CN120216477A - Data management method, device, equipment and storage medium - Google Patents

Info

Publication number
CN120216477A
Authority
CN
China
Prior art keywords
data
data request
verification
directory
interceptor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202510396833.2A
Other languages
Chinese (zh)
Inventor
和思扬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Jinan data Technology Co ltd
Original Assignee
Inspur Jinan data Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Jinan data Technology Co ltd
Priority to CN202510396833.2A
Publication of CN120216477A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/182 Distributed file systems
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137 Time limited access, e.g. to a computer or data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Human Computer Interaction (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a data management method, device, equipment and storage medium applied to a distributed file system, in the technical field of data processing. The method comprises: intercepting, through an interceptor, a data request issued by an upper-layer client and parsing it to obtain the data directory to be accessed; performing authority verification on the data request according to the tag file corresponding to that data directory to obtain a verification result, where the tag file has a mapping relation with a local data directory and contains verification rules for the relevant parameters of the data request; and responding to the data request based on the verification result. In this way, data in the distributed file system is managed with finer-grained authority verification: more precise access control is achieved on part of the data through the accessed data directory, the flexibility of data protection is improved, and the verification can combine more parameters of the data request, so that data security is further improved.

Description

Data management method, device, equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a data management method, apparatus, device, and storage medium.
Background
HDFS (Hadoop Distributed File System) is a distributed file storage system that supports a safe mode in which all stored data is in a read-only state and protected from write modification and deletion. Safe mode cannot protect data under a particular path: its coverage is the whole service, that is, the HDFS data is in an unavailable state, and the services in the upper layer are paralyzed in turn, blocking the service of the entire big data platform. Therefore, this function is currently only suitable for cluster maintenance and cannot be used for data security management in daily operation and maintenance. On the other hand, the existing security management components for big data include Kerberos (a computer network authorization protocol), Ranger (an open-source project focusing on access control and data masking), etc., yet authorized users may perform some unknown operations on different client nodes, which may interfere with or damage the path on which important data is located. Although HDFS supports an IP (Internet Protocol, broadly referring to a network address) whitelist function, it is global to the cluster data and cannot be refined to a particular data directory.
It follows that how to achieve accurate management of data is a problem to be solved in the art.
Disclosure of Invention
The embodiment of the invention aims to provide a data management method, a device, equipment and a storage medium, which can solve the problem of accurate management of data in a distributed file storage system.
In order to solve the above technical problems, in one aspect, an embodiment of the present invention provides a data management method, applied to a distributed file system, including:
Intercepting a data request issued by an upper client through an interceptor, and analyzing to obtain a data directory to be accessed corresponding to the data request;
performing authority verification on the data request according to the tag file corresponding to the data directory to be accessed to obtain a corresponding verification result, wherein a mapping relation exists between the tag file and the local data directory and comprises a verification rule of related parameters of the data request;
and responding to the data request based on the verification result.
In some embodiments, the intercepting, by an interceptor, the data request issued by the upper layer client includes:
when a data request issued by an upper client is acquired, judging whether an interception function of an interceptor of a current client interface is in an on state or not;
And if the interception function is in the on state, intercepting the data request through the interceptor so as to acquire the data request.
In some embodiments, the parsing obtains a data directory to be accessed corresponding to the data request, including:
Analyzing the data request to obtain corresponding analyzed parameters, and determining a data directory to be accessed corresponding to the data request from the analyzed parameters;
the analyzed parameters comprise an access data directory, access time, a network address of an upper client and a target operation type of the data request.
In some embodiments, the performing authority verification on the data request according to the tag file corresponding to the data directory to be accessed, before obtaining the corresponding verification result, further includes:
Acquiring an interception rule operation instruction aiming at the interceptor through a preset visual interaction interface;
Generating corresponding tag files according to the current time stamp and the interception rule operation instruction, and maintaining each tag file by using metadata service, wherein each tag file comprises a data directory, a network address, authority effective time and an operation type;
and pushing the tag file to the interceptor so as to carry out authority verification on the data request according to the tag file corresponding to the data directory to be accessed, thereby obtaining a corresponding verification result.
In some embodiments, the pushing the tag file to the interceptor includes:
and pushing the latest stored tag file to the interceptor through a metadata service when the interceptor is opened or the tag file is changed.
In some embodiments, the performing authority verification on the data request according to the tag file corresponding to the data directory to be accessed, to obtain a corresponding verification result, includes:
Determining a target tag file corresponding to the data request according to the matching condition between the data directory to be accessed and the data directory in the plurality of tag files corresponding to the interceptor;
If the access time of the data request is not in the authority effective time period in the target tag file, generating a first verification result representing verification passing aiming at the data request;
If the access time is in the authority effective time period, judging whether the client address of the data request is matched with the network address in the target tag file;
if the client address is not matched with the network address, generating a second check result for the data request, wherein the characterization check is not passed;
if the client address is matched with the network address, performing validity judgment on a target operation type corresponding to the data request according to the target tag file to obtain a corresponding judgment result;
and if the judging result shows that the target operation type is legal, generating a third check result of the characteristic check passing the data request, otherwise, generating a fourth check result of the characteristic check failing the data request.
In some embodiments, the responding to the data request based on the check result includes:
Aiming at the first check result and the third check result, performing corresponding data operation based on the data request, and responding to the data request by utilizing a corresponding operation result;
and generating prompt information representing that the data request has abnormality according to the second check result and the third check result, and responding to the data request by utilizing the prompt information.
In a second aspect, an embodiment of the present invention provides a data management apparatus, applied to a distributed file system, including:
the data request analysis module is used for intercepting a data request issued by an upper client through an interceptor and analyzing to obtain a data directory to be accessed corresponding to the data request;
the permission verification module is used for performing permission verification on the data request according to the tag file corresponding to the data directory to be accessed to obtain a corresponding verification result, wherein a mapping relationship exists between the tag file and the local data directory and comprises a verification rule of related parameters of the data request;
And the response module is used for responding to the data request based on the verification result.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the data management method as described above.
In a fourth aspect, embodiments of the present invention provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of a data management method as described above.
According to the technical scheme, in the distributed file system, the data request issued by the upper client can be intercepted through the interceptor, the data directory to be accessed corresponding to the data request is obtained through analysis, then the authority of the data request is checked according to the tag file corresponding to the data directory to be accessed, a corresponding check result is obtained, a mapping relation exists between the tag file and the local data directory and comprises a check rule of relevant parameters of the data request, and then the data request is responded based on the check result. The scheme has the effects that in the distributed file system, the data is managed by using the authority verification with finer granularity, the access control on part of the data is realized by accessing the data directory, the flexibility of data protection is improved, the authority verification can be performed by combining more data request related parameters, and the data security is further improved.
Drawings
For a clearer description of embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described, it being apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.
FIG. 1 is a flow chart of a data management method disclosed in the present application;
FIG. 2 is a flow chart of a specific data management method disclosed in the present application;
FIG. 3 is a flowchart of another specific data management method disclosed in the present application;
FIG. 4 is a flowchart of another exemplary data management method disclosed herein;
FIG. 5 is a schematic diagram of a data management device according to the present application;
Fig. 6 is a block diagram of an electronic device according to the present disclosure.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without making any inventive effort are within the scope of the present invention.
The terms "comprising" and "having" in the description of the invention and in the above-described figures, as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may include other steps or elements not expressly listed.
In order to better understand the aspects of the present invention, the present invention will be described in further detail with reference to the accompanying drawings and detailed description.
As shown in fig. 1, an embodiment of the present application discloses a data management method, which is applied to a distributed file system, and includes:
and S11, intercepting a data request issued by an upper client through an interceptor, and analyzing to obtain a data directory to be accessed corresponding to the data request.
According to the application, the interceptor can be embedded in the distributed file system to intercept the data request issued by the upper client, so that part of the data request can be filtered through the interceptor, and the execution flow of the distributed file system is not influenced. After the data request issued by the upper client is intercepted by the interceptor, the data request can be analyzed to obtain the corresponding data directory to be accessed.
In a specific embodiment, the intercepting the data request issued by the upper client through the interceptor may include determining whether an intercepting function of the interceptor of the current client interface is in an on state when the data request issued by the upper client is acquired, and if the intercepting function is in the on state, intercepting the data request through the interceptor to acquire the data request. Specifically, the interceptor in the distributed file system can be selectively opened or closed, namely, when the data request of the upper client is acquired, the state of the interceptor corresponding to the current client interface can be judged, and if the intercepting function of the interceptor is in an opened state, the interceptor can be utilized to intercept the current data request to acquire the data request.
In another embodiment, the parsing to obtain the data directory to be accessed corresponding to the data request may include parsing the data request to obtain a corresponding parsed parameter, and determining the data directory to be accessed corresponding to the data request from the parsed parameter, where the parsed parameter includes an access data directory, an access time, a network address of an upper client, and a target operation type of the data request. Specifically, after the distributed file system obtains the data request issued by the upper client through the interceptor, the data request can be parsed to parse relevant parameters, such as access data directory, access time, network address of the upper client and operation type of the data request, wherein the operation type can include any operations such as enumeration, reading, writing, deleting, etc. Further, the data directory to be accessed corresponding to the data request is determined from the analyzed parameters.
And step S12, performing authority verification on the data request according to the tag file corresponding to the data directory to be accessed to obtain a corresponding verification result, wherein a mapping relationship exists between the tag file and the local data directory and the mapping relationship comprises a verification rule of related parameters of the data request.
In the embodiment of the application, once the data directory to be accessed has been determined through the above steps, the tag file corresponding to the data request can be determined. The tag file is a preset file with a mapping relation to the local data directory and contains verification rules for the relevant parameters of the data request; it can be understood that the verification rules may include a restriction on the network address, a restriction on time and a restriction on the operation type. The tag file corresponding to the data request is looked up by the data directory to be accessed, and the validity of the data request can then be checked against the tag file to obtain the corresponding check result.
It can be understood that, in order to verify a data request using a tag file, a plurality of tag files may be preset so that the data request can be verified directly. In a specific embodiment, before performing authority verification on the data request according to the tag file corresponding to the data directory to be accessed, the method may further include: obtaining an interception rule operation instruction for the interceptor through a preset visual interaction interface; generating the corresponding tag file according to the current timestamp and the interception rule operation instruction, and maintaining each tag file with a metadata service, where each tag file includes a data directory, a network address, an authority effective time and an operation type; and pushing the tag file to the interceptor so that the data request can be verified against the tag file corresponding to the data directory to be accessed. When setting up tag files, related staff input operation instructions that configure the interception rules through the visual interaction interface; the distributed file system generates a corresponding tag file from the current timestamp and each interception rule operation instruction, and the tag file comprises a mapping relation with a data directory, a plurality of network addresses for checking the client network address, the authority effective time of the interception rule and the policy information for checking the operation type. Each tag file is maintained through the metadata service; for example, when a tag file is updated, the previously stored tag file can be replaced according to the timestamp. Further, the distributed file system can push the saved tag files to the interceptor so that the interceptor intercepts and verifies data requests based on the corresponding tag file.
In a specific embodiment, each configuration maps to a set of interception rules covering four basic dimensions: IP, data path, operation type and time. The IP is the client IP that issues the request; the operation types cover the series of operations supported by the native protocol, such as enumeration (ls), reading (cat, get, etc.), writing (put, etc.), deleting (rm) and attribute setting (chmod, setfacl, etc.); the time is the authority effective time and expiration time, and delayed effectiveness is supported. The visual interaction interface communicates with the metadata service in real time, and related personnel can submit each configuration, which is encapsulated in a data structure such as { IP: xxx, path: xxx, option: xxx, authtimes: xxx, timestamp: xxx }; that is, besides the authority effective time, the latest timestamp is included and is issued to each node of the metadata service, so that verification rules can be added in real time. On top of the former two, more convenient configuration operations are also provided, such as supporting an IP segment, supporting fuzzy (regular-expression) matching of paths, and supporting positive and negative (allow and deny) filtering of operation types.
In a specific embodiment, the metadata service maintains the verification rules submitted by related personnel from the interactive interface and at the same time acts as a bridge that communicates in real time with the upstream management page and the downstream interceptor. The metadata service can be deployed on multiple nodes in a centerless mode; the nodes communicate in real time through heartbeats and automatically wake up an interrupted service process. Each node of the metadata service can receive requests issued by the visual interface and stores the verification rules configured by the user in a configuration file on the local node for persistent maintenance; when a service node is disconnected and restarted, it automatically loads the local configuration file to obtain the current verification rules. During real-time communication, each node also determines which data is latest based on the timestamp and automatically updates the lagging nodes; the metadata service interacts with the request interceptor in real time and transmits the latest verification rules downstream.
In another specific embodiment, pushing the tag file to the interceptor may include pushing the latest currently stored tag file to the interceptor through the metadata service when the interceptor is opened or the tag file is changed. Specifically, to save resources, the distributed file system may choose to push the latest tag file to the interceptor only when the interceptor is opened or when a tag file changes (update, deletion, etc.); in this process, an out-of-date tag file is automatically replaced based on the timestamp carried by each tag file.
In yet another specific embodiment, performing authority verification on the data request according to the tag file corresponding to the data directory to be accessed to obtain a corresponding verification result may include: determining a target tag file corresponding to the data request according to the match between the data directory to be accessed and the data directories in the plurality of tag files held by the interceptor; if the access time of the data request is not in the authority effective time period of the target tag file, generating a first verification result indicating that verification is passed; if the access time is in the authority effective time period, judging whether the client address of the data request matches the network address in the target tag file; if the client address does not match the network address, generating a second verification result indicating that verification is not passed; if the client address matches the network address, judging the validity of the target operation type of the data request according to the target tag file to obtain a corresponding judgment result; and if the judgment result shows that the target operation type is legal, generating a third verification result indicating that verification is passed, otherwise generating a fourth verification result indicating that verification is not passed. Specifically, in the process of verifying the data request based on the tag file, the target tag file corresponding to the data directory to be accessed is determined first: according to the mapping relation between each tag file and a data path, the one tag file matching the data directory to be accessed is determined and marked as the target tag file.
And then, according to the limiting strategy of each parameter in the target tag file, checking the access time, the network address and the operation type of the data request respectively.
Furthermore, since the authority effective time in the tag file indicates whether the data request needs to be checked at all, if the current time does not fall in the authority effective time, the data request can be released directly and a check result indicating that the check is passed is generated. Correspondingly, if the authority effective time indicates that a check is currently needed, the upper-layer client network address of the data request is verified next; if it does not match the network addresses stored in the tag file, the client network address is illegal and a check result indicating that the check is not passed is generated. Further, if the network address passes verification, the operation type of the data request can be verified in turn, judging whether the restriction policy for that operation type in the tag file indicates permission or prohibition.
In a specific embodiment, as shown in fig. 2, a user configures a verification rule through a visual interface, the configured verification rule is subjected to persistence through metadata service, namely, the verification rule is converted into a tag file by combining with a timestamp, each tag file is maintained, the tag file is pushed to a request interceptor when required subsequently, so that the interceptor can verify data requests issued by different clients, the legal requests after the verification pass can be processed continuously, and a distributed file system server can respond to the corresponding legal data requests by combining with data storage.
And step S13, responding to the data request based on the verification result.
In the embodiment of the application, the data request can be intercepted by the interceptor through the above steps and its validity checked against the tag file to obtain the corresponding check result; whether the data request is executed can then be determined from the check result. In a specific embodiment, responding to the data request based on the verification result may include: for the first verification result and the third verification result, performing the corresponding data operation based on the data request and responding to the data request with the corresponding operation result; and for the second verification result and the third verification result, generating prompt information indicating that an abnormality exists in the data request and responding to the data request with the prompt information. That is, if the check result indicates that the check is passed, the data request is legal and is executed; correspondingly, if the check result is the second or the third check result, characterized as not passing the check, the data request is illegal and need not be executed, prompt information indicating that the data request is abnormal can be generated, and the prompt information is used to respond to the data request.
In another specific embodiment, as shown in fig. 3, the server side of the distributed file system may embed the interceptor as a code segment: the interceptor's code module is introduced before the processing of each interface that handles the original data requests initiated by the client, and a new configuration item globally switches the interceptor; if the interceptor is closed, the execution flow automatically skips the interceptor's code module. It can be understood that the interceptor needs to parse the client's data request and verify the parsed parameters, namely the client IP, the operation field, the authority effective time and the data directory path; a request that fails verification is returned by reporting an exception, and a request that passes continues to be executed. It should be noted that the interceptor acquires the interception policy (i.e., the tag file containing the interception rules) through proactive pushing by the metadata service. Meanwhile, to avoid the extra performance loss of frequent interaction, the push is triggered only when the service is started for the first time or the interception policy changes, and the interceptor keeps the data in a variable of the distributed file system service process for verification and judgment.
Therefore, in the distributed file system, the data is managed by using the finer-granularity authority verification, the data directory is accessed to realize more accurate access control on part of the data, the flexibility of data protection is improved, the authority verification can be performed by combining more data request related parameters, the damage of some unknown businesses to important data can be prevented, the access behavior of general data is not influenced, the data security is further improved, and the operation cost of operation and maintenance personnel is also reduced by visual configuration.
As shown in fig. 4, an embodiment of the present application discloses a data management method, which specifically includes:
In this embodiment, the upper-layer client service may issue a data request to an HDFS (distributed file system). The data request is acquired by an interceptor, which parses the necessary parameters from it, including the directory to be accessed, the current access time, the source IP of the upper-layer service and the operation type, and at the same time obtains the corresponding tag file according to the directory path the data request wants to access. The tag file is a data structure formed when a user configures the visual page; it has a logical mapping relationship with a data directory and is actually stored in the metadata service module as metadata. In a specific embodiment, the tag data structure is exemplified by a directory path such as /xxx/dir 1, an IP or IP segment such as xx.xx.xx.xx.xx, an IP permission policy, an operation type such as read/write, an operation permission policy, and a permission time such as an effective time and an expiration time; a directory can bind a plurality of tags that do not conflict with each other. It will be appreciated that the client may configure the permissions for each data directory at the front end, forming a data structure for metadata storage that includes the path of the directory, the IP or IP segment (including whether the matching policy is enabled or disabled, i.e., black and white list), the type of operation (including whether the matching policy is enabled or disabled), the permission effective time and expiration time, etc.
Further, after the related data of the tag file is obtained, permission verification can be carried out against the parameters of the upper-layer data request. In the verification process, whether the current time falls within the permission effective time in the tag is compared first; if the effective time has not yet started or has already expired, the data request is released directly and access is allowed. If the current time is within the permission effective time of the directory, the IP source of the data request is verified against the IP configuration in the tag file; if the IP check passes, the operation type is checked, and if that also passes, the permission check is complete and access is allowed. If either check does not pass, an exception is returned to the client.
Therefore, the method and the device are mainly applied to protecting data in a distributed file system at finer granularity. Data requests from a client can be intercepted by the interceptor arranged in the distributed file system to filter out illegal services, the filtering criteria being the IP of the requesting end, the accessed data directory path and the operation type. Combined with a non-centralized metadata service, the interceptor can be deployed at each node in cluster mode; the metadata service maintains the access-restriction rules that the relevant personnel configure for data requests and synchronizes the rules to the request interceptor, which intercepts request access according to these rules.
As shown in fig. 5, an embodiment of the present application discloses a data management device, which is applied to a distributed file system, and includes:
the data request analysis module 11 is configured to intercept, by using an interceptor, a data request issued by an upper client, and analyze the data request to obtain a data directory to be accessed corresponding to the data request;
The permission verification module 12 is used for performing permission verification on the data request according to the tag file corresponding to the data directory to be accessed to obtain a corresponding verification result, wherein a mapping relationship exists between the tag file and the local data directory and comprises a verification rule of relevant parameters of the data request;
And the response module 13 is used for responding to the data request based on the verification result.
Therefore, in the distributed file system, data is managed with finer-grained permission verification: access control is applied at the level of the data directory, giving more precise control over part of the data and improving the flexibility of data protection, and permission verification can combine more parameters related to the data request, so that data security is further improved.
In a specific embodiment, the data request parsing module 11 may include:
The interception function judging unit is used for judging whether the interception function of the interceptor of the current client interface is in an on state or not when the data request issued by the upper client is acquired;
And the data request interception unit is used for intercepting the data request through the interceptor when the interception function is in the starting state so as to acquire the data request.
In another specific embodiment, the data request parsing module 11 may include:
the data request analysis unit is used for analyzing the data request to obtain corresponding analyzed parameters, and determining a data directory to be accessed corresponding to the data request from the analyzed parameters;
the analyzed parameters comprise an access data directory, access time, a network address of an upper client and a target operation type of the data request.
In a specific embodiment, the apparatus may further include:
The instruction acquisition module is used for acquiring an interception rule operation instruction aiming at the interceptor through a preset visual interaction interface;
The tag file maintenance module is used for generating corresponding tag files according to the current timestamp and the interception rule operation instruction and maintaining each tag file using the metadata service, where the tag file contains a data directory, a network address, a permission effective time and an operation type;
And the tag file pushing module is used for pushing the tag file to the interceptor so as to carry out authority verification on the data request according to the tag file corresponding to the data directory to be accessed, and a corresponding verification result is obtained.
In another specific embodiment, the tag file pushing module may include:
and the tag file pushing unit is used for pushing the latest tag file stored currently to the interceptor through the metadata service when the interceptor is started or the tag file is changed.
In a specific embodiment, the rights verification module 12 may include:
The tag file determining unit is used for determining a target tag file corresponding to the data request according to the matching condition between the data directory to be accessed and the data directory in the plurality of tag files corresponding to the interceptor;
The time verification unit is used for generating a first verification result representing verification passing aiming at the data request when the access time of the data request is not in the authority effective time period in the target tag file;
the time checking unit is used for judging whether the client address of the data request is matched with the network address in the target tag file or not when the access time is in the authority effective time period;
An address verification unit, configured to generate a second verification result that indicates that verification is not passed for the data request when the client address does not match the network address;
An operation type checking unit, configured to perform validity judgment on a target operation type corresponding to the data request according to the target tag file when the client address is matched with the network address, so as to obtain a corresponding judgment result;
and the check result generating unit is used for generating a third check result for representing that the check is passed for the data request when the judging result represents that the target operation type is legal, and generating a fourth check result for representing that the check is not passed for the data request otherwise.
In a specific embodiment, the response module 13 may include:
the first response unit is used for carrying out the corresponding data operation on the basis of the data request for the first check result and the third check result, and responding to the data request with the corresponding operation result;
The second response unit is used for generating prompt information indicating that the data request is abnormal for the second check result and the third check result, and responding to the data request with the prompt information.
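The verification flow described in the method embodiment above (parse the request, select the tag bound to the accessed directory, then check the time window, the source address and the operation type in that order, yielding the first to fourth check results) and the unit-by-unit behaviour of the permission verification module 12 and the response module 13 are brought together in the following worked example. It is an added illustration written for this page, not code from the patent or from any HDFS implementation; the `Tag` and `DataRequest` structures, the allow/deny policy flags, the longest-prefix directory match, the one-tag-per-match simplification and the sample rule are all assumptions made here.

```python
"""Added example: tag-based permission check of a distributed file system
request, modelled on the flow described in the text. All structures,
policy flags and sample rules below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
import posixpath


@dataclass(frozen=True)
class Tag:
    """Stand-in for one tag file: a rule bound to a data directory."""
    directory: str            # directory the rule is bound to
    networks: tuple           # IPs or IP segments in CIDR form
    ip_policy: str            # "allow" = whitelist, "deny" = blacklist
    operations: frozenset     # operation types the op_policy refers to
    op_policy: str            # "allow" = only these ops, "deny" = all but these
    effective_from: datetime  # start of the permission effective period
    expires_at: datetime      # end (exclusive) of the permission effective period


@dataclass(frozen=True)
class DataRequest:
    """Parameters an interceptor would parse out of an upper-layer request."""
    path: str
    client_ip: str
    operation: str
    access_time: datetime


# Verdicts named after the four check results in the text, plus two
# pass-through cases (no tag bound, interceptor switched off).
FIRST_RESULT = "pass: outside permission effective period"
SECOND_RESULT = "fail: client address rejected"
THIRD_RESULT = "pass: address and operation type permitted"
FOURTH_RESULT = "fail: operation type not permitted"
NO_TAG = "pass: no tag bound to directory"
SKIPPED = "pass: interceptor disabled"


def _covers(directory: str, path: str) -> bool:
    """True when `path` is `directory` itself or lies beneath it."""
    d = posixpath.normpath(directory)
    p = posixpath.normpath(path)
    return p == d or p.startswith(d.rstrip("/") + "/")


class Interceptor:
    def __init__(self, tags=(), enabled=True):
        self.enabled = enabled   # the global on/off configuration item
        self.tags = list(tags)   # process-local copy of the pushed tag files

    def push_tags(self, tags):
        """Replace the stored rules; the metadata service would call this on
        start-up and whenever a tag file changes."""
        self.tags = list(tags)

    def find_tag(self, path):
        """Pick the tag whose directory most specifically covers `path`
        (assumption: one tag per directory; the longest prefix wins)."""
        matches = [t for t in self.tags if _covers(t.directory, path)]
        if not matches:
            return None
        return max(matches, key=lambda t: len(posixpath.normpath(t.directory)))

    def check(self, req: DataRequest) -> str:
        if not self.enabled:
            return SKIPPED
        tag = self.find_tag(req.path)
        if tag is None:
            return NO_TAG
        # 1. time window: outside the effective period the request is released
        if not (tag.effective_from <= req.access_time < tag.expires_at):
            return FIRST_RESULT
        # 2. source address against the IP rule and its allow/deny policy
        ip = ip_address(req.client_ip)
        ip_hit = any(ip in ip_network(n, strict=False) for n in tag.networks)
        if ip_hit != (tag.ip_policy == "allow"):
            return SECOND_RESULT
        # 3. operation type against the operation rule and its policy
        op_hit = req.operation in tag.operations
        if op_hit != (tag.op_policy == "allow"):
            return FOURTH_RESULT
        return THIRD_RESULT

    def respond(self, req: DataRequest) -> dict:
        """Response module: passing results proceed to the data operation,
        failing ones are answered with an exception message."""
        verdict = self.check(req)
        status = "ok" if verdict.startswith("pass") else "exception"
        return {"status": status, "verdict": verdict}


# Constructed sample rule: /data/finance may be reached only from 10.0.0.0/24,
# writes there are forbidden, and the rule is in force during 2025.
SAMPLE_TAGS = (
    Tag("/data/finance", ("10.0.0.0/24",), "allow", frozenset({"write"}), "deny",
        datetime(2025, 1, 1), datetime(2026, 1, 1)),
)
INTERCEPTOR = Interceptor(SAMPLE_TAGS)
WHEN_IN_WINDOW = datetime(2025, 6, 1, 12, 0)   # constructed access times
WHEN_OUTSIDE = datetime(2026, 3, 1, 9, 0)


def evaluate(path, client_ip, operation, when, interceptor=INTERCEPTOR):
    """Run one constructed request through the interceptor."""
    return interceptor.check(DataRequest(path, client_ip, operation, when))


if __name__ == "__main__":
    for args in (("/data/finance/q2.csv", "10.0.0.5", "read", WHEN_IN_WINDOW),
                 ("/data/finance/q2.csv", "10.0.0.5", "write", WHEN_IN_WINDOW),
                 ("/data/finance/q2.csv", "192.168.1.9", "read", WHEN_IN_WINDOW),
                 ("/data/finance/q2.csv", "192.168.1.9", "read", WHEN_OUTSIDE),
                 ("/public/readme.txt", "192.168.1.9", "write", WHEN_IN_WINDOW)):
        print(*args[:3], "->", evaluate(*args))
```

The order of the checks matters: because an expired or not-yet-effective tag releases the request unconditionally (the first check result), a rule whose time window has lapsed silently stops protecting the directory, which is why the example keeps the window as the first comparison exactly as the text does, so that an operator reviewing a verdict can see which step produced it.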
Further, the embodiment of the present application further discloses an electronic device, and fig. 6 is a block diagram of an electronic device according to an exemplary embodiment, where the content of the diagram is not to be considered as any limitation on the scope of use of the present application. The electronic device may comprise, in particular, at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input-output interface 25 and a communication bus 26. Wherein the memory 22 is configured to store a computer program that is loaded and executed by the processor 21 to implement the relevant steps of the data management method disclosed in any of the foregoing embodiments. In addition, the electronic device in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide working voltages for each hardware device on the electronic device, the communication interface 24 is configured to create a data transmission channel with an external device for the electronic device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein, and the input/output interface 25 is configured to obtain external input data or output data to the outside, where the specific interface type may be selected according to the needs of the specific application, which is not specifically limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling the various hardware devices on the electronic device and the computer program 222, and may be Windows Server, NetWare, Unix, Linux, etc. In addition to the computer program that performs the data management method disclosed in any of the previous embodiments, the computer program 222 may further include computer programs for performing other specific tasks.
Further, the application also discloses a computer readable storage medium for storing a computer program, wherein the computer program realizes the data management method disclosed in the previous description when being executed by a processor. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
Further, the application also discloses a computer program product comprising a computer program/instruction which, when executed by a processor, implements the data management method disclosed above.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The foregoing has illustrated the principles and embodiments of the present application with specific examples intended to assist understanding, and is in no way limiting; those of ordinary skill in the art will, in light of the above teachings, appreciate that the principles and embodiments of the present application may be varied.

Claims (10)

1. A data management method, characterized in that it is applied to a distributed file system and comprises:
intercepting, by an interceptor, a data request sent by an upper-layer client, and parsing the data request to obtain the data directory to be accessed corresponding to the data request;
performing permission verification on the data request according to the tag file corresponding to the data directory to be accessed, and obtaining a corresponding verification result, wherein a mapping relationship exists between the tag file and the local data directory, and the tag file contains verification rules for relevant parameters of the data request;
responding to the data request based on the verification result.

2. The data management method according to claim 1, characterized in that the intercepting, by an interceptor, of the data request sent by the upper-layer client comprises:
when the data request sent by the upper-layer client is obtained, determining whether the interception function of the interceptor of the current client interface is in an on state;
if the interception function is in the on state, intercepting the data request by the interceptor so as to obtain the data request.

3. The data management method according to claim 1, characterized in that the parsing to obtain the data directory to be accessed corresponding to the data request comprises:
parsing the data request to obtain corresponding parsed parameters, and determining the data directory to be accessed corresponding to the data request from the parsed parameters;
wherein the parsed parameters include the access data directory, the access time, the network address of the upper-layer client, and the target operation type of the data request.

4. The data management method according to claim 1, characterized in that, before performing permission verification on the data request according to the tag file corresponding to the data directory to be accessed and obtaining the corresponding verification result, the method further comprises:
obtaining an interception rule operation instruction for the interceptor through a preset visual interactive interface;
generating a corresponding tag file according to the current timestamp and the interception rule operation instruction, and maintaining each tag file using a metadata service, wherein the tag file contains a data directory, a network address, a permission effective time and an operation type;
pushing the tag file to the interceptor so as to perform permission verification on the data request according to the tag file corresponding to the data directory to be accessed and obtain a corresponding verification result.

5. The data management method according to claim 4, characterized in that the pushing of the tag file to the interceptor comprises:
when the interceptor is turned on or the tag file changes, pushing the latest tag file currently stored to the interceptor through the metadata service.

6. The data management method according to any one of claims 1 to 5, characterized in that the performing of permission verification on the data request according to the tag file corresponding to the data directory to be accessed to obtain a corresponding verification result comprises:
determining the target tag file corresponding to the data request according to the matching between the data directory to be accessed and the data directories in the several tag files corresponding to the interceptor;
if the access time of the data request is not within the permission effective time period in the target tag file, generating a first verification result indicating that verification has passed for the data request;
if the access time is within the permission effective time period, determining whether the client address of the data request matches the network address in the target tag file;
if the client address does not match the network address, generating a second verification result indicating that verification has failed for the data request;
if the client address matches the network address, judging the legality of the target operation type corresponding to the data request according to the target tag file to obtain a corresponding judgment result;
if the judgment result indicates that the target operation type is legal, generating a third verification result indicating that verification has passed for the data request; otherwise, generating a fourth verification result indicating that verification has failed for the data request.

7. The data management method according to claim 6, characterized in that responding to the data request based on the verification result comprises:
for the first verification result and the third verification result, performing the corresponding data operation based on the data request, and responding to the data request with the corresponding operation result;
for the second verification result and the third verification result, generating prompt information indicating that an abnormality exists in the data request, and responding to the data request with the prompt information.

8. A data management device, characterized in that it is applied to a distributed file system and comprises:
a data request parsing module, configured to intercept, by an interceptor, a data request sent by an upper-layer client, and to parse the data request to obtain the data directory to be accessed corresponding to the data request;
a permission verification module, configured to perform permission verification on the data request according to the tag file corresponding to the data directory to be accessed and obtain a corresponding verification result, wherein a mapping relationship exists between the tag file and the local data directory, and the tag file contains verification rules for relevant parameters of the data request;
a response module, configured to respond to the data request based on the verification result.

9. An electronic device, characterized in that it comprises:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the data management method according to any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the data management method according to any one of claims 1 to 7 are implemented.
CN202510396833.2A 2025-03-31 2025-03-31 Data management method, device, equipment and storage medium Pending CN120216477A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510396833.2A CN120216477A (en) 2025-03-31 2025-03-31 Data management method, device, equipment and storage medium


Publications (1)

Publication Number Publication Date
CN120216477A true CN120216477A (en) 2025-06-27

Family

ID=96102558

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510396833.2A Pending CN120216477A (en) 2025-03-31 2025-03-31 Data management method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN120216477A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination