CN114706857A - Unified authentication/authorization method, equipment and storage medium for cross-multi-source heterogeneous storage system - Google Patents


Info

Publication number: CN114706857A
Authority: CN (China)
Prior art keywords: user, data storage, logic, storage system, level
Legal status: Pending
Application number: CN202210424460.1A
Other languages: Chinese (zh)
Inventors: 姚宏宇, 朱朝强, 王刚
Current assignee: BEIJING YOYO TIANYU SYSTEM TECHNOLOGY CO LTD
Original assignee: BEIJING YOYO TIANYU SYSTEM TECHNOLOGY CO LTD


Classifications

    • G06F16/2282 Tablespace storage structures; Management thereof (under G06F16/22 Indexing; Data structures therefor; Storage structures)
    • G06F16/2433 Query languages (under G06F16/242 Query formulation; G06F16/24 Querying)
    • G06F16/284 Relational databases (under G06F16/28 Databases characterised by their database models, e.g. relational or object models)
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data)
    • G06F21/604 Tools and structures for managing or administering access control systems (under G06F21/60 Protecting data)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme relating to G06F21/00)


Abstract

Embodiments of the present application provide a global mapping-based unified authorization method, apparatus, and computer-readable storage medium across multi-source heterogeneous data storage systems. The method comprises the steps of mapping different types of data storage systems based on preset mapping rules to generate logic tables; generating a logic diagram based on the logic tables and the business association relation; and constructing a user authority table based on the logic tables and the logic diagram, and performing unified access authorization on registered users based on the user authority table, so that unified authorization on different data storage systems is realized. In this way, uniform authorization across multi-source heterogeneous data storage systems is achieved.

Description

Unified authentication/authorization method, equipment and storage medium for cross-multi-source heterogeneous storage system
Technical Field
Embodiments of the present application relate to the field of data processing, and in particular, to a method, an apparatus, and a computer-readable storage medium for uniform authorization across multi-source heterogeneous data storage systems based on global mapping.
Background
In the construction of a modern enterprise IT information system, objective factors such as different historical periods, different business fields, different software suppliers and different software technology systems cause the number of enterprise business systems to grow with business demand, so that many heterogeneous application systems are in use at the same time. These systems often rely on different data storage systems: common relational databases, including the mature commercial products adopted early on (Oracle, DB2, SQLServer and the like), and, with the vigorous development of the open-source community and big data technology, the open-source database systems (MySQL, PostgreSQL and the like) and open-source big data storage systems (HDFS, HBase, MongoDB and the like) that are continually being introduced in enterprises.
In the conventional technology, the data protection mechanism of a data storage system is a single user system that only takes effect for that type of data storage system, such as the user system of a relational database.
The existing database technology lacks a user system and a data protection method that work across multi-source heterogeneous data storage systems, and such a method must also be realized without modifying the existing data storage systems, so that the existing business systems are not affected.
Therefore, a data protection method that spans multi-source heterogeneous data storage systems is needed. It must provide uniform user management and a uniform authorization system for the multi-source heterogeneous data storage systems, and realize data protection without modifying the data content of the physical data storage systems.
Disclosure of Invention
According to an embodiment of the application, a unified authorization scheme based on global mapping and across multi-source heterogeneous data storage systems is provided.
In a first aspect of the present application, a unified authorization method across multi-source heterogeneous data storage systems based on global mapping is provided. The method comprises the following steps:
mapping different types of data storage systems based on a preset mapping rule to generate a logic table;
generating a logic diagram based on the logic table and the business incidence relation;
and constructing a user authority table based on the logic table and the logic diagram, and performing unified access authorization on registered users based on the user authority table to realize unified authorization on different data storage systems.
Further, the mapping different types of data storage systems based on the preset mapping rule, and the generating a logic table includes:
the preset mapping rules are from a single table to a single table and from a field to a field;
mapping different types of data storage systems based on a preset mapping rule to respectively obtain a logic table corresponding to a table in each type of data storage system; the data storage system includes a physical storage system that does not support table level, field level, and row level permissions.
Further, the building a user authority table based on the logic table and the logic diagram includes:
and respectively performing table-level, field-level and row-level authorization on each registered user based on the logic table and the logic diagram, and constructing a user authority table.
Further, the table-level, field-level and row-level authorization is performed on each registered user, and the constructing of the user permission table includes:
setting the insert, delete, update and select (query) authority of each user on the data storage system tables and on the rows and fields in those tables;
and constructing a user authority table based on these insert, delete, update and select authorities.
Further, the performing table-level, field-level and row-level authorization on each registered user, and constructing the user permission table further includes:
setting an encryption algorithm authority, so that the same field in the same data storage system table is encrypted with different preset encryption algorithms for different registered users;
rows in the data storage system tables are authorized through the where clause of SQL.
Further, the performing unified access authorization on the registered users based on the logic table and the logic diagram to implement unified authorization on different data storage systems further includes:
and based on the association relation of the services, performing unified authorization on the same fields in different logic tables.
In a second aspect of the present application, an authentication method for a cross-multi-source heterogeneous data storage system based on global mapping is provided. The method comprises the following steps:
acquiring an SQL query statement and simultaneously acquiring a user authority table corresponding to an access user; calling the operation authority of the access user on a table in a data storage system and fields and rows in the table from the authority table;
and finishing the authentication of the access user according to the operation authority of the access user on the table in the data storage system, the fields and the rows in the table and the SQL query statement.
Further, the completing the authentication of the access user according to the operation authority of the access user on the table in the data storage system, the fields and the rows in the table, and the SQL query statement includes:
and determining whether the access user has the access right according to the operation right of the access user to the table in the data storage system, the field and the row in the table and the SQL query statement, if so, modifying the SQL query based on the operation right of the access user to the table in the data storage system and the field and the row in the table, and finishing the access to the data storage system through the modified SQL statement.
In a third aspect of the present application, an electronic device is provided. The electronic device includes: a memory having a computer program stored thereon and a processor implementing the method as described above when executing the program.
In a fourth aspect of the present application, a computer-readable storage medium is provided, having stored thereon a computer program which, when executed by a processor, performs the method as according to the first aspect of the present application.
The unified authorization method for cross-multi-source heterogeneous data storage systems based on global mapping, as provided by the embodiments of the application, maps different types of data storage systems based on the preset mapping rule to generate logic tables; generates a logic diagram based on the logic tables and the business association relation; and, based on the logic tables and the logic diagram, performs unified access authorization on registered users. Unified authorization on different data storage systems, and thus across multi-source heterogeneous systems, is realized.
It should be understood that what is described in this summary section is not intended to limit key or critical features of the embodiments of the application, nor is it intended to limit the scope of the application. Other features of the present application will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present application will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, like or similar reference characters designate like or similar elements, and wherein:
FIG. 1 illustrates a flow diagram of a global mapping based unified authorization method across a multi-source heterogeneous data storage system in accordance with an embodiment of the present application;
FIG. 2 illustrates a logical map according to an embodiment of the present application;
FIG. 3 illustrates a unified authorization diagram according to an embodiment of the present application;
FIG. 4 illustrates a field level authorization diagram according to an embodiment of the present application;
FIG. 5 shows a field level encryption algorithm authorization diagram according to an embodiment of the present application;
FIG. 6 shows a row level authorization diagram according to an embodiment of the application;
FIG. 7 shows a flowchart of a global mapping based unified authentication method across multi-source heterogeneous data storage systems according to an embodiment of the application;
Fig. 8 shows a schematic structural diagram of a terminal device or a server suitable for implementing the embodiments of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
In addition, the term "and/or" herein only describes an association relationship between associated objects and means that three kinds of relationship may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
Terminology:
Structured Query Language (SQL), a special-purpose programming language, is a database query and programming language used to access data and to query, update and manage relational database systems.
Structured query language is a high-level, non-procedural programming language that allows users to work on high-level data structures. The user does not need to specify a data storage method or know the specific data storage mode, and different database systems with completely different underlying structures can use the same structured query language as the interface for data input and management. Structured query language statements can be nested, which gives great flexibility and strong functionality.
FIG. 1 illustrates a flow diagram of a global mapping based unified authorization method across a multi-source heterogeneous data storage system according to an embodiment of the disclosure. The method comprises the following steps:
s110, mapping different types of data storage systems based on preset mapping rules to generate a logic table.
The preset mapping rule comprises a single table to a single table and a field to a field.
Different types of data storage systems include physical storage systems that do not support table-level, field-level and row-level permissions; relational databases such as Oracle, DB2, SQLServer and the like; open-source databases such as MySQL, PostgreSQL and the like; and open-source big data storage systems such as HDFS, HBase, MongoDB and the like.
Referring to fig. 2, three data sources, MySQL, Oracle and HDFS, are taken as examples:
a User table is stored in MySQL and comprises 4 fields: id (user unique identifier), name, dept_id (department unique identifier) and id_card (identity card number);
a Dept department table is stored in Oracle and comprises 2 fields: id (department unique identifier) and name (department name);
an employee attendance log file is stored in the HDFS file system; its first field is the user unique identifier, its second field is the time of punching the card, and its third field indicates whether the punch is clocking in or clocking out.
In some embodiments, the data in the three data sources is mapped through the preset mapping rule:
the User table in the original MySQL is mapped, through the global logic database, into the logic table logic_mysql_user of the logic database;
the Dept table in the original Oracle is mapped, through the global logic database, into the logic table logic_oracle_dept of the logic database;
the log file in the original HDFS is mapped, through the global logic database, into the logic table logic_hdfs_log of the logic database;
the global logic database is used to store the logic tables obtained by mapping and the logic diagram constructed from the logic tables in the subsequent step; see logic_view_user in fig. 2.
And S120, generating a logic diagram based on the logic table and the business association relation.
In some embodiments, a logic diagram is generated based on the logic tables obtained in step S110 and the business association relationship between the tables. Referring to fig. 2, a cross-library logical view logic_view_user is generated from the tables obtained by mapping the three data sources, according to the business association relationship.
The business association relationship can be preset according to an application scene and comprises the association relationship among the physical storage systems.
S130, constructing a user authority table based on the logic table and the logic diagram, and performing unified access authorization on registered users based on the user authority table to realize unified authorization on different data storage systems.
In some embodiments, based on the logic table and the logic diagram obtained in step S120, a table-level authorization is performed on each registered user, so as to construct a user permission table.
Specifically, referring to fig. 3, a user (DBA, database administrator) is created, and the obtained logic tables are subjected to unified authorization; for example, the logic tables logic_mysql_user, logic_oracle_dept and logic_hdfs_log are authorized uniformly. In the present disclosure, when creating an authorization it is only necessary to follow a uniform, database-standard authorization manner (the insert/delete/update/select authority system), without knowing the authorization system of the physical database.
In some embodiments, to further increase the data protection capabilities of the data storage system, field level and row level authorizations may be added based on table level authorization for registered users.
The field-level authorization is used for realizing the improvement of the data protection capability of the physical storage system which does not support the field-level operation authority originally by authorizing the field level of the same logical table aiming at different users.
Specifically, referring to fig. 4, field operations such as select, update, insert and delete may be set as authorities and granted on fields to different users; different field permissions can be set on the same table for different users.
For example, for accessing user A, select authorization is granted on the id and name fields of the logic_mysql_user table;
when user A executes the statement select id, name, dept_id from logic_mysql_user, an error is prompted and access fails because dept_id is not authorized;
and for user B, select and update authorization is granted on the id, name and dept_id fields of the logic_mysql_user table.
When user B executes the update logic_mysql_user set name statement, success is returned.
The original multi-source heterogeneous databases such as MySQL, Oracle, HDFS and the like do not support field-level permissions; through this method, permission is promoted so that field-level permissions are supported, and data protection is thereby achieved.
Further, based on the associations provided by the logic diagram, the same field (the same data content) of different logic tables can be authorized at the same time, ensuring that the same user's authority on the same field is consistent across different types of data storage systems. For example, referring to fig. 3, for user A, the association relationship between the logic tables is obtained from the logic_view_user map, and when the id field in the logic_mysql_user table is authorized, the authorization on the id field in the logic_oracle_dept table and in logic_hdfs_log is obtained at the same time.
Further, referring to fig. 5, the field-level encryption algorithm is set as the authority, and field-level encryption algorithm authorization is performed according to different users; the encryption algorithm comprises md5 and/or user-defined functions (udf, preset character replacement rules, etc.), etc.; different users can see different data contents by configuring different field-level encryption rights, so that the data is protected;
for example, for the two users A and B, the id_card field is authorized with an encryption algorithm: for user A the id_card field is authorized as md5, and for user B the id_card field is authorized as udf. When user A and user B both execute the same SQL statement (select id_card from logic_view_user), the id_card returned to user A is the result of md5(id_card), and the id_card returned to user B is the result of udf(id_card).
Specifically:
for user A:
the id_card field is selected and set to query (select) authority, and the encryption algorithm authority of id_card is set to the function md5;
when user A enters the SQL statement "select id_card from logic_mysql_user" for database access, the SQL statement is replaced with "select md5(id_card) from logic_mysql_user".
For user B:
the id_card field is selected and set to query (select) authority, and the encryption algorithm authority of id_card is set to the function udf;
when user B enters the same SQL statement as user A, "select id_card from logic_mysql_user", for database access, the SQL statement is replaced with "select udf(id_card) from logic_mysql_user";
namely, the whole data field encryption authorization and SQL access process only needs to operate SQL statements, does not need to process the original data of the database, and can see different data contents by configuring different field level encryption authorities for different users A and B, thereby realizing the protection of data.
Further, referring to fig. 6, taking a where clause of the query SQL as a permission, and performing row-level data authorization according to different users;
for example, user A and user B are each authorized for row-level data: the row-level authorization of user A is set to "where dept_id = 'd1'" and the row-level authorization of user B is set to "where dept_id = 'd2'". When user A and user B execute the same SQL (select * from logic_mysql_user), the data seen by user A is the data of d1 and the data seen by user B is the data of d2.
Specifically, for user A:
the row-level authority dept_id = 'd1' is set;
when user A inputs the SQL statement "select * from logic_mysql_user" for database access, the SQL statement is replaced with "select * from logic_mysql_user where dept_id = 'd1'";
for user B:
the row-level authority dept_id = 'd2' is set;
when user B inputs the SQL statement "select * from logic_mysql_user" for database access, the SQL statement is replaced with "select * from logic_mysql_user where dept_id = 'd2'";
that is, the row-level authorization and the SQL access process only need to operate on SQL statements, do not need to process the original data of the database, and different row-level authorizations are configured for different users a and B, so that the data can be protected.
In summary, the method of the present disclosure can implement unified authorization for different data storage systems, and the authorization scope includes the whole library (the whole storage system), and the table, row and/or field in the storage system.
Meanwhile, the encryption protection of the data content is successfully realized through the non-intrusive mode on the basis of not changing the original use mode of the user and not modifying the data of the original physical storage system, and the development and maintenance cost is greatly reduced.
In some embodiments, referring to fig. 3, the authority of user A is granted on the database table logic_mysql_user and a user authority table is constructed, where the user authority table includes:
the operation authority on the logic_mysql_user table is query (select);
the operation authority on the field id is query (select);
the operation authority on the field name is query (select);
the operation authority on the field dept_id is query (select);
the operation authority on the field id_card is query (select);
the encryption algorithm authority on the field id_card is md5;
the row-level data authority is dept_id = 'd1'.
Fig. 7 shows a flowchart of an authentication method of a global mapping-based cross-multi-source heterogeneous data storage system, which corresponds to the global mapping-based unified authorization method of a cross-multi-source heterogeneous data storage system according to the embodiment of the present application, and as shown in fig. 7, the authentication method includes:
s710, acquiring an SQL query statement and simultaneously acquiring a user authority table corresponding to an access user; and calling the operation authority of the access user on a table in a data storage system and fields and rows in the table from the authority table.
In some embodiments, an SQL statement that accesses a data storage system is received and parsed to extract table, row, and/or field information in the SQL statement.
And simultaneously acquiring a user authority table corresponding to an access user, and calling the operation authority of the access user on a table in a data storage system and fields and/or rows in the table from the authority table.
S720, according to the operation authority of the access user to the table in the data storage system, the fields and the rows in the table and the SQL query statement, the authentication of the access user is completed.
In some embodiments, taking the SQL statement select id, name, dept_id, id_card from logic_mysql_user as an example, the logic_mysql_user table and the rows and fields in the table are accessed.
The table-level operation authority of the accessing user is verified from the table name (here logic_mysql_user) and the operation type (here select) in the SQL statement, against the operation authority of the accessing user on that table in the database;
if the verification passes, i.e. the user holds the select right on logic_mysql_user, the field-level operation authority of the accessing user is verified from the field information (field names and operation type) in the SQL statement, against the field operation authority of the accessing user on the data storage system table;
if the verification passes, i.e. the user holds the select authority on id_card for this operation type, the encryption algorithm with which the accessing user's content of each field is processed is looked up in the user authority table, and the field in the SQL statement is replaced by the encryption algorithm applied to it; taking user A as an example, the encryption authority of user A on the data field is verified, and if user A holds the md5 encryption authority on id_card, the id_card field in the SQL statement is replaced with md5(id_card);
it is judged whether the SQL statement contains a where clause; if not, there is no row-level conflict, so the row-level data authority of the accessing user is read from the user authority table and added to the SQL statement that has undergone field replacement; taking user A as an example, the row-level data authority of user A is read and dept_id = 'd1' is added to the query statement; if the statement already contains a where clause, nothing is added;
in conclusion, the generated rights-adjusted SQL statement is select id, name, dept_id, md5(id_card) from logic_mysql_user where dept_id = 'd1';
further, the database is accessed through the modified SQL statement, and the data content corresponding to the authority of the accessing user, (1, Zhang San, d1, 134567), is obtained.
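The field-level, encryption and row-level rewrites described above and the S720 check sequence, worked through as an added example in Python (not code from the patent or its applicant). The logic tables and the permission entries for users A, B and C are constructed here; user A's entry mirrors the authority table given for user A. Unlike step S720, which leaves a statement untouched when it already carries a where clause, the example ANDs the row-level grant with any user-supplied predicate, so the grant applies regardless of what the caller writes.

```python
import re

# Constructed logic tables (step S110): physical tables mapped one-to-one,
# field-to-field, as the description states. Column lists are taken from the
# User and Dept tables described for fig. 2.
LOGIC_TABLES = {
    "logic_mysql_user": ["id", "name", "dept_id", "id_card"],
    "logic_oracle_dept": ["id", "name"],
}

# Constructed user authority table (step S130). User A is the entry spelled
# out in the description (select on the table and all four fields, md5 on
# id_card, rows limited to dept_id = 'd1'). Users B and C are constructed to
# exercise the udf path and the field-denial path respectively.
PERMISSIONS = {
    "A": {"logic_mysql_user": {
        "table_ops": {"select"},
        "field_ops": {"id": {"select"}, "name": {"select"},
                      "dept_id": {"select"}, "id_card": {"select"}},
        "encrypt": {"id_card": "md5"},
        "row_filter": "dept_id = 'd1'",
    }},
    "B": {"logic_mysql_user": {
        "table_ops": {"select", "update"},
        "field_ops": {"id": {"select", "update"}, "name": {"select", "update"},
                      "dept_id": {"select", "update"}, "id_card": {"select"}},
        "encrypt": {"id_card": "udf"},
        "row_filter": "dept_id = 'd2'",
    }},
    "C": {"logic_mysql_user": {
        "table_ops": {"select"},
        "field_ops": {"id": {"select"}, "name": {"select"}},
        "encrypt": {},
        "row_filter": None,
    }},
}

# Only the simple SELECT shape used in the description is parsed here.
SELECT_RE = re.compile(
    r"^\s*select\s+(?P<cols>.+?)\s+from\s+(?P<table>\w+)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL)


class AuthzError(Exception):
    """Raised when a statement is denied or cannot be checked."""


def parse_select(sql):
    """Split a simple SELECT into (columns, table, where predicate or None)."""
    m = SELECT_RE.match(sql)
    if m is None:
        raise AuthzError("only simple SELECT statements are handled here")
    cols = [c.strip() for c in m.group("cols").split(",")]
    return cols, m.group("table"), m.group("where")


def authorize(user, sql):
    """Step S720: check table, field and row grants; return the rewritten SQL."""
    cols, table, where = parse_select(sql)
    if table not in LOGIC_TABLES:
        raise AuthzError(f"unknown logic table {table}")
    grants = PERMISSIONS.get(user, {}).get(table)
    # Table-level check: the user needs select on this logic table.
    if grants is None or "select" not in grants["table_ops"]:
        raise AuthzError(f"user {user} has no select right on {table}")
    # '*' stands for every column of the logic table; each one is checked.
    if cols == ["*"]:
        cols = list(LOGIC_TABLES[table])
    # Field-level check: every referenced column needs select, else deny
    # (the dept_id case for a user without that grant in the description).
    for col in cols:
        if col not in LOGIC_TABLES[table]:
            raise AuthzError(f"unknown field {col} in {table}")
        if "select" not in grants["field_ops"].get(col, set()):
            raise AuthzError(f"user {user} has no select right on {table}.{col}")
    # Field-level encryption: replace the bare field by the granted function.
    rewritten = [f"{grants['encrypt'][c]}({c})" if c in grants["encrypt"] else c
                 for c in cols]
    out = f"select {', '.join(rewritten)} from {table}"
    # Row-level grant: ANDed with any caller-supplied predicate so that the
    # caller's own where clause can never stand in for the grant.
    row_filter = grants["row_filter"]
    if where and row_filter:
        out += f" where ({where.strip()}) and ({row_filter})"
    elif where:
        out += f" where {where.strip()}"
    elif row_filter:
        out += f" where {row_filter}"
    return out


def denied(user, sql):
    """Return True when authorize() rejects the statement."""
    try:
        authorize(user, sql)
    except AuthzError:
        return True
    return False
```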
According to the embodiment of the disclosure, the following technical effects are achieved:
By the unified authorization method, one user can access several physical storage systems at the same time, the work of distributing authority is simplified, and an authority system can be added to a data storage system that does not support one (such as HDFS); that is, the data protection capability of a data storage system without authority support is enhanced.
Meanwhile, the authority management promotion of the data storage system can be completed without modifying the configuration of any physical storage system and adding any new equipment, namely, the field and row level management authority is added to the physical storage system which does not support the field and row level authority.
By the authorization mechanism, different users can return different data contents according to different field-level encryption authorities when inquiring the same field of the same table, so that the aim of data protection is fulfilled.
A large amount of management cost of database management workers is saved, and the use difficulty of the multi-source heterogeneous data storage system is greatly reduced. By means of an extensible field-level encryption authority protection mechanism, the real-time encryption requirement of actual services on variable data protection is met.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are exemplary embodiments and that the acts and modules referred to are not necessarily required in this application.
Fig. 8 shows a schematic structural diagram of a terminal device or a server suitable for implementing the embodiments of the present application.
As shown in fig. 8, the terminal device or server 800 includes a Central Processing Unit (CPU)801 which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The CPU 801, ROM802, and RAM 803 are connected to each other via a bus 804. An input/output (I/O) interface 805 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, a mouse, and the like; an output section 807 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD) and a speaker; a storage portion 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that a computer program read out therefrom is installed on the storage section 808 as necessary.
In particular, the above method flow steps may be implemented as a computer software program according to embodiments of the present application. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a machine-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program performs the above-described functions defined in the system of the present application when executed by the Central Processing Unit (CPU) 801.
It should be noted that the computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units or modules described in the embodiments of the present application may be implemented by software or hardware. The described units or modules may also be provided in a processor. The name of a unit or module does not in itself constitute a limitation of the unit or module.
As another aspect, the present application also provides a computer-readable storage medium, which may be included in the electronic device described in the above embodiments; or may be separate and not incorporated into the electronic device. The computer readable storage medium stores one or more programs that, when executed by one or more processors, perform the methods described herein.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the application referred to in the present application is not limited to the embodiments with a particular combination of the above-mentioned features, but also encompasses other embodiments with any combination of the above-mentioned features or their equivalents without departing from the spirit of the application. For example, the above features may be replaced with (but not limited to) features having similar functions as those described in this application.

Claims (10)

1. A global mapping-based unified authorization method for a cross-multi-source heterogeneous data storage system is characterized by comprising the following steps:
mapping different types of data storage systems based on a preset mapping rule to generate a logic table;
generating a logic diagram based on the logic table and the business association relation;
and constructing a user authority table based on the logic table and the logic diagram, and performing unified access authorization on registered users based on the user authority table to realize unified authorization on different data storage systems.
2. The method according to claim 1, wherein the mapping different types of data storage systems based on the preset mapping rule, and generating the logical table comprises:
the preset mapping rules are from a single table to a single table and from a field to a field;
mapping different types of data storage systems based on a preset mapping rule to respectively obtain a logic table corresponding to a table in each type of data storage system; the data storage system includes a physical storage system that does not support table level, field level, and row level permissions.
3. The method of claim 1, wherein constructing a user permission table based on the logic table and logic diagram comprises:
and respectively performing table-level, field-level and row-level authorization on each registered user based on the logic table and the logic diagram, and constructing a user authority table.
4. The method of claim 3, wherein performing table-level, field-level, and row-level authorization for each registered user separately, and wherein constructing the user permission table comprises:
setting the addition, deletion, modification and query authorities of each user for the data storage system tables and for the rows and fields in the tables;
and constructing a user authority table based on the addition, deletion, modification and query authorities.
5. The method of claim 4, wherein performing table-level, field-level, and row-level authorization for each registered user separately, and wherein constructing the user permission table further comprises:
setting, for different registered users, the encryption algorithm authority for encrypting the same field in the same data storage system table with different preset encryption algorithms;
and authorizing rows in the data storage system tables through the where clause of SQL.
6. The method of claim 1, wherein the performing unified access authorization for registered users based on the logic table and logic diagram further comprises:
and based on the association relation of the services, performing unified authorization on the same fields in different logic tables.
7. An authentication method of a cross-multi-source heterogeneous data storage system based on global mapping is characterized by comprising the following steps:
acquiring an SQL query statement and simultaneously acquiring a user authority table corresponding to an access user; calling the operation authority of the access user on a table in a data storage system and fields and rows in the table from the authority table;
and finishing the authentication of the access user according to the operation authority of the access user on the table in the data storage system, the fields and the rows in the table and the SQL query statement.
8. The method of claim 7, wherein the completing authentication of the access user according to the operation authority of the access user on the table in the data storage system and the fields and rows in the table and the SQL query statement comprises:
and determining whether the access user has the access right according to the operation right of the access user to the table in the data storage system, the field and the row in the table and the SQL query statement, if so, modifying the SQL query based on the operation right of the access user to the table in the data storage system and the field and the row in the table, and finishing the access to the data storage system through the modified SQL statement.
9. An electronic device comprising a memory and a processor, the memory having a computer program stored thereon, wherein the processor, when executing the computer program, implements the method of any of claims 1-8.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1 to 8.
CN202210424460.1A 2022-04-22 2022-04-22 Unified authentication/authorization method, equipment and storage medium for cross-multi-source heterogeneous storage system Pending CN114706857A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210424460.1A CN114706857A (en) 2022-04-22 2022-04-22 Unified authentication/authorization method, equipment and storage medium for cross-multi-source heterogeneous storage system

Publications (1)

Publication Number Publication Date
CN114706857A true CN114706857A (en) 2022-07-05

Family

ID=82173752

Country Status (1)

Country Link
CN (1) CN114706857A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060137019A1 (en) * 2004-12-15 2006-06-22 International Business Machines Corporation Techniques for managing access to physical data via a data abstraction model
CN104462559A (en) * 2014-12-25 2015-03-25 广东电子工业研究院有限公司 Mainstream relation type database table mode objectification and virtualization mechanism
CN109802832A (en) * 2017-11-17 2019-05-24 中国移动通信集团公司 A kind of processing method of data file, system, big data processing server and computer storage medium
CN110909386A (en) * 2019-11-21 2020-03-24 福建南威软件有限公司 Unified authorization access method and system for multiple data sources
CN113536334A (en) * 2021-06-09 2021-10-22 佛山市青松科技股份有限公司 Authorization checking method, module and system
CN114065296A (en) * 2021-12-16 2022-02-18 深圳壹账通智能科技有限公司 Authority control method and device based on interceptor, computer equipment and medium
CN114372276A (en) * 2021-12-14 2022-04-19 闪捷信息科技有限公司 Data security protection method and device, electronic equipment and storage medium
CN114756577A (en) * 2022-03-25 2022-07-15 北京友友天宇系统技术有限公司 Processing method of multi-source heterogeneous data, computer equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Bai Chuang: "Research and Verification of PUF Technology for Secure Key Generation", 28 February 2019 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117171108A (en) * 2023-11-02 2023-12-05 北京友友天宇系统技术有限公司 Virtual model mapping method and system
CN117171108B (en) * 2023-11-02 2024-02-13 北京友友天宇系统技术有限公司 Virtual model mapping method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination