protected network area is for accessing a file in which the protected identifier corresponding to the protected network area is recorded, access to the file is directly triggered. Therefore, a worker does not need to add or delete the physical address of the terminal from the data table, and as long as the terminal sends the file request belonging to the protected network area, the file request can be distinguished from the file request belonging to the unprotected network area, so that the processing efficiency of the file request is improved.
In one embodiment, when the egress network address corresponding to the terminal exists in a gateway data table accessed by the gateway, the file request carries a protected identifier added by the gateway, and the added protected identifier corresponds to the egress network address corresponding to the terminal in the gateway data table; the gateway data table correspondingly stores the exit network address of the protected network area and the corresponding protected identifier.
The gateway data table is a data structure table storing gateway data.
Specifically, after obtaining the egress network address corresponding to the terminal, the gateway accesses the gateway data table and matches the egress network address against it. Because the gateway data table stores the egress network addresses of protected network areas together with their corresponding protected identifiers, when the egress network address corresponding to the terminal exists in the gateway data table the gateway can recognize it as the egress network address of a protected network area. The gateway then obtains from the gateway data table the protected identifier corresponding to that egress network address and adds it to the file request.
In one embodiment, the gateway data table may be stored in the gateway, may be stored in a service, and may be stored in a storage space accessible to the gateway, such as a public cloud.
FIG. 4 is an architecture diagram of a file request processing method in one embodiment. The terminal sends a file request for uploading resource a via the egress network address of the unprotected network area. And the gateway acquires the file request for uploading the resource A, and if the gateway data table does not identify that the exit network address is the exit network address of the protected network area, the gateway forwards the file request for uploading the resource A to the file service of the public cloud. The file service of the public cloud then stores resource a in memory. And the terminal sends a file request for uploading the resource B through the exit network address of the protected network area to which the terminal belongs. And the gateway acquires a file request for uploading the resource B, and if the visited gateway data table identifies that the exit network address is the exit network address of the protected network area, adds a protected identifier B corresponding to the exit network address to the file request, and forwards the file request to the file service of the public cloud. The file service of the public cloud then stores the protected identity B and the resource B in memory.
In this embodiment, the gateway adds or withholds the protected identifier depending on the egress network address of the file request, so the gateway acts as an intermediate authenticator and files on the public cloud are effectively managed.
In an embodiment, the added protected identifier is obtained by adding, when the egress network address corresponding to the terminal exists in the gateway data table accessed by the gateway, the read protected identifier to a preset idle attribute field in a request header of the file request after the gateway reads the protected identifier corresponding to the egress network address corresponding to the terminal from the gateway data table.
The preset idle attribute field is an attribute field of the request header that is set aside in advance and not otherwise used by the file request.
Specifically, the gateway data table correspondingly stores the exit network address of the protected network area and the corresponding protected identifier, and if the gateway matches the exit network address from the accessed gateway data table, it can be recognized that the exit network address is the exit network address of the protected network area and the protected identifier needs to be added. The gateway may obtain a protected identifier corresponding to the egress network address corresponding to the terminal in the gateway data table, read a preset idle attribute field in a request header of the file request, and add the protected identifier to the preset idle attribute field.
In one embodiment, the preset free attribute field may be an unused attribute field in a request header of the file request, such as an "authentication information" attribute field.
In one embodiment, the gateway may obtain a protected identifier corresponding to the egress network address corresponding to the terminal in the gateway data table, read the "authentication information" attribute field in the file request header, and add the protected identifier to the "authentication information" attribute field.
In the embodiment, the protected identifier is added to the preset idle attribute field in the request header of the file request through the gateway, and a user does not need to edit a new attribute field, so that the workload of the user is effectively reduced, and the storage resources are effectively saved.
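The gateway-side behaviour described in the embodiments above (a gateway data table keyed by egress network address, the lookup against it, and writing the matched protected identifier into an otherwise unused request-header attribute) as an added example in Python. This is not code from the patent or from the assignee. It assumes a header named Security-Domain as the idle attribute field (the page names that attribute in one embodiment and an "authentication information" field in another), takes the 172.16.0.0-172.31.255.255 range and the KDRD identifier from the text, and the second table entry is constructed for illustration. As a defensive design choice the example also discards any value the client itself placed in that header before the gateway assigns its own, so the file service only ever sees gateway-assigned identifiers.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed gateway data table: egress address ranges of protected network
# areas mapped to their protected identifier. The first entry is the range and
# identifier given on the page (172.16.0.0-172.31.255.255 is 172.16.0.0/12);
# the second is a made-up additional protected area.
GATEWAY_DATA_TABLE: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("172.16.0.0/12"), "KDRD"),
    (ipaddress.ip_network("10.20.30.0/24"), "KDFIN"),  # hypothetical second area
]

# The "preset idle attribute field" (assumption: the page uses this header
# name in one embodiment).
PROTECTED_HEADER = "Security-Domain"


def lookup_protected_identifier(egress_address: str,
                                table=GATEWAY_DATA_TABLE) -> Optional[str]:
    """Return the protected identifier recorded for an egress address, or None
    when the address does not belong to any protected network area."""
    addr = ipaddress.ip_address(egress_address)
    for network, identifier in table:
        if addr in network:
            return identifier
    return None


def gateway_forward(egress_address: str, headers: Dict[str, str],
                    table=GATEWAY_DATA_TABLE) -> Dict[str, str]:
    """Produce the request headers the gateway forwards to the file service.

    Any client-supplied value in the protected header is dropped first, so the
    identifier the file service sees is always one the gateway assigned from
    its own table. If the egress address is not protected, the header is absent.
    """
    forwarded = {k: v for k, v in headers.items()
                 if k.lower() != PROTECTED_HEADER.lower()}
    identifier = lookup_protected_identifier(egress_address, table)
    if identifier is not None:
        forwarded[PROTECTED_HEADER] = identifier
    return forwarded


if __name__ == "__main__":
    # Constructed sample requests: one from the protected R&D range, one not.
    print(gateway_forward("172.16.0.0", {"Host": "files.example.test"}))
    print(gateway_forward("203.0.113.7", {"Host": "files.example.test"}))
```

In an OpenResty deployment the same table lookup would run in an access-phase Lua handler and the header would be set on the upstream request; the Python form above is only for showing the decision logic.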
In one embodiment, in a case that the file request is for uploading a file, when the file request carries a protected identifier, storing the file specified by the file request and recording the protected identifier corresponding to the file includes:
under the condition that the file request is used for uploading the file, when the file request carries a protected identifier, correspondingly storing the file meta-attribute information of the file specified by the file request and the protected identifier, and storing the file corresponding to the file meta-attribute information;
under the condition that the file request is used for accessing the file, when the file request carries a protected identifier and the protected identifier is recorded in correspondence to the file specified by the file request, triggering to access the file includes:
and under the condition that the file request is used for accessing the file, when the file request carries a protected identifier and the file meta-attribute information of the file specified by the file request is consistent with the stored file meta-attribute information, triggering to access the file according to the file meta-attribute information.
The file meta attribute information is multi-element attribute information of the file. It is understood that the file meta attribute information includes one or more of owner, size, modification time, and the like.
Specifically, the public cloud receives a file request carrying a protected identifier and forwarded by the gateway.
When a file request carrying a protected identifier and used for uploading a file is received, the public cloud reads the file meta-attribute information and the protected identifier of the file specified by the file request, correspondingly stores the file meta-attribute information and the protected identifier of the file specified by the file request, and stores the file corresponding to the file meta-attribute information.
When a file request carrying a protected identifier and used for accessing a file is received, the public cloud searches for the corresponding file according to the file meta-attribute information of the file specified by the file request and the protected identifier, and triggers access.
In one embodiment, the public cloud may receive a file request through the file service, and obtain a file specified by the file request from the storage server according to the file request, or store the file specified by the file request on the storage server.
In one embodiment, when a file request carrying a protected identifier and used for uploading a file is received, the public cloud reads file meta-attribute information and the protected identifier of the file specified by the file request, correspondingly stores the file meta-attribute information and the protected identifier of the file specified by the file request in a storage server, and stores the file corresponding to the file meta-attribute information in the storage server.
In one embodiment, when a file request carrying a protected identifier and used for accessing a file is received, the public cloud searches for the corresponding file from the storage server according to the file meta-attribute information of the file specified by the file request and the protected identifier and triggers access.
In this embodiment, files are stored keyed by their file meta-attribute information, so a file can be found quickly from that information alone, which improves the efficiency of file lookup.
In one embodiment, the method further comprises: when the protected identifier carried by the file request is inconsistent with the protected identifier recorded for the file specified by the file request, denying access and returning access failure information.
The access failure information is information indicating that the file specified by the file request was not accessed.
In an embodiment, the access failure information may specifically indicate that the protected identifier is inconsistent, that the file meta-attribute information is inconsistent, or that the file stored in the public cloud has expired.
Specifically, the public cloud receives a file request, forwarded by the gateway, that carries a protected identifier and is used for accessing a file. When the protected identifier carried by the file request is inconsistent with the protected identifier recorded for the file specified by the file request, the public cloud denies access and returns access failure information to the terminal through the gateway.
In one embodiment, when the protected identifier carried by the file request is consistent with the protected identifier recorded for the file specified by the file request, but the file meta-attribute information of the file specified by the file request is inconsistent with the stored file meta-attribute information of that file, the public cloud denies access and returns access failure information to the terminal through the gateway.
In this embodiment, the terminal can access files on the public cloud as long as it has an authorized egress network address, so the resource-sharing advantage of the public cloud is preserved while confidential files remain protected. The public cloud can judge whether the file request is authorized to access the file simply by checking that the protected identifier carried by the file request is consistent with the protected identifier recorded for the file specified by the file request, so the file request can be processed quickly.
In one embodiment, the method further comprises: in the case that the file request is used to access a file, when the egress network address of the file request is not from the protected network area and the file specified by the file request has a protected identifier recorded therein, access is denied and access failure information is returned.
Specifically, the public cloud may detect whether the received file request carries a protected identifier and, if not, determine that the egress network address of the file request is from an unprotected area. When the file request is judged to be from an unprotected area and the file record that the file request specifies for access has a protected identifier, the public cloud denies access and returns access failure information.
In one embodiment, when the file record specified by the file request has a protected identifier and the file request does not carry a protected identifier consistent with that of the file record, the public cloud denies access and returns access failure information.
In one embodiment, when the file record specified by the file request has a protected identifier and the file request does not carry a protected identifier consistent with it, the public cloud can judge the level of the protected identifier carried by the file request; if that level is higher than the level of the protected identifier of the file record, the corresponding file is searched for and access is triggered. The level of a protected identifier can be assigned by a weight value: the higher the weight, the higher the level. For example, the protected identifier of the file record may be level 1 and the higher protected identifier level 2.
In one embodiment, a terminal may use multiple egress network addresses. For example, when the terminal is used by a user in the research and development department of a company, files are accessed or uploaded through the egress network address corresponding to that department. When the terminal is used by a user outside the company, protected files are accessed or uploaded through the corresponding egress network address outside the company, and the gateway can attach a high-level protected identifier to a file request sent through the egress network address that corresponds to the research and development department outside the company.
In an embodiment, as shown in the following table, the terminal may send a file request through the public network from a protected department; the gateway only needs to add the protected identifier of the protected network area's egress network address to the file request, and when the public cloud recognizes that the file request has a protected identifier, it triggers access to and download of the file specified by the file request. Such a terminal can access and download files uploaded through the egress network address corresponding to the protected network area, and also files uploaded through the egress network address corresponding to the unprotected network area. When the terminal sends a file request through the public network from an unprotected department, the gateway forwards the file request to the public cloud unchanged; the public cloud checks whether the file request carries a protected identifier and triggers access to and download of only those files specified by the file request that were uploaded through an egress network address corresponding to an unprotected network area.
(Table referenced above: original image BDA0003257613850000131, not reproduced in this text.)
In one embodiment, the enterprise has one office park in each of city A, city B and city C, and each office park has one protected department. The terminal can use a different egress network address in each protected department of city A, city B and city C, and the gateways add the corresponding protected identifier to file requests that use the egress network address of a protected department. The public cloud recognizes that such a file request carries a protected identifier and triggers access to and download of files uploaded through the egress network address corresponding to the protected network area of each of the three protected departments. The terminal can also use a different egress network address in each unprotected department of cities A, B and C; the gateway adds no protected identifier to file requests from the egress network addresses of unprotected departments, and when the public cloud recognizes that a file request carries no protected identifier, it triggers access to and download of only those files uploaded through egress network addresses corresponding to unprotected network areas.
FIG. 5 is a flow diagram that illustrates the processing of a file request from an unprotected network area in one embodiment. As shown in fig. 5, when the terminal, used by a user in the unprotected network area of the company, sends a file request for downloading a resource, the gateway obtains the file request and forwards it to the file service of the public cloud. The file service of the public cloud receives and authenticates the file request; on finding that the file request carries no protected identifier while a protected identifier is recorded for the file specified by the file request, it denies access and returns access failure information to the gateway. The gateway returns the access failure information to the terminal.
In this embodiment, the terminal can access files on the public cloud as long as it has an authorized egress network address, so the advantage of sharing public cloud resources anytime and anywhere is preserved while confidential files remain protected.
In one embodiment, the method further comprises: in the case that the file request is used for accessing a file, when the file request does not carry a protected identifier and no protected identifier is recorded for the file specified by the file request, triggering access to the file.
Specifically, when the public cloud receives a file request that does not carry a protected identifier and no protected identifier is recorded for the file that the file request specifies for access, access to that file, as stored in the public cloud, is triggered.
In one embodiment, when the terminal is used by a user in an unprotected network area of a company, the terminal accesses the file through the egress network address corresponding to the unprotected network area. If the gateway does not find that egress network address in the gateway data table it accesses, it adds no protected identifier and forwards the file request to the public cloud. The public cloud receives a file request that carries no protected identifier and, as no protected identifier is recorded for the file the request specifies, triggers access to that file as stored in the public cloud.
In one embodiment, when the terminal is used by a user in a protected network area of a company, the terminal accesses the file through the egress network address corresponding to the protected network area. If the gateway finds that egress network address in the gateway data table it accesses, it adds the protected identifier matched to the protected network area to the file request and forwards the file request to the public cloud. The public cloud receives a file request carrying a protected identifier and, if no protected identifier is recorded for the file the request specifies, triggers access to the file.
In this embodiment, as long as a file on the public cloud is not a protected file, it can be accessed either from an egress network address corresponding to a protected network area (that is, with a file request carrying a protected identifier) or from an egress network address corresponding to an unprotected network area. Access to unprotected files is therefore not affected by the partitioning of egress network addresses into protected network areas, which preserves the sharing of unprotected files.
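The public-cloud side of the scheme, covering the storage of an upload together with its file meta-attribute information and protected identifier, the consistency checks and access failure cases, the level-based override, and the rule that unprotected files are served to any egress address, as an added Python example that is not the patent's or the applicant's code. Assumptions made here: files are addressed by a name the terminal supplies; file meta-attribute information is owner, size and modification time; the levels of protected identifiers come from a constructed weight table; access failure information is a short reason string; and, generalizing the text slightly, the meta-attribute consistency check is applied to every access rather than only to protected files.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class FileMeta:
    """File meta-attribute information: owner, size and modification time."""
    owner: str
    size: int
    mtime: int


@dataclass
class StoredFile:
    """A file on the storage server with the identifier recorded for it."""
    meta: FileMeta
    protected_id: Optional[str]   # None: uploaded without a protected identifier
    content: bytes


# Constructed weight table for protected-identifier levels: a higher weight
# is a higher level. Identifier names are sample values, not from the patent.
PROTECTED_LEVELS: Dict[str, int] = {"DEPT-LEVEL-1": 1, "DEPT-LEVEL-2": 2}


def level_of(identifier: str) -> int:
    """Level (weight) of a protected identifier; unknown identifiers rank lowest."""
    return PROTECTED_LEVELS.get(identifier, 0)


# (granted, reason, content). The reason stands in for the access failure
# information that the public cloud returns to the terminal via the gateway.
AccessResult = Tuple[bool, str, Optional[bytes]]


class PublicCloudFileService:
    def __init__(self) -> None:
        self._files: Dict[str, StoredFile] = {}

    def upload(self, name: str, content: bytes, meta: FileMeta,
               protected_id: Optional[str] = None) -> None:
        """Store the file and record the identifier the request carried, if any."""
        self._files[name] = StoredFile(meta, protected_id, content)

    def access(self, name: str, meta: FileMeta,
               protected_id: Optional[str] = None) -> AccessResult:
        stored = self._files.get(name)
        if stored is None:
            return False, "file not found or expired", None
        if stored.protected_id is not None:
            # Protected file: a request without an identifier did not come
            # from a protected network area and is refused.
            if protected_id is None:
                return False, "request not from protected network area", None
            # A different identifier is accepted only if its level is higher
            # than the level recorded for the file.
            if (protected_id != stored.protected_id
                    and level_of(protected_id) <= level_of(stored.protected_id)):
                return False, "protected identifier inconsistent", None
        # Unprotected files are served with or without an identifier; in all
        # cases the meta-attribute information must match the stored record.
        if meta != stored.meta:
            return False, "file meta attribute information inconsistent", None
        return True, "ok", stored.content


if __name__ == "__main__":
    svc = PublicCloudFileService()
    design = FileMeta("alice", 1024, 1700000000)
    svc.upload("design.doc", b"confidential design", design, "DEPT-LEVEL-1")
    svc.upload("notice.txt", b"public notice", FileMeta("bob", 13, 1700000001))
    print(svc.access("design.doc", design, "DEPT-LEVEL-1"))
    print(svc.access("design.doc", design, None))
    print(svc.access("notice.txt", FileMeta("bob", 13, 1700000001), None))
```

The decision is made entirely from the identifier the gateway attached and the stored record, so the public cloud never needs the terminal's address; the level override in access is the one place where an identifier other than the recorded one is accepted.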
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in the sequence indicated by the arrows, they are not necessarily executed in that sequence. Unless explicitly stated otherwise, the steps are not bound to the exact order shown and described and may be performed in other orders. Moreover, at least some of the steps in these flowcharts may comprise multiple sub-steps or stages, which need not be performed at the same time but may be performed at different times, and their order of execution is not necessarily sequential: they may be performed alternately or in turn with other steps, or with at least part of the sub-steps or stages of other steps.
In one embodiment, as shown in FIG. 6, there is provided a document processing apparatus 600 comprising: a receiving module 602, a storage module 604, and an accessing module 606, wherein:
a receiving module 602, configured to receive a file request forwarded by a terminal through a gateway; and under the condition that the terminal belongs to the protected network area, the file request carries a protected identifier which is added by the gateway and corresponds to the protected network area.
The storage module 604 is configured to, when the file request is used to upload a file, store the file specified by the file request when the file request carries a protected identifier, and record the protected identifier in correspondence to the file.
The accessing module 606 is configured to, when the file request is used to access a file, trigger access to the file when the file request carries a protected identifier and a protected identifier is recorded in a file corresponding to a file specified by the file request.
In one embodiment, when the egress network address corresponding to the terminal exists in a gateway data table accessed by the gateway, the file request carries a protected identifier added by the gateway, and the added protected identifier corresponds to the egress network address corresponding to the terminal in the gateway data table; the gateway data table correspondingly stores the exit network address of the protected network area and the corresponding protected identifier.
In an embodiment, the added protected identifier is obtained by adding, when the egress network address corresponding to the terminal exists in the gateway data table accessed by the gateway, the read protected identifier to a preset idle attribute field in a request header of the file request after the gateway reads the protected identifier corresponding to the egress network address corresponding to the terminal from the gateway data table.
In an embodiment, the storage module 604 is further configured to, when the file request is used to upload a file and the file request carries a protected identifier, correspondingly store the file meta-attribute information of the file specified by the file request and the protected identifier, and store the file corresponding to the file meta-attribute information;
in an embodiment, the accessing module 606 is further configured to, when the file request is used to access the file, trigger to access the file according to the file meta-attribute information when the file request carries the protected identifier and the file meta-attribute information of the file specified by the file request is consistent with the stored file meta-attribute information.
In an embodiment, the accessing module 606 is further configured to, when the file request is used to access a file, deny access and return access failure information when a protected identifier carried in the file request is inconsistent with a protected identifier recorded in correspondence to the file specified by the file request.
In one embodiment, the accessing module 606 is further configured to, in a case that the file request is used to access the file, deny access and return access failure information when an egress network address of the file request is not from the protected network area and the file specified by the file request records a protected identifier.
In an embodiment, the accessing module 606 is further configured to, in a case that the file request is used to access the file, trigger to access the file when the file request does not carry the protected identifier and the file specified by the file request does not record the protected identifier.
For the specific limitations of the file request processing device, reference may be made to the above limitations of the file request processing method, which are not described herein again. The modules in the file request processing device can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server providing hardware support for a public cloud, and its internal structure diagram may be as shown in fig. 7. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing file request processing data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a file request processing method.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 8. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a file request processing method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the configurations shown in fig. 7-8 are only block diagrams of some of the configurations relevant to the present disclosure, and do not constitute a limitation on the computing devices to which the present disclosure may be applied, and that a particular computing device may include more or less components than those shown, or combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for processing file requests, the method comprising:
receiving a file request forwarded by a terminal through a gateway; under the condition that the terminal belongs to a protected network area, the file request carries a protected identifier which is added by the gateway and corresponds to the protected network area;
under the condition that the file request is used for uploading files, when the file request carries the protected identification, storing the files specified by the file request, and recording the protected identification corresponding to the files;
and under the condition that the file request is used for accessing the file, when the file request carries the protected identifier and the protected identifier is correspondingly recorded in the file specified by the file request, triggering to access the file.
2. The method according to claim 1, wherein when the egress network address corresponding to the terminal exists in a gateway data table accessed by the gateway, the file request carries a protected identifier added by the gateway, and the added protected identifier corresponds to the egress network address corresponding to the terminal in the gateway data table; the gateway data table is stored with the exit network address of the protected network area and the corresponding protected identifier.
3. The method according to claim 2, wherein the added protected identifier is added to a preset free attribute field in a request header of the file request after the gateway reads the protected identifier corresponding to the egress network address corresponding to the terminal from the gateway data table when the egress network address corresponding to the terminal exists in the gateway data table accessed by the gateway.
4. The method according to claim 1, wherein, in a case that the file request is for uploading a file, when the file request carries the protected identifier, storing the file specified by the file request, and recording the protected identifier corresponding to the file, includes:
under the condition that the file request is used for uploading a file, when the file request carries the protected identifier, correspondingly storing the file meta-attribute information of the file specified by the file request and the protected identifier, and storing the file corresponding to the file meta-attribute information;
when the file request is used to access a file, and the file request carries the protected identifier and the protected identifier is recorded in a file corresponding to the file specified by the file request, triggering access to the file includes:
and under the condition that the file request is used for accessing the file, when the file request carries the protected identifier and the file meta-attribute information of the file specified by the file request is consistent with the stored file meta-attribute information, triggering to access the file according to the file meta-attribute information.
5. The method of claim 1, further comprising:
and when the file request is used for accessing the file, and when the protected identifier carried by the file request is inconsistent with the protected identifier recorded corresponding to the file specified by the file request, the access is denied and access failure information is returned.
6. The method of claim 1, further comprising:
and in the case that the file request is used for accessing the file, when the exit network address of the file request is not originated from the protected network area and the file specified by the file request records a protected identifier, denying access and returning access failure information.
7. The method of claim 1, further comprising:
and under the condition that the file request is used for accessing the file, when the file request does not carry the protected identifier and the protected identifier is not recorded in the file specified by the file request, triggering to access the file.
8. A file request processing apparatus, characterized in that the apparatus comprises:
the receiving module is used for receiving a file request forwarded by the terminal through the gateway; under the condition that the terminal belongs to a protected network area, the file request carries a protected identifier which is added by the gateway and corresponds to the protected network area;
a storage module, configured to store a file specified by the file request when the file request carries the protected identifier and record the protected identifier corresponding to the file, where the file request is used to upload a file;
and the access module is used for triggering the access to the file when the file request carries the protected identifier and the protected identifier is recorded in the file specified by the file request under the condition that the file request is used for accessing the file.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
Application CN202111064373.1A, priority date 2021-09-10, filing date 2021-09-10: File request processing method and device, computer equipment and storage medium (status: pending).

Publication CN113810484A (en), published 2021-12-17.

Family ID 78895072. Country status: CN, CN113810484A (en).

US8621557B2 (en) Information processing system judging whether manipulation is possible or not based on access control policy and method of operation thereof
US11275851B2 (en) System, method, and storage medium for distributed data management
KR102212664B1 (en) An apparatus for assuring integrity of log data and method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination