CN116541863A - File system authority authentication mode compatible with IP and ID - Google Patents


Info

Publication number: CN116541863A
Authority: CN (China)
Prior art keywords: user, read, access, client, rights
Legal status: Pending
Application number: CN202310535586.0A
Other languages: Chinese (zh)
Inventors: 胡川川, 张文涛
Current assignee: Beijing Yanrong Technology Co ltd
Original assignee: Beijing Yanrong Technology Co ltd
Application filed by Beijing Yanrong Technology Co ltd; priority to CN202310535586.0A; published as CN116541863A
Classifications

    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/31 User authentication
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/101 Access control lists [ACL]
    • H04L63/105 Multiple levels of security
    • H04L9/40 Network security protocols
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a file system authority authentication mode compatible with IP and ID, which comprises the following steps: S1, an administrator (admin) creates ID1 and ID2 at the storage server and sets the access rights of ID1 and ID2 to read-write and read-only respectively; S2, the administrator sets a client IP at the storage server: 192.168.0.10 (read-write, read-only or access denied). The invention relates to the technical field of file systems. The authentication mode compatible with IP and ID realizes finer-grained user rights: different users on the same client can access the cluster with different IDs and thereby obtain different access rights, which provides a more flexible authentication mode. When a user authenticates, if an ID is specified the storage server performs ID authentication; if no ID is specified the storage server performs IP authentication. The user chooses whether to specify an ID, and thereby whether ID authentication or IP authentication is performed.

Description

File system authority authentication mode compatible with IP and ID
Technical Field
The invention relates to the technical field of file systems, in particular to a file system authority authentication mode compatible with IP and ID.
Background
Almost any system in which users participate involves rights management. Rights management belongs to the field of system security: it controls how users access the system so that, according to the security rules or security policy, a user can access the authorized resources and only those resources. Rights management consists of two parts, user identity authentication and authorization (authentication and authorization for short). A user of a resource subject to access control is first authenticated, and only after authentication passes does the user hold the access right to the resource.
Identity authentication is the process of determining whether a user is a legitimate user. The most common simple identity authentication method is for the system to check whether the user name and password entered by the user match the user name and password stored in the system.
A conventional file system uses only IP authentication; its flowchart is shown in FIG. 1. Its disadvantage is that finer-grained rights management cannot be performed for multiple users under the same IP. For example, if user A and user B access the file storage on client 192.168.0.10 at the same time, the access rights of user A and user B can only be the rights of IP 192.168.0.10. If user A's right to access the storage is to differ from user B's (e.g., user A uses read-write rights and user B uses read-only rights), a conventional IP rights authenticator cannot do this. This is the object of our patent.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a file system authority authentication mode compatible with IP and ID, and solves the problem that a traditional file system uses only IP authentication.
To achieve the above purpose, the invention is realized by the following technical scheme. A file system authority authentication mode compatible with IP and ID comprises the following steps:
S1, an administrator (admin) creates ID1 and ID2 at the storage server and sets the access rights of ID1 and ID2 to read-write and read-only respectively;
S2, the administrator sets a client IP at the storage server: 192.168.0.10 (read-write, read-only or access denied);
S3, user A (or user B) specifies ID1 (or ID2) to access the storage on the node with client IP 192.168.0.10 and sends an authentication request to the storage server;
S4, after receiving the access request of user A (or user B), the storage server authenticates ID1 (or ID2) and returns the read-write (or read-only) access right to the client;
S5, after receiving the storage server's response, user A (or user B) starts to access the storage in read-write (or read-only) mode;
S6, returning to step S3, if user A (or user B) accesses the storage without specifying an ID, an authentication request is sent to the storage server;
S7, after the storage server receives the access request of user A (or user B), if the authentication request does not specify an ID, the storage server authenticates the client IP 192.168.0.10 and returns the client's corresponding access right (read-write, read-only or access denied);
S8, after receiving the right returned by the storage server, user A (or user B) starts to access the storage with the right corresponding to the IP.
Preferably, in step S1, the naming rule of an ID is: any of letters, digits, '-', '_' and '+', with a maximum length of 255 bytes. The administrator (admin) is responsible for maintaining IDs (creation and deletion) and allocating rights.
Preferably, in step S1, each ID corresponds to its own access right, which is mainly one of: read-write, read-only and access denied. A user can use different IDs to obtain different rights to access the storage more flexibly.
Preferably, in step S2, when the user mounts the storage on the client, if an ID is specified the server preferentially uses ID authentication and returns the access right corresponding to the client's ID. If the user does not specify an ID when mounting the storage, the server authenticates by IP and returns the right corresponding to the client's IP.
Advantageous effects
The invention provides a file system authority authentication mode compatible with IP and ID. Compared with the prior art, the method has the following beneficial effects:
(1) The authentication mode compatible with IP and ID realizes finer-grained user rights. Different users on the same client can access the cluster with different IDs and thereby obtain different access rights.
(2) The authentication mode compatible with IP and ID provides a more flexible authentication mode. When a user authenticates, if an ID is specified the storage server performs ID authentication; if no ID is specified the storage server performs IP authentication. The user chooses whether to specify an ID, and thereby whether ID authentication or IP authentication is performed.
Drawings
FIG. 1 is a flow chart of a conventional file system of the present invention;
FIG. 2 is a schematic diagram of ID management of the present invention;
FIG. 3 is a flow chart of the IP and ID compatible authentication of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to FIG. 1 to FIG. 3, the present invention provides the following technical solution. A file system authority authentication mode compatible with IP and ID comprises the following steps:
S1, an administrator (admin) creates ID1 and ID2 at the storage server and sets the access rights of ID1 and ID2 to read-write and read-only respectively;
S2, the administrator sets a client IP at the storage server: 192.168.0.10 (read-write, read-only or access denied);
S3, user A (or user B) specifies ID1 (or ID2) to access the storage on the node with client IP 192.168.0.10 and sends an authentication request to the storage server;
S4, after receiving the access request of user A (or user B), the storage server authenticates ID1 (or ID2) and returns the read-write (or read-only) access right to the client;
S5, after receiving the storage server's response, user A (or user B) starts to access the storage in read-write (or read-only) mode;
S6, returning to step S3, if user A (or user B) accesses the storage without specifying an ID, an authentication request is sent to the storage server;
S7, after the storage server receives the access request of user A (or user B), if the authentication request does not specify an ID, the storage server authenticates the client IP 192.168.0.10 and returns the client's corresponding access right (read-write, read-only or access denied);
S8, after receiving the right returned by the storage server, user A (or user B) starts to access the storage with the right corresponding to the IP. Content not described in detail in this specification belongs to the prior art known to those skilled in the art.
In the present invention, in step S1, the naming rule of an ID is: any of letters, digits, '-', '_' and '+', with a maximum length of 255 bytes. The administrator (admin) is responsible for maintaining IDs (creation and deletion) and allocating rights, and in S1 each ID corresponds to its own access right, which is mainly one of: read-write, read-only and access denied. In S2, when the user mounts the storage on the client, if an ID is specified the server preferentially uses ID authentication and returns the access right corresponding to the client's ID. If the user does not specify an ID when mounting the storage, the server authenticates by IP and returns the right corresponding to the client's IP.
The administrator maintains the rights of client IDs in a unified way, including adding, updating, deleting and viewing the rights of a given ID, as shown in FIG. 2.
Once an ID has been given a right, the client can log in and authenticate with that ID. When the server performs rights authentication it first determines whether the user specified an ID; if an ID is present, the access right of that ID is looked up in the ID rights rule list and returned to the client. If the user did not specify an ID, the client IP is obtained, the access right of that IP is looked up in the IP rights rule list and returned to the client. The server's rights authentication flow is shown in FIG. 3.
Traditional distributed file storage (such as NFS) provides only IP-mode authentication: a user accessing the cluster from a client can only use the rights of that client's IP. If there are multiple users on the client and each is expected to have different rights to access the storage, conventional file storage cannot meet the requirement. This patent aims to solve that problem and proposes an authentication mode compatible with both IP and ID.
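The two rule lists of FIG. 2 and the server-side decision of FIG. 3 (steps S1 to S8 above), written here as an added example; this is not the patent's own code, and the names `Right`, `StorageServer`, `valid_id_name` and `demo` are assumed. The page does not say what happens for an ID or IP that has no rule; the example assumes both are denied and that an unknown ID does not fall back to the IP rule.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Right(Enum):
    """The three access rights the page assigns to an ID or a client IP."""
    READ_WRITE = "read-write"
    READ_ONLY = "read-only"
    DENIED = "access denied"


# Naming rule from the page: letters, digits, '-', '_', '+', at most 255 bytes.
_ID_RE = re.compile(r"^[A-Za-z0-9_+-]+$")


def valid_id_name(name: str) -> bool:
    return bool(_ID_RE.match(name)) and len(name.encode("utf-8")) <= 255


@dataclass
class StorageServer:
    """Holds the two rule lists the admin maintains: one keyed by ID, one by client IP."""
    id_rules: Dict[str, Right] = field(default_factory=dict)
    ip_rules: Dict[str, Right] = field(default_factory=dict)

    # Admin operations (add/update/delete a rule); viewing is reading the dicts.
    def set_id_right(self, id_name: str, right: Right) -> None:
        if not valid_id_name(id_name):
            raise ValueError(f"invalid ID name: {id_name!r}")
        self.id_rules[id_name] = right

    def delete_id(self, id_name: str) -> None:
        self.id_rules.pop(id_name, None)

    def set_ip_right(self, ip: str, right: Right) -> None:
        # Normalise the textual address so lookups are not defeated by formatting.
        self.ip_rules[str(ipaddress.ip_address(ip))] = right

    # Authentication flow: ID authentication if the mount specified an ID,
    # otherwise IP authentication.
    def authenticate(self, client_ip: str, id_name: Optional[str] = None) -> Right:
        if id_name is not None:
            # Assumption (not stated on the page): an unknown ID is denied and
            # does not fall back to the client's IP rule.
            return self.id_rules.get(id_name, Right.DENIED)
        try:
            key = str(ipaddress.ip_address(client_ip))
        except ValueError:
            return Right.DENIED  # malformed address: fail closed (assumption)
        return self.ip_rules.get(key, Right.DENIED)


def demo() -> Dict[str, Right]:
    """Steps S1 to S8 on one client, 192.168.0.10, with users A and B (constructed scenario)."""
    srv = StorageServer()
    srv.set_id_right("ID1", Right.READ_WRITE)          # S1
    srv.set_id_right("ID2", Right.READ_ONLY)           # S1
    srv.set_ip_right("192.168.0.10", Right.READ_ONLY)  # S2: admin picks read-only for the IP
    return {
        "A_with_ID1": srv.authenticate("192.168.0.10", "ID1"),  # S3-S5: read-write
        "B_with_ID2": srv.authenticate("192.168.0.10", "ID2"),  # S3-S5: read-only
        "A_no_ID": srv.authenticate("192.168.0.10"),            # S6-S8: IP rule applies
        "unknown_ID": srv.authenticate("192.168.0.10", "ID9"),  # assumption: denied
        "unknown_IP": srv.authenticate("10.0.0.5"),             # assumption: denied
    }


if __name__ == "__main__":
    for case, right in demo().items():
        print(f"{case}: {right.value}")
```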
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (4)

1. A file system authority authentication mode compatible with IP and ID, characterized in that the method comprises the following steps:
S1, an administrator (admin) creates ID1 and ID2 at the storage server and sets the access rights of ID1 and ID2 to read-write and read-only respectively;
S2, the administrator sets a client IP at the storage server: 192.168.0.10 (read-write, read-only or access denied);
S3, user A (or user B) specifies ID1 (or ID2) to access the storage on the node with client IP 192.168.0.10 and sends an authentication request to the storage server;
S4, after receiving the access request of user A (or user B), the storage server authenticates ID1 (or ID2) and returns the read-write (or read-only) access right to the client;
S5, after receiving the storage server's response, user A (or user B) starts to access the storage in read-write (or read-only) mode;
S6, returning to step S3, if user A (or user B) accesses the storage without specifying an ID, an authentication request is sent to the storage server;
S7, after the storage server receives the access request of user A (or user B), if the authentication request does not specify an ID, the storage server authenticates the client IP 192.168.0.10 and returns the client's corresponding access right (read-write, read-only or access denied);
S8, after receiving the right returned by the storage server, user A (or user B) starts to access the storage with the right corresponding to the IP.
2. The file system authority authentication mode compatible with IP and ID according to claim 1, characterized in that: in step S1, the naming rule of an ID is: any of letters, digits, '-', '_' and '+', with a maximum length of 255 bytes. The administrator (admin) is responsible for maintaining IDs (creation and deletion) and allocating rights.
3. The file system authority authentication mode compatible with IP and ID according to claim 1, characterized in that: in step S1, each ID corresponds to its own access right, which is mainly one of: read-write, read-only and access denied. A user can use different IDs to obtain different rights to access the storage more flexibly.
4. The file system authority authentication mode compatible with IP and ID according to claim 1, characterized in that: in step S2, when the user mounts the storage on the client, if an ID is specified the server preferentially uses ID authentication and returns the access right corresponding to the client's ID. If the user does not specify an ID when mounting the storage, the server authenticates by IP and returns the right corresponding to the client's IP.

Priority Applications (1)

Application number: CN202310535586.0A; priority date: 2023-05-12; filing date: 2023-05-12; title: File system authority authentication mode compatible with IP and ID; status: Pending

Publications (1)

Publication number: CN116541863A; publication date: 2023-08-04

Family

ID=87446680

Country Status (1)

CN: CN116541863A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination