
CN114692126A - Big data unified authorization access method, device, electronic equipment and medium - Google Patents


Info

Publication number
CN114692126A
Authority
CN
China
Prior art keywords
access
user
data
authority
resource
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210324345.7A
Other languages
Chinese (zh)
Inventor
李林
胡泉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Liaoning Huadun Safety Technology Co ltd
Original Assignee
Liaoning Huadun Safety Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Liaoning Huadun Safety Technology Co ltd
Priority to CN202210324345.7A
Publication of CN114692126A
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of big data and discloses a big data unified authorization access method, including: acquiring big data resources and component categories and creating the resource authority range of each component; determining each user group and user and their access authority within the resource authority range; constructing an access decision tree according to the access authority; according to an access request, using the access decision tree to authenticate (鉴权 in the original, i.e. to check the authorization of) the access authority of the accessing user and obtain an authentication result; judging whether the authentication result is passed; if the authentication result is passed, allowing the accessing user to access; and if the authentication result is not passed, denying the accessing user access. The invention also proposes a big data unified authorization access device, an electronic device and a computer-readable storage medium. The invention can solve the problems of a cumbersome authentication process and poor access control when a user logs in to a big data cluster.

Description

Big data unified authorization access method, device, electronic equipment and medium
Technical Field
The invention relates to the technical field of big data, in particular to a method and a device for unified authorized access of big data, electronic equipment and a computer readable storage medium.
Background
The main functions of the big data cluster are to store mass data and calculate the big data, and the big data cluster gradually becomes a new generation of information technology tool by the correlation analysis capability of the big data cluster in the mass data.
The data security problem of current big data clusters is especially prominent. Operations on the cluster can only be carried out after logging in to a Linux machine, and at present authentication is mainly provided by the Kerberos protocol acting as an independent third party. However, Kerberos issues temporary tickets, so a user has to re-authenticate when logging in again, and it only controls whether a principal can reach a service as a whole; it cannot provide finer-grained access control over the resources and operations inside that service. The result is a cumbersome authentication process and poor access control when a user logs in to the big data cluster.
Disclosure of Invention
The invention provides a method and a device for uniformly authorizing access to big data and a computer readable storage medium, and mainly aims to solve the problems of complicated authentication process and poor access control effect when a user logs in a big data cluster.
In order to achieve the above object, the present invention provides a big data unified authorization access method, which includes:
acquiring big data resources and component categories, and creating each component in the component categories and a resource authority range in the big data resources;
acquiring a user group set, determining each user group and user in the user group set, determining access rights in the resource right ranges corresponding to different components, and constructing an access decision tree according to the access rights;
receiving an access request of an access user, and authenticating the access authority of the access user by using the access decision tree according to the access request to obtain an authentication result;
judging whether the authentication result is passed;
if the authentication result is passed, allowing the access user to access;
and if the authentication result is not passed, denying the access user access.
Optionally, the creating of each component in the component category, the resource authority range in the big data resource, includes:
acquiring a data processing structure and a data processing function of each component in the component category;
determining the service resource range of each component in the component category according to the data processing structure;
determining the data processing authority of each component in the component category according to the data processing function;
and constructing the resource authority range of each component in the component category according to the service resource range and the data processing authority.
Optionally, the determining the access right of each user group and the user in the resource right range corresponding to different components in the user group set includes:
giving the user group set user group authority of each user group;
determining the access authority of each user group in the resource authority range corresponding to the different components according to the user group authority;
giving each user right of each user in each user group;
and determining the access authority of each user in the resource authority range corresponding to the different components according to the user authority.
Optionally, the constructing an access decision tree according to the access authority includes:
within the resource authority range, dividing the data into different resource item data according to the classification of the data;
determining the allowed-access user groups and the denied-access user groups of the resource item data according to the access authority of the user groups;
determining, according to the access authority of the users, the users within a denied-access user group who are nevertheless allowed access, to obtain the deny-exception users;
determining, according to the access authority of the users, the users within an allowed-access user group who are nevertheless denied access, to obtain the allow-exception users;
and constructing the access decision tree in descending order of priority: deny-exception users, denied-access user groups, allow-exception users, allowed-access user groups.
Optionally, the receiving an access request of an access user includes:
constructing an application program for accessing the resource item data;
constructing a data access authority system according to the resource authority ranges of the different components;
calling a data access interface of the data access authority system from the application program to obtain a data access channel;
and submitting the access request to the data access authority system through the application program and the data access channel, so that the access request is received.
Optionally, the authenticating the access authority of the access user by using the access decision tree according to the access request to obtain an authentication result includes:
determining the target resource item data according to the access request;
extracting the deny-exception users, denied-access user groups, allow-exception users and allowed-access user groups of the target resource item data;
judging whether the user group to which the access user belongs is among the denied-access user groups of the target resource item data;
if so, judging whether the access user is a deny-exception user of the target resource item data;
if the access user is not a deny-exception user, the authentication result is not passed;
if the access user is a deny-exception user, or the access user's user group is not among the denied-access user groups, judging whether the access user belongs to an allowed-access user group of the target resource item data;
if the access user does not belong to an allowed-access user group, the authentication result is not passed;
if the access user belongs to an allowed-access user group, judging whether the access user is an allow-exception user of the target resource item data;
if the access user is an allow-exception user, the authentication result is not passed;
and if the access user is not an allow-exception user, the authentication result is passed.
Optionally, after the access decision tree is used to authenticate the access authority of the access user according to the access request and an authentication result is obtained, the method further includes:
creating an access time stamp according to the receiving time of the access request;
and constructing an access log according to the access time stamp, the access user of the access request and the target resource item data.
In order to solve the above problem, the present invention further provides a big data unified authorization access device, where the device includes:
the component resource authority range creating module is used for acquiring big data resources and component types, creating each component in the component types and creating a resource authority range in the big data resources;
the access decision tree building module is used for acquiring a user group set, determining each user group and user in the user group set, building access decision trees according to the access permissions in the resource permission ranges corresponding to different components;
the access authority authentication module is used for receiving an access request of an access user, authenticating the access authority of the access user by using the access decision tree according to the access request to obtain an authentication result, and judging whether the authentication result is passed; if the authentication result is passed, the access user is allowed to access; and if the authentication result is not passed, the access user is denied access.
In order to solve the above problem, the present invention also provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform a big data unified grant access method as claimed in any one of claims 1 to 7.
In order to solve the above problem, the present invention further provides a computer-readable storage medium, which stores at least one instruction, where the at least one instruction is executed by a processor in an electronic device to implement the big data unified authorization access method described above.
Compared with the background art: the Kerberos authentication protocol uses temporary tickets, so the user must authenticate again when logging in again, and it can only control access to a service as a whole and cannot realize finer-grained access authority control, which makes the authentication process cumbersome and access control ineffective when the user logs in to a big data cluster. The big data unified authorization access method, device, electronic equipment and computer readable storage medium of the invention can therefore solve the problems of a cumbersome authentication process and poor access control when a user logs in to a big data cluster.
Drawings
Fig. 1 is a schematic flowchart of a big data unified authorization access method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart showing a detailed implementation of one of the steps in FIG. 1;
FIG. 3 is a schematic flow chart showing another step of FIG. 1;
FIG. 4 is a functional block diagram of a big data unified authorization access device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device for implementing the big data unified authorization access method according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The embodiment of the application provides a big data unified authorization access method. The execution subject of the big data unified authorization access method includes, but is not limited to, at least one of electronic devices such as a server and a terminal that can be configured to execute the method provided by the embodiments of the present application. In other words, the big data unified authorization access method may be performed by software or hardware installed in the terminal device or the server device, and the software may be a blockchain platform. The server includes but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like.
Referring to fig. 1, a schematic flow chart of a big data unified authorization access method according to an embodiment of the present invention is shown. In this embodiment, the method for accessing big data by unified authorization includes:
s1, acquiring big data resources and component types, and creating each component in the component types and the resource authority range in the big data resources.
Illustratively, the big data resource refers to a data resource for computation in a big data cluster. The component categories refer to the major components that support the company technology stack, such as: HDFS, HBASE, HIVE, YARN, STORM, and KAFKA.
It should be understood that the resource authority range refers to the service resource range and the data processing authority of each component in the component category, for example: the service resource range of HDFS is FilePath; the service resource range of HBASE is Table, Column-family and Column; the service resource range of HIVE is Database, Table and Column; the service resource range of YARN is Queue; the service resource range of STORM is Topology; the service resource range of KAFKA is Topic.
The data processing authority refers to the data operation authority of each component, such as: the data processing authority of the HDFS is Read, Write and Execute; the data processing authority of HBASE is Read, Write, Create and Admin; the data processing authority of HIVE is Select, Create, Update, Drop, Alter, Index, Lock, Read, Write and All; the data processing authority of YARN is Submit-app and Admin-queue.
In detail, referring to fig. 2, the creating of the resource right range of each component in the component category in the big data resource includes:
s11, acquiring the data processing structure and the data processing function of each component in the component category;
s12, determining the service resource range of each component in the component category according to the data processing structure;
s13, determining the data processing authority of each component in the component category according to the data processing function;
s14, according to the service resource range and the data processing authority, establishing the resource authority range of each component in the component category.
By way of explanation, the data processing structure refers to the structural features of the component, for example: HBASE is the Hadoop database, a sparse, distributed, persistent multidimensional sorted map that is indexed by row key, column key and timestamp. The data processing function refers to the functional features of the component, for example: HBASE is a platform that can store and retrieve data by random access, is not limited by the type of the stored data, allows a dynamic and flexible data model, does not use SQL, does not emphasize relationships between data, runs on a server cluster and can be scaled out horizontally accordingly.
S2, obtaining a user group set, determining each user group and user in the user group set, establishing access authority in the resource authority range corresponding to different components, and constructing an access decision tree according to the access authority.
Understandably, the user group set refers to a set composed of different user groups. The user Group may be denoted as Group, which denotes the user Group to which the user belongs. The User may be denoted User, which denotes a User accessing a data resource.
Illustratively, the access rights may be expressed as an allowACL, which describes allowing access by a user or user group, and a denyACL, which describes denying access by a user or user group, similar to a whitelist/blacklist mechanism.
In detail, as shown in fig. 3, the determining the access right of each user group and the user in the resource right range corresponding to different components in the user group set includes:
s21, giving the user group set and the user group authority of each user group;
s22, determining the access authority of each user group in the resource authority range corresponding to the different components according to the user group authority;
s23, giving the user right of each user in each user group;
s24, determining the access authority of each user in the resource authority range corresponding to the different components according to the user authority;
In the embodiment of the present invention, the constructing an access decision tree according to the access authority includes:
within the resource authority range, dividing the data into different resource item data according to the classification of the data;
determining the allowed-access user groups and the denied-access user groups of the resource item data according to the access authority of the user groups;
determining, according to the access authority of the users, the users within a denied-access user group who are nevertheless allowed access, to obtain the deny-exception users;
determining, according to the access authority of the users, the users within an allowed-access user group who are nevertheless denied access, to obtain the allow-exception users;
and constructing the access decision tree in descending order of priority: deny-exception users, denied-access user groups, allow-exception users, allowed-access user groups.
By way of explanation, the resource item data refers to the different categories of data within the resource authority range, for example: columns for HIVE, directories for HDFS, columns for HBASE, queues for YARN, topologies for STORM, topics for KAFKA, and so on.
It should be understood that the allowed-access user set may be denoted AllowAccessItem and the denied-access user set DenyAccessItem. The deny-exception users may be denoted DenyExceptionAccessItem, and the allow-exception users AllowExceptionAccessItem.
It can be understood that, in order to distinguish the access rights of users from those of user groups, the allowACL and the denyACL each correspond to a pair of access items. For example, under the allowACL, when some resource item data is to be granted to user group Group1 but User1 within Group1 is not to be granted, an access item containing Group1 is added to the AllowAccessItem and, at the same time, an access item containing User1 is added to the AllowExceptionAccessItem.
It should be understood that the priority order of the deny-exception users, the denied-access user groups, the allow-exception users and the allowed-access user groups is: deny-exception users > denied-access user groups > allow-exception users > allowed-access user groups, that is, DenyExceptionAccessItem > DenyAccessItem > AllowExceptionAccessItem > AllowAccessItem.
S3, receiving an access request of an access user, and authenticating the access authority of the access user by using the access decision tree according to the access request to obtain an authentication result.
That is, the access decision tree is the decision tree constructed in descending order of priority: deny-exception users, denied-access user groups, allow-exception users, allowed-access user groups.
In this embodiment of the present invention, the receiving an access request of an access user includes:
constructing an application program for accessing the resource item data;
constructing a data access authority system according to the resource authority ranges of the different components;
calling a data access interface of the data access authority system from the application program to obtain a data access channel;
and submitting the access request to the data access authority system through the application program and the data access channel, so that the access request is received.
Specifically, the data access authority system refers to a Ranger architecture comprising RangerAdmin, AgentPlugin and UserSync. RangerAdmin provides a RESTful interface for creating, deleting, modifying and querying the policies over the big data resources, with a built-in Web management page. AgentPlugin is a family of plug-ins embedded in the execution flow of each component; a plug-in periodically pulls policies from RangerAdmin, evaluates the access decision tree according to those policies, and records access audits. UserSync periodically loads users from LDAP/Unix/File and reports them to RangerAdmin; UserSync can be built on the SDK (Software Development Kit) interface.
The plug-in actively pulls policies from RangerAdmin. When a policy changes, the new policy is pulled and loaded into the authentication engine in the in-memory database, and at the same time a backup file is saved locally; if RangerAdmin goes down, authentication continues from the local backup. If the service is deleted in RangerAdmin, the plug-in can no longer authenticate.
It should be understood that the rights management flow of the data access authority system is: RangerAdmin creates a Service; RangerAdmin creates a Policy; the component pulls the policy; the component authenticates the user's access request; the component records an audit log; and the audit log is viewed.
Understandably, the installation node of the HDFS component is the NameNode; the installation node of HBASE is the Master and the Region Server; the installation node of HIVE is HiveServer2; the installation node of YARN is the Resource Manager.
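The pull-and-cache behaviour described above, as an added example that is not the patent's or Apache Ranger's code: a plug-in side policy cache that pulls from the admin service, keeps the last good copy on local disk, keeps authorizing from that copy while the admin is unreachable, and fails closed once the service has been deleted or no copy was ever obtained. FakeAdmin, PolicyCache, ServiceDeleted and run_scenario are this example's own names; the admin endpoint is simulated in-process.

```python
"""Plug-in side policy cache: periodic pull, local backup, fail closed (added example)."""
import json
import os
import tempfile


class ServiceDeleted(Exception):
    """The admin reports that the service (and its policies) no longer exists."""


class FakeAdmin:
    """Constructed stand-in for the admin's policy pull endpoint (not a real API)."""

    def __init__(self):
        self.version, self.policies, self.reachable, self.deleted = 1, [{"id": 1}], True, False

    def pull(self, known_version):
        if not self.reachable:
            raise ConnectionError("admin unreachable")
        if self.deleted:
            raise ServiceDeleted("service removed")
        if known_version == self.version:
            return None                       # nothing changed since the plug-in's copy
        return {"version": self.version, "policies": list(self.policies)}


class PolicyCache:
    def __init__(self, admin, backup_path):
        self.admin, self.backup_path, self.snapshot = admin, backup_path, None
        if os.path.exists(backup_path):       # restart: start from the local backup
            with open(backup_path) as f:
                self.snapshot = json.load(f)

    def has_policy(self):
        return self.snapshot is not None

    def policies(self):
        if self.snapshot is None:
            raise RuntimeError("no policy available: failing closed")
        return self.snapshot["policies"]

    def refresh(self):
        known = self.snapshot["version"] if self.snapshot else None
        try:
            fresh = self.admin.pull(known)
        except ConnectionError:
            return "admin-unreachable/using-backup" if self.snapshot else "admin-unreachable/no-policy"
        except ServiceDeleted:
            self.snapshot = None
            if os.path.exists(self.backup_path):
                os.remove(self.backup_path)   # never keep authorizing from a removed service's rules
            return "service-deleted"
        if fresh is None:
            return "unchanged"
        tmp = self.backup_path + ".tmp"       # write-then-rename so a crash never leaves a torn backup
        with open(tmp, "w") as f:
            json.dump(fresh, f)
        os.replace(tmp, self.backup_path)
        self.snapshot = fresh
        return "updated"


def run_scenario():
    """Drive the cache through the situations the text names; returns (status, state) pairs."""
    out = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "policies.json")
        admin = FakeAdmin()
        cache = PolicyCache(admin, path)
        out.append((cache.refresh(), cache.has_policy()))            # first pull
        admin.reachable = False
        out.append((cache.refresh(), cache.has_policy()))            # admin down, backup serves
        cache = PolicyCache(admin, path)                             # plug-in restart while admin is down
        out.append((cache.refresh(), cache.has_policy()))
        admin.reachable, admin.version, admin.policies = True, 2, [{"id": 1}, {"id": 2}]
        out.append((cache.refresh(), len(cache.policies())))         # new version pulled
        out.append((cache.refresh(), cache.has_policy()))            # nothing changed
        admin.deleted = True
        out.append((cache.refresh(), cache.has_policy()))            # service gone: fail closed
    return out


if __name__ == "__main__":
    for status, state in run_scenario():
        print(status, state)
```

The write-then-rename of the backup matters in practice: a plug-in that restarts while the admin is unreachable can only fail safe if the file it reads is the complete last good copy, never a half-written one.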
In the embodiment of the present invention, the authenticating the access authority of the access user by using the access decision tree according to the access request to obtain an authentication result includes:
determining the target resource item data according to the access request;
extracting the deny-exception users, denied-access user groups, allow-exception users and allowed-access user groups of the target resource item data;
judging whether the user group to which the access user belongs is among the denied-access user groups of the target resource item data;
if so, judging whether the access user is a deny-exception user of the target resource item data;
if the access user is not a deny-exception user, the authentication result is not passed;
if the access user is a deny-exception user, or the access user's user group is not among the denied-access user groups, judging whether the access user belongs to an allowed-access user group of the target resource item data;
if the access user does not belong to an allowed-access user group, the authentication result is not passed;
if the access user belongs to an allowed-access user group, judging whether the access user is an allow-exception user of the target resource item data;
if the access user is an allow-exception user, the authentication result is not passed;
and if the access user is not an allow-exception user, the authentication result is passed.
If the access decision tree yields no decision for the user or user group, the default is that the user has no access; the decision may alternatively be delegated to the component's own access control layer, for example the ACL of HDFS.
It can be understood that the hook-in is achieved by reading the configuration file generated when a component is installed and the jar package shipped with the component, and calling each component service in hook mode. When enable xxx plugin is executed while the service component is being installed: the plug-in's conf is merged into the conf of the installed service; the plug-in's lib is merged into the service lib; and an xml file is generated by install.
In this embodiment of the present invention, after the access decision tree is used to authenticate the access authority of the access user according to the access request and an authentication result is obtained, the method further includes:
creating an access time stamp according to the receiving time of the access request;
and constructing an audit log according to the access time stamp, the access user of the access request and the target resource item data.
Through the audit log one can readily look up which user submitted which task on which machine, which makes problems easy to trace and report.
S4, judging whether the authentication result is passed or not.
If the authentication result is pass, executing S5 and allowing the access user to access;
and if the authentication result is not passed, executing S6 and denying the access user access.
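The procedure S1 to S6 above, as one added example that is not the patent's or any project's code: the per-component resource scope of S1 is used to validate policies, policies carry the four access-item sets of S2, and authorize() walks the S3 decision tree in the order DenyExceptionAccessItem > DenyAccessItem > AllowExceptionAccessItem > AllowAccessItem, denying by default or delegating to the component's own ACL when no policy decides, and producing the audit record of the audit-log step. It generalizes the text slightly by evaluating several policies at once (a deny from any matching policy wins). COMPONENT_SCOPE, AccessItem, Policy, Request, authorize, audit_record, hive_request and the sample policy are this example's own constructions; the sample users and groups are made up.

```python
"""Access decision tree evaluation over allow/deny policies with exceptions (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Resource kinds and permission vocabulary per component, from the patent's S1 examples
# (STORM and KAFKA, which the text lists without permissions, are omitted here).
COMPONENT_SCOPE = {
    "hdfs":  ({"path"}, {"read", "write", "execute"}),
    "hbase": ({"table", "column-family", "column"}, {"read", "write", "create", "admin"}),
    "hive":  ({"database", "table", "column"}, {"select", "create", "update", "drop",
              "alter", "index", "lock", "read", "write", "all"}),
    "yarn":  ({"queue"}, {"submit-app", "admin-queue"}),
}


@dataclass(frozen=True)
class AccessItem:
    """One allow/deny entry: which permissions, for which users and/or groups."""
    permissions: frozenset
    users: frozenset = frozenset()
    groups: frozenset = frozenset()

    def matches(self, user, groups, permission):
        return permission in self.permissions and (
            user in self.users or not self.groups.isdisjoint(groups))


@dataclass
class Policy:
    component: str
    resource: dict                                        # e.g. {"database": "sales", "table": "orders"}; "*" = any
    allow: list = field(default_factory=list)             # AllowAccessItem
    allow_exceptions: list = field(default_factory=list)  # AllowExceptionAccessItem
    deny: list = field(default_factory=list)              # DenyAccessItem
    deny_exceptions: list = field(default_factory=list)   # DenyExceptionAccessItem


@dataclass
class Request:
    component: str
    resource: dict
    user: str
    groups: frozenset
    permission: str


def validate_policy(policy):
    """S1 check: a policy may only name resource kinds and permissions within its component's
    scope. Returns a list of problems; an empty list means the policy is valid."""
    kinds, perms = COMPONENT_SCOPE[policy.component]
    problems = [f"unknown resource kind {k!r}" for k in policy.resource if k not in kinds]
    for item in policy.allow + policy.allow_exceptions + policy.deny + policy.deny_exceptions:
        problems += [f"unknown permission {p!r}" for p in sorted(item.permissions - perms)]
    return problems


def resource_matches(policy_resource, requested):
    """Every resource kind the policy names must match the request exactly or by '*'."""
    return all(value == "*" or requested.get(kind) == value
               for kind, value in policy_resource.items())


def authorize(policies, req, native_acl=None):
    """Walk the decision tree over the policies covering the target resource; returns (allowed, reason)."""
    applicable = [p for p in policies
                  if p.component == req.component and resource_matches(p.resource, req.resource)]
    who = (req.user, set(req.groups), req.permission)
    # Highest priority: a deny item, unless a deny-exception item names the user.
    for p in applicable:
        if any(i.matches(*who) for i in p.deny) and not any(i.matches(*who) for i in p.deny_exceptions):
            return False, "deny"
    # Next: an allow item, unless an allow-exception item names the user.
    for p in applicable:
        if any(i.matches(*who) for i in p.allow):
            if any(i.matches(*who) for i in p.allow_exceptions):
                return False, "allow-exception"
            return True, "allow"
    # No policy decided: deny by default, or delegate to the component's own ACL (e.g. HDFS ACL).
    if native_acl is not None:
        return bool(native_acl(req)), "native-acl"
    return False, "default-deny"


def audit_record(req, allowed, reason, received_at=None):
    """Audit entry built from the request's receipt time, the user and the target resource."""
    ts = received_at or datetime.now(timezone.utc)
    return {"time": ts.isoformat(), "user": req.user, "component": req.component,
            "resource": dict(req.resource), "permission": req.permission,
            "result": "pass" if allowed else "fail", "reason": reason}


# Constructed sample policy for Hive table sales.orders: analysts may SELECT except the intern;
# contractors are denied except lead_contractor, who still needs an allow of her own to pass.
SAMPLE_POLICIES = [Policy(
    "hive", {"database": "sales", "table": "orders"},
    allow=[AccessItem(frozenset({"select"}), groups=frozenset({"analysts"}))],
    allow_exceptions=[AccessItem(frozenset({"select"}), users=frozenset({"intern"}))],
    deny=[AccessItem(frozenset({"select", "all"}), groups=frozenset({"contractors"}))],
    deny_exceptions=[AccessItem(frozenset({"select"}), users=frozenset({"lead_contractor"}))],
)]


def hive_request(user, groups, permission="select", table="orders"):
    """Constructed request against the sample policy's database."""
    return Request("hive", {"database": "sales", "table": table}, user, frozenset(groups), permission)


if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        assert not validate_policy(p)
    req = hive_request("lead_contractor", {"contractors", "analysts"})
    print(audit_record(req, *authorize(SAMPLE_POLICIES, req)))
```

Two behaviours are worth noticing. A deny-exception only lifts the deny; the user must still match an allow item, so lead_contractor passes only when she is also in an allowed group. And a request no policy covers is refused unless the caller explicitly opts into the native ACL fallback, which keeps the enforcement point fail-closed by default.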
Compared with the background art: the Kerberos authentication protocol uses temporary tickets, so the user must authenticate again when logging in again, and it can only control access to a service as a whole and cannot realize finer-grained access authority control, which makes the authentication process cumbersome and access control ineffective when the user logs in to a big data cluster. The big data unified authorization access method, device, electronic equipment and computer readable storage medium of the invention can therefore solve the problems of a cumbersome authentication process and poor access control when a user logs in to a big data cluster.
Fig. 4 is a functional block diagram of a big data unified authorization access apparatus according to an embodiment of the present invention.
The big data unified authorization access device 100 of the present invention can be installed in an electronic device. According to the realized functions, the big data unified authorization access device 100 may include a component resource authority range creation module 101, an access decision tree construction module 102, and an access authority authentication module 103. The module of the present invention, which may also be referred to as a unit, refers to a series of computer program segments that can be executed by a processor of an electronic device and that can perform a fixed function, and that are stored in a memory of the electronic device.
The component resource authority range creating module 101 is configured to obtain big data resources and component categories, create each component in the component categories, and create a resource authority range in the big data resources;
illustratively, the big data resource refers to a data resource for computation in a big data cluster. The component categories refer to the major components that support the company technology stack, such as: HDFS, HBASE, HIVE, YARN, STORM, KAFKA, etc.
It should be understood that the resource privilege scope refers to the business resource scope and data processing privilege of each component in the component category, such as: the service resource range of the HDFS is FilePath; the service resource range of HBASE is Table, Column Family and Column; the service resource range of HIVE is Database, Table and Column; the service resource range of YARN is Queue; the service resource range of STORM is Topology; the business resource range of KAFKA is Topic.
The data processing authority refers to the data operation authority of each component, such as: the data processing authority of the HDFS is Read, Write and Execute; the data processing authority of HBASE is Read, Write, Create and Admin; the data processing authority of HIVE is Select, Create, Update, Drop, Alter, Index, Lock, Read, Write and All; the data processing authority of YARN is Submit-app and Admin-queue.
In this embodiment of the present invention, the creating of each component in the component category, the resource authority range in the big data resource, includes:
acquiring a data processing structure and a data processing function of each component in the component category;
determining the service resource range of each component in the component category according to the data processing structure;
determining the data processing authority of each component in the component category according to the data processing function;
and constructing the resource authority range of each component in the component category according to the service resource range and the data processing authority.
By way of explanation, the data processing structure refers to structural features of the assembly, such as: HBASE is a Hadoop database, is a sparse, distributed, persistent, multidimensional ordered mapping, and builds indexes based on row keys, column keys, and timestamps. The data processing function refers to a functional feature of the component, such as: HBASE is a platform which can store and retrieve data by random access, is not limited by the type of the stored data, allows a dynamic and flexible data model to be used, does not use SQL language, does not emphasize the relationship between data, and is a component which runs on a server cluster and can be correspondingly and transversely expanded.
The access decision tree building module 102 is configured to obtain a user group set, determine each user group and user in the user group set, determine access permissions in the resource permission ranges corresponding to different components, and build an access decision tree according to the access permissions;
Understandably, the user group set refers to a set composed of different user groups. A user group may be denoted as Group, which denotes the user group to which a user belongs. A user may be denoted as User, which denotes a user accessing a data resource.
Illustratively, the access rights may be expressed by an allowACL, which describes allowing user or user group access, and a denyACL, which describes denying user or user group access, similar to a black and white list mechanism.
In the embodiment of the present invention, the determining the access right of each user group and the user in the user group set in the resource right range corresponding to different components includes:
assigning a user group authority to each user group in the user group set;
determining the access authority of each user group in the resource authority range corresponding to the different components according to the user group authority;
assigning a user authority to each user in each user group;
and determining the access authority of each user in the resource authority range corresponding to the different components according to the user authority.
in the embodiment of the present invention, the constructing an access decision tree according to the access right includes:
in the resource authority range, dividing the data in the resource authority range into different resource project data according to the classification of the data;
determining an allowed access user group and a refused access user group of the resource project data according to the access authority of the user group;
determining an allowed access user in a denial access user group of the resource project data according to the access authority of the user to obtain a denial exclusion user;
determining a user refusing to access in the user group allowing to access the resource project data according to the access authority of the user to obtain a user allowing to be excluded;
and constructing the access decision tree according to the sequence of the priority levels of the users refused to be excluded, the users refused to be accessed, the users allowed to be excluded and the users allowed to be accessed from large to small.
By way of explanation, the resource item data refers to different categories of data within the scope of the resource privilege, such as: columns for HIVE, directories for HDFS, columns for HBASE, queues for YARN, topologies for STORM, topics for KAFKA, etc.
It should be understood that the set of allowed access users may be denoted as AllowAccessItem and the set of denied access users may be denoted as DenyAccessItem. The exclusion-refusing user (excluded from a denied group) may be denoted as DenyExceptionAccessItem. The exclusion-allowing user (excluded from an allowed group) may be denoted as AllowExceptionAccessItem.
It can be understood that, in order to distinguish the access rights of a user from those of a user group, the allowACL and the denyACL each correspond to two groups of access items. For example: when the access right is an allowACL and some resource item data is to be granted to a user group Group1, but User1 in Group1 is not to be granted, an access item containing Group1 must be added to the AllowAccessItem and, at the same time, an access item containing User1 must be added to the AllowExceptionAccessItem.
It should be understood that the priority levels of the exclusion-refusing user, the access-refusing user group, the exclusion-allowing user and the access-allowing user group are ordered as exclusion-refusing user > access-refusing user group > exclusion-allowing user > access-allowing user group, that is, DenyExceptionAccessItem > DenyAccessItem > AllowExceptionAccessItem > AllowAccessItem.
The access right authentication module 103 is configured to receive an access request of an access user, and authenticate the access right of the access user according to the access request by using the access decision tree to obtain an authentication result;
explainably, the access decision tree refers to a decision tree which is constructed according to the sequence of the priorities of the user refusal to exclude, the user group refusal to access, the user allowed to exclude and the user group allowed to access from large to small.
In this embodiment of the present invention, the receiving an access request of an access user includes:
constructing an application program for accessing the resource project data;
constructing a data access authority system according to the resource authority ranges of different components;
calling a data access interface of the data access authority system by using the application program to obtain a data access channel;
and inputting the access request into the data access authority system by using the application program and the data access channel to obtain the access request.
Illustratively, the data access permission system refers to a Ranger architecture, comprising: RangerAdmin, AgentPlugin and UserSync. RangerAdmin provides a RESTful interface for adding, deleting, modifying and querying the big data resources, and has a built-in Web management page. AgentPlugin is a set of plug-ins embedded into the execution flow of each component; a plug-in periodically pulls policies from RangerAdmin, executes the access decision tree according to the policies, and records access audits. UserSync periodically loads users from LDAP/Unix/File and reports them to RangerAdmin; UserSync can use an SDK (Software Development Kit) for interface construction.
Explainably, the plug-in module actively pulls the policy from RangerAdmin; when the policy changes, the new policy is pulled and loaded into the authentication engine in the in-memory DB, and at the same time a backup file is stored locally, so that when RangerAdmin goes down, the local backup can be used to continue authentication. If the Service is deleted in RangerAdmin, the module's authentication can no longer be used.
It should be understood that the rights management process of the data access rights system includes: RangerAdmin creates a Service; RangerAdmin creates Policy; a component pull policy; the component authenticates the access request of the user; the component records an audit log; and viewing the audit log.
Understandably, the installation node of the HDFS component is the NameNode; the HBASE installation node is Master + RegionServer; the installation node of HIVE is HiveServer2; the installation node of YARN is the ResourceManager.
In the embodiment of the present invention, the authenticating the access right of the access user by using the access decision tree according to the access request to obtain an authentication result includes:
determining target resource project data according to the access request;
extracting exclusion refusing users, access user refusing groups, exclusion allowing users and access user allowing groups of the target resource project data;
judging whether the user group to which the access user belongs is in the access-refusing user group of the target resource project data;
if the user group to which the access user belongs is in the access-refusing user group of the target resource project data, judging whether the access user is an exclusion-refusing user of the target resource project data;
if the access user is not an exclusion-refusing user of the target resource project data, the authentication result is not passed;
if the access user is an exclusion-refusing user of the target resource project data, or the user group to which the access user belongs is not in the access-refusing user group of the target resource project data, judging whether the user group to which the access user belongs is in the access-allowing user group of the target resource project data;
if the access user does not belong to the allowed access user group of the target resource project data, the authentication result is not passed;
if the access user belongs to the allowed access user group of the target resource project data, judging whether the access user belongs to an allowed exclusion user of the target resource project data;
if the access user belongs to the allowable exclusion user of the target resource project data, the authentication result is not passed;
and if the access user does not belong to the allowable exclusion user of the target resource project data, the authentication result is passed.
Explainably, if the user or user group still cannot be authenticated according to the access decision tree, the default is that the user or user group has no right to access, and the authentication decision can be delegated down to the access control layer of the system itself, for example the ACL of the HDFS.
It can be understood that authentication is achieved by reading the configuration file generated when a component is installed and the jar package carried by the component, and calling each component service in hook mode. In the process of installing the service component, when enable-xxx-plugin is executed: the conf of the plug-in is updated into the conf of the system-installed service; the lib of the plug-in is updated into the lib of the system-installed service; and an xml file is generated by using install.
In this embodiment of the present invention, after authenticating the access right of the access user by using the access decision tree according to the access request to obtain an authentication result, the method further includes:
creating an access time stamp according to the receiving time of the access request;
and constructing an audit log according to the access time stamp, the access user of the access request and the target resource project data.
It should be clear that, through the audit log, it is possible to search precisely which user submitted which task on which machine, which makes problems convenient to check and feed back on.
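The authentication walk through the access decision tree (S3) and the audit log entry built from the access timestamp, as an added Python example that is not the patent's or Apache Ranger's code. All policy and user data is constructed, and it assumes a user may belong to several groups, which generalizes the text's single-group check.

```python
"""Access decision tree evaluation in the text's priority order
(DenyExceptionAccessItem > DenyAccessItem > AllowExceptionAccessItem > AllowAccessItem).
Added example; not the patent's or Ranger's code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class ResourceItemPolicy:
    """Policy for one resource item (a HIVE column, an HDFS directory, ...).
    The four sets are the DenyAccessItem, DenyExceptionAccessItem,
    AllowAccessItem and AllowExceptionAccessItem of the text."""
    component: str                 # e.g. "HIVE" (constructed)
    resource_item: str             # e.g. "sales_db.orders.amount" (constructed)
    deny_groups: FrozenSet[str] = frozenset()
    deny_exception_users: FrozenSet[str] = frozenset()
    allow_groups: FrozenSet[str] = frozenset()
    allow_exception_users: FrozenSet[str] = frozenset()


def authenticate(policy: ResourceItemPolicy, user: str,
                 user_groups: Set[str]) -> Tuple[bool, str]:
    """Walk the decision tree and return (passed, reason).
    A group list matches if any of the user's groups is in it (assumption:
    users may belong to several groups)."""
    # Branch 1: is a group of the user in the access-refusing user group?
    if user_groups & policy.deny_groups:
        # Branch 2: only an exclusion-refusing user escapes the group deny.
        if user not in policy.deny_exception_users:
            return False, "DenyAccessItem matched, user not a DenyExceptionAccessItem"
    # Branch 3: a group of the user must be in the access-allowing user group;
    # otherwise the default is no access.
    if not (user_groups & policy.allow_groups):
        return False, "no AllowAccessItem matched (default deny)"
    # Branch 4: an exclusion-allowing user is carved out of the group allow.
    if user in policy.allow_exception_users:
        return False, "user is an AllowExceptionAccessItem"
    return True, "AllowAccessItem matched"


def audit_record(policy: ResourceItemPolicy, user: str, user_groups: Set[str],
                 received_at: datetime) -> Dict[str, str]:
    """Audit log entry: access timestamp (request receipt time), access user,
    target resource item data and the authentication result."""
    passed, reason = authenticate(policy, user, user_groups)
    return {
        "access_timestamp": received_at.astimezone(timezone.utc).isoformat(),
        "access_user": user,
        "component": policy.component,
        "target_resource_item": policy.resource_item,
        "result": "passed" if passed else "not passed",
        "reason": reason,
    }


# Constructed sample policy following the text's example: the resource item is
# granted to Group1 but User1 in Group1 is excluded; the contractors group is
# denied, except User7.
SAMPLE_POLICY = ResourceItemPolicy(
    component="HIVE",
    resource_item="sales_db.orders.amount",
    deny_groups=frozenset({"contractors"}),
    deny_exception_users=frozenset({"User7"}),
    allow_groups=frozenset({"Group1"}),
    allow_exception_users=frozenset({"User1"}),
)

# Constructed user directory (what UserSync would load from LDAP/Unix/File).
SAMPLE_USER_GROUPS: Dict[str, Set[str]] = {
    "User1": {"Group1"},
    "User2": {"Group1"},
    "User5": {"contractors", "Group1"},
    "User7": {"contractors", "Group1"},
    "User9": {"analysts"},
}

# Constructed request receipt time used for the sample audit entries.
SAMPLE_RECEIVED_AT = datetime(2022, 3, 30, 9, 0, tzinfo=timezone.utc)


def decide(user: str) -> bool:
    """Authentication result for a user of the sample directory."""
    return authenticate(SAMPLE_POLICY, user, SAMPLE_USER_GROUPS[user])[0]


def sample_audit(user: str) -> Dict[str, str]:
    """Audit entry for a user of the sample directory."""
    return audit_record(SAMPLE_POLICY, user, SAMPLE_USER_GROUPS[user],
                        SAMPLE_RECEIVED_AT)


if __name__ == "__main__":
    for name in SAMPLE_USER_GROUPS:
        print(sample_audit(name))
```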
Judging whether the authentication result is passed or not; if the authentication result is passed, allowing the access user to access; and if the authentication result is that the user does not pass, the access user is refused to access.
In detail, the big data unified authorization access device 100 in the embodiment of the present invention can produce the following technical effects:
Compared with the background art: the Kerberos identity authentication protocol uses a temporary token, so the user needs to be authenticated again on each new login, only access to a single service can be controlled, and more precise access authority control cannot be realized; the result is a complicated authentication process and poor access control when a user logs in to a big data cluster. Therefore, the big data unified authorization access method, the big data unified authorization access device, the electronic equipment and the computer readable storage medium can solve the problems of a complicated authentication process and poor access control effect when a user logs in to a big data cluster.
Fig. 5 is a schematic structural diagram of an electronic device implementing a big data unified authorization access method according to an embodiment of the present invention.
The electronic device 1 may include a processor 10, a memory 11, a bus 12, and a communication interface 13, and may further include a computer program, such as a big data unified authorization access program, stored in the memory 11 and executable on the processor 10.
The memory 11 includes at least one type of readable storage medium, which includes flash memory, removable hard disk, multimedia card, card-type memory (e.g., SD or DX memory, etc.), magnetic memory, magnetic disk, optical disk, etc. The memory 11 may in some embodiments be an internal storage unit of the electronic device 1, e.g. a removable hard disk of the electronic device 1. The memory 11 may also be an external storage device of the electronic device 1 in other embodiments, such as a plug-in mobile hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the electronic device 1. Further, the memory 11 may also include both an internal storage unit and an external storage device of the electronic device 1. The memory 11 may be used to store not only application software installed in the electronic device 1 and various types of data, such as codes of big data unified authorization access programs, but also temporarily store data that has been output or will be output.
The processor 10 may be composed of an integrated circuit in some embodiments, for example, a single packaged integrated circuit, or may be composed of a plurality of integrated circuits packaged with the same or different functions, including one or more Central Processing Units (CPUs), microprocessors, digital Processing chips, graphics processors, and combinations of various control chips. The processor 10 is a Control Unit (Control Unit) of the electronic device, connects various components of the whole electronic device by using various interfaces and lines, and executes various functions and processes data of the electronic device 1 by running or executing programs or modules (such as big data unified authorization access programs) stored in the memory 11 and calling data stored in the memory 11.
The bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. The bus is arranged to enable connection communication between the memory 11 and at least one processor 10 or the like.
Fig. 5 only shows an electronic device with components, and it will be understood by a person skilled in the art that the structure shown in fig. 5 does not constitute a limitation of the electronic device 1, and may comprise fewer or more components than shown, or a combination of certain components, or a different arrangement of components.
For example, although not shown, the electronic device 1 may further include a power supply (such as a battery) for supplying power to each component, and preferably, the power supply may be logically connected to the at least one processor 10 through a power management device, so as to implement functions of charge management, discharge management, power consumption management, and the like through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The electronic device 1 may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
Further, the electronic device 1 may further include a network interface, and optionally, the network interface may include a wired interface and/or a wireless interface (such as a WI-FI interface, a bluetooth interface, etc.), which are generally used for establishing a communication connection between the electronic device 1 and other electronic devices.
Optionally, the electronic device 1 may further comprise a user interface, which may be a Display (Display), an input unit (such as a Keyboard), and optionally a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the electronic device 1 and for displaying a visualized user interface, among other things.
It is to be understood that the described embodiments are for purposes of illustration only and that the scope of the appended claims is not limited to such structures.
The big data unified authorization access program stored in the memory 11 of the electronic device 1 is a combination of a plurality of instructions, and when running in the processor 10, can realize:
acquiring big data resources and component types, and creating each component in the component types and a resource authority range in the big data resources;
acquiring a user group set, determining each user group and user in the user group set, determining access rights in the resource right ranges corresponding to different components, and constructing an access decision tree according to the access rights;
receiving an access request of an access user, and authenticating the access authority of the access user by using the access decision tree according to the access request to obtain an authentication result;
judging whether the authentication result is passed or not;
if the authentication result is passed, allowing the access user to access;
and if the authentication result is that the user does not pass, the access user is refused to access.
Specifically, the specific implementation method of the processor 10 for the instruction may refer to the description of the relevant steps in the embodiments corresponding to fig. 1 to fig. 4, which is not repeated herein.
Further, the integrated modules/units of the electronic device 1, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium. The computer readable storage medium may be volatile or non-volatile. For example, the computer-readable medium may include: any entity or device capable of carrying said computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM).
The present invention also provides a computer-readable storage medium, storing a computer program which, when executed by a processor of an electronic device, may implement:
acquiring big data resources and component types, and creating each component in the component types and a resource authority range in the big data resources;
acquiring a user group set, determining each user group and user in the user group set, determining access rights in the resource right ranges corresponding to different components, and constructing an access decision tree according to the access rights;
receiving an access request of an access user, and authenticating the access authority of the access user by using the access decision tree according to the access request to obtain an authentication result;
judging whether the authentication result is passed or not;
if the authentication result is passed, allowing the access user to access;
and if the authentication result is that the user does not pass, the access user is refused to access.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus, device and method can be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof.
The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
The block chain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the system claims may also be implemented by one unit or means in software or hardware. The terms second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (10)

1. A big data uniform authorization access method is characterized by comprising the following steps:
acquiring big data resources and component types, and creating each component in the component types and a resource authority range in the big data resources;
acquiring a user group set, determining each user group and user in the user group set, determining access rights in the resource right ranges corresponding to different components, and constructing an access decision tree according to the access rights;
receiving an access request of an access user, and authenticating the access authority of the access user by using the access decision tree according to the access request to obtain an authentication result;
judging whether the authentication result is passed or not;
if the authentication result is passed, allowing the access user to access;
and if the authentication result is that the user does not pass, the access user is refused to access.
2. The big data unified authorization access method according to claim 1, wherein the creating of the resource right scope of each component in the component category in the big data resource comprises:
acquiring a data processing structure and a data processing function of each component in the component category;
determining the service resource range of each component in the component category according to the data processing structure;
determining the data processing authority of each component in the component category according to the data processing function;
and constructing the resource authority range of each component in the component category according to the service resource range and the data processing authority.
3. The big data uniform authorization access method according to claim 2, wherein the determining the access right of each user group and user in the user group set in the resource right range corresponding to different components comprises:
assigning a user group authority to each user group in the user group set;
determining the access authority of each user group in the resource authority range corresponding to the different components according to the user group authority;
assigning a user authority to each user in each user group;
and determining the access authority of each user in the resource authority range corresponding to the different components according to the user authority.
4. The big data uniform authorization access method according to claim 3, wherein the building an access decision tree according to the access authority comprises:
in the resource authority range, dividing the data in the resource authority range into different resource project data according to the classification of the data;
determining an allowed access user group and a refused access user group of the resource project data according to the access authority of the user group;
determining an allowed access user in a denial access user group of the resource project data according to the access authority of the user to obtain a denial exclusion user;
determining a user refusing to access in the user group allowing to access the resource project data according to the access authority of the user to obtain a user allowing to be excluded;
and constructing the access decision tree according to the sequence of the priority levels of the users refused to be excluded, the users refused to be accessed, the users allowed to be excluded and the users allowed to be accessed from large to small.
5. The big data uniform authorization access method according to claim 1, wherein the receiving of the access request of the access user comprises:
constructing an application program for accessing the resource project data;
constructing a data access authority system according to the resource authority ranges of different components;
calling a data access interface of the data access authority system by using the application program to obtain a data access channel;
and inputting the access request into the data access authority system by using the application program and the data access channel to obtain the access request.
6. The big data uniform authorization access method according to claim 5, wherein the authenticating the access right of the access user by using the access decision tree according to the access request to obtain an authentication result comprises:
determining target resource project data according to the access request;
extracting exclusion refusing users, access user refusing groups, exclusion allowing users and access user allowing groups of the target resource project data;
judging whether the user group to which the access user belongs is in the access-refusing user group of the target resource project data;
if the user group to which the access user belongs is in the access-refusing user group of the target resource project data, judging whether the access user is an exclusion-refusing user of the target resource project data;
if the access user is not an exclusion-refusing user of the target resource project data, the authentication result is not passed;
if the access user is an exclusion-refusing user of the target resource project data, or the user group to which the access user belongs is not in the access-refusing user group of the target resource project data, judging whether the user group to which the access user belongs is in the access-allowing user group of the target resource project data;
if the access user does not belong to the allowed access user group of the target resource project data, the authentication result is not passed;
if the access user belongs to the allowed access user group of the target resource project data, judging whether the access user belongs to an allowed exclusion user of the target resource project data;
if the access user belongs to the allowable exclusion user of the target resource project data, the authentication result is not passed;
and if the access user does not belong to the allowable exclusion user of the target resource project data, the authentication result is passed.
7. The big data uniform authorization access method according to claim 6, wherein the method further comprises, after authenticating the access right of the access user by using the access decision tree according to the access request and obtaining an authentication result:
creating an access time stamp according to the receiving time of the access request;
and constructing an access log according to the access time stamp, the access user of the access request and the target resource project data.
8. A big data unified authorization access device, the device comprising:
the component resource authority range creating module is used for acquiring big data resources and component categories, creating each component in the component categories and creating a resource authority range in the big data resources;
the access decision tree building module is used for acquiring a user group set, determining each user group and user in the user group set, building an access decision tree according to the access authority in the resource authority range corresponding to different components;
the access authority authentication module is used for receiving an access request of an access user, authenticating the access authority of the access user by using the access decision tree according to the access request to obtain an authentication result, and judging whether the authentication result is passed; if the authentication result is passed, the access user is allowed access; and if the authentication result is not passed, the access user is refused access.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the big data unified authorization access method as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the big data unified authorization access method according to any of claims 1 to 7.
CN202210324345.7A 2022-03-30 2022-03-30 Big data unified authorization access method, device, electronic equipment and medium Pending CN114692126A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210324345.7A CN114692126A (en) 2022-03-30 2022-03-30 Big data unified authorization access method, device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN114692126A true CN114692126A (en) 2022-07-01

Family

ID=82141711

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210324345.7A Pending CN114692126A (en) 2022-03-30 2022-03-30 Big data unified authorization access method, device, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN114692126A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060075469A1 (en) * 2004-10-01 2006-04-06 Microsoft Corporation Integrated access authorization
CN106301791A (en) * 2016-08-23 2017-01-04 浪潮电子信息产业股份有限公司 Method and system for realizing unified user authentication authorization based on big data platform
CN109902497A (en) * 2019-02-26 2019-06-18 南威软件股份有限公司 A kind of access authority management method and system towards big data cluster
WO2021115231A1 (en) * 2019-12-10 2021-06-17 华为技术有限公司 Authentication method and related device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118133340A (en) * 2024-02-08 2024-06-04 中电云计算技术有限公司 HDFS authority convergence gray scale online implementation method based on Ranger strategy
CN118133340B (en) * 2024-02-08 2024-08-30 中电云计算技术有限公司 HDFS authority convergence gray scale online implementation method based on Ranger strategy

Similar Documents

Publication Publication Date Title
US11599668B2 (en) Securing access to confidential data using a blockchain ledger
US20240013210A1 (en) Data Processing System Utilising Distributed Ledger Technology
CN109643242B (en) Security design and architecture for multi-tenant HADOOP clusters
US20230370265A1 (en) Method, Apparatus and Device for Constructing Token for Cloud Platform Resource Access Control
US9569634B1 (en) Fine-grained structured data store access using federated identity management
US11102189B2 (en) Techniques for delegation of access privileges
US20230121372A1 (en) Secure resource authorization for external identities using remote principal objects
CN108259422B (en) A multi-tenant access control method and device
US20240104229A1 (en) Verifiable attribute maps
CN111680310A (en) Authority control method and device, electronic equipment and storage medium
US20230370473A1 (en) Policy scope management
CN115422526B (en) Role authority management method, device and storage medium
CN118337437A (en) A Kubernetes cluster management method, device, equipment, medium and program product
CN116975893A (en) Access request processing method and device, storage medium and computer equipment
US10257263B1 (en) Secure remote execution of infrastructure management
CN114692126A (en) Big data unified authorization access method, device, electronic equipment and medium
CN107194239A (en) A kind of right management method and device
Shetty et al. Policy-based access control scheme for securing hadoop ecosystem
KR20070076342A (en) User Group Role / Permission Management System and Access Control Methods in a Grid Environment
CN115296901B (en) Rights management method based on artificial intelligence and related equipment
EP2107488A1 (en) Improvements in policy driven computer systems
US10708253B2 (en) Identity information including a schemaless portion
Dai et al. Blockchain-Based Social Network Access Control Mechanism
US10924286B2 (en) Signing key log management
Guo et al. A Data Security Exchange and Sharing System Construction Method and Perfomance Evaluation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20220701)