WO2023236637A1 - Procédé et dispositif de gestion de données - Google Patents
Procédé et dispositif de gestion de données Download PDFInfo
- Publication number
- WO2023236637A1 WO2023236637A1 PCT/CN2023/085907 CN2023085907W WO2023236637A1 WO 2023236637 A1 WO2023236637 A1 WO 2023236637A1 CN 2023085907 W CN2023085907 W CN 2023085907W WO 2023236637 A1 WO2023236637 A1 WO 2023236637A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- request
- access request
- attribute value
- authentication
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 126
- 238000013523 data management Methods 0.000 title claims abstract description 69
- 230000004044 response Effects 0.000 claims abstract description 14
- 238000012423 maintenance Methods 0.000 claims description 39
- 238000012986 modification Methods 0.000 claims description 31
- 230000004048 modification Effects 0.000 claims description 31
- 230000015654 memory Effects 0.000 claims description 27
- 238000004590 computer program Methods 0.000 claims description 13
- 238000012545 processing Methods 0.000 claims description 12
- 230000008569 process Effects 0.000 description 42
- 230000006870 function Effects 0.000 description 19
- 238000004891 communication Methods 0.000 description 11
- 238000010586 diagram Methods 0.000 description 8
- 238000013500 data storage Methods 0.000 description 6
- 238000012550 audit Methods 0.000 description 5
- 230000003287 optical effect Effects 0.000 description 5
- 238000011161 development Methods 0.000 description 4
- 239000002184 metal Substances 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 2
- 238000013507 mapping Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000003247 decreasing effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/22—Indexing; Data structures therefor; Storage structures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/242—Query formulation
Definitions
- the present application relates to the field of data management technology, and in particular to a data management method and device.
- the database includes multiple data sets.
- a data set consists of multiple data subsets.
- data of multiple users or user groups are usually stored in the database, and data of different users or user groups are stored in different data subsets of the database.
- the data tables include multiple data rows, and the data of different users or user groups are stored in different data rows, it is necessary to control that each user can only write and read their own data row.
- the database After creating a data set, security administrators need to configure a large number of authentication rules for the data set based on users. After the database receives the access request, the database will determine the authentication rule to be used to authenticate the access request from the large number of authentication rules based on the access request. And when the access request complies with the authentication rules, the access request is allowed to access the data subset. When the access request does not comply with the authentication rules, the access request is not allowed to access the data subset.
- This application provides a data management method and device. This application does not require the security administrator to configure authentication rules for each user, which effectively improves the efficiency of configuring authentication rules, thereby improving the efficiency of data management.
- the technical solutions provided by this application are as follows:
- this application provides a data management method.
- the method includes: receiving a target access request sent by the first client.
- the target access request is used to request access to a data set.
- the data set has multiple attributes.
- the data subset in the data set includes attribute values corresponding to the multiple attributes.
- the target The access type of the access request includes writing data and/or reading data; the authentication rules for obtaining the data set, the authentication rules indicate: for any access request requesting access to the data set, when the first attribute value of any access request matches any When the second attribute value of any data subset involved in an access request satisfies the preset rules, any access request is given the permission to access any data subset, and the first attribute value is the corresponding authentication of the user information of any access request.
- the attribute value of the right keyword is indicating: for any access request requesting access to the data set, when the first attribute value of any access request matches any
- the second attribute value of any data subset involved in an access request satisfies the preset rules, any access request
- the second attribute value is the attribute value of any data subset corresponding to the authentication keyword.
- the authentication keyword is used to indicate one or more of multiple attributes; based on the user information of the target access request , obtain the first attribute value of the target access request; based on the authentication rules, the target data subset involved in the target access request, and the first attribute value, authenticate the target access request, and return a response to the target access request.
- the data subset involved in the access request is the data subset written by the write data request.
- the data subset involved in the access request is the data subset in the data set read by the read data request.
- Authentication rules indicate the rules to be followed to authenticate access requests requesting access to the data set.
- the preset rule is the condition that the first attribute value and the second attribute value need to meet when the access request has access permission.
- the pre- The rule may be that the first attribute value and the second attribute value are equal.
- the user's access behavior can be based on the preset rules.
- the authentication rules in this solution are general rules applicable to all data subsets in the data set.
- the authentication rules include authentication keywords and corresponding preset rules instead of each data subset. Set specific permission rules. Therefore, this solution does not require the security administrator to configure access rights rules for each data subset, which effectively improves the efficiency of configuring authentication rules, thereby improving the efficiency of data management.
- the process of authenticating a target access request is a process of determining whether the second attribute value corresponding to the authentication keyword of the target data subset involved in the target access request and the first attribute value of the target access request satisfy the preset rules.
- the target access request is authenticated based on the authentication rules, the target data subset involved in the target access request, and the first attribute value, including: obtaining the target data subset from the target data subset.
- the second attribute value of the target access request when the first attribute value of the target access request and the second attribute value of the target data subset meet the preset rules, grant the target access request the permission to access the target data subset; in the third attribute value of the target access request When the first attribute value and the second attribute value of the target data subset do not satisfy the preset rules, the target access request is not granted the permission to access the target data subset.
- the authentication key includes at least one of a user name, a user group name, and a role of the user.
- the authentication key can be the default one on the server side.
- the authentication key may be specified by the user.
- the server can specify the authentication content, the user can specify the attribute keyword used to represent the authentication content, and the server can use the attribute keyword used to represent the authentication content. Identified as the authentication key.
- obtaining the first attribute value of the target access request based on the user information of the target access request includes: querying the pre-stored relationship information based on the user information of the target access request, and obtaining the user information in the relationship information related to the target access request.
- the third attribute value corresponding to the authentication keyword determine the third attribute value as the first attribute value of the target access request.
- the pre-stored relationship information may include relevant information of all users who may initiate access to the data set in the server.
- the relationship information records the standard attribute values of each user corresponding to the multiple attributes.
- the server can query the relationship information according to the access request and obtain the third attribute value that belongs to the user who sent the target access request and is used to indicate the authentication keyword.
- the implementation process can be implemented by authenticating the access request.
- the user can specify the attribute keyword used to represent the authentication content in the maintenance request.
- the data management method further includes: receiving a maintenance request sent by the second client, where the maintenance request is used to request maintenance of the data set, and the maintenance request carries authentication content.
- the attribute keyword determine the attribute keyword as the authentication keyword.
- the maintenance request includes a creation request and a modification request.
- the attribute keyword indicating the authentication content is indicated in the creation request or the modification request.
- the creation request is used to request the creation of the data set
- the modification request is used to request the modification of the attributes of the data set.
- the creation request may be a table creation request that requests the creation of a data table in the database.
- the modification request may be a table modification request used to request modification of attributes of the data table.
- the data set is a data table
- the data subset is a data row in the data table
- this application provides a data management device.
- the data management device includes: a receiving module, used to receive a target access request sent by the first client, the target access request is used to request access to a data set, and the data set has Multiple attributes.
- the data subset in the data set includes attribute values corresponding to multiple attributes.
- the access type of the target access request includes writing data and/or reading data; the acquisition module is used to obtain the authentication rules and authentication rules of the data set.
- the first attribute value is the attribute value corresponding to the authentication keyword of the user information of any access request.
- the second attribute value is the attribute value corresponding to the authentication keyword of any data subset.
- the authentication keyword is used to indicate one or more of multiple attributes;
- the acquisition module is also used to obtain the first attribute value of the target access request based on the user information of the target access request;
- the processing module is used to obtain the first attribute value of the target access request based on the authentication
- the rules, the target data subset and the first attribute value involved in the target access request are used to authenticate the target access request and return a response to the target access request.
- the processing module is specifically configured to: obtain the second attribute value of the target data subset from the target data subset; when the first attribute value of the target access request and the second attribute value of the target data subset satisfy a preset Rules grant a target access request permission to access a subset of the target data.
- the authentication key includes at least one of a user name, a user group name, and a role of the user.
- the acquisition module is specifically configured to: query pre-stored relationship information based on the user information of the target access request, and obtain the third attribute value corresponding to the user information and authentication keyword of the target access request in the relationship information;
- the third attribute value is determined as the first attribute value of the target access request.
- the receiving module is also configured to: receive a maintenance request sent by the second client, the maintenance request is used to request maintenance of the data set, the maintenance request carries an attribute keyword indicating the authentication content; determine the attribute keyword as Authentication keyword.
- the maintenance request includes a creation request and a modification request.
- the attribute keyword indicating the authentication content is indicated in the creation request or the modification request.
- the creation request is used to request the creation of the data set, and the modification request is used to request the modification of attributes of the data set.
- the data set is a data table
- the data subset is the data rows in the data table.
- this application provides a computer device, including a memory and a processor.
- the memory stores program instructions
- the processor runs the program instructions to execute the method provided in the first aspect of this application and any possible implementation thereof. .
- this application provides a computer cluster, including multiple computer devices.
- the multiple computer devices include multiple processors and multiple memories.
- Program instructions are stored in the multiple memories, and the multiple processors run the program instructions.
- the computer cluster is caused to execute the method provided in the first aspect of this application and any possible implementation manner thereof.
- the application provides a computer-readable storage medium.
- the computer-readable storage medium is a non-volatile computer-readable storage medium.
- the computer-readable storage medium includes program instructions. When the program instructions are stored on a computer device, When running, the computer device is caused to execute the method provided in the first aspect of the application and any possible implementation manner thereof.
- this application provides a computer program product containing instructions.
- the computer program product When the computer program product is run on a computer, it causes the computer to execute the method provided in the first aspect of this application and any possible implementation thereof.
- Figure 1 is a schematic diagram of an application scenario involved in a data management method provided by an embodiment of the present application
- Figure 2 is a schematic diagram of an application scenario involved in another data management method provided by an embodiment of the present application.
- Figure 3 is a schematic diagram of a data management method provided by an embodiment of the present application implemented through multiple functional modules deployed on the server;
- Figure 4 is a flow chart of a data management method for reading data requests provided by an embodiment of the present application
- Figure 5 is a flow chart of a method for obtaining authentication keywords of a data set provided by an embodiment of the present application
- Figure 6 is a flow chart of a method for obtaining the first attribute value of a target read data request provided by an embodiment of the present application
- Figure 7 is a flow chart of a data management method for writing data requests provided by an embodiment of the present application.
- Figure 8 is a flow chart of a method for obtaining the first attribute value of a target write data request provided by an embodiment of the present application
- Figure 9 is a schematic structural diagram of a data management device provided by an embodiment of the present application.
- Figure 10 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
- Databases usually store data from multiple users or multiple user groups, and data from different users or different user groups are stored in different data subsets of the database. In order to ensure the security of data, it is necessary to control the permissions of users' access requests to the database.
- the database when the database includes multiple data tables, the data tables include multiple data rows, and the data of different users or different user groups are stored in different data rows, access requests need to be processed according to the data rows.
- Permission control refers to row-level data permission control to control that each user or user group can only write and read its own data rows.
- an audit log table in the background can contain data records belonging to different users.
- each user can only write and read his or her own data records.
- rows 1 and 3 record the data of user 1
- rows 2, 5 and 7 record the data of user 2
- rows 4, 6 and 8 record the data of user 3, then By performing row-level data permission control on the audit log table, only user 1 is allowed to read and write data recorded in rows 1 and 3, user 2 is allowed to read and write data recorded in rows 2, 5, and 7, and user 3 is allowed to read and write data recorded in rows 4 and 7. Data recorded in rows 6 and 8.
- rows 1 and 3 record the data of department 1
- rows 2 and 5 record the data of department 2
- rows 4 and 6 record the data of department 3
- rows 7 and 8 The data recorded is the data of department 4.
- the security administrator needs to configure authentication rules for each access object (such as a user or user group) that needs to access the data set, so that the data rows in the data set can be authorized according to the authentication rules. control.
- the database can accommodate many data rows, and there are many access objects that require access. It takes a lot of time for security administrators to configure authentication rules and is error-prone. The configuration efficiency of authentication rules is low, resulting in data management. The efficiency is lower.
- the authentication rules configured by the security administrator are usually represented by specific expressions. When authenticating access requests according to the authentication rules, they need to match the authentication rules of all data rows in the database. The authentication rules that need to match Excessive number leads to poor read and write performance of the database.
- the embodiment of this application provides a data management method. By obtaining the authentication rules of the data set requested by the target access request, based on the user information of the target access request, obtain the first attribute value of the target access request, and control the authentication that is too narrow, the target data subset involved in the target access request, and The first attribute value authenticates the target access request and regulates the response to the target access request.
- the data set has multiple attributes, the data subset in the data set includes attribute values corresponding to the multiple attributes, and the access type of the target access request includes writing data and/or reading data.
- the access request is a write data request
- the data subset involved in the access request is the data subset written by the write data request.
- the access request is a read data request
- the data subset involved in the access request is the data subset in the data set read by the read data request.
- Authentication rules indicate the rules to be followed to authenticate access requests requesting access to the data set.
- the authentication rule indicates: for any access request requesting access to a data set, when the first attribute value of any access request is the same as the second attribute value of any data subset involved in any access request, When preset rules are met, any access request is granted access to any subset of data.
- the first attribute value is the attribute value of the authentication keyword corresponding to the user information of any access request.
- the second attribute value is the attribute value corresponding to the authentication key of any data subset.
- the authentication key is used to indicate one or more of multiple attributes of the data set.
- the preset rule is the condition that the first attribute value and the second attribute value need to meet when the access request has access permission. For example, the preset rule may be that the first attribute value and the second attribute value are equal.
- the authentication rules are general rules applicable to all data subsets in the data set, rather than rules bound to the user. Therefore, there is no need for the security administrator to configure authentication rules for each user, which effectively improves the efficiency of configuring authentication rules, thereby improving the efficiency of data management.
- authentication is based on the authentication rules of the data set requested by the target access request. There is no need to match a large number of authentication rules, which reduces the complexity of data management and helps improve data reading. Write performance.
- Figure 1 is a schematic diagram of an application scenario involved in a data management method provided by an embodiment of the present application.
- the application scenario includes: a first client 10 and a server 20.
- a communication connection is established between the first client 10 and the server 20 .
- the first client 10 is used to send an access request to the server 20 .
- the server 20 is configured to use the data management method provided by the embodiment of the present application to authenticate the received access request, and respond to the access request according to the authentication result.
- the process of the server 20 authenticating the access request may include: obtaining the authentication rules of the data set, obtaining the first attribute value of the target access request based on the user information of the target access request; based on the authentication rules, the target access request The target data subset and the first attribute value are involved, the target access request is authenticated, and a response to the target access request is returned.
- the authentication keyword in the embodiment of this application may be defaulted by the server 20 .
- the authentication key can be user-specified.
- the server can specify the authentication content
- the user can specify the attribute keyword used to represent the authentication content
- the server can determine the attribute keyword used to represent the authentication content as the authentication keyword.
- This application implements The example does not specifically limit it.
- the administrator of the server can specify an authentication keyword and require a subset of data stored in the server to be authenticated using this authentication keyword.
- the authentication keyword is the server's default.
- the user can instruct to create a data set in the server, and the user can specify an authentication key used to authenticate the data subset in the data set. At this time, the authentication key is specified by the user.
- the administrator of the server can specify the authentication content and require a subset of data stored in the server to use the authentication content for authentication.
- the user can specify the attribute keyword used to represent the authentication content, and the server can determine the authentication keyword based on it.
- the server specifies the authentication content, and the user specifies the attribute keyword used to represent the authentication content.
- the application scenario may also include a second client 30 .
- the second client 30 has established a communication connection with the server 20 .
- the second client 30 has the authority to maintain the data set on the server 20 .
- the second client 30 has the authority to create a data set on the server 20 and/or modify the attributes of the data set.
- the server 20 can specify the authentication content, and the second client 30 can send a maintenance request to the server 20 and indicate in the maintenance request an attribute keyword used to represent the authentication content. After the server 20 obtains the maintenance request, it can identify the attribute keyword representing the authentication content in the maintenance request according to the authentication content, and determine the attribute keyword as the authentication keyword.
- the maintenance request may be a creation request requesting to create a data set in the server 20 .
- the maintenance request may be a modification request requesting modifications to an attribute of the data set.
- the first client that sends the access request and the second client that sends the maintenance request may also be the same client, which is not specifically limited in the embodiment of this application.
- the first client 10, the second client 30 and the server 20 can be implemented by a physical machine, a physical machine cluster including multiple physical machines, a bare metal server, a cloud server, a virtual machine or a container, etc.
- the server 20 can be implemented through software.
- the server 20 can be independently deployed on a physical machine, a physical machine cluster, a bare metal server, a cloud server, a virtual machine or a container, or the server 20 can be deployed in a distributed manner on multiple physical machines or multiple physical machines.
- a cluster multiple bare metal servers, multiple cloud servers, multiple virtual machines, and multiple containers. It should be understood that the server 20 can also be deployed on the same physical device as the first client 10 or the second client 30 .
- the server 20 may be deployed on one or more of a physical machine, a physical machine cluster, a bare metal server, a cloud server, a virtual machine, and a container on a cloud platform.
- a large number of basic resources owned by cloud service providers are deployed in the cloud platform.
- computing resources, storage resources, network resources, etc. are deployed in the cloud platform, and the computing resources can be a large number of computer devices (such as servers).
- the server 20 can utilize the basic resources deployed in the cloud platform to implement the data management method provided by the embodiment of the present application to authenticate the access request from the first client 10 and respond to the access request according to the authentication result.
- the data management method provided by the embodiment of the present application can be abstracted by the cloud service provider on the cloud platform into a cloud service for managing data and provided to the user.
- the cloud platform can use the server 20 to provide the user with cloud services for data management.
- the user can write data to the server 20 and read data from the server 20 .
- the server 20 uses the data management method provided by the embodiment of the present application to authenticate the access request, and responds to the access request according to the authentication result.
- the cloud service can serve as an add-on feature to other services. For example, users may offer services to save data and provide data to other users.
- users can purchase this cloud service.
- the cloud service can use the data management method provided by the embodiment of the present application to authenticate the access request, and feed back the authentication result to the user, so that the user can respond to the access request based on the authentication result.
- the cloud platform may be a cloud platform of a central cloud, an edge cloud, or a cloud platform including a central cloud and an edge cloud, which is not specifically limited in the embodiment of the present application.
- the server 20 may be partially deployed in the cloud platform of the edge cloud and partially deployed in the cloud platform of the central cloud.
- the data management method provided by the embodiments of this application can be applied to scenarios such as databases, big data SQL engines, or business intelligence (BI) that require permission control on data subsets.
- the big data SQL engine can be an engine such as Hive or Spark.
- the server 20 may be the server 20 of the engine.
- the data management method provided by the embodiment of the present application can be implemented through a functional module deployed on the server 20 .
- the functional module can be specifically implemented by a computer device executing a computer program.
- the data management method provided by the embodiment of the present application can be implemented through multiple functional modules deployed on the server 20 .
- the multiple functional modules can be deployed in a centralized manner or in a distributed manner.
- the plurality of functional modules can be specifically implemented by one or more computer devices executing computer programs. Each computer device in the one or more computer devices can implement part or all of the functions in the data management method provided by the embodiments of the present application.
- FIG. 3 is a schematic diagram of a data management method provided by an embodiment of the present application implemented through multiple functional modules deployed on the server 20 .
- the server 20 includes: a data reading and writing module 201, a metadata module 202, an authentication module 203 and a data storage module 204.
- the metadata module 202 is used to store description information of the data set.
- the authentication module 203 is used to authenticate the user based on the access request sent by the first client, and feed back the authentication result to the data reading and writing module 201, so that the data reading and writing module 201 determines the first attribute value according to the authentication result.
- the data storage module 204 is used to store data written into the data set.
- the data reading and writing module 201 is used to receive the access request, obtain the description information of the data set requested by the access request from the metadata module 202 based on the access request, obtain the authentication result of the access request through the authentication module 203, and obtain the authentication result of the access request according to the description information. and the authentication result, execute the data management method provided by the embodiment of this application, authenticate the access request, and respond to the access request based on the authentication result.
- the implementation process of each module in Figure 3 to realize its function Please refer to the relevant descriptions in the method embodiments below.
- the access request can be a read data request or a write data request
- the process of implementing the data management method is different for read data requests and write data requests, so the following is respectively for read data requests and write data requests.
- the implementation process of this data management method is explained. As shown in Figure 4, for a read data request, the implementation process of the data management method includes the following steps:
- Step 401 Obtain the authentication keyword of the data set.
- a dataset is a collection of data that includes one or more subsets of data.
- the dataset has several properties. All data subsets that can be recorded in the data set include attribute values corresponding to the multiple attributes.
- the data set can be a data table.
- a data table has one or more data rows and multiple data columns. At this time, the data subset can be the data rows in the data table. Different data rows are used to record information about different objects. Data columns are used to represent attributes of a data table. The content located in different columns in the data row is the attribute value of the attribute represented by the corresponding column. When the data table includes multiple data columns, the multiple data columns respectively represent multiple attributes of the data table.
- the data subset is the data column in the data table, and the data row is used to represent the attribute of the data table.
- the data set is a data table for a company that counts employee attendance.
- the data table includes multiple rows and columns, and the data rows record the attendance information of different employees.
- Data columns are used to represent attributes of a data table.
- the attributes of this data table include: user name, user number, user group name, date, working time and off work time.
- the contents in different columns in a data row respectively represent the attribute values of user name, user number, user group name, date, working time and off-duty time.
- the contents represented by the data in this data row are: the content of the first column indicates that the attribute value of the user name is Zhang **, and the content of the second column indicates the user number.
- the attribute value of is 010001
- the attribute value of the third column indicating the user group name is Development Department
- the attribute value of the fourth column indicating the date is 2022/5/10
- the attribute value of the fifth column indicating working hours is 08: 56.
- the sixth column indicates that the attribute value of off-duty time is 20:56.
- the authentication key is used to indicate one or more of multiple attributes of the data set. And the multiple attributes indicated by the authentication keyword can be part or all of the multiple attributes of the data set.
- the server is used to perform authentication based on an attribute indicated by the authentication keyword. For example, for the data set shown in Table 3, the authentication keyword can indicate the user group name in multiple attributes of the data set, and the server can perform authentication based on the user group name.
- the server is configured to perform authentication based on the multiple attributes indicated by the authentication keyword.
- the authentication keyword can indicate the user group name and user name in multiple attributes of the data set, and the server can perform authentication based on the user group name and user name.
- all data subsets in the data set use the same authentication keyword. For example, when the authentication key indicates that the data set has multiple When one of the attributes is specified, all data subsets in the data set are authenticated using the authentication key indicating an attribute. For example, when the authentication key indicates more than one of multiple attributes of the data set, all data subsets in the data set are authenticated using the authentication key indicating the multiple attributes, and all data subsets use the authentication Multiple attributes indicated by keywords all correspond to the same.
- the authentication keywords may be determined in various ways.
- the embodiments of this application take the following examples as examples to illustrate:
- the authentication keyword can be the server's default one.
- the administrator of the server can specify an authentication keyword and require a subset of data stored in the server to use the authentication keyword for authentication.
- administrators can specify that all data subsets stored in the server be authenticated using this authentication keyword.
- administrators can instruct different types of data subsets to be authenticated using different authentication keys.
- the authentication key may be specified by the user.
- a user can instruct a data set to be created in the server, and the user can specify an authentication key used to authenticate a data subset in the data set.
- the authentication keywords specified by the user can be the same or different.
- the server can specify the authentication content
- the user can specify the attribute keyword used to represent the authentication content
- the server can determine the attribute keyword used to represent the authentication content as the authentication key.
- Character For example, the administrator of the server can specify the authentication content and require a subset of data stored in the server to use the authentication content for authentication. Moreover, the administrator can specify that all data subsets stored in the server use this authentication content for authentication, or can instruct different types of data subsets to use different authentication content for authentication. Furthermore, different data may be represented in different ways, so the attribute keywords used by different data to represent the same authentication content may be different. Then the user can specify the attribute keyword used to represent the authentication content, and the server can determine the authentication keyword based on it.
- step 401 may include: step 4011, receiving a maintenance request sent by the second client.
- the maintenance request is used to request maintenance of the data set, and the maintenance request carries attributes used to represent the authentication content.
- Keyword is used to represent the authentication content.
- maintenance requests may include build requests and modification requests.
- the attribute keyword may be indicated in a create request or modify request.
- the create request is used to request the creation of a data set.
- Modify requests are used to request modifications to attributes of a dataset. Modifying the attributes of the data set may include: adding attributes to the data set and/or modifying the original attributes of the data set to other attributes.
- the creation request may request to create a data table.
- the table creation request indicates multiple attributes that the data table needs to have, and one of the multiple attributes is used to represent the authentication content.
- the server can determine the attribute keyword used to represent the attribute of the authentication content, and determine the attribute keyword as the authentication keyword.
- the creation request only requests the establishment of a data table in the server, without specifying the attributes that the data table needs to have, or it specifies the attributes that the data table needs to have, but does not specify which attribute is used to represent the authentication content. Then the user can specify content not specified in the creation request by modifying the request. At this time, the server can determine the authentication keyword according to the instruction of the modification request.
- the table creation request can be a data definition language (DDL) statement.
- a table creation request can be:
- the table creation request can be:
- the server can authenticate the data read request based on the user information of the access request. Then, after the server determines the attribute keyword used to represent the user information based on the establishment request or modification request, the server can determine the attribute keyword as Authentication keyword.
- the authentication key may include at least one of a user name, a user group name, and a role of the user. Among them, the user's role can be root user, etc.
- the server can determine the attribute keyword used to represent the authentication content based on the establishment request and the authentication content that is authenticated based on the user information. is the "user group name", then the "user group name" can be determined as the authentication key.
- authentication based on user information is an example and is not used to limit the implementation of authentication.
- authentication can also be performed based on information such as the Internet protocol address (IP) address of the request to access the data set, which is not specifically limited in the embodiments of this application.
- IP Internet protocol address
- the data reading and writing module is used to receive a creation request or a modification request, and determine metadata such as the data set name of the data set, the attribute keywords of multiple attributes of the data set, and the owner of the data set according to the creation request or modification request. information and transmit metadata information to the metadata module.
- the data reading and writing module is also used to determine the authentication keyword based on the establishment request or modification request, and transmit the authentication keyword to the metadata module.
- the metadata module is used to store the above metadata information and authentication keywords.
- Step 402 Receive a target read data request sent by the first client, where the target read data request is used to request to read a data set.
- the target read data request needs to indicate the data set it requests to read, so that after receiving the target read data request, the server can authenticate the target read data request according to the instruction, and authenticate the target read data based on the authentication result. Request a response.
- step 402 is executed by the data reading and writing module.
- Step 403 Obtain the authentication rules of the data set.
- the authentication rules indicate: for any read data request requesting to read the data set, when the first attribute value of any read data request matches the value of any data subset in the data set, When the second attribute value satisfies the preset rule, any data read request is given the permission to read any data subset.
- the process of obtaining authentication rules for a data set is the process of determining common rules that apply to all data subsets in the data set. For example, when the authentication rules of a data set indicate authentication based on the authentication keyword "user group name", then all data subsets in the data set need to be authenticated based on the authentication keyword "user group name” .
- the server configures authentication rules for each data set managed by the server based on the authentication keyword of the data set. After determining the data set requested by the target read data request, the server can query based on the data set to obtain the authentication rules configured by the server for the data set. It should be noted that for multiple data sets managed by the server, the authentication rules of different data sets may be the same or different, which is not specifically limited in the embodiments of this application.
- Authentication rules are used to authenticate read data requests.
- the authentication rules can perform authentication based on the user information of the read data request and the data subset involved in the read data request.
- the authentication rules may indicate that when the user information of the read data request and the data subset involved in the read data request satisfy the preset rules, the read data request shall be given the right to read the corresponding data subset. limit.
- the authentication rule may indicate: for any read data request requesting to read the data set, when the first attribute value of any read data request is consistent with any data sub-item involved in any read data request, When the second attribute value of the set meets the preset rules, any read data request is given the permission to read any data subset.
- the first attribute value is the attribute value of the authentication keyword corresponding to the user information of any data read request.
- the second attribute value is the attribute value corresponding to the authentication key of any data subset in the data set.
- the authentication key is used to indicate one or more of multiple attributes of the data set.
- the preset rule is the condition that the first attribute value and the second attribute value need to meet when the read data request has read permission.
- the preset rule may be that the first attribute value and the second attribute value are equal.
- the authentication rules can also limit different control permissions for access requests.
- the control permissions for access requests include: write permission, read permission, and read-write permission.
- Authentication rules can limit different control rights of access requests through different authentication keywords.
- the authentication rule may indicate: for a read data request, when the first attribute value A of the read data request is the same as the second attribute value A of any data subset in the data set requested by the read data request, When the preset rules are met, the read data request is given permission to read any data subset.
- the write data request is given the ability to write the data subset into the data set. permissions.
- the access request is given the permission to read and write the data subset.
- the authentication rules can also limit different control rights of access requests through preset rules.
- the preset rule includes a first preset rule and a second preset rule
- the read data request is given permission to read a subset of the data.
- the write data request is given the permission to write the data subset into the data set.
- the access request is given permission to read and write the data subset.
- step 403 is executed by the data reading and writing module.
- Step 404 Obtain the first attribute value of the target data read request based on the user information of the target data read request.
- the authentication rules of a data set are general rules that apply to all data subsets in the data set. However, for different data subsets in the data set, the attribute values corresponding to the authentication keywords they carry are different. Therefore, after determining the general rules of the data set, the general rules need to be instantiated to obtain the information involved in the access request. Instantiation rules that apply to subsets of data.
- the implementation process of instantiating general rules based on user information includes:
- Step 4041 Query the pre-stored relationship information based on the user information requested by the target data read, and obtain the third attribute value in the relationship information corresponding to the user information requested by the target data read and the authentication keyword.
- the pre-stored relationship information includes information about all users who may initiate access to the data set in the server.
- the relationship information records the standard attribute values corresponding to the multiple attributes for each user.
- the server can query the relationship information according to the user information of the target read data request, and obtain the third attribute value that belongs to the user who sent the target read data request and is used to indicate the authentication keyword.
- the correspondence recorded in the relationship information includes: the relationship between the user's user name, user number, user group name of the user group to which the user belongs, and other standard attribute values of attribute keywords.
- the server After receiving the target data read request sent by the client, the server can query the relationship information according to the user information of the target data read request, and obtain the third attribute value of the "user group name” corresponding to the user.
- the fact that the relationship information records standard attribute values means that the attribute values recorded in the relationship information are all accurate attribute values corresponding to the user.
- the second attribute value of the data subset requested by the user to read matches the first attribute value, it can be considered that the user has the permission to read the data subset, otherwise The user does not have permission to read this subset of data.
- the content recorded in the relationship information can be obtained through pre-collection (such as filing), and its content has high credibility.
- the implementation process of step 4041 can be implemented by authenticating the target read data request. After the target read data request is authenticated according to the user information of the target read data request, the relationship information corresponding to the user information can be obtained, and then the third attribute value corresponding to the user information is determined based on the relationship information, and then the first attribute value is obtained.
- the server when the data management method provided by the embodiment of this application is applied to a big data engine such as Hive or Spark, the server can be the corresponding engine server.
- this step 4041 can be implemented by the engine server through user authentication modules such as lightweight directory access protocol (lightweight directory access protocol, LDAP) and Kerberos.
- LDAP lightweight directory access protocol
- Kerberos Kerberos
- step 4041 requires collaborative implementation of the data reading and writing module and the user authentication module.
- the user authentication module is used to authenticate the target data read request, obtain the third attribute value, and transmit the third attribute value to the data reading and writing module.
- Step 4042 Determine the third attribute value as the first attribute value of the target read data request.
- the relationship information records the standard attribute values corresponding to multiple attributes of the user and the data set, after the third attribute value is obtained based on the relationship information, the third attribute value can be determined as the first attribute value.
- Table 3 is part of the data table read by the target read data request
- Table 4 is the relationship information corresponding to the data table
- the authentication key is "user group name”.
- the server After receiving the target read data request sent by the user "Zhang**”, the server queries the relationship information shown in Table 4 based on the user information used to indicate the user "Zhang**", and obtains the corresponding data for the user "Zhang**” If the third attribute value of "User Group Name" is "Development Department", then "Development Department" can be determined as the first attribute value.
- the data reading and writing module performs step 4042.
- Step 405 Obtain the second attribute value of the target data subset from the target data subset of the data set read by the target read data request.
- the instantiation rule applicable to the data subset involved in the target read data request is obtained. Then the target read data request can be authenticated according to the instantiation rule, that is, based on the authentication rules, the target data subset of the data set read by the target read data request request, and the first attribute value, the target read data request can be authenticated. Authentication. When authenticating the target read data request, you can first obtain the second attribute value of each target data subset in the data set read by the target read data request request, and then authenticate the target read data request based on the second attribute value. .
- the attribute value of each target data subset of the data set corresponding to the authentication keyword can be determined, and the attribute value can be determined as the corresponding target data subset.
- Two attribute values For example, assuming that the authentication keyword is "user group name” and the data table requested by the target read data request is Table 3, then you can obtain based on the authentication keyword: The number of the data row corresponding to the user name "Zhang**" The second attribute value is "Development Department", the second attribute value of the data row corresponding to the user name "Li**" is "Process Department”, and the second attribute value of the data row corresponding to the user name "Wang**" is "Personnel” department”.
- step 405 requires collaborative implementation of the data reading and writing module, the metadata module and the data storage module.
- the data reading and writing module needs to obtain the metadata information of the data set from the metadata module.
- the metadata information read the data set requested by the target read data request from the data storage module, and obtain each target in the data set.
- the second attribute value of the data subset is the metadata information of the data set from the metadata module.
- the data reading and writing module can obtain the metadata information of the data set from the table AUDIT_LOG of the metadata module, And the data storage module can be implemented through Hadoop distributed file system (hadoop distributed file system, HDFS).
- hadoop distributed file system Hadoop distributed file system
- Step 406 Authenticate the target read data request based on the first attribute value of the target data read request and the second attribute value of the target data subset, and return a response to the target read data request.
- the authentication results include two types: the second attribute value of the target data subset and the first attribute value of the target read data request satisfy the preset rules; and the second attribute value of the target data subset matches the first attribute value of the target read data request.
- the attribute value does not meet the preset rules.
- responding to the read data request includes: when the second attribute value of the target data subset and the first attribute value of the target read data request satisfy the preset rules, determining that the target read data request has the ability to read the target data subset. Permission: When the second attribute value of the target data subset and the first attribute value of the target data read request do not meet the preset rules, it is determined that the target data read request does not have the permission to read the target data subset.
- the server needs to authenticate all target data in the data set during the process of authenticating the target read data request. subset for authentication. And when the target read data request has the permission to read any target data subset, the target data subset is loaded into the memory. When the target read data request does not have permission to read any target data subset, the target data subset is prohibited from being loaded into memory. Then, after completing the authentication process for all target data subsets in the data set, all target data subsets loaded in the memory and belonging to the data set are fed back to the first client to complete the target read data request. The process of responding.
- the data reading and writing module performs step 406.
- the implementation process of the data management method includes the following steps:
- Step 701 Obtain the authentication keyword of the data set.
- step 401 Please refer to the corresponding content in step 401 for the implementation process of step 701, which will not be described again here.
- Step 702 Receive a target write data request sent by the first client.
- the target write data request is used to request to write a target data subset into the data set.
- step 702 is executed by the data reading and writing module.
- Step 703 Obtain the authentication rules of the data set.
- the authentication rules indicate: for any write data request requesting to write data to the data set, when the first attribute value of any write data request matches any data requested to be written, When the second attribute value of the subset satisfies the preset rule, any write data request is given the permission to write any data subset to the data set.
- the first attribute value is the attribute value of the authentication keyword corresponding to the user information of any write data request.
- the second attribute value is the attribute value corresponding to the authentication key of any data subset requested to be written.
- An authentication key is used to indicate one or more of multiple attributes.
- step 403 is executed by the data reading and writing module. Moreover, please refer to the corresponding content in step 403 for the implementation process of step 703, which will not be described again here.
- Step 704 Based on the target write data request, obtain the first attribute value of the target write data request.
- step 704 includes: Step 7041: Based on the user information of the target write data request, query the pre-stored relationship information, and obtain the user information and authentication keywords in the relationship information related to the target write data request. The corresponding third attribute value.
- Step 7042 Determine the third attribute value as the first attribute value of the target write data request.
- Step 705 Obtain the second attribute value of the target data subset from the target data subset written by the target write data request.
- step 705 requires collaborative implementation of the data reading and writing module, the metadata module and the data storage module. Please refer to the corresponding content in step 405 for the implementation process of step 705, which will not be described again here.
- Step 706 Authenticate the target write data request based on the first attribute value of the target data write request and the second attribute value of the target data subset, and return a response to the target write data request.
- responding to the target write data request includes: writing the target data subset into the data set.
- the response to the target write data request includes: refusing to write the target data subset into the data set.
- the server after obtaining the authentication rules of the data set, the server also needs to obtain the first attribute value of the target access request based on the user information of the target access request. And authenticate the target access request based on the authentication rules and the first attribute value.
- the authentication rules are applicable to all data subsets in the data set. Use general rules rather than user-bound rules. Therefore, there is no need for the security administrator to configure authentication rules for each user, which effectively improves the efficiency of configuring authentication rules, thereby improving the efficiency of data management.
- this data management method when this data management method is applied to scenarios such as databases, big data SQL engines, or business intelligence, it can effectively improve the user experience of the corresponding scenarios, such as improving the ease of use of the SQL engine.
- authentication is based on the authentication rules of the data set requested by the target access request. There is no need to match a large number of authentication rules, which reduces the complexity of data management and helps improve data reading. Write performance.
- the data management device 90 includes:
- the receiving module 901 is used to receive a target access request sent by the first client.
- the target access request is used to request access to a data set.
- the data set has multiple attributes.
- the data subset in the data set includes attribute values corresponding to the multiple attributes.
- the access type of the target access request includes writing data and/or reading data.
- the acquisition module 902 is used to obtain the authentication rules of the data set.
- the authentication rules indicate: for any access request requesting access to the data set, when the first attribute value of any access request matches any data involved in any access request When the second attribute value of the subset meets the preset rules, any access request is given the permission to access any data subset.
- the first attribute value is the attribute value of the authentication keyword corresponding to the user information of any access request.
- the second attribute value is the attribute value corresponding to the authentication key of any data subset, and the authentication key is used to indicate one or more of multiple attributes.
- the obtaining module 902 is also configured to obtain the first attribute value of the target access request based on the user information of the target access request.
- the processing module 903 is configured to authenticate the target access request based on the authentication rules, the target data subset involved in the target access request, and the first attribute value, and return a response to the target access request.
- the processing module 903 is specifically configured to: obtain the second attribute value of the target data subset from the target data subset; when the first attribute value of the target access request and the second attribute value of the target data subset satisfy a predetermined When setting up a rule, grant the target access request permission to access a subset of the target data.
- the authentication key includes at least one of a user name, a user group name, and a role of the user.
- the acquisition module 902 is specifically configured to: query pre-stored relationship information based on the user information of the target access request, and obtain the third attribute value corresponding to the user information and authentication keyword of the target access request in the relationship information; The third attribute value is determined as the first attribute value of the target access request.
- the receiving module 901 is also configured to: receive a maintenance request sent by the second client, the maintenance request is used to request maintenance of the data set, the maintenance request carries an attribute keyword indicating the authentication content; determine the attribute keyword is the authentication key.
- the maintenance request includes a creation request and a modification request.
- the attribute keyword indicating the authentication content is indicated in the creation request or the modification request.
- the creation request is used to request the creation of the data set, and the modification request is used to request the modification of attributes of the data set.
- the data set is a data table
- the data subset is the data rows in the data table.
- the acquisition module after obtaining the authentication rules of the data set, the acquisition module also needs to obtain the first attribute value of the target access request based on the user information of the target access request.
- the authentication rule is a general rule applicable to all data subsets in the data set, rather than a rule bound to the user. Therefore, there is no need for a security administrator to User configuration of authentication rules effectively improves the efficiency of configuration of authentication rules, thereby improving the efficiency of data management.
- the data management device when the data management device is applied to scenarios such as databases, big data SQL engines, or business intelligence, it can effectively improve the user experience of the corresponding scenarios, such as improving the ease of use of the SQL engine.
- authentication is based on the authentication rules of the data set requested by the target access request. There is no need to match a large number of authentication rules, which reduces the complexity of data management and helps improve data reading. Write performance.
- FIG. 10 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
- the computer device 1000 includes a processor 1001, a memory 1002, a communication interface 1003 and a bus 1004. Among them, the processor 1001, the memory 1002, and the communication interface 1003 implement communication connections between each other through the bus 1004.
- Processor 1001 may include a general-purpose processor and/or a special-purpose hardware chip.
- General-purpose processors can include: central processing unit (CPU), microprocessor or graphics processing unit (GPU).
- the CPU is, for example, a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
- a dedicated hardware chip is a high-performance processing hardware module.
- Specialized hardware chips include at least one of a digital signal processor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a network processor (NP) One item.
- the processor 1001 may also be an integrated circuit chip with signal processing capabilities. During the implementation process, part or all of the functions of the data management method of the present application can be completed by instructions in the form of hardware integrated logic circuits or software in the processor 1001 .
- the memory 1002 is used to store computer programs, which include an operating system 1002a and executable codes (ie, program instructions) 1002b.
- the memory 1002 is, for example, a read-only memory or other type of static storage device that can store static information and instructions, or a random access memory or other type of dynamic storage device that can store information and instructions, or an electrically erasable programmable memory device.
- the memory 1002 is used to store outbound port queues, etc.
- the memory 1002 exists independently, for example, and is connected to the processor 1001 through a bus 1004. Or the memory 1002 and the processor 1001 are integrated together.
- the memory 1002 can store executable code. When the executable code stored in the memory 1002 is executed by the processor 1001, the processor 1001 is used to perform part or all of the functions of the data management method provided by the embodiment of the present application.
- the processor 1001 performs the following process: receives a target access request sent by the first client, the target access request is used to request access to the data set; obtains the authentication rule of the data set, and the authentication rule indicates: for requesting access to the data set For any access request, when the first attribute value of any access request and the second attribute value of any data subset involved in any access request satisfy the preset rules, any access request is granted access to any data subset. set of permissions; based on the user information of the target access request, obtain the first attribute value of the target access request; based on the authentication rules, the target data subset involved in the target access request, and the first attribute value, authenticate the target access request, and returns a response to the target access request. Please refer to the relevant descriptions in the foregoing method embodiments for how the processor 1001 executes this process.
- the memory 1002 may also include operating systems and other software modules and data required for running processes.
- the communication interface 1003 uses a transceiver module such as but not limited to a transceiver to implement communication with other devices or communication networks.
- the communication interface 1003 may be any one or any combination of the following devices: a network interface (such as an Ethernet interface), a wireless network card, and other devices with network access functions.
- Bus 1004 is any type of communication bus used to interconnect internal components of a computer device (eg, memory 1002, processor 1001, communication interface 1003).
- a computer device eg, memory 1002, processor 1001, communication interface 1003
- system bus e.g., system bus.
- the embodiment of the present application takes the interconnection of the above-mentioned devices inside the computer device through the bus 1004 as an example.
- the above-mentioned devices inside the computer device 1000 may also communicate with each other using other connection methods besides the bus 1004.
- the above-mentioned devices inside the computer device 1000 are interconnected through internal logical interfaces.
- the above-mentioned plurality of devices can be respectively arranged on independent chips, or at least part or all of them can be arranged on the same chip. Whether each device is independently installed on different chips or integrated on one or more chips often depends on the needs of product design.
- the embodiments of this application do not limit the specific implementation forms of the above devices.
- the descriptions of the processes corresponding to each of the above drawings have different emphases. For parts that are not detailed in a certain process, you can refer to the relevant descriptions of other processes.
- the above embodiments it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
- software it may be implemented in whole or in part in the form of a computer program product.
- the computer program product that provides a program development platform includes one or more computer instructions. When these computer program instructions are loaded and executed on a computer device, the processes or functions of the data management method provided by the embodiments of the present application are fully or partially implemented.
- computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another.
- computer instructions may be transmitted over a wired connection from a website, computer, server or data center. (such as coaxial cable, optical fiber, digital subscriber line or wireless (such as infrared, wireless, microwave, etc.) to transmit to another website, computer, server or data center.
- the computer-readable storage medium stores information that provides a program development platform Computer program instructions.
- An embodiment of the present application also provides a computer cluster.
- the computer cluster includes multiple computer devices.
- the multiple computer devices include multiple processors and multiple memories.
- Program instructions are stored in the multiple memories.
- the multiple processors run the program instructions, so that the computer cluster executes as provided in the embodiments of the present application. data management methods.
- For the implementation method of each computer device in the computer cluster please refer to the implementation method of the aforementioned computer equipment accordingly, which will not be described again here.
- Embodiments of the present application also provide a computer-readable storage medium.
- the computer-readable storage medium is a non-volatile computer-readable storage medium.
- the computer-readable storage medium includes program instructions. When the program instructions are run on a computer device When, the computer device is caused to execute the data management method provided by the embodiment of the present application.
- Embodiments of the present application also provide a computer program product containing instructions.
- the computer program product When the computer program product is run on a computer, it causes the computer to execute the data management method provided by the embodiments of the present application.
- the terms “first”, “second” and “third” are only used for description purposes and cannot be understood as indicating or implying relative importance.
- the term “at least one” refers to one or more, and the term “plurality” refers to two or more, unless expressly limited otherwise.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Mathematical Physics (AREA)
- Computational Linguistics (AREA)
- Storage Device Security (AREA)
Abstract
La présente demande, qui relève du domaine technique de la gestion de données, concerne un procédé et un dispositif de gestion de données. Le procédé comprend : la réception d'une demande d'accès cible envoyée par un premier client, la demande d'accès cible étant utilisée pour demander l'accès à un ensemble de données ; l'obtention d'une règle d'authentification de l'ensemble de données, la règle d'authentification indiquant que pour n'importe quelle demande d'accès demandant l'accès à l'ensemble de données, lorsqu'une première valeur d'attribut de n'importe quelle demande d'accès et une seconde valeur d'attribut de n'importe quel sous-ensemble de données impliquées dans n'importe quelle demande d'accès satisfont une règle prédéfinie, l'octroi à n'importe quelle demande d'accès de la permission d'accéder à n'importe quel sous-ensemble de données ; l'obtention d'une première valeur d'attribut de la demande d'accès cible sur la base d'informations d'utilisateur de la demande d'accès cible ; et sur la base de la règle d'authentification, et d'un sous-ensemble de données cible et de la première valeur d'attribut impliqués dans la demande d'accès cible, l'authentification de la demande d'accès cible et le renvoi d'une réponse à la demande d'accès cible. Selon la présente demande, un administrateur de sécurité n'a pas besoin de configurer la règle d'authentification pour chaque utilisateur, de sorte que l'efficacité de configuration de la règle d'authentification est efficacement améliorée.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210643182.9A CN117235092A (zh) | 2022-06-08 | 2022-06-08 | 数据管理方法及装置 |
| CN202210643182.9 | 2022-06-08 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2023236637A1 true WO2023236637A1 (fr) | 2023-12-14 |
Family
ID=89081359
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2023/085907 WO2023236637A1 (fr) | 2022-06-08 | 2023-04-03 | Procédé et dispositif de gestion de données |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN117235092A (fr) |
| WO (1) | WO2023236637A1 (fr) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101673375A (zh) * | 2009-09-25 | 2010-03-17 | 金蝶软件(中国)有限公司 | 一种工资系统数据授权的方法及系统 |
| US20170132401A1 (en) * | 2015-11-06 | 2017-05-11 | Sap Se | Data access rules in a database layer |
| US20180025174A1 (en) * | 2016-07-21 | 2018-01-25 | Salesforce.Com, Inc. | Access controlled queries against user data in a datastore |
| CN109889517A (zh) * | 2019-02-14 | 2019-06-14 | 广州小鹏汽车科技有限公司 | 数据处理方法、权限数据集创建方法、装置及电子设备 |
| CN111488598A (zh) * | 2020-04-09 | 2020-08-04 | 腾讯科技(深圳)有限公司 | 访问控制方法、装置、计算机设备和存储介质 |
-
2022
- 2022-06-08 CN CN202210643182.9A patent/CN117235092A/zh active Pending
-
2023
- 2023-04-03 WO PCT/CN2023/085907 patent/WO2023236637A1/fr unknown
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101673375A (zh) * | 2009-09-25 | 2010-03-17 | 金蝶软件(中国)有限公司 | 一种工资系统数据授权的方法及系统 |
| US20170132401A1 (en) * | 2015-11-06 | 2017-05-11 | Sap Se | Data access rules in a database layer |
| US20180025174A1 (en) * | 2016-07-21 | 2018-01-25 | Salesforce.Com, Inc. | Access controlled queries against user data in a datastore |
| CN109889517A (zh) * | 2019-02-14 | 2019-06-14 | 广州小鹏汽车科技有限公司 | 数据处理方法、权限数据集创建方法、装置及电子设备 |
| CN111488598A (zh) * | 2020-04-09 | 2020-08-04 | 腾讯科技(深圳)有限公司 | 访问控制方法、装置、计算机设备和存储介质 |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117235092A (zh) | 2023-12-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11716357B2 (en) | Data access policies | |
| US20210385087A1 (en) | Zero-knowledge identity verification in a distributed computing system | |
| US20220021711A1 (en) | Security Platform and Method for Efficient Access and Discovery | |
| US9053302B2 (en) | Obligation system for enterprise environments | |
| US10404757B1 (en) | Privacy enforcement in the storage and access of data in computer systems | |
| US10454975B1 (en) | Conditional comptuing resource policies | |
| US20200287718A1 (en) | Zero-knowledge identity verification in a distributed computing system | |
| US10594737B1 (en) | Distributed storage processing statement interception and modification | |
| WO2020168692A1 (fr) | Procédé de partage de données de masse, plateforme de partage ouverte et dispositif électronique | |
| US10771468B1 (en) | Request filtering and data redaction for access control | |
| US8051168B1 (en) | Method and system for security and user account integration by reporting systems with remote repositories | |
| TW202025020A (zh) | 基於區塊鏈的內容管理系統及方法、裝置、電子設備 | |
| WO2020000716A1 (fr) | Système d'analyse de mégadonnées, serveur, procédé de traitement de données, programme et support de stockage | |
| US10013449B1 (en) | Validating and non-validating secondary indexes for a table in a non-relational data store | |
| CN107315950B (zh) | 一种云计算平台管理员权限最小化的自动化划分方法及访问控制方法 | |
| US11019073B2 (en) | Application-agnostic resource access control | |
| US11595445B2 (en) | Unified authorization with data control language for cloud platforms | |
| WO2024027328A1 (fr) | Procédé de traitement de données fondé sur un système de commande d'accès aux données à confiance nulle | |
| CN115758459A (zh) | 数据权限管理方法及装置 | |
| US11425132B2 (en) | Cross-domain authentication in a multi-entity database system | |
| US11425126B1 (en) | Sharing of computing resource policies | |
| WO2023236637A1 (fr) | Procédé et dispositif de gestion de données | |
| RU2656739C1 (ru) | Способ и система хранения данных | |
| US11669527B1 (en) | Optimized policy data structure for distributed authorization systems | |
| US11651287B1 (en) | Privacy-preserving multi-party machine learning using a database cleanroom |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 23818805 Country of ref document: EP Kind code of ref document: A1 |