CN116644400A - Data access system and method - Google Patents

Data access system and method Download PDF

Info

Publication number
CN116644400A
CN116644400A CN202310723488.XA CN202310723488A CN116644400A CN 116644400 A CN116644400 A CN 116644400A CN 202310723488 A CN202310723488 A CN 202310723488A CN 116644400 A CN116644400 A CN 116644400A
Authority
CN
China
Prior art keywords
user
data access
node
data
authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310723488.XA
Other languages
Chinese (zh)
Inventor
刘晰元
毛福林
郭钰洁
郭强
张航
赵恒熠
张嫄
魏晨曦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bank of China Ltd
Original Assignee
Bank of China Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bank of China Ltd filed Critical Bank of China Ltd
Priority to CN202310723488.XA priority Critical patent/CN116644400A/en
Publication of CN116644400A publication Critical patent/CN116644400A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0629Configuration or reconfiguration of storage systems
    • G06F3/0637Permissions

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Automation & Control Theory (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Human Computer Interaction (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data access system and a method, comprising the following steps: a data access subsystem, and, a rights search engine, the rights search engine constructed based on an elastiscearch technique, comprising: the system comprises a plurality of nodes, wherein the memory of the nodes stores at least one main fragment or a copy fragment of the mapping relation between the user of the data access subsystem and the service data access authority; the data access subsystem is used for receiving an access request for target data sent by the first client and sending an authentication request for judging whether a first user corresponding to the first client has permission to access the target data to the first node through the micro service; the first node is used for sending an authentication request to the second node so as to acquire a result of whether the first user has permission to access the target data; and the data access subsystem is also used for sending the target data to the first client when the first user returned by the first node has the right of accessing the target data. The method of the application improves the authentication efficiency of data access.

Description

Data access system and method
Technical Field
The application relates to the field of big data, in particular to a data access system and a data access method.
Background
In the enterprise-level architecture data management platform, authority of users of different institutions, lines and job levels on business data has complex and clear regulations. Different levels of authority, or, often, access rights to business data by users of a line are different. How to guarantee efficient and high availability management of service data access rights is a difficult problem that enterprise-level architecture data governance platforms have to face.
Currently, authentication of the user's business data access rights is typically implemented based on a traditional database (e.g., oracle database), or MySQL database. However, the above method has a problem in that the permission authentication rate is low.
Disclosure of Invention
The application provides a data access system and a data access method, which are used for solving the problem of low service data access permission identification rate.
In a first aspect, the present application provides a data access method, a data access system comprising: a data access subsystem, and a rights search engine, the rights search engine constructed based on an elastiscearch technique, comprising: the system comprises a plurality of nodes, wherein the memory of the nodes stores at least one main fragment or a copy fragment of the mapping relation between the user of the data access subsystem and the service data access authority;
The data access subsystem is used for receiving an access request for target data sent by a first client and sending an authentication request for judging whether a first user corresponding to the first client has permission to access the target data to a first node through a micro service; the first node is any node in the plurality of nodes;
the first node is configured to send the authentication request to a second node, so as to obtain a result of whether the first user has permission to access the target data; the second node is a first fragmented node storing the mapping relation between the first user and the service data access authority;
the data access subsystem is further configured to send the target data to the first client when the first user returned by the first node has permission to access the target data.
Optionally, the plurality of nodes further includes: the master node of the authority search engine is used for:
reading user data from a user database of the data access subsystem;
reading service authority data from a service database of the data access subsystem;
According to the read user data and service authority data, constructing a mapping relation between the user of the data access subsystem and the service data access authority in an inverted index mode;
fragmenting a mapping relation between a user of the data access subsystem and the service data access authority;
and distributing the corresponding fragments to each node.
Optionally, the master node of the rights search engine is specifically configured to:
creating a temporary table;
importing the read user data, service data and authority data into the temporary table;
taking the service identifier as a unit, acquiring default authority and authority of service data of each user for each service;
and constructing the mapping relation between the users of the data access subsystem and the service data access rights by adopting an inverted index mode according to the default rights and the authorized rights of each user for the service data of each service.
Optionally, the master node of the rights search engine is specifically configured to receive configuration parameters, where the configuration parameters include at least one of the following: the number of fragments and the fragment distribution strategy;
according to the number of fragments, the mapping relation between the identification of the user of the data access subsystem and the service data access authority is fragmented;
And/or the number of the groups of groups,
and distributing the corresponding fragments to each node according to the fragment distribution strategy.
Alternatively to this, the method may comprise,
the data access subsystem is further configured to:
receiving a right acquisition request sent by a second client; the permission acquisition request carries an identifier of a second user corresponding to the second client and an identifier of a third user of permission to be queried;
determining whether the second user has the right to inquire the data access right of a third user according to the identification of the second user and the identification of the third user to be inquired;
if the second user is determined to have the right to inquire the data access right of the third user, sending a right inquiry request to the third node, wherein the right inquiry request is used for requesting to inquire the data access right of the third user; the third node is any node in the plurality of nodes;
the third node is further configured to send the authentication request to a fourth node to obtain a data access right of the third user; the fourth node is a node storing a second fragment comprising the mapping relation of the third user and the service data access authority;
And the data access subsystem is further used for outputting the data access authority of the third user to the second client when receiving the data access authority of the third user returned by the third node.
Optionally, the data access subsystem is further configured to receive a permission configuration change request of the third user sent by the second client;
and the third node is further configured to control, according to the permission configuration change request, the node storing the master shard to execute an operation corresponding to the permission configuration change request, so that the node storing the master shard synchronously controls other nodes storing copies of the second shard to synchronously execute corresponding operations.
Optionally, the operations corresponding to the permission configuration change request include: deleting at least one data access right of the third user and/or modifying at least one data access right of the third user.
In a second aspect, the present application provides a data access method, a data access system comprising: a data access subsystem, and a rights search engine, the rights search engine constructed based on an elastiscearch technique, comprising: the method comprises the steps that a plurality of nodes are arranged, at least one main fragment or a copy fragment of the mapping relation between a user of the data access subsystem and service data access authority is stored in a memory of each node, and the method comprises the following steps:
The data access subsystem receives an access request for target data sent by a first client, and sends an authentication request for judging whether a first user corresponding to the first client has permission to access the target data or not to a first node through a micro service; the first node is any node in the plurality of nodes;
the first node sends the authentication request to a second node to acquire a result of whether the first user has permission to access the target data; the second node is a first fragmented node storing the mapping relation between the first user and the service data access authority;
and the data access subsystem sends the target data to the first client when receiving that the first user returned by the first node has the right to access the target data.
Optionally, the plurality of nodes further includes: the method further comprises the steps of:
the master node of the authority search engine reads user data from a user database of the data access subsystem;
the master node of the authority search engine reads service authority data from a service database of the data access subsystem;
The main node of the authority search engine constructs the mapping relation between the user of the data access subsystem and the service data access authority in an inverted index mode according to the read user data and service authority data;
the main node of the authority search engine segments the mapping relation between the identification of the user of the data access subsystem and the service data access authority;
and the master node of the authority search engine distributes corresponding fragments to each node.
Optionally, the main node of the rights search engine constructs a mapping relationship between the user of the data access subsystem and the service data access rights by adopting an inverted index mode according to the read user data, service data and rights data, and the mapping relationship comprises:
creating a temporary table by a main node of the authority search engine;
the main node of the authority search engine imports the read user data, service data and authority data into the temporary table;
the master node of the authority search engine takes the service identifier as a unit to acquire the default authority and the authorized authority of each user for the service data of each service;
and the master node of the authority search engine constructs the mapping relation between the users of the data access subsystem and the service data access authorities in an inverted index mode according to the default authority and the authorized authority of each user for the service data of each service.
The application provides a data access system and a method, wherein an authority search engine of the data access system is constructed based on an elastic search technology, the authority search engine comprises a plurality of nodes, and at least one main fragment or a copy fragment of the mapping relation between a user of a data access subsystem and service data access authority is stored in a memory of the nodes. Because the authority search engine of the data access system is constructed based on the elastic search technology, authentication is carried out according to the mapping relation between the users stored in the memory and the access authority of the service data, the back and forth reading of the internal and external memory data is not involved, the time and cost loss caused by the process can be reduced, the authentication efficiency is improved, the overall data access performance of the system is improved, the high availability of the data access system, especially the authority search engine is ensured, and meanwhile, the high concurrency can be provided based on the storage form of the memory.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
FIG. 1 is a schematic diagram of a data access system according to the present application;
FIG. 2 is a schematic diagram of a rights search engine provided by the present application;
fig. 3 is a schematic flow chart of a data access method provided by the application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with related laws and regulations and standards, and provide corresponding operation entries for the user to select authorization or rejection.
It should be noted that the data access system and method of the present application may be used in the big data field, and may be used in any field other than the big data field.
Currently, in enterprise-level architecture data governance platforms, authentication of data access rights is typically performed based on a conventional Oracle database or Gbase database. Since the database adopts a column storage mode, rights retrieval based on the database is often inefficient. Authentication retrieval is performed based on a MySQL database, and an index for authentication retrieval needs to be established based on data in the database. However, the index is often built based on a unique and deep understanding of the business, or the information sufficient to optimize the index can be obtained by long-term logging and query call screening after the data governance platform is brought online. Otherwise, the authentication search speed is slower, and the index optimization period is longer.
In addition, the database used by the method is based on the storage and retrieval modes of the external memory. If the authentication search needs to be carried out, the internal memory and the external memory are required to be continuously read, so that the time and the cost are greatly consumed, the efficiency of the authentication search is reduced, and the related requirements of real-time data authentication in the field of data management cannot be met.
Elasticsearch (ES) is a distributed, highly extended, highly real-time search and data analysis engine. Unlike the method for establishing indexes in MySQL database, ES establishes an inverted index (inverted index) based on full data in an inverted index manner, where the inverted index includes full data, and is not an index constructed by screening partial data based on full data, that is, is constructed without consuming a large amount of optimization cycle time indexes. In addition, the inverted index established by the ES is directly loaded into the memory for storage, when the ES is searched, the internal and external memory data are not required to be read back and forth, and the data search speed is improved based on the data search of the memory.
In view of this, the present application provides a data access system, which includes an authority search engine, the authority search engine is constructed based on an elastic search technology, and the user data access authority to be retrieved is directly stored in the memory, so that the authentication speed of the data access authority of the data access system can be improved without performing internal and external data reading. It should be understood that the data access system provided by the present application may be applied to an enterprise-level data governance platform, and may also be applied to other data governance scenarios, which the present application is not limited to.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a data access system according to the present application, as shown in fig. 1, the data access system includes: the system comprises a data access subsystem and an authority search engine, wherein the authority search engine is constructed based on an elastic search technology and comprises a plurality of nodes, and at least one primary shard (primary shard) or a duplicate shard (duplicate shard) of the mapping relation between a user of the data access subsystem and the service data access authority is stored in a memory of each node.
The application is not limited to the type and content of the data included in the data access system, for example, the data access system can be a data access system applied to an enterprise-level architecture data management platform, and can also be a system applied to other data access scenes. The node may be, for example, a computer or a server. The application is not limited to the number of the main fragments and the copy fragments corresponding to the mapping relation between the user of the data access subsystem and the service data access authority, and can be determined by a person skilled in the art according to actual conditions.
Based on the data access system architecture, the data access subsystem can receive an access request for target data sent by a first client, and send an authentication request to the first node through a micro service, wherein the authentication request is corresponding to the first client, and whether the first user has permission to access the target data. Correspondingly, the first node receives the authentication request.
The first client may be, for example, any computer, mobile phone, or the like. The access request may include, for example, an identification of the first user, such as a number or a name of the first user. The first user may be any user with authentication requirements. The present application is not limited to the specific data content of the target data, and may be any data stored in a database of the data access system, for example. The micro-service may be, for example, an interface integration that integrates interfaces including rights search engine services. The data access subsystem may send the authentication request to the first node of the rights search engine via the micro-service. The first node may be any one of a plurality of nodes, and in some embodiments, the first node is also referred to as a coordinator node.
Subsequently, the first node may send an authentication request to the second node, which in turn receives the authentication request.
The second node is a node storing a first fragment including a mapping relation between the first user and the service data access right. The first shard may be a master shard or a replica shard. For example, after receiving the above-mentioned authentication request, the first node may determine a second node for performing an authentication operation based on the authentication request and transmit the authentication request to the second node. The method for determining the second node by the first node is not limited, for example, hash value calculation can be performed according to the authentication request, so as to determine the second node, and the specific implementation manner can refer to the prior art and is not repeated herein.
Subsequently, the second node may perform authentication search based on the authentication request to obtain a result of whether the first user has the right to access the target data, and send the result to the first node. The first node then sends the result to the data access subsystem. Correspondingly, the data access subsystem receives a result of whether the first user returned by the first node has the right to access the target data. And sending the target data to the first client when the result indicates that the first user has the right to access the target data.
The authority search engine of the data access system provided by the embodiment is constructed based on an elastic search technology, the authority search engine comprises a plurality of nodes, and at least one main fragment or a copy fragment of the mapping relation between the users of the data access subsystem and the service data access authority is stored in the memories of the nodes. Because the authority search engine of the data access system is constructed based on the elastic search technology, authentication is carried out according to the mapping relation between the users stored in the memory and the access authority of the service data, the back and forth reading of the internal and external memory data is not involved, the time and cost loss caused by the process can be reduced, the authentication efficiency is improved, the overall data access performance of the system is improved, the high availability of the data access system, especially the authority search engine is ensured, and meanwhile, the high concurrency can be provided based on the storage form of the memory.
In addition, the authority search engine is constructed based on the elastic search technology and comprises a plurality of nodes with distributed characteristics, so that the authority search engine has good horizontal expansion flexibility. Furthermore, the data access system of the application stores the constructed mapping relation between the user and the service data access authority in a fragmentation storage mode, and can store the copy fragments, so that the data access system has good disaster recovery capability. A node downtime does not affect the overall authentication capability of the system.
Fig. 2 is a schematic diagram of an authority search engine according to the present application, as shown in fig. 2, optionally, the plurality of nodes further includes: the master node of the rights search engine.
Any node of the authority search engine can be elected as a master node, and the application is not limited to the election mode of the master node in the authority search engine, for example, any mode of the existing master node election modes can be adopted. One or more databases may be included in the data access subsystem, such as one or more of a user database, a business rights database, and the like.
Taking a user database and a service authority database as examples in the data access subsystem, a master node of the authority search engine can read user data from the user database of the data access subsystem; and reading the service authority data from the service authority database of the data access subsystem.
The user data may include, for example, a mapping relationship between an identification of a user and a service level. The service level may include, for example, one or more of a line, a job level, an affiliated institution, etc. The service rights data may include, for example, an authorized right and a default right. The default authority may include, for example, a mapping relationship of authority of the service level for different service data. The authorization rights may for example comprise a mapping of rights of different users to different numbers of services. The present application is not limited to the data content included in the service data, and may include, for example, a service identifier.
Subsequently, the master node can construct the mapping relation between the user of the data access subsystem and the service data access authority in an inverted index mode according to the read user data and the service authority data.
For example, the master node may first create a temporary table, and then import the read user data and service authority data into the temporary table; then, taking the service identifier as a unit, acquiring default authority and authorized authority of each user for service data of each service; and then, constructing a mapping relation between the user of the data access subsystem and the service data access authority by adopting an inverted index mode according to the default authority and the authorized authority of each user for the service data of each service. For example, the master node may first establish an index Mapping based on information of the organization, the bar, etc. to which the user belongs, and the authorized rights and default rights of the product. In the process, different pieces of information with different granularities are segmented through a Type and a word segmentation device (Analyzer) to establish an inverted index. Specifically, the manner of constructing the mapping relationship between the user of the data access subsystem and the service data access authority by adopting the inverted index manner may refer to the prior art, and will not be described herein.
Or, the master node may also acquire default authority and authorized authority of each user for service data of each service by using the user identifier as a unit; and then, constructing a mapping relation between the user of the data access subsystem and the service data access authority by adopting an inverted index mode according to the default authority and the authorized authority of each user for the service data of each service.
Subsequently, the master node may segment the mapping relationship between the user of the data access subsystem and the service data access authority, and after the segmentation is completed, distribute the corresponding segmentation to each node (the slave node shown in fig. 2).
The application is not limited to the number of slices and the correspondence between slices and nodes. The master node can perform slicing according to the preset slicing number, and can also perform slicing according to the acquired slicing number input by the user. Illustratively, the master node may receive configuration parameters including at least one of: number of slices, and slice distribution policy. When the configuration parameter includes the number of fragments, the master node may fragment the mapping relationship between the identifier of the user of the data access subsystem and the access authority of the service data according to the number of fragments included in the configuration parameter. The present application is not limited to the specific data content included in each slice, and the data amount, and those skilled in the art can set the present application according to the actual situation.
The master node can distribute the corresponding fragments to each node according to a preset fragment distribution strategy, or can distribute fragments according to the fragment distribution strategy in the configuration parameters when the configuration parameters centrally comprise the fragment distribution strategy. The application is not limited to the specific shard distribution manner of the shard distribution policy characterization. A node may be distributed with one or more shards. Alternatively, the slices may include a main slice and a duplicate slice corresponding to the main slice. The master shard and the corresponding replica shard may be distributed to the same node or may be distributed to different nodes. If there are duplicate slices, the application does not limit the number of duplicate slices corresponding to each main slice.
In this embodiment, the main node of the search engine adopts the inverted index mode, constructs the mapping relationship between the user of the data access subsystem and the service data access authority based on the read user data and service authority data, and distributes the mapping relationship to the corresponding node after the mapping relationship is fragmented. Unlike the prior art, which uses MySQL database to perform authentication search, index creation is required according to experience of manager, and the method for creating inverted index creates inverted index based on full data, which is simple and rapid, and does not need long-term index optimization process.
In addition, based on the characteristics of the inverted index, once the inverted index in the ES is loaded into the cache, most access operations are read operations on the memory, and the consumption of the read rate caused by accessing the disk, namely accessing the external memory, is omitted. Furthermore, the data can be compressed by establishing the inverted index, so that the disk reading and writing and the consumption of the memory are reduced. Furthermore, since the inverted index cannot be modified once created, the inverted index is not required to be locked, the problem of mutual exclusion caused by multithreading and the like is not required to be considered, and the authentication performance of the authority search engine is further improved.
Optionally, the data access subsystem may further receive a rights acquisition request sent by the second client. The permission acquisition request carries an identifier of a second user corresponding to the second client and an identifier of a third user to be queried for permission.
The second client may be, for example, a computer, a mobile phone, etc. The present application is not limited to the representation modes of the identifiers of the second user and the third user, and may be, for example, the number of the user, or the identification card number, etc. The present application is not limited to the number of third users, and may be 1 or more.
Subsequently, the data access subsystem may determine, according to the identifier of the second user and the identifier of the third user to be queried for the permission, whether the second user has the permission to query for the data access permission of the third user. The data access subsystem may, for example, store a mapping of the identity of the second user and the rights to query the data access rights of the third user. The data access subsystem may determine, based on the identification of the second user, whether the second user has permission to query the third user for data access rights.
If the second user is determined to have the right to query the data access right of the third user, the data access subsystem may send a right query request to the third node, and the corresponding third node receives the right query request. The permission query request is for requesting a query for data access permission of the third user. The third node is any one of a plurality of nodes, and in some embodiments, the third node is also referred to as a coordinator node.
Subsequently, the third node may send an authentication request to the fourth node to obtain the data access rights of the third user. The fourth node is a node of the second segment storing the mapping relation between the third user and the service data access authority.
The third node may, for example, after receiving the permission query request, determine, according to the request, a node storing a second fragment including a mapping relationship of the third user and the service data access permission. Then, the third node selects a fourth node from the nodes, and sends an authentication request to the fourth node, and correspondingly, the fourth node receives the authentication request. The present application is not limited to the manner in which the third node selects the fourth node from the nodes storing the second fragments including the mapping relationship between the third user and the service data access right, and may, for example, use a polling manner or select according to any other load balancing policy.
Subsequently, the fourth node may obtain the data access right of the third user according to the second fragment query of the stored mapping relationship between the third user and the service data access right, and send the data access right to the third node. The third node then sends the data access rights of the third user to the data access subsystem. Correspondingly, the data access subsystem receives the data access right of the third user returned by the third node and outputs the data access right of the third user to the second client.
In this embodiment, the data access subsystem may acquire the data access right of the third user by using the right search engine according to the right acquisition request sent by the second client. By the method, the data access authority of the user of the data access system can be quickly checked, and the application scene of the data access system is enriched.
Optionally, on the basis of any one of the embodiments, the data access subsystem may be further configured to receive a request for changing the permission configuration of the third user sent by the second client, and/or a request for adding a user permission sent by the second client.
The operations corresponding to the permission configuration change request include: deleting at least one data access right of the third user and/or modifying at least one data access right of the third user. The modification here may be, for example, to modify at least one data access right of the third user from authorized to unauthorized or from unauthorized to authorized.
The data access subsystem receives the permission configuration change request of the third user sent by the second client, sends the permission configuration change request to the third node, determines a node where a main partition storing the mapping relationship between the third user corresponding to the permission configuration change request and the service data access permission is located according to the permission configuration change request, and sends the permission configuration change request to the node where the main partition is stored. And the node executes the operation corresponding to the permission configuration change request according to the permission configuration change request, so that the node storing the main fragment synchronously controls other nodes storing the second copy fragment to synchronously execute the corresponding operation, and the permission configuration change is realized.
In this embodiment, the data access subsystem performs configuration change on the authority of the third user stored in the authority search engine according to the authority configuration change request of the third user sent by the second client. By the method, the data in the authority search engine can be flexibly changed, and the use requirements of more comprehensive and multidimensional users are met.
The application also provides a data access method, the data access system comprises: a data access subsystem, and, a rights search engine, the rights search engine constructed based on an elastiscearch technique, comprising: and the memory of the nodes stores at least one fragment or fragment copy of the mapping relation between the user of the data access subsystem and the service data access authority. The same or similar content as in the above embodiment may refer to the above embodiment, and will not be described herein. Fig. 3 is a flow chart of a data access method provided by the present application, as shown in fig. 3, the method includes:
S101, the data access subsystem receives an access request for target data sent by a first client, and sends an authentication request for judging whether a first user corresponding to the first client has permission to access the target data to the first node through a micro service.
The first node is any node of a plurality of nodes.
S102, the first node sends an authentication request to the second node to acquire a result of whether the first user has permission to access the target data.
The second node is a node of a first fragment storing a mapping relation between the first user and the service data access right.
And S103, when the data access subsystem receives that the first user returned by the first node has the right of accessing the target data, the data access subsystem sends the target data to the first client.
Optionally, the plurality of nodes further includes: the method further comprises the steps of:
the master node of the authority search engine reads user data from a user database of the data access subsystem; the master node of the authority search engine reads service data from a service database of the data access subsystem; the master node of the authority search engine reads authority data from an authority database of the data access subsystem; the master node of the authority search engine constructs a mapping relation between a user of the data access subsystem and the service data access authority in an inverted index mode according to the read user data, service data and the authority data; the main node of the authority search engine segments the mapping relation between the identification of the user of the data access subsystem and the service data access authority; the master node of the rights search engine distributes the corresponding shards to each node.
For example, the main node constructs a mapping relationship between the user of the data access subsystem and the service data access authority in an inverted index manner according to the read user data, service data and authority data, and may include:
creating a temporary table by a master node of the authority search engine; the main node of the authority search engine imports the read user data, service data and authority data into a temporary table; the master node of the authority search engine takes the service identifier as a unit to acquire the default authority and the authorized authority of each user for the service data of each service; and the master node of the authority search engine constructs the mapping relation between the users of the data access subsystem and the service data access authorities in an inverted index mode according to the default authority and the authorized authority of each user for the service data of each service.
In one possible implementation manner, the method further includes receiving, by a master node of the rights search engine, a configuration parameter; according to the number of fragments, the mapping relation between the identification of the user of the data access subsystem and the service data access authority is fragmented; and/or distributing the corresponding fragments to each node according to the fragment distribution strategy. The configuration parameters include at least one of: number of slices, and slice distribution policy.
One possible implementation manner, the method further comprises a data access subsystem, which receives a right acquisition request sent by the second client; determining whether the second user has the right to inquire the data access right of a third user according to the identification of the second user and the identification of the third user to be inquired; if the second user is determined to have the right to inquire the data access right of the third user, sending a right inquiry request to the third node, wherein the right inquiry request is used for requesting to inquire the data access right of the third user; the third node sends the authentication request to a fourth node to acquire the data access authority of the third user; and when receiving the data access right of the third user returned by the third node, the data access subsystem outputs the data access right of the third user to the second client. The permission acquisition request carries an identifier of a second user corresponding to the second client and an identifier of a third user of permission to be queried; the third node is any node in the plurality of nodes; the fourth node is a node storing a second fragment including the mapping relation between the third user and the service data access authority.
For example, the method further includes the data access subsystem receiving a permission configuration change request of the third user sent by the second client; and the third node controls the fifth node to execute the operation corresponding to the authority configuration change request according to the authority configuration change request, so that the fifth node synchronously controls other nodes storing the second fragment copy to synchronously execute the corresponding operation.
Optionally, the operations corresponding to the permission configuration change request include: deleting at least one data access right of the third user and/or modifying at least one data access right of the third user.
The data access method provided by the embodiment of the application can be applied to the data access system, and the implementation principle and the technical effect are similar and are not repeated here.
Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A data access system, the data access system comprising: a data access subsystem, and a rights search engine, the rights search engine constructed based on an elastiscearch technique, comprising: the system comprises a plurality of nodes, wherein the memory of the nodes stores at least one main fragment or a copy fragment of the mapping relation between the user of the data access subsystem and the service data access authority;
the data access subsystem is used for receiving an access request for target data sent by a first client and sending an authentication request for judging whether a first user corresponding to the first client has permission to access the target data to a first node through a micro service; the first node is any node in the plurality of nodes;
the first node is configured to send the authentication request to a second node, so as to obtain a result of whether the first user has permission to access the target data; the second node is a first fragmented node storing the mapping relation between the first user and the service data access authority;
The data access subsystem is further configured to send the target data to the first client when the first user returned by the first node has permission to access the target data.
2. The system of claim 1, wherein the plurality of nodes further comprises: the master node of the authority search engine is used for:
reading user data from a user database of the data access subsystem;
reading service authority data from a service database of the data access subsystem;
according to the read user data and service authority data, constructing a mapping relation between the user of the data access subsystem and the service data access authority in an inverted index mode;
fragmenting a mapping relation between a user of the data access subsystem and the service data access authority;
and distributing the corresponding fragments to each node.
3. The system according to claim 2, wherein the master node of the rights search engine is specifically configured to:
creating a temporary table;
importing the read user data, service data and authority data into the temporary table;
Taking the service identifier as a unit, acquiring default authority and authority of service data of each user for each service;
and constructing the mapping relation between the users of the data access subsystem and the service data access rights by adopting an inverted index mode according to the default rights and the authorized rights of each user for the service data of each service.
4. The system according to claim 2, wherein the master node of the rights search engine is specifically configured to receive configuration parameters, the configuration parameters comprising at least one of: the number of fragments and the fragment distribution strategy;
according to the number of fragments, the mapping relation between the identification of the user of the data access subsystem and the service data access authority is fragmented;
and/or the number of the groups of groups,
and distributing the corresponding fragments to each node according to the fragment distribution strategy.
5. The system of any one of claims 1-4, wherein,
the data access subsystem is further configured to:
receiving a right acquisition request sent by a second client; the permission acquisition request carries an identifier of a second user corresponding to the second client and an identifier of a third user of permission to be queried;
Determining whether the second user has the right to inquire the data access right of a third user according to the identification of the second user and the identification of the third user to be inquired;
if the second user is determined to have the right to inquire the data access right of the third user, sending a right inquiry request to the third node, wherein the right inquiry request is used for requesting to inquire the data access right of the third user; the third node is any node in the plurality of nodes;
the third node is further configured to send the authentication request to a fourth node to obtain a data access right of the third user; the fourth node is a node storing a second fragment comprising the mapping relation of the third user and the service data access authority;
and the data access subsystem is further used for outputting the data access authority of the third user to the second client when receiving the data access authority of the third user returned by the third node.
6. The system of claim 5, wherein the system further comprises a controller configured to control the controller,
the data access subsystem is further used for receiving a permission configuration change request of the third user, which is sent by the second client;
And the third node is further configured to control, according to the permission configuration change request, the node storing the master shard to execute an operation corresponding to the permission configuration change request, so that the node storing the master shard synchronously controls other nodes storing copies of the second shard to synchronously execute corresponding operations.
7. The system of claim 6, wherein the operations corresponding to the permission configuration change request include: deleting at least one data access right of the third user and/or modifying at least one data access right of the third user.
8. A method of data access, the data access system comprising: a data access subsystem, and a rights search engine, the rights search engine constructed based on an elastiscearch technique, comprising: the method comprises the steps that a plurality of nodes are arranged, at least one main fragment or a copy fragment of the mapping relation between a user of the data access subsystem and service data access authority is stored in a memory of each node, and the method comprises the following steps:
the data access subsystem receives an access request for target data sent by a first client, and sends an authentication request for judging whether a first user corresponding to the first client has permission to access the target data or not to a first node through a micro service; the first node is any node in the plurality of nodes;
The first node sends the authentication request to a second node to acquire a result of whether the first user has permission to access the target data; the second node is a first fragmented node storing the mapping relation between the first user and the service data access authority;
and the data access subsystem sends the target data to the first client when receiving that the first user returned by the first node has the right to access the target data.
9. The method of claim 8, wherein the plurality of nodes further comprises: the method further comprises the steps of:
the master node of the authority search engine reads user data from a user database of the data access subsystem;
the master node of the authority search engine reads service authority data from a service database of the data access subsystem;
the main node of the authority search engine constructs the mapping relation between the user of the data access subsystem and the service data access authority in an inverted index mode according to the read user data and service authority data;
the main node of the authority search engine segments the mapping relation between the identification of the user of the data access subsystem and the service data access authority;
And the master node of the authority search engine distributes corresponding fragments to each node.
10. The method of claim 9, wherein the constructing, by the master node of the rights search engine, a mapping relationship between the user of the data access subsystem and the service data access rights by means of inverted indexes according to the read user data, service data, and rights data comprises:
creating a temporary table by a main node of the authority search engine;
the main node of the authority search engine imports the read user data, service data and authority data into the temporary table;
the master node of the authority search engine takes the service identifier as a unit to acquire the default authority and the authorized authority of each user for the service data of each service;
and the master node of the authority search engine constructs the mapping relation between the users of the data access subsystem and the service data access authorities in an inverted index mode according to the default authority and the authorized authority of each user for the service data of each service.
CN202310723488.XA 2023-06-16 2023-06-16 Data access system and method Pending CN116644400A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310723488.XA CN116644400A (en) 2023-06-16 2023-06-16 Data access system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310723488.XA CN116644400A (en) 2023-06-16 2023-06-16 Data access system and method

Publications (1)

Publication Number Publication Date
CN116644400A true CN116644400A (en) 2023-08-25

Family

ID=87643452

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310723488.XA Pending CN116644400A (en) 2023-06-16 2023-06-16 Data access system and method

Country Status (1)

Country Link
CN (1) CN116644400A (en)

Similar Documents

Publication Publication Date Title
CN111902810B (en) Hybrid cloud chain management of centralized and decentralized data
CN112579606A (en) Workflow data processing method and device, computer equipment and storage medium
CN111221840B (en) Data processing method and device, data caching method, storage medium and system
CN105426375B (en) A kind of calculation method and device of relational network
CN106911770A (en) A kind of data sharing method and system based on many cloud storages
CN103488687A (en) Searching system and searching method of big data
CN107391600A (en) Method and apparatus for accessing time series data in internal memory
CN106021506A (en) File storage method and apparatus for cluster system
CN106372266A (en) Cache and accessing method of cloud operation system based on aspects and configuration documents
WO2016169237A1 (en) Data processing method and device
CN111917834A (en) Data synchronization method and device, storage medium and computer equipment
CN108647266A (en) A kind of isomeric data is quickly distributed storage, exchange method
CN110706148A (en) Face image processing method, device, equipment and storage medium
CN110716990A (en) Multi-data-source management system applied to data transaction
CN116450607A (en) Data processing method, device and storage medium
CN116644400A (en) Data access system and method
CN103207835A (en) Mass data storage method through self-adaptive Range partitions
CN114116681B (en) Data migration method and device
CN111061759A (en) Data query method and device
CN111708844B (en) Data processing method, device and equipment based on block chain
CN115277242A (en) Access control method and device for digital object
CN110363515B (en) Rights and interests card account information inquiry method, system, server and readable storage medium
CN114625729B (en) Service data storage method and device, electronic equipment and storage medium
CN118132778B (en) Spatial image file distributed storage method and device considering spatial characteristics
CN117591040B (en) Data processing method, device, equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination