WO2017028517A1 - Method for managing data file in cloud, cloud management point, and system - Google Patents

Method for managing data file in cloud, cloud management point, and system Download PDF

Info

Publication number
WO2017028517A1
WO2017028517A1 PCT/CN2016/074317 CN2016074317W WO2017028517A1 WO 2017028517 A1 WO2017028517 A1 WO 2017028517A1 CN 2016074317 W CN2016074317 W CN 2016074317W WO 2017028517 A1 WO2017028517 A1 WO 2017028517A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
server
data file
hash value
protection policy
Prior art date
Application number
PCT/CN2016/074317
Other languages
French (fr)
Chinese (zh)
Inventor
翟征德
申宇
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2017028517A1 publication Critical patent/WO2017028517A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method for managing data files in a cloud, a cloud management point, and a system.
  • the cloud With the development of cloud computing technology, a large number of data files containing personally identifiable data (PII) are stored in the cloud system (referred to as the cloud). For the purpose of ensuring the user's data file availability, the cloud system usually copies the user's data file to generate multiple copies of the file, and saves the generated multiple copies of the file to different servers or different storage partitions of the same server.
  • PII personally identifiable data
  • ACL Access Control List
  • ACL does not copy at the same time as the data file is copied, and multiple copies of the data file can not be protected by the same access policy of the source data file.
  • ACL does not copy at the same time as the data file is copied, and multiple copies of the data file can not be protected by the same access policy of the source data file.
  • the source data file F is initially stored on a server of the data center A and is readable only to the user U, and when the source data file F is copied to a server of the data center B, it is stored in the data center after being copied.
  • the copy file E on a server of B loses the protection of the access policy of the source data file F, and the unauthorized user V can also access the data in the copy file E, thereby causing data leakage of the source data file F.
  • the present invention provides a method for managing data files in a cloud, a cloud management point, and a system to solve the problem of data leakage in the prior art.
  • the technical solutions are as follows:
  • a first aspect of the present invention discloses a method for managing a data file in a cloud, the method comprising:
  • the first server calculates a file identifier of the current data file to be processed, and sends the file identifier to the cloud management point, so that the cloud management point searches for a file protection policy of the data file according to the file identifier;
  • the first server processes the current data file to be processed.
  • the file identifier is a file hash hash value
  • the file protection policy includes file flow range restriction information
  • the method further includes:
  • the first server acquires an execution action of the first server on the data file
  • the first server calculating the file identifier of the current data file to be processed includes: the first server calculating a file Hash of the current data file to be copied value;
  • the method further includes:
  • the second server calculates a file hash value of the copied data file
  • the cloud management point searches for a file protection policy including the file hash value of the copied data file according to the file hash value of the copied data file, and further according to the second service
  • the address information of the server updates the file location list information in the file protection policy including the file hash value of the copied data file; the file location list information includes location information stored in the data file.
  • the file identifier is a file hash value
  • the file protection policy includes file access restriction permission information
  • the method further includes:
  • the first server acquires an execution action of the first server on the data file
  • the first server calculates the file identifier of the current data file to be processed, including: the first server calculates a file Hash of the current data file to be accessed. value;
  • the address information of the file
  • the file identifier is a file hash hash value
  • the file protection policy includes file access restriction permission information
  • the method further includes:
  • the first server acquires an execution action of the first server on the data file
  • the first server calculates a file identifier of the current data file to be processed, including: the first server calculates a file hash value of the current data file to be modified. ;
  • the method when the current data file to be modified is allowed to be modified by the first server, the first server After the content of the current data file to be modified is modified, the method further includes:
  • the first server calculates a file hash value of the modified data file
  • the first server sends a file hash update message to the cloud management point, where the file hash update message includes a file hash value of the current data file to be modified and a file hash value of the modified data file, to And causing the cloud management point to associate the file hash value of the current data file to be modified and the file hash value of the modified data file to the same file protection policy according to the file hash value update message.
  • a second aspect of the present invention discloses another method for managing data files in a cloud, which is applied to a cloud management point, where the cloud management points are communicatively connected to different servers, and the cloud management points are stored with different data files.
  • File protection policy includes:
  • the cloud management point searches for a file protection policy including the file identifier according to the file identifier;
  • the cloud management point sends the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether the processing action to be performed by the first server is allowed to be executed.
  • the file identifier is a file hash hash value
  • the method further includes:
  • the cloud management point searches for a file protection policy including a file hash value of the copied data file according to a file hash value of the copied data file;
  • the cloud management point updates the file location list information in the file protection policy including the file hash value of the copied data file according to the address information of the second server; the file location list information includes data file storage Location information.
  • the second possible implementation manner of the second aspect further includes:
  • the cloud management point searches for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted;
  • the file identifier is a file hash hash value
  • the method further includes:
  • a file hash update message sent by the first server receives, by the cloud management point, a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before modification and a file hash value of the modified data file;
  • cloud management point associates the file hash value of the data file before the modification with the file hash value of the modified data file to the same file protection policy according to the file hash update message.
  • the cloud management point updates the message according to the file hash value, and the data file before the modification
  • the file hash value and the file hash value of the modified data file are associated with the same file protection policy including:
  • the cloud management point searches for a file protection policy including the file hash value of the data file before the modification according to the file hash value of the data file before the modification and the file hash value of the modified data file, respectively, and includes a file protection policy of the file hash value of the modified data file;
  • a file hash value of another data file is added to the hash value field in the at least one file protection policy.
  • a third aspect of the invention discloses a server comprising:
  • a first calculating unit configured to calculate a file identifier of the current data file to be processed
  • a file identifier sending unit configured to send the file identifier to a cloud management point, so that the cloud management point searches for a file protection policy of the data file according to the file identifier;
  • a file protection policy receiving unit configured to receive the file protection policy returned by the cloud management point
  • a determining unit configured to determine, according to the file protection policy, whether the data file allows the server to perform processing
  • the processing unit is configured to process the current data file to be processed when the determining unit determines that the data file allows the server to perform processing.
  • the file identifier is a file hash hash value
  • the file protection policy includes file flow range restriction information
  • the server further includes:
  • a first execution action obtaining unit configured to acquire an execution action of the server on the data file
  • the first calculating unit is configured to: when the execution action acquired by the first execution action acquiring unit is to copy the data file to the second server, calculate a file hash value of the current data file to be copied;
  • the determining unit is configured to determine, according to the file flow range limitation information in the file protection policy, whether the current data file to be copied is allowed to be copied to the second server, where the file flow range limitation information includes Allows the scope of data file replication to flow.
  • the file identifier is a file hash value
  • the file protection policy includes file access restriction permission information
  • the server further includes:
  • a second execution action obtaining unit configured to acquire an execution action of the server on the data file
  • the first calculating unit is specifically configured to: when the execution action acquired by the second execution action acquiring unit is to allow the third server to access the data file, calculate a file hash value of the data file to be accessed currently;
  • the determining unit is configured to determine, according to the file access restriction permission information in the file protection policy, whether the current to-be-accessed data file is allowed to be accessed by the third server, where the file access restriction permission information includes Allow access to the address information of the data file.
  • the file identifier is a file hash hash value
  • the file protection policy includes file access restriction permission information
  • the server further includes:
  • a third execution action obtaining unit configured to acquire an execution action of the server on the data file
  • the first calculating unit is specifically configured to: when the execution action acquired by the third execution action acquiring unit is to modify the content of the data file, the file hash value of the data file to be modified currently;
  • the determining unit is configured to determine, according to the file access restriction permission information in the file protection policy, whether the current data file to be modified is allowed to be modified by the first server, where the file access restriction permission information includes Access to data files.
  • the method further includes:
  • a second calculating unit configured to calculate a file hash value of the modified data file
  • An update message sending unit configured to send a file hash update message to the cloud management point, where the file hash update message includes a file hash value of the current data file to be modified and a file hash value of the modified data file So that the cloud management point updates the message according to the file hash value, and associates the file hash value of the current data file to be modified with the file hash value of the modified data file to the same file protection policy.
  • a fourth aspect of the present invention discloses a cloud management point, where the cloud management point is in communication with a different server, and the cloud management point stores a file protection policy for different data files; the cloud management point includes:
  • a first receiving unit configured to receive a file identifier sent by the first server
  • a first searching unit configured to search for a file protection policy including the file identifier according to the file identifier
  • a first sending unit configured to send the file protection policy to the first server, so that The first server determines, according to the file protection policy, whether a corresponding processing action to be performed by the first server is allowed to be executed.
  • the file identifier is a file hash hash value
  • the cloud management point further includes:
  • a second receiving unit configured to receive a file location update message sent by the second server, where the file location update message includes a file hash value of the copied data file and address information of the second server;
  • a second searching unit configured to search, according to the file hash value of the copied data file, a file protection policy that includes a file hash value of the copied data file;
  • an updating unit configured to update, according to address information of the second server, file location list information in a file protection policy that includes a file hash value of the copied data file; the file location list information includes data file storage Location information.
  • the method further includes:
  • a third receiving unit configured to receive a file hash value of the data file to be deleted sent by the first server
  • a third search unit configured to search for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted;
  • An information obtaining unit configured to acquire file location list information of a data file to be deleted from a file protection policy of a file hash value of the data file to be deleted;
  • a second sending unit configured to send, according to the file location list information of the data file to be deleted, a deletion message to each server in the file location list information of the data file to be deleted, so that the servers are The delete message deletes the data file to be deleted.
  • the file identifier refers to a file hash hash value
  • the cloud management point further includes:
  • a fourth receiving unit configured to receive a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before the modification and a file hash value of the modified data file;
  • a Hash value update unit configured to update the message according to the file hash value, and the number before the modification
  • the file hash value of the file and the file hash value of the modified data file are associated with the same file protection policy.
  • the Hash value update unit includes:
  • a first search subunit configured to search, according to the file hash value of the data file before the modification, a file protection policy including a file hash value of the data file before the modification;
  • a second search subunit configured to search, according to the file hash value of the modified data file, a file protection policy including a file hash value of the modified data file;
  • a hash value adding subunit configured to add a file hash value of another data file to the first lookup subunit and/or the second lookup subunit when it finds that at least one file protection policy exists At least one file protection policy in the hash value field.
  • a fifth aspect of the invention discloses a cloud system comprising a client, a server as described above, and a cloud management point as described above.
  • the first server first calculates a file identifier of the current data file to be processed before performing corresponding processing on the current data file to be processed, and further And receiving, by the file protection policy, a file protection policy corresponding to the file identifier returned by the cloud management point, determining, according to the file protection policy, whether the current data file to be processed is allowed to perform corresponding processing, and if allowed, the first server is further configured to the current data to be processed.
  • the file is processed accordingly.
  • the invention uses the same file protection policy as the source data file in the multiple copy files generated by the source data file, so that the unauthorized users in the prior art are also protected by the file protection policy when accessing the copy file. To prevent data leakage.
  • FIG. 1 is a flowchart of a method for managing a data file in a cloud according to the present invention
  • FIG. 2 is another flow chart of a method for managing data files in the cloud according to the present invention.
  • FIG. 3 is still another flowchart of a method for managing data files in a cloud according to the present invention.
  • FIG. 4 is still another flowchart of a method for managing data files in a cloud according to the present invention.
  • FIG. 5 is still another flowchart of a method for managing data files in a cloud according to the present invention.
  • FIG. 6 is still another flowchart of a method for managing data files in a cloud according to the present invention.
  • FIG. 7 is still another flowchart of a method for managing data files in a cloud according to the present invention.
  • FIG. 8 is a schematic structural diagram of a server according to the present invention.
  • FIG. 9 is a schematic structural diagram of a cloud management point according to the present invention.
  • FIG. 10 is a schematic structural diagram of another server according to the present invention.
  • FIG. 11 is another schematic structural diagram of a cloud management point according to the present invention.
  • FIG. 12 is a schematic structural diagram of a cloud system according to the present invention.
  • the application scenario of the present invention is a cloud system, which includes a client, a server, and a cloud management point.
  • Cloud systems are also commonly referred to as clouds, or cloud data centers.
  • the data file is stored in the server, and the data file may be a source data file or a copy file.
  • the cloud management point stores a file protection policy for the source data file and the copy file.
  • the server in the present invention needs to view a file protection policy corresponding to a certain data file stored in the cloud management point, only when the file protection policy is recorded.
  • the content allows the server to perform operations on such a data file, such as copying, accessing, modifying, etc., the server can continue to perform subsequent operations.
  • the present invention firstly requires the client, the server, and the cloud management point to cooperate in advance to complete the setting of the data file, and the method includes:
  • step 001 the client sends the data file to the server.
  • step 002 the server receives the data file and saves it.
  • Step 003 the server calculates a file hash value of the data file, and the file is hashed The value and address information of the server are sent to the cloud management point.
  • step 004 the cloud management point receives and saves the file hash value and the address information of the server.
  • Step 005 The client sets a file protection policy of the data file on the cloud management point, where the file protection policy includes a file hash value and address information of the server.
  • the present invention uses a file hash value as an identification of a data file to mark different data files. If the contents of the data file are consistent, the file hash value obtained by calculating the contents of the same data file using the same hash algorithm is also the same. Therefore, the present invention can determine that the contents of the two data files are the same as long as the file hash values of the two data files are the same, that is, the two data files are determined to be derived (that is, one is a source data file, and one is a copy file). , or both are duplicate files). At the same time, multiple data files with the same hash value in the present invention will correspond to the same file protection policy on the cloud management point, and are protected by the file protection policy.
  • the file protection policy in the present invention may include file access restriction permission information, file circulation range restriction information, file location list information, and file hash value.
  • the file access restriction permission information includes address information and access rights that allow access to the data file;
  • the file flow range restriction information includes a range that allows the data file to be copied, and
  • the file location list information includes location information of the data file.
  • Hash 123A indicates that the data file has a hash value of 123A; Acess:Li, 10.11.*.* indicates that the user Li and the server whose server address range is 10.11.*.* can access the data file, where Li Read indicates that user Li reads the data file; Restrictions: Germany indicates that the data file can be streamed in servers and data centers in Germany; Locations: A indicates that the data file is stored on server A.
  • the method includes:
  • Step 101 The first server calculates a file identifier of the current data file to be processed, and sends the file identifier to the cloud management point, so that the cloud management point searches for the file according to the file identifier.
  • File protection policy for data files
  • the file identifier is specifically a file hash value.
  • the first server when the first server receives an operation instruction sent by the client, where the operation instruction includes performing a copy, access, or modify control instruction on the data file A, the first server first calculates the data file. A file identifier and send the file ID to the cloud management point. At this time, the cloud management point searches for the file protection policy a including the file identifier according to the file identifier, and returns the file protection policy a to the first server.
  • Step 102 The first server receives the file protection policy returned by the cloud management point.
  • Step 103 The first server determines, according to the file protection policy, whether the current data file to be processed allows the first server to perform processing. If so, step 104 is performed, and if not, step 105 is performed.
  • Step 104 The first server processes the current data file to be processed.
  • step 105 the first server rejects the processing.
  • step 105 may further include the step 106: the first server returns a reject message to the client, to notify the client that the first server does not allow the client to perform the operation requested by the client.
  • the first server before performing the corresponding processing on the data file to be processed, the first server first calculates the file identifier of the current data file to be processed, and then receives the returned by the cloud management point.
  • the file protection policy corresponding to the file identifier determines whether the current data file to be processed is allowed to perform corresponding processing according to the file protection policy. If allowed, the first server performs corresponding processing on the current data file to be processed.
  • the invention uses the same file protection policy as the source data file in the multiple copy files generated by the source data file, so that the unauthorized users in the prior art are also protected by the file protection policy when accessing the copy file. To prevent data leakage.
  • the method is as shown in FIG. 2, including:
  • Step 201 The first server acquires an action performed by the first server on the data file.
  • Step 202 When the performing action is to copy the data file to the second server, the first server calculates a file hash value of the current data file to be copied.
  • the first server when the client initiates the copying of the data file A to be copied on the first server 10.11.1.2 to the second server 10.11.2.2 to the first server 10.11.1.2, the first server first calculates the current to be copied.
  • the file Hash value of data file A is 123A.
  • Step 203 The first server sends the file hash value to the cloud management point.
  • the cloud management point After receiving the file hash value 123A, the cloud management point searches for the file protection policy a including the file hash value 123A, and returns the file protection policy a to the first server 10.11.1.2.
  • Step 204 The first server determines, according to the file distribution range restriction information in the file protection policy, whether the current data file to be copied is allowed to be copied to the second server. If so, step 205 is performed, and if not, step 206 is performed.
  • Step 205 The first server copies the current data file to be copied to the second server.
  • Step 206 The first server refuses to copy the current data file to be copied to the second server.
  • the file circulation range restriction information includes a range in which the data file copy is allowed to flow. Assuming that the current file circulation range restriction information is restrictions: Germany, the first server 10.11.1.2 determines whether the second server 10.11.2.2 belongs to the address range of Germany. If yes, go to step 205, the first server 10.11.1.2 copies the data file A to the second server 10.11.2.2, if not, proceeds to step 206, the first server 10.11.1.2 rejects the data file to be copied. A is copied to the second server 10.11.2.2.
  • the method may further include the step 207: the first server returns a confirmation message to the client.
  • the method may further include step 208: the first server returns to the client. A rejection message tells the client that the copy operation is not allowed.
  • the method may further include:
  • Step 209 The second server calculates a file hash value of the copied data file.
  • the second server calculates the file hash value of the data file A.
  • Step 210 The second server sends a file location update message to the cloud management point, where the file location update message includes a file hash value of the copied data file and address information of the second server, so that the The cloud management point searches for a file protection policy including the file hash value of the copied data file according to the file hash value of the copied data file, and further updates the information according to the address information of the second server.
  • File location list information in a file protection policy of a file hash value of the copied data file the file location list information includes location information stored in the data file.
  • the second server in the present invention actively calculates the file hash value of the data file A, and sends the file hash value of the data file A together with the address information of the second server to the cloud management point.
  • the address information of the second server may be the IP address information of the second server or the like.
  • the cloud management point After receiving the file hash value of the data file A and the address information of the second server, the cloud management point finds the file protection policy a including the file hash value 123A according to the file hash value 123A of the data file A, and in the file protection policy.
  • the address information of the second server is added to the Locations field of the file location list information in a.
  • the method is as shown in FIG. 3, including:
  • Step 301 The first server acquires an action performed by the first server on the data file.
  • Step 302 When the performing action is that the third server is allowed to access the data file, the first server calculates a file hash value of the data file to be accessed currently.
  • the third server actively initiates access request information to the first server, where the access request information includes the address information of the third server and the current data file to be accessed.
  • the access request information when the third server 10.17.3.4 sends the access request information to the first server 10.11.1.2, the access request information includes the address information 10.17.3.4 of the third server and the current to be accessed.
  • the first server 10.11.1.2 also calculates the file hash value of the data file B currently to be accessed. For example, the file Hash value of data file B is 234B.
  • Step 303 The first server sends the file hash value to the cloud management point.
  • the cloud management point After receiving the file hash value 234B, the cloud management point searches for the file protection policy b including the file hash value 234B, and returns the file protection policy b to the first server 10.11.1.2.
  • Step 304 The first server determines, according to the file access restriction permission information in the file protection policy, whether the current data file to be accessed is allowed to be accessed by the third server. If so, step 305 is performed, and if not, step 306 is performed.
  • step 305 the first server allows the third server to access the data file.
  • Step 306 the first server rejects the third server to access the data file.
  • the file access restriction permission information includes address information that allows access to the data file. Assuming that the current file access restriction permission information is Acess:Li, 10.11.*.*, the first server 10.11.1.2 determines whether the third server 10.17.3.4 belongs to the range of Li or 10.11.*.*. If yes, step 305 is performed, the first server 10.11.1.2 allows the third server 10.17.3.4 to access the data file B, and if not, executes step 306, the first server 10.11.1.2 rejects the third server 10.17.3.4 access data File B.
  • the third server 10.17.3.4 does not belong to the range of Li or 10.11.*.*, so the first server 10.11.1.2 rejects the third server 10.17.3.4 to access the data file B.
  • the method may further include the step 307: the first server returns a reject message to the third server. , telling the third server that the access operation is not allowed.
  • the content of a data file (which may be a source data file or a copy file) may be modified.
  • the content of the data file before the modification is the height parameter of the recorded user Jack, for example, the height is 174 cm
  • the subsequent content may involve adding the weight parameter of the user Jack, for example, the weight is 120KG.
  • the modified data file is a new data file derived from the data file before the modification
  • the modified data file should also be subjected to the same file protection policy as the data file before the modification, and will be modified before
  • the data file and the modified data file are associated with the same file protection policy. Based on this, as the first service in the present invention
  • the method is as shown in FIG. 4, including:
  • Step 401 The first server acquires an action performed by the first server on the data file.
  • Step 402 When the performing action is to modify the content of the data file, the first server calculates a file hash value of the current data file to be modified.
  • the first server when the client wants to modify a certain data file C on the first server, that is, when the first server wants to modify the content of the data file C, the first server still calculates the current waiting.
  • the file hash value of the modified data file C For example, the file Hash value of data file C is 345C.
  • Step 403 The first server sends the file hash value to the cloud management point.
  • the cloud management point After receiving the file hash value 345C, the cloud management point searches for the file protection policy c including the file hash value 345C, and returns the file protection policy c to the first server.
  • Step 404 The first server determines, according to the file access restriction permission information in the file protection policy, whether the current data file to be modified is allowed to be modified by the first server. If so, step 405 is performed, and if not, step 408 is performed.
  • Step 405 The first server modifies the content of the current data file to be modified.
  • the file access restriction permission information includes access rights of the data file, and the access rights include read, read, write, and the like. Assuming that the file access restriction permission information in the current file protection policy c is write, then the first server can modify the content of the data file C at this time. If the file access restriction in the file protection policy c allows the information to be read-only, the first server cannot modify the content of the data file C.
  • the present invention further includes:
  • Step 406 The first server calculates a file hash value of the modified data file.
  • the modified data file C is marked as the data file D, and the first server recalculates the file hash value of the data file D.
  • the file Hash value of data file D is 356D.
  • Step 407 The first server sends a file hash update message to the cloud management point, where the file hash update message includes a file hash value of the data file before the modification and a file hash value of the modified data file, to And causing the cloud management point to associate the file hash value of the data file before the modification with the file hash value of the modified data file according to the file hash update message.
  • the file hash update message includes a file hash value of the data file before the modification and a file hash value of the modified data file
  • the first server sends the file hash value 345C of the data file before the modification and the file hash value 356D of the modified data file to the cloud management point.
  • the cloud management point After receiving the file hash value 345C of the data file before the modification and the file hash value 356D of the modified data file, the cloud management point searches for the file protection policy c including the file hash value 345C, and includes the file. Hash value 356D file protection policy d.
  • the cloud management point finds the file protection policy c including the file hash value 345C
  • the file hash value 356D of the modified data file is added in the Hash field of the file protection policy c.
  • the cloud management point finds the file protection policy d including the file hash value 356D
  • the file hash value 345C of the data file before the modification is added in the Hash field of the file protection policy d.
  • the cloud management point finds the file protection policy c including the file hash value 345C and the file protection policy d including the file hash value 356D
  • the modified version is also added in the Hash field of the file protection policy c.
  • the file Hash value 356D of the data file, and the file hash value 345C of the data file before the modification are added in the Hash field of the file protection policy d.
  • the file protection policy c corresponding to the saved on the cloud management point is in the form of:
  • the modified data file D should be subject to the same file protection policy as the original data file C.
  • the first server first needs to calculate the hash value 345C of the data file C before the modification, and modify the data file C to obtain the modified data file D, and calculate the hash value 356D of the modified data file D. Further, the first server simultaneously sends the hash value 345C of the data file C before modification and the hash value 356D of the modified data file D to the cloud management point.
  • the cloud management point searches for the matching file protection policy based on the hash value 345C and the hash value 356D. slightly. When the cloud management point finds that only the file protection policy c including the hash value 345C exists, it is determined that the file protection policy c is a file protection policy for simultaneously protecting the data file C and the data file D. At this time, the cloud management point adds the hash value 356D of the data file D in the Hash field of the file protection policy c. At this time, the file protection policy c is stored in the following manner:
  • this embodiment also includes another application scenario, that is, when the data file C is copied from the first server C to the second server E, and the second server E needs to modify the copy file E, the implementation process of the copy and The implementation of the modification is the same as the previous method. If the foregoing is still taken as an example, the storage mode of the file protection policy c is:
  • the cloud management point also needs to update the location information of the data file in real time.
  • Step 408 The first server does not allow modification of the content of the current data file to be modified.
  • the method may further include the step 408: the first server returns a reject message to the client, to notify The client does not allow this modification.
  • the first server first calculates the file hash value of the current data file to be processed before performing corresponding processing on the current data file to be processed. And receiving a file protection policy corresponding to the file hash value returned by the cloud management point, determining, according to the file protection policy, whether the current to-be-processed data file is allowed to perform corresponding processing, and if allowed, the first server is still waiting for the current process.
  • the processed data files are processed accordingly.
  • the invention uses the same file protection policy as the source data file in the multiple copy files generated by the source data file, so that the unauthorized users in the prior art are also protected by the file protection policy when accessing the copy file. To prevent data leakage.
  • the present invention may also have a case where a data file corresponds to multiple file protection policies.
  • the user defines a plurality of file protection policies corresponding to a certain data file in advance on the cloud management point; or, the data file A corresponds to the file protection policy a on the cloud management point, and the data file B corresponds to the file on the cloud management point. Protection strategy b, and when the content of the data file B is modified, the content of the modified data file B happens to be the same as the content of the data file A, then the file hash value of the modified data file B should be the same as the data file.
  • a file Hash value is the same, then there are two file protection policies a and file protection policies b corresponding to the same file hash value stored on the cloud management point. Then, in the case that the above one data file corresponds to multiple file protection policies, the present invention can still be processed by the same processing method as the above embodiment.
  • the cloud management point finds multiple file protection policies including the file hash value. And sending the multiple file protection policies to the first server together.
  • the first server receives the multiple file protection policies, and then determines, according to each file protection policy, whether the current data file to be processed is allowed to be processed by the first server. If the plurality of file protection policies allow, the first server processes the current data file to be processed; and if at least one of the plurality of file protection policies does not allow the first server to perform processing, the first The server refused to process.
  • the first server when the first server wants to copy the current data file to be copied to the application scenario on the second server, if the first server receives multiple file protections returned by the cloud management point, a policy, and the file distribution range restriction information in the at least one file protection policy of the plurality of file protection policies does not allow the first server to copy the current data file to be copied to the second server, and the first server rejects the current The data file to be copied is copied to the second server.
  • the first server when the first server receives the application scenario of the access request information sent by the third server, if the first server receives multiple file protection policies returned by the cloud management point, the multiple The file access restriction in at least one of the file protection policies allows the third server to access the data file, and the first server denies the third server access to the data file.
  • the first server when the first server wants to modify the current data file to be modified, if the first server receives multiple file protection policies returned by the cloud management point, the multiple The file access restriction in the at least one file protection policy in the file protection policy allows the first server to modify the content of the data file, and the first server cannot modify the content of the current data file to be modified.
  • the present invention further provides a method for managing data files in a cloud, where the method applies a cloud management point, and the cloud management points are connected to different servers, and A file protection policy for different data files is stored on the cloud management point; the method includes, as shown in FIG. 5:
  • Step 501 The cloud management point receives the file identifier sent by the first server.
  • Step 502 The cloud management point searches for a file protection policy including the file identifier according to the file identifier.
  • the file identifier is specifically a file hash value.
  • the cloud management point stores a file protection policy for different data files, where each file protection policy includes a file hash value, and the cloud management point implements file protection including the file hash value according to the file hash value. Strategy.
  • Step 503 The cloud management point sends the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether the processing action to be performed by the first server is allowed to be executed.
  • the first server when the first server wants to perform some processing operation on a certain data file, the first server sends the file identifier of the data file to the cloud management point to the file protection policy of the data file, and then the cloud management Determining, according to the file identifier, a file protection policy including the file identifier, and returning the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether the processing action to be performed by the first server is allowed to be executed. .
  • a plurality of file protection policies including the same file identifier may be stored on the cloud management point.
  • the cloud management point sends the found multiple file protection policies including the file identifier to the first a server, so that the first server determines, according to the multiple file protection policies, whether the processing action to be performed by the first server is allowed to be executed.
  • the first server rejects the processing.
  • the present invention further describes that the file identifier is specifically a file hash value.
  • the method further includes:
  • Step 504 The cloud management point receives the file location update message sent by the second server.
  • the file location update message includes a file hash value of the copied data file and address information of the second server.
  • the second server sends the data file to the cloud management point.
  • a file location update message the file location update message including a file hash value of the copied data file and address information of the second server.
  • Step 505 The cloud management point searches for a file protection policy including a file hash value of the copied data file according to the file hash value of the copied data file.
  • Step 506 The cloud management point updates the file location list information in the file protection policy that includes the file hash value of the copied data file according to the address information of the second server.
  • the file location list information includes location information stored in the data file.
  • the cloud management point records the address information of the server to which the data file is copied, so as to record the location information of the same data file.
  • the present invention records the address information of all data files through the cloud management point, and can clearly know the storage location of each data file.
  • the cloud management point in the present invention may also involve an application scenario for deleting data files.
  • the cloud system when deleting the source data file and the copy file, the cloud system needs to know the storage location of the source data file and all the copy files, and since the cloud system cannot recognize the derivative relationship between the source data file and the copy file, the cloud system also The location of the different copy files of the source data file cannot be known, and it is impossible to uniformly delete all the files, which makes the data file deletion difficult.
  • the present invention since the address information of all the data files recorded in the cloud management point can be clearly Knowing the storage location of each data file, the present invention can easily find the storage location of the data file (including the source data file and the copy file) when deleting the source data file and the copy file, thereby instructing the corresponding server to delete the data file.
  • the specific method is shown in Figure 6, including:
  • Step 601 The cloud management point receives a file hash value of the data file to be deleted sent by the first server.
  • Step 602 The cloud management point searches for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted.
  • Step 603 The cloud management point acquires file location list information of the data file to be deleted from the file protection policy of the file hash value of the data file to be deleted.
  • Step 604 The cloud management point sends, according to the file location list information of the data file to be deleted, a deletion message to each server in the file location list information of the data file to be deleted, so that the servers are according to the Delete message deletes the data file to be deleted.
  • the file location list information in the file protection policy is used to record all the storage location information of the data file, and the cloud management point sequentially searches all the servers storing the data file according to the file location list information, and The all servers send a delete message such that all of the servers delete the data file in accordance with the delete message.
  • the cloud management point only needs to find the file protection policy of the data file to be deleted, and searches according to the file location list information in the file protection policy.
  • Each server storing the data file to be deleted is sent to each server to complete the deletion of the data file on each server.
  • the invention realizes the function of uniformly deleting data files, and ensures the thoroughness of data deletion.
  • the cloud management point finds multiple file protection policies including the file hash value of the data file to be deleted, the cloud management point is from the data file to be deleted.
  • the file location list information of the data file to be deleted is sequentially obtained in multiple file protection policies of the file hash value, and then the file location list information in all the file protection policies obtained is collected and combined to obtain the data file to be deleted. Address information for each server.
  • FIG. 7 it also shows another flowchart of a method for managing data files in the cloud provided by the present invention, including:
  • Step 701 The cloud management point receives a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before the modification and a file hash value of the modified data file.
  • Step 702 The cloud management point associates the file hash value of the data file before the modification with the file hash value of the modified data file to the same file protection policy according to the file hash update message.
  • the cloud management point searches for a file protection policy including the file hash value of the data file before the modification according to the file hash value of the data file before the modification and the file hash value of the modified data file, respectively.
  • a file protection policy including a file hash value of the modified data file.
  • a file hash value of another data file is added to the hash value field in the at least one file protection policy.
  • the cloud management point searches for the file protection policy a of the file hash value 123A of the data file before the modification according to the file hash value 123A of the data file before the modification, and simultaneously according to the file Hash of the modified data file.
  • the value 134B is to find whether or not the file protection policy b of the file hash value 134B of the data file before the modification is included.
  • the cloud management point finds the file protection policy a according to the file hash value 123A and does not find the file protection policy b including the hash value 134B, the cloud management point adds the hash value 134B to the hash value field in the file protection policy a. , that is, "Hash: 123A, 134B".
  • the cloud management point adds the hash value 123A to the hash in the file protection policy b.
  • the cloud management point adds the hash value 123A to the hash in the file protection policy b.
  • the cloud management point finds both the file protection policy a and the file protection policy b, the cloud management point will still add the hash value 134B to the hash value field in the file protection policy a, that is, "Hash: 123A, 134B".
  • the hash value 123A is added to the hash value field in the file protection policy b, that is, "Hash: 134B, 123A”.
  • the present invention further provides a server, as shown in FIG. 8, comprising: a first computing unit 10, a file identifier sending unit 20, and a file protection policy receiving unit 30. , the determining unit 40 and the processing unit 50. among them,
  • the first calculating unit 10 is configured to calculate a file identifier of the current data file to be processed
  • a file identifier sending unit 20 configured to send the file identifier to a cloud management point, so that the cloud management point searches for a file protection policy of the data file according to the file identifier;
  • the file protection policy receiving unit 30 is configured to receive the file protection policy returned by the cloud management point;
  • the determining unit 40 is configured to determine, according to the file protection policy, whether the data file allows the server to perform processing
  • the processing unit 50 is configured to process the current data file to be processed when the determining unit 40 determines that the data file allows the server to perform processing.
  • the file identifier is a file hash value
  • the file protection policy includes file flow range restriction information.
  • the server further includes: a first execution action obtaining unit 60. among them,
  • a first execution action obtaining unit 60 configured to acquire an execution action of the server on the data file
  • the first calculating unit 10 is specifically configured to: when the execution action acquired by the first execution action acquiring unit 60 is to copy the data file to the second server, calculate a file hash value of the current data file to be copied;
  • the determining unit 40 is configured to determine, according to the file flow range limitation information in the file protection policy, whether the current data file to be copied is allowed to be copied to the second server; wherein the file flow range limitation information Includes a range that allows data file replication to flow.
  • the file identifier refers to a file hash value
  • the file protection policy includes file access restriction permission information
  • the server further includes: a first execution action obtaining unit 70. among them,
  • the second execution action obtaining unit 70 is configured to acquire an execution action of the server on the data file.
  • the first calculating unit 10 is specifically configured to: when the execution action acquired by the second execution action acquiring unit 70 is to allow the third server to access the data file, calculate a file hash value of the data file to be accessed currently;
  • the determining unit 40 is configured to determine, according to the file access restriction permission information in the file protection policy, whether the current to-be-accessed data file is allowed to be accessed by the third server, where the file access restriction permission information is Includes address information that allows access to data files.
  • the file identifier refers to a file hash value
  • the file protection policy includes file access restriction permission information
  • the server further includes: a third execution action obtaining unit 80. among them,
  • the third execution action obtaining unit 80 is configured to acquire an execution action of the server on the data file.
  • the first calculating unit 10 is specifically configured to: when the execution action acquired by the third execution action acquiring unit 80 is to modify the content of the data file, the file hash value of the data file to be modified currently;
  • the determining unit 40 is specifically configured to: determine, according to the file access restriction permission information in the file protection policy, whether the current data file to be modified is allowed to be modified by the first server; wherein the file access restriction permission information Includes access to data files.
  • the invention further includes:
  • a second calculating unit 91 configured to calculate a file hash value of the modified data file
  • the update message sending unit 92 is configured to send a file hash update message to the cloud management point, where the file hash update message includes a file hash value of the current data file to be modified and a file hash of the modified data file.
  • the value is such that the cloud management point updates the message according to the file hash value, and associates the file hash value of the current data file to be modified with the file hash value of the modified data file to the same file protection policy.
  • the present invention further provides a cloud management point, as shown in FIG. 9, the cloud management point is communicatively connected to different servers, and the cloud management point is File protection policies for different data files are stored.
  • the cloud management point includes: a first receiving unit 100, a first searching unit 200, and a first sending unit 300. among them,
  • the first receiving unit 100 is configured to receive a file identifier sent by the first server.
  • the first searching unit 200 is configured to search for a file protection policy including the file identifier according to the file identifier.
  • the first sending unit 300 is configured to send the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether a corresponding processing action to be performed by the first server is allowed. carried out.
  • the file identifier refers to a file hash value
  • the cloud management point further includes:
  • a second receiving unit 400 configured to receive a file location update message sent by the second server, where the file location update message includes a file hash value of the copied data file and address information of the second server;
  • the second searching unit 500 is configured to search, according to the file hash value of the copied data file, a file protection policy that includes a file hash value of the copied data file;
  • the updating unit 600 is configured to update the file location list information in the file protection policy including the file hash value of the copied data file according to the address information of the second server; the file location list information includes a data file Stored location information.
  • it also includes:
  • the third receiving unit 700 is configured to receive a file hash value of the data file to be deleted sent by the first server;
  • the third searching unit 800 is configured to search for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted;
  • the information obtaining unit 900 is configured to obtain file location list information of the data file to be deleted from a file protection policy of the file hash value of the data file to be deleted;
  • the second sending unit 1000 is configured to send, according to the file location list information of the data file to be deleted, a deletion message to each server in the file location list information of the data file to be deleted, so that the servers are based on The delete message deletes the data file to be deleted.
  • the file identifier refers to a file hash value
  • the cloud management point further includes:
  • the fourth receiving unit 1100 is configured to receive a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before modification and a file hash value of the modified data file;
  • the Hash value updating unit 1200 is configured to associate the file hash value of the data file before the modification and the file hash value of the modified data file to the same file protection policy according to the file hash update message.
  • the hash value update unit 1200 further includes:
  • the first search sub-unit 1201 is configured to search, according to the file hash value of the data file before the modification, a file protection policy that includes a file hash value of the data file before the modification;
  • a second search subunit 1202 configured to search, according to the file hash value of the modified data file, a file protection policy that includes a file hash value of the modified data file;
  • the Hash value adding sub-unit 1203 is configured to add a file hash value of another data file to the first lookup subunit and/or the second lookup subunit when it finds that at least one file protection policy exists The hash value field in at least one file protection policy.
  • the present invention further provides a server, which may be a host server including computing power, or a personal computer PC, or a portable computer or terminal, etc., and the specific embodiment of the present invention is not correct.
  • the specific implementation of the server is limited.
  • FIG. 10 is another schematic structural diagram of a server provided by the present invention. As shown in FIG. 10, the server 10000 includes:
  • a first processor 11100 a first communication interface 11200, a first memory 11300, and a first bus 11400.
  • the first processor 11100, the first communication interface 11200, and the first memory 11300 complete communication with each other through the first bus 11400.
  • the first processor 11100 is configured to execute the first program 11110.
  • the first program 11110 can include program code, the program code including computer operating instructions.
  • the first processor 11100 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • CPU central processing unit
  • ASIC Application Specific Integrated Circuit
  • the first memory 11300 is configured to store the first program 11110.
  • the first memory 11300 may include a high speed RAM memory and may also include a non-volatile memory such as at least one disk memory.
  • the first program 11110 may specifically include: calculating a file identifier of the current data file to be processed, and sending the file identifier to the cloud management point, so that the cloud management point searches for the file of the data file according to the file identifier. Protection strategy;
  • the current data file to be processed is processed.
  • the file identifier refers to a file hash value
  • the file protection policy includes file flow range restriction information
  • the method further includes: acquiring an execution action of the data file by the server; and when the performing action is to copy the data file to the second server, calculating a file hash value of the current data file to be copied;
  • the file circulation range restriction information includes a range of allowing the data file to be copied and transferred.
  • the file identifier refers to a file hash value
  • the file protection policy includes file access restriction permission information
  • the method further includes: acquiring an execution action of the data file by the server; and when the performing action is to allow the third server to access the data file, calculating a file hash value of the current data file to be accessed;
  • the file access restriction permission information includes address information that allows access to the data file.
  • the file identifier refers to a file hash hash value
  • the file protection policy includes file access restriction permission information
  • the method further includes: acquiring an execution action of the data file by the server; and when the performing action is to modify the content of the data file, calculating a file hash value of the current data file to be modified;
  • the method further includes: calculating a file hash value of the modified data file;
  • the file hash value update message including a file hash value of the current data file to be modified and a file hash value of the modified data file, so that the cloud management point updates the message according to the file hash value, and the file of the current data file to be modified is
  • the hash value and the file hash value of the modified data file are associated with the same file protection policy.
  • FIG. 11 is another schematic structural diagram of a cloud management point provided by the present invention. As shown in FIG. 11, the cloud management point 20000 includes:
  • a second processor (processor) 21100 a second communication interface (Communications Interface) 21200, a second memory (memory) 21300, and a second bus 21400.
  • the second processor 21100, the second communication interface 21200, and the second memory 21300 complete communication with each other through the second bus 21400.
  • the second processor 21100 is configured to execute the second program 21110.
  • the second program 21110 can include program code, the program code including computer operating instructions.
  • the second processor 21100 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • CPU central processing unit
  • ASIC Application Specific Integrated Circuit
  • the second memory 21300 is configured to store the second program 21110.
  • the second memory 21300 may include a high speed RAM memory and may also include a non-volatile memory such as at least one disk memory.
  • the second program 21110 may specifically include: receiving a file identifier sent by the first server;
  • the file identifier refers to a file hash value
  • the method further includes receiving a file location update message sent by the second server, where the file location update message includes a file hash value of the copied data file and address information of the second server;
  • Searching for a file protection policy including a file hash value of the copied data file according to the file hash value of the copied data file;
  • the file location list information includes location information stored in the data file.
  • the method further includes receiving a file hash value of the data file to be deleted sent by the first server;
  • Searching for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted;
  • the file identifier refers to a file hash value
  • the method further includes receiving a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before the modification and a file hash value of the modified data file;
  • the file hash value of the modified data file and the file hash value of the modified data file are associated with the same file protection policy.
  • a file hash value of another data file is added to the hash value field in the at least one file protection policy.
  • the present invention also provides a cloud system, as shown in FIG. 12, including a client, a server, and a cloud management point.

Abstract

The present invention provides a method for managing a data file in cloud, a cloud management point, and a system. The method comprises: a first server calculates a file identifier of a data file to be processed currently, and sends the file identifier to a cloud management point, so that the cloud management point searches for a file protection policy of the data file according to the file identifier; the first server receives the file protection policy returned by the cloud management point; the first server determines, according to the file protection policy, whether the data file allows the first server to execute processing; and if yes, the first server processes the data file to be processed currently. In the present invention, multiple duplicate files generated from a source data file adopt a file protection policy the same as that of the source data file, and therefore, when an unauthorized user in the prior art accesses a duplicate file, the access of the duplicate file is also protected by the file protection policy, thereby preventing data leakage.

Description

一种云中数据文件的管理方法、云管理点和系统Method for managing data files in cloud, cloud management point and system 技术领域Technical field
本发明涉及通信技术领域,更具体地说,涉及一种云中数据文件的管理方法、云管理点和系统。The present invention relates to the field of communications technologies, and in particular, to a method for managing data files in a cloud, a cloud management point, and a system.
背景技术Background technique
随着云计算技术的发展,大量含有个人数据(personally identifiable data,PII)的数据文件被存储到了云系统中(简称云中)。云系统出于保证用户的数据文件可用性的目的,通常会复制用户的数据文件生成多个副本文件,并将生成的多个副本文件分别保存在不同的服务器,或同一服务器不同的存储分区中。With the development of cloud computing technology, a large number of data files containing personally identifiable data (PII) are stored in the cloud system (referred to as the cloud). For the purpose of ensuring the user's data file availability, the cloud system usually copies the user's data file to generate multiple copies of the file, and saves the generated multiple copies of the file to different servers or different storage partitions of the same server.
目前对于数据文件的保护主要使用ACL(Access control list,访问控制列表)。ACL是数据文件的元数据的一部分,定义了系统中不同用户对该数据文件的不同访问权限(读、写等)。At present, the protection of data files mainly uses an ACL (Access Control List). ACL is a part of the metadata of the data file, which defines different access rights (read, write, etc.) of different data users to the data file.
然而在实际应用过程中,ACL并不会随着数据文件的复制而同时复制,数据文件生成的多个副本文件也就无法受到源数据文件相同访问策略的保护。对于非授权用户来说,尽管其不能直接访问源数据文件中的数据,却可以通过访问不受ACL保护的副本文件来获取数据,造成数据泄露。例如,源数据文件F初始在数据中心A的某台服务器上存储,只对用户U可读,而当源数据文件F被复制到数据中心B的某台服务器上时,复制后存储在数据中心B的某台服务器上的副本文件E失去了源数据文件F的访问策略的保护,那么非授权用户V也能访问副本文件E中的数据,从而造成源数据文件F的数据泄露。However, in the actual application process, ACL does not copy at the same time as the data file is copied, and multiple copies of the data file can not be protected by the same access policy of the source data file. For an unauthorized user, although it cannot directly access the data in the source data file, it can obtain data by accessing a copy file that is not protected by the ACL, resulting in data leakage. For example, the source data file F is initially stored on a server of the data center A and is readable only to the user U, and when the source data file F is copied to a server of the data center B, it is stored in the data center after being copied. The copy file E on a server of B loses the protection of the access policy of the source data file F, and the unauthorized user V can also access the data in the copy file E, thereby causing data leakage of the source data file F.
发明内容Summary of the invention
有鉴于此,本发明提供一种云中数据文件的管理方法、云管理点和系统,以解决现有技术中容易造成数据泄露的问题。技术方案如下: In view of this, the present invention provides a method for managing data files in a cloud, a cloud management point, and a system to solve the problem of data leakage in the prior art. The technical solutions are as follows:
本发明的第一方面公开了一种云中数据文件的管理方法,该方法包括:A first aspect of the present invention discloses a method for managing a data file in a cloud, the method comprising:
第一服务器计算当前待处理的数据文件的文件标识,并将所述文件标识发送至云管理点,以使得所述云管理点依据所述文件标识查找所述数据文件的文件保护策略;The first server calculates a file identifier of the current data file to be processed, and sends the file identifier to the cloud management point, so that the cloud management point searches for a file protection policy of the data file according to the file identifier;
所述第一服务器接收所述云管理点返回的所述文件保护策略;Receiving, by the first server, the file protection policy returned by the cloud management point;
所述第一服务器依据所述文件保护策略判断所述数据文件是否允许所述第一服务器执行处理;Determining, by the first server, whether the data file allows the first server to perform processing according to the file protection policy;
如果允许,则所述第一服务器对当前待处理的数据文件进行处理。If allowed, the first server processes the current data file to be processed.
结合第一方面,在第一方面的第一种可能的实现方式中,所述文件标识是指文件哈希Hash值;所述文件保护策略包括文件流转范围限制信息;With reference to the first aspect, in a first possible implementation manner of the first aspect, the file identifier is a file hash hash value; and the file protection policy includes file flow range restriction information;
所述第一服务器计算当前待处理的数据文件的文件标识之前,所述方法还包括:Before the first server calculates the file identifier of the data file to be processed, the method further includes:
所述第一服务器获取所述第一服务器对所述数据文件的执行动作;The first server acquires an execution action of the first server on the data file;
当所述执行动作为将所述数据文件复制到第二服务器时,所述第一服务器计算当前待处理的数据文件的文件标识包括:所述第一服务器计算当前待复制的数据文件的文件Hash值;When the performing action is to copy the data file to the second server, the first server calculating the file identifier of the current data file to be processed includes: the first server calculating a file Hash of the current data file to be copied value;
所述第一服务器依据所述文件保护策略判断所述数据文件是否允许所述第一服务器执行处理,具体包括:Determining, by the first server, whether the data file allows the first server to perform processing according to the file protection policy, specifically:
所述第一服务器依据所述文件保护策略中的文件流转范围限制信息,判断所述当前待复制的数据文件是否允许复制到所述第二服务器;其中所述文件流转范围限制信息包括允许数据文件复制流转的范围。Determining, by the first server, whether the current data file to be copied is allowed to be copied to the second server according to the file flow range restriction information in the file protection policy; wherein the file flow range restriction information includes an allow data file Copy the range of the flow.
结合第一方面的第一种可能的实现方式,在第一方面的第二种可能的实现方式中,当所述第一服务器将所述当前待复制的数据文件复制到所述第二服务器后,所述方法还包括:In conjunction with the first possible implementation of the first aspect, in a second possible implementation manner of the first aspect, after the first server copies the current data file to be copied to the second server, The method further includes:
所述第二服务器计算复制后的数据文件的文件Hash值;The second server calculates a file hash value of the copied data file;
所述第二服务器发送文件位置更新消息至所述云管理点,所述文件位置更新消息包括所述复制后的数据文件的文件Hash值和所述第二服务器的地址信息,以使得所述云管理点依据所述复制后的数据文件的文件Hash值查找到包括所述复制后的数据文件的文件Hash值的文件保护策略,进一步依据所述第二服 务器的地址信息更新所述包括所述复制后的数据文件的文件Hash值的文件保护策略中的文件位置列表信息;所述文件位置列表信息包括数据文件存储的位置信息。Sending, by the second server, a file location update message to the cloud management point, where the file location update message includes a file hash value of the copied data file and address information of the second server, so that the cloud The management point searches for a file protection policy including the file hash value of the copied data file according to the file hash value of the copied data file, and further according to the second service The address information of the server updates the file location list information in the file protection policy including the file hash value of the copied data file; the file location list information includes location information stored in the data file.
结合第一方面,在第一方面的第三种可能的实现方式中,所述文件标识是指文件Hash值;所述文件保护策略包括文件访问限制允许信息;With reference to the first aspect, in a third possible implementation manner of the first aspect, the file identifier is a file hash value; and the file protection policy includes file access restriction permission information;
所述第一服务器计算当前待处理的数据文件的文件标识之前,所述方法还包括:Before the first server calculates the file identifier of the data file to be processed, the method further includes:
所述第一服务器获取所述第一服务器对所述数据文件的执行动作;The first server acquires an execution action of the first server on the data file;
当所述执行动作为将允许第三服务器访问所述数据文件时,所述第一服务器计算当前待处理的数据文件的文件标识包括:所述第一服务器计算当前待访问的数据文件的文件Hash值;When the performing action is that the third server is allowed to access the data file, the first server calculates the file identifier of the current data file to be processed, including: the first server calculates a file Hash of the current data file to be accessed. value;
所述第一服务器依据所述文件保护策略判断所述数据文件是否允许所述第一服务器执行处理,具体包括:Determining, by the first server, whether the data file allows the first server to perform processing according to the file protection policy, specifically:
所述第一服务器依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待访问的数据文件是否允许被所述第三服务器访问;其中所述文件访问限制允许信息包括允许访问数据文件的地址信息。Determining, by the first server, whether the current to-be-accessed data file is allowed to be accessed by the third server according to the file access restriction permission information in the file protection policy; wherein the file access restriction permission information includes allowing access to the data. The address information of the file.
结合第一方面,在第一方面的第四种可能的实现方式中,所述文件标识是指文件哈希Hash值;所述文件保护策略包括文件访问限制允许信息;With reference to the first aspect, in a fourth possible implementation manner of the first aspect, the file identifier is a file hash hash value, and the file protection policy includes file access restriction permission information.
所述第一服务器计算当前待处理的数据文件的文件标识之前,所述方法还包括:Before the first server calculates the file identifier of the data file to be processed, the method further includes:
所述第一服务器获取所述第一服务器对所述数据文件的执行动作;The first server acquires an execution action of the first server on the data file;
当所述执行动作为将所述数据文件的内容进行修改时,所述第一服务器计算当前待处理的数据文件的文件标识包括:所述第一服务器计算当前待修改的数据文件的文件Hash值;When the performing action is to modify the content of the data file, the first server calculates a file identifier of the current data file to be processed, including: the first server calculates a file hash value of the current data file to be modified. ;
所述第一服务器依据所述文件保护策略判断所述数据文件是否允许所述第一服务器执行处理,具体包括:Determining, by the first server, whether the data file allows the first server to perform processing according to the file protection policy, specifically:
所述第一服务器依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待修改的数据文件是否允许被所述第一服务器修改;其中所述文件访问限制允许信息包括数据文件的访问权限。 Determining, by the first server, whether the current data file to be modified is allowed to be modified by the first server according to the file access restriction permission information in the file protection policy; wherein the file access restriction permission information includes a data file access permission.
结合第一方面的第四种可能的实现方式,在第一方面的第五种可能的实现方式中,当所述当前待修改的数据文件允许被所述第一服务器修改,所述第一服务器对所述当前待修改的数据文件的内容进行修改后,所述方法还包括:In conjunction with the fourth possible implementation of the first aspect, in a fifth possible implementation manner of the first aspect, when the current data file to be modified is allowed to be modified by the first server, the first server After the content of the current data file to be modified is modified, the method further includes:
所述第一服务器计算修改后的数据文件的文件Hash值;The first server calculates a file hash value of the modified data file;
所述第一服务器发送文件Hash值更新消息至所述云管理点,所述文件Hash值更新消息包括所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值,以使得所述云管理点依据所述文件Hash值更新消息,将所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值关联到同一文件保护策略上。The first server sends a file hash update message to the cloud management point, where the file hash update message includes a file hash value of the current data file to be modified and a file hash value of the modified data file, to And causing the cloud management point to associate the file hash value of the current data file to be modified and the file hash value of the modified data file to the same file protection policy according to the file hash value update message.
本发明的第二方面公开了另一种云中数据文件的管理方法,应用于云管理点,所述云管理点与不同服务器通信连接,且所述云管理点上存储有针对不同数据文件的文件保护策略;所述方法包括:A second aspect of the present invention discloses another method for managing data files in a cloud, which is applied to a cloud management point, where the cloud management points are communicatively connected to different servers, and the cloud management points are stored with different data files. File protection policy; the method includes:
所述云管理点接收第一服务器发送的文件标识;Receiving, by the cloud management point, a file identifier sent by the first server;
所述云管理点依据所述文件标识,查找包括所述文件标识的文件保护策略;The cloud management point searches for a file protection policy including the file identifier according to the file identifier;
所述云管理点将所述文件保护策略发送至所述第一服务器,以使得所述第一服务器依据所述文件保护策略判断所述第一服务器欲执行的处理动作是否被允许执行。The cloud management point sends the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether the processing action to be performed by the first server is allowed to be executed.
结合第二方面,在第二方面的第一种可能的实现方式,所述文件标识是指文件哈希Hash值,所述方法还包括:With reference to the second aspect, in a first possible implementation manner of the second aspect, the file identifier is a file hash hash value, and the method further includes:
所述云管理点接收第二服务器发送的文件位置更新消息,所述文件位置更新消息包括复制后的数据文件的文件Hash值和所述第二服务器的地址信息;Receiving, by the cloud management point, a file location update message sent by the second server, where the file location update message includes a file hash value of the copied data file and address information of the second server;
所述云管理点依据所述复制后的数据文件的文件Hash值查找包括所述复制后的数据文件的文件Hash值的文件保护策略;The cloud management point searches for a file protection policy including a file hash value of the copied data file according to a file hash value of the copied data file;
所述云管理点依据所述第二服务器的地址信息更新所述包括所述复制后的数据文件的文件Hash值的文件保护策略中的文件位置列表信息;所述文件位置列表信息包括数据文件存储的位置信息。The cloud management point updates the file location list information in the file protection policy including the file hash value of the copied data file according to the address information of the second server; the file location list information includes data file storage Location information.
结合第二方面的第一种可能的实现方式,在第二方面的第二种可能的实现方式,还包括: With reference to the first possible implementation of the second aspect, the second possible implementation manner of the second aspect further includes:
所述云管理点接收所述第一服务器发送的欲删除的数据文件的文件Hash值;Receiving, by the cloud management point, a file hash value of the data file to be deleted sent by the first server;
所述云管理点依据所述欲删除的数据文件的文件Hash值,查找包括所述欲删除的数据文件的文件Hash值的文件保护策略;The cloud management point searches for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted;
所述云管理点从所述欲删除的数据文件的文件Hash值的文件保护策略中获取欲删除的数据文件的文件位置列表信息;Obtaining, by the cloud management point, file location list information of the data file to be deleted from a file protection policy of a file hash value of the data file to be deleted;
所述云管理点依据所述欲删除的数据文件的文件位置列表信息,向所述欲删除的数据文件的文件位置列表信息中的各服务器发送删除消息,以使得所述各服务器依据所述删除消息删除所述欲删除的数据文件。Sending, by the cloud management point, the deletion message to each server in the file location list information of the data file to be deleted according to the file location list information of the data file to be deleted, so that the servers are deleted according to the The message deletes the data file to be deleted.
结合第二方面,在第二方面的第三种可能的实现方式中,所述文件标识是指文件哈希Hash值,所述方法还包括:With reference to the second aspect, in a third possible implementation manner of the second aspect, the file identifier is a file hash hash value, and the method further includes:
所述云管理点接收所述第一服务器发送的文件Hash值更新消息,所述文件Hash值更新消息包括修改前的数据文件的文件Hash值和修改后的数据文件的文件Hash值;Receiving, by the cloud management point, a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before modification and a file hash value of the modified data file;
所述云管理点依据所述文件Hash值更新消息,将所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值关联到同一文件保护策略上。And the cloud management point associates the file hash value of the data file before the modification with the file hash value of the modified data file to the same file protection policy according to the file hash update message.
结合第二方面的第三种可能的实现方式,在第二方面的第四种可能的实现方式中,所述云管理点依据所述文件Hash值更新消息,将所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值关联到同一文件保护策略上包括:In conjunction with the third possible implementation of the second aspect, in a fourth possible implementation manner of the second aspect, the cloud management point updates the message according to the file hash value, and the data file before the modification The file hash value and the file hash value of the modified data file are associated with the same file protection policy including:
所述云管理点分别依据所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值,查找包括所述修改前的数据文件的文件Hash值的文件保护策略和包括所述修改后的数据文件的文件Hash值的文件保护策略;The cloud management point searches for a file protection policy including the file hash value of the data file before the modification according to the file hash value of the data file before the modification and the file hash value of the modified data file, respectively, and includes a file protection policy of the file hash value of the modified data file;
当查找到存在有至少一个文件保护策略时,将另一数据文件的文件Hash值添加到所述至少一个文件保护策略中的Hash值字段中。When it is found that there is at least one file protection policy, a file hash value of another data file is added to the hash value field in the at least one file protection policy.
本发明的第三方面公开了一种服务器,包括:A third aspect of the invention discloses a server comprising:
第一计算单元,用于计算当前待处理的数据文件的文件标识; a first calculating unit, configured to calculate a file identifier of the current data file to be processed;
文件标识发送单元,用于将所述文件标识发送至云管理点,以使得所述云管理点依据所述文件标识查找所述数据文件的文件保护策略;a file identifier sending unit, configured to send the file identifier to a cloud management point, so that the cloud management point searches for a file protection policy of the data file according to the file identifier;
文件保护策略接收单元,用于接收所述云管理点返回的所述文件保护策略;a file protection policy receiving unit, configured to receive the file protection policy returned by the cloud management point;
判断单元,用于依据所述文件保护策略判断所述数据文件是否允许所述服务器执行处理;a determining unit, configured to determine, according to the file protection policy, whether the data file allows the server to perform processing;
处理单元,用于当所述判断单元判断所述数据文件允许所述服务器执行处理时,对当前待处理的数据文件进行处理。The processing unit is configured to process the current data file to be processed when the determining unit determines that the data file allows the server to perform processing.
结合第三方面,在第三方面的第一种可能的实现方式中,所述文件标识是指文件哈希Hash值;所述文件保护策略包括文件流转范围限制信息;所述服务器还包括:With reference to the third aspect, in a first possible implementation manner of the third aspect, the file identifier is a file hash hash value; the file protection policy includes file flow range restriction information; and the server further includes:
第一执行动作获取单元,用于获取所述服务器对所述数据文件的执行动作;a first execution action obtaining unit, configured to acquire an execution action of the server on the data file;
所述第一计算单元,具体用于当所述第一执行动作获取单元获取的所述执行动作为将所述数据文件复制到第二服务器时计算当前待复制的数据文件的文件Hash值;The first calculating unit is configured to: when the execution action acquired by the first execution action acquiring unit is to copy the data file to the second server, calculate a file hash value of the current data file to be copied;
所述判断单元具体用于,依据所述文件保护策略中的文件流转范围限制信息,判断所述当前待复制的数据文件是否允许复制到所述第二服务器;其中所述文件流转范围限制信息包括允许数据文件复制流转的范围。The determining unit is configured to determine, according to the file flow range limitation information in the file protection policy, whether the current data file to be copied is allowed to be copied to the second server, where the file flow range limitation information includes Allows the scope of data file replication to flow.
结合第三方面,在第三方面的第二种可能的实现方式中,所述文件标识是指文件Hash值;所述文件保护策略包括文件访问限制允许信息;所述服务器还包括:With reference to the third aspect, in a second possible implementation manner of the third aspect, the file identifier is a file hash value; the file protection policy includes file access restriction permission information; and the server further includes:
第二执行动作获取单元,用于获取所述服务器对所述数据文件的执行动作;a second execution action obtaining unit, configured to acquire an execution action of the server on the data file;
所述第一计算单元具体用于当所述第二执行动作获取单元获取的所述执行动作为将允许第三服务器访问所述数据文件时,计算当前待访问的数据文件的文件Hash值; The first calculating unit is specifically configured to: when the execution action acquired by the second execution action acquiring unit is to allow the third server to access the data file, calculate a file hash value of the data file to be accessed currently;
所述判断单元具体用于,依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待访问的数据文件是否允许被所述第三服务器访问;其中所述文件访问限制允许信息包括允许访问数据文件的地址信息。The determining unit is configured to determine, according to the file access restriction permission information in the file protection policy, whether the current to-be-accessed data file is allowed to be accessed by the third server, where the file access restriction permission information includes Allow access to the address information of the data file.
结合第三方面,在第三方面的第三种可能的实现方式中,所述文件标识是指文件哈希Hash值;所述文件保护策略包括文件访问限制允许信息;所述服务器还包括:With reference to the third aspect, in a third possible implementation manner of the third aspect, the file identifier is a file hash hash value; the file protection policy includes file access restriction permission information; and the server further includes:
第三执行动作获取单元,用于获取所述服务器对所述数据文件的执行动作;a third execution action obtaining unit, configured to acquire an execution action of the server on the data file;
所述第一计算单元具体用于当所述第三执行动作获取单元获取的所述执行动作为将所述数据文件的内容进行修改时,当前待修改的数据文件的文件Hash值;The first calculating unit is specifically configured to: when the execution action acquired by the third execution action acquiring unit is to modify the content of the data file, the file hash value of the data file to be modified currently;
所述判断单元具体用于,依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待修改的数据文件是否允许被所述第一服务器修改;其中所述文件访问限制允许信息包括数据文件的访问权限。The determining unit is configured to determine, according to the file access restriction permission information in the file protection policy, whether the current data file to be modified is allowed to be modified by the first server, where the file access restriction permission information includes Access to data files.
结合第三方面的第三种可能的实现方式,在第三方面的第二种可能的实现方式中,还包括:In conjunction with the third possible implementation of the third aspect, in a second possible implementation manner of the third aspect, the method further includes:
第二计算单元,用于计算修改后的数据文件的文件Hash值;a second calculating unit, configured to calculate a file hash value of the modified data file;
更新消息发送单元,用于发送文件Hash值更新消息至所述云管理点,所述文件Hash值更新消息包括所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值,以使得所述云管理点依据所述文件Hash值更新消息,将所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值关联到同一文件保护策略上。An update message sending unit, configured to send a file hash update message to the cloud management point, where the file hash update message includes a file hash value of the current data file to be modified and a file hash value of the modified data file So that the cloud management point updates the message according to the file hash value, and associates the file hash value of the current data file to be modified with the file hash value of the modified data file to the same file protection policy.
本发明的第四方面公开了一种云管理点,所述云管理点与不同服务器通信连接,且所述云管理点上存储有针对不同数据文件的文件保护策略;所述云管理点包括:A fourth aspect of the present invention discloses a cloud management point, where the cloud management point is in communication with a different server, and the cloud management point stores a file protection policy for different data files; the cloud management point includes:
第一接收单元,用于接收第一服务器发送的文件标识;a first receiving unit, configured to receive a file identifier sent by the first server;
第一查找单元,用于依据所述文件标识,查找包括所述文件标识的文件保护策略;a first searching unit, configured to search for a file protection policy including the file identifier according to the file identifier;
第一发送单元,用于将所述文件保护策略发送至所述第一服务器,以使得 所述第一服务器依据所述文件保护策略判断所述第一服务器欲执行的相应处理动作是否被允许执行。a first sending unit, configured to send the file protection policy to the first server, so that The first server determines, according to the file protection policy, whether a corresponding processing action to be performed by the first server is allowed to be executed.
结合第四方面,在第四方面的第一种可能的实现方式中,所述文件标识是指文件哈希Hash值,所述云管理点还包括:With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the file identifier is a file hash hash value, and the cloud management point further includes:
第二接收单元,用于接收第二服务器发送的文件位置更新消息,所述文件位置更新消息包括复制后的数据文件的文件Hash值和所述第二服务器的地址信息;a second receiving unit, configured to receive a file location update message sent by the second server, where the file location update message includes a file hash value of the copied data file and address information of the second server;
第二查找单元,用于依据所述复制后的数据文件的文件Hash值查找包括所述复制后的数据文件的文件Hash值的文件保护策略;a second searching unit, configured to search, according to the file hash value of the copied data file, a file protection policy that includes a file hash value of the copied data file;
更新单元,用于依据所述第二服务器的地址信息更新所述包括所述复制后的数据文件的文件Hash值的文件保护策略中的文件位置列表信息;所述文件位置列表信息包括数据文件存储的位置信息。And an updating unit, configured to update, according to address information of the second server, file location list information in a file protection policy that includes a file hash value of the copied data file; the file location list information includes data file storage Location information.
结合第四方面的第一种可能的实现方式,在第四方面的第二种可能的实现方式中,还包括:In conjunction with the first possible implementation of the fourth aspect, in a second possible implementation manner of the fourth aspect, the method further includes:
第三接收单元,用于接收所述第一服务器发送的欲删除的数据文件的文件Hash值;a third receiving unit, configured to receive a file hash value of the data file to be deleted sent by the first server;
第三查找单元,用于依据所述欲删除的数据文件的文件Hash值,查找包括所述欲删除的数据文件的文件Hash值的文件保护策略;a third search unit, configured to search for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted;
信息获取单元,用于从所述欲删除的数据文件的文件Hash值的文件保护策略中获取欲删除的数据文件的文件位置列表信息;An information obtaining unit, configured to acquire file location list information of a data file to be deleted from a file protection policy of a file hash value of the data file to be deleted;
第二发送单元,用于依据所述欲删除的数据文件的文件位置列表信息,向所述欲删除的数据文件的文件位置列表信息中的各服务器发送删除消息,以使得所述各服务器依据所述删除消息删除所述欲删除的数据文件。a second sending unit, configured to send, according to the file location list information of the data file to be deleted, a deletion message to each server in the file location list information of the data file to be deleted, so that the servers are The delete message deletes the data file to be deleted.
结合第四方面的第四种可能的实现方式,所述文件标识是指文件哈希Hash值,所述云管理点还包括:With reference to the fourth possible implementation of the fourth aspect, the file identifier refers to a file hash hash value, and the cloud management point further includes:
第四接收单元,用于接收所述第一服务器发送的文件Hash值更新消息,所述文件Hash值更新消息包括修改前的数据文件的文件Hash值和修改后的数据文件的文件Hash值;a fourth receiving unit, configured to receive a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before the modification and a file hash value of the modified data file;
Hash值更新单元,用于依据所述文件Hash值更新消息,将所述修改前的数 据文件的文件Hash值和所述修改后的数据文件的文件Hash值关联到同一文件保护策略上。a Hash value update unit, configured to update the message according to the file hash value, and the number before the modification The file hash value of the file and the file hash value of the modified data file are associated with the same file protection policy.
结合第四方面,在第四方面的第三种可能的实现方式,所述Hash值更新单元包括:With reference to the fourth aspect, in a third possible implementation manner of the fourth aspect, the Hash value update unit includes:
第一查找子单元,用于依据所述修改前的数据文件的文件Hash值查找包括所述修改前的数据文件的文件Hash值的文件保护策略;a first search subunit, configured to search, according to the file hash value of the data file before the modification, a file protection policy including a file hash value of the data file before the modification;
第二查找子单元,用于依据所述修改后的数据文件的文件Hash值查找包括所述修改后的数据文件的文件Hash值的文件保护策略;a second search subunit, configured to search, according to the file hash value of the modified data file, a file protection policy including a file hash value of the modified data file;
Hash值添加子单元,用于当所述第一查找子单元和/或所述第二查找子单元查找到存在有至少一个文件保护策略时,将另一数据文件的文件Hash值添加到所述至少一个文件保护策略中的Hash值字段中。a hash value adding subunit, configured to add a file hash value of another data file to the first lookup subunit and/or the second lookup subunit when it finds that at least one file protection policy exists At least one file protection policy in the hash value field.
本发明的第五方面公开了一种云系统,包括客户端、如上所述的服务器和如上所述的云管理点。A fifth aspect of the invention discloses a cloud system comprising a client, a server as described above, and a cloud management point as described above.
应用本发明的上述技术方案,本发明提供的云中数据文件的管理方法中,第一服务器在对当前待处理的数据文件执行相应处理前,首先计算当前待处理的数据文件的文件标识,进而接收云管理点返回的所述文件标识对应的文件保护策略,依据所述文件保护策略判断所述当前待处理的数据文件是否允许执行相应处理,如果允许,第一服务器再对当前待处理的数据文件进行相应处理。本发明将源数据文件生成的多个副本文件同样采用与源数据文件相同的文件保护策略,那么针对现有技术中的非授权用户来说,其在访问副本文件时也受到文件保护策略的保护,防止了数据泄露。According to the above technical solution of the present invention, in the method for managing data files in the cloud provided by the present invention, the first server first calculates a file identifier of the current data file to be processed before performing corresponding processing on the current data file to be processed, and further And receiving, by the file protection policy, a file protection policy corresponding to the file identifier returned by the cloud management point, determining, according to the file protection policy, whether the current data file to be processed is allowed to perform corresponding processing, and if allowed, the first server is further configured to the current data to be processed. The file is processed accordingly. The invention uses the same file protection policy as the source data file in the multiple copy files generated by the source data file, so that the unauthorized users in the prior art are also protected by the file protection policy when accessing the copy file. To prevent data leakage.
附图说明DRAWINGS
为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据提供的附图获得其他的附图。In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below. Obviously, the drawings in the following description are only It is an embodiment of the present invention, and those skilled in the art can obtain other drawings according to the provided drawings without any creative work.
图1为本发明提供的一种云中数据文件的管理方法的一种流程图;FIG. 1 is a flowchart of a method for managing a data file in a cloud according to the present invention;
图2为本发明提供的一种云中数据文件的管理方法的另一种流程图; 2 is another flow chart of a method for managing data files in the cloud according to the present invention;
图3为本发明提供的一种云中数据文件的管理方法的再一种流程图;FIG. 3 is still another flowchart of a method for managing data files in a cloud according to the present invention; FIG.
图4为本发明提供的一种云中数据文件的管理方法的再一种流程图;FIG. 4 is still another flowchart of a method for managing data files in a cloud according to the present invention; FIG.
图5为本发明提供的一种云中数据文件的管理方法的再一种流程图;FIG. 5 is still another flowchart of a method for managing data files in a cloud according to the present invention;
图6为本发明提供的一种云中数据文件的管理方法的再一种流程图;FIG. 6 is still another flowchart of a method for managing data files in a cloud according to the present invention;
图7为本发明提供的一种云中数据文件的管理方法的再一种流程图;FIG. 7 is still another flowchart of a method for managing data files in a cloud according to the present invention;
图8为本发明提供的一种服务器的结构示意图;FIG. 8 is a schematic structural diagram of a server according to the present invention; FIG.
图9为本发明提供的一种云管理点的结构示意图;FIG. 9 is a schematic structural diagram of a cloud management point according to the present invention; FIG.
图10为本发明提供的一种服务器的另一种结构示意图;FIG. 10 is a schematic structural diagram of another server according to the present invention; FIG.
图11为本发明提供的一种云管理点的另一种结构示意图;11 is another schematic structural diagram of a cloud management point according to the present invention;
图12为本发明提供的一种云系统的结构示意图。FIG. 12 is a schematic structural diagram of a cloud system according to the present invention.
具体实施方式detailed description
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, but not all embodiments. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative efforts are within the scope of the present invention.
本发明的应用场景为云系统中,云系统包括客户端、服务器和云管理点。通常云系统也称之为云中,或云数据中心。其中,服务器中存储有数据文件,该数据文件可以是源数据文件,也可以是副本文件,云管理点中存储有对源数据文件以及副本文件的文件保护策略。本发明中的服务器在执行对某个数据文件诸如复制、访问、修改等操作时,都需要查看云管理点中存储的对应该某个数据文件的文件保护策略,只有当文件保护策略中记载的内容允许服务器执行对该某个数据文件诸如复制、访问、修改等操作时,服务器才能继续执行后续操作。The application scenario of the present invention is a cloud system, which includes a client, a server, and a cloud management point. Cloud systems are also commonly referred to as clouds, or cloud data centers. The data file is stored in the server, and the data file may be a source data file or a copy file. The cloud management point stores a file protection policy for the source data file and the copy file. When performing operations on a certain data file, such as copying, accessing, and modifying, the server in the present invention needs to view a file protection policy corresponding to a certain data file stored in the cloud management point, only when the file protection policy is recorded. When the content allows the server to perform operations on such a data file, such as copying, accessing, modifying, etc., the server can continue to perform subsequent operations.
那么在具体介绍本发明技术方案前,本发明首先需要客户端、服务器和云管理点三者预先配合完成对数据文件的设置,其方法包括:Before the technical solution of the present invention is specifically introduced, the present invention firstly requires the client, the server, and the cloud management point to cooperate in advance to complete the setting of the data file, and the method includes:
步骤001,客户端发送数据文件至服务器。In step 001, the client sends the data file to the server.
步骤002,服务器接收数据文件并保存。In step 002, the server receives the data file and saves it.
步骤003,服务器计算该数据文件的文件Hash(哈希)值,并将文件Hash 值和服务器的地址信息发送至云管理点。Step 003, the server calculates a file hash value of the data file, and the file is hashed The value and address information of the server are sent to the cloud management point.
步骤004,云管理点接收并保存文件Hash值和服务器的地址信息。In step 004, the cloud management point receives and saves the file hash value and the address information of the server.
步骤005,客户端在云管理点上设置该数据文件的文件保护策略,所述文件保护策略包括文件Hash值和服务器的地址信息。Step 005: The client sets a file protection policy of the data file on the cloud management point, where the file protection policy includes a file hash value and address information of the server.
在本发明中,本发明使用文件Hash值作为数据文件的标识,来标记不同的数据文件。如果数据文件的内容一致,那么采用相同的Hash算法计算相同数据文件的内容得到的文件Hash值也是相同的。因此,本发明只要判断两个数据文件的文件Hash值相同,则可判断该两个数据文件的内容相同,即确定该两个数据文件为衍生关系(即一个为源数据文件,一个为副本文件,或两个均为副本文件)。同时,本发明中Hash值相同的多个数据文件都会对应到云管理点上的同一文件保护策略,同时受该文件保护策略的保护。In the present invention, the present invention uses a file hash value as an identification of a data file to mark different data files. If the contents of the data file are consistent, the file hash value obtained by calculating the contents of the same data file using the same hash algorithm is also the same. Therefore, the present invention can determine that the contents of the two data files are the same as long as the file hash values of the two data files are the same, that is, the two data files are determined to be derived (that is, one is a source data file, and one is a copy file). , or both are duplicate files). At the same time, multiple data files with the same hash value in the present invention will correspond to the same file protection policy on the cloud management point, and are protected by the file protection policy.
更具体的,本发明中的文件保护策略可以包括文件访问限制允许信息、文件流转范围限制信息、文件位置列表信息和文件Hash值。其中,文件访问限制允许信息包括允许访问数据文件的地址信息和访问权限;文件流转范围限制信息包括允许数据文件复制流转的范围;文件位置列表信息包括数据文件的位置信息。其具体的存储方式可如下所示:More specifically, the file protection policy in the present invention may include file access restriction permission information, file circulation range restriction information, file location list information, and file hash value. The file access restriction permission information includes address information and access rights that allow access to the data file; the file flow range restriction information includes a range that allows the data file to be copied, and the file location list information includes location information of the data file. Its specific storage method can be as follows:
Hash:123A;Hash: 123A;
文件访问限制允许信息Acess:Li read,10.11.*.*;File access restriction allows information Acess:Li read,10.11.*.*;
文件流转范围限制信息restrictions:Germany;File circulation range restriction information restrictions:Germany;
文件位置列表信息Locations:A。File location list information Locations: A.
其中,Hash:123A表示该数据文件的文件Hash值为123A;Acess:Li,10.11.*.*表示用户Li以及服务器地址范围在10.11.*.*内的服务器都可以访问该数据文件,其中Li read表示用户Li只读该数据文件;Restrictions:Germany表示该数据文件可以在德国境内的服务器和数据中心中流转;Locations:A表示该数据文件存储在服务器A上。Among them, Hash: 123A indicates that the data file has a hash value of 123A; Acess:Li, 10.11.*.* indicates that the user Li and the server whose server address range is 10.11.*.* can access the data file, where Li Read indicates that user Li reads the data file; Restrictions: Germany indicates that the data file can be streamed in servers and data centers in Germany; Locations: A indicates that the data file is stored on server A.
下面发明人将介绍本发明提供的云中数据文件的管理方法的具体实现方法,如图1所示,方法包括:The following inventors will introduce a specific implementation method for managing a data file in the cloud provided by the present invention. As shown in FIG. 1, the method includes:
步骤101,第一服务器计算当前待处理的数据文件的文件标识,并将所述文件标识发送至云管理点,以使得所述云管理点依据所述文件标识,查找所述 数据文件的文件保护策略。Step 101: The first server calculates a file identifier of the current data file to be processed, and sends the file identifier to the cloud management point, so that the cloud management point searches for the file according to the file identifier. File protection policy for data files.
其中可选的,文件标识具体为文件Hash值。Optionally, the file identifier is specifically a file hash value.
在本实施例中,当第一服务器接收到客户端发送的某种操作指令,该操作指令包括如要对数据文件A执行复制、访问或修改等控制指令时,第一服务器首先计算该数据文件A的文件标识,并将文件标识发送至云管理点。此时,云管理点会依据该文件标识查找到包括该文件标识的文件保护策略a,进而将文件保护策略a返回至第一服务器。In this embodiment, when the first server receives an operation instruction sent by the client, where the operation instruction includes performing a copy, access, or modify control instruction on the data file A, the first server first calculates the data file. A file identifier and send the file ID to the cloud management point. At this time, the cloud management point searches for the file protection policy a including the file identifier according to the file identifier, and returns the file protection policy a to the first server.
步骤102,第一服务器接收所述云管理点返回的所述文件保护策略。Step 102: The first server receives the file protection policy returned by the cloud management point.
步骤103,第一服务器依据所述文件保护策略判断所述当前待处理的数据文件是否允许所述第一服务器执行处理。如果允许,执行步骤104,如果不允许,执行步骤105。Step 103: The first server determines, according to the file protection policy, whether the current data file to be processed allows the first server to perform processing. If so, step 104 is performed, and if not, step 105 is performed.
步骤104,第一服务器对当前待处理的数据文件进行处理。Step 104: The first server processes the current data file to be processed.
步骤105,第一服务器拒绝处理。In step 105, the first server rejects the processing.
当然可选的,步骤105后还可以进一步包括步骤106:第一服务器向客户端返回拒绝消息,以告知客户端第一服务器不允许执行客户端要求的操作。Optionally, after step 105, step 105 may further include the step 106: the first server returns a reject message to the client, to notify the client that the first server does not allow the client to perform the operation requested by the client.
因此本发明提供的云中数据文件的管理方法中,第一服务器在对当前待处理的数据文件执行相应处理前,首先计算当前待处理的数据文件的文件标识,进而接收云管理点返回的所述文件标识对应的文件保护策略,依据所述文件保护策略判断所述当前待处理的数据文件是否允许执行相应处理,如果允许,第一服务器再对当前待处理的数据文件进行相应处理。本发明将源数据文件生成的多个副本文件同样采用与源数据文件相同的文件保护策略,那么针对现有技术中的非授权用户来说,其在访问副本文件时也受到文件保护策略的保护,防止了数据泄露。Therefore, in the method for managing data files in the cloud provided by the present invention, before performing the corresponding processing on the data file to be processed, the first server first calculates the file identifier of the current data file to be processed, and then receives the returned by the cloud management point. The file protection policy corresponding to the file identifier determines whether the current data file to be processed is allowed to perform corresponding processing according to the file protection policy. If allowed, the first server performs corresponding processing on the current data file to be processed. The invention uses the same file protection policy as the source data file in the multiple copy files generated by the source data file, so that the unauthorized users in the prior art are also protected by the file protection policy when accessing the copy file. To prevent data leakage.
为了更清楚地说明本发明的技术方案,本发明将以服务器欲执行复制、访问、修改等应用场景进行具体介绍。In order to explain the technical solution of the present invention more clearly, the present invention will be specifically described in the application scenario in which the server wants to perform replication, access, modification, and the like.
首先,对于当第一服务器欲将当前待复制的数据文件复制到第二服务器上的应用场景来说,其方法如图2所示,包括:First, for an application scenario in which the first server wants to copy the current data file to be copied to the second server, the method is as shown in FIG. 2, including:
步骤201,第一服务器获取所述第一服务器对所述数据文件的执行动作。 Step 201: The first server acquires an action performed by the first server on the data file.
步骤202,当所述执行动作为将所述数据文件复制到第二服务器时,所述第一服务器计算所述当前待复制的数据文件的文件Hash值。Step 202: When the performing action is to copy the data file to the second server, the first server calculates a file hash value of the current data file to be copied.
具体地,例如客户端向第一服务器10.11.1.2发起将第一服务器10.11.1.2上当前待复制的数据文件A复制到第二服务器10.11.2.2时,第一服务器首先计算所述当前待复制的数据文件A的文件Hash值123A。Specifically, for example, when the client initiates the copying of the data file A to be copied on the first server 10.11.1.2 to the second server 10.11.2.2 to the first server 10.11.1.2, the first server first calculates the current to be copied. The file Hash value of data file A is 123A.
步骤203,第一服务器将所述文件Hash值发送至云管理点。Step 203: The first server sends the file hash value to the cloud management point.
云管理点在接收到所述文件Hash值123A后,查找包括所述文件Hash值123A的文件保护策略a,并将文件保护策略a返回至第一服务器10.11.1.2。After receiving the file hash value 123A, the cloud management point searches for the file protection policy a including the file hash value 123A, and returns the file protection policy a to the first server 10.11.1.2.
步骤204,第一服务器依据所述文件保护策略中的文件流转范围限制信息,判断所述当前待复制的数据文件是否允许复制到所述第二服务器。如果允许,执行步骤205,如果不允许,执行步骤206。Step 204: The first server determines, according to the file distribution range restriction information in the file protection policy, whether the current data file to be copied is allowed to be copied to the second server. If so, step 205 is performed, and if not, step 206 is performed.
步骤205,第一服务器将所述当前待复制的数据文件复制到所述第二服务器。Step 205: The first server copies the current data file to be copied to the second server.
步骤206,第一服务器拒绝将所述当前待复制的数据文件复制到所述第二服务器。Step 206: The first server refuses to copy the current data file to be copied to the second server.
在本实施例中,文件流转范围限制信息包括允许数据文件复制流转的范围。假设当前文件流转范围限制信息为restrictions:Germany,则第一服务器10.11.1.2判断第二服务器10.11.2.2是否属于Germany这个地址范围。如果属于,则执行步骤205,第一服务器10.11.1.2将数据文件A复制到第二服务器10.11.2.2,如果不属于,则执行步骤206,第一服务器10.11.1.2拒绝将当前待复制的数据文件A复制到第二服务器10.11.2.2。In the present embodiment, the file circulation range restriction information includes a range in which the data file copy is allowed to flow. Assuming that the current file circulation range restriction information is restrictions: Germany, the first server 10.11.1.2 determines whether the second server 10.11.2.2 belongs to the address range of Germany. If yes, go to step 205, the first server 10.11.1.2 copies the data file A to the second server 10.11.2.2, if not, proceeds to step 206, the first server 10.11.1.2 rejects the data file to be copied. A is copied to the second server 10.11.2.2.
当然可选的,在本实施例中,当第一服务器10.11.1.2将数据文件A复制到第二服务器10.11.2.2后,方法还可以进一步包括步骤207:第一服务器向客户端返回一确认消息,告知客户端已完成复制;且当第一服务器10.11.1.2拒绝将当前待复制的数据文件A复制到第二服务器10.11.2.2后,方法还可以进一步包括步骤208:第一服务器向客户端返回一拒绝消息,告知客户端该复制操作不被允许。Optionally, in this embodiment, after the first server 10.11.1.2 copies the data file A to the second server 10.11.2.2, the method may further include the step 207: the first server returns a confirmation message to the client. After the first server 10.11.1.2 refuses to copy the data file A to be copied to the second server 10.11.2.2, the method may further include step 208: the first server returns to the client. A rejection message tells the client that the copy operation is not allowed.
此外在本实施例中,如果当第一服务器将所述当前待复制的数据文件复制到所述第二服务器后,所述方法还可以进一步包括: In addition, in this embodiment, if the first server copies the data file to be copied to the second server, the method may further include:
步骤209,第二服务器计算复制后的数据文件的文件Hash值。Step 209: The second server calculates a file hash value of the copied data file.
在数据文件A被成功复制到第二服务器后,第二服务器计算该数据文件A的文件Hash值。After the data file A is successfully copied to the second server, the second server calculates the file hash value of the data file A.
步骤210,第二服务器发送文件位置更新消息至所述云管理点,所述文件位置更新消息包括所述复制后的数据文件的文件Hash值和所述第二服务器的地址信息,以使得所述云管理点依据所述复制后的数据文件的文件Hash值查找到包括所述复制后的数据文件的文件Hash值的文件保护策略,进一步依据所述第二服务器的地址信息更新所述包括所述复制后的数据文件的文件Hash值的文件保护策略中的文件位置列表信息;所述文件位置列表信息包括数据文件存储的位置信息。Step 210: The second server sends a file location update message to the cloud management point, where the file location update message includes a file hash value of the copied data file and address information of the second server, so that the The cloud management point searches for a file protection policy including the file hash value of the copied data file according to the file hash value of the copied data file, and further updates the information according to the address information of the second server. File location list information in a file protection policy of a file hash value of the copied data file; the file location list information includes location information stored in the data file.
在本实施例中,由于同一数据文件A被复制到了第二服务器中,那么对应的,云管理点上应该记录下该数据文件A被复制到第二服务器中的事实。因此,本发明中的第二服务器会主动计算该数据文件A的文件Hash值,并将数据文件A的文件Hash值和第二服务器的地址信息一同发送至云管理点。其中,第二服务器的地址信息可以为第二服务器的IP地址信息等。In this embodiment, since the same data file A is copied to the second server, correspondingly, the fact that the data file A is copied to the second server should be recorded on the cloud management point. Therefore, the second server in the present invention actively calculates the file hash value of the data file A, and sends the file hash value of the data file A together with the address information of the second server to the cloud management point. The address information of the second server may be the IP address information of the second server or the like.
云管理点接收到该数据文件A的文件Hash值和第二服务器的地址信息后,会依据数据文件A的文件Hash值123A找到包括该文件Hash值123A的文件保护策略a,并在文件保护策略a中的文件位置列表信息Locations字段中添加第二服务器的地址信息。After receiving the file hash value of the data file A and the address information of the second server, the cloud management point finds the file protection policy a including the file hash value 123A according to the file hash value 123A of the data file A, and in the file protection policy. The address information of the second server is added to the Locations field of the file location list information in a.
进一步,对于当第一服务器接收到第三服务器发送的访问请求信息的应用场景来说,其方法如图3所示,包括:Further, for the application scenario that the first server receives the access request information sent by the third server, the method is as shown in FIG. 3, including:
步骤301,第一服务器获取所述第一服务器对所述数据文件的执行动作。Step 301: The first server acquires an action performed by the first server on the data file.
步骤302,当所述执行动作为将允许第三服务器访问所述数据文件时,所述第一服务器计算所述当前待访问的数据文件的文件Hash值。Step 302: When the performing action is that the third server is allowed to access the data file, the first server calculates a file hash value of the data file to be accessed currently.
通常在实际应用过程中,第三服务器会主动向第一服务器发起访问请求信息,该访问请求信息包括第三服务器的地址信息和当前待访问的数据文件。Generally, in the actual application process, the third server actively initiates access request information to the first server, where the access request information includes the address information of the third server and the current data file to be accessed.
在本实施例中,第三服务器10.17.3.4向第一服务器10.11.1.2发送访问请求信息时,该访问请求信息包括第三服务器的地址信息10.17.3.4和当前待访问的 数据文件B。第一服务器10.11.1.2也是先计算所述当前待访问的数据文件B的文件Hash值。如数据文件B的文件Hash值为234B。In this embodiment, when the third server 10.17.3.4 sends the access request information to the first server 10.11.1.2, the access request information includes the address information 10.17.3.4 of the third server and the current to be accessed. Data file B. The first server 10.11.1.2 also calculates the file hash value of the data file B currently to be accessed. For example, the file Hash value of data file B is 234B.
步骤303,第一服务器将所述文件Hash值发送至云管理点。Step 303: The first server sends the file hash value to the cloud management point.
云管理点在接收到所述文件Hash值234B后,查找包括所述文件Hash值234B的文件保护策略b,并将文件保护策略b返回至第一服务器10.11.1.2。After receiving the file hash value 234B, the cloud management point searches for the file protection policy b including the file hash value 234B, and returns the file protection policy b to the first server 10.11.1.2.
步骤304,第一服务器依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待访问的数据文件是否允许被所述第三服务器访问。如果允许,执行步骤305,如果不允许,执行步骤306。Step 304: The first server determines, according to the file access restriction permission information in the file protection policy, whether the current data file to be accessed is allowed to be accessed by the third server. If so, step 305 is performed, and if not, step 306 is performed.
步骤305,第一服务器允许第三服务器访问数据文件。In step 305, the first server allows the third server to access the data file.
步骤306,第一服务器拒绝第三服务器访问数据文件。 Step 306, the first server rejects the third server to access the data file.
在本实施例中,文件访问限制允许信息包括允许访问数据文件的地址信息。假设当前文件访问限制允许信息为Acess:Li,10.11.*.*,则第一服务器10.11.1.2判断第三服务器10.17.3.4是否属于Li或者10.11.*.*的范围。如果属于,则执行步骤305,第一服务器10.11.1.2允许第三服务器10.17.3.4访问数据文件B,如果不属于,则执行步骤306,第一服务器10.11.1.2拒绝第三服务器10.17.3.4访问数据文件B。In the present embodiment, the file access restriction permission information includes address information that allows access to the data file. Assuming that the current file access restriction permission information is Acess:Li, 10.11.*.*, the first server 10.11.1.2 determines whether the third server 10.17.3.4 belongs to the range of Li or 10.11.*.*. If yes, step 305 is performed, the first server 10.11.1.2 allows the third server 10.17.3.4 to access the data file B, and if not, executes step 306, the first server 10.11.1.2 rejects the third server 10.17.3.4 access data File B.
而在本实施例中,显然第三服务器10.17.3.4不属于Li或者10.11.*.*的范围,所以第一服务器10.11.1.2拒绝第三服务器10.17.3.4访问数据文件B。In the present embodiment, it is obvious that the third server 10.17.3.4 does not belong to the range of Li or 10.11.*.*, so the first server 10.11.1.2 rejects the third server 10.17.3.4 to access the data file B.
当然可选的,在本实施例中,当第一服务器10.11.1.2拒绝第三服务器10.17.3.4访问数据文件B后,方法还可以进一步包括步骤307:第一服务器向第三服务器返回一拒绝消息,告知第三服务器该访问操作不被允许。Optionally, in this embodiment, after the first server 10.11.1.2 rejects the third server 10.17.3.4 to access the data file B, the method may further include the step 307: the first server returns a reject message to the third server. , telling the third server that the access operation is not allowed.
更进一步的,在实际应用时,有时会涉及将某个数据文件(可能是源数据文件,也可能是副本文件)的内容进行修改。例如修改前的数据文件的内容为记录的用户Jack的身高参数,例如身高174cm,那么后续可能会涉及添加用户Jack的体重参数等内容,例如体重120KG。而由于修改后的数据文件是以修改前的数据文件为基础而衍生得到的新的数据文件,那么该修改后的数据文件也应受到与修改前的数据文件相同的文件保护策略,即将修改前的数据文件和修改后的数据文件关联到同一文件保护策略。基于此,对于本发明中当第一服务 器欲对当前待修改的数据文件进行修改的应用场景来说,其方法如图4所示,包括:Further, in practical applications, sometimes the content of a data file (which may be a source data file or a copy file) may be modified. For example, if the content of the data file before the modification is the height parameter of the recorded user Jack, for example, the height is 174 cm, then the subsequent content may involve adding the weight parameter of the user Jack, for example, the weight is 120KG. Since the modified data file is a new data file derived from the data file before the modification, the modified data file should also be subjected to the same file protection policy as the data file before the modification, and will be modified before The data file and the modified data file are associated with the same file protection policy. Based on this, as the first service in the present invention For an application scenario in which the data file to be modified is to be modified, the method is as shown in FIG. 4, including:
步骤401,第一服务器获取所述第一服务器对所述数据文件的执行动作。Step 401: The first server acquires an action performed by the first server on the data file.
步骤402,当所述执行动作为将所述数据文件的内容进行修改时,所述第一服务器计算所述当前待修改的数据文件的文件Hash值。Step 402: When the performing action is to modify the content of the data file, the first server calculates a file hash value of the current data file to be modified.
在本实施例中,例如客户端欲将第一服务器上的某个数据文件C进行修改时,即第一服务器欲对数据文件C的内容进行修改时,第一服务器仍先计算所述当前待修改的数据文件C的文件Hash值。如数据文件C的文件Hash值为345C。In this embodiment, for example, when the client wants to modify a certain data file C on the first server, that is, when the first server wants to modify the content of the data file C, the first server still calculates the current waiting. The file hash value of the modified data file C. For example, the file Hash value of data file C is 345C.
步骤403,第一服务器将所述文件Hash值发送至云管理点。Step 403: The first server sends the file hash value to the cloud management point.
云管理点在接收到所述文件Hash值345C后,查找包括所述文件Hash值345C的文件保护策略c,并将文件保护策略c返回至第一服务器。After receiving the file hash value 345C, the cloud management point searches for the file protection policy c including the file hash value 345C, and returns the file protection policy c to the first server.
步骤404,第一服务器依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待修改的数据文件是否允许被所述第一服务器修改。如果允许,执行步骤405,如果不允许,执行步骤408。Step 404: The first server determines, according to the file access restriction permission information in the file protection policy, whether the current data file to be modified is allowed to be modified by the first server. If so, step 405 is performed, and if not, step 408 is performed.
步骤405,第一服务器对所述当前待修改的数据文件的内容进行修改。Step 405: The first server modifies the content of the current data file to be modified.
在本实施例中,文件访问限制允许信息包括数据文件的访问权限,访问权限包括只读(read)、可读可写(write)等。假设当前文件保护策略c中的文件访问限制允许信息为write,那么此时第一服务器即可实现对数据文件C的内容进行修改。而如果文件保护策略c中的文件访问限制允许信息为只读,那么第一服务器则不可对数据文件C的内容进行修改。In this embodiment, the file access restriction permission information includes access rights of the data file, and the access rights include read, read, write, and the like. Assuming that the file access restriction permission information in the current file protection policy c is write, then the first server can modify the content of the data file C at this time. If the file access restriction in the file protection policy c allows the information to be read-only, the first server cannot modify the content of the data file C.
在第一服务器完成对数据文件C内容的修改后,本发明还进一步包括:After the first server completes the modification of the content of the data file C, the present invention further includes:
步骤406,第一服务器计算修改后的数据文件的文件Hash值。Step 406: The first server calculates a file hash value of the modified data file.
在本实施例中,当第一服务器将数据文件C的内容进行修改后,修改后的数据文件C标记为数据文件D,此时第一服务器重新计算数据文件D的文件Hash值。如数据文件D的文件Hash值为356D。In this embodiment, after the first server modifies the content of the data file C, the modified data file C is marked as the data file D, and the first server recalculates the file hash value of the data file D. For example, the file Hash value of data file D is 356D.
步骤407,第一服务器发送文件Hash值更新消息至所述云管理点,所述文件Hash值更新消息包括所述修改前的数据文件的文件Hash值和修改后的数据文件的文件Hash值,以使得所述云管理点依据所述文件Hash值更新消息,将所述修改前的数据文件的文件Hash值和修改后的数据文件的文件Hash值关联到 同一文件保护策略上。Step 407: The first server sends a file hash update message to the cloud management point, where the file hash update message includes a file hash value of the data file before the modification and a file hash value of the modified data file, to And causing the cloud management point to associate the file hash value of the data file before the modification with the file hash value of the modified data file according to the file hash update message. The same file protection strategy.
在本实施例中,第一服务器会将修改前的数据文件的文件Hash值345C和修改后的数据文件的文件Hash值356D一同发送至云管理点。云管理点在接收到所述修改前的数据文件的文件Hash值345C和修改后的数据文件的文件Hash值356D后,查找包括所述文件Hash值345C的文件保护策略c,以及包括所述文件Hash值356D的文件保护策略d。In this embodiment, the first server sends the file hash value 345C of the data file before the modification and the file hash value 356D of the modified data file to the cloud management point. After receiving the file hash value 345C of the data file before the modification and the file hash value 356D of the modified data file, the cloud management point searches for the file protection policy c including the file hash value 345C, and includes the file. Hash value 356D file protection policy d.
当云管理点查找到包括所述文件Hash值345C的文件保护策略c时,在文件保护策略c的Hash字段中添加修改后的数据文件的文件Hash值356D。同理,当云管理点查找到包括所述文件Hash值356D的文件保护策略d时,在文件保护策略d的Hash字段中添加修改前的数据文件的文件Hash值345C。而如果云管理点均查找到包括所述文件Hash值345C的文件保护策略c和包括所述文件Hash值356D的文件保护策略d时,则同时在文件保护策略c的Hash字段中添加修改后的数据文件的文件Hash值356D,以及在文件保护策略d的Hash字段中添加修改前的数据文件的文件Hash值345C。When the cloud management point finds the file protection policy c including the file hash value 345C, the file hash value 356D of the modified data file is added in the Hash field of the file protection policy c. Similarly, when the cloud management point finds the file protection policy d including the file hash value 356D, the file hash value 345C of the data file before the modification is added in the Hash field of the file protection policy d. If the cloud management point finds the file protection policy c including the file hash value 345C and the file protection policy d including the file hash value 356D, the modified version is also added in the Hash field of the file protection policy c. The file Hash value 356D of the data file, and the file hash value 345C of the data file before the modification are added in the Hash field of the file protection policy d.
具体地,例如,在第一服务器上存储的数据文件C的内容为“Jack.height=174cm”,在云管理点上对应保存的文件保护策略c的形式为:Specifically, for example, the content of the data file C stored on the first server is “Jack.height=174 cm”, and the file protection policy c corresponding to the saved on the cloud management point is in the form of:
“Hash:345C;"Hash: 345C;
Access:Li;Access: Li;
Restrictions:Germany;Restrictions:Germany;
Locations:C”。Locations: C".
如果当前第一服务器需要对该数据文件C的内容进行修改,具体地,需要在其记载的内容中增加“Jack.weight=120KG”的信息时,由于修改后的数据文件D是基于原数据文件C进行的,那么修改后的数据文件D应与原数据文件C受到相同的文件保护策略。If the current first server needs to modify the content of the data file C, specifically, it is necessary to add "Jack.weight=120KG" information to the content of the record, because the modified data file D is based on the original data file. If C is performed, then the modified data file D should be subject to the same file protection policy as the original data file C.
此时,第一服务器首先需要计算得知修改前的数据文件C的Hash值345C,进行修改数据文件C得到修改后的数据文件D,计算修改后的数据文件D的Hash值356D。进一步,第一服务器将修改前的数据文件C的Hash值345C和修改后的数据文件D的Hash值356D同时发送至云管理点。At this time, the first server first needs to calculate the hash value 345C of the data file C before the modification, and modify the data file C to obtain the modified data file D, and calculate the hash value 356D of the modified data file D. Further, the first server simultaneously sends the hash value 345C of the data file C before modification and the hash value 356D of the modified data file D to the cloud management point.
云管理点依据Hash值345C和Hash值356D去查找与之匹配的文件保护策 略。当云管理点查找到只存在包括Hash值345C的文件保护策略c时,确定该文件保护策略c为同时用于保护数据文件C和数据文件D的文件保护策略。此时,云管理点在文件保护策略c的Hash字段中添加数据文件D的Hash值356D,此时文件保护策略c的存储方式为:The cloud management point searches for the matching file protection policy based on the hash value 345C and the hash value 356D. slightly. When the cloud management point finds that only the file protection policy c including the hash value 345C exists, it is determined that the file protection policy c is a file protection policy for simultaneously protecting the data file C and the data file D. At this time, the cloud management point adds the hash value 356D of the data file D in the Hash field of the file protection policy c. At this time, the file protection policy c is stored in the following manner:
“Hash:345C,356D;"Hash: 345C, 356D;
Access:Li;Access: Li;
Restrictions:Germany;Restrictions:Germany;
Locations:C”。Locations: C".
当然本实施例还包括另一种应用场景,即当数据文件C从第一服务器C复制到第二服务器E,而第二服务器E需要对该副本文件E进行修改时,其复制的实现过程和修改的实现过程同前述方法相同。如果仍以前述为例来说,此时其文件保护策略c的存储方式为:Of course, this embodiment also includes another application scenario, that is, when the data file C is copied from the first server C to the second server E, and the second server E needs to modify the copy file E, the implementation process of the copy and The implementation of the modification is the same as the previous method. If the foregoing is still taken as an example, the storage mode of the file protection policy c is:
“Hash:345C,356D;"Hash: 345C, 356D;
Access:Li;Access: Li;
Restrictions:Germany;Restrictions:Germany;
Locations:C,E”。Locations: C, E".
其中云管理点也需要实时将数据文件的位置信息进行更新。The cloud management point also needs to update the location information of the data file in real time.
步骤408,第一服务器不允许对当前待修改的数据文件的内容进行修改。Step 408: The first server does not allow modification of the content of the current data file to be modified.
当然可选的,在本实施例中,当第一服务器不允许对当前待修改的数据文件的内容进行修改后,方法还可以进一步包括步骤408:第一服务器向客户端返回一拒绝消息,告知客户端该修改操作不被允许。Optionally, in this embodiment, after the first server does not allow the content of the data file to be modified to be modified, the method may further include the step 408: the first server returns a reject message to the client, to notify The client does not allow this modification.
因此应用本发明的上述技术方案,本发明提供的云中数据文件的管理方法中,第一服务器在对当前待处理的数据文件执行相应处理前,首先计算当前待处理的数据文件的文件Hash值,进而接收云管理点返回的所述文件Hash值对应的文件保护策略,依据所述文件保护策略判断所述当前待处理的数据文件是否允许执行相应处理,如果允许,第一服务器再对当前待处理的数据文件进行相应处理。本发明将源数据文件生成的多个副本文件同样采用与源数据文件相同的文件保护策略,那么针对现有技术中的非授权用户来说,其在访问副本文件时也受到文件保护策略的保护,防止了数据泄露。 Therefore, in the above-mentioned technical solution of the present invention, in the method for managing data files in the cloud provided by the present invention, the first server first calculates the file hash value of the current data file to be processed before performing corresponding processing on the current data file to be processed. And receiving a file protection policy corresponding to the file hash value returned by the cloud management point, determining, according to the file protection policy, whether the current to-be-processed data file is allowed to perform corresponding processing, and if allowed, the first server is still waiting for the current process. The processed data files are processed accordingly. The invention uses the same file protection policy as the source data file in the multiple copy files generated by the source data file, so that the unauthorized users in the prior art are also protected by the file protection policy when accessing the copy file. To prevent data leakage.
在上述实施例的基础上,本发明还可能会存在一个数据文件对应多个文件保护策略的情况。例如,用户预先在云管理点上定义了对应某个数据文件的多个文件保护策略情况;或者,数据文件A对应云管理点上的文件保护策略a,数据文件B对应云管理点上的文件保护策略b,而当数据文件B的内容进行修改后,恰巧其修改后的数据文件B的内容与数据文件A的内容相同,那么此时修改后的数据文件B的文件Hash值应与数据文件A的文件Hash值相同,那么此时也就出现了在云管理点上存储有对应同一文件Hash值的两个文件保护策略a和文件保护策略b的情况。那么对于上述一个数据文件对应多个文件保护策略的情况,本发明仍可以采用上述实施例相同的处理方法来进行处理。Based on the above embodiments, the present invention may also have a case where a data file corresponds to multiple file protection policies. For example, the user defines a plurality of file protection policies corresponding to a certain data file in advance on the cloud management point; or, the data file A corresponds to the file protection policy a on the cloud management point, and the data file B corresponds to the file on the cloud management point. Protection strategy b, and when the content of the data file B is modified, the content of the modified data file B happens to be the same as the content of the data file A, then the file hash value of the modified data file B should be the same as the data file. A file Hash value is the same, then there are two file protection policies a and file protection policies b corresponding to the same file hash value stored on the cloud management point. Then, in the case that the above one data file corresponds to multiple file protection policies, the present invention can still be processed by the same processing method as the above embodiment.
其中具体地,当第一服务器计算当前待处理的数据文件的文件Hash值,并将所述文件Hash值发送至云管理点后,云管理点查找到包括该文件Hash值的多个文件保护策略,进而将该多个文件保护策略一同发送给第一服务器。Specifically, when the first server calculates a file hash value of the current data file to be processed, and sends the file hash value to the cloud management point, the cloud management point finds multiple file protection policies including the file hash value. And sending the multiple file protection policies to the first server together.
第一服务器接收到该多个文件保护策略,进而依次依据每个文件保护策略判断所述当前待处理的数据文件是否允许被第一服务器执行处理。如果该多个文件保护策略都允许,则第一服务器对当前待处理的数据文件进行处理;而如果该多个文件保护策略中的至少一个文件保护策略不允许第一服务器执行处理,则第一服务器拒绝处理。The first server receives the multiple file protection policies, and then determines, according to each file protection policy, whether the current data file to be processed is allowed to be processed by the first server. If the plurality of file protection policies allow, the first server processes the current data file to be processed; and if at least one of the plurality of file protection policies does not allow the first server to perform processing, the first The server refused to process.
更具体的,例如对于上述实施例中,当第一服务器欲将当前待复制的数据文件复制到第二服务器上的应用场景来说,如果第一服务器接收到云管理点返回的多个文件保护策略,而该多个文件保护策略中的至少一个文件保护策略中的文件流转范围限制信息不允许第一服务器将当前待复制的数据文件复制到第二服务器,则第一服务器拒绝将所述当前待复制的数据文件复制到第二服务器。More specifically, for example, in the foregoing embodiment, when the first server wants to copy the current data file to be copied to the application scenario on the second server, if the first server receives multiple file protections returned by the cloud management point, a policy, and the file distribution range restriction information in the at least one file protection policy of the plurality of file protection policies does not allow the first server to copy the current data file to be copied to the second server, and the first server rejects the current The data file to be copied is copied to the second server.
同理,对于上述实施例中,当第一服务器接收到第三服务器发送的访问请求信息的应用场景来说,如果第一服务器接收到云管理点返回的多个文件保护策略,而该多个文件保护策略中的至少一个文件保护策略中的文件访问限制允许信息不允许第三服务器访问数据文件,则第一服务器拒绝第三服务器访问数据文件。 Similarly, in the foregoing embodiment, when the first server receives the application scenario of the access request information sent by the third server, if the first server receives multiple file protection policies returned by the cloud management point, the multiple The file access restriction in at least one of the file protection policies allows the third server to access the data file, and the first server denies the third server access to the data file.
同理,对于上述实施例中,当第一服务器欲对当前待修改的数据文件进行修改的应用场景来说,如果第一服务器接收到云管理点返回的多个文件保护策略,而该多个文件保护策略中的至少一个文件保护策略中的文件访问限制允许信息不允许第一服务器对数据文件的内容进行修改,则第一服务器不能对当前待修改的数据文件的内容进行修改。Similarly, in the above embodiment, when the first server wants to modify the current data file to be modified, if the first server receives multiple file protection policies returned by the cloud management point, the multiple The file access restriction in the at least one file protection policy in the file protection policy allows the first server to modify the content of the data file, and the first server cannot modify the content of the current data file to be modified.
基于前文关于本发明提供的一种云中数据文件的管理方法,本发明还提供一种云中数据文件的管理方法,该方法应用云管理点,所述云管理点与不同服务器通信连接,且所述云管理点上存储有针对不同数据文件的文件保护策略;所述方法包括,如图5所示:Based on the foregoing method for managing data files in the cloud provided by the present invention, the present invention further provides a method for managing data files in a cloud, where the method applies a cloud management point, and the cloud management points are connected to different servers, and A file protection policy for different data files is stored on the cloud management point; the method includes, as shown in FIG. 5:
步骤501,云管理点接收第一服务器发送的文件标识。Step 501: The cloud management point receives the file identifier sent by the first server.
步骤502,云管理点依据所述文件标识,查找包括所述文件标识的文件保护策略。Step 502: The cloud management point searches for a file protection policy including the file identifier according to the file identifier.
在本发明中可选的,文件标识具体为文件Hash值。具体地,云管理点上存储有针对不同数据文件的文件保护策略,其中每个文件保护策略中均包括文件Hash值,云管理点依据文件Hash值来实现查找包括所述文件Hash值的文件保护策略。Optionally, in the present invention, the file identifier is specifically a file hash value. Specifically, the cloud management point stores a file protection policy for different data files, where each file protection policy includes a file hash value, and the cloud management point implements file protection including the file hash value according to the file hash value. Strategy.
步骤503,云管理点将所述文件保护策略发送至所述第一服务器,以使得所述第一服务器依据所述文件保护策略判断所述第一服务器欲执行的处理动作是否被允许执行。Step 503: The cloud management point sends the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether the processing action to be performed by the first server is allowed to be executed.
在本发明中,当第一服务器欲对某个数据文件执行某种处理操作时,第一服务器都会向云管理点发送该数据文件的文件标识来所要该数据文件的文件保护策略,进而云管理点依据文件标识查找到包括所述文件标识的文件保护策略,将其返回至第一服务器,以使得第一服务器依据所述文件保护策略判断所述第一服务器欲执行的处理动作是否被允许执行。In the present invention, when the first server wants to perform some processing operation on a certain data file, the first server sends the file identifier of the data file to the cloud management point to the file protection policy of the data file, and then the cloud management Determining, according to the file identifier, a file protection policy including the file identifier, and returning the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether the processing action to be performed by the first server is allowed to be executed. .
此外在本发明中,云管理点上可能存储有包括同一文件标识的多个文件保护策略,此时,云管理点会将查找到的包括所述文件标识的多个文件保护策略一同发送至第一服务器,以使得所述第一服务器依据该多个文件保护策略来判断所述第一服务器欲执行的处理动作是否被允许执行。 In addition, in the present invention, a plurality of file protection policies including the same file identifier may be stored on the cloud management point. In this case, the cloud management point sends the found multiple file protection policies including the file identifier to the first a server, so that the first server determines, according to the multiple file protection policies, whether the processing action to be performed by the first server is allowed to be executed.
其中,当该多个文件保护策略中的至少一个文件保护策略不允许第一服务器执行处理,则第一服务器拒绝处理。Wherein, when at least one of the plurality of file protection policies does not allow the first server to perform processing, the first server rejects the processing.
其中,可选的,本发明以文件标识具体为文件Hash值为例继续说明,在上述实施例的基础上,还包括:Optionally, the present invention further describes that the file identifier is specifically a file hash value. On the basis of the foregoing embodiment, the method further includes:
步骤504,云管理点接收第二服务器发送的文件位置更新消息。所述文件位置更新消息包括复制后的数据文件的文件Hash值和所述第二服务器的地址信息。Step 504: The cloud management point receives the file location update message sent by the second server. The file location update message includes a file hash value of the copied data file and address information of the second server.
在本实施例中,如果第一服务器欲执行的处理动作为将数据文件复制到第二服务器,那么在第一服务器完成将数据文件复制到第二服务器后,第二服务器会向云管理点发送文件位置更新消息,所述文件位置更新消息包括复制后的数据文件的文件Hash值和所述第二服务器的地址信息。In this embodiment, if the processing action to be performed by the first server is to copy the data file to the second server, after the first server finishes copying the data file to the second server, the second server sends the data file to the cloud management point. a file location update message, the file location update message including a file hash value of the copied data file and address information of the second server.
步骤505,云管理点依据所述复制后的数据文件的文件Hash值查找包括所述复制后的数据文件的文件Hash值的文件保护策略。Step 505: The cloud management point searches for a file protection policy including a file hash value of the copied data file according to the file hash value of the copied data file.
步骤506,云管理点依据所述第二服务器的地址信息更新所述包括所述复制后的数据文件的文件Hash值的文件保护策略中的文件位置列表信息。所述文件位置列表信息包括数据文件存储的位置信息。Step 506: The cloud management point updates the file location list information in the file protection policy that includes the file hash value of the copied data file according to the address information of the second server. The file location list information includes location information stored in the data file.
在本实施例中,每当数据文件被复制到另一服务器上时,云管理点都会记录下该数据文件被复制到的服务器的地址信息,以实现对同一数据文件的存储的位置信息的记录。In this embodiment, whenever the data file is copied to another server, the cloud management point records the address information of the server to which the data file is copied, so as to record the location information of the same data file. .
因此本发明通过云管理点记录所有数据文件的地址信息,能够清楚获知每个数据文件的存储位置。Therefore, the present invention records the address information of all data files through the cloud management point, and can clearly know the storage location of each data file.
在上述实施例的基础上,本发明中的云管理点还会涉及删除数据文件的应用场景。Based on the above embodiments, the cloud management point in the present invention may also involve an application scenario for deleting data files.
现有技术中在删除源数据文件和副本文件时,云系统需要获知源数据文件和所有副本文件的存储位置,而由于云系统无法识别源数据文件与副本文件间的衍生关系,那么云系统也就无法获知该源数据文件的不同副本文件的位置,也就无法实现统一删除所有文件,造成数据文件删除困难。In the prior art, when deleting the source data file and the copy file, the cloud system needs to know the storage location of the source data file and all the copy files, and since the cloud system cannot recognize the derivative relationship between the source data file and the copy file, the cloud system also The location of the different copy files of the source data file cannot be known, and it is impossible to uniformly delete all the files, which makes the data file deletion difficult.
而本发明,由于在云管理点中记录的所有数据文件的地址信息,能够清楚 获知每个数据文件的存储位置,那么在删除源数据文件和副本文件时,本发明能够轻松查找到该数据文件(包括源数据文件和副本文件)的存储位置,进而指示相应的服务器删除数据文件,具体方法如图6所示,包括:According to the present invention, since the address information of all the data files recorded in the cloud management point can be clearly Knowing the storage location of each data file, the present invention can easily find the storage location of the data file (including the source data file and the copy file) when deleting the source data file and the copy file, thereby instructing the corresponding server to delete the data file. The specific method is shown in Figure 6, including:
步骤601,云管理点接收所述第一服务器发送的欲删除的数据文件的文件Hash值。Step 601: The cloud management point receives a file hash value of the data file to be deleted sent by the first server.
步骤602,云管理点依据所述欲删除的数据文件的文件Hash值,查找包括所述欲删除的数据文件的文件Hash值的文件保护策略。Step 602: The cloud management point searches for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted.
步骤603,云管理点从所述欲删除的数据文件的文件Hash值的文件保护策略中获取欲删除的数据文件的文件位置列表信息。Step 603: The cloud management point acquires file location list information of the data file to be deleted from the file protection policy of the file hash value of the data file to be deleted.
步骤604,云管理点依据所述欲删除的数据文件的文件位置列表信息,向所述欲删除的数据文件的文件位置列表信息中的各服务器发送删除消息,以使得所述各服务器依据所述删除消息删除所述欲删除的数据文件。Step 604: The cloud management point sends, according to the file location list information of the data file to be deleted, a deletion message to each server in the file location list information of the data file to be deleted, so that the servers are according to the Delete message deletes the data file to be deleted.
在本实施例中,文件保护策略中的文件位置列表信息用于记录的该数据文件的所有存储位置信息,云管理点依据文件位置列表信息依次查找到存储有该数据文件的所有服务器,并向该所有服务器发送删除消息,以使得该所有服务器依据所述删除消息删除所述数据文件。In this embodiment, the file location list information in the file protection policy is used to record all the storage location information of the data file, and the cloud management point sequentially searches all the servers storing the data file according to the file location list information, and The all servers send a delete message such that all of the servers delete the data file in accordance with the delete message.
因此应用本发明的上述技术方案,本发明在删除源数据文件和副本文件时,只需云管理点查找该需要删除的数据文件的文件保护策略,依据文件保护策略中的文件位置列表信息来查找到存储有该需要删除的数据文件的各服务器,进而下发删除消息至各服务器,以完成在各服务器上删除数据文件的目的。本发明实现了统一删除数据文件的功能,且保证了数据删除的彻底性。Therefore, when the source data file and the copy file are deleted, the cloud management point only needs to find the file protection policy of the data file to be deleted, and searches according to the file location list information in the file protection policy. Each server storing the data file to be deleted is sent to each server to complete the deletion of the data file on each server. The invention realizes the function of uniformly deleting data files, and ensures the thoroughness of data deletion.
还需要说明的是,在本实施例中,如果云管理点查找到包括所述欲删除的数据文件的文件Hash值的多个文件保护策略时,云管理点从所述欲删除的数据文件的文件Hash值的多个文件保护策略中依次获取欲删除的数据文件的文件位置列表信息,进而将获得的所有文件保护策略中的文件位置列表信息求并集,以此获得该需要删除的数据文件的各服务器的地址信息。It should be noted that, in this embodiment, if the cloud management point finds multiple file protection policies including the file hash value of the data file to be deleted, the cloud management point is from the data file to be deleted. The file location list information of the data file to be deleted is sequentially obtained in multiple file protection policies of the file hash value, and then the file location list information in all the file protection policies obtained is collected and combined to obtain the data file to be deleted. Address information for each server.
此外,如图7所示,其还示出了本发明提供的一种云中数据文件的管理方法的另一流程图,包括: In addition, as shown in FIG. 7, it also shows another flowchart of a method for managing data files in the cloud provided by the present invention, including:
步骤701,云管理点接收所述第一服务器发送的文件Hash值更新消息,所述文件Hash值更新消息包括修改前的数据文件的文件Hash值和修改后的数据文件的文件Hash值。Step 701: The cloud management point receives a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before the modification and a file hash value of the modified data file.
步骤702,云管理点依据所述文件Hash值更新消息,将所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值关联到同一文件保护策略上。Step 702: The cloud management point associates the file hash value of the data file before the modification with the file hash value of the modified data file to the same file protection policy according to the file hash update message.
具体地,云管理点分别依据所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值,查找包括所述修改前的数据文件的文件Hash值的文件保护策略和包括所述修改后的数据文件的文件Hash值的文件保护策略。Specifically, the cloud management point searches for a file protection policy including the file hash value of the data file before the modification according to the file hash value of the data file before the modification and the file hash value of the modified data file, respectively. A file protection policy including a file hash value of the modified data file.
当查找到存在有至少一个文件保护策略时,将另一数据文件的文件Hash值添加到所述至少一个文件保护策略中的Hash值字段中。When it is found that there is at least one file protection policy, a file hash value of another data file is added to the hash value field in the at least one file protection policy.
具体例如,云管理点依据修改前的数据文件的文件Hash值123A去查找是否包括所述修改前的数据文件的文件Hash值123A的文件保护策略a,并同时依据修改后的数据文件的文件Hash值134B去查找是否包括所述修改前的数据文件的文件Hash值134B的文件保护策略b。For example, the cloud management point searches for the file protection policy a of the file hash value 123A of the data file before the modification according to the file hash value 123A of the data file before the modification, and simultaneously according to the file Hash of the modified data file. The value 134B is to find whether or not the file protection policy b of the file hash value 134B of the data file before the modification is included.
当云管理点依据文件Hash值123A查找到文件保护策略a,而未查找到包括Hash值134B的文件保护策略b时,云管理点将Hash值134B添加到文件保护策略a中的Hash值字段中,即“Hash:123A,134B”。When the cloud management point finds the file protection policy a according to the file hash value 123A and does not find the file protection policy b including the hash value 134B, the cloud management point adds the hash value 134B to the hash value field in the file protection policy a. , that is, "Hash: 123A, 134B".
同理,如果云管理点依据文件Hash值134B查找到文件保护策略b,而未查找到包括Hash值123A的文件保护策略a时,云管理点将Hash值123A添加到文件保护策略b中的Hash值字段中,即“Hash:134B,123A”。Similarly, if the cloud management point finds the file protection policy b according to the file hash value 134B and does not find the file protection policy a including the hash value 123A, the cloud management point adds the hash value 123A to the hash in the file protection policy b. In the value field, "Hash: 134B, 123A".
当然如果云管理点同时找到文件保护策略a和文件保护策略b时,则云管理点依旧会将Hash值134B添加到文件保护策略a中的Hash值字段中,即“Hash:123A,134B”,同时将Hash值123A添加到文件保护策略b中的Hash值字段中,即“Hash:134B,123A”。 Of course, if the cloud management point finds both the file protection policy a and the file protection policy b, the cloud management point will still add the hash value 134B to the hash value field in the file protection policy a, that is, "Hash: 123A, 134B". At the same time, the hash value 123A is added to the hash value field in the file protection policy b, that is, "Hash: 134B, 123A".
基于前文本发明提供的一种云中数据文件的管理方法,本发明还提供一种服务器,如图8所示,包括:第一计算单元10、文件标识发送单元20、文件保护策略接收单元30、判断单元40和处理单元50。其中,The present invention further provides a server, as shown in FIG. 8, comprising: a first computing unit 10, a file identifier sending unit 20, and a file protection policy receiving unit 30. , the determining unit 40 and the processing unit 50. among them,
第一计算单元10,用于计算当前待处理的数据文件的文件标识;The first calculating unit 10 is configured to calculate a file identifier of the current data file to be processed;
文件标识发送单元20,用于将所述文件标识发送至云管理点,以使得所述云管理点依据所述文件标识查找所述数据文件的文件保护策略;a file identifier sending unit 20, configured to send the file identifier to a cloud management point, so that the cloud management point searches for a file protection policy of the data file according to the file identifier;
文件保护策略接收单元30,用于接收所述云管理点返回的所述文件保护策略;The file protection policy receiving unit 30 is configured to receive the file protection policy returned by the cloud management point;
判断单元40,用于依据所述文件保护策略判断所述数据文件是否允许所述服务器执行处理;The determining unit 40 is configured to determine, according to the file protection policy, whether the data file allows the server to perform processing;
处理单元50,用于当所述判断单元40判断所述数据文件允许所述服务器执行处理时,对当前待处理的数据文件进行处理。The processing unit 50 is configured to process the current data file to be processed when the determining unit 40 determines that the data file allows the server to perform processing.
其中可选的,所述文件标识是指文件Hash值;所述文件保护策略包括文件流转范围限制信息;所述服务器还包括:第一执行动作获取单元60。其中,Optionally, the file identifier is a file hash value, and the file protection policy includes file flow range restriction information. The server further includes: a first execution action obtaining unit 60. among them,
第一执行动作获取单元60,用于获取所述服务器对所述数据文件的执行动作;a first execution action obtaining unit 60, configured to acquire an execution action of the server on the data file;
第一计算单元10具体用于当所述第一执行动作获取单元60获取的所述执行动作为将所述数据文件复制到第二服务器时,计算当前待复制的数据文件的文件Hash值;The first calculating unit 10 is specifically configured to: when the execution action acquired by the first execution action acquiring unit 60 is to copy the data file to the second server, calculate a file hash value of the current data file to be copied;
所述判断单元40具体用于,依据所述文件保护策略中的文件流转范围限制信息,判断所述当前待复制的数据文件是否允许复制到所述第二服务器;其中所述文件流转范围限制信息包括允许数据文件复制流转的范围。The determining unit 40 is configured to determine, according to the file flow range limitation information in the file protection policy, whether the current data file to be copied is allowed to be copied to the second server; wherein the file flow range limitation information Includes a range that allows data file replication to flow.
其中可选的,所述文件标识是指文件Hash值;所述文件保护策略包括文件访问限制允许信息;所述服务器还包括:第一执行动作获取单元70。其中,Optionally, the file identifier refers to a file hash value; the file protection policy includes file access restriction permission information; and the server further includes: a first execution action obtaining unit 70. among them,
第二执行动作获取单元70,用于获取所述服务器对所述数据文件的执行动作。The second execution action obtaining unit 70 is configured to acquire an execution action of the server on the data file.
第一计算单元10具体用于当所述第二执行动作获取单元70获取的所述执行动作为将允许第三服务器访问所述数据文件时,计算当前待访问的数据文件的文件Hash值; The first calculating unit 10 is specifically configured to: when the execution action acquired by the second execution action acquiring unit 70 is to allow the third server to access the data file, calculate a file hash value of the data file to be accessed currently;
所述判断单元40具体用于,依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待访问的数据文件是否允许被所述第三服务器访问;其中所述文件访问限制允许信息包括允许访问数据文件的地址信息。The determining unit 40 is configured to determine, according to the file access restriction permission information in the file protection policy, whether the current to-be-accessed data file is allowed to be accessed by the third server, where the file access restriction permission information is Includes address information that allows access to data files.
其中可选的,所述文件标识是指文件Hash值;所述文件保护策略包括文件访问限制允许信息;所述服务器还包括:第三执行动作获取单元80。其中,Optionally, the file identifier refers to a file hash value; the file protection policy includes file access restriction permission information; and the server further includes: a third execution action obtaining unit 80. among them,
第三执行动作获取单元80,用于获取所述服务器对所述数据文件的执行动作。The third execution action obtaining unit 80 is configured to acquire an execution action of the server on the data file.
第一计算单元10具体用于当所述第三执行动作获取单元80获取的所述执行动作为将所述数据文件的内容进行修改时,当前待修改的数据文件的文件Hash值;The first calculating unit 10 is specifically configured to: when the execution action acquired by the third execution action acquiring unit 80 is to modify the content of the data file, the file hash value of the data file to be modified currently;
所述判断单元40具体用于,依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待修改的数据文件是否允许被所述第一服务器修改;其中所述文件访问限制允许信息包括数据文件的访问权限。The determining unit 40 is specifically configured to: determine, according to the file access restriction permission information in the file protection policy, whether the current data file to be modified is allowed to be modified by the first server; wherein the file access restriction permission information Includes access to data files.
此外可选的,本发明还包括:In addition, the invention further includes:
第二计算单元91,用于计算修改后的数据文件的文件Hash值;a second calculating unit 91, configured to calculate a file hash value of the modified data file;
更新消息发送单元92,用于发送文件Hash值更新消息至所述云管理点,所述文件Hash值更新消息包括所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值,以使得所述云管理点依据所述文件Hash值更新消息,将所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值关联到同一文件保护策略上。The update message sending unit 92 is configured to send a file hash update message to the cloud management point, where the file hash update message includes a file hash value of the current data file to be modified and a file hash of the modified data file. The value is such that the cloud management point updates the message according to the file hash value, and associates the file hash value of the current data file to be modified with the file hash value of the modified data file to the same file protection policy.
基于前文本发明提供的一种云中数据文件的管理方法,本发明还提供一种云管理点,如图9所示,所述云管理点与不同服务器通信连接,且所述云管理点上存储有针对不同数据文件的文件保护策略。所述云管理点包括:第一接收单元100、第一查找单元200和第一发送单元300。其中,The present invention further provides a cloud management point, as shown in FIG. 9, the cloud management point is communicatively connected to different servers, and the cloud management point is File protection policies for different data files are stored. The cloud management point includes: a first receiving unit 100, a first searching unit 200, and a first sending unit 300. among them,
第一接收单元100,用于接收第一服务器发送的文件标识;The first receiving unit 100 is configured to receive a file identifier sent by the first server.
第一查找单元200,用于依据所述文件标识,查找包括所述文件标识的文件保护策略; The first searching unit 200 is configured to search for a file protection policy including the file identifier according to the file identifier.
第一发送单元300,用于将所述文件保护策略发送至所述第一服务器,以使得所述第一服务器依据所述文件保护策略判断所述第一服务器欲执行的相应处理动作是否被允许执行。The first sending unit 300 is configured to send the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether a corresponding processing action to be performed by the first server is allowed. carried out.
其中可选的,所述文件标识是指文件Hash值,所述云管理点还包括:Optionally, the file identifier refers to a file hash value, and the cloud management point further includes:
第二接收单元400,用于接收第二服务器发送的文件位置更新消息,所述文件位置更新消息包括复制后的数据文件的文件Hash值和所述第二服务器的地址信息;a second receiving unit 400, configured to receive a file location update message sent by the second server, where the file location update message includes a file hash value of the copied data file and address information of the second server;
第二查找单元500,用于依据所述复制后的数据文件的文件Hash值查找包括所述复制后的数据文件的文件Hash值的文件保护策略;The second searching unit 500 is configured to search, according to the file hash value of the copied data file, a file protection policy that includes a file hash value of the copied data file;
更新单元600,用于依据所述第二服务器的地址信息更新所述包括所述复制后的数据文件的文件Hash值的文件保护策略中的文件位置列表信息;所述文件位置列表信息包括数据文件存储的位置信息。The updating unit 600 is configured to update the file location list information in the file protection policy including the file hash value of the copied data file according to the address information of the second server; the file location list information includes a data file Stored location information.
可选的,还包括:Optionally, it also includes:
第三接收单元700,用于接收所述第一服务器发送的欲删除的数据文件的文件Hash值;The third receiving unit 700 is configured to receive a file hash value of the data file to be deleted sent by the first server;
第三查找单元800,用于依据所述欲删除的数据文件的文件Hash值,查找包括所述欲删除的数据文件的文件Hash值的文件保护策略;The third searching unit 800 is configured to search for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted;
信息获取单元900,用于从所述欲删除的数据文件的文件Hash值的文件保护策略中获取欲删除的数据文件的文件位置列表信息;The information obtaining unit 900 is configured to obtain file location list information of the data file to be deleted from a file protection policy of the file hash value of the data file to be deleted;
第二发送单元1000,用于依据所述欲删除的数据文件的文件位置列表信息,向所述欲删除的数据文件的文件位置列表信息中的各服务器发送删除消息,以使得所述各服务器依据所述删除消息删除所述欲删除的数据文件。The second sending unit 1000 is configured to send, according to the file location list information of the data file to be deleted, a deletion message to each server in the file location list information of the data file to be deleted, so that the servers are based on The delete message deletes the data file to be deleted.
可选的,所述文件标识是指文件Hash值,所述云管理点还包括:Optionally, the file identifier refers to a file hash value, and the cloud management point further includes:
第四接收单元1100,用于接收所述第一服务器发送的文件Hash值更新消息,所述文件Hash值更新消息包括修改前的数据文件的文件Hash值和修改后的数据文件的文件Hash值;The fourth receiving unit 1100 is configured to receive a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before modification and a file hash value of the modified data file;
Hash值更新单元1200,用于依据所述文件Hash值更新消息,将所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值关联到同一文件保护策略上。 The Hash value updating unit 1200 is configured to associate the file hash value of the data file before the modification and the file hash value of the modified data file to the same file protection policy according to the file hash update message.
其中,Hash值更新单元1200还包括:The hash value update unit 1200 further includes:
第一查找子单元1201,用于依据所述修改前的数据文件的文件Hash值查找包括所述修改前的数据文件的文件Hash值的文件保护策略;The first search sub-unit 1201 is configured to search, according to the file hash value of the data file before the modification, a file protection policy that includes a file hash value of the data file before the modification;
第二查找子单元1202,用于依据所述修改后的数据文件的文件Hash值查找包括所述修改后的数据文件的文件Hash值的文件保护策略;a second search subunit 1202, configured to search, according to the file hash value of the modified data file, a file protection policy that includes a file hash value of the modified data file;
Hash值添加子单元1203,用于当所述第一查找子单元和/或所述第二查找子单元查找到存在有至少一个文件保护策略时,将另一数据文件的文件Hash值添加到所述至少一个文件保护策略中的Hash值字段中。The Hash value adding sub-unit 1203 is configured to add a file hash value of another data file to the first lookup subunit and/or the second lookup subunit when it finds that at least one file protection policy exists The hash value field in at least one file protection policy.
基于前文所述,本发明还提供了一种服务器,该服务器可能是包含计算能力的主机服务器,或者是个人计算机PC,或者是可携带的便携式计算机或终端等等,本发明具体实施例并不对服务器的具体实现做限定。Based on the foregoing, the present invention further provides a server, which may be a host server including computing power, or a personal computer PC, or a portable computer or terminal, etc., and the specific embodiment of the present invention is not correct. The specific implementation of the server is limited.
图10为本发明提供的服务器的另一种结构示意图。如图10所示,服务器10000包括:FIG. 10 is another schematic structural diagram of a server provided by the present invention. As shown in FIG. 10, the server 10000 includes:
第一处理器(processor)11100,第一通信接口(Communications Interface)11200,第一存储器(memory)11300,第一总线11400。A first processor 11100, a first communication interface 11200, a first memory 11300, and a first bus 11400.
第一处理器11100,第一通信接口11200,第一存储器11300通过第一总线11400完成相互间的通信。The first processor 11100, the first communication interface 11200, and the first memory 11300 complete communication with each other through the first bus 11400.
第一处理器11100,用于执行第一程序11110。The first processor 11100 is configured to execute the first program 11110.
具体地,第一程序11110可以包括程序代码,所述程序代码包括计算机操作指令。In particular, the first program 11110 can include program code, the program code including computer operating instructions.
第一处理器11100可能是一个中央处理器CPU,或者是特定集成电路ASIC(Application Specific Integrated Circuit),或者是被配置成实施本发明实施例的一个或多个集成电路。The first processor 11100 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
第一存储器11300,用于存放第一程序11110。第一存储器11300可能包含高速RAM存储器,也可能还包括非易失性存储器(non-volatile memory),例如至少一个磁盘存储器。第一程序11110具体可以包括:计算当前待处理的数据文件的文件标识,并将所述文件标识发送至云管理点,以使得所述云管理点依据所述文件标识查找所述数据文件的文件保护策略; The first memory 11300 is configured to store the first program 11110. The first memory 11300 may include a high speed RAM memory and may also include a non-volatile memory such as at least one disk memory. The first program 11110 may specifically include: calculating a file identifier of the current data file to be processed, and sending the file identifier to the cloud management point, so that the cloud management point searches for the file of the data file according to the file identifier. Protection strategy;
接收所述云管理点返回的所述文件保护策略;Receiving the file protection policy returned by the cloud management point;
依据所述文件保护策略判断所述数据文件是否允许所述服务器执行处理;Determining, according to the file protection policy, whether the data file allows the server to perform processing;
如果允许,则对当前待处理的数据文件进行处理。If allowed, the current data file to be processed is processed.
可选的,所述文件标识是指文件Hash值;所述文件保护策略包括文件流转范围限制信息;Optionally, the file identifier refers to a file hash value; and the file protection policy includes file flow range restriction information;
还包括,获取所述服务器对所述数据文件的执行动作;当所述执行动作为将所述数据文件复制到第二服务器时,计算当前待复制的数据文件的文件Hash值;The method further includes: acquiring an execution action of the data file by the server; and when the performing action is to copy the data file to the second server, calculating a file hash value of the current data file to be copied;
依据所述文件保护策略中的文件流转范围限制信息,判断所述当前待复制的数据文件是否允许复制到所述第二服务器;其中所述文件流转范围限制信息包括允许数据文件复制流转的范围。Determining, according to the file circulation range restriction information in the file protection policy, whether the current data file to be copied is allowed to be copied to the second server; wherein the file distribution range restriction information includes a range of allowing the data file to be copied and transferred.
可选的,所述文件标识是指文件Hash值;所述文件保护策略包括文件访问限制允许信息;Optionally, the file identifier refers to a file hash value; and the file protection policy includes file access restriction permission information;
还包括,获取所述服务器对所述数据文件的执行动作;当所述执行动作为将允许第三服务器访问所述数据文件时,计算当前待访问的数据文件的文件Hash值;The method further includes: acquiring an execution action of the data file by the server; and when the performing action is to allow the third server to access the data file, calculating a file hash value of the current data file to be accessed;
依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待访问的数据文件是否允许被所述第三服务器访问;其中所述文件访问限制允许信息包括允许访问数据文件的地址信息。Determining, according to the file access restriction permission information in the file protection policy, whether the current to-be-accessed data file is allowed to be accessed by the third server; wherein the file access restriction permission information includes address information that allows access to the data file.
可选的,所述文件标识是指文件哈希Hash值;所述文件保护策略包括文件访问限制允许信息;Optionally, the file identifier refers to a file hash hash value; and the file protection policy includes file access restriction permission information;
还包括,获取所述服务器对所述数据文件的执行动作;当所述执行动作为将所述数据文件的内容进行修改时,计算当前待修改的数据文件的文件Hash值;The method further includes: acquiring an execution action of the data file by the server; and when the performing action is to modify the content of the data file, calculating a file hash value of the current data file to be modified;
依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待修改的数据文件是否允许被所述第一服务器修改;其中所述文件访问限制允许信息包括数据文件的访问权限。Determining, according to the file access restriction permission information in the file protection policy, whether the current data file to be modified is allowed to be modified by the first server; wherein the file access restriction permission information includes an access right of the data file.
可选的,还包括,计算修改后的数据文件的文件Hash值;Optionally, the method further includes: calculating a file hash value of the modified data file;
发送文件Hash值更新消息至所述云管理点,所述文件Hash值更新消息包括 所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值,以使得所述云管理点依据所述文件Hash值更新消息,将所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值关联到同一文件保护策略上。Sending a file hash value update message to the cloud management point, the file hash value update message including a file hash value of the current data file to be modified and a file hash value of the modified data file, so that the cloud management point updates the message according to the file hash value, and the file of the current data file to be modified is The hash value and the file hash value of the modified data file are associated with the same file protection policy.
图11为本发明提供的云管理点的另一种结构示意图。如图11所示,云管理点20000包括:FIG. 11 is another schematic structural diagram of a cloud management point provided by the present invention. As shown in FIG. 11, the cloud management point 20000 includes:
第二处理器(processor)21100,第二通信接口(Communications Interface)21200,第二存储器(memory)21300,第二总线21400。A second processor (processor) 21100, a second communication interface (Communications Interface) 21200, a second memory (memory) 21300, and a second bus 21400.
第二处理器21100,第二通信接口21200,第二存储器21300通过第二总线21400完成相互间的通信。The second processor 21100, the second communication interface 21200, and the second memory 21300 complete communication with each other through the second bus 21400.
第二处理器21100,用于执行第二程序21110。The second processor 21100 is configured to execute the second program 21110.
具体地,第二程序21110可以包括程序代码,所述程序代码包括计算机操作指令。In particular, the second program 21110 can include program code, the program code including computer operating instructions.
第二处理器21100可能是一个中央处理器CPU,或者是特定集成电路ASIC(Application Specific Integrated Circuit),或者是被配置成实施本发明实施例的一个或多个集成电路。The second processor 21100 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
第二存储器21300,用于存放第二程序21110。第二存储器21300可能包含高速RAM存储器,也可能还包括非易失性存储器(non-volatile memory),例如至少一个磁盘存储器。第二程序21110具体可以包括:接收第一服务器发送的文件标识;The second memory 21300 is configured to store the second program 21110. The second memory 21300 may include a high speed RAM memory and may also include a non-volatile memory such as at least one disk memory. The second program 21110 may specifically include: receiving a file identifier sent by the first server;
依据所述文件标识,查找包括所述文件标识的文件保护策略;Searching for a file protection policy including the file identifier according to the file identifier;
将所述文件保护策略发送至所述第一服务器,以使得所述第一服务器依据所述文件保护策略判断所述第一服务器欲执行的处理动作是否被允许执行。Sending the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether the processing action to be performed by the first server is allowed to be executed.
可选的,所述文件标识是指文件Hash值;Optionally, the file identifier refers to a file hash value;
还包括,接收第二服务器发送的文件位置更新消息,所述文件位置更新消息包括复制后的数据文件的文件Hash值和所述第二服务器的地址信息;The method further includes receiving a file location update message sent by the second server, where the file location update message includes a file hash value of the copied data file and address information of the second server;
依据所述复制后的数据文件的文件Hash值查找包括所述复制后的数据文件的文件Hash值的文件保护策略; Searching for a file protection policy including a file hash value of the copied data file according to the file hash value of the copied data file;
依据所述第二服务器的地址信息更新所述包括所述复制后的数据文件的文件Hash值的文件保护策略中的文件位置列表信息;所述文件位置列表信息包括数据文件存储的位置信息。And updating the file location list information in the file protection policy including the file hash value of the copied data file according to the address information of the second server; the file location list information includes location information stored in the data file.
还包括,接收所述第一服务器发送的欲删除的数据文件的文件Hash值;The method further includes receiving a file hash value of the data file to be deleted sent by the first server;
依据所述欲删除的数据文件的文件Hash值,查找包括所述欲删除的数据文件的文件Hash值的文件保护策略;Searching for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted;
从所述欲删除的数据文件的文件Hash值的文件保护策略中获取欲删除的数据文件的文件位置列表信息;Obtaining, from a file protection policy of a file hash value of the data file to be deleted, file location list information of the data file to be deleted;
依据所述欲删除的数据文件的文件位置列表信息,向所述欲删除的数据文件的文件位置列表信息中的各服务器发送删除消息,以使得所述各服务器依据所述删除消息删除所述欲删除的数据文件。And sending, according to the file location list information of the data file to be deleted, a deletion message to each server in the file location list information of the data file to be deleted, so that each server deletes the desire according to the deletion message. Deleted data file.
可选的,文件标识是指文件Hash值;Optionally, the file identifier refers to a file hash value;
还包括,接收所述第一服务器发送的文件Hash值更新消息,所述文件Hash值更新消息包括修改前的数据文件的文件Hash值和修改后的数据文件的文件Hash值;The method further includes receiving a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before the modification and a file hash value of the modified data file;
依据所述文件Hash值更新消息,将所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值关联到同一文件保护策略上。And according to the file hash value update message, the file hash value of the modified data file and the file hash value of the modified data file are associated with the same file protection policy.
还包括,分别依据所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值,查找包括所述修改前的数据文件的文件Hash值的文件保护策略和包括所述修改后的数据文件的文件Hash值的文件保护策略;And further comprising: searching for a file protection policy including the file hash value of the data file before the modification according to the file hash value of the data file before the modification and the file hash value of the modified data file, respectively, and including the file protection policy a file protection policy for the file hash value of the modified data file;
当查找到存在有至少一个文件保护策略时,将另一数据文件的文件Hash值添加到所述至少一个文件保护策略中的Hash值字段中。When it is found that there is at least one file protection policy, a file hash value of another data file is added to the hash value field in the at least one file protection policy.
基于前文所述,本发明还提供一种云系统,如图12所示,包括客户端、服务器和云管理点。Based on the foregoing, the present invention also provides a cloud system, as shown in FIG. 12, including a client, a server, and a cloud management point.
需要说明的是,本说明书中的各个实施例均采用递进的方式描述,每个实施例重点说明的都是与其他实施例的不同之处,各个实施例之间相同相似的部分互相参见即可。对于装置类实施例而言,由于其与方法实施例基本相似,所 以描述的比较简单,相关之处参见方法实施例的部分说明即可。It should be noted that each embodiment in the specification is described in a progressive manner, and each embodiment focuses on differences from other embodiments, and the same similar parts between the embodiments are referred to each other. can. For the device type embodiment, since it is basically similar to the method embodiment, The description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.
最后,还需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同要素。Finally, it should also be noted that in this context, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply these entities. There is any such actual relationship or order between operations. Furthermore, the term "comprises" or "comprises" or "comprises" or any other variations thereof is intended to encompass a non-exclusive inclusion, such that a process, method, article, or device that comprises a plurality of elements includes not only those elements but also Other elements, or elements that are inherent to such a process, method, item, or device. An element that is defined by the phrase "comprising a ..." does not exclude the presence of additional equivalent elements in the process, method, item, or device that comprises the element.
以上对本发明所提供的一种云中数据文件的管理方法、云管理点和系统进行了详细介绍,本文中应用了具体个例对本发明的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本发明的方法及其核心思想;同时,对于本领域的一般技术人员,依据本发明的思想,在具体实施方式及应用范围上均会有改变之处,综上所述,本说明书内容不应理解为对本发明的限制。 The method for managing data files in the cloud, the cloud management point and the system provided by the present invention are described in detail above. The principles and implementation manners of the present invention are described in the specific examples. The description of the above embodiments is only The method for understanding the present invention and its core idea; at the same time, for those of ordinary skill in the art, according to the idea of the present invention, there will be changes in specific embodiments and application scopes. The description should not be construed as limiting the invention.

Claims (22)

  1. 一种云中数据文件的管理方法,其特征在于,包括:A method for managing data files in a cloud, comprising:
    第一服务器计算当前待处理的数据文件的文件标识,并将所述文件标识发送至云管理点,以使得所述云管理点依据所述文件标识查找所述数据文件的文件保护策略;The first server calculates a file identifier of the current data file to be processed, and sends the file identifier to the cloud management point, so that the cloud management point searches for a file protection policy of the data file according to the file identifier;
    所述第一服务器接收所述云管理点返回的所述文件保护策略;Receiving, by the first server, the file protection policy returned by the cloud management point;
    所述第一服务器依据所述文件保护策略判断所述数据文件是否允许所述第一服务器执行处理;Determining, by the first server, whether the data file allows the first server to perform processing according to the file protection policy;
    如果允许,则所述第一服务器对当前待处理的数据文件进行处理。If allowed, the first server processes the current data file to be processed.
  2. 根据权利要求1所述的管理方法,其特征在于,所述文件标识是指文件哈希Hash值;所述文件保护策略包括文件流转范围限制信息;The management method according to claim 1, wherein the file identifier refers to a file hash hash value; and the file protection policy includes file stream range restriction information;
    所述第一服务器计算当前待处理的数据文件的文件标识之前,所述方法还包括:Before the first server calculates the file identifier of the data file to be processed, the method further includes:
    所述第一服务器获取所述第一服务器对所述数据文件的执行动作;The first server acquires an execution action of the first server on the data file;
    当所述执行动作为将所述数据文件复制到第二服务器时,所述第一服务器计算当前待处理的数据文件的文件标识包括:所述第一服务器计算当前待复制的数据文件的文件Hash值;When the performing action is to copy the data file to the second server, the first server calculating the file identifier of the current data file to be processed includes: the first server calculating a file Hash of the current data file to be copied value;
    所述第一服务器依据所述文件保护策略判断所述数据文件是否允许所述第一服务器执行处理,具体包括:Determining, by the first server, whether the data file allows the first server to perform processing according to the file protection policy, specifically:
    所述第一服务器依据所述文件保护策略中的文件流转范围限制信息,判断所述当前待复制的数据文件是否允许复制到所述第二服务器;其中所述文件流转范围限制信息包括允许数据文件复制流转的范围。Determining, by the first server, whether the current data file to be copied is allowed to be copied to the second server according to the file flow range restriction information in the file protection policy; wherein the file flow range restriction information includes an allow data file Copy the range of the flow.
  3. 根据权利要求2所述的管理方法,其特征在于,当所述第一服务器将所述当前待复制的数据文件复制到所述第二服务器后,所述方法还包括:The management method according to claim 2, wherein after the first server copies the data file to be copied to the second server, the method further includes:
    所述第二服务器计算复制后的数据文件的文件Hash值;The second server calculates a file hash value of the copied data file;
    所述第二服务器发送文件位置更新消息至所述云管理点,所述文件位置更新消息包括所述复制后的数据文件的文件Hash值和所述第二服务器的地址信息,以使得所述云管理点依据所述复制后的数据文件的文件Hash值查找到包括所述复制后的数据文件的文件Hash值的文件保护策略,进一步依据所述第 二服务器的地址信息更新所述包括所述复制后的数据文件的文件Hash值的文件保护策略中的文件位置列表信息;所述文件位置列表信息包括数据文件存储的位置信息。Sending, by the second server, a file location update message to the cloud management point, where the file location update message includes a file hash value of the copied data file and address information of the second server, so that the cloud The management point searches for a file protection policy including the file hash value of the copied data file according to the file hash value of the copied data file, further according to the The address information of the second server updates the file location list information in the file protection policy including the file hash value of the copied data file; the file location list information includes location information stored in the data file.
  4. 根据权利要求1所述的管理方法,其特征在于,所述文件标识是指文件Hash值;所述文件保护策略包括文件访问限制允许信息;The management method according to claim 1, wherein the file identifier refers to a file hash value; and the file protection policy includes file access restriction permission information;
    所述第一服务器计算当前待处理的数据文件的文件标识之前,所述方法还包括:Before the first server calculates the file identifier of the data file to be processed, the method further includes:
    所述第一服务器获取所述第一服务器对所述数据文件的执行动作;The first server acquires an execution action of the first server on the data file;
    当所述执行动作为将允许第三服务器访问所述数据文件时,所述第一服务器计算当前待处理的数据文件的文件标识包括:所述第一服务器计算当前待访问的数据文件的文件Hash值;When the performing action is that the third server is allowed to access the data file, the first server calculates the file identifier of the current data file to be processed, including: the first server calculates a file Hash of the current data file to be accessed. value;
    所述第一服务器依据所述文件保护策略判断所述数据文件是否允许所述第一服务器执行处理,具体包括:Determining, by the first server, whether the data file allows the first server to perform processing according to the file protection policy, specifically:
    所述第一服务器依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待访问的数据文件是否允许被所述第三服务器访问;其中所述文件访问限制允许信息包括允许访问数据文件的地址信息。Determining, by the first server, whether the current to-be-accessed data file is allowed to be accessed by the third server according to the file access restriction permission information in the file protection policy; wherein the file access restriction permission information includes allowing access to the data. The address information of the file.
  5. 根据权利要求1所述的管理方法,其特征在于,所述文件标识是指文件哈希Hash值;所述文件保护策略包括文件访问限制允许信息;The management method according to claim 1, wherein the file identifier refers to a file hash hash value; and the file protection policy includes file access restriction permission information;
    所述第一服务器计算当前待处理的数据文件的文件标识之前,所述方法还包括:Before the first server calculates the file identifier of the data file to be processed, the method further includes:
    所述第一服务器获取所述第一服务器对所述数据文件的执行动作;The first server acquires an execution action of the first server on the data file;
    当所述执行动作为将所述数据文件的内容进行修改时,所述第一服务器计算当前待处理的数据文件的文件标识包括:所述第一服务器计算当前待修改的数据文件的文件Hash值;When the performing action is to modify the content of the data file, the first server calculates a file identifier of the current data file to be processed, including: the first server calculates a file hash value of the current data file to be modified. ;
    所述第一服务器依据所述文件保护策略判断所述数据文件是否允许所述第一服务器执行处理,具体包括:Determining, by the first server, whether the data file allows the first server to perform processing according to the file protection policy, specifically:
    所述第一服务器依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待修改的数据文件是否允许被所述第一服务器修改;其中所述文件访问限制允许信息包括数据文件的访问权限。 Determining, by the first server, whether the current data file to be modified is allowed to be modified by the first server according to the file access restriction permission information in the file protection policy; wherein the file access restriction permission information includes a data file access permission.
  6. 根据权利要求5所述的管理方法,其特征在于,当所述当前待修改的数据文件允许被所述第一服务器修改,所述第一服务器对所述当前待修改的数据文件的内容进行修改后,所述方法还包括:The management method according to claim 5, wherein when the data file to be modified is allowed to be modified by the first server, the first server modifies the content of the current data file to be modified. Thereafter, the method further includes:
    所述第一服务器计算修改后的数据文件的文件Hash值;The first server calculates a file hash value of the modified data file;
    所述第一服务器发送文件Hash值更新消息至所述云管理点,所述文件Hash值更新消息包括所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值,以使得所述云管理点依据所述文件Hash值更新消息,将所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值关联到同一文件保护策略上。The first server sends a file hash update message to the cloud management point, where the file hash update message includes a file hash value of the current data file to be modified and a file hash value of the modified data file, to And causing the cloud management point to associate the file hash value of the current data file to be modified and the file hash value of the modified data file to the same file protection policy according to the file hash value update message.
  7. 一种云中数据文件的管理方法,其特征在于,应用于云管理点,所述云管理点与不同服务器通信连接,且所述云管理点上存储有针对不同数据文件的文件保护策略;所述方法包括:A method for managing data files in a cloud is characterized in that it is applied to a cloud management point, the cloud management point is communicatively connected to different servers, and a file protection policy for different data files is stored on the cloud management point; The methods include:
    所述云管理点接收第一服务器发送的文件标识;Receiving, by the cloud management point, a file identifier sent by the first server;
    所述云管理点依据所述文件标识,查找包括所述文件标识的文件保护策略;The cloud management point searches for a file protection policy including the file identifier according to the file identifier;
    所述云管理点将所述文件保护策略发送至所述第一服务器,以使得所述第一服务器依据所述文件保护策略判断所述第一服务器欲执行的处理动作是否被允许执行。The cloud management point sends the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether the processing action to be performed by the first server is allowed to be executed.
  8. 根据权利要求7所述的管理方法,其特征在于,所述文件标识是指文件哈希Hash值,所述方法还包括:The management method according to claim 7, wherein the file identifier is a file hash hash value, and the method further comprises:
    所述云管理点接收第二服务器发送的文件位置更新消息,所述文件位置更新消息包括复制后的数据文件的文件Hash值和所述第二服务器的地址信息;Receiving, by the cloud management point, a file location update message sent by the second server, where the file location update message includes a file hash value of the copied data file and address information of the second server;
    所述云管理点依据所述复制后的数据文件的文件Hash值查找包括所述复制后的数据文件的文件Hash值的文件保护策略;The cloud management point searches for a file protection policy including a file hash value of the copied data file according to a file hash value of the copied data file;
    所述云管理点依据所述第二服务器的地址信息更新所述包括所述复制后的数据文件的文件Hash值的文件保护策略中的文件位置列表信息;所述文件位置列表信息包括数据文件存储的位置信息。The cloud management point updates the file location list information in the file protection policy including the file hash value of the copied data file according to the address information of the second server; the file location list information includes data file storage Location information.
  9. 根据权利要求8所述的管理方法,其特征在于,还包括: The management method according to claim 8, further comprising:
    所述云管理点接收所述第一服务器发送的欲删除的数据文件的文件Hash值;Receiving, by the cloud management point, a file hash value of the data file to be deleted sent by the first server;
    所述云管理点依据所述欲删除的数据文件的文件Hash值,查找包括所述欲删除的数据文件的文件Hash值的文件保护策略;The cloud management point searches for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted;
    所述云管理点从所述欲删除的数据文件的文件Hash值的文件保护策略中获取欲删除的数据文件的文件位置列表信息;Obtaining, by the cloud management point, file location list information of the data file to be deleted from a file protection policy of a file hash value of the data file to be deleted;
    所述云管理点依据所述欲删除的数据文件的文件位置列表信息,向所述欲删除的数据文件的文件位置列表信息中的各服务器发送删除消息,以使得所述各服务器依据所述删除消息删除所述欲删除的数据文件。Sending, by the cloud management point, the deletion message to each server in the file location list information of the data file to be deleted according to the file location list information of the data file to be deleted, so that the servers are deleted according to the The message deletes the data file to be deleted.
  10. 根据权利要求7所述的管理方法,其特征在于,所述文件标识是指文件哈希Hash值,所述方法还包括:The management method according to claim 7, wherein the file identifier is a file hash hash value, and the method further comprises:
    所述云管理点接收所述第一服务器发送的文件Hash值更新消息,所述文件Hash值更新消息包括修改前的数据文件的文件Hash值和修改后的数据文件的文件Hash值;Receiving, by the cloud management point, a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before modification and a file hash value of the modified data file;
    所述云管理点依据所述文件Hash值更新消息,将所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值关联到同一文件保护策略上。And the cloud management point associates the file hash value of the data file before the modification with the file hash value of the modified data file to the same file protection policy according to the file hash update message.
  11. 根据权利要求10所述的管理方法,其特征在于,所述云管理点依据所述文件Hash值更新消息,将所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值关联到同一文件保护策略上包括:The management method according to claim 10, wherein the cloud management point updates the message of the file before the modification and the file of the modified data file according to the file hash update message. Hash values associated with the same file protection policy include:
    所述云管理点分别依据所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值,查找包括所述修改前的数据文件的文件Hash值的文件保护策略和包括所述修改后的数据文件的文件Hash值的文件保护策略;The cloud management point searches for a file protection policy including the file hash value of the data file before the modification according to the file hash value of the data file before the modification and the file hash value of the modified data file, respectively, and includes a file protection policy of the file hash value of the modified data file;
    当查找到存在有至少一个文件保护策略时,将另一数据文件的文件Hash值添加到所述至少一个文件保护策略中的Hash值字段中。When it is found that there is at least one file protection policy, a file hash value of another data file is added to the hash value field in the at least one file protection policy.
  12. 一种服务器,其特征在于,包括:A server, comprising:
    第一计算单元,用于计算当前待处理的数据文件的文件标识; a first calculating unit, configured to calculate a file identifier of the current data file to be processed;
    文件标识发送单元,用于将所述文件标识发送至云管理点,以使得所述云管理点依据所述文件标识查找所述数据文件的文件保护策略;a file identifier sending unit, configured to send the file identifier to a cloud management point, so that the cloud management point searches for a file protection policy of the data file according to the file identifier;
    文件保护策略接收单元,用于接收所述云管理点返回的所述文件保护策略;a file protection policy receiving unit, configured to receive the file protection policy returned by the cloud management point;
    判断单元,用于依据所述文件保护策略判断所述数据文件是否允许所述服务器执行处理;a determining unit, configured to determine, according to the file protection policy, whether the data file allows the server to perform processing;
    处理单元,用于当所述判断单元判断所述数据文件允许所述服务器执行处理时,对当前待处理的数据文件进行处理。The processing unit is configured to process the current data file to be processed when the determining unit determines that the data file allows the server to perform processing.
  13. 根据权利要求12所述的服务器,其特征在于,所述文件标识是指文件哈希Hash值;所述文件保护策略包括文件流转范围限制信息;所述服务器还包括:The server according to claim 12, wherein the file identifier refers to a file hash hash value; the file protection policy includes file flow range restriction information; and the server further includes:
    第一执行动作获取单元,用于获取所述服务器对所述数据文件的执行动作;a first execution action obtaining unit, configured to acquire an execution action of the server on the data file;
    所述第一计算单元,具体用于当所述第一执行动作获取单元获取的所述执行动作为将所述数据文件复制到第二服务器时,计算当前待复制的数据文件的文件Hash值;The first calculating unit is configured to: when the execution action acquired by the first execution action acquiring unit is to copy the data file to the second server, calculate a file hash value of the current data file to be copied;
    所述判断单元具体用于,依据所述文件保护策略中的文件流转范围限制信息,判断所述当前待复制的数据文件是否允许复制到所述第二服务器;其中所述文件流转范围限制信息包括允许数据文件复制流转的范围。The determining unit is configured to determine, according to the file flow range limitation information in the file protection policy, whether the current data file to be copied is allowed to be copied to the second server, where the file flow range limitation information includes Allows the scope of data file replication to flow.
  14. 根据权利要求12所述的服务器,其特征在于,所述文件标识是指文件Hash值;所述文件保护策略包括文件访问限制允许信息;所述服务器还包括:The server according to claim 12, wherein the file identifier refers to a file hash value; the file protection policy includes file access restriction permission information; and the server further includes:
    第二执行动作获取单元,用于获取所述服务器对所述数据文件的执行动作;a second execution action obtaining unit, configured to acquire an execution action of the server on the data file;
    所述第一计算单元,具体用于当所述第二执行动作获取单元获取的所述执行动作为将允许第三服务器访问所述数据文件时,计算当前待访问的数据文件的文件Hash值; The first calculating unit is configured to: when the execution action acquired by the second execution action acquiring unit is to allow the third server to access the data file, calculate a file hash value of the data file to be accessed currently;
    所述判断单元具体用于,依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待访问的数据文件是否允许被所述第三服务器访问;其中所述文件访问限制允许信息包括允许访问数据文件的地址信息。The determining unit is configured to determine, according to the file access restriction permission information in the file protection policy, whether the current to-be-accessed data file is allowed to be accessed by the third server, where the file access restriction permission information includes Allow access to the address information of the data file.
  15. 根据权利要求12所述的服务器,其特征在于,所述文件标识是指文件哈希Hash值;所述文件保护策略包括文件访问限制允许信息;所述服务器还包括:The server according to claim 12, wherein the file identifier refers to a file hash hash value; the file protection policy includes file access restriction permission information; and the server further comprises:
    第三执行动作获取单元,用于获取所述服务器对所述数据文件的执行动作;a third execution action obtaining unit, configured to acquire an execution action of the server on the data file;
    所述第一计算单元,具体用于当所述第三执行动作获取单元获取的所述执行动作为将所述数据文件的内容进行修改时,当前待修改的数据文件的文件Hash值;The first calculating unit is specifically configured to: when the execution action acquired by the third execution action acquiring unit is to modify the content of the data file, the file Hash value of the data file to be modified currently;
    所述判断单元具体用于,依据所述文件保护策略中的文件访问限制允许信息,判断所述当前待修改的数据文件是否允许被所述第一服务器修改;其中所述文件访问限制允许信息包括数据文件的访问权限。The determining unit is configured to determine, according to the file access restriction permission information in the file protection policy, whether the current data file to be modified is allowed to be modified by the first server, where the file access restriction permission information includes Access to data files.
  16. 根据权利要求15所述的服务器,其特征在于,还包括:The server according to claim 15, further comprising:
    第二计算单元,用于计算修改后的数据文件的文件Hash值;a second calculating unit, configured to calculate a file hash value of the modified data file;
    更新消息发送单元,用于发送文件Hash值更新消息至所述云管理点,所述文件Hash值更新消息包括所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值,以使得所述云管理点依据所述文件Hash值更新消息,将所述当前待修改的数据文件的文件Hash值和修改后的数据文件的文件Hash值关联到同一文件保护策略上。An update message sending unit, configured to send a file hash update message to the cloud management point, where the file hash update message includes a file hash value of the current data file to be modified and a file hash value of the modified data file So that the cloud management point updates the message according to the file hash value, and associates the file hash value of the current data file to be modified with the file hash value of the modified data file to the same file protection policy.
  17. 一种云管理点,其特征在于,所述云管理点与不同服务器通信连接,且所述云管理点上存储有针对不同数据文件的文件保护策略;所述云管理点包括:A cloud management point, wherein the cloud management point is in communication with a different server, and the cloud management point stores a file protection policy for different data files; the cloud management point includes:
    第一接收单元,用于接收第一服务器发送的文件标识;a first receiving unit, configured to receive a file identifier sent by the first server;
    第一查找单元,用于依据所述文件标识,查找包括所述文件标识的文件保护策略; a first searching unit, configured to search for a file protection policy including the file identifier according to the file identifier;
    第一发送单元,用于将所述文件保护策略发送至所述第一服务器,以使得所述第一服务器依据所述文件保护策略判断所述第一服务器欲执行的相应处理动作是否被允许执行。a first sending unit, configured to send the file protection policy to the first server, so that the first server determines, according to the file protection policy, whether a corresponding processing action to be performed by the first server is allowed to be executed .
  18. 根据权利要求17所述的云管理点,其特征在于,所述文件标识是指文件哈希Hash值,所述云管理点还包括:The cloud management point according to claim 17, wherein the file identifier is a file hash hash value, and the cloud management point further includes:
    第二接收单元,用于接收第二服务器发送的文件位置更新消息,所述文件位置更新消息包括复制后的数据文件的文件Hash值和所述第二服务器的地址信息;a second receiving unit, configured to receive a file location update message sent by the second server, where the file location update message includes a file hash value of the copied data file and address information of the second server;
    第二查找单元,用于依据所述复制后的数据文件的文件Hash值查找包括所述复制后的数据文件的文件Hash值的文件保护策略;a second searching unit, configured to search, according to the file hash value of the copied data file, a file protection policy that includes a file hash value of the copied data file;
    更新单元,用于依据所述第二服务器的地址信息更新所述包括所述复制后的数据文件的文件Hash值的文件保护策略中的文件位置列表信息;所述文件位置列表信息包括数据文件存储的位置信息。And an updating unit, configured to update, according to address information of the second server, file location list information in a file protection policy that includes a file hash value of the copied data file; the file location list information includes data file storage Location information.
  19. 根据权利要求18所述的云管理点,其特征在于,还包括:The cloud management point according to claim 18, further comprising:
    第三接收单元,用于接收所述第一服务器发送的欲删除的数据文件的文件Hash值;a third receiving unit, configured to receive a file hash value of the data file to be deleted sent by the first server;
    第三查找单元,用于依据所述欲删除的数据文件的文件Hash值,查找包括所述欲删除的数据文件的文件Hash值的文件保护策略;a third search unit, configured to search for a file protection policy including a file hash value of the data file to be deleted according to the file hash value of the data file to be deleted;
    信息获取单元,用于从所述欲删除的数据文件的文件Hash值的文件保护策略中获取欲删除的数据文件的文件位置列表信息;An information obtaining unit, configured to acquire file location list information of a data file to be deleted from a file protection policy of a file hash value of the data file to be deleted;
    第二发送单元,用于依据所述欲删除的数据文件的文件位置列表信息,向所述欲删除的数据文件的文件位置列表信息中的各服务器发送删除消息,以使得所述各服务器依据所述删除消息删除所述欲删除的数据文件。a second sending unit, configured to send, according to the file location list information of the data file to be deleted, a deletion message to each server in the file location list information of the data file to be deleted, so that the servers are The delete message deletes the data file to be deleted.
  20. 根据权利要求17所述的云管理点,其特征在于,所述文件标识是指文件哈希Hash值,所述云管理点还包括:The cloud management point according to claim 17, wherein the file identifier is a file hash hash value, and the cloud management point further includes:
    第四接收单元,用于接收所述第一服务器发送的文件Hash值更新消息,所述文件Hash值更新消息包括修改前的数据文件的文件Hash值和修改后的数据文件的文件Hash值; a fourth receiving unit, configured to receive a file hash update message sent by the first server, where the file hash update message includes a file hash value of the data file before the modification and a file hash value of the modified data file;
    Hash值更新单元,用于依据所述文件Hash值更新消息,将所述修改前的数据文件的文件Hash值和所述修改后的数据文件的文件Hash值关联到同一文件保护策略上。The Hash value update unit is configured to associate the file hash value of the data file before the modification and the file hash value of the modified data file to the same file protection policy according to the file hash update message.
  21. 根据权利要求20所述的云管理点,其特征在于,所述Hash值更新单元包括:The cloud management point according to claim 20, wherein the hash value update unit comprises:
    第一查找子单元,用于依据所述修改前的数据文件的文件Hash值查找包括所述修改前的数据文件的文件Hash值的文件保护策略;a first search subunit, configured to search, according to the file hash value of the data file before the modification, a file protection policy including a file hash value of the data file before the modification;
    第二查找子单元,用于依据所述修改后的数据文件的文件Hash值查找包括所述修改后的数据文件的文件Hash值的文件保护策略;a second search subunit, configured to search, according to the file hash value of the modified data file, a file protection policy including a file hash value of the modified data file;
    Hash值添加子单元,用于当所述第一查找子单元和/或所述第二查找子单元查找到存在有至少一个文件保护策略时,将另一数据文件的文件Hash值添加到所述至少一个文件保护策略中的Hash值字段中。a hash value adding subunit, configured to add a file hash value of another data file to the first lookup subunit and/or the second lookup subunit when it finds that at least one file protection policy exists At least one file protection policy in the hash value field.
  22. 一种云系统,其特征在于,包括客户端、如上权利要求12-16任一项所述的服务器和如上权利要求17-21任一项所述的云管理点。 A cloud system, comprising a client, the server of any of claims 12-16, and the cloud management point of any of the preceding claims 17-21.
PCT/CN2016/074317 2015-08-18 2016-02-23 Method for managing data file in cloud, cloud management point, and system WO2017028517A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510507065.XA CN106469281B (en) 2015-08-18 2015-08-18 Management method of data files in cloud, cloud management point and system
CN201510507065.X 2015-08-18

Publications (1)

Publication Number Publication Date
WO2017028517A1 true WO2017028517A1 (en) 2017-02-23

Family

ID=58051892

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/074317 WO2017028517A1 (en) 2015-08-18 2016-02-23 Method for managing data file in cloud, cloud management point, and system

Country Status (2)

Country Link
CN (1) CN106469281B (en)
WO (1) WO2017028517A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108108633B (en) * 2017-12-20 2021-07-13 中国科学院深圳先进技术研究院 Data file and access method, device and equipment thereof
CN116701304B (en) * 2023-07-06 2023-11-03 北京应天海乐科技发展有限公司 File management method, device, equipment and storage medium for self-service equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102592103A (en) * 2011-01-17 2012-07-18 中国电信股份有限公司 Secure file processing method, equipment and system
CN103209189A (en) * 2013-04-22 2013-07-17 哈尔滨工业大学深圳研究生院 Distributed file system-based mobile cloud storage safety access control method
CN103491532A (en) * 2013-09-24 2014-01-01 北京大学 Cooperative privacy protection method and system based on Android platform
CN103973646A (en) * 2013-01-31 2014-08-06 中国电信股份有限公司 Method, client device and system for storing services by aid of public cloud

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102855419B (en) * 2012-07-20 2015-09-09 北京亿赛通科技发展有限责任公司 The data file copyright guard method of intelligent terminal
CN102842002B (en) * 2012-07-20 2016-04-20 北京亿赛通科技发展有限责任公司 The digital media copyright protection method of intelligent terminal
CN103793658B (en) * 2012-10-30 2016-08-31 华耀(中国)科技有限公司 A kind of protection system and method for off-line files based on VPN
WO2015143596A1 (en) * 2014-03-24 2015-10-01 华为技术有限公司 File downloading method, apparatus and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102592103A (en) * 2011-01-17 2012-07-18 中国电信股份有限公司 Secure file processing method, equipment and system
CN103973646A (en) * 2013-01-31 2014-08-06 中国电信股份有限公司 Method, client device and system for storing services by aid of public cloud
CN103209189A (en) * 2013-04-22 2013-07-17 哈尔滨工业大学深圳研究生院 Distributed file system-based mobile cloud storage safety access control method
CN103491532A (en) * 2013-09-24 2014-01-01 北京大学 Cooperative privacy protection method and system based on Android platform

Also Published As

Publication number Publication date
CN106469281B (en) 2020-01-17
CN106469281A (en) 2017-03-01

Similar Documents

Publication Publication Date Title
US11334562B2 (en) Blockchain based data management system and method thereof
US20170206353A1 (en) Method and system for preventing malicious alteration of data in computer system
US8745095B2 (en) Systems and methods for scalable object storage
CN108628658B (en) License management method and device for container
US11151261B2 (en) Blockchain system with severable data and cryptographic proof
CN106682186B (en) File access control list management method and related device and system
JP6633059B2 (en) Rating files
EP3000071A1 (en) Data protection for organizations on computing devices
US11347890B2 (en) Systems and methods for multi-region data center connectivity
WO2020038400A1 (en) Access control policy configuration method, device and system, and storage medium
WO2021115231A1 (en) Authentication method and related device
CN109302448B (en) Data processing method and device
WO2018233051A1 (en) Data release method and device, and server and storage medium
US10248678B2 (en) Enabling placement control for consistent hashing-based object stores
JP6712922B2 (en) Data leakage prevention system and data leakage prevention method
US11086995B2 (en) Malware scanning for network-attached storage systems
WO2018094962A1 (en) Method, apparatus and system for migrating file permission
US20160173611A1 (en) Techniques for prevent information disclosure via dynamic secure cloud resources
US10404702B1 (en) System and method for tenant network identity-based authentication and authorization for administrative access in a protection storage system
RU2491623C1 (en) System and method of verifying trusted files
WO2017028517A1 (en) Method for managing data file in cloud, cloud management point, and system
US9922035B1 (en) Data retention system for a distributed file system
JP2023517531A (en) System and method for protecting folders from unauthorized file modification
JP5860259B2 (en) Determination program and determination apparatus
US11630809B2 (en) Method and system for using micro objects

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16836382

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16836382

Country of ref document: EP

Kind code of ref document: A1