CN115630347A - Dynamic authorization method, device, equipment and storage medium based on credibility measurement - Google Patents
Dynamic authorization method, device, equipment and storage medium based on credibility measurement Download PDFInfo
- Publication number
- CN115630347A CN115630347A CN202211365826.9A CN202211365826A CN115630347A CN 115630347 A CN115630347 A CN 115630347A CN 202211365826 A CN202211365826 A CN 202211365826A CN 115630347 A CN115630347 A CN 115630347A
- Authority
- CN
- China
- Prior art keywords
- file
- credibility
- authorization
- file operation
- credit value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000013475 authorization Methods 0.000 title claims abstract description 102
- 238000000034 method Methods 0.000 title claims abstract description 68
- 238000005259 measurement Methods 0.000 title claims abstract description 11
- 230000008569 process Effects 0.000 claims abstract description 26
- 230000002159 abnormal effect Effects 0.000 claims description 21
- 238000004590 computer program Methods 0.000 claims description 16
- 230000000977 initiatory effect Effects 0.000 claims description 6
- 238000007726 management method Methods 0.000 description 28
- 238000004891 communication Methods 0.000 description 8
- 238000010586 diagram Methods 0.000 description 7
- 238000012545 processing Methods 0.000 description 6
- 230000003287 optical effect Effects 0.000 description 3
- 238000012795 verification Methods 0.000 description 3
- 239000003795 chemical substances by application Substances 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 238000013528 artificial neural network Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000003247 decreasing effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 239000011521 glass Substances 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/18—File system types
- G06F16/182—Distributed file systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a dynamic authorization method, a dynamic authorization device, equipment and a storage medium based on credibility measurement, and relates to the technical field of cloud computing. The method comprises the following steps: acquiring operation information associated with file operation in the process of executing the file operation; determining the reliability of the file operation according to the operation information; and dynamically authorizing the authorization subject to which the file operation belongs based on the credibility of the file operation. The technical scheme of the embodiment of the invention can monitor the full life cycle of user operation, and dynamically authorize the authorization subject based on the file operation credibility, thereby ensuring that the bottom-layer storage HDFS is always in a credible state.
Description
Technical Field
The invention relates to the technical field of cloud computing, in particular to a dynamic authorization method, a device, equipment and a storage medium based on credibility measurement.
Background
Hadoop (Hadoop) is a distributed big data infrastructure. Hadoop encapsulates the distributed bottom layer implementation details, and a user can develop a distributed program without knowing the distributed bottom layer details, and fully utilizes the cluster advantages to calculate and store.
A Hadoop Distributed File System (HDFS for short) implemented by Hadoop can provide storage service for the whole Hadoop System. HDFS stores file blocks separately on different hosts in a cluster in the form of file chunks. The method is very important for protecting the security of the Hadoop system associated file and improving the reliability of the HDFS.
Disclosure of Invention
The invention provides a dynamic authorization method, a device, equipment and a storage medium based on credibility measurement, which aim to solve the problem of low credibility of an HDFS.
According to an aspect of the present invention, there is provided a dynamic authorization method based on a trust metric, including:
acquiring operation information associated with file operation in the process of executing the file operation;
determining the reliability of the file operation according to the operation information;
and dynamically authorizing the authorization subject to which the file operation belongs based on the credibility of the file operation.
According to another aspect of the present invention, there is provided a dynamic authorization apparatus based on a trust metric, comprising:
the file operation system comprises an operation information acquisition module, a file operation processing module and a file management module, wherein the operation information acquisition module is used for acquiring operation information related to file operation in the process of executing the file operation;
the credibility determining module is used for determining the credibility of the file operation according to the operation information;
and the dynamic authorization module is used for dynamically authorizing the authorization subject to which the file operation belongs based on the credibility of the file operation.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform the method for dynamic authorization based on trust metrics according to any of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions for causing a processor to implement the dynamic authorization method based on trust metrics according to any of the embodiments of the present invention when executed.
According to the technical scheme of the embodiment of the invention, the credibility of the current operation is determined by executing the operation information acquired in the file operation process, and then the authorization main body to which the file operation belongs is dynamically authorized according to the credibility of the operation, so that the full life cycle of the user operation can be monitored, the dynamic authorization is carried out on the authorization main body based on the credibility of the file operation, and the HDFS stored at the bottom layer is ensured to be always in a credible state.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a dynamic authorization method based on a trust metric according to an embodiment of the present invention;
FIG. 2a is a flowchart of a dynamic authorization method based on a confidence measure according to a second embodiment of the present invention;
FIG. 2b is a diagram illustrating a file writing process according to a second embodiment of the present invention;
FIG. 2c is a schematic diagram of a file reading according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a dynamic authorization apparatus based on a confidence metric according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device implementing the dynamic authorization method based on trust metrics according to an embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of an embodiment of the present invention, which provides a method for dynamic authorization based on trust measurement, where this embodiment may be applied to dynamically adjust a permission level according to file operation trust, and this method may be performed by a dynamic authorization apparatus based on trust measurement, which may be implemented in hardware and/or software, and which may be configured in various general-purpose computing devices, for example, a client in an HDFS (high-level data file system) in a general-purpose computing device. As shown in fig. 1, the method includes:
s110, acquiring operation information associated with the file operation in the file operation executing process.
HDFS is a system that provides file storage services for the entire Hadoop system. The HDFS includes a client, a management node (namenode), and at least one data node (dataode). The management node is used for maintaining the file system tree and all files and directories in the file system tree, wherein the HDFS can divide the files into blocks when storing the files, and the obtained file blocks are stored on the data nodes in the cluster. Meanwhile, the management node also maintains the information of the data node where each file block included in each file is located. The data nodes are used for storing the file blocks, and a plurality of file blocks contained in a complete file can be stored on one data node or different data nodes respectively.
When a client side inquires a file, a file inquiry request is firstly sent to a management node, so that the management node feeds back the storage position of a file block contained in the file to be inquired, then the client side reads the file block from a corresponding data node according to the storage position fed back by the management node, and the file block is spliced to obtain a complete file.
Similarly, when the client writes a file, a file query request is first initiated to the management node, so that the management node queries whether a part of file blocks of the file are already stored in the data node. If not, a file index needs to be created in the management node, and then one or more data nodes meeting the data storage condition are determined in the plurality of data nodes. Finally, the file to be written is divided into file blocks and stored in the file nodes, wherein the file blocks can be stored in one data node or a plurality of data nodes in a backup mode.
In addition, the management node also comprises a log recording module which is used for recording file operation logs. The file operation log comprises at least one item of operation information acquired in the file operation process. For example, file information, user information for initiating a file operation, and system information during execution of a file operation may be recorded during the above-described file query and file write processes. For example, the user information may include a user identity identifier and information of a group in which the user is located, the file information may include a file identifier, a file size, a file read/write time, an identifier and a size of a file block included in the file, and the system information in performing the file operation may include network traffic information and the like.
In the embodiment of the invention, the operation information associated with the file operation is acquired in the process of executing the file operation. Illustratively, in the process of reading a file, information such as a user initiating a file writing operation, a group to which the user belongs, a file identifier of a file to be read, a file size, time consumed for reading the file, and network traffic required for reading the file is obtained. The operation information associated with the file operation can be read and stored in the file operation log.
And S120, determining the reliability of the file operation according to the operation information.
The credibility user represents the credibility of the current file operation, and the higher the credibility is, the higher the credibility of the current file operation is represented.
In the embodiment of the invention, after the operation information associated with the file operation is acquired, the credibility of the current file operation is determined according to the operation information. Specifically, the credibility of each item of operation information corresponding to one file operation may be determined first, and then the weighted summation is performed on the credibility of each item of operation information to obtain the credibility of the current file operation. The credibility of each item of operation information may be determined by a preset scoring rule, for example, the credibility of the network traffic in the operation information may be obtained according to a preset mapping relationship between a network traffic interval and the credibility. The operation information can be input into a pre-constructed operation reliability model, and the reliability of the file operation output by the operation reliability model is obtained.
Optionally, determining the reliability of the file operation according to the operation information includes:
and inputting the operation information into the operation credibility model, and acquiring the credibility of the file operation output by the operation credibility model.
In this optional embodiment, a specific way of determining the reliability of the file operation according to the operation information is provided: and inputting the operation information into the operation credibility model, and acquiring the file operation credibility output by the operation credibility model. For example, the operational confidence model may be a confidence interval model, a normal distribution model, a neural network, or the like.
In a specific example, whether the acquired at least one item of operation information is in a confidence interval is judged, and if all the operation information corresponding to the current file operation is in the confidence interval, the reliability of the file operation is determined to be 100%; and if part of operation information corresponding to the current file operation is not in the confidence interval, determining the reliability of the current file operation according to the proportion of the credible operation information in all operation information.
In another specific example, the operation information related to the current file operation is input into the normal distribution model, and the reliability of the file operation output by the normal distribution model is obtained.
Optionally, the operational reliability model is constructed through the following processes:
reading operation information associated with file operation in a file operation log;
and taking the operation information as a sample, and constructing an operation credibility model.
In this optional embodiment, a method for constructing an operation reliability model is provided: firstly, a large number of file operations and operation information corresponding to the file operations are obtained from a file operation log, and an operation reliability model is constructed by taking the operation information as a sample.
And S130, dynamically authorizing the authorization subject to which the file operation belongs based on the credibility of the file operation.
The authorization subject refers to a subject that can perform authorization in the HDFS, for example, the authorization subject may be a user of the HDFS, or may be a group consisting of multiple users. The authorization principal may be dynamically authorized based on a trustworthiness of at least one file operation performed by the authorization principal. For example, if the reliability of the file operation performed by the authorization subject is higher than the set threshold, the permission level of the authorization subject may be increased. On the contrary, if the credibility of the file operation is lower than the set threshold, the authority level of the authorization subject can be reduced. The authorized principal can only perform file operations within the scope of the level of authority to which it is granted.
In the embodiment of the invention, based on the credibility of the file operation, the authorization subject to which the file operation belongs can be dynamically authorized. Specifically, when the authorization agent executes the file operation, the reliability of the file operation is determined, and if the reliability is higher than a set threshold, the permission level of the authorization agent to which the file operation belongs may be increased, otherwise, the permission level may be decreased. The credit value of the authorization subject can be adjusted based on the credibility of each file operation of the authorization subject, and the authorization subject is dynamically authorized based on the change of the credit value of the authorization subject. Wherein the higher the credit value of the authorized subject, the higher the level of authority that can be granted. The authorization main body is dynamically authorized through the file operation credibility fed back during each file operation, so that the HDFS can be ensured to be in a credible state, and the file storage safety of the HDFS is improved.
In a specific example, the authority level of the authorized subject is three levels when the authorized subject performs file operation. If the credibility of the continuous 5 times of file operation is higher than the set threshold value, the authority level of the authorization subject can be adjusted to be high, for example, to be two levels.
In another specific example, during the file operation performed by the authorized subject, the credibility of each file operation is obtained, and then after the execution of each file operation is completed, the credit value of the current authorized subject is adjusted based on the credibility. And finally, dynamically authorizing the authorization subject according to the corresponding relation between the credit value and the authority level.
According to the technical scheme of the embodiment of the invention, the credibility of the current operation is determined by executing the operation information collected in the file operation process, and then the authorization subject to which the file operation belongs is dynamically authorized according to the credibility of the operation, so that the full life cycle of the user operation can be monitored, the dynamic authorization is carried out on the authorization subject based on the credibility of the file operation, and the HDFS stored at the bottom layer is ensured to be always in a credible state.
Example two
Fig. 2a is a flowchart of a dynamic authorization method based on a trust metric according to a second embodiment of the present invention, which is further detailed based on the above embodiment, and provides specific steps for dynamically authorizing an authorization subject to which a file operation belongs based on the trust of the file operation. As shown in fig. 2a, the method comprises:
s210, in the process of executing the file operation, operation information associated with the file operation is acquired.
And S220, determining the reliability of the file operation according to the operation information.
And S230, adjusting the original credit value of the authorization subject to which the file operation belongs based on the credibility of the file operation to obtain an updated credit value.
In the embodiment of the invention, when the authorization subject executes the file operation each time, the credibility of the file operation each time is determined, and the original credit value is adjusted according to the credibility of the file operation each time, so that the credit value is continuously updated to obtain the updated credit value. The credibility of the file operation and the credit value of the authorization subject are in positive correlation, and the higher the credibility of the file operation is, the higher the credit value of the corresponding authorization subject is.
S240, dynamically authorizing the authorization subject based on the updated credit value; wherein the higher the credibility of the file operation is, the higher the credit value of the authorized subject is.
In the embodiment of the invention, after the credit value of the authorization subject is updated according to the credibility of the current file operation, the authorization subject is dynamically authorized based on the obtained updated credit value. Specifically, the corresponding relationship between the credit value range and the authorization level may be pre-established, and after the updated credit value is obtained, the credit value range in which the updated credit value is located is determined first, and then dynamic authorization is performed for the authorization subject according to the authorization level corresponding to the located credit value range. The higher the credibility of the file operation is, the higher the credit value of the authorization subject is, and the higher the authority level which can be allocated to the authorization subject is.
Optionally, dynamically authorizing the authorization subject based on the updated credit value includes:
determining a target credit value range to which the updated credit value belongs in at least one candidate credit value range divided in advance;
and determining a target authority level corresponding to the target credit value range based on the corresponding relation between the candidate credit value range and the authority level, and granting the authority corresponding to the target authority level to the authorization subject.
In this optional embodiment, a specific manner is provided for only dynamically authorizing an authorized subject based on updating a credit value, where: after the updated credit value is obtained, a target credit value range to which the current updated credit value belongs is determined in a plurality of candidate credit value ranges divided in advance. Further, a target authority level corresponding to the target credit value range is determined based on the corresponding relation between the candidate credit value range and the authority level, and finally the authority corresponding to the target authority level is granted to the authorization subject.
Optionally, the embodiment of the present invention further includes:
responding to a file writing request of a user, initiating a file query request to a management node, and reading a stored file block associated with a file to be written in the file writing request in a data node based on position information fed back by the management node;
judging whether the stored file block is in an abnormal state or not based on historical operation information associated with the stored file block in the file operation log;
and under the condition that the stored file block does not belong to the abnormal state, writing the file to be written into the data node based on the position information, and storing the operation information in the file writing process into a file operation log.
In this optional embodiment, as shown in fig. 2b, in response to a file writing request of a user, a file querying request is initiated to a management node, where the file querying request is used to instruct the management node to query whether a file block included in a current file to be written is stored in a data node. If yes, the management node feeds back the position information of the stored file blocks to the client. And the client reads the stored file block associated with the file to be written in the data node according to the position information. Further, historical operation information associated with the stored file block is acquired from the file operation log, and the read operation information associated with the stored file block is compared with the historical operation information to determine whether the stored file block is in an abnormal state, for example, to determine the integrity of the read file. And if the file is in the abnormal state, interrupting the current file writing operation and initiating an abnormal prompt. And if the file does not belong to the abnormal state, continuously writing other file blocks of the file to be written into the data stage on the basis of the position information. In the process of writing the file block, the operation information of the file writing process is stored in the file operation log. The operation information written in the file operation log may include identity information, file information, time information, network traffic information, and the like of the writing user. And if the writing time exceeds the set time threshold, the writing is considered to be abnormal, the terminal operation is executed, and an alarm prompt is carried out.
In addition, if the current file to be written is not stored in the data node, a new file index is created in the management node, and the client needs to determine at least one data node for file storage. Specifically, the determined at least one data node is formed into a pipeline, and the file blocks are written into the data nodes in a serial mode. The last data node in the pipeline can determine the integrity of the written file block by checking the CRC-32 check code, and the correctness in the transmission process of the file block is ensured. And after the verification is completed, a message for confirming the successful writing is sent to the client in a reverse direction.
Optionally, the embodiment of the present invention further includes:
responding to a file reading request of a user, sending a file reading request to a management node, reading file blocks in a data node based on position information fed back by the management node, and splicing the read file blocks into a file to be read;
judging whether the file to be read is abnormal or not based on the current operation information of the file to be read and historical operation information associated with the file to be read in the file operation log;
and under the condition that the file to be read is abnormal, reading the file and reporting an error, and storing the current operation information into a file operation log.
In this optional embodiment, as shown in fig. 2c, in response to a file reading request of a user, a client sends a file reading request to a management node, where the file reading request is used to instruct the management node to acquire location information of a file to be read. And the client reads the file blocks in the data nodes according to the position information fed back by the management node, and splices the read file blocks to obtain the file to be read. Further, the client reads historical operation information associated with the current file to be read from the file operation log, compares the historical operation information with operation information associated with the reading process of the file to be read, and determines whether the file to be read is abnormal, for example, an SHA-32 verification code of a file block can be obtained from the file operation log, and whether the file is abnormal is determined by verifying the SHA-32 and CRC-32 verification codes of the file block. And under the condition that the file to be read is abnormal, reading the file and reporting an error, and storing the current operation information into a file operation log. And under the condition that the file to be read is not abnormal, displaying the read file to be read. The position information fed back to the client by the management node comprises initial address information of each file block in the file to be read.
It is noted that in order to facilitate querying of operational information, an index of user dimensions, time dimensions, and file dimensions may be created when performing file operation log records.
The time dimension can be in units of days, the operation information of the same date can be recorded in the same category, and a user can search the file operation log through the date and view the operation information of all file operations in the corresponding date range.
The user dimension means that the logs are classified according to different users or user groups, and all historical operations performed by the users or the user groups can be visually seen under the classification, so that credibility analysis can be performed on the behaviors of specific users or users in one user group.
The file dimension is based on the size of the file block with the minimum HDFS, all historical operation information of the file block can be searched in the dimension, and the problem is located conveniently.
According to the technical scheme of the embodiment of the invention, the credibility of the current file operation is determined according to the operation information, the original credit value of the authorization main body to which the file operation belongs is adjusted according to the credibility to obtain the updated credit value, the authorization main body is dynamically authorized based on the updated credit value finally, the full life cycle monitoring of the file operation can be carried out in a credibility measurement mode, and the authority of the authorization main body is dynamically adjusted based on the credibility of the file operation, so that the HDFS is kept in a credible state, and the security of the HDFS stored file is improved.
EXAMPLE III
Fig. 3 is a schematic structural diagram of a dynamic authorization apparatus based on a confidence metric according to a third embodiment of the present invention. As shown in fig. 3, the apparatus includes:
an operation information obtaining module 310, configured to obtain operation information associated with a file operation in a process of executing the file operation;
a reliability determining module 320, configured to determine reliability of the file operation according to the operation information;
and the dynamic authorization module 330 is configured to dynamically authorize an authorization subject to which the file operation belongs based on the credibility of the file operation.
According to the technical scheme of the embodiment of the invention, the credibility of the current operation is determined by executing the operation information acquired in the file operation process, and then the authorization main body to which the file operation belongs is dynamically authorized according to the credibility of the operation, so that the full life cycle of the user operation can be monitored, the dynamic authorization is carried out on the authorization main body based on the credibility of the file operation, and the HDFS stored at the bottom layer is ensured to be always in a credible state.
Optionally, the dynamic authorization module 330 includes:
the updating credit value determining unit is used for adjusting the original credit value of the authorization subject to which the file operation belongs based on the credibility of the file operation to obtain an updating credit value;
a dynamic authorization unit, configured to perform dynamic authorization on the authorization subject based on the updated credit value;
wherein the higher the credibility of the file operation is, the higher the credit value of the authorization subject is.
Optionally, the dynamic authorization unit is specifically configured to:
determining a target credit value range to which the updated credit value belongs in at least one candidate credit value range divided in advance;
and determining a target authority level corresponding to the target credit value range based on the corresponding relation between the candidate credit value range and the authority level, and granting the authority corresponding to the target authority level to the authorization subject.
Optionally, the credibility determining module 320 is specifically configured to:
and inputting the operation information into an operation credibility model, and acquiring the credibility of the file operation output by the operation credibility model.
Optionally, the dynamic authorization apparatus based on the trust metric further includes:
the stored file block reading module is used for responding to a file writing request of a user, initiating a file query request to a management node, and reading a stored file block related to a file to be written in the file writing request in a data node based on position information fed back by the management node;
the file block state judging module is used for judging whether the stored file block is in an abnormal state or not based on historical operation information associated with the stored file block in a file operation log;
and the first log storage module is used for writing the file to be written into a data node based on the position information and storing the operation information in the file writing process into a file operation log under the condition that the stored file block does not belong to an abnormal state.
Optionally, the dynamic authorization apparatus based on the trust metric further includes:
the file to be read acquisition module is used for responding to a file reading request of a user, sending the file reading request to the management node, reading file blocks in the data node based on the position information fed back by the management node, and splicing the read file blocks into a file to be read;
the file state judging module is used for judging whether the file to be read is abnormal or not based on the current operation information of the file to be read and historical operation information associated with the file to be read in a file operation log;
and the second log storage module is used for performing file reading error reporting and storing the current operation information to a file operation log under the condition that the file to be read is abnormal.
Optionally, the dynamic authorization apparatus based on the trust metric further includes:
the operation information reading module is used for reading operation information related to file operation in the file operation log;
and the credibility model building module is used for taking the operation information as a sample to build an operation credibility model.
The dynamic authorization device based on the credibility measurement provided by the embodiment of the invention can execute the dynamic authorization method based on the credibility measurement provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example four
FIG. 4 illustrates a block diagram of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 can also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to the bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. Processor 11 performs the various methods and processes described above, such as a dynamic authorization method based on a trustworthiness metric.
In some embodiments, the dynamic authorization method based on the trustworthiness metric may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the above-described trust metric-based dynamic authorization method may be performed. Alternatively, in other embodiments, the processor 11 may be configured by any other suitable means (e.g., by means of firmware) to perform a dynamic authorization method based on trust metrics.
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), system on a chip (SOCs), complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Computer programs for implementing the methods of the present invention can be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user may provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A dynamic authorization method based on credibility measurement is characterized by comprising the following steps:
acquiring operation information associated with file operation in the process of executing the file operation;
determining the credibility of the file operation according to the operation information;
and dynamically authorizing the authorization subject to which the file operation belongs based on the credibility of the file operation.
2. The method of claim 1, wherein dynamically authorizing the authorization subject to which the file operation belongs based on the trustworthiness of the file operation comprises:
adjusting an original credit value of an authorization subject to which the file operation belongs based on the credibility of the file operation to obtain an updated credit value;
dynamically authorizing the authorization principal based on the updated credit value;
wherein the higher the credibility of the file operation is, the higher the credit value of the authorization subject is.
3. The method of claim 2, wherein dynamically authorizing the authorization principal based on the updated credit value comprises:
determining a target credit value range to which the updated credit value belongs in at least one candidate credit value range divided in advance;
and determining a target authority level corresponding to the target credit value range based on the corresponding relation between the candidate credit value range and the authority level, and granting the authority corresponding to the target authority level to the authorization subject.
4. The method of claim 1, wherein determining the trustworthiness of the file operation based on the operation information comprises:
and inputting the operation information into an operation credibility model, and acquiring the credibility of the file operation output by the operation credibility model.
5. The method of claim 1, further comprising:
responding to a file writing request of a user, initiating a file query request to a management node, and reading a stored file block associated with a file to be written in the file writing request in a data node based on position information fed back by the management node;
judging whether the stored file block is in an abnormal state or not based on historical operation information associated with the stored file block in a file operation log;
and under the condition that the stored file block does not belong to the abnormal state, writing the file to be written into a data node based on the position information, and storing the operation information in the file writing process into a file operation log.
6. The method of claim 1, further comprising:
responding to a file reading request of a user, sending a file reading request to a management node, reading file blocks in a data node based on position information fed back by the management node, and splicing the read file blocks into a file to be read;
judging whether the file to be read is abnormal or not based on the current operation information of the file to be read and historical operation information associated with the file to be read in a file operation log;
and under the condition that the file to be read is abnormal, reading the file and reporting an error, and storing the current operation information into a file operation log.
7. The method of claim 4, wherein the operational credibility model is constructed by:
reading operation information associated with file operation in a file operation log;
and taking the operation information as a sample, and constructing an operation credibility model.
8. A dynamic authorization apparatus based on a trust metric, comprising:
the operation information acquisition module is used for acquiring operation information associated with the file operation in the process of executing the file operation;
the credibility determining module is used for determining the credibility of the file operation according to the operation information;
and the dynamic authorization module is used for dynamically authorizing the authorization subject to which the file operation belongs based on the credibility of the file operation.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A computer-readable storage medium storing computer instructions for causing a processor to implement the dynamic authorization method based on trust metrics of any one of claims 1-7 when executed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211365826.9A CN115630347A (en) | 2022-10-31 | 2022-10-31 | Dynamic authorization method, device, equipment and storage medium based on credibility measurement |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211365826.9A CN115630347A (en) | 2022-10-31 | 2022-10-31 | Dynamic authorization method, device, equipment and storage medium based on credibility measurement |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115630347A true CN115630347A (en) | 2023-01-20 |
Family
ID=84908290
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211365826.9A Pending CN115630347A (en) | 2022-10-31 | 2022-10-31 | Dynamic authorization method, device, equipment and storage medium based on credibility measurement |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115630347A (en) |
-
2022
- 2022-10-31 CN CN202211365826.9A patent/CN115630347A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9239887B2 (en) | Automatic correlation of dynamic system events within computing devices | |
EP4099170B1 (en) | Method and apparatus of auditing log, electronic device, and medium | |
CN112445854B (en) | Multi-source service data real-time processing method, device, terminal and storage medium | |
US20210092160A1 (en) | Data set creation with crowd-based reinforcement | |
CN109543891B (en) | Method and apparatus for establishing capacity prediction model, and computer-readable storage medium | |
CN111124917B (en) | Method, device, equipment and storage medium for managing and controlling public test cases | |
US11366821B2 (en) | Epsilon-closure for frequent pattern analysis | |
US11212162B2 (en) | Bayesian-based event grouping | |
CN114443437A (en) | Alarm root cause output method, apparatus, device, medium, and program product | |
CN115396280B (en) | Alarm data processing method, device, equipment and storage medium | |
CN115086047B (en) | Interface authentication method and device, electronic equipment and storage medium | |
CN116578646A (en) | Time sequence data synchronization method, device, equipment and storage medium | |
CN116089985A (en) | Encryption storage method, device, equipment and medium for distributed log | |
CN115719167A (en) | Vehicle information safety monitoring method and device | |
CN116011677A (en) | Time sequence data prediction method and device, electronic equipment and storage medium | |
CN115630347A (en) | Dynamic authorization method, device, equipment and storage medium based on credibility measurement | |
CN115509853A (en) | Cluster data anomaly detection method and electronic equipment | |
CN114896418A (en) | Knowledge graph construction method and device, electronic equipment and storage medium | |
CN114281586A (en) | Fault determination method and device, electronic equipment and computer readable storage medium | |
CN113052509A (en) | Model evaluation method, model evaluation apparatus, electronic device, and storage medium | |
CN112764957A (en) | Application fault delimiting method and device | |
CN111552703A (en) | Data processing method and device | |
CN114650252B (en) | Routing method and device based on enterprise service bus and computer equipment | |
CN116149971B (en) | Equipment fault prediction method and device, electronic equipment and storage medium | |
US12124326B2 (en) | Automatic correlation of dynamic system events within computing devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |