CN116975893A - Access request processing method and device, storage medium and computer equipment - Google Patents
- Publication number
- CN116975893A, CN202311024255.7A
- Authority
- CN
- China
- Prior art keywords
- access
- access request
- information
- authentication
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/22—Indexing; Data structures therefor; Storage structures
- G06F16/2282—Tablespace storage structures; Management thereof
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/242—Query formulation
- G06F16/2433—Query languages
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Databases & Information Systems (AREA)
- Data Mining & Analysis (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Mathematical Physics (AREA)
- Computational Linguistics (AREA)
- Computing Systems (AREA)
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses an access request processing method and device, a storage medium and computer equipment, relates to the technical field of databases and the digital medical field, and mainly aims to solve the problem of low precision of permission control over access requests. The method mainly comprises: receiving an access request for accessing a target database, wherein the access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application program information; authenticating the user information and/or the application program information according to the authentication information list and the target access object and expected operation content obtained by analyzing the query statement; and, if the authentication result is that the authentication is passed, configuring the access right of the access request as a complete access right and sending the access request carrying the complete access right to the server where the target database is located, so that the query statement is executed on the server. The method is mainly used for controlling access request permissions.
Description
Technical Field
The present invention relates to the field of database technologies and digital medical technologies, and in particular, to a method and apparatus for processing an access request, a storage medium, and a computer device.
Background
With the rapid development of network technology and big data, the open-source distributed computing architecture Hadoop is used for mass data storage, data retrieval and statistical analysis in more and more industries and fields. Hive, the core distributed database of the Hadoop architecture and its most mature computing engine, provides the most critical metadata for most computing and storage frameworks, so ensuring the security of the information in Hive is key to big data applications.
Existing control of distributed database access requests is mainly based on the distributed file authentication information list (HDFS ACL) of the server on the distributed database side. This approach requires users to be divided into roles in advance so that access rights can be determined according to each user's role. However, the ACL provides only 32 bits of permission support, and part of these must be allocated to inheritance and the operating system, so the permission bits left for configurable roles are very limited. Role division is therefore coarse-grained, and the precision of permission control over access requests is low. On digital medical platforms in particular, the composition of users is complex, accurate division cannot be achieved with only a few roles, and the precision of permission control over access requests cannot meet requirements.
Disclosure of Invention
In view of the above, the present invention provides an access request processing method and apparatus, a storage medium, and a computer device. It mainly addresses the problem that existing permission control over access requests has low precision: on a digital medical platform in particular, the composition of users is complex, accurate division cannot be achieved with only a few roles, and the precision of permission control over access requests cannot meet requirements.
According to one aspect of the present invention, there is provided an access request processing method, including:
receiving an access request for accessing a target database, wherein the access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application program information;
authenticating the user information and/or the application program information according to the authentication information list, the target access object obtained by analyzing the query statement and the expected operation content;
if the authentication result is that the authentication is passed, configuring the access right of the access request as a complete access right, and sending the access request carrying the complete access right to a server where the target database is located, so that the query statement is executed on the server.
Further, the target access object includes a target data table to be accessed and a target access field, the authentication information list includes a correspondence between at least one operation authority of different fields in different data tables and different users and/or different application programs, and authenticating the user information and/or the application program information according to the authentication information list and the target access object and the expected operation content obtained by analyzing the query statement includes:
performing reverse analysis on the query statement to obtain a target data table, a target access object in the target data table and expected operation content;
identifying from the authentication information list at least one authorized user and/or at least one authorized application matching the target data table, the target access field, the intended operating content;
and determining an authentication result based on a matching result of the authorized user and the user information and/or a matching result of the authorized application and the application program information.
Further, the access request is submitted based on the first client or the query component, and before the access request for accessing the target database is received, the method further comprises:
when the access request is submitted through the first client, acquiring information to be verified from the first client, and associating the information to be verified with the access request;
when the access request is submitted based on the query component, identifying a second client corresponding to the query component, wherein the second client is configured in advance based on the business class of the query component;
obtaining information to be verified from the second client, and associating the information to be verified with the access request;
the first client is used for submitting an access request of the operation and maintenance analysis dimension, and the query component is used for submitting an access request of the business service dimension.
Further, the information to be verified further includes an access key, and before the user information and/or the application information are authenticated according to the authentication information list and the target access object and the expected operation content obtained by analyzing the query statement, the method further includes:
checking the access authority of the first client or the second client based on the access key;
if the verification result is that the verification is passed, authenticating the user information and the application program information;
and if the verification result is that the verification is not passed, generating prompt information indicating that the current client is not authorized.
Further, the access request further carries a target resource queue, and if the authentication result is that the authentication is passed, the access right of the access request is configured as a complete access right, and the access request carrying the complete access right is sent to a server where the target database is located, so that the query statement is executed on the server, where the execution includes:
and if the authentication result is that the authentication is passed, the access request is sent to the target resource queue of the server where the target database is located, so that the query statement is executed based on the target resource corresponding to the target resource queue, and the target resource is configured based on the service class corresponding to the access request.
Further, the method further comprises:
and if the user information corresponds to the authentication exemption user or the application program information corresponds to the authentication exemption application, configuring an authentication result to pass authentication.
Further, if the authentication result is that the authentication is passed, configuring the access right of the access request as a complete access right, and after sending the access request carrying the complete access right to the server where the target database is located, the method further includes:
acquiring an execution result of the query statement;
and storing the authentication result, the execution result and the access request into corresponding access statistics items in the access details to obtain updated access details, wherein the access statistics items comprise access pre-execution matters, access in-execution matters and access post-execution matters.
According to another aspect of the present invention, there is provided an access request processing apparatus including:
the receiving module is used for receiving an access request for accessing the target database, wherein the access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application program information;
the authentication module is used for authenticating the user information and/or the application program information according to the authentication information list and the target access object and expected operation content obtained by analyzing the query statement;
and the sending module is used for configuring the access right of the access request as the complete access right if the authentication result is that the authentication is passed, and sending the access request carrying the complete access right to a server where the target database is located, so that the query statement is executed on the server.
Further, the authentication module includes:
the analysis unit is used for carrying out inverse analysis on the query statement to obtain a target data table, a target access object in the target data table and expected operation content;
a matching unit, configured to identify at least one authorized user and/or at least one authorized application that matches the target data table, the target access field, the expected operation content from the authentication information list;
and the determining unit is used for determining an authentication result based on the matching result of the authorized user and the user information and/or the matching result of the authorized application and the application program information.
Further, the apparatus further comprises:
the first association module is used for acquiring information to be verified from the first client when the access request is submitted through the first client, and associating the information to be verified with the access request;
the identification module is used for identifying a second client corresponding to the query component when the access request is submitted based on the query component, wherein the second client is configured in advance based on the service class of the query component;
the second association module is used for acquiring information to be verified from the second client and associating the information to be verified with the access request;
the first client is used for submitting an access request of the operation and maintenance analysis dimension, and the query component is used for submitting an access request of the business service dimension.
Further, the apparatus further comprises:
the verification module is used for verifying the access authority of the first client or the second client based on the access key;
the authentication module is further configured to authenticate the user information and the application information if the verification result is that the verification is passed;
and the generation module is used for generating prompt information for representing that the current client is unauthorized if the verification result is not passed.
Further, the sending module includes:
and the sending unit is used for sending the access request to the target resource queue of the server where the target database is located if the authentication result is that the authentication is passed, so as to execute the query statement based on the target resource corresponding to the target resource queue, wherein the target resource is configured based on the service class corresponding to the access request.
Further, the apparatus further comprises:
and the configuration module is used for configuring the authentication result as passing authentication if the user information corresponds to the authentication exemption user or the application program information corresponds to the authentication exemption application.
Further, the apparatus further comprises:
the acquisition module is also used for acquiring an execution result of the query statement;
and the storage module is used for storing the authentication result, the execution result and the access request into corresponding access statistics items in the access list to obtain updated access list, wherein the access statistics items comprise access pre-execution items, access in-execution items and access post-execution items.
According to still another aspect of the present invention, there is provided a storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the above access request processing method.
According to still another aspect of the present invention, there is provided a computer apparatus including: the device comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete communication with each other through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the access request processing method.
By means of the technical scheme, the technical scheme provided by the embodiment of the invention has at least the following advantages:
The invention provides an access request processing method and device, a storage medium and computer equipment. An access request for accessing a target database is first received, wherein the access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application program information; the user information and/or the application program information are authenticated according to the authentication information list and the target access object and expected operation content obtained by analyzing the query statement; if the authentication result is that the authentication is passed, the access right of the access request is configured as a complete access right, and the access request carrying the complete access right is sent to the server where the target database is located, so that the query statement is executed on the server. Compared with the prior art, the embodiment of the invention uses the authentication information list to control permissions for an access request in both the user dimension and the application dimension, supporting authentication of an individual user as well as combined authentication of an application plus an individual user. This makes access permission control much finer-grained and thereby effectively improves its precision; for a digital medical service platform and its related service scenarios in particular, it meets the need for precise access permission control over different individual users to the greatest extent.
The foregoing is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention are more readily apparent, specific embodiments of the invention are set forth below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
FIG. 1 shows a flow chart of an access request processing method provided by an embodiment of the invention;
FIG. 2 is a flowchart of another method for processing an access request according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an access request flow according to an embodiment of the present invention;
FIG. 4 is a block diagram showing an access request processing apparatus according to an embodiment of the present invention;
FIG. 5 shows a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Existing control of distributed database access requests is mainly based on the distributed file authentication information list (HDFS ACL) of the server on the distributed database side, which requires users to be divided into roles in advance so that access rights can be determined according to each user's role. However, the ACL provides only 32 bits of permission support, and part of these must be allocated to inheritance and the operating system, so the permission bits left for configurable roles are very limited. Role division is therefore coarse-grained and the precision of permission control over access requests is low; on digital medical platforms in particular, the composition of users is complex, accurate division cannot be achieved with only a few roles, and the precision of permission control over access requests cannot meet requirements. To address this, the embodiment of the invention provides an access request processing method which, as shown in FIG. 1, comprises the following steps:
101. An access request to access a target database is received.
In the embodiment of the present invention, the current execution body is an authentication component located between the client that initiates the access request and the server where the target database is located. The authentication component may be installed on the client side, on the target access server side, or on a request forwarding server. The target database is the Hive database that the access request is to access, for example a health database of the employees of enterprises associated with the existing business of a health and medical service enterprise, or a database in another business field; the embodiment of the present invention does not specifically limit this. The access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application program information. The user information is attribute information of the user sending the access request, such as a login account, a user name or a user ID. The application program information identifies the application used to send the access request, for example a digital medical platform client or an application for health big data queries; it may also be an application in another field.
102. Authenticate the user information and/or the application program information according to the authentication information list and the target access object and expected operation content obtained by analyzing the query statement.
In the embodiment of the invention, the query statement describes which data table in which database is targeted and what operation is performed on which field of that data table, so the target access object and the expected operation content of the current access request can be determined by analyzing the query statement. The target access object is the data table, and the specific field in that data table, that is to be accessed and operated on, for example the disease column in a disease data table. The expected operation content is the operation performed on the target field, such as adding, deleting, modifying or querying. After the target access object and the expected operation content are obtained through analysis, the users and/or applications holding the corresponding permission are matched from the authentication information list based on that content. It is then judged whether the user information and/or application program information of the current access request corresponds to a user or application in the authentication information list. If so, the authentication is passed; if not, the user or application that submitted the current access request does not have the right to execute the corresponding operation content, and the authentication is not passed. The authentication dimension may be the user dimension, the application dimension, or both.
For example, the permission to query the company A field of the disease information table in the physical examination data corresponds to users 005 to 020; the permission to add to the fields of the disease information table corresponds to application C; and the permission to modify and delete the fields of the disease information table corresponds to application C and user 001.
It should be noted that, because the permissions in the authentication information list are configured for individual users, different access rights can be assigned to different users, that is, user-permission rather than role-permission mappings. This gives fine-grained division of access permission control and greatly improves its precision. In addition, the authentication information list also configures permissions for applications and for combinations of application and user, that is, access permissions can be configured for a specific application or for a user using a specific application. For example, application A is used only for data query and application B is used for data modification, so the same user has different permissions when logged in through application B than when logged in through application A. Adding this permission dimension further refines the granularity of access permission division, further improves the precision of access permission control, and effectively ensures the security of the data.
103. If the authentication result is that the authentication is passed, configuring the access right of the access request as a complete access right, and sending the access request carrying the complete access right to a server where the target database is located, so that the query statement is executed on the server.
In the embodiment of the invention, if the authentication result indicates that the user currently sending the access request has the authority to execute it, or that the application program sending the access request has the authority to execute it, the query statement carried by the current access request may be executed in the target database. The access request is then sent to the server where the target database is located, so that the corresponding operation is performed on the data in the target database by executing the query statement. The query statement is written in Structured Query Language (SQL).
It should be noted that, since the target database itself applies role-based control over access rights, an access role must be configured for the access request when the authentication result is that the authentication is passed. Because the user information and application program information of the access request have already been authenticated and the request is known to be executable, the access role is configured as the complete access right; that is, the access right of the query statement in the target database is a fully open permission (Full Access Role). With this pre-authentication of the access request, by the time the request reaches the server where the target database is located, the distributed file authentication information list (HDFS ACL) of the server on the distributed database side only needs to be configured with the complete access right role, and no further division of user roles is needed. This improves the precision of access permission control while reducing the constraint imposed by the limited permission bits remaining in the HDFS ACL.
In one embodiment of the present invention, for further explanation and limitation, as shown in fig. 2, the step of authenticating the user information and/or the application information according to the authentication information list and the target data table and the target access field obtained by parsing the query statement includes:
201. Performing reverse parsing on the query statement to obtain a target data table, a target access object in the target data table and expected operation content;
202. Identifying from the authentication information list at least one authorized user and/or at least one authorized application matching the target data table, the target access field, the intended operating content;
203. Determining an authentication result based on a matching result of the authorized user and the user information and/or a matching result of the authorized application and the application program information.
In the embodiment of the invention, the authentication information list comprises the correspondence between at least one operation authority on different fields in different data tables and different users and/or different application programs. The authentication information list is a permission correspondence configured in advance for the databases that are expected to be accessed, the data tables in each database, the table column names in each data table, and the expected operation contents. If the authority of a user or an application program passes its validity period, the user or the application program is deleted from the authentication information list. Before authentication is performed using the authentication information list, the query statement is reversely parsed to determine the target access object and the expected operation content that the query statement needs to access. The target access object comprises the target data table to be accessed and the target access field in the target data table. Based on the authentication information list, a user's access authority can be configured precisely down to the field, that is, the column in the data table. For example, if the user is not the patient himself or herself, the user can be limited to having only the authority to access the patient's health physical examination status, that is, whether the physical examination has been completed, which ensures the privacy and security of the user. The operations a user may perform on a specific access field can also be limited; for example, modification, addition and deletion authorities are configured for internal users of the physical examination institution, and only viewing authority is configured for users viewing physical examination results.
In addition, the authority of an application may be configured in the same way as that of a user, which is not described again here.
It should be noted that the authentication information list controls access rights along several dimensions: in the user dimension, the individual user is the smallest unit of rights control; in the data dimension, the data column is the smallest data access unit; and in the operation dimension, each operation content is the smallest operation unit. Configuring the authentication information list therefore gives fine-grained configuration of access rights, which greatly improves the flexibility and accuracy of access right control and further improves the accuracy of access request right control.
In one embodiment of the present invention, for further explanation and limitation, the access request is submitted through a first client or a query component, and before the step of receiving the access request for accessing the target database, the method further includes:
when the access request is submitted through the first client, acquiring information to be verified from the first client, and associating the information to be verified with the access request;
identifying a second client corresponding to the query component when the access request is submitted based on the query component;
and acquiring information to be verified from the second client, and associating the information to be verified with the access request.
In the embodiment of the invention, the access request can be submitted as a Hadoop Client command line through a database client (the first client), or through a query component in scenarios where no database client is installed. Since operation and maintenance personnel typically access the database from a terminal on which the database client is installed, the first client is used to submit access requests of the operation and maintenance analysis dimension. Other business services usually need to access the database online and do not submit the information to be verified directly through a database client, so the information to be verified is obtained, by means of the query component, through a second client that corresponds to the query component. The query component is a component obtained by secondary development based on Presto-JDBC. When an access request is submitted through the query component, the query component goes online based on a preset second server corresponding to the current query component, and information such as the user information, application information and key of the second server is used as the information to be verified of the access request. The second client is configured in advance based on the service type of the query component; that is, access requests initiated by different services are submitted through different query components. Because different query components correspond to different clients, and different clients correspond to different information to be verified, the access rights of different services can be controlled by configuring different clients for the query components of different services.
For example, a client whose access right is the query right on the physical examination data table is configured for the query component of the health analysis and acquisition service, and a client whose access right is the query right on the disease data table is configured for the query component of the disease analysis and acquisition service, so as to ensure the security of data.
In the embodiment of the invention, the first client comprises a rights management client, an audit management client, a plurality of customized clients and a plurality of public-facing clients. Fig. 3 shows a schematic flow diagram of an access request. For an access request submitted through the query component, the information to be verified of the corresponding second client is acquired based on the Presto engine and the monitoring component, the authentication service is invoked to authenticate the information to be verified, and after authentication passes the distributed file system HDFS is accessed with the complete access right. The rights management client, the audit management client and the customized clients call the authentication service directly for authentication. An authentication-exempt customized client (customized client 1) accesses the distributed file system directly according to its customized authority content, without calling the authentication service. Public clients (Client 1, Client 2) and customized clients without authentication exemption (customized client 2) acquire the information to be verified based on a Hive hook of the distributed database (Hive Hook in Hive-Client), call the authentication service to authenticate the information to be verified, and access HDFS through the Hive metadata store (Hive-Metastore) and the resource manager (YARN) after authentication passes.
It should be noted that, through the developed query component, heavily used scenarios such as OLAP connection service access and application access (for example, data access and algorithm analysis), as well as data warehouse construction and BI data analysis, are all brought within the scope of access request control and management; the daily average data access volume reaches the P level, and hundreds of thousands of access requests can be processed.
In an embodiment of the present invention, for further explanation and limitation, before the step of authenticating the user information and/or the application information according to the authentication information list and the target access object and the expected operation content obtained by parsing the query statement, the method further includes:
checking the access authority of the first client or the second client based on the access key;
if the verification result is that the verification is passed, authenticating the user information and the application program information;
and if the verification result is that the verification is not passed, generating prompt information for representing that the current client is not authorized.
In the embodiment of the invention, the information to be verified also comprises an access key. To further secure the database information, the accessing client is restricted based on the key; that is, the identity of the accessing client is verified based on the key before the user information or the application information is authenticated. The key is issued by the back-end server where the database is located to the first client and to the second client corresponding to the query component, so that an access request can be submitted only through the Hadoop Client and the Presto-JDBC query component. This prevents access requests from being submitted by other routes, such as the Thrift remote port of HiveServer2, and so secures data access on the port access side.
In an embodiment of the present invention, for further explanation and limitation, if the authentication result is passing authentication, configuring the access right of the access request as a complete access right, and sending the access request carrying the complete access right to a server where the target database is located, so that the query statement is executed on the server, where the step includes:
and if the authentication result is that the authentication is passed, sending the access request to the target resource queue of the server where the target database is located, so as to execute the query statement based on the target resource corresponding to the target resource queue.
In the embodiment of the invention, the access request also carries a target resource queue, and the target resource is configured based on the service class corresponding to the access request. A resource queue is a queue holding the query statements waiting to be processed by the corresponding running resources, and different resource queues have different running resources; for example, 5 running processors are configured for resource queue A, and 2 running processors are configured for resource queue B. The access volumes of different business categories differ considerably; for example, the access volume of the physical examination inquiry service is large, while the access volume of electronic illness information is much lower. By configuring different resource queues for different access requests according to the business category of each request, the queuing time can be reduced for requests with a large access volume, and idle occupation of running resources can be avoided for requests with a small access volume. Running resources are thus allocated reasonably, which ensures the execution efficiency of access requests while improving the utilization of running resources.
In one embodiment of the present invention, for further explanation and limitation, the method further comprises:
and if the user information corresponds to the authentication exemption user or the application program information corresponds to the authentication exemption application, configuring an authentication result to pass authentication.
In the embodiment of the invention, for some special service scenarios, for example a system administrator maintaining a database or an internal management application querying the database, the security of the users and applications is already sufficiently assured, so authentication exemption can be configured for those users or application programs and they need not be authenticated. When the user information indicates that the current user is an authentication-exempt user, or the application information indicates that the application program submitting the current request is an authentication-exempt application, the user information or the application information does not need to be authenticated against the authentication information list; the authentication result is directly configured as passing authentication, and the user or the application program is configured with a higher authority than the full access authority. Configuring authentication exemption for a user or an application meets the special field requirements of the exempt service, which improves the applicability and flexibility of access request control.
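The pre-authentication flow described above (client access key check, authentication exemption, then steps 201 to 203 against the authentication information list) as an added Python example; it is not code from the patent. Assumptions: a small regular-expression parser stands in for the query engine's own SQL parser and rejects anything it cannot fully parse, columns in a WHERE clause count as reads, a request passes when either the user or the application holds every needed grant, and all client names, keys, principals, tables, fields and role names are hypothetical.

```python
import hmac
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    principal: str   # "user:<name>" or "app:<name>"
    table: str
    field: str
    operation: str   # "SELECT" or "UPDATE"
    expires: date    # end of the validity period


def grants(principal, table, fields, ops, expires):
    return [Grant(principal, table, f, o, expires) for f in fields for o in ops]


# Constructed sample data: every key, client, principal, table and field is hypothetical.
CLIENT_KEYS = {"hadoop-client": "ops-key-1", "presto-jdbc-health": "health-key-1"}
EXEMPT = {"user:sys_admin"}
AUTH_LIST = (
    grants("user:alice", "physical_exam", ["patient_id", "exam_status"],
           ["SELECT"], date(2030, 1, 1))
    + grants("user:dr_bob", "physical_exam",
             ["patient_id", "exam_status", "exam_result"],
             ["SELECT", "UPDATE"], date(2030, 1, 1))
    + grants("app:health_analysis", "physical_exam", ["patient_id", "exam_status"],
             ["SELECT"], date(2020, 1, 1))  # validity period already over
)

LIT = r"(?:'[^']*'|\d+)"  # quoted string or integer literal
SELECT_RE = re.compile(
    rf"^\s*SELECT\s+(\w+(?:\s*,\s*\w+)*)\s+FROM\s+(\w+)"
    rf"(?:\s+WHERE\s+(\w+)\s*=\s*{LIT})?\s*;?\s*$", re.I)
UPDATE_RE = re.compile(
    rf"^\s*UPDATE\s+(\w+)\s+SET\s+(\w+\s*=\s*{LIT}(?:\s*,\s*\w+\s*=\s*{LIT})*)"
    rf"\s+WHERE\s+(\w+)\s*=\s*{LIT}\s*;?\s*$", re.I)


def parse_statement(sql):
    """Step 201: return (table, {(field, operation), ...}).

    Only single-table statements with explicit columns are accepted; "*",
    joins, subqueries and functions raise ValueError so the caller denies.
    """
    m = SELECT_RE.match(sql)
    if m:
        fields = {f.strip().lower() for f in m.group(1).split(",")}
        if m.group(3):
            fields.add(m.group(3).lower())      # WHERE column is also read
        return m.group(2).lower(), {(f, "SELECT") for f in fields}
    m = UPDATE_RE.match(sql)
    if m:
        written = re.findall(rf"(\w+)\s*=\s*{LIT}", m.group(2))
        needs = {(f.lower(), "UPDATE") for f in written}
        needs.add((m.group(3).lower(), "SELECT"))
        return m.group(1).lower(), needs
    raise ValueError("statement not supported by the pre-authentication parser")


def authorize(client_id, access_key, user, app, sql, today):
    """Return (decision, role) for one access request."""
    # Access key check: only clients that were issued a key may submit requests.
    expected = CLIENT_KEYS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(),
                                                   access_key.encode()):
        return "UNAUTHORIZED_CLIENT", None
    principals = set()
    if user:
        principals.add(f"user:{user}")
    if app:
        principals.add(f"app:{app}")
    # Authentication exemption: skip the list lookup entirely.
    if principals & EXEMPT:
        return "PASS", "EXEMPT"
    try:
        table, needs = parse_statement(sql)
    except ValueError:
        return "DENY", None                      # fail closed on unparsed SQL
    # Steps 202 and 203: every (field, operation) needs an unexpired grant.
    for field, op in needs:
        authorized = {g.principal for g in AUTH_LIST
                      if (g.table, g.field, g.operation) == (table, field, op)
                      and g.expires >= today}    # expired grants count as deleted
        if not authorized & principals:
            return "DENY", None
    # Passed: forward with the single full-access role used on the HDFS side.
    return "PASS", "FULL_ACCESS"
```

Failing closed on `SELECT *` is deliberate here: a field-level list cannot be checked until the wildcard is expanded against the table schema, which this example does not have.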
In an embodiment of the present invention, for further explanation and limitation, if the authentication result is passing authentication, the step configures the access right of the access request to be a full access right, and after sending the access request carrying the full access right to the server where the target database is located, the method further includes:
acquiring an execution result of the query statement;
and storing the authentication result, the execution result and the access request into corresponding access statistics items in the access details to obtain updated access details.
In the embodiment of the invention, in order to meet the audit service requirements for access requests, the details of an access request are recorded after its processing is completed. The access statistics items comprise access pre-execution items, access in-execution items and access post-execution items. The access pre-execution items may include all information carried by the access request, the corresponding service type, information about the engine (query component or client) on which the request is based, the service platform, the authentication result, and the like. The access in-execution items may include information about query statements that are queued or executing, and the like. The access post-execution items include the results of periodic statistical analysis of the access pre-execution items and the access in-execution items. Rights management personnel and audit management personnel can view the access details through the corresponding Authority Manager and Audit Manager clients. Once rights are subject to process management and audit management, the state of the system can be perceived in real time and related early-warning processing can be performed, for example an early warning on authentication anomalies or on the number of queued access requests exceeding a threshold.
The invention provides an access request processing method, which comprises: first, receiving an access request for accessing a target database, wherein the access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application program information; authenticating the user information and/or the application program information according to the authentication information list and the target access object and expected operation content obtained by parsing the query statement; and, if the authentication result is that the authentication is passed, configuring the access right of the access request as a complete access right, and sending the access request carrying the complete access right to a server where the target database is located, so that the query statement is executed on the server. Compared with the prior art, the embodiment of the invention realizes authority control of the access request in the user dimension and the application dimension through the authentication information list, realizes authentication of the individual user as well as combined authentication of the application plus the individual user, and makes the granularity of access right control much finer, thereby effectively improving the accuracy of access right control. In particular, for a digital medical service platform and its various related service scenarios, it meets to the greatest extent the requirement for accurate access right control over different individual users.
Further, as an implementation of the method shown in fig. 1, an embodiment of the present invention provides an access request processing apparatus, as shown in fig. 4, where the apparatus includes:
the receiving module 31 is configured to receive an access request for accessing a target database, where the access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application information;
the authentication module 32 is configured to authenticate the user information and/or the application information according to the authentication information list and the target access object and the expected operation content obtained by parsing the query statement;
and the sending module 33 is configured to configure the access right of the access request as a complete access right if the authentication result is that the authentication is passed, and send the access request carrying the complete access right to a server where the target database is located, so that the query statement is executed on the server.
Further, the authentication module 32 includes:
the analysis unit is used for carrying out inverse analysis on the query statement to obtain a target data table, a target access object in the target data table and expected operation content;
A matching unit, configured to identify at least one authorized user and/or at least one authorized application that matches the target data table, the target access field, the expected operation content from the authentication information list;
and the determining unit is used for determining an authentication result based on the matching result of the authorized user and the user information and/or the matching result of the authorized application and the application program information.
Further, the apparatus further comprises:
the first association module is used for acquiring information to be verified from the first client when the access request is submitted through the first client, and associating the information to be verified with the access request;
the identification module is used for identifying a second client corresponding to the query component when the access request is submitted based on the query component, wherein the second client is configured in advance based on the service class of the query component;
the second association module is used for acquiring information to be verified from the second client and associating the information to be verified with the access request;
the first client is used for submitting an access request of the operation and maintenance analysis dimension, and the query component is used for submitting an access request of the business service dimension.
Further, the apparatus further comprises:
the verification module is used for verifying the access authority of the first client or the second client based on the access key;
the authentication module 32 is further configured to authenticate the user information and the application information if the verification result is that verification is passed;
and the generation module is used for generating prompt information for representing that the current client is unauthorized if the verification result is not passed.
Further, the transmitting module 33 includes:
and the sending unit is used for sending the access request to the target resource queue of the server where the target database is located if the authentication result is that the authentication is passed, so as to execute the query statement based on the target resource corresponding to the target resource queue, wherein the target resource is configured based on the service class corresponding to the access request.
Further, the apparatus further comprises:
and the configuration module is used for configuring the authentication result as passing authentication if the user information corresponds to the authentication exemption user or the application program information corresponds to the authentication exemption application.
Further, the apparatus further comprises:
The acquisition module is used for acquiring an execution result of the query statement;
and the storage module is used for storing the authentication result, the execution result and the access request into corresponding access statistics items in the access details to obtain updated access details, wherein the access statistics items comprise access pre-execution items, access in-execution items and access post-execution items.
The invention provides an access request processing device, which first receives an access request for accessing a target database, wherein the access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application program information; authenticates the user information and/or the application program information according to the authentication information list and the target access object and expected operation content obtained by parsing the query statement; and, if the authentication result is that the authentication is passed, configures the access right of the access request as a complete access right and sends the access request carrying the complete access right to a server where the target database is located, so that the query statement is executed on the server. Compared with the prior art, the embodiment of the invention realizes authority control of the access request in the user dimension and the application dimension through the authentication information list, realizes authentication of the individual user as well as combined authentication of the application plus the individual user, and makes the granularity of access right control much finer, thereby effectively improving the accuracy of access right control. In particular, for a digital medical service platform and its various related service scenarios, it meets to the greatest extent the requirement for accurate access right control over different individual users.
According to an embodiment of the present invention, there is provided a storage medium storing at least one executable instruction that can perform the access request processing method in any of the above-described method embodiments.
Fig. 5 is a schematic structural diagram of a computer device according to an embodiment of the present invention, and the specific embodiment of the present invention is not limited to the specific implementation of the computer device.
As shown in fig. 5, the computer device may include: a processor 402, a communication interface (Communications Interface) 404, a memory 406, and a communication bus 408.
Wherein: processor 402, communication interface 404, and memory 406 communicate with each other via communication bus 408.
A communication interface 404 for communicating with network elements of other devices, such as clients or other servers.
The processor 402 is configured to execute the program 410, and may specifically perform relevant steps in the above-described embodiments of the method for processing an access request.
In particular, program 410 may include program code including computer-operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the computer device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
Memory 406 for storing programs 410. Memory 406 may comprise high-speed RAM memory or may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
Program 410 may be specifically operable to cause processor 402 to:
receiving an access request for accessing a target database, wherein the access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application program information;
authenticating the user information and/or the application program information according to the authentication information list, the target access object obtained by analyzing the query statement and the expected operation content;
if the authentication result is that the authentication is passed, configuring the access right of the access request as a complete access right, and sending the access request carrying the complete access right to a server where the target database is located, so that the query statement is executed on the server.
It will be appreciated by those skilled in the art that the modules or steps of the invention described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may alternatively be implemented in program code executable by computing devices, so that they may be stored in a memory device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than that shown or described, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps within them may be fabricated into a single integrated circuit module for implementation. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. An access request processing method, comprising:
receiving an access request for accessing a target database, wherein the access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application program information;
authenticating the user information and/or the application program information according to the authentication information list, the target access object obtained by analyzing the query statement and the expected operation content;
if the authentication result is that the authentication is passed, configuring the access right of the access request as a complete access right, and sending the access request carrying the complete access right to a server where the target database is located, so that the query statement is executed on the server.
2. The method according to claim 1, wherein the target access object includes a target data table to be accessed and a target access field, the authentication information list includes a correspondence between at least one operation authority of different fields in different data tables and different users and/or different application programs, and the authenticating the user information and/or the application program information according to the authentication information list and the target access object and the expected operation content obtained by parsing the query statement includes:
Performing reverse analysis on the query statement to obtain a target data table, a target access object in the target data table and expected operation content;
identifying from the authentication information list at least one authorized user and/or at least one authorized application matching the target data table, the target access field, the intended operating content;
and determining an authentication result based on a matching result of the authorized user and the user information and/or a matching result of the authorized application and the application program information.
3. The method of claim 1, wherein the access request is submitted based on a first client or query component, the method further comprising, prior to receiving the access request to access the target database:
when the access request is submitted through the first client, acquiring information to be verified from the first client, and associating the information to be verified with the access request;
when the access request is submitted based on the query component, identifying a second client corresponding to the query component, wherein the second client is configured in advance based on the business class of the query component;
Obtaining information to be verified from the second client, and associating the information to be verified with the access request;
the first client is used for submitting an access request of the operation and maintenance analysis dimension, and the query component is used for submitting an access request of the business service dimension.
4. A method according to claim 3, wherein the information to be verified further comprises an access key, and before the user information and/or the application information is authenticated according to the authentication information list and the target access object and the expected operation content obtained by parsing the query statement, the method further comprises:
checking the access authority of the first client or the second client based on the access key;
if the verification result is that the verification is passed, authenticating the user information and the application program information;
and if the verification result is that the verification is not passed, generating prompt information for representing that the current client is not authorized.
5. The method according to claim 1, wherein the access request further carries a target resource queue, and if the authentication result is that the access request passes authentication, configuring the access right of the access request as a full access right, and sending the access request carrying the full access right to a server where the target database is located, so that the query statement is executed on the server includes:
And if the authentication result is that the authentication is passed, the access request is sent to the target resource queue of the server where the target database is located, so that the query statement is executed based on the target resource corresponding to the target resource queue, and the target resource is configured based on the service class corresponding to the access request.
6. The method according to claim 1, wherein the method further comprises:
if the user information corresponds to an authentication-exempt user or the application program information corresponds to an authentication-exempt application, configuring the authentication result as authentication passed.
7. The method according to any one of claims 1-6, wherein, after configuring the access right of the access request as a full access right if the authentication result is that the authentication is passed, and sending the access request carrying the full access right to the server where the target database is located, the method further comprises:
acquiring an execution result of the query statement;
and storing the authentication result, the execution result and the access request into corresponding access statistics items in the access details to obtain updated access details, wherein the access statistics items comprise access pre-execution matters, access in-execution matters and access post-execution matters.
8. An access request processing apparatus, comprising:
a receiving module, used for receiving an access request for accessing the target database, wherein the access request carries information to be verified and a query statement, and the information to be verified comprises at least one of user information and application program information;
an authentication module, used for authenticating the user information and/or the application program information according to the authentication information list and the target access object and the expected operation content obtained by parsing the query statement;
and a sending module, used for configuring the access right of the access request as the full access right if the authentication result is that the authentication is passed, and sending the access request carrying the full access right to a server where the target database is located, so that the query statement is executed on the server.
9. A storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the access request processing method of any one of claims 1-7.
10. A computer device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is configured to store at least one executable instruction, where the executable instruction causes the processor to perform the operations corresponding to the access request processing method according to any one of claims 1 to 7.
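The decision flow of claims 4, 6 and 7 can be sketched as follows; this is an added illustration, not code from the patent. The client names, keys, layout of the authentication information list, the regex-based parser, the rule that every supplied principal must be authorised, and the ordering of the exemption check after the access-key check are all assumptions.

```python
import hmac
import re

# Constructed sample data; every name here is hypothetical.
ACCESS_KEYS = {"ops-client": "k-ops", "biz-query": "k-biz"}   # client -> access key
EXEMPT_USERS, EXEMPT_APPS = {"dba_root"}, set()               # claim 6
AUTH_LIST = {                                                 # (principal, table) -> operations
    ("user:alice", "orders"): {"SELECT"},
    ("app:report-svc", "orders"): {"SELECT", "INSERT"},
}
_STMT = re.compile(
    r"^\s*(SELECT)\b.*?\bFROM\s+([\w.]+)|^\s*(INSERT)\s+INTO\s+([\w.]+)"
    r"|^\s*(UPDATE)\s+([\w.]+)|^\s*(DELETE)\s+FROM\s+([\w.]+)",
    re.IGNORECASE | re.DOTALL)
_UNSUPPORTED = re.compile(
    r"\bJOIN\b|\bUNION\b|\(\s*SELECT\b|\bFROM\s+[\w.]+\s*,", re.IGNORECASE)

def parse_query(sql):
    """Return (operation, table), or None for anything this simplified parser cannot vouch for."""
    body = sql.strip().rstrip(";")
    if ";" in body or _UNSUPPORTED.search(body):
        return None                      # stacked or multi-table statement: fail closed
    m = _STMT.match(body)
    if not m:
        return None
    op, table = (g for g in m.groups() if g)
    return op.upper(), table.lower()

def process_request(client, key, user, app, sql, access_details):
    def record(result):
        # Claim 7: keep the request with its authentication result; the execution
        # result is filled in after the server has run the statement.
        access_details.append({"client": client, "user": user, "app": app,
                               "sql": sql, "auth": result, "exec": None})
        return result
    expected = ACCESS_KEYS.get(client)
    if expected is None or not hmac.compare_digest(expected, key):
        return record("client-unauthorized")          # claim 4
    if user in EXEMPT_USERS or app in EXEMPT_APPS:
        return record("passed")                       # claim 6
    parsed = parse_query(sql)
    principals = [p for p in (user and f"user:{user}", app and f"app:{app}") if p]
    if parsed is None or not principals:
        return record("denied")
    op, table = parsed
    ok = all(op in AUTH_LIST.get((p, table), set()) for p in principals)
    return record("passed" if ok else "denied")
```

Because a request that passes is forwarded with the full access right, the parser is the only enforcement point, which is why any statement it cannot fully account for is denied rather than forwarded.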
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311024255.7A CN116975893A (en) | 2023-08-14 | 2023-08-14 | Access request processing method and device, storage medium and computer equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311024255.7A CN116975893A (en) | 2023-08-14 | 2023-08-14 | Access request processing method and device, storage medium and computer equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116975893A (en) | 2023-10-31 |
Family
ID=88481493
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311024255.7A Pending CN116975893A (en) | 2023-08-14 | 2023-08-14 | Access request processing method and device, storage medium and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116975893A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118133266A (en) * | 2024-05-10 | 2024-06-04 | 中移(杭州)信息技术有限公司 | Authority control method, device, equipment, medium and product based on function level |
CN118503944A (en) * | 2024-07-12 | 2024-08-16 | 宁波银行股份有限公司 | Authentication method, device, equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110197058B (en) | Unified internal control security management method, system, medium and electronic device | |
KR102514325B1 (en) | Model training system and method, storage medium | |
US10250612B1 (en) | Cross-account role management | |
US10911428B1 (en) | Use of metadata for computing resource access | |
US9864868B2 (en) | Method and apparatus for process enforced configuration management | |
US20170286653A1 (en) | Identity risk score generation and implementation | |
US10740411B2 (en) | Determining repeat website users via browser uniqueness tracking | |
CN116975893A (en) | Access request processing method and device, storage medium and computer equipment | |
US11244040B2 (en) | Enforcement of password uniqueness | |
CA3088147C (en) | Data isolation in distributed hash chains | |
WO2020000716A1 (en) | Big data analysis system, server, data processing method, program and storage medium | |
CN114422197A (en) | Permission access control method and system based on policy management | |
CN114666124A (en) | Business system login method, login device, electronic equipment and storage medium | |
CN111147496B (en) | Data processing method and device | |
CN112464176A (en) | Authority management method and device, electronic equipment and storage medium | |
US20220255970A1 (en) | Deploying And Maintaining A Trust Store To Dynamically Manage Web Browser Extensions On End User Computing Devices | |
US11522863B2 (en) | Method and system for managing resource access permissions within a computing environment | |
CN114692126A (en) | Big data unified authorization access method, device, electronic equipment and medium | |
Simske et al. | Apex: Automated policy enforcement exchange | |
CN110532781A (en) | A kind of Informationflow Control system based on Hades framework | |
CN115296901B (en) | Rights management method based on artificial intelligence and related equipment | |
US8627072B1 (en) | Method and system for controlling access to data | |
US20210248269A1 (en) | Device and method for enforcing a data policy | |
US11863563B1 (en) | Policy scope management | |
US20220353298A1 (en) | Embedded and distributable policy enforcement |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||