CN115017526A - Database access method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115017526A
Authority
CN
China
Prior art keywords
access
database
user
access control
authority
Legal status
Pending
Application number
CN202210708351.2A
Other languages
Chinese (zh)
Inventor
李强
李晓明
郭庆
Current Assignee
Dawning Information Industry Beijing Co Ltd
Original Assignee
Dawning Information Industry Beijing Co Ltd
Application filed by Dawning Information Industry Beijing Co Ltd
Priority application CN202210708351.2A
Publication CN115017526A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/252 Integrating or interfacing systems involving database management systems between a Database Management System and a front-end application
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computational Linguistics (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a database access method, a database access device, electronic equipment and a storage medium, and relates to the technical field of security. In the method, after a database access request from a user is received, the access control policy corresponding to that user is obtained; the policy comprises multi-level access control permissions for the database. The database access request is then rule-matched against the access control policy to determine the user's access permission for the content to be accessed, and the request is answered according to that permission. Because multi-level access control permissions are set in the user's access control policy, finer-grained control of the user's access to the database is achieved, security is higher, and data access control in more application scenarios can be met.

Description

Database access method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of security technologies, and in particular, to a database access method, an apparatus, an electronic device, and a storage medium.
Background
At present, with the rapid development of big data and cloud computing technologies and the diversification of business application scenarios, application services are becoming increasingly complex. To ensure data security, data access control can be applied. Data access control is a security mechanism that protects data resources from unauthorized access by permitting or restricting a given access process in a defined manner, so that illegal intrusion by external users and illegal operations by internal users can be effectively prevented and data resources are used legally and controllably.
In traditional data access control, control is often realized through service-related attributes. For example, in a given service system the data access range is controlled by row-level filtering on department numbers, i.e. the databases that may be accessed are determined by looking at the department number.
Disclosure of Invention
An embodiment of the present application provides a database access method, an apparatus, an electronic device, and a storage medium, so as to solve the problem that data security cannot be ensured in an existing coarse-grained access control manner.
In a first aspect, an embodiment of the present application provides a database access method, where the method includes:
receiving a database access request of a user;
acquiring an access control strategy corresponding to the user, wherein the access control strategy comprises multi-level access control permission of a database;
carrying out rule matching on the database access request and the access control strategy to determine the access authority of the content to be accessed;
and responding to the database access request according to the access authority.
In the implementation process, after receiving a database access request of a user, the method obtains an access control policy corresponding to the user, wherein the access control policy comprises multi-level access control permission of the database, then the database access request is subjected to rule matching with the access control policy to determine the access permission of the user to the content to be accessed, and the database access request is responded according to the access permission.
Optionally, the multi-level access control authority includes control authority at at least one of the levels database type, database, data table and data field. Four-level access control can therefore be realized, further improving the security of the user's access to the data.
Optionally, the performing rule matching on the database access request and the access control policy includes:
performing syntactic analysis on the database access request to generate an abstract syntactic tree;
determining the content to be accessed which is requested to be accessed according to the abstract syntax tree;
and carrying out rule matching on the content to be accessed and the hierarchical access authority in the access control strategy.
In the implementation process, the database access request is analyzed in a syntax mode to more accurately determine the content to be accessed, and the content to be accessed is subjected to rule matching with the hierarchical access authority in the access control strategy, so that the access authority corresponding to the content to be accessed can be determined.
Optionally, the receiving a database access request of a user includes:
receiving the database access request of the user through a unified interface of a query engine, where the access interfaces of databases of a plurality of database types are this unified interface. Cross-type and cross-database queries over data of multiple database types can therefore be performed through the unified interface, which is convenient and fast.
Optionally, the obtaining of the access control policy corresponding to the user includes:
and if the access control policies corresponding to the user comprise a plurality of access control policies, performing a union calculation on the plurality of access control policies to obtain the final access control policy. A plurality of access control policies can thus be configured for a user according to different service requirements, and the union calculation determines all access rights of the user.
Optionally, the responding to the database access request according to the access right includes:
if the access authority is not in the range of the access control strategy, corresponding prompt information is returned to the user;
and if the access right is in the range of the access control strategy, inquiring the content to be accessed corresponding to the database access request and returning the content to the user.
In the implementation process, the database access request is answered by judging whether the access authority is within the range of the access control policy. The content accessed by the user is thereby placed under secure access control, data leakage caused by a user accessing content for which they have no access authority is avoided, and data security is ensured.
Optionally, the method further comprises:
and performing anomaly analysis on the access records of each user, and outputting an alarm when the access records are abnormal. An alarm can thus be raised when an anomaly occurs, so that administrators can handle it in time and ensure data security.
In a second aspect, an embodiment of the present application provides a database access apparatus, where the apparatus includes:
the request receiving module is used for receiving a database access request of a user;
the strategy acquisition module is used for acquiring an access control strategy corresponding to the user, wherein the access control strategy comprises a multi-level access control authority of a database;
the permission determining module is used for carrying out rule matching on the database access request and the access control strategy so as to determine the access permission of the content to be accessed;
and the request response module is used for responding to the database access request according to the access authority.
In a third aspect, an embodiment of the present application provides an electronic device, which includes a processor and a memory, where the memory stores computer-readable instructions, and when the computer-readable instructions are executed by the processor, the steps in the method as provided in the first aspect are executed.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, performs the steps in the method as provided in the first aspect above.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a flowchart of a database access method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a database management system according to an embodiment of the present application;
fig. 3 is a schematic diagram of an actual service deployment architecture provided in the embodiment of the present application;
fig. 4 is a block diagram of a database access apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device for executing a database access method according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
It should be noted that the terms "system" and "network" in the embodiments of the present invention may be used interchangeably. "A plurality" means two or more, and accordingly "a plurality" may also be understood as "at least two" in the embodiments of the present invention. "And/or" describes an association between the associated objects and covers three relationships; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" generally indicates that the preceding and following objects are in an "or" relationship, unless otherwise specified.
The embodiment of the application provides a database access method. After receiving a database access request from a user, the method obtains the access control policy corresponding to that user, which comprises multi-level access control authority over the database; the database access request is then rule-matched against the access control policy to determine the user's access authority for the content to be accessed, and the request is answered according to that authority. Because multi-level access control authority is set in the user's access control policy, finer-grained control of the user's access to the database is realized and security is higher.
Referring to fig. 1, fig. 1 is a flowchart of a database access method according to an embodiment of the present application, where the method includes the following steps:
step S110: a database access request of a user is received.
The data access method is applied to a database access management system, which may be as shown in fig. 2 and comprises a query engine, an authentication service module, a policy service module and the like. The query engine handles data interaction with the client and is also used to query the database for the information the user requires. The user can submit a database access request on the corresponding client to request access to particular database content; when the request reaches the query engine it is received there and handed on for subsequent processing.
Step S120: and acquiring an access control strategy corresponding to the user.
In order to realize finer-grained access control, the access control policy of the user includes a multi-level access control authority of the database, and the multi-level access control authority can be understood as a multi-level authority set for the user to access the database.
In some embodiments, the multi-level access control authority includes control authority at at least one of the levels database type, database, data table and data field. For example, a given user may be permitted to access data of certain database types, or data of certain databases under certain database types, and this may be refined further to particular data tables or data fields; the minimum granularity accessible to a user is the data field. The database accessed by the user is a database of one of a plurality of database types, so the scheme of the application can realize access authority control over a plurality of database types.
Because of the multi-level access control authority, a user's access control policy for the database can be limited at different levels. Different users can be configured with different access control policies as required, users at the same level can have combinations of multi-level access control policies, and the access control policies of users at the same level can be shared. Access control policies can therefore be configured for users with different roles according to their service requirements on the database, supporting free and dynamic fine-grained control of user access.
The policy service module is used for managing the access control policy of each user, can support the row-level access policy presetting of the user, and can carry out full life cycle management on the access control policy of each user. If the access control strategy of the user needs to be added and modified, the access control strategy can also be modified through the strategy service module, and the historical modification record can be stored through the authentication service module so as to facilitate the follow-up tracing.
It should be noted that the access control policy of a user may be configured for the user's role: users in the same role may have the same access control policy, and users in different roles may have different access control policies. The access control policy corresponding to the user currently making the request can therefore be obtained by resolving the user's role.
Step S130: and carrying out rule matching on the database access request and the access control strategy so as to determine the access authority of the content to be accessed.
After the query engine acquires the user's access control policy from the policy service module, it can submit the access control policy together with the database access request to the authentication service module, which authenticates the request against the policy. This means rule matching between the database access request and the access control policy: the access authority in the user's access control policy is matched against the content to be accessed by the request according to a given rule, for example by matching the access authority fields in the access control policy against the corresponding fields of the content to be accessed, so as to determine whether the content to be accessed lies within the access authority of the user's access control policy and thereby obtain the access authority for the content to be accessed.
In some embodiments, the specific matching process may be as follows: and carrying out syntactic analysis on the database access request to generate an abstract syntactic tree, then determining the content to be accessed which is requested to be accessed according to the abstract syntactic tree, and carrying out rule matching on the content to be accessed and the hierarchy access authority in the access control strategy.
After receiving the database access request, the query engine can perform syntax analysis on the database access request through the query parser so as to generate an abstract syntax tree, and further can analyze and obtain information such as database types, databases, data tables, fields and the like accessed by the request according to the abstract syntax tree.
For example, the user's access control policy permits access to a specific 5 tables in a certain database under a certain database type, and parsing the user's database access request shows that the content to be accessed is 8 tables in that database under that database type. Matching by the authentication service module then finds that the 8 requested tables include the 5 tables in the access control policy; since the hierarchical access authority covers only those specific 5 tables, the user only has authority to access the 5 tables. At this point the access authority for the content to be accessed can be determined either as the authority over the 5 tables, or as no access authority, i.e. the user does not have authority to access the 8 tables.
In the implementation process, the database access request is analyzed in a syntax mode to more accurately determine the content to be accessed, and the content to be accessed is subjected to rule matching with the hierarchical access authority in the access control strategy, so that the access authority corresponding to the content to be accessed can be determined.
Step S140: and responding to the database access request according to the access authority.
After obtaining the user's access right to the content to be accessed, the query engine can respond to the database access request according to that access right. If there is no access right, the query engine can return corresponding prompt information to the user; if the access right covers part of the content to be accessed, the query engine can query that content to obtain the response and return it to the user.
In some embodiments, when the access right to the content to be accessed is a right to specific content, such as the right to access 5 tables, it may be determined whether the access right lies within the range of the access control policy in order to respond to the database access request: if the access right is not within the range of the access control policy, corresponding prompt information is returned to the user, and if it is within the range, the content to be accessed corresponding to the database access request is queried and returned to the user.
For example, the user's access control policy permits access to 8 tables and the currently requested content is 5 of those tables, which indicates that the access right is within the scope of the access control policy; the query engine can then query the requested 5 tables and return the content to the user. If the currently requested content is instead 5 tables of another database, the access right is no longer within the range of the access control policy, and a prompt stating that the user is not authorized to view the content can be returned.
It should be noted that if the access right to the content to be accessed only overlaps with the access control policy, the access right may still be treated as within the range of the access control policy, and the query engine may return to the user only the requested content that falls inside the overlapping range. The returned content is then not all of the requested content but only the part that overlaps with the access control policy, which ensures that other content for which the user has no right is not leaked to the user and improves data security.
In addition, when the query engine performs a query, it is composed of a service coordinator, a service registration and discovery unit and a plurality of worker service nodes. The service coordinator is responsible for analyzing the user's database access request, generating the corresponding execution plan and distributing execution tasks to the worker service nodes; the service registration and discovery unit handles the registration, management and monitoring of the worker nodes; and the worker service nodes are responsible for executing the query tasks and querying data from databases of the various types.
Because databases of multiple database types can be connected in this scheme, the method can support concurrent cross-type, cross-database correlated queries over multiple database types. For example, if the queried content is contained in database 1 of database type 1 and in database 2 of database type 2, the query engine can query both databases simultaneously and obtain the content from each, realizing a cross-database correlated query of the data.
In the implementation process, after receiving a database access request of a user, the method obtains an access control policy corresponding to the user, wherein the access control policy comprises multi-level access control permission of the database, then the database access request is subjected to rule matching with the access control policy to determine the access permission of the user to the content to be accessed, and the database access request is responded according to the access permission.
On the basis of the above embodiment, in order to facilitate querying data in a plurality of database types, the query engine may provide a unified query interface for a user, that is, a database access request of the user may be received through the unified interface of the query engine, where an access interface corresponding to a database of the plurality of database types is the unified interface.
That is, when the data query is implemented internally, the access interfaces of the database types are implemented uniformly by the query engine, so that only one uniform interface is provided for a user to access the data of the database types, and each database type does not correspond to one query interface, so that the data query across the database types is implemented.
In actual application, a deployment schematic of the database access management system is shown in fig. 3: the query engine, the authentication service module, the policy service module, the plurality of database types (shown in fig. 3 as heterogeneous data sources) and so on are deployed accordingly. A set of common services can be set up for the policy service module, and information such as users' access control policies can be stored in a relational database, in Elasticsearch or in an in-memory database, chosen according to the scale and required response time of the access requests. The interface of the authentication service module is highly extensible and supports linear scaling, so as to better meet the rule authentication needs of large-scale applications.
In the schematic diagram of fig. 3, the service zones may refer to different user roles, for example, the service zone one is team 1, which has a corresponding access control policy, the service zone two is team 2, which also has a corresponding access control policy, and the access control policies of the two may be different, that is, the content permissions accessible by the two teams are different.
After deployment, the database access management system can automatically synchronize the user information of each service zone without manual intervention: an administrator only needs to configure the access control policy for users of each role in the policy service module and does not need to enter user information manually, which simplifies administration and improves the efficiency of policy configuration.
In a specific implementation, the access control policy can be defined according to user needs, fine-grained four-level management can be realized through the access control policy, deployment of the access control policy is automated by the database access management system in this scheme, and the access control policy can also be modified, deleted, and enabled or disabled online and immediately. This greatly improves the convenience of authority management and the standardization of data use, and effectively guarantees data security.
In a specific implementation the unified interface may be Java Database Connectivity (JDBC) or Open Database Connectivity (ODBC); both interfaces support querying multiple database types, clustered deployment of the query engine and linear service scaling.
The various database types described above may include oracle, mysql, hive, hbase, hdfs, alluxio, elastic search, gbase, hbase-drill and postgresql. The databases of these types can use distributed (i.e. heterogeneous) storage to save storage resources and improve data access efficiency, and multiple database types can be understood as multiple sources, so the scheme of the application can realize multi-level access authority control over heterogeneous multi-source data.
On the basis of the above embodiment, since data in different database types may need to be accessed, a plurality of access control policies may be configured for a user, and if the access control policy corresponding to the user includes a plurality of access control policies, a union calculation is performed on the plurality of access control policies to obtain a final access control policy of the user.
For example, a user in a given role has the right to access 3 tables in database 1 of database type 1, for which one access control policy may be configured, and also has the right to access 5 fields in 4 tables of database 2 of database type 1, for which another access control policy may be configured.
On the basis of the above embodiment, the query engine may also be configured to perform an anomaly analysis on the access records of each user, and perform an alarm output when the access records are anomalous.
That is, the query engine may store the access records of each user and subsequently perform anomaly analysis on the records over a period of time or at regular intervals. Alternatively, anomaly analysis can be performed on each user's access record as it happens: if, after the current user submits a database access request, the query engine determines that the access right to the requested content is not within the range of the user's access control policy, the user is determined to be in an abnormal access state and corresponding alarm information is output to the administrator; otherwise no alarm is output.
In some embodiments, when analyzing whether a user's database access request is abnormal, the method may also analyze the user's current operating environment, for example by scanning the client currently used by the user with antivirus software (scanning information such as the built-in files and parameter information of the application used by the user on the client, and the antivirus software installed) and then judging the security of the operating environment from the scan result. If the scan shows that a file used by the user is dangerous, the operating environment is judged to be unsafe; the access right to the content accessed by the database access request is then determined not to be within the range of the user's access control policy, the request is determined to be abnormal, and warning information is output. Conversely, if the operating environment is secure, the request can be regarded as non-abnormal regardless of whether the access right is within the range of the access control policy, and no alarm information is output.
In addition, the query engine can automatically record the access records of all users, and these records can be used for statistical analysis, anomaly alarms, operation backtracking and the like.
The scheme of the present application is explained below with a specific example.
For example, a company contains several departments whose data may be stored in databases of different database types. Different departments may have access to data in databases of different types, and different users may have access to different data, so a corresponding access control policy can be configured in advance in the policy service module for each user or each department (if all users of a department have the same authority, the authority can be configured according to the department's role). The access control policy can be refined to specific database types, databases, data tables, data fields and so on, that is, it is a multi-level access control policy. A user may of course be configured with multiple access control policies; after configuration, the users' access control policies are stored in the policy service module.
If the access control policy of some user is to be modified later, operations such as online modification and deletion can be performed directly in the policy service module. A function for enabling or disabling a user's access control policy can also be configured in the policy service module: after the access control policy is configured as enabled, the user's access control policy takes effect and the user's access right is subsequently judged according to it; if the access control policy is configured as disabled, subsequent access by the user can be rejected, which indicates that the user has no right to access any data. The enable or disable function configured here may be applied uniformly to all users, or selectively to only some of them.
For example, if user 1 wants to access certain data, a database access request may be submitted from the user terminal to the query engine. The query engine provides a uniform query interface for the user; the query interface can interface with databases of multiple database types, so the user can query data in databases of all database types through it. After receiving the database access request, the query engine calls the policy service module to query the access control policy corresponding to user 1. If user 1 corresponds to a plurality of access control policies, the policy service module can extract and integrate them to obtain the final access control policy of user 1, and then submit that final access control policy to the authentication service module. The authentication service module authenticates the final access control policy of user 1 against the database access request, that is, judges whether the data content accessed by user 1 is within the access authority. If so, it returns a prompt message indicating that authentication passed to the query engine, which can then retrieve the corresponding data from the corresponding database and return it to user 1, so that user 1 can access the data. If not, a prompt message indicating that authentication failed is returned to the query engine, which then denies the access of user 1, that is, returns a corresponding access-denied prompt message to user 1.
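The flow described in this example (policy lookup, union of a user's several policies, syntax analysis of the request, and level-by-level rule matching before the query engine answers) is shown below as an added illustration. It is not code from the patent or its applicant. It assumes a minimal SELECT-only parser standing in for the abstract syntax tree, a policy layout of (database type, database, data table, data fields), and constructed sample names such as the "sales" database and the "orders" table; all of these are assumptions, not values from the page.

```python
"""Multi-level access control check for a database access request.

Added example, not the patent's own code.  Assumptions: a tiny SELECT-only
parser plays the role of syntax analysis; a policy is a grant on
(db_type, database, table) with a set of fields ("*" = every field);
the union of a user's policies is the "final access control policy".
All database/table/user names below are constructed sample data.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Policy:
    db_type: str        # hypothetical database-type label, e.g. "mysql"
    database: str
    table: str
    fields: frozenset   # granted data fields; "*" means the whole table


@dataclass
class Ast:
    """Minimal abstract syntax tree: which table and which columns are read."""
    db_type: str
    database: str
    table: str
    columns: list


_SELECT = re.compile(
    r"^\s*select\s+(?P<cols>.+?)\s+from\s+(?P<target>[\w.]+)\s*(?:where\s.+)?;?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def parse_request(db_type, sql):
    """Syntax analysis: 'SELECT a, b FROM db.tbl ...' -> Ast.
    Only simple single-table SELECT statements are understood; anything
    else is rejected, so an unparsed statement never reaches the database."""
    m = _SELECT.match(sql)
    if not m:
        raise ValueError("unsupported statement: %r" % sql)
    target = m.group("target").split(".")
    if len(target) != 2:
        raise ValueError("table must be qualified as database.table")
    cols = [c.strip() for c in m.group("cols").split(",")]
    return Ast(db_type, target[0], target[1], cols)


def merge_policies(policies):
    """Union calculation: a user's several policies become one final policy,
    keyed by (db_type, database, table) -> set of granted fields."""
    final = {}
    for p in policies:
        final.setdefault((p.db_type, p.database, p.table), set()).update(p.fields)
    return final


def authorize(final_policy, ast):
    """Rule matching from coarse to fine level: database type, database and
    table must be granted, then every requested field.  Returns (ok, reason)."""
    key = (ast.db_type, ast.database, ast.table)
    granted = final_policy.get(key)
    if granted is None:
        return False, "no policy grants %s.%s on %s" % (key[1], key[2], key[0])
    if "*" in granted:
        return True, "table-level grant"
    if "*" in ast.columns:
        return False, "SELECT * needs a table-level grant"
    missing = [c for c in ast.columns if c not in granted]
    if missing:
        return False, "fields not granted: %s" % ", ".join(missing)
    return True, "field-level grant"


def respond(final_policy, db_type, sql):
    """Query engine response: either a stand-in for the data or a denial prompt."""
    try:
        ast = parse_request(db_type, sql)
    except ValueError as e:
        return {"ok": False, "message": str(e)}
    ok, reason = authorize(final_policy, ast)
    if not ok:
        return {"ok": False, "message": "access denied: " + reason}
    return {"ok": True, "message": reason, "table": ast.table, "columns": ast.columns}


# Constructed sample: user 1 has a department-role policy plus a personal grant.
USER1_POLICIES = [
    Policy("mysql", "sales", "orders", frozenset({"id", "amount"})),
    Policy("mysql", "sales", "orders", frozenset({"customer"})),   # personal grant
    Policy("postgres", "hr", "employees", frozenset({"*"})),
]

if __name__ == "__main__":
    fp = merge_policies(USER1_POLICIES)
    print(respond(fp, "mysql", "SELECT id, amount, customer FROM sales.orders WHERE id = 3"))
    print(respond(fp, "mysql", "SELECT salary FROM sales.orders"))
    print(respond(fp, "postgres", "SELECT * FROM hr.employees"))
```

The field-level check is the part that makes the policy "multi-level": the same request is accepted or refused depending on whether the user's merged grants reach down to every column named in the statement, and a statement the parser cannot classify is refused rather than passed through.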
After user 1 finishes accessing, the query engine may record an access record of user 1 regardless of whether the access succeeded, where the access record may include data such as the data content accessed by user 1, whether the access succeeded, the total number of accesses, the access frequency, the number of failed accesses, the number of successful accesses, and the like. The query engine can automatically record the access record of each user, and the records can be used for history tracing or statistical analysis such as abnormal access analysis.
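The access-record keeping and anomaly analysis of this paragraph and of the embodiment above are shown below as an added example; it is not code from the patent or its applicant. The record layout (user, accessed content, success flag, timestamp), the two anomaly rules (a request refused by policy raises an alarm at once; a burst of requests above a per-window count raises a second alarm) and the window size are assumptions made for the illustration.

```python
"""Access records and anomaly analysis for the query engine.

Added example, not the patent's code.  Assumptions: each record carries
(user, content, success, ts); an alarm is raised when a request fell
outside the user's policy, and another when more than max_per_window
requests arrive within window_seconds.  Sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRecord:
    user: str
    content: str     # constructed label, e.g. "mysql/sales/orders[id,amount]"
    success: bool    # True if the request passed authentication
    ts: float        # time of the request in seconds


class AccessLog:
    def __init__(self, window_seconds=60.0, max_per_window=5):
        self.records = defaultdict(list)   # user -> list of AccessRecord
        self.window = window_seconds
        self.max_per_window = max_per_window

    def record(self, rec):
        """Store every record, successful or not, and return the alarms it triggers."""
        self.records[rec.user].append(rec)
        return self.analyze(rec.user, rec)

    def analyze(self, user, latest):
        """Anomaly analysis for one user after their latest request."""
        alarms = []
        if not latest.success:
            alarms.append("user %s requested %s outside its access control policy"
                          % (user, latest.content))
        recent = [r for r in self.records[user] if latest.ts - r.ts <= self.window]
        if len(recent) > self.max_per_window:
            alarms.append("user %s made %d requests within %.0f s"
                          % (user, len(recent), self.window))
        return alarms

    def stats(self, user):
        """Statistics used for history tracing: totals, failures and frequency."""
        recs = self.records[user]
        if not recs:
            return {"total": 0, "successful": 0, "failed": 0, "per_minute": 0.0}
        span = max(recs[-1].ts - recs[0].ts, 1.0)   # avoid division by zero
        ok = sum(1 for r in recs if r.success)
        return {"total": len(recs), "successful": ok, "failed": len(recs) - ok,
                "per_minute": round(len(recs) / span * 60.0, 2)}


def run_sample():
    """Constructed session for user 1: three permitted reads, then one refused."""
    log = AccessLog(window_seconds=60.0, max_per_window=3)
    alarms = []
    alarms += log.record(AccessRecord("user1", "mysql/sales/orders[id,amount]", True, 0.0))
    alarms += log.record(AccessRecord("user1", "mysql/sales/orders[customer]", True, 10.0))
    alarms += log.record(AccessRecord("user1", "postgres/hr/employees[*]", True, 20.0))
    alarms += log.record(AccessRecord("user1", "mysql/sales/orders[salary]", False, 30.0))
    return alarms, log.stats("user1")


if __name__ == "__main__":
    for line in run_sample()[0]:
        print("ALARM:", line)
    print(run_sample()[1])
```

Keeping the failed request in the log, rather than only the successful ones, is what lets the per-user analysis distinguish a single typo from a user repeatedly probing content outside its policy; the statistics function reproduces the totals and frequency the paragraph lists.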
Referring to fig. 4, fig. 4 is a block diagram of a database access apparatus 200 according to an embodiment of the present disclosure, where the apparatus 200 may be a module, a program segment, or code on an electronic device. It should be understood that the apparatus 200 corresponds to the above-mentioned embodiment of the method of fig. 1, and can perform various steps related to the embodiment of the method of fig. 1, and the specific functions of the apparatus 200 can be referred to the above description, and the detailed description is appropriately omitted here to avoid redundancy.
Optionally, the apparatus 200 comprises:
a request receiving module 210, configured to receive a database access request of a user;
a policy obtaining module 220, configured to obtain an access control policy corresponding to the user, where the access control policy includes a multi-level access control permission of a database;
a permission determining module 230, configured to perform rule matching on the database access request and the access control policy to determine an access permission of the content to be accessed;
a request response module 240, configured to respond to the database access request according to the access right.
Optionally, the multi-level access control authority includes control authority of at least one level of a database type, a database, a data table, and a data field.
Optionally, the permission determining module 230 is configured to perform syntax analysis on the database access request to generate an abstract syntax tree; determining the content to be accessed which is requested to be accessed according to the abstract syntax tree; and carrying out rule matching on the content to be accessed and the hierarchical access authority in the access control strategy.
Optionally, the request receiving module 210 is configured to receive a database access request of a user through a unified interface of a query engine, where access interfaces corresponding to databases of multiple database types are the unified interface.
Optionally, the policy obtaining module 220 is configured to, if the access control policy corresponding to the user includes multiple access control policies, perform a union calculation on the multiple access control policies to obtain a final access control policy.
Optionally, the request response module 240 is configured to return corresponding prompt information to the user if the access right is not within the range of the access control policy; and if the access right is in the range of the access control strategy, inquiring the content to be accessed corresponding to the database access request and returning the content to the user.
Optionally, the apparatus 200 further comprises:
and an alarm module, configured to perform anomaly analysis on the access records of each user and to output an alarm when the access records are abnormal.
It should be noted that, for the convenience and brevity of description, the specific working procedure of the above-described apparatus may refer to the corresponding procedure in the foregoing method embodiment, and the description is not repeated herein.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device for executing a database access method according to an embodiment of the present application, where the electronic device may include: at least one processor 310, such as a CPU, at least one communication interface 320, at least one memory 330, and at least one communication bus 340. Wherein the communication bus 340 is used for realizing direct connection communication of these components. The communication interface 320 of the device in the embodiment of the present application is used for performing signaling or data communication with other node devices. The memory 330 may be a high-speed RAM memory or a non-volatile memory (e.g., at least one disk memory). The memory 330 may optionally be at least one memory device located remotely from the aforementioned processor. The memory 330 stores computer readable instructions, which when executed by the processor 310, the electronic device executes the above-mentioned method process shown in fig. 1.
It will be appreciated that the configuration shown in fig. 5 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 5 or may have a different configuration than shown in fig. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof.
Embodiments of the present application provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, performs the method processes performed by an electronic device in the method embodiment shown in fig. 1.
The present embodiments disclose a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above-described method embodiments, for example, comprising: receiving a database access request of a user; acquiring an access control strategy corresponding to the user, wherein the access control strategy comprises multi-level access control permission of a database; carrying out rule matching on the database access request and the access control strategy to determine the access authority of the content to be accessed; and responding to the database access request according to the access authority.
To sum up, the embodiments of the present application provide a database access method, an apparatus, an electronic device, and a storage medium. After receiving a database access request of a user, the method obtains an access control policy corresponding to the user, where the access control policy includes a multi-level access control authority of a database; it then performs rule matching on the database access request and the access control policy to determine the user's access authority for the content to be accessed, and responds to the database access request according to that access authority. Because the present solution places a multi-level access control authority in the user's access control policy, finer-grained control of the user's access to the database can be achieved, security is higher, and data access control in more application scenarios can be satisfied.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A database access method, the method comprising:
receiving a database access request of a user;
acquiring an access control strategy corresponding to the user, wherein the access control strategy comprises multi-level access control permission of a database;
carrying out rule matching on the database access request and the access control strategy to determine the access authority of the content to be accessed;
and responding to the database access request according to the access authority.
2. The method of claim 1, wherein the multi-level access control authority comprises at least one level of control authority among a database type, a database, a data table, and a data field.
3. The method of claim 2, wherein the rule matching the database access request with the access control policy comprises:
carrying out syntactic analysis on the database access request to generate an abstract syntactic tree;
determining the content to be accessed which is requested to be accessed according to the abstract syntax tree;
and carrying out rule matching on the content to be accessed and the hierarchical access authority in the access control strategy.
4. The method of claim 1, wherein receiving a database access request from a user comprises:
receiving a database access request of a user through a uniform interface of a query engine, wherein access interfaces corresponding to databases of a plurality of database types are the uniform interface.
5. The method of claim 1, wherein the obtaining the access control policy corresponding to the user comprises:
and if the access control policies corresponding to the user comprise a plurality of access control policies, performing a union calculation on the plurality of access control policies to obtain a final access control policy.
6. The method of claim 1, wherein responding to the database access request according to the access rights comprises:
if the access authority is not in the range of the access control strategy, corresponding prompt information is returned to the user;
and if the access right is in the range of the access control strategy, inquiring the content to be accessed corresponding to the database access request and returning the content to the user.
7. The method of claim 1, further comprising:
and performing anomaly analysis on the access records of each user, and outputting an alarm when the access records are abnormal.
8. A database access apparatus, the apparatus comprising:
the request receiving module is used for receiving a database access request of a user;
the strategy acquisition module is used for acquiring an access control strategy corresponding to the user, wherein the access control strategy comprises a multi-level access control authority of a database;
the permission determining module is used for carrying out rule matching on the database access request and the access control strategy so as to determine the access permission of the content to be accessed;
and the request response module is used for responding to the database access request according to the access authority.
9. An electronic device comprising a processor and a memory, the memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210708351.2A CN115017526A (en) 2022-06-21 2022-06-21 Database access method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115017526A true CN115017526A (en) 2022-09-06

Family

ID=83076499

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210708351.2A Pending CN115017526A (en) 2022-06-21 2022-06-21 Database access method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115017526A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115238297A (en) * 2022-09-23 2022-10-25 北京安帝科技有限公司 Multi-level authority control memory protection method and device
CN115238297B (en) * 2022-09-23 2023-01-31 北京安帝科技有限公司 Multi-level authority control memory protection method and device
CN115622785A (en) * 2022-10-24 2023-01-17 哈尔滨工业大学 Service internet-oriented multi-level zero-trust security control method
CN115622785B (en) * 2022-10-24 2024-06-07 哈尔滨工业大学 Multi-level zero trust security control method for service Internet
CN117708879A (en) * 2023-12-13 2024-03-15 北京镜舟科技有限公司 Information authority control method, system, terminal and storage medium
CN117834304A (en) * 2024-03-05 2024-04-05 东方电气风电股份有限公司 Autonomous controllable master control network safety protection system
CN117834304B (en) * 2024-03-05 2024-05-03 东方电气风电股份有限公司 Autonomous controllable master control network safety protection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination