CN116127436A - Multi-tenant authority management method and system - Google Patents


Info

Publication number: CN116127436A
Authority: CN (China)
Prior art keywords: resource, database, storage platform, tenant, access
Legal status: Pending
Application number: CN202310245051.XA
Other languages: Chinese (zh)
Inventors: 徐嘉文, 王昴, 张伟
Current Assignee: Hefei Gotion High Tech Power Energy Co Ltd
Original Assignee: Hefei Guoxuan High Tech Power Energy Co Ltd
Application filed by Hefei Guoxuan High Tech Power Energy Co Ltd
Priority to CN202310245051.XA
Publication of CN116127436A


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems

Abstract

The invention discloses a multi-tenant authority management method and system. The method comprises the steps of: receiving a resource access request sent by a user; searching a predefined resource isolation policy based on the resource access request to obtain all matched resource types, wherein the resource isolation policy abstracts the relation among tenants, resource types and authorities, the resource types are file data resources abstracted according to the function of a storage platform, and the storage platform comprises at least two of a Hadoop system database, a time series database, a relational database, a graph database and an analytical database; and accessing the storage platform based on all the matched resource types and the access rights of the storage platform corresponding to the resource types. The unified authority management framework for the data platform provided by the invention can uniformly manage all the big data storage platforms, so that the system is simple and efficient.

Description

Multi-tenant authority management method and system
Technical Field
The invention relates to the technical field of rights management, in particular to a multi-tenant rights management method and system.
Background
Lithium batteries can generate a large amount of data during the production process, and in particular, can be divided into three categories: (1) device data: technological parameters of the equipment, such as equipment state, fault information, operation and maintenance information and other data; (2) production process data: actual measurement data generated in the production process, such as welding power, welding head temperature, wind speed, tension, current, voltage, operation times, switching state and the like; (3) Status and information data of each process/step, such as operator, shift, start time date, end time date, equipment ID, etc.; (4) product data: product and quality trace-back related data such as yield, input, output, scrapped, utilization, OEE, product quality, process quality, product parameters, etc.
In a big data storage platform, different storage modes are needed according to the characteristics of the different data types. For example, production process data and equipment data are acquired at high frequency and in large volume, so a high-throughput time series database is suitable for storing them. Product data is important for decision support and its volume is not very large, so a relational database such as MySQL should be chosen for it. Meanwhile, production process data, equipment data and the like require aggregation analysis over large data volumes while keeping query efficiency, so a big data analytical database is also indispensable. Data from the continuous 7 x 24 hour operation of the production line needs to be archived for long-term storage, so an HDFS-like storage system is also an indispensable part of a data platform.
Therefore, data sources in the lithium battery manufacturing industry are relatively wide, the storage units of the Hadoop ecosystem alone cannot meet all requirements, and a large number of big data storage and analysis frameworks of different types have to be introduced; but because a multi-tenant data platform needs to manage and control data authority across different storage and computing media, the open-source authority management frameworks in the big data field cannot manage the Hadoop system, time series databases, relational databases and the like under unified authorities.
In terms of authority control models, the most commonly used one at present is the RBAC model, a role-based access control model: a user is given a defined role, through which the authority is controlled. As shown in fig. 1, a user has a role and may have multiple roles, with each role corresponding to different rights. The RBAC model thus has three elements, user, role and rights, and the rights generally cover two aspects, menu rights and data rights, as shown in fig. 2. The RBAC authority control model is applicable only to a single software system, such as a particular database. Big data open source components such as Hadoop and Spark have their own authority control methods, and the scattered big data frameworks cannot be integrated for unified management by an RBAC authority control model.
In the related art, the multi-tenant space resource management method proposed in patent application document CN113986528A allocates an independent resource and a corresponding first authority to each tenant, each tenant creates a plurality of users, and the resources corresponding to the tenant are allocated to those users; however, that scheme configures and manages space resources, namely memory and CPU resources, the memory part is finally implemented with Linux-specific operation commands, and its efficiency is low; in addition, the scheme uses an open-source authority management framework to schedule tasks with cluster resources, so a Hadoop system, a time series database, a relational database, a graph database and the like cannot be placed under unified authority management.
Disclosure of Invention
The technical problem to be solved by the invention is how to realize unified data authority management and control on different storage computing media.
The invention solves the technical problems by the following technical means:
in a first aspect, the present invention proposes a multi-tenant rights management method, the method comprising:
receiving a resource access request sent by a user, wherein the resource access request carries tenant information;
searching a predefined resource isolation strategy based on the resource access request to obtain all matched resource types, wherein the resource isolation strategy abstracts the relation among tenants, resource types and authorities, the resource types are file data resources obtained through abstraction according to the action of a storage platform, and the storage platform comprises at least two of a Hadoop system database, a time sequence database, a relation database, a graph database and an analysis database;
and accessing the storage platform based on all the matched resource types and the access rights of the storage platform corresponding to the resource types.
Further, before the receiving the resource access request sent by the user, the method further includes:
defining file data resources corresponding to different storage platforms, wherein the file data resources comprise file paths, databases, queues, columns, tables, column families, time sequences and indexes;
defining the operation authority of different tenants on the storage platform;
and abstracting the relation among the tenant, the resource type and the operation authority as the resource isolation strategy.
Further, the defining the operation authority of different tenants on the storage platform includes:
and using an AllowACL list and a DenyACL list to represent the operation authority of the tenant on the storage platform, wherein the AllowACL list describes the conditions under which access is allowed, and the DenyACL list describes the conditions under which access is refused.
Further, the DenyACL list has higher priority than the AllowACL list; within each list, the exclusion entries take priority over the list itself: a DenyACL exclusion overrides the DenyACL, and an AllowACL exclusion overrides the AllowACL.
Further, accessing the storage platform based on all the matched resource types and the access rights of the storage platform corresponding to the resource types includes:
1) judging whether the authority corresponding to the matched resource is access refusal; if so, executing step 2), otherwise executing step 3);
2) judging whether that refusal is lifted by an exclusion (exception) entry; if so, executing step 3), otherwise refusing access;
3) judging whether the authority of the resource allows access; if so, executing step 4), otherwise executing step 5);
4) judging whether that allowance is lifted by a refusing exclusion (exception) entry; if so, executing step 5), otherwise allowing access;
5) access is refused, or the decision is delegated to the access control layer of the storage platform.
Further, after the storage platform receives a resource access request of a tenant, verifying the authority of the tenant by utilizing the pre-pulled resource isolation policy, and performing corresponding operation after the verification is passed.
Further, when the storage platform is a Hadoop system database, the method further includes:
loading a permission implementation class through the permission extension interface of the storage platform;
and starting a pull thread to regularly pull the resource isolation policy, storing the policy both in a file and in memory.
Further, when the storage platform is a time series database, a relational database, a graph database or an analytical database, the method further comprises:
collecting and synchronizing the metadata information of the time series database, relational database, graph database or analytical database into the MetaStore metadata database of the Hive platform;
starting the HiveServer2 class loader to load the authority implementation class;
and starting a pull thread to regularly pull the resource isolation policy, storing the policy both in a file and in memory.
In addition, the invention also provides a multi-tenant authority management system, which comprises:
the receiving module is used for receiving a resource access request sent by a user, wherein the resource access request carries tenant information;
the matching module is used for searching a predefined resource isolation strategy based on the resource access request to obtain all matched resource types, wherein the resource isolation strategy abstracts the relation among tenants, resource types and authorities, the resource types are file data resources obtained through abstraction according to the action of a storage platform, and the storage platform comprises at least two of a Hadoop system database, a time sequence database, a relational database, a graph database and an analysis type database;
and the access module is used for accessing the storage platform based on all the matched resource types and the access rights of the storage platform corresponding to the resource types.
Further, the system also comprises a policy configuration module for:
defining file data resources corresponding to different storage platforms, wherein the file data resources comprise file paths, databases, queues, columns, tables, column families, time sequences and indexes;
defining the operation authority of different tenants on the storage platform;
and abstracting the relation among the tenant, the resource type and the operation authority as the resource isolation strategy.
The invention has the advantages that:
(1) Because data sources in the lithium battery manufacturing industry are relatively wide, the storage units of the Hadoop ecosystem alone cannot meet all requirements and time series, relational, graph and analytical databases are also needed; to manage and control these data platforms uniformly, the authority control system needs to be compatible with multiple scenarios. In addition, the authority management server directly searches all matched resources according to the user's resource request and, based on the access authorities of the storage platforms corresponding to all the matched resources and resource types, performs the authority verification at the compilation stage, which is more efficient, and the authority management server can customize policies. The unified authority management framework for the data platform is therefore suited to the many data classifications of the lithium battery manufacturing industry.
(2) For a newly added big data component, integration only requires abstracting the file data resources it manages, such as files and database tables, according to the function of the component, and implementing the corresponding interfaces.
(3) If the authority management server matches no suitable policy, the access request can be issued to the corresponding storage platform, which performs the authority verification according to the policies it pulled in advance.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
FIG. 1 is a schematic diagram of RBAC model role-rights control, referred to in the background section of the invention;
FIG. 2 is a schematic diagram of the entitlement control scheme of the RBAC model referred to in the background section of the present invention;
FIG. 3 is a flow chart of a multi-tenant rights management method in an embodiment of the invention;
FIG. 4 is a flow chart of strategy execution in an embodiment of the present invention;
FIG. 5 is a schematic diagram of an hdfs platform integration strategy in an embodiment of the invention;
FIG. 6 is a schematic diagram of the HBase platform integration strategy in an embodiment of the present invention;
FIG. 7 is a Hive platform integration policy diagram of an embodiment of the invention;
FIG. 8 is a Yarn platform integration strategy diagram in an embodiment of the invention;
FIG. 9 is a schematic diagram of the integration strategy for a relational database and a time series database according to an embodiment of the present invention;
fig. 10 is a block diagram of a multi-tenant rights management system in an embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 3, a first embodiment of the present invention proposes a multi-tenant rights management method, which includes the following steps:
s10, receiving a resource access request sent by a user, wherein the resource access request carries tenant information;
it should be noted that, an administrator allocates corresponding tenants and groups for various service policy plans in advance, and stores the corresponding tenants and groups in a database.
S20, searching a predefined resource isolation strategy based on the resource access request to obtain all matched resource types, wherein the resource isolation strategy abstracts the relation among tenants, resource types and authorities, the resource types are file data resources obtained through abstraction according to the action of a storage platform, and the storage platform comprises at least two of a Hadoop system database, a time sequence database, a relational database, a graph database and an analysis type database;
s30, accessing the storage platform based on all the matched resource types and the access rights of the storage platform corresponding to the resource types.
The lithium battery manufacturing industry has many data classifications, and different storage and processing methods are required for the different types of data. For example, production process data is more conveniently stored in a time-stamped time series database, while result data is more conveniently queried from a relational database. Therefore, if the data of the lithium battery manufacturing industry were stored only in the storage units of the Hadoop ecosystem, not all requirements could be met; a large number of big data storage and analysis frameworks of different types, such as a time series database, a relational database, a graph database and an analytical database, need to be introduced, and to manage and control the data platform uniformly, the authority control system needs to be compatible with multiple scenarios.
In this embodiment, the resource isolation policy is predefined and managed by the authority management server: the resources managed by the storage platforms are abstractly divided according to the functions of the different storage platforms, the resource authorities are decomposed and unified, and the relationship among tenants, resource types and authorities is represented abstractly, so that different tenants obtain the corresponding data authorities on the resource types of the different storage platforms simply by configuring the corresponding policies at the authority management server. This achieves unified data authority management and control across different storage platforms, conveniently and quickly. In addition, the authority management server directly searches all matched resources according to the user's resource request and, based on the access authorities of the storage platforms corresponding to all the matched resources and resource types, performs the authority verification at the compilation stage, which is more efficient, and the authority management server can customize policies. The unified authority management framework for the data platform is therefore suited to the many data classifications of the lithium battery manufacturing industry.
In one embodiment, in the step S10: before receiving the resource access request sent by the user, the method further comprises the following steps:
defining file data resources corresponding to different storage platforms, wherein the file data resources comprise file paths, databases, queues, columns, tables, column families, time sequences and indexes;
defining the operation authority of different tenants on the storage platform;
and abstracting the relation among the tenant, the resource type and the operation authority as the resource isolation strategy.
Specifically, the resource types of the different big data components, that is, of the storage platforms connected to the unified authority management platform, are defined; the resource types corresponding to the different big data components differ, and this embodiment abstracts the resource list of the big data platform shown in table 1 below:
TABLE 1
Big data platform component    Controlled resource names
hdfs                           File path
hbase                          Table, column family, column
hive                           Database, table, column
yarn                           Queue
Relational database            Database, table, column, index, etc.
Time series database           Table, time series, etc.
Graph database                 Vertex, edge, etc.
Analytical database            Database, table, column, index, etc.
Specifically, the rights of the different components are defined; the rights corresponding to the different big data components differ, as shown in table 2:
TABLE 2
Big data platform component    Rights items
hdfs                           Read, write, execute
hbase                          Read, write, execute
hive                           Query, add, modify, delete
yarn                           Submit task
Relational database            Query, add, modify, delete
Time series database           Query, add, delete
Graph database                 Query, add, modify, delete
Analytical database            Query, add, modify, delete
It should be noted that, since the data of the industrial manufacturing process is basically structured and has a certain time order, a time series database or the like has to be introduced. In this embodiment, the corresponding file data resource of each component is abstracted from the characteristics of that big data component: for example, the hdfs platform manages files, so the file data resource type of the hdfs platform is the file path; similarly, the hbase platform presents tables, column families and so on to the user, so the file data resource types of the hbase platform are table, column family and column. The other storage platforms follow by analogy, the concrete form of their resources being abstracted from the characteristics of the component. Once the resource isolation policy is defined, different tenants obtain the corresponding data rights on different resources as long as the corresponding policies are configured at the authority management server.
In an embodiment, the defining the operation rights of different tenants to the storage platform includes:
and using an AllowACL list and a DenyACL list to represent the operation authority of the tenant on the storage platform, wherein the AllowACL list describes the conditions under which access is allowed, and the DenyACL list describes the conditions under which access is refused.
It should be noted that the rights are expressed by an AllowACL list and a DenyACL list, similar to whitelist and blacklist mechanisms: the AllowACL list describes the cases in which access is allowed and the DenyACL list the cases in which access is refused. The DenyACL list has higher priority than the AllowACL list, and within each list the exclusion entries take priority over the list itself: a DenyACL exclusion overrides the DenyACL, and an AllowACL exclusion overrides the AllowACL.
It should be noted that this embodiment defines the priority of the policies so that the refuse policy ranks above the allow policy; during a permission check an alarm can be raised as soon as the request is found in the blacklist, which ensures security to the greatest extent and improves checking efficiency.
In one embodiment, as shown in fig. 4, step S30, accessing the storage platforms based on all the matched resources and the access rights of the storage platforms corresponding to the resource types, comprises the following steps:
1) judging whether the authority corresponding to the matched resource is access refusal; if so, executing step 2), otherwise executing step 3);
2) judging whether that refusal is lifted by an exclusion (exception) entry; if so, executing step 3), otherwise refusing access;
3) judging whether the authority of the resource allows access; if so, executing step 4), otherwise executing step 5);
4) judging whether that allowance is lifted by a refusing exclusion (exception) entry; if so, executing step 5), otherwise allowing access;
5) access is refused, or the decision is delegated to the access control layer of the storage platform.
In this embodiment, when the authority management server receives the resource access request sent by the user, it first performs a preliminary check; if the check passes, the corresponding storage platform is accessed, and if no decision can be confirmed, the access request is issued to the access control layer of the storage platform. The preliminary check is thus performed at the compilation stage, when the user submits the task, which improves the efficiency of task checking compared with an implementation using Linux-specific operation commands.
It should be noted that if no policy yields an access decision, the default is to treat the tenant as having no authority, so access is refused; the authority control system also supports delegating the decision to the access control layer of the specific component.
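The evaluation order of steps 1) to 5), together with the resource and rights abstraction of tables 1 and 2 and the grants of table 3, as an added worked example (this is not the patent's own code; the Python names, the glob matching on resource names, the "*" wildcard tenant and the constructed deny/allow exclusions are assumptions):

```python
"""Added example (not the patent's own code): a resource isolation policy store
for the platforms of Tables 1-3 and the five-step evaluation order the text
gives for step S30: DenyACL first, lifted only by a deny exclusion; then
AllowACL, lifted only by an allow exclusion; otherwise delegate the decision
to the storage platform's own access control layer."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Table 1 / Table 2 of the text: resource types and rights exposed per platform.
RESOURCE_TYPES = {
    "hdfs": {"path"},
    "hbase": {"table", "column_family", "column"},
    "hive": {"database", "table", "column"},
    "yarn": {"queue"},
    "relational": {"database", "table", "column", "index"},
    "timeseries": {"table", "timeseries"},
}
RIGHTS = {
    "hdfs": {"read", "write", "execute"},
    "hbase": {"read", "write", "execute"},
    "hive": {"query", "add", "modify", "delete"},
    "yarn": {"submit"},
    "relational": {"query", "add", "modify", "delete"},
    "timeseries": {"query", "add", "delete"},
}

ALLOW, DENY, DELEGATE = "allow", "deny", "delegate"


@dataclass(frozen=True)
class AclEntry:
    tenants: frozenset   # tenant names; "*" (an assumption) stands for every tenant
    rights: frozenset

    def covers(self, tenant, right):
        return ("*" in self.tenants or tenant in self.tenants) and right in self.rights


@dataclass
class Policy:
    platform: str
    resource_type: str
    resource: str                       # glob over the resource name, e.g. "/tmp*"
    allow: list = field(default_factory=list)
    allow_exclude: list = field(default_factory=list)   # exclusions that lift an allow
    deny: list = field(default_factory=list)
    deny_exclude: list = field(default_factory=list)    # exclusions that lift a deny

    def matches(self, platform, resource_type, resource):
        return (self.platform == platform and self.resource_type == resource_type
                and fnmatchcase(resource, self.resource))


def _hit(entries, tenant, right):
    return any(e.covers(tenant, right) for e in entries)


def match_policies(policies, platform, resource_type, resource):
    """Step S20: every policy whose abstracted resource matches the request."""
    if resource_type not in RESOURCE_TYPES.get(platform, ()):
        raise ValueError(f"{resource_type!r} is not a resource type of {platform!r}")
    return [p for p in policies if p.matches(platform, resource_type, resource)]


def evaluate(policies, tenant, platform, resource_type, resource, right):
    """Step S30, steps 1) to 5) of the text."""
    if right not in RIGHTS.get(platform, ()):
        raise ValueError(f"{right!r} is not a right of {platform!r}")
    matched = match_policies(policies, platform, resource_type, resource)
    # 1) a deny entry matched? 2) unless a deny exclusion lifts it, refuse.
    for p in matched:
        if _hit(p.deny, tenant, right) and not _hit(p.deny_exclude, tenant, right):
            return DENY
    # 3) an allow entry matched? 4) unless an allow exclusion lifts it, allow.
    for p in matched:
        if _hit(p.allow, tenant, right) and not _hit(p.allow_exclude, tenant, right):
            return ALLOW
    # 5) no usable decision here: hand the request to the platform's own ACL layer.
    return DELEGATE


def entry(tenants, rights):
    return AclEntry(frozenset(tenants), frozenset(rights))


# Constructed policies: Table 3's grants for "tenant_a", plus a deny with an
# exclusion and an allow with an exclusion to exercise steps 2) and 4).
POLICIES = [
    Policy("hdfs", "path", "/tmp*", allow=[entry({"tenant_a", "tenant_b"}, {"read", "write"})]),
    Policy("hdfs", "path", "/tmp/archive*",
           deny=[entry({"*"}, {"write"})], deny_exclude=[entry({"tenant_b"}, {"write"})]),
    Policy("hbase", "table", "t_sample", allow=[entry({"tenant_a"}, {"read"})]),
    Policy("hive", "database", "h_sample",
           allow=[entry({"*"}, {"query"})], allow_exclude=[entry({"tenant_b"}, {"query"})]),
    Policy("yarn", "queue", "sample_queue", allow=[entry({"tenant_a"}, {"submit"})]),
    Policy("relational", "database", "r_sample", allow=[entry({"tenant_a"}, {"query"})]),
    Policy("timeseries", "table", "time_sample", allow=[entry({"tenant_a"}, {"add"})]),
]

if __name__ == "__main__":
    for req in [("tenant_a", "hdfs", "path", "/tmp/archive/old.parquet", "write"),
                ("tenant_b", "hdfs", "path", "/tmp/archive/old.parquet", "write"),
                ("tenant_b", "hive", "database", "h_sample", "query"),
                ("tenant_a", "yarn", "queue", "other_queue", "submit")]:
        print(req, "->", evaluate(POLICIES, *req))
```

Two design points worth noting: a request whose resource type or right is not in the abstraction tables is rejected as a configuration error rather than silently delegated, and the deny loop runs over every matched policy before any allow is considered, which is what makes the DenyACL priority hold even when a broader allow policy also matches the same path.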
In an embodiment, after the storage platform receives a resource access request of a tenant, verifying the authority of the tenant by using the pre-pulled resource isolation policy, and performing corresponding operation after the verification is passed.
In an embodiment, when the storage platform is a Hadoop ecological platform, the method further includes:
loading a permission realization class by utilizing a permission expansion interface of the storage platform;
and starting a pulling thread to regularly pull the resource isolation strategy, and storing the strategy in a file and a memory.
Specifically, since each big data component of the Hadoop ecosystem has a permission extension interface, whose description is usually located in the resources\META-INF\services directory of the permission-related module's jar package, the Hadoop big data components can be integrated through that permission extension interface.
(1) As shown in fig. 5, the hdfs platform implements the authority control procedure as follows:
starting hdfs, the class loader loads the plug-in code of the permission control module;
at the same time, starting the policy service to pull policies from the authority management server, keeping one copy of the policies in an hdfs file and one in memory;
different tenants access directories of the hdfs file system;
when the access request reaches the NameNode, authority verification is performed with the checkPermission method;
and recording an audit log.
(2) As shown in fig. 6, the HBase platform implements the authority control procedure as follows:
starting HMaster and RegionServer, the class loader loads the authority implementation class;
starting the policy-pull thread to pull policies from the authority management server, keeping one copy in an hdfs file and one in memory;
the user issues a request to add, delete, modify or query;
authority verification is performed by the HMaster and HRegionServer;
and recording an audit log.
(3) As shown in fig. 7, the Hive platform implements the authority control procedure as follows:
starting the HiveServer2 class loader to load the authority implementation class;
starting the policy-pull thread to pull policies from the authority management server, keeping one copy in an hdfs file and one in memory;
the user issues a request to add, delete, modify or query;
HiveServer2 performs authority verification in the rule stage;
and recording an audit log.
(4) As shown in fig. 8, the yarn platform implements the authority control procedure as follows:
starting the ResourceManager class loader to load the permission implementation class;
starting the policy-pull thread to pull policies from the authority management server, keeping one copy in an hdfs file and one in memory;
the user submits a task;
the ResourceManager performs authority verification when it analyses the submitted task;
and recording an audit log.
In an embodiment, when the storage platform is a time series database or a relational database or a graph database or an analytical database, the method further comprises:
collecting and synchronizing metadata information of the time sequence database or the relation database or the graph database or the analysis database to be unified to a MetaStore metadata database of the Hive platform;
starting a HiveServer2 class loader to load the authority realization class;
and starting a pulling thread to regularly pull the resource isolation strategy, and storing the strategy in a file and a memory.
Specifically, as shown in fig. 9, since databases such as MySQL, starblocks and ClickHouse do not belong to the Hadoop ecosystem and provide no authority-control API for the authority service to implement, the integration policy has to be redesigned; in this embodiment the authority control is completed through Hive's MetaStore service, specifically:
collecting and synchronizing the metadata information of the database into Hive's MetaStore metadata database;
starting the HiveServer2 class loader to load the authority implementation class;
starting the policy-pull thread to pull policies from the authority management server, keeping one copy in an hdfs file and one in memory;
the user issues a request to add, delete, modify or query;
HiveServer2 performs authority verification in the rule stage;
and recording an audit log.
In this embodiment, resources managed by each component of the big data platform are abstracted into files, data tables, and the like, and unified steps are used: loading the implementation class, pulling the strategy, submitting the task, checking the authority, logging and the like. Different tenants can have corresponding data rights to different resources only by configuring corresponding resource isolation strategies at the rights management server, and rights of different tenants can be managed in a centralized manner in the distributed big data platform, so that convenience and rapidness are realized.
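The policy-pull and audit-log steps that every integration above shares (the Hadoop components of fig. 5 to 8 and the MetaStore route of fig. 9), as an added example that is not the patent's own code: a pull thread periodically fetches the resource isolation policies from the authority management server and keeps one copy in memory and one in a file, so the platform can keep verifying from the last good copy if the server is unreachable. The fetch callable, the JSON file layout, the audit line format and the simulated server in run_demo() are all assumptions.

```python
"""Added example (not the patent's own code): periodic policy pull with a memory
copy and a file copy, plus the audit record written after each check."""
import json
import os
import tempfile
import threading
import time


class PolicyCache:
    def __init__(self, fetch_policies, cache_path, interval_s=60):
        self._fetch = fetch_policies       # returns the policy list from the server (assumed)
        self._path = cache_path            # file copy (an HDFS path on the Hadoop platforms)
        self._interval = interval_s
        self._lock = threading.Lock()
        self._policies = None              # memory copy, None until first load
        self._version = 0                  # bumps on every successful pull
        self._stop = threading.Event()

    def refresh(self):
        """One pull. True if fresh policies came from the server, False if the
        cache fell back to its memory or file copy."""
        try:
            fresh = list(self._fetch())
        except Exception:
            with self._lock:
                if self._policies is None:
                    self._policies = self._load_file()
            return False
        tmp = self._path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(fresh, fh, sort_keys=True)
        os.replace(tmp, self._path)        # atomic swap: no half-written file is ever read
        with self._lock:
            self._policies = fresh
            self._version += 1
        return True

    def _load_file(self):
        try:
            with open(self._path, encoding="utf-8") as fh:
                return json.load(fh)
        except (OSError, ValueError):
            return []                      # nothing usable: empty set, so no check can allow

    def policies(self):
        with self._lock:
            if self._policies is None:
                self._policies = self._load_file()
            return list(self._policies)

    def version(self):
        with self._lock:
            return self._version

    def start(self):
        """The pull thread: refresh now, then every interval until stop()."""
        def loop():
            while not self._stop.is_set():
                self.refresh()
                self._stop.wait(self._interval)
        thread = threading.Thread(target=loop, name="policy-pull", daemon=True)
        thread.start()
        return thread

    def stop(self):
        self._stop.set()


def audit_line(tenant, platform, resource_type, resource, right, decision, ts=None):
    """The audit record each integration writes after its check (constructed format)."""
    return json.dumps({"ts": time.time() if ts is None else ts, "tenant": tenant,
                       "platform": platform, "resource_type": resource_type,
                       "resource": resource, "right": right, "decision": decision},
                      sort_keys=True)


def run_demo():
    """Constructed scenario: one good pull, then the server goes down, then a
    fresh process starts while it is still down and must use the file copy."""
    path = os.path.join(tempfile.mkdtemp(), "policies.json")
    state = {"calls": 0}

    def fetch():                           # stands in for the authority management server
        state["calls"] += 1
        if state["calls"] > 1:
            raise ConnectionError("authority management server unreachable")
        return [{"platform": "hdfs", "resource_type": "path", "resource": "/tmp*",
                 "allow": {"tenant_a": ["read", "write"]}}]

    first = PolicyCache(fetch, path)
    results = {"first_pull": first.refresh(), "second_pull": first.refresh(),
               "version": first.version(), "memory_copy": first.policies()}
    restarted = PolicyCache(fetch, path)   # new process, server still down
    results["restart_pull"] = restarted.refresh()
    results["file_copy"] = restarted.policies()
    results["no_file"] = PolicyCache(fetch, path + ".missing").policies()
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    print(audit_line("tenant_a", "hdfs", "path", "/tmp/x", "read", "allow", ts=0))
```

The file copy is written through a temporary file and os.replace so that a check running during a pull never reads a truncated policy file, and a missing or corrupt file degrades to an empty policy set, which under the evaluation order of step S30 can only refuse or delegate, never allow.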
In this embodiment, the above description of integrating big data components related to lithium battery manufacturing industry into a unified rights management framework describes a method for integrating each component into a rights control framework, and in the following, for a tenant, the following rights items with big data components are configured at a rights management server, as shown in table 3:
TABLE 3
Big data platform component    Rights item
hdfs                           Read/write file path /tmp
hbase                          Read table t_sample
hive                           Query database h_sample
yarn                           Submit task to queue sample_queue
Relational database            Query library r_sample
Time series database           Add data to table time_sample
A task submitted by this tenant can only go to the sample_queue queue, only the assigned /tmp directory can be accessed when HDFS is accessed, and data can only be added to the time_sample table when the database is written.
The lithium battery manufacturing industry has many data classifications, and different storage methods, processing methods, and the like are required according to different types of data. For example, production process data is more conveniently stored using a time-stamped time-series database, and result data is more conveniently queried using a relational database, and one skilled in the art can define relationships between tenants, resources, and rights according to specific needs.
As shown in fig. 10, a second embodiment of the present invention proposes a multi-tenant rights management system, the system comprising:
a receiving module 10, configured to receive a resource access request sent by a user, where the resource access request carries tenant information;
the matching module 20 is configured to search a predefined resource isolation policy based on the resource access request to obtain all the matched resource types, where the resource isolation policy abstracts a relationship among a tenant, a resource type, and a right, the resource types are file data resources obtained by abstracting according to an action of a storage platform, and the storage platform includes at least two of a Hadoop system database, a time sequence database, a relational database, a graph database, and an analysis database;
and the access module 30 is used for accessing the storage platform based on all the matched resource types and the access rights of the storage platform corresponding to the resource types.
According to this embodiment, a resource isolation strategy is predefined: the resources managed by each storage platform are abstractly divided according to the actions of that platform, the resource authorities are decomposed and unified, and the relationship among tenants, resource types and authorities is expressed abstractly. A tenant obtains the corresponding data authorities for the resource types of the different storage platforms simply by having the corresponding strategy configured at the authority management server, so unified data authority management and control across the different storage platforms is achieved conveniently and quickly. In addition, the authority management server searches directly for all resources matching the user's resource request and, based on the access authorities of all matched resources and the corresponding storage platforms, completes the authority verification in the compiling stage, which is more efficient.
In an embodiment, the system further comprises a policy configuration module, specifically configured to:
defining file data resources corresponding to different storage platforms, wherein the file data resources comprise file paths, databases, queues, columns, tables, column families, time sequences and indexes;
defining the operation authority of different tenants on the storage platform;
and abstracting the relation among the tenant, the resource type and the operation authority as the resource isolation strategy.
In an embodiment, the operation authority of the tenant to the storage platform is represented by a list AllowACL and a list DenyACL, wherein the list AllowACL describes the condition under which access is allowed, and the list DenyACL describes the condition under which access is refused.
The list DenyACL has higher priority than the list AllowACL; the exclusions (exceptions) of the list DenyACL take priority over the list DenyACL itself, and the exclusions of the list AllowACL take priority over the list AllowACL itself.
In an embodiment, the storage platform comprises at least two of an hdfs platform, an hbase platform, a hive platform, a yarn platform, a relational database, and a time series database.
In one embodiment, the access module 30 is specifically configured to:
1) judging whether the authority corresponding to the matched resource is access refusal (a DenyACL hit); if so, executing step 2), otherwise executing step 3);
2) judging whether the authority of the resource is an exclusion of that refusal; if so, executing step 3), and if not, refusing access;
3) judging whether the authority of the resource is access allowed (an AllowACL hit); if so, executing step 4), otherwise executing step 5);
4) judging whether the authority of the resource is an exclusion of that allowance; if so, executing step 5), and if not, allowing access;
5) denying access, or handing the decision down to the access control layer of the storage platform.
In an embodiment, the storage platform includes a loading module, a policy pulling module, and a rights verification module, wherein:
the loading module is used for loading the permission realization class by utilizing a permission expansion interface of the storage platform or starting a HiveServer2 class loader to load the permission realization class;
the strategy pulling module is used for starting a pulling thread to regularly pull the resource isolation strategy and storing the resource isolation strategy in a file and a memory;
the permission verification module is used for verifying the permission of the tenant after the storage platform receives the access request of the tenant, and carrying out corresponding operation after the verification is passed.
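As an added worked example (not code from the patent or its applicant), the following Python puts together the policy model of the configuration module, the decision steps 1) to 5) of the access module, and the load/pull/verify modules of the storage platform described just above. The JSON policy layout, the class and function names, the cache file and the fetch callable are assumptions; the sample rules are constructed from the rights items of Table 3, with one exclusion per list so that steps 2) and 4) are exercised.

```python
"""Tenant / resource-type / right policy model, the deny-before-allow decision
steps 1)-5), and the plugin-side pull, cache and audit loop.  Added illustration,
not the patent's own code; policy layout, names and cache file are assumptions."""
import fnmatch
import json
import os
import tempfile
import threading
import time

ALLOW, DENY, DEFER = "allow", "deny", "defer"


def rule_matches(rule, tenant, platform, resource_type, resource, action):
    """A rule names a tenant, platform, resource type, a glob over the resource name and actions."""
    return (rule["tenant"] == tenant and rule["platform"] == platform
            and rule["resource_type"] == resource_type
            and fnmatch.fnmatchcase(resource, rule["resource"])
            and action in rule["actions"])


def decide(policy, tenant, platform, resource_type, resource, action):
    """Steps 1)-5): DenyACL, its exclusions, AllowACL, its exclusions, else defer to the platform ACL."""
    key = (tenant, platform, resource_type, resource, action)
    hit = lambda name: any(rule_matches(r, *key) for r in policy.get(name, []))
    if hit("deny") and not hit("deny_exceptions"):    # steps 1) and 2)
        return DENY
    if hit("allow") and not hit("allow_exceptions"):  # steps 3) and 4)
        return ALLOW
    return DEFER                                      # step 5)


class PolicyPlugin:
    """Storage-platform side: the loaded rights implementation class pulls the
    policy regularly, keeps a copy in memory and in a file, and audits."""
    def __init__(self, fetch, cache_path, on_defer=DENY):
        self.fetch = fetch            # callable returning the policy JSON text (assumed)
        self.cache_path = cache_path  # file copy, used while the server is down
        self.on_defer = on_defer      # step 5): DENY, or DEFER to the platform ACL
        self.policy, self.audit, self.lock = {}, [], threading.Lock()
        if os.path.exists(cache_path):
            with open(cache_path) as fh:
                self.policy = json.load(fh)

    def pull_once(self):
        """A fresh server copy replaces memory and file; on failure the cached copy stays in force."""
        try:
            text = self.fetch()
        except OSError:
            return False
        with self.lock:
            self.policy = json.loads(text)
            with open(self.cache_path, "w") as fh:
                fh.write(text)
        return True

    def start(self, interval_s):  # the regular pulling thread
        def loop():
            while True:
                self.pull_once()
                time.sleep(interval_s)
        threading.Thread(target=loop, daemon=True).start()

    def check(self, tenant, platform, resource_type, resource, action):
        with self.lock:
            verdict = decide(self.policy, tenant, platform, resource_type, resource, action)
        verdict = self.on_defer if verdict == DEFER else verdict
        self.audit.append({"tenant": tenant, "platform": platform, "action": action,
                           "resource": f"{resource_type}:{resource}", "result": verdict})
        return verdict


def rule(platform, resource_type, resource, *actions, tenant="t1"):
    return {"tenant": tenant, "platform": platform, "resource_type": resource_type,
            "resource": resource, "actions": list(actions)}


SAMPLE_POLICY = json.dumps({  # constructed policy for tenant t1
    "allow": [rule("hdfs", "path", "/tmp/*", "read", "write"),   # Table 3: read/write /tmp
              rule("hbase", "table", "t_sample", "read"),        # Table 3: read t_sample
              rule("yarn", "queue", "sample_queue", "submit")],  # Table 3: submit to sample_queue
    "allow_exceptions": [rule("hdfs", "path", "/tmp/secret/*", "write")],  # carved out of allow
    "deny": [rule("hbase", "table", "t_*", "read")],                  # every t_* table denied ...
    "deny_exceptions": [rule("hbase", "table", "t_sample", "read")],  # ... except t_sample
})


def demo():
    """Pull from a stand-in server, run checks, then let a plugin whose server is down decide from the file."""
    path = os.path.join(tempfile.mkdtemp(), "policy.json")
    online = PolicyPlugin(lambda: SAMPLE_POLICY, path)
    pulled = online.pull_once()
    def unreachable():
        raise OSError("rights management server down")
    offline = PolicyPlugin(unreachable, path)  # constructor loads the file copy
    checks = [("hdfs", "path", "/tmp/a.csv", "write"), ("hdfs", "path", "/tmp/secret/k", "write"),
              ("hdfs", "path", "/tmp/secret/k", "read"), ("hbase", "table", "t_sample", "read"),
              ("hbase", "table", "t_other", "read"), ("yarn", "queue", "sample_queue", "submit"),
              ("yarn", "queue", "default", "submit")]
    results = {" ".join(c): online.check("t1", *c) for c in checks}
    results["pulled"], results["repulled"] = pulled, offline.pull_once()
    results["offline t_sample read"] = offline.check("t1", "hbase", "table", "t_sample", "read")
    results["audit_records"] = len(online.audit)
    return results
```

`demo()` pulls once, evaluates the checks and then shows a second plugin whose server is unreachable still deciding from the file copy, which is what the file-plus-memory cache of the policy pulling module is for; `start()` is the regular pulling thread. Reading `t_sample` passes because the DenyACL hit on `t_*` is cancelled by its exclusion and the AllowACL then applies, whereas `t_other` is refused at step 2). Step 5) is governed by `on_defer`: the plugin either denies outright or hands the request down to the platform's own ACL, the two outcomes the text names.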
In an embodiment, the storage platform further includes a synchronization module, specifically configured to:
and collecting and synchronizing metadata information of the relational database or the time sequence database to be unified to a MetaStore metadata database of the Hive platform.
When the storage platform is a relational database or a time-series database, the authority control is performed by the MetaStore service of Hive.
It should be noted that the user side pulls the corresponding resource isolation policy from the rights management server and submits big data calculation tasks and access requests to the rights management server.
Rights management server: provides a unified place for distributing tenant policies; the policy implementations of all components must be registered in the rights management system and are presented uniformly.
When receiving a resource access request submitted by a user terminal, the rights management server first searches for the matched resource type, performs a preliminary verification of the access rights to the storage platform based on that resource type, and accesses the storage platform if the verification passes; if the verification does not pass, it issues the resource access request to the storage platform.
Each storage platform: because a task submitted by a tenant may need to access different big data components, each component involved pulls the policy from the server and performs its own verification.
It should be noted that, other embodiments of the multi-tenant authority management system or the implementation method thereof according to the present invention may refer to the above method embodiments, and are not repeated herein.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (10)

1. A multi-tenant rights management method, the method comprising:
receiving a resource access request sent by a user, wherein the resource access request carries tenant information;
searching a predefined resource isolation strategy based on the resource access request to obtain all matched resource types, wherein the resource isolation strategy abstracts the relation among tenants, resource types and authorities, the resource types are file data resources obtained through abstraction according to the action of a storage platform, and the storage platform comprises at least two of a Hadoop system database, a time sequence database, a relation database, a graph database and an analysis database;
and accessing the storage platform based on all the matched resource types and the access rights of the storage platform corresponding to the resource types.
2. The multi-tenant entitlement management method of claim 1, wherein prior to the receiving the user-sent resource access request, the method further comprises:
defining file data resource types corresponding to different storage platforms, wherein the file data resource types comprise file paths, databases, queues, columns, tables, column families, time sequences and indexes;
defining the operation authority of different tenants on the storage platform;
and abstracting the relation among the tenant, the resource type and the operation authority as the resource isolation strategy.
3. The multi-tenant rights management method of claim 2, wherein the defining the operating rights of different tenants for the storage platform comprises:
and using a list AllowACL and a list DenyACL to represent the operation authority of the tenant to the storage platform, wherein the list AllowACL describes the condition under which access is allowed, and the list DenyACL describes the condition under which access is refused.
4. The multi-tenant entitlement management method of claim 3, wherein the list DenyACL has a higher priority than the list AllowACL, wherein the exclusions of the list DenyACL have a higher priority than the list DenyACL, and wherein the exclusions of the list AllowACL have a higher priority than the list AllowACL.
5. The multi-tenant entitlement management method of claim 1, wherein accessing the storage platform based on all matched resource types and access rights of the storage platform to which the resource types correspond comprises:
1) judging whether the authority corresponding to the matched resource is access refusal; if so, executing step 2), otherwise executing step 3);
2) judging whether the authority of the resource is an exclusion of that refusal; if so, executing step 3), and if not, refusing access;
3) judging whether the authority of the resource is access allowed; if so, executing step 4), otherwise executing step 5);
4) judging whether the authority of the resource is an exclusion of that allowance; if so, executing step 5), and if not, allowing access;
5) denying access, or handing the resource access request down to an access control layer of the storage platform.
6. The multi-tenant rights management method of claim 5, wherein after the storage platform receives a tenant's resource access request, the tenant's rights are verified using the pre-pulled resource isolation policy, and a corresponding operation is performed after the verification is passed.
7. The multi-tenant entitlement management method of claim 6, wherein when the storage platform is a Hadoop architecture database, the method further comprises:
loading a permission realization class by utilizing a permission expansion interface of the storage platform;
and starting a pulling thread to regularly pull the resource isolation strategy, and storing the strategy in a file and a memory.
8. The multi-tenant rights management method of claim 6, wherein when the storage platform is a time series database or a relational database or a graph database or an analytical database, the method further comprises:
collecting and synchronizing metadata information of the time sequence database or the relation database or the graph database or the analysis database to be unified to a MetaStore metadata database of the Hive platform;
starting a HiveServer2 class loader to load the authority realization class;
and starting a pulling thread to regularly pull the resource isolation strategy, and storing the strategy in a file and a memory.
9. A multi-tenant rights management system, the system comprising:
the receiving module is used for receiving a resource access request sent by a user, wherein the resource access request carries tenant information;
the matching module is used for searching a predefined resource isolation strategy based on the resource access request to obtain all matched resource types, wherein the resource isolation strategy abstracts the relation among tenants, resource types and authorities, the resource types are file data resources obtained through abstraction according to the action of a storage platform, and the storage platform comprises at least two of a Hadoop system database, a time sequence database, a relational database, a graph database and an analysis type database;
and the access module is used for accessing the storage platform based on all the matched resource types and the access rights of the storage platform corresponding to the resource types.
10. The multi-tenant entitlement management system of claim 9, wherein the system further comprises a policy configuration module to:
defining file data resources corresponding to different storage platforms, wherein the file data resources comprise file paths, databases, queues, columns, tables, column families, time sequences and indexes;
defining the operation authority of different tenants on the storage platform;
and abstracting the relation among the tenant, the resource type and the operation authority as the resource isolation strategy.
CN202310245051.XA 2023-03-09 2023-03-09 Multi-tenant authority management method and system Pending CN116127436A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310245051.XA CN116127436A (en) 2023-03-09 2023-03-09 Multi-tenant authority management method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310245051.XA CN116127436A (en) 2023-03-09 2023-03-09 Multi-tenant authority management method and system

Publications (1)

Publication Number Publication Date
CN116127436A true CN116127436A (en) 2023-05-16

Family

ID=86310193

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310245051.XA Pending CN116127436A (en) 2023-03-09 2023-03-09 Multi-tenant authority management method and system

Country Status (1)

Country Link
CN (1) CN116127436A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116980233A (en) * 2023-09-21 2023-10-31 宝略科技(浙江)有限公司 Authorization verification method, system and medium for discrete data high-frequency access
CN116980233B (en) * 2023-09-21 2024-01-30 宝略科技(浙江)有限公司 Authorization verification method and system for discrete data during high-frequency access

Similar Documents

Publication Publication Date Title
US11449562B2 (en) Enterprise data processing
US11755628B2 (en) Data relationships storage platform
US10248671B2 (en) Dynamic migration script management
US8819068B1 (en) Automating creation or modification of database objects
US7676831B2 (en) Role-based access control management for multiple heterogeneous application components
US20100161577A1 (en) Method of Reconciling Resources in the Metadata Hierarchy
CN114077602B (en) Data migration method and device, electronic equipment and storage medium
CN116127436A (en) Multi-tenant authority management method and system
CN115203750B (en) Hive data authority control and security audit method and system based on Hive plug-in
CN109144978A (en) Right management method and device
CN113434158A (en) User-defined management method, device, equipment and medium for big data component
CN109885642A (en) Classification storage method and device towards full-text search
CN110532279A (en) Big data platform authority control method, device, computer equipment and storage medium
CN113259714B (en) Content distribution processing method and device, electronic equipment and storage medium
Yu et al. Design and implementation of business access control in new generation power grid dispatching and control system
CN112202723A (en) Authority management method and device for big data cluster component
CN107885834B (en) Hadoop big data assembly unified verification system
CN104040537A (en) Systems and methods of automatic generation and execution of database queries
Du et al. A semantic‐aware data generator for ETL workflows
CN117194542A (en) Objectified data management method based on heterogeneous storage technology
George Deciphering the Path to Cost Efficiency and Sustainability in the Snowflake Environment
Kromer Monitor, Manage, and Optimize
Beran et al. SODA a distributed data management framework for the Internet of services
CN117131526A (en) Hive table authority control method and device, computer equipment and storage medium
CN117668811A (en) Offline feature management platform, offline feature management method, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination