CN116611088A - Data access authority control method, device, equipment and readable storage medium - Google Patents


Info

Publication number
CN116611088A
Authority
CN
China
Prior art keywords
authentication
operation command
client
data access
information
Prior art date
Legal status
Pending
Application number
CN202310597779.9A
Other languages
Chinese (zh)
Inventor
冯春锋
赵辉
潘丹
Current Assignee
Du Xiaoman Technology Beijing Co Ltd
Original Assignee
Du Xiaoman Technology Beijing Co Ltd
Priority date
Filing date
Publication date
Application filed by Du Xiaoman Technology Beijing Co Ltd
Priority to CN202310597779.9A
Publication of CN116611088A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/604: Tools and structures for managing or administering access control systems
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45: Structures or tools for the administration of authentication
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application discloses a data access right control method, a device, equipment and a readable storage medium, which are based on a client and a server built into a data service component, wherein the method comprises the following steps: the server intercepts an operation command directed at a database and sent by the client; determining the operation type of the operation command to generate an authentication request containing the operation type for authenticating the operation command; determining authentication information corresponding to the authentication request according to the operation type; invoking an authentication operation corresponding to the authentication information to perform table field level authentication processing, and acquiring an authentication result; and returning the authentication result to the client so that the client can perform operation scheduling according to the authentication result. The application can solve the problem of incompatibility among different authority control components, and can authenticate operation instructions of every type to ensure the security of data access.

Description

Data access authority control method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for controlling data access rights.
Background
As requirements for data identity authentication become stricter, the classification of access identities becomes finer, and data access authentication is no longer only identity authentication of access paths but also security verification down to the table and field level. At present, the industry's authentication processing has various security weaknesses: reusing open-source components to implement authentication leaves many syntax incompatibilities, so authentication is not thorough; in the Zeppelin-based authentication mode, after authentication fails, the user is directly given the highest authority so that tasks that do have permission can still run normally, which amplifies identity authority without limit and cannot guarantee data security; and other authentication modes suffer from complex logic, large memory occupation, poor universality and the like, cannot fully meet the requirements of secure data access, and easily cause frequent data security incidents that disturb stable market order.
In summary, how to implement a fully compatible data authentication scheme and ensure data security is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The embodiment of the application provides a data access authority control method, a device, a system, electronic equipment and a computer storage medium, which can solve the problem of incompatibility among different authority control components and authenticate operation instructions of every type to ensure the security of data access.
The first aspect of the embodiment of the application provides a data access right control method, which is based on a client and a server built into a data service component, and comprises the following steps:
the server intercepts an operation command aiming at a database sent by the client;
determining the operation type of the operation command to generate an authentication request containing the operation type for authenticating the operation command;
determining authentication information corresponding to the authentication request according to the operation type;
invoking an authentication operation corresponding to the authentication information to perform table field level authentication processing, and acquiring an authentication result;
and returning the authentication result to the client so that the client can perform operation scheduling according to the authentication result.
Optionally, invoking the authentication operation corresponding to the authentication information to perform table field level authentication processing includes:
if the operation type is a non-compatible syntax read operation, performing syntax tree analysis on the operation command, extracting corresponding first authentication information, packaging the first authentication information into data that the authentication platform can recognize, and sending the packaged first authentication information to the authentication platform for table field level authentication processing;
and if the operation type is a compatible syntax read-write operation, extracting second authentication information indicating whether the operation type is a query operation, and sending the second authentication information to the authentication platform for table field level authentication processing.
Optionally, before the sending the encapsulated first authentication information to the authentication platform for table field level authentication processing, the method further includes:
judging whether an uncertain field exists in the first authentication information;
if the uncertain field exists, all field information under the table corresponding to the uncertain field is called as target information;
replacing the uncertain field with the target information.
Optionally, before the syntax tree analysis of the operation command, the method further includes:
determining the number of nesting layers of the operation command, and judging whether the number of nesting layers reaches a threshold;
if the threshold is reached, querying and disassembling the operation command to obtain a plurality of subcommands, wherein the number of nesting layers of each subcommand is below the threshold;
correspondingly, the syntax tree analysis of the operation command specifically comprises performing semantic analysis on each subcommand.
Accordingly, a second aspect of the embodiment of the present application provides a server, which is built into a data service component, where the server includes:
the command interception unit is used for intercepting an operation command aiming at the database sent by the client side by the server side;
a type determining unit, configured to determine an operation type of the operation command, so as to generate an authentication request that includes the operation type and authenticates the operation command;
an authentication information determining unit, configured to determine authentication information corresponding to the authentication request according to the operation type;
the authentication processing unit is used for calling the authentication operation corresponding to the authentication information to perform table field level authentication processing and obtaining an authentication result;
and the authentication feedback unit is used for returning the authentication result to the client so that the client can perform operation scheduling according to the authentication result.
Accordingly, a third aspect of the embodiment of the present application provides a data access right control method, based on a client and a server set up in a data service component, the method including:
the client receives an operation command of a user for the database;
the operation command is sent to a server;
and receiving an authentication result returned by the server for carrying out table field level authentication processing on the operation command, and submitting the operation command to an execution scheduling sequence if the returned authentication result shows that the authentication is successful.
Optionally, the method further comprises:
if the returned authentication result shows authentication failure, outputting an operation abnormality, and stopping executing the operation command.
Accordingly, a fourth aspect of the present application provides a client, configured to be built into a data service component, including:
the command receiving unit is used for receiving an operation command of a user for the database by the client;
the command sending unit is used for sending the operation command to the server;
and the result receiving unit is used for receiving an authentication result returned by the server for carrying out table field level authentication processing on the operation command, and submitting the operation command to an execution scheduling sequence if the returned authentication result shows that the authentication is successful.
Accordingly, an electronic device provided in a fifth aspect of the embodiment of the present application includes:
a processor and a storage medium;
the processor is used for realizing each instruction;
the storage medium is configured to store a plurality of instructions for loading and executing the data access rights control method described above by the processor.
The sixth aspect of the embodiment of the present application further provides a computer readable storage medium, where a plurality of instructions are stored, where the instructions are adapted to be loaded by a processor, to perform any of the steps in the data access right control method provided by the embodiment of the present application.
The seventh aspect of the embodiment of the present application further provides a computer program product, which includes a computer program or instructions, where the computer program or instructions, when executed by a processor, implement any of the data access right control methods provided by the embodiments of the present application.
In this method, the data service component is transformed invasively: the operation command for the database received inside the data service component is intercepted and authentication logic is implanted; the server extracts the corresponding table and field information according to the operation type and performs authentication processing on the operation command; and after the server returns the authentication result, the client intercepts or releases the operation accordingly. Because the client and server are embedded into the data service component as a service to control data access authority, the change to the original code of the data service component is small. At the same time, because authority control is performed directly inside the data service component, there is no compatibility problem between multiple components, which solves the syntax incompatibility problem of industry data authentication schemes. Every operation command is authenticated, so the problem of unbounded authority amplification is avoided and the security of data access is guaranteed. Moreover, the method involves no large-scale computation, has a small footprint and occupies few resources; it realizes lightweight authentication of tables and columns and constructs a highly universal authentication system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an application scenario schematic diagram of a data classification system provided in an embodiment of the present application;
fig. 2 is a flow chart of a method for controlling data access rights according to an embodiment of the present application;
FIG. 3 is another flow chart of a method for controlling data access rights according to an embodiment of the present application;
FIG. 4 is a schematic diagram of authentication implementation provided by an embodiment of the present application;
fig. 5 is a schematic structural diagram of an authentication architecture according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an information acquisition unit according to an embodiment of the present application;
FIG. 7 is a schematic diagram of an embedded interface provided by an embodiment of the present application;
fig. 8 is a schematic structural diagram of an authentication set processing unit according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of an authentication platform according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a server provided by an embodiment of the present application;
fig. 11 is a schematic structural diagram of a client according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to fall within the scope of the application.
Secure access to data is very important for secure operation and development in every field. According to our earlier investigation and extensive data comparison, the main authentication processing methods currently used in the industry for data service components that interface with the user side, including Spark and databases, are the following (Spark is taken as the example data service component below; the authentication processing methods of other data service components such as databases are similar and are not described separately):
(1) Hive-based Spark authentication mode;
the Spark authentication mode based on Hive (a data warehouse tool based on Hadoop, which is a mechanism capable of storing, querying and analyzing large-scale data stored in Hadoop) combines the access right control functions of a joint range to form an intermediary service by using user identification and user input (SQL) analysis owned by the Hive's service, and the intermediary service is controlled by Spa rkSQL thriftserver (wherein the threft refers to an interface description language and binary communication protocol, which is used for defining and creating a cross-language service, and in the scheme, the method is mainly used for information transfer of a client module and a server module) to achieve the purpose of controlling the right of the intermediary service. The industry multiplexes the Hive authentication mode, adopts the original Hive authentication interface, and the manufacturer using the scheme selects the ignored processing mode for the place where Sp mark and Hive grammar are not compatible.
Although Spark's syntax is fully compliant with the SQL99 standard, spark and Hive's syntax is not fully compatible due to their own special syntax construction and specific use. For simple SQL (single-layer query) authentication, multiplexing HiveDriver authentication class can be compatible, and for slightly complex SQL (multi-layer nested query, for example), grammar analysis errors and authentication failure can occur, so that tasks are abnormal to exit, and tasks with authority to complete cannot be successfully executed. Therefore, multiplexing the open source component to realize authentication has many grammar incompatibility problems, resulting in incomplete authentication.
(2) Zeppelin-based Spark authentication mode;
Zeppelin implements multi-tenancy, maps queries submitted by different users to different YARN queues, and at the same time implements table-level authentication on the queries users submit, which strengthens access security. The SQL submitted through Zeppelin is authenticated in a coded manner to achieve the Spark application of Zeppelin. To implement permission verification, Zeppelin accesses Spark's ThriftServer through JDBC, and before executing a query statement it verifies the user role and the statement: the RESTful auth service interface provided by Hive is connected over HTTP, the user role and cmd are supplied for permission verification, and after authentication passes the query statement is submitted to Spark's ThriftServer for processing.
After an authentication failure caused by various factors (including but not limited to faults of external components, incompatible syntax, channel transmission problems and the like), the user is directly given the highest authority so that authorized tasks can still execute normally; this amplifies identity authority without limit and seriously threatens the security of data assets to a certain extent. Therefore, because this method is designed to ensure that all tasks execute normally and to adapt to authentication failure scenarios, authority is amplified without end and data security is difficult to guarantee.
(3) Kyuubi-based Spark authentication mode;
The Spark session in Kyuubi is obtained through reflection, the source code is modified so that it is injected into spark.sql.extensions, the spark.sql.extensions parameter is added to Kyuubi's startup script, and the permission authentication class is specified. Spark's logical execution plan is obtained, and permission authentication is then completed in a custom Rule through a custom Optimizer Rule. If authentication succeeds, the remaining execution stages of the task continue; if authentication fails, an error is reported directly and the client exits.
However, when this method processes too many requests in one day, if no control and optimization are performed, garbage collection in the third-party service (the Java/.NET garbage collector, a mechanism running in memory that continuously reclaims memory space that was allocated earlier but is no longer used) becomes severe, memory leaks may even occur, and a service avalanche easily follows: the authentication service becomes unavailable and the whole business product line breaks down. After a fault occurs, the troubleshooting chain is long, many services are involved, and the troubleshooting period is long. Therefore, this method completes authentication by relying on external components, the service is too bulky, faults occur frequently, and maintenance is difficult.
(4) Spark authentication mode based on self-developed products.
Relying on a company's self-developed data authentication system, the SQL submitted by the user is first disassembled, the table name information is extracted and packaged into a format that the system can recognize, and submitted to the data authentication system for table-level authentication, which returns an authentication flag to the Spark entry point. If the status code is 1 (authentication succeeded), the SQL continues; if the status code is 0 (authentication failed), the operation is aborted.
Because the authentication action is completed by relying on the company's self-developed products, the Spark authentication module cannot be decoupled and cannot be integrated with the open-source community, so its promotion and universality are poor.
The hierarchical classification of data is not only the authentication of the access path, but also the security verification to the table and field level. Based on the above, the technical problems to be solved by the application are as follows: 1. the method solves the difficult problems of incompatible grammar and endless amplification of authority in the data authentication scheme in the industry. 2. The table and column lightweight authentication is realized, and a highly universal authentication system is constructed.
Based on this, the embodiment of the application provides a method, a device, equipment and a readable storage medium for controlling data access authority, wherein the equipment can be electronic equipment, and the readable storage medium can be a computer readable storage medium. The data access right control device may be integrated in an electronic device, which may be a server or a device such as a terminal.
The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, network acceleration services (Content Delivery Network, CDN), basic cloud computing services such as big data and an artificial intelligent platform.
The terminal may be, but not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the present application is not limited herein.
For example, as shown in fig. 1, an operation command for a database sent by the client may be intercepted by a server; determining the operation type of the operation command to generate an authentication request containing the operation type for authenticating the operation command; determining authentication information corresponding to the authentication request according to the operation type; invoking an authentication operation corresponding to the authentication information to perform table field level authentication processing, and acquiring an authentication result; and returning the authentication result to the client so that the client can perform operation scheduling according to the authentication result.
The operation command of the user for the database can be received through the client; the operation command is sent to a server; and receiving an authentication result returned by the server for carrying out table field level authentication processing on the operation command, and submitting the operation command to an execution scheduling sequence if the returned authentication result shows that the authentication is successful.
The term "plurality" in the embodiments of the present application means two or more. "first" and "second" and the like in the embodiments of the present application are used for distinguishing descriptions and are not to be construed as implying relative importance.
The following will describe in detail. The following description of the embodiments is not intended to limit the preferred embodiments.
Referring to fig. 2 and fig. 4, in this embodiment, a data access right control method is provided and applied to a server, as shown in fig. 2, a specific flow of the data access right control method may be as follows:
step 101, the server intercepts an operation command for a database sent by the client.
The operation command may be an instruction issued by the user to perform an operation on the database, for example an SQL operation such as DDL (data definition language in MySQL; its main operations include creating/deleting a database, creating/deleting a table, updating table information, etc.), DML, TCL, DCL, DQL, and the like.
In the application, the server and the client are both arranged inside the data service component. Traditional data service components have no authentication function of their own and can only obtain one through external equipment or components, so the problems of incomplete authentication and incompatibility easily occur.
As shown in fig. 5 and 6, in some embodiments, the interception operation of the operation command may be implemented by an information acquisition unit inside the server, and the information acquisition unit may be responsible for SQL operation command interception, code injection, SQL syntax tree parsing, processing of query requests, and so on.
In this embodiment, the type of the data service component of the application is not limited, and the implementation manner of intercepting the operation command is different when the data service component is correspondingly applied to different data service components, so that the intercepting operation command can be set according to the actual application scenario.
For further understanding, please refer to fig. 7, which is a schematic diagram of an embedded interface according to an embodiment of the present application. In this embodiment, taking Spark as the applied data service component, Spark may execute SQL (the standard computer language for accessing and processing a database, that is, the operation command for the database) through three interfaces (spark-sql mode, spark-jdbc mode, spark-shell mode), as shown in fig. 7; but regardless of how a task is started, it is finally processed by the Spark processing method, so the client may intercept and inject the operation command for the database at that Spark processing method.
Step 102, determining the operation type of the operation command to generate an authentication request containing the operation type for authenticating the operation command.
In some embodiments, after intercepting an operation command of a user, the operation command is classified by using a custom rule, which may be classified into a read operation type and a write operation type, or may further be further classified into a refinement type of the read operation type and the write operation type.
Step 103, determining authentication information corresponding to the authentication request according to the operation type.
The authentication information is information that needs to authenticate the operation command, such as a user name, a table name, a field name, and the like, corresponding to the operation command requesting authentication, so as to identify the authentication information and identify whether the information has corresponding authority. Therefore, the authentication information needed to be authenticated can be determined according to different operation types corresponding to the operation command, for example, the reading operation can obtain the corresponding table name and field name, and the writing operation can obtain the corresponding table name and the like.
Step 104, invoking an authentication operation corresponding to the authentication information to perform table field level authentication processing, and obtaining an authentication result.
Optionally, step 104 may include:
if the operation type is a non-compatible-syntax read operation, performing syntax tree analysis on the operation command, extracting the corresponding first authentication information, packaging the first authentication information into data that the authentication platform can recognise, and sending the packaged first authentication information to the authentication platform for table field level authentication processing;
and if the operation type is compatible grammar read-write operation, extracting second authentication information representing whether the operation type is query operation or not, and sending the second authentication information to the authentication platform for table field level authentication processing.
An incompatible-syntax operation is syntax specific to the data service component that other components do not share, i.e. Spark syntax that Hive does not accept, such as "create table tablename as select ...". The authentication component generally cannot recognise such syntax, so in this embodiment these operations are authenticated separately from the other operations.
As shown in fig. 4 to 6 and fig. 8 to 9, in some embodiments the syntax tree analysis of the operation command corresponding to an incompatible-syntax read operation may be performed with ANTLR (Another Tool for Language Recognition, an open-source parser generator that can automatically build a syntax tree from its input and display it visually; given an SQL statement, for example, information such as table names and field names can be read from the syntax tree), which avoids the problem of authentication efficiency suffering from syntax incompatibility during authentication. Note that components other than ANTLR may be invoked to parse the syntax tree of the operation command, which is not limited herein.
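To make steps 102 to 104 concrete, the following added example (not code from the patent or from Spark; a hypothetical helper written for this page) classifies a single-layer SQL command, extracts the table and field names as the authentication set and checks them against a constructed in-memory permission store. A regular expression stands in for the ANTLR syntax-tree analysis, so it only recognises the statement shapes the text mentions (a plain select, insert ... select, and the Hive-incompatible create table ... as select); the user name and the grants are constructed sample data.

```python
"""Classify a SQL command and build its table/field authentication request.

Added example, not the patent's code. A regex extractor stands in for the
ANTLR syntax tree; PERMISSIONS is a constructed in-memory grant table.
"""
import re
from dataclasses import dataclass, field

# Constructed grants: user -> table -> readable fields / write flag (assumption)
PERMISSIONS = {
    "alice": {
        "table02": {"read": {"id", "amount"}, "write": False},
        "table01": {"read": set(), "write": True},
    },
}


@dataclass
class AuthRequest:
    op_type: str                                      # "read" or "write"
    read_fields: dict = field(default_factory=dict)   # table -> set of fields
    write_tables: set = field(default_factory=set)    # tables written to


# Every `select <cols> from <table>` in the command (nested selects included).
_READ_RE = re.compile(
    r"\bselect\s+(?P<cols>.+?)\s+from\s+(?P<table>[\w.]+)", re.I | re.S)
# A command that writes: insert into/overwrite <table> or create table <table>.
# Limitation: `create table if not exists` is not recognised by this toy regex.
_WRITE_RE = re.compile(
    r"^\s*(?:insert\s+(?:into|overwrite)\s+(?:table\s+)?|create\s+table\s+)"
    r"(?P<table>[\w.]+)", re.I)


def build_request(sql: str) -> AuthRequest:
    """Steps 102/103: classify the command and collect what must be authenticated."""
    req = AuthRequest(op_type="read")
    w = _WRITE_RE.match(sql)
    if w:
        req.op_type = "write"
        req.write_tables.add(w.group("table").lower())
    for m in _READ_RE.finditer(sql):
        # "t.col" -> "col"; a bare "*" is kept as the uncertain field marker
        cols = {c.strip().split(".")[-1].lower() for c in m.group("cols").split(",")}
        req.read_fields.setdefault(m.group("table").lower(), set()).update(cols)
    return req


def authorize(user: str, req: AuthRequest) -> tuple:
    """Step 104: table/field-level check; deny by default, reason in the second slot."""
    grants = PERMISSIONS.get(user, {})
    for table in sorted(req.write_tables):
        if not grants.get(table, {}).get("write", False):
            return False, f"no write permission on {table}"
    for table, cols in sorted(req.read_fields.items()):
        if "*" in cols:
            # The wildcard names no real column; it must be expanded first.
            return False, f"wildcard on {table} must be expanded before authentication"
        missing = cols - grants.get(table, {}).get("read", set())
        if missing:
            return False, f"no read permission on {table}.{sorted(missing)[0]}"
    return True, "ok"


def authenticate(user: str, sql: str) -> tuple:
    """Server-side entry point: intercepted command in, authentication result out."""
    return authorize(user, build_request(sql))


if __name__ == "__main__":
    for stmt in ("insert into table01 select id, amount from table02",
                 "select id, secret from table02",
                 "create table t9 as select id from table02"):
        print(stmt, "->", authenticate("alice", stmt))
```

The check denies by default: an unknown user, an unknown table or a field outside the grant all fail, and a wildcard is refused rather than silently accepted, because the authentication set must first be expanded to real column names.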
For compatible-syntax read and write operations, the monitoring HOOK recognises the operation while the authentication task executes, and the authentication can be completed automatically: a read operation is handed to the read-operation authentication module of the authentication platform and a write operation to its write-operation authentication module, as shown in fig. 4. While the HOOK task runs, the monitoring HOOK receives a request in real time whenever the metadata stored in the authentication platform's Hive Metastore changes. For a CreateTable operation (creating a table), the engine authentication end creates the read and write permissions of the table and then writes that permission dimension into the data authentication platform; for a Drop Table operation (deleting a table), the engine authentication end deletes the read and write permissions of the table; for an Alter Table rename to operation (renaming a table), it creates the permission dimension of the new table, transplants the write permission of the whole table, and then deletes the permission dimension of the old table; for an Alter Table change/add/replace columns operation (changing the table's columns), it creates a new field permission dimension and deletes the old field permission dimension.
The above authentication is performed by the authentication platform's Hive Metastore (a service component of Hive that mainly stores the metadata of tables), i.e. the Hive Metastore authentication end in fig. 5.
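The metadata hook described above, as an added example that is not part of the patent and not the Hive Metastore API: a hypothetical in-memory permission store applies the four metadata events (CreateTable, Drop Table, Alter Table rename, Alter Table change/add/replace columns) to its table and field permission dimensions. Assumptions beyond the text: the creating user receives read and write on the new table, a rename carries the field-level read grants across together with the table-level write permission, and fields removed by an alter lose their grants while fields added start with none.

```python
"""Keep permission dimensions in step with Hive Metastore metadata events.

Added example, not the patent's code and not a Hive listener API; all
grant data is constructed in memory.
"""
from dataclasses import dataclass, field


@dataclass
class TableDimension:
    fields: set = field(default_factory=set)       # columns known to exist
    writers: set = field(default_factory=set)      # users allowed to write
    readers: dict = field(default_factory=dict)    # user -> readable fields


class PermissionStore:
    def __init__(self):
        self.tables = {}                           # table name -> TableDimension

    # ---- metadata events received from the monitoring hook ----
    def on_create_table(self, name, columns, owner):
        """CreateTable: create the table's read/write dimension (owner gets both)."""
        dim = TableDimension(fields=set(columns))
        dim.writers.add(owner)
        dim.readers[owner] = set(columns)
        self.tables[name] = dim

    def on_drop_table(self, name):
        """Drop Table: delete the whole read/write dimension of the table."""
        self.tables.pop(name, None)

    def on_rename_table(self, old, new):
        """Alter Table rename: new dimension, transplant grants, delete old dimension."""
        src = self.tables.pop(old)
        self.tables[new] = TableDimension(
            fields=set(src.fields),
            writers=set(src.writers),
            readers={u: set(f) for u, f in src.readers.items()})

    def on_alter_columns(self, name, columns):
        """Alter Table change/add/replace columns: new field dimension replaces old."""
        dim = self.tables[name]
        dim.fields = set(columns)
        for user in dim.readers:                   # grants on vanished fields die
            dim.readers[user] &= dim.fields

    # ---- administration ----
    def grant_read(self, user, table, fields):
        dim = self.tables[table]
        unknown = set(fields) - dim.fields
        if unknown:
            raise ValueError(f"unknown fields {sorted(unknown)} on {table}")
        dim.readers.setdefault(user, set()).update(fields)

    # ---- checks used by the authentication step ----
    def can_write(self, user, table):
        return user in self.tables.get(table, TableDimension()).writers

    def can_read(self, user, table, fields):
        dim = self.tables.get(table)
        if dim is None:
            return False
        wanted = set(fields)
        return wanted <= dim.fields and wanted <= dim.readers.get(user, set())


if __name__ == "__main__":
    store = PermissionStore()
    store.on_create_table("orders", ["id", "amount", "card_no"], "alice")
    store.on_alter_columns("orders", ["id", "amount", "card_masked"])
    print(store.can_read("alice", "orders", ["card_no"]))       # False: column gone
    print(store.can_read("alice", "orders", ["card_masked"]))   # False: no grant yet
```

Pruning on column change is the conservative choice: a replaced column gets no permission inherited from the column it replaces, so a stale grant cannot survive a schema change.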
Optionally, before the step of sending the encapsulated first authentication information to the authentication platform for table field level authentication processing, the method further includes:
judging whether an uncertain field exists in the first authentication information;
if the uncertain field exists, all field information under the table corresponding to the uncertain field is called as target information;
replacing the uncertain field with the target information.
Based on the above embodiment, in order to further improve the comprehensiveness of authentication: it was found that some operation requests may contain uncertain fields, for example the "*" in "select *", and once such a field has been extracted into the authentication information, the actual fields it stands for cannot be authenticated. Therefore, before the server sends the authentication information to the identity authentication platform for table field level authentication processing, it may first judge whether the authentication information contains an uncertain field; if so, all field information under the table corresponding to the uncertain field is retrieved as the target information; and the uncertain field is replaced with the target information so that no field is missed.
In the method, when the authentication set contains an uncertain field such as the "*" of "select *", a Hive Metastore (a metadata query component) is first connected to obtain all fields of the table, and the uncertain information in the authentication set is replaced by the obtained field information, which ensures the comprehensiveness of the authentication.
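The uncertain-field replacement just described, as an added example (not the patent's code): a hypothetical helper in which a constructed dict stands in for the Hive Metastore lookup. The authentication set is modelled as a mapping from table name to the set of field names extracted for it, with "*" as the uncertain field.

```python
"""Replace an uncertain field by the table's real columns before authenticating.

Added example, not the patent's code; METASTORE is a constructed stand-in
for a Hive Metastore connection.
"""
UNCERTAIN_FIELD = "*"

# Constructed metastore contents: table -> columns (assumption)
METASTORE = {
    "orders": ["id", "amount", "card_no"],
    "customers": ["id", "name"],
}


def fetch_all_fields(table):
    """Return every column of the table (placeholder for a Metastore query)."""
    if table not in METASTORE:
        raise LookupError(f"unknown table {table}")
    return list(METASTORE[table])


def has_uncertain_field(auth_set):
    """True if any table in the authentication set still carries the wildcard."""
    return any(UNCERTAIN_FIELD in cols for cols in auth_set.values())


def expand_uncertain_fields(auth_set, lookup=fetch_all_fields):
    """Return a copy of the set with every "*" replaced by the table's columns."""
    expanded = {}
    for table, cols in auth_set.items():
        cols = set(cols)
        if UNCERTAIN_FIELD in cols:
            cols.discard(UNCERTAIN_FIELD)
            cols.update(lookup(table))      # the "target information"
        expanded[table] = cols
    return expanded


def authenticate_read(user_grants, auth_set):
    """Field-level check: refuse to decide on an unexpanded set, deny by default."""
    if has_uncertain_field(auth_set):
        raise ValueError("authentication set still contains an uncertain field")
    return all(set(cols) <= user_grants.get(table, set())
               for table, cols in auth_set.items())


def check_query_fields(user_grants, auth_set):
    """The complete step: expand first, then authenticate."""
    return authenticate_read(user_grants, expand_uncertain_fields(auth_set))


if __name__ == "__main__":
    grants = {"orders": {"id", "amount"}}              # constructed user grants
    print(expand_uncertain_fields({"orders": {"*"}}))  # all three columns
    print(check_query_fields(grants, {"orders": {"*"}}))  # False: card_no not granted
```

Raising instead of silently passing when the wildcard is still present is deliberate: a "*" that survives to the comparison would match nothing in the grant set and could be mistaken for an empty, and therefore trivially permitted, field list.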
For complex queries (multi-layer nested queries), the complex query is first disassembled into simple queries (single-layer queries), and the syntax tree analysis steps such as lexical analysis and syntax tree construction are performed on the disassembled operation commands to obtain the final authentication set. For example, the operation command "insert into table01 select * from table02" means that all data in table02 is queried and then inserted into the new table01, so the command requires authentication requests for two tables: the first must identify whether the user has permission to write table01, and the second whether the user has permission to read the data of table02, so the command can be split into 2 simple query operations, querying the permission on table01 and querying the permission on table02. For example, the operation command "select a, b from t" for a complex nested query may be split into operation commands "select a, b from t" for a single-layer query.
Optionally, before the step of "parse the syntax tree for the operation command", the method further includes:
determining the nesting layer number of the operation command, and judging whether the nesting layer number reaches a threshold value or not;
if the operation command is reached, inquiring and disassembling the operation command to obtain a plurality of subcommands; wherein the number of nesting layers for each of the subcommands is below the threshold;
correspondingly, the syntax tree analysis of the operation command specifically consists of performing semantic analysis on each subcommand.
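The nesting-depth check and disassembly just described, as an added example (a hypothetical helper, not the patent's code): it counts how deeply select statements nest inside parentheses and, when the configured threshold is reached, splits the command into single-layer subcommands, replacing each nested select in its parent with a placeholder. It assumes plain SQL whose parentheses are balanced and are not hidden inside string literals.

```python
"""Nesting-depth check and disassembly of a nested SQL command.

Added example, not the patent's code. Splits on balanced parentheses that
open a `select`; string literals containing parentheses are not handled.
"""
import re

_SELECT_AFTER_PAREN = re.compile(r"\s*select\b", re.I)
PLACEHOLDER = "(__SUBQUERY__)"   # stands for an already-extracted subquery


def nesting_depth(sql: str) -> int:
    """Deepest parenthesis level at which a `select` starts (0 = single layer)."""
    depth, deepest = 0, 0
    for i, ch in enumerate(sql):
        if ch == "(":
            depth += 1
            if _SELECT_AFTER_PAREN.match(sql, i + 1):
                deepest = max(deepest, depth)
        elif ch == ")":
            depth -= 1
    return deepest


def disassemble(sql: str) -> list:
    """Split a nested command into single-layer subcommands, innermost first.

    Each nested select is cut out of its parent and replaced by PLACEHOLDER,
    so every returned subcommand has nesting depth 0.
    """
    parts = []

    def flatten(text: str) -> str:
        out, i = [], 0
        while i < len(text):
            if text[i] == "(" and _SELECT_AFTER_PAREN.match(text, i + 1):
                depth, j = 1, i + 1
                while j < len(text) and depth:        # find the matching ")"
                    depth += {"(": 1, ")": -1}.get(text[j], 0)
                    j += 1
                if depth:
                    raise ValueError("unbalanced parentheses in command")
                parts.append(flatten(text[i + 1:j - 1].strip()))  # recurse first
                out.append(PLACEHOLDER)
                i = j
            else:
                out.append(text[i])
                i += 1
        return "".join(out)

    return [flatten(sql)] + parts


def split_if_needed(sql: str, threshold: int = 1) -> list:
    """Return [sql] when the nesting depth is below the threshold, else the
    disassembled subcommands, each of which is single-layer."""
    if nesting_depth(sql) < threshold:
        return [sql]
    return disassemble(sql)


if __name__ == "__main__":
    demo = "select a from t where x in (select b from u where y in (select c from v))"
    print(nesting_depth(demo))            # 2
    for part in split_if_needed(demo):    # three single-layer subcommands
        print(part)
```

Each returned subcommand can then be fed to the ordinary single-layer analysis; because the placeholder contains no select keyword, re-checking the depth of every part returns 0, which is what the "below the threshold" condition in the text requires.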
And step 105, returning the authentication result to the client so that the client performs operation scheduling according to the authentication result.
As shown in fig. 4, optionally, before step 105 an ACL check (an access control technology based on packet filtering, which can filter data packets on an interface according to set conditions and allow them to pass or discard them) is further performed on the authentication information: specifically, the ACL information of the authentication information is obtained and SQL authentication, DDL operation processing and the like are performed, so as to authenticate access to cloud storage data, tables and fields. After the ACL authentication passes, the information acquisition unit submits the authentication result to YARN for execution scheduling; if the authentication fails, the information acquisition end directly throws an exception and suspends the action.
Referring to fig. 3 and fig. 4, in this embodiment, a data access right control method is provided and applied to a client, as shown in fig. 3, a specific flow of the data access right control method may be as follows:
step 201, the client receives an operation command of a user for a database;
The operation command may be a user-initiated instruction to operate on the database, as described in step 101, such as a DDL SQL operation (the data definition language of MySQL, whose main operations include creating/deleting databases, creating/deleting tables, updating table information and so on), DML, TCL, DCL, DQL and the like.
Step 202, sending the operation command to a server.
Specifically, when the client starts, the server can connect to MySQL (a relational database management system) according to the user's identity; at the same time the client module obtains the necessary authentication credentials and performs SQL interception, code injection, SQL syntax tree analysis and the like, while the server performs SQL authentication, DDL operation processing and the like in order to authenticate access to cloud storage data, tables and fields.
Step 203, receiving an authentication result returned by the server for performing table field level authentication processing on the operation command, and submitting the operation command to an execution scheduling sequence if the returned authentication result shows that the authentication is successful.
Specifically, when the server returns an authentication result: if the result indicates that authentication succeeded, i.e. the operation has the required permission, the client submits the operation command to the execution scheduling sequence to be released and continues executing the task, for example allowing the read or write; if the result indicates that authentication failed, i.e. the current operation command has been found to lack permission, the client can output an operation exception and throw it directly to terminate the task.
With this method the data service component is invasively modified: the operation command for the database received inside the data service component is intercepted and the authentication logic is implanted there; the corresponding table and field information is extracted according to the operation type and the operation command is then authenticated by the server; after the server returns the authentication result, the client correspondingly intercepts or releases the operation. Because the method is embedded into the data service component as a service, through the client and the server, to control data access permissions, the change to the data service component's original code is small. At the same time, permission control is performed directly inside the data service component, so there is no compatibility problem between multiple components, which solves the syntax incompatibility problem of industrial data authentication schemes; every operation command is authenticated, which avoids the problem of permissions being amplified without limit and secures data access; and the method involves no large-scale computation, is small in size and uses few resources, realising lightweight authentication at table and column level and constructing a highly universal authentication system.
The method described in the above embodiments will be described in further detail below.
As shown in fig. 10, a schematic structural diagram of a service end provided by an embodiment of the present application, where the service end may be built on a data service assembly, specifically includes:
the command interception unit is used for intercepting an operation command aiming at the database sent by the client side by the server side;
a type determining unit, configured to determine an operation type of the operation command, so as to generate an authentication request that includes the operation type and authenticates the operation command;
an authentication information determining unit, configured to determine authentication information corresponding to the authentication request according to the operation type;
the authentication processing unit is used for calling the authentication operation corresponding to the authentication information to perform table field level authentication processing and obtaining an authentication result;
and the authentication feedback unit is used for returning the authentication result to the client so that the client can perform operation scheduling according to the authentication result.
As shown in fig. 11, a schematic structural diagram of a client provided in an embodiment of the present application may be built on a data service assembly, and specifically includes:
the command receiving unit is used for receiving an operation command of a user for the database by the client;
the command sending unit is used for sending the operation command to the server;
and the result receiving unit is used for receiving an authentication result returned by the server for carrying out table field level authentication processing on the operation command, and submitting the operation command to an execution scheduling sequence if the returned authentication result shows that the authentication is successful.
Corresponding to the above method embodiment, the embodiment of the present application further provides a computer device, where a computer device described below and a data access right control method described above may be referred to correspondingly.
The computer device includes:
a memory for storing a computer program;
a processor, configured to implement the steps of the data access right control method of the method embodiment when executing a computer program:
the server intercepts an operation command aiming at a database sent by the client;
determining the operation type of the operation command to generate an authentication request containing the operation type for authenticating the operation command;
determining authentication information corresponding to the authentication request according to the operation type;
invoking an authentication operation corresponding to the authentication information to perform table field level authentication processing, and acquiring an authentication result;
and returning the authentication result to the client so that the client can perform operation scheduling according to the authentication result.
Specifically, referring to fig. 12, which shows a specific structure of a computer device according to this embodiment: the computer device may differ considerably according to configuration or performance, and may include one or more processors (central processing units, CPU) 522 and a memory 532, where the memory 532 stores one or more computer applications 542 or data 544. The memory 532 may be transient or persistent storage. The program stored in the memory 532 may include one or more modules (not shown), each of which may include a series of instruction operations in the data processing apparatus. Further, the central processor 522 may be arranged to communicate with the memory 532 and execute the series of instruction operations in the memory 532 on the computer device 301.
The computer device 301 may also include one or more power supplies 526, one or more wired or wireless network interfaces 550, one or more input/output interfaces 558, and/or one or more operating systems 541.
The steps in the data access right control method described above may be implemented by the structure of the computer device.
Corresponding to the above method embodiments, the embodiments of the present application further provide a readable storage medium, where a readable storage medium described below and a data access right control method described above may be referred to correspondingly.
A readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the data access rights control method of the above method embodiments.
The readable storage medium may be a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, any of which can store program code.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Those skilled in the art may implement the described functionality using different approaches for each particular application, but such implementation is not intended to be limiting.

Claims (10)

1. A method for controlling data access rights, characterized in that it comprises the following steps:
the server intercepts an operation command aiming at a database sent by the client;
determining the operation type of the operation command to generate an authentication request containing the operation type for authenticating the operation command;
determining authentication information corresponding to the authentication request according to the operation type;
invoking an authentication operation corresponding to the authentication information to perform table field level authentication processing, and acquiring an authentication result;
and returning the authentication result to the client so that the client can perform operation scheduling according to the authentication result.
2. The data access right control method according to claim 1, wherein the invoking the authentication operation corresponding to the authentication information performs a table field level authentication process, comprising:
if the operation type is a non-compatible-syntax read operation, performing syntax tree analysis on the operation command, extracting the corresponding first authentication information, packaging the first authentication information into data that the authentication platform can recognise, and sending the packaged first authentication information to the authentication platform for table field level authentication processing;
and if the operation type is compatible grammar read-write operation, extracting second authentication information representing whether the operation type is query operation or not, and sending the second authentication information to the authentication platform for table field level authentication processing.
3. The method according to claim 2, further comprising, before said sending the encapsulated first authentication information to the authentication platform for table field level authentication processing:
judging whether an uncertain field exists in the first authentication information;
if the uncertain field exists, all field information under the table corresponding to the uncertain field is called as target information;
replacing the uncertain field with the target information.
4. The data access right control method according to claim 2, further comprising, before said parsing said operation command into a syntax tree:
determining the nesting layer number of the operation command, and judging whether the nesting layer number reaches a threshold value or not;
if the operation command is reached, inquiring and disassembling the operation command to obtain a plurality of subcommands; wherein the number of nesting layers for each of the subcommands is below the threshold;
correspondingly, the operation command is parsed by a syntax tree, specifically: and carrying out semantic analysis on each subcommand.
5. A server, characterized in that it is built in a data service component, the server comprising:
the command interception unit is used for intercepting an operation command aiming at the database sent by the client side by the server side;
a type determining unit, configured to determine an operation type of the operation command, so as to generate an authentication request that includes the operation type and authenticates the operation command;
an authentication information determining unit, configured to determine authentication information corresponding to the authentication request according to the operation type;
the authentication processing unit is used for calling the authentication operation corresponding to the authentication information to perform table field level authentication processing and obtaining an authentication result;
and the authentication feedback unit is used for returning the authentication result to the client so that the client can perform operation scheduling according to the authentication result.
6. A method for controlling data access rights, which is characterized in that the method comprises the following steps of:
the client receives an operation command of a user for the database;
the operation command is sent to a server;
and receiving an authentication result returned by the server for carrying out table field level authentication processing on the operation command, and submitting the operation command to an execution scheduling sequence if the returned authentication result shows that the authentication is successful.
7. The data access rights control method of claim 6, further comprising:
if the returned authentication result shows authentication failure, outputting an operation abnormality, and stopping executing the operation command.
8. A client, characterized by being built on a data service component, comprising:
the command receiving unit is used for receiving an operation command of a user for the database by the client;
the command sending unit is used for sending the operation command to the server;
and the result receiving unit is used for receiving an authentication result returned by the server for carrying out table field level authentication processing on the operation command, and submitting the operation command to an execution scheduling sequence if the returned authentication result shows that the authentication is successful.
9. A computer device, comprising:
a memory for storing a computer program;
a processor for implementing the data access rights control method according to any one of claims 1 to 4 and/or the steps of the data access rights control method according to claim 6 or 7 when executing the computer program.
10. A readable storage medium, characterized in that the readable storage medium has stored thereon a computer program which, when executed by a processor, implements the data access right control method according to any one of claims 1 to 4 and/or the steps of the data access right control method according to claim 6 or 7.
CN202310597779.9A 2023-05-25 2023-05-25 Data access authority control method, device, equipment and readable storage medium Pending CN116611088A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310597779.9A CN116611088A (en) 2023-05-25 2023-05-25 Data access authority control method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN116611088A true CN116611088A (en) 2023-08-18

Family

ID=87676144

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310597779.9A Pending CN116611088A (en) 2023-05-25 2023-05-25 Data access authority control method, device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN116611088A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination