CN114139119A - User right management method, device, electronic equipment, medium and program product
- Publication number
- CN114139119A, CN202111216083.4A
- Authority
- CN
- China
- Prior art keywords
- identifier
- user
- data
- specified data
- metadata
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
Embodiments of the present disclosure disclose a user right management method, apparatus, electronic device, medium and program product. The method comprises: storing metadata of specified data, the metadata including a first identifier; establishing an association relationship between the first identifier and user right management data of the specified data; when an access request of a user for the specified data is received, acquiring the user right management data of the specified data according to the first identifier in the metadata of the specified data; and determining the access right of the user to the specified data according to the user right management data.
Description
Technical Field
The present disclosure relates to the field of data storage technologies, and in particular, to a method, an apparatus, an electronic device, a medium, and a program product for managing user rights.
Background
In a distributed file system compatible with the POSIX (Portable Operating System Interface) standard, rights are managed by associating each file and directory with an owner user and an access group list. A file or directory may be configured with different rights for its owner user (user), access group (group), and other users (other). User right management therefore needs to record the owner user, access group and access rights in the metadata of files and directories. This can be done by adding corresponding fields to the data structure of the metadata, but doing so may make that data structure differ too much from the original one, and the file system then has to deal with compatibility problems such as conversion between metadata versions. In addition, adding a field for recording access rights to the data structure of the metadata may couple the metadata to the user right management data, which is not conducive to flexible user right management.
Disclosure of Invention
In order to solve the problems in the related art, embodiments of the present disclosure provide a user right management method, apparatus, electronic device, medium, and program product.
In a first aspect, an embodiment of the present disclosure provides a user right management method.
Specifically, the user right management method includes:
storing metadata of specified data, the metadata including a first identifier;
establishing an association relationship between the first identifier and user authority management data of the specified data;
when receiving an access request of a user to the specified data, acquiring user authority management data of the specified data according to a first identifier in metadata of the specified data;
and determining the access authority of the user to the specified data according to the user authority management data.
With reference to the first aspect, in a first implementation manner of the first aspect, the establishing an association relationship between the first identifier and the user right management data of the specified data includes:
storing the first identifier and the user right management data of the specified data in correspondence in a first storage area.
With reference to the first aspect, in a second implementation manner of the first aspect, the establishing an association relationship between the first identifier and the user right management data of the specified data includes:
storing the first identifier and a second identifier in correspondence in a second storage area;
storing the second identifier and the user right management data of the specified data in correspondence in the first storage area.
With reference to the second implementation manner of the first aspect, in a third implementation manner of the first aspect, the storing the first identifier and the second identifier in the second storage area correspondingly includes:
storing an extended metadata attribute of the specified data in the second storage area, a key of the extended metadata attribute including the first identifier, a value of the extended metadata attribute including the second identifier.
With reference to the first aspect, in a fourth implementation manner of the first aspect, the metadata includes a flag field, and the acquiring the user right management data of the specified data according to the first identifier in the metadata of the specified data includes:
when the flag field is a first value, acquiring the user right management data of the specified data in a first storage area according to the first identifier;
and when the flag field is a second value, acquiring a second identifier in a second storage area according to the first identifier, and acquiring the user right management data of the specified data in the first storage area according to the second identifier.
With reference to the first aspect, in a fifth implementation manner of the first aspect, the user right management data includes a right bitmap field and a mask field, the right bitmap field indicates a maximum right range of a user for the specified data, and the mask field is used to select a specified right in the right bitmap field as an access right of the user for the specified data.
In a second aspect, an embodiment of the present disclosure provides a user right management apparatus.
Specifically, the user right management device includes:
a first storage module configured to store metadata of specified data, the metadata including a first identifier;
a second storage module configured to establish an association relationship between the first identifier and user right management data of the specified data;
the acquisition module is configured to acquire user authority management data of the specified data according to a first identifier in metadata of the specified data when receiving an access request of a user to the specified data;
a determining module configured to determine the access authority of the user to the specified data according to the user authority management data.
With reference to the second aspect, in a first implementation manner of the second aspect, the second storage module includes:
a first storage unit configured to store the first identifier and the user right management data of the specified data in correspondence in a first storage area.
With reference to the second aspect, in a second implementation manner of the second aspect, the second storage module includes:
a second storage unit configured to store the first identifier and the second identifier in correspondence in a second storage area;
a third storage unit configured to store the second identifier and the user right management data of the specified data in correspondence in the first storage area.
With reference to the second implementation manner of the second aspect, in a third implementation manner of the second aspect, the second storage unit includes:
a storage subunit configured to store an extended metadata attribute of the specified data in the second storage area, a key of the extended metadata attribute including the first identifier, and a value of the extended metadata attribute including the second identifier.
With reference to the second aspect, in a fourth implementation manner of the second aspect, the metadata includes a flag field, and the part of the obtaining module that obtains the user right management data of the specified data according to the first identifier in the metadata of the specified data is configured to perform:
when the flag field is a first value, acquiring the user right management data of the specified data in a first storage area according to the first identifier;
and when the flag field is a second value, acquiring a second identifier in a second storage area according to the first identifier, and acquiring user authority management data of the specified data in the first storage area according to the second identifier.
With reference to the second aspect, in a fifth implementation manner of the second aspect, the user right management data includes a right bitmap field and a mask field, the right bitmap field indicates a maximum right range of a user for the specified data, and the mask field is used to select a specified right in the right bitmap field as an access right of the user for the specified data.
In a third aspect, the disclosed embodiments provide an electronic device comprising a memory and a processor, wherein the memory is configured to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement the method according to any one of the first aspect.
In a fourth aspect, the disclosed embodiments provide a computer-readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method according to any one of the first aspect.
In a fifth aspect, the disclosed embodiments provide a computer program product comprising computer instructions which, when executed by a processor, implement the method steps according to any of the first aspect.
According to the technical solution provided by the embodiments of the present disclosure, metadata of specified data is stored, the metadata including a first identifier; an association relationship between the first identifier and user right management data of the specified data is established; when an access request of a user for the specified data is received, the user right management data of the specified data is acquired according to the first identifier in the metadata of the specified data; and the access right of the user to the specified data is determined according to the user right management data. With this solution, the rights on the specified data are managed without adding fields for the user right management data to the metadata. The user right management data is stored in association with the first identifier, and only the first identifier is stored as part of the metadata of the specified data. When an access request of a user for the specified data is received, the user right management data can be acquired according to the first identifier and the access right of the user determined from it. This avoids the compatibility problems caused by changing the data structure of the metadata, decouples the metadata from the user right management data, and facilitates flexible user right management.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
Other features, objects, and advantages of the present disclosure will become more apparent from the following detailed description of non-limiting embodiments when taken in conjunction with the accompanying drawings. In the drawings:
FIG. 1 shows a flow diagram of a user rights management method according to an embodiment of the present disclosure;
FIG. 2 illustrates a scenario diagram of a user rights management method according to an embodiment of the present disclosure;
FIG. 3 illustrates a block diagram of a user right management apparatus according to an embodiment of the present disclosure;
FIG. 4 shows a block diagram of an electronic device according to an embodiment of the present disclosure;
FIG. 5 shows a schematic block diagram of a computer system suitable for use in implementing a method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily implement them. Also, for the sake of clarity, parts not relevant to the description of the exemplary embodiments are omitted in the drawings.
In the present disclosure, it is to be understood that terms such as "including" or "having," etc., are intended to indicate the presence of the disclosed features, numbers, steps, behaviors, components, parts, or combinations thereof, and are not intended to preclude the possibility that one or more other features, numbers, steps, behaviors, components, parts, or combinations thereof may be present or added.
It should be further noted that the embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In the present disclosure, the acquisition of the user information or the user data is an operation that is authorized, confirmed, or actively selected by the user.
As mentioned above, in a distributed file system compatible with the POSIX (Portable Operating System Interface) standard, rights are managed by associating each file and directory with an owner user and an access group list. A file or directory may be configured with different rights for its owner user (user), access group (group), and other users (other). User right management therefore needs to record the owner user, access group and access rights in the metadata of files and directories. This can be done by adding corresponding fields to the data structure of the metadata, but doing so may make that data structure differ too much from the original one, and the file system then has to deal with compatibility problems such as conversion between metadata versions. In addition, adding a field for recording access rights to the data structure of the metadata may couple the metadata to the user right management data, which is not conducive to flexible user right management.
According to the technical solution provided by the embodiments of the present disclosure, the rights on the specified data are managed without adding fields for the user right management data to the metadata. The user right management data is stored in association with the first identifier, and only the first identifier is stored as part of the metadata of the specified data. When an access request of a user for the specified data is received, the user right management data can be acquired according to the first identifier and the access right of the user determined from it. This avoids the compatibility problems caused by changing the data structure of the metadata, decouples the metadata from the user right management data, and facilitates flexible user right management.
Fig. 1 illustrates a flowchart of a user rights management method according to an embodiment of the present disclosure. As shown in fig. 1, the user right management method includes the following steps S101 to S104:
in step S101, metadata of specified data is stored, the metadata including a first identifier;
in step S102, establishing an association relationship between the first identifier and the user right management data of the specified data;
in step S103, when receiving an access request of a user to the specified data, acquiring user right management data of the specified data according to a first identifier in metadata of the specified data;
in step S104, the access right of the user to the specified data is determined according to the user right management data.
According to an embodiment of the present disclosure, the specified data may be data that a user requests to access, and for a distributed file system, the specified data may be a file or a directory, for example.
According to an embodiment of the present disclosure, the metadata of the specified data may be data describing the specified data; for example, the metadata may include the name, storage location information, size, modification time, and the like of the specified data. According to an embodiment of the present disclosure, the metadata further includes a first identifier. The first identifier is associated with the user right management data of the specified data, and the user right management data can be acquired according to the first identifier. According to an embodiment of the present disclosure, the first identifier may have a preset length, for example, one 4-byte field. According to the embodiment of the disclosure, the first identifier is much shorter than the user right management data, so including it in the metadata does not make the data structure of the metadata differ too much from the original data structure. When the existing metadata structure includes a field that allows customization, the first identifier can be stored in that field, which avoids the compatibility problems caused by changing the data structure of the metadata.
According to an embodiment of the present disclosure, the user right management data records the rights of users on the specified data. Taking the distributed file system as an example, the user right management data of the specified data includes: an owner user identifier (userID), an access group identifier (groupID), a permission bitmap field, a mask field, and the like. The owner user identifier is the identifier of the owner of the specified data; the access group identifier is the identifier of other users who have the right to access the file; the permission bitmap field represents the maximum permission range of the user for the specified data; and the mask field is used to select specified permissions from the permission bitmap field as the access permissions of the user for the specified data.
According to the embodiment of the disclosure, the format of the permission bitmap field may be { r1 w1 x1 r2 w2 x2 r3 w3 x3}, where r1, w1, and x1 respectively represent the read, write, and executable permissions of the owner user on the specified data, r2, w2, and x2 respectively represent the read, write, and executable permissions of the access group user on the specified data, and r3, w3, and x3 respectively represent the read, write, and executable permissions of the other users on the specified data. For a file, read and write are used to control whether the file can be read and written, respectively. For a directory, read is used to control whether the contents of the directory can be traversed, write is used to control whether subfiles and directories can be created/deleted under the directory, and executable rights are used to control whether subfiles and directories of the directory can be accessed.
For example, when the specified data is a directory and the permission bitmap field is 111101100, the owner user has read, write and executable permissions for the directory, the access group user has read and executable permissions for the directory, and the other users have read permission for the directory. When the specified data is a file and the permission bitmap field is 110100100, the owner user has read and write permissions for the file, the access group user has read permission for the file, and other users have read permission for the file.
Besides the permission bitmap field, a mask field can be set for selecting specified permissions in the permission bitmap field as the access permissions of the user for the specified data. For example, user permissions may be determined from the bitwise AND of the permission bitmap field and the mask field. When the specified data is a directory and the permission bitmap field is 111101100, if the mask field is 110110110, the bitwise AND of the permission bitmap field and the mask field is 110100100; that is, the owner user has read and write permissions for the directory, the access group user has read permission for the directory, and the other users have read permission for the directory. When the specified data is a file and the permission bitmap field is 110100000, if the mask field is 110100000, the bitwise AND of the permission bitmap field and the mask field is 110100000, which indicates that the owner user has read and write permissions for the file, the access group user has read permission for the file, and the other users have no read, write or executable permission for the file.
It can be seen that the authority determined by the bitwise and result of the permission bitmap field and the mask field does not exceed the authority range defined by the permission bitmap field, which makes it possible to flexibly modify the user authority through the mask field after setting the permission bitmap field, and at the same time, ensures that the modified authority does not exceed the authority range defined by the permission bitmap field.
According to an embodiment of the disclosure, the user right management data does not include a mask field, and the access right of the user is determined directly from the permission bitmap field.
According to the embodiment of the present disclosure, the user types other than the owner user, the access group user, and the other users and the corresponding access rights thereof may be specified according to actual needs, which is not particularly limited by the present disclosure.
When an access request of a user for the specified data is received, the user right management data can be acquired according to the first identifier. Whether the user is the owner user, an access group user or one of the other users is determined from the user identity information contained in the access request, and the access right of the user is then determined according to the user right management data.
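The permission check described above (bitmap, optional mask, then owner/group/other classification), written out as an added example; it is not code from the patent. The record layout, the `gids` argument for the requester's groups, and checking owner before group are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

CLASSES = ("owner", "group", "other")  # order of the three triples in the bitmap
RIGHTS = ("r", "w", "x")               # order of the bits inside each triple


@dataclass(frozen=True)
class RightsRecord:
    """User right management data with the fields the text lists (layout assumed)."""
    owner_id: int
    group_id: int
    bitmap: str                  # nine '0'/'1' characters: r1 w1 x1 r2 w2 x2 r3 w3 x3
    mask: Optional[str] = None   # None models the variant without a mask field


def parse_bits(bits: str) -> int:
    """Parse a nine-digit binary string, rejecting anything malformed."""
    if len(bits) != 9 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected nine binary digits, got {bits!r}")
    return int(bits, 2)


def effective_bits(rec: RightsRecord) -> int:
    """Bitmap AND mask; the bitmap alone when the record has no mask."""
    bitmap = parse_bits(rec.bitmap)
    return bitmap if rec.mask is None else bitmap & parse_bits(rec.mask)


def user_class(rec: RightsRecord, uid: int, gids: Iterable[int]) -> str:
    """Classify the requester; owner is tested before group (an assumption)."""
    if uid == rec.owner_id:
        return "owner"
    if rec.group_id in set(gids):
        return "group"
    return "other"


def allowed(rec: RightsRecord, uid: int, gids: Iterable[int], right: str) -> bool:
    """True if the requester holds `right` ('r', 'w' or 'x') on the data."""
    index = CLASSES.index(user_class(rec, uid, gids)) * 3 + RIGHTS.index(right)
    # Bit 8 is r1 (leftmost digit), bit 0 is x3 (rightmost digit).
    return bool((effective_bits(rec) >> (8 - index)) & 1)


# Constructed sample records; the bit patterns are the ones used in the text.
DIRECTORY = RightsRecord(1000, 50, bitmap="111101100", mask="110110110")
FILE = RightsRecord(1000, 50, bitmap="110100000", mask="110100000")
NO_MASK = RightsRecord(1000, 50, bitmap="111101100")

if __name__ == "__main__":
    for name, rec in (("directory", DIRECTORY), ("file", FILE), ("no mask", NO_MASK)):
        print(name, format(effective_bits(rec), "09b"))
    print("group member may enter directory:", allowed(DIRECTORY, 2000, [50], "x"))
```

Because the mask is only ever ANDed with the bitmap, a mask with extra bits set cannot grant a right the bitmap withholds.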
According to an embodiment of the present disclosure, the establishing an association relationship between the first identifier and the user right management data of the specified data in step S102 includes:
storing the first identifier and the user right management data of the specified data in correspondence in a first storage area.
According to an embodiment of the present disclosure, the first storage area may be a designated storage area located in the memory, and is used for correspondingly storing the first identifier and the user right management data of the designated data, and the data stored in the first storage area may be periodically persisted to the hard disk to ensure reliability and security. When receiving an access request of a user to the specified data, the user authority management data of the specified data can be acquired from the first storage area according to the first identifier in the metadata of the specified data, and then the access authority of the user to the specified data is determined.
According to an embodiment of the present disclosure, the establishing an association relationship between the first identifier and the user right management data of the specified data in step S102 includes:
storing the first identifier and a second identifier in correspondence in a second storage area;
storing the second identifier and the user right management data of the specified data in correspondence in the first storage area.
According to an embodiment of the present disclosure, the second storage area may be another designated storage area located in the memory different from the first storage area, for storing the first identifier and the second identifier correspondingly. The data stored in the second storage area may be persisted to the hard disk periodically to ensure reliability and security.
According to the embodiment of the disclosure, the second identifier and the user right management data of the designated data can be stored in the first storage area, and when an access request of a user to the designated data is received, the second identifier can be obtained from the second storage area according to the first identifier in the metadata of the designated data, and then the user right management data of the designated data can be obtained from the first storage area according to the second identifier, so as to determine the access right of the user to the designated data.
According to an embodiment of the present disclosure, the correspondingly storing the first identifier and the second identifier in the second storage area includes:
storing an extended metadata attribute of the specified data in the second storage area, a key of the extended metadata attribute including the first identifier, a value of the extended metadata attribute including the second identifier.
According to an embodiment of the present disclosure, the second storage area may be used to store an extended metadata attribute of the specified data, and the extended metadata attribute of the specified data may be acquired through the first identifier in the metadata of the specified data. Besides the second identifier used for acquiring the user right management data, the extended metadata attribute may include other information about the specified data. According to an embodiment of the present disclosure, the second identifier may have a preset length, for example, may be a 4-byte field.
When a user access request for the specified data is received, the second identifier stored in the extended metadata attribute is determined through the first identifier in the metadata of the specified data, and the user right management data of the specified data is then obtained through the second identifier. Because user rights are verified frequently, storing the second identifier in the extended metadata attribute, instead of storing the user right management data there directly, reduces the amount of data that has to be processed when the extended metadata attribute is serialized and deserialized. This reduces processing latency, improves the efficiency of user right management, and improves the throughput of data access.
According to an embodiment of the present disclosure, the metadata includes a flag field, and the acquiring the user right management data of the specified data according to the first identifier in the metadata of the specified data includes:
when the flag field is a first value, acquiring the user right management data of the specified data in a first storage area according to the first identifier;
and when the flag field is a second value, acquiring a second identifier in a second storage area according to the first identifier, and acquiring user authority management data of the specified data in the first storage area according to the second identifier.
According to an embodiment of the present disclosure, the metadata of an existing distributed file system that has extended metadata attributes includes a designated field for storing an identifier pointing to an extended metadata attribute, and a flag field indicating whether the designated field is valid. If the flag field takes a first value indicating that the designated field is valid, the extended metadata attribute can be obtained from the identifier stored in the designated field. If the flag field takes a second value indicating that the designated field is invalid, the content stored in the designated field cannot be used to obtain an extended metadata attribute. In this embodiment, a first identifier may be stored in the designated field. The first identifier may point either to the user right management data stored in the first storage area or to the extended metadata attribute stored in the second storage area, and the flag field distinguishes which of the two it points to. For example, when the flag field takes a first value, the first identifier points to user right management data stored in the first storage area, and when the flag field takes a second value, the first identifier points to an extended metadata attribute stored in the second storage area. When the first identifier points to an extended metadata attribute stored in the second storage area, a second identifier pointing to the user right management data stored in the first storage area may be stored in the extended metadata attribute, and other information about the specified data may also be stored there. In this way, the metadata structure of an existing distributed file system with extended metadata attributes does not need to be changed, which achieves good compatibility with the existing distributed file system.
Fig. 2 illustrates a scene diagram of a user right management method according to an embodiment of the present disclosure.
As shown in fig. 2, when the flag field takes on a first value (e.g., 1), the corresponding user right management data is acquired in the first storage area through the first identifier. And when the flag field takes a second value (for example, 0), acquiring a corresponding second identifier in the second storage area according to the first identifier, and acquiring corresponding user right management data in the first storage area according to the second identifier. According to an embodiment of the present disclosure, the second storage area is for storing an extended metadata attribute of the specified data, a key of the extended metadata attribute includes the first identifier, and a value of the extended metadata attribute includes the second identifier.
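The flag-driven lookup of Fig. 2, as an added example that is not code from the patent. The two storage areas are modelled as in-memory dictionaries, the `second_id` key and the `DanglingIdentifier` error are hypothetical names, and treating an unresolvable identifier as "no rights" is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Dict, Optional

FLAG_DIRECT = 1    # first value: first identifier keys the first storage area
FLAG_INDIRECT = 0  # second value: first identifier keys the second storage area


@dataclass(frozen=True)
class Metadata:
    """File or directory metadata; only the fields the lookup needs."""
    name: str
    first_id: int   # the short identifier held in the existing designated field
    flag: int


class DanglingIdentifier(LookupError):
    """An identifier that does not resolve to a stored record (hypothetical)."""


def resolve_rights(meta: Metadata, first_area: Dict[int, dict],
                   second_area: Dict[int, dict]) -> dict:
    """Follow the first identifier to the user right management data."""
    if meta.flag == FLAG_DIRECT:
        key = meta.first_id
    elif meta.flag == FLAG_INDIRECT:
        xattr = second_area.get(meta.first_id)
        if xattr is None or "second_id" not in xattr:
            raise DanglingIdentifier(f"{meta.name}: no second identifier")
        key = xattr["second_id"]
    else:
        raise ValueError(f"{meta.name}: unknown flag value {meta.flag!r}")
    if key not in first_area:
        raise DanglingIdentifier(f"{meta.name}: no rights record for id {key}")
    return first_area[key]


def rights_or_none(meta: Metadata, first_area: Dict[int, dict],
                   second_area: Dict[int, dict]) -> Optional[dict]:
    """Fail closed: an unresolvable lookup yields None, which callers deny."""
    try:
        return resolve_rights(meta, first_area, second_area)
    except (DanglingIdentifier, ValueError):
        return None


# Constructed sample data. Identifier 7 exists in both areas on purpose:
# only the flag says which area the first identifier refers to.
FIRST_AREA = {
    7: {"owner_id": 1000, "bitmap": "110100100"},
    42: {"owner_id": 1001, "bitmap": "111101100"},
}
SECOND_AREA = {
    7: {"second_id": 42, "other": "constructed extra attribute"},
    9: {"second_id": 99},                    # points at a missing record
    10: {"other": "no second identifier"},   # extended attribute without one
}

if __name__ == "__main__":
    for meta in (Metadata("a.txt", 7, FLAG_DIRECT),
                 Metadata("docs", 7, FLAG_INDIRECT),
                 Metadata("broken", 9, FLAG_INDIRECT)):
        print(meta.name, rights_or_none(meta, FIRST_AREA, SECOND_AREA))
```

The same numeric identifier resolves to different records depending on the flag, so the flag field needs the same integrity protection as the identifier itself.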
According to the embodiment of the disclosure, the first identifier is stored in the metadata of the designated data, and the user authority management data of the designated data is stored in the first storage area, so that the metadata of the designated data and the user authority management data are decoupled, and when the user authority management data is operated, the metadata is not influenced or the attribute of the metadata is not expanded, so that the operation process is simplified, the operation efficiency is improved, the flexible user authority management is realized, and the more flexible memory management and disk persistence performance are realized.
In addition, according to the embodiment of the disclosure, the user right management and the metadata extended attribute can be organically combined, so that the compatibility problem of the user right management is effectively solved, and the related processing logic of other information related to the specified data in the extended metadata attribute can be correspondingly opened according to the use requirement of the user on the metadata extended attribute.
Fig. 3 illustrates a block diagram of a user right management apparatus according to an embodiment of the present disclosure. The apparatus may be implemented as part or all of an electronic device through software, hardware, or a combination of both.
As shown in fig. 3, the user right management apparatus 300 includes a first storage module 310, a second storage module 320, an obtaining module 330, and a determining module 340.
The first storage module 310 is configured to store metadata of specified data, the metadata including a first identifier;
the second storage module 320 is configured to establish an association relationship between the first identifier and user right management data of the specified data;
the obtaining module 330 is configured to, when receiving a user access request for the specified data, obtain user right management data of the specified data according to a first identifier in metadata of the specified data;
the determining module 340 is configured to determine the access right of the user to the specified data according to the user right management data.
According to the technical solution provided by the embodiment of the disclosure, right management of the specified data is achieved without adding a field for the user right management data to the metadata. The user right management data is stored in association with the first identifier, and the first identifier is stored as metadata of the specified data. When an access request of a user for the specified data is received, the user right management data of the specified data can be obtained according to the first identifier, and the access right of the user to the specified data is then determined. The metadata is thereby decoupled from the user right management data, which makes flexible user right management easy to implement.
According to an embodiment of the present disclosure, the second storage module includes:
a first storage unit configured to store the first identifier and the user right management data of the specified data in correspondence in a first storage area.
According to an embodiment of the present disclosure, the second storage module includes:
a second storage unit configured to store the first identifier and the second identifier in correspondence in a second storage area;
a third storage unit configured to store the second identifier and the user right management data of the specified data in correspondence in the first storage area.
According to an embodiment of the present disclosure, the second storage unit includes:
a storage subunit configured to store an extended metadata attribute of the specified data in the second storage area, a key of the extended metadata attribute including the first identifier, and a value of the extended metadata attribute including the second identifier.
According to an embodiment of the present disclosure, the metadata includes a flag field, and the part of the obtaining module that obtains the user right management data of the specified data according to the first identifier in the metadata of the specified data is configured to:
when the flag field is a first value, acquire the user right management data of the specified data in a first storage area according to the first identifier;
and when the flag field is a second value, acquire a second identifier in a second storage area according to the first identifier, and acquire the user right management data of the specified data in the first storage area according to the second identifier.
According to the embodiment of the disclosure, the user authority management data comprises an authority bitmap field and a mask field, wherein the authority bitmap field represents the maximum authority range of the user on the specified data, and the mask field is used for selecting specified authority in the authority bitmap field as the access authority of the user on the specified data.
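The flag-driven lookup of fig. 2 and the bitmap/mask rule above, as an added example that is not code from the patent. The flag values 1 and 0 follow the text; the `Perm` bits, the `rights_id` attribute name, per-user bitmaps, the bitwise-AND reading of the mask, and denying access when the identifier chain is broken are assumptions.

```python
from dataclasses import dataclass
from enum import IntFlag


class Perm(IntFlag):          # assumed bit layout; the patent names no bits
    NONE = 0
    READ = 1
    WRITE = 2
    EXECUTE = 4


FLAG_DIRECT = 1    # "first value": first identifier indexes the first storage area
FLAG_INDIRECT = 0  # "second value": first identifier keys the second storage area


@dataclass(frozen=True)
class Metadata:               # only the two fields the lookup needs
    flag: int
    first_id: int


@dataclass
class RightsRecord:           # user right management data
    bitmaps: dict             # user -> Perm, the maximum range for that user
    mask: Perm                # selects which bitmap bits are in force


class RightsLookupError(Exception):
    """The identifier chain does not end at a rights record."""


def resolve_rights(meta, first_area, second_area):
    """Follow the flag to the rights record, or raise RightsLookupError."""
    if meta.flag == FLAG_DIRECT:
        rights_id = meta.first_id
    elif meta.flag == FLAG_INDIRECT:
        attr = second_area.get(meta.first_id)      # extended metadata attribute
        if attr is None or "rights_id" not in attr:
            raise RightsLookupError("no second identifier for first identifier")
        rights_id = attr["rights_id"]              # the second identifier
    else:
        raise RightsLookupError(f"unknown flag value {meta.flag!r}")
    record = first_area.get(rights_id)
    if record is None:
        raise RightsLookupError(f"identifier {rights_id} has no rights record")
    return record


def effective_perms(record, user):
    """Maximum range for the user, narrowed by the mask (assumed bitwise AND)."""
    return record.bitmaps.get(user, Perm.NONE) & record.mask


def is_allowed(meta, user, wanted, first_area, second_area):
    """Grant only if every requested bit survives; any lookup failure denies."""
    try:
        record = resolve_rights(meta, first_area, second_area)
    except RightsLookupError:
        return False
    granted = effective_perms(record, user)
    return wanted != Perm.NONE and (granted & wanted) == wanted


# Constructed sample data, not taken from the patent.
FIRST_AREA = {
    101: RightsRecord({"alice": Perm.READ | Perm.WRITE, "bob": Perm.READ},
                      mask=Perm.READ | Perm.WRITE),
    202: RightsRecord({"alice": Perm.READ | Perm.WRITE | Perm.EXECUTE},
                      mask=Perm.READ),
}
SECOND_AREA = {
    7: {"rights_id": 202, "note": "other information about the data"},
    8: {"note": "extended attribute without a second identifier"},
}
REPORT = Metadata(flag=FLAG_DIRECT, first_id=101)     # one-hop lookup
ARCHIVE = Metadata(flag=FLAG_INDIRECT, first_id=7)    # two-hop lookup
ORPHAN = Metadata(flag=FLAG_INDIRECT, first_id=8)     # broken chain
```

Because the flag alone decides which storage area the first identifier indexes, a corrupted flag sends the lookup to the wrong area, so the flag needs the same integrity protection as the identifier.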
The present disclosure also discloses an electronic device, and fig. 4 shows a block diagram of the electronic device according to an embodiment of the present disclosure.
As shown in fig. 4, the electronic device 400 includes a memory 401 and a processor 402, wherein the memory 401 is configured to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor 402 to implement a method according to an embodiment of the disclosure:
storing metadata of specified data, the metadata including a first identifier;
establishing an association relationship between the first identifier and user authority management data of the specified data;
when receiving an access request of a user to the specified data, acquiring user authority management data of the specified data according to a first identifier in metadata of the specified data;
and determining the access authority of the user to the specified data according to the user authority management data.
According to an embodiment of the present disclosure, the establishing an association relationship between the first identifier and the user right management data of the specified data includes:
storing the first identifier and the user right management data of the specified data in correspondence in a first storage area.
According to an embodiment of the present disclosure, the establishing an association relationship between the first identifier and the user right management data of the specified data includes:
correspondingly storing the first identifier and the second identifier in a second storage area;
storing the second identifier and the user right management data of the specified data in correspondence in the first storage area.
According to an embodiment of the present disclosure, the correspondingly storing the first identifier and the second identifier in the second storage area includes:
storing an extended metadata attribute of the specified data in the second storage area, a key of the extended metadata attribute including the first identifier, a value of the extended metadata attribute including the second identifier.
According to an embodiment of the present disclosure, the metadata includes a flag field, and the obtaining of the user right management data of the specified data according to the first identifier in the metadata of the specified data includes:
when the flag field is a first value, acquiring user authority management data of the specified data in a first storage area according to the first identifier;
and when the flag field is a second value, acquiring a second identifier in a second storage area according to the first identifier, and acquiring user authority management data of the specified data in the first storage area according to the second identifier.
According to the embodiment of the disclosure, the user authority management data comprises an authority bitmap field and a mask field, wherein the authority bitmap field represents the maximum authority range of the user on the specified data, and the mask field is used for selecting specified authority in the authority bitmap field as the access authority of the user on the specified data.
FIG. 5 shows a schematic block diagram of a computer system suitable for use in implementing a method according to an embodiment of the present disclosure.
As shown in fig. 5, the computer system 500 includes a processing unit 501 that can execute various processes in the above-described embodiments according to a program stored in a Read Only Memory (ROM)502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data necessary for the operation of the system 500 are also stored. The processing unit 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, and the like; an output section 507 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage section 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read from it is installed into the storage section 508 as necessary. The processing unit 501 may be implemented as a CPU, a GPU, a TPU, an FPGA, an NPU, or another processing unit.
In particular, the above described methods may be implemented as computer software programs according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising computer instructions that, when executed by a processor, implement the method steps described above. In such an embodiment, the computer program product may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units or modules described in the embodiments of the present disclosure may be implemented by software or by programmable hardware. The units or modules described may also be provided in a processor, and the names of the units or modules do not in some cases constitute a limitation of the units or modules themselves.
As another aspect, the present disclosure also provides a computer-readable storage medium, which may be a computer-readable storage medium included in the electronic device or the computer system in the above embodiments; or it may be a separate computer readable storage medium not incorporated into the device. The computer readable storage medium stores one or more programs for use by one or more processors in performing the methods described in the present disclosure.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the present disclosure is not limited to technical solutions formed by the specific combination of the above-mentioned features, but also encompasses other technical solutions formed by any combination of the above-mentioned features or their equivalents without departing from the inventive concept, for example, technical solutions formed by replacing the above features with (but not limited to) features having similar functions disclosed in this disclosure.
Claims (14)
1. A user rights management method, comprising:
storing metadata of specified data, the metadata including a first identifier;
establishing an association relationship between the first identifier and user authority management data of the specified data;
when receiving an access request of a user to the specified data, acquiring user authority management data of the specified data according to a first identifier in metadata of the specified data;
and determining the access authority of the user to the specified data according to the user authority management data.
2. The method of claim 1, wherein said establishing an association of the first identifier with user rights management data of the specified data comprises:
storing the first identifier and the user right management data of the specified data in correspondence in a first storage area.
3. The method of claim 1, wherein said establishing an association of the first identifier with user rights management data of the specified data comprises:
correspondingly storing the first identifier and the second identifier in a second storage area;
storing the second identifier and the user right management data of the specified data in correspondence in the first storage area.
4. The method of claim 3, wherein the storing the first and second identifiers in correspondence in a second storage area comprises:
storing an extended metadata attribute of the specified data in the second storage area, a key of the extended metadata attribute including the first identifier, a value of the extended metadata attribute including the second identifier.
5. The method of claim 1, wherein the metadata includes a flag field, and the obtaining the user right management data of the specified data according to the first identifier in the metadata of the specified data includes:
when the flag field is a first value, acquiring user authority management data of the specified data in a first storage area according to the first identifier;
and when the flag field is a second value, acquiring a second identifier in a second storage area according to the first identifier, and acquiring user authority management data of the specified data in the first storage area according to the second identifier.
6. The method of claim 1, wherein the user rights management data includes a rights bitmap field representing a user's maximum range of rights to the specified data and a mask field for selecting a specified right in the rights bitmap field as the user's access right to the specified data.
7. A user right management apparatus comprising:
a first storage module configured to store metadata of specified data, the metadata including a first identifier;
a second storage module configured to establish an association relationship between the first identifier and user right management data of the specified data;
an obtaining module configured to obtain user right management data of the specified data according to the first identifier in the metadata of the specified data when an access request of a user for the specified data is received;
a determining module configured to determine the access authority of the user to the specified data according to the user authority management data.
8. The apparatus of claim 7, wherein the second storage module comprises:
a first storage unit configured to store the first identifier and the user right management data of the specified data in correspondence in a first storage area.
9. The apparatus of claim 7, wherein the second storage module comprises:
a second storage unit configured to store the first identifier and the second identifier in correspondence in a second storage area;
a third storage unit configured to store the second identifier and the user right management data of the specified data in correspondence in the first storage area.
10. The apparatus of claim 9, wherein the second storage unit comprises:
a storage subunit configured to store an extended metadata attribute of the specified data in the second storage area, a key of the extended metadata attribute including the first identifier, and a value of the extended metadata attribute including the second identifier.
11. The apparatus of claim 7, wherein the metadata includes a flag field, and the part of the obtaining module that obtains the user right management data of the specified data according to the first identifier in the metadata of the specified data is configured to:
when the flag field is a first value, acquire the user right management data of the specified data in a first storage area according to the first identifier;
and when the flag field is a second value, acquire a second identifier in a second storage area according to the first identifier, and acquire the user right management data of the specified data in the first storage area according to the second identifier.
12. An electronic device comprising a memory and a processor; wherein the memory is to store one or more computer instructions, wherein the one or more computer instructions are to be executed by the processor to implement the method steps of any of claims 1-6.
13. A readable storage medium having stored thereon computer instructions which, when executed by a processor, carry out the method steps of any of claims 1-6.
14. A computer program product comprising computer instructions which, when executed by a processor, carry out the method steps of any of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111216083.4A CN114139119B (en) | 2021-10-19 | 2021-10-19 | User authority management method, device, electronic equipment, medium and program product |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111216083.4A CN114139119B (en) | 2021-10-19 | 2021-10-19 | User authority management method, device, electronic equipment, medium and program product |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114139119A (en) | 2022-03-04 |
| CN114139119B (en) | 2024-09-24 |
Family
ID=80394398
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111216083.4A Active CN114139119B (en) | 2021-10-19 | 2021-10-19 | User authority management method, device, electronic equipment, medium and program product |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114139119B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115941424A (en) * | 2022-12-30 | 2023-04-07 | 北京天融信网络安全技术有限公司 | A processing method, management control method and device for node information |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130218919A1 (en) * | 2012-02-20 | 2013-08-22 | Aleksey Solonchev | Method and apparatus for managing content |
| CN108280365A (en) * | 2017-09-19 | 2018-07-13 | 平安科技(深圳)有限公司 | Data access authority management method, device, terminal device and storage medium |
| US20190356493A1 (en) * | 2018-05-21 | 2019-11-21 | Integra, Inc. | Blockchain-anchored smart documents |
| CN112364110A (en) * | 2020-11-17 | 2021-02-12 | 深圳前海微众银行股份有限公司 | Metadata management method, device and equipment and computer storage medium |
| CN112989313A (en) * | 2021-01-14 | 2021-06-18 | 国网上海市电力公司 | Identification registration method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114139119B (en) | 2024-09-24 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||