WO2023236637A1 - Data management method and device - Google Patents

Publication number
WO2023236637A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
request
access request
attribute value
authentication
Application number
PCT/CN2023/085907
Inventor
黄爽
王海靖
Original Assignee
华为云计算技术有限公司
Application filed by 华为云计算技术有限公司

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22: Indexing; Data structures therefor; Storage structures
    • G06F16/24: Querying
    • G06F16/242: Query formulation

Definitions

  • the present application relates to the field of data management technology, and in particular to a data management method and device.
  • the database includes multiple data sets.
  • a data set consists of multiple data subsets.
  • data of multiple users or user groups are usually stored in the database, and data of different users or user groups are stored in different data subsets of the database.
  • When the data tables include multiple data rows and the data of different users or user groups is stored in different data rows, each user must be restricted to writing and reading only their own data rows.
  • After creating a data set, security administrators need to configure a large number of authentication rules for the data set based on users. After the database receives an access request, it determines, from that large number of authentication rules, which authentication rule to use to authenticate the access request. When the access request complies with the authentication rules, it is allowed to access the data subset; when it does not comply, it is not allowed to access the data subset.
  • This application provides a data management method and device. This application does not require the security administrator to configure authentication rules for each user, which effectively improves the efficiency of configuring authentication rules, thereby improving the efficiency of data management.
  • the technical solutions provided by this application are as follows:
  • this application provides a data management method.
  • the method includes: receiving a target access request sent by the first client.
  • the target access request is used to request access to a data set.
  • the data set has multiple attributes.
  • the data subset in the data set includes attribute values corresponding to the multiple attributes.
  • the access type of the target access request includes writing data and/or reading data.
  • the method further includes: obtaining the authentication rules of the data set. The authentication rules indicate: for any access request requesting access to the data set, when the first attribute value of the access request and the second attribute value of any data subset involved in the access request satisfy the preset rules, the access request is granted permission to access that data subset.
  • the first attribute value is the attribute value, corresponding to the authentication keyword, of the user information of the access request.
  • the second attribute value is the attribute value of the data subset corresponding to the authentication keyword.
  • the authentication keyword is used to indicate one or more of the multiple attributes.
  • the method further includes: obtaining the first attribute value of the target access request based on the user information of the target access request; authenticating the target access request based on the authentication rules, the target data subset involved in the target access request, and the first attribute value; and returning a response to the target access request.
  • the data subset involved in the access request is the data subset written by the write data request.
  • the data subset involved in the access request is the data subset in the data set read by the read data request.
  • Authentication rules indicate the rules to be followed to authenticate access requests requesting access to the data set.
  • the preset rule is the condition that the first attribute value and the second attribute value need to meet when the access request has access permission.
  • the preset rule may be that the first attribute value and the second attribute value are equal.
  • the user's access behavior can be based on the preset rules.
  • the authentication rules in this solution are general rules applicable to all data subsets in the data set.
  • the authentication rules consist of authentication keywords and corresponding preset rules, instead of specific permission rules set for each data subset. Therefore, this solution does not require the security administrator to configure access permission rules for each data subset, which effectively improves the efficiency of configuring authentication rules, thereby improving the efficiency of data management.
  • the process of authenticating a target access request is a process of determining whether the second attribute value corresponding to the authentication keyword of the target data subset involved in the target access request and the first attribute value of the target access request satisfy the preset rules.
  • authenticating the target access request based on the authentication rules, the target data subset involved in the target access request, and the first attribute value includes: obtaining the second attribute value of the target data subset from the target data subset; when the first attribute value of the target access request and the second attribute value of the target data subset satisfy the preset rules, granting the target access request permission to access the target data subset; and when the first attribute value of the target access request and the second attribute value of the target data subset do not satisfy the preset rules, not granting the target access request permission to access the target data subset.
  • the authentication keyword includes at least one of a user name, a user group name, and a role of the user.
  • the authentication keyword can be the server's default.
  • the authentication keyword may be specified by the user.
  • the server can specify the authentication content, the user can specify the attribute keyword used to represent the authentication content, and the server can determine the attribute keyword used to represent the authentication content as the authentication keyword.
  • obtaining the first attribute value of the target access request based on the user information of the target access request includes: querying the pre-stored relationship information based on the user information of the target access request, and obtaining the third attribute value in the relationship information that corresponds to the user information of the target access request and to the authentication keyword; and determining the third attribute value as the first attribute value of the target access request.
  • the pre-stored relationship information may include relevant information of all users who may initiate access to the data set in the server.
  • the relationship information records the standard attribute values of each user corresponding to the multiple attributes.
  • the server can query the relationship information according to the access request and obtain the third attribute value that belongs to the user who sent the target access request and is used to indicate the authentication keyword.
  • the implementation process can be implemented by authenticating the access request.
  • the user can specify the attribute keyword used to represent the authentication content in the maintenance request.
  • the data management method further includes: receiving a maintenance request sent by the second client, where the maintenance request is used to request maintenance of the data set and carries an attribute keyword indicating the authentication content; and determining the attribute keyword as the authentication keyword.
  • the maintenance request includes a creation request and a modification request.
  • the attribute keyword indicating the authentication content is indicated in the creation request or the modification request.
  • the creation request is used to request the creation of the data set
  • the modification request is used to request the modification of the attributes of the data set.
  • the creation request may be a table creation request that requests the creation of a data table in the database.
  • the modification request may be a table modification request used to request modification of attributes of the data table.
  • the data set is a data table
  • the data subset is a data row in the data table
  • this application provides a data management device.
  • the data management device includes: a receiving module, used to receive a target access request sent by the first client, where the target access request is used to request access to a data set, and the data set has multiple attributes.
  • the data subset in the data set includes attribute values corresponding to multiple attributes.
  • the access type of the target access request includes writing data and/or reading data; the acquisition module is used to obtain the authentication rules of the data set.
  • the first attribute value is the attribute value corresponding to the authentication keyword of the user information of any access request.
  • the second attribute value is the attribute value corresponding to the authentication keyword of any data subset.
  • the authentication keyword is used to indicate one or more of multiple attributes;
  • the acquisition module is also used to obtain the first attribute value of the target access request based on the user information of the target access request;
  • the processing module is used to authenticate the target access request based on the authentication rules, the target data subset involved in the target access request, and the first attribute value, and to return a response to the target access request.
  • the processing module is specifically configured to: obtain the second attribute value of the target data subset from the target data subset; and, when the first attribute value of the target access request and the second attribute value of the target data subset satisfy the preset rules, grant the target access request permission to access the target data subset.
  • the authentication keyword includes at least one of a user name, a user group name, and a role of the user.
  • the acquisition module is specifically configured to: query pre-stored relationship information based on the user information of the target access request, and obtain the third attribute value corresponding to the user information and authentication keyword of the target access request in the relationship information;
  • the third attribute value is determined as the first attribute value of the target access request.
  • the receiving module is also configured to: receive a maintenance request sent by the second client, where the maintenance request is used to request maintenance of the data set and carries an attribute keyword indicating the authentication content; and determine the attribute keyword as the authentication keyword.
  • the maintenance request includes a creation request and a modification request.
  • the attribute keyword indicating the authentication content is indicated in the creation request or the modification request.
  • the creation request is used to request the creation of the data set, and the modification request is used to request the modification of attributes of the data set.
  • the data set is a data table
  • the data subset is the data rows in the data table.
  • this application provides a computer device, including a memory and a processor.
  • the memory stores program instructions
  • the processor runs the program instructions to execute the method provided in the first aspect of this application and any possible implementation thereof.
  • this application provides a computer cluster, including multiple computer devices.
  • the multiple computer devices include multiple processors and multiple memories.
  • Program instructions are stored in the multiple memories, and the multiple processors run the program instructions, so that the computer cluster executes the method provided in the first aspect of this application and any possible implementation thereof.
  • the application provides a computer-readable storage medium.
  • the computer-readable storage medium is a non-volatile computer-readable storage medium.
  • the computer-readable storage medium includes program instructions. When the program instructions are run on a computer device, the computer device is caused to execute the method provided in the first aspect of this application and any possible implementation thereof.
  • this application provides a computer program product containing instructions.
  • When the computer program product is run on a computer, it causes the computer to execute the method provided in the first aspect of this application and any possible implementation thereof.
  • Figure 1 is a schematic diagram of an application scenario involved in a data management method provided by an embodiment of the present application
  • Figure 2 is a schematic diagram of an application scenario involved in another data management method provided by an embodiment of the present application.
  • Figure 3 is a schematic diagram of a data management method provided by an embodiment of the present application implemented through multiple functional modules deployed on the server;
  • Figure 4 is a flow chart of a data management method for reading data requests provided by an embodiment of the present application
  • Figure 5 is a flow chart of a method for obtaining authentication keywords of a data set provided by an embodiment of the present application
  • Figure 6 is a flow chart of a method for obtaining the first attribute value of a target read data request provided by an embodiment of the present application
  • Figure 7 is a flow chart of a data management method for writing data requests provided by an embodiment of the present application.
  • Figure 8 is a flow chart of a method for obtaining the first attribute value of a target write data request provided by an embodiment of the present application
  • Figure 9 is a schematic structural diagram of a data management device provided by an embodiment of the present application.
  • Figure 10 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
  • Databases usually store data from multiple users or multiple user groups, and data from different users or different user groups are stored in different data subsets of the database. In order to ensure the security of data, it is necessary to control the permissions of users' access requests to the database.
  • when the database includes multiple data tables, the data tables include multiple data rows, and the data of different users or different user groups is stored in different data rows, permission control of access requests needs to be performed per data row. This is row-level data permission control, which ensures that each user or user group can only write and read its own data rows.
  • an audit log table in the background can contain data records belonging to different users.
  • each user can only write and read his or her own data records.
  • rows 1 and 3 record the data of user 1
  • rows 2, 5 and 7 record the data of user 2
  • rows 4, 6 and 8 record the data of user 3. By performing row-level data permission control on the audit log table, only user 1 is allowed to read and write the data recorded in rows 1 and 3, only user 2 is allowed to read and write the data recorded in rows 2, 5 and 7, and only user 3 is allowed to read and write the data recorded in rows 4, 6 and 8.
  • rows 1 and 3 record the data of department 1
  • rows 2 and 5 record the data of department 2
  • rows 4 and 6 record the data of department 3
  • rows 7 and 8 record the data of department 4.
  • the security administrator needs to configure authentication rules for each access object (such as a user or user group) that needs to access the data set, so that permission control can be performed on the data rows in the data set according to the authentication rules.
  • the database can hold many data rows, and there are many access objects that require access. Configuring authentication rules therefore takes security administrators a lot of time and is error-prone. The configuration efficiency of authentication rules is low, which lowers the efficiency of data management.
  • the authentication rules configured by the security administrator are usually represented by specific expressions. When an access request is authenticated according to the authentication rules, it needs to be matched against the authentication rules of all data rows in the database. The excessive number of authentication rules to match leads to poor read and write performance of the database.
  • the embodiment of this application provides a data management method. The method obtains the authentication rules of the data set requested by the target access request, obtains the first attribute value of the target access request based on the user information of the target access request, authenticates the target access request based on the authentication rules, the target data subset involved in the target access request, and the first attribute value, and returns a response to the target access request.
  • the data set has multiple attributes, the data subset in the data set includes attribute values corresponding to the multiple attributes, and the access type of the target access request includes writing data and/or reading data.
  • the access request is a write data request
  • the data subset involved in the access request is the data subset written by the write data request.
  • the access request is a read data request
  • the data subset involved in the access request is the data subset in the data set read by the read data request.
  • Authentication rules indicate the rules to be followed to authenticate access requests requesting access to the data set.
  • the authentication rule indicates: for any access request requesting access to a data set, when the first attribute value of the access request and the second attribute value of any data subset involved in the access request satisfy the preset rules, the access request is granted permission to access that data subset.
  • the first attribute value is the attribute value, corresponding to the authentication keyword, of the user information of the access request.
  • the second attribute value is the attribute value of the data subset corresponding to the authentication keyword.
  • the authentication keyword is used to indicate one or more of multiple attributes of the data set.
  • the preset rule is the condition that the first attribute value and the second attribute value need to meet when the access request has access permission. For example, the preset rule may be that the first attribute value and the second attribute value are equal.
  • the authentication rules are general rules applicable to all data subsets in the data set, rather than rules bound to the user. Therefore, there is no need for the security administrator to configure authentication rules for each user, which effectively improves the efficiency of configuring authentication rules, thereby improving the efficiency of data management.
  • authentication is based on the authentication rules of the data set requested by the target access request. There is no need to match a large number of authentication rules, which reduces the complexity of data management and helps improve data read and write performance.
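
The authentication flow described above, sketched as an added Python example (not code from the patent or from the applicant). The table, the relationship information, and all function and field names are constructed for illustration; requiring every attribute named by the authentication keyword to match, and denying access when a user or an attribute value is missing, are assumptions of this sketch.

```python
import operator
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed relationship information: the standard attribute values of each
# user who may access the data set (names and values are illustrative).
RELATIONSHIP_INFO = {
    "zhang": {"user_name": "zhang", "user_group_name": "Development Department"},
    "wang": {"user_name": "wang", "user_group_name": "Development Department"},
    "li": {"user_name": "li", "user_group_name": "Finance Department"},
}

# Constructed attendance table: each dict is one data row (data subset).
ATTENDANCE = [
    {"user_name": "zhang", "user_number": "010001",
     "user_group_name": "Development Department", "date": "2022/5/10"},
    {"user_name": "li", "user_number": "020001",
     "user_group_name": "Finance Department", "date": "2022/5/10"},
    {"user_name": "wang", "user_number": "010002",
     "user_group_name": "Development Department", "date": "2022/5/10"},
    # Row without the group attribute, to exercise the fail-closed path.
    {"user_name": "legacy", "user_number": "990001", "date": "2022/5/10"},
]


class AccessDenied(Exception):
    """Raised when a write data request fails authentication."""


@dataclass(frozen=True)
class AuthRule:
    """One rule per data set: authentication keyword plus preset rule."""
    keywords: tuple  # attribute name(s) indicated by the authentication keyword
    preset: Callable[[object, object], bool] = operator.eq  # default: equality


def first_attribute_values(user, rule, relationship_info) -> Optional[dict]:
    """Look up the requesting user's values for the authentication keyword."""
    record = relationship_info.get(user)
    if record is None or any(k not in record for k in rule.keywords):
        return None  # unknown user or missing value: nothing to compare
    return {k: record[k] for k in rule.keywords}


def row_permitted(first, row, rule) -> bool:
    """Compare first attribute values (user) with second attribute values (row)."""
    if first is None:
        return False
    # Assumption: every keyword attribute must be present and satisfy the rule.
    return all(k in row and rule.preset(first[k], row[k]) for k in rule.keywords)


def read_rows(user, table, rule, relationship_info):
    """Read data request: return only the rows the user may access."""
    first = first_attribute_values(user, rule, relationship_info)
    return [dict(row) for row in table if row_permitted(first, row, rule)]


def write_row(user, table, new_row, rule, relationship_info):
    """Write data request: the row being written is the data subset involved."""
    first = first_attribute_values(user, rule, relationship_info)
    if not row_permitted(first, new_row, rule):
        raise AccessDenied(f"{user!r} may not write this row")
    table.append(dict(new_row))


if __name__ == "__main__":
    group_rule = AuthRule(keywords=("user_group_name",))
    for row in read_rows("zhang", ATTENDANCE, group_rule, RELATIONSHIP_INFO):
        print(row["user_name"], row["user_group_name"])
```

A single `AuthRule` covers every row in the table, so adding a user only requires a new entry in the relationship information, not a new rule.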
  • Figure 1 is a schematic diagram of an application scenario involved in a data management method provided by an embodiment of the present application.
  • the application scenario includes: a first client 10 and a server 20.
  • a communication connection is established between the first client 10 and the server 20 .
  • the first client 10 is used to send an access request to the server 20 .
  • the server 20 is configured to use the data management method provided by the embodiment of the present application to authenticate the received access request, and respond to the access request according to the authentication result.
  • the process of the server 20 authenticating the access request may include: obtaining the authentication rules of the data set; obtaining the first attribute value of the target access request based on the user information of the target access request; authenticating the target access request based on the authentication rules, the target data subset involved in the target access request, and the first attribute value; and returning a response to the target access request.
  • the authentication keyword in the embodiment of this application may be defaulted by the server 20 .
  • the authentication keyword can be user-specified.
  • the server can specify the authentication content, the user can specify the attribute keyword used to represent the authentication content, and the server can determine the attribute keyword used to represent the authentication content as the authentication keyword.
  • The embodiments of this application do not specifically limit this.
  • the administrator of the server can specify an authentication keyword and require a subset of data stored in the server to be authenticated using this authentication keyword.
  • the authentication keyword is the server's default.
  • the user can instruct to create a data set in the server, and the user can specify an authentication key used to authenticate the data subset in the data set. At this time, the authentication key is specified by the user.
  • the administrator of the server can specify the authentication content and require a subset of data stored in the server to use the authentication content for authentication.
  • the user can specify the attribute keyword used to represent the authentication content, and the server can determine the authentication keyword based on it.
  • the server specifies the authentication content, and the user specifies the attribute keyword used to represent the authentication content.
  • the application scenario may also include a second client 30 .
  • the second client 30 has established a communication connection with the server 20 .
  • the second client 30 has the authority to maintain the data set on the server 20 .
  • the second client 30 has the authority to create a data set on the server 20 and/or modify the attributes of the data set.
  • the server 20 can specify the authentication content, and the second client 30 can send a maintenance request to the server 20 and indicate in the maintenance request an attribute keyword used to represent the authentication content. After the server 20 obtains the maintenance request, it can identify the attribute keyword representing the authentication content in the maintenance request according to the authentication content, and determine the attribute keyword as the authentication keyword.
  • the maintenance request may be a creation request requesting to create a data set in the server 20 .
  • the maintenance request may be a modification request requesting modifications to an attribute of the data set.
  • the first client that sends the access request and the second client that sends the maintenance request may also be the same client, which is not specifically limited in the embodiment of this application.
  • the first client 10, the second client 30 and the server 20 can be implemented by a physical machine, a physical machine cluster including multiple physical machines, a bare metal server, a cloud server, a virtual machine or a container, etc.
  • the server 20 can be implemented through software.
  • the server 20 can be independently deployed on a physical machine, a physical machine cluster, a bare metal server, a cloud server, a virtual machine or a container, or the server 20 can be deployed in a distributed manner on multiple physical machines, multiple physical machine clusters, multiple bare metal servers, multiple cloud servers, multiple virtual machines, and multiple containers. It should be understood that the server 20 can also be deployed on the same physical device as the first client 10 or the second client 30 .
  • the server 20 may be deployed on one or more of a physical machine, a physical machine cluster, a bare metal server, a cloud server, a virtual machine, and a container on a cloud platform.
  • a large number of basic resources owned by cloud service providers are deployed in the cloud platform.
  • computing resources, storage resources, network resources, etc. are deployed in the cloud platform, and the computing resources can be a large number of computer devices (such as servers).
  • the server 20 can utilize the basic resources deployed in the cloud platform to implement the data management method provided by the embodiment of the present application to authenticate the access request from the first client 10 and respond to the access request according to the authentication result.
  • the data management method provided by the embodiment of the present application can be abstracted by the cloud service provider on the cloud platform into a cloud service for managing data and provided to the user.
  • the cloud platform can use the server 20 to provide the user with cloud services for data management.
  • the user can write data to the server 20 and read data from the server 20 .
  • the server 20 uses the data management method provided by the embodiment of the present application to authenticate the access request, and responds to the access request according to the authentication result.
  • the cloud service can serve as an add-on feature to other services. For example, users may offer services to save data and provide data to other users.
  • users can purchase this cloud service.
  • the cloud service can use the data management method provided by the embodiment of the present application to authenticate the access request, and feed back the authentication result to the user, so that the user can respond to the access request based on the authentication result.
  • the cloud platform may be a cloud platform of a central cloud, an edge cloud, or a cloud platform including a central cloud and an edge cloud, which is not specifically limited in the embodiment of the present application.
  • the server 20 may be partially deployed in the cloud platform of the edge cloud and partially deployed in the cloud platform of the central cloud.
  • the data management method provided by the embodiments of this application can be applied to scenarios such as databases, big data SQL engines, or business intelligence (BI) that require permission control on data subsets.
  • the big data SQL engine can be an engine such as Hive or Spark.
  • the server 20 may be the server 20 of the engine.
  • the data management method provided by the embodiment of the present application can be implemented through a functional module deployed on the server 20 .
  • the functional module can be specifically implemented by a computer device executing a computer program.
  • the data management method provided by the embodiment of the present application can be implemented through multiple functional modules deployed on the server 20 .
  • the multiple functional modules can be deployed in a centralized manner or in a distributed manner.
  • the plurality of functional modules can be specifically implemented by one or more computer devices executing computer programs. Each computer device in the one or more computer devices can implement part or all of the functions in the data management method provided by the embodiments of the present application.
  • FIG. 3 is a schematic diagram of a data management method provided by an embodiment of the present application implemented through multiple functional modules deployed on the server 20 .
  • the server 20 includes: a data reading and writing module 201, a metadata module 202, an authentication module 203 and a data storage module 204.
  • the metadata module 202 is used to store description information of the data set.
  • the authentication module 203 is used to authenticate the user based on the access request sent by the first client, and feed back the authentication result to the data reading and writing module 201, so that the data reading and writing module 201 determines the first attribute value according to the authentication result.
  • the data storage module 204 is used to store data written into the data set.
  • the data reading and writing module 201 is used to receive the access request, obtain the description information of the data set requested by the access request from the metadata module 202 based on the access request, obtain the authentication result of the access request through the authentication module 203, and, according to the description information and the authentication result, execute the data management method provided by the embodiment of this application, authenticate the access request, and respond to the access request based on the authentication result.
  • For the implementation process by which each module in Figure 3 realizes its function, refer to the relevant descriptions in the method embodiments below.
  • the access request can be a read data request or a write data request. The process of implementing the data management method differs between read data requests and write data requests, so the implementation process of the data management method is explained below separately for read data requests and write data requests.
  • As shown in Figure 4, for a read data request, the implementation process of the data management method includes the following steps:
  • Step 401: Obtain the authentication keyword of the data set.
  • a dataset is a collection of data that includes one or more subsets of data.
  • The data set has multiple attributes. Every data subset that can be recorded in the data set includes attribute values corresponding to those attributes.
  • the data set can be a data table.
  • a data table has one or more data rows and multiple data columns. At this time, the data subset can be the data rows in the data table. Different data rows are used to record information about different objects. Data columns are used to represent attributes of a data table. The content located in different columns in the data row is the attribute value of the attribute represented by the corresponding column. When the data table includes multiple data columns, the multiple data columns respectively represent multiple attributes of the data table.
  • the data subset is the data column in the data table, and the data row is used to represent the attribute of the data table.
  • the data set is a data table for a company that counts employee attendance.
  • the data table includes multiple rows and columns, and the data rows record the attendance information of different employees.
  • Data columns are used to represent attributes of a data table.
  • the attributes of this data table include: user name, user number, user group name, date, working time and off work time.
  • the contents in different columns in a data row respectively represent the attribute values of user name, user number, user group name, date, working time and off-duty time.
  • The contents represented by the data in this data row are: the first column indicates that the attribute value of the user name is Zhang **, the second column indicates that the attribute value of the user number is 010001, the third column indicates that the attribute value of the user group name is Development Department, the fourth column indicates that the attribute value of the date is 2022/5/10, the fifth column indicates that the attribute value of working time is 08:56, and the sixth column indicates that the attribute value of off-duty time is 20:56.
  • The authentication keyword is used to indicate one or more of the multiple attributes of the data set. The attributes indicated by the authentication keyword can be some or all of the attributes of the data set.
  • the server is used to perform authentication based on an attribute indicated by the authentication keyword. For example, for the data set shown in Table 3, the authentication keyword can indicate the user group name in multiple attributes of the data set, and the server can perform authentication based on the user group name.
  • the server is configured to perform authentication based on the multiple attributes indicated by the authentication keyword.
  • the authentication keyword can indicate the user group name and user name in multiple attributes of the data set, and the server can perform authentication based on the user group name and user name.
  • All data subsets in the data set use the same authentication keyword. For example, when the authentication keyword indicates one of the multiple attributes of the data set, all data subsets in the data set are authenticated using the authentication keyword indicating that one attribute. As another example, when the authentication keyword indicates more than one of the multiple attributes of the data set, all data subsets in the data set are authenticated using the authentication keyword indicating those attributes, and the attributes indicated by the authentication keyword are the same for all data subsets.
  • the authentication keywords may be determined in various ways.
  • The embodiments of this application use the following examples for illustration:
  • The authentication keyword can be a server default.
  • the administrator of the server can specify an authentication keyword and require a subset of data stored in the server to use the authentication keyword for authentication.
  • administrators can specify that all data subsets stored in the server be authenticated using this authentication keyword.
  • Administrators can instruct different types of data subsets to be authenticated using different authentication keywords.
  • The authentication keyword may be specified by the user.
  • A user can instruct a data set to be created in the server, and the user can specify an authentication keyword used to authenticate a data subset in the data set.
  • the authentication keywords specified by the user can be the same or different.
  • The server can specify the authentication content, the user can specify the attribute keyword used to represent the authentication content, and the server can determine the attribute keyword used to represent the authentication content as the authentication keyword.
  • For example, the administrator of the server can specify the authentication content and require a subset of data stored in the server to use the authentication content for authentication. Moreover, the administrator can specify that all data subsets stored in the server use this authentication content for authentication, or can instruct different types of data subsets to use different authentication content for authentication. Furthermore, different data may be represented in different ways, so the attribute keywords used by different data to represent the same authentication content may be different. The user can then specify the attribute keyword used to represent the authentication content, and the server can determine the authentication keyword based on it.
  • step 401 may include: step 4011, receiving a maintenance request sent by the second client.
  • The maintenance request is used to request maintenance of the data set, and the maintenance request carries the attribute keyword used to represent the authentication content.
  • Maintenance requests may include creation requests and modification requests.
  • The attribute keyword may be indicated in a creation request or a modification request.
  • The creation request is used to request the creation of a data set.
  • The modification request is used to request modification of attributes of a data set. Modifying the attributes of the data set may include: adding attributes to the data set and/or changing the original attributes of the data set to other attributes.
  • the creation request may request to create a data table.
  • the table creation request indicates multiple attributes that the data table needs to have, and one of the multiple attributes is used to represent the authentication content.
  • the server can determine the attribute keyword used to represent the attribute of the authentication content, and determine the attribute keyword as the authentication keyword.
  • The creation request may only request the establishment of a data table in the server without specifying the attributes that the data table needs to have, or it may specify the attributes that the data table needs to have without specifying which attribute is used to represent the authentication content. The user can then specify the content not specified in the creation request through a modification request. In this case, the server can determine the authentication keyword according to the instruction of the modification request.
  • the table creation request can be a data definition language (DDL) statement.
  • a table creation request can be:
  • the table creation request can be:
  • The server can authenticate the data read request based on the user information of the access request. Then, after the server determines the attribute keyword used to represent the user information based on the creation request or modification request, the server can determine that attribute keyword as the authentication keyword.
  • The authentication keyword may include at least one of a user name, a user group name, and a role of the user. The user's role can be, for example, root user.
  • For example, when authentication is performed based on user information, and the server determines from the creation request that the attribute keyword used to represent the authentication content is "user group name", the "user group name" can be determined as the authentication keyword.
  • authentication based on user information is an example and is not used to limit the implementation of authentication.
  • Authentication can also be performed based on information such as the Internet protocol (IP) address of the request to access the data set, which is not specifically limited in the embodiments of this application.
  • The data reading and writing module is used to receive a creation request or a modification request, determine metadata information such as the data set name of the data set, the attribute keywords of multiple attributes of the data set, and the owner of the data set according to the creation request or modification request, and transmit the metadata information to the metadata module.
  • The data reading and writing module is also used to determine the authentication keyword based on the creation request or modification request, and transmit the authentication keyword to the metadata module.
  • the metadata module is used to store the above metadata information and authentication keywords.
  • Step 402: Receive a target read data request sent by the first client, where the target read data request is used to request to read a data set.
  • The target read data request needs to indicate the data set it requests to read, so that after receiving the target read data request, the server can authenticate the target read data request according to that indication, and respond to the target read data request based on the authentication result.
  • step 402 is executed by the data reading and writing module.
  • Step 403: Obtain the authentication rules of the data set.
  • The authentication rules indicate: for any read data request requesting to read the data set, when the first attribute value of the read data request and the second attribute value of any data subset in the data set satisfy the preset rule, the read data request is given permission to read that data subset.
  • The process of obtaining authentication rules for a data set is the process of determining common rules that apply to all data subsets in the data set. For example, when the authentication rules of a data set indicate authentication based on the authentication keyword "user group name", then all data subsets in the data set need to be authenticated based on the authentication keyword "user group name".
  • the server configures authentication rules for each data set managed by the server based on the authentication keyword of the data set. After determining the data set requested by the target read data request, the server can query based on the data set to obtain the authentication rules configured by the server for the data set. It should be noted that for multiple data sets managed by the server, the authentication rules of different data sets may be the same or different, which is not specifically limited in the embodiments of this application.
  • Authentication rules are used to authenticate read data requests.
  • the authentication rules can perform authentication based on the user information of the read data request and the data subset involved in the read data request.
  • The authentication rules may indicate that when the user information of the read data request and the data subset involved in the read data request satisfy the preset rules, the read data request is given permission to read the corresponding data subset.
  • The authentication rule may indicate: for any read data request requesting to read the data set, when the first attribute value of the read data request and the second attribute value of any data subset involved in the read data request satisfy the preset rule, the read data request is given permission to read that data subset.
  • the first attribute value is the attribute value of the authentication keyword corresponding to the user information of any data read request.
  • The second attribute value is the attribute value corresponding to the authentication keyword of any data subset in the data set.
  • The authentication keyword is used to indicate one or more of the multiple attributes of the data set.
  • the preset rule is the condition that the first attribute value and the second attribute value need to meet when the read data request has read permission.
  • the preset rule may be that the first attribute value and the second attribute value are equal.
  • the authentication rules can also limit different control permissions for access requests.
  • the control permissions for access requests include: write permission, read permission, and read-write permission.
  • Authentication rules can limit different control rights of access requests through different authentication keywords.
  • The authentication rule may indicate: for a read data request, when the first attribute value A of the read data request and the second attribute value A of any data subset in the data set requested by the read data request satisfy the preset rule, the read data request is given permission to read that data subset.
  • the write data request is given permission to write the data subset into the data set.
  • the access request is given the permission to read and write the data subset.
  • the authentication rules can also limit different control rights of access requests through preset rules.
  • the preset rule includes a first preset rule and a second preset rule
  • the read data request is given permission to read a subset of the data.
  • the write data request is given the permission to write the data subset into the data set.
  • the access request is given permission to read and write the data subset.
  • step 403 is executed by the data reading and writing module.
  • Step 404: Obtain the first attribute value of the target data read request based on the user information of the target data read request.
  • The authentication rules of a data set are general rules that apply to all data subsets in the data set. However, for different data subsets in the data set, the attribute values corresponding to the authentication keyword that they carry are different. Therefore, after the general rules of the data set are determined, they need to be instantiated to obtain instantiated rules that apply to the data subsets involved in the access request.
  • the implementation process of instantiating general rules based on user information includes:
  • Step 4041: Query the pre-stored relationship information based on the user information of the target read data request, and obtain the third attribute value in the relationship information that corresponds to the user information of the target read data request and to the authentication keyword.
  • the pre-stored relationship information includes information about all users who may initiate access to the data set in the server.
  • the relationship information records the standard attribute values corresponding to the multiple attributes for each user.
  • the server can query the relationship information according to the user information of the target read data request, and obtain the third attribute value that belongs to the user who sent the target read data request and is used to indicate the authentication keyword.
  • the correspondence recorded in the relationship information includes: the relationship between the user's user name, user number, user group name of the user group to which the user belongs, and other standard attribute values of attribute keywords.
  • After receiving the target data read request sent by the client, the server can query the relationship information according to the user information of the target data read request, and obtain the third attribute value of the "user group name" corresponding to the user.
  • The fact that the relationship information records standard attribute values means that the attribute values recorded in the relationship information are all accurate attribute values corresponding to the user.
  • When the second attribute value of the data subset that the user requests to read matches the first attribute value, it can be considered that the user has permission to read the data subset; otherwise, the user does not have permission to read the data subset.
  • the content recorded in the relationship information can be obtained through pre-collection (such as filing), and its content has high credibility.
  • the implementation process of step 4041 can be implemented by authenticating the target read data request. After the target read data request is authenticated according to the user information of the target read data request, the relationship information corresponding to the user information can be obtained, and then the third attribute value corresponding to the user information is determined based on the relationship information, and then the first attribute value is obtained.
  • When the data management method provided by the embodiment of this application is applied to a big data engine such as Hive or Spark, the server can be the corresponding engine server.
  • Step 4041 can be implemented by the engine server through user authentication modules such as Lightweight Directory Access Protocol (LDAP) and Kerberos.
  • step 4041 requires collaborative implementation of the data reading and writing module and the user authentication module.
  • the user authentication module is used to authenticate the target data read request, obtain the third attribute value, and transmit the third attribute value to the data reading and writing module.
  • Step 4042: Determine the third attribute value as the first attribute value of the target read data request.
  • Because the relationship information records the standard attribute values corresponding to multiple attributes of the user and the data set, after the third attribute value is obtained based on the relationship information, the third attribute value can be determined as the first attribute value.
  • Table 3 is part of the data table read by the target read data request
  • Table 4 is the relationship information corresponding to the data table
  • the authentication keyword is "user group name".
  • After receiving the target read data request sent by the user "Zhang**", the server queries the relationship information shown in Table 4 based on the user information indicating the user "Zhang**" and obtains that the third attribute value of "user group name" corresponding to the user "Zhang**" is "Development Department"; "Development Department" can then be determined as the first attribute value.
  • the data reading and writing module performs step 4042.
  • Step 405: Obtain the second attribute value of the target data subset from the target data subset of the data set read by the target read data request.
  • Once the instantiated rule applicable to the data subsets involved in the target read data request is obtained, the target read data request can be authenticated according to it, that is, authenticated based on the authentication rules, the target data subset of the data set that the target read data request requests to read, and the first attribute value. When authenticating the target read data request, the second attribute value of each target data subset in the data set that the target read data request requests to read can be obtained first, and the target read data request is then authenticated based on the second attribute value.
  • The attribute value of each target data subset of the data set corresponding to the authentication keyword can be determined, and that attribute value can be determined as the second attribute value of the corresponding target data subset. For example, assuming that the authentication keyword is "user group name" and the data table requested by the target read data request is Table 3, the following can be obtained based on the authentication keyword: the second attribute value of the data row corresponding to the user name "Zhang**" is "Development Department", the second attribute value of the data row corresponding to the user name "Li**" is "Process Department", and the second attribute value of the data row corresponding to the user name "Wang**" is "Personnel Department".
  • step 405 requires collaborative implementation of the data reading and writing module, the metadata module and the data storage module.
  • The data reading and writing module needs to obtain the metadata information of the data set from the metadata module, read, according to the metadata information, the data set requested by the target read data request from the data storage module, and obtain the second attribute value of each target data subset in the data set.
  • The data reading and writing module can obtain the metadata information of the data set from the table AUDIT_LOG of the metadata module, and the data storage module can be implemented through the Hadoop distributed file system (HDFS).
  • Step 406: Authenticate the target read data request based on the first attribute value of the target data read request and the second attribute value of the target data subset, and return a response to the target read data request.
  • The authentication results include two types: the second attribute value of the target data subset and the first attribute value of the target read data request satisfy the preset rules; and the second attribute value of the target data subset and the first attribute value of the target read data request do not satisfy the preset rules.
  • Responding to the read data request includes: when the second attribute value of the target data subset and the first attribute value of the target read data request satisfy the preset rules, determining that the target read data request has permission to read the target data subset; when the second attribute value of the target data subset and the first attribute value of the target data read request do not satisfy the preset rules, determining that the target data read request does not have permission to read the target data subset.
  • During the process of authenticating the target read data request, the server needs to authenticate all target data subsets in the data set. When the target read data request has permission to read a target data subset, that target data subset is loaded into memory. When the target read data request does not have permission to read a target data subset, that target data subset is prohibited from being loaded into memory. Then, after the authentication process is completed for all target data subsets in the data set, all target data subsets loaded in memory and belonging to the data set are fed back to the first client, completing the response to the target read data request.
  • the data reading and writing module performs step 406.
  • For a write data request, the implementation process of the data management method includes the following steps:
  • Step 701: Obtain the authentication keyword of the data set.
  • Please refer to the corresponding content in step 401 for the implementation process of step 701, which will not be described again here.
  • Step 702: Receive a target write data request sent by the first client.
  • the target write data request is used to request to write a target data subset into the data set.
  • step 702 is executed by the data reading and writing module.
  • Step 703: Obtain the authentication rules of the data set.
  • The authentication rules indicate: for any write data request requesting to write data to the data set, when the first attribute value of the write data request and the second attribute value of any data subset requested to be written satisfy the preset rule, the write data request is given permission to write that data subset to the data set.
  • the first attribute value is the attribute value of the authentication keyword corresponding to the user information of any write data request.
  • The second attribute value is the attribute value corresponding to the authentication keyword of any data subset requested to be written.
  • The authentication keyword is used to indicate one or more of the multiple attributes.
  • step 403 is executed by the data reading and writing module. Moreover, please refer to the corresponding content in step 403 for the implementation process of step 703, which will not be described again here.
  • Step 704: Based on the target write data request, obtain the first attribute value of the target write data request.
  • Step 704 includes: Step 7041: Based on the user information of the target write data request, query the pre-stored relationship information, and obtain the third attribute value in the relationship information that corresponds to the user information of the target write data request and to the authentication keyword.
  • Step 7042: Determine the third attribute value as the first attribute value of the target write data request.
  • Step 705: Obtain the second attribute value of the target data subset from the target data subset written by the target write data request.
  • step 705 requires collaborative implementation of the data reading and writing module, the metadata module and the data storage module. Please refer to the corresponding content in step 405 for the implementation process of step 705, which will not be described again here.
  • Step 706: Authenticate the target write data request based on the first attribute value of the target data write request and the second attribute value of the target data subset, and return a response to the target write data request.
  • responding to the target write data request includes: writing the target data subset into the data set.
  • the response to the target write data request includes: refusing to write the target data subset into the data set.
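  • The read flow (steps 401 to 406) and the write flow (steps 701 to 706) can be sketched as follows. This is an added example, not code from the application: the attribute identifiers, the `DataSet` class, the function names and all sample rows other than the "Zhang**" row are constructed for illustration, and equality is assumed as the preset rule.

```python
from dataclasses import dataclass, field

ATTRIBUTES = ("user_name", "user_number", "user_group_name",
              "date", "working_time", "off_work_time")

# Relationship information (constructed sample): pre-collected, trusted attribute
# values per user, such as a directory service would return after authentication.
RELATIONSHIP_INFO = {
    "Zhang**": {"user_name": "Zhang**", "user_group_name": "Development Department"},
    "Li**": {"user_name": "Li**", "user_group_name": "Process Department"},
    "Wang**": {"user_name": "Wang**", "user_group_name": "Personnel Department"},
}


@dataclass
class DataSet:
    """A data table plus the metadata kept for it (hypothetical structure)."""
    name: str
    attributes: tuple
    auth_keywords: tuple                       # attribute(s) the keyword indicates
    rows: list = field(default_factory=list)   # each row: dict attribute -> value

    def __post_init__(self):
        unknown = set(self.auth_keywords) - set(self.attributes)
        if not self.auth_keywords or unknown:
            raise ValueError(f"authentication keyword must name attributes of {self.name}")


def first_attribute_value(user, dataset, relationship_info=RELATIONSHIP_INFO):
    """Steps 4041/4042: the third attribute value becomes the first attribute value.

    The value comes only from the relationship information, never from the
    request body. Unknown users or missing attributes yield None (fail closed).
    """
    record = relationship_info.get(user)
    if record is None:
        return None
    try:
        return tuple(record[k] for k in dataset.auth_keywords)
    except KeyError:
        return None


def second_attribute_value(row, dataset):
    """Step 405: the data subset's own value(s) for the authentication keyword."""
    try:
        return tuple(row[k] for k in dataset.auth_keywords)
    except KeyError:
        return None


def satisfies_preset_rule(first, second):
    """Preset rule assumed here: both values exist and are equal."""
    return first is not None and second is not None and first == second


def read_data(user, dataset):
    """Step 406: only rows that pass authentication are loaded and returned."""
    first = first_attribute_value(user, dataset)
    return [dict(row) for row in dataset.rows
            if satisfies_preset_rule(first, second_attribute_value(row, dataset))]


def write_data(user, dataset, row):
    """Step 706: write the row only if it carries the caller's own attribute value."""
    first = first_attribute_value(user, dataset)
    if not satisfies_preset_rule(first, second_attribute_value(row, dataset)):
        return False                           # refuse to write the data subset
    dataset.rows.append(dict(row))
    return True


def build_attendance_table(auth_keywords=("user_group_name",)):
    """Constructed attendance table; only the first row's values appear on the page."""
    sample = [
        ("Zhang**", "010001", "Development Department", "2022/5/10", "08:56", "20:56"),
        ("Zhao**", "010002", "Development Department", "2022/5/10", "09:01", "18:30"),
        ("Li**", "020001", "Process Department", "2022/5/10", "08:45", "18:02"),
        ("Wang**", "030001", "Personnel Department", "2022/5/10", "09:10", "18:15"),
    ]
    table = DataSet("attendance", ATTRIBUTES, tuple(auth_keywords))
    table.rows = [dict(zip(ATTRIBUTES, values)) for values in sample]
    return table


if __name__ == "__main__":
    table = build_attendance_table()
    for user in ("Zhang**", "Li**", "Chen**"):
        print(user, [r["user_name"] for r in read_data(user, table)])
    forged = dict(zip(ATTRIBUTES, ("Zhang**", "010001", "Personnel Department",
                                   "2022/5/11", "08:50", "18:00")))
    print("forged write accepted:", write_data("Zhang**", table, forged))
```

  • With a two-attribute keyword such as `("user_group_name", "user_name")`, the same rule narrows each user to their own rows without any per-user configuration.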
  • After obtaining the authentication rules of the data set, the server also needs to obtain the first attribute value of the target access request based on the user information of the target access request, and authenticate the target access request based on the authentication rules and the first attribute value.
  • The authentication rules are general rules applicable to all data subsets in the data set, rather than user-bound rules. Therefore, there is no need for the security administrator to configure authentication rules for each user, which effectively improves the efficiency of configuring authentication rules, thereby improving the efficiency of data management.
  • When this data management method is applied to scenarios such as databases, big data SQL engines, or business intelligence, it can effectively improve the user experience of the corresponding scenarios, such as improving the ease of use of the SQL engine.
  • Authentication is based on the authentication rules of the data set requested by the target access request. There is no need to match a large number of authentication rules, which reduces the complexity of data management and helps improve data read and write performance.
  • the data management device 90 includes:
  • the receiving module 901 is used to receive a target access request sent by the first client.
  • the target access request is used to request access to a data set.
  • the data set has multiple attributes.
  • the data subset in the data set includes attribute values corresponding to the multiple attributes.
  • the access type of the target access request includes writing data and/or reading data.
  • the acquisition module 902 is used to obtain the authentication rules of the data set.
  • The authentication rules indicate: for any access request requesting access to the data set, when the first attribute value of the access request and the second attribute value of any data subset involved in the access request satisfy the preset rule, the access request is given permission to access that data subset.
  • the first attribute value is the attribute value of the authentication keyword corresponding to the user information of any access request.
  • The second attribute value is the attribute value corresponding to the authentication keyword of any data subset, and the authentication keyword is used to indicate one or more of the multiple attributes.
  • the obtaining module 902 is also configured to obtain the first attribute value of the target access request based on the user information of the target access request.
  • the processing module 903 is configured to authenticate the target access request based on the authentication rules, the target data subset involved in the target access request, and the first attribute value, and return a response to the target access request.
  • The processing module 903 is specifically configured to: obtain the second attribute value of the target data subset from the target data subset; and, when the first attribute value of the target access request and the second attribute value of the target data subset satisfy the preset rule, grant the target access request permission to access the target data subset.
  • The authentication keyword includes at least one of a user name, a user group name, and a role of the user.
  • The acquisition module 902 is specifically configured to: query pre-stored relationship information based on the user information of the target access request, and obtain the third attribute value corresponding to the user information of the target access request and the authentication keyword in the relationship information; and determine the third attribute value as the first attribute value of the target access request.
  • The receiving module 901 is also configured to: receive a maintenance request sent by the second client, where the maintenance request is used to request maintenance of the data set and carries an attribute keyword indicating the authentication content; and determine the attribute keyword as the authentication keyword.
  • the maintenance request includes a creation request and a modification request.
  • the attribute keyword indicating the authentication content is indicated in the creation request or the modification request.
  • the creation request is used to request the creation of the data set, and the modification request is used to request the modification of attributes of the data set.
  • the data set is a data table
  • the data subset is the data rows in the data table.
  • the acquisition module after obtaining the authentication rules of the data set, the acquisition module also needs to obtain the first attribute value of the target access request based on the user information of the target access request.
  • the authentication rule is a general rule applicable to all data subsets in the data set, rather than a rule bound to the user. Therefore, there is no need for a security administrator to User configuration of authentication rules effectively improves the efficiency of configuration of authentication rules, thereby improving the efficiency of data management.
  • the data management device when the data management device is applied to scenarios such as databases, big data SQL engines, or business intelligence, it can effectively improve the user experience of the corresponding scenarios, such as improving the ease of use of the SQL engine.
  • authentication is based on the authentication rules of the data set that the target access request asks to access. There is no need to match against a large number of authentication rules, which reduces the complexity of data management and helps improve data read and write performance.
  • FIG. 10 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
  • the computer device 1000 includes a processor 1001, a memory 1002, a communication interface 1003 and a bus 1004. Among them, the processor 1001, the memory 1002, and the communication interface 1003 implement communication connections between each other through the bus 1004.
  • Processor 1001 may include a general-purpose processor and/or a special-purpose hardware chip.
  • General-purpose processors can include: central processing unit (CPU), microprocessor or graphics processing unit (GPU).
  • the CPU is, for example, a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
  • a dedicated hardware chip is a high-performance processing hardware module.
  • Dedicated hardware chips include at least one of a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a network processor (NP).
  • the processor 1001 may also be an integrated circuit chip with signal processing capabilities. During implementation, part or all of the functions of the data management method of the present application can be completed by hardware integrated logic circuits in the processor 1001 or by instructions in the form of software.
  • the memory 1002 is used to store computer programs, which include an operating system 1002a and executable code (i.e., program instructions) 1002b.
  • the memory 1002 is, for example, a read-only memory or other type of static storage device that can store static information and instructions, or a random access memory or other type of dynamic storage device that can store information and instructions, or an electrically erasable programmable memory device.
  • the memory 1002 is used to store outbound port queues, etc.
  • the memory 1002 exists independently, for example, and is connected to the processor 1001 through a bus 1004. Or the memory 1002 and the processor 1001 are integrated together.
  • the memory 1002 can store executable code. When the executable code stored in the memory 1002 is executed by the processor 1001, the processor 1001 is used to perform part or all of the functions of the data management method provided by the embodiment of the present application.
  • the processor 1001 performs the following process: receives a target access request sent by the first client, where the target access request is used to request access to the data set; obtains the authentication rule of the data set, where the authentication rule indicates: for any access request requesting access to the data set, when the first attribute value of the access request and the second attribute value of any data subset involved in the access request satisfy the preset rule, the access request is granted permission to access that data subset; based on the user information of the target access request, obtains the first attribute value of the target access request; based on the authentication rule, the target data subset involved in the target access request, and the first attribute value, authenticates the target access request, and returns a response to the target access request. For how the processor 1001 executes this process, refer to the relevant descriptions in the foregoing method embodiments.
  • the memory 1002 may also include operating systems and other software modules and data required for running processes.
  • the communication interface 1003 uses a transceiver module such as but not limited to a transceiver to implement communication with other devices or communication networks.
  • the communication interface 1003 may be any one or any combination of the following devices: a network interface (such as an Ethernet interface), a wireless network card, and other devices with network access functions.
  • Bus 1004 is any type of communication bus used to interconnect internal components of a computer device (e.g., memory 1002, processor 1001, communication interface 1003), for example a system bus.
  • the embodiment of the present application takes the interconnection of the above-mentioned devices inside the computer device through the bus 1004 as an example.
  • the above-mentioned devices inside the computer device 1000 may also communicate with each other using other connection methods besides the bus 1004.
  • the above-mentioned devices inside the computer device 1000 are interconnected through internal logical interfaces.
  • the above-mentioned plurality of devices can be respectively arranged on independent chips, or at least part or all of them can be arranged on the same chip. Whether each device is independently installed on different chips or integrated on one or more chips often depends on the needs of product design.
  • the embodiments of this application do not limit the specific implementation forms of the above devices.
  • the descriptions of the processes corresponding to each of the above drawings have different emphases. For parts that are not detailed in a certain process, you can refer to the relevant descriptions of other processes.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented in software, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product that provides a program development platform includes one or more computer instructions. When these computer program instructions are loaded and executed on a computer device, the processes or functions of the data management method provided by the embodiments of the present application are fully or partially implemented.
  • computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
  • computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center over a wired connection (such as coaxial cable, optical fiber, or digital subscriber line) or a wireless connection (such as infrared, wireless, or microwave).
  • the computer-readable storage medium stores computer program instructions that provide a program development platform.
  • An embodiment of the present application also provides a computer cluster.
  • the computer cluster includes multiple computer devices.
  • the multiple computer devices include multiple processors and multiple memories.
  • Program instructions are stored in the multiple memories.
  • the multiple processors run the program instructions, so that the computer cluster executes the data management method provided in the embodiments of the present application.
  • For the implementation method of each computer device in the computer cluster please refer to the implementation method of the aforementioned computer equipment accordingly, which will not be described again here.
  • Embodiments of the present application also provide a computer-readable storage medium.
  • the computer-readable storage medium is a non-volatile computer-readable storage medium.
  • the computer-readable storage medium includes program instructions. When the program instructions are run on a computer device, the computer device is caused to execute the data management method provided by the embodiments of the present application.
  • Embodiments of the present application also provide a computer program product containing instructions.
  • when the computer program product is run on a computer, it causes the computer to execute the data management method provided by the embodiments of the present application.
  • the terms “first”, “second” and “third” are only used for description purposes and cannot be understood as indicating or implying relative importance.
  • the term “at least one” refers to one or more, and the term “plurality” refers to two or more, unless expressly limited otherwise.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Computational Linguistics (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to the technical field of data management, and provides a data management method and device. The method comprises: receiving a target access request sent by a first client, the target access request being used for requesting to access a data set; obtaining an authentication rule of the data set, the authentication rule indicating that for any access request requesting to access the data set, when a first attribute value of any access request and a second attribute value of any data subset involved in any access request meet a preset rule, endowing any access request with the permission to access any data subset; obtaining a first attribute value of the target access request on the basis of user information of the target access request; and on the basis of the authentication rule, and a target data subset and the first attribute value involved in the target access request, authenticating the target access request, and returning a response to the target access request. According to the present application, a security administrator does not need to configure the authentication rule for each user, such that the configuration efficiency of the authentication rule is effectively improved.

Description

Data management method and device
This application claims priority to the Chinese patent application with application number 202210643182.9 and the invention title "Data Management Method and Device" submitted on June 8, 2022, the entire content of which is incorporated into this disclosure by reference.
Technical field
The present application relates to the field of data management technology, and in particular to a data management method and device.
Background
A database includes multiple data sets, and a data set includes multiple data subsets. A database usually stores the data of multiple users or user groups, and the data of different users or user groups is stored in different data subsets of the database. To keep the data secure, access requests that users make against data in the database must be subject to permission control. For example, when the database includes multiple data tables, each data table includes multiple data rows, and the data of different users or user groups is stored in different data rows, each user must be restricted to writing and reading only the data rows that belong to that user.
Currently, after a data set is created, a security administrator needs to configure a large number of authentication rules for the data set on a per-user basis. After the database receives an access request, it determines, from that large number of authentication rules, the authentication rule to use for authenticating the access request. When the access request complies with the authentication rule, access to the data subset through the access request is allowed; when the access request does not comply with the authentication rule, access to the data subset through the access request is not allowed.
However, in this scheme for permission control of access requests, configuring the authentication rules is inefficient, which makes data management inefficient.
Summary of the invention
This application provides a data management method and device. With this application, a security administrator does not need to configure authentication rules for each user, which effectively improves the efficiency of configuring authentication rules and thereby the efficiency of data management. The technical solutions provided by this application are as follows:
In a first aspect, this application provides a data management method. The method includes: receiving a target access request sent by a first client, where the target access request is used to request access to a data set, the data set has multiple attributes, a data subset in the data set includes attribute values corresponding to the multiple attributes, and the access type of the target access request includes writing data and/or reading data; obtaining an authentication rule of the data set, where the authentication rule indicates: for any access request requesting access to the data set, when the first attribute value of the access request and the second attribute value of any data subset involved in the access request satisfy a preset rule, the access request is granted permission to access that data subset; the first attribute value is the attribute value, corresponding to the authentication keyword, of the user information of the access request; the second attribute value is the attribute value, corresponding to the authentication keyword, of the data subset; and the authentication keyword indicates one or more of the multiple attributes; obtaining the first attribute value of the target access request based on the user information of the target access request; and authenticating the target access request based on the authentication rule, the target data subset involved in the target access request, and the first attribute value, and returning a response to the target access request.
When the access request is a write data request, the data subset involved in the access request is the data subset that the write data request asks to write. When the access request is a read data request, the data subset involved in the access request is the data subset, within the data set, that the read data request asks to read. The authentication rule indicates the rule followed when authenticating access requests that request access to the data set. The preset rule is the condition that the first attribute value and the second attribute value must satisfy for the access request to have access permission. For example, the preset rule may be that the first attribute value is equal to the second attribute value.
In the data management method provided by this application, once the attribute values corresponding to the user information and to the data subset involved in the access have been obtained according to the authentication keyword in the authentication rule, the user's access can be authenticated against the preset rule. Unlike the existing technology, the authentication rule in this solution is a general rule applicable to all data subsets in the data set. The authentication rule contains the authentication keyword and the corresponding preset rule, not specific permission rules for each data subset. Therefore, this solution does not require the security administrator to configure access permission rules for each data subset, which effectively improves the efficiency of configuring authentication rules and thereby the efficiency of data management. When this data management method is applied to scenarios such as databases, big data SQL engines, or business intelligence, it can effectively improve the user experience of the corresponding scenario, for example by improving the ease of use of the SQL engine.
The process of authenticating the target access request is the process of determining whether the second attribute value, corresponding to the authentication keyword, of the target data subset involved in the target access request and the first attribute value of the target access request satisfy the preset rule. In one implementation, authenticating the target access request based on the authentication rule, the target data subset involved in the target access request, and the first attribute value includes: obtaining the second attribute value of the target data subset from the target data subset; when the first attribute value of the target access request and the second attribute value of the target data subset satisfy the preset rule, granting the target access request permission to access the target data subset; and when the first attribute value of the target access request and the second attribute value of the target data subset do not satisfy the preset rule, not granting the target access request permission to access the target data subset.
In one implementation scenario, the authentication keyword includes at least one of a user name, a user group name, and a role of the user.
In a first way of determining the authentication keyword, the authentication keyword may be a server-side default. In a second way, the authentication keyword may be specified by the user. In a third way, the server may specify the authentication content, the user may specify the attribute keyword used to represent the authentication content, and the server may determine that attribute keyword as the authentication keyword.
Optionally, obtaining the first attribute value of the target access request based on the user information of the target access request includes: querying pre-stored relationship information based on the user information of the target access request, to obtain the third attribute value in the relationship information that corresponds to the user information of the target access request and the authentication keyword; and determining the third attribute value as the first attribute value of the target access request. The pre-stored relationship information may include the relevant information of all users who may initiate access to the data sets on the server. Because the data set has multiple attributes, the relationship information records, for each user, the standard attribute values corresponding to those attributes. After receiving an access request, the server can query the relationship information according to the access request and obtain the third attribute value that belongs to the user who sent the target access request and that corresponds to the authentication keyword. In one implementation, this lookup can be carried out as part of identity authentication of the access request.
In one implementation, the user can specify, in a maintenance request, the attribute keyword used to represent the authentication content. In that case, before receiving the target access request sent by the first client, the data management method further includes: receiving a maintenance request sent by a second client, where the maintenance request is used to request maintenance of the data set and carries the attribute keyword representing the authentication content; and determining the attribute keyword as the authentication keyword.
The maintenance request includes a creation request and a modification request. The attribute keyword representing the authentication content is indicated in the creation request or the modification request. The creation request is used to request creation of the data set, and the modification request is used to request modification of the attributes of the data set. For example, the creation request may be a table creation request that requests creation of a data table in the database, and the modification request may be a table modification request that requests modification of the attributes of the data table.
In one implementation, the data set is a data table, and the data subset is a data row in the data table.
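The following is an added illustration of the method summarized above; it is not code from the application. It assumes equality as the preset rule (the example the text gives) and uses hypothetical names (`Server`, `DataTable`, `preset_rule`, `demo`) and constructed sample data. One rule per table replaces per-user rules: the table's authentication keyword selects which attribute of the user (from the relationship information) is compared with the same attribute of each row, for both writes and reads.

```python
from dataclasses import dataclass, field


@dataclass
class DataTable:
    columns: tuple
    auth_keyword: str                       # attribute chosen as the authentication keyword
    rows: list = field(default_factory=list)


def preset_rule(first_value, second_value):
    """Assumed preset rule: the two attribute values are equal.
    A missing first attribute value never matches, so unknown users are denied."""
    return first_value is not None and first_value == second_value


class Server:
    def __init__(self, relationship_info):
        # Pre-stored relationship information: user -> {attribute: standard value}
        self.relationship_info = relationship_info
        self.tables = {}

    def create_table(self, name, columns, auth_keyword):
        """Creation request carrying the attribute keyword used for authentication."""
        if auth_keyword not in columns:
            raise ValueError("authentication keyword must be an attribute of the table")
        self.tables[name] = DataTable(tuple(columns), auth_keyword)

    def modify_table(self, name, auth_keyword):
        """Modification request that changes the authentication keyword."""
        table = self.tables[name]
        if auth_keyword not in table.columns:
            raise ValueError("authentication keyword must be an attribute of the table")
        table.auth_keyword = auth_keyword

    def _first_attribute_value(self, user, table):
        # Third attribute value: looked up by user information and authentication keyword.
        return self.relationship_info.get(user, {}).get(table.auth_keyword)

    def write(self, user, name, row):
        table = self.tables[name]
        if set(row) != set(table.columns):
            raise ValueError("row must supply exactly the table's attributes")
        first = self._first_attribute_value(user, table)
        # Second attribute value comes from the row the request asks to write.
        if not preset_rule(first, row[table.auth_keyword]):
            raise PermissionError(f"{user} may not write this row of {name}")
        table.rows.append(dict(row))

    def read(self, user, name):
        table = self.tables[name]
        first = self._first_attribute_value(user, table)
        # Only rows whose second attribute value satisfies the rule are returned.
        return [dict(r) for r in table.rows if preset_rule(first, r[table.auth_keyword])]


def demo():
    # Constructed sample users and operations.
    server = Server({
        "user1": {"user_name": "user1", "department": "dept1"},
        "user2": {"user_name": "user2", "department": "dept1"},
        "user3": {"user_name": "user3", "department": "dept2"},
    })
    server.create_table("audit_log", ("user_name", "department", "operation"), "user_name")
    for user, op in [("user1", "login"), ("user2", "query"), ("user1", "export")]:
        dept = server.relationship_info[user]["department"]
        server.write(user, "audit_log",
                     {"user_name": user, "department": dept, "operation": op})
    by_user = [r["operation"] for r in server.read("user1", "audit_log")]
    try:
        # user3 tries to write a row labelled as user1's: rule fails, write is refused.
        server.write("user3", "audit_log",
                     {"user_name": "user1", "department": "dept2", "operation": "forged"})
        forged = "accepted"
    except PermissionError:
        forged = "denied"
    # Switching the keyword to the department changes visibility without per-user rules.
    server.modify_table("audit_log", "department")
    by_dept = [r["operation"] for r in server.read("user2", "audit_log")]
    unknown = server.read("guest", "audit_log")   # no relationship information: no rows
    return by_user, forged, by_dept, unknown
```

Because the write check compares the caller's attribute with the value in the submitted row, a caller cannot plant rows under another user's name, and a user absent from the relationship information reads nothing.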
In a second aspect, this application provides a data management device. The data management device includes: a receiving module, used to receive a target access request sent by a first client, where the target access request is used to request access to a data set, the data set has multiple attributes, a data subset in the data set includes attribute values corresponding to the multiple attributes, and the access type of the target access request includes writing data and/or reading data; an acquisition module, used to obtain an authentication rule of the data set, where the authentication rule indicates: for any access request requesting access to the data set, when the first attribute value of the access request and the second attribute value of any data subset involved in the access request satisfy a preset rule, the access request is granted permission to access that data subset; the first attribute value is the attribute value, corresponding to the authentication keyword, of the user information of the access request; the second attribute value is the attribute value, corresponding to the authentication keyword, of the data subset; and the authentication keyword indicates one or more of the multiple attributes; the acquisition module is also used to obtain the first attribute value of the target access request based on the user information of the target access request; and a processing module, used to authenticate the target access request based on the authentication rule, the target data subset involved in the target access request, and the first attribute value, and to return a response to the target access request.
Optionally, the processing module is specifically configured to: obtain the second attribute value of the target data subset from the target data subset; and when the first attribute value of the target access request and the second attribute value of the target data subset satisfy the preset rule, grant the target access request permission to access the target data subset.
Optionally, the authentication keyword includes at least one of a user name, a user group name, and a role of the user.
Optionally, the acquisition module is specifically configured to: query pre-stored relationship information based on the user information of the target access request, to obtain the third attribute value in the relationship information that corresponds to the user information of the target access request and the authentication keyword; and determine the third attribute value as the first attribute value of the target access request.
Optionally, the receiving module is also configured to: receive a maintenance request sent by a second client, where the maintenance request is used to request maintenance of the data set and carries an attribute keyword representing the authentication content; and determine the attribute keyword as the authentication keyword.
Optionally, the maintenance request includes a creation request and a modification request. The attribute keyword representing the authentication content is indicated in the creation request or the modification request. The creation request is used to request creation of the data set, and the modification request is used to request modification of the attributes of the data set.
Optionally, the data set is a data table, and the data subset is a data row in the data table.
In a third aspect, this application provides a computer device, including a memory and a processor. The memory stores program instructions, and the processor runs the program instructions to execute the method provided in the first aspect of this application and any possible implementation thereof.
In a fourth aspect, this application provides a computer cluster, including multiple computer devices. The multiple computer devices include multiple processors and multiple memories. Program instructions are stored in the multiple memories, and the multiple processors run the program instructions, so that the computer cluster executes the method provided in the first aspect of this application and any possible implementation thereof.
In a fifth aspect, this application provides a computer-readable storage medium. The computer-readable storage medium is a non-volatile computer-readable storage medium and includes program instructions. When the program instructions are run on a computer device, the computer device is caused to execute the method provided in the first aspect of this application and any possible implementation thereof.
In a sixth aspect, this application provides a computer program product containing instructions. When the computer program product is run on a computer, it causes the computer to execute the method provided in the first aspect of this application and any possible implementation thereof.
Description of the drawings
Figure 1 is a schematic diagram of an application scenario involved in a data management method provided by an embodiment of the present application;
Figure 2 is a schematic diagram of another application scenario involved in a data management method provided by an embodiment of the present application;
Figure 3 is a schematic diagram of a data management method provided by an embodiment of the present application implemented through multiple functional modules deployed on the server;
Figure 4 is a flow chart of a data management method executed for a read data request, provided by an embodiment of the present application;
Figure 5 is a flow chart of a method for obtaining the authentication keyword of a data set provided by an embodiment of the present application;
Figure 6 is a flow chart of a method for obtaining the first attribute value of a target read data request provided by an embodiment of the present application;
Figure 7 is a flow chart of a data management method executed for a write data request, provided by an embodiment of the present application;
Figure 8 is a flow chart of a method for obtaining the first attribute value of a target write data request provided by an embodiment of the present application;
Figure 9 is a schematic structural diagram of a data management device provided by an embodiment of the present application;
Figure 10 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
Detailed description
In order to make the purpose, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
A database usually stores the data of multiple users or multiple user groups, and the data of different users or different user groups is stored in different data subsets of the database. To keep the data secure, users' access requests to the database must be subject to permission control. In one implementation scenario, when the database includes multiple data tables, each data table includes multiple data rows, and the data of different users or different user groups is stored in different data rows, access requests need to be controlled per data row, that is, row-level permission control is applied, so that each user or user group can write and read only its own data rows.
例如,在数据库或结构化查询语言(structured query language,SQL)引擎的使用场景中,若需要审计日志,则针对不同用户在前台界面的各类操作,后台均会将操作结果记录到审计日志。这样一来,后台的一张审计日志表可以包含属于不同用户的数据记录。通过对审计日志表进行行级数据的权限控制,能够使每个用户只能写入和读取属于自己的数据记录。如表1所示,第1和3行记录的是用户1的数据,第2、5和7行记录的是用户2的数据,第4、6和8行记录的是用户3的数据,则通过对审计日志表进行行级数据的权限控制,仅允许用户1读写第1和3行记录的数据,用户2读写第2、5和7行记录的数据,用户3读写第4、6和8行记录的数据。For example, in the usage scenario of database or structured query language (SQL) engine, if audit logs are required, the background will record the operation results to the audit log for various operations performed by different users on the front-end interface. In this way, an audit log table in the background can contain data records belonging to different users. By controlling row-level data permissions on the audit log table, each user can only write and read his or her own data records. As shown in Table 1, rows 1 and 3 record the data of user 1, rows 2, 5 and 7 record the data of user 2, and rows 4, 6 and 8 record the data of user 3, then By performing row-level data permission control on the audit log table, only user 1 is allowed to read and write data recorded in rows 1 and 3, user 2 is allowed to read and write data recorded in rows 2, 5, and 7, and user 3 is allowed to read and write data recorded in rows 4 and 7. Data recorded in rows 6 and 8.
Table 1
As another example, in a scenario that distinguishes organizations or regions, row-level data permission control ensures that when users from different organizations or regions access a data table, each user can read and write only the data rows of his or her own organization or region. As shown in Table 2, rows 1 and 3 record the data of department 1, rows 2 and 5 record the data of department 2, rows 4 and 6 record the data of department 3, and rows 7 and 8 record the data of department 4. With row-level data permission control, only users in department 1 are allowed to read and write the data recorded in rows 1 and 3, only users in department 2 the data recorded in rows 2 and 5, only users in department 3 the data recorded in rows 4 and 6, and only users in department 4 the data recorded in rows 7 and 8.
Table 2
Currently, after a data set is created, the security administrator needs to configure authentication rules for each access object (such as a user or user group) that needs to access the data set, so that permission control can be applied to the data rows in the data set according to those rules. However, a database can hold many data rows and there are many access objects that need access. Configuring the authentication rules takes the security administrator a lot of time and is error-prone, so the rules are configured inefficiently and data management is inefficient as a result. Moreover, the authentication rules configured by the security administrator are usually written as concrete expressions. When an access request is authenticated, it has to be matched against the authentication rules of all data rows in the database, and the large number of rules to match degrades the read and write performance of the database.
The embodiments of this application provide a data management method. The method obtains the authentication rule of the data set that the target access request requests to access, obtains the first attribute value of the target access request based on the user information of the target access request, authenticates the target access request based on the authentication rule, the target data subset involved in the target access request and the first attribute value, and returns a response to the target access request.
The data set has multiple attributes, each data subset in the data set includes the attribute values corresponding to those attributes, and the access type of the target access request includes writing data and/or reading data. When the access request is a write data request, the data subset involved in the access request is the data subset that the write data request asks to write. When the access request is a read data request, the data subset involved in the access request is the data subset in the data set that the read data request asks to read. The authentication rule indicates the rule followed when authenticating an access request that requests access to the data set. In the embodiments of this application, the authentication rule indicates: for any access request requesting access to the data set, when the first attribute value of the access request and the second attribute value of any data subset involved in the access request satisfy a preset rule, the access request is granted permission to access that data subset. The first attribute value is the attribute value, for the authentication keyword, of the user information of the access request. The second attribute value is the attribute value of that data subset for the authentication keyword. The authentication keyword indicates one or more of the multiple attributes of the data set. The preset rule is the condition that the first attribute value and the second attribute value must satisfy for the access request to have access permission. For example, the preset rule may be that the first attribute value and the second attribute value are equal.
In this data management method, after the authentication rule of the data set is obtained, the first attribute value of the target access request still has to be obtained from the user information of the target access request, and the target access request is then authenticated according to the authentication rule and the first attribute value. The authentication rule is therefore a general rule that applies to all data subsets in the data set, rather than a rule bound to a user. The security administrator no longer needs to configure authentication rules for each user, which improves the efficiency of configuring authentication rules and, in turn, the efficiency of data management. Moreover, authentication is performed against the authentication rule of the data set that the target access request requests to access, so there is no need to match a large number of authentication rules. This reduces the complexity of data management and helps improve data read and write performance.
Figure 1 is a schematic diagram of an application scenario of a data management method provided by an embodiment of the present application. As shown in Figure 1, the application scenario includes a first client 10 and a server 20. A communication connection is established between the first client 10 and the server 20. The first client 10 is used to send access requests to the server 20. The server 20 is used to authenticate received access requests with the data management method provided by the embodiments of the present application and to respond to the access requests according to the authentication result. The process by which the server 20 authenticates an access request may include: obtaining the authentication rule of the data set; obtaining the first attribute value of the target access request based on the user information of the target access request; authenticating the target access request based on the authentication rule, the target data subset involved in the target access request and the first attribute value; and returning a response to the target access request.
Optionally, the authentication keyword in the embodiments of this application may be the default of the server 20. Alternatively, the authentication keyword may be specified by the user. Alternatively, the server may specify the authentication content, the user may specify the attribute keyword used to represent the authentication content, and the server may determine that attribute keyword as the authentication keyword. The embodiments of this application do not specifically limit this. For example, the administrator of the server can specify an authentication keyword and require that the data subsets stored in the server be authenticated using it. In this case the authentication keyword is the server's default. As another example, the user can instruct the server to create a data set and can specify the authentication keyword used to authenticate the data subsets in that data set. In this case the authentication keyword is specified by the user. As another example, the administrator of the server can specify the authentication content and require that the data subsets stored in the server be authenticated using that content. The user can specify the attribute keyword used to represent the authentication content, and the server can determine the authentication keyword from it. In this case the server specifies the authentication content and the user specifies the attribute keyword used to represent it.
In one implementation, as shown in Figure 2, the application scenario may also include a second client 30. The second client 30 has a communication connection with the server 20. The second client 30 has permission to maintain the data sets on the server 20. For example, the second client 30 has permission to create a data set on the server 20 and/or to modify the attributes of a data set. In one implementation scenario, the server 20 can specify the authentication content, and the second client 30 can send a maintenance request to the server 20 and indicate in it the attribute keyword used to represent the authentication content. After the server 20 obtains the maintenance request, it can use the authentication content to identify, in the maintenance request, the attribute keyword that represents the authentication content, and determine that attribute keyword as the authentication keyword. Optionally, the maintenance request may be a creation request that requests the creation of a data set in the server 20. Alternatively, the maintenance request may be a modification request that requests modification of the attributes of a data set. It should be noted that the first client that sends the access request and the second client that sends the maintenance request may be the same client, which is not specifically limited in the embodiments of this application.
Optionally, the first client 10, the second client 30 and the server 20 can each be implemented by a physical machine, a physical machine cluster including multiple physical machines, a bare metal server, a cloud server, a virtual machine, a container, or the like. The server 20 can be implemented in software. The server 20 can be deployed independently on a physical machine, a physical machine cluster, a bare metal server, a cloud server, a virtual machine or a container, or it can be deployed in a distributed manner on one or more of multiple physical machines, multiple physical machine clusters, multiple bare metal servers, multiple cloud servers, multiple virtual machines and multiple containers. It should be understood that the server 20 can also be deployed on the same physical device as the first client 10 or the second client 30.
In one implementation, the server 20 may be deployed on one or more of a physical machine, a physical machine cluster, a bare metal server, a cloud server, a virtual machine and a container of a cloud platform. A large number of basic resources owned by the cloud service provider are deployed in the cloud platform. For example, computing resources, storage resources and network resources are deployed in the cloud platform, and the computing resources can be a large number of computer devices (such as servers). The server 20 can use the basic resources deployed in the cloud platform to implement the data management method provided by the embodiments of the present application, so as to authenticate access requests from the first client 10 and respond to them according to the authentication result.
In this case, the cloud service provider can abstract the data management method provided by the embodiments of the present application, on the cloud platform, into a cloud service for managing data and offer it to users. After a user purchases the cloud service on the cloud platform, the cloud platform can use the server 20 to provide the user with the cloud service for data management. In one implementation scenario, the user can write data to the server 20 and read data from the server 20. After receiving the user's access request to write or read data, the server 20 authenticates the access request with the data management method provided by the embodiments of the present application and responds to it according to the authentication result. In another implementation scenario, the cloud service can serve as an additional function of other services. For example, a user may offer other users a service for storing data and providing data. To improve data security, that user can purchase the cloud service. When the user's client receives an access request sent by another client, the user can use the cloud service to decide how to respond to the access request. In this case, the cloud service can authenticate the access request with the data management method provided by the embodiments of the present application and feed the authentication result back to the user, so that the user can respond to the access request according to the authentication result.
It should be noted that, in the embodiments of the present application, the cloud platform may be a cloud platform of a central cloud, a cloud platform of an edge cloud, or a cloud platform that includes a central cloud and an edge cloud, which is not specifically limited in the embodiments of the present application. When the cloud platform includes a central cloud and an edge cloud, the server 20 may be deployed partly in the cloud platform of the edge cloud and partly in the cloud platform of the central cloud.
The data management method provided by the embodiments of this application can be applied to scenarios that require permission control on data subsets, such as databases, big data SQL engines or business intelligence (BI). The big data SQL engine can be an engine such as Hive or Spark. Correspondingly, the server 20 may be the server of the engine.
In one implementation, the data management method provided by the embodiments of the present application can be implemented by one functional module deployed on the server 20. The functional module can be implemented by a computer device executing a computer program. Alternatively, the data management method can be implemented by multiple functional modules deployed on the server 20. The multiple functional modules can be deployed in a centralized or a distributed manner. Correspondingly, the multiple functional modules can be implemented by one or more computer devices executing computer programs. Each of the one or more computer devices can implement some or all of the functions of the data management method provided by the embodiments of the present application.
Figure 3 is a schematic diagram of a data management method provided by an embodiment of the present application being implemented by multiple functional modules deployed on the server 20. As shown in Figure 3, the server 20 includes a data reading and writing module 201, a metadata module 202, an authentication module 203 and a data storage module 204. The metadata module 202 is used to store the description information of the data set. The authentication module 203 is used to authenticate the user based on the access request sent by the first client and to feed the authentication result back to the data reading and writing module 201, so that the data reading and writing module 201 can determine the first attribute value from the authentication result. The data storage module 204 is used to store the data written into the data set. The data reading and writing module 201 is used to receive the access request, obtain from the metadata module 202 the description information of the data set that the access request requests to access, obtain the authentication result for the access request through the authentication module 203, execute the data management method provided by the embodiments of this application according to the description information and the authentication result to authenticate the access request, and respond to the access request based on the authentication result. For how each module in Figure 3 implements its function, refer to the relevant descriptions in the method embodiments below.
It should be understood that the above is an exemplary description of the application scenarios of the data management method provided by the embodiments of the present application and does not limit those application scenarios. A person of ordinary skill in the art will know that, as service requirements change, the application scenarios can be adjusted according to application requirements, and the embodiments of this application do not list them one by one.
The following describes the implementation process of the data management method provided by the embodiments of the present application. An access request can be a read data request or a write data request, and the process of implementing the data management method differs between the two, so the implementation process is described separately for read data requests and write data requests. As shown in Figure 4, for a read data request, the implementation process of the data management method includes the following steps:
Step 401: Obtain the authentication keyword of the data set.
A data set is a collection of data that includes one or more data subsets. The data set has multiple attributes. Every data subset that can be recorded in the data set includes the attribute values corresponding to those attributes. In one implementation, the data set can be a data table. A data table has one or more data rows and multiple data columns. In this case, a data subset can be a data row of the data table. Different data rows record the information of different objects. Data columns represent the attributes of the data table. The content of a data row in each column is the attribute value of the attribute represented by that column. When the data table includes multiple data columns, the columns respectively represent the multiple attributes of the data table. Alternatively, a data subset is a data column of the data table, and the data rows represent the attributes of the data table. For example, as shown in Table 3, the data set is a data table in which a company records employee attendance. The data table includes multiple rows and columns, and the data rows record the attendance information of different employees. The data columns represent the attributes of the data table. The attributes of this data table include: user name, user number, user group name, date, clock-in time and clock-out time. The contents of one data row in the different columns are the attribute values of user name, user number, user group name, date, clock-in time and clock-out time respectively. For example, in the data row that represents the attendance information of employee Zhang **, the first column gives the attribute value of the user name as Zhang **, the second column gives the attribute value of the user number as 010001, the third column gives the attribute value of the user group name as Development Department, the fourth column gives the attribute value of the date as 2022/5/10, the fifth column gives the attribute value of the clock-in time as 08:56, and the sixth column gives the attribute value of the clock-out time as 20:56.
Table 3
The authentication keyword indicates one or more of the multiple attributes of the data set. The attributes indicated by the authentication keyword can be some or all of the attributes of the data set. When the authentication keyword indicates one of the attributes of the data set, the server authenticates according to that one attribute. For example, for the data set shown in Table 3, the authentication keyword can indicate the user group name among the attributes of the data set, and the server can then authenticate according to the user group name. When the authentication keyword indicates several of the attributes of the data set, the server authenticates according to those several attributes. For example, for the data set shown in Table 3, the authentication keyword can indicate the user group name and the user name among the attributes of the data set, and the server can then authenticate according to the user group name and the user name. Moreover, in the embodiments of this application, all data subsets in a data set use the same authentication keyword. For example, when the authentication keyword indicates one of the attributes of the data set, all data subsets in the data set are authenticated using the authentication keyword that indicates that one attribute. As another example, when the authentication keyword indicates several of the attributes of the data set, all data subsets in the data set are authenticated using the authentication keyword that indicates those attributes, and the attributes indicated by the authentication keyword are the same for all data subsets.
In the embodiments of this application, the authentication keyword can be determined in several ways. The following ways are described as examples:
In the first way, the authentication keyword can be the server's default. For example, the administrator of the server can specify an authentication keyword and require that the data subsets stored in the server be authenticated using it. The administrator can specify that all data subsets stored in the server are authenticated using this authentication keyword. Alternatively, the administrator can specify that different types of data subsets are authenticated using different authentication keywords.
In the second way, the authentication keyword can be specified by the user. For example, a user can instruct the server to create a data set and can specify the authentication keyword used to authenticate the data subsets in that data set. For different data sets, the authentication keywords specified by the user can be the same or different.
In the third way, the server can specify the authentication content, the user can specify the attribute keyword used to represent the authentication content, and the server can determine that attribute keyword as the authentication keyword. For example, the administrator of the server can specify the authentication content and require that the data subsets stored in the server be authenticated using it. The administrator can specify that all data subsets stored in the server are authenticated using this authentication content, or can specify that different types of data subsets are authenticated using different authentication content. Because different data may be represented in different ways, the attribute keywords that different data use to represent the same authentication content may differ. The user can therefore specify the attribute keyword used to represent the authentication content, and the server can determine the authentication keyword from it.
As one implementation, in the scenario where the server specifies the authentication content, the user can specify the attribute keyword used to represent the authentication content in a maintenance request. Correspondingly, as shown in Figure 5, step 401 may include: step 4011, receiving a maintenance request sent by the second client, where the maintenance request is used to request maintenance of the data set and carries the attribute keyword used to represent the authentication content; and step 4012, determining the attribute keyword as the authentication keyword.
Optionally, maintenance requests may include creation requests and modification requests. The attribute keyword may be indicated in a creation request or in a modification request. A creation request is used to request the creation of a data set. A modification request is used to request modification of the attributes of a data set. Modifying the attributes of a data set may include adding attributes to the data set and/or changing existing attributes of the data set to other attributes. For example, the creation request may request the creation of a data table, and this table creation request indicates the multiple attributes that the data table needs to have and that one of those attributes is used to represent the authentication content. After receiving the table creation request, the server can determine the attribute keyword of the attribute used to represent the authentication content and determine that attribute keyword as the authentication keyword. As another example, the creation request only requests the creation of a data table in the server without specifying the attributes that the data table needs to have, or it specifies the attributes that the data table needs to have but not which attribute is used to represent the authentication content. The user can then use a modification request to specify what the creation request left unspecified. In this case, the server can determine the authentication keyword according to the modification request. The table creation request can be a data definition language (DDL) statement.
For example, the table creation request can be:
CREATE TABLE AUDIT_LOG (ACCOUNT INT, TIME_STAMP TIMESTAMP, LOG STRING) TBLPROPERTIES ('row.access.user.mapping.columns'='ACCOUNT', 'row.access.type'='RW');
Alternatively, the table creation request can be:
CREATE TABLE AUDIT_LOG (ACCOUNT INT, TIME_STAMP TIMESTAMP, LOG STRING);
ALTER TABLE AUDIT_LOG SET TBLPROPERTIES ('row.access.user.mapping.columns'='ACCOUNT', 'row.access.type'='RW');
Optionally, the server can authenticate read data requests based on the user information of the access request. In that case, after the server determines, from the creation request or modification request, the attribute keyword used to represent user information, it can determine that attribute keyword as the authentication keyword. The authentication keyword may include at least one of a user name, a user group name, and a user's role, where the user's role can be, for example, the root user. For example, when the creation request indicates that the attribute keyword "user group name" is used to represent user information, the server can determine, from the creation request and from the fact that the authentication content is authenticated based on user information, that the attribute keyword representing the authentication content is "user group name", and can then determine "user group name" as the authentication keyword. Note that authentication based on user information is an example and does not limit how authentication is implemented. For example, authentication can also be performed based on information such as the Internet Protocol (IP) address from which access to the data set is requested, which is not specifically limited in the embodiments of this application.
In one possible implementation, when the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 401 is completed by the data reading and writing module and the metadata module working together. The data reading and writing module receives the creation request or modification request, determines from it metadata information such as the data set name, the attribute keywords of the data set's multiple attributes, and the owner of the data set, and transmits the metadata information to the metadata module. The data reading and writing module also determines the authentication keyword from the creation request or modification request and transmits it to the metadata module. The metadata module stores the metadata information and the authentication keyword.
Step 402: Receive a target read data request sent by the first client, where the target read data request is used to request reading of a data set.
When a user needs to read data in a data set, the user can send a target read data request to the server through the first client. The target read data request needs to indicate the data set it requests to read, so that after receiving it the server can authenticate the target read data request according to that indication and respond to it according to the authentication result.
In one possible implementation, when the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 402 is executed by the data reading and writing module.
Step 403: Obtain the authentication rule of the data set. The authentication rule indicates: for any read data request that requests to read the data set, when the first attribute value of that read data request and the second attribute value of any data subset in the data set satisfy a preset rule, the read data request is granted permission to read that data subset.
Obtaining the authentication rule of a data set is the process of determining the general rule that applies to all data subsets in the data set. For example, when the authentication rule of a data set indicates authentication based on the authentication keyword "user group name", all data subsets in that data set need to be authenticated based on the authentication keyword "user group name". In the embodiments of this application, the server configures an authentication rule for each data set it manages based on the authentication keyword of that data set. After determining the data set that the target read data request requests to read, the server can query by that data set to obtain the authentication rule the server configured for it. Note that, for the multiple data sets managed by the server, the authentication rules of different data sets may be the same or different, which is not specifically limited in the embodiments of this application.
The authentication rule is used to authenticate read data requests. Optionally, the authentication rule can authenticate based on the user information of the read data request and the data subsets involved in the read data request. For example, the authentication rule may indicate that, when the user information of the read data request and a data subset involved in the read data request satisfy the preset rule, the read data request is granted permission to read the corresponding data subset. In one possible implementation, the authentication rule may indicate: for any read data request that requests to read the data set, when the first attribute value of that read data request and the second attribute value of any data subset involved in that read data request satisfy the preset rule, the read data request is granted permission to read that data subset. Here, the first attribute value is the attribute value, corresponding to the authentication keyword, of the user information of the read data request. The second attribute value is the attribute value, corresponding to the authentication keyword, of a data subset in the data set. The authentication keyword is used to indicate one or more of the multiple attributes of the data set. The preset rule is the condition that the first attribute value and the second attribute value need to satisfy for the read data request to have read permission. For example, the preset rule may be that the first attribute value is equal to the second attribute value.
Optionally, the authentication rule can also restrict different control permissions of access requests. The control permissions of an access request include write permission, read permission, and read-write permission. The authentication rule can restrict the different control permissions of access requests by means of different authentication keywords. In one possible implementation, the authentication rule may indicate the following. For a read data request, when the first attribute value A of the read data request and the second attribute value A of any data subset in the data set that the read data request requests to read satisfy the preset rule, the read data request is granted permission to read that data subset. When the first attribute value B of a write data request and the second attribute value B of the data subset that the write data request requests to write into the data set satisfy the preset rule, the write data request is granted permission to write that data subset into the data set. When the first attribute value A of an access request and the second attribute value A of any data subset involved in the access request satisfy the preset rule, and the first attribute value B of the access request and the second attribute value B of any data subset involved in the access request satisfy the preset rule, the access request is granted permission to read and write the data subset.
Alternatively, the authentication rule can restrict the different control permissions of access requests by means of preset rules. For example, when the preset rule includes a first preset rule and a second preset rule: when the first attribute value of a read data request and the second attribute value of any data subset in the data set that the read data request requests to read satisfy the first preset rule, the read data request is granted permission to read the data subset. When the first attribute value of a write data request and the second attribute value of the data subset that the write data request requests to write into the data set satisfy the second preset rule, the write data request is granted permission to write the data subset into the data set. When the first attribute value of an access request and the second attribute value of any data subset involved in the access request satisfy the second preset rule, and the first attribute value of the access request and the second attribute value of the data subset involved in the access request satisfy the second preset rule, the access request is granted permission to read and write the data subset.
When the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 403 is executed by the data reading and writing module.
Step 404: Obtain the first attribute value of the target read data request based on the user information of the target read data request.
The authentication rule of a data set is a general rule that applies to all data subsets in the data set. However, different data subsets in the data set carry different attribute values for the authentication keyword. Therefore, after the general rule of the data set is determined, the general rule still needs to be instantiated to obtain the instantiated rule that applies to the data subsets involved in the access request.
Authenticating an access request means determining whether the user who sent the access request has permission to access the data subsets involved in the access request; specifically, it is the process of determining whether the first attribute value corresponding to the user information matches the second attribute value corresponding to the data subset. Because the accurate correspondence between users and the attributes of the data set can be collected in advance through legitimate channels, the general rule can be instantiated based on user information. In this case, instantiating the general rule is the process of establishing, for each user, the authentication rule that applies to that user. Correspondingly, establishing the general rule can be regarded as establishing the rule "authenticate using the authentication keyword as the key", and instantiating the general rule can be regarded as assigning "value" to "key" to obtain the instantiated rule "key=value" (that is, authentication keyword = first attribute value).
In one possible implementation, as shown in Figure 6, instantiating the general rule based on user information includes:
Step 4041: Based on the user information of the target read data request, query the pre-stored relationship information to obtain the third attribute value in the relationship information that corresponds to the user information of the target read data request and to the authentication keyword.
The pre-stored relationship information includes information about all users who may initiate access to the data sets on the server. Corresponding to the multiple attributes of the data set, the relationship information records, for each user, the standard attribute values corresponding to those attributes. After receiving the target read data request, the server can query the relationship information according to the user information of the target read data request and obtain the third attribute value, which belongs to the user who sent the target read data request and corresponds to the authentication keyword. For example, assume that the attribute keywords of the data set are "user name", "user number", "user group name", "date", "working time" and "off duty time", that the authentication keyword is "user group name", and that the correspondence recorded in the relationship information includes the relationship between the standard attribute values of attribute keywords such as the user's user name, the user number, and the user group name of the user group to which the user belongs. After receiving the target read data request sent by the client, the server can query the relationship information according to the user information of the target read data request and obtain the third attribute value of "user group name" for that user. That the relationship information records standard attribute values means that the attribute values it records are all accurate attribute values corresponding to the user. Therefore, after the first attribute value is determined from the standard attribute value, if the second attribute value of the data subset that the user requests to read matches the first attribute value, the user can be considered to have permission to read that data subset; otherwise the user does not have permission to read it. The content recorded in the relationship information can be obtained by means such as advance collection (for example, creating a record file), and this content has high credibility.
In one possible implementation, step 4041 can be implemented by authenticating the identity behind the target read data request. After the target read data request is authenticated according to its user information, the relationship information corresponding to that user information can be obtained, the third attribute value corresponding to the user information is then determined from the relationship information, and the first attribute value is obtained from it. In one implementation scenario, when the data management method provided by the embodiments of this application is applied in a big data engine such as Hive or Spark, the server can be the corresponding engine server. Correspondingly, step 4041 can be implemented by the engine server through user authentication modules such as Lightweight Directory Access Protocol (LDAP) and Kerberos.
In addition, when the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 4041 is completed by the data reading and writing module and the user authentication module working together. The user authentication module authenticates the target read data request, obtains the third attribute value, and transmits the third attribute value to the data reading and writing module.
Step 4042: Determine the third attribute value as the first attribute value of the target read data request.
Because the relationship information records the standard attribute values of users for the multiple attributes of the data set, after the third attribute value is obtained from the relationship information, it can be determined as the first attribute value.
Table 4
For example, assume that Table 3 is part of the data table that the target read data request requests to read, that Table 4 is the relationship information corresponding to that data table, and that the authentication keyword is "user group name". After receiving the target read data request sent by the user "Zhang**", the server queries the relationship information shown in Table 4 according to the user information identifying the user "Zhang**" and finds that the third attribute value of "user group name" for the user "Zhang**" is "Development Department"; "Development Department" can then be determined as the first attribute value.
When the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 4042 is executed by the data reading and writing module.
Step 405: From the target data subsets of the data set that the target read data request requests to read, obtain the second attribute value of each target data subset.
Once the first attribute value of the target read data request has been obtained, the instantiated rule applicable to the data subsets involved in the target read data request is available. The target read data request can then be authenticated according to that instantiated rule, that is, based on the authentication rule, the target data subsets of the data set that the target read data request requests to read, and the first attribute value. When authenticating the target read data request, the server can first obtain the second attribute value of each target data subset in the data set that the request asks to read, and then authenticate the target read data request according to that second attribute value. In one possible implementation, after the authentication keyword is determined, the attribute value corresponding to the authentication keyword can be determined for each target data subset of the data set, and that attribute value is determined as the second attribute value of the corresponding target data subset. For example, assuming that the authentication keyword is "user group name" and that the data table the target read data request asks to read is Table 3, the authentication keyword gives the following: the second attribute value of the data row for the user name "Zhang**" is "Development Department", the second attribute value of the data row for the user name "Li**" is "Process Department", and the second attribute value of the data row for the user name "Wang**" is "Personnel Department".
When the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 405 is completed by the data reading and writing module, the metadata module and the data storage module working together. The data reading and writing module obtains the metadata information of the data set from the metadata module, reads from the data storage module, according to that metadata information, the data set that the target read data request asks to read, and obtains the second attribute value of each target data subset in the data set. In one implementation, when the data management method provided by the embodiments of this application is applied in a big data engine such as Hive or Spark, the data reading and writing module can obtain the metadata information of the data set from the table AUDIT_LOG of the metadata module, and the data storage module can be implemented with the Hadoop Distributed File System (HDFS).
Step 406: Authenticate the target read data request based on the first attribute value of the target read data request and the second attribute value of the target data subset, and return a response to the target read data request.
There are two possible authentication results: the second attribute value of the target data subset and the first attribute value of the target read data request satisfy the preset rule, or they do not. Correspondingly, responding to the read data request includes: when the second attribute value of the target data subset and the first attribute value of the target read data request satisfy the preset rule, determining that the target read data request has permission to read the target data subset; and when they do not satisfy the preset rule, determining that the target read data request does not have permission to read the target data subset. Moreover, because the target read data request asks to read a data set, and the data set includes one or more target data subsets, the server needs to perform authentication for all target data subsets in the data set when authenticating the target read data request. When the target read data request has permission to read a given target data subset, that target data subset is loaded into memory. When the target read data request does not have permission to read a given target data subset, loading that target data subset into memory is prohibited. After authentication has been completed for all target data subsets in the data set, all target data subsets that are loaded in memory and belong to the data set are returned to the first client, which completes the response to the target read data request.
When the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 406 is executed by the data reading and writing module.
As shown in Figure 7, for a write data request, the data management method includes the following steps:
Step 701: Obtain the authentication keyword of the data set.
For the implementation of step 701, refer to the corresponding content in step 401; it is not repeated here.
Step 702: Receive a target write data request sent by the first client, where the target write data request is used to request writing a target data subset into the data set.
When a user needs to write a data subset into a data set, the user can send a target write data request to the server through the first client. The target write data request needs to indicate the data set it requests to write to, so that after receiving it the server can authenticate the target write data request according to that indication and respond to it according to the authentication result. In one possible implementation, when the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 702 is executed by the data reading and writing module.
Step 703: Obtain the authentication rule of the data set. The authentication rule indicates: for any write data request that requests to write data into the data set, when the first attribute value of that write data request and the second attribute value of any data subset it requests to write satisfy the preset rule, the write data request is granted permission to write that data subset into the data set.
Here, the first attribute value is the attribute value, corresponding to the authentication keyword, of the user information of the write data request. The second attribute value is the attribute value, corresponding to the authentication keyword, of a data subset requested to be written. The authentication keyword is used to indicate one or more of the multiple attributes.
When the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 403 is executed by the data reading and writing module. For the implementation of step 703, refer to the corresponding content in step 403; it is not repeated here.
Step 704: Obtain the first attribute value of the target write data request based on the target write data request.
As shown in Figure 8, step 704 includes: step 7041, based on the user information of the target write data request, querying the pre-stored relationship information to obtain the third attribute value in the relationship information that corresponds to the user information of the target write data request and to the authentication keyword; and step 7042, determining the third attribute value as the first attribute value of the target write data request. When the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 7041 is completed by the data reading and writing module and the user authentication module working together. Similarly, step 7042 is executed by the data reading and writing module. For the implementation of step 704, refer to the corresponding content in step 404; it is not repeated here.
Step 705: From the target data subset that the target write data request requests to write, obtain the second attribute value of the target data subset.
After the authentication keyword is determined, the attribute keyword in the target data subset to be written that indicates the authentication keyword can be determined, and the attribute value of that attribute keyword is determined as the second attribute value of the target data subset. When the functions of the server are implemented cooperatively by the multiple functional modules in Figure 3, step 705 is completed by the data reading and writing module, the metadata module and the data storage module working together. For the implementation of step 705, refer to the corresponding content in step 405; it is not repeated here.
Step 706: Authenticate the target write data request based on the first attribute value of the target write data request and the second attribute value of the target data subset, and return a response to the target write data request.
当目标数据子集的第二属性值与目标写数据请求的第一属性值满足预设规则时,确定目标写数据请求具有写入目标数据子集的权限。此时,对目标写数据请求进行响应包括:向数据集中写入目标数据子集。当目标数据子集的第二属性值与目标读数据请求的第一属性值不满足预设规则时,确定目标写数据请求不具有写入目标数据子集的权限。此时,对目标写数据请求进行响应包括:拒绝将该目标数据子集写入数据集。当服务端的功能通过图3的多个功能模块协同实现时,由数据读写模块执行该步骤706。When the second attribute value of the target data subset and the first attribute value of the target write data request satisfy the preset rule, it is determined that the target write data request has the permission to write the target data subset. At this time, responding to the target write data request includes: writing the target data subset into the data set. When the second attribute value of the target data subset and the first attribute value of the target read data request do not satisfy the preset rules, it is determined that the target write data request does not have the permission to write the target data subset. At this time, the response to the target write data request includes: refusing to write the target data subset into the data set. When the functions of the server are collaboratively implemented through multiple functional modules in Figure 3, the data reading and writing module performs step 706.
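The following Python example is added here and is not part of the application; it walks a write request through steps 704 to 706 for a data table whose rows are the data subsets. The relationship table, the `owner_group` column, the user names and the membership-based preset rule are assumptions made for illustration, as is the choice to refuse writes when no authentication keyword is configured.

```python
from dataclasses import dataclass, field

# Constructed relationship information (steps 7041/7042): for each user, the
# attribute values held for each authentication keyword. Hypothetical values.
RELATIONSHIP_INFO = {
    "alice": {"user_group": {"sales"}, "role": {"analyst"}},
    "bob": {"user_group": {"finance", "audit"}, "role": {"manager"}},
}


@dataclass
class DataSet:
    """A data table whose single authentication rule applies to every row."""
    name: str
    attributes: tuple
    # authentication keyword -> attribute (column) that carries it in each row
    auth_columns: dict
    rows: list = field(default_factory=list)


def first_attribute_values(user, keyword):
    """Step 704: look up the requesting user's values for the keyword."""
    return RELATIONSHIP_INFO.get(user, {}).get(keyword, set())


def second_attribute_value(dataset, row, keyword):
    """Step 705: read the row's own value for the authentication keyword."""
    return row.get(dataset.auth_columns[keyword])


def preset_rule(first_values, second_value):
    """Assumed preset rule: the row's value is one of the user's values."""
    return second_value is not None and second_value in first_values


def authorize_write(dataset, user, row):
    """Step 706: the rule must hold for every authentication keyword."""
    if not dataset.auth_columns:
        # Assumption: a data set without an authentication keyword is closed.
        return False
    for keyword in dataset.auth_columns:
        first = first_attribute_values(user, keyword)
        second = second_attribute_value(dataset, row, keyword)
        if not preset_rule(first, second):
            return False
    return True


def handle_write_request(dataset, user, rows):
    """Write the rows that pass authentication and refuse the others."""
    result = {"written": [], "refused": []}
    for row in rows:
        known = set(row) <= set(dataset.attributes)
        if known and authorize_write(dataset, user, row):
            dataset.rows.append(dict(row))
            result["written"].append(row)
        else:
            result["refused"].append(row)
    return result


def demo():
    """Run one constructed write request and return the server's response."""
    orders = DataSet(
        name="orders",
        attributes=("order_id", "amount", "owner_group"),
        auth_columns={"user_group": "owner_group"},
    )
    request_rows = [
        {"order_id": 1, "amount": 10, "owner_group": "sales"},    # matches
        {"order_id": 2, "amount": 20, "owner_group": "finance"},  # other group
        {"order_id": 3, "amount": 5},                             # no value
    ]
    return handle_write_request(orders, "alice", request_rows)


if __name__ == "__main__":
    print(demo())
```

No rule is stored per user: adding a user only adds a row to the relationship information, and the same data set rule then decides which rows that user may write.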
To sum up, in the data management method provided by the embodiments of the present application, after obtaining the authentication rule of the data set, the server still needs to obtain the first attribute value of the target access request based on the user information of the target access request, and to authenticate the target access request according to the authentication rule and the first attribute value. It follows that the authentication rule is a general rule applicable to all data subsets in the data set, rather than a rule bound to a user. Therefore, a security administrator does not need to configure an authentication rule for each user, which effectively improves the efficiency of configuring authentication rules and, in turn, the efficiency of data management. When the data management method is applied to scenarios such as databases, big data SQL engines or business intelligence, it can effectively improve the user experience in those scenarios, for example by improving the ease of use of the SQL engine. Moreover, authentication is performed based on the authentication rule of the data set that the target access request requests to access, so a large number of authentication rules do not need to be matched. This reduces the complexity of data management and helps improve data read and write performance.
It should be noted that the order of the steps of the data management method provided by the embodiments of the present application can be adjusted appropriately, and steps can be added or removed as the situation requires. Any variation that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application, and is therefore not described further.
An embodiment of the present application also provides a data management device. As shown in Figure 9, the data management device 90 includes:
The receiving module 901 is configured to receive a target access request sent by the first client. The target access request is used to request access to a data set, the data set has multiple attributes, a data subset in the data set includes attribute values corresponding to the multiple attributes, and the access type of the target access request includes writing data and/or reading data.
The acquisition module 902 is configured to obtain the authentication rule of the data set. The authentication rule indicates: for any access request requesting access to the data set, when the first attribute value of that access request and the second attribute value of any data subset involved in that access request satisfy the preset rule, that access request is granted permission to access that data subset. The first attribute value is the attribute value of the authentication keyword corresponding to the user information of the access request, the second attribute value is the attribute value of the authentication keyword corresponding to the data subset, and the authentication keyword is used to indicate one or more of the multiple attributes.
The acquisition module 902 is also configured to obtain the first attribute value of the target access request based on the user information of the target access request.
The processing module 903 is configured to authenticate the target access request based on the authentication rule, the target data subset involved in the target access request, and the first attribute value, and to return a response to the target access request.
Optionally, the processing module 903 is specifically configured to: obtain the second attribute value of the target data subset from the target data subset; and, when the first attribute value of the target access request and the second attribute value of the target data subset satisfy the preset rule, grant the target access request permission to access the target data subset.
Optionally, the authentication keyword includes at least one of a user name, a user group name, and a role of the user.
Optionally, the acquisition module 902 is specifically configured to: query pre-stored relationship information based on the user information of the target access request to obtain the third attribute value in the relationship information that corresponds to the user information of the target access request and to the authentication keyword; and determine the third attribute value as the first attribute value of the target access request.
Optionally, the receiving module 901 is also configured to: receive a maintenance request sent by the second client, where the maintenance request is used to request maintenance of the data set and carries an attribute keyword indicating the authentication content; and determine the attribute keyword as the authentication keyword.
Optionally, the maintenance request includes a creation request and a modification request. The attribute keyword indicating the authentication content is indicated in the creation request or the modification request. The creation request is used to request creation of the data set, and the modification request is used to request modification of the attributes of the data set.
Optionally, the data set is a data table, and the data subset is a data row in the data table.
To sum up, in the data management device provided by the embodiments of the present application, after obtaining the authentication rule of the data set, the acquisition module still needs to obtain the first attribute value of the target access request based on the user information of the target access request, so that the processing module can authenticate the target access request according to the authentication rule and the first attribute value. It follows that the authentication rule is a general rule applicable to all data subsets in the data set, rather than a rule bound to a user. Therefore, a security administrator does not need to configure an authentication rule for each user, which effectively improves the efficiency of configuring authentication rules and, in turn, the efficiency of data management. When the data management device is applied to scenarios such as databases, big data SQL engines or business intelligence, it can effectively improve the user experience in those scenarios, for example by improving the ease of use of the SQL engine. Moreover, authentication is performed based on the authentication rule of the data set that the target access request requests to access, so a large number of authentication rules do not need to be matched. This reduces the complexity of data management and helps improve data read and write performance.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the devices and modules described above can be found in the corresponding content of the foregoing method embodiments, and are not repeated here.
An embodiment of the present application provides a computer device. The computer device can implement some or all of the functions of the data management method provided by the embodiments of the present application. Figure 10 is a schematic structural diagram of a computer device provided by an embodiment of the present application. As shown in Figure 10, the computer device 1000 includes a processor 1001, a memory 1002, a communication interface 1003 and a bus 1004. The processor 1001, the memory 1002 and the communication interface 1003 are communicatively connected to one another through the bus 1004.
The processor 1001 may include a general-purpose processor and/or a dedicated hardware chip. The general-purpose processor may include a central processing unit (CPU), a microprocessor or a graphics processing unit (GPU). The CPU is, for example, a single-core processor (single-CPU) or a multi-core processor (multi-CPU). The dedicated hardware chip is a hardware module for high-performance processing. The dedicated hardware chip includes at least one of a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or a network processor (NP). The processor 1001 may also be an integrated circuit chip with signal processing capabilities. During implementation, some or all of the functions of the data management method of the present application can be completed by integrated logic circuits of hardware in the processor 1001 or by instructions in the form of software.
The memory 1002 is used to store computer programs, which include an operating system 1002a and executable code (that is, program instructions) 1002b. The memory 1002 is, for example, a read-only memory or another type of static storage device that can store static information and instructions; or a random access memory or another type of dynamic storage device that can store information and instructions; or an electrically erasable programmable read-only memory, a compact disc read-only memory or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or another magnetic storage device, or any other medium that can be used to carry or store desired executable code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. For example, the memory 1002 is used to store outbound port queues and the like. The memory 1002 exists independently, for example, and is connected to the processor 1001 through the bus 1004. Alternatively, the memory 1002 and the processor 1001 are integrated together. The memory 1002 can store executable code. When the executable code stored in the memory 1002 is executed by the processor 1001, the processor 1001 performs some or all of the functions of the data management method provided by the embodiments of the present application. For example, the processor 1001 performs the following process: receiving a target access request sent by the first client, where the target access request is used to request access to a data set; obtaining the authentication rule of the data set, where the authentication rule indicates that, for any access request requesting access to the data set, when the first attribute value of that access request and the second attribute value of any data subset involved in that access request satisfy the preset rule, that access request is granted permission to access that data subset; obtaining the first attribute value of the target access request based on the user information of the target access request; and authenticating the target access request based on the authentication rule, the target data subset involved in the target access request and the first attribute value, and returning a response to the target access request. For how the processor 1001 performs this process, refer to the relevant descriptions in the foregoing method embodiments. The memory 1002 may also include other software modules and data required for running processes, such as an operating system.
The communication interface 1003 uses a transceiver module, such as but not limited to a transceiver, to communicate with other devices or communication networks. For example, the communication interface 1003 may be any one or any combination of the following devices with a network access function: a network interface (such as an Ethernet interface), a wireless network card, and the like.
The bus 1004 is any type of communication bus used to interconnect the internal components of the computer device (for example, the memory 1002, the processor 1001 and the communication interface 1003), such as a system bus. The embodiments of the present application take interconnection of the above components inside the computer device through the bus 1004 as an example. Optionally, the above components inside the computer device 1000 may also be communicatively connected to one another in ways other than the bus 1004. For example, the above components inside the computer device 1000 are interconnected through internal logical interfaces.
It should be noted that the above components can each be placed on separate chips, or at least some or all of them can be placed on the same chip. Whether the components are placed independently on different chips or integrated on one or more chips often depends on the needs of product design. The embodiments of this application do not limit the specific implementation form of the above components. The descriptions of the processes corresponding to the above drawings each have their own emphasis; for parts not detailed in one process, refer to the relevant descriptions of the other processes.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using software, they may be implemented in whole or in part in the form of a computer program product. The computer program product that provides a program development platform includes one or more computer instructions. When these computer program instructions are loaded and executed on a computer device, the processes or functions of the data management method provided by the embodiments of the present application are implemented in whole or in part.
Furthermore, the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (for example, coaxial cable, optical fiber or digital subscriber line) or wireless (for example, infrared, wireless or microwave) means. The computer-readable storage medium stores the computer program instructions that provide the program development platform.
An embodiment of the present application also provides a computer cluster. The computer cluster includes multiple computer devices, and the multiple computer devices include multiple processors and multiple memories. Program instructions are stored in the multiple memories, and the multiple processors run the program instructions so that the computer cluster executes the data management method provided by the embodiments of the present application. For the implementation of each computer device in the computer cluster, refer to the implementation of the computer device described above; the details are not repeated here.
An embodiment of the present application also provides a computer-readable storage medium. The computer-readable storage medium is a non-volatile computer-readable storage medium and includes program instructions. When the program instructions are run on a computer device, the computer device is caused to execute the data management method provided by the embodiments of the present application.
An embodiment of the present application also provides a computer program product containing instructions. When the computer program product is run on a computer, the computer is caused to execute the data management method provided by the embodiments of the present application.
Those of ordinary skill in the art can understand that all or some of the steps of the above embodiments can be completed by hardware, or by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc or the like.
It should be noted that the information (including but not limited to user equipment information, user personal information and the like), data (including but not limited to data used for analysis, stored data, displayed data and the like) and signals involved in this application are all authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with the relevant laws, regulations and standards of the relevant countries and regions. For example, the relationship information and attribution information involved in this application are obtained with full authorization.
In the embodiments of the present application, the terms "first", "second" and "third" are used only for description and cannot be understood as indicating or implying relative importance. The term "at least one" refers to one or more, and the term "multiple" refers to two or more, unless expressly limited otherwise.
The term "and/or" in this application merely describes an association between related objects and indicates that three relationships are possible. For example, A and/or B can mean: A exists alone, both A and B exist, or B exists alone. In addition, the character "/" in this document generally indicates an "or" relationship between the objects before and after it.
The above are only optional embodiments of the present application and are not intended to limit the present application. Any modification, equivalent replacement or improvement made within the concept and principles of the present application shall fall within the protection scope of the present application.

Claims (18)

  1. A data management method, characterized in that the method includes:
    receiving a target access request sent by a first client, where the target access request is used to request access to a data set, the data set has multiple attributes, a data subset in the data set includes attribute values corresponding to the multiple attributes, and the access type of the target access request includes writing data and/or reading data;
    obtaining an authentication rule of the data set, where the authentication rule indicates: for any access request requesting access to the data set, when a first attribute value of that access request and a second attribute value of any data subset involved in that access request satisfy a preset rule, that access request is granted permission to access that data subset, the first attribute value is the attribute value of an authentication keyword corresponding to the user information of that access request, the second attribute value is the attribute value of the authentication keyword corresponding to that data subset, and the authentication keyword is used to indicate one or more of the multiple attributes;
    obtaining the first attribute value of the target access request based on the user information of the target access request;
    authenticating the target access request based on the authentication rule, a target data subset involved in the target access request and the first attribute value, and returning a response to the target access request.
  2. The method according to claim 1, characterized in that authenticating the target access request based on the authentication rule, the target data subset involved in the target access request and the first attribute value includes:
    obtaining the second attribute value of the target data subset from the target data subset;
    when the first attribute value of the target access request and the second attribute value of the target data subset satisfy the preset rule, granting the target access request permission to access the target data subset.
  3. The method according to claim 1 or 2, characterized in that the authentication keyword includes at least one of a user name, a user group name and a role of the user.
  4. The method according to any one of claims 1 to 3, characterized in that obtaining the first attribute value of the target access request based on the user information of the target access request includes:
    querying pre-stored relationship information based on the user information of the target access request to obtain a third attribute value in the relationship information that corresponds to the user information of the target access request and to the authentication keyword;
    determining the third attribute value as the first attribute value of the target access request.
  5. The method according to any one of claims 1 to 4, characterized in that, before receiving the target access request sent by the first client, the method further includes:
    receiving a maintenance request sent by a second client, where the maintenance request is used to request maintenance of the data set, and the maintenance request carries an attribute keyword indicating the authentication content;
    determining the attribute keyword as the authentication keyword.
  6. The method according to claim 5, characterized in that the maintenance request includes a creation request and a modification request, the attribute keyword indicating the authentication content is indicated in the creation request or the modification request, the creation request is used to request creation of the data set, and the modification request is used to request modification of the attributes of the data set.
  7. The method according to any one of claims 1 to 6, characterized in that the data set is a data table, and the data subset is a data row in the data table.
  8. A data management device, characterized in that the device includes:
    a receiving module, configured to receive a target access request sent by a first client, where the target access request is used to request access to a data set, the data set has multiple attributes, a data subset in the data set includes attribute values corresponding to the multiple attributes, and the access type of the target access request includes writing data and/or reading data;
    an acquisition module, configured to obtain an authentication rule of the data set, where the authentication rule indicates: for any access request requesting access to the data set, when a first attribute value of that access request and a second attribute value of any data subset involved in that access request satisfy a preset rule, that access request is granted permission to access that data subset, the first attribute value is the attribute value of an authentication keyword corresponding to the user information of that access request, the second attribute value is the attribute value of the authentication keyword corresponding to that data subset, and the authentication keyword is used to indicate one or more of the multiple attributes;
    the acquisition module being further configured to obtain the first attribute value of the target access request based on the user information of the target access request;
    a processing module, configured to authenticate the target access request based on the authentication rule, a target data subset involved in the target access request and the first attribute value, and to return a response to the target access request.
  9. The device according to claim 8, characterized in that the processing module is specifically configured to:
    obtain the second attribute value of the target data subset from the target data subset;
    when the first attribute value of the target access request and the second attribute value of the target data subset satisfy the preset rule, grant the target access request permission to access the target data subset.
  10. The device according to claim 8 or 9, characterized in that the authentication keyword includes at least one of a user name, a user group name and a role of the user.
  11. The device according to any one of claims 8 to 10, characterized in that the acquisition module is specifically configured to:
    query pre-stored relationship information based on the user information of the target access request to obtain a third attribute value in the relationship information that corresponds to the user information of the target access request and to the authentication keyword;
    determine the third attribute value as the first attribute value of the target access request.
  12. The device according to any one of claims 8 to 11, characterized in that the receiving module is further configured to:
    receive a maintenance request sent by a second client, the maintenance request being used to request maintenance of the data set and carrying an attribute keyword that indicates the authentication content;
    determine the attribute keyword as the authentication keyword.
  13. The device according to claim 12, characterized in that the maintenance request includes a creation request and a modification request, the attribute keyword indicating the authentication content is indicated in the creation request or the modification request, the creation request is used to request creation of the data set, and the modification request is used to request modification of the attributes of the data set.
  14. The device according to any one of claims 8 to 13, characterized in that the data set is a data table, and the data subset is a data row in the data table.
  15. A computer device, characterized by comprising a memory and a processor, the memory storing program instructions, and the processor running the program instructions to perform the method according to any one of claims 1 to 7.
  16. A computer cluster, characterized by comprising a plurality of computer devices, the plurality of computer devices comprising a plurality of processors and a plurality of memories, the plurality of memories storing program instructions, and the plurality of processors running the program instructions so that the computer cluster performs the method according to any one of claims 1 to 7.
  17. A computer-readable storage medium, characterized by comprising program instructions which, when run on a computer device, cause the computer device to perform the method according to any one of claims 1 to 7.
  18. A computer program product, characterized in that, when the computer program product is run on a computer, it causes the computer to perform the method according to any one of claims 1 to 7.
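The flow recited in claims 9 and 11 to 14 (a maintenance request sets the authentication keyword, the requester's first attribute value is looked up in stored relationship information, and each target row's second attribute value is compared against it), as an added Python example that is not code from the application. The preset rule is assumed here to be exact equality, a table with no configured keyword is assumed to deny all access, and every name and sample value is constructed for illustration.

```python
# Constructed relationship information (claim 11): user -> attribute values.
RELATIONSHIP_INFO = {
    "alice": {"user_group": "finance", "role": "analyst"},
    "bob": {"user_group": "sales", "role": "manager"},
}

# Constructed data table (claim 14): each row is one data subset.
ORDERS = {
    "auth_keywords": [],  # set by a maintenance request
    "rows": [
        {"id": 1, "user_group": "finance", "amount": 120},
        {"id": 2, "user_group": "sales", "amount": 75},
        {"id": 3, "user_group": None, "amount": 10},  # row with no group value
    ],
}

def apply_maintenance_request(table, attribute_keywords):
    """Claims 12-13: keywords carried by a create/modify request become
    the table's authentication keywords."""
    columns = {c for row in table["rows"] for c in row}
    missing = [k for k in attribute_keywords if k not in columns]
    if missing:
        raise ValueError(f"not attributes of the data set: {missing}")
    table["auth_keywords"] = list(attribute_keywords)

def first_attribute_values(user, keywords):
    """Claim 11: query stored relationship information for the requester."""
    info = RELATIONSHIP_INFO.get(user, {})
    return {k: info.get(k) for k in keywords}

def preset_rule(first, second):
    """Assumed preset rule: exact match; a missing value never matches."""
    return first is not None and first == second

def authorize(table, user, row_ids):
    """Claim 9: compare the request's first attribute value with each target
    row's second attribute value; return (granted_rows, denied_ids)."""
    keywords = table["auth_keywords"]
    first = first_attribute_values(user, keywords)
    granted, denied = [], []
    for row in table["rows"]:
        if row["id"] not in row_ids:
            continue
        # Assumption: no configured keyword means deny; every keyword must match.
        if keywords and all(preset_rule(first[k], row.get(k)) for k in keywords):
            granted.append(row)
        else:
            denied.append(row["id"])
    return granted, denied
```

The `None` check in `preset_rule` matters: without it, an unknown user (first value `None`) would match row 3 (second value `None`) and be granted access.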
PCT/CN2023/085907 2022-06-08 2023-04-03 Data management method and device WO2023236637A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210643182.9A CN117235092A (en) 2022-06-08 2022-06-08 Data management method and device
CN202210643182.9 2022-06-08

Publications (1)

Publication Number Publication Date
WO2023236637A1 true WO2023236637A1 (en) 2023-12-14

Family

ID=89081359

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/085907 WO2023236637A1 (en) 2022-06-08 2023-04-03 Data management method and device

Country Status (2)

Country Link
CN (1) CN117235092A (en)
WO (1) WO2023236637A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101673375A (en) * 2009-09-25 2010-03-17 金蝶软件(中国)有限公司 Method and system for authorizing data of wage system
US20170132401A1 (en) * 2015-11-06 2017-05-11 Sap Se Data access rules in a database layer
US20180025174A1 (en) * 2016-07-21 2018-01-25 Salesforce.Com, Inc. Access controlled queries against user data in a datastore
CN109889517A (en) * 2019-02-14 2019-06-14 广州小鹏汽车科技有限公司 Data processing method, permissions data collection creation method, device and electronic equipment
CN111488598A (en) * 2020-04-09 2020-08-04 腾讯科技(深圳)有限公司 Access control method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN117235092A (en) 2023-12-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23818805

Country of ref document: EP

Kind code of ref document: A1