CN115934671B - Access control list processing method, device, equipment and storage medium - Google Patents


Info

Publication number: CN115934671B
Authority: CN (China)
Prior art keywords: acl, ntfs, ntfs acl, inheritance, directory
Legal status: Active
Application number: CN202310247425.1A
Other languages: Chinese (zh)
Other versions: CN115934671A
Inventor: 李世杰
Current assignee: Inspur Electronic Information Industry Co Ltd
Original assignee: Inspur Electronic Information Industry Co Ltd
Abstract

The invention discloses a method, a device, equipment and a storage medium for processing an access control list, in the technical field of digital office. The method comprises the following steps: setting an NTFS ACL with an inheritance attribute on a parent directory and generating a priority ID for that NTFS ACL, where an NTFS ACL with an inheritance attribute is one that a subdirectory and/or a subfile may inherit from the parent directory; at the target object (a subdirectory or a subfile), ignoring any request to set an NTFS ACL that carries the inherited-from-upper-level flag; and when the NTFS ACL of the target object is queried and the target object has inheritance enabled, reading the NTFS ACL with the inheritance attribute from the parent directory according to the priority ID. The method can greatly improve the speed of setting NTFS ACLs.

Description

Access control list processing method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of digital office, and in particular to a method for processing an access control list; it also relates to a device, equipment and a storage medium for processing an access control list.
Background
With the continued development of digital office, shared-mode office scenarios based on the SMB (Server Message Block) protocol are increasingly used inside enterprises. Compared with other application scenarios, the requirements on file access rights in the office scenario are stricter: for different subdirectories under the same share, not only must the directories that staff members access be isolated from one another, but the relevant personnel of the administrator group must also be able to exercise proper rights control. In enterprise office scenarios, the server operating system that uses a large-scale distributed storage cluster as its infrastructure is mainly Linux, and the SMB sharing service is provided on it. The native SMB service of the Linux system currently has the following main disadvantages:
It lacks optimization for batch ACL (Access Control List) permission settings: when a Windows client changes the permissions of a parent directory for its subdirectories and subfiles, every subdirectory and subfile must be traversed and set individually. Although some storage vendors implement support for NTFS (New Technology File System) ACL rights, their ACL storage is still based on the single file, so when there are millions or tens of millions of small files in bulk, an ACL change operation from a Windows client still has to traverse all the files and change their rights one by one.
In view of this, solving the above technical defects has become a technical problem to be addressed by those skilled in the art.
Disclosure of Invention
The invention aims to provide a processing method of an access control list, which can greatly improve the setting speed of NTFS ACL. Another object of the present invention is to provide an apparatus, a device, and a storage medium for processing an access control list, which have the above technical effects.
In order to solve the above technical problems, the present invention provides a method for processing an access control list, including:
setting an NTFS ACL with an inheritance attribute on a parent directory, and generating a priority ID for the NTFS ACL with the inheritance attribute; the NTFS ACL with the inheritance attribute is an NTFS ACL that a subdirectory and/or a subfile can inherit from the parent directory;
ignoring, at a target object, a request to set an NTFS ACL that carries the inherited-from-upper-level flag; the target object comprises the subdirectory and the subfile;
when the NTFS ACL of the target object is queried and the target object has inheritance enabled, reading the NTFS ACL with the inheritance attribute from the parent directory according to the priority ID.
Optionally, generating the priority ID of the NTFS ACL with the inheritance attribute includes:
if the NTFS ACL with the inheritance attribute applies to subdirectories, generating a subdirectory priority ID;
if the NTFS ACL with the inheritance attribute applies to subfiles, generating a subfile priority ID.
Optionally, reading the NTFS ACL with the inheritance attribute from the parent directory includes:
reading, from the parent directory, the NTFS ACL with the inheritance attribute that has the highest priority ID.
Optionally, the method further comprises:
if the target object has inheritance disabled, reading the NTFS ACL unique to the target object.
Optionally, the data structure of the NTFS ACL includes:
an NTFS ACL identification, an account body, a rights type, an inheritance type, and the priority ID.
Optionally, the NTFS ACL identification includes:
a presence flag, a self-relative flag, an automatic inheritance flag, and a protection flag.
Optionally, the rights categories include:
file read data / directory enumerate subdirectories and subfiles, file write data / directory add subfile, file append data / directory add subdirectory, file read extended attributes, file write extended attributes, file execute, file path traversal check, delete subdirectories and subfiles, file read attributes, file write attributes, delete, read ACL information, change ACL information, change owner, and file synchronize.
Optionally, the rights type includes allow rights and deny rights, and the allow rights and the deny rights are stored in different extended attributes of the file metadata.
Optionally, setting the NTFS ACL includes:
if the NTFS ACL applies to the current directory only, adding the NTFS ACL to the UNIX Access ACL linked list;
if the NTFS ACL applies to the current directory, its subdirectories and its subfiles, adding the NTFS ACL to both the UNIX Default ACL linked list and the UNIX Access ACL linked list;
if the NTFS ACL applies to the subdirectories and subfiles only, adding the NTFS ACL to the UNIX Default ACL linked list.
Optionally, the method further comprises:
the read NTFS ACL is returned to the client.
Optionally, returning the read NTFS ACL to the client includes:
when the client is a Windows client, merging the read Access ACL with the Default ACL, converting the merged result into a standard NTFS ACL, and returning the standard NTFS ACL to the Windows client.
Optionally, returning the read NTFS ACL to the client includes:
when the client is a UNIX client, mapping the NTFS ACL to rwx rights and returning them to the UNIX client.
Optionally, the method further comprises:
traversing the read NTFS ACL, and matching the read NTFS ACL with an access token of the client;
and if the matching is unsuccessful, refusing to process the operation request of the client.
Optionally, the method further comprises:
when modifying a target NTFS ACL of a subdirectory, disabling inheritance on the subdirectory and adding a priority ID to the modified target NTFS ACL; the target NTFS ACL is an NTFS ACL that belongs to the same user or user group as an NTFS ACL set on the parent directory, and the priority ID added to the modified target NTFS ACL is higher than the priority ID of that parent-directory NTFS ACL of the same user or user group.
Optionally, the method further comprises:
and when deleting the NTFS ACL of the subdirectory, disabling inheritance for the subdirectory and deleting the NTFS ACL of the subdirectory.
Optionally, the method further comprises:
when modifying the NTFS ACL with inherited properties of the parent directory, incrementing a priority ID of the NTFS ACL with inherited properties.
Optionally, the method further comprises:
when creating a subdirectory under the parent directory, acquiring the NTFS ACL of the parent directory, and when the parent directory has an inheritable NTFS ACL, leaving the created subdirectory's own NTFS ACL empty.
In order to solve the technical problem, the present invention further provides a processing device for an access control list, including:
a generation module for setting an NTFS ACL with an inheritance attribute on a parent directory and generating a priority ID for it; the NTFS ACL with the inheritance attribute is an NTFS ACL that a subdirectory and/or a subfile can inherit from the parent directory;
a setting module for ignoring, at a target object, a request to set an NTFS ACL that carries the inherited-from-upper-level flag; the target object comprises the subdirectory and the subfile;
a reading module for reading the NTFS ACL with the inheritance attribute from the parent directory according to the priority ID when the NTFS ACL of the target object is queried and the target object has inheritance enabled.
In order to solve the technical problem, the present invention further provides an access control list processing device, including:
a memory for storing a computer program;
a processor for implementing the steps of the method for processing an access control list according to any one of the preceding claims when executing said computer program.
To solve the above technical problem, the present invention further provides a storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method for processing an access control list as set forth in any one of the above.
The method for processing an access control list provided by the invention comprises: setting an NTFS ACL with an inheritance attribute on a parent directory and generating a priority ID for it, where the NTFS ACL with the inheritance attribute is an NTFS ACL that a subdirectory and/or a subfile can inherit from the parent directory; ignoring, at a target object, a request to set an NTFS ACL that carries the inherited-from-upper-level flag, where the target object comprises the subdirectory and the subfile; and when the NTFS ACL of the target object is queried and the target object has inheritance enabled, reading the NTFS ACL with the inheritance attribute from the parent directory according to the priority ID.
Thus, when an NTFS ACL with an inheritance attribute is set on the parent directory, the method generates a corresponding priority ID, and that NTFS ACL does not have to be set again on each subdirectory and subfile. When the NTFS ACL of a subdirectory or subfile is queried, the inherited NTFS ACL is simply read from the parent directory according to the priority ID. For the rights of a single user or user group, the subdirectories and subfiles therefore depend only on the NTFS ACL of the parent directory, and the speed of setting NTFS ACLs can be greatly improved.
The device, equipment and storage medium for processing an access control list provided by the invention have the same technical effects.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required in the prior art and the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for processing an access control list according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an NTFS ACL interaction architecture according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an NTFS ACL input/output result according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a device for processing an access control list according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of access control list processing equipment according to an embodiment of the present invention.
Detailed Description
The core of the invention is to provide a processing method of an access control list, which can greatly improve the setting speed of NTFS ACL. Another core of the present invention is to provide a processing apparatus, a device, and a storage medium for an access control list, which all have the above technical effects.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a flowchart of a method for processing an access control list according to an embodiment of the present invention. Referring to Fig. 1, the method is applied to a distributed storage cluster and includes:
S101: setting an NTFS ACL with an inheritance attribute on a parent directory, and generating a priority ID for the NTFS ACL with the inheritance attribute; the NTFS ACL with the inheritance attribute is an NTFS ACL that a subdirectory and/or a subfile can inherit from the parent directory.
When a parent directory sets rights that its subdirectories and subfiles can inherit, the NTFS ACL supports applying the inherited rights dynamically through the set operation; at that point the Windows client finds the subdirectories and subfiles by traversal and then sets the rights on them one level at a time. If the NTFS ACL set operation is executed on a distributed storage cluster, the NTFS ACL cache information is recorded at the same time, so a large number of permission changes causes a marked increase in time consumption. To reduce this, the embodiment converts most of the NTFS ACL set processing into query processing and so achieves fast NTFS ACL setting. To this end, the embodiment extends the standard NTFS ACL structure with a priority ID field. The priority ID may be represented as an unsigned integer and records the priority information of a single NTFS ACL of a parent directory or subdirectory. After the SMB service receives a standard NTFS ACL, it automatically converts it into the extended NTFS ACL and attaches the priority ID; when the ACL is then set on the file, a UNIX ACL compatibility conversion is performed automatically.
When an NTFS ACL with inherited properties is set to a parent directory, a priority ID of the NTFS ACL with inherited properties is generated accordingly.
Wherein in some embodiments, the generating the priority ID of the NTFS ACL with inherited properties comprises:
if the NTFS ACL with the inheritance attribute is applied to the subdirectory, generating a subdirectory priority ID;
and if the NTFS ACL with the inherited attribute is applied to the subfiles, generating a subfile priority ID.
The priority IDs in this embodiment comprise a subdirectory inheritance priority ID and a subfile inheritance priority ID. The subdirectory inheritance priority ID controls inheritance by subdirectories, and the subfile inheritance priority ID controls inheritance by subfiles.
For example, if the NTFS ACL of a certain user or user group applies only to the current shared root directory itself, both the subdirectory inheritance priority ID and the subfile inheritance priority ID may be set to 0. If it applies to subdirectories, the subdirectory inheritance priority ID is set to 1; if it applies to subfiles, the subfile inheritance priority ID is set to 1.
Setting the priority ID according to the object the inheritable NTFS ACL applies to resolves two defects of UNIX ACL rights in the prior art: a newly set inherited right takes effect only for newly created files and not for existing ones, and UNIX ACL inheritance can only apply to subdirectories and subfiles together, never to one of the two alone.
For the same user, when an NTFS ACL with inherited properties is initially set for a parent directory, a priority ID is automatically initialized. When the NTFS ACL with inherited properties is subsequently modified, the corresponding priority ID is incremented, e.g., by one. For the same user, the NTFS ACL with the largest priority ID and inherited attribute is the NTFS ACL ultimately inherited by the subdirectory and/or the subfile.
The extended NTFS ACL structure includes, besides the priority ID field, an NTFS ACL identification, an account body, a rights type and an inheritance type. The NTFS ACL identification describes the attributes of the NTFS ACL as a whole and comprises a presence flag, a self-relative flag, an automatic inheritance flag and a protection flag. The presence flag indicates whether an ACL exists; the self-relative flag indicates that the current ACL information comes from the object's own data; the automatic inheritance flag indicates that newly created subdirectories and subfiles automatically inherit the parent directory's rights when the parent directory has inheritable rights; the protection flag controls whether rights may be inherited from the directory one level up.
The account body may be identified with a SID for uniquely marking a user or group of users. Each NTFS ACL has an account body. Referring to fig. 2, when the client issues an NTFS ACL to the storage, the storage converts the account body, i.e., the account SID shown in fig. 2, into a user UID and user group GID form in UNIX ACL format.
For finer control, in some embodiments the rights categories include: file read data / directory enumerate subdirectories and subfiles, file write data / directory add subfile, file append data / directory add subdirectory, file read extended attributes, file write extended attributes, file execute, file path traversal check, delete subdirectories and subfiles, file read attributes, file write attributes, delete, read ACL information, change owner, and file synchronize.
Providing these rights categories resolves a defect of the prior art, which lacks support for the complete set of NTFS ACL rights categories: when a Windows client sends NTFS ACL rights to the SMB server in an SMB protocol message, they are converted by default into UNIX ACL rights, which have only the three rights r, w and x and therefore cannot meet the need for fine-grained control of NTFS ACL rights.
The rights type is either allow or deny. NTFS ACLs of the two rights types are stored in different extended attributes of the file metadata, and when rights are checked both types are read and checked together. If the same user has both an allow right and a deny right, the deny right may take precedence.
Because the rights type covers both allow and deny, the defect of the prior art that UNIX ACL rights are of the allow type only and lack the deny type that exists in NTFS ACLs is resolved.
The inheritance type identifies how inheritance is carried out. In some embodiments the inheritance types are: inherited from the upper-level directory, inherit to subdirectories, inherit to subfiles, inherit only, and single-level inheritance. Inherited from the upper-level directory means the subdirectory or subfile inherits the right from the directory above it; inherit to subdirectories means the parent directory passes the right down to its subdirectories; inherit to subfiles means the parent directory passes the right down to its subfiles; inherit only means the right is inherited but is not used for checking; single-level inheritance means the parent directory's right is inherited only by the subdirectories and subfiles immediately below it.
S102: ignoring, at a target object, a request to set an NTFS ACL that carries the inherited-from-upper-level flag; the target object comprises the subdirectory and the subfile.
When an NTFS ACL is set on a subdirectory, the entries that the subdirectory can inherit from its parent directory are automatically ignored and are not stored on the subdirectory; only the remaining entries, which cannot be inherited from the parent directory, are processed, i.e. the NTFS ACL entries unique to the subdirectory itself are stored on the subdirectory.
When an NTFS ACL is set on a subfile, the entries that can be inherited from the parent directory are likewise ignored and not stored on the subfile; only the remaining entries that cannot be inherited from the parent directory are processed, i.e. the NTFS ACL entries unique to the subfile are stored on the subfile.
For example, referring to Fig. 3, the parent directory contains subdirectory 1, and subdirectory 1 in turn contains subfile 2. After three NTFS ACLs (two inheritable ones and one inherit-only one) are configured on the parent directory, the inheritable and inherit-only NTFS ACLs exist with a high priority ID, so the rights of NTFS ACL 2 and NTFS ACL 3 do not need to be configured on subdirectory 1; the inheritable rights with the high priority ID are obtained automatically from the parent directory when subdirectory 1 is queried. For subfile 2 under subdirectory 1, besides its own unique NTFS ACL 7, the four inheritable rights NTFS ACL 2, NTFS ACL 3, NTFS ACL 5 and NTFS ACL 6 are inherited automatically from the two directory levels above it.
In addition, when a subdirectory is newly created under a parent directory, it is first determined whether the parent directory has inheritable rights. If so, the new subdirectory's own rights are simply stored as empty. If not, the ACL information of the new subdirectory is generated from the default permission mask.
For example, when a subdirectory is created in a shared root directory, the NTFS ACL of the shared root directory, i.e. the parent directory, is acquired. If it contains an inheritable NTFS ACL, the subdirectory's own NTFS ACL is left empty. If it contains no inheritable NTFS ACL, the subdirectory's own NTFS ACL is generated from the default permission mask.
In some embodiments, setting the NTFS ACL includes:
if the NTFS ACL applies to the current directory only, adding the NTFS ACL to the UNIX Access ACL linked list;
if the NTFS ACL applies to the current directory, its subdirectories and its subfiles, adding the NTFS ACL to both the UNIX Default ACL linked list and the UNIX Access ACL linked list;
if the NTFS ACL applies to the subdirectories and subfiles only, adding the NTFS ACL to the UNIX Default ACL linked list.
The UNIX ACL has no deny type, and converting the deny-type entries of an NTFS ACL directly into UNIX ACL entries with exactly equivalent rights is expensive, so the allow-type and deny-type entries of the NTFS ACL are stored in different extended attributes of the file metadata, and only the allow-type entries go through compatibility processing. When an NTFS ACL set request arrives from a Windows client, each ACL entry is handled according to its inheritance type as follows:
1. A right used for the current directory only is added to the UNIX Access ACL linked list.
2. A right used for the current directory, its subdirectories and its subfiles at the same time is added once to the UNIX Access ACL linked list and once to the UNIX Default ACL linked list.
3. A right used for subdirectories and subfiles only is added directly to the UNIX Default ACL linked list.
S103: when the NTFS ACL of the target object is queried and inheritance is enabled by the target object, the NTFS ACL with inheritance attribute is read from the parent directory according to the priority ID.
When a client requests access to a file or directory, the client brings the desired access rights according to the user operation behavior. After receiving the file operation request, the SMB service actively reads the NTFS ACL of the accessed file.
Specifically, the client opens the specified file with specified rights, and the specified rights are determined by the client's operation mode: a read-only open checks the read right, a read-write open checks the read and write rights, a rename checks the delete right and the add-subdirectory right, and other operations are checked against the rights they specify.
After receiving the file operation request, the storage side reads the NTFS ACL information of the file. It first reads the NTFS ACL identification of the file. If the file has inheritance disabled, only the file's own Access ACL and Default ACL information is read, merged, and converted into the standard NTFS ACL format. If inheritance is enabled, the NTFS ACL information of the directory one level up is read recursively until the NTFS ACL information with the highest priority ID has been read. All NTFS ACL entries with the highest priority ID are then gathered to form the final NTFS ACL of the file, which is returned.
In some embodiments, returning the read NTFS ACL to the client includes:
when the client is a Windows client, merging the read Access ACL with the Default ACL, converting the merged result into a standard NTFS ACL, and returning the standard NTFS ACL to the Windows client.
In other embodiments, returning the read NTFS ACL to the client includes:
when the client is a UNIX client, mapping the NTFS ACL to rwx rights and returning them to the UNIX client.
Further, in some embodiments, further comprising:
traversing the read NTFS ACL and matching it against the client's access token;
if the matching fails, refusing to process the client's operation request.
Specifically, the read NTFS ACL is matched against the user's own access token, which contains the user SID and the user group SIDs. The SMB service of the storage cluster traverses the NTFS ACL entries and looks up each entry's account in the user's access token. On a match, the permission bits of that entry are deducted from the access rights requested by the client. When the requested rights have been reduced to 0, the traversal ends and a success response is returned. If the requested rights still have remaining bits after all NTFS ACL entries have been traversed, the current NTFS ACL rights cannot satisfy the access request, and it is refused outright.
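The token-matching and bit-deduction check just described, written out as an added example (not the patent's or Inspur's code). The permission bit values, operation names, cluster SID and the two client tokens are constructed; the example treats a matching deny entry as taking precedence across every SID in the token, which the description only says "may" be done.

```python
# Constructed access-check example (not the patent's or Inspur's code). Bit values,
# operation names and the sample SIDs are assumptions.
READ_DATA, WRITE_DATA, APPEND_DATA, DELETE, ADD_SUBDIR, READ_ACL = (1 << i for i in range(6))

# Operation mode -> permission bits the client must hold (read-only open, read-write
# open and rename, as the description lists them).
DESIRED_ACCESS = {
    "open_ro": READ_DATA,
    "open_rw": READ_DATA | WRITE_DATA,
    "rename": DELETE | ADD_SUBDIR,
}


def check_access(aces, token, requested):
    """Traverse the effective NTFS ACL, matching each entry's SID against the client's
    access token. Matching allow entries deduct their bits from `requested`; the
    request succeeds as soon as nothing remains. Returns (granted, remaining_bits).
    `aces` are (sid, perms, allow) tuples; `token` is the user SID plus group SIDs."""
    token = set(token)
    # allow and deny entries are stored in separate xattrs and read together; a
    # matching deny that covers any requested bit wins (assumption: applied across
    # all SIDs in the token, not only the user SID)
    for sid, perms, allow in aces:
        if not allow and sid in token and perms & requested:
            return False, requested
    remaining = requested
    for sid, perms, allow in aces:
        if allow and sid in token:
            remaining &= ~perms          # deduct the bits this entry grants
            if remaining == 0:
                return True, 0
    return False, remaining              # bits left over: the ACL cannot satisfy the request


# Constructed sample: the effective ACL read for one file, and two client tokens
DOM = "S-1-5-21-111-222-333"
SAMPLE_ACL = [
    (f"{DOM}-1001", READ_DATA | WRITE_DATA, True),   # user alice: allow read/write
    (f"{DOM}-513", READ_ACL | DELETE, True),         # group: allow read ACL, delete
    (f"{DOM}-1002", READ_DATA, True),                # user bob: allow read
    (f"{DOM}-1002", WRITE_DATA, False),              # user bob: deny write
]
ALICE_TOKEN = [f"{DOM}-1001", f"{DOM}-513"]
BOB_TOKEN = [f"{DOM}-1002", f"{DOM}-513"]


def check(token, op):
    return check_access(SAMPLE_ACL, token, DESIRED_ACCESS[op])


if __name__ == "__main__":
    for who, tok in (("alice", ALICE_TOKEN), ("bob", BOB_TOKEN)):
        for op in DESIRED_ACCESS:
            print(who, op, check(tok, op))
```

The remaining-bits value is worth surfacing in a log line when a request is refused: it tells an administrator exactly which category the ACL failed to cover (here, a rename by alice fails only on the add-subdirectory bit).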
In some embodiments, further comprising:
when modifying a target NTFS ACL of a subdirectory, disabling inheritance on the subdirectory and adding a priority ID to the modified target NTFS ACL; the target NTFS ACL is an NTFS ACL that belongs to the same user or user group as an NTFS ACL set on the parent directory, and the priority ID added to the modified target NTFS ACL is higher than the priority ID of that parent-directory NTFS ACL of the same user or user group.
Specifically, since an inherited NTFS ACL is not editable by default, the Windows client must disable inheritance before it can modify the rights; at that point, modifying the subdirectory's NTFS ACL of a certain user or user group directly overrides the NTFS ACL from the parent directory and is marked with a higher NTFS ACL priority ID.
In some embodiments, further comprising:
and when deleting the NTFS ACL of the subdirectory, disabling inheritance for the subdirectory and deleting the NTFS ACL of the subdirectory.
Once inheritance has been disabled on the subdirectory, its NTFS ACL is deleted directly, and the next query of the subdirectory's NTFS ACL is not affected.
If the parent directory's NTFS ACL is modified again, the subdirectory still has inheritance disabled, so when the subdirectory's NTFS ACL is queried and the disabled-inheritance state is detected, the NTFS ACL from the parent directory is ignored and the NTFS ACL set on the subdirectory itself prevails.
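The priority-ID mechanism end to end, covering the set step S102 (entries flagged as inherited are ignored), the empty own ACL on creation, the query step S103 (walk up the tree, highest priority ID per account wins), the increment when the parent's inheritable entry is modified, and the override and delete behaviour of this section, as an added example in Python. It is not the patent's or Inspur's code; the `Ace` and `Node` structures, the constructed default mask, the permission bit values and the rule that the upward walk stops after an ancestor that has itself disabled inheritance are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the priority-ID inheritance scheme (not the patent's or
# Inspur's code); five permission-category bits stand in for the full list.
READ_DATA, WRITE_DATA, APPEND_DATA, DELETE, READ_ACL = (1 << i for i in range(5))

@dataclass
class Ace:
    sid: str                  # account body (user or group SID)
    perms: int                # permission-category bits
    to_dirs: bool = False     # inheritance type: applies to subdirectories
    to_files: bool = False    # inheritance type: applies to subfiles
    from_upper: bool = False  # "inherited from upper level" flag on a set request
    dir_prio: int = 0         # subdirectory inheritance priority ID (0 = none)
    file_prio: int = 0        # subfile inheritance priority ID (0 = none)

@dataclass
class Node:
    name: str
    is_dir: bool
    parent: "Node | None" = None
    inherit_enabled: bool = True              # False = the "protection" flag is set
    own: dict = field(default_factory=dict)   # sid -> Ace unique to this object

def inheritable(aces):
    return [a for a in aces if a.to_dirs or a.to_files]

def query(node):
    """S103: own ACEs plus, while inheritance is enabled, the inheritable ACE with the
    highest priority ID per account found by walking up the tree. Assumption: the walk
    stops after an ancestor that has itself disabled inheritance."""
    result = dict(node.own)
    if not node.inherit_enabled:
        return list(result.values())
    best = {}  # sid -> (priority ID, Ace)
    anc = node.parent
    while anc is not None:
        for ace in inheritable(anc.own.values()):
            prio = ace.dir_prio if node.is_dir else ace.file_prio
            if prio > best.get(ace.sid, (0, None))[0]:
                best[ace.sid] = (prio, ace)
        if not anc.inherit_enabled:
            break
        anc = anc.parent
    for sid, (_, ace) in best.items():
        result.setdefault(sid, ace)
    return list(result.values())

def create(parent, name, is_dir):
    """New child: own ACL left empty when the parent has inheritable rights,
    otherwise a constructed default mask is applied."""
    node = Node(name, is_dir, parent)
    if not inheritable(query(parent)):
        node.own["S-OWNER"] = Ace("S-OWNER", READ_DATA | WRITE_DATA | READ_ACL)
    return node

def set_acl(node, request):
    """S101/S102: store a client's set request; priority IDs start at 1 and +1 per edit."""
    for ace in request:
        if ace.from_upper:
            continue  # S102: rights inherited from above are never stored here
        prev = node.own.get(ace.sid)
        ace.dir_prio = (prev.dir_prio + 1 if prev else 1) if ace.to_dirs else 0
        ace.file_prio = (prev.file_prio + 1 if prev else 1) if ace.to_files else 0
        node.own[ace.sid] = ace

def override(child, ace):
    """Editing an inherited ACE on a child disables inheritance there and gives the
    edited ACE a priority ID above the ancestor's ACE for the same account."""
    base = max((max(a.dir_prio, a.file_prio) for a in query(child) if a.sid == ace.sid), default=0)
    child.inherit_enabled = False
    ace.dir_prio = ace.file_prio = base + 1
    child.own[ace.sid] = ace

def delete_acl(child, sid):
    """Deleting a child's own ACE also disables inheritance on the child."""
    child.inherit_enabled = False
    child.own.pop(sid, None)

def demo():
    root = Node("share", True)
    set_acl(root, [Ace("S-A", READ_DATA | READ_ACL, to_dirs=True, to_files=True)])
    sub1 = create(root, "sub1", True)
    # the client re-sends the parent's ACE flagged as inherited, plus one unique ACE
    set_acl(sub1, [Ace("S-A", READ_DATA | READ_ACL, from_upper=True),
                   Ace("S-B", DELETE, to_files=True)])
    file2 = create(sub1, "file2", False)
    out = {"file2_initial": {a.sid: a.perms for a in query(file2)}}
    set_acl(root, [Ace("S-A", READ_DATA | WRITE_DATA, to_dirs=True, to_files=True)])
    out["file2_after_parent_edit"] = {a.sid: a.perms for a in query(file2)}
    out["root_prio"] = root.own["S-A"].dir_prio
    override(sub1, Ace("S-A", READ_DATA, to_dirs=True, to_files=True))
    out["sub1_prio"] = sub1.own["S-A"].dir_prio
    set_acl(root, [Ace("S-A", WRITE_DATA | DELETE, to_dirs=True, to_files=True)])
    out["sub1_final"] = {a.sid: a.perms for a in query(sub1)}
    out["file2_final"] = {a.sid: a.perms for a in query(file2)}
    delete_acl(sub1, "S-B")
    out["sub1_after_delete"] = sorted(a.sid for a in query(sub1))
    return out
```

In `demo()`, the parent's second edit changes what `file2` sees without touching `sub1` or `file2` at all, which is the whole point of the scheme; after the override on `sub1`, a third edit of the root no longer reaches `sub1` or its file. The design question a practitioner should settle before deploying something like this is where the walk stops for a protected ancestor: the example stops at it and lets its own inheritable entries flow down, so a child that has disabled inheritance behaves as the new root for everything below it.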
A specific embodiment is described below in terms of four aspects: the extended definition, the fast storage, the compatible conversion, and the query verification of the NTFS ACL.
First, the extended definition of the NTFS ACL, which requires the following definitions in the distributed storage cluster environment:
A standard NTFS ACL data structure is defined, containing the NTFS ACL identification, account SID, permission type and inheritance type. When a client sends an NTFS ACL setting request in SMB format, the ACL data is read from the specified offset according to the SMB protocol specification and parsed into the standard NTFS ACL data structure. The standard NTFS ACL data structure is also used to store permission information converted from the underlying layer, that is, the permission information read from the file itself.
An extended NTFS ACL data structure is defined that contains, in addition to the NTFS ACL identification, permission type and inheritance type of the standard NTFS ACL data structure, a separate user UID, user group GID and priority ID.
The extended NTFS ACL data structure is applicable to both formats of UNIX Access/Default ACL.
A mutual conversion interface between the account SID, the user UID and the user group GID is defined: the relative ID value of the account SID is taken and a base offset is added to obtain the user UID or user group GID. Conversely, the user UID or user group GID, combined with the SID that the SMB service generated for the cluster itself, can be converted into a complete account SID.
A mutual conversion interface between the NTFS ACL and the UNIX Access/Default ACL is defined: when an NTFS ACL is issued, its inheritance type is judged and it is converted into the UNIX Access/Default ACL format. Conversely, after the UNIX Access/Default ACL of a file or directory is queried, the entries are merged and then converted into the standard NTFS ACL format.
Second, the fast storage of the NTFS ACL. With NTFS Full Control permission, the Windows client can modify the permissions of the mapped directory at will. The fast permission change procedure is described below with NTFS Full Control as the initial configuration and with the administrator identity:
Step 1: The Windows client mounts the SMB service of the storage end with the identity of the administrator user. By default Windows assigns network drive letters in reverse order, so after successful authentication the Windows client obtains a mapped network drive Z:, and the administrator can modify the NTFS ACL permissions of the mapped drive at will.
Step 2: On the Windows client, modify the NTFS ACL permissions of the mapped drive Z:. Add user1 with read-only permission and an inheritance scope applied to this folder only, that is, drive Z:. Add user2 with write-only permission and an inheritance scope applied to this folder, subfolders and files. Add user3 with read and write permission and an inheritance scope applied to subfolders and files only.
Step 3: Create the subdirectory dir1 under drive Z:. When the storage-side SMB service receives the creation request for dir1, it reads the permissions of the shared root directory and judges whether they are inheritable. From step 2, user2 and user3 have inheritable permissions, so the storage-side SMB service keeps the subdirectory dir1's own permissions empty rather than setting them separately. When the client queries the permissions of dir1, the parent directory's ACL setting information is present in the cluster cache, so the inherited permission information of user2 and user3 can be looked up directly and relatively quickly, and it is finally returned to the client in the standard NTFS ACL data format of dir1.
Step 4: On drive Z: of the Windows client, change user3 from read and write permission to Full Control, with the inheritance mode still applied to subfolders and files. For the client, the Full Control permission is inherited by the subdirectories and subfiles, so it automatically enumerates all files under the Z: directory and recursively sets user3's permission to Full Control. For the storage-side SMB service, when it receives the permission setting for directory dir1, the NTFS ACL carries the inheritance flag, so the difference processing of that NTFS ACL is skipped directly and only the remaining NTFS ACLs are checked for differences; if there are none, no settings are issued. This inheritance handling reduces the number of metadata operations in the storage cluster.
After steps 3 and 4, the permissions of drive Z: and directory dir1 become: user2 write-only and user3 Full Control.
Step 5: The subdirectory dir1 seen by the Windows client is in the permission-inheritance state by default, so to modify user2's permission independently, inheritance must first be disabled on the NTFS ACL of dir1. After inheritance is disabled on dir1, user2 is independently changed to read and write permission. The storage end now receives a permission setting for dir1 without the inheritance flag, and at the same time the ACL flags carry the inheritance-disabled state, so the ACL flags are updated directly and the new ACL information is written to the metadata extended attributes of dir1.
When the client queries the NTFS ACL of dir1 again, dir1 carries the inheritance-disabled flag, so its own NTFS ACL information is returned directly, without relying on the NTFS ACL information of the parent directory.
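The priority-ID mechanism behind steps 1 to 5, as an added Python model that is not code from the patent or its assignee: inheritable entries on the parent get increasing priority IDs, a new child keeps an empty ACL, a client's recursive push of inherited entries is ignored, a query with inheritance enabled reads the highest-priority entry per account from the parent, and an explicit change on the child disables inheritance with a priority ID above the parent's entry. Scope constant names, rights strings, and the snapshot of inherited entries at the moment inheritance is disabled are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Inheritance scopes as the embodiment describes them (the constant names are assumptions).
THIS_DIR_ONLY = "this_dir_only"          # this folder only
DIR_AND_CHILDREN = "dir_and_children"    # this folder, subfolders and files
CHILDREN_ONLY = "children_only"          # subfolders and files only (inherit-only)


@dataclass
class ExtAce:
    """Extended NTFS ACL entry: account (stands in for UID/GID), rights, scope, priority ID."""
    account: str
    rights: str          # "r", "w", "rw" or "full"
    scope: str
    priority_id: int     # 0 = not inheritable, never takes part in priority comparison


@dataclass
class Node:
    """A directory in the cluster; own_acl holds only what was set on this object itself."""
    name: str
    parent: Optional["Node"] = None
    own_acl: List[ExtAce] = field(default_factory=list)
    inherit_enabled: bool = True
    next_priority: int = 1   # counter from which inheritable priority IDs are generated


def set_inheritable(parent: Node, account: str, rights: str, scope: str) -> ExtAce:
    """Set an ACE on a directory; each inheritable entry gets a fresh, higher priority ID."""
    if scope == THIS_DIR_ONLY:
        ace = ExtAce(account, rights, scope, 0)
    else:
        ace = ExtAce(account, rights, scope, parent.next_priority)
        parent.next_priority += 1
    parent.own_acl.append(ace)   # older versions stay; the reader picks the highest ID
    return ace


def _highest_per_account(aces: List[ExtAce]) -> Dict[str, ExtAce]:
    best: Dict[str, ExtAce] = {}
    for ace in aces:
        cur = best.get(ace.account)
        if cur is None or ace.priority_id > cur.priority_id:
            best[ace.account] = ace
    return best


def inheritable_acl(node: Node) -> Dict[str, ExtAce]:
    """Entries a child may inherit from node, including what reaches node from above."""
    aces = [a for a in node.own_acl if a.scope != THIS_DIR_ONLY]
    if node.inherit_enabled and node.parent is not None:
        aces += inheritable_acl(node.parent).values()
    return _highest_per_account(aces)


def effective_acl(node: Node) -> Dict[str, ExtAce]:
    """What a query of node's NTFS ACL returns."""
    if not node.inherit_enabled:
        return _highest_per_account(node.own_acl)       # own ACL only (claim 4)
    aces = [a for a in node.own_acl if a.scope != CHILDREN_ONLY]
    if node.parent is not None:
        aces += inheritable_acl(node.parent).values()   # read from the parent by priority ID
    return _highest_per_account(aces)


def apply_client_set(target: Node, account: str, rights: str, inherited_flag: bool,
                     scope: str = THIS_DIR_ONLY) -> bool:
    """SMB set request on a child: entries pushed with the inherited flag are ignored; an
    explicit change disables inheritance and outranks the parent's entry for that account."""
    if inherited_flag:
        return False
    if target.inherit_enabled:
        # Assumption: like Windows' "convert inherited permissions into explicit ones", the
        # inherited entries are snapshotted into the child's own ACL at this moment.
        target.own_acl = [ExtAce(a.account, a.rights, DIR_AND_CHILDREN, a.priority_id)
                          for a in effective_acl(target).values()]
        target.inherit_enabled = False
    parent_ace = inheritable_acl(target.parent).get(account) if target.parent else None
    prio = parent_ace.priority_id + 1 if parent_ace else 1
    target.own_acl = [a for a in target.own_acl if a.account != account]
    target.own_acl.append(ExtAce(account, rights, scope, prio))
    return True


def rights_of(node: Node) -> Dict[str, str]:
    return {acct: ace.rights for acct, ace in sorted(effective_acl(node).items())}


def run_embodiment() -> Dict[str, Dict[str, str]]:
    """Steps 1 to 5 of the fast-storage walk-through, then a later change on the parent."""
    z = Node("Z:")
    set_inheritable(z, "user1", "r", THIS_DIR_ONLY)                 # step 2
    set_inheritable(z, "user2", "w", DIR_AND_CHILDREN)
    set_inheritable(z, "user3", "rw", CHILDREN_ONLY)
    dir1 = Node("dir1", z)                                          # step 3: own ACL empty
    out = {"step3_dir1": rights_of(dir1)}
    set_inheritable(z, "user3", "full", CHILDREN_ONLY)              # step 4 on Z:
    apply_client_set(dir1, "user3", "full", inherited_flag=True)    # recursive push: ignored
    out["step4_dir1"] = rights_of(dir1)
    apply_client_set(dir1, "user2", "rw", inherited_flag=False)     # step 5: inheritance off
    out["step5_dir1"] = rights_of(dir1)
    set_inheritable(z, "user2", "r", DIR_AND_CHILDREN)              # parent changed again
    out["later_dir1"] = rights_of(dir1)
    out["later_z"] = rights_of(z)
    return out
```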
Third, compatible conversion from NTFS ACL to UNIX ACL is required in the fast NTFS ACL storage flow; the conversion steps are described below:
Step 1: The Windows client mounts the mapped network drive Z: and modifies its permissions, adding user4 with read-only permission and an inheritance scope applied to this folder only. When the storage-side SMB service receives the NTFS ACL change request, because the inheritance scope applies to this folder only, the permission is converted into a UNIX Access ACL only, with permission type read-only, and the NTFS ACL priority ID is set to 0, meaning it does not take part in priority comparison.
Step 2: Further add user5 to drive Z: with write-only permission and an inheritance scope applied to this folder, subfolders and files. When the storage-side SMB service receives the NTFS ACL change request, it constructs, on one hand, a separate UNIX Access ACL write permission and, on the other hand, a separate UNIX Default ACL write permission with inheritance type subdirectory inheritance, and sets the NTFS ACL priority ID to the initial value 1, identifying that this inherited NTFS ACL must take part in the priority calculation.
When the client queries user5's NTFS ACL permission in reverse, the SMB service queries user5's UNIX Access ACL and UNIX Default ACL at the same time. Since user5's UNIX Default ACL permission does not carry the inherit-only flag, the merged result is still applied to this folder, subfolders and files, and the constructed standard NTFS ACL is finally returned correctly to the client.
Step 3: Add user6 with read and write permission and an inheritance scope applied to subfolders and files only. When the storage-side SMB service receives the NTFS ACL change request, it finds that the permission does not take effect on the current directory, so it directly constructs a separate UNIX Default ACL read and write permission with inheritance type inherit-only + subfolders and files.
When the client queries user6's NTFS ACL permission in reverse, the SMB service checks only user6's single UNIX Default ACL and converts it directly into a standard NTFS ACL for the client.
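The two conversion interfaces defined above (account SID to UID/GID via relative ID plus base offset, and NTFS ACL to UNIX Access/Default ACL by inheritance scope) carried through conversion steps 1 to 3, as an added Python example that is not code from the patent or its assignee. The cluster SID prefix, the base offset, the user SIDs, the scope constant names and the rwx mapping for UNIX clients are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Inheritance scopes carried by the SMB request (constant names are assumptions).
THIS_DIR_ONLY = "this_dir_only"
DIR_AND_CHILDREN = "dir_and_children"
CHILDREN_ONLY = "children_only"

# Assumed cluster values: the SID prefix the SMB service generated for the cluster, and the
# base offset added to a relative ID to obtain a UID/GID (both constructed sample values).
CLUSTER_SID_PREFIX = "S-1-5-21-1111111111-2222222222-3333333333"
ID_BASE_OFFSET = 100000


def sid_to_unix_id(sid: str) -> int:
    """Account SID -> UID/GID: the SID's relative ID plus the base offset."""
    prefix, rid = sid.rsplit("-", 1)
    if prefix != CLUSTER_SID_PREFIX or not rid.isdigit():
        raise ValueError("SID was not issued by this cluster: " + sid)
    return int(rid) + ID_BASE_OFFSET


def unix_id_to_sid(unix_id: int) -> str:
    """UID/GID -> complete account SID: cluster SID plus (id - base offset) as relative ID."""
    if unix_id < ID_BASE_OFFSET:
        raise ValueError("id %d lies below the mapping base" % unix_id)
    return "%s-%d" % (CLUSTER_SID_PREFIX, unix_id - ID_BASE_OFFSET)


@dataclass(frozen=True)
class UnixAce:
    """One entry of a UNIX Access or Default ACL, extended with the NTFS priority ID."""
    unix_id: int
    perms: str            # "r", "w" or "rw"
    priority_id: int      # 0 = takes no part in priority comparison
    inherit_only: bool    # Default ACL entry that must not apply to the directory itself


class DirectoryAcls:
    """Access ACL (applies to the directory) and Default ACL (inherited by children)."""

    def __init__(self) -> None:
        self.access: Dict[int, UnixAce] = {}
        self.default: Dict[int, UnixAce] = {}
        self.next_priority = 1

    def set_ntfs_ace(self, sid: str, perms: str, scope: str) -> None:
        """NTFS ACL -> UNIX ACL: the inheritance scope decides which list(s) get the entry."""
        uid = sid_to_unix_id(sid)
        if scope == THIS_DIR_ONLY:
            self.access[uid] = UnixAce(uid, perms, 0, False)
            self.default.pop(uid, None)
            return
        prio = self.next_priority          # inheritable entries join the priority comparison
        self.next_priority += 1
        if scope == DIR_AND_CHILDREN:
            self.access[uid] = UnixAce(uid, perms, prio, False)
            self.default[uid] = UnixAce(uid, perms, prio, False)
        elif scope == CHILDREN_ONLY:
            self.access.pop(uid, None)     # does not take effect on the current directory
            self.default[uid] = UnixAce(uid, perms, prio, True)
        else:
            raise ValueError("unknown inheritance scope: " + scope)

    def read_ntfs_ace(self, sid: str) -> Optional[Tuple[str, str, int]]:
        """UNIX ACL -> standard NTFS ACL: merge one account's Access and Default entries back
        into (perms, scope, priority_id); None if the account has no entry."""
        uid = sid_to_unix_id(sid)
        acc, dfl = self.access.get(uid), self.default.get(uid)
        if acc is None and dfl is None:
            return None
        if dfl is None:
            return acc.perms, THIS_DIR_ONLY, acc.priority_id
        if acc is None or dfl.inherit_only:
            return dfl.perms, CHILDREN_ONLY, dfl.priority_id
        return dfl.perms, DIR_AND_CHILDREN, dfl.priority_id

    def unix_mode(self, sid: str) -> str:
        """What a UNIX client sees: the Access ACL entry mapped onto rwx bits (assumption:
        no execute bit is derived, since the page only maps read/write rights to rwx)."""
        acc = self.access.get(sid_to_unix_id(sid))
        if acc is None:
            return "---"
        return ("r" if "r" in acc.perms else "-") + ("w" if "w" in acc.perms else "-") + "-"


def run_conversion_steps() -> DirectoryAcls:
    """Steps 1 to 3 of the conversion walk-through on drive Z: (user4, user5, user6)."""
    z = DirectoryAcls()
    z.set_ntfs_ace(CLUSTER_SID_PREFIX + "-1004", "r", THIS_DIR_ONLY)      # user4
    z.set_ntfs_ace(CLUSTER_SID_PREFIX + "-1005", "w", DIR_AND_CHILDREN)   # user5
    z.set_ntfs_ace(CLUSTER_SID_PREFIX + "-1006", "rw", CHILDREN_ONLY)     # user6
    return z
```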
Finally, the query and verification of NTFS ACL permissions. The steps above have described the compatible conversion between the NTFS ACL and the UNIX ACL; the query and verification steps of the fast NTFS ACL are described below:
Step 1: Windows client A mounts the SMB service of the storage end with the identity of the administrator user and maps it to network drive Z:. Then user7 is added with read-only permission and an inheritance scope applied to this folder only; user8 is added with write-only permission and an inheritance scope applied to this folder, subfolders and files; user9 is added with read and write permission and an inheritance scope applied to subfolders and files only.
Step 2: Windows client B maps the SMB service with the identity of user7 and then creates a new subdirectory under the mapped network drive. At this point the client tries to open the mapped drive in read-write mode; the storage-side SMB service reads the NTFS ACL permissions of the shared root directory and finds that user7's permission is read-only, which cannot fully cancel out the client's requested read-write permission, so a rejection error is reported directly.
Step 3: Similarly, when another Windows client C maps the SMB service as user8, the client cannot directly open the mapped drive to view its content because of the write-only permission; it can only add subdirectories and subfiles through pure write operations.
Step 4: Another Windows client D maps the SMB service as user9. Since user9 has read and write access permission, verification passes and subdirectories and subfiles can be created normally. After creation, checking the permissions of the subdirectories and subfiles in reverse correctly shows the inherited NTFS ACL permissions of the two accounts user8 and user9.
In summary, in the access control list processing method provided by the invention, when an NTFS ACL with inheritance attribute is set on the parent directory, a corresponding priority ID is generated. An NTFS ACL with inheritance attribute set on the parent directory does not need to be set again on each child directory and child file; when the NTFS ACL of a child directory or child file is queried, the inherited NTFS ACL is simply read from the parent directory according to the priority ID. Thus, for setting the permissions of a single user or user group, the child directories and child files only need to rely on the NTFS ACL of the parent directory, which greatly improves the setting speed.
The invention also provides a processing device for the access control list; the device and the method described above can be referred to in correspondence with each other. Referring to fig. 4, fig. 4 is a schematic diagram of an apparatus for processing an access control list according to an embodiment of the present invention; in combination with fig. 4, the apparatus includes:
a generating module 10, configured to set an NTFS ACL with inheritance properties in a parent directory, and generate a priority ID of the NTFS ACL with inheritance properties; the NTFS ACL with inheritance attribute is an NTFS ACL inheritable from the parent directory by a child directory and/or a child file;
a setting module 20 for ignoring a request to set an NTFS ACL with inheritance flags from the upper level at the target object; the target object comprises the subdirectory and the subfile;
a reading module 30, configured to read, when the NTFS ACL of the target object is queried and inheritance is enabled by the target object, the NTFS ACL with inheritance attribute from the parent directory according to the priority ID.
On the basis of the above embodiment, as a specific implementation manner, the generating module 10 includes:
a first generation unit, configured to generate a sub-directory priority ID if the NTFS ACL with inheritance attribute is applied to the sub-directory;
a second generating unit, configured to generate a sub-file priority ID if the NTFS ACL with inheritance attribute is applied to the sub-file.
On the basis of the foregoing embodiment, as a specific implementation manner, the reading module is specifically configured to:
reading, from the parent directory, the NTFS ACL with inheritance attribute that has the highest priority ID.
On the basis of the above embodiment, as a specific implementation manner, the device further includes:
a second reading module, configured to read the NTFS ACL unique to the target object if the target object has disabled inheritance.
Based on the foregoing embodiment, as a specific implementation manner, the data structure of the NTFS ACL includes:
NTFS ACL identification, account principal, permission type, inheritance type, and the priority ID.
Based on the foregoing embodiment, as a specific implementation manner, the NTFS ACL identifier includes:
presence identity, autocorrelation identity, automatic inheritance identity, and protection identity.
On the basis of the above embodiment, as a specific implementation manner, the authority category includes:
file read data permission and directory list subdirectories and subfiles permission; file write data permission and directory add subfile permission; file append data permission and directory add subdirectory permission; file read extended attributes permission; file write extended attributes permission; file execute permission; file path traverse/check permission; delete subdirectories and subfiles permission; file read attributes permission; file write attributes permission; delete permission; read ACL information permission; change ACL information permission; change owner permission; and file synchronize permission.
On the basis of the above embodiment, as a specific implementation manner, the permission type comprises allow rights and deny rights, and the allow rights and the deny rights are stored in different extended attributes of the file metadata.
On the basis of the above embodiment, as a specific implementation manner, setting the NTFS ACL includes:
if the NTFS ACL is applied to the current directory, adding the NTFS ACL to a UNIX Access ACL linked list;
if the NTFS ACL is applied to the current directory, the subdirectories and the subfiles, adding the NTFS ACL to a UNIX Default ACL linked list and a UNIX Access ACL linked list;
if the NTFS ACL is applied to the subdirectories and the subfiles, adding the NTFS ACL to the UNIX Default ACL linked list.
On the basis of the above embodiment, as a specific implementation manner, the device further includes:
a return module, configured to return the read NTFS ACL to the client.
On the basis of the above embodiment, as a specific implementation manner, the return module is specifically configured to:
when the client is a Windows client, merging the read Access ACL with the Default ACL, converting the merged result into a standard NTFS ACL, and returning the standard NTFS ACL to the Windows client.
On the basis of the above embodiment, as a specific implementation manner, the return module is specifically configured to:
when the client is a UNIX client, mapping the NTFS ACL into rwx permissions and returning them to the UNIX client.
On the basis of the above embodiment, as a specific implementation manner, the device further includes:
a matching module, configured to traverse the read NTFS ACLs and match them against the access token of the client;
a rejecting module, configured to refuse the client's operation request if the matching is unsuccessful.
On the basis of the above embodiment, as a specific implementation manner, the device further includes:
a first modification module, configured to disable inheritance on the subdirectory and add a priority ID to the modified target NTFS ACL when the target NTFS ACL of the subdirectory is modified; the target NTFS ACL is an NTFS ACL that belongs to the same user or user group as an NTFS ACL set on the parent directory, and the priority ID added to the modified target NTFS ACL is higher than the priority ID of the parent directory's NTFS ACL for that same user or user group.
On the basis of the above embodiment, as a specific implementation manner, the device further includes:
a deleting module, configured to disable inheritance on the subdirectory and delete the subdirectory's NTFS ACL when the NTFS ACL of the subdirectory is deleted.
On the basis of the above embodiment, as a specific implementation manner, the device further includes:
a second modification module, configured to increment the priority ID of the NTFS ACL with inheritance attribute when the NTFS ACL with inheritance attribute of the parent directory is modified.
On the basis of the above embodiment, as a specific implementation manner, the device further includes:
a creation module, configured to obtain the NTFS ACL of the parent directory when a child directory is created under the parent directory, and to keep the NTFS ACL of the created child directory empty when the parent directory has an inheritable NTFS ACL.
In the access control list processing device provided by the invention, when an NTFS ACL with inheritance attribute is set on the parent directory, a corresponding priority ID is generated. An NTFS ACL with inheritance attribute set on the parent directory does not need to be set again on each child directory and child file; when the NTFS ACL of a child directory or child file is queried, the inherited NTFS ACL is simply read from the parent directory according to the priority ID. Since the child directories and child files only rely on the NTFS ACL of the parent directory, the speed of setting the permissions of a single user or user group is greatly improved.
The invention also provides an apparatus for processing an access control list, as shown with reference to figure 5, comprising a memory 1 and a processor 2.
A memory 1 for storing a computer program;
a processor 2 for executing a computer program to perform the steps of:
setting an NTFS ACL with inheritance attribute on a parent directory, and generating a priority ID of the NTFS ACL with inheritance attribute; the NTFS ACL with inheritance attribute is an NTFS ACL that a child directory and/or a child file can inherit from the parent directory; ignoring a request to set an NTFS ACL with inheritance flags from the upper level at a target object; the target object comprises the subdirectory and the subfile; when the NTFS ACL of the target object is queried and inheritance is enabled by the target object, reading the NTFS ACL with inheritance attribute from the parent directory according to the priority ID.
In the access control list processing equipment provided by the invention, when an NTFS ACL with inheritance attribute is set on the parent directory, a corresponding priority ID is generated. An NTFS ACL with inheritance attribute set on the parent directory does not need to be set again on each child directory and child file; when the NTFS ACL of a child directory or child file is queried, the inherited NTFS ACL is simply read from the parent directory according to the priority ID. Since the child directories and child files only rely on the NTFS ACL of the parent directory, the speed of setting the permissions of a single user or user group is greatly improved.
For the description of the apparatus provided by the present invention, refer to the method embodiment above; it is not repeated here.
The present invention also provides a storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
setting an NTFS ACL with inheritance attribute on a parent directory, and generating a priority ID of the NTFS ACL with inheritance attribute; the NTFS ACL with inheritance attribute is an NTFS ACL that a child directory and/or a child file can inherit from the parent directory; ignoring a request to set an NTFS ACL with inheritance flags from the upper level at a target object; the target object comprises the subdirectory and the subfile; when the NTFS ACL of the target object is queried and inheritance is enabled by the target object, reading the NTFS ACL with inheritance attribute from the parent directory according to the priority ID.
With the computer-readable storage medium provided by the invention, when an NTFS ACL with inheritance attribute is set on the parent directory, a corresponding priority ID is generated. An NTFS ACL with inheritance attribute set on the parent directory does not need to be set again on each child directory and child file; when the NTFS ACL of a child directory or child file is queried, the inherited NTFS ACL is simply read from the parent directory according to the priority ID. Since the child directories and child files only rely on the NTFS ACL of the parent directory, the speed of setting the permissions of a single user or user group is greatly improved.
The computer-readable storage medium may include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
For the description of the storage medium provided by the present invention, refer to the method embodiments above; it is not repeated here.
In this description, the embodiments are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to each other. Since the apparatus, device and computer-readable storage medium disclosed in the embodiments correspond to the method disclosed in the embodiments, their description is relatively brief, and the relevant points can be found in the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The method, the device, the equipment and the storage medium for processing the access control list provided by the invention are described in detail. The principles and embodiments of the present invention have been described herein with reference to specific examples, the description of which is intended only to facilitate an understanding of the method of the present invention and its core ideas. It should be noted that it will be apparent to those skilled in the art that various changes and modifications can be made herein without departing from the principles of the invention, which are also intended to fall within the scope of the appended claims.

Claims (20)

1. A method for processing an access control list, comprising:
setting an NTFS ACL with inheritance attribute on a parent directory, and generating a priority ID of the NTFS ACL with inheritance attribute; the NTFS ACL with inheritance attribute is an NTFS ACL that a child directory and/or a child file can inherit from the parent directory; the priority ID is recorded in a priority ID field of the extended NTFS ACL structure;
ignoring a request to set an NTFS ACL with an inheritance flag from the upper level at a target object, and not setting an NTFS ACL inheritable from the parent directory at the target object; the target object comprises the child directory and the child file; the NTFS ACL with the inheritance flag from the upper level is an NTFS ACL that a child directory and/or a child file can inherit from the parent directory;
when the NTFS ACL of the target object is queried and inheritance is enabled by the target object, the NTFS ACL with inheritance attribute is read from the parent directory according to the priority ID.
2. The method of claim 1, wherein generating the priority ID of the NTFS ACL with inherited properties comprises:
if the NTFS ACL with the inheritance attribute is applied to the subdirectory, generating a subdirectory priority ID;
and if the NTFS ACL with the inherited attribute is applied to the subfiles, generating a subfile priority ID.
3. The method of claim 1, wherein the reading the NTFS ACL with inherited properties from the parent directory comprises:
reading, from the parent directory, the NTFS ACL with inheritance attribute that has the highest priority ID.
4. The method for processing an access control list according to claim 1, further comprising:
if the target object has disabled inheritance, reading the NTFS ACL unique to the target object.
5. The method for processing an access control list according to claim 1, wherein the data structure of the NTFS ACL includes:
NTFS ACL identification, account principal, permission type, inheritance type, and the priority ID.
6. The method of claim 5, wherein the NTFS ACL identification comprises:
presence identity, autocorrelation identity, automatic inheritance identity, and protection identity.
7. The method for processing an access control list according to claim 5, wherein the permission category includes:
file read data permission and directory list subdirectories and subfiles permission; file write data permission and directory add subfile permission; file append data permission and directory add subdirectory permission; file read extended attributes permission; file write extended attributes permission; file execute permission; file path traverse/check permission; delete subdirectories and subfiles permission; file read attributes permission; file write attributes permission; delete permission; read ACL information permission; change ACL information permission; change owner permission; and file synchronize permission.
8. The method of claim 5, wherein the permission type includes allow rights and deny rights, and wherein the allow rights and the deny rights are stored in different extended attributes of the file metadata.
9. The method of processing an access control list according to claim 1, wherein setting an NTFS ACL comprises:
if the NTFS ACL is applied to the current directory, adding the NTFS ACL to a UNIX Access ACL linked list;
if the NTFS ACL is applied to the current directory, the subdirectories and the subfiles, adding the NTFS ACL to a UNIX Default ACL linked list and a UNIX Access ACL linked list;
if the NTFS ACL is applied to the subdirectories and the subfiles, adding the NTFS ACL to the UNIX Default ACL linked list.
10. The method for processing an access control list according to claim 1, further comprising:
the read NTFS ACL is returned to the client.
11. The method for processing the access control list according to claim 10, wherein the returning the read NTFS ACL to the client includes:
when the client is a Windows client, merging the read Access ACL with the Default ACL, converting the merged result into a standard NTFS ACL, and returning the standard NTFS ACL to the Windows client.
12. The method for processing the access control list according to claim 10, wherein the returning the read NTFS ACL to the client includes:
when the client is a UNIX client, mapping the NTFS ACL into rwx permissions and returning them to the UNIX client.
13. The method for processing an access control list according to claim 1, further comprising:
traversing the read NTFS ACLs and matching them against an access token of the client;
if the matching is unsuccessful, refusing the client's operation request.
14. The method for processing an access control list according to claim 1, further comprising:
when modifying the target NTFS ACL of the subdirectory, disabling inheritance on the subdirectory and adding a priority ID to the modified target NTFS ACL; the target NTFS ACL is an NTFS ACL that belongs to the same user or user group as an NTFS ACL set on the parent directory, and the priority ID added to the modified target NTFS ACL is higher than the priority ID of the parent directory's NTFS ACL for that same user or user group.
15. The method for processing an access control list according to claim 1, further comprising:
when deleting the NTFS ACL of the subdirectory, disabling inheritance on the subdirectory and deleting the subdirectory's NTFS ACL.
16. The method for processing an access control list according to claim 1, further comprising:
when modifying the NTFS ACL with inherited properties of the parent directory, incrementing a priority ID of the NTFS ACL with inherited properties.
17. The method for processing an access control list according to claim 1, further comprising:
when creating a child directory under the parent directory, obtaining the NTFS ACL of the parent directory, and when the parent directory has an inheritable NTFS ACL, keeping the NTFS ACL of the created child directory empty.
18. An apparatus for processing an access control list, comprising:
a generation module, configured to set an NTFS ACL with inheritance attribute on a parent directory and generate a priority ID of the NTFS ACL with inheritance attribute; the NTFS ACL with inheritance attribute is an NTFS ACL that a child directory and/or a child file can inherit from the parent directory; the priority ID is recorded in a priority ID field of the extended NTFS ACL structure;
a setting module, configured to ignore a request to set an NTFS ACL with an inheritance flag from the upper level at a target object, and not to set an NTFS ACL inheritable from the parent directory at the target object; the target object comprises the child directory and the child file; the NTFS ACL with the inheritance flag from the upper level is an NTFS ACL that a child directory and/or a child file can inherit from the parent directory;
a reading module, configured to read the NTFS ACL with inheritance attribute from the parent directory according to the priority ID when the NTFS ACL of the target object is queried and inheritance is enabled by the target object.
19. A processing apparatus for an access control list, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method of processing an access control list according to any of claims 1 to 17 when executing said computer program.
20. A storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method of processing an access control list according to any of claims 1 to 17.
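The following is an added, constructed Python model of how the tail of claim 15 and claims 16 to 18 fit together; it is not the patent's implementation or any project code. The in-memory AclStore, the Ace/NtfsAcl/FsObject names, the per-object cache keyed by (ancestor path, priority ID), and the walk up to the nearest ancestor that holds an ACL are all assumptions made for illustration. The point it demonstrates is that a child never stores a copy of an inherited ACL: propagated set requests are ignored, the child's ACL stays null, and the effective ACL is resolved on query through the parent's priority ID, so a modified parent ACL takes effect without rewriting every descendant, while disabling inheritance on a subdirectory correctly cuts off everything beneath it.

```python
"""Constructed model of the inheritance-by-priority-ID scheme described in the claims.

Assumptions (not from the patent text): an in-memory AclStore, a per-object cache keyed by
(ancestor path, priority ID), and a walk up to the nearest ancestor that holds an ACL.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    principal: str
    rights: str
    inheritable: bool = False   # the "inheritance attribute": children may inherit this ACE


@dataclass
class NtfsAcl:
    aces: List[Ace]
    priority_id: int = 0        # the extended priority-ID field of claim 18 (assumed layout)


@dataclass
class FsObject:
    path: str
    is_dir: bool
    parent: Optional["FsObject"]
    acl: Optional[NtfsAcl] = None                          # None = ACL "reserved as null" (claim 17)
    inherit_enabled: bool = True
    cached: Optional[Tuple[str, int, List[Ace]]] = None    # (ancestor path, priority ID, ACEs)


class AclStore:
    def __init__(self) -> None:
        root = FsObject("/", True, None, NtfsAcl([], 0), inherit_enabled=False)
        self.objects: Dict[str, FsObject] = {"/": root}

    @staticmethod
    def _parent_path(path: str) -> str:
        return path.rsplit("/", 1)[0] or "/"

    def create(self, path: str, is_dir: bool) -> FsObject:
        """Claim 17: the parent's ACL is acquired, and when it carries inheritable ACEs the
        child's own ACL is deliberately left null; nothing is copied down. When the parent
        carries none, the child is also left null and resolution walks further up (assumption)."""
        parent = self.objects[self._parent_path(path)]
        obj = FsObject(path, is_dir, parent, acl=None)
        self.objects[path] = obj
        return obj

    def set_inheritable_acl(self, dir_path: str, aces: List[Ace]) -> int:
        """Generation module (claim 18): set an ACL with inheritance attribute on a directory
        and give it a priority ID; modifying an existing one increments the ID (claim 16)."""
        d = self.objects[dir_path]
        if not d.is_dir:
            raise ValueError("inheritable ACLs live on directories only")
        if d.acl is None:
            d.acl = NtfsAcl(list(aces), priority_id=1)
        else:
            d.acl.aces = list(aces)
            d.acl.priority_id += 1
        d.cached = None
        return d.acl.priority_id

    def set_acl(self, path: str, acl: NtfsAcl, inherited_from_upper: bool = False) -> bool:
        """Setting module (claim 18): a request flagged as propagated from an upper level is
        ignored and nothing is stored; an explicit request sets the object's own ACL."""
        if inherited_from_upper:
            return False
        o = self.objects[path]
        o.acl = acl
        o.cached = None
        return True

    def delete_subdir_acl(self, path: str) -> None:
        """Claim 15 tail: deleting a subdirectory's ACL disables inheritance and removes the ACL."""
        o = self.objects[path]
        o.inherit_enabled = False
        o.acl = None
        o.cached = None

    def query_acl(self, path: str) -> List[Ace]:
        """Reading module: own ACL if present; otherwise, with inheritance enabled, read the
        inheritable ACEs from the nearest ancestor holding an ACL, according to its priority ID.
        An ancestor with a null ACL and inheritance disabled is a boundary: nothing passes it."""
        o = self.objects[path]
        if o.acl is not None:
            return list(o.acl.aces)
        if not o.inherit_enabled:
            return []
        anc = o.parent
        while anc is not None and anc.acl is None:
            if not anc.inherit_enabled:
                return []
            anc = anc.parent
        if anc is None or anc.acl is None:
            return []
        if o.cached is not None and o.cached[:2] == (anc.path, anc.acl.priority_id):
            return list(o.cached[2])               # priority ID unchanged: cached read is valid
        inherited = [a for a in anc.acl.aces if a.inheritable]
        o.cached = (anc.path, anc.acl.priority_id, inherited)
        return list(inherited)


def demo() -> Dict[str, object]:
    """Constructed scenario: one share with an inheritable ACL, a subdirectory and two files."""
    s = AclStore()
    s.create("/share", True)
    s.set_inheritable_acl("/share", [Ace("staff", "read", True), Ace("svc", "write", False)])
    s.create("/share/docs", True)
    s.create("/share/docs/a.txt", False)
    s.create("/share/docs/b.txt", False)
    out: Dict[str, object] = {}
    out["before"] = [(a.principal, a.rights) for a in s.query_acl("/share/docs/a.txt")]
    # A propagated ("from upper level") set request is ignored, per the setting module.
    out["propagation_stored"] = s.set_acl("/share/docs", NtfsAcl([Ace("staff", "read", True)]),
                                          inherited_from_upper=True)
    out["priority_after_modify"] = s.set_inheritable_acl(
        "/share", [Ace("staff", "read", True), Ace("audit", "read", True)])
    out["after"] = [(a.principal, a.rights) for a in s.query_acl("/share/docs/a.txt")]
    s.set_acl("/share/docs/b.txt", NtfsAcl([Ace("bob", "write")]))      # explicit own ACL wins
    out["own"] = [(a.principal, a.rights) for a in s.query_acl("/share/docs/b.txt")]
    s.delete_subdir_acl("/share/docs")                                   # inheritance boundary
    out["docs_after_delete"] = [(a.principal, a.rights) for a in s.query_acl("/share/docs")]
    out["file_after_delete"] = [(a.principal, a.rights) for a in s.query_acl("/share/docs/a.txt")]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The cache check on the priority ID is the part to get right in a real implementation: if a child compared only the ID and not which ancestor supplied it, an intermediate directory that later receives its own ACL could leave a stale grant in place, which is why the cache key here includes the ancestor path.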
CN202310247425.1A 2023-03-15 2023-03-15 Access control list processing method, device, equipment and storage medium Active CN115934671B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310247425.1A CN115934671B (en) 2023-03-15 2023-03-15 Access control list processing method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310247425.1A CN115934671B (en) 2023-03-15 2023-03-15 Access control list processing method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115934671A CN115934671A (en) 2023-04-07
CN115934671B true CN115934671B (en) 2023-06-06

Family

ID=86556304

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310247425.1A Active CN115934671B (en) 2023-03-15 2023-03-15 Access control list processing method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115934671B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1848022A (en) * 2005-04-13 2006-10-18 华为技术有限公司 Authority control method based on access control list
CN103064957A (en) * 2012-12-28 2013-04-24 华为技术有限公司 Method and client for achieving ACL (Access Control List)
CN111274609A (en) * 2020-01-19 2020-06-12 苏州浪潮智能科技有限公司 User permission inheritance method and device of distributed file storage system
CN115795502A (en) * 2022-11-18 2023-03-14 济南浪潮数据技术有限公司 Authority management method and system of distributed file system and related components

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI263894B (en) * 2003-10-15 2006-10-11 Hon Hai Prec Ind Co Ltd System and method for quickly getting user's permission in access control list
US8438611B2 (en) * 2007-10-11 2013-05-07 Varonis Systems Inc. Visualization of access permission status
US20130091562A1 (en) * 2011-10-05 2013-04-11 Hitachi, Ltd. Computer
CN107220558A (en) * 2017-05-24 2017-09-29 郑州云海信息技术有限公司 A kind of method of rights management, apparatus and system

Also Published As

Publication number Publication date
CN115934671A (en) 2023-04-07

Similar Documents

Publication Publication Date Title
US7233959B2 (en) Life-cycle management engine
US6535879B1 (en) Access control via properties system
US7783737B2 (en) System and method for managing supply of digital content
US9507812B2 (en) Systems and methods for scalable object storage
CN107403105B (en) Permission setting method and device for file system
CA2746587C (en) System and method for performing access control
US6308181B1 (en) Access control with delayed binding of object identifiers
JP2008547118A (en) Granting unified authority for heterogeneous applications
WO2014153759A1 (en) Method and device for managing access control permission
BR112012033016B1 (en) online service access control method and system using directory resources
US6611848B1 (en) Methods for maintaining data and attribute coherency in instances of sharable files
US7657925B2 (en) Method and system for managing security policies for databases in a distributed system
US6687716B1 (en) File consistency protocols and methods for carrying out the protocols
US6633870B1 (en) Protocols for locking sharable files and methods for carrying out the protocols
CN115934671B (en) Access control list processing method, device, equipment and storage medium
US11609770B2 (en) Co-managing links with a link platform and partner service
CN111581156B (en) File permission control method, device, equipment and medium
JP4166704B2 (en) Lifecycle management engine
AU2022304619B2 (en) Co-managing links with a link platform and partner service
US20220414242A1 (en) Links platform-as-a-service
US11868494B1 (en) Synchronization of access management tags between databases
JP2001117803A (en) Method and device for deciding access right and computer-readable recording medium recorded with access right deciding program
CN117194332A (en) User authority processing method, device, equipment and medium in file system
CN117195171A (en) Access right processing method, device, computer equipment and storage medium
JPH04279941A (en) Method and equipment for data processing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant