JP2005310126A - Distributed data storage device, data constitution management server therefor, client terminal, and job consignment system comprising distributed data storage device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a distributed data storage device and job consignment system in which maintenance is facilitated and security against unauthorized access is improved. <P>SOLUTION: A distributed data storage device 3 comprises a data storage server group 30 for storing substance data A of a relational database while separating the data for each attribute, and a data constitution management server 32 which is connected with the data storage server group 30 via a communication line 31 while being physically separated from the data storage server group 30, and includes a data management function 33 for managing the substance data A and a table management function 34 for managing a table 38 comprised of storage place information 36 of the substance data A. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  In particular, the present invention relates to a device that stores data in a relational database in a distributed manner, and a business consignment system using the same.

  Conventionally, business data of companies has been managed with a relational database management system. When the business data has an enormous amount of data, considering the processing load of the relational temporary table management function, etc., as shown in FIG. 11A, a plurality of relational temporary table management functions 101 and a management server 102 are provided. In many cases, the distributed database system 100 is constructed (see, for example, Patent Document 1).

JP 2003-228508 A

  However, in the distributed database system 100 as described above, it is necessary to manage the remaining area of the table for each relational temporary table management function 101. When the table area is expanded, a storage device is added to the relational temporary table. Settings such as the management function 101 must be changed. Further, it is necessary to update the relational temporary table management function 101 and backup business data for each relational database. For this reason, the distributed database system 100 has a problem that the operation cost of the system is high and maintenance is required.

  Furthermore, in the distributed database system 100, the individual relational temporary table management function 101 is connected to the management server via the network 103, and unauthorized access is likely to occur. If the security of any temporary table management function 101 is violated, the distributed database system 100 is configured so that each relational temporary table management function 101 conceptually shows the relational database in FIG. Since the data A is stored in the form of the table 104, there is a problem that the meaning content of the business data leaks to the outside.

  On the other hand, for example, when a contractor company that outsources business lends business data to a contractor company and the contractor company operates the loaned business data on the distributed database system 100, an operator of the contractor company is a client. There is a risk of unauthorized access such as social engineering using the terminal 105, and it has also been required to prevent such a situation.

  SUMMARY OF THE INVENTION An object of the present invention is to provide a data distribution storage device and a business consignment system that are easy to maintain and highly secure against unauthorized access.

  In order to solve the above-mentioned problems, a first means according to the present invention includes a data distribution storage device, a data storage server group in which entity data of a relational database is stored separately for each attribute, and the data storage server group and physical Data configuration management server connected via a communication line in a state of being separated from each other and having a data management function for managing the entity data and a table management function for managing a table composed of storage location information of the entity data The data management function stores the entity data in the data storage server group, creates storage location information of the entity data and passes it to the table management function, and the table management function receives the received data The entity data is constructed from an application that forms the table from storage location information and handles the relational database. The storage location information of the entity data is obtained from the table and passed to the data management function, and the data management function uses the data storage server based on the received storage location information. The entity data is acquired from the group and transferred to the table management function, and the table management function is configured to pass the received entity data to the application.

  In the data distribution storage device of the first means, since the entity data of the relational database is stored separately for each attribute in the data storage server group, even if unauthorized access is made to each data storage server, The entity data only flows out, and the entity data does not leak in such a way that the meaning content of the entity data can be grasped. In particular, if dummy data or the like is included in the entity data, it becomes difficult to restore the entire relational database even if a large amount of entity data is leaked.

  Further, in the data distribution storage device of the first means, since the entity data is stored for each attribute for each physically separated data storage server, social engineering becomes difficult. For each attribute, it is not limited to only assigning one data storage server for each attribute that constitutes a record, but entity data that is a combination with which the semantic content of the attributes is irrelevant is combined into one data. It also includes storing in a storage server. Moreover, although physically separated means a state in which each other is configured from separate hardware, in order to increase safety against social engineering, etc., in the present invention, on separate hardware, It is preferable to install in different places (room, building, geographical location).

  Furthermore, in the data distribution storage device of the first means, when the data management function stores the entity data in the data storage server group, it creates storage location information of the entity data and passes it to the table management function, The table management function configures the table from the received storage location information, and when the application handling the relational database requests access to the entity data, the table management function stores the storage location information of the entity data. The data management function acquires the entity data from the data storage server group based on the received storage location information and passes it to the table management function, and the table management function In order to pass the received entity data to the application, the data structure Be unauthorized access to the management server, it becomes only the storage location information flows out, it is possible to prevent the actual data from leaking to the outside.

  In addition, in the data distribution storage device of the first means, since the data configuration management server is arranged in a state physically separated from the data storage server group, social engineering becomes more difficult.

  In the data distribution storage device of the first means, since the table is composed of the storage location information of the entity data, it is irrelevant to the data size of the entity data. That is, since the data size per storage location information is constant, the table size of the table is simply proportional to the number of actual data. Thereby, in the data distribution storage device of the first means, the trial calculation of the table size of the data configuration management server becomes easy, and the device design becomes easy.

  In the data distribution storage device of the first means, when adding or deleting a data storage server to or from the data storage server group, only the environment setting of the data management function is performed. The capacity adjustment is facilitated and the time for stopping the operation of the relational database is shortened.

  In particular, in the data distribution storage device of the first means, the table management function holds the storage location information in the form of the logical storage location information, and the data management function stores the storage location information in the physical storage location information. It is preferable that the metadata indicating the association between the storage location information is held.

  According to this configuration, even if the physical storage location information changes due to the update of the entity data or the like, the association of both storage location information is indicated in the metadata, so the logical storage location information is No need to change. Thereby, the data distribution storage device of the first means does not change the logical storage location information of the same entity data, and can ensure data transparency for the application.

  By the way, in the data distribution storage device of the first means, a plurality of the data configuration management servers can be provided. Thereby, since the data configuration management server is made redundant, steady operation of the data distribution storage device is facilitated.

  Furthermore, in the data distribution storage device of the first means, the data configuration management server encrypts the storage location information with an encryption key, and inputs at least the decryption key of the encryption key to the data configuration management server The decryption key piece for the management server and the decryption key piece for the terminal input from the client terminal using the application, and the storage location information is decrypted with all the decryption key pieces being input. Can be configured.

  According to this configuration, since the storage location information is not known unless all the decryption key pieces are input, the security against unauthorized access is further enhanced. Note that the decryption key can be composed of more decryption key pieces as necessary. For example, an AP server decryption key piece input to an application server storing an application handling the relational database and a storage server decryption key piece input to the data storage server group may be added.

  As described above, the data distribution storage device of the first means does not hold the entity data in the relational database table. Therefore, the entity data is transferred between the application and the data storage server group through processing by the data management function and the table management function. Therefore, in the data distribution storage device of the first means, if the scale of the table or the transfer processing amount of the entity data increases, the processing load on the device side becomes very large, and the data configuration management server and the data Since the communication load between the storage server group is also increased, the transaction speed between the application and the data configuration management server is reduced.

  Therefore, the second means according to the present invention is a state in which the data distribution storage device is physically separated from the data storage server group in which the entity data of the relational database is stored separately for each attribute, and the data storage server group. The temporary table management function for handling the table holding the entity data on the volatile memory, and the metadata describing the storage location information of the entity data as the structure of the table. A data configuration management server including a metadata management function that manages the metadata in correspondence with each other, and the data configuration management server creates the metadata when the entity data is stored in the data storage server group, and the metadata management function The table is restored to the volatile memory based on the metadata managed by the database and the storage structure of the metadata. It was constructed in.

  In the data distribution storage device of the second means, the data storage server group in which the actual data of the relational database is stored separately for each attribute, and the data storage server group are connected via a communication line in a state of being physically separated A temporary table management function for handling the table holding the entity data on a volatile memory, and metadata for managing the metadata describing the storage location information of the entity data in association with the structure of the table Since the data configuration management server including the management function is provided, for example, when retrieving data, the entity data is directly transferred only between the database server and the application that handles the relational database. For this reason, the data distribution storage device of the second means has the processing speed between the application and the data configuration management server as the first even when the scale of the table and the transfer processing amount of the entity data increase. Not slower than means.

  However, since the table holds entity data, if the table is invaded into a building where the hard disk drive is installed at night or the like, the entity data will flow out in a form that can understand the meaning. As a means for preventing this, it is conceivable that the actual data of the table is deleted outside the use time of the relational database.

  Conventionally, the actual data of the table is recorded on the hard disk drive. However, in order to completely erase the actual data of the table, it is necessary to perform an overwrite process of the hard disk drive. Since this process takes time, it is troublesome for the administrator. In particular, in the case of data that is used every day, such as a relational database of customer management data, it is almost impossible for the administrator to manually delete the actual data in the table every day.

  Therefore, in the data distribution storage device of the second means, the data berth server handles the table holding the entity data on a volatile memory, and the entity data is divided for each attribute and the data storage server group. Devised to be stored in. As a result, the table is held on the volatile memory, and therefore disappears when the volatile memory is cleared or the apparatus is de-energized. For this reason, the complete erasing operation of the table can be performed in a very short time as compared with the case of overwriting the hard disk drive. In addition, there is no worry of data leakage even if a server or the like equipped with the temporary table management function is stolen. The effect obtained in that the entity data of the relational database is stored separately for each attribute in the data storage server group is the same as the data distribution storage device of the first means.

  However, in the data distribution storage device of the second means, since the table is completely erased, it is necessary to ensure the recoverability of the table. That is, for each entity data, the correspondence information between the structure of the table and the entity data such as record number, attribute, cell number, index, etc. is stored on a hard disk different from the table in the volatile memory. In this case, more information than that of the means 1 must be managed, and the effect of improving the processing speed when a data update process is requested from the application cannot be expected.

  Therefore, in the data distribution storage device of the second means, the data configuration management server includes a metadata management function for managing the metadata describing the storage location information of the entity data in association with the structure of the table, When the entity data is stored in the data storage server group, the metadata is created, and the table is restored on the volatile memory based on the metadata managed by the metadata management function and the storage structure of the metadata. It was configured as follows. As a result, the table structure such as the record number, attribute, cell number, and index of the table is associated with the entity data through the metadata management function, so that the table can be restored. . Even if the data structure management server is illegally accessed and the metadata is leaked, the entity data can be prevented from leaking directly to the outside.

  The storage of the entity data in the data storage server group is preferably performed in the background every time processing such as update is performed in order to ensure fault tolerance of the table. You may make it store collectively before an apparatus stop.

  However, if unauthorized access is made to both the data configuration management server and the data storage server group, the table may be restored based on the metadata. For this reason, it is preferable to encrypt the metadata as in the first means.

  Therefore, also in the data distribution storage device of the second means, the data configuration management server encrypts the metadata managed by the metadata management function with an encryption key, and uses at least the decryption key of the encryption key as the above It is composed of a decryption key piece for management server inputted to the data configuration management server and a decryption key piece for terminal inputted from the client terminal using the relational database, and the above metadata in a state where all decryption key pieces are inputted. Can be configured to decrypt.

  As described above, in the data distribution storage device of the second means, since the table holding the entity data is handled on the volatile memory, the entity data can be stored in the background. For this reason, it becomes possible to perform complicated processing when storing the entity data.

  Therefore, in the data distribution storage device of the second means, the data configuration management server delimits the entity data divided for each attribute by a fixed unit data, reversibly replaces the order relation between the units, and holds the replacement rule information. In addition, it is preferable to adopt a configuration in which the scrambled data after the replacement is divided and stored in the data storage server group. According to this configuration, even if the entity data flows out of the data storage server group, it is extremely difficult to grasp the contents. More preferably, if the replacement rule information is also encrypted in the same manner as the metadata, even if the replacement rule information is stolen, the security of the entity data becomes higher.

  In the data distribution storage device of the second means, when adding or deleting a data storage server to the data storage server group, only the environment setting of the data configuration management server is performed. The storage capacity can be easily adjusted, and the time for stopping the operation of the relational database can be shortened.

  In the data distribution storage device of the second means, the metadata is divided into logical storage location information consisting of a character string uniquely derived from the entity data and physical storage location information to the data storage server group. It is preferable to have a corresponding structure.

  According to this configuration, even if the physical storage location information changes due to the update of the entity data, it is not necessary to change the logical storage location information. Thereby, even in the data distribution storage device of the second means, it is possible to ensure data transparency for the application.

  Of course, the data distribution management device of the second means can also provide a plurality of data configuration management servers.

  Further, according to the present invention, the business consignment system includes a client terminal arranged in a consignee company outsourced from a consignment source, and a third party in a third party position with the consignment source and the consignment company. A data distribution storage device according to the present invention disposed in an institution, and an application server connected to the data distribution storage device and connected to the client terminal via a communication line, and the entity data of the relational database Consists of business data of the consignment source, and the application server handling the relational database is stored in the application server.

  In the business consignment system according to the present invention, as described above, since business data is stored in a data distributed storage device that is highly secure against unauthorized access, the above-described entity data consisting of business data leaks in a form that allows understanding of the semantic content. Can be prevented. Moreover, according to the business consignment system according to the present invention, since the data distribution storage device is arranged under the control of a third party, the business consignment system is highly safe for social engineering.

  As described above, according to the data distribution storage device according to the present invention, the management of the relational database and the management of the entity data are made independent, so that the maintenance of the device is easy and only the entity data is leaked. Therefore, it is difficult to grasp the meaning content of the entity data. For this reason, the data distribution storage device according to the present invention can improve security against unauthorized access. Moreover, according to the business consignment system using the data distribution storage device according to the present invention, it is possible to provide a business consignment system with high safety against unauthorized access to business data, particularly social engineering.

  Hereinafter, a first embodiment of a data distribution storage device and a business consignment system according to the present invention will be described with reference to FIGS. As shown in FIG. 1, the business consignment system 1 includes a client terminal 2 disposed in a consignee company O outsourced from a consignment source (not shown), the consignment source and the consignment company O, and a third party. Distributed data storage device 3 arranged in third party organization T in the position of the user, application connected to data distribution storage device 3 via communication line 5 and connected to client terminal 2 via communication line 4 And a server 6.

  The data distribution storage device 3 includes a data storage server group 30 and a data configuration management server 32 that is physically separated from the data storage server group 30 and connected via a communication line 31.

  As the communication line 4, the communication line 5, and the communication line 31, for example, a dedicated line for bidirectional communication or an IP network can be used.

  The data storage server group 30 includes data storage servers 30a, 30b, and 30c in a physically separated state, and stores entity data A obtained by dividing the entity data A of the relational database for each attribute. Here, the entity data A is data held in a normal relational database table (see FIG. 11B).

  In the present invention, storage can be used for the data storage servers 30a, 30b, and 30c. However, since the data configuration management server 32 to be described later manages the entity data A, there is no need to construct a DBMS in each of the data storage servers 30a, 30b, and 30c. Further, since the individual data storage servers 30a, 30b, and 30c only store the actual data A for each attribute, it is not possible to obtain a storage capacity as that of a normal relational database. For this reason, the data distribution storage device 3 can realize a reduction in cost when, for example, a device such as a personal computer is used for each of the data storage servers 30a, 30b, and 30c.

  As shown in FIG. 2, the data configuration management server 32 has a data management function 33 for managing the entity data A and a table management function 34 for managing a table 38 composed of storage location information of the entity data A. Then, logical storage location information described later is created.

  The data management function 33 virtually manages the data storage server group 30. When the entity data A is stored in the data storage server group 30, the entity in the data storage server group 30 is stored as the storage location information of the entity data A. The physical storage location information of data A is created.

  As shown in FIGS. 2, 3A, and 3B, the physical file name 35 can be used for the physical storage location information, and the logical file name (URL) 36 can be used for the logical storage location information. . For example, the URL 36 includes a node name: path / file name associated with each data storage server constituting the data storage server group 30.

  Further, the data management function 33 creates metadata indicating the correspondence between the physical storage location information and the logical storage location information, and holds it as a metadata file 37. The metadata file 37 is a data file in which a physical file name 35 and a URL 36 are associated with each other as conceptually shown in FIG. The data management function 33 records a checksum, data replication information, data size, access right, system log, update log, and the like in the metadata file 37.

  The data management function 33 passes the URL 36 to the table management function 34, acquires the physical file name 35 from the metadata file 37 based on the URL 36 received from the table management function 34, and uses this as a file handle to store the data storage server group 30. The entity data A is acquired and passed to the table management function 34.

  On the other hand, the table management function 34 constructs a table 38 from the received URL 36. The table 38 stores the URL 36 in a relational database table as conceptually shown in FIG. The table 38 can be normalized and divided into a plurality of tables.

  When the application 39 handling the relational database requests access to the entity data A, the table management function 34 obtains the URL 36 of the entity data A from the table 38, passes it to the data management function 33, and receives it. A record is restored from the entity data A and passed to the application 39.

  The application 39 (AP) is stored in the application server 6. The application 39 accesses the table 38 of the table management function 34 by SQL or the like and handles the relational database.

  On the other hand, the data configuration management server 32 encrypts the URL 36 with an encryption key. The decryption key can be composed of a management server decryption key piece input to the data configuration management server 32 and a terminal decryption key piece input from the client terminal 2. As such an encryption method, for example, a secret sharing method can be used. The data configuration management server 32 decrypts the URL 36 with all decryption key pieces being input.

  The system flow of the business consignment system 1 having the above configuration will be described with reference to FIGS. In the business consignment system 1, as a premise for starting operation, business data is lent to a third party organization T when the consignment source outsources business to the consignee company O.

  In the third party organization T, the loaned business data is input to the data distribution storage device 3 as initial data. The data configuration management server 32 stores the entity data A in the data storage server group 30 separately for each attribute. The data management function 33 writes the above various information in the metadata file 37 and the table management function 34 in the table 38. At this time, the table management function 34 encrypts each URL 36 of the table 38 with an encryption key, and creates a terminal decryption key piece and a management server decryption key piece from the encryption key by a secret sharing method.

  The entrusted company O receives the password for using the application 39 and the terminal decryption key fragment input to the IC card from the third party organization T and inputs them to the client terminal 2. When the third party organization T stores the management server decryption key fragment from the data configuration management server 32 into the data storage server group 30, the data management function 33 creates storage location information for the management server decryption key fragment. . Note that the fingerprint authentication data of the operator of the entrusted company O may be input to the client terminal 2.

  Thus, the business consignment system 1 and the data distribution storage device 3 are in a standby state.

  The login to the business consignment system will be described. As shown in FIG. 4, when the consignment company O uses the entity data A composed of the business data, it logs in to the application server 6. A password and a terminal decryption key fragment are input from the client terminal 2 and sent to the application server 6 (S1). The application server 6 sends a decryption key restoration request together with the terminal decryption key fragment to the data configuration management server 32 (S2).

  The table management function 34 of the data configuration management server 32 acquires the storage location information of the decryption key piece for the management server and sends it to the data management function 33 (S3), and the data management function 33 sends the decryption for the management server to the data storage server group 30. Key piece storage location information and an acquisition request are sent (S4).

  The data storage server group 30 sends the management server decryption key fragment to the table management function 34 of the data configuration management server 32 based on the received storage location information of the management server decryption key fragment (S5).

  The table management function 34 determines whether the management server decryption key piece has been successfully acquired (S6). If it is determined that acquisition has failed, re-acquisition is performed (S8). On the other hand, if it is determined that acquisition has been performed, the table management function 34 decrypts from the management server decryption key fragment and the terminal decryption key fragment. The key is restored (S9). The table management function 34 determines whether the decryption key has been restored (S7). When the table management function 34 determines that the restoration has failed, the table management function 34 notifies the application server 6 of authentication rejection, and the application server 6 notifies the client terminal 2 that authentication has been rejected (S16). 2 displays login failure (S17).

  On the other hand, if the table management function 34 determines that the restoration is successful in S7, it makes the decryption key resident in the memory (S10).

  Following S10, the application server 6 performs password authentication and determines whether the authentication is successful (S11). Here, when the password authentication is successful, the client terminal 2 is notified of the login permission, and the client terminal 2 displays the login success (S12).

  The login process of the business consignment system 1 is thus completed, and the consignment destination company O can use the application 39.

  On the other hand, when the password authentication fails, the client terminal 2 and the table management function 34 are notified (S13). The client terminal 2 that has received the notification displays a login failure (S14). In response to the notification, the table management function 34 releases the memory residence of the decryption key (S15).

  Next, a flow when the outsourced company O logs out from the application server 6 will be described. As shown in FIG. 5, a logout command is input from the client terminal 2 and sent to the application server 6 (S21), and the application server 6 notifies the table management function 34 of a logout request (S22).

  Upon receiving the notification, the table management function 34 releases the memory residence of the decryption key and notifies the application server 6 of this (S23). In the application server 6, the application 39 performs necessary internal processing (S24), sends the processing result to the client terminal 2, and the client terminal 2 that has received the processing result displays the completion of logout (S25).

  The logout process of the business consignment system 1 is thus completed.

  Next, a flow in the case where the contracted company O performs data update work of the data distribution storage device 1 during execution of the contracted work will be described with reference to FIG. First, the entrusted company O additionally inputs business data from the client terminal 2 and sends it to the application server 6 (S31). Receiving the additional business data, the application server 6 sends a relation database record addition request to the table management function 34 (S32).

  The table management function 34 starts a new record addition process (S33), and sends the entity data A in the received business data to the data management function 33 (S34). The data management function 33 determines the storage location of the entity data A (S35), and transfers the entity data A to the data storage server group 30 (S36). The data storage server group 30 stores the received entity data A (S37).

  Next, the data management function 33 records an additional log of the entity data A and writes it in the metadata file 37 of the entity data A (S38), and notifies the table management function 34 of the URL 36 of the entity data A. (S39). Upon receiving the notification, the table management function 34 updates the record, encrypts the URL 36 (S40), and notifies the application server 6 of the completion of the update. Upon receiving the notification, the application server 6 performs necessary internal processing (S41) and sends the processing result of the application 39 to the client terminal 2. Receiving the processing result, the client terminal 2 displays the update result (S42).

  Thus, the data update operation of the business consignment system 1 is completed.

  The data management function 33 transfers the entity data A to the data storage server group 30 when replicating the entity data A in response to a replication command (S43). The data storage server group 30 stores the received entity data A (S44). Next, the data management function 33 creates a redundant log record of the entity data A (S45).

  Next, a flow when the entrusted company O performs a search operation of the entity data A during the entrustment work will be described with reference to FIG. First, the entrusted company O inputs search conditions from the client terminal 2 and sends them to the application server 6 (S51). The application server 6 that has received the search condition sends a database search request to the table management function 34 (S52). In response to this, the table management function 34 decrypts the URL 36 of the table 38, starts the record search process (S53), and determines whether there is corresponding business data (S54).

  If the table management function 34 determines that there is corresponding business data, it acquires the URL 36 of the entity data A and sends the URL 36 to the data management function 33 (S55). In response to this, the data management function 33 refers to the metadata file 37 and sends an acquisition request for the entity data A to the data storage server group 30 (S58). A is sent to the data management function 33 (S59).

  The data management function 33 determines whether the actual data A has been successfully acquired (S60). Here, if the data management function 33 determines that the acquisition of the entity data A is successful, the data management function 33 passes the data to the table management function 34. The table management function 34 restores the record and sends it to the application server 6 (S61). In the application server 6 that has received the record, the application 39 performs necessary internal processing (S62), and sends the processing result of the application 39 to the client terminal 2. Receiving the processing result, the client terminal 2 displays the update result (S63). This completes the work data search operation.

  On the other hand, if the data management function 33 determines that the acquisition of the entity data A has failed, the data management function 33 tries to acquire the entity data A again (S64).

  As described above, according to the business consignment system 1 and the data distribution storage device 3 according to the first embodiment of the present invention, the management of the relational database and the management of the entity data A are made independent, so that maintenance is easy. In addition, even if the entity data A is leaked, it is difficult to grasp the meaning content of the business data, so that the security against unauthorized access can be improved.

  The data distribution storage device 3 according to the present invention can also be used for other business systems. For example, a second embodiment according to the present invention is shown in FIG. Hereinafter, the same components as those in the first embodiment are denoted by the same reference numerals, and description thereof is omitted. In the second embodiment, a DBMS server 40 is connected to the application server 6, and the DBMS server 40 is also connected to a data configuration management server 32. Further, the data configuration management server 32 is connected to the application server 6 through a backup communication line.

  In this configuration, the relational database is normally operated by the DBMS server 40 and the data distribution storage device 3 is used as a backup system for the DBMS server 40, as has been widely performed conventionally. As described above, the data distribution storage device 3 is particularly suitable as a backup system because the number of data storage servers can be easily increased and the cost of the data storage server group 30 can be reduced.

  Further, the data distribution storage device 3 according to the present invention can duplicate the data configuration management server 32. For example, a third embodiment according to the present invention is shown in FIG. In the third embodiment, two sets of data configuration management servers 32 and 32 are connected to the application server 6, and the data storage server group 30 is connected to both data configuration management servers 32 and 32.

  In this configuration, when both data configuration management servers 32 and 32 are synchronized, the load applied to each data configuration management server 32 during operation can be distributed, and when one of the data configuration management servers 32 fails On the other hand, the other data configuration management server 32 can perform a degenerate operation.

  As yet another duplex form, a fourth embodiment according to the present invention is shown in FIG. In the fourth embodiment, the application server 6 is connected to each data configuration management server 32 in the third embodiment. Further, the respective data configuration management servers 32 and 32 are arranged in a state of being physically separated from each other.

In this configuration, since the data configuration management servers 32 and 32 to be accessed for each of the client terminals 2 and 2 can be divided, security measures can be performed more locally, and the user who has a shorter line distance can use it. When the data configuration management server 32 is accessed, the communication burden can be reduced.

  The overall configuration of the fifth embodiment according to the present invention is shown in FIG. The data distribution storage device 50 according to the fifth embodiment includes a data configuration management server 51 and a data storage server group 52 connected to the application server 6, and the data configuration management server 51 and the data distribution storage device 50 are connected to a network. 53 and connected in a physically separated state.

  The data configuration management server 51 includes a temporary table management function 54 that handles the customer management table 60 of the relational database on the volatile memory 57, and metadata 70 that describes storage location information of the entity data held in the table 60. The metadata management function 56 is managed in correspondence with the structure of FIG. 2. The temporary table management function 54 and the metadata management function 56 each configured as a server are connected via a communication line 55. The data storage server group 52 is the same as that in the first embodiment, and a description thereof will be omitted.

  The temporary table management function 54 considers the volatile memory 57 as a virtual hard disk drive and uses it for data storage and the like, as well as a record 61a as a single file unit, as conceptually shown in FIG. For example, a database management function for handling a customer management table 60 holding entity data on the volatile memory 57 like entity data 63a (AB12...) Whose attribute of the record 61a is customer ID 62 is provided. The temporary table management function 54 divides the entity data divided for each attribute into fixed unit data, reversibly replaces the order relation between units, holds the replacement rule information, and divides the scrambled data after the replacement. Are stored in the data storage server group 52.

  The temporary table management function 54 creates metadata 70 when the entity data of the customer management table 60 is stored in the data storage server group 52. As conceptually shown in FIG. 14, the metadata 70 has a directory structure having the attribute name of the customer management table 71. For example, the metadata 70 includes entity data for each attribute of the customer management table 60 such as a customer ID 72. The structure has a lower hierarchy in which metadata is stored, and is managed by the metadata management function 56.

  The temporary table management function 54 divides the entity data held in the record 61a for each attribute or a combination of semantic contents that does not cause a problem even if the data leaks. That is, the customer management table 60 is divided into customer ID, name and address, telephone number and date of birth, and the like. The following processing will be described by taking the entity data 63a (ABCD1234567890) of the customer ID 62 as a representative example.

  Next, the temporary table management function 54 fragments the entity data 63a with a certain data length. Since the constant data length to be fragmented is preferably an integer multiple of the pack size described later in terms of access performance, in this example, the constant data length of the fragment data 64a and 64b is 8 bytes. The following processing will be described using fragment data 64a (ABCD1234) as an example.

  Next, the temporary table management function 54 delimits the fragment data 64a with fixed unit data, and reversibly replaces the order relationship between the units (hereinafter, the fixed unit data is referred to as a shuffle size). In this example, since the shuffle size is 1 byte, the order relationship between units is (0), (1),..., (7) in order from the left in FIG. In the replacement rule information, a random number unique to the entity data 63a is used. The replacement is performed by dividing the fragment data 64a into shuffle size units and exchanging any two units determined by the random numbers.

  In this example, if the inherent random number of the entity data 63a is “06142537”, the constituent numbers of the random number are divided into two sets from the left side for each set, and the unit data is exchanged with the corresponding order relation. That is, (0) number data “A” and (6) number data “3”, (1) number data “B” and (4) number data “1” of the fragment data 64a. The scrambled data 65a is obtained from the fragment data 64a. The random number is described in the metadata as the replacement rule information of the entity data 63a, and is stored in the metadata management function 56 in an encrypted state.

  Next, the temporary table management function 54 further divides the scrambled data 65a into a fixed size (hereinafter, the fixed size is referred to as a pack size). In view of access performance, it is desirable that the data length of the fragment data is a multiple of the pack size. In this example, the pack size is 2 bytes and the data length of the fragment data is 8 bytes.

  The divided data 66a to 66d are randomly stored in the nodes 52a to 52d of the data storage server group 52. Here, the reason why the divided data 66a to 66d are stored at random is to further increase the safety against data leakage.

  The entity data 63a is restored by performing the above processes in reverse order. That is, when the divided data 66a to d are combined, the original scrambled data 65a is obtained. When the same exchange process is performed again with reference to the random number, the fragment data 64a is obtained. When the fragment data 64a and 64b are combined, the entity data 63a is obtained. Is restored.

  The temporary table management function 54 adds random number data and adjusts the data to a fixed data length if any of the fragment data is less than the fixed data length. For example, since fragment data 64b (567890 $%) originally has only 6 bytes (567890), it is set to 8 bytes by adding random number data “$%”. When random number data is added in this way, there is an advantage that it becomes difficult to restore and interpret the divided data 66a to 66d. The random number data included in the divided data is removed at the stage of combining the fragment data 64a and 64b.

  When the temporary table management function 54 stores the entity data 63a as the divided data 66a to d in the data storage server group 52, the temporary table management function 54 combines the logical storage location information of the entity data 63a and the physical storage location information of the divided data 66a to d. To the metadata management function 56 as metadata. For example, the metadata of the entity data 63a stored in the lower hierarchy of the customer ID 72 associates the logical storage location information with the physical storage location information of the divided data 66a to 66d in the data storage server group 52. It has a structure.

  The logical storage location information is a character string in which the entity data held in the record 61a is calculated by a one-way function (hash function) and the corresponding sequential number of the attribute of the customer management table 60 is added to the hash value. . The physical storage location information describes the physical storage location information of each of the divided data 66a to 66d stored at random.

  The temporary table management function 54 refers to the logical storage location information in the customer ID 72 and restores the actual data 63a from each of the divided data 66a to 66d, and similarly records the record 61a from the other lower layers of the customer management table 71. The other entity records constituting the entity data are restored and combined based on the sequential number of the logical storage location information corresponding to the physical storage location information of each entity data, so that the entity data is in the order of the attributes in the customer management table 60. The retained record 61a is restored as one file.

  As described above, since the metadata 70 as a whole has a hierarchical structure corresponding to the structure of the customer management table 60, the data structure management server 51 has the metadata 70 as (table name-attribute name). Since the directory structure is used, the customer management table 60 can be collectively restored on the volatile memory 57 by designating the upper table name. In addition, since the temporary table management function 54 can collectively obtain the storage locations of all the entity data related to the customer management table 60, the access from the temporary table management function 54 to the data storage server group 52 can be processed in parallel. Thus, the other records 61b can also be restored in parallel to increase the transaction speed.

  Similarly to the first embodiment, the data configuration management server 51 encrypts the metadata 70 managed by the metadata management function 56 with an encryption key, and uses at least the decryption key of the encryption key as the data configuration management server. The decryption key piece for the management server inputted to 51 and the decryption key piece for the terminal inputted from the client terminal using the relational database, and the metadata 70 is decrypted with all the decryption key pieces inputted. It is supposed to be.

  The system flow of the data distribution storage device 50 having the above configuration will be described with reference to FIGS. In the following description, for ease of understanding, the reference numerals of FIGS. 12 to 14 are added as appropriate, but the reference numerals are omitted in FIGS. 15 to 19.

  As a pre-use stage of the data distribution storage device 50, the business manager (O) of the outsourced company is a person who manages the application server 6 and has the authority to use the customer management table 60. The third-party organization creates one system key that enables access to the data distribution storage device 50 for each database. This system key corresponds to the encryption key and the decryption key, and consists of a unique random number. The decryption key piece for the management server is obtained by XOR dividing the system key with the password of the business administrator (O) or the hash value of fingerprint data (hereinafter referred to as user key), and is stored in the data storage server group 52. Yes. The metadata management function 56 stores the physical storage location information of the management server decryption key piece in association with the logical storage location information consisting of the hash value of the user name of the business administrator (O). . On the other hand, the terminal decryption key piece is the user key held by the business administrator (O). In the fifth embodiment, the application server 6 functions as the client terminal.

  FIGS. 15 and 16 show a schematic flow from when the business administrator (O) accesses the data distribution storage device 50 from the application server 6 until the application server 6 enters a standby state. As shown in FIG. 15, first, the business administrator (O) sends a business start request, a user name, and the user key from the application server 6 to the DBMS server 54 (s200).

  The temporary table management function 54 calls the business start function in response to the business start request (s201), and the business start function performs metadata management for the system key restoration processing request, the hash value of the user name, and the user key. The function 56 is sent (s202).

  The metadata management function 56 acquires the physical storage location information of the decryption key fragment for the management server corresponding to the logical storage location information consisting of the hash value of the user name (s204), and uses this physical storage location information as the physical storage location information. Based on this, the management server decryption key fragment is obtained from the data storage server group 52 (s205), the management server decryption key fragment and the user key are XORed to restore the system key, and the restoration completion notification is temporarily stored. This is sent to the business start function of the management function 54 (s206).

  The business start function of the temporary table management function 54 sends a metadaemon activation request to the metadata management function 56 (s208).

  In response to this, the metadata management function 56 activates the metadaemon function (s209), and sends an activation completion notification to the work start function of the temporary table management function 54. Here, the metadaemon function makes the system key resident in the system memory and enables the encryption / decryption processing of the metadata 70 and the like.

  When the business start function of the temporary table management function 54 receives the metadaemon activation completion notification, the data distribution storage device 50 enters a use ready state (s210).

  As shown in FIG. 16, the business start function sends a RAM-DB start request to the RAM-DB start function (s211), and the RAM-DB start function receives this and starts the RAM disk function and the database management function ( s212, s213) and initialization processing (s214) of the volatile memory 57 by the RAM disk function, and an initialization completion notification is sent to the business start function of the temporary table management function 54 (s215).

  In response to this, the business start function of the temporary table management function 54 sends a restoration request for the customer management table 60 to the DB load execution function of the temporary table management function 54 (s216), and the DB load execution function receives it. Then, a batch transmission request for the metadata 70 is sent to the metadata management function 56 (s217), and the metadata management function 56 receives the request and decrypts the metadata 70 and sends it to the DB load execution function in batch ( s218).

  The DB load execution function of the temporary table management function 54 sends a request for transmission of entity data to be held in the customer management table 60 from the received metadata 70 to each of the nodes 52a to 52d of the data storage server group 52, and the data storage server group 52 When each piece of divided data is received, the entity data is restored at any time (s219).

  Next, the DB load execution function of the temporary table management function 54 creates a file of one record by combining the restored entity data based on the sequential number of the logical storage location information, and converts it into a text file as needed. A DB load file is created by appending to (s220). Next, the DB load execution function transmits the DB load file to the database management function, and the database management function that has received the DB load file completely stores the customer management table 60 in which the actual data is stored in the volatile memory 57. Restoration is performed, and a restoration completion notification is sent to the business start function of the temporary table management function 54 (s221).

  In response to this, the business start function of the temporary table management function 54 sends a DB update start request to the DB update process start function of the temporary table management function 54 (s223), and the DB update process start function receives this request. It starts (s224), validates the DB update trigger process (s225), starts the DB update daemon, and sends a start completion notification to the work start function of the temporary table management function 54 (s226). Through the processes so far, the customer management table 60 is ready for update processing.

  The business start function of the temporary table management function 54 receives the DB update daemon activation completion notification, causes the application server 6 to output a result display (s227), and the application server 6 enters a standby state (s228).

  17 and 18 show a case where the client terminal 2 managed by the business administrator (O) accesses the customer management table 60 via the application 39 stored in the application server 6 and executes various handling processes. The system flow is shown schematically.

  As shown in FIG. 17, first, the client terminal 2 sends a login request to the application server 6 (s229), and the application server 6 receives this and performs login authentication (s230). The terminal 2 can access the customer management table 60 via the application 39 (s231).

  When the client terminal 2 sends a search processing request to the application server 6 in the state of (s231) (s232), the application server 6 sends the SQL of “SELECT” to the temporary table management function 54 (s233), and the temporary table management. The function 54 performs SELECT processing (s234), acquires the corresponding file and entity data from the customer management table 60 (s235), and displays the search result on the client terminal 2 via the application server 6 (s236).

  When the client terminal 2 sends an additional processing request and additional data to the application server 6 in the state of (s231) (s237), the application server 6 sends an SQL of “INSERT” to the temporary table management function 54 (s238). The temporary table management function 54 executes trigger processing to activate the file insertion function (s241).

  The file insertion function of the temporary table management function 54 creates divided data by making the additional data scrambled data (s242), stores each divided data in the data storage server group 52 at random, and logically adds the additional data. The storage location information is created (s243), and the physical storage location information of each divided data is sent to the metadata management function 56 (s244). The metadata management function 56 associates the logical storage location information created by the file insertion function with the physical storage location information of each divided data by updating the corresponding metadata, and sends an update completion notification to the temporary table management function. 54 is sent to the file insertion function (s245).

  In response to this, the file insertion function of the temporary table management function 54 ends the trigger process (s246), and causes the client terminal 2 to display the additional process result via the application server 6 (s247).

  As shown in FIG. 18, in the state of (s231), when the client terminal 2 sends an update processing request and update data to the application server 6 (s248), the application server 6 displays the SQL for “UPDATE” as a temporary table management function. 54 (s249), the temporary table management function 54 receives this, performs UPDATE processing (s250), searches the customer management table 60 for the relevant update target file (s260), and triggers when the update target file is found The process is executed to activate the file deletion function of the temporary table management function 54 (s270). The file deletion function sends a request to delete the entity data held in the update target file to the data storage server group 52 (s271), and the data storage server group 52 receives the request and deletes the corresponding entity data. In response to this, the metadata management function 56 deletes the metadata of the corresponding entity data and sends a completion notification to the temporary table management function 54 (s273).

  In response to this, the temporary table management function 54 executes trigger processing (s274) and activates the file insertion function (s275). The file insertion function creates divided data by using the update data as scrambled data (s276), randomly stores each divided data in the data storage server group 52, and creates logical storage information of the update data ( s277), together with the physical storage location information of each divided data, it is sent to the metadata management function 56 (s278). The metadata management function 56 associates the logical storage location information created by the file insertion function with the physical storage location information of each divided data by updating the corresponding metadata, and sends an update completion notification to the temporary table management function. 54 is sent to the file insertion function (s278).

  In response to this, the temporary table management function 54 ends the trigger process (s279), and causes the client terminal 2 to display the result of the update process via the application server 6 (s280).

  FIG. 19 shows a schematic flow when the business administrator (O) terminates access between the application server 6 and the data distribution storage device 50. As shown in FIG. 19, first, the business administrator (O) sends a business end request from the application server 6 to the temporary table management function 54 while the application server 6 is in a standby state (s281).

  In response to this, the temporary table management function 54 activates the business end function (s282), and the business end function sends a DB update process stop request to the DB update process stop function of the temporary table management function 54 (s283). The update process stop function stops the DB update daemon (s284) and invalidates the DB update trigger (s285).

  Next, the business end function sends a request for deleting the customer management table 60 to the RAM-DB stop function (s289), and the RAM-DB stop function receives this and stops the processing of the customer management table 60 (s290). Then, the customer management table 60 on the volatile memory 57 is erased, and an erase completion notice is sent to the business end function (s291).

  In response to this, the business termination function sends a metadaemon stop request to the metadata management function 56 (s293), and the metadata management function 56 stops the metadaemon function and sends a stop completion notification to the temporary table management function 54. It is sent to the business end function (s294).

  In response to this, the business termination function displays the business termination processing result on the application server 6 (s295), and the access between the application server 6 and the data distribution storage device 50 is terminated (s296).

1 is an overall configuration diagram showing a first embodiment of a business consignment system and a data distribution storage device according to the present invention. The system block diagram of the data distribution storage apparatus of FIG. (A) Configuration diagram of metadata file created by data management function of data configuration management server of FIG. 1, (b) Table configuration diagram created by table management function. The system flow figure at the time of login of the business consignment system and data distribution storage apparatus of FIG. The system flow figure at the time of logout of the business consignment system and data distribution storage apparatus of FIG. The system flow figure at the time of the data update operation | work of the business consignment system and data distribution storage apparatus of FIG. The system flow figure at the time of the data search operation | work of the business consignment system and data distribution storage apparatus of FIG. The whole block diagram which shows 2nd Embodiment of the data distribution storage apparatus which concerns on this invention. The whole block diagram which shows 3rd Embodiment of the data distribution storage apparatus which concerns on this invention. The whole block diagram which shows 4th Embodiment of the data distribution storage apparatus which concerns on this invention. (A) The whole block diagram of the conventional distributed database, (b) The table block diagram created with the conventional distributed database. The whole block diagram which shows 5th Embodiment of the data distribution storage apparatus which concerns on this invention. The conceptual diagram which shows the storage process of the customer management table handled with the data distribution storage apparatus of 5th Embodiment, and the entity data hold | maintained at this customer management table. The conceptual diagram which shows the whole structure of the metadata stored in the metadata management function of 5th Embodiment. FIG. 10 is a schematic partial system flow diagram illustrating a first half of a schematic flow from when the business administrator accesses the data distribution storage device according to the fifth embodiment from the application server to the standby state in the fifth embodiment. FIG. 16 is a schematic partial system flow diagram illustrating the continuation of FIG. 15. In 5th Embodiment, the outline system flow figure of the process in which a client terminal accesses a customer management table, the process in which a client terminal searches a customer management table, and the process in which the said client terminal adds data to a customer management table. FIG. 10 is a schematic system flow diagram of processing in which a client terminal updates a customer management table in the fifth embodiment. FIG. 16 is a schematic system flow diagram of processing in which a business administrator terminates access between an application server and a data distribution storage device in the fifth embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Business consignment system 2 Client terminal 3, 50 Data distribution storage apparatus 4, 5, 31 Communication line 6 Application server 30, 52 Data storage server group 30a, 30b, 30c Data storage server 32, 51 Data configuration management server 33 Data management function 34 Table management function 35 Physical file name 36 Logical file name 37 Metadata file 38 Table 39 Application 51 Data configuration management server 54 Temporary table management function 56 Metadata management function 57 Volatile memory 60 Customer management table 63a, A Entity data 65a Scramble Data 66a-d Split data 70 Metadata O Contracted company T Third party

Claims (10)

  Data storage server group that stores entity data of relational database separately for each attribute, and data that is connected to the data storage server group through a communication line in a physically separated state, and manages the entity data A data configuration management server having a management function and a table management function for managing a table composed of storage location information of the entity data, and the data management function stores the entity data in the data storage server group; Storage location information of the entity data is created and passed to the table management function. The table management function configures the table from the received storage location information, and accesses the entity data from an application that handles the relational database. The storage location information of the entity data is The data management function acquires the entity data from the data storage server group based on the received storage location information and passes it to the table management function. A function is a data distribution storage device that delivers the received entity data to the application.   The data distribution storage device according to claim 1, wherein a plurality of the data configuration management servers are provided.   The data configuration management server encrypts the storage location information with an encryption key, and uses at least the management server decryption key piece input to the data configuration management server and the application as the decryption key of the encryption key. 3. The distributed data storage according to claim 1, wherein the storage location information is composed of terminal decryption key pieces input from a client terminal, and the storage location information is decrypted in a state where all the decryption key pieces are inputted. apparatus.   A data storage server group in which entity data of the relational database is stored separately for each attribute, and is connected to the data storage server group through a communication line in a state of being physically separated from the data storage server group, and the entity data is retained. A temporary table management function for handling a table on a volatile memory, and a data configuration management server including a metadata management function for managing metadata describing storage location information of the entity data in association with the structure of the table The data configuration management server creates the metadata when the entity data is stored in the data storage server group, and stores the table based on the metadata managed by the metadata management function and the storage structure of the metadata. A data distribution storage device for restoring the data on the volatile memory.   The data configuration management server encrypts metadata managed by the metadata management function with an encryption key, and at least a decryption key piece for the management server input to the data configuration management server as a decryption key of the encryption key And a decryption key fragment for a terminal input from a client terminal using the relational database, and the metadata is decrypted with all the decryption key fragments being input. Data distribution storage device.   The data configuration management server divides the entity data divided for each attribute into fixed unit data, reversibly replaces the order relation between units, holds the replacement rule information, and divides the scrambled data after the replacement. 6. The data distribution storage apparatus according to claim 4, wherein the data storage server group stores the data storage server group.   7. The client terminal disposed in a contractor company outsourced from the contractor and the third party located in a third party with the contractor and the contractor company as a third party. A data distribution storage device according to any one of the above and an application server connected to the data distribution storage device and connected to the client terminal via a communication line, and the entity data in the relational database is the delegation source A business consignment system in which an application server handling the relational database is stored in the application server.   It is connected through a communication line in a state of being physically separated from a group of data storage servers that store the entity data of the relational database for each attribute, and a data management function for managing the entity data and the entity data A table management function for managing a table composed of storage location information, wherein the data management function creates storage location information for the entity data and stores the entity data when the entity data is stored in the data storage server group; The table management function configures the table from the received storage location information, and the storage of the entity data is requested when an application that handles the relational database requests access to the entity data. Obtain location information from the table and pass it to the data management function. The function acquires the entity data from the data storage server group based on the received storage location information and passes it to the table management function, and the table management function passes the received entity data to the application. Management server.   It is connected via a communication line in a state of being physically separated from a group of data storage servers that store the actual data of the relational database for each attribute, and temporarily manages the relational database table on the volatile memory. A table management function, and a metadata management function for managing metadata describing storage location information of the entity data in association with the structure of the table, and storing the entity data in the data storage server group, the metadata A data configuration management server that restores the table on the volatile memory based on the metadata managed by the metadata management function and the storage structure of the metadata.   A client terminal connected to the data distribution storage device according to any one of claims 1 to 6 through an application server storing an application that handles the relational database, and accessing the relational database through the application.

Images