CN116484338A - Database access method and device - Google Patents

Database access method and device Download PDF

Info

Publication number
CN116484338A
Authority
CN
China
Prior art keywords
database
user
access
information
web client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310416784.5A
Other languages
Chinese (zh)
Inventor
陈小伟
薛小康
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Oceanbase Technology Co Ltd
Original Assignee
Beijing Oceanbase Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Oceanbase Technology Co Ltd
Priority to CN202310416784.5A
Publication of CN116484338A
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication

Abstract

One or more embodiments of the present disclosure provide a method and an apparatus for accessing a database, which relate to the field of computer technology. In response to an access request of a user for a database, a Uniform Resource Locator (URL) is acquired, wherein the URL is generated by a privileged access management system and carries authentication information of the user and connection configuration information of the database; the URL is parsed to obtain the authentication information and the connection configuration information; the authentication information is sent to the database so that the database verifies the access rights of the user based on it; if the user has the access right to the database, a connection is established with the database according to the connection configuration information so that the user can access the database. The method and the apparatus realize automatic login of the Web client used for database access and automatic configuration of the database connection within the privileged access management system, and effectively reduce the security risk brought by database access.

Description

Database access method and device
Technical Field
One or more embodiments of the present disclosure relate to the field of computer technologies, and in particular, to a method and an apparatus for accessing a database.
Background
Privileged access management (Privileged Access Management, PAM), is a security control mechanism that manages and controls access to sensitive resources such as IT systems, networks, applications, and data. Its goal is to ensure that only authorized users can use the privileged rights while reducing security threats due to improper privileged access.
In the related art, when a database is accessed through a Web client in a privileged access management system, access credentials of the Web client need to be provided, thereby causing a rights management mechanism of the database to be detached from the privileged access management system, which may pose a certain data security risk.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure provide a database access method and apparatus.
In order to achieve the above object, one or more embodiments of the present disclosure provide the following technical solutions:
according to a first aspect of one or more embodiments of the present description, applied to a Web client deployed in a privileged access management system, the method includes:
responding to an access request of a user for a database, acquiring a Uniform Resource Locator (URL), wherein the URL is generated by a privilege access management system and is used for carrying authentication information of the user and connection configuration information of the database;
parsing the URL to obtain the authentication information and the connection configuration information;
transmitting the authentication information to a database so that the database verifies the access rights of the user based on the authentication information;
if the user has the access right of the database, the connection is established with the database according to the connection configuration information so that the user can access the database.
According to a second aspect of one or more embodiments of the present specification, there is provided a database access method applied to a server in which a database is deployed, the method comprising:
responding to an access request of a user for a database, and receiving authentication information of the user sent by a Web client;
verifying the access rights of the user based on the authentication information;
if the user has the access right of the database, responding to the connection configuration information sent by the Web client, and establishing connection with the Web client so that the user accesses the database;
the Web client is deployed in the privileged access management system, the authentication information and the connection configuration information are obtained by the Web client by parsing a URL, and the URL is generated by the privileged access management system and carries the authentication information of the user and the connection configuration information of the database.
According to a third aspect of one or more embodiments of the present specification, there is provided a database access apparatus applied to a Web client deployed in a privileged access management system, the apparatus comprising:
the acquisition module is used for responding to an access request of a user for the database, acquiring a Uniform Resource Locator (URL), wherein the URL is generated by the privilege access management system and is used for carrying authentication information of the user and connection configuration information of the database;
the parsing module is used for parsing the URL to obtain the authentication information and the connection configuration information;
the authentication module is used for sending the identity authentication information to the database so that the database can authenticate the access right of the user based on the identity authentication information;
and the connection module is used for establishing connection with the database according to the connection configuration information if the user has the access right of the database so as to facilitate the user to access the database.
According to a fourth aspect of one or more embodiments of the present specification, there is provided a database access apparatus for application to a server in which a database is deployed, the apparatus comprising:
the receiving module is used for responding to the access request of the user for the database and receiving the authentication information of the user sent by the Web client;
the verification module is used for verifying the access right of the user based on the identity verification information;
the connection module is used for responding to the connection configuration information sent by the Web client and establishing connection with the Web client if the user has the access right of the database so that the user can access the database;
the Web client is deployed in the privileged access management system, the authentication information and the connection configuration information are obtained by the Web client by parsing a URL, and the URL is generated by the privileged access management system and carries the authentication information of the user and the connection configuration information of the database.
According to a fifth aspect of one or more embodiments of the present specification, there is provided an electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements a method as in the first aspect or a method as in the second aspect by executing executable instructions.
According to a sixth aspect of one or more embodiments of the present description, a computer-readable storage medium is presented, on which computer instructions are stored, which instructions, when executed by a processor, implement the steps of the method of the first aspect or the steps of the method of the second aspect.
According to the database access method provided by the specification, the privilege access management system and the Web client for accessing the database are integrated in authority management, and the security of parameter transmission is ensured through the URL, so that the automatic login of the Web client and the automatic configuration of database connection are realized, and the security risk brought by database access is effectively reduced.
Drawings
Fig. 1 is a schematic diagram of a system architecture according to an exemplary embodiment.
Fig. 2 is a flowchart of a method for accessing a database according to an exemplary embodiment.
Fig. 3 is a flow chart of yet another database access method provided by an exemplary embodiment.
Fig. 4 is an interactive flow diagram of a database access method according to an exemplary embodiment.
Fig. 5 is a flowchart of an access right verification method according to an exemplary embodiment.
Fig. 6 is a schematic diagram of an apparatus according to an exemplary embodiment.
Fig. 7 is a schematic structural diagram of a database access apparatus according to an exemplary embodiment.
Fig. 8 is a schematic diagram of a structure of yet another database access apparatus according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with aspects of one or more embodiments of the present description as detailed in the accompanying claims.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
Privileged access management (Privileged Access Management, PAM) is a solution comprising network security policies and access management tools for controlling, monitoring and protecting users with privileged access rights. The privileged access management system can ensure that a privileged account or credential is authorized to perform only the operational actions within its scope in all usage scenarios.
In this description, a privileged access management system may also be understood as a bastion host. The bastion host is a privileged access management security device, typically a jump server, for controlling and monitoring access to internal network resources. Bastion hosts are typically deployed in a separate network area, and only authorized users can reach internal network resources through the bastion host. The main purpose of the bastion host is to provide an extra layer of security that reduces the chance of a malicious attacker entering the internal network.
In a privileged access management system, database privileged access management (Database Privileged Access Management, DPAM) is a privileged access management mechanism that protects sensitive data in a database from unauthorized access and abuse.
With the development of information technology, a database can be accessed remotely through a Web client. Compared with a database client in the traditional desktop application form, the greatest advantage of the Web client is convenience: users can work directly through a web page without installing other software.
Specifically, the database client in the form of the Web application can be displayed to the user through the webpage opened by the browser, and the user can log in the Web client by using the account number, so that operations such as data storage, query and the like for the database are completed through the Web client.
Because the Web client of the database can only be used after logging in, if the Web client in a privileged access management system is logged into by conventionally typing in an account, the rights management of the privileged access management system may be bypassed. For example, a user who has no database access rights in the privileged access management system but steals an account for the Web client can type the access address of the Web client into the browser of any host, enter the Web client with that account, and access the database, thereby creating a risk of data disclosure.
Therefore, the method integrates the authority verification process of the database and the privilege access management system, and the privilege access management system performs unified management on the user authority, so that the safety risk problem caused by non-unified authority management is solved.
Fig. 1 is a schematic diagram of a system architecture according to an exemplary embodiment. The system architecture 100 may be applied to a database access method or a database access apparatus provided in the present specification, including: privileged access management system 101 and database 102.
The user may further launch a Web client corresponding to the database 102 in the privileged access management system 101 by logging into the privileged access management system 101.
It should be noted that the Web client in the embodiments of the present disclosure may be understood as an operating environment or container for a Web program, whose main function is to request from a server the Web resource the user asks for and display that resource in a browser window. For example, the Web client may be a Web browser, a Web application, or the like, which is not limited by the embodiments of the present specification.
Illustratively, the Web client may be a Web browser in the privileged access management system 101, which establishes an access connection with the database 102 when the access address of the database is entered in the address bar of the Web browser, using the method provided in the present specification.
In some embodiments, the Web client may also be an application program encapsulated based on Web technology, where the application program may pass parameters through a URL to implement the database access method provided in the present specification.
A common feature of the Web client is that the user identity needs to be verified when the Web client is started. The user may use the Web client corresponding to the database 102 only if the user passes the authentication (i.e., the user has the access right of the database 102).
The database 102 may be any kind of database, for example, MySQL, Oracle, OceanBase, etc.
In some embodiments, database 102 is deployed on a server capable of communicating with privileged access management system 101.
The server may be a single server, or may be a server cluster or cloud server composed of a plurality of servers. For example, the server may be an interworking server or a background server between a plurality of heterogeneous systems, or may be an independent physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers.
Those skilled in the art will appreciate that the number of privileged access management systems and databases shown in fig. 1 is merely illustrative and that any number of terminals and servers may be provided as desired, and this description is not limiting.
The present exemplary embodiment will be described in detail below with reference to the accompanying drawings and examples.
First, the embodiments of the present specification provide a database access method that can be performed by a Web client deployed in a privileged access management system, the Web client being in network communication with a database.
Fig. 2 is a flowchart of a database access method according to an exemplary embodiment, and as shown in fig. 2, the database access method according to the embodiment of the present disclosure includes the following steps.
S201, a uniform resource locator URL is acquired in response to an access request of a user for a database, and the URL is generated by a privilege access management system and used for carrying authentication information of the user and connection configuration information of the database.
The uniform resource locator (Uniform Resource Locator, URL), also referred to as a web page address, is a standard resource address on the internet.
In some embodiments, URLs may be used to carry and communicate information. Such as authentication information of the user and connection configuration information of the database.
Wherein the authentication information may be an identity token (token) generated by the privileged access management system. After a user logs into the privileged access management system based on conventional means (e.g., a user name and password), the privileged access management system generates an identity token for the user for use in verifying the user's identity in subsequent operations.
The connection configuration information records the parameters needed to access the database, such as database type (Oracle, MySQL, etc.), database user name, database password, default database, host IP/domain name, port, etc. In addition to these general parameters, the embodiments of the present specification reserve an extended configuration field in the connection configuration information to supplement the aforementioned parameters, so that the connection and access of various databases can be accommodated.
Because the number of parameters carried by this information is large, and some of the parameters contain special characters that need to be escaped in a URL, the embodiment of the present disclosure may convert the information into a string (for example, by JSON serialization) and then encode that string (for example, with BASE64 encoding) to generate the URL, so that the URL does not fail because of characters that cannot be escaped correctly.
In some embodiments, since the information carried in the URL generally includes sensitive information such as a database user name, a database password, etc., before the authentication information and the connection configuration information are generated into the URL, encryption processing may be performed in advance to ensure information security.
S202, analyzing the URL to obtain the identity verification information and the connection configuration information.
According to the URL generation mode, in the embodiment of the present specification, the URL is decoded to obtain a string sequence. And then, performing deserialization processing on the character string sequence to obtain the authentication information of the user and the connection configuration information of the database.
In some embodiments, if the authentication information and the connection configuration information obtained by parsing are encrypted, they are decrypted at this point with the same algorithm that was used to encrypt them, so as to obtain the original information.
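The generation and parsing of the carrier URL described in S201 and S202 (serialize, encode, parse back), as an added example that is not code from the patent or from the assignee. The sample token and connection configuration are constructed, the query parameter names `p` and `t` and the Web client address are assumptions, and because the patent only says the payload "may be encrypted", this example stands in an HMAC-SHA256 integrity tag under a shared key (also an assumption) so that a URL altered in transit is rejected rather than silently parsed.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data (not from the patent): a PAM-issued identity token
# and the connection configuration the Web client needs, including the
# reserved extension field. The password deliberately contains characters
# that would break a raw query string.
AUTH_INFO = {"token": "pam-token-0123456789abcdef"}
CONN_CONFIG = {
    "db_type": "MySQL",
    "db_user": "app_reader",
    "db_password": "p&ss=w#rd/with?special+chars",
    "default_db": "inventory",
    "host": "db.internal.example",
    "port": 3306,
    "extended": {"ssl_mode": "REQUIRED"},
}

# Assumption: a key shared by the PAM system and the Web client. The patent's
# optional encryption step is replaced here by an HMAC integrity tag.
SHARED_KEY = b"constructed-demo-key-do-not-use"
WEB_CLIENT_BASE = "https://pam.example/webclient/open"  # assumed address


def build_url(auth_info, conn_config, key=SHARED_KEY):
    """PAM side (S201): JSON-serialize, base64url-encode, attach an HMAC tag."""
    payload = {"auth": auth_info, "conn": conn_config}
    serialized = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    encoded = base64.urlsafe_b64encode(serialized).decode().rstrip("=")
    tag = hmac.new(key, encoded.encode(), hashlib.sha256).hexdigest()
    return f"{WEB_CLIENT_BASE}?{urlencode({'p': encoded, 't': tag})}"


def parse_url(url, key=SHARED_KEY):
    """Web client side (S202): check the tag, decode, deserialize."""
    params = parse_qs(urlsplit(url).query)
    encoded, tag = params["p"][0], params["t"][0]
    expected = hmac.new(key, encoded.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("URL payload failed integrity check")
    padded = encoded + "=" * (-len(encoded) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(padded))
    return payload["auth"], payload["conn"]


def url_is_accepted(url, key=SHARED_KEY):
    """True if the Web client would accept the URL, False if it rejects it."""
    try:
        parse_url(url, key)
    except (ValueError, KeyError):
        return False
    return True


if __name__ == "__main__":
    url = build_url(AUTH_INFO, CONN_CONFIG)
    auth, conn = parse_url(url)
    print("token round-tripped:", auth == AUTH_INFO)
    print("config round-tripped:", conn == CONN_CONFIG)
    print("tampered URL accepted:", url_is_accepted(url.replace("p=", "p=A", 1)))
```

Base64url keeps the payload free of `&`, `=`, `?` and `/`, which is why the password above survives the round trip unchanged; the tag check belongs on the client side before decoding, since a URL is the one part of this flow that passes through browser history and proxy logs.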
And S203, the identity verification information is sent to a database, so that the database verifies the access authority of the user based on the identity verification information.
In some embodiments, the user's access rights are verified by the database querying the privileged access management system with the authentication information.
Specifically, the privileged access management system is provided with a privileged account service module which is used for storing and managing login credentials such as account information, authentication information and the like of the user. If the database inquires that the user corresponding to the authentication information has the access right of the database (namely, the authentication information is valid) in the privileged account service module, the user login information corresponding to the user can be obtained, and the user login information is used for enabling the Web client to be in a login state.
Based on the above verification manner, the present specification keeps rights management unified within the privileged access management system. That is, even if the login information of the Web client or the connection configuration information of the database is leaked, a user who has not been authenticated by the privileged access management system cannot access the database.
In addition, if the account information corresponding to the user login information does not exist in the database, the account information can be automatically created in the database for the user, so that the authority record in the database is consistent with the privilege access management system.
In some embodiments, to further increase the security of the privileged access management system, it may be provided that the authentication information (e.g., identity token) fails after being queried by the database, so as to avoid the risk of data leakage caused by theft of the authentication information.
S204, if the user has the access right of the database, connection is established with the database according to the connection configuration information so that the user can access the database.
In some embodiments, the Web client needs to be in a log-in state before establishing a connection with the database.
Specifically, if the user has access rights to the database, the Web client may receive user login information returned by the database. Based on the user login information, the login of the Web client can be completed.
It should be noted that, only when the Web client is in the login state, the user can access the database through the Web client.
Based on the same inventive concept, the embodiments of the present specification also provide another database access method that may be performed by a server deployed with a database, the server being in network communication with a Web client deployed in a privileged access management system. Fig. 3 is a flowchart of yet another database access method according to an exemplary embodiment, and as shown in fig. 3, the database access method according to the embodiment of the present disclosure includes the following steps.
S301, receiving authentication information of a user sent by a Web client in response to an access request of the user for a database.
S302, based on the identity verification information, verifying the access right of the user.
S303, if the user has the access right of the database, connection is established with the Web client in response to the connection configuration information sent by the Web client so that the user can access the database.
The Web client is deployed in the privileged access management system, the authentication information and the connection configuration information are obtained by the Web client by parsing a URL, and the URL is generated by the privileged access management system and carries the authentication information of the user and the connection configuration information of the database.
In some embodiments, the URL is generated by the privileged access management system after serializing and encoding the identity information and the connection configuration information.
In some embodiments, the authentication information includes an identity token generated by the privileged access management system, which is invalidated after being queried by the database.
In some embodiments, the database may also return user login information to the Web client to cause the Web client to complete login based on the user login information, the user login information being obtained by the database after verifying the user's access rights.
In some embodiments, based on the authentication information, the way to verify the access rights of the user may be: inquiring whether the identity verification information is valid or not in the privilege access management system; if so, the user has access to the database.
The above description of the embodiment shown in fig. 3 is intended to emphasize the differences from the embodiment shown in fig. 2, where the same or similar parts may be referred to each other, and for brevity, this description will not be repeated here.
According to the database access method provided by the specification, the privilege access management system is integrated with the Web client of the database in authority management, and the security of parameter transmission is ensured through the URL, so that the automatic login of the Web client and the automatic configuration of database connection are realized, and the security risk brought by database access is effectively reduced.
The following describes the interaction flow of the database access method in the embodiment of the present specification in detail with reference to fig. 4.
Fig. 4 is an interactive flow diagram of a database access method according to an exemplary embodiment. In fig. 4, for clarity, the privileged access management system, web client, database, and privileged account service module will be shown as different principals. In practical applications, the Web client is a Web client deployed in a privileged access management system, which may be started by a Web browser in the privileged access management system. The privileged account service module is a sub-module in the privileged access management system that is typically deployed on the same server as the privileged access management system. The database is deployed on a server separate from the privileged access management system, which may communicate with the privileged access management system over a network.
Specifically, the interactive flow of the database access method in the present specification includes the following steps.
S401, a user logs in a privilege access management system.
S402, the privileged access management system starts a Web client (e.g., web browser) and passes a URL thereto.
S403, the Web client parses the URL to obtain the authentication information and the connection configuration information.
S404, the Web client sends the authentication information to the database.
S405, the database verifies the identity of the user in the privileged account service module based on the identity verification information.
S406, the privileged account service module returns the verification result and the user login information to the database.
S407, if the account corresponding to the user login information does not exist in the database, automatically creating the account.
And S408, the database returns the user login information to the Web client so that the Web client is in a login state.
S409, the Web client requests the current user information, such as user name, nickname, etc., from the database.
S410, the database returns the current user information to the Web client.
S411, the Web client establishes connection with the database according to the connection configuration information.
And S412, the database returns a connection establishment result to the Web client.
So far, if the Web client side successfully establishes connection with the database, the user can further access the database through the Web client side.
The database access method and the interaction flow thereof are described in detail respectively, and for the sake of understanding, the access right verification section involved therein will be further described.
Fig. 5 is a flowchart of an access right verification method according to an exemplary embodiment.
As shown in fig. 5, the access right verification method includes the following steps.
S501, constructing an identity inquiry message by a database, wherein the message is used for carrying identity verification information.
S502, the database sends the identity inquiry message to the privileged access management system.
S503, the database judges whether the user login information was obtained successfully; if so, S504 is executed, otherwise S505 is executed. The user login information is returned to the database only after the privileged access management system has confirmed, through the authentication information, that the user has access rights.
And S504, the database further returns the user login information to the Web client so that the Web client can successfully log in.
S505, the user does not have access rights, and the Web client login fails.
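The verification exchange of figs. 4 and 5 (S401 token issue, S404/S405 identity query, S407 account auto-creation, S504/S505 success or failure) and the single-use token of the earlier embodiments, as an added example that is not code from the patent or from the assignee. The three parties are modelled as in-process classes; the `LoginInfo` fields, the `verify`/`verify_access` method names and the rule that a token is consumed on its first query regardless of outcome are assumptions, and the user and database names are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass
class LoginInfo:
    """What the PAM returns once a token checks out (field names assumed)."""
    user_name: str
    nickname: str


class PrivilegedAccountService:
    """The PAM's privileged account service module: credentials and live tokens."""

    def __init__(self):
        self._accounts = {}      # user_name -> (nickname, set of permitted databases)
        self._live_tokens = {}   # token -> user_name; removed as soon as queried

    def register(self, user_name, nickname, databases):
        self._accounts[user_name] = (nickname, set(databases))

    def login(self, user_name):
        """S401: after conventional login the PAM issues an identity token."""
        token = secrets.token_urlsafe(24)
        self._live_tokens[token] = user_name
        return token

    def verify(self, token, database_name):
        """S405/S502: answer the database's identity query. The token is
        single-use (assumption: consumed even when the check fails)."""
        user_name = self._live_tokens.pop(token, None)
        if user_name is None:
            return None
        nickname, allowed = self._accounts[user_name]
        if database_name not in allowed:
            return None
        return LoginInfo(user_name, nickname)


class DatabaseServer:
    """Server hosting the database; it trusts only the PAM's answer, never
    credentials presented directly by the Web client."""

    def __init__(self, name, pam):
        self.name = name
        self._pam = pam
        self.accounts = set()    # database-side account records

    def verify_access(self, token):
        """S301/S302 and S501-S505: query the PAM, create the account if missing."""
        login_info = self._pam.verify(token, self.name)
        if login_info is None:
            return None          # S505: no access, Web client login fails
        if login_info.user_name not in self.accounts:
            self.accounts.add(login_info.user_name)   # S407: auto-create account
        return login_info        # S504: returned to the Web client


def web_client_login(db, token):
    """S404/S408: the Web client forwards the token and ends up logged in or not."""
    info = db.verify_access(token)
    return {"logged_in": info is not None, "user": info.user_name if info else None}


if __name__ == "__main__":
    pam = PrivilegedAccountService()
    pam.register("alice", "Alice Example", ["inventory"])   # constructed users
    pam.register("bob", "Bob Example", ["hr"])
    inventory = DatabaseServer("inventory", pam)

    token = pam.login("alice")
    print("first use:", web_client_login(inventory, token))     # logged in
    print("replayed:", web_client_login(inventory, token))      # rejected
    print("wrong db:", web_client_login(inventory, pam.login("bob")))
    print("accounts:", inventory.accounts)                      # {'alice'}
```

The point worth checking in a real deployment is the second call: a token that leaked through the URL must not be usable a second time, and the database must answer "no" to any token it cannot confirm with the PAM, including tokens for users who exist but lack rights on this particular database.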
Fig. 6 is a schematic diagram of an apparatus according to an exemplary embodiment. Referring to fig. 6, at the hardware level the device includes a processor 602, an internal bus 604, a network interface 606, a memory 608, and a non-volatile storage 610, although other hardware required by other services is possible. One or more embodiments of the present description may be implemented in software, for example by the processor 602 reading a corresponding computer program from the non-volatile storage 610 into the memory 608 and then running it. Of course, in addition to a software implementation, one or more embodiments of the present disclosure do not exclude other implementation manners, such as a logic device or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to logic units, but may also be hardware or a logic device.
Referring to fig. 7, fig. 7 provides a database access apparatus 700, which may be applied to the device shown in fig. 6 to implement the technical solution of the present specification. The database access device 700 may include:
An acquiring module 701, configured to acquire a uniform resource locator (URL) in response to an access request of a user for a database, where the URL is generated by the privileged access management system and is used to carry the authentication information of the user and the connection configuration information of the database.
A parsing module 702, configured to parse the URL to obtain the authentication information and the connection configuration information.
A verification module 703, configured to send the authentication information to the database, so that the database verifies the access rights of the user based on the authentication information.
A connection module 704, configured to establish a connection with the database according to the connection configuration information if the user has access rights to the database, so that the user can access the database.
In some embodiments, parsing module 702 may be used to: decoding the URL to obtain a character string sequence; and performing deserialization processing on the character string sequence to obtain authentication information of the user and connection configuration information of the database.
In some embodiments, the connection module 704 may also be used to: receiving user login information returned by the database, wherein the user login information is obtained by the database after the access authority of the user is verified; and finishing the login of the Web client based on the user login information.
In some embodiments, the authentication information includes an identity token generated by the privileged access management system, which is invalidated after being queried by the database.
In some embodiments, the user's access rights are verified by the database querying the privileged access management system about the authentication information.
Referring to fig. 8, fig. 8 provides another database access apparatus 800, which may be applied to the device shown in fig. 6 to implement the technical solution of the present specification. The database access apparatus 800 may include:
a receiving module 801, configured to receive the authentication information of a user sent by a Web client in response to an access request of the user for the database;
a verification module 802, configured to verify the access rights of the user based on the authentication information;
a connection module 803, configured to, if the user has access rights to the database, establish a connection with the Web client in response to the connection configuration information sent by the Web client, so that the user can access the database;
where the Web client is deployed in the privileged access management system, the authentication information and the connection configuration information are obtained by the Web client by parsing a URL, and the URL is generated by the privileged access management system and is used to carry the authentication information of the user and the connection configuration information of the database.
In some embodiments, the URL is generated by the privileged access management system after serializing and encoding the authentication information and the connection configuration information.
In some embodiments, the connection module 803 is further to: and returning user login information to the Web client so that the Web client can complete login based on the user login information, wherein the user login information is obtained by the database after the access authority of the user is verified.
In some embodiments, the authentication information includes an identity token generated by the privileged access management system, which is invalidated after being queried by the database.
In some embodiments, the verification module 802 is configured to: query the privileged access management system whether the authentication information is valid; if so, the user has access rights to the database.
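The two apparatuses above, together with steps S503 to S505, describe one exchange: the privileged access management system serializes and encodes the authentication information and the connection configuration into a URL, the Web client decodes and deserializes it, the database verifies the identity token by querying the privileged access management system (which invalidates the token on that first query), and only after login information comes back is the connection established. The Python sketch below is an added example and not the patent's or OceanBase's code; the class and function names, the JSON-plus-base64 serialization and encoding, the query parameter `p`, and the host and connection values are all assumptions.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class PrivilegedAccessManager:
    """Assumed PAM side: serializes then encodes the URL payload and answers the
    database's validity query; a token is invalidated once it has been queried."""

    def __init__(self):
        self._tokens = {}  # token -> user; constructed in-memory store

    def generate_url(self, user, conn_cfg):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        payload = {"auth": {"user": user, "token": token}, "conn": conn_cfg}
        serialized = json.dumps(payload, sort_keys=True)  # serialize
        encoded = base64.urlsafe_b64encode(serialized.encode()).decode()  # encode
        return "https://pam.example/webclient?" + urlencode({"p": encoded})

    def query_token(self, token):
        # pop() consumes the token, so a replayed token is not found
        return self._tokens.pop(token, None)


class DatabaseServer:
    """Assumed database side: verifies with the PAM, then accepts a connection."""

    def __init__(self, pam, expected_cfg):
        self._pam = pam
        self._expected_cfg = expected_cfg  # the deployment's own connection config
        self._logins = {}  # login_id -> user, issued by verify_access

    def verify_access(self, auth):
        """Return user login information, or None when the user has no access."""
        user = self._pam.query_token(auth.get("token", ""))
        if user is None or user != auth.get("user"):
            return None
        login = {"user": user, "login_id": secrets.token_hex(8)}
        self._logins[login["login_id"]] = user
        return login

    def connect(self, conn_cfg, login):
        """Establish the session only for a verified login and a matching config."""
        if self._logins.pop(login.get("login_id"), None) != login.get("user"):
            return None
        if conn_cfg != self._expected_cfg:
            return None
        return {"user": login["user"], "database": conn_cfg["database"]}


def parse_url(url):
    """Web client side: decode the URL, then deserialize the string (claim 2)."""
    encoded = parse_qs(urlsplit(url).query)["p"][0]
    serialized = base64.urlsafe_b64decode(encoded.encode()).decode()
    payload = json.loads(serialized)
    return payload["auth"], payload["conn"]


def web_client_access(url, db):
    """S503-S505: verify before connecting; None means the login failed."""
    auth, conn_cfg = parse_url(url)
    login = db.verify_access(auth)  # S503: did the database obtain login info?
    if login is None:
        return None  # S505: no access rights, Web client login fails
    return db.connect(conn_cfg, login)  # S504: log in and connect
```

Calling `web_client_access` twice with the same URL shows the single-use property: the second call returns None because the first query consumed the token.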
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The foregoing description of the preferred embodiment(s) is (are) merely intended to illustrate the embodiment(s) of the present invention, and it is not intended to limit the embodiment(s) of the present invention to the particular embodiment(s) described.

Claims (14)

1. A database access method applied to a Web client deployed in a privileged access management system, the method comprising:
responding to an access request of a user for a database, acquiring a Uniform Resource Locator (URL), wherein the URL is generated by the privilege access management system and is used for carrying authentication information of the user and connection configuration information of the database;
parsing the URL to obtain the authentication information and the connection configuration information;
transmitting the authentication information to the database so that the database verifies the access rights of the user based on the authentication information;
if the user has the access right of the database, establishing connection with the database according to the connection configuration information so that the user accesses the database.
2. The method of claim 1, wherein the parsing the URL to obtain the authentication information of the user and the connection configuration information of the database includes:
decoding the URL to obtain a character string sequence;
and performing deserialization processing on the character string sequence to obtain the authentication information of the user and the connection configuration information of the database.
3. The method of claim 1, prior to said establishing a connection with said database according to said connection configuration information, said method further comprising:
receiving user login information returned by the database, wherein the user login information is obtained by the database after the access authority of the user is verified;
and finishing the login of the Web client based on the user login information.
4. The method of claim 1, the authentication information comprising an identity token generated by the privileged access management system, the identity token being invalidated upon being queried by the database.
5. The method of claim 1, wherein the user's access rights are verified by the database querying the privileged access management system for the authentication information.
6. A database access method applied to a server, the server having a database deployed therein, the method comprising:
receiving authentication information of a user sent by a Web client in response to an access request of the user for the database;
verifying the access rights of the user based on the authentication information;
if the user has the access right of the database, establishing a connection with the Web client in response to the connection configuration information sent by the Web client so that the user accesses the database;
wherein the Web client is deployed in a privileged access management system, the authentication information and the connection configuration information are obtained by the Web client by parsing a URL, and the URL is generated by the privileged access management system and is used for carrying the authentication information of the user and the connection configuration information of the database.
7. The method of claim 6, wherein the URL is generated by the privileged access management system after serializing and encoding the identity information and the connection configuration information.
8. The method of claim 6, further comprising, prior to said establishing a connection with said Web client in response to said connection configuration information sent by said Web client:
and returning user login information to the Web client so that the Web client can complete login based on the user login information, wherein the user login information is obtained by the database after the access authority of the user is verified.
9. The method of claim 6, the authentication information comprising an identity token generated by the privileged access management system, the identity token being invalidated upon being queried by the database.
10. The method of claim 6, the verifying the access rights of the user based on the authentication information, comprising:
querying the privileged access management system whether the authentication information is valid;
and if it is valid, the user has the access right of the database.
11. A database access apparatus for use with a Web client deployed in a privileged access management system, the apparatus comprising:
an acquisition module, configured to acquire a Uniform Resource Locator (URL) in response to an access request of a user for a database, wherein the URL is generated by the privileged access management system and is used for carrying the authentication information of the user and the connection configuration information of the database;
a parsing module, configured to parse the URL to obtain the authentication information and the connection configuration information;
a verification module, configured to send the authentication information to the database so that the database verifies the access right of the user based on the authentication information;
and a connection module, configured to establish a connection with the database according to the connection configuration information if the user has the access right of the database, so that the user can access the database.
12. A database access apparatus for use with a server in which a database is deployed, the apparatus comprising:
a receiving module, configured to receive the authentication information of a user sent by a Web client in response to an access request of the user for the database;
a verification module, configured to verify the access right of the user based on the authentication information;
a connection module, configured to establish a connection with the Web client in response to the connection configuration information sent by the Web client if the user has the access right of the database, so that the user can access the database;
wherein the Web client is deployed in a privileged access management system, the authentication information and the connection configuration information are obtained by the Web client by parsing a URL, and the URL is generated by the privileged access management system and is used for carrying the authentication information of the user and the connection configuration information of the database.
13. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any one of claims 1 to 5, or the method of any one of claims 6 to 10, by executing the executable instructions.
14. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method of any of claims 1 to 5 or the steps of the method of any of claims 6 to 10.
CN202310416784.5A 2023-04-18 2023-04-18 Database access method and device Pending CN116484338A (en)

Publications (1)

Publication Number Publication Date
CN116484338A true CN116484338A (en) 2023-07-25

Family

ID=87224551

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117411729A (en) * 2023-12-14 2024-01-16 深圳竹云科技股份有限公司 Oracle database login method, device, computer equipment and medium
CN117435661A (en) * 2023-12-21 2024-01-23 深圳竹云科技股份有限公司 Database connection configuration method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40093278
Country of ref document: HK