CN117828668A - Data query method, device and equipment - Google Patents

Publication number
CN117828668A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410009666.7A
Other languages
Chinese (zh)
Inventor
吕伟
陈朝明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
CCB Finetech Co Ltd
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd

Landscapes

  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application provides a data query method, device and equipment, and relates to the technical field of information security. The method comprises: receiving a data access request sent by a client, wherein the data access request comprises a user identification of a target user and service query information; determining at least one data table corresponding to the service query information; determining an original query statement corresponding to each data table to obtain at least one original query statement; determining the target query authority of the target user on each data table according to the user identification; updating the at least one original query statement according to the target query authority of the target user on each data table to obtain at least one target query statement; and performing data query on the at least one data table according to the at least one target query statement to obtain target data, and sending the target data to the client. The method helps improve the flexibility of authority control in the data query process.

Description

Data query method, device and equipment
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a data query method, device, and equipment.
Background
Data authority refers to the visibility of data resources to a system user: the user can access a data resource when the user meets the access authority condition of that data resource.
In the related art, for any service module, an authority module corresponding to the service module must be set up before data can be queried through the service module. When a user queries data, the service module and its corresponding authority module jointly control the query. When the service requirement corresponding to the service module changes, the authority module corresponding to the service module needs to be updated.
However, in the above process, authority control during data query is inflexible.
Disclosure of Invention
The application provides a data query method, a device and equipment, which are used for solving the problem of poor flexibility of authority control in the process of data query in the prior art.
In a first aspect, the present application provides a data query method, including:
receiving a data access request sent by a client, wherein the data access request comprises a user identification of a target user and service query information;
determining at least one data table corresponding to the service query information;
determining an original query statement corresponding to each data table to obtain at least one original query statement;
determining the target query authority of the target user to each data table according to the user identification;
according to the target query authority of the target user on each data table, updating the at least one original query statement to obtain at least one target query statement;
and carrying out data query on the at least one data table according to the at least one target query statement to obtain target data, and sending the target data to the client.
In one possible design, updating the at least one original query statement according to the target query authority of the target user on each data table to obtain at least one target query statement includes:
acquiring a permission control state of each data table, wherein the permission control state is an open state or a closed state;
determining at least one target data table in the at least one data table according to the target query permission of the target user for each data table and the permission control state of each data table, wherein the target query permission of the target data table is a preset query permission;
acquiring the permission query statement corresponding to each target data table according to the user identification to obtain at least one permission query statement;
and updating the at least one original query statement according to the at least one permission query statement to obtain the at least one target query statement.
In one possible design, for any one target data table, acquiring the permission query statement corresponding to the target data table according to the user identifier includes:
generating a query keyword according to the user identifier and the identifier of the target data table;
querying whether the permission query statement exists in a preset database according to the query keyword;
if yes, acquiring the permission query statement from the preset database;
if not, generating the permission query statement according to the user identification and the target data table, and correspondingly storing the permission query statement and the query keyword in the preset database.
In one possible design, generating the permission query statement according to the user identification and the target data table includes:
determining a first index field of the target data table in a preset database table according to the identification of the target data table, wherein the preset database table comprises the identification of each data table and the first index field;
determining user authority data of the target user in the target data table and a second index field of the user authority data according to the user identification;
and performing splicing processing on the user identification, the first index field and the second index field to obtain the permission query statement.
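The lookup-or-generate design above, as an added example that is not code from the application. It assumes a plain dict in place of the preset database, hypothetical table, column and user names, and one reading of the splicing step in which the index fields locate a filter column while the user identification is bound as a parameter instead of being concatenated into the SQL text.

```python
import json
import re

# Constructed stand-ins (assumptions, not from the application): a dict plays
# the preset database, and two small dicts play the preset database table and
# the user permission data.
CACHE = {}
DATA_RESOURCE = {"employee_info": "T001"}          # table identification -> first index field
USER_PERMISSION = {("user1", "T001"): "owner_id"}  # (user, first index) -> second index field
GENERATED = []                                     # one entry per cache miss

# Only plain identifiers may be placed into SQL text.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def naive_key(user_id, table_id):
    """Plain "user+table" concatenation, shown for comparison only."""
    return f"{user_id}+{table_id}"


def cache_key(user_id, table_id):
    """JSON-encode the pair so ("a+b", "c") and ("a", "b+c") cannot collide."""
    return "permsql:" + json.dumps([user_id, table_id])


def ident(name):
    """Reject anything that is not a bare SQL identifier."""
    if not IDENT.fullmatch(name):
        raise ValueError(f"unsafe SQL identifier: {name!r}")
    return name


def generate(user_id, table_id):
    """Build the permission query statement; a missing config entry raises KeyError."""
    first = DATA_RESOURCE[table_id]              # first index field of the table
    second = USER_PERMISSION[(user_id, first)]   # second index field for this user
    sql = f"SELECT * FROM {ident(table_id)} WHERE {ident(second)} = :uid"
    GENERATED.append((user_id, table_id))
    return sql, {"uid": user_id}                 # user value is bound, never spliced


def permission_statement(user_id, table_id):
    """Return the cached statement, generating and storing it on a miss."""
    key = cache_key(user_id, table_id)
    if key not in CACHE:
        CACHE[key] = generate(user_id, table_id)
    return CACHE[key]


def invalidate(user_id, table_id):
    """Drop the cached statement; call this whenever the user's permission changes."""
    CACHE.pop(cache_key(user_id, table_id), None)


if __name__ == "__main__":
    print(naive_key("a+b", "c"), naive_key("a", "b+c"))   # same key for two pairs
    print(permission_statement("user1", "employee_info"))
```

A cached permission query statement stays in force until it is evicted, so a permission change that is not paired with `invalidate` keeps granting the old row filter.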
In one possible design, updating the at least one original query statement according to the at least one permission query statement to obtain the at least one target query statement includes:
in the at least one original query statement, replacing the original query statement of each target data table with the permission query statement of the target data table to obtain the at least one target query statement.
In one possible design, for any one data table, determining the target query authority of the target user on the data table according to the user identification includes:
acquiring authority configuration information of the data table, wherein the authority configuration information comprises a plurality of user identifiers and the preset query authority corresponding to each user identifier;
and in the permission configuration information, determining the preset query permission corresponding to the user identifier as the target query permission.
In one possible design, the method further comprises:
acquiring a creation request of user permission data of the target user, wherein the creation request comprises a target data table corresponding to the user permission data, an authorization type of the target user and a preset query permission;
determining a permission control rule corresponding to the user permission data and an execution method of the permission control rule according to the authorization type and the preset query permission;
and creating the user permission data according to the target data table, the permission control rule and the execution method.
In a second aspect, the present application provides a data query device, including:
the receiving module is used for receiving a data access request sent by the client, wherein the data access request comprises a user identification of a target user and service query information;
the determining module is used for determining at least one data table corresponding to the service query information;
the determining module is further used for determining an original query statement corresponding to each data table to obtain at least one original query statement;
the determining module is further used for determining the target query authority of the target user to each data table according to the user identification;
the updating module is used for updating the at least one original query statement according to the target query authority of the target user on each data table to obtain at least one target query statement;
the query module is used for carrying out data query on the at least one data table according to the at least one target query statement to obtain target data;
and the sending module is used for sending the target data to the client.
In one possible design, the update module is specifically configured to:
acquiring a permission control state of each data table, wherein the permission control state is an open state or a closed state;
determining at least one target data table in the at least one data table according to the target query permission of the target user for each data table and the permission control state of each data table, wherein the target query permission of the target data table is a preset query permission;
acquiring the permission query statement corresponding to each target data table according to the user identification to obtain at least one permission query statement;
and updating the at least one original query statement according to the at least one permission query statement to obtain the at least one target query statement.
In one possible design, for any one target data table, the updating module is specifically further configured to:
generating a query keyword according to the user identifier and the identifier of the target data table;
querying whether the permission query statement exists in a preset database according to the query keyword;
if yes, acquiring the permission query statement from the preset database;
if not, generating the permission query statement according to the user identification and the target data table, and correspondingly storing the permission query statement and the query keyword in the preset database.
In one possible design, the update module is specifically further configured to:
determining a first index field of the target data table in a preset database table according to the identification of the target data table, wherein the preset database table comprises the identification of each data table and the first index field;
determining user authority data of the target user in the target data table and a second index field of the user authority data according to the user identification;
and performing splicing processing on the user identification, the first index field and the second index field to obtain the permission query statement.
In one possible design, the update module is specifically further configured to:
in the at least one original query statement, replacing the original query statement of each target data table with the permission query statement of the target data table to obtain the at least one target query statement.
In one possible design, for any one data table, the determining module is specifically configured to:
acquiring authority configuration information of the data table, wherein the authority configuration information comprises a plurality of user identifiers and the preset query authority corresponding to each user identifier;
and in the permission configuration information, determining the preset query permission corresponding to the user identifier as the target query permission.
In one possible design, the data query device further includes an acquisition module and a creation module, wherein:
the acquisition module is used for acquiring a creation request of the user permission data of the target user, wherein the creation request comprises a target data table corresponding to the user permission data, an authorization type of the target user and a preset query permission;
the determining module is further configured to determine, according to the authorization type and the preset query permission, a permission control rule corresponding to the user permission data, and an execution method of the permission control rule;
the creation module is configured to create the user permission data according to the target data table, the permission control rule, and the execution method.
In a third aspect, an embodiment of the present application provides a data query device, including: a processor and a memory; the memory stores computer-executable instructions; the processor executes computer-executable instructions stored in the memory, causing the processor to perform the data query method as described above in the first aspect and the various possible designs of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, where computer-executable instructions are stored, and when executed by a processor, implement a data query method according to the first aspect and the various possible designs of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements the data query method according to the first aspect and the various possible designs of the first aspect.
The data query method, device and equipment provided by the application can receive a data access request sent by a client, where the data access request may include a user identification of a target user and service query information; determine at least one data table corresponding to the service query information; determine an original query statement of each data table; determine the target query authority of the target user on each data table according to the user identification; update the at least one original query statement according to the target query authority of the target user on each data table to obtain at least one target query statement; and perform data query on the at least one data table according to the at least one target query statement to obtain target data, which may also be sent to the client. In this method, no service module needs its own separately configured authority module: the data tables corresponding to the service query information are determined, the original query statement of each data table is updated based on the target user's target query authority on that table to obtain the target query statement, and the data query is performed with the target query statement, which makes authority control during data query more flexible.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
Fig. 2 is a flow chart of a data query method according to an embodiment of the present application;
Fig. 3 is a flowchart illustrating a method for obtaining a permission query statement of a target data table according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a process for creating a user rights data set according to an embodiment of the present application;
Fig. 5 is a flow chart of another data query method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a data query device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of another data query device according to an embodiment of the present application;
Fig. 8 is a schematic hardware structure of a data query device according to an embodiment of the present application.
Specific embodiments thereof have been shown by way of example in the drawings and will herein be described in more detail. These drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but to illustrate the concepts of the present application to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
In the technical solution of the application, the collection, storage, use, processing, transmission, provision and disclosure of related information such as financial data or user data comply with relevant laws and regulations and do not violate public order and good customs. The user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to herein are information and data authorized by the user or fully authorized by all parties; the collection, use and processing of the relevant data must comply with relevant laws, regulations and standards, and a corresponding operation entry is provided for the user to grant or refuse authorization.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application. Referring to fig. 1, the client may send a data access request to the server, and the server may determine a target query authority of a target user according to the data access request, determine target data based on the target query authority of the target user, and send the target data to the client.
In the related art, for any service module, an authority module corresponding to the service module must be set up before data can be queried through the service module. When a user queries data, the service module and its corresponding authority module jointly control the query. When the service requirement corresponding to the service module changes, the authority module corresponding to the service module needs to be updated. However, in the above process, authority control during data query is inflexible.
In view of this, the embodiments of the present application provide a data query method, which may receive a data access request sent by a client, where the data access request may include a user identification of a target user and service query information; determine at least one data table corresponding to the service query information; determine an original query statement of each data table; determine the target query authority of the target user on each data table according to the user identification; update the at least one original query statement according to the target query authority of the target user on each data table to obtain at least one target query statement; and perform data query on the at least one data table according to the at least one target query statement to obtain target data, which may also be sent to the client. In this method, no service module needs its own separately configured authority module: the data tables corresponding to the service query information are determined, the original query statement of each data table is updated based on the target user's target query authority on that table to obtain the target query statement, and the data query is performed with the target query statement, which makes authority control during data query more flexible.
The following describes the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a flow chart of a data query method according to an embodiment of the present application. Referring to fig. 2, the method may include:
In the embodiment of the present application, the method may be applied to a data query device, which may be the server in Fig. 1. For example, the method may be implemented by the data query device, by a chip in the data query device, or by a data query apparatus in the data query device.
S201, receiving a data access request sent by a client.
The data access request may include a user identification of the target user and service query information.
The user identification may include, but is not limited to, a user name, a user code, or a user login account.
By way of example, the service query information may be "query the target user's transactions with financial product 1 in the last month".
S202, determining at least one data table corresponding to the service query information.
In one possible implementation manner, the service query information may be parsed to obtain a plurality of target query fields; acquiring a first corresponding relation, wherein the first corresponding relation comprises a plurality of data tables and at least one query field corresponding to each data table; at least one data table corresponding to the service query information may be determined according to the first correspondence and the plurality of target query fields.
S203, determining an original query statement corresponding to each data table to obtain at least one original query statement.
The original query statement may be a structured query language (Structured Query Language, SQL) statement.
In one example, the preset database may store a plurality of data tables, a query keyword for each data table, and the original query statement corresponding to each data table. A query keyword is generated for each data table, and the original query statement corresponding to the data table is looked up in the preset database by that query keyword. For example, the preset database may be a Remote Dictionary Server (Redis).
S204, determining the target query authority of the target user to each data table according to the user identification.
In one possible implementation manner, for any one data table, the target query authority of the target user on the data table can be obtained as follows: acquiring authority configuration information of the data table, wherein the authority configuration information comprises a plurality of user identifiers and the preset query authority corresponding to each user identifier; and, in the authority configuration information, determining the preset query authority corresponding to the user identifier as the target query authority.
S205, according to the target query authority of the target user on each data table, updating at least one original query statement to obtain at least one target query statement.
In one example, the query authority may include, but is not limited to, the following 7 query authorities: all data can be checked, only the user's own data can be checked, only the user's department data can be checked, only the configuration department data can be checked, only the user's department and configuration department data can be checked, only specific configuration data can be checked, and only data conforming to the data rules can be checked.
Optionally, at least one target query statement may be obtained by performing steps S2051-S2054 as follows:
S2051, acquiring the authority control state of each data table.
The permission control state may be an open state or a closed state.
S2052, determining at least one target data table in at least one data table according to the target query authority of the target user on each data table and the authority control state of each data table.
The target query authority of the target data table is a preset query authority. By way of example, the preset query permissions may include at least one of the following permissions: only the user's own data, only the user's department data, only the configuration department data, only the user's department and configuration department data, only specific configuration data, and only data that meets the data rules can be viewed.
For any data table, if the authority control state of the data table is an open state and the target query authority of the data table is a preset query authority, determining the data table as a target data table; and if the permission control state of the data table is in a closed state or the target query permission of the data table is not the preset query permission, determining that the data table is a non-target data table.
S2053, acquiring the permission query statement corresponding to each target data table according to the user identification to obtain at least one permission query statement.
It should be noted that how the permission query statement corresponding to each target data table is obtained is described in detail in the embodiment of Fig. 3.
S2054, updating at least one original query statement according to at least one permission query statement to obtain at least one target query statement.
Optionally, the at least one target query statement may be obtained as follows: in the at least one original query statement, replacing the original query statement of each target data table with the permission query statement of the target data table to obtain at least one target query statement.
S206, carrying out data query on at least one data table according to at least one target query statement to obtain target data, and sending the target data to the client.
In one example, the target data may be obtained by executing a target query statement corresponding to each data table, querying target sub-data in each data table, and performing a stitching process on the target sub-data queried in at least one data table.
The data query method provided by the embodiment of the application can receive the data access request sent by the client, wherein the data access request can comprise the user identification of the target user and service query information; determining at least one data table corresponding to the service query information, determining an original query statement of each data table, and determining a target query authority of a target user on each data table according to the user identification; the method comprises the steps of obtaining at least one original query statement by updating the at least one original query statement according to target query permission of a target user on each data table, obtaining at least one target query statement, and carrying out data query in the at least one data table according to the at least one target query statement to obtain target data; the target data may also be sent to the client. In the method, each service module does not need to be provided with an authority module independently, and the authority control in the data query process is more flexible by determining a plurality of data tables corresponding to the service query information, updating the original query statement of each data table based on the target query authority of a target user on each data table to obtain the target query statement, and further carrying out data query processing through the target query statement.
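Steps S204 to S206 run against an in-memory SQLite database, as an added example that is not code from the application. The schema, users and departments are constructed sample data; only three of the seven query authorities are modelled; the permission query statement is assumed to be the original statement wrapped in a row filter; and refusing users with no configured authority is a choice made for this example.

```python
import sqlite3

ALL, OWN, OWN_DEPT = "all", "own", "own_dept"   # three of the seven authorities
PRESET = {OWN, OWN_DEPT}                        # authorities that trigger a rewrite

USER_DEPT = {"u1": "d1", "u2": "d1", "u3": "d2", "admin": "d9"}  # constructed

# Fixed predicate templates; the user-derived value is always bound as :v.
ROW_FILTER = {
    OWN: ("owner = :v", lambda uid: uid),
    OWN_DEPT: ("dept = :v", lambda uid: USER_DEPT[uid]),
}

# Per table: original statement (S203), control state (S2051), authorities (S204).
TABLES = {
    "trades": {
        "original": "SELECT id, owner, dept, amount FROM trades",
        "control_on": True,
        "permissions": {"u1": OWN, "u2": OWN_DEPT, "admin": ALL},
    },
    "products": {
        "original": "SELECT id, name FROM products",
        "control_on": False,
        "permissions": {"u1": OWN, "admin": ALL},
    },
}


def target_permission(user_id, table):
    """S204: look up the configured authority; unknown users are refused."""
    try:
        return TABLES[table]["permissions"][user_id]
    except KeyError:
        raise PermissionError(f"no authority configured for {user_id!r} on {table!r}")


def is_target_table(user_id, table):
    """S2051-S2052: control state is open and the authority is a preset one."""
    return TABLES[table]["control_on"] and target_permission(user_id, table) in PRESET


def target_statement(user_id, table):
    """S2053-S2054: return (sql, params); non-target tables keep the original."""
    original = TABLES[table]["original"]
    if not is_target_table(user_id, table):
        return original, {}
    predicate, value_of = ROW_FILTER[target_permission(user_id, table)]
    # Wrapping filters whatever the original returns, even if the original
    # already carries its own WHERE or ORDER BY clause.
    return f"SELECT * FROM ({original}) AS t WHERE {predicate}", {"v": value_of(user_id)}


def query(conn, user_id, tables):
    """S206: execute each target statement and collect the rows per table."""
    result = {}
    for table in tables:
        sql, params = target_statement(user_id, table)
        result[table] = conn.execute(sql, params).fetchall()
    return result


def demo_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE trades (id INTEGER, owner TEXT, dept TEXT, amount INTEGER);
        INSERT INTO trades VALUES (1,'u1','d1',100),(2,'u2','d1',250),(3,'u3','d2',75);
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO products VALUES (1,'financial product 1');
    """)
    return conn


if __name__ == "__main__":
    db = demo_db()
    for user in ("u1", "u2", "admin"):
        print(user, query(db, user, ["trades", "products"]))
```

With the control state closed, `products` is returned unfiltered to every caller, so that flag is itself security-relevant configuration and changes to it belong under the same review as authority changes.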
Fig. 3 is a flowchart of a method for obtaining a permission query statement of a target data table according to an embodiment of the present application. Referring to fig. 3, the method includes:
S301, generating a query keyword according to the user identifier and the identifier of the target data table.
The user identification may be a user name or a user number and the identification of the target data table may be a name of the target data table. For example, the user identification is "user 1", the target data table is "employee information table", and the query keyword may be "user 1+employee information table".
S302, querying whether the permission query statement of the target data table exists in a preset database according to the query keyword.
If yes, then execute S303; if not, S304 is performed.
For example, the preset database may be Redis.
S303, acquiring the permission query statement from the preset database.
S304, determining a first index field of the target data table in a preset database table according to the identification of the target data table.
The preset database table comprises identification of each data table and a first index field.
Before data query, a preset database table needs to be configured in the database, and the preset database table can comprise a data resource table, a data resource field table, a rule group table, a data rule table, a rule group expression record table and a user permission data set table.
(1) Data resource table: may include, but is not limited to, the following fields: the first index field of the data table (e.g., the number of the data table), the identification of the data table (Chinese or English name), the type of the data table, the number of the upper-level data table of the data table, the association SQL of the data table, the identification of the user permission data set, the validation flag, the page display filtering condition information, and the validation data filtering condition information.
The type of the data table may be a primary data table or a secondary data table. If the query authority of data table 1 depends on the query authority of data table 2, the type of data table 1 is determined to be a secondary data table, the number of the upper-level data table of data table 1 is the number of data table 2, and the association SQL of the data table is the association SQL between data table 1 and data table 2; if the query authority of data table 1 does not depend on the query authority of any other data table, the type of data table 1 is determined to be a primary data table.
The permission control state of the data table can be determined from the validation flag: if the validation flag exists, the permission control state of the data table is determined to be the open state; if the validation flag does not exist, the permission control state of the data table is determined to be the closed state.
The display condition of the data in the data table on the page can be controlled through the page display filtering condition information; the validation data of the data table may be controlled by validation data filtering condition information.
(2) Data resource field table: may include, but is not limited to, the following fields: the field number, a first index field of the data table (e.g., the number of the data table), Chinese names of a plurality of fields corresponding to the data table, English names of a plurality of fields corresponding to the data table, usage type, data type, and query pattern type.
Optionally, the user may determine the data rule according to the service requirement, and may further configure the usage type of each data table according to the data rule. The data types may be strings, values, dates, JSON format strings, and list data strings. The query pattern type may include a user number of the user, a department number in which the user is located, and a first index field of the data table.
(3) Rule group table: may include, but is not limited to, the following fields: rule group number, first index field of the data table (e.g., number of the data table), rule group name, rule group type, authorization department number list, authorization role number list, authorization user number list, preset query authority, configuration institution number list, and object index list of the data object.
In one example, the authorization types may include: department, role, department-role, and user. For example, roles may be common employees and department managers. The preset query authority may include: all data can be viewed, only the user's own data can be viewed, only the data of the user's department can be viewed, only configured department data can be viewed, only the data of the user's department and configured departments can be viewed, only specific configuration data can be viewed, and only data conforming to the data rules can be viewed.
(4) Data rule table: may include, but is not limited to, a number of fields as shown below: rule number, rule group number, field number, operation symbol, field value, rule sequence number, and rule connection symbol.
(5) Rule group expression record table: may include, but is not limited to, the following fields: a rule group expression generation record number, a first index field of the data table (e.g., the number of the data table), a rule group expression name, a rule group number list, an operation code list, a validation identifier, a current running state, and a current step.
At least one rule group may be combined into a rule group expression by intersection, union, and difference set calculations.
(6) User rights data set table: may include, but is not limited to, the following fields: a user rights data set generation record number, a user number, and a first index field of the data table (e.g., the number of the data table).
After the database table is created in the database, the current effective expression and effective user authority data set information of a certain data table can be queried in the resource authority main page, and a rule group list and a rule group expression list can also be queried.
S305, determining user authority data of the target user in the target data table and a second index field of the user authority data according to the user identification.
In the embodiment of the application, according to the target data table, user permission data corresponding to the target user can be created and stored in a preset database. Optionally, a creation request of user permission data of the target user may be obtained, where the creation request includes a target data table corresponding to the user permission data, an authorization type of the target user, and a preset query permission; determining a right control rule corresponding to user right data and an execution method of the right control rule according to the authorization type and the preset query right; and creating user permission data according to the target data table, the permission control rule and the execution method.
For example, assume that there are user A of department 1 and user B of department 2, and that a data table named the portfolio information table is created, whose resource fields include the first index field of the data table, a creator number, and a creator department number. The business requirement is that user A can view department 1 data and user B can view department 1 and department 2 data. Based on the business requirement, rule group 1 can be added, with the authorization type set to role, the role set to department manager, and the preset query authority set to viewing only the data of the user's own department; rule group 2 is then added, with the authorization type set to user, the user set to user B, the preset query authority set to viewing only configured department data, and the configured department set to department 1. The rights control rules of the user rights data may be stored as a rule group expression, which, based on the business requirement, may be, for example: rule group 1 ∪ rule group 2. The rule group expression is executed as follows: parsing rule group 1, users A and B can view the data of their own departments; parsing rule group 2, user B can view department 1 data.
S306, splicing the user identification, the first index field and the second index field to obtain a permission query statement, and correspondingly storing the permission query statement and the query keyword in a preset database.
The permission query statement is obtained by splicing the user identifier, the first index field and the second index field according to a permission query statement generation template. The permission query statement of the target data table may be saved in the preset database as a hash (Hash) data type.
According to the data query method provided by the embodiment of the invention, the permission query statement of each target data table can be obtained, and in at least one original query statement, the original query statement of each target data table is updated to the permission query statement of the target data table, so that at least one target query statement is obtained, and further, the data query processing is carried out through the target query statement, so that the authority control in the data query process is more flexible.
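The lookup-or-generate flow of S302 to S306 can be sketched as follows. This is an added example, not code from the application: the in-memory map stands in for the Redis hash, and the template text, the table `user_auth_dataset`, its columns and the sample values are assumptions. Because the statement is built by splicing, the example validates every spliced value against an allow-list pattern and refuses to build a statement when no permission data is configured.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class PermissionStatementCache {
    // Values spliced into SQL text must look like plain identifiers.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_]{1,64}");
    // Hypothetical generation template: second index field, user identifier, first index field.
    private static final String TEMPLATE =
        "SELECT %s FROM user_auth_dataset WHERE user_no = '%s' AND resource_no = '%s'";

    private final Map<String, String> cache = new HashMap<>(); // stands in for the Redis hash
    private final Map<String, String> firstIndexByTable;       // from the data resource table
    private final Map<String, String> secondIndexByKeyword;    // from the user permission data
    private int builds;                                        // how often S304 to S306 ran

    public PermissionStatementCache(Map<String, String> firstIndexByTable,
                                    Map<String, String> secondIndexByKeyword) {
        this.firstIndexByTable = firstIndexByTable;
        this.secondIndexByKeyword = secondIndexByKeyword;
    }

    private static String safe(String value) {
        if (value == null || !SAFE.matcher(value).matches()) {
            throw new IllegalArgumentException("rejected value for SQL splicing: " + value);
        }
        return value;
    }

    /** Query keyword: user identifier plus data table identifier. */
    static String keyword(String userId, String tableId) {
        return safe(userId) + ":" + safe(tableId);
    }

    public String statementFor(String userId, String tableId) {
        String key = keyword(userId, tableId);
        String cached = cache.get(key);                 // S302: look the keyword up
        if (cached != null) {
            return cached;                              // S303: cache hit
        }
        String first = firstIndexByTable.get(tableId);  // S304: first index field
        String second = secondIndexByKeyword.get(key);  // S305: second index field
        if (first == null || second == null) {
            // No configuration means no statement: the caller must deny, not query unscoped.
            throw new IllegalStateException("no permission data for " + key);
        }
        String statement = String.format(TEMPLATE, safe(second), userId, safe(first)); // S306
        cache.put(key, statement);
        builds++;
        return statement;
    }

    public int builds() {
        return builds;
    }

    public static void main(String[] args) {
        // Constructed sample configuration.
        Map<String, String> first = new HashMap<>();
        first.put("portfolio_info", "R001");
        Map<String, String> second = new HashMap<>();
        second.put("U_B:portfolio_info", "data_key");
        PermissionStatementCache c = new PermissionStatementCache(first, second);

        System.out.println(c.statementFor("U_B", "portfolio_info")); // built and cached
        c.statementFor("U_B", "portfolio_info");                     // served from the cache
        System.out.println("builds = " + c.builds());
        try {
            c.statementFor("U_B' --", "portfolio_info");             // not identifier-like
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```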
Fig. 4 is a schematic diagram of a process for creating a user rights data set according to an embodiment of the present application. Referring to fig. 4, the method includes:
S401, determining a target data table in response to an operation instruction for selecting a control in the permission configuration page.
The operation instruction may include an identification of the target data table.
S402, determining the type of the target data table.
The type of the target data table may be a primary data table or a secondary data table.
S403, in response to the rule set creation request, creating the rule set of the target data table based on the type of the target data table.
The rule group creation request comprises a rule group name to be created, an authorization type corresponding to the rule group and a preset query authority.
If the type of the target data table is a primary data table, generating a rule group corresponding to the target data table according to the name of the rule group to be created, the authorization type corresponding to the rule group and the preset query authority; if the type of the target data table is a secondary data table, judging whether resource information (for example, a first index field and an identifier of the data table) of a primary data table associated with the target data table is configured, if so, creating a rule group of the target data table as a default rule group, and placing the default rule group at a first position of a rule group expression when the rule group expression is generated subsequently; if not, ending the rule group creation process.
If the preset query authority is that only specific configuration data can be viewed, a configuration data creation process is executed before the rule group of the target data table is created; if the preset query authority is that only data conforming to the data rule can be viewed, the data rule creation process needs to be performed before the rule group of the target data table is created.
S404, in response to the rule group expression creation request, creating a rule group expression.
Optionally, the rule group expression includes an identification of a plurality of rule groups, and a connection manner of the plurality of rule groups.
S405, executing a rule group expression.
After determining that the rule group expression execution is completed, steps S406 and S407 may also be executed.
S406, responding to clicking operation of the preview control in the permission configuration page, and generating a preview page.
The preview page comprises a first display area and a second display area, wherein the first display area is used for displaying a user authority data set A table, and data in the user authority data set A table are authority data generated after executing the rule group expression. The second display area is used to display a user rights data set B table that may be used to store currently validated user rights data.
S407, responding to clicking operation of the generation control in the permission configuration page, and generating a user permission data set.
If the user permission data set B table stores the user permission data corresponding to the target data table generated previously, step S407 may be implemented by updating the user permission data in the user permission data set B table; for example, the data not in the user permission data set A table may be deleted from the user permission data set B table, and the data increment of the user permission data set A table may be added to the user permission data set B table.
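The following added example, which is not code from the application, evaluates the rule group expression from the department 1 / department 2 scenario above and then applies the S407 update from table A to table B. It assumes that both users hold the department manager role, that a grant is represented as a `user->department` string, and that the operation code list is applied to the rule group list from left to right.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class RuleGroupExpressionDemo {
    enum Op { UNION, INTERSECT, DIFFERENCE }

    static final class User {
        final String no, dept, role;
        User(String no, String dept, String role) {
            this.no = no; this.dept = dept; this.role = role;
        }
    }

    /** Authorization type "role", preset permission "own department only". */
    static Set<String> ownDepartmentForRole(List<User> users, String role) {
        Set<String> grants = new TreeSet<>();
        for (User u : users) {
            if (u.role.equals(role)) grants.add(u.no + "->" + u.dept);
        }
        return grants;
    }

    /** Authorization type "user", preset permission "configured departments only". */
    static Set<String> configuredDepartmentsForUser(String userNo, List<String> depts) {
        Set<String> grants = new TreeSet<>();
        for (String d : depts) grants.add(userNo + "->" + d);
        return grants;
    }

    /** Combine n rule groups with n-1 operation codes, left to right (assumed order). */
    static Set<String> evaluate(List<Set<String>> groups, List<Op> ops) {
        if (groups.isEmpty() || ops.size() != groups.size() - 1) {
            throw new IllegalArgumentException("need n rule groups and n-1 operation codes");
        }
        Set<String> result = new TreeSet<>(groups.get(0));
        for (int i = 1; i < groups.size(); i++) {
            switch (ops.get(i - 1)) {
                case UNION:      result.addAll(groups.get(i));    break;
                case INTERSECT:  result.retainAll(groups.get(i)); break;
                case DIFFERENCE: result.removeAll(groups.get(i)); break;
            }
        }
        return result;
    }

    /** S407: make table B equal to table A; returns {added, removed}. */
    static int[] sync(Set<String> tableB, Set<String> tableA) {
        Set<String> added = new TreeSet<>(tableA);
        added.removeAll(tableB);
        Set<String> removed = new TreeSet<>(tableB);
        removed.removeAll(tableA);      // grants no rule produces any more
        tableB.removeAll(removed);      // revocations are applied, not only additions
        tableB.addAll(added);
        return new int[] { added.size(), removed.size() };
    }

    public static void main(String[] args) {
        // Constructed sample organisation.
        List<User> users = Arrays.asList(
            new User("A", "dept1", "department_manager"),
            new User("B", "dept2", "department_manager"));
        Set<String> group1 = ownDepartmentForRole(users, "department_manager");
        Set<String> group2 = configuredDepartmentsForUser("B", Arrays.asList("dept1"));
        Set<String> tableA = evaluate(Arrays.asList(group1, group2), Arrays.asList(Op.UNION));
        System.out.println("preview (table A): " + tableA);

        // Table B still holds a grant from an earlier configuration.
        Set<String> tableB = new TreeSet<>(Arrays.asList("A->dept1", "A->dept2"));
        int[] delta = sync(tableB, tableA);
        System.out.println("effective (table B): " + tableB
            + " added=" + delta[0] + " removed=" + delta[1]);
    }
}
```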
In an application process, the data query method provided in the embodiments of the present application may be implemented based on a model-view-controller (Model View Controller, MVC) architecture system, and a description is given below of the data query method based on the MVC architecture system with reference to fig. 5.
Fig. 5 is a flowchart of another data query method according to an embodiment of the present application. Referring to fig. 5, the method includes:
S501, the client sends a data access request to the server.
The user can trigger the client to send a data access request to the server by clicking a query control on a display page of the client.
The data access request may include a user identification of the target user and service query information.
S502, the server receives the data access request and creates a request thread corresponding to the data access request.
The server runs a control (controller) layer, a service (service) layer and a mapping (mapper) layer. The server may receive the data access request through the control layer, perform simple parameter verification on the request there, and, after the verification passes, call the service layer that implements the business logic. When complex business logic is processed, the server needs to call various data access mapping (mapper) layer interfaces through the service (service) layer.
S503, the server stores the user identification in a thread variable of the request thread.
In the data query method provided by the embodiment of the application, a data authority entry mark annotation can be added at the control layer, and the data authority entry mark annotation can be used for indicating that the subsequent database query operation may need data authority. In one possible implementation, a permission entry annotation aspect may be set in the server based on Spring annotations and aspect-oriented programming (Aspect Oriented Programming, AOP), through which the operation of adding the data authority entry mark annotation at the control layer is implemented. For example, the user identification may be obtained from the data access request and stored in a thread-local variable (ThreadLocal<String>) of the request thread.
S504, the server determines at least one data table corresponding to the service inquiry information.
The server may determine a service query method corresponding to the service query information through a control (controller) layer, and call a service (service) layer based on the service query method, and then the service (service) layer calls a data access mapping (mapper) layer interface to determine at least one data table corresponding to the service query information.
S505, the server determines the target query authority of the target user to each data table according to the user identification stored in the thread variable.
S506, the server acquires the authority control state corresponding to each data table, and determines a target data table in at least one data table according to the target query authority and the authority control state of the target user on each data table.
Note that, the specific execution process of S505 to S506 may refer to the specific execution process of S204 to S205, and will not be described herein.
S507, the server acquires the authority inquiry statement corresponding to each target data table according to the user identification in the thread variable, and at least one authority inquiry statement is obtained.
In the data query method provided by the embodiment of the application, a resource interception annotation can be added in a mapping (mapper) layer, and at least one authority query statement is obtained based on the resource interception annotation. The data resource interception annotation may comprise a data resource information list comprising identifications of a plurality of data tables to be rights controlled and data interception locations.
In one possible implementation, a resource interception annotation aspect may be set in the server based on Spring annotations and aspect-oriented programming (Aspect Oriented Programming, AOP). When a data query is performed, the server calls, through the service (service) layer, a method carrying the resource interception annotation, and the resource interception annotation aspect carries out the following process for that method: acquiring the user identifier from the thread variable, and determining, according to the resource interception annotation and the user identifier, at least one target data table to be subjected to authority control and the data interception position of each target data table; acquiring, according to the identification of each target data table in the resource interception annotation, the related information of each target data table from the data resource table in the preset database table, where the related information may include the first index field, identification, type, validation flag and the like of the target data table; judging the authority control state of each target data table according to its validation flag; if the authority control state is the on state, acquiring the permission query statement corresponding to each target data table; the identification of each target data table, together with the permission query statement and the data interception position corresponding to that table, may be encapsulated in one interception configuration file (for example, a JavaBean), and the interception configuration file corresponding to each target data table is stored in a thread-local variable (ThreadLocal<List<JavaBean>>) of the request thread, to await use by the custom interceptor.
It should be noted that, the process of obtaining the permission query statement by the resource interception annotation section may be performed with reference to the embodiment of fig. 3.
S508, the server updates the original query statement of each target data table into the authority query statement of the target data table in at least one original query statement to obtain at least one target query statement.
The server may run an interceptor and call it to execute step S508. The interceptor may obtain at least one configuration file (e.g., a JavaBean) from the request thread. For any configuration file, the original query statement corresponding to the target data table in the configuration file is determined among the at least one original query statement, and, based on the update position indicated in the configuration file, the original query statement corresponding to the target data table is updated at the update position into the permission query statement of the target data table. For example, a regular expression matching method may be used to update the original query statement of the target data table at the update position to the permission query statement of the target data table. In some examples, other alternative methods may be used for this update, and the embodiment of the application does not limit the alternative method.
The interceptor may be a MyBatis interceptor: a preset interceptor class implements the MyBatis interceptor (Interceptor) interface, and an interception annotation is added to it. The interception annotation (@Signature) describes that the intercepted interface is the executor (Executor) and the intercepted method is the query method. The mapped statement (MappedStatement) object may be acquired from the invocation (Invocation) parameter of the intercept method, and the bound SQL (BoundSql) object is acquired through the getBoundSql method of the MappedStatement object. Then a data authority control data source class (DataAuthSqlSource) implements the SQL source (SqlSource) interface of MyBatis, and a DataAuthSqlSource object is constructed to wrap the BoundSql object; a new MappedStatement object is constructed from the MappedStatement object and the DataAuthSqlSource object; a reflection object class (MetaObject) object is obtained from the new MappedStatement object; the original SQL is acquired from the BoundSql object, and the configuration files (JavaBean) of each target data table are acquired from the thread variables of the data access request; according to the original SQL and the configuration files of each target data table, the set value (setValue) function of the MetaObject object is called to update the at least one original query statement, so as to obtain at least one target query statement; and the old MappedStatement object in the invocation parameter is replaced with the new MappedStatement object.
S509, the server performs data query on at least one data table according to at least one target query statement to obtain target data.
S510, the server side sends target data to the client side.
Note that, the specific execution process of S509 to S510 may refer to the specific execution process of S206, and will not be described herein.
According to the data query method provided by the embodiment of the application, the target data table corresponding to the service query information and the permission query statement of the target data table can be determined by using Spring annotations and AOP aspect technology, at least one original query statement corresponding to the service query information can be intercepted based on the interceptor, the original query statement of the target data table is updated into the permission query statement in the at least one original query statement, and the authority control of the data resource can be realized without intruding into the service code, so that the authority control in the data query process is more flexible.
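The thread-local hand-off of S503 and S507 and the regular-expression update of S508 can be sketched with the JDK alone, without Spring or MyBatis. This is an added example, not code from the application: the class and field names, the reading of the interception position as "the column to constrain", and the sample SQL are assumptions. It clears the thread-local state in a `finally` block and rejects any statement in which a reference to a controlled table was not rewritten.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DataAuthRewriteDemo {
    /** Interception configuration for one target data table (the JavaBean of S507). */
    static final class InterceptConfig {
        final String table;         // identification of the target data table
        final String column;        // assumption: the interception position names the column to constrain
        final String permissionSql; // permission query statement for this user and table
        InterceptConfig(String table, String column, String permissionSql) {
            this.table = table; this.column = column; this.permissionSql = permissionSql;
        }
    }

    // Request-scoped state held in thread-local variables, as in S503 and S507.
    static final ThreadLocal<String> USER = new ThreadLocal<>();
    static final ThreadLocal<List<InterceptConfig>> CONFIGS = ThreadLocal.withInitial(ArrayList::new);

    static int count(Pattern p, String s) {
        Matcher m = p.matcher(s);
        int n = 0;
        while (m.find()) n++;
        return n;
    }

    /** S508: wrap each FROM/JOIN reference to a controlled table in its permission filter. */
    static String rewrite(String originalSql) {
        if (USER.get() == null) {
            throw new SecurityException("no user bound to the request thread");
        }
        String sql = originalSql;
        for (InterceptConfig c : CONFIGS.get()) {
            String name = Pattern.quote(c.table);
            // Every mention of the table that is not a column qualifier such as "t.col".
            int references = count(
                Pattern.compile("\\b" + name + "\\b(?!\\s*\\.)", Pattern.CASE_INSENSITIVE), sql);
            // FROM/JOIN <table> [AS alias]; the lookahead keeps SQL keywords from being read as an alias.
            Pattern ref = Pattern.compile("\\b(FROM|JOIN)\\s+" + name + "\\b(\\s+(?:AS\\s+)?"
                + "(?!(?:WHERE|ON|USING|JOIN|LEFT|RIGHT|INNER|FULL|CROSS|GROUP|ORDER|HAVING|LIMIT|UNION)\\b)"
                + "\\w+)?", Pattern.CASE_INSENSITIVE);
            String scoped = "(SELECT * FROM " + c.table + " WHERE " + c.column
                + " IN (" + c.permissionSql + "))";
            int[] rewritten = {0};
            // Matcher.replaceAll(Function) requires Java 9 or later.
            sql = ref.matcher(sql).replaceAll(m -> {
                rewritten[0]++;
                String alias = m.group(2) != null ? m.group(2) : " " + c.table;
                return Matcher.quoteReplacement(m.group(1) + " " + scoped + alias);
            });
            // Fail closed: a reference the pattern missed would otherwise run without the filter.
            if (rewritten[0] != references) {
                throw new SecurityException("unscoped reference to " + c.table);
            }
        }
        return sql;
    }

    /** Entry point: bind the identity, rewrite, and always clear, since pooled threads are reused. */
    static String handle(String userId, List<InterceptConfig> configs, String originalSql) {
        try {
            USER.set(userId);
            CONFIGS.get().addAll(configs);
            return rewrite(originalSql);
        } finally {
            USER.remove();
            CONFIGS.remove();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String perm = "SELECT data_key FROM user_auth_dataset WHERE user_no = 'U_B' AND resource_no = 'R001'";
        List<InterceptConfig> configs = new ArrayList<>();
        configs.add(new InterceptConfig("portfolio_info", "creator_dept_no", perm));

        System.out.println(handle("U_B", configs,
            "SELECT p.id, p.name FROM portfolio_info p WHERE p.status = 1"));
        System.out.println("user after request: " + USER.get());
        try {
            // A comma join is not matched by the FROM/JOIN pattern, so the statement is refused.
            handle("U_B", configs, "SELECT * FROM orders o, portfolio_info p WHERE o.pid = p.id");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```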
Fig. 6 is a schematic structural diagram of a data query device according to an embodiment of the present application. Referring to fig. 6, the data query device 10 may include:
a receiving module 11, configured to receive a data access request sent by a client, where the data access request includes a user identifier of a target user and service query information;
a determining module 12, configured to determine at least one data table corresponding to the service query information;
the determining module 12 is further configured to determine an original query statement corresponding to each data table, so as to obtain at least one original query statement;
the determining module 12 is further configured to determine, according to the user identifier, a target query permission of the target user for each data table;
the updating module 13 is configured to update the at least one original query statement according to the target query authority of the target user on each data table, so as to obtain at least one target query statement;
a query module 14, configured to perform a data query on the at least one data table according to the at least one target query statement, so as to obtain target data;
and the sending module 15 is used for sending the target data to the client.
The data query device provided in the embodiment of the present application has similar implementation principles and technical effects to those of the above embodiment, and specific reference may be made to the above embodiment, which is not repeated herein.
In one possible design, the updating module 13 is specifically configured to:
acquiring a right control state of each data table, wherein the right control state is an open state or a closed state;
determining at least one target data table in the at least one data table according to the target query permission of the target user for each data table and the permission control state of each data table, wherein the target query permission of the target data table is a preset query permission;
acquiring authority inquiry sentences corresponding to each target data table according to the user identification to obtain at least one authority inquiry sentence;
and updating the at least one original query statement according to the at least one authority query statement to obtain at least one target query statement.
In one possible design, for any one target data table; the updating module 13 is specifically further configured to:
generating a query keyword according to the user identifier and the identifier of the target data table;
inquiring whether the permission inquiry statement exists in a preset database according to the inquiry keyword;
if yes, acquiring the permission query statement from the preset database;
if not, generating the permission query statement according to the user identification and the target data table, and correspondingly storing the permission query statement and the query keyword in the preset database.
In one possible design, the updating module 13 is specifically further configured to:
determining a first index field of the target data table in a preset database table according to the identification of the target data table, wherein the preset database table comprises the identification of each data table and the first index field;
determining user authority data of the target user in the target data table and a second index field of the user authority data according to the user identification;
and performing splicing processing on the user identification, the first index field and the second index field to obtain the permission query statement.
In one possible design, the updating module 13 is specifically further configured to:
and in the at least one original query statement, updating the original query statement of each target data table into the authority query statement of the target data table to obtain at least one target query statement.
In one possible design, for any one data table; the determining module 12 is specifically configured to:
acquiring authority configuration information of the data table, wherein the authority configuration information comprises a plurality of user identifiers and preset inquiry authorities corresponding to each user identifier;
and determining, in the permission configuration information, the preset query permission corresponding to the user identifier as the target query permission.
Fig. 7 is a schematic structural diagram of another data query device according to an embodiment of the present application. Referring to fig. 7, based on the structure of the data query device 10 shown in fig. 6, the data query device 10 further includes an obtaining module 16 and a creating module 17, where:
the obtaining module 16 is configured to obtain a creation request of user permission data of the target user, where the creation request includes a target data table corresponding to the user permission data, an authorization type of the target user, and a preset query permission;
the determining module 12 is further configured to determine, according to the authorization type and the preset query permission, a permission control rule corresponding to the user permission data, and an execution method of the permission control rule;
the creation module 17 is configured to create the user right data according to the target data table, the right control rule, and the execution method.
The data query device provided in the embodiment of the present application has similar implementation principles and technical effects to those of the above embodiment, and specific reference may be made to the above embodiment, which is not repeated herein.
It should be understood that the division of the modules of the above apparatus is merely a division of logical functions; in actual implementation, the modules may be fully or partially integrated into one physical entity or may be physically separated. These modules may all be implemented in the form of software called by a processing element, or all be implemented in hardware; alternatively, some modules may be implemented in the form of software called by a processing element and the other modules in the form of hardware. The modules may be processing elements that are set up individually, may be integrated in a chip of the above-described apparatus, or may be stored in a memory of the above-described apparatus in the form of program code, with the functions of the modules called and executed by a processing element of the apparatus. In addition, all or part of the modules can be integrated together or can be implemented independently. The processing element here may be an integrated circuit with signal processing capabilities. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or by an instruction in software form.
Fig. 8 is a schematic hardware structure of a data query device according to an embodiment of the present application. Referring to fig. 8, the data querying device 20 may include a processor 21 and a memory 22. The processor 21 and the memory 22 may communicate with each other; for example, the processor 21 and the memory 22 communicate via a communication bus 23.
The memory 22 is used for storing computer-executable instructions;
the processor 21 is configured to execute the computer-executable instructions stored in the memory 22, so that the processor 21 executes the technical solution as shown in the foregoing method embodiment.
Optionally, the data querying device 20 may also include a communication interface, which may include a transmitter and/or a receiver.
Alternatively, the processor may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in the processor for execution.
The embodiment of the application also provides a chip for running the instruction, and the chip is used for executing the technical scheme of the data query method in the embodiment.
The embodiment of the application also provides a computer readable storage medium, wherein computer execution instructions are stored in the computer readable storage medium, and when the computer execution instructions are executed by a processor, the computer is caused to execute the technical scheme of the data query method of the embodiment.
The embodiment of the application also provides a computer program product, which comprises a computer program, wherein the computer program is stored in a computer readable storage medium, and at least one processor can read the computer program from the computer readable storage medium, and the technical scheme of the data query method in the embodiment can be realized when the at least one processor executes the computer program.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, e.g., the division of modules is merely a logical function division, and there may be additional divisions of actual implementation, e.g., multiple modules may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or modules, which may be in electrical, mechanical, or other forms.
The modules illustrated as separate components may or may not be physically separate, and components shown as modules may or may not be physical units, may be located in one place, or may be distributed over multiple network units. Some or all of the modules may be selected according to actual needs to implement the solution of this embodiment.
In addition, each functional module in each embodiment of the present application may be integrated in one processing unit, or each module may exist alone physically, or two or more modules may be integrated in one unit. The units formed by the modules can be realized in a form of hardware or a form of hardware and software functional units.
The integrated modules, which are implemented in the form of software functional modules, may be stored in a computer readable storage medium. The software functional modules described above are stored in a storage medium and include instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or processor to perform some steps of the methods of the various embodiments of the present application.
It should be understood that the above processor may be a central processing unit (Central Processing Unit, abbreviated as CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, abbreviated as DSP), application specific integrated circuits (Application Specific Integrated Circuit, abbreviated as ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present invention may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in a processor for execution.
The memory may comprise a high-speed RAM memory, and may further comprise a non-volatile memory (NVM), such as at least one magnetic disk memory; it may also be a USB flash drive, a removable hard disk, a read-only memory, a magnetic disk or an optical disk, etc.
The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, among others. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, the buses in the drawings of the present application are not limited to only one bus or one type of bus.
The storage medium may be implemented by any type or combination of volatile or nonvolatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an application specific integrated circuit (ASIC). Of course, the processor and the storage medium may also reside as discrete components in an electronic control unit or master control device.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a computer readable storage medium. The program, when executed, performs steps including the method embodiments described above; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present application, not to limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents; such modifications and substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.

Claims (11)

1. A method of querying data, comprising:
receiving a data access request sent by a client, wherein the data access request comprises a user identification of a target user and service query information;
determining at least one data table corresponding to the service query information;
determining an original query statement corresponding to each data table to obtain at least one original query statement;
determining the target query authority of the target user to each data table according to the user identification;
according to the target query authority of the target user on each data table, updating the at least one original query statement to obtain at least one target query statement;
and carrying out data query on the at least one data table according to the at least one target query statement to obtain target data, and sending the target data to the client.
2. The method of claim 1, wherein updating the at least one original query statement according to the target query authority of the target user for each data table to obtain at least one target query statement comprises:
acquiring a permission control state of each data table, wherein the permission control state is an open state or a closed state;
determining at least one target data table in the at least one data table according to the target query permission of the target user for each data table and the permission control state of each data table, wherein the target query permission of the target data table is a preset query permission;
acquiring the permission query statement corresponding to each target data table according to the user identification to obtain at least one permission query statement;
and updating the at least one original query statement according to the at least one permission query statement to obtain the at least one target query statement.
3. The method of claim 2, wherein, for any one target data table, acquiring the permission query statement corresponding to the target data table according to the user identification comprises:
generating a query keyword according to the user identifier and the identifier of the target data table;
inquiring whether the permission inquiry statement exists in a preset database according to the inquiry keyword;
if yes, acquiring the permission query statement from the preset database;
if not, generating the permission query statement according to the user identification and the target data table, and correspondingly storing the permission query statement and the query keyword in the preset database.
4. A method according to claim 3, wherein generating the permission query statement from the user identification and the target data table comprises:
determining a first index field of the target data table in a preset database table according to the identification of the target data table, wherein the preset database table comprises the identification of each data table and the first index field;
determining user authority data of the target user in the target data table and a second index field of the user authority data according to the user identification;
and performing splicing processing on the user identification, the first index field and the second index field to obtain the permission query statement.
5. The method of claim 2, wherein updating the at least one original query statement based on the at least one permission query statement to obtain the at least one target query statement comprises:
and in the at least one original query statement, updating the original query statement of each target data table into the permission query statement of the target data table to obtain the at least one target query statement.
6. The method of any one of claims 1-5, wherein, for any one of the data tables, determining the target query authority of the target user for the data table according to the user identification comprises:
acquiring authority configuration information of the data table, wherein the authority configuration information comprises a plurality of user identifiers and preset inquiry authorities corresponding to each user identifier;
and in the permission configuration information, determining the preset query permission corresponding to the user identifier as the target query permission.
7. The method according to any one of claims 1-6, further comprising:
acquiring a creation request of user permission data of the target user, wherein the creation request comprises a target data table corresponding to the user permission data, an authorization type of the target user and a preset query permission;
determining a permission control rule corresponding to the user permission data and an execution method of the permission control rule according to the authorization type and the preset query permission;
and creating the user permission data according to the target data table, the permission control rule and the execution method.
8. A data query device, comprising:
the receiving module is used for receiving a data access request sent by the client, wherein the data access request comprises a user identification of a target user and service query information;
the determining module is used for determining at least one data table corresponding to the service query information;
the determining module is further used for determining an original query statement corresponding to each data table to obtain at least one original query statement;
the determining module is further used for determining the target query authority of the target user to each data table according to the user identification;
the updating module is used for updating the at least one original query statement according to the target query authority of the target user on each data table to obtain at least one target query statement;
the query module is used for carrying out data query on the at least one data table according to the at least one target query statement to obtain target data;
and the sending module is used for sending the target data to the client.
9. A data query device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1 to 7.
10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1 to 7.
11. A computer program product comprising a computer program which, when executed by a processor, implements the method of any one of claims 1 to 7.
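The flow of claims 1 to 6, as an added example that is not code from the patent or its applicants: the permission control state and the user's configured permission decide which original statements are replaced, and the replacement statement is cached under a key built from the user identification and the table identifier. All table names, column names and permission values are constructed assumptions; where claim 4 splices the user identification into the statement, this sketch binds it as a parameter and takes identifiers only from trusted metadata, and it fails closed when no permission is configured, which the claims do not specify.

```python
import sqlite3

def make_db():
    """Constructed sample data; every table, column and permission name is an assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE accounts(id INTEGER, branch_id TEXT, balance INTEGER);
      INSERT INTO accounts VALUES (1,'B1',100),(2,'B2',250),(3,'B1',75);
      CREATE TABLE products(id INTEGER, name TEXT);
      INSERT INTO products VALUES (1,'loan'),(2,'card');
      CREATE TABLE user_perm(user_id TEXT, tbl TEXT, branch_id TEXT);  -- user permission data
      INSERT INTO user_perm VALUES ('u1','accounts','B1');
      CREATE TABLE table_meta(tbl TEXT, idx1 TEXT, idx2 TEXT, control_on INTEGER);  -- preset table
      INSERT INTO table_meta VALUES ('accounts','branch_id','branch_id',1),('products','id','id',0);
      CREATE TABLE perm_config(user_id TEXT, tbl TEXT, perm TEXT);  -- permission configuration
      INSERT INTO perm_config VALUES ('u1','accounts','ROW_FILTER'),('u2','accounts','ROW_FILTER'),('u4','accounts','ALL');
    """)
    return db

STATEMENT_CACHE = {}  # stands in for the preset database of claim 3

def permission_statement(db, user_id, tbl):
    key = f"{user_id}:{tbl}"  # query keyword built from user id and table id
    if key not in STATEMENT_CACHE:
        meta = db.execute("SELECT idx1, idx2 FROM table_meta WHERE tbl = ?", (tbl,)).fetchone()
        if meta is None:
            raise ValueError(f"table not registered: {tbl!r}")
        # Identifiers come only from trusted metadata; the user id is bound, not spliced.
        STATEMENT_CACHE[key] = (f'SELECT * FROM "{tbl}" WHERE "{meta[0]}" IN (SELECT "{meta[1]}" '
                                f'FROM user_perm WHERE user_id = ? AND tbl = ?)')
    return STATEMENT_CACHE[key], (user_id, tbl)

def target_statements(db, user_id, tables):
    out = []
    for tbl in tables:
        state = db.execute("SELECT control_on FROM table_meta WHERE tbl = ?", (tbl,)).fetchone()
        if state is None:
            raise ValueError(f"table not registered: {tbl!r}")
        perm = db.execute("SELECT perm FROM perm_config WHERE user_id = ? AND tbl = ?", (user_id, tbl)).fetchone()
        if state[0] == 0 or (perm and perm[0] == "ALL"):
            out.append((f'SELECT * FROM "{tbl}"', ()))  # original statement kept
        elif perm is None:
            raise PermissionError(f"no permission configured for {user_id!r} on {tbl!r}")
        else:
            out.append(permission_statement(db, user_id, tbl))  # target table: statement replaced
    return out

def run_query(db, user_id, tables):
    return [db.execute(sql, args).fetchall() for sql, args in target_statements(db, user_id, tables)]
```

Because the cached statement contains only metadata-derived identifiers and placeholders, a hostile user identification can change the cache key but never the SQL text.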
CN202410009666.7A 2024-01-02 2024-01-02 Data query method, device and equipment Pending CN117828668A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410009666.7A CN117828668A (en) 2024-01-02 2024-01-02 Data query method, device and equipment

Publications (1)

Publication Number Publication Date
CN117828668A true CN117828668A (en) 2024-04-05

Family

ID=90505636

Country Status (1)

Country Link
CN (1) CN117828668A (en)

Similar Documents

Publication Publication Date Title
CN109214197B (en) Method, apparatus and storage medium for processing private data based on block chain
AU2021212135B2 (en) Building and managing data-processing attributes for modelled data sources
US8341104B2 (en) Method and apparatus for rule-based masking of data
US8504919B2 (en) Portable cross platform database accessing method and system
US20180227325A1 (en) Management of calls to transformed operations and objects
KR101422859B1 (en) Permission-based document server
CN109981619A (en) Data capture method, device, medium and electronic equipment
CN113377805B (en) Data query method and device, electronic equipment and computer readable storage medium
CN111767095A (en) Micro-service generation method and device, terminal equipment and storage medium
CN108763960A (en) Access authorization for resource management method and device
CN108776756A (en) Access authorization for resource management method and device
CN111464487B (en) Access control method, device and system
CN110851127A (en) Universal evidence storage method based on block chain
CN114297704A (en) Data desensitization method and device, storage medium and electronic equipment
CN113254470B (en) Data modification method, device, computer equipment and storage medium
CN114386853A (en) Data auditing processing method, device and equipment based on universal auditing model
CN111062676A (en) Method and device for realizing government affair approval process
CN116881275A (en) Database query method, device and storage medium
CN117828668A (en) Data query method, device and equipment
CN112000727B (en) Desensitization display method for dynamically configured service data
CN112800033B (en) Data operation request processing method and device, computer equipment and storage medium
CN113205302A (en) Data interaction method, device, equipment and storage medium
KR102235775B1 (en) Personal information processing agency and management method and computer program
US20230132634A1 (en) Systems and methods for redacted statement delivery to third-party institutions
US20230342481A1 (en) On-demand real-time tokenization systems and methods

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination