WO2020177548A1 - Blockchain authority control method and device - Google Patents

Info

Publication number
WO2020177548A1
Authority
WO
WIPO (PCT)
Prior art keywords
operated
account
blockchain
permission
authority
Prior art date
Application number
PCT/CN2020/076086
Other languages
French (fr)
Chinese (zh)
Inventor
莫楠
廖飞强
白兴强
李辉忠
张开翔
范瑞彬
Original Assignee
深圳前海微众银行股份有限公司
Priority date
Filing date
Publication date
Application filed by 深圳前海微众银行股份有限公司
Publication of WO2020177548A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F 21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the embodiments of the present invention relate to the field of financial technology, and in particular to a method and device for controlling permissions of a blockchain.
  • Blockchain is a new distributed infrastructure and computing paradigm that uses a block-chain data structure to verify and store data, uses distributed node consensus algorithms to generate and update data, uses cryptography to secure data transmission and access, and uses smart contracts composed of automated script code to program and manipulate data.
  • For the public chain in the blockchain, there is no restriction on nodes joining, and the data on the chain is completely open, which suits public scenarios that do not involve storing private information. But for private chains and consortium chains, because some private data storage is involved, it is necessary to control the permissions of the blockchain.
  • the role corresponding to an account is determined through a preset first association relationship, the authority of the account is then determined according to the preset authority of that role, and, based on the authority of the account, the corresponding interface of the blockchain is called.
  • the Merkle tree in the block body is then operated on to complete the transaction.
  • in this approach the correspondence between roles and permissions must be saved in advance, and the permissions of an account are limited to the preset permissions of its role, so the control of account permissions is not sufficiently fine-grained.
  • the embodiments of the present invention provide a blockchain permission control method and device.
  • an embodiment of the present invention provides a method for controlling permissions on a blockchain.
  • Each block in the blockchain stores a ledger in the form of a table.
  • the method includes:
  • obtaining a transaction request, the transaction request including transaction information and a transaction account; determining, according to the transaction information, the table to be operated and the operation content in the table to be operated; determining the authority account corresponding to the table to be operated from the preset authority table; and, when it is determined that the transaction account matches the authority account corresponding to the table to be operated, executing the operation content in the table to be operated.
  • because the authority table is preset and stores the authority of each account over the tables in the blockchain, when the transaction account initiates a transaction that needs to operate a table in the blockchain, the authority table can be queried to determine the operation authority and the table operation can then be executed, thereby realizing authority control of the blockchain. Since the specific permissions of an account can be set freely in the permission table, and account permissions can be added or deleted based on actual needs, the control of account permissions is more fine-grained than role-based permission control, and it is convenient to manage account permissions.
  • the table to be operated is a system table or a user table
  • the system table is used to control the system functions of the blockchain
  • the user table is used to control the business functions of the blockchain.
  • before determining the authority account corresponding to the table to be operated from the preset authority table, the method further includes: determining that the operation content is a write operation.
  • the method further includes:
  • sending the operation record of the table to be operated to other network nodes in the blockchain network, so that the other network nodes determine the authority account corresponding to the table to be operated from the permission table according to the identifier of the table to be operated, and execute the operation content in the table to be operated when it is determined that the transaction account matches that authority account.
  • in this way the other network nodes can verify the validity of the operation record of the table to be operated before executing the operation content, thereby synchronizing the table content across the blockchain network and ensuring the consistency and security of tables in the blockchain.
  • it also includes:
  • the permission table is located in a block of the blockchain
  • the updated permission table takes effect in the next block of the current block.
  • an embodiment of the present invention provides a permission control device for a blockchain.
  • Each block in the blockchain stores a ledger in the form of a table.
  • the device includes:
  • the obtaining module is used to obtain a transaction request, the transaction request including transaction information and a transaction account;
  • the analysis module is used to determine the table to be operated and the content of the operation in the table to be operated according to the transaction information, the table to be operated is located in a block of the blockchain;
  • the screening module is used to determine the authority account corresponding to the table to be operated from the preset authority table;
  • the control module is configured to execute the operation content in the table to be operated when it is determined that the transaction account matches the authority account corresponding to the table to be operated.
  • the table to be operated is a system table or a user table
  • the system table is used to control the system functions of the blockchain
  • the user table is used to control the business functions of the blockchain.
  • the screening module is also used to determine that the operation content is a write operation.
  • the control module is also used to:
  • send the operation record of the table to be operated to other network nodes in the blockchain network, so that the other network nodes determine the authority account corresponding to the table to be operated from the permission table according to the identifier of the table to be operated, and execute the operation content in the table to be operated when it is determined that the transaction account matches that authority account.
  • the screening module is also used to:
  • the updated permission table takes effect in the next block of the current block, and the permission table is located in a block of the blockchain.
  • an embodiment of the present invention provides a computer device, including at least one processing unit and at least one storage unit, wherein the storage unit stores a computer program, and when the program is executed by the processing unit, the processing unit executes the steps of the permission control method of the blockchain.
  • an embodiment of the present invention provides a computer-readable medium that stores a computer program executable by a computer device.
  • when the program runs on the computer device, the computer device executes the steps of the blockchain permission control method.
  • an embodiment of the present invention provides a computer program product, which includes a computer program stored on a computer-readable medium; the computer program includes program instructions which, when executed by a computer device, cause the computer device to execute the steps of the blockchain permission control method.
  • because the authority table is preset and stores the authority of each account over the tables in the blockchain, when the transaction account initiates a transaction that needs to operate a table in the blockchain, the authority table can be queried to determine the operation authority and the table operation can then be executed, thereby realizing authority control of the blockchain. Since the specific permissions of an account can be set freely in the permission table, and account permissions can be added or deleted based on actual needs, the control of account permissions is more fine-grained than role-based permission control, and it is convenient to manage account permissions.
  • FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a method for controlling permissions on a blockchain according to an embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a method for controlling permissions on a blockchain according to an embodiment of the present invention
  • FIG. 4 is a schematic flowchart of a method for controlling permissions on a blockchain according to an embodiment of the present invention
  • FIG. 5 is a schematic structural diagram of a permission control device for a blockchain provided by an embodiment of the present invention.
  • Fig. 6 is a schematic structural diagram of a computer device provided by an embodiment of the present invention.
  • Blockchain is a new distributed infrastructure and computing paradigm that uses a block-chain data structure to verify and store data, uses distributed node consensus algorithms to generate and update data, uses cryptography to secure data transmission and access, and uses smart contracts composed of automated script code to program and manipulate data.
  • A consortium chain lies between a public chain and a private chain: several organizations jointly maintain a blockchain with an access mechanism, and the generation of each block is determined by preselected nodes.
  • A smart contract is a service program written in the Solidity language that implements specific logic; it is published on the consortium chain in binary form for contract participants to execute and call on the consortium chain.
  • in the embodiments of the present invention, a control mechanism for accessing blockchain functions is achieved by controlling access to the blockchain. For example, based on the distributed storage of the FISCO BCOS consortium chain platform, access to blockchain functions is controlled by controlling access to tables in the blockchain.
  • the consortium chain network includes multiple network nodes 101.
  • the node 101 includes a block chain authority control device.
  • the network node 101 may be a server or a server cluster composed of several servers, and the network nodes 101 are connected through a wireless network.
  • each organization corresponds to one or more network nodes 101, and the tables in each network node 101 in the consortium chain are synchronized in real time.
  • an institution initiates a transaction request through its transaction account in a network node 101.
  • after receiving the transaction request, the network node 101 determines the table to be operated and the operation content in the table to be operated according to the transaction information. Then the authority account corresponding to the table to be operated is determined from the preset authority table, and when it is determined that the transaction account matches that authority account, the operation content is executed in the table to be operated. The network node 101 then generates the operation record of the table to be operated and sends it to the other network nodes 101 in the blockchain network.
  • the operation record includes the identifier of the table to be operated, operation content and transaction account.
  • the other network nodes 101 determine the permission account corresponding to the table to be operated from the permission table according to the identifier of the table to be operated, and when it is determined that the transaction account matches the permission account corresponding to the table to be operated, the operation content is executed in the table to be operated.
  • an embodiment of the present invention provides a flow of a blockchain permission control method, which can be executed by a blockchain permission control device and, as shown in Figure 2, includes the following steps:
  • Step S201 Obtain a transaction request.
  • the transaction request is initiated by the transaction account, and the transaction request includes transaction information and the transaction account.
  • Different transactions correspond to different transaction information.
  • the transaction information is the name of the table involved in deploying the contract, contract-related data, etc.
  • Step S202 Determine the table to be operated and the operation content in the table to be operated according to the transaction information.
  • the table to be operated is located in a block of the blockchain, and different transaction information corresponds to different tables to be operated.
  • the table to be operated can be a system table or a user table.
  • the system table is used to control the system functions of the blockchain
  • the user table is used to control the business functions of the blockchain.
  • based on the permissions in the permission table, the transaction account operates the system table of the blockchain to control the system functions of the blockchain.
  • based on the permissions in the permission table, the transaction account operates the user table of the blockchain to control the business functions of the blockchain.
  • system tables include _sys_tables_ table, _sys_cns_ table, _sys_miners_ table, _sys_config_ table, _sys_table_access_ table, etc.
  • the _sys_tables_ table stores the field information of all tables in the blockchain system, and a table's field information must be stored in the _sys_tables_ table before the table can be created. Deploying a contract requires creating the contract table, and a contract that operates a user table requires that user table to be created first. Therefore, permission control acting on the _sys_tables_ table controls the deployment of contracts and the creation of user tables.
  • the _sys_cns_ table saves the CNS information of contracts deployed in the blockchain using the Contract Name Service (CNS).
  • CNS information includes the contract name, contract version number, contract deployment address, and contract application binary interface (ABI).
  • deploying a contract using CNS requires its CNS information to be written into the _sys_cns_ table. Therefore, permission control acting on the _sys_cns_ table controls whether an account has permission to deploy contracts using CNS.
  • the _sys_miners_ table stores the information of all node types in the blockchain. There are three types of nodes in the blockchain network, namely, accounting nodes, observation nodes, and free nodes. The conversion of these three types of node types can be realized by operating the _sys_miners_ table. Therefore, permission control acts on the _sys_miners_ table to control the type conversion of blockchain nodes.
  • the _sys_config_ table saves system configuration information in the blockchain, such as setting tx_count_limit (the upper limit of the number of transactions in the block) and tx_gas_limit (the upper limit of gas for transactions). Therefore, permission control acts on the _sys_config_ table to control the setting permissions of system configuration information.
  • the user table is a table related to the business, and the authority control acting on each user table will finely control the related business functions.
  • the user table 1 is an operating user table of contract A, which includes a list of users who can operate contract A.
  • the user table 2 is a user table of the loan service, which includes a list of users who can use the loan service.
  • Step S203 Determine the authority account corresponding to the table to be operated from the preset authority table.
  • the permission table is used to store permission setting information, and the permission table also belongs to a system table.
  • the rules for using permission control are determined in advance. For example, a management node can be selected from the blockchain network, and the account corresponding to the management node is then the administrator account. Only the administrator account can use the permission setting function; a non-administrator account has no permission setting function.
  • the permission table is located in a block of the blockchain. When the permission table is updated, the updated permission table takes effect in the next block of the current block.
  • a new block is generated after the current block, and the new permission record is stored in the block body of the new block.
  • the permission record A is modified in the permission table, a new block is generated after the current block, and the modified permission record A is stored in the block body of the new block.
  • the embodiment of the present invention provides an example of a permission table, as shown in Table 1:
  • a permission record in the permission table, includes table name, account name, effective block height, and status fields.
  • the effective block height gives the position in the blockchain of the block in which the permission record takes effect, and the status field records whether the record has since been removed.
  • a preset permission contract interface can be used to operate the permission table.
  • Permission contract interfaces include insert interface, remove interface, queryByName interface, etc.
  • the insert interface sets a permission record by table name and account address and returns the number of records set. The record is saved in the permission table; setting the same permission record again is refused, and 0 is returned directly.
  • the remove interface removes a set permission record by table name and account address and returns the number of records removed.
  • the _status_ field of the record to be removed is set from "0" to "1"; removing the same permission record again is refused, and 0 is returned directly.
  • the queryByName interface queries the set permission records by table name, and the records are returned as a JSON string. This interface is used to query permission records.
  • the Java SDK API and command line tool commands are as follows:
  • String add: this API calls the insert interface of the permission contract to set permission information.
  • the corresponding command is addAuthority (abbreviated as aa), and the parameters are the table name and account address.
  • this API calls the queryByName interface of the permission contract to query permission information.
  • the corresponding command is queryAuthority (abbreviated as qa), and the parameter is the table name.
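As an added example (not code from the patent or from the FISCO BCOS platform), the following Python models the permission table of Table 1 and the insert, remove and queryByName semantics described above, including the rule that an update only takes effect in the next block. The field names and the choice to store a removal as a new row with _status_ "1" (per "the modified permission record is stored in the block body of the new block") are assumptions of this model.

```python
import json


class PermissionTable:
    """Constructed model of the permission table: one row per record version.

    Each row holds the table name, the account, the block height at which the
    row takes effect, and _status_ ("0" = set, "1" = removed).  A change made
    while block N is current only takes effect in block N+1, so a row written
    in block N carries effective_block = N+1.
    """

    def __init__(self, current_block=0):
        self.current_block = current_block
        self.records = []          # appended in block order, so later rows are newer

    def new_block(self):
        """Advance the chain by one block; rows written last block become effective."""
        self.current_block += 1

    def _latest(self, table_name, account, include_pending):
        """Newest row for (table, account); optionally ignore rows not yet effective."""
        latest = None
        for rec in self.records:
            if rec["table_name"] != table_name or rec["account"] != account:
                continue
            if include_pending or rec["effective_block"] <= self.current_block:
                latest = rec
        return latest

    def _append(self, table_name, account, status):
        self.records.append({
            "table_name": table_name,
            "account": account,
            "effective_block": self.current_block + 1,   # takes effect next block
            "_status_": status,
        })
        return 1

    def insert(self, table_name, account):
        """insert interface: set a permission record, return the number set.

        Setting a record that is already set (or pending) is refused with 0.
        """
        latest = self._latest(table_name, account, include_pending=True)
        if latest is not None and latest["_status_"] == "0":
            return 0
        return self._append(table_name, account, "0")

    def remove(self, table_name, account):
        """remove interface: mark the record _status_ "1", return the number removed.

        Removing a record that is not set (or already removed) is refused with 0.
        """
        latest = self._latest(table_name, account, include_pending=True)
        if latest is None or latest["_status_"] == "1":
            return 0
        return self._append(table_name, account, "1")

    def records_for(self, table_name):
        """All rows, set or removed, for a table name."""
        return [r for r in self.records if r["table_name"] == table_name]

    def query_by_name(self, table_name):
        """queryByName interface: the rows for a table name as a JSON string."""
        return json.dumps(self.records_for(table_name))

    def authority_accounts(self, table_name):
        """Accounts whose newest *effective* row for this table is still set."""
        accounts = {r["account"] for r in self.records if r["table_name"] == table_name}
        granted = set()
        for account in accounts:
            current = self._latest(table_name, account, include_pending=False)
            if current is not None and current["_status_"] == "0":
                granted.add(account)
        return granted

    def is_authorised(self, table_name, account):
        """The check a node performs before executing a write on table_name."""
        return account in self.authority_accounts(table_name)
```

Note that a record inserted and removed within the same block never grants anything: both rows take effect together in the next block and the removal row is the newer of the two.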
  • Step S204 when it is determined that the transaction account matches the authority account corresponding to the table to be operated, the operation content is executed in the table to be operated.
  • the operation content is a write operation
  • the authority account corresponding to the table to be operated is determined from the preset authority table, and when it is determined that the transaction account matches that authority account, the write operation is performed in the table to be operated.
  • the operation content is a read operation
  • the read operation is performed in the table to be operated.
  • suppose transaction account 1 needs to deploy a HelloWorld contract: the network node receives a transaction request that includes transaction account 1 and the content of the HelloWorld contract.
  • when the network node determines from the transaction information that transaction account 1 needs to write the content of the HelloWorld contract into the _sys_tables_ table, it queries the permission record of the _sys_tables_ table in the permission table to determine the authority account of the _sys_tables_ table. If transaction account 1 is among the authority accounts, the content of the HelloWorld contract is written into the _sys_tables_ table; otherwise the write is refused. When the network node determines from the transaction information that transaction account 1 needs to read the content of the _sys_tables_ table, it reads the content of the _sys_tables_ table directly.
  • the authority account corresponding to the table to be operated is determined from the preset authority table, and when it is determined that the transaction account matches that authority account, a write operation or a read operation is performed in the table to be operated.
  • the permission table corresponding to the read operation and the permission table corresponding to the write operation can be preset.
  • the operation content is a write operation
  • the authorization account corresponding to the table to be operated is determined from the authorization table corresponding to the write operation, and when it is determined that the transaction account matches the authorization account corresponding to the table to be operated, the write operation is performed in the table to be operated.
  • the authorization account corresponding to the table to be operated is determined from the authorization table corresponding to the read operation, and when it is determined that the transaction account matches the authorization account corresponding to the table to be operated, the read operation is performed in the table to be operated.
  • because the authority table is preset and stores the authority of each account over the tables in the blockchain, when the transaction account initiates a transaction that needs to operate a table in the blockchain, the authority table can be queried to determine the operation authority and the table operation can then be executed, thereby realizing authority control of the blockchain. Since the specific permissions of an account can be set freely in the permission table, and account permissions can be added or deleted based on actual needs, the control of account permissions is more fine-grained than role-based permission control, and it is convenient to manage account permissions.
  • an operation record of the table to be operated is generated; the operation record includes the identifier of the table to be operated, the operation content and the transaction account, and is sent to the other network nodes in the blockchain network.
  • the other network nodes determine the authority account corresponding to the table to be operated from the permission table according to the identifier of the table to be operated, and when it is determined that the transaction account matches that authority account, the operation content is executed in the table to be operated.
  • the tables of each network node in the blockchain network are synchronized in real time.
  • a network node performs a write operation in the table to be operated and changes the content in the table to be operated, it needs to synchronize the changed content in the table to be operated to other network nodes in the blockchain network.
  • when other network nodes receive the operation record of the table to be operated, they first need to verify the legitimacy of the operation record. Specifically, according to the identifier of the table to be operated in the operation record, they determine the authority account corresponding to the table to be operated from the permission table.
  • when the transaction account matches the authority account corresponding to the table to be operated, the operation record is determined to be legal, and the operation content is then executed in the table to be operated, so as to synchronize the content of the table across the blockchain network and ensure the consistency and security of the table in the blockchain.
  • the following describes a block chain permission control method provided by the embodiments of the present invention in combination with specific implementation scenarios.
  • the method is executed by a network node. As shown in FIG. 4, the method includes the following steps:
  • Step S401 Obtain a transaction request of the transaction account.
  • Step S402 Determine the table to be operated and the operation content according to the transaction request.
  • the table to be operated can be a system table or a user table.
  • Step S403 It is judged whether the operation content is a write operation, if not, step S404 is executed, otherwise, step S405 is executed.
  • Step S404 obtain the query result.
  • step S405 it is judged whether there is a permission record cache, if yes, step S406 is executed, otherwise, step S409 is executed.
  • when a permission record has been queried from the permission table before, it can be cached, so that when a request to query that permission record is received, the cache is queried directly instead of querying the permission table every time, thereby improving query efficiency.
  • step S406 it is judged whether the transaction account has authority, if so, step S407 is executed, otherwise, step S408 is executed.
  • Step S407 perform a write operation.
  • Step S408 Reject the write operation.
  • Step S409 query the permission table.
  • the network node receives the transaction request.
  • the transaction request deploys the HelloWorld contract for transaction account 1.
  • the transaction to deploy the contract needs to write to the _sys_tables_ table.
  • the network node queries the permission record of the _sys_tables_ table in the permission table, and determines the authority account of the _sys_tables_ table from the permission record. Then transaction account 1 is compared with the authority account of the _sys_tables_ table.
  • when transaction account 1 is the authority account of the _sys_tables_ table, the relevant content of the HelloWorld contract is written into the _sys_tables_ table and the contract is deployed successfully.
  • the network node receives a transaction request, the transaction request deploys the HelloWorld contract for transaction account 2.
  • the transaction to deploy the contract needs to write to the _sys_tables_ table.
  • the network node queries the permission record of the _sys_tables_ table in the permission table, and determines the authority account of the _sys_tables_ table from the permission record. Then transaction account 2 is compared with the authority account of the _sys_tables_ table.
  • the network node receives the transaction request.
  • the transaction request from transaction account 2 adds mm as an operating user of the HelloWorld contract, which requires writing to user table A.
  • the network node queries the permission record of user table A in the permission table, and determines the permission account of user table A from the permission record. Then the transaction account 2 is compared with the authority account of the user table A, and when the comparison result is that the transaction account 2 is the authority account of the user table A, the relevant information of the user mm is written into the user table A.
  • the transaction request adds the operating user nn of the HelloWorld contract to the transaction account 3, and the user table A needs to be written.
  • the network node queries the permission record of user table A in the permission table, and determines the permission account of user table A from the permission record. Then compare the transaction account 3 with the authority account of the user table A. When the comparison result is that the transaction account 3 is not the authority account of the user table A, the addition fails.
  • because the authority table is preset and stores the authority of each account over the tables in the blockchain, when the transaction account initiates a transaction that needs to operate a table in the blockchain, the authority table can be queried to determine the operation authority and the table operation can then be executed, thereby realizing authority control of the blockchain. Since the specific permissions of an account can be set freely in the permission table, and account permissions can be added or deleted based on actual needs, the control of account permissions is more fine-grained than role-based permission control, and it is convenient to manage account permissions.
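As an added example, not code from the patent or from FISCO BCOS, the following Python walks the FIG. 4 flow (S401 to S409) on one node and the peer-side verification of operation records described earlier, using the HelloWorld deployment and user table A scenarios above. The in-memory structures, the "READ_OK"/"WRITE_OK"/"WRITE_REJECTED" results and the cache invalidation hook are assumptions of this model; the permission table here is a plain mapping of already-effective records.

```python
from dataclasses import dataclass, field


@dataclass
class TxRequest:
    """Constructed transaction request: account, target table, read/write, row."""
    account: str
    table: str
    op: str                     # "read" or "write"
    row: dict = field(default_factory=dict)


@dataclass
class OperationRecord:
    """Record sent to other nodes after a write: table id, operation, account, row."""
    table: str
    op: str
    account: str
    row: dict


class Node:
    def __init__(self, permission_table):
        # table name -> set of authority accounts whose records are already in effect
        self.permission_table = {t: set(a) for t, a in permission_table.items()}
        self.tables = {}        # table name -> list of rows
        self.cache = {}         # S405: permission record cache, table name -> accounts
        self.cache_hits = 0
        self.outbox = []        # operation records to send to the other nodes

    def _authority_accounts(self, table):
        if table in self.cache:                 # S405/S406: answer from the cache
            self.cache_hits += 1
            return self.cache[table]
        accounts = self.permission_table.get(table, set())   # S409: query the table
        self.cache[table] = accounts
        return accounts

    def handle(self, req):
        """S401-S408: decide one transaction request on this node."""
        if req.op == "read":                    # S403/S404: reads need no permission record
            return "READ_OK", list(self.tables.get(req.table, []))
        if req.account not in self._authority_accounts(req.table):
            return "WRITE_REJECTED", None       # S408: transaction account has no authority
        self.tables.setdefault(req.table, []).append(req.row)          # S407
        self.outbox.append(OperationRecord(req.table, req.op, req.account, req.row))
        return "WRITE_OK", None

    def apply_record(self, rec):
        """Peer side: re-check the record against the local permission table, then execute."""
        if rec.op != "write":
            return False                        # only writes are synchronised as records
        if rec.account not in self._authority_accounts(rec.table):
            return False                        # illegitimate record: table left unchanged
        self.tables.setdefault(rec.table, []).append(rec.row)
        return True

    def update_permissions(self, table, accounts):
        """The permission table changed: drop the cached records for that table."""
        self.permission_table[table] = set(accounts)
        self.cache.pop(table, None)
```

The cache in S405 is only safe if it is dropped when the permission table changes (here in update_permissions); otherwise a removed account keeps its authority on that node until the cache expires.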
  • an embodiment of the present invention provides a block chain permission control device. As shown in FIG. 5, the device 500 includes:
  • the obtaining module 501 is configured to obtain a transaction request, the transaction request including transaction information and a transaction account;
  • the analysis module 502 is configured to determine the table to be operated and the operation content in the table to be operated according to the transaction information, the table to be operated is located in a block of the blockchain;
  • the screening module 503 is configured to determine the authority account corresponding to the table to be operated from the preset authority table;
  • the control module 504 is configured to execute the operation content in the table to be operated when it is determined that the transaction account matches the authority account corresponding to the table to be operated.
  • the table to be operated is a system table or a user table
  • the system table is used to control the system functions of the blockchain
  • the user table is used to control the business functions of the blockchain.
  • the screening module 503 is further configured to determine that the operation content is a write operation.
  • the control module 504 is further configured to:
  • send the operation record of the table to be operated to other network nodes in the blockchain network, so that the other network nodes determine the authority account corresponding to the table to be operated from the permission table according to the identifier of the table to be operated, and execute the operation content in the table to be operated when it is determined that the transaction account matches that authority account.
  • the screening module 503 is further configured to:
  • the updated permission table takes effect in the next block of the current block, and the permission table is located in a block of the blockchain.
  • An embodiment of the present invention provides a computer device. As shown in FIG. 6, it includes at least one processor 601 and a memory 602 connected to the at least one processor.
  • The embodiment of the present invention does not limit how the processor 601 and the memory 602 are connected; FIG. 6 takes a bus connection between them as an example. The bus can be divided into an address bus, a data bus, a control bus, etc.
  • The memory 602 stores instructions executable by the at least one processor 601; by executing the instructions stored in the memory 602, the at least one processor 601 can perform the steps of the blockchain permission control method described above.
  • The processor 601 is the control center of the computer device: it connects the various parts of the computer device through various interfaces and lines, and performs permission control by running or executing the instructions stored in the memory 602 and calling the data stored in the memory 602.
  • The processor 601 may include one or more processing units and may integrate an application processor, which mainly handles the operating system, user interface and application programs, and a modem processor, which mainly handles wireless communication. It can be understood that the modem processor need not be integrated into the processor 601.
  • The processor 601 and the memory 602 may be implemented on the same chip, and in some embodiments on separate chips.
  • The processor 601 may be a general-purpose processor such as a central processing unit (CPU), a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention.
  • The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be executed and completed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
  • The memory 602, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs and non-volatile computer-executable programs and modules.
  • The memory 602 may include at least one type of storage medium, for example flash memory, a hard disk, a multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, a magnetic disk, an optical disc, etc.
  • The memory 602 may also be any other medium that can carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
  • The memory 602 in the embodiment of the present invention may also be a circuit or any other device capable of realizing a storage function, for storing program instructions and/or data.
  • The embodiments of the present invention provide a computer-readable medium that stores a computer program executable by a computer device; when the program runs on the computer device, the computer device executes the steps of the blockchain permission control method.
  • The embodiments of the present invention provide a computer program product. The computer program product includes a computer program stored on a computer-readable medium; the computer program includes program instructions which, when executed, cause the computer device to execute the steps of the blockchain permission control method.
  • The embodiments of the present invention may be provided as methods or computer program products. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
  • These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

Abstract

Embodiments of the present invention relate to the field of financial technology and provide a blockchain permission control method and device. The method comprises: obtaining a transaction request comprising transaction information and a transaction account; determining, according to the transaction information, a table to be operated and the operation content; determining from a preset permission table the permission account corresponding to that table; and executing the operation content on that table if the transaction account matches the permission account corresponding to it. Because each account's permissions on the tables in the blockchain are stored in a permission table in advance, when a transaction account initiates a transaction that needs to operate on a table in the blockchain, permission control of the blockchain is achieved by querying the permission table to determine the operation permission before performing the operation on the table. In the permission table, the permissions of an account can be set freely and added or removed as needed, so control of account permissions is more fine-grained than role-based permission control, which facilitates the management of account permissions.

Description

Blockchain permission control method and device
Cross-reference to related applications
This application claims priority to the Chinese patent application with application number 201910163011.4 and title "Blockchain permission control method and device", filed with the Chinese Patent Office on March 5, 2019, the entire content of which is incorporated herein by reference.
Technical field
The embodiments of the present invention relate to the field of financial technology, and in particular to a blockchain permission control method and device.
Background
A blockchain is a new kind of distributed infrastructure and computing paradigm that uses a chained block data structure to verify and store data, a distributed node consensus algorithm to generate and update data, cryptography to secure data transmission and access, and smart contracts composed of automated script code to program and manipulate data. In a public chain there is no restriction on nodes joining and the data on the chain is completely open, which suits public information storage that involves no privacy. Private chains and consortium chains, however, store some private data, so the permissions of the blockchain need to be controlled. At present, permission control on a consortium chain determines the role corresponding to an account through a preset first association relationship, determines the account's permissions from the preset permissions of that role, and then, based on the account's permissions, calls the corresponding interface to operate on the Merkle tree of the block body and complete the transaction. This method requires the correspondence between roles and permissions to be stored in advance, and the account's permissions are limited to the preset permissions of its role, so control of account permissions is not fine-grained enough.
Summary of the invention
Because in the current role-based permission control method the account permissions are limited to the preset permissions of the role, so that control of account permissions is not fine-grained enough, the embodiments of the present invention provide a blockchain permission control method and device.
In one aspect, an embodiment of the present invention provides a blockchain permission control method, in which each block of the blockchain stores the ledger in the form of tables. The method includes:
obtaining a transaction request, the transaction request including transaction information and a transaction account;
determining, according to the transaction information, a table to be operated and the operation content on the table to be operated, the table to be operated being located in a block of the blockchain;
determining, from a preset permission table, the permission account corresponding to the table to be operated;
when it is determined that the transaction account matches the permission account corresponding to the table to be operated, executing the operation content on the table to be operated.
Because the permission table is set in advance and stores each account's permissions on the tables in the blockchain, when a transaction account initiates a transaction that needs to operate on a table in the blockchain, the operation permission can be determined by querying the permission table before the operation is executed on the table, thereby achieving permission control of the blockchain. Because the specific permissions of an account can be set freely in the permission table and added or removed as actually needed, control of account permissions is more fine-grained than role-based permission control, and account permissions are also easier to manage. Secondly, because the data in the blockchain is stored in the form of tables rather than in a Merkle tree, operating on the tables in the blockchain according to the account permissions in the permission table works better than applying the role-based permission control method directly to the tables in the blockchain.
Optionally, the table to be operated is a system table or a user table; the system table is used to control the system functions of the blockchain, and the user table is used to control the business functions of the blockchain.
Optionally, before the permission account corresponding to the table to be operated is determined from the preset permission table, the method includes:
determining that the operation content is a write operation.
Optionally, after the operation content is executed on the table to be operated, the method further includes:
generating an operation record of the table to be operated, the operation record including the identifier of the table to be operated, the operation content and the transaction account;
sending the operation record of the table to be operated to the other network nodes in the blockchain network, so that the other network nodes determine, from the permission table and according to the identifier of the table to be operated, the permission account corresponding to the table to be operated, and execute the operation content on the table to be operated when they determine that the transaction account matches the permission account corresponding to the table to be operated.
By sending the operation record of the table to be operated to the other network nodes, the other network nodes verify the legitimacy of the operation record before executing the operation content, so that the table content is synchronized across the blockchain network and the consistency and security of the tables in the blockchain are guaranteed.
Optionally, the method further includes:
the permission table is located in a block of the blockchain;
when the permission table is updated, the updated permission table takes effect in the block following the current block.
In one aspect, an embodiment of the present invention provides a blockchain permission control device, in which each block of the blockchain stores the ledger in the form of tables. The device includes:
an obtaining module, configured to obtain a transaction request, the transaction request including transaction information and a transaction account;
an analysis module, configured to determine, according to the transaction information, a table to be operated and the operation content on the table to be operated, the table to be operated being located in a block of the blockchain;
a screening module, configured to determine, from a preset permission table, the permission account corresponding to the table to be operated;
a control module, configured to execute the operation content on the table to be operated when it is determined that the transaction account matches the permission account corresponding to the table to be operated.
Optionally, the table to be operated is a system table or a user table; the system table is used to control the system functions of the blockchain, and the user table is used to control the business functions of the blockchain.
Optionally, the screening module is further configured to:
determine, before determining the permission account corresponding to the table to be operated from the preset permission table, that the operation content is a write operation.
Optionally, the control module is further configured to:
generate, after executing the operation content on the table to be operated, an operation record of the table to be operated, the operation record including the identifier of the table to be operated, the operation content and the transaction account;
send the operation record of the table to be operated to the other network nodes in the blockchain network, so that the other network nodes determine, from the permission table and according to the identifier of the table to be operated, the permission account corresponding to the table to be operated, and execute the operation content on the table to be operated when they determine that the transaction account matches the permission account corresponding to the table to be operated.
Optionally, the screening module is further configured to:
when the permission table is updated, apply the updated permission table from the block following the current block, the permission table being located in a block of the blockchain.
In one aspect, an embodiment of the present invention provides a computer device including at least one processing unit and at least one storage unit, wherein the storage unit stores a computer program which, when executed by the processing unit, causes the processing unit to execute the steps of the blockchain permission control method.
In one aspect, an embodiment of the present invention provides a computer-readable medium storing a computer program executable by a computer device; when the program runs on the computer device, it causes the computer device to execute the steps of the blockchain permission control method.
In one aspect, an embodiment of the present invention provides a computer program product comprising a computer program stored on a computer-readable medium, the computer program including program instructions which, when executed by a computer device, cause the computer device to execute the steps of the blockchain permission control method.
In the embodiments of the present invention, because the permission table is set in advance and stores each account's permissions on the tables in the blockchain, when a transaction account initiates a transaction that needs to operate on a table in the blockchain, the operation permission can be determined by querying the permission table before the operation is executed on the table, thereby achieving permission control of the blockchain. Because the specific permissions of an account can be set freely in the permission table and added or removed as actually needed, control of account permissions is more fine-grained than role-based permission control, and account permissions are also easier to manage. Secondly, because the data in the blockchain is stored in the form of tables rather than in a Merkle tree, operating on the tables in the blockchain according to the account permissions in the permission table works better than applying the role-based permission control method directly to the tables in the blockchain.
Description of the drawings
In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a blockchain permission control method provided by an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a blockchain permission control method provided by an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a blockchain permission control method provided by an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a blockchain permission control device provided by an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a computer device provided by an embodiment of the present invention.
Detailed description
In order to make the objectives, technical solutions and beneficial effects of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention and not to limit it.
For ease of understanding, the terms involved in the embodiments of the present invention are explained below.
Blockchain: a blockchain is a new kind of distributed infrastructure and computing paradigm that uses a chained block data structure to verify and store data, a distributed node consensus algorithm to generate and update data, cryptography to secure data transmission and access, and smart contracts composed of automated script code to program and manipulate data.
Consortium chain: a consortium chain sits between a public chain and a private chain; several organizations jointly maintain one blockchain, there is an admission mechanism, and the generation of each block is decided by preselected nodes.
Smart contract: a smart contract is a service program written in the Solidity language that implements specific logic; it is published on the consortium chain in binary form for the contract participants to call and execute on the consortium chain.
Permission control: a mechanism for controlling access to blockchain functions by controlling the permission to access the blockchain. For example, against the background of the distributed storage of the FISCO BCOS consortium chain platform, access to blockchain functions is controlled by controlling the permission to access the tables in the blockchain.
The blockchain permission control method in the embodiments of the present invention can be applied to a blockchain network scenario. Exemplarily, the consortium chain network shown in FIG. 1 includes multiple network nodes 101, each of which includes a blockchain permission control device. A network node 101 may be one server or a server cluster composed of several servers, and the network nodes 101 are connected through a wireless network. Each of the organizations maintaining the consortium chain corresponds to one or more network nodes 101, and the tables in the network nodes 101 of the consortium chain are synchronized in real time. For each network node, the organization initiates a transaction request through a transaction account at the network node 101. After receiving the transaction request, the network node 101 determines, according to the transaction information, the table to be operated and the operation content on the table to be operated. It then determines from the preset permission table the permission account corresponding to the table to be operated and, when it determines that the transaction account matches that permission account, executes the operation content on the table to be operated. The network node 101 then generates an operation record of the table to be operated and sends it to the other network nodes 101 in the blockchain network; the operation record includes the identifier of the table to be operated, the operation content and the transaction account. The other network nodes 101 determine, from the permission table and according to the identifier of the table to be operated, the permission account corresponding to the table to be operated, and execute the operation content on the table to be operated when they determine that the transaction account matches that permission account.
Based on the application scenario shown in FIG. 1, an embodiment of the present invention provides a flow of a blockchain permission control method, which can be executed by a blockchain permission control device. As shown in FIG. 2, it includes the following steps:
Step S201: obtain a transaction request.
Specifically, the transaction request is initiated by a transaction account and includes transaction information and the transaction account. Different transactions carry different transaction information; for example, when the transaction request is to deploy a contract, the transaction information is the names of the tables involved in deploying the contract, the contract-related data, and so on.
Step S202: determine, according to the transaction information, the table to be operated and the operation content on the table to be operated.
The table to be operated is located in a block of the blockchain, and different transaction information corresponds to different tables to be operated. The table to be operated can be a system table or a user table; system tables control the system functions of the blockchain and user tables control its business functions. As shown in FIG. 3, the transaction account operates on the system tables of the blockchain according to the permissions in the permission table to control the system functions of the blockchain, and operates on the user tables of the blockchain according to the permissions in the permission table to control the business functions of the blockchain.
Specifically, the system tables include the _sys_tables_ table, the _sys_cns_ table, the _sys_miners_ table, the _sys_config_ table, the _sys_table_access_ table, and so on.
The _sys_tables_ table stores the field definitions of all tables in the blockchain system; the field information of a table must be stored in the _sys_tables_ table before the table can be created. Deploying a contract requires creating a contract table, and a contract that operates on a user table requires that user table to be created first. Therefore, applying permission control to the _sys_tables_ table controls contract deployment and user table creation.
The _sys_cns_ table stores the CNS information of contracts deployed in the blockchain through the Contract Name Service (CNS). The CNS information includes the contract name, the contract version number, the contract deployment address and the contract's application binary interface (ABI). Deploying a contract through CNS requires writing the CNS information into the _sys_cns_ table. Therefore, applying permission control to the _sys_cns_ table controls whether an account has the permission to deploy contracts through CNS.
The _sys_miners_ table stores the type information of all nodes in the blockchain. There are three types of nodes in the blockchain network: accounting nodes, observer nodes and free nodes. Conversion between these three node types is implemented by operating on the _sys_miners_ table. Therefore, applying permission control to the _sys_miners_ table controls blockchain node type conversion.
The _sys_config_ table stores the system configuration of the blockchain, for example tx_count_limit (the maximum number of transactions in a block) and tx_gas_limit (the gas limit of a transaction). Therefore, applying permission control to the _sys_config_ table controls the permission to set the system configuration.
User tables are business-related tables; applying permission control to each user table finely controls the related business function. Exemplarily, user table 1 is the operating user table of contract A and contains the list of users who may operate contract A. Exemplarily, user table 2 is the user table of a loan business and contains the list of users who may use the loan business.
Step S203: determine, from the preset permission table, the permission account corresponding to the table to be operated.
Specifically, the permission table stores the permission settings and is itself a kind of system table. Before the consortium chain is formed, the rules for using permission control are determined. For example, a management node can be elected from the blockchain network and the account corresponding to the management node designated as the administrator account; only the administrator account can use the permission setting function, and non-administrator accounts cannot. To set an account's permission on a table, a permission record corresponding to that account is added to the permission table. Optionally, the permission table is located in a block of the blockchain, and when the permission table is updated, the updated permission table takes effect in the block following the current block. For example, when a new permission record is added to the permission table, a new block is generated after the current block and the new permission record is stored in the block body of the new block. Likewise, when permission record A in the permission table is modified, a new block is generated after the current block and the modified permission record A is stored in the block body of the new block.
Exemplarily, an embodiment of the present invention provides an example of a permission table, as shown in Table 1:
Table 1.

Field        Type     Nullable   Primary key   Description
table_name   string   No         Yes           Table name
address      string   No         No            Account address
enable_num   string   No         No            Effective block height
_status_     string   No         No            Status field
As Table 1 shows, a permission record in the permission table comprises a table name, an account name (the address field), an effective block height and a status field. The effective block height is the block position at which the permission record takes effect in the blockchain; a status field of "0" means the record is in force, and a status field of "1" means the record has been revoked.
In a specific implementation, the permission table is operated through a preset permission contract interface, which includes an insert interface, a remove interface and a queryByName interface, among others. The insert interface creates a permission record from a table name and an account address and returns the number of records set; the record is stored in the permission table, and setting the same permission record again is refused by returning 0 directly. The remove interface removes the permission record identified by a table name and an account address and returns the number of records removed; removing a record sets its _status_ field from "0" to "1", and removing the same record again is refused by returning 0 directly. The queryByName interface looks up the permission records set for a table name and returns them as a JSON string; it is used to query permission records.
For users, a permission control API on the blockchain-adapted Java SDK side is provided for developers, and a command-line tool is provided for operators. The Java SDK API and the command-line tool commands are as follows:
String add: this API calls the insert interface of the permission contract to set permission information. The corresponding command is addAuthority (abbreviated aa); its parameters are the table name and the account address.
String remove: this API calls the remove interface of the permission contract to remove a permission record. The corresponding command is removeAuthority (abbreviated ra); its parameters are the table name and the account address.
List query: this API calls the queryByName interface of the permission contract to query permission information. The corresponding command is queryAuthority (abbreviated qa); its parameter is the table name.
Step S204: When the transaction account is determined to match the authority account corresponding to the table to be operated, execute the operation content in the table to be operated.
In one possible implementation, when the operation content is a write operation, the authority account corresponding to the table to be operated is determined from the preset permission table, and the write operation is executed in that table once the transaction account is determined to match that authority account; when the operation content is a read operation, the read operation is executed in the table to be operated directly. As an example, suppose transaction account 1 needs to deploy a HelloWorld contract. The network node receives a transaction request containing transaction account 1 and the content of the HelloWorld contract. When the node determines from the transaction information that transaction account 1 needs to write the content of the HelloWorld contract into the _sys_tables_ table, it queries the permission records of the _sys_tables_ table from the permission table to determine the authority accounts of _sys_tables_. If the authority accounts include transaction account 1, the content of the HelloWorld contract is written into _sys_tables_; otherwise the write is refused. When the node determines from the transaction information that transaction account 1 needs to read the content of the _sys_tables_ table, it reads that content directly.
In another possible implementation, when the operation content is a write operation or a read operation, the authority account corresponding to the table to be operated is determined from the preset permission table, and the write or read operation is executed in that table once the transaction account is determined to match that authority account. Specifically, a permission table for read operations and a permission table for write operations can be preset. When the operation content is a write operation, the authority account for the table to be operated is determined from the write permission table, and the write is executed once the transaction account matches it; when the operation content is a read operation, the authority account is determined from the read permission table, and the read is executed once the transaction account matches it.
Because the permission table is preset and records each account's permissions on the tables in the blockchain, when a transaction account initiates a transaction that needs to operate on a table in the blockchain, the operation permission can be determined by querying the permission table before the operation is executed, which implements permission control on the blockchain. Because an account's specific permissions can be set freely in the permission table and added or removed as actually needed, the control of account permissions is more fine-grained than role-based permission control, and account permissions are easier to manage. Secondly, because the data in the blockchain is stored in the form of tables rather than in Merkle-tree form, operating on the tables in the blockchain according to the account permissions in the permission table works better than operating on them with a directly role-based permission control method.
Optionally, after the operation content is executed in the table to be operated, an operation record of that table is generated, comprising the identifier of the table to be operated, the operation content and the transaction account, and the operation record is sent to the other network nodes in the blockchain network. The other network nodes determine, according to the table identifier, the authority account corresponding to the table from the permission table, and execute the operation content in that table once the transaction account is determined to match the authority account.
In a specific implementation, the tables of all network nodes in the blockchain network are synchronized in real time. When one network node performs a write operation on the table to be operated and changes its content, the changed content must be synchronized to the other network nodes in the blockchain network. When the other nodes receive the operation record of the table, they first verify that the operation record is legitimate: according to the table identifier in the operation record, they determine the authority account corresponding to the table from the permission table, and the record is judged legitimate when the transaction account matches that authority account. Only then is the operation content executed in the table. This synchronizes table content across the blockchain network and ensures the consistency and security of the tables in the blockchain.
To better explain the embodiments of the present invention, a blockchain permission control method provided by an embodiment is described below in combination with a specific implementation scenario. The method is executed by a network node and, as shown in FIG. 4, comprises the following steps:
Step S401: Obtain a transaction request of a transaction account.
Step S402: Determine the table to be operated and the operation content according to the transaction request.
The table to be operated can be a system table or a user table.
Step S403: Judge whether the operation content is a write operation; if not, execute step S404, otherwise execute step S405.
Step S404: Obtain the query result.
Step S405: Judge whether there is a cached permission record; if so, execute step S406, otherwise execute step S409.
Specifically, once a permission record has been queried from the permission table, it can be cached, so that a later request to look up that record can be served directly from the cache instead of querying the permission table every time, which improves query efficiency.
Step S406: Judge whether the transaction account has permission; if so, execute step S407, otherwise execute step S408.
Step S407: Execute the write operation.
Step S408: Refuse the write operation.
Step S409: Query the permission table.
The following example is described in combination with a specific implementation scenario. For a system table, suppose transaction account 1 has been granted write permission on _sys_tables_ in advance through the command tool aa. The network node receives a transaction request in which transaction account 1 deploys the HelloWorld contract; the contract deployment transaction needs to write to the _sys_tables_ table. The node queries the permission records of the _sys_tables_ table in the permission table and determines the authority accounts of _sys_tables_ from those records. It then compares transaction account 1 with the authority accounts of _sys_tables_; when the comparison shows that transaction account 1 is an authority account of _sys_tables_, the relevant content of the HelloWorld contract is written into _sys_tables_ and the contract is deployed successfully. When the node receives a transaction request in which transaction account 2 deploys the HelloWorld contract, the deployment transaction again needs to write to _sys_tables_. The node queries the permission records of _sys_tables_ in the permission table, determines the authority accounts of _sys_tables_ from them, and compares transaction account 2 with those accounts; when the comparison shows that transaction account 2 is not an authority account of _sys_tables_, transaction account 2 is not allowed to write the content of the HelloWorld contract into _sys_tables_, and the contract deployment fails.
For a user table, suppose transaction account 2 has been granted write permission on user table A in advance through the command tool aa, where user table A is the operating-user table of the HelloWorld contract. The network node receives a transaction request in which transaction account 2 adds mm as an operating user of the HelloWorld contract, which requires writing to user table A. The node queries the permission records of user table A in the permission table and determines the authority accounts of user table A from them. It then compares transaction account 2 with the authority accounts of user table A; when the comparison shows that transaction account 2 is an authority account of user table A, the information of user mm is written into user table A. When the node receives a transaction request in which transaction account 3 adds nn as an operating user of the HelloWorld contract, user table A again needs to be written. The node queries the permission records of user table A, determines its authority accounts, and compares transaction account 3 with them; when the comparison shows that transaction account 3 is not an authority account of user table A, the addition fails.
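The permission-table interfaces (insert, remove, queryByName), the next-block effectivity rule of Table 1 and the write check of steps S403 to S409, modelled in Python as an added example; this is not the patent's own code nor any project's implementation. It assumes the chain is a simple block-height counter, that a record written while block N is built gets enable_num N+1, that revocation takes effect immediately (a simplification), and that a table with no matching in-force record refuses writes, which is how the scenarios above read.

```python
import json
from dataclasses import dataclass, asdict
from typing import Dict, List


@dataclass
class PermissionRecord:
    """One row of the permission table (fields as in Table 1)."""
    table_name: str
    address: str
    enable_num: int       # block height at which the record takes effect
    _status_: str = "0"   # "0" = in force, "1" = revoked


class PermissionTable:
    """Models the permission table and the insert / remove / queryByName interfaces.

    Assumption (not from the patent): the chain is a block-height counter; a record
    written while block N is being built has enable_num N+1.  Revocation is modelled
    as taking effect immediately, which is a simplification.
    """

    def __init__(self) -> None:
        self.records: List[PermissionRecord] = []
        self.current_block = 0
        # Step S405: cache of permission records already looked up, keyed by table name.
        self.cache: Dict[str, List[PermissionRecord]] = {}

    def insert(self, table_name: str, address: str) -> int:
        """Set a permission record; a duplicate in-force record is refused (returns 0)."""
        for rec in self.records:
            if rec.table_name == table_name and rec.address == address and rec._status_ == "0":
                return 0
        self.records.append(PermissionRecord(table_name, address, self.current_block + 1))
        self.cache.pop(table_name, None)   # the cached view of this table is now stale
        return 1

    def remove(self, table_name: str, address: str) -> int:
        """Revoke a record by setting _status_ from "0" to "1"; a repeat returns 0."""
        for rec in self.records:
            if rec.table_name == table_name and rec.address == address and rec._status_ == "0":
                rec._status_ = "1"
                self.cache.pop(table_name, None)
                return 1
        return 0

    def query_by_name(self, table_name: str) -> str:
        """Return every record set for the table as a JSON string."""
        return json.dumps([asdict(r) for r in self.records if r.table_name == table_name])

    def seal_block(self) -> None:
        """Finish the current block; records written into it take effect from here on."""
        self.current_block += 1

    def authority_accounts(self, table_name: str) -> List[str]:
        """Authority accounts of a table: in-force records whose block height is reached."""
        if table_name not in self.cache:                     # cache miss: step S409
            self.cache[table_name] = [r for r in self.records if r.table_name == table_name]
        return [r.address for r in self.cache[table_name]
                if r._status_ == "0" and r.enable_num <= self.current_block]


def authorize(perm: PermissionTable, tx_account: str, table_name: str, op: str) -> bool:
    """Steps S403-S408: reads are served directly; a write is executed only when the
    transaction account is among the table's authority accounts, otherwise refused."""
    if op == "read":
        return True
    return tx_account in perm.authority_accounts(table_name)


def demo() -> PermissionTable:
    """Replays the _sys_tables_ and user-table-A scenarios with constructed account names."""
    perm = PermissionTable()
    # Operator runs "aa _sys_tables_ account1" and "aa user_table_A account2".
    assert perm.insert("_sys_tables_", "account1") == 1
    assert perm.insert("_sys_tables_", "account1") == 0      # duplicate refused
    assert perm.insert("user_table_A", "account2") == 1
    # Within the block that carries the new records they are not yet in force.
    assert not authorize(perm, "account1", "_sys_tables_", "write")
    perm.seal_block()
    # Account 1 may deploy HelloWorld (write to _sys_tables_); account 2 may not.
    assert authorize(perm, "account1", "_sys_tables_", "write")
    assert not authorize(perm, "account2", "_sys_tables_", "write")
    assert authorize(perm, "account2", "_sys_tables_", "read")  # reads need no record
    # Account 2 may add user mm to user table A; account 3 may not add nn.
    assert authorize(perm, "account2", "user_table_A", "write")
    assert not authorize(perm, "account3", "user_table_A", "write")
    # Revoking account 1, then trying to revoke it again.
    assert perm.remove("_sys_tables_", "account1") == 1
    assert perm.remove("_sys_tables_", "account1") == 0
    assert not authorize(perm, "account1", "_sys_tables_", "write")
    return perm


if __name__ == "__main__":
    demo()
    print("permission checks behave as described")
```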
In the embodiment of the present invention, because the permission table is preset and records each account's permissions on the tables in the blockchain, when a transaction account initiates a transaction that needs to operate on a table in the blockchain, the operation permission can be determined by querying the permission table before the operation is executed, which implements permission control on the blockchain. Because an account's specific permissions can be set freely in the permission table and added or removed as actually needed, the control of account permissions is more fine-grained than role-based permission control, and account permissions are easier to manage. Secondly, because the data in the blockchain is stored in the form of tables rather than in Merkle-tree form, operating on the tables in the blockchain according to the account permissions in the permission table works better than operating on them with a directly role-based permission control method.
Based on the same technical concept, an embodiment of the present invention provides a blockchain permission control device. As shown in FIG. 5, the device 500 comprises:
an obtaining module 501, configured to obtain a transaction request, the transaction request comprising transaction information and a transaction account;
an analysis module 502, configured to determine, according to the transaction information, the table to be operated and the operation content in that table, the table to be operated being located in a block of the blockchain;
a screening module 503, configured to determine, from a preset permission table, the authority account corresponding to the table to be operated;
a control module 504, configured to execute the operation content in the table to be operated when the transaction account is determined to match the authority account corresponding to that table.
Optionally, the table to be operated is a system table or a user table; the system table is used to control system functions of the blockchain, and the user table is used to control business functions of the blockchain.
Optionally, the screening module 503 is further configured to:
determine that the operation content is a write operation before determining, from the preset permission table, the authority account corresponding to the table to be operated.
Optionally, the control module 504 is further configured to:
after executing the operation content in the table to be operated, generate an operation record of that table, the operation record comprising the identifier of the table to be operated, the operation content and the transaction account;
send the operation record of the table to be operated to the other network nodes in the blockchain network, so that the other network nodes determine, according to the table identifier, the authority account corresponding to the table from the permission table, and execute the operation content in that table when the transaction account is determined to match that authority account.
Optionally, the screening module 503 is further configured to:
when the permission table is updated, have the updated permission table take effect in the block following the current block, the permission table being located in a block of the blockchain.
Based on the same technical concept, an embodiment of the present invention provides a computer device which, as shown in FIG. 6, comprises at least one processor 601 and a memory 602 connected to the at least one processor. The embodiment does not limit the specific connection medium between the processor 601 and the memory 602; in FIG. 6 the processor 601 and the memory 602 are connected by a bus, as an example. The bus can be divided into an address bus, a data bus, a control bus and so on.
In the embodiment of the present invention, the memory 602 stores instructions executable by the at least one processor 601, and by executing the instructions stored in the memory 602 the at least one processor 601 can perform the steps included in the blockchain permission control method described above.
The processor 601 is the control center of the computer device; it connects the parts of the computer device through various interfaces and lines, and controls permissions by running or executing the instructions stored in the memory 602 and calling the data stored in the memory 602. Optionally, the processor 601 may comprise one or more processing units and may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It will be understood that the modem processor need not be integrated into the processor 601. In some embodiments the processor 601 and the memory 602 may be implemented on the same chip; in others they may be implemented on separate chips.
The processor 601 may be a general-purpose processor, such as a central processing unit (CPU), a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present invention may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
The memory 602, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs and modules. The memory 602 may comprise at least one type of storage medium, for example flash memory, a hard disk, a multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, a magnetic disk, an optical disc and so on. The memory 602 is any medium that can carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 602 in the embodiment of the present invention may also be a circuit or any other device capable of providing a storage function, for storing program instructions and/or data.
Based on the same inventive concept, an embodiment of the present invention provides a computer-readable medium storing a computer program executable by a computer device; when the program runs on the computer device, it causes the computer device to perform the steps of the blockchain permission control method.
Based on the same inventive concept, an embodiment of the present invention provides a computer program product comprising a computer program stored on a computer-readable medium; the computer program comprises program instructions which, when executed by a computer device, cause the computer device to perform the steps of the blockchain permission control method.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be interpreted as covering the preferred embodiments and all changes and modifications falling within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, provided these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.

Claims (11)

  1. A permission control method for a blockchain, characterized in that each block in the blockchain stores a ledger in the form of tables, and the method includes:
    acquiring a transaction request, the transaction request including transaction information and a transaction account;
    determining, according to the transaction information, a table to be operated and the operation content in the table to be operated, the table to be operated being located in a block of the blockchain;
    determining, from a preset permission table, the permission account corresponding to the table to be operated;
    when it is determined that the transaction account matches the permission account corresponding to the table to be operated, executing the operation content in the table to be operated.
  2. The method according to claim 1, characterized in that the table to be operated is a system table or a user table, the system table being used to control the system functions of the blockchain and the user table being used to control the business functions of the blockchain.
  3. The method according to claim 1, characterized in that, before determining from the preset permission table the permission account corresponding to the table to be operated, the method includes:
    determining that the operation content is a write operation.
  4. The method according to claim 1, characterized in that, after executing the operation content in the table to be operated, the method further includes:
    generating an operation record of the table to be operated, the operation record including an identifier of the table to be operated, the operation content and the transaction account;
    sending the operation record of the table to be operated to other network nodes in the blockchain network, so that the other network nodes determine, from the permission table and according to the identifier of the table to be operated, the permission account corresponding to the table to be operated, and, when it is determined that the transaction account matches the permission account corresponding to the table to be operated, execute the operation content in the table to be operated.
  5. The method according to any one of claims 1 to 4, characterized in that it further includes:
    the permission table is located in a block of the blockchain;
    when the permission table is updated, the updated permission table takes effect in the block following the current block.
  6. A permission control device for a blockchain, characterized in that each block in the blockchain stores a ledger in the form of tables, and the device includes:
    an acquisition module, used to acquire a transaction request, the transaction request including transaction information and a transaction account;
    an analysis module, used to determine, according to the transaction information, a table to be operated and the operation content in the table to be operated, the table to be operated being located in a block of the blockchain;
    a screening module, used to determine, from a preset permission table, the permission account corresponding to the table to be operated;
    a control module, used to execute the operation content in the table to be operated when it is determined that the transaction account matches the permission account corresponding to the table to be operated.
  7. The device according to claim 6, characterized in that the table to be operated is a system table or a user table, the system table being used to control the system functions of the blockchain and the user table being used to control the business functions of the blockchain.
  8. The device according to claim 6, characterized in that the screening module is further used to:
    before determining from the preset permission table the permission account corresponding to the table to be operated, determine that the operation content is a write operation.
  9. A computer device, characterized by including at least one processing unit and at least one storage unit, wherein the storage unit stores a computer program which, when executed by the processing unit, causes the processing unit to execute the steps of the method according to any one of claims 1 to 5.
  10. A computer-readable medium, characterized in that it stores a computer program executable by a computer device which, when run on the computer device, causes the computer device to execute the steps of the method according to any one of claims 1 to 5.
  11. A computer program product, characterized in that the computer program product includes a computer program stored on a computer-readable medium, the computer program including program instructions which, when executed by a computer device, cause the computer device to execute the steps of the method according to any one of claims 1 to 5.
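The procedure of claims 1 to 5 (write-only gating, lookup of the permission account in an on-chain permission table, replication of the operation record to peers that re-verify it, and a permission-table update that only takes effect in the following block), as an added illustration in Python. This is not code from the patent or from the applicant; the class and method names, the `_sys_permissions` table name, the in-memory block model and the sample accounts and tables are all assumptions made for the example.

```python
# Added example (not the patent's or the applicant's code): a toy in-memory model
# of the table-based permission check in claims 1-5. Class and field names, the
# "_sys_permissions" table name and the sample accounts/tables are assumptions.
from __future__ import annotations
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PERM_TABLE = "_sys_permissions"   # assumed name of the on-chain permission table


@dataclass
class Tx:
    account: str                  # transaction account (assumed already signature-verified)
    table: str                    # table to be operated
    op: str                       # "read" or "write"
    row: Optional[dict] = None    # operation content for a write


@dataclass
class OpRecord:                   # claim 4: table id, operation content, transaction account
    table: str
    row: dict
    account: str


@dataclass
class Block:
    height: int
    tables: Dict[str, List[dict]] = field(default_factory=dict)
    permissions: Dict[str, Set[str]] = field(default_factory=dict)  # table -> writers


class Node:
    def __init__(self, genesis_perms: Dict[str, Set[str]]):
        self.chain: List[Block] = [Block(0, {}, deepcopy(genesis_perms))]
        self.pending = self._next_block()

    def _next_block(self) -> Block:
        last = self.chain[-1]
        return Block(last.height + 1, deepcopy(last.tables), deepcopy(last.permissions))

    def effective_permissions(self) -> Dict[str, Set[str]]:
        # Claim 5: a permission table written in block N governs block N+1 onward,
        # so checks read the last committed block, never the block being built.
        return self.chain[-1].permissions

    def authorized(self, table: str, account: str) -> bool:
        return account in self.effective_permissions().get(table, set())

    def _apply(self, table: str, row: dict) -> None:
        if table == PERM_TABLE:   # a grant row updates the pending block's permission table
            self.pending.permissions.setdefault(row["table"], set()).add(row["account"])
        else:
            self.pending.tables.setdefault(table, []).append(dict(row))

    def process(self, tx: Tx) -> Tuple[bool, Optional[OpRecord]]:
        """Claims 1 and 3: reads need no permission lookup; a write is executed only
        when the account matches the table's permission account, yielding an op record."""
        if tx.op == "read":
            return True, None
        if tx.op != "write" or tx.row is None:
            raise ValueError("malformed transaction")
        if not self.authorized(tx.table, tx.account):
            return False, None
        self._apply(tx.table, tx.row)
        return True, OpRecord(tx.table, dict(tx.row), tx.account)

    def receive(self, rec: OpRecord) -> bool:
        """Claim 4: a peer re-checks the record against its own permission table
        rather than trusting the sending node, then executes it."""
        if not self.authorized(rec.table, rec.account):
            return False
        self._apply(rec.table, rec.row)
        return True

    def commit(self) -> Block:
        self.chain.append(self.pending)
        self.pending = self._next_block()
        return self.chain[-1]

    def rows(self, table: str) -> List[dict]:
        return self.pending.tables.get(table, [])


def demo() -> Dict[str, bool]:
    perms = {PERM_TABLE: {"admin"}, "t_account": {"admin"}}   # constructed genesis
    a, b = Node(perms), Node(perms)                          # two nodes, same genesis
    out: Dict[str, bool] = {}
    out["denied"] = not a.process(Tx("alice", "t_account", "write", {"id": 1}))[0]
    grant = Tx("admin", PERM_TABLE, "write", {"table": "t_account", "account": "alice"})
    ok, rec = a.process(grant)
    out["grant_ok"] = ok and b.receive(rec)
    # the grant sits in the pending block, so alice is still refused in this block
    out["still_denied"] = not a.process(Tx("alice", "t_account", "write", {"id": 1}))[0]
    a.commit()
    b.commit()
    ok, rec = a.process(Tx("alice", "t_account", "write", {"id": 1}))
    out["allowed_next_block"] = ok
    out["peer_applied"] = b.receive(rec)
    # a record carrying an account the permission table does not list is rejected by peers
    out["forged_rejected"] = not b.receive(OpRecord("t_account", {"id": 2}, "mallory"))
    out["replicated"] = a.rows("t_account") == b.rows("t_account") == [{"id": 1}]
    return out


if __name__ == "__main__":
    print(demo())
```

Two points the toy makes visible: the match in claim 1 is only as strong as the binding between the request and the transaction account, so `process` assumes the account was established by signature verification before it is called; and because every peer in claim 4 repeats the lookup against its own copy of the permission table, a record that a single node lets through without authorization is not replicated by honest nodes.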
PCT/CN2020/076086 2019-03-05 2020-02-20 Blockchain authority control method and device WO2020177548A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910163011.4 2019-03-05
CN201910163011.4A CN110008665B (en) 2019-03-05 2019-03-05 Authority control method and device for blockchain

Publications (1)

Publication Number Publication Date
WO2020177548A1 true WO2020177548A1 (en) 2020-09-10

Family

ID=67166331

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/076086 WO2020177548A1 (en) 2019-03-05 2020-02-20 Blockchain authority control method and device

Country Status (2)

Country Link
CN (1) CN110008665B (en)
WO (1) WO2020177548A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117709947A (en) * 2024-02-05 2024-03-15 广东通莞科技股份有限公司 POS machine settlement authority management method based on blockchain

Families Citing this family (4)

Publication number Priority date Publication date Assignee Title
CN110008665B (en) * 2019-03-05 2024-02-06 深圳前海微众银行股份有限公司 Authority control method and device for blockchain
CN112468525B (en) * 2019-09-06 2022-06-28 傲为有限公司 Domain name management system based on block chain
CN113761581A (en) * 2021-09-24 2021-12-07 支付宝(杭州)信息技术有限公司 Authority control method and device in block chain and electronic equipment
CN115001718B (en) * 2022-08-04 2023-01-20 树根格致科技(湖南)有限公司 Data processing method and device, computer equipment and readable storage medium

Citations (5)

Publication number Priority date Publication date Assignee Title
CN107911373A (en) * 2017-11-24 2018-04-13 中钞信用卡产业发展有限公司杭州区块链技术研究院 A kind of block chain right management method and system
CN108012582A (en) * 2017-08-18 2018-05-08 达闼科技成都有限公司 block chain system and authority management method thereof
CN109087214A (en) * 2018-07-23 2018-12-25 江苏恒宝智能系统技术有限公司 A kind of natural gas life payment management system based on block chain
CN109344631A (en) * 2018-09-18 2019-02-15 百度在线网络技术(北京)有限公司 The data modification and block verification method, device, equipment and medium of block chain
CN110008665A (en) * 2019-03-05 2019-07-12 深圳前海微众银行股份有限公司 A kind of authority control method and device of block chain

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
CN106796685A (en) * 2016-12-30 2017-05-31 深圳前海达闼云端智能科技有限公司 Block chain authority control method and device and node equipment
CN109241365B (en) * 2018-08-23 2020-11-20 泰链(厦门)科技有限公司 Block chain system construction method, medium, computer equipment and block chain system

Cited By (2)

Publication number Priority date Publication date Assignee Title
CN117709947A (en) * 2024-02-05 2024-03-15 广东通莞科技股份有限公司 POS machine settlement authority management method based on blockchain
CN117709947B (en) * 2024-02-05 2024-04-19 广东通莞科技股份有限公司 POS machine settlement authority management method based on blockchain

Also Published As

Publication number Publication date
CN110008665A (en) 2019-07-12
CN110008665B (en) 2024-02-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20766601

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 19.01.2022)

122 Ep: pct application non-entry in european phase

Ref document number: 20766601

Country of ref document: EP

Kind code of ref document: A1