CN113849558A - Method and device for deploying data sharing service - Google Patents


Info

Publication number
CN113849558A
Authority
CN
China
Prior art date
Legal status
Pending
Application number
CN202111022347.2A
Other languages
Chinese (zh)
Inventor
全方磊
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Ant Blockchain Technology Shanghai Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Ant Blockchain Technology Shanghai Co Ltd
Priority date
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd and Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202111022347.2A
Publication of CN113849558A
Legal status: Pending

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
                    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
                        • G06F16/23 Updating
                        • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/60 Protecting data
                        • G06F21/602 Providing cryptographic facilities or services
                        • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                            • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
                            • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes


Abstract

One or more embodiments of the present specification provide a method and apparatus for deploying a data sharing service, wherein the method includes: receiving a service deployment request of a data provider, wherein the service deployment request comprises shared data set information and configuration information, the shared data set information is used for describing a shared data set, and the configuration information is used for configuring shared data in the shared data set through at least one preset configuration strategy; and deploying the data sharing service for calling based on the configuration information, wherein the data sharing service is used for providing the configured shared data obtained by configuring the shared data in the shared data set according to the target configuration mode to the service calling party under the condition that the target configuration mode indicated in the service calling request initiated by the service calling party is determined to be included in the at least one preset configuration strategy.

Description

Method and device for deploying data sharing service
Technical Field
One or more embodiments of the present specification relate to the field of data sharing technology, and more particularly, to a method and apparatus for deploying a data sharing service.
Background
With the development of informatization, more and more enterprises or individuals establish a set of independent information systems, and different information systems are isolated from each other, so that a large amount of information islands are formed in a network information space.
In the related art, when an information system wishes to share data, a secure communication connection is first established between the information system acting as the sharing party and the party being shared with, and the data to be shared is then transmitted to that party over the previously established secure connection.
Disclosure of Invention
One or more embodiments of the present specification provide a method, an apparatus, an electronic device, and a storage medium for acquiring blockchain data.
According to a first aspect of one or more embodiments of the present specification, a method for deploying a data sharing service is provided, which is applied to a server side, and includes:
receiving a service deployment request of a data provider, wherein the service deployment request comprises shared data set information and configuration information, the shared data set information is used for describing a shared data set, and the configuration information is used for configuring shared data in the shared data set through at least one preset configuration strategy;
and deploying the data sharing service for calling based on the configuration information, wherein the data sharing service is used for providing the configured shared data obtained by configuring the shared data in the shared data set according to the target configuration mode to the service calling party under the condition that the target configuration mode indicated in the service calling request initiated by the service calling party is determined to be included in the at least one preset configuration strategy.
According to a second aspect of one or more embodiments of the present specification, there is provided an apparatus for deploying a data sharing service, applied to a server, including:
a request receiving unit, configured to receive a service deployment request of a data provider, where the service deployment request includes shared data set information and configuration information, the shared data set information is used to describe a shared data set, and the configuration information is used to configure shared data in the shared data set through at least one preset configuration policy;
and the service deployment unit is used for deploying the data sharing service available for calling based on the configuration information, and the data sharing service is used for providing the configured shared data obtained by configuring the shared data in the shared data set according to the target configuration mode to the service calling party under the condition that the target configuration mode indicated in the service calling request initiated by the service calling party is determined to be included in the at least one preset configuration strategy.
According to a third aspect of one or more embodiments of the present specification, there is provided an electronic apparatus including:
a processor; a memory for storing processor-executable instructions; wherein the processor implements the steps of the method for deploying a data sharing service by executing the executable instructions.
According to a fourth aspect of one or more embodiments of the present specification, there is provided a computer-readable storage medium having stored thereon executable instructions; wherein the instructions, when executed by the processor, implement the steps of the above-described method of deploying a data sharing service.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a schematic diagram of a blockchain-related network environment provided in the present specification.
Fig. 2 is a diagram of a network architecture provided by the present specification in accordance with an exemplary embodiment.
FIG. 3 is a flow chart of a method for deploying a data sharing service provided by the present specification according to an exemplary embodiment.
FIG. 4 is a flow chart of another method of deploying a data sharing service provided by the present specification in accordance with an exemplary embodiment.
Fig. 5 is a schematic structural diagram of an apparatus according to an exemplary embodiment.
FIG. 6 is a block diagram of an apparatus for deploying a data sharing service provided by the present specification according to an example embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of one or more embodiments of the specification, as detailed in the claims which follow.
It should be noted that: in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described herein. In some other embodiments, the method may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating a network environment related to a blockchain according to the present disclosure.
The network environment shown in fig. 1 may include a client-side computing device 101, a server side 102, and at least one blockchain system, such as blockchain system 103, blockchain system 104, and blockchain system 105.
In one embodiment, the client-side computing device 101, may include a variety of different types of client-side computing devices; for example, the client side terminal device may include devices such as a PC terminal device, a mobile terminal device, an internet of things device, and other forms of smart devices with certain computing capabilities, and so on.
In one embodiment, at least some of the computing devices in the client-side computing device 101 may be connected to the server side 102 through various communication networks; for example, device 1 and device 2 shown in fig. 1 are connected to the server side 102.
It is understood that some devices in the client-side computing device 101 may not be connected to the server side 102 at all, but may instead be directly connected to a blockchain system as blockchain nodes through various communication networks; for example, device 4 shown in fig. 1 may be connected to a blockchain system as a blockchain node.
The communication network may comprise a wired and/or wireless communication network; for example, it may be a local area network (LAN), a wide area network (WAN), the internet, or a combination thereof, implemented over a wired access network or a wireless access network provided by an operator, such as a mobile cellular network.
In one embodiment, the client-side computing device 101, may also include one or more user-side servers; such as the device 5 shown in fig. 1. At least a part of the computing devices in the client-side terminal device 101 may be connected to the user-side server, and the user-side server may further be connected to the server 102; for example, the devices 1 and 2 shown in fig. 1 are connected to the device 5, and the device 5 is further connected to the server side 102.
In an embodiment, the user-side server may be implemented by a service entity that operates a user account system; the service entity may include an operation entity that provides various service carriers for online and/or offline services to users. A service carrier may take a software form or a hardware form.
In one embodiment, the service carrier may include various client software providing online internet services; such as a website, web page, APP, etc.
In an embodiment, the service carrier may also include various intelligent devices deployed offline and capable of providing offline services; for example, intelligent express cabinets are deployed in residential areas, office areas, and public places.
Correspondingly, the operation entity may include the operator corresponding to the service carrier; for example, the operation entity may be an individual, an organization, a company, an enterprise, or the like that operates and manages the service carrier.
In one embodiment, the server side 102 may also be connected to one or more blockchain systems through various communication networks; for example, the server side 102 shown in fig. 1 may be connected to the blockchain system 103, the blockchain system 104, and the blockchain system 105, respectively, and so on.
In one embodiment, each blockchain system may maintain one or more blockchains (e.g., public blockchains, private blockchains, consortium blockchains, etc.) and include a plurality of blockchain nodes that carry those blockchains; for example, blockchain node 1, blockchain node 2, blockchain node 3, blockchain node 4, blockchain node i, etc., as shown in fig. 1, may collectively carry one or more blockchains. Cross-chain data access can be performed among the blockchains within a blockchain system and between blockchain systems.
In one embodiment, the blockchain nodes may include full nodes and light nodes. A full node downloads every blockchain transaction contained in every block of the blockchain and can perform consensus verification on the blockchain transactions contained in each block according to the consensus algorithm carried by the blockchain.
A light node, by contrast, does not download the complete blockchain; it downloads only the block header of each block and uses the data contained in the block header as a verification root for checking the authenticity of blockchain transactions. Light nodes may attach to full nodes to access more functions of the blockchain.
For example, each blockchain node in the blockchain system 103 shown in fig. 1 may be a full node; the device 4 shown in fig. 1, which is directly connected to the blockchain system, may be attached to each full node in the blockchain system 103 as a light node.
In one embodiment, a blockchain node may be a physical device, or a virtual device implemented in a server or a server cluster; for example, the blockchain node device may be a physical host in a server cluster, or a virtual machine created by applying virtualization technology to a server or to the hardware resources carried by a server cluster. The blockchain nodes are connected to one another by various types of communication methods (such as TCP/IP) to form a network that carries one or more blockchains.
In one embodiment, the server side 102 may include a BaaS platform (also referred to as a BaaS cloud) for providing Blockchain as a Service (BaaS). The BaaS platform can provide pre-programmed software for activities that occur on a blockchain (such as subscription and notification, user verification, database management, and remote updating), offering client-side computing devices connected to it a simple, easy-to-use blockchain service with one-click deployment, fast verification, and flexible customization; this accelerates the development, testing, and launch of blockchain service applications and helps blockchain business applications land in various industries.
For example, in one example, a BaaS platform may provide software such as an MQ (Message Queue) service; a client-side computing device connected to the BaaS platform can subscribe to a smart contract deployed on a certain blockchain in a blockchain system connected to the BaaS platform, and to the contract events generated on the blockchain after the contract is triggered and executed; the BaaS platform monitors the events generated on the blockchain after the smart contract is triggered, and adds each contract event to the message queue as a notification message via the MQ service software, so that the client-side computing device subscribed to the message queue receives the notification related to the contract event.
In one embodiment, the BaaS platform may also provide enterprise-level platform services based on blockchain technology to help enterprise-level customers construct a secure and stable blockchain environment and easily manage deployment, operation, maintenance, and development of blockchains.
For example, in one example, the BaaS platform may implement rich security policies and multi-tenant isolation environments based on cloud technology, provide advanced security protection based on chip-level encryption technology, and provide highly reliable data storage based on highly available end-to-end services that can be scaled quickly without interruption;
in another example, enhanced management functionality may also be provided to assist customers in building enterprise-level blockchain network environments; and native support can be provided for standard blockchain applications and data, supporting mainstream open source blockchain technologies such as Hyperledger Fabric and Enterprise Ethereum-Quorum, to build an open and inclusive technology ecosystem.
In this embodiment of the present specification, the server side 102 is deployed with several data sharing services for the client side computing device 101 to call, and these data sharing services are also deployed on the server side 102 by the client side computing device 101 sending a service deployment request, for example, the device 5 serving as the client side computing device 101 may deploy a new data sharing service on the server side 102, and the device 3 serving as the client side computing device 101 may call the data sharing service deployed by the device 5 to obtain, from the server side 102, configured shared data obtained by configuring shared data shared by the device 5, so as to implement data sharing of a custom configuration. From another perspective, this is equivalent to that the server side 102 shown in fig. 1 may be regarded as a server side related to this specification, the device 5 directly connected to the server side 102 in the client side computing device 101 may be regarded as a data provider related to this specification, and the device 3 directly connected to the server side 102 may be regarded as a service caller related to this specification.
Fig. 2 is a diagram of a network architecture shown in the present specification according to an exemplary embodiment, where the network architecture includes a server deployed with a plurality of data sharing services, a plurality of service invokers, and a plurality of data providers, where the data sharing services 1-3 may be deployed by three data providers 1-3 respectively, or may be deployed by only one data provider 1, 2, or 3, or may be deployed by the server itself; the service caller 1-3 may send a service call request to the server for indicating the data sharing service to be called, and the server further executes the corresponding data sharing service, and encrypts the shared data required by the service caller and provides the encrypted shared data to the service caller who calls the data sharing service. The server side can receive service deployment requests from a plurality of data providers in parallel to deploy a plurality of data sharing services at the same time, and can also receive service calling requests from a plurality of service callers in parallel to execute a plurality of same or different data sharing services at the same time.
Fig. 3 is a flowchart illustrating a method for deploying a data sharing service according to an exemplary embodiment, where the method is applied to the server shown in fig. 2, and the method includes the following steps:
s302: receiving a service deployment request of a data provider, wherein the service deployment request comprises shared data set information and configuration information, the shared data set information is used for describing a shared data set, and the configuration information is used for configuring shared data in the shared data set through at least one preset configuration strategy;
s304: and deploying the data sharing service for calling based on the configuration information, wherein the data sharing service is used for providing the configured shared data obtained by configuring the shared data in the shared data set according to the target configuration mode to the service calling party under the condition that the target configuration mode indicated in the service calling request initiated by the service calling party is determined to be included in the at least one preset configuration strategy.
By the method for deploying the data sharing service according to the embodiment of the specification, a data provider can be flexibly configured according to actual requirements of a service scene, and a service caller can also flexibly call according to own requirements, so that the complexity of the data sharing service is reduced as much as possible under the condition that the call requirements of the service caller are met, and computing resources or storage resources required to be consumed by the data sharing service during deployment and maintenance are saved.
Optionally, the shared data set information may be the shared data set itself. In that case, when the server side receives the service deployment request, it obtains the complete shared data set from the request, stores it in the server side's cloud storage space, and binds the shared data set to the data sharing service that is subsequently deployed according to the request, so that when the data sharing service is invoked, the bound shared data set is read from the cloud storage space. In this embodiment, because the shared data set is stored on the server side in advance, it can be obtained more quickly, which accelerates execution when the data sharing service is invoked.
In another embodiment, the shared data set information may be metadata corresponding to the shared data set, through which the server side can obtain the shared data set; for example, the metadata may be the IP address, port information, and the like of a database table maintained by the data provider in which the shared data set is stored, and the server side may at any time download the complete shared data set from that database table using the IP address and port information.
Optionally, the configuration information further includes a data flow policy, where the data flow policy is used to configure a data flow pattern of the data sharing service for the configured shared data, and the data flow pattern includes an API (Application Programming Interface) gateway pattern or a database table pattern; under the condition that the data flow mode of the data sharing service is an API gateway mode, the configured shared data is provided to the client of the service calling party through the API gateway of the service end; and under the condition that the data flow mode of the data sharing service is a database table mode, the configured shared data is provided to the database of the service calling party through a database synchronization plug-in.
In this embodiment, the data provider may flexibly configure the data flow mode of the data sharing service to suit different actual service invocation scenarios. When the data flow mode of the data sharing service is the API gateway mode, the server side maintains an API gateway for the service caller to call; the service caller accesses the API gateway through its client to send the service call request to the server side, and the server side likewise provides the configured shared data to the service caller's client through the API gateway. When the data flow mode of the data sharing service is the database table mode, after receiving the service call request of a service caller, the server side directly provides the prepared configured shared data to the service caller's database through a database synchronization plug-in. In an embodiment, the data sharing service instance of the present application is implemented based on SpringBoot, so that when the server side configures the data flow mode of the data sharing service, the mode can be configured by injecting system environment variables or through an external application-profile.
Optionally, the configuration information further includes a rights management policy, which is used to configure the rights management model that the data sharing service applies to service callers, so that the data sharing service responds to a service call request sent by a service caller only when it is determined that the service caller has the invocation authority of the data sharing service. The rights management model comprises an OpenAPI (open application programming interface) model or an IAM (Identity and Access Management) model, and determining that the service caller has the invocation authority of the data sharing service includes the following.
In the case that the rights management model of the data sharing service is the OpenAPI model, the signature contained in the service call request is verified against the public keys in the public key list corresponding to the data sharing service, and if signature verification succeeds, the service caller is determined to have the invocation authority of the data sharing service. For example, a service caller first signs its service call request with its own private key and sends the signed request to the server side; the server side looks up the public key list corresponding to the data sharing service that the request needs to call, then verifies the signature carried in the request against the public keys in that list one by one, and determines that the service caller has the invocation authority of the data sharing service as soon as any one public key verifies the signature successfully.
In the case that the rights management model of the data sharing service is the IAM model, the service permission list corresponding to the service caller in the logged-in state is queried, and if the service permission list includes the data sharing service, the service caller is determined to have the invocation authority of the data sharing service. For example, a service caller first needs to perform a login operation to access the server side; after login succeeds, the server side checks the service permission list corresponding to the service caller, which records the service IDs of the data sharing services that the service caller may invoke, so that the invocable services can be displayed to the service caller's client. The service caller then initiates a service call request for a data sharing service through the client, and the server side determines whether the service caller has the invocation authority of that data sharing service according to whether the service ID of the data sharing service requested by the service call request is contained in the service permission list.
In the embodiment of the specification, the data provider can flexibly configure the rights management model of the data sharing service, so that service callers are subjected to different authentication modes, different actual service invocation scenarios are better accommodated, and the requirements of each caller are met.
Optionally, the rights management policy is further used to configure a legal caller list of the data sharing service for service callers. For example, the rights management policy carries a legal caller list of service callers. When the rights management model of the data sharing service is the OpenAPI model, the legal caller list records a plurality of public keys, so that when the server side deploys the data sharing service, the public keys recorded in the legal caller list are written into the public key list corresponding to the data sharing service. When the rights management model of the data sharing service is the IAM model, the legal caller list records the ID information of a plurality of service callers, so that when the server side deploys the data sharing service, the service permission list corresponding to each such service caller is located by its ID information, and the service ID of the data sharing service is written into each of those service permission lists.
In the embodiment of the specification, the data provider can flexibly configure the legal caller list of the data sharing service, thereby restricting which service callers can invoke the data sharing service and allowing the data provider to freely decide the service objects of the data sharing service.
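The deployment-time handling of the legal caller list and the two call-time authorization checks described above (public key list under the OpenAPI model, service permission list under the IAM model), as an added Go example that is not the patent's own code or the SpringBoot implementation it mentions. It assumes Ed25519 signatures, string service IDs, and in-memory maps for the public key lists and service permission lists; none of those details are prescribed by the specification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Model is the rights management model chosen in the deployment request's rights management policy.
type Model int
const (
	Unknown Model = iota // zero value: service not deployed or policy malformed
	OpenAPI              // caller signs each request; server checks the service's public key list
	IAM                  // caller logs in; server checks the caller's service permission list
)

// RightsPolicy is the rights management policy carried in a service deployment request (assumed shape).
type RightsPolicy struct {
	Model        Model
	LegalCallers []string // OpenAPI: hex-encoded Ed25519 public keys; IAM: caller IDs
}

// Server keeps the per-service and per-caller state written at deployment time.
type Server struct {
	model    map[string]Model               // service ID -> rights management model
	pubKeys  map[string][]ed25519.PublicKey // service ID -> public key list (OpenAPI)
	perms    map[string]map[string]bool     // caller ID -> callable service IDs (IAM)
	loggedIn map[string]bool                // caller ID -> login state (IAM)
}

func NewServer() *Server {
	return &Server{map[string]Model{}, map[string][]ed25519.PublicKey{}, map[string]map[string]bool{}, map[string]bool{}}
}

// Deploy writes the legal caller list into the structure the call-time check reads.
func (s *Server) Deploy(serviceID string, p RightsPolicy) error {
	switch p.Model {
	case OpenAPI: // public keys from the legal caller list -> the service's public key list
		for _, hexKey := range p.LegalCallers {
			raw, err := hex.DecodeString(hexKey)
			if err != nil || len(raw) != ed25519.PublicKeySize {
				return fmt.Errorf("service %s: malformed public key %q", serviceID, hexKey)
			}
			s.pubKeys[serviceID] = append(s.pubKeys[serviceID], ed25519.PublicKey(raw))
		}
	case IAM: // service ID -> the service permission list of each caller ID in the legal caller list
		for _, callerID := range p.LegalCallers {
			if s.perms[callerID] == nil {
				s.perms[callerID] = map[string]bool{}
			}
			s.perms[callerID][serviceID] = true
		}
	default:
		return fmt.Errorf("service %s: unknown rights management model", serviceID)
	}
	s.model[serviceID] = p.Model
	return nil
}

// CallRequest is a service call request; Signature is present only under the OpenAPI model.
type CallRequest struct {
	ServiceID string
	CallerID  string
	Body      []byte
	Signature []byte
}

// signedBytes binds the signature to the service ID as well as the body, so a request signed for one service cannot be replayed against another.
func signedBytes(r CallRequest) []byte { return append([]byte(r.ServiceID+"\x00"), r.Body...) }
// SignRequest is the caller-side step: sign the request with the caller's own private key.
func SignRequest(priv ed25519.PrivateKey, r *CallRequest) { r.Signature = ed25519.Sign(priv, signedBytes(*r)) }
// Login records the caller's logged-in state (IAM model).
func (s *Server) Login(callerID string) { s.loggedIn[callerID] = true }

// Authorized decides whether the caller holds the invocation authority of the requested service.
func (s *Server) Authorized(r CallRequest) bool {
	switch s.model[r.ServiceID] {
	case OpenAPI: // any one public key in the list verifying the signature is enough
		for _, pk := range s.pubKeys[r.ServiceID] {
			if ed25519.Verify(pk, signedBytes(r), r.Signature) {
				return true
			}
		}
		return false
	case IAM: // caller must be logged in and have the service ID in its permission list
		return s.loggedIn[r.CallerID] && s.perms[r.CallerID][r.ServiceID]
	}
	return false // Unknown: service never deployed
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	s := NewServer()
	_ = s.Deploy("svc-1", RightsPolicy{OpenAPI, []string{hex.EncodeToString(pub)}})
	req := CallRequest{ServiceID: "svc-1", Body: []byte(`{"mode":"cfg-1"}`)}
	SignRequest(priv, &req)
	fmt.Println("OpenAPI caller authorized:", s.Authorized(req))
}
```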
Optionally, the method further includes: calling the blockchain evidence storage service to store the service deployment request and/or the service invocation request on the chain. In the embodiments of this specification, the blockchain evidence storage service is deployed at the service end, so the service end can record the whole life cycle of the data sharing service on the chain, ensuring transparency and traceability of data and operations in the system.
In another embodiment, the preset configuration policy includes a data security policy, and the data security policy includes at least one encryption manner for encrypting the shared data in the shared data set, the at least one encryption manner including a homomorphic encryption manner. Taking Fig. 2 as an example again, device 5, serving as client-side computing device 101, may deploy a new data sharing service on server side 102, and device 3, also serving as client-side computing device 101, may invoke the data sharing service deployed by device 5 to obtain from server side 102 encrypted data obtained by encrypting the shared data shared by device 5, thereby implementing privacy computation on the encrypted data. The specific implementation procedure of this embodiment is discussed in detail below.
Fig. 4 is a flowchart illustrating another method for deploying a data sharing service according to an exemplary embodiment of the present specification, where the method is applied to the server shown in fig. 2, and the method includes the following steps:
S402: receiving a service deployment request from a data provider, where the service deployment request includes shared data set information and configuration information, the shared data set information describes a shared data set, the configuration information includes a data security policy, the data security policy includes at least one encryption manner used for encrypting the shared data in the shared data set, and the at least one encryption manner includes a homomorphic encryption manner.
In this specification, a service caller acting as a client maintains in advance a local SDK (Software Development Kit) or UDF (user-defined function) for using encrypted data. Use of encrypted data in the embodiments of this specification covers three types: ciphertext retrieval, ciphertext computation and ciphertext decryption. Ciphertext retrieval and ciphertext computation may be completed locally by the service caller after it obtains the encrypted data provided by the server, whereas ciphertext decryption may require a second interaction between the service caller and the server. For example, a service caller that does not involve a TEE (Trusted Execution Environment) architecture must, if it needs to decrypt certain encrypted data, initiate a decryption request for that encrypted data to the server; after the server's authentication succeeds, the encrypted data is decrypted (by the server, or by the server together with the service caller) and the result is finally provided to the service caller.
The embodiments of this specification involve a Trusted Execution Environment (TEE), which provides a secure execution environment for software; a TEE is a CPU hardware-based security extension that is completely isolated from the outside. TEE was originally proposed by GlobalPlatform to address the secure isolation of resources on mobile devices, providing applications with a trusted and secure execution environment parallel to the operating system. The industry pays close attention to TEE solutions, and almost all mainstream chip and software consortiums have their own, such as TPM (Trusted Platform Module) in software and Intel SGX, ARM TrustZone and AMD PSP (Platform Security Processor) in hardware.
Take Intel SGX (hereinafter SGX) as an example. A trusted computing node may create an enclave based on SGX as the TEE for executing blockchain transactions. The blockchain node may use newly added processor instructions in the CPU to allocate part of the memory as an EPC (Enclave Page Cache) in which the enclave resides. The memory area corresponding to the EPC is encrypted by the Memory Encryption Engine (MEE) inside the CPU; the contents of that memory area (the code and data in the enclave) can be decrypted only in the CPU core, and the key used for encryption and decryption is generated and stored in the CPU only when the EPC is started. Thus the security boundary of an enclave includes only the enclave itself and the CPU: neither privileged nor non-privileged software can access the enclave, and even an operating system administrator or a VMM (virtual machine monitor, also called a hypervisor) cannot affect the code and data in the enclave, so the enclave has extremely high security.
In this embodiment of the present description, a data provider serving as a client may actively apply for deploying a data sharing service to a server, for which the data provider needs to carry shared data set information and configuration information in a service deployment request sent to the server, where the shared data set information is used to describe a shared data set maintained by the data provider, and the configuration information is used to configure the data sharing service that the data provider needs to deploy. The shared data set according to the embodiments of the present specification is a set of shared data that a data provider desires to share, and the shared data in the shared data set is in a plaintext state.
In an embodiment of this specification, the configuration information includes a data security policy, the data security policy includes at least one encryption manner used to encrypt the shared data in the shared data set, and the at least one encryption manner includes a homomorphic encryption manner. The homomorphic encryption manners involved in the embodiments may include BFV (a fully homomorphic encryption algorithm), CKKS (an approximate-computation homomorphic encryption algorithm), SM4 (a block cipher algorithm), and so on, and the encrypted data obtained with different homomorphic encryption manners supports different types of ciphertext computation: for example, data encrypted with BFV supports ciphertext computations such as finding a substring, concatenating two ciphertext strings and case conversion; data encrypted with CKKS supports ciphertext computations such as addition, subtraction, multiplication, division, power functions, exponential functions and logarithmic functions; and data encrypted with SM4 supports ciphertext computations on date and time fields such as year, month, day, hour, minute and second. In this embodiment, a data provider may specify one or more homomorphic encryption manners in the data security policy of the configuration information; because the encrypted data obtained with different homomorphic encryption manners supports different types of ciphertext computation, the data provider can limit the ciphertext computation types of the encrypted data finally provided to a service caller by controlling the encryption manner of the shared data in the shared data set, which is equivalent to the data provider configuring the ciphertext computation types corresponding to the deployed data sharing service.
Therefore, the service caller can obtain the cryptograph calculation types which can be supported by the data sharing service by checking the description information of the data sharing service deployed on the server, so that when the data sharing service is requested from the server, the service caller can select from the cryptograph calculation types which can be supported by the data sharing service, and further obtain the required encrypted data to perform the cryptograph calculation of the corresponding type. In the embodiment of the present specification, the data provider may perform flexible configuration according to the actual requirements of the service scenario, so as to reduce the complexity of the data sharing service as much as possible under the condition of meeting the call requirement of the service caller, and save the computing resources or storage resources that the data sharing service needs to consume when deploying and maintaining.
In an embodiment of the specification, the data security policy further includes at least one retrieval manner for generating a retrieval index for the encrypted data. The retrieval manners involved in the embodiments may include an exact-match (equality) query and a fuzzy query: an exact-match query retrieves encrypted data that completely matches the retrieval key, and a fuzzy query retrieves encrypted data that partially matches or is correlated with the retrieval key. In this embodiment, the data provider may specify one or more retrieval manners in the data security policy of the configuration information, so that different types of retrieval index are generated for the encrypted data, each supporting retrieval in a different manner. The data provider can therefore limit the type of retrieval index of the encrypted data finally provided to the service caller by controlling how the retrieval index is generated; in other words, the data provider can configure the encrypted data retrieval manner corresponding to the deployed data sharing service, so that the encrypted data obtained by the service caller supports one or more ways of encrypted data retrieval. The service caller can learn the encrypted data retrieval manners supported by the data sharing service by looking up the description information of the data sharing service deployed on the server, so that when requesting the data sharing service it can choose among those retrieval manners and then use the acquired retrieval index to retrieve the encrypted data in the corresponding manner.
In this embodiment of the present specification, the data provider may flexibly configure the encrypted data retrieval manner supported by the data sharing service, so that the service invoker may perform encrypted data retrieval on the acquired encrypted data by using a ciphertext retrieval technology.
In an embodiment of the specification, the data security policy further includes a service invocation frequency, where the service invocation frequency is used for configuring a periodic invocation upper limit and/or a permanent invocation upper limit of the data sharing service, where the periodic invocation upper limit refers to an upper limit of times that can be invoked by a service invoker within a periodic time period (e.g., every hour, every day, every week, every month, etc.), and the permanent invocation upper limit refers to an upper limit of times that can be invoked by the service invoker in total since the data sharing service is deployed. The server maintains a call number table for the successfully deployed data sharing service, where current periodic call number and/or permanent call number are recorded, and when the server receives a service call request for the data sharing service each time, the server updates information in the call number table corresponding to the data sharing service, and if the periodic call number in the call number table reaches a periodic call number upper limit or the permanent call number reaches a permanent call number upper limit, the server suspends responding to the service call request for the data sharing service. In this embodiment, the data provider may flexibly configure the service invocation frequency of the data sharing service, so as to limit the invocation frequency of the data sharing service by the service invoker, so as to adapt to different actual service invocation scenarios.
S404: deploying the data sharing service for invocation based on the configuration information, where the data sharing service is configured to provide the service caller with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption manner, on the condition that the target encryption manner indicated in the service invocation request initiated by the service caller is determined to be included in the at least one encryption manner.
In this embodiment of the present description, a server first registers and loads a data sharing service instance, and configures different modules in the data sharing service instance according to the configuration information and shared data set information to enable the data sharing service to support different functions, for example, when the data sharing service instance is just loaded, a null field needs to be filled with data source information that the service needs to call, so that shared data set information can be directly filled into the null field, so that the data sharing service can correctly obtain a shared data set when being called; for another example, if the data encryption module in the data sharing service instance lacks configuration when being loaded, at least one encryption manner of the data security policy of the configuration information may be written into the configuration in the data encryption module, so as to open the corresponding encryption function, so that the data sharing service may encrypt the data to obtain encrypted data according to at least one encryption manner configured by the data provider when being invoked.
In this embodiment of the present specification, after the data sharing service is deployed, a service ID is maintained for it, and a service caller may invoke and execute the corresponding data sharing service by initiating a service invocation request for that service ID. As shown in Fig. 2, the service caller 1 may carry the service ID field "2" and the encryption manner field "CKKS" of the data security policy in the service invocation request, so that after the service end obtains the service invocation request it first determines from the service ID field "2" that the data sharing service the service caller 2 needs to invoke is "data sharing service 2" and that the required encryption manner is "CKKS"; the service end then executes data sharing service 2 to obtain the shared data set corresponding to data sharing service 2, encrypts the shared data in that shared data set with CKKS to obtain encrypted data, and finally provides the encrypted data to the service caller 2.
In some scenarios, a service caller may only need to perform a certain type of ciphertext calculation, and therefore only call encrypted data encrypted according to a certain encryption manner, which is undoubtedly a waste of resources for data sharing services supporting various different encryption manners, and also causes the service caller to obtain unnecessary encrypted data.
Optionally, providing the service caller with the encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption manner includes: providing the service caller with encrypted data obtained by encrypting, according to the target encryption manner, the target shared data in the shared data set indicated in the service invocation request. In this embodiment, the service caller may specify target shared data in the service invocation request; for example, the service invocation request may carry description information such as a keyword, a data type or a file ID, and the server then queries the shared data set corresponding to the data sharing service according to that description information, treats the shared data found by the query as the target shared data, encrypts the target shared data and provides the resulting encrypted data to the service caller. In this way the server does not have to provide encrypted data for all shared data in the shared data set; it can instead provide encrypted data for only the part of the shared data set the service caller actually needs, which satisfies the caller's data requirements more precisely while reducing unnecessary data encryption and network interaction as much as possible.
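The invocation-side checks described in S404 and the surrounding paragraphs, as an added example that is not part of the patent: the server verifies that the target encryption manner (and, if present, the target retrieval manner) is in the data security policy, updates the call number table with a periodic and a permanent upper limit, and encrypts only the target shared data selected by a keyword. The `encrypt` function is a constructed placeholder that tags data with the mode name; the type and field names are assumptions of this example, not the patent's.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// DataSecurityPolicy is the part of the configuration information this example models.
type DataSecurityPolicy struct {
	EncryptionModes []string      // homomorphic encryption manners the provider allows, e.g. "BFV", "CKKS"
	RetrievalModes  []string      // retrieval index types the provider allows, e.g. "exact", "fuzzy"
	PeriodicLimit   int           // periodic invocation upper limit; 0 means unlimited
	Period          time.Duration // length of the periodic window
	PermanentLimit  int           // permanent invocation upper limit; 0 means unlimited
}

// callNumberTable is the server's record of how often one service has been called.
type callNumberTable struct {
	periodStart    time.Time
	periodicCalls  int
	permanentCalls int
}

// SharedService is one deployed data sharing service.
type SharedService struct {
	ServiceID string
	Policy    DataSecurityPolicy
	SharedSet []string // plaintext shared data (constructed sample)
	counts    callNumberTable
}

// InvokeRequest carries the target encryption manner plus an optional retrieval manner and keyword.
type InvokeRequest struct {
	EncryptionMode string // target encryption manner
	RetrievalMode  string // target retrieval manner; "" when no index is wanted
	Keyword        string // selects the target shared data; "" means the whole shared data set
}

var (
	ErrUnsupportedEncryption = errors.New("target encryption manner not in the data security policy")
	ErrUnsupportedRetrieval  = errors.New("target retrieval manner not in the data security policy")
	ErrCallLimit             = errors.New("invocation upper limit reached; response suspended")
)

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// encrypt stands in for the homomorphic encryption library (constructed placeholder): it tags
// the plaintext with the mode so the caller can see which manner was applied.
func encrypt(mode, plaintext string) string { return mode + ":" + plaintext }

// HandleInvoke performs the S404 check on the target encryption manner, the retrieval manner
// check and the call number table update, then returns the encrypted target shared data.
func (s *SharedService) HandleInvoke(req InvokeRequest, now time.Time) ([]string, error) {
	if !contains(s.Policy.EncryptionModes, req.EncryptionMode) {
		return nil, ErrUnsupportedEncryption
	}
	if req.RetrievalMode != "" && !contains(s.Policy.RetrievalModes, req.RetrievalMode) {
		return nil, ErrUnsupportedRetrieval
	}
	// Roll the periodic window once it has elapsed, then enforce both upper limits.
	if s.Policy.PeriodicLimit > 0 && now.Sub(s.counts.periodStart) >= s.Policy.Period {
		s.counts.periodStart, s.counts.periodicCalls = now, 0
	}
	if (s.Policy.PeriodicLimit > 0 && s.counts.periodicCalls >= s.Policy.PeriodicLimit) ||
		(s.Policy.PermanentLimit > 0 && s.counts.permanentCalls >= s.Policy.PermanentLimit) {
		return nil, ErrCallLimit
	}
	s.counts.periodicCalls++
	s.counts.permanentCalls++
	// Encrypt only the target shared data the request describes (here: a keyword match).
	var out []string
	for _, d := range s.SharedSet {
		if req.Keyword == "" || strings.Contains(d, req.Keyword) {
			out = append(out, encrypt(req.EncryptionMode, d))
		}
	}
	return out, nil
}

func main() {
	svc := &SharedService{
		ServiceID: "2",
		Policy: DataSecurityPolicy{EncryptionModes: []string{"BFV", "CKKS"}, RetrievalModes: []string{"exact"},
			PeriodicLimit: 2, Period: time.Hour, PermanentLimit: 3},
		SharedSet: []string{"order-1001", "order-1002", "invoice-7"},
	}
	data, err := svc.HandleInvoke(InvokeRequest{EncryptionMode: "CKKS", Keyword: "order"}, time.Now())
	fmt.Println(data, err)
}
```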
Optionally, the providing, to the service invoker, encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption manner includes: providing the encrypted data which is stored in an encrypted data set of the server in advance to the service caller, wherein the encrypted data set is obtained by encrypting all shared data in the shared data set in advance by the server according to the at least one encryption mode; or, providing the encrypted data obtained by instantly encrypting the shared data in the shared data set according to the target encryption mode to the service calling party.
In this embodiment of the present specification, when receiving a service invocation request initiated by a service caller, the service end may use several different encrypted data providing manners. In the first encrypted data providing manner, the data sharing service also maintains an encrypted data set at the server during the deployment phase, where the encrypted data set is obtained by encrypting all shared data in the shared data set according to all encryption manners recorded in the data security policy; for example, when there are N items of shared data in the shared data set and M encryption manners recorded in the data security policy, the server encrypts the N items of shared data M times and finally obtains M × N items of encrypted data as the encrypted data set. Therefore, when receiving a service invocation request for a target encryption manner from a service caller, the service end can directly take the encrypted data encrypted according to the target encryption manner out of the prestored encrypted data set. Because the shared data is encrypted before the service invocation request is received, this encrypted data providing manner saves execution time of the data sharing service, reducing the time the service caller waits for the encrypted data to be returned and improving the user experience.
In the second encrypted data providing manner, the server does not store an encrypted data set in advance; instead, it first obtains the target encryption manner required by the service caller from the received service invocation request, then immediately encrypts the shared data in the shared data set according to the target encryption manner to obtain encrypted data, and provides that encrypted data to the service caller. Because the server encrypts on demand in this manner, a large amount of encrypted data need not be stored at the server in advance, which reduces consumption of the server's storage resources.
In a third encrypted data providing manner, the server maintains a hotness list for each deployed data sharing service. The hotness list of a data sharing service records how the service has been called, including the service invocation frequency and the encryption frequency with which shared data has been encrypted according to each encryption manner during execution: the service invocation frequency reflects how hot the data sharing service has been recently, and the per-manner encryption frequency reflects how much demand service callers have for each encryption manner. The server can decide according to this called condition whether to store an encrypted data set at the server, and so switch between the different encrypted data providing manners. For example, when the service invocation frequency of the data sharing service is higher than a first preset threshold, the server first builds a complete encrypted data set from the configuration information of the data sharing service and the shared data set, and once the encrypted data set has been built and stored at the server it adopts the first encrypted data providing manner for service invocation requests specifying that data sharing service; when the service invocation frequency of a data sharing service is lower than a second preset threshold, the server adopts the second encrypted data providing manner, and if the server is storing an encrypted data set corresponding to that data sharing service at that time, the encrypted data set is deleted.
For another example, in a hotness list corresponding to a certain data sharing service, the encryption frequency of encrypting shared data by different encryption modes is monitored in real time, after the encryption frequency corresponding to a certain encryption mode is higher than a first preset threshold value, an encrypted data set formed by encrypted data obtained by encrypting the shared data in a shared data set according to the encryption mode is stored in a server, and the first encrypted data providing mode is adopted for a service calling request specifying the encryption mode; and when the encryption frequency corresponding to a certain encryption mode is lower than a second preset threshold, the second encryption data providing mode is adopted for the service calling request for specifying the encryption mode, whether the encryption data set stored by the server contains the encryption data obtained through encryption by the encryption mode is checked, and if the encryption data exists, the part of the encryption data is deleted from the encryption data set. Under the encrypted data providing mode, the server side can intelligently adjust the encrypted data providing mode and the content of the encrypted data set stored by the server side according to the called condition of the shared service, so that a balance is obtained between saving storage resources and improving calling efficiency.
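The third (adaptive) providing manner, as an added example that is not part of the patent: a hotness list counts recent encryptions per encryption manner over a sliding window; when the count rises above the first threshold the server builds and stores the encrypted data set for that manner and serves requests from it, and when it falls below the second threshold the stored set is discarded and requests are encrypted on demand again. The sliding window, the `encrypt` placeholder (which only tags data with the mode name) and all names are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// ProvideMode identifies which encrypted data providing manner served a request.
type ProvideMode int

const (
	Precomputed ProvideMode = iota + 1 // first manner: served from an encrypted data set stored at the server
	OnDemand                           // second manner: encrypted at invocation time
)

// AdaptiveService implements the third manner: a hotness list drives switching between the first two.
type AdaptiveService struct {
	SharedSet     []string
	Window        time.Duration          // how far back the hotness list looks
	HighThreshold int                    // first preset threshold: build the encrypted data set above it
	LowThreshold  int                    // second preset threshold: discard the encrypted data set below it
	hotness       map[string][]time.Time // encryption manner -> timestamps of recent encryptions
	cache         map[string][]string    // encryption manner -> stored encrypted data set
}

func NewAdaptiveService(shared []string, window time.Duration, high, low int) *AdaptiveService {
	return &AdaptiveService{SharedSet: shared, Window: window, HighThreshold: high, LowThreshold: low,
		hotness: map[string][]time.Time{}, cache: map[string][]string{}}
}

// encrypt stands in for the homomorphic encryption library (constructed placeholder).
func encrypt(mode, plaintext string) string { return mode + ":" + plaintext }

// frequency records this call in the hotness list and returns how many calls for the manner fall
// inside the window (older entries are pruned).
func (a *AdaptiveService) frequency(mode string, now time.Time) int {
	kept := a.hotness[mode][:0]
	for _, ts := range a.hotness[mode] {
		if now.Sub(ts) < a.Window {
			kept = append(kept, ts)
		}
	}
	kept = append(kept, now)
	a.hotness[mode] = kept
	return len(kept)
}

func (a *AdaptiveService) encryptAll(mode string) []string {
	out := make([]string, 0, len(a.SharedSet))
	for _, d := range a.SharedSet {
		out = append(out, encrypt(mode, d))
	}
	return out
}

// Provide returns the encrypted shared data for mode and reports which manner served it,
// building or discarding the stored encrypted data set as the hotness crosses the thresholds.
func (a *AdaptiveService) Provide(mode string, now time.Time) ([]string, ProvideMode) {
	freq := a.frequency(mode, now)
	if _, cached := a.cache[mode]; cached && freq < a.LowThreshold {
		delete(a.cache, mode) // demand dropped below the second threshold: free the storage
	}
	if _, cached := a.cache[mode]; !cached && freq > a.HighThreshold {
		a.cache[mode] = a.encryptAll(mode) // demand rose above the first threshold: store the set
	}
	if set, cached := a.cache[mode]; cached {
		return append([]string(nil), set...), Precomputed
	}
	return a.encryptAll(mode), OnDemand
}

// CachedModes lists the encryption manners that currently have a stored encrypted data set.
func (a *AdaptiveService) CachedModes() []string {
	modes := make([]string, 0, len(a.cache))
	for m := range a.cache {
		modes = append(modes, m)
	}
	sort.Strings(modes)
	return modes
}

func main() {
	svc := NewAdaptiveService([]string{"order-1001", "invoice-7"}, time.Hour, 3, 2)
	now := time.Now()
	for i := 0; i < 5; i++ {
		_, how := svc.Provide("CKKS", now.Add(time.Duration(i)*time.Minute))
		fmt.Println("call", i+1, "served by manner", how)
	}
}
```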
Optionally, the configuration information further includes an encrypted data storage policy, which is used to configure an encrypted data providing manner of the data sharing service for the service invoker. As described above, when receiving a service invocation request initiated by a service invoker, a server may provide a plurality of different encrypted data providing manners, including the aforementioned first, second, or third encrypted data providing manners.
Optionally, the providing, to the service invoker, encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption manner includes: and under the condition that the service calling party is determined to be a trusted application deployed in a trusted execution environment, providing encrypted data and a decryption key ciphertext obtained by encrypting the shared data in the shared data set according to the target encryption mode to the service calling party, wherein the decryption key ciphertext is obtained by encrypting a decryption key through a public key corresponding to the trusted application, and the decryption key is used for decrypting the encrypted data.
In the embodiments of the specification, the service end can check the TEE architecture of the service caller and, when the service caller is determined to be a trusted application deployed in a trusted execution environment, additionally provide a decryption key ciphertext obtained by encrypting the decryption key with the public key corresponding to the service caller. The service caller can decrypt the decryption key ciphertext with its own private key to obtain the decryption key, so that after obtaining the encrypted data it can, inside the trusted execution environment, decrypt the encrypted data that needs to take part in the ciphertext computation and perform plaintext computation on the decrypted shared data, converting the ciphertext computation task into a plaintext computation task. Because a plaintext computation task requires far fewer computing resources than a ciphertext computation task, this saves computing resources and improves privacy computation efficiency. In addition, since the service caller obtains the decryption key directly, it can perform ciphertext decryption locally without a second interaction with the service end, which reduces the load on the service end.
In the embodiment of the specification, the service side can identify the TEE framework of the service caller to intelligently adjust the implementation mode of privacy computation, and when the service caller is determined to be a trusted application in a trusted execution environment, the decryption key is encrypted and provided for the service caller to ensure safety, and meanwhile, the implementation mode of privacy computation in the TEE scene is adapted, so that different privacy computation solutions are provided for different types of service callers through the same data sharing service, and the TEE framework of the service caller is fully utilized to save computation resources, improve privacy computation efficiency and reduce system pressure of the service side.
Optionally, determining that the service caller is a trusted application deployed in a trusted execution environment includes: checking the signature contained in the service invocation request, and determining that the service caller is a trusted application deployed in a trusted execution environment when the result of the check shows that the service caller is a trusted application that has passed remote attestation.
In the embodiments of the present specification, the server maintains the public keys of all trusted applications that have passed remote attestation, so that the signature included in the service invocation request can be checked against these public keys one by one; as soon as some public key verifies the signature, the service caller is identified as the trusted application to which that public key belongs, which means the service caller is a trusted application that has passed remote attestation and is deployed in a trusted execution environment. In other words, by maintaining at the server the public keys of trusted applications that have passed remote attestation, the server maintains a list of which service callers have a TEE architecture, and the TEE architecture of a service caller can be identified through this list. In addition to the service caller's public key and its remote attestation result, the list also records an attestation expiry time, which is the attestation time recorded in the remote attestation report obtained by the server plus a preset fixed value. An attested service caller therefore needs to re-attest to the server periodically to refresh the attestation expiry time, which is the only way to keep its identity valid; this prevents the decryption key from being exposed to a service caller that is no longer in a TEE architecture and ensures data security to the greatest extent.
In another embodiment, the service invocation request also carries a remote attestation challenge, and the server sends the remote attestation challenge to a third-party attestation system such as IAS (Intel Attestation Service). The third-party attestation system verifies the signature on the public key of the trusted hardware held by the service caller and carried in the remote attestation challenge, and generates a remote attestation report. The server receives the remote attestation report returned by the third-party attestation system and determines whether the service caller is a trusted application deployed in a trusted execution environment according to the remote attestation result recorded in the report; when the service caller is determined to be a trusted application, the server further obtains the public key of that trusted application from the remote attestation report and maintains it in the list of public keys of trusted applications that have passed remote attestation. In this embodiment, the remote attestation process can be performed in real time when the service caller invokes the data sharing service, so that whether the service caller is a trusted application deployed in a trusted execution environment is verified from the remote attestation result recorded in the freshly obtained report; this determination can therefore be made without maintaining in advance a public key list of trusted applications that have passed remote attestation.
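The signature-based TEE caller identification and decryption-key delivery described in the preceding paragraphs, as an added example that is not part of the patent: the server keeps a list of attested applications with an attestation expiry time, checks the request signature against every unexpired entry, and only for a matching caller attaches the decryption key encrypted under that caller's public key; the caller recovers the key inside its enclave. This example assumes each attested application registers an Ed25519 signing key and a separate RSA key-encryption key (the patent speaks of one public key per application), uses RSA-OAEP for the wrapping, and treats the attestation report verification and the symmetric data key as already done or constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// AttestedApp is one entry in the server's list of trusted applications that passed remote attestation.
// Assumption of this example: a signing key for request signatures and a separate RSA key for wrapping.
type AttestedApp struct {
	SignKey   ed25519.PublicKey
	WrapKey   *rsa.PublicKey
	ExpiresAt time.Time // attestation time from the report plus a preset fixed validity period
}

// TEEServer holds the attested list and the symmetric decryption key of one service's encrypted data.
type TEEServer struct {
	attested []AttestedApp
	dataKey  []byte // constructed sample key; a real server holds one per service and encryption manner
}

// Register is called once a remote attestation report for the application has been verified (not shown).
func (s *TEEServer) Register(sign ed25519.PublicKey, wrap *rsa.PublicKey, attestedAt time.Time, validity time.Duration) {
	s.attested = append(s.attested, AttestedApp{SignKey: sign, WrapKey: wrap, ExpiresAt: attestedAt.Add(validity)})
}

var ErrNotTrusted = errors.New("caller is not an unexpired attested trusted application")

// identify tries the request signature against every unexpired attested key; the first key that
// verifies identifies the caller as that trusted application.
func (s *TEEServer) identify(payload, sig []byte, now time.Time) (*AttestedApp, error) {
	for i := range s.attested {
		app := &s.attested[i]
		if !now.Before(app.ExpiresAt) {
			continue // attestation lapsed: the caller must attest again before it counts as a TEE caller
		}
		if ed25519.Verify(app.SignKey, payload, sig) {
			return app, nil
		}
	}
	return nil, ErrNotTrusted
}

const wrapLabel = "data-sharing-decryption-key"

// Response is what the server returns: encrypted data always, and the decryption key ciphertext
// only for a caller identified as a trusted application.
type Response struct {
	EncryptedData []string
	KeyCiphertext []byte // nil for callers outside a TEE
}

// Invoke decides from the request signature whether to attach the decryption key ciphertext.
func (s *TEEServer) Invoke(payload, sig []byte, now time.Time, encrypted []string) (Response, error) {
	resp := Response{EncryptedData: encrypted}
	app, err := s.identify(payload, sig, now)
	if errors.Is(err, ErrNotTrusted) {
		return resp, nil // not a TEE caller: data only; decryption needs a second interaction with the server
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, app.WrapKey, s.dataKey, []byte(wrapLabel))
	if err != nil {
		return resp, err
	}
	resp.KeyCiphertext = ct
	return resp, nil
}

// Unwrap is the caller side inside the enclave: recover the decryption key with the private key.
func Unwrap(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(wrapLabel))
}

func main() {
	signPub, signPriv, _ := ed25519.GenerateKey(rand.Reader)
	wrapPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := &TEEServer{dataKey: []byte("0123456789abcdef0123456789abcdef")}
	srv.Register(signPub, &wrapPriv.PublicKey, time.Now(), time.Hour)
	req := []byte("invoke svc-2 CKKS")
	resp, _ := srv.Invoke(req, ed25519.Sign(signPriv, req), time.Now(), []string{"CKKS:order-1001"})
	key, err := Unwrap(wrapPriv, resp.KeyCiphertext)
	fmt.Printf("key recovered inside the enclave: %q err=%v\n", key, err)
}
```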
Optionally, the data security policy further includes at least one retrieval manner, so that the data sharing service is configured to, when it is determined that the target retrieval manner indicated in the service invocation request is included in the at least one retrieval manner, include, in the encrypted data provided to the service invocation party, a retrieval index generated according to the target retrieval manner, where the retrieval index is used to enable the encrypted data to support encrypted data retrieval. As described above, the data provider can flexibly configure the encrypted data retrieval method supported by the data sharing service, so that the service caller can specify the target retrieval method in the service invocation request, and the encrypted data provided to the service caller contains the retrieval index generated according to the target retrieval method, so that the service caller can perform encrypted data retrieval on the acquired encrypted data by using the required ciphertext retrieval technology.
Optionally, the data security policy further includes a service invocation frequency, where the service invocation frequency is used to configure an upper limit of the number of periodic invocations and/or an upper limit of the number of permanent invocations of the data sharing service. As described above, the data provider can flexibly configure the service invocation frequency of the data sharing service, so as to limit the invocation frequency of the data sharing service by the service invoker, so as to adapt to different actual service invocation scenarios.
Optionally, the method further includes: calling the blockchain evidence storage service to store the service deployment request and/or the service invocation request on the chain. The server in the embodiments of the present specification is connected to at least one blockchain system and deploys a blockchain evidence storage service corresponding to that blockchain system, so the server can call the blockchain evidence storage service to store various materials on the chain. As described above, the server in this specification may be a BaaS platform, and it can therefore use the blockchain evidence storage service already deployed on the BaaS platform to store the service deployment request and/or the service invocation request on the chain. As for the use of the encrypted data, which includes ciphertext retrieval, ciphertext computation and ciphertext decryption, some of these processes (such as ciphertext computation) involve only the client, yet they can still be stored on the chain: the client corresponding to the service caller forwards the logs it records about the use of the encrypted data to the server, and the server then calls the blockchain evidence storage service to store those logs on the chain, achieving indirect evidence storage of how the encrypted data was used. In the embodiments of this specification, the blockchain evidence storage service is deployed at the service end, so the service end can record the whole life cycle of the data sharing service on the chain, ensuring transparency and traceability of data and operations in the system.
Optionally, for a data sharing service already deployed on the server, the server maintains the shared data set and configuration information corresponding to that service. A corresponding administrator may modify the shared data set information or the configuration information, whereupon the data sharing service is redeployed on the server according to the modified shared data set information and configuration information. The deployed data sharing service is thereby updated at the shared data level or the functional level to suit changing service invocation scenarios. The administrator of the data sharing service may be the data provider that deployed it or an administrator user of the server; this specification does not limit this.
The present specification also provides embodiments of an apparatus, an electronic device, and a storage medium, corresponding to embodiments of the foregoing method.
FIG. 5 is a schematic block diagram of a device provided in an exemplary embodiment. Referring to FIG. 5, at the hardware level the device includes a processor 502, an internal bus 504, a network interface 506, a memory 508 and a non-volatile memory 510, and may also include hardware required by other services. One or more embodiments of this specification may be implemented in software, for example by the processor 502 reading the corresponding computer program from the non-volatile memory 510 into the memory 508 and running it. Besides software, the one or more embodiments of this specification do not exclude other implementations, such as logic devices or combinations of software and hardware; that is, the execution subject of the processing flow below is not limited to logic units and may also be hardware or logic devices.
FIG. 6 is a block diagram of an apparatus for deploying a data sharing service according to an exemplary embodiment. The apparatus may be applied to the device shown in FIG. 5 to implement the technical solution of this specification. The apparatus is applied to a server and includes:
a request receiving unit 601, configured to receive a service deployment request of a data provider, where the service deployment request includes shared data set information and configuration information, the shared data set information describes a shared data set, and the configuration information configures the shared data in the shared data set through at least one preset configuration policy;
a service deployment unit 602, configured to deploy, based on the configuration information, a data sharing service available for invocation, where, when the target configuration manner indicated in a service invocation request initiated by a service invoker is determined to be included in the at least one preset configuration policy, the data sharing service provides the service invoker with configured shared data obtained by configuring the shared data in the shared data set according to that target configuration manner.
Optionally, the preset configuration policy includes a data security policy, and the data security policy includes at least one encryption mode for encrypting the shared data in the shared data set. In this case, the data sharing service providing the service invoker with configured shared data obtained by configuring the shared data in the shared data set according to the target configuration manner, when the target configuration manner indicated in the service invocation request initiated by the service invoker is determined to be included in the at least one preset configuration policy, includes:
the data sharing service providing the service invoker with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption mode, when the target encryption mode indicated in the service invocation request initiated by the service invoker is determined to be included in the at least one encryption mode.
Optionally, the at least one encryption mode includes a homomorphic encryption mode.
Optionally, the service deployment unit 602 is specifically configured to:
provide the service invoker with encrypted data obtained by encrypting, according to the target encryption mode, the target shared data in the shared data set that is indicated in the service invocation request.
Optionally, the service deployment unit 602 is specifically configured to:
provide the service invoker with encrypted data stored in advance in an encrypted data set of the server, where the encrypted data set is obtained by the server encrypting all shared data in the shared data set in advance according to the at least one encryption mode; or
provide the service invoker with encrypted data obtained by encrypting the shared data in the shared data set on the fly according to the target encryption mode.
Optionally, the service deployment unit 602 is specifically configured to:
when the service invoker is determined to be a trusted application deployed in a trusted execution environment, provide the service invoker with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption mode, together with a decryption key ciphertext, where the decryption key ciphertext is obtained by encrypting the decryption key with a public key of the trusted application, and the decryption key is used to decrypt the encrypted data.
Optionally, the service deployment unit 602 is specifically configured to:
verify the signature contained in the service invocation request, and determine that the service invoker is a trusted application deployed in a trusted execution environment when the verification result shows that the service invoker is a trusted application that has passed remote attestation.
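As an added example that is not the patent's or the applicant's code, the following Go program walks through the exchange described for a trusted-application invoker, and also covers the OpenAPI-model signature check of the rights management policy described below: the server verifies the request signature against the service's public key list, encrypts the shared data under a fresh AES-256-GCM data key, and releases that key, wrapped with RSA-OAEP to the trusted application's public key, only when the platform has marked the invoker as having passed remote attestation. The names InvokeRequest, Registry, Serve, Open and Enroll, the use of Ed25519 for request signatures, AES-GCM as the sole encryption mode offered, and the Attested flag standing in for the attestation result are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// InvokeRequest is a service invocation request as assumed for this example.
type InvokeRequest struct {
	CallerID  string
	Mode      string // target encryption mode requested by the invoker
	Attested  bool   // set by the platform once the invoker's remote attestation has been verified (assumed)
	Nonce     []byte
	Signature []byte // Ed25519 signature over signedBytes
}

// Registry is the service's public key list (OpenAPI model) plus the key-wrapping
// public key of each trusted application that has passed remote attestation.
type Registry struct {
	SigningKeys  map[string]ed25519.PublicKey
	WrappingKeys map[string]*rsa.PublicKey
}

// Response is the encrypted shared data plus, only for an attested TA, the wrapped data key.
type Response struct{ Nonce, Ciphertext, WrappedKey []byte }

func signedBytes(r InvokeRequest) []byte {
	return append([]byte(r.CallerID+"|"+r.Mode+"|"), r.Nonce...)
}

// Sign is performed by the invoker before it sends the request.
func Sign(priv ed25519.PrivateKey, r *InvokeRequest) {
	r.Signature = ed25519.Sign(priv, signedBytes(*r))
}

// Authorize is the OpenAPI-model check: the signature must verify under a key in the list.
func (reg Registry) Authorize(r InvokeRequest) error {
	if pub, ok := reg.SigningKeys[r.CallerID]; ok && ed25519.Verify(pub, signedBytes(r), r.Signature) {
		return nil
	}
	return errors.New("invoker not in public key list or signature invalid")
}

// gcm builds AES-256-GCM; neither constructor can fail for a 32-byte key.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Serve encrypts the shared data under a fresh data key and releases that key, wrapped with
// RSA-OAEP to the TA's public key, only when the invoker is an attested trusted application.
func (reg Registry) Serve(r InvokeRequest, shared []byte) (Response, error) {
	if err := reg.Authorize(r); err != nil {
		return Response{}, err
	}
	if r.Mode != "aes-gcm" { // the only encryption mode this example's data security policy offers
		return Response{}, errors.New("target encryption mode not in policy")
	}
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	// The invoker ID is bound as associated data, so a response cannot be replayed to another invoker.
	resp := Response{Nonce: nonce, Ciphertext: gcm(key).Seal(nil, nonce, shared, []byte(r.CallerID))}
	if !r.Attested {
		return resp, nil // ciphertext only: an unattested invoker never receives the key
	}
	wk, ok := reg.WrappingKeys[r.CallerID]
	if !ok {
		return Response{}, errors.New("attested TA has no registered wrapping key")
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, wk, key, nil)
	resp.WrappedKey = wrapped
	return resp, err
}

// Open runs inside the TA: unwrap the data key with the TA's private key, then decrypt.
func Open(priv *rsa.PrivateKey, callerID string, resp Response) ([]byte, error) {
	if len(resp.WrappedKey) == 0 {
		return nil, errors.New("no decryption key was released to this invoker")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, resp.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return gcm(key).Open(nil, resp.Nonce, resp.Ciphertext, []byte(callerID))
}

// Enroll generates an invoker's signing and wrapping key pairs and registers the public halves.
func Enroll(reg Registry, id string) (ed25519.PrivateKey, *rsa.PrivateKey) {
	pub, sk, _ := ed25519.GenerateKey(rand.Reader)
	wk, _ := rsa.GenerateKey(rand.Reader, 2048)
	reg.SigningKeys[id], reg.WrappingKeys[id] = pub, &wk.PublicKey
	return sk, wk
}
```

Two points the description leaves implicit are made explicit here: the data key is generated per response, so the decryption key ciphertext handed to one trusted application unlocks nothing served to another, and an invoker whose signature verifies but who is not attested still receives only ciphertext. In a real deployment the Attested flag would be the outcome of checking the attestation evidence that the request signature is tied to, not a field the invoker sets.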
Optionally, the data security policy further includes at least one retrieval mode, so that when the target retrieval mode indicated in the service invocation request is determined to be included in the at least one retrieval mode, the data sharing service includes, in the encrypted data provided to the service invoker, a retrieval index generated according to the target retrieval mode; the retrieval index enables the encrypted data to support retrieval over ciphertext.
Optionally, the data security policy further includes a service invocation frequency, which configures an upper limit on the number of invocations of the data sharing service per period and/or an upper limit on the total (permanent) number of invocations.
Optionally, the shared data set information includes the shared data set or metadata used for obtaining the shared data set.
Optionally, the configuration information further includes a data flow policy, where the data flow policy is used to configure a data flow mode of the data sharing service for the configured shared data.
Optionally, the data flow mode includes an API gateway mode or a database table mode;
when the data flow mode of the data sharing service is the API gateway mode, the configured shared data is provided to the client of the service invoker through the API gateway of the server;
when the data flow mode of the data sharing service is the database table mode, the configured shared data is provided to the database of the service invoker through a database synchronization plug-in.
Optionally, the configuration information further includes a rights management policy, which configures the rights management model that the data sharing service applies to service invokers, so that the data sharing service responds to a service invocation request sent by a service invoker when the service invoker is determined to have invocation rights for the data sharing service.
Optionally, the rights management model includes an OpenAPI model or an IAM model, and determining that the service invoker has invocation rights for the data sharing service includes:
when the rights management model of the data sharing service is the OpenAPI model, verifying the signature contained in the service invocation request against a public key in the public key list corresponding to the data sharing service, and determining that the service invoker has invocation rights for the data sharing service when the signature verifies successfully;
when the rights management model of the data sharing service is the IAM model, querying the service permission list corresponding to the service invoker in its logged-in state, and determining that the service invoker has invocation rights for the data sharing service when the service permission list contains the data sharing service.
Optionally, the rights management policy is further used to configure, for service invokers, a list of legitimate invokers of the data sharing service.
Optionally, the apparatus further includes:
a blockchain service invoking unit 603, configured to invoke a blockchain evidence storage service and store the service deployment request and/or the service invocation request on chain as evidence.
Correspondingly, this specification also provides an electronic device comprising a processor and a memory for storing processor-executable instructions, where the processor is configured to implement the steps of the method for deploying a data sharing service provided by all of the above method embodiments.
Correspondingly, this specification also provides a computer-readable storage medium having executable instructions stored thereon, where the instructions, when executed by a processor, implement the steps of the method for deploying a data sharing service provided by all of the above method embodiments.
Since the apparatus embodiments substantially correspond to the method embodiments, the description of the method embodiments may be referred to for relevant details. The apparatus embodiments described above are merely illustrative: the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules; they may be located in one place or distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this specification. Those of ordinary skill in the art can understand and implement this without inventive effort.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments herein. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The above description is only for the purpose of illustrating the preferred embodiments of the one or more embodiments of the present disclosure, and is not intended to limit the scope of the one or more embodiments of the present disclosure, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principle of the one or more embodiments of the present disclosure should be included in the scope of the one or more embodiments of the present disclosure.

Claims (19)

1. A method for deploying a data sharing service, applied to a server, comprising:
receiving a service deployment request of a data provider, wherein the service deployment request comprises shared data set information and configuration information, the shared data set information is used to describe a shared data set, and the configuration information is used to configure shared data in the shared data set through at least one preset configuration policy; and
deploying, based on the configuration information, a data sharing service available for invocation, wherein the data sharing service is used to provide a service invoker with configured shared data obtained by configuring the shared data in the shared data set according to a target configuration manner when the target configuration manner indicated in a service invocation request initiated by the service invoker is determined to be included in the at least one preset configuration policy.
2. The method of claim 1, wherein the preset configuration policy comprises a data security policy, and the data security policy comprises at least one encryption mode for encrypting the shared data in the shared data set; and wherein the data sharing service being used to provide a service invoker with configured shared data obtained by configuring the shared data in the shared data set according to a target configuration manner when the target configuration manner indicated in a service invocation request initiated by the service invoker is determined to be included in the at least one preset configuration policy comprises:
the data sharing service being used to provide the service invoker with encrypted data obtained by encrypting the shared data in the shared data set according to a target encryption mode when the target encryption mode indicated in the service invocation request initiated by the service invoker is determined to be included in the at least one encryption mode.
3. The method of claim 2, wherein the at least one encryption scheme comprises a homomorphic encryption scheme.
4. The method of claim 2, wherein providing the service invoker with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption mode comprises:
providing the service invoker with encrypted data obtained by encrypting, according to the target encryption mode, the target shared data in the shared data set that is indicated in the service invocation request.
5. The method of claim 2, wherein providing the service invoker with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption mode comprises:
providing the service invoker with encrypted data stored in advance in an encrypted data set of the server, wherein the encrypted data set is obtained by the server encrypting all shared data in the shared data set in advance according to the at least one encryption mode; or
providing the service invoker with encrypted data obtained by encrypting the shared data in the shared data set on the fly according to the target encryption mode.
6. The method of claim 2, wherein providing the service invoker with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption mode comprises:
when the service invoker is determined to be a trusted application deployed in a trusted execution environment, providing the service invoker with encrypted data obtained by encrypting the shared data in the shared data set according to the target encryption mode, together with a decryption key ciphertext, wherein the decryption key ciphertext is obtained by encrypting a decryption key with a public key corresponding to the trusted application, and the decryption key is used to decrypt the encrypted data.
7. The method of claim 6, wherein determining that the service invoker is a trusted application deployed in a trusted execution environment comprises:
verifying the signature contained in the service invocation request, and determining that the service invoker is a trusted application deployed in a trusted execution environment when the verification result shows that the service invoker is a trusted application that has passed remote attestation.
8. The method of claim 2, wherein the data security policy further comprises at least one retrieval mode, so that when the target retrieval mode indicated in the service invocation request is determined to be included in the at least one retrieval mode, the data sharing service includes, in the encrypted data provided to the service invoker, a retrieval index generated according to the target retrieval mode, the retrieval index being used to enable the encrypted data to support retrieval over ciphertext.
9. The method of claim 2, the data security policy further comprising a service invocation frequency, the service invocation frequency being used to configure a periodic invocation upper limit and/or a permanent invocation upper limit of the data sharing service.
10. The method of claim 1, the shared data set information comprising the shared data set or metadata used to retrieve the shared data set.
11. The method of claim 1, the configuration information further comprising a data flow policy for configuring a data flow pattern of the data sharing service for the configured shared data.
12. The method of claim 11, wherein the data flow mode comprises an API gateway mode or a database table mode;
when the data flow mode of the data sharing service is the API gateway mode, the configured shared data is provided to a client of the service invoker through an API gateway of the server; and
when the data flow mode of the data sharing service is the database table mode, the configured shared data is provided to a database of the service invoker through a database synchronization plug-in.
13. The method of claim 1, wherein the configuration information further comprises a rights management policy, and the rights management policy is used to configure the rights management model that the data sharing service applies to service invokers, so that the data sharing service is used to respond to a service invocation request issued by a service invoker when the service invoker is determined to have invocation rights for the data sharing service.
14. The method of claim 13, wherein the rights management model comprises an OpenAPI model or an IAM model, and determining that the service invoker has invocation rights for the data sharing service comprises:
when the rights management model of the data sharing service is the OpenAPI model, verifying the signature contained in the service invocation request against a public key in a public key list corresponding to the data sharing service, and determining that the service invoker has invocation rights for the data sharing service when the signature verifies successfully; and
when the rights management model of the data sharing service is the IAM model, querying a service permission list corresponding to the service invoker in its logged-in state, and determining that the service invoker has invocation rights for the data sharing service when the service permission list contains the data sharing service.
15. The method of claim 13, wherein the rights management policy is further used to configure, for service invokers, a list of legitimate invokers of the data sharing service.
16. The method of claim 1, further comprising:
invoking a blockchain evidence storage service, and storing the service deployment request and/or the service invocation request on chain as evidence.
17. An apparatus for deploying a data sharing service, applied to a server, comprising:
a request receiving unit, configured to receive a service deployment request of a data provider, wherein the service deployment request comprises shared data set information and configuration information, the shared data set information is used to describe a shared data set, and the configuration information is used to configure shared data in the shared data set through at least one preset configuration policy; and
a service deployment unit, configured to deploy, based on the configuration information, a data sharing service available for invocation, wherein the data sharing service is used to provide a service invoker with configured shared data obtained by configuring the shared data in the shared data set according to a target configuration manner when the target configuration manner indicated in a service invocation request initiated by the service invoker is determined to be included in the at least one preset configuration policy.
18. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method of any one of claims 1-16 by executing the executable instructions.
19. A computer-readable storage medium having stored thereon computer instructions, which, when executed by a processor, carry out the steps of the method according to any one of claims 1 to 16.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202111022347.2A | 2021-09-01 | 2021-09-01 | Method and device for deploying data sharing service

Publications (1)

Publication Number | Publication Date
CN113849558A | 2021-12-28

Family

ID=78976748

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN202111022347.2A | Method and device for deploying data sharing service | 2021-09-01 | 2021-09-01 | Pending (published as CN113849558A)

Country Status (1)

Country | Link
CN (1) | CN113849558A

Citations (8)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
US20100146582A1 * | 2008-12-04 | 2010-06-10 | Dell Products L.P. | Encryption management in an information handling system
US20150121155A1 * | 2013-10-31 | 2015-04-30 | Stoyan Boshev | Performing customized deployment scenarios in shared environments
CN106992990A * | 2017-05-19 | 2017-07-28 | 北京牛链科技有限公司 | Data sharing method and system, blockchain system, and computing device
CN107241360A * | 2017-08-04 | 2017-10-10 | 北京明朝万达科技股份有限公司 | Data security sharing and exchange method and data security sharing and exchange platform system
CN109255246A * | 2018-08-14 | 2019-01-22 | 平安普惠企业管理有限公司 | Interface parameter encryption method, apparatus, computer device and storage medium
CN112199220A * | 2020-12-01 | 2021-01-08 | 蚂蚁智信(杭州)信息技术有限公司 | API gateway-based data calling method and API gateway
CN112347496A * | 2020-11-16 | 2021-02-09 | 中电科大数据研究院有限公司 | Fine-grained data security access control method and system
CN112637163A * | 2020-12-14 | 2021-04-09 | 北京中电普华信息技术有限公司 | Authentication and authorization method and system based on API gateway

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination