CN114780300A - Backup system authority management method and system based on resource layering - Google Patents

Info

Publication number
CN114780300A
Authority
CN
China
Prior art keywords
resource
node
hierarchical structure
backup system
virtual group
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210694316.XA
Other languages
Chinese (zh)
Other versions
CN114780300B (en)
Inventor
郭树岗
桂巍
马勤彰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Ecloud Technology Co ltd
Original Assignee
Nanjing Ecloud Technology Co ltd
Application filed by Nanjing Ecloud Technology Co ltd
Priority to CN202210694316.XA
Publication of CN114780300A
Application granted
Publication of CN114780300B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1448 Management of the data involved in backup or backup restore
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a backup system authority management method and system based on resource layering, and relates to the technical field of backup system management. The method comprises the following steps: acquiring and layering resources of a backup system, and constructing an initial resource hierarchical structure; acquiring and adding virtual group nodes in a corresponding initial resource hierarchical structure according to service requirements, and aggregating resource instances through each virtual group node according to service specifications in the service requirements to obtain a target resource hierarchical structure; and acquiring and judging whether the corresponding resources are authorized to the corresponding users in the corresponding virtual group nodes based on the target resource hierarchical structure or the corresponding nodes based on the initial resource hierarchical structure according to the authorization requirement of the backup system, thereby completing authority management. The invention carries out layering on the resources of the system, and realizes fine-grained and flexible authority control in the backup system by utilizing the hierarchical relation of the layered resources and combining the authority control based on roles.

Description

Backup system authority management method and system based on resource layering
Technical Field
The invention relates to the technical field of backup system management, in particular to a backup system authority management method and system based on resource layering.
Background
In a backup system, users want to isolate system resources between different tenants or user groups (sets of multiple users). The isolation can be logical, for example different user groups share the same storage resource but each can only see and use its own data, or physical, for example different user groups use different storage resources. Which form of isolation is used depends on the user's specific service requirements.
Current backup systems (including CDM backup systems) generally have different built-in roles, and these roles are bound to fixed ranges of resources; when a user is granted a role, the user is thereby authorized on that fixed range of resources. However, this design has some disadvantages: the granularity of authority management is coarse, and the range of resources is fixed when the role is defined and cannot be changed, so flexibility is lacking.
Disclosure of Invention
In order to overcome the above problems or at least partially solve the above problems, embodiments of the present invention provide a method and a system for managing permissions of a backup system based on resource layering, which are used to layer resources of the system, and implement fine-grained and flexible permission management and control in the backup system by using hierarchical relationships of the layered resources in combination with role-based permission control.
The embodiment of the invention is realized by the following steps:
in a first aspect, an embodiment of the present invention provides a backup system authority management method based on resource layering, which is characterized by including the following steps:
acquiring and layering resources of a backup system, and constructing an initial resource hierarchical structure;
acquiring and adding virtual group nodes in a corresponding initial resource hierarchical structure according to service requirements, and aggregating resource instances through each virtual group node according to service specifications in the service requirements to obtain a target resource hierarchical structure;
and acquiring and judging whether the corresponding resources are authorized to the corresponding users in the corresponding virtual group nodes based on the target resource hierarchical structure or the corresponding nodes based on the initial resource hierarchical structure according to the authorization requirement of the backup system, thereby completing authority management.
In some embodiments of the invention based on the first aspect, the initial resource hierarchy includes a parent node and a plurality of child nodes, and a tree structure is generated based on the parent node and the plurality of child nodes.
Based on the first aspect, in some embodiments of the present invention, the method for acquiring and adding virtual group nodes in a corresponding initial resource hierarchy according to a service requirement, and aggregating resource instances by each virtual group node according to a service specification in the service requirement includes the following steps:
acquiring and inserting a virtual group node between a corresponding parent node and a corresponding child node according to a service requirement;
and aggregating the resource instances of each child node through the virtual group node according to the service specification in the service requirement.
Based on the first aspect, in some embodiments of the present invention, the method for obtaining and determining whether to authorize a corresponding resource to a corresponding user in a corresponding virtual group node based on a target resource hierarchy structure or in a corresponding node based on an initial resource hierarchy structure according to an authorization requirement of a backup system includes the following steps:
A1. According to the authorization requirement of the backup system, determine whether the user has an authorization on the corresponding virtual group node (based on the target resource hierarchical structure) or on the corresponding node (based on the initial resource hierarchical structure). If so, return all the permissions of the user on the resource instance, grant them to the user, and end; if not, go to step A2;
A2. Determine whether the user has an authorization on the parent node of the corresponding resource. If so, return all the permissions of the user on the resource instance, grant them to the user, and end; if not, go to step A3;
A3. Determine whether that parent node is the root node of the resource hierarchy. If so, go to step A4; if not, take that parent node as the resource node and return to step A2;
A4. Determine whether all user groups to which the user belongs have an authorization on the resource instance. If so, return all the permissions of the user on the resource instance, grant them to the user, and end; if not, go to step A5;
A5. Determine whether all user groups to which the user belongs have an authorization on the parent node of the resource. If so, return all the permissions of the user on the resource instance, grant them to the user, and end; if not, go to step A6;
A6. Determine whether the parent node is the root node of the resource hierarchy. If so, return "no permission" and end; if not, take that parent node as the resource node and return to step A5.
Based on the first aspect, in some embodiments of the present invention, the method for managing rights of a backup system based on resource layering further includes the following steps:
and caching the judgment result to obtain a cache list.
Based on the first aspect, in some embodiments of the present invention, the method for managing rights of a backup system based on resource hierarchy further includes the following steps:
and monitoring the adding, updating and deleting operations of resources and authorization, and updating the cache list.
Based on the first aspect, in some embodiments of the present invention, the method for managing rights of a backup system based on resource layering further includes the following steps:
and nesting the corresponding virtual group nodes according to the service requirements.
In a second aspect, an embodiment of the present invention provides a backup system authority management system based on resource layering, including a hierarchical structure entry module, a virtual group addition module, and an authority management module, where:
the hierarchical structure input module is used for acquiring and layering resources of the backup system and constructing an initial resource hierarchical structure;
the virtual group adding module is used for acquiring and adding virtual group nodes in the corresponding initial resource hierarchical structure according to the service requirements, and aggregating resource instances through each virtual group node according to the service specifications in the service requirements to obtain a target resource hierarchical structure;
and the authority management module is used for acquiring and judging whether the corresponding resources are authorized to the corresponding users in the corresponding virtual group nodes based on the target resource hierarchical structure or the corresponding nodes based on the initial resource hierarchical structure according to the authorization requirement of the backup system, so as to complete authority management.
In order to solve the technical problems that the granularity of resource authority management of a backup system is coarse, the range of resources is limited at the beginning of role definition, the resources cannot be changed and the flexibility is poor in the prior art, the system inserts virtual group nodes among parent and child nodes in a resource layer structure through the cooperation of a plurality of modules such as a hierarchical structure recording module, a virtual group adding module, an authority management module and the like and the combination of the existing resource layer structure in a CDM backup system, and each group node aggregates the instances of the child nodes according to a certain service specification, so that each service scene can be changed into a mode that a user authorizes the instances of the virtual group nodes. The invention carries out resource layering on the backup system and applies the backup system to the authority management of the backup system, and refines and provides the rule of the authority propagation and coverage in the resource layering, so that the system can complete the authority management requirements of different granularities of a client through proper authority configuration.
In a third aspect, an embodiment of the present application provides an electronic device, which includes a memory for storing one or more programs, and a processor. The one or more programs, when executed by the processor, implement the method of any of the first aspects as described above.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the method according to any one of the first aspect described above.
The embodiment of the invention at least has the following advantages or beneficial effects:
the embodiment of the invention provides a backup system authority management method and a backup system authority management system based on resource layering, which solve the technical problems that the granularity of resource authority management for a backup system in the prior art is coarse, the range of resources is limited at the beginning of role definition, the resources can not be changed and the flexibility is poor. The invention carries out resource layering on the backup system and applies the backup system to the authority management of the backup system, and refines and provides a rule for the transmission and coverage of the authority in the resource layering, so that the system can complete the authority management requirements of different granularities of a client through proper authority configuration. The method has fine granularity and flexibility, meets various authority management requirements of CDM backup system customers, can meet the requirements of most customers by carrying out proper authority configuration, thereby obviously reducing the requirements of customization and development and making the CDM backup system delivered in a standard product mode possible.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
FIG. 1 is a flowchart of a backup system authority management method based on resource hierarchy according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a resource hierarchy in an embodiment of the present invention;
FIG. 3 is a diagram illustrating a hierarchy of target resources in an embodiment of the present invention;
FIG. 4 is a schematic flowchart of authorization determination in a backup system authority management method based on resource layering according to an embodiment of the present invention;
FIG. 5 is a schematic block diagram of a backup system privilege management system based on resource hierarchy according to an embodiment of the present invention;
FIG. 6 is a block diagram of an electronic device according to an embodiment of the present invention.
Description of the reference numerals: 100. a hierarchical structure entry module; 200. a virtual group addition module; 300. a rights management module; 101. a memory; 102. a processor; 103. a communication interface.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
Embodiment:
As shown in FIG. 1 to FIG. 4, in a first aspect, an embodiment of the present invention provides a backup system authority management method based on resource layering, which is characterized by including the following steps:
S1. Obtaining and layering the resources of the backup system, and constructing an initial resource hierarchical structure; the initial resource hierarchy includes a parent node and a plurality of child nodes, and a tree structure is generated based on the nesting of the parent node and the plurality of child nodes.
In some embodiments of the present invention, all of the hosted entities in a CDM backup system and the objects defined in the system may be collectively referred to as resources. The hierarchy of resources reflects the aggregation and dependency relationships between resources. FIG. 2 shows the hierarchical structure of part of the resources in a CDM backup system. Each CDM backup system corresponds to one data center, and the resources under the data center are layered in sequence. The backup and replication policies in FIG. 2 are defined on the data center, meaning that they are subordinate to the data center and their scope of action is the entire data center. Likewise, a client is subordinate to the data center, such as a VMware vSphere client; a data object is subordinate to a client, such as a virtual machine under a VMware vSphere client; a backup object is subordinate to a data object, such as a backup generated after the virtual machine is backed up through the CDM backup system; and a mount point object is subordinate to a backup object, for example, a mount point object generated after a mount is performed using the virtual machine backup object.
From the above examples and definitions it is readily apparent that the hierarchy has the following properties:
1. CDM backup systems form a resource level tree starting from the topmost data center.
2. Each node in the tree is an aggregation of resources of that type, which may be one to many.
3. There is a one-to-many relationship between the two instances of the resource node from top to bottom in the hierarchical tree, for example, there may be one to many backup object instances for a specific data object instance.
The above attributes make each hierarchical node a natural aggregation node for its descendant nodes: once a user has been granted, on a specific instance of a node, permissions over its descendant nodes, the user holds the corresponding permissions on all of those descendant nodes. In this way, permissions propagate naturally from parent nodes to child nodes in the resource hierarchy.
S2. Acquiring and adding virtual group nodes in the corresponding initial resource hierarchical structure according to the service requirements, and aggregating resource instances through each virtual group node according to the service specifications in the service requirements to obtain a target resource hierarchical structure; the virtual group nodes are dynamically added by a user through a console interface of the system, and the virtual group nodes differ from service to service.
Further, acquiring and inserting a virtual group node between the corresponding parent node and the corresponding child node according to the service requirement; and aggregating the resource instances of each child node through the virtual group node according to the service specification in the service requirement.
In some embodiments of the present invention, an existing resource hierarchy completes aggregation of resources on a parent node, but the granularity of this aggregation is inconvenient in some service scenarios. For example, a backup policy in a data center is strongly related to a data object type: some backup policies can only back up an Oracle database, and some can only back up a vSphere virtual machine. If a user wishes to authorize only the policies that back up an Oracle database to a certain user, it is obviously inappropriate to perform the authorization operation on the data center. Under the existing resource hierarchy model, that user must be individually granted each policy that backs up the Oracle database. Although this still meets the user's needs, the user experience is poor and maintenance can be a problem.
For the problem, the invention combines the existing resource layer structure, inserts virtual group nodes between the parent and child nodes, and each group node aggregates the sub-node instances according to a certain service specification, so that the service scene can be changed into the situation that the user authorizes on a certain virtual group node instance. The resource hierarchy containing the virtual group nodes is shown in fig. 3.
S3. Acquiring and judging whether to authorize the corresponding resource to the corresponding user in the corresponding virtual group node based on the target resource hierarchy structure or in the corresponding node based on the initial resource hierarchy structure according to the authorization requirement of the backup system, and completing the authority management.
Further, as shown in fig. 4, the method includes:
A1. According to the authorization requirement of the backup system, determine whether the user has an authorization on the corresponding virtual group node (based on the target resource hierarchical structure) or on the corresponding node (based on the initial resource hierarchical structure). If so, return all the permissions of the user on the resource instance, grant them to the user, and end; if not, go to step A2;
A2. Determine whether the user has an authorization on the parent node of the corresponding resource. If so, return all the permissions of the user on the resource instance, grant them to the user, and end; if not, go to step A3;
A3. Determine whether that parent node is the root node of the resource hierarchy. If so, go to step A4; if not, take that parent node as the resource node and return to step A2;
A4. Determine whether all user groups to which the user belongs have an authorization on the resource instance. If so, return all the permissions of the user on the resource instance, grant them to the user, and end; if not, go to step A5;
A5. Determine whether all user groups to which the user belongs have an authorization on the parent node of the resource. If so, return all the permissions of the user on the resource instance, grant them to the user, and end; if not, go to step A6;
A6. Determine whether the parent node is the root node of the resource hierarchy. If so, return "no permission" and end; if not, take that parent node as the resource node and return to step A5.
In some embodiments of the present invention, when a CDM backup system needs to determine whether a resource is authorized to a certain user, the above steps are performed in sequence. In this process, the permission propagation and coverage (override) rules are as follows:
1. All resources in a CDM backup system form a hierarchy in which permissions are propagated from parent nodes to child nodes.
2. Override between parent and child nodes. If the permissions in the role granted to a particular user at the parent node are not as expected, an authorization operation can be performed at the child node, and it overrides the part of the parent node's authorization that relates to the child node's permissions. That is, an authorization of the same user or user group on a child object overrides the permissions propagated to that child object by the authorization on the parent object.
3. Override between users and user groups. If the user also belongs to a user group, then on the same object the authorization given to the user overrides the permissions given to the user group to which the user belongs.
In order to solve the technical problems that the granularity of resource authority management aiming at a backup system is coarse, the range of resources is limited at the beginning of role definition, the resources cannot be changed and the flexibility is lacked in the prior art, the method combines the existing resource layer structure in the CDM backup system, virtual group nodes are inserted between parent-child nodes in the resource layer structure, and each group node aggregates the instances of the child nodes according to a certain service specification, so that each service scene can be changed into a user to authorize on a certain virtual group node instance. The invention carries out resource layering on the backup system and applies the backup system to the authority management of the backup system, and refines and provides the rule of the authority propagation and coverage in the resource layering, so that the system can complete the authority management requirements of different granularities of a client through proper authority configuration. The method has fine granularity and flexibility, meets various authority management requirements of CDM backup system customers, can meet the requirements of most customers by carrying out proper authority configuration, thereby obviously reducing the requirements of customized development and making the CDM backup system delivered in a standard product mode possible.
Based on the first aspect, in some embodiments of the present invention, the method for managing rights of a backup system based on resource layering further includes the following steps:
and caching the judgment result to obtain a cache list.
Since the permission judgment for each resource has to go through the above judgment process, the judgment result may be cached in an actual system architecture to speed up the judgment; for example, in a common Spring framework, the judgment result may be cached in Redis.
Based on the first aspect, in some embodiments of the present invention, the method for managing rights of a backup system based on resource hierarchy further includes the following steps:
and monitoring the addition, update and deletion operations of resources and authorization, and updating the cache list.
After a resource is added, it is necessary to determine, according to the current authorization information, which users or user groups have which permissions on the resource, and to store the determination results in the cache. When a resource is deleted, the cached authorization information corresponding to the resource needs to be deleted. When an authorization is updated, the originally cached content is deleted and the judgment is then recalculated according to the new authorization, so that the content in the cache list is updated.
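The A1 to A6 judgment flow and the cache maintenance described above can be exercised together in the following added example, which is not code from the patent. It assumes an in-memory dict in place of Redis, permissions modeled as sets of strings rather than roles, constructed node, user and group names, lazy recomputation after invalidation instead of eager recomputation, and that A4/A5 return the union of the grants held by the user's groups at the nearest node where any of them has one.

```python
from typing import Dict, FrozenSet, Iterable, Iterator, Optional, Set, Tuple

NO_PERMISSION: FrozenSet[str] = frozenset()
Key = Tuple[str, str]  # (user or group name, node name)


class ResourceTree:
    """Resource hierarchy with grants and a cache of resolved permissions."""

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}
        self.user_grants: Dict[Key, FrozenSet[str]] = {}
        self.group_grants: Dict[Key, FrozenSet[str]] = {}
        self.groups_of: Dict[str, Set[str]] = {}
        self.cache: Dict[Key, FrozenSet[str]] = {}  # stands in for Redis
        self.cache_misses = 0

    def add_node(self, node: str, parent: Optional[str] = None) -> None:
        self.parent[node] = parent

    def insert_virtual_group(self, group: str, parent: str,
                             children: Iterable[str]) -> None:
        """Step S2: place a virtual group node between a parent and children."""
        self.parent[group] = parent
        for child in children:
            if self.parent.get(child) != parent:
                raise ValueError(f"{child} is not a child of {parent}")
            self.parent[child] = group
            self._invalidate_subtree(child)  # inherited grants may change

    def _chain(self, node: str) -> Iterator[str]:
        """Yield the node, then every ancestor up to the hierarchy root."""
        current: Optional[str] = node
        while current is not None:
            yield current
            current = self.parent[current]

    def _is_under(self, node: str, root: str) -> bool:
        return node in self.parent and root in self._chain(node)

    def _invalidate_subtree(self, root: str) -> None:
        # Grants propagate downwards, so a change at `root` can alter the
        # result for every descendant; evicting only `root` would leave
        # stale (possibly revoked) permissions in the cache.
        for key in [k for k in self.cache if self._is_under(k[1], root)]:
            del self.cache[key]

    def _set(self, table: Dict[Key, FrozenSet[str]], key: Key,
             perms: Optional[Iterable[str]]) -> None:
        if perms is None:          # None removes the grant entirely
            table.pop(key, None)
        else:                      # an empty set is an explicit override
            table[key] = frozenset(perms)
        self._invalidate_subtree(key[1])

    def set_user_grant(self, user: str, node: str,
                       perms: Optional[Iterable[str]]) -> None:
        self._set(self.user_grants, (user, node), perms)

    def set_group_grant(self, group: str, node: str,
                        perms: Optional[Iterable[str]]) -> None:
        self._set(self.group_grants, (group, node), perms)

    def delete_node(self, node: str) -> None:
        doomed = {n for n in self.parent if self._is_under(n, node)}
        self._invalidate_subtree(node)  # must run while parents still exist
        for n in doomed:
            del self.parent[n]
        for table in (self.user_grants, self.group_grants):
            for key in [k for k in table if k[1] in doomed]:
                del table[key]

    def resolve(self, user: str, node: str) -> FrozenSet[str]:
        if node not in self.parent:
            return NO_PERMISSION
        key = (user, node)
        if key in self.cache:
            return self.cache[key]
        self.cache_misses += 1
        result = NO_PERMISSION
        for n in self._chain(node):            # A1-A3: user grants, bottom-up
            if (user, n) in self.user_grants:
                result = self.user_grants[(user, n)]
                break
        else:
            groups = sorted(self.groups_of.get(user, ()))
            for n in self._chain(node):        # A4-A6: group grants, bottom-up
                found = [self.group_grants[(g, n)] for g in groups
                         if (g, n) in self.group_grants]
                if found:
                    result = frozenset().union(*found)
                    break
        self.cache[key] = result
        return result


def build_demo() -> ResourceTree:
    """Constructed sample: backup policies under one data center."""
    t = ResourceTree()
    t.add_node("datacenter")
    for p in ("policy_oracle_daily", "policy_oracle_weekly", "policy_vsphere_daily"):
        t.add_node(p, "datacenter")
    t.insert_virtual_group("vg_oracle_policies", "datacenter",
                           ["policy_oracle_daily", "policy_oracle_weekly"])
    t.groups_of["alice"] = {"dba_team"}
    t.set_group_grant("dba_team", "datacenter", {"view"})
    t.set_user_grant("alice", "vg_oracle_policies", {"view", "run_backup"})
    return t
```

Because the user pass (A1 to A3) runs to the root before any group is consulted, a user grant on an ancestor takes precedence over a group grant placed directly on the resource.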
Based on the first aspect, in some embodiments of the present invention, the method for managing rights of a backup system based on resource layering further includes the following steps:
and nesting the corresponding virtual group nodes according to the service requirement.
The virtual group nodes may be nested. Whether to add a virtual group and whether to support nesting can be flexibly determined according to business requirements, and then the authority management effect is better realized.
As shown in fig. 5, in a second aspect, an embodiment of the present invention provides a backup system authority management system based on resource hierarchy, including a hierarchical structure entry module 100, a virtual group addition module 200, and an authority management module 300, where:
a hierarchical structure entry module 100, configured to acquire and layer resources of a backup system, and construct an initial resource hierarchical structure;
a virtual group adding module 200, configured to obtain and add virtual group nodes in a corresponding initial resource hierarchy according to a service requirement, and aggregate resource instances through each virtual group node according to a service specification in the service requirement, to obtain a target resource hierarchy;
the authority management module 300 is configured to obtain and determine whether to authorize the corresponding resource to the corresponding user in the corresponding virtual group node based on the target resource hierarchy structure or in the corresponding node based on the initial resource hierarchy structure according to the authorization requirement of the backup system, thereby completing authority management.
The prior art manages resource permissions for a backup system at a coarse granularity: the range of resources is fixed when a role is defined and cannot be changed afterwards, so flexibility is poor. To solve these technical problems, the system, through the cooperation of the hierarchical structure entry module 100, the virtual group addition module 200, the authority management module 300 and other modules, builds on the existing resource hierarchy of a CDM backup system and inserts virtual group nodes between parent and child nodes of that hierarchy. Each group node aggregates instances of the child nodes according to a given service specification, so that every service scenario reduces to authorizing a user on a particular virtual group node instance. The invention layers the resources of the backup system, applies the layering to the authority management of the backup system, and refines and provides rules for the propagation and overriding of permissions within the resource hierarchy, so that the system can meet a client's authority management requirements at different granularities through suitable permission configuration.
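An added Python sketch, not code from the patent, of the lookup order recited in steps A1 to A6 of claim 4 together with the cache maintenance and nested virtual groups described above. The class names, node names and sample hierarchy are constructed for illustration; the sketch assumes that a grant on a nearer node overrides inherited ones and that the permissions of a user's groups are merged at each level.

```python
class Node:
    """A resource or virtual group node; node names are assumed unique."""
    def __init__(self, name, parent=None, virtual=False):
        self.name, self.parent, self.virtual = name, parent, virtual

class Authorizer:
    def __init__(self, groups=None):
        self.grants = {}  # (user or group, node name) -> set of permissions
        self.groups = dict(groups or {})  # user -> set of user group names
        self.cache = {}   # (user, node name) -> frozenset, the "cache list"

    def set_grant(self, principal, node, perms):
        """Replace the grant on a node; an empty perms revokes it."""
        self.grants[(principal, node.name)] = set(perms)
        self.cache.clear()  # authorization updated: recompute on next lookup

    def insert_virtual_group(self, name, parent, children):
        """Insert a virtual group node between parent and the given children."""
        group = Node(name, parent, virtual=True)
        for child in children:
            child.parent = group
        self.cache.clear()  # assumption: regrouping changes inheritance paths
        return group

    def delete_resource(self, node):
        """Drop grants and cached results of a deleted leaf resource."""
        for store in (self.grants, self.cache):
            for key in [k for k in store if k[1] == node.name]:
                del store[key]

    def _nearest(self, principals, node):
        """Walk node -> root and return the first non-empty grant found."""
        while node is not None:
            here = [self.grants.get((p, node.name), set()) for p in principals]
            found = frozenset().union(*here)
            if found:
                return found
            node = node.parent
        return frozenset()

    def resolve(self, user, node):
        key = (user, node.name)
        if key not in self.cache:
            perms = self._nearest([user], node)  # A1-A3: the user's own grants
            if not perms:                        # A4-A6: the user's groups
                perms = self._nearest(self.groups.get(user, ()), node)
            self.cache[key] = perms              # empty set means no authority
        return self.cache[key]

def build_example():
    """Constructed sample hierarchy: root -> host -> three databases."""
    root = Node("backup-system")
    host = Node("host-01", root)
    dbs = {n: Node(n, host) for n in ("db-hr", "db-pay", "db-test")}
    az = Authorizer(groups={"alice": {"dba"}})
    az.set_grant("dba", root, {"view"})
    finance = az.insert_virtual_group("vg-finance", host, [dbs["db-hr"], dbs["db-pay"]])
    az.set_grant("alice", finance, {"backup", "restore"})
    return az, root, finance, dbs
```

Because the user-level walk runs to the root before any user group is consulted, a user grant on a distant ancestor outranks a group grant on the resource itself, which is worth checking when reviewing effective permissions.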
In a third aspect, as shown in fig. 6, an embodiment of the present application provides an electronic device, which includes a memory 101 for storing one or more programs, and a processor 102. The one or more programs, when executed by the processor 102, implement the method of any of the first aspect as described above.
Also included is a communication interface 103, and the memory 101, processor 102 and communication interface 103 are electrically connected to each other, directly or indirectly, to enable transfer or interaction of data. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 101 may be used to store software programs and modules, and the processor 102 executes various functional applications and data processing by executing the software programs and modules stored in the memory 101. The communication interface 103 may be used for communicating signaling or data with other node devices.
The memory 101 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 102 may be an integrated circuit chip having signal processing capabilities. The processor 102 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In the embodiments provided in the present application, it should be understood that the disclosed method and system may be implemented in other ways. The method and system embodiments described above are merely illustrative; for example, the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods, systems and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist alone, or two or more modules may be integrated to form an independent part.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by the processor 102, implements the method as in any one of the first aspect described above. The functions may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solutions of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and various other media capable of storing program code.
The present invention has been described in terms of the preferred embodiment, and it is not intended to be limited to the embodiment. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
It will be evident to those skilled in the art that the application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (10)

1. A backup system authority management method based on resource layering is characterized by comprising the following steps:
acquiring and layering resources of a backup system, and constructing an initial resource hierarchical structure;
acquiring and adding virtual group nodes in a corresponding initial resource hierarchical structure according to service requirements, and aggregating resource instances through each virtual group node according to service specifications in the service requirements to obtain a target resource hierarchical structure;
and acquiring and judging whether to authorize the corresponding resource to the corresponding user in the corresponding virtual group node based on the target resource hierarchical structure or in the corresponding node based on the initial resource hierarchical structure according to the authorization requirement of the backup system, and acquiring and finishing authority management according to the judgment result.
2. The method of claim 1, wherein the initial resource hierarchy comprises a parent node and a plurality of child nodes, and wherein a tree structure is generated based on the parent node and the plurality of child nodes.
3. The method for managing the authority of the backup system based on the resource layering as claimed in claim 2, wherein the method for acquiring and adding the virtual group nodes in the corresponding initial resource hierarchical structure according to the service requirements and aggregating the resource instances through each virtual group node according to the service specifications in the service requirements comprises the following steps:
acquiring and inserting a virtual group node between a corresponding parent node and a corresponding child node according to a service requirement;
and aggregating the resource instances of each child node through the virtual group node according to the service specification in the service requirement.
4. The method for managing the authority of the backup system based on the resource layering of claim 3, wherein the method for obtaining and judging whether to authorize the corresponding resource to the corresponding user in the corresponding virtual group node based on the target resource hierarchical structure or in the corresponding node based on the initial resource hierarchical structure according to the authorization requirement of the backup system comprises the following steps:
A1, determining, according to the authorization requirement of the backup system, whether the corresponding user has authorization in the corresponding virtual group node based on the target resource hierarchical structure or in the corresponding node based on the initial resource hierarchical structure; if so, returning all the permissions of the user on the resource instance, authorizing the corresponding user, and ending; if not, going to step A2;
A2, determining whether the user has authorization on the resource at the parent node of the corresponding resource; if so, returning all the permissions of the user on the resource instance, authorizing the corresponding user, and ending; if not, going to step A3;
A3, determining whether the corresponding parent node is the resource hierarchy root node; if so, going to step A4; if not, taking the corresponding parent node as the resource node and returning to step A2;
A4, determining whether all user groups to which the user belongs have authorization on the resource instance; if so, returning all the permissions of the user on the resource instance, authorizing the corresponding user, and ending; if not, going to step A5;
A5, determining whether all user groups to which the user belongs have authorization on the resource at the parent node of the resource; if so, returning all the permissions of the user on the resource instance, authorizing the corresponding user, and ending; if not, going to step A6;
A6, determining whether the parent node is the resource hierarchy root node; if so, returning no authority, and ending; if not, taking the corresponding parent node as the resource node and returning to step A5.
5. The method for managing backup system authority based on resource hierarchy as claimed in claim 1, further comprising the steps of:
and caching the judgment result to obtain a cache list.
6. The method for managing backup system authority based on resource hierarchy as claimed in claim 5, further comprising the steps of:
and monitoring the adding, updating and deleting operations of resources and authorization, and updating the cache list.
7. The method for managing backup system authority based on resource hierarchy as claimed in claim 1, further comprising the steps of:
and nesting the corresponding virtual group nodes according to the service requirements.
8. A backup system authority management system based on resource layering, characterized by comprising a hierarchical structure entry module, a virtual group adding module and an authority management module, wherein:
the hierarchical structure entry module is used for acquiring and layering the resources of the backup system and constructing an initial resource hierarchical structure;
the virtual group adding module is used for acquiring and adding virtual group nodes in the corresponding initial resource hierarchical structure according to the service requirements, and aggregating resource instances through each virtual group node according to the service specifications in the service requirements to obtain a target resource hierarchical structure;
and the authority management module is used for acquiring and judging whether the corresponding resources are authorized to the corresponding users in the corresponding virtual group nodes based on the target resource hierarchical structure or the corresponding nodes based on the initial resource hierarchical structure according to the authorization requirement of the backup system, so as to complete authority management.
9. An electronic device, comprising:
a memory for storing one or more programs;
a processor;
the one or more programs, when executed by the processor, implement the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-7.
CN202210694316.XA 2022-06-20 2022-06-20 Backup system authority management method and system based on resource layering Active CN114780300B (en)

Publications (2)

Publication Number Publication Date
CN114780300A (en) 2022-07-22
CN114780300B (en) 2022-09-09

Family

ID=82421165

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant