CN115455462A - Trino authority control method and device based on Elasticsearch strategy - Google Patents


Info

Publication number
CN115455462A
Authority
CN
China
Prior art keywords
authority
trino
schema
user
catalog
Legal status
Pending
Application number
CN202210934305.4A
Other languages
Chinese (zh)
Inventor
陈治祥
Current Assignee
CLP Cloud Digital Intelligence Technology Co Ltd
Original Assignee
CLP Cloud Digital Intelligence Technology Co Ltd
Application filed by CLP Cloud Digital Intelligence Technology Co Ltd
Priority to CN202210934305.4A
Publication of CN115455462A
Current legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application discloses a Trino authority control method and device based on an Elasticsearch strategy, comprising the following steps: an index and a data structure of the ES shared between the business system and Trino are configured in advance, and the Trino connection to the ES is initialized based on the trino-main module; after the business end writes the current user's authority data, the Trino SQL statement is parsed to obtain the catalog, schema, table and execution user information in it; authority verification is performed on the current user based on that catalog, schema, table and execution user information; and when the verification passes, the trino-main module corresponding to the current user is packaged and replaced in the tar.gz distribution to complete the authority deployment of the current user. The method controls the permissions of all data sources in Trino, responds in real time to changes of the permission data, and achieves more accurate permission verification.

Description

Trino authority control method and device based on Elasticsearch strategy
Technical Field
The application relates to the technical field of computers, in particular to a Trino authority control method and a Trino authority control device based on an Elasticsearch strategy.
Background
Trino is an excellent OLAP query engine whose philosophy is "SQL on Everything": data stored anywhere can be read with standard SQL. Trino does not store data itself; it is a typical MPP framework with separated storage and computation, and is well suited to multi-source heterogeneous federated queries.
In a large-scale Trino cluster, the problems of resource isolation among users and authority control of the users on a base table (catalog/schema/table) need to be mainly solved, so that the Trino multi-tenant requirement is met.
In the prior art, Trino integrated the Presto privilege plug-in (https://issues.apache.org/jira/browse/RANGER-2395) into Ranger 2.0 before the rename (PrestoSQL). Ranger authentication capability is added on the Hive Metastore side, so the Hive data authentication process sinks to the metadata service; the Trino side does not need to provide authentication capability, and the code intrusion is low.
The method is that when Trino accesses the Metastore the correct client user is passed through; the Metastore service receives the Trino call request and at the same time sends an authentication request to Ranger.
In the existing scheme, the Presto privilege plug-in has compatibility problems after Presto SQL was renamed, and the Ranger community has not provided a reasonable solution for some time.
When Trino implements Ranger authentication, the policy controlling the Hive data source is directed only at the Trino engine, and the Trino policy is not synchronized with the HiveServer2 policy, so the Trino Hive data source and HiveServer2 end up with different policies.
Rights to relational databases (MySQL, Oracle, PostgreSQL, SQL Server, etc.) are not controlled.
Adding, changing and deleting the authority data is complicated.
Disclosure of Invention
The embodiment of the application provides a Trino authority control method and device based on an Elasticsearch strategy, which are used for controlling the authorities of all data sources in a Trino, realizing real-time response to the change of authority data and realizing more accurate authority verification.
The embodiment of the application provides a Trino authority control method based on an Elasticsearch strategy, which comprises the following steps:
an index and a data structure of the ES shared between the business system and Trino are configured in advance, and the Trino connection to the ES is initialized based on the trino-main module;
after the current user permission data are written in the service end, analyzing the Trino SQL statement to obtain the catalog, the schema, the table and the execution user information in the Trino SQL statement;
performing authority verification on the current user based on the catalog, the schema and the table in the obtained Trino SQL statement and the execution user information;
and packaging a trino-main module corresponding to the current user under the condition that the verification is passed, and performing replacement in tar.gz to complete the authority deployment of the current user.
Optionally, the catalog obtained from the Trino SQL statement is handled by:
checkCanAccessCatalog: verifying whether the user can access the catalog;
filterCatalogs: filtering the catalogs;
the schema obtained from the Trino SQL statement is handled by:
checkCanShowSchemas: checking whether the user can access the schemas under the current catalog;
filterSchemas: filtering the schemas the user is allowed to access;
the table obtained from the Trino SQL statement is handled by:
filterTables: filtering the tables the user has query authority on;
checkCanInsertIntoTable: checking whether the user has authority to insert data into the table;
checkCanDeleteFromTable: checking whether the user has authority to delete data from the table;
the execution user information obtained from the Trino SQL statement is handled by:
checkCanShowTablesMetadata: checking which table metadata the user is allowed to access;
checkCanSelectFromColumns: checking whether the user has authority to query the columns.
Optionally, performing the permission check on the current user based on the catalog, the schema, the table and the execution user information obtained from the Trino SQL statement includes:
based on checkCanAccessCatalog, if the current user is determined to be a super user the check passes; otherwise the ES is queried by dbUserName and catalogName for whether the user has authority on the catalog, and if so the check passes;
based on filterCatalogs, checking the user's query authority on catalogs: if the current user is a super user all catalogs are returned; otherwise all catalogs are traversed, the authority is checked one by one in the ES through dbUserName and catalogName, and the catalogs with matching authority are returned;
based on checkCanShowSchemas, if the current user is determined to be a super user the check passes; otherwise the ES is queried for whether dbUserName has the authority, and if so the check passes;
based on filterSchemas, checking the user's query authority on schemas: if the current user is a super user all schema names are returned; otherwise all schema names are traversed, the authority is checked one by one in the ES through dbUserName, catalogName and schemaName, and the schemas with matching authority are returned;
based on checkCanShowTablesMetadata, querying the ES through dbUserName, catalogName and schemaName to check whether the user has query authority on the metadata;
based on filterTables, traversing each SchemaTableName and querying the ES to judge whether each table has query authority;
based on checkCanSelectFromColumns, parsing the CatalogSchemaTableName into catalogName and SchemaTableName objects, and querying catalogName, schemaName, tableName and columnName in the ES to judge whether the column has query authority;
based on checkCanInsertIntoTable, parsing catalogName, schemaName and tableName from the CatalogSchemaTableName, and passing the check when the table queried in the ES has write authority;
and based on checkCanDeleteFromTable, parsing catalogName, schemaName and tableName from the CatalogSchemaTableName, and querying the ES for whether the DELETE_OPERATION_AUTH access right exists.
Optionally, after the permission deployment of the current user is completed, the Trino permission control method further includes: and entering the server, and verifying the permission interception condition by using a preset instruction.
An embodiment of the present application further provides a Trino authority control device based on an Elasticsearch policy, including a processor, configured to:
an index and a data structure of the ES shared between the business system and Trino are configured in advance, and the Trino connection to the ES is initialized based on the trino-main module;
after the current user permission data are written in the service end, analyzing the Trino SQL statement to obtain the catalog, the schema, the table and the execution user information in the Trino SQL statement;
performing authority verification on the current user based on the catalog, the schema and the table in the obtained Trino SQL statement and the execution user information;
and under the condition that the verification is passed, packaging a trino-main module corresponding to the current user, and performing replacement in tar.gz to complete the authority deployment of the current user.
Optionally, the catalog obtained from the Trino SQL statement is handled by:
checkCanAccessCatalog: verifying whether the user can access the catalog;
filterCatalogs: filtering the catalogs;
the schema obtained from the Trino SQL statement is handled by:
checkCanShowSchemas: checking whether the user can access the schemas under the current catalog;
filterSchemas: filtering the schemas the user is allowed to access;
the table obtained from the Trino SQL statement is handled by:
filterTables: filtering the tables the user has query authority on;
checkCanInsertIntoTable: checking whether the user has authority to insert data into the table;
checkCanDeleteFromTable: checking whether the user has authority to delete data from the table;
the execution user information obtained from the Trino SQL statement is handled by:
checkCanShowTablesMetadata: checking which table metadata the user is allowed to access;
checkCanSelectFromColumns: checking whether the user has authority to query the columns.
Optionally, the processor is configured to:
based on checkCanAccessCatalog, if the current user is determined to be a super user the check passes; otherwise the ES is queried by dbUserName and catalogName for whether the user has authority on the catalog, and if so the check passes;
based on filterCatalogs, check the user's query authority on catalogs: if the current user is a super user all catalogs are returned; otherwise all catalogs are traversed, the authority is checked one by one in the ES through dbUserName and catalogName, and the catalogs with matching authority are returned;
based on checkCanShowSchemas, if the current user is determined to be a super user the check passes; otherwise the ES is queried for whether dbUserName has the authority, and if so the check passes;
based on filterSchemas, check the user's query authority on schemas: if the current user is a super user all schema names are returned; otherwise all schema names are traversed, the authority is checked one by one in the ES through dbUserName, catalogName and schemaName, and the schemas with matching authority are returned;
based on checkCanShowTablesMetadata, query the ES through dbUserName, catalogName and schemaName to check whether the user has query authority on the metadata;
based on filterTables, traverse each SchemaTableName and query the ES to judge whether each table has query authority;
based on checkCanSelectFromColumns, parse the CatalogSchemaTableName into catalogName and SchemaTableName objects, and query catalogName, schemaName, tableName and columnName in the ES to judge whether the column has query authority;
based on checkCanInsertIntoTable, parse catalogName, schemaName and tableName from the CatalogSchemaTableName, and pass the check when the table queried in the ES has write authority;
and based on checkCanDeleteFromTable, parse catalogName, schemaName and tableName from the CatalogSchemaTableName, and query the ES for whether the DELETE_OPERATION_AUTH access right exists.
Optionally, after completing the deployment of the authority of the current user, the processor is configured to: and entering the server, and verifying the permission interception condition by using a preset instruction.
According to the method and the device, authority verification is performed on the current user based on the catalog, the schema and the table in the obtained Trino SQL statement and the execution user information; and under the condition that the verification is passed, packaging a trino-main module corresponding to the current user, and performing replacement in tar.gz to complete the permission deployment of the current user, so that the permission of all data sources in the trino is controlled, the real-time response to the change of the permission data is realized, and more accurate permission verification is realized.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a basic flowchart of a Trino authority control method according to an embodiment of the present application;
fig. 2 is a general flowchart of a Trino authority control method according to an embodiment of the present application.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Elasticsearch (ES) is a real-time distributed storage, search and analysis engine. An Elasticsearch cluster has a plurality of Elasticsearch nodes, and the nodes are the machines running Elasticsearch processes.
An embodiment of the present application provides a Trino authority control method based on an Elasticsearch policy, as shown in fig. 1, including:
In step S101, an index and a data structure of the ES shared between the business system and Trino are configured in advance, the authority data are updated into the ES, and the Trino connection to the ES is initialized based on the trino-main module. The specific initialization may include: Trino configures the ES connection information, the ES client dependency is introduced, and an ES client query method is written by initializing the ES connection in the trino-main module.
In step S102, after the current user permission data is written in the service end, the Trino SQL statement is parsed to obtain catalog, schema, table and execution user information in the Trino SQL statement.
In step S103, authority check is performed on the current user based on the catalog, the schema, the table and the execution user information in the obtained Trino SQL statement.
In step S104, in the case that the verification passes, the trino-main module corresponding to the current user is packaged, and replacement is performed in tar.gz to complete the permission deployment of the current user, and the current user can be enabled after the permission deployment is completed.
According to the method, after the Trino process starts, each data source is loaded and the ES database is connected at the same time; the index structure in the ES is agreed with the service platform in advance, and when a user runs a cross-data-source query, the catalog/schema/table in the SQL statement and the execution SystemSecurityContext (including user, group, policy and similar information) are parsed. Each policy filtering method is implemented in a subclass of io.trino.security.AccessControl: the user, catalog, schema and table are captured, whether the user's read/write permission meets the requirement is determined by querying Elasticsearch, the query result is returned and a permission exception is thrown where needed, the trino-main and trino-spi modules are recompiled, and the jar package in the distribution is replaced, so that control of Trino permissions is achieved. In this way the permissions of all data sources in Trino are controlled, changes of the permission data are responded to in real time, and more accurate permission verification is achieved.
In some embodiments, the catalog obtained from the Trino SQL statement is handled by:
checkCanAccessCatalog: verifying whether the user can access the catalog;
filterCatalogs: filtering the catalogs;
the schema obtained from the Trino SQL statement is handled by:
checkCanShowSchemas: checking whether the user can access the schemas under the current catalog;
filterSchemas: filtering the schemas the user is allowed to access;
the table obtained from the Trino SQL statement is handled by:
filterTables: filtering the tables the user has query authority on;
checkCanInsertIntoTable: checking whether the user has authority to insert data into the table;
checkCanDeleteFromTable: checking whether the user has authority to delete data from the table;
the execution user information obtained from the Trino SQL statement is handled by:
checkCanShowTablesMetadata: checking which table metadata the user is allowed to access;
checkCanSelectFromColumns: checking whether the user has authority to query the columns.
In some embodiments, performing the permission check on the current user based on the catalog, the schema, the table and the execution user information obtained from the Trino SQL statement, as shown in fig. 2, is implemented specifically in the subclass io.trino.security.AllowAllAccessControl of io.trino.security.AccessControl, as follows:
Based on checkCanAccessCatalog: if the current user is determined to be a super user the check passes; otherwise the ES is queried by dbUserName for whether the user has authority on the catalogName; if so the check passes, and if not the exception "the user has no authority to access the catalog" is thrown.
Based on filterCatalogs, the user's query authority on catalogs is checked: if the current user is a super user all catalogs are returned; otherwise all catalogs are traversed, the authority is checked item by item in the ES through dbUserName and catalogName, and the catalogs with matching authority are returned. The catalogs are filtered typically because a SQL statement such as "show catalogs;" is received, and the check determines which catalogs the user has query authority on. The parameters are the user information Identity and a set of catalogs.
Based on checkCanShowSchemas: if the current user is determined to be a super user the check passes; otherwise the ES is queried for whether dbUserName has the authority; if so the check passes, and if not the exception "the user has no authority to access the schemas under the catalog" is thrown.
Based on filterSchemas, the user's query authority on schemas is checked: if the current user is a super user all schema names are returned; otherwise all schema names are traversed, the authority is checked item by item in the ES through dbUserName, catalogName and schemaName, and the schemas with matching authority are returned. Generally this is triggered by a SQL statement such as "show schemas from catalog;" and determines which schemas the user has query authority on. The parameters are the user information Identity, catalogName and a set of schema names.
Based on checkCanShowTablesMetadata, the ES is queried through dbUserName, catalogName and schemaName to check whether the user has query authority on the metadata.
Based on filterTables, each SchemaTableName is traversed and the ES is queried to judge whether each table has query authority. The parameters are Identity, catalogName and Set<SchemaTableName>.
Based on checkCanSelectFromColumns, the parameters are Identity, CatalogSchemaTableName and a set of columnName; the CatalogSchemaTableName is first parsed into catalogName and SchemaTableName objects, and then catalogName, schemaName, tableName and columnName are queried in the ES to judge whether the user has query authority on the column. In this way authority can be controlled down to the column level.
Based on checkCanInsertIntoTable, catalogName, schemaName and tableName are parsed from the CatalogSchemaTableName; the ES stores the WRITE_OPERATION_AUTH bound to the table, so the check passes when the table queried in the ES has the write right, and otherwise an exception is thrown.
Based on checkCanDeleteFromTable, catalogName, schemaName and tableName are parsed from the CatalogSchemaTableName, and the ES is queried for whether the DELETE_OPERATION_AUTH access right exists.
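The per-method checks above (summarised again in the optional steps of the disclosure and in the detailed description) all reduce to the same pattern: a super-user bypass for the catalog and schema checks, and otherwise an exact-match lookup in the ES index keyed by dbUserName plus the object's catalogName, schemaName, tableName and columnName, with an operation value such as WRITE_OPERATION_AUTH or DELETE_OPERATION_AUTH. The following Python model is an added example written for this page, not code from the patent or from Trino; it models the decision logic only. The policy document layout, the read value READ_OPERATION_AUTH, the super-user set and the in-memory search that stands in for the Elasticsearch client are assumptions; the method names and lookup keys follow the page.

```python
"""Model of the Elasticsearch-backed Trino permission checks described above.

Added example, not the patent's code. The check names, the lookup keys
(dbUserName, catalogName, schemaName, tableName, columnName) and the values
WRITE_OPERATION_AUTH / DELETE_OPERATION_AUTH follow the page; the policy
document layout, READ_OPERATION_AUTH, the super-user set and the in-memory
search that stands in for the ES client are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Set, Tuple

SUPER_USERS = {"admin"}            # assumption: the page does not say how super users are marked
READ_AUTH = "READ_OPERATION_AUTH"  # assumption: the page names only the write and delete values
WRITE_AUTH = "WRITE_OPERATION_AUTH"
DELETE_AUTH = "DELETE_OPERATION_AUTH"

class AccessDeniedException(Exception):
    """The permission exception thrown back into the Trino query."""

@dataclass(frozen=True)
class Identity:
    db_user_name: str

    def is_super_user(self) -> bool:
        return self.db_user_name in SUPER_USERS

# Constructed policy documents standing in for the ES index. One document grants
# one operation on one object; levels below the granted object are None.
POLICY_DOCS = [
    {"dbUserName": "alice", "catalogName": "hive", "schemaName": "sales",
     "tableName": "orders", "columnName": "id", "auth": READ_AUTH},
    {"dbUserName": "alice", "catalogName": "hive", "schemaName": "sales",
     "tableName": "orders", "columnName": "amount", "auth": READ_AUTH},
    {"dbUserName": "alice", "catalogName": "hive", "schemaName": "sales",
     "tableName": "orders", "columnName": None, "auth": WRITE_AUTH},
    {"dbUserName": "bob", "catalogName": "mysql", "schemaName": "crm",
     "tableName": "customers", "columnName": "email", "auth": READ_AUTH},
]

def build_term_query(**terms) -> dict:
    """The bool/filter query a check sends to ES: one exact term per lookup key."""
    return {"query": {"bool": {"filter": [{"term": {k: v}} for k, v in terms.items()]}}}

def search_policy_index(docs: Iterable[dict], query: dict) -> list:
    """In-memory stand-in for the ES client's search(): exact term matches only."""
    wanted = [next(iter(f["term"].items())) for f in query["query"]["bool"]["filter"]]
    return [d for d in docs if all(d.get(k) == v for k, v in wanted)]

def has_grant(identity: Identity, **terms) -> bool:
    """Deny by default: a grant exists only if ES returns at least one document."""
    return bool(search_policy_index(POLICY_DOCS, build_term_query(dbUserName=identity.db_user_name, **terms)))

# Catalog and schema checks: super user passes, everyone else needs a document.
def check_can_access_catalog(identity: Identity, catalog_name: str) -> None:
    if not (identity.is_super_user() or has_grant(identity, catalogName=catalog_name)):
        raise AccessDeniedException(f"user {identity.db_user_name} has no authority to access catalog {catalog_name}")

def filter_catalogs(identity: Identity, catalogs: Set[str]) -> Set[str]:
    if identity.is_super_user():
        return set(catalogs)
    return {c for c in catalogs if has_grant(identity, catalogName=c)}

def check_can_show_schemas(identity: Identity, catalog_name: str) -> None:
    if not (identity.is_super_user() or has_grant(identity, catalogName=catalog_name)):
        raise AccessDeniedException(f"user {identity.db_user_name} has no authority on schemas under catalog {catalog_name}")

def filter_schemas(identity: Identity, catalog_name: str, schema_names: Set[str]) -> Set[str]:
    if identity.is_super_user():
        return set(schema_names)
    return {s for s in schema_names if has_grant(identity, catalogName=catalog_name, schemaName=s)}

# Table and column checks: the page describes these as plain ES lookups.
def check_can_show_tables_metadata(identity: Identity, catalog_name: str, schema_name: str) -> None:
    if not has_grant(identity, catalogName=catalog_name, schemaName=schema_name):
        raise AccessDeniedException(f"no metadata authority on {catalog_name}.{schema_name}")

def filter_tables(identity: Identity, catalog_name: str, tables: Set[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    return {(s, t) for s, t in tables
            if has_grant(identity, catalogName=catalog_name, schemaName=s, tableName=t, auth=READ_AUTH)}

def check_can_select_from_columns(identity: Identity, catalog_name: str, schema_name: str,
                                  table_name: str, columns: Set[str]) -> None:
    denied = sorted(c for c in columns if not has_grant(identity, catalogName=catalog_name, schemaName=schema_name,
                                                        tableName=table_name, columnName=c, auth=READ_AUTH))
    if denied:  # column-level control: every requested column needs its own grant
        raise AccessDeniedException(f"no query authority on columns {denied} of {catalog_name}.{schema_name}.{table_name}")

def check_can_insert_into_table(identity: Identity, catalog_name: str, schema_name: str, table_name: str) -> None:
    if not has_grant(identity, catalogName=catalog_name, schemaName=schema_name, tableName=table_name, auth=WRITE_AUTH):
        raise AccessDeniedException(f"no {WRITE_AUTH} on {catalog_name}.{schema_name}.{table_name}")

def check_can_delete_from_table(identity: Identity, catalog_name: str, schema_name: str, table_name: str) -> None:
    if not has_grant(identity, catalogName=catalog_name, schemaName=schema_name, tableName=table_name, auth=DELETE_AUTH):
        raise AccessDeniedException(f"no {DELETE_AUTH} on {catalog_name}.{schema_name}.{table_name}")

def allowed(check: Callable, *args) -> bool:
    """Run a check_* function and report pass/fail instead of raising."""
    try:
        check(*args)
        return True
    except AccessDeniedException:
        return False
```

Two design points worth noting. Every check is deny-by-default: an empty ES result set means no authority, so a missing or mis-indexed document fails closed rather than open. And the filter functions return subsets of the caller's candidate set instead of an unbounded list from the index, so a policy document for a catalog or table that the cluster does not actually expose can never surface an object in "show catalogs" or "show tables" output.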
In some embodiments, after the permission deployment of the current user is completed, the Trino permission control method further includes: entering the server and verifying the permission interception with a preset instruction. For example, a command such as ./trino --server ip:8660 --user username may be used to verify that permissions are intercepted.
The method can increase the control on the permission of all data sources in the trino, control from a catalog, schema and table three-layer structure, customize permission services (such as write and read), respond to the change of permission data in real time, and check the permission more accurately.
An embodiment of the present application further provides a Trino authority control device based on an Elasticsearch policy, including a processor, configured to:
configuring an index and a data structure of an ES between a service system and a Trino in advance, and initializing a Trino connection ES based on a Trino-main module;
after the current user permission data are written in the service end, analyzing the Trino SQL statement to obtain the catalog, the schema, the table and the execution user information in the Trino SQL statement;
performing authority verification on the current user based on the catalog, the schema and the table in the obtained Trino SQL statement and the execution user information;
and under the condition that the verification is passed, packaging a trino-main module corresponding to the current user, and performing replacement in tar.gz to complete the authority deployment of the current user.
In some embodiments, the catalog obtained from the Trino SQL statement is handled by:
checkCanAccessCatalog: verifying whether the user can access the catalog;
filterCatalogs: filtering the catalogs;
the schema obtained from the Trino SQL statement is handled by:
checkCanShowSchemas: checking whether the user can access the schemas under the current catalog;
filterSchemas: filtering the schemas the user is allowed to access;
the table obtained from the Trino SQL statement is handled by:
filterTables: filtering the tables the user has query authority on;
checkCanInsertIntoTable: checking whether the user has authority to insert data into the table;
checkCanDeleteFromTable: checking whether the user has authority to delete data from the table;
the execution user information obtained from the Trino SQL statement is handled by:
checkCanShowTablesMetadata: checking which table metadata the user is allowed to access;
checkCanSelectFromColumns: checking whether the user has authority to query the columns.
In some embodiments, the processor is configured to:
based on checkCanAccessCatalog, if the current user is determined to be a super user the check passes; otherwise the ES is queried by dbUserName and catalogName for whether the user has authority on the catalog, and if so the check passes;
based on filterCatalogs, check the user's query authority on catalogs: if the current user is a super user all catalogs are returned; otherwise all catalogs are traversed, the authority is checked one by one in the ES through dbUserName and catalogName, and the catalogs with matching authority are returned;
based on checkCanShowSchemas, if the current user is determined to be a super user the check passes; otherwise the ES is queried for whether dbUserName has the authority, and if so the check passes;
based on filterSchemas, check the user's query authority on schemas: if the current user is a super user all schema names are returned; otherwise all schema names are traversed, the authority is checked one by one in the ES through dbUserName, catalogName and schemaName, and the schemas with matching authority are returned;
based on checkCanShowTablesMetadata, query the ES through dbUserName, catalogName and schemaName to check whether the user has query authority on the metadata;
based on filterTables, traverse each SchemaTableName and query the ES to judge whether each table has query authority;
based on checkCanSelectFromColumns, parse the CatalogSchemaTableName into catalogName and SchemaTableName objects, and query catalogName, schemaName, tableName and columnName in the ES to judge whether the column has query authority;
based on checkCanInsertIntoTable, parse catalogName, schemaName and tableName from the CatalogSchemaTableName, and pass the check when the table queried in the ES has write authority;
and based on checkCanDeleteFromTable, parse catalogName, schemaName and tableName from the CatalogSchemaTableName, and query the ES for whether the DELETE_OPERATION_AUTH access right exists.
In some embodiments, after completing the deployment of the current user's permissions, the processor is configured to: and entering the server, and verifying the permission interception condition by using a preset instruction.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of another like element in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description, and do not represent the advantages and disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
While the present embodiments have been described with reference to the accompanying drawings, it is to be understood that the invention is not limited to the precise embodiments described above, which are meant to be illustrative and not restrictive, and that various changes may be made therein by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (8)

1. A Trino authority control method based on an Elasticsearch policy, characterized in that it comprises the following steps:
configuring in advance the index and data structure of the ES shared between the service system and Trino, and initializing the Trino connection to the ES based on the trino-main module;
after the current user's permission data have been written on the service side, parsing the Trino SQL statement to obtain the catalog, the schema, the table and the executing-user information in the Trino SQL statement;
performing authority verification on the current user based on the catalog, the schema, the table and the executing-user information obtained from the Trino SQL statement;
and, if the verification passes, packaging the trino-main module corresponding to the current user and replacing it in the tar.gz to complete the authority deployment of the current user.
2. The Trino authority control method based on an Elasticsearch policy of claim 1, wherein the catalog in the obtained Trino SQL statement comprises:
checkCanAccessCatalog: checks whether the user can access the catalog;
filterCatalogs: filters the catalogs;
the schema in the obtained Trino SQL statement comprises:
checkCanShowSchemas: checks whether the user can access the schemas under the current catalog;
filterSchemas: filters the schemas the user is allowed to access;
the table in the obtained Trino SQL statement comprises:
filterTables: filters the tables on which the user has query authority;
checkCanInsertIntoTable: checks whether the user has the authority to insert data into the table;
checkCanDeleteFromTable: checks whether the user has the authority to delete data from the table;
the executing-user information in the obtained Trino SQL statement comprises:
checkCanShowTablesMetadata: checks which table metadata the user is allowed to access;
checkCanSelectFromColumns: checks whether the user has the authority to query the columns.
3. The Trino authority control method based on an Elasticsearch policy of claim 2, wherein performing authority verification on the current user based on the catalog, the schema, the table and the executing-user information obtained from the Trino SQL statement comprises:
in checkCanAccessCatalog, if the current user is determined to be a super user the check passes; otherwise the ES is queried by dbUserName to determine whether the user has authority on the catalogName, and if so the check passes;
in filterCatalogs, the user's query authority on catalogs is checked: if the current user is a super user all catalogs are returned; otherwise all catalogs are traversed, each one is checked in the ES by dbUserName and catalogName, and the catalogs with matching authority are returned;
in checkCanShowSchemas, if the current user is determined to be a super user the check passes; otherwise the ES is queried to determine whether the dbUserName has the authority, and if so the check passes;
in filterSchemas, the user's query authority on schemas is checked: if the current user is a super user all schema names are returned; otherwise all schema names are traversed, each one is checked in the ES by dbUserName, catalogName and schemaName, and the schemas with matching authority are returned;
in checkCanShowTablesMetadata, the ES is queried by dbUserName, catalogName and schemaName to check whether the user has query authority on the metadata;
in filterTables, every tableName of the schema is traversed and the ES is queried to determine whether the user has query authority on each table;
in checkCanSelectFromColumns, the CatalogSchemaTableName is parsed into catalogName and SchemaTableName objects, and the ES is queried by catalogName, schemaName, tableName and columnName to determine whether the user has query authority on the column;
in checkCanInsertIntoTable, catalogName, schemaName and tableName are parsed from the CatalogSchemaTableName, and the check passes if the table queried in the ES carries write authority;
in checkCanDeleteFromTable, catalogName, schemaName and tableName are parsed from the CatalogSchemaTableName, and the ES is queried to determine whether the DELETE_OPERATION_AUTH authority exists.
4. The Trino authority control method based on an Elasticsearch policy of claim 1, wherein after the authority deployment of the current user is completed, the Trino authority control method further comprises: entering the server and verifying that permissions are intercepted as expected by using a preset instruction.
5. A Trino authority control device based on an Elasticsearch policy, comprising a processor configured to:
configure in advance the index and data structure of the ES shared between the service system and Trino, and initialize the Trino connection to the ES based on the trino-main module;
after the current user's permission data have been written on the service side, parse the Trino SQL statement to obtain the catalog, the schema, the table and the executing-user information in the Trino SQL statement;
perform authority verification on the current user based on the catalog, the schema, the table and the executing-user information obtained from the Trino SQL statement;
and, if the verification passes, package the trino-main module corresponding to the current user and replace it in the tar.gz to complete the authority deployment of the current user.
6. The Elasticsearch policy-based Trino authority control device of claim 5, wherein the catalog in the obtained Trino SQL statement comprises:
checkCanAccessCatalog: verifies whether the user can access the catalog;
filterCatalogs: filters the catalogs;
the schema in the obtained Trino SQL statement comprises:
checkCanShowSchemas: checks whether the user can access the schemas under the current catalog;
filterSchemas: filters the schemas the user is allowed to access;
the table in the obtained Trino SQL statement comprises:
filterTables: filters the tables on which the user has query authority;
checkCanInsertIntoTable: checks whether the user has the authority to insert data into the table;
checkCanDeleteFromTable: checks whether the user has the authority to delete data from the table;
the executing-user information in the obtained Trino SQL statement comprises:
checkCanShowTablesMetadata: checks which table metadata the user is allowed to access;
checkCanSelectFromColumns: checks whether the user has the authority to query the columns.
7. The Elasticsearch policy-based Trino authority control device of claim 6, wherein the processor is configured to:
in checkCanAccessCatalog, pass the check if the current user is determined to be a super user; otherwise query the ES by dbUserName to determine whether the user has authority on the catalogName, and pass the check if so;
in filterCatalogs, check the user's query authority on catalogs: if the current user is a super user return all catalogs; otherwise traverse all catalogs, check each one in the ES by dbUserName and catalogName, and return the catalogs with matching authority;
in checkCanShowSchemas, pass the check if the current user is determined to be a super user; otherwise query the ES to determine whether the dbUserName has the authority, and pass the check if so;
in filterSchemas, check the user's query authority on schemas: if the current user is a super user return all schema names; otherwise traverse all schema names, check each one in the ES by dbUserName, catalogName and schemaName, and return the schemas with matching authority;
in checkCanShowTablesMetadata, query the ES by dbUserName, catalogName and schemaName to check whether the user has query authority on the metadata;
in filterTables, traverse every tableName of the schema and query the ES to determine whether the user has query authority on each table;
in checkCanSelectFromColumns, parse the CatalogSchemaTableName into catalogName and SchemaTableName objects, and query the ES by catalogName, schemaName, tableName and columnName to determine whether the user has query authority on the column;
in checkCanInsertIntoTable, parse catalogName, schemaName and tableName from the CatalogSchemaTableName, and pass the check if the table queried in the ES carries write authority;
in checkCanDeleteFromTable, parse catalogName, schemaName and tableName from the CatalogSchemaTableName, and query the ES to determine whether the DELETE_OPERATION_AUTH authority exists.
8. The Elasticsearch policy-based Trino authority control device of claim 5, wherein after the authority deployment of the current user is completed, the processor is configured to: enter the server and verify that permissions are intercepted as expected by using a preset instruction.
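The decision logic enumerated in claims 3 and 7, modelled as an added example (not the patent's or Trino's own code): the Elasticsearch index is stood in for by a constructed in-memory list of permission documents, the function names follow the Trino SPI methods the claims cite, and the `auth` field, the `INSERT` label and the `admin` super user are assumptions.

```python
# Added model of the ES-backed permission checks in claims 3 and 7 (not the patent's code).
# ES_DOCS stands in for the ES index. Field names dbUserName/catalogName/schemaName/tableName/
# columnName and the value DELETE_OPERATION_AUTH are the patent's; "auth" and "INSERT" are hypothetical.
SUPER_USERS = {"admin"}  # constructed; the claims only say "super user"
ES_DOCS = [  # constructed grants: alice reads one column of hive.sales.orders and inserts into it
    {"dbUserName": "alice", "catalogName": "hive", "schemaName": "sales",
     "tableName": "orders", "columnName": "id", "auth": ["SELECT"]},
    {"dbUserName": "alice", "catalogName": "hive", "schemaName": "sales",
     "tableName": "orders", "auth": ["INSERT"]},
    {"dbUserName": "bob", "catalogName": "mysql", "schemaName": "crm",
     "tableName": "leads", "auth": ["DELETE_OPERATION_AUTH"]},
]

def es_query(**terms):
    """Stand-in for an ES term query: every given field must match the document exactly."""
    return [d for d in ES_DOCS if all(d.get(k) == v for k, v in terms.items())]

def check_can_access_catalog(user, catalog):  # super user passes; else ES by dbUserName + catalogName
    return user in SUPER_USERS or bool(es_query(dbUserName=user, catalogName=catalog))
check_can_show_schemas = check_can_access_catalog  # claims 3/7 describe the same lookup

def filter_catalogs(user, catalogs):  # super user sees all; else each catalog is checked one by one
    return set(catalogs) if user in SUPER_USERS else \
        {c for c in catalogs if es_query(dbUserName=user, catalogName=c)}
def filter_schemas(user, catalog, schemas):
    return set(schemas) if user in SUPER_USERS else \
        {s for s in schemas if es_query(dbUserName=user, catalogName=catalog, schemaName=s)}

def check_can_show_tables_metadata(user, catalog, schema):
    # claims 3 and 7 give this check no super-user shortcut: the ES is always queried
    return bool(es_query(dbUserName=user, catalogName=catalog, schemaName=schema))
def filter_tables(user, catalog, schema, tables):
    return {t for t in tables
            if es_query(dbUserName=user, catalogName=catalog, schemaName=schema, tableName=t)}

def check_can_select_from_columns(user, cst, columns):
    catalog, schema, table = cst  # a CatalogSchemaTableName split into its three parts
    return bool(columns) and all(es_query(dbUserName=user, catalogName=catalog, schemaName=schema,
                                          tableName=table, columnName=c) for c in columns)

def _table_auth(user, cst, auth):  # does any document for this table carry the given auth?
    catalog, schema, table = cst
    return any(auth in d.get("auth", ()) for d in es_query(
        dbUserName=user, catalogName=catalog, schemaName=schema, tableName=table))
def check_can_insert_into_table(user, cst):
    return _table_auth(user, cst, "INSERT")
def check_can_delete_from_table(user, cst):
    return _table_auth(user, cst, "DELETE_OPERATION_AUTH")
```

Note that, read literally, the claims give checkCanShowTablesMetadata and the table and column checks no super-user shortcut, so a super user with no ES documents is refused there; the model reproduces that asymmetry rather than hiding it.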
CN202210934305.4A 2022-08-04 2022-08-04 Trino authority control and device based on Elasticissearch strategy Pending CN115455462A (en)


Publications (1)

Publication Number Publication Date
CN115455462A true CN115455462A (en) 2022-12-09



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination