
WO2025102725A1 - File access method and apparatus, file access permission determination method and apparatus, and related devices - Google Patents


Info

Publication number
WO2025102725A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
policy information
target file
permission
access
Prior art date
Legal status
Pending
Application number
PCT/CN2024/099581
Other languages
French (fr)
Chinese (zh)
Inventor
蒋武
张钊
杨辉
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of WO2025102725A1


Classifications

    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/602 Providing cryptographic facilities or services
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/60 Protecting data > G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the present application relates to the field of data security technology, and in particular to a file access method, a file access permission determination method, a device, and related equipment.
  • an attack detection method is usually adopted to discover and handle attacks in a timely manner so as to improve data security.
  • there are many types of attack, detection methods struggle to discover all of them, and the resulting defence cannot meet the needs of data security.
  • the present application provides a file access method and a file access permission determination method, aiming to achieve data protection of files at the file granularity when users access files.
  • the present application also provides corresponding devices, computing devices, computer-readable storage media and computer program products.
  • the present application provides a file access method.
  • the method is applied to a first device.
  • the first device obtains a file access request for a target file triggered by a request object.
  • the file access request includes access operation information, and the access operation information is used to describe the access operation that the request object needs to perform on the target file.
  • the request object is a user who requests to access the target file.
  • the request object is a system user of an operating system program of the first device, or an application user of an application program.
  • the first device obtains permission policy information of the request object.
  • the permission policy information is determined based on the file tag policy information of the target file and the file access request, and is used to indicate the permission of the request object to operate the target file.
  • the file tag policy information corresponds to the file tag of the target file, and is used to describe the control policy for the access operation on the target file.
  • the file tag includes one or more security dimension tags.
  • the file tag is set by the manager of the target file or generated based on the file attributes of the target file.
  • the first device performs access control on the request object to access the target file according to the permission policy information. Based on the file tag, data protection with file granularity can be realized, and the security of file access can be improved.
  • File-centric data security protection can reduce security issues such as file tampering and leakage to a certain extent, and improve the protection of file integrity and confidentiality.
  • the first device generates the permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.
  • the second device generates permission policy information of the request object.
  • the first device sends a permission request for the target file to the second device.
  • the permission request includes the file tag policy information of the target file, the access operation information and the public key of the request object.
  • the file tag policy information of the target file is encrypted with the public key of the target file.
  • the first device obtains the permission information fed back by the second device.
  • the permission information includes a first ciphertext.
  • the first ciphertext includes a ciphertext obtained by encrypting the permission policy information of the request object using the public key of the request object.
  • the permission policy information of the request object is obtained by the second device using the private key of the target file, the file tag policy information of the target file and the access operation information.
  • the target file is encrypted using a file encryption key.
  • the file encryption key is encapsulated in the file tag policy information of the target file.
  • the permission information obtained by the first device also includes a second ciphertext obtained by encrypting the file encryption key using the public key of the request object.
  • the first device uses the file encryption key to decrypt the target file.
  • the file encryption key is obtained by the first device decrypting the second ciphertext using the private key of the request object. Encrypting each file with its own key raises the file's security level; using a key unique to each file also effectively limits the threat to multiple files that key leakage poses when a single shared key is used for encryption.
  • the first device further obtains the file tag of the target file, and generates the file tag policy information of the target file based on the file tag and the tag policy template. In this way, the file tag policy information can be generated automatically from the file tag of the target file using the tag policy template.
  • the tag policy template is obtained from the second device.
  • the user who sets the file tag policy information can also customize and update it.
  • the first device obtains customized tag policy information for the target file and uses it to update the file tag policy information of the target file. In this way, the file tag policy information can be adjusted per file, the flexibility of configuring it is improved, and it is convenient to configure file tag policy information that meets the protection requirements of the file.
  • the first device is a host.
  • the method is applied to an application layer of the first device, or to a system layer of the first device, or to an application layer and a system layer of the first device.
  • the first device is a storage device.
  • the request object triggers a file access request through a third device connected to the first device.
  • the first device obtains a file access request for a target file sent by the third device and triggered by the request object.
  • the file access request is encapsulated by the third device using a security protocol.
  • the first device unpacks the file access request using the security protocol. In this way, the security protocol can be used to protect the security of the file access request, thereby improving the security of the file.
  • the first device generates feedback file information according to the permission policy information of the request object and the access operation information of the request object, and sends the feedback file information encapsulated by the security protocol to the third device.
  • the security protocol is used to improve the security of information transmitted between the first device and the third device.
  • the method is applied to a system layer of a first device, and the application is a preset security application.
  • the present application provides a method for determining file access rights.
  • the method is applied to a second device.
  • the second device obtains a permission request for a target file sent by the first device.
  • the permission request includes file tag policy information of the target file, access operation information, and the public key of the request object.
  • the file tag policy information is encrypted with the public key of the target file and is used to describe the control policy for the access operation on the target file.
  • the file tag policy information corresponds to the file tag of the target file.
  • the file tag is set by the manager of the target file or generated based on the file attributes of the target file.
  • the file tag includes one or more security dimension tags.
  • the request object is the system user of the operating system program of the first device, or the application user of the application program.
  • the second device decrypts the file tag policy information using the private key of the target file, and determines the permission policy information of the request object based on the file tag policy information of the target file and the access operation information.
  • the permission policy information is used to describe the permission policy of the request object for the access operation on the target file.
  • the second device encrypts the permission policy information of the request object using the public key of the request object to obtain the first ciphertext, and sends the permission information including the first ciphertext to the first device.
  • because the second device decrypts the file tag policy information with the private key of the target file and determines the permission policy information itself, the first device need not hold the private key of the target file; this reduces the security issues that leakage of that private key from the first device would cause, improves the security of the file tag policy information, and thus improves the security of the target file.
  • the file tag policy information and permission policy information exchanged between the first device and the second device are both encrypted, which improves the security of the interaction between the first device and the second device and reduces the risk of information leakage during it.
  • the target file is encrypted using a file encryption key.
  • the file encryption key is encapsulated in the file tag policy information of the target file.
  • the second device also uses the public key of the request object to encrypt the file encryption key to obtain a second ciphertext.
  • the permission information sent by the second device to the first device also includes the second ciphertext.
  • the second device sends the encrypted file encryption key to the first device, so that the first device can decrypt the target file based on the file encryption key and control the access of the request object.
  • using a key unique to the target file also effectively avoids the threat to multiple files that key leakage poses when a single shared key is used for encryption, thereby improving the data security of the target file.
  • the second device further provides the first device with a tag policy template.
  • the second device sends the tag policy template to the first device.
  • the second device is a server or a management device.
  • the present application provides a file access apparatus, which is applied to a first device and includes: an acquisition module for acquiring a file access request for a target file triggered by a request object, the file access request including access operation information that describes the access operation the request object needs to perform on the target file, where the request object is a system user of an operating system program of the first device or an application user of an application program; a processing module for obtaining permission policy information of the request object, the permission policy information being determined based on the file tag policy information of the target file and the file access request, where the file tag policy information corresponds to the file tag of the target file and describes the control policy for access operations on the target file, the permission policy information indicates the permission of the request object to operate the target file, the file tag includes one or more security dimension tags, and the file tag is set by the administrator of the target file or generated based on the file attributes of the target file; and a control module for executing access control on the request object's access to the target file according to the permission policy information.
  • the processing module is specifically configured to generate permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.
  • the processing module is specifically used to send a permission request for the target file to a second device, where the permission request includes the file tag policy information of the target file, the access operation information, and the public key of the request object, and the file tag policy information of the target file is encrypted with the public key of the target file; to obtain permission information fed back by the second device, where the permission information includes a first ciphertext obtained by encrypting the permission policy information of the request object using the public key of the request object, and the permission policy information of the request object is obtained by the second device using the private key of the target file, the file tag policy information of the target file, and the access operation information; and to decrypt the first ciphertext using the private key of the request object to obtain the permission policy information of the request object.
  • the target file is encrypted using a file encryption key, which is encapsulated in the file tag policy information of the target file.
  • the permission information also includes a second ciphertext encrypted by the file encryption key using the public key of the requesting object.
  • the processing module is also used to decrypt the target file using the file encryption key if it is determined, based on the permission policy information, that the requesting object has access rights.
  • the file encryption key is obtained by decrypting the second ciphertext using the private key of the requesting object.
  • the acquisition module is further used to acquire the file tag of the target file; the generation module is used to generate the file tag policy information of the target file based on the file tag and the tag policy template.
  • the tag policy template is obtained from the second device.
  • the acquisition module is further used to acquire custom tag policy information for the target file; the generation module is further used to update the file tag policy information of the target file using the custom tag policy information.
  • the first device is a host.
  • the apparatus is applied to an application layer of the first device.
  • the apparatus is applied to a system layer of a first device.
  • the application is a preset security application.
  • the first device is a storage device.
  • the acquisition module is specifically used to obtain a file access request for a target file sent by a third device and triggered by a request object, where the file access request is encapsulated by the third device using a security protocol, and to unpack the file access request using the security protocol.
  • the control module is specifically used to generate feedback file information according to the permission policy information of the request object and the access operation information of the request object, and to send the feedback file information, encapsulated by the security protocol, to the third device.
  • the present application provides an apparatus for determining file access rights, which is applied to a second device and includes: an acquisition module, which is used to obtain a permission request for a target file sent by a first device, where the permission request includes file tag policy information of the target file, access operation information and a public key of the request object, the file tag policy information is encrypted with the public key of the target file, corresponds to the file tag of the target file, and describes the control policy for the access operation on the target file, the file tag includes one or more security dimension tags, the file tag is set by the administrator of the target file or generated based on the file attributes of the target file, and the request object is the system user of the operating system program of the first device or the application user of the application program; a decryption module, which is used to decrypt the file tag policy information using the private key of the target file; a determination module, which is used to determine the permission policy information of the request object based on the file tag policy information and
  • the target file is encrypted using a file encryption key.
  • the file encryption key is encapsulated in the file tag policy information of the target file.
  • the encryption module is also used to encrypt the file encryption key using the public key of the request object to obtain a second ciphertext, and the permission information also includes the second ciphertext.
  • the sending module is further configured to send the tag policy template to the first device in response to obtaining a tag policy template acquisition request sent by the first device.
  • the second device is a server or a management device.
  • the present application provides a computing device cluster, the computing device cluster includes at least one computing device, each computing device includes a processor and a memory; the memory is used to store instructions, and when the computing device cluster is running, the processor in each computing device executes the instructions stored in the memory, so that the computing device cluster executes the file access method in the above-mentioned first aspect or any possible implementation of the first aspect, or executes the file access permission determination method in the above-mentioned second aspect or any possible implementation of the second aspect.
  • the memory can be integrated into the processor or can be independent of the processor.
  • Each computing device may also include a bus.
  • the processor is connected to the memory via a bus.
  • the memory may include a readable memory and a random access memory.
  • the present application provides a computer-readable storage medium, which stores instructions.
  • when the computer-readable storage medium is run on a computing device cluster (the computing device cluster includes at least one computing device), the computing device cluster executes the file access method in the above-mentioned first aspect or any possible implementation of the first aspect, or executes the file access permission determination method in the above-mentioned second aspect or any possible implementation of the second aspect.
  • the present application provides a computer program product comprising instructions, which, when running on a computing device cluster (the computing device cluster includes at least one computing device), enables the computing device cluster to execute the file access method in the above-mentioned first aspect or any possible implementation of the first aspect, or execute the file access permission determination method in the above-mentioned second aspect or any possible implementation of the second aspect.
  • FIG. 1a is a schematic diagram of a scenario provided in an embodiment of the present application.
  • FIG. 1b is a schematic diagram of another scenario provided in an embodiment of the present application.
  • FIG. 1c is a schematic diagram of an interaction between a first device and a second device provided in an embodiment of the present application.
  • FIG. 2a is a schematic diagram of another scenario provided in an embodiment of the present application.
  • FIG. 2b is a schematic diagram of another scenario provided in an embodiment of the present application.
  • FIG. 2c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
  • FIG. 3a is a schematic diagram of a scenario provided in an embodiment of the present application.
  • FIG. 3b is a schematic diagram of another scenario provided in an embodiment of the present application.
  • FIG. 3c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
  • FIG. 4a is a schematic diagram of another scenario provided in an embodiment of the present application.
  • FIG. 4b is a schematic diagram of another scenario provided in an embodiment of the present application.
  • FIG. 4c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
  • FIG. 5 is a schematic flow chart of a file access method provided in an embodiment of the present application.
  • FIG. 6 is a flow chart of another file access method provided in an embodiment of the present application.
  • FIG. 7 is a schematic diagram of a process for generating file tag policy information for a target file provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of a file tag policy provided by an embodiment of the present application.
  • FIG. 9 is a schematic diagram of another process for generating file tag policy information of a target file provided by an embodiment of the present application.
  • FIG. 10 is a schematic diagram of the structure of a file access apparatus provided in an embodiment of the present application.
  • FIG. 11 is a schematic diagram of the structure of an apparatus for determining file access rights provided in an embodiment of the present application.
  • FIG. 12 is a schematic diagram of the structure of a computing device provided in an embodiment of the present application.
  • FIG. 13 is a schematic diagram of the structure of a computing device cluster provided in an embodiment of the present application.
  • FIG. 14 is a schematic diagram of the structure of another computing device cluster provided in an embodiment of the present application.
  • Data is a relatively important asset, containing important information of individuals or enterprises.
  • attack detection algorithms are usually built along dimensions such as network, host and storage, and are used to detect attack behaviors in a timely manner and handle them so as to maintain data security.
  • the attack behaviors a detection algorithm can detect are limited: it can only identify currently known attack behaviors and has difficulty detecting unknown attacks, so security risks remain.
  • a detection algorithm also produces detection errors, which may affect the normal operation of the business that processes the data; the approach of detecting attacks with detection algorithms therefore struggles to meet the needs of data security.
  • an embodiment of the present application provides a file access method applied to a first device.
  • the first device obtains a file access request including access operation information for a target file triggered by a request object.
  • the first device obtains permission policy information of the request object.
  • the permission policy information of the request object is determined based on the file tag policy information of the target file and the file access request of the request object.
  • the file tag policy information corresponds to the file tag of the target file.
  • the file tag policy information is used to describe the control policy for the access operation on the target file.
  • the first device performs access control on the request object's access to the target file according to the permission policy information.
  • the use of file tag policy information can achieve security protection for data with file as the granularity.
  • the file tag can be configured based on the security protection requirements of the file, thereby achieving flexible configuration of file tag policy information to meet the security requirements of different files.
  • the embodiments of the present application do not limit the deployment mode of the file access method and the file access permission determination method.
  • the embodiments of the present application provide four application scenario schematic diagrams.
  • the file access method provided in the embodiment of the present application can be applied to a tag policy client or a tag policy software development kit (SDK), and deployed in the application of the first device, that is, deployed in the application layer of the first device.
  • the first device is, for example, a host.
  • the request object requesting access to the target file can be an application user of the application of the first device, or a system user of the operating system program of the first device.
  • the scenario shown in FIG1a can be, for example, a scenario in which the application has an independent user system.
  • the application layer of the first device implements control over access to files by the application user of the application of the first device or the system user of the operating system program.
  • the application layer of the first device includes a tag policy client or a tag policy software development kit, which obtains a file access request for a target file triggered by a request object, generates permission policy information of the request object based on the file tag policy information of the target file and the file access request of the request object, and performs access control on the request object's access to the target file according to the permission policy information.
  • the first device interacts with the second device to implement access control to the target file.
  • An embodiment of the present application provides a method for determining file access rights. The method for determining file access rights can be applied to a tag policy service, or a tag policy management component, and deployed on a second device.
  • the second device is, for example, a server.
  • FIG. 1c is a schematic diagram of the interaction between a first device and a second device provided in an embodiment of the present application.
  • the application layer of the first device includes a tag policy client or a tag policy software development kit, including an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module, and an access operation control module.
  • the tag policy service of the second device includes an initialization module and a permission information determination module.
  • the initialization module of the first device interacts with the initialization module of the second device to implement initialization authentication, that is, identity authentication and certificate issuance.
  • the file tag generation module of the first device is used to generate a file tag based on a user trigger, or automatically generate a file tag, and send a tag policy template acquisition request to the second device to obtain the tag policy template fed back by the second device.
  • the file tag policy information generation module of the first device generates file tag policy information of the target file based on the file tag and the tag policy template.
  • the file access method provided in the embodiment of the present application can be applied to a tag kernel module and deployed in the operating system program (OS) of the first device, that is, deployed in the system layer of the first device.
  • the first device is, for example, a host.
  • the request object requesting access to the target file can be the system user of the operating system program of the first device, or the application user of the application.
  • the scenario shown in FIG2a is, for example, a scenario in which the application and the OS have a unified user system, or the user system of the application can be synchronized to the user system of the OS, or the application does not have an independent user system.
  • the system layer of the first device implements the control of application users of application programs or system users of operating system programs accessing files.
  • the system layer of the first device includes a tag kernel module that obtains a file access request for a target file triggered by a request object, generates permission policy information of the request object based on the file tag policy information of the target file and the file access request of the request object, and performs access control on the request object's access to the target file according to the permission policy information.
  • the first device interacts with the second device to implement access control on the target file.
  • the file access permission determination method provided in the embodiment of the present application can be applied to a tag policy service, or a tag policy management component, deployed on a second device.
  • the second device is, for example, a server.
  • FIG2c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
  • the system layer of the first device includes a tag policy client or a tag policy software development kit, including an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module, and an access operation control module.
  • the tag policy service of the second device, or the tag policy management component includes an initialization module and a permission information determination module.
  • the interaction process between the first device and the second device is similar to the example corresponding to FIG1c above, and will not be repeated here.
  • the file access method provided in the embodiment of the present application can be applied to the tag kernel module together with the tag policy client or the tag policy SDK, and deployed in the OS and the application of the first device, that is, in both the system layer and the application layer of the first device.
  • the first device is, for example, a host.
  • the request object requesting access to the target file can be the system user of the operating system program of the first device, or the application user of the application.
  • the scenario shown in FIG3a is, for example, a business scenario with high security requirements.
  • the system layer and the application layer of the first device collaborate to implement control over access to files by the application user of the application, or the system user of the operating system program.
  • the tag kernel module of the first device, and the tag policy client or tag policy SDK obtain a file access request for a target file triggered by a request object, generate permission policy information of the request object based on the file tag policy information of the target file and the file access request of the request object, and perform access control on the request object's access to the target file according to the permission policy information.
  • the first device interacts with the second device to implement access control to the target file.
  • the file access permission determination method provided in the embodiment of the present application can be applied to a tag policy service or a tag policy management component deployed on the second device.
  • the second device is, for example, a server.
  • FIG. 3c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
  • the system layer and the application layer of the first device include a tag policy client or a tag policy software development kit, including an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module, and an access operation control module.
  • the tag policy service of the second device, or the tag policy management component, includes an initialization module and a permission information determination module.
  • the interaction process between the first device and the second device is similar to the example corresponding to FIG1c above, and will not be repeated here.
  • the file access method provided in an embodiment of the present application can be applied to a tag kernel module and deployed in a first device.
  • the first device is, for example, a storage device.
  • the first device is also connected to a third device.
  • the third device is, for example, a production host.
  • a requesting object requesting access to a target file accesses the target file stored in the first device through a third device.
  • the first device and the third device communicate via a security protocol.
  • the first device also includes a security protocol server.
  • the third device includes a security protocol client.
  • the security protocol server and the security protocol client are used to encapsulate or unpack transmission information using a security protocol to achieve communication between the first device and the third device. In this way, the requesting object can complete the access operation to the target file stored in the first device on the third device.
  • the tag kernel module of the first device obtains a file access request for a target file triggered by a request object, generates permission policy information of the request object based on the file tag policy information of the target file and the file access request of the request object, and performs access control on the request object's access to the target file according to the permission policy information.
  • the first device interacts with the second device to implement access control on the target file.
  • the file access permission determination method provided in the embodiment of the present application can be applied to a tag policy service, or a tag policy management component, deployed on the second device.
  • the second device is, for example, a management device for a storage device.
  • FIG4c is a schematic diagram of another interaction between a first device and a second device provided in an embodiment of the present application.
  • the first device includes a tag policy client or a tag policy software development kit, including an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module, and an access operation control module.
  • the first device also includes a security protocol server.
  • the tag policy service of the second device includes an initialization module and a permission information determination module.
  • third device A and third device B each include a security protocol client.
  • the interaction process between the first device and the second device is similar to the example corresponding to FIG1c above, and will not be repeated here.
  • the security protocol client of the third device A is used to obtain the file tag selected by the user, and uses the security protocol to encapsulate the file tag and send it to the first device.
  • the security protocol server of the first device uses the security protocol to decapsulate the file tag, and sends the file tag to the file tag generation module.
  • the security protocol client of the third device A is used to obtain the file access request triggered by the request object, and uses the security protocol to encapsulate the file access request and send it to the first device.
  • the security protocol server of the first device uses the security protocol to decapsulate the file access request and sends the file access request to the access request processing module. In this way, it is possible to control the access to files by the request object, that is, the application user of the application of the third device, or the system user of the operating system program.
  • this figure is a schematic flow chart of a file access method provided in an embodiment of the present application. The method is applied to a first device and includes S501-S503.
  • S501 The first device obtains a file access request for a target file triggered by a request object.
  • the request object is an object that requests access to a target file stored in the first device through the first device.
  • the embodiment of the present application does not limit the identity of the request object.
  • the request object is, for example, a user.
  • the user is an application user of an application program of the first device, or a system user of an operating system program of the first device.
  • the request object is, for example, a user together with a program process.
  • the program process is the process through which the user triggers the file access request.
  • the user who is the object of the request needs to pass security authentication.
  • a first device establishes a connection with a second device.
  • the first device exchanges user information with the second device to complete authentication of the user.
  • the authentication process includes two processes: identity authentication and the second device issuing a certificate to the first device.
  • for identity authentication, the first device sends the object information of an object involved in file access to the second device.
  • the first device sends user information of a user logged in to the application, or user information of a user logged in to the operating system program of the first device.
  • the second device authenticates the object based on the acquired object information and sends the authentication result to the first device.
  • the first device determines the object that has passed the security authentication based on the authentication result. If the request object is already an authenticated object, the first device can determine whether the request object has passed the security authentication based on the authentication result. In the case where the request object has passed the security authentication, the first device processes the file access request for the target file triggered by the request object. If the request object has not passed the security authentication, the first device does not process the file access request for the target file triggered by the request object. If the request object is an unauthenticated object, such as a user who logs in to the first device for the first time, the first device sends the user information of the request object to the second device.
  • the second device authenticates the request object based on the acquired user information of the request object and sends the authentication result of the request object to the first device.
  • the first device can determine whether the request object has passed the security authentication based on the authentication result of the request object. In the case where the request object has passed the security authentication, the first device processes the file access request for the target file triggered by the request object. If the request object has not passed the security authentication, the first device does not process the file access request for the target file triggered by the request object.
  • the file access method provided by the embodiment of the present application is applied to the system layer of the first device. That is, the file access method is executed by the operating system program of the first device.
  • the request object can be an application user of an application deployed by the first device.
  • after obtaining the file access request triggered by the application user, the system layer of the first device first verifies whether the application to which the application user belongs is a safe application, for example based on a pre-established application whitelist.
  • the application whitelist includes information about safe applications; the first device determines whether the application user is an application user of an application included in the application whitelist.
  • if so, the first device processes the file access request for the target file triggered by the application user. If the application user is not an application user of an application included in the application whitelist, the first device does not process the file access request for the target file triggered by the request object. In this way, security authentication of the application to which the application user belongs is implemented, the applications that may access files are limited, malicious processing of files by applications, such as deleting files, is prevented, and the security of files is improved.
  • the target file stored in the first device is a file for which file tag policy information has been pre-configured.
  • the file tag policy information corresponds to the file tag of the target file.
  • the file tag can be set based on the attributes of the file and the need for file protection.
  • the file tag policy information describes the control policy for access operations on the target file.
  • the file tag policy information indicates the permission policy that must be followed to access the target file.
  • the target file is protected by its file tag policy information.
  • the present application embodiment does not limit the configuration method of the file tag policy information of the target file.
  • it can be configured directly by the owner or manager of the target file.
  • alternatively, the owner or manager of the target file edits and generates it.
  • the embodiment of the present application provides a specific implementation method for generating file tag policy information of a target file, please refer to the following for details.
  • the file access request includes access operation information.
  • the access operation information includes the object information of the request object and the operation information of the request object requesting to perform an access operation on the target file.
  • the object information of the request object may be, for example, the account information and object type of the request object.
  • when the request object is a user, the account information is the user's account.
  • the object type may be, for example, a system user or an application user. Different types of request objects are distinguished to facilitate determining the permission policy information of different types of request objects, implement access control on different types of request objects, and improve the security of data.
  • the object information of the request object also includes the process information of the program process that triggers the file access request, such as the process number.
  • the operation information may include, for example, the type of access operation.
  • S502 The first device obtains permission policy information of the request object.
  • the permission policy information of the request object is used to indicate the permission of the request object to operate the target file.
  • the permission policy information of the request object is determined based on the file tag policy information of the target file and the file access request of the request object.
  • the embodiments of the present application do not limit possible implementation methods for the first device to obtain permission policy information.
  • the first device generates permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.
  • the first device determines the permission policy information related to the access operation information from the file tag policy information of the target file, and obtains the permission policy information of the request object.
  • the permission policy information of the request object is used to indicate the permission of the request object to operate the target file.
  • the file tag policy information of the target file includes the operations that can be performed on the target file for different security dimensions.
  • the file tag policy information of the target file includes policy information of four security dimensions: file sensitivity, access user, access process, and the business type to which the file belongs.
  • the policy information of the sensitivity of the file includes encryption protection for top-secret files.
  • the policy information of the access user includes that users of type U1 have all operation permissions, users of type U2 have read and write permissions, users of type U3 have print permission, and users of any other type are denied access.
  • the policy information of the access process includes that processes of type P1 have all permissions, and processes of any other type are denied access.
  • the policy information of the business type to which the file belongs restricts the sending of files containing financial data to non-financial personnel.
  • as an example, the access operation information indicates that the user type of the request object is U1 and the type of access operation is a read operation.
  • the first device determines, based on the access operation information and the file tag policy information, that a request object of type U1 has all operation permissions.
  • the permission policy information of the request object is therefore that it has all operation permissions.
  • as another example, the access operation information indicates that the user type of the request object is U3 and the type of access operation is a read operation.
  • the first device determines, based on the access operation information and the file tag policy information, that a request object of type U3 has permission for print operations.
  • the permission policy information of the request object is therefore that it has permission for print operations.
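  • The local determination of S502 and the enforcement of S503, worked through in code as an added example that is not part of the patent or of any Huawei implementation: a file tag policy information structure with the four dimensions above, a deny-by-default intersection of the user-type and process-type permissions, and a check of one requested operation against the result. The field names, the RecipientDept field used for the outbound dimension, and the concrete operation names are assumptions; the policy values are the ones from the example above.

```go
package main

import "fmt"

// FilePolicy is the file tag policy information of one target file, one entry per
// security dimension of the page's example. The layout is assumed for this example.
type FilePolicy struct {
	Sensitivity  string              // "top_secret" files are stored encrypted
	UserPerms    map[string][]string // user type -> allowed operations; absent type = denied
	ProcPerms    map[string][]string // process type -> allowed operations; absent type = denied
	BusinessType string              // "financial": outbound send only to financial personnel
}

// AccessOp is the access operation information of one file access request.
// RecipientDept is an assumed field needed for the outbound dimension; the page
// does not say how the recipient of a send is identified.
type AccessOp struct {
	UserType, ProcType, Op, RecipientDept string
}

// PermissionPolicy is the permission policy information of the request object.
type PermissionPolicy struct {
	Allowed      []string // operations the user and the process dimensions both allow
	NeedsDecrypt bool     // the target file must be decrypted before the operation
}

func intersect(a, b []string) []string {
	var out []string
	for _, x := range a {
		for _, y := range b {
			if x == y {
				out = append(out, x)
				break
			}
		}
	}
	return out
}

func contains(xs []string, x string) bool {
	return len(intersect(xs, []string{x})) == 1
}

// Derive is the local variant of S502: the permission policy information is the
// part of the file tag policy information that applies to this request. A user
// or process type missing from the policy yields an empty set (deny by default).
func Derive(p *FilePolicy, op AccessOp) PermissionPolicy {
	return PermissionPolicy{
		Allowed:      intersect(p.UserPerms[op.UserType], p.ProcPerms[op.ProcType]),
		NeedsDecrypt: p.Sensitivity == "top_secret",
	}
}

// Enforce is S503: the operation runs only if it is in the derived set and, for a
// send of financial data, only to financial personnel.
func Enforce(p *FilePolicy, op AccessOp) (bool, string) {
	if !contains(Derive(p, op).Allowed, op.Op) {
		return false, fmt.Sprintf("%s denied for user type %s with process type %s", op.Op, op.UserType, op.ProcType)
	}
	if op.Op == "send" && p.BusinessType == "financial" && op.RecipientDept != "finance" {
		return false, "sending financial data to non-financial personnel is restricted"
	}
	return true, "permitted"
}

// SamplePolicy is the page's worked policy: top-secret, U1 everything, U2 read and
// write, U3 print, P1 everything, every other user or process type denied.
func SamplePolicy() *FilePolicy {
	all := []string{"read", "write", "print", "delete", "send"}
	return &FilePolicy{
		Sensitivity:  "top_secret",
		UserPerms:    map[string][]string{"U1": all, "U2": {"read", "write"}, "U3": {"print"}},
		ProcPerms:    map[string][]string{"P1": all},
		BusinessType: "financial",
	}
}

func main() {
	for _, op := range []AccessOp{
		{"U1", "P1", "read", ""}, {"U3", "P1", "read", ""},
		{"U1", "P2", "read", ""}, {"U1", "P1", "send", "sales"},
	} {
		ok, why := Enforce(SamplePolicy(), op)
		fmt.Printf("%+v -> %v: %s\n", op, ok, why)
	}
}
```

  • The intersection is what makes the process dimension bite: a U1 user launching a non-P1 process gets an empty set even though the user dimension alone would allow everything, which is the "non-P1 denied" rule applied without a special case.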
  • the first device interacts with the second device to obtain the permission policy information of the request object sent by the second device.
  • the above S502 specifically includes the following steps:
  • the first device sends a permission request for the target file to the second device, where the permission request includes access operation information, a public key of the request object, and file tag policy information of the target file encrypted by the public key of the target file.
  • after obtaining the file access request for the target file, the first device sends a permission request for the target file to the second device.
  • the second device can determine permission information for the request object to access the target file based on the file tag policy information and access operation information of the target file.
  • the permission request includes the file tag policy information of the target file, the access operation information included in the file access request, and the public key of the request object.
  • the file tag policy information of the target file is encrypted by the public key of the target file.
  • the file tag policy information of the target file is determined in advance based on the data protection needs of the target file.
  • the file tag policy information of the target file is generated by the first device and protected by encryption under the public key of the target file.
  • the first device does not hold the private key corresponding to the public key of the target file, so the file tag policy information cannot be decrypted locally on the first device, and an attacker who compromises the first device cannot use the private key of the target file to decrypt and tamper with the file tag policy information. This improves the security of the file tag policy information and thereby the security of the target file.
  • the public key of the target file can be a key set in advance by the owner of the target file, or generated based on the information of the owner of the target file.
  • the public key of the target file is, for example, the public key of the organization to which the owner of the target file belongs, such as a company or a group, which suits management of and access to files at the organization level.
  • the public key of the request object can be a public key preset by the request object.
  • the embodiment of the present application does not limit the generation method of the public key of the request object.
  • the public key of the request object is generated based on the relevant information of the request object.
  • the second device obtains the permission request for the target file sent by the first device, where the permission request includes the access operation information, the public key of the request object, and the file tag policy information of the target file encrypted by the first public key, that is, the public key of the target file.
  • S5023 The second device decrypts the file tag policy information using the private key of the target file.
  • the private key of the target file is the decryption key of the public key of the target file.
  • the private key of the target file is, for example, a key pre-set by the owner of the target file, or is, for example, a key generated based on the information of the owner of the target file.
  • the private key of the target file is, for example, the private key of the organization or institution to which the owner of the target file belongs. This makes it easy for organizations and institutions to manage files in a unified manner.
  • the second device uses the private key of the target file to decrypt the file tag policy information generated by the first device.
  • the first device does not hold the decryption key, which avoids leakage of the decryption key when the first device is attacked, thereby improving the security of the file tag policy information and in turn the security of the target file.
  • the second device determines the permission policy information of the request object based on the file tag policy information of the target file and the access operation information.
  • the second device obtains the file tag policy information and access operation information of the target file based on the obtained permission request for the target file.
  • the second device can determine the permission policy information related to the access operation information from the file tag policy information of the target file based on the access operation information, and obtain the permission policy information of the request object.
  • the permission policy information of the request object is used to indicate the permission of the request object to operate the target file.
  • the second device encrypts the permission policy information of the request object using the public key of the request object to obtain a first ciphertext.
  • after determining the permission policy information of the request object, the second device uses the public key of the request object to encrypt the permission policy information of the request object to obtain the first ciphertext.
  • the encrypted permission policy information of the request object has a high security level and can prevent the permission policy information from being maliciously obtained during the interaction between the second device and the first device to a certain extent.
  • S5026 The second device sends permission information including the first ciphertext to the first device.
  • S5027 The first device obtains the permission information fed back by the second device.
  • the first device decrypts the first ciphertext using the private key of the request object to obtain the permission policy information of the request object.
  • the embodiment of the present application does not limit the generation method of the public key of the request object and the private key of the request object.
  • the first device uses the private key of the request object to decrypt the first ciphertext included in the permission information to obtain the permission policy information of the request object.
  • the permission policy information of the request object indicates the permission of the request object to operate the target file.
  • in this way, the security of the file tag policy information stored in the first device can be improved.
  • the second device decrypts the file tag policy information and analyzes it to obtain the permission policy information.
  • the first device does not need to decrypt the file tag policy information locally, which removes the risk of an attacker using a decryption key obtained from the first device to maliciously tamper with the file tag policy information, thereby improving the security of the file tag policy information and further improving the security of the target file.
  • S503 The first device performs access control on the request object's access to the target file according to the permission policy information of the request object.
  • the first device can determine the permission of the request object to access the target file based on the permission policy information of the request object.
  • the first device performs access control on the request object to access the target file according to the permission policy information of the request object.
  • as an example, the target file has a confidentiality requirement.
  • the confidentiality requirement of the target file can be configured through the file tag policy information of the target file.
  • the first device determines that the target file has a confidentiality requirement based on the file tag policy information generated for the target file.
  • the first device encrypts the target file using a file encryption key.
  • the embodiment of the present application does not limit the method for generating the file encryption key.
  • the file encryption key is, for example, a randomly generated symmetric key.
  • the file encryption key corresponds one-to-one to the file to be encrypted. This improves the security of each file that needs to be encrypted, and keeps other files secure when the file encryption keys of some files are cracked.
  • the file encryption key is encapsulated in the file tag policy information of the target file, and the file tag policy information of the target file is encrypted using the public key of the target file, so that the file encryption key and the file tag policy information are protected together.
  • when determining the permission policy information of the request object, the second device uses the private key of the target file to decrypt the file tag policy information, obtaining both the file tag policy information and the file encryption key.
  • the second device also uses the public key of the request object to encrypt the file encryption key to obtain a second ciphertext.
  • the second device sends permission information including the first ciphertext and the second ciphertext to the first device. From the second ciphertext in the obtained permission information, the first device can use the private key of the request object to decrypt the second ciphertext to obtain the file encryption key.
  • the target file is decrypted using the file encryption key obtained by decrypting the second ciphertext so that the request object can operate on the target file. In this way, further encryption protection of the target file is achieved, improving the data security of the target file.
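  • The exchange from the permission request through the first and second ciphertexts, as an added example in Go that is not from the patent or from Huawei: the first device seals the file tag policy information, with the file encryption key inside it, to the target file's public key and never holds the matching private key; the second device (S5023 to S5026) decrypts with that private key, decides, and seals both the permission policy information and the file encryption key to the request object's public key; the first device (after S5027) decrypts with the request object's private key. Assumptions: the page says only "encrypted by the public key", so a hybrid AES-256-GCM key wrapped with RSA-OAEP is used here because a policy blob is larger than RSA-OAEP can encrypt directly; the decision step is reduced to a one-line lookup of the user type; and the file encryption key is released only after the S503 check passes, which is an added gate. The JSON layout and the constructed policy values are also assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Policy is the file tag policy information the first device seals (layout assumed
// here); FEK is the file encryption key the page encapsulates inside it.
type Policy struct {
	UserPerms map[string][]string `json:"user_perms"` // user type -> allowed operations
	FEK       []byte              `json:"fek,omitempty"`
}

// sealTo encrypts msg to pub: a fresh AES-256-GCM key, wrapped with RSA-OAEP. The page
// says only "encrypted by the public key"; hybrid is assumed since RSA alone is too small.
func sealTo(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	kn := make([]byte, 32+12) // AES-256 key, then a 96-bit GCM nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn[:32], nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(kn[:32]) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(append(wrapped, kn[32:]...), kn[32:], msg, nil), nil // key || nonce || ct+tag
}

// openWith reverses sealTo; only the holder of priv can, in either direction.
func openWith(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	ks := priv.Size()
	if len(blob) < ks+12+16 { // wrapped key, nonce, at least a GCM tag
		return nil, errors.New("sealed blob too short")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:ks], nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("wrapped key did not unwrap")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, blob[ks:ks+12], blob[ks+12:], nil) // fails on any tampering
}

// SecondDevice is S5023 to S5026: the sole holder of filePriv decrypts the policy,
// decides (here a lookup of the user type; the point is where each key lives), and
// seals the decision (first ciphertext) and the FEK (second) to the requester's key.
func SecondDevice(filePriv *rsa.PrivateKey, reqPub *rsa.PublicKey, sealedPolicy []byte, userType string) (first, second []byte, err error) {
	raw, err := openWith(filePriv, sealedPolicy)
	if err != nil {
		return nil, nil, err
	}
	var pol Policy
	if err = json.Unmarshal(raw, &pol); err != nil {
		return nil, nil, err
	}
	perms, _ := json.Marshal(pol.UserPerms[userType]) // unknown type -> null -> denied
	if first, err = sealTo(reqPub, perms); err != nil || len(pol.FEK) == 0 {
		return first, nil, err
	}
	second, err = sealTo(reqPub, pol.FEK)
	return first, second, err
}

// Exchange is the first device's side (permission request, decryption after S5027,
// S503) with the second device called in line; fresh RSA-2048 keys stand in for the
// owner's and the requester's. Releasing the FEK only when op is allowed is an added gate.
func Exchange(pol *Policy, userType, op string) (allowed []string, fek []byte, err error) {
	filePriv, err := rsa.GenerateKey(rand.Reader, 2048) // stays with the second device
	reqPriv, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	raw, _ := json.Marshal(pol)
	sealed, err := sealTo(&filePriv.PublicKey, raw) // opaque to the first device from here on
	if err != nil {
		return nil, nil, err
	}
	first, second, err := SecondDevice(filePriv, &reqPriv.PublicKey, sealed, userType)
	if err != nil {
		return nil, nil, err
	}
	permJSON, err := openWith(reqPriv, first) // request object's private key
	if err == nil {
		err = json.Unmarshal(permJSON, &allowed)
	}
	for _, a := range allowed {
		if a == op && second != nil { // S503 gate before the FEK is recovered
			fek, err = openWith(reqPriv, second)
		}
	}
	return allowed, fek, err
}
```

  • Note what the scheme does and does not give. The first device holds the request object's private key, so a compromised host can still read whatever the second device returns for that requester; what the host cannot do is decrypt or rewrite the sealed policy information itself, which is the property the page claims. Every blob carries a GCM tag, so a modified request or reply fails in openWith rather than yielding a garbled policy, and a request object whose user type is absent from the policy receives a null permission set, not an error.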
  • the above is a method for implementing target file access using the file tag policy information of the target file.
  • the following provides a possible specific implementation method for generating the file tag policy information of the target file.
  • FIG. 7 is a schematic diagram of a process for generating file tag policy information of a target file provided by an embodiment of the present application.
  • the method includes S701-S703:
  • S701 The first device obtains a file tag of a target file.
  • the file tag of the target file is a tag set for the target file.
  • the file tag includes one or more security dimension tags. It should be noted that the file tag of the target file is determined based on a tag template.
  • the tag template is a template of a pre-set configuration file tag. As an example, the tag template includes multiple selectable file tags. The file tag of the target file is selected from the tag template.
  • the embodiments of the present application do not limit the manner of generating a file tag for a target file.
  • the generation of a file tag for a target file is triggered by the manager of the target file.
  • the manager of the target file is a user with authority to manage the target file.
  • the manager of the target file is, for example, the owner of the target file.
  • the user can generate a file tag by selection or input.
  • the first device automatically generates a file tag based on the file attributes of the target file.
  • File attributes include, for example, file type, file generation time, and file priority.
  • a file tag for a target file is automatically generated based on a pre-set tag generation rule and the file attributes of the target file.
  • the tag generation rule includes, for example, a correspondence between file attributes and file tags.
  • the tag template includes tags of four security dimensions, namely sensitivity tags, user tags, access process tags, and outbound permission tags.
  • sensitivity tags include, for example, top secret, confidential, internal, public, and personal.
  • user tags include, for example, the U1 type.
  • access process tags include the P1 type.
  • outbound permission tags include financial data and sales data.
  • the file tag is determined from the tags included in the tag template, or the file tag is automatically generated based on the tags included in the tag template. For example, as shown in FIG8, a top secret tag, a U1 type tag, a P1 type tag, and a financial data tag are selected from the tag template.
  • S703 The first device generates file tag policy information of the target file based on the file tag and the tag policy template.
  • the tag policy template is a policy template pre-configured by the tag policy management user.
  • the present application embodiment does not limit the specific content of the tag policy template.
  • the tag policy template includes policies corresponding to tags of four security dimensions: sensitivity, user, access process, and outbound permissions.
  • the tag policy template corresponds to the tag template.
  • the tag policy template includes tag policy information corresponding to each tag included in the tag template.
  • the first device obtains the tag policy information of each file tag of the target file from the tag policy template, integrates the tag policy information of these file tags, and obtains the file tag policy information of the target file.
  • the file tag of the target file is matched against the tag template included in the tag policy template, and the file tag policy information of the tag template entry consistent with the file tag of the target file is used as the file tag policy information corresponding to the file tag of the target file.
  • for the file tag selected above, the first device determines the file tag policy information corresponding to the file tag of the target file from the tag policy template, that is, the file tag policy information of the target file, including: 1. sensitivity policy information: top secret, file encryption; 2. access user policy information: U1 type users have all permissions, and other types of users are denied access; 3. access process policy information: P1 type processes have all permissions, and other processes are denied access; 4. outbound permission policy information: outbound sending to non-financial personnel is restricted.
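  • Steps S701 and S703 together, as an added example in Go that is not the patent's or Huawei's code: a tag generation rule maps file attributes to a file tag, each tag is checked against the tag template, and the matching entries of the tag policy template are integrated into the file tag policy information. The map layouts, the attribute fields, the thresholds in the rule, and the policy strings for tags other than those shown above are assumptions; the four dimensions and the tag names are the page's. The sales data tag is deliberately left without a policy entry to show the mismatch a validating generator must reject instead of emitting a partial policy.

```go
package main

import "fmt"

// TagTemplate is the pre-set tag template: the selectable tags of each security
// dimension. TagPolicyTemplate holds the policy text for each of those tags. Both
// layouts are assumed for this example.
type TagTemplate map[string][]string
type TagPolicyTemplate map[string]map[string]string

// FileAttrs are the file attributes the page names as inputs to automatic tagging;
// the fields and the thresholds in AutoTag are assumptions.
type FileAttrs struct {
	Type, Owner string
	Priority    int
}

// FileTagPolicy is the file tag policy information of the target file.
type FileTagPolicy struct {
	Tags     map[string]string // dimension -> the file tag chosen in that dimension
	Policies map[string]string // dimension -> policy taken from the tag policy template
}

// AutoTag is an assumed tag generation rule: a correspondence between file
// attributes and tags. It only proposes tags; GeneratePolicy checks them against
// the tag template, so a rule that drifts from the template is caught there.
func AutoTag(a FileAttrs) map[string]string {
	tags := map[string]string{"user": "U1", "process": "P1"}
	switch {
	case a.Priority >= 3:
		tags["sensitivity"] = "top_secret"
	case a.Priority == 2:
		tags["sensitivity"] = "confidential"
	default:
		tags["sensitivity"] = "internal"
	}
	switch a.Owner {
	case "finance":
		tags["outbound"] = "financial_data"
	case "sales":
		tags["outbound"] = "sales_data"
	}
	return tags
}

// GeneratePolicy is S703: each file tag is validated against the tag template and
// then replaced by its entry in the tag policy template; the entries together are
// the file tag policy information. A tag outside the template, or a template tag
// with no policy, is an error rather than a silently empty policy.
func GeneratePolicy(tags map[string]string, tt TagTemplate, tpt TagPolicyTemplate) (*FileTagPolicy, error) {
	out := &FileTagPolicy{Tags: tags, Policies: map[string]string{}}
	for dim, tag := range tags {
		if !selectable(tt[dim], tag) {
			return nil, fmt.Errorf("tag %q is not selectable in dimension %q", tag, dim)
		}
		pol, ok := tpt[dim][tag]
		if !ok {
			return nil, fmt.Errorf("tag policy template has no policy for %s=%s", dim, tag)
		}
		out.Policies[dim] = pol
	}
	return out, nil
}

func selectable(options []string, tag string) bool {
	for _, o := range options {
		if o == tag {
			return true
		}
	}
	return false
}

// SampleTemplates are the page's four dimensions and tags, with the policy text of
// its worked example; sales_data is deliberately given no policy entry.
func SampleTemplates() (TagTemplate, TagPolicyTemplate) {
	tt := TagTemplate{
		"sensitivity": {"top_secret", "confidential", "internal", "public", "personal"},
		"user":        {"U1", "U2", "U3"},
		"process":     {"P1"},
		"outbound":    {"financial_data", "sales_data"},
	}
	tpt := TagPolicyTemplate{
		"sensitivity": {"top_secret": "encrypt the file", "confidential": "encrypt the file", "internal": "no encryption required"},
		"user":        {"U1": "U1 users have all permissions; other users are denied", "U2": "U2 users may read and write", "U3": "U3 users may print"},
		"process":     {"P1": "P1 processes have all permissions; other processes are denied"},
		"outbound":    {"financial_data": "do not send to non-financial personnel"},
	}
	return tt, tpt
}

func main() {
	tt, tpt := SampleTemplates()
	for _, a := range []FileAttrs{{"xlsx", "finance", 3}, {"docx", "sales", 1}} {
		p, err := GeneratePolicy(AutoTag(a), tt, tpt)
		fmt.Printf("%+v -> %+v, err=%v\n", a, p, err)
	}
}
```

  • The resulting Policies map for the finance file is the four-item list given above; it is the object that the S502 flow later seals under the target file's public key, so a generator that emits a partial policy would be sealing, and the second device would be enforcing, something weaker than the owner configured.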
  • the first device can encapsulate the file content of the target file, the file label of the target file, and the file label policy information of the target file into a protected file.
  • the embodiment of the present application does not limit the implementation method of encapsulating files.
  • the file content of the target file, the file label of the target file, and the file label policy information of the target file are encapsulated into one file.
  • the file content of the target file, the file label of the target file, and the file label policy information of the target file are respectively encapsulated into three interrelated files.
  • the file label policy information of the target file can be encrypted by the first public key.
  • the file label and file label policy information that meet the data security requirements of the target file can be configured more flexibly, achieving fine-grained security protection for the file and meeting the security requirements of different files and of different object types accessing files.
  • the file label policy information can be configured using file labels and label policy templates to improve the efficiency of configuring the file label policy information.
  • the embodiment of the present application does not limit the source of the label policy template.
  • the tag policy template is pre-configured in the first device.
  • the label policy template is obtained by the first device from the second device.
  • the method may further include S7021 to S7023.
  • S7021 The first device sends a label policy template acquisition request to the second device.
  • the tag policy template acquisition request is used to obtain the tag policy template.
  • the tag policy template is a policy template pre-configured by the tag policy management user.
  • the embodiment of the present application does not limit the specific content included in the tag policy template.
  • the tag policy template includes policies corresponding to tags of four security dimensions: sensitivity, access user, access process, and outbound permissions.
  • S7022 In response to obtaining the label policy template acquisition request sent by the first device, the second device sends the label policy template to the first device.
  • the second device stores the tag policy template.
  • S7023 The first device obtains the label policy template sent by the second device.
  • the file tag policy information can also be customized and adjusted.
  • FIG. 9 is a schematic diagram of another process for generating file tag policy information of a target file provided by an embodiment of the present application.
  • the method is applied to a first device and a second device, and in addition to the above S701-S703, further includes S704 and S705.
  • S704 The first device obtains custom tag policy information for the target file.
  • the first device displays an editing control for editing file label policy information.
  • the user can input custom label policy information for the target file through the editing control.
  • Custom label policy information includes, for example, added additional label policy information.
  • the additional label policy information includes newly added access user policy information: U2 type users have read permission and write permission, U3 type users have read permission, write permission and print permission, P2 type processes have read-only permission, and P3 type processes have read permission and write permission.
  • Custom label policy information includes, for example, revised label policy information.
  • the revised label policy information includes the label policy information that needs to be modified for the file label policy information of the target file, as well as the modified label policy information.
  • S705 The first device updates the file label policy information of the target file using the custom label policy information.
  • the target file can be flexibly adjusted based on the rapid configuration of the file label policy information of the target file, so that the generated file label policy information of the target file is more in line with the data security requirements of the target file.
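As an added example (not code from the patent or from the applicant), the following Go program models S703 to S705: a label policy template keyed by tag value, generation of the file tag policy information from the file tag, and the custom additions and revisions of S704, using the four security dimensions, the user types U1 to U3 and the process types P1 to P3 named in the text. The struct names, the rule that an operation must be permitted to both the user type and the accessing process type, and the fail-closed handling of a tag with no template entry are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// FileTag carries the labels of the four security dimensions of one file (S701).
type FileTag struct {
	Sensitivity, UserType, ProcessType, Outbound string
}

// Policy is the file tag policy information of one target file (S703).
type Policy struct {
	Encrypt   bool                // sensitivity policy: file content must be encrypted
	Users     map[string][]string // access user policy: user type -> permitted operations
	Processes map[string][]string // access process policy: process type -> permitted operations
	Outbound  string              // outbound permission policy (descriptive)
}

// Template is the label policy template: one policy fragment per tag value.
type Template struct {
	Sensitivity map[string]bool
	Users       map[string]map[string][]string
	Processes   map[string]map[string][]string
	Outbound    map[string]string
}

// copyOps deep-copies a fragment so later updates never write into the template.
func copyOps(m map[string][]string) map[string][]string {
	out := make(map[string][]string, len(m))
	for k, v := range m {
		out[k] = append([]string(nil), v...)
	}
	return out
}

// Generate implements S703. Every dimension of the tag must match a template
// entry; a miss is an error, so a file never silently gets an empty policy.
func Generate(tag FileTag, tpl Template) (Policy, error) {
	enc, ok1 := tpl.Sensitivity[tag.Sensitivity]
	users, ok2 := tpl.Users[tag.UserType]
	procs, ok3 := tpl.Processes[tag.ProcessType]
	outb, ok4 := tpl.Outbound[tag.Outbound]
	if !(ok1 && ok2 && ok3 && ok4) {
		return Policy{}, fmt.Errorf("tag %+v has no matching entry in the template", tag)
	}
	return Policy{Encrypt: enc, Users: copyOps(users), Processes: copyOps(procs), Outbound: outb}, nil
}

// Custom is custom label policy information (S704): entries to add and entries to revise.
type Custom struct {
	AddUsers, AddProcesses       map[string][]string
	ReviseUsers, ReviseProcesses map[string][]string
}

// apply merges entries into dst. An addition must not collide with an existing entry
// and a revision must target one, so a mistyped type name cannot quietly widen access.
func apply(dst, entries map[string][]string, revise bool) error {
	for typ, ops := range entries {
		if _, exists := dst[typ]; exists != revise {
			return fmt.Errorf("entry %q: exists=%v, revise=%v", typ, exists, revise)
		}
		dst[typ] = append([]string(nil), ops...)
	}
	return nil
}

// Update implements S705: additions first, then revisions.
func (p *Policy) Update(c Custom) error {
	if err := apply(p.Users, c.AddUsers, false); err != nil {
		return err
	}
	if err := apply(p.Processes, c.AddProcesses, false); err != nil {
		return err
	}
	if err := apply(p.Users, c.ReviseUsers, true); err != nil {
		return err
	}
	return apply(p.Processes, c.ReviseProcesses, true)
}

// Permissions derives the permission policy information of one request object: the
// operations permitted to both its user type and the accessing process type (this
// example assumes both must agree). Default deny: an unknown type has no entry.
func (p Policy) Permissions(userType, processType string) []string {
	byProc := map[string]bool{}
	for _, op := range p.Processes[processType] {
		byProc[op] = true
	}
	var out []string
	for _, op := range p.Users[userType] {
		if byProc[op] {
			out = append(out, op)
		}
	}
	sort.Strings(out)
	return out
}
```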
  • the first device is a storage device.
  • the storage device is connected to a third device.
  • the third device is, for example, a production host.
  • the production host is a host connected to the storage device and capable of accessing data stored in the storage device.
  • the storage device and the production host interact through a security protocol.
  • the embodiments of the present application do not limit the type of security protocol.
  • the security protocol is a Network Attached Storage (NAS) protocol, or an Object Storage Service (OBS) protocol.
  • the request object uses a third device connected to the first device to access the file.
  • the request object triggers a file access request for the target file on the third device.
  • the third device encapsulates the file access request using a security protocol.
  • the third device sends the encapsulated file access request to the first device.
  • the first device unpacks the obtained file access request using the security protocol.
  • when performing access control on the request object's access to the target file according to the permission policy information of the request object, the first device generates feedback file information according to the permission policy information of the request object and the access operation information of the request object.
  • the third device obtains the feedback file information and decapsulates the feedback file information using the security protocol.
  • by using the security protocol to encapsulate and decapsulate the information exchanged between the first device and the third device, the security of the interaction between the first device and the third device can be improved, and the security requirements for accessing files can be met.
  • the file tag of the target file can be generated by the user of the third device or automatically triggered by the third device.
  • the third device uses the security protocol to encapsulate the file tag of the target file and sends the encapsulated file tag of the target file to the first device.
  • the first device obtains the file tag of the target file encapsulated by the security protocol.
  • the first device decapsulates the file tag of the encapsulated target file using the security protocol to obtain the file tag of the target file.
  • the present application also provides a file access device 1000, which is applied to a first device, as shown in FIG. 10, and includes:
  • an acquisition module configured to acquire a file access request for a target file triggered by a request object, wherein the file access request includes access operation information, and the access operation information is used to describe the access operation that the request object needs to perform on the target file;
  • the request object is a system user of an operating system program of the first device, or an application user of an application program;
  • a processing module is used to obtain the permission policy information of the request object, the permission policy information is determined based on the file label policy information of the target file and the file access request; the file label policy information corresponds to the file label of the target file, the file label policy information is used to describe the control policy for the access operation on the target file, and the permission policy information is used to indicate the permission of the request object to operate the target file; the file label includes one or more security dimension labels, and the file label is set by the administrator of the target file or generated based on the file attributes of the target file;
  • a control module is used to perform access control on the request object's access to the target file according to the permission policy information.
  • the processing module is specifically configured to generate permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.
  • the processing module is specifically used to send a permission request for the target file to a second device, the permission request including file label policy information of the target file, the access operation information and the public key of the request object, the file label policy information of the target file being encrypted by the public key of the target file; obtaining permission information fed back by the second device, the permission information including a first ciphertext, the first ciphertext including a ciphertext obtained by encrypting the permission policy information of the request object using the public key of the request object, the permission policy information of the request object being processed by the second device using the private key of the target file, the file label policy information of the target file and the access operation information; decrypting the first ciphertext using the private key of the request object to obtain the permission policy information of the request object.
  • the target file is encrypted using a file encryption key
  • the file encryption key is encapsulated in the file tag policy information of the target file.
  • the permission information also includes a second ciphertext encrypted by using the public key of the request object.
  • the processing module is also used to decrypt the target file using the file encryption key if it is determined that the request object has access rights based on the permission policy information.
  • the file encryption key is obtained by decrypting the second ciphertext using the private key of the request object.
  • the acquisition module is further used to acquire a file tag of the target file
  • a generating module is used to generate file tag policy information of the target file based on the file tag and the tag policy template.
  • the tag policy template is obtained from the second device.
  • the acquisition module is further used to acquire custom tag policy information for the target file
  • the generating module is further used to update the file label policy information of the target file by using the custom label policy information.
  • the first device is a host.
  • the apparatus is applied to an application layer of the first device.
  • the apparatus is applied to a system layer of the first device.
  • the application is a preset security application.
  • the first device is a storage device
  • the acquisition module is specifically used to obtain a file access request for a target file sent by a third device and triggered by a request object, and the file access request is encapsulated by the third device using a security protocol; and the file access request is unpacked using the security protocol.
  • the control module is specifically configured to generate feedback file information according to the permission policy information of the request object and the access operation information of the request object, and send the feedback file information encapsulated by the security protocol to the third device.
  • the acquisition module, the processing module and the control module can all be implemented by software, or can be implemented by hardware.
  • the implementation of the acquisition module is introduced below by taking the acquisition module as an example.
  • the implementation of the processing module and the control module can refer to the implementation of the acquisition module.
  • the acquisition module may include code running on a computing instance.
  • the computing instance may include at least one of a physical host (computing device), a virtual machine, and a container. Furthermore, the computing instance may be one or more.
  • the acquisition module may include code running on multiple hosts/virtual machines/containers. It should be noted that the multiple hosts/virtual machines/containers used to run the code may be distributed in the same region or in different regions. Furthermore, the multiple hosts/virtual machines/containers used to run the code may be distributed in the same availability zone (AZ) or in different AZs, each AZ including one data center or multiple data centers with similar geographical locations. Generally, a region may include multiple AZs.
  • multiple hosts/virtual machines/containers used to run the code can be distributed in the same virtual private cloud (VPC) or in multiple VPCs.
  • a VPC is set up in a region.
  • a communication gateway needs to be set up in each VPC to achieve interconnection between VPCs through the communication gateway.
  • the acquisition module may include at least one computing device, such as a server, etc.
  • the acquisition module may also be a device implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD).
  • the PLD may be a complex programmable logical device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
  • the multiple computing devices included in the acquisition module can be distributed in the same region or in different regions.
  • the multiple computing devices included in the acquisition module can be distributed in the same AZ or in different AZs.
  • the multiple computing devices included in the acquisition module can be distributed in the same VPC or in multiple VPCs.
  • the multiple computing devices can be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs, and GALs.
  • the acquisition module can be used to execute any step in the file access method
  • the processing module can be used to execute any step in the file access method
  • the control module can be used to execute any step in the file access method.
  • the steps that the acquisition module, the processing module, and the control module are responsible for implementing can be specified as needed.
  • the full functions of the file access device are realized by respectively implementing different steps in the file access method through the acquisition module, the processing module, and the control module.
  • the present application also provides a device 1100 for determining file access rights, which is applied to a second device. As shown in FIG. 11, the device includes:
  • an acquisition module configured to acquire a permission request for the target file sent by the first device, the permission request including file label policy information of the target file, access operation information, and a public key of a request object, the file label policy information being encrypted by the public key of the target file, the file label policy information corresponding to a file label of the target file, the file label policy information being used to describe a control policy for access operations on the target file, the file label including labels of one or more security dimensions, the file label being set by an administrator of the target file or generated based on a file attribute of the target file, and the request object being a system user of an operating system program of the first device, or an application user of an application program;
  • a decryption module used to decrypt the file tag policy information using the private key of the target file;
  • an encryption module used to encrypt the permission policy information of the request object using the public key of the request object to obtain a first ciphertext;
  • a sending module is used to send permission information to the first device, where the permission information includes the first ciphertext.
  • the target file is encrypted using a file encryption key
  • the file encryption key is encapsulated in the file tag policy information of the target file.
  • the encryption module is also used to encrypt the file encryption key using the public key of the request object to obtain a second ciphertext, and the permission information also includes the second ciphertext.
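The permission request and permission information exchange described for the first device above (the processing module sending a permission request and decrypting the first ciphertext) and for the second device here, as an added Go example that is not the patent's or the applicant's code: the file tag policy information, with the file encryption key encapsulated inside it, is sealed to the target file's public key; the second device, as sole holder of that private key, decides and returns the first and second ciphertexts under the request object's public key; the first device recovers the key only on an allowed decision. RSA-OAEP with SHA-256, the JSON layout, the struct names and the choice to withhold the second ciphertext on a deny are assumptions of this example; decrypting the file content itself with the recovered key is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// PolicyInfo is the file tag policy information: access user policy plus the encapsulated file encryption key (FEK).
type PolicyInfo struct {
	Users map[string][]string `json:"users"` // user type -> permitted operations
	FEK   []byte              `json:"fek"`   // key that encrypts the file content
}

// PermissionRequest is the first device's message to the second device.
type PermissionRequest struct {
	EncPolicy []byte         // PolicyInfo encrypted with the target file's public key
	UserType  string         // access operation information: the requester's user type ...
	Op        string         // ... and the operation it wants to perform
	ReqPub    *rsa.PublicKey // public key of the request object
}

// PermissionInfo is the second device's reply.
type PermissionInfo struct {
	First  []byte // first ciphertext: PermissionPolicy under the request object's public key
	Second []byte // second ciphertext: FEK under the request object's public key; nil when denied
}

// PermissionPolicy is the permission policy information of one request object.
type PermissionPolicy struct {
	UserType string `json:"user"`
	Op       string `json:"op"`
	Allowed  bool   `json:"allowed"`
}

// RSA-OAEP with SHA-256 stands in for the page's unspecified public-key scheme (assumption).
func seal(pub *rsa.PublicKey, m []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
}

func open(priv *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c, nil)
}

// SealPolicy is the first device's encapsulation step: the policy, FEK included,
// is readable only by the holder of the target file's private key.
func SealPolicy(pol PolicyInfo, filePub *rsa.PublicKey) ([]byte, error) {
	plain, err := json.Marshal(pol)
	if err != nil {
		return nil, err
	}
	return seal(filePub, plain)
}

// Determine runs on the second device, the only holder of the file's private key. It answers
// under the requester's public key and releases the FEK (second ciphertext) only when permitted.
func Determine(req PermissionRequest, filePriv *rsa.PrivateKey) (info PermissionInfo, err error) {
	plain, err := open(filePriv, req.EncPolicy)
	if err != nil {
		return info, err
	}
	var pol PolicyInfo
	if err = json.Unmarshal(plain, &pol); err != nil {
		return info, err
	}
	perm := PermissionPolicy{UserType: req.UserType, Op: req.Op}
	for _, op := range pol.Users[req.UserType] { // default deny: unknown type has no entry
		if op == req.Op {
			perm.Allowed = true
		}
	}
	pj, _ := json.Marshal(perm)
	if info.First, err = seal(req.ReqPub, pj); err != nil {
		return info, err
	}
	if perm.Allowed {
		info.Second, err = seal(req.ReqPub, pol.FEK)
	}
	return info, err
}

// RecoverKey runs on the first device: it decrypts the first ciphertext with the request object's
// private key and, only on an allowed decision, the second ciphertext, which yields the FEK.
func RecoverKey(info PermissionInfo, reqPriv *rsa.PrivateKey) ([]byte, error) {
	pj, err := open(reqPriv, info.First)
	if err != nil {
		return nil, err
	}
	var perm PermissionPolicy
	if err := json.Unmarshal(pj, &perm); err != nil {
		return nil, err
	}
	if !perm.Allowed {
		return nil, errors.New("access denied by permission policy information")
	}
	return open(reqPriv, info.Second)
}
```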
  • the sending module is further configured to send the label policy template to the first device in response to obtaining a label policy template acquisition request sent by the first device.
  • the second device is a server or a management device.
  • the acquisition module, decryption module, determination module, encryption module and sending module can be implemented by software, or can be implemented by hardware.
  • the implementation of the acquisition module is introduced below by taking the acquisition module as an example.
  • the implementation of the decryption module, determination module, encryption module and sending module can refer to the implementation of the acquisition module.
  • the acquisition module may include code running on a computing instance.
  • the computing instance may include at least one of a physical host (computing device), a virtual machine, and a container. Furthermore, the computing instance may be one or more.
  • the acquisition module may include code running on multiple hosts/virtual machines/containers. It should be noted that the multiple hosts/virtual machines/containers used to run the code may be distributed in the same region or in different regions. Furthermore, the multiple hosts/virtual machines/containers used to run the code may be distributed in the same availability zone (AZ) or in different AZs, each AZ including one data center or multiple data centers with similar geographical locations. Generally, a region may include multiple AZs.
  • multiple hosts/virtual machines/containers used to run the code can be distributed in the same virtual private cloud (VPC) or in multiple VPCs.
  • a VPC is set up in a region.
  • a communication gateway needs to be set up in each VPC to achieve interconnection between VPCs through the communication gateway.
  • the acquisition module may include at least one computing device, such as a server, etc.
  • the acquisition module may also be a device implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD).
  • the PLD may be a complex programmable logical device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL) or any combination thereof.
  • the multiple computing devices included in the acquisition module can be distributed in the same region or in different regions.
  • the multiple computing devices included in the acquisition module can be distributed in the same AZ or in different AZs.
  • the multiple computing devices included in the acquisition module can be distributed in the same VPC or in multiple VPCs.
  • the multiple computing devices can be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs, and GALs.
  • the acquisition module can be used to execute any step in the method for determining file access permissions
  • the decryption module can be used to execute any step in the method for determining file access permissions
  • the determination module can be used to execute any step in the method for determining file access permissions
  • the encryption module can be used to execute any step in the method for determining file access permissions
  • the sending module can be used to execute any step in the method for determining file access permissions.
  • the steps that the acquisition module, decryption module, determination module, encryption module and sending module are responsible for implementing can be specified as needed.
  • the full functions of the file access permission determination device are realized by respectively implementing different steps in the method for determining file access permissions through the acquisition module, decryption module, determination module, encryption module and sending module.
  • the present application also provides a computing device 1200.
  • the computing device 1200 includes: a bus 1202, a processor 1204, a memory 1206, and a communication interface 1208.
  • the processor 1204, the memory 1206, and the communication interface 1208 communicate with each other through the bus 1202.
  • the computing device 1200 may be a server or a terminal device. It should be understood that the present application does not limit the number of processors and memories in the computing device 1200.
  • the bus 1202 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
  • the bus may be divided into an address bus, a data bus, a control bus, etc.
  • FIG. 12 is represented by only one line, but does not mean that there is only one bus or one type of bus.
  • the bus 1202 may include a path for transmitting information between various components of the computing device 1200 (e.g., the memory 1206, the processor 1204, and the communication interface 1208).
  • Processor 1204 may include any one or more processors such as a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP) or a digital signal processor (DSP).
  • the memory 1206 may include a volatile memory, such as a random access memory (RAM).
  • the processor 1204 may also include a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD), or a solid state drive (SSD).
  • the memory 1206 stores executable program codes, and the processor 1204 executes the executable program codes to respectively implement the functions of the aforementioned acquisition module, processing module and control module, thereby implementing the file access method. That is, the memory 1206 stores instructions for executing the file access method.
  • the memory 1206 stores executable codes, and the processor 1204 executes the executable codes to respectively implement the functions of the aforementioned acquisition module, decryption module, determination module, encryption module, and sending module, thereby implementing the file access permission determination method. That is, the memory 1206 stores instructions for executing the file access permission determination method.
  • the communication interface 1208 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to implement communication between the computing device 1200 and other devices or communication networks.
  • the embodiment of the present application also provides a computing device cluster.
  • the computing device cluster includes at least one computing device.
  • the computing device can be a server, such as a central server, an edge server, or a local server in a local data center.
  • the computing device can also be a terminal device such as a desktop computer, a laptop computer, or a smart phone.
  • the computing device cluster includes at least one computing device 1200.
  • the memory 1206 in one or more computing devices 1200 in the computing device cluster may store the same instructions for executing the file access method.
  • the memory 1206 of one or more computing devices 1200 in the computing device cluster may also store partial instructions for executing the file access method.
  • the combination of one or more computing devices 1200 may jointly execute instructions for executing the file access method.
  • the memory 1206 in different computing devices 1200 in the computing device cluster can store different instructions, which are respectively used to execute part of the functions of the file access device. That is, the instructions stored in the memory 1206 in different computing devices 1200 can implement the functions of one or more modules among the acquisition module, the processing module and the control module.
  • one or more computing devices in the computing device cluster can be connected via a network.
  • the network can be a wide area network or a local area network, etc.
  • FIG. 14 shows a possible implementation. As shown in FIG. 14 , two computing devices 1200A and 1200B are connected via a network. Specifically, the network is connected via a communication interface in each computing device.
  • the memory 1206 in the computing device 1200A stores instructions for executing the functions of the acquisition module. At the same time, the memory 1206 in the computing device 1200B stores instructions for executing the functions of the processing module and the control module.
  • the connection mode between the computing devices shown in Figure 14 reflects the consideration that the file access method provided in this application needs to process a large amount of data, so the functions implemented by the processing module and the control module are executed by the computing device 1200B.
  • the functionality of the computing device 1200A shown in FIG. 14 may also be accomplished by multiple computing devices 1200.
  • the functionality of the computing device 1200B may also be accomplished by multiple computing devices 1200.
  • the embodiment of the present application also provides another computing device cluster.
  • the connection relationship between the computing devices in the computing device cluster can be similar to the connection mode of the computing device cluster described in Figures 13 and 14.
  • the difference is that the memory 1206 in one or more computing devices 1200 in the computing device cluster can store the same instructions for executing the file access permission determination method.
  • the memory 1206 of one or more computing devices 1200 in the computing device cluster may also store some instructions for executing the method for determining file access permissions.
  • the combination of one or more computing devices 1200 may jointly execute instructions for executing the method for determining file access permissions.
  • the memory 1206 in different computing devices 1200 in the computing device cluster may store different instructions for executing part of the functions of determining the file access rights. That is, the instructions stored in the memory 1206 in different computing devices 1200 may implement the functions of one or more of the acquisition module, the decryption module, the determination module, the encryption module, and the sending module.
  • the embodiment of the present application also provides a computer program product including instructions.
  • the computer program product may be software or a program product including instructions that can be run on a computing device or stored in any available medium.
  • the at least one computing device executes a file access method or a file access permission determination method.
  • the embodiment of the present application also provides a computer-readable storage medium.
  • the computer-readable storage medium can be any available medium that can be stored by a computing device or a data storage device such as a data center that contains one or more available media.
  • the available medium can be a magnetic medium (e.g., a floppy disk, a hard disk, a tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid-state hard disk).
  • the computer-readable storage medium includes instructions that instruct the computing device to execute a file access method, or instruct the computing device to execute a file access permission determination method.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

Provided in the embodiments of the present application are a file access method and apparatus, and a related device, which are applied in the technical field of data security. In the method, a first device acquires a file access request which is triggered by a request object for a target file, acquires permission policy information of the request object, and executes access control on the access of the request object to the target file according to the permission policy information of the request object. The permission policy information of the request object is determined on the basis of file label policy information of the target file and the file access request of the request object. In this way, a policy corresponding to a file label, i.e., file label policy information, can be used, so as to realize fine-grained data protection with a file as the granularity. Further provided in the present application are a file access permission determination method and apparatus, and a related device, which are applied to a second device. The second device decrypts the file label policy information, and determines the permission policy information, such that the degree of security of the file label policy information can be improved, thereby improving the degree of security of the target file.

Description

文件访问方法、文件访问权限确定方法、装置及相关设备File access method, file access permission determination method, device and related equipment

本申请要求于2023年11月16日提交国家知识产权局、申请号为202311534765.9、发明名称为“文件访问方法、文件访问权限确定方法、装置及相关设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to the Chinese patent application filed with the State Intellectual Property Office on November 16, 2023, with application number 202311534765.9 and invention name “File access method, file access permission determination method, device and related equipment”, the entire contents of which are incorporated by reference in this application.

技术领域Technical Field

本申请涉及数据安全技术领域,特别是涉及文件访问方法、文件访问权限确定方法、装置及相关设备。The present application relates to the field of data security technology, and in particular to a file access method, a file access permission determination method, a device, and related equipment.

背景技术Background Art

在数据的使用过程中经常出现泄露、篡改以及勒索等恶意的攻击,存在安全隐患。需要采用一定的安全防护方法保护数据,避免数据遭到攻击。In the process of using data, malicious attacks such as leakage, tampering and extortion often occur, which poses a security risk. It is necessary to adopt certain security protection methods to protect data and prevent data from being attacked.

目前,通常是采用检测攻击的方式,及时发现并处理攻击,提高数据的安全程度。但是,攻击的种类较多,通过检测的方式难以发现各类攻击,防御攻击的效果难以满足数据安全的需要。At present, the attack detection method is usually adopted to timely discover and deal with attacks to improve the security of data. However, there are many types of attacks, and it is difficult to discover various attacks through detection methods, and the effect of defending against attacks cannot meet the needs of data security.

Summary of the Invention

The present application provides a file access method and a file access permission determination method, which aim to protect file data at file granularity when users access files. The present application further provides corresponding apparatuses, computing devices, computer-readable storage media and computer program products.

In a first aspect, the present application provides a file access method. The method is applied to a first device. The first device obtains a file access request for a target file triggered by a request object. The file access request includes access operation information, which describes the access operation that the request object needs to perform on the target file. The request object is a user requesting access to the target file; it is a system user of the operating system program of the first device, or an application user of an application program. The first device obtains permission policy information of the request object. The permission policy information is determined based on the file tag policy information of the target file and the file access request, and indicates the permission the request object has to operate on the target file. The file tag policy information corresponds to the file tag of the target file and describes the control policy for access operations on the target file. The file tag includes tags of one or more security dimensions, and is set by the manager of the target file or generated based on the file attributes of the target file. The first device performs access control on the request object's access to the target file according to the permission policy information. Based on the file tag, data protection at file granularity can be achieved and the security of file access improved. File-centric data security protection can, to a certain extent, reduce security problems such as file tampering and leakage, and improve the protection of file integrity and confidentiality.

In a possible implementation, the first device generates the permission policy information of the request object: the first device generates the permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.

In a possible implementation, the second device generates the permission policy information of the request object. The first device sends a permission request for the target file to the second device. The permission request includes the file tag policy information of the target file, the access operation information and the public key of the request object; the file tag policy information of the target file is encrypted with the public key of the target file. The first device obtains the permission information fed back by the second device. The permission information includes a first ciphertext, which is obtained by encrypting the permission policy information of the request object with the public key of the request object. The permission policy information of the request object is obtained by the second device by processing the file tag policy information of the target file and the access operation information with the private key of the target file. The first device decrypts the first ciphertext with the private key of the request object to obtain the permission policy information of the request object. Because the second device decrypts the file tag policy information of the target file with the private key of the target file and determines the permission policy information, the first device does not need to hold the private key of the target file. This reduces the security problem of the file tag policy information being tampered with after a private key of the target file held by the first device is leaked, improves the security of the file tag policy information, and in turn improves the security of the target file. Moreover, the file tag policy information and permission policy information exchanged between the first device and the second device are both encrypted, which reduces the risk of information leakage during the interaction between the first device and the second device.

In a possible implementation, the target file is encrypted with a file encryption key. The file encryption key is encapsulated in the file tag policy information of the target file. The permission information obtained by the first device further includes a second ciphertext, obtained by encrypting the file encryption key with the public key of the request object. Before performing access control on the request object's access to the target file according to the permission policy information of the request object, if it is determined based on the permission policy information that the request object has access permission, the first device decrypts the target file with the file encryption key. The file encryption key is obtained by the first device by decrypting the second ciphertext with the private key of the request object. Encrypting each file in this way improves the security of the file. Using a key unique to the file also effectively reduces the threat to multiple files that arises, when a single shared key is used for encryption, once that key is leaked.
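The two-device exchange described in the implementations above (and restated from the second device's side under the second aspect below), as an added Go example that is not code from the application or from its assignee: the second device holds the target file's private key, decrypts the tag policy, derives the permission policy for the requested operation and returns the first ciphertext (the decision) and second ciphertext (the file encryption key), both encrypted to the request object's public key; the first device decrypts them with the request object's private key, enforces the decision and only then decrypts the file body. The JSON layouts of the policy messages, RSA-OAEP with SHA-256 for the public-key steps, AES-128-GCM for the file body, a requester role carried alongside the access operation, and withholding the second ciphertext when access is denied are all assumptions of this example, not details of the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// TagPolicy is the target file's file tag policy information with the per-file key
// encapsulated in it; PermissionPolicy is the decided permission policy information;
// PermissionInfo is the second device's reply. All three layouts are assumptions.
type TagPolicy struct {
	Tags    []string            `json:"tags"`
	Allowed map[string][]string `json:"allowed"`  // requester role -> permitted operations
	FileKey []byte              `json:"file_key"` // AES-128-GCM key for the file body
}
type PermissionPolicy struct {
	Operation string
	Permitted bool
}
type PermissionInfo struct{ First, Second []byte } // First: decision, Second: file key (nil if denied)

// sealJSON/openJSON carry a JSON value under RSA-OAEP, which holds at most k-2*hLen-2
// bytes (190 for RSA-2048 with SHA-256); a larger policy would need a wrapped symmetric key.
func sealJSON(pub *rsa.PublicKey, v any) ([]byte, error) {
	encoded, _ := json.Marshal(v)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, encoded, nil)
}
func openJSON(priv *rsa.PrivateKey, ct []byte, v any) error {
	raw, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// DecidePermission is the second device's step: decrypt the tag policy with the target file's
// private key, derive the permission policy from it and the requested operation, and encrypt
// the decision (plus the file key only if permitted) to the request object's public key.
func DecidePermission(filePriv *rsa.PrivateKey, sealedPolicy []byte, requester, op string, requesterPub *rsa.PublicKey) (info PermissionInfo, err error) {
	var policy TagPolicy
	if err = openJSON(filePriv, sealedPolicy, &policy); err != nil {
		return info, fmt.Errorf("tag policy: %w", err)
	}
	decision := PermissionPolicy{Operation: op}
	for _, allowed := range policy.Allowed[requester] {
		decision.Permitted = decision.Permitted || allowed == op
	}
	if info.First, err = sealJSON(requesterPub, decision); err == nil && decision.Permitted {
		info.Second, err = sealJSON(requesterPub, policy.FileKey) // withheld on denial: a hardening choice
	}
	return info, err
}

// AccessFile is the first device's step: decrypt the first ciphertext with the request object's
// private key, enforce the decision, and only then unwrap the file key and decrypt the file body.
func AccessFile(reqPriv *rsa.PrivateKey, info PermissionInfo, encFile []byte) ([]byte, error) {
	var decision PermissionPolicy
	if err := openJSON(reqPriv, info.First, &decision); err != nil {
		return nil, fmt.Errorf("permission policy: %w", err)
	}
	if !decision.Permitted {
		return nil, fmt.Errorf("operation %q denied by permission policy", decision.Operation)
	}
	var fileKey []byte
	if err := openJSON(reqPriv, info.Second, &fileKey); err != nil {
		return nil, fmt.Errorf("file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil || len(encFile) < 12 { // unusable key, or shorter than a GCM nonce
		return nil, fmt.Errorf("cannot decrypt target file")
	}
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, encFile[:12], encFile[12:], nil) // body is laid out as nonce||ciphertext
}

// RunExchange wires both sides together over constructed data: a "confidential" file that
// analysts may read and its owner may read and write. It returns the recovered plaintext.
func RunExchange(requester, op string) ([]byte, error) {
	filePriv, _ := rsa.GenerateKey(rand.Reader, 2048) // private half stays on the second device
	reqPriv, _ := rsa.GenerateKey(rand.Reader, 2048)  // the request object's key pair
	policy := TagPolicy{Tags: []string{"confidential"}, FileKey: make([]byte, 16),
		Allowed: map[string][]string{"analyst": {"read"}, "owner": {"read", "write"}}}
	rand.Read(policy.FileKey)
	block, _ := aes.NewCipher(policy.FileKey) // encrypt the body under the per-file key
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	encFile := g.Seal(nonce, nonce, []byte("quarterly forecast (constructed)"), nil)
	sealedPolicy, _ := sealJSON(&filePriv.PublicKey, policy) // kept alongside the file
	info, err := DecidePermission(filePriv, sealedPolicy, requester, op, &reqPriv.PublicKey)
	if err != nil {
		return nil, err
	}
	return AccessFile(reqPriv, info, encFile)
}
```

RunExchange("analyst", "read") returns the constructed plaintext; RunExchange("analyst", "write") and RunExchange("guest", "read") return a denial error before any file key is unwrapped. Note that the target file's private key is only ever passed to DecidePermission, which is the property the implementation relies on: a leaked request-object key exposes one requester's decisions, not the policy of every file.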

In a possible implementation, the first device further obtains the file tag of the target file and generates the file tag policy information of the target file based on the file tag and a tag policy template. In this way, the file tag policy information can be generated automatically from the file tag of the target file using the tag policy template.

In a possible implementation, the tag policy template is obtained from the second device.

In a possible implementation, the user who sets the file tag policy information can also update it with custom settings. The first device obtains custom tag policy information for the target file and updates the file tag policy information of the target file with the custom tag policy information. This allows custom adjustment of the file tag policy information, makes its configuration more flexible, and makes it convenient to configure, for a file, file tag policy information that meets the file's protection needs.
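How a tag policy template can turn a file's tags into file tag policy information, how a custom update can then override part of it, and how the resulting policy is checked at access time, as an added Go example that is not the application's own code. The template layout (tag value of a security dimension, then role, then permitted operations), the rule that a file carrying tags from several dimensions keeps for each role only the operations every tag permits, and the two constructed dimensions (confidentiality level, data category) are all assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Template is a tag policy template: for each tag value of a security dimension, the
// operations each requester role may perform. The layout is an assumption of this example.
type Template map[string]map[string][]string

// Policy is the file tag policy information generated for one file: role -> permitted ops.
type Policy map[string][]string

// GeneratePolicy derives a file's policy from its tags and the template. When a file
// carries tags from several dimensions, a role keeps only the operations every tag
// permits (the most restrictive tag wins); this combination rule is assumed here.
func GeneratePolicy(tags []string, tpl Template) (Policy, error) {
	if len(tags) == 0 {
		return nil, fmt.Errorf("file has no tags; refusing to generate a policy")
	}
	votes := map[string]map[string]int{} // role -> op -> number of tags permitting it
	for _, tag := range tags {
		rules, ok := tpl[tag]
		if !ok {
			return nil, fmt.Errorf("tag %q has no entry in the template", tag)
		}
		for role, ops := range rules {
			if votes[role] == nil {
				votes[role] = map[string]int{}
			}
			for _, op := range ops {
				votes[role][op]++
			}
		}
	}
	policy := Policy{}
	for role, ops := range votes {
		for op, n := range ops {
			if n == len(tags) { // permitted by every tag on the file
				policy[role] = append(policy[role], op)
			}
		}
		sort.Strings(policy[role]) // deterministic order for display and comparison
	}
	return policy, nil
}

// ApplyCustom is the custom update: roles named in custom replace the generated rules,
// roles not named keep them. The generated policy itself is left untouched.
func ApplyCustom(generated, custom Policy) Policy {
	out := Policy{}
	for role, ops := range generated {
		out[role] = append([]string(nil), ops...)
	}
	for role, ops := range custom {
		out[role] = append([]string(nil), ops...)
	}
	return out
}

// Permitted is the access-control check the first device makes against the policy.
func Permitted(p Policy, role, op string) bool {
	for _, allowed := range p[role] {
		if allowed == op {
			return true
		}
	}
	return false
}

// DemoPolicy builds a constructed template with two security dimensions (confidentiality
// level, data category), tags one file both "confidential" and "personal", and then applies
// a custom update in which the file's manager revokes analyst access to this file.
func DemoPolicy() (Policy, error) {
	tpl := Template{
		"confidential": {"owner": {"read", "write"}, "analyst": {"read"}, "backup": {"read"}},
		"personal":     {"owner": {"read", "write"}, "analyst": {"read"}, "dpo": {"read", "delete"}},
		"public":       {"owner": {"read", "write"}, "analyst": {"read", "write"}, "anyone": {"read"}},
	}
	generated, err := GeneratePolicy([]string{"confidential", "personal"}, tpl)
	if err != nil {
		return nil, err
	}
	return ApplyCustom(generated, Policy{"analyst": {}}), nil
}

func main() {
	p, err := DemoPolicy()
	if err != nil {
		panic(err)
	}
	for _, c := range [][2]string{{"owner", "write"}, {"analyst", "read"}, {"backup", "read"}} {
		fmt.Printf("%-7s %-5s permitted=%v\n", c[0], c[1], Permitted(p, c[0], c[1]))
	}
}
```

With the constructed template, the generated policy for a file tagged both "confidential" and "personal" keeps owner read/write and analyst read, and drops backup and dpo because only one of the two tags grants them; the custom update then empties the analyst entry, so only the owner retains access. A file with a tag the template does not know is rejected rather than silently given an empty or open policy.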

In a possible implementation, the first device is a host.

In a possible implementation, the method is applied to the application layer of the first device, to the system layer of the first device, or to both the application layer and the system layer of the first device.

In a possible implementation, the first device is a storage device. The request object triggers the file access request through a third device connected to the first device. The first device obtains, from the third device, the file access request for the target file triggered by the request object. The file access request is encapsulated by the third device using a security protocol, and the first device unpacks the file access request using the security protocol. In this way, the security protocol protects the file access request, which in turn improves the security of the file.

In a possible implementation, the first device generates feedback file information according to the permission policy information of the request object and the access operation information of the request object, and sends the feedback file information, encapsulated with the security protocol, to the third device. The security protocol improves the security of the information transmitted between the first device and the third device.

In a possible implementation, the method is applied to the system layer of the first device, and the application program is a preset security application.

In a second aspect, the present application provides a file access permission determination method. The method is applied to a second device. The second device obtains a permission request for a target file sent by a first device. The permission request includes file tag policy information of the target file, access operation information and the public key of a request object. The file tag policy information is encrypted with the public key of the target file, describes the control policy for access operations on the target file, and corresponds to the file tag of the target file. The file tag is set by the manager of the target file or generated based on the file attributes of the target file, and includes tags of one or more security dimensions. The request object is a system user of the operating system program of the first device, or an application user of an application program. The second device decrypts the file tag policy information with the private key of the target file, and determines the permission policy information of the request object based on the file tag policy information of the target file and the access operation information. The permission policy information describes the permission policy of the request object for the access operation on the target file. The second device encrypts the permission policy information of the request object with the public key of the request object to obtain a first ciphertext, and sends permission information including the first ciphertext to the first device. Because the second device decrypts the file tag policy information of the target file with the private key of the target file and determines the permission policy information, the first device need not hold the private key of the target file; this reduces the security problems that arise once a private key of the target file held by the first device is leaked, improves the security of the file tag policy information, and in turn improves the security of the target file. Moreover, the file tag policy information and permission policy information exchanged between the first device and the second device are both encrypted, which improves the security of the information during the interaction and reduces the risk of information leakage between the first device and the second device.

In a possible implementation, the target file is encrypted with a file encryption key, which is encapsulated in the file tag policy information of the target file. The second device further encrypts the file encryption key with the public key of the request object to obtain a second ciphertext, and the permission information sent by the second device to the first device further includes the second ciphertext. Sending the encrypted file encryption key to the first device allows the first device to decrypt the target file based on the file encryption key and to control the request object's access. Using a key unique to the target file also effectively avoids the threat to multiple files that arises, when a single shared key is used for encryption, once that key is leaked, thereby improving the data security of the target file.

In a possible implementation, the second device further provides the tag policy template to the first device: in response to obtaining a tag policy template acquisition request sent by the first device, the second device sends the tag policy template to the first device.

In a possible implementation, the second device is a server or a management device.

In a third aspect, the present application provides a file access apparatus. The apparatus is applied to a first device and includes: an acquisition module, configured to obtain a file access request for a target file triggered by a request object, where the file access request includes access operation information describing the access operation that the request object needs to perform on the target file, and the request object is a system user of the operating system program of the first device or an application user of an application program; a processing module, configured to obtain permission policy information of the request object, where the permission policy information is determined based on the file tag policy information of the target file and the file access request, the file tag policy information corresponds to the file tag of the target file and describes the control policy for access operations on the target file, the permission policy information indicates the permission the request object has to operate on the target file, and the file tag includes tags of one or more security dimensions and is set by the manager of the target file or generated based on the file attributes of the target file; and a control module, configured to perform access control on the request object's access to the target file according to the permission policy information.

In a possible implementation, the processing module is specifically configured to generate the permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.

In a possible implementation, the processing module is specifically configured to: send a permission request for the target file to a second device, where the permission request includes the file tag policy information of the target file, the access operation information and the public key of the request object, and the file tag policy information of the target file is encrypted with the public key of the target file; obtain permission information fed back by the second device, where the permission information includes a first ciphertext obtained by encrypting the permission policy information of the request object with the public key of the request object, and the permission policy information of the request object is obtained by the second device by processing the file tag policy information of the target file and the access operation information with the private key of the target file; and decrypt the first ciphertext with the private key of the request object to obtain the permission policy information of the request object.

In a possible implementation, the target file is encrypted with a file encryption key that is encapsulated in the file tag policy information of the target file, and the permission information further includes a second ciphertext obtained by encrypting the file encryption key with the public key of the request object. The processing module is further configured to decrypt the target file with the file encryption key if it is determined, based on the permission policy information, that the request object has access permission, where the file encryption key is obtained by decrypting the second ciphertext with the private key of the request object.

In a possible implementation, the acquisition module is further configured to obtain the file tag of the target file, and a generation module is configured to generate the file tag policy information of the target file based on the file tag and a tag policy template.

In a possible implementation, the tag policy template is obtained from the second device.

In a possible implementation, the acquisition module is further configured to obtain custom tag policy information for the target file, and the generation module is further configured to update the file tag policy information of the target file with the custom tag policy information.

In a possible implementation, the first device is a host.

In a possible implementation, the apparatus is applied to the application layer of the first device.

In a possible implementation, the apparatus is applied to the system layer of the first device.

In a possible implementation, the application program is a preset security application.

In a possible implementation, the first device is a storage device, and the acquisition module is specifically configured to obtain, from a third device, the file access request for the target file triggered by the request object, where the file access request is encapsulated by the third device using a security protocol, and to unpack the file access request using the security protocol.

In a possible implementation, the control module is specifically configured to generate feedback file information according to the permission policy information of the request object and the access operation information of the request object, and to send the feedback file information, encapsulated with the security protocol, to the third device.

In a fourth aspect, the present application provides a file access permission determination apparatus. The apparatus is applied to a second device and includes: an acquisition module, configured to obtain a permission request for a target file sent by a first device, where the permission request includes file tag policy information of the target file, access operation information and the public key of a request object; the file tag policy information is encrypted with the public key of the target file, corresponds to the file tag of the target file and describes the control policy for access operations on the target file; the file tag includes tags of one or more security dimensions and is set by the manager of the target file or generated based on the file attributes of the target file; and the request object is a system user of the operating system program of the first device or an application user of an application program; a decryption module, configured to decrypt the file tag policy information with the private key of the target file; a determination module, configured to determine the permission policy information of the request object based on the file tag policy information of the target file and the access operation information, where the permission policy information describes the permission policy of the request object for the access operation on the target file; an encryption module, configured to encrypt the permission policy information of the request object with the public key of the request object to obtain a first ciphertext; and a sending module, configured to send permission information including the first ciphertext to the first device.

In a possible implementation, the target file is encrypted with a file encryption key that is encapsulated in the file tag policy information of the target file; the encryption module is further configured to encrypt the file encryption key with the public key of the request object to obtain a second ciphertext, and the permission information further includes the second ciphertext.

In a possible implementation, the sending module is further configured to send the tag policy template to the first device in response to obtaining a tag policy template acquisition request sent by the first device.

In a possible implementation, the second device is a server or a management device.

In a fifth aspect, the present application provides a computing device cluster. The computing device cluster includes at least one computing device, and each computing device includes a processor and a memory. The memory stores instructions; when the computing device cluster runs, the processor in each computing device executes the instructions stored in the memory, so that the computing device cluster performs the file access method of the first aspect or any possible implementation of the first aspect, or the file access permission determination method of the second aspect or any possible implementation of the second aspect. It should be noted that the memory may be integrated in the processor or be separate from the processor. Each computing device may further include a bus, through which the processor is connected to the memory. The memory may include readable memory and random access memory.

In a sixth aspect, the present application provides a computer-readable storage medium storing instructions which, when run on a computing device cluster (the computing device cluster including at least one computing device), cause the computing device cluster to perform the file access method of the first aspect or any possible implementation of the first aspect, or the file access permission determination method of the second aspect or any possible implementation of the second aspect.

In a seventh aspect, the present application provides a computer program product containing instructions which, when run on a computing device cluster (the computing device cluster including at least one computing device), cause the computing device cluster to perform the file access method of the first aspect or any possible implementation of the first aspect, or the file access permission determination method of the second aspect or any possible implementation of the second aspect.

The implementations provided in the above aspects of the present application may be further combined to provide further implementations.

Brief Description of the Drawings

FIG. 1a is a schematic diagram of a scenario according to an embodiment of the present application;

FIG. 1b is a schematic diagram of another scenario according to an embodiment of the present application;

FIG. 1c is a schematic diagram of an interaction between a first device and a second device according to an embodiment of the present application;

FIG. 2a is a schematic diagram of a further scenario according to an embodiment of the present application;

FIG. 2b is a schematic diagram of yet another scenario according to an embodiment of the present application;

FIG. 2c is a schematic diagram of another interaction between a first device and a second device according to an embodiment of the present application;

FIG. 3a is a schematic diagram of a scenario according to an embodiment of the present application;

FIG. 3b is a schematic diagram of another scenario according to an embodiment of the present application;

FIG. 3c is a schematic diagram of yet another interaction between a first device and a second device according to an embodiment of the present application;

FIG. 4a is a schematic diagram of a further scenario according to an embodiment of the present application;

FIG. 4b is a schematic diagram of yet another scenario according to an embodiment of the present application;

FIG. 4c is a schematic diagram of a further interaction between a first device and a second device according to an embodiment of the present application;

FIG. 5 is a schematic flow chart of a file access method according to an embodiment of the present application;

FIG. 6 is a schematic flow chart of another file access method according to an embodiment of the present application;

FIG. 7 is a schematic flow chart of generating file tag policy information of a target file according to an embodiment of the present application;

FIG. 8 is a schematic diagram of a file tag policy according to an embodiment of the present application;

FIG. 9 is a schematic flow chart of another way of generating file tag policy information of a target file according to an embodiment of the present application;

FIG. 10 is a schematic structural diagram of a file access apparatus according to an embodiment of the present application;

FIG. 11 is a schematic structural diagram of a file access permission determination apparatus according to an embodiment of the present application;

FIG. 12 is a schematic structural diagram of a computing device according to an embodiment of the present application;

FIG. 13 is a schematic structural diagram of a computing device cluster according to an embodiment of the present application;

FIG. 14 is a schematic structural diagram of another computing device cluster according to an embodiment of the present application.

具体实施方式DETAILED DESCRIPTION

下面将结合本申请中的附图,对本申请提供的实施例中的方案进行描述。The scheme in the embodiments provided in this application will be described below in conjunction with the drawings in this application.

本申请的说明书和权利要求书及上述附图中的术语“第一”、“第二”等是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。应该理解这样使用的术语在适当情况下可以互换,这仅仅是描述本申请的实施例中对相同属性的对象在描述时所采用的区分方式。 The terms "first", "second", etc. in the specification and claims of this application and the above-mentioned drawings are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It should be understood that the terms used in this way can be interchangeable under appropriate circumstances. This is just a way of distinguishing objects with the same attributes when describing the embodiments of this application.

数据作为较为重要的资产,包含个人或者企业的重要信息。在使用数据的过程中,需要防止数据遭到攻击,避免出现数据泄露、数据被篡改或者数据不可用的问题。目前,通常在网络、主机以及存储等维度构建攻击的检测算法。利用检测算法及时发现攻击行为,并且对攻击行为进行处理,维护数据安全。但是,检测算法所能检测发现的攻击行为有限,仅能针对当前已知的攻击行为进行识别,难以发现未知的攻击,仍然存在安全隐患。并且,检测算法存在检测误差,可能会影响处理数据的业务的正常运行。利用检测算法检测攻击的方式难以满足数据安全的需求。Data is a relatively important asset, containing important information of individuals or enterprises. In the process of using data, it is necessary to prevent data from being attacked to avoid data leakage, data tampering or data unavailability. At present, attack detection algorithms are usually built in dimensions such as network, host and storage. Detection algorithms are used to detect attack behaviors in a timely manner and process them to maintain data security. However, the attack behaviors that can be detected by the detection algorithm are limited. It can only identify currently known attack behaviors and it is difficult to detect unknown attacks. There are still security risks. In addition, the detection algorithm has detection errors, which may affect the normal operation of the business that processes data. The method of using detection algorithms to detect attacks is difficult to meet the needs of data security.

On this basis, an embodiment of this application provides a file access method applied to a first device. The first device obtains a file access request for a target file that is triggered by a requesting object and carries access operation information. The first device then obtains the permission policy information of the requesting object, which is determined from the file tag policy information of the target file and the requesting object's file access request. The file tag policy information corresponds to the file tag of the target file and describes the control policy for access operations on the target file. Finally, the first device enforces access control over the requesting object's access to the target file according to the permission policy information. Using file tag policy information in this way protects data at the granularity of individual files. This achieves data-centric protection and, to a degree, reduces the risk of files being tampered with, leaked or held for ransom. Because file tags can be configured according to each file's protection needs, file tag policy information can be configured flexibly to meet the security requirements of different files.

The embodiments of this application do not limit how the file access method and the file access permission determination method are deployed. As examples, FIG. 1a to FIG. 4c show four application scenarios.

As one example, referring to FIG. 1a, the file access method provided in this embodiment can be applied to a tag policy client or a tag policy software development kit (SDK) deployed in an application program on the first device, that is, in the application layer of the first device. The first device is, for example, a host. The requesting object that requests access to the target file can be an application user of an application program on the first device, or a system user of the operating system program of the first device. The scenario in FIG. 1a is, for example, one in which the application program has its own independent user system. The application layer of the first device controls file access by application users of its application programs or by system users of its operating system program.

In one possible implementation, the tag policy client or tag policy SDK in the application layer of the first device obtains the file access request for the target file triggered by the requesting object, generates the requesting object's permission policy information from the target file's file tag policy information and the file access request, and enforces access control over the requesting object's access to the target file according to that permission policy information.

In another possible implementation, referring to FIG. 1b, the first device interacts with a second device to control access to the target file. This embodiment also provides a file access permission determination method, which can be applied to a tag policy service or tag policy management component deployed on the second device. The second device is, for example, a server. FIG. 1c is a schematic diagram of the interaction between the first device and the second device provided in an embodiment of this application. The tag policy client or tag policy SDK in the application layer of the first device comprises an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module and an access operation control module. The tag policy service or tag policy management component on the second device comprises an initialization module and a permission information determination module. The initialization module of the first device interacts with the initialization module of the second device to perform initial authentication, that is, identity authentication and certificate issuance. The file tag generation module of the first device generates a file tag, either when triggered by a user or automatically, sends a tag policy template request to the second device and receives the tag policy template the second device returns. The file tag policy information generation module of the first device generates the target file's file tag policy information from the file tag and the tag policy template. The access request processing module of the first device sends a permission request to the permission information determination module of the second device on the basis of the file access request obtained from the requesting object. The permission information determination module of the second device parses the file tag policy information according to the permission request, determines the requesting object's permission policy information, and returns permission information to the first device that contains the requesting object's permission policy information encrypted with the requesting object's public key. The access operation control module of the first device controls the requesting object's access operation according to the permission policy information carried in the permission information.

As another example, referring to FIG. 2a, the file access method provided in this embodiment can be applied to a tag kernel module deployed in the operating system (OS) program of the first device, that is, in the system layer of the first device. The first device is, for example, a host. The requesting object that requests access to the target file can be a system user of the operating system program of the first device or an application user of an application program. The scenario in FIG. 2a is, for example, one in which the application program and the OS share a unified user system, the application program's user system can be synchronized into the OS user system, or the application program has no independent user system. The system layer of the first device controls file access by application users of application programs or by system users of the operating system program.

In one possible implementation, the tag kernel module in the system layer of the first device obtains the file access request for the target file triggered by the requesting object, generates the requesting object's permission policy information from the target file's file tag policy information and the file access request, and enforces access control over the requesting object's access to the target file according to that permission policy information.

In another possible implementation, referring to FIG. 2b, the first device interacts with a second device to control access to the target file. The file access permission determination method provided in this embodiment can be applied to a tag policy service or tag policy management component deployed on the second device. The second device is, for example, a server. FIG. 2c is a schematic diagram of another interaction between the first device and the second device provided in an embodiment of this application. The tag policy client or tag policy SDK in the system layer of the first device comprises an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module and an access operation control module. The tag policy service or tag policy management component on the second device comprises an initialization module and a permission information determination module. The interaction between the first device and the second device is similar to the example of FIG. 1c above and is not repeated here.

As a further example, referring to FIG. 3a, the file access method provided in this embodiment can be applied both to a tag kernel module and to a tag policy client or tag policy SDK, deployed in the OS and in an application program of the first device, that is, in both the system layer and the application layer of the first device. The first device is, for example, a host. The requesting object that requests access to the target file can be a system user of the operating system program of the first device or an application user of an application program. The scenario in FIG. 3a is, for example, a business scenario with high security requirements. The system layer and the application layer of the first device cooperate to control file access by application users of application programs or by system users of the operating system program.

In one possible implementation, the tag kernel module together with the tag policy client or tag policy SDK of the first device obtains the file access request for the target file triggered by the requesting object, generates the requesting object's permission policy information from the target file's file tag policy information and the file access request, and enforces access control over the requesting object's access to the target file according to that permission policy information.

In another possible implementation, referring to FIG. 3b, the first device interacts with a second device to control access to the target file. The file access permission determination method provided in this embodiment can be applied to a tag policy service or tag policy management component deployed on the second device. The second device is, for example, a server.

FIG. 3c is a schematic diagram of a further interaction between the first device and the second device provided in an embodiment of this application. The tag policy client or tag policy SDK in the system layer and application layer of the first device comprises an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module and an access operation control module. The tag policy service or tag policy management component on the second device comprises an initialization module and a permission information determination module. The interaction between the first device and the second device is similar to the example of FIG. 1c above and is not repeated here.

As yet another example, referring to FIG. 4a, the scenario shown there applies to a storage setting. The file access method provided in this embodiment can be applied to a tag kernel module deployed in the first device. The first device is, for example, a storage device, and is also connected to a third device, for example a production host. The requesting object that requests access to the target file reaches the target file stored on the first device through the third device. The first device and the third device communicate over a security protocol: the first device additionally includes a security protocol server and the third device includes a security protocol client, and the two encapsulate and decapsulate the transmitted information with the security protocol to carry the communication between the devices. In this way the requesting object can complete its access operation on the target file stored on the first device from the third device.

In one possible implementation, the tag kernel module of the first device obtains the file access request for the target file triggered by the requesting object, generates the requesting object's permission policy information from the target file's file tag policy information and the file access request, and enforces access control over the requesting object's access to the target file according to that permission policy information.

In another possible implementation, referring to FIG. 4b, the first device interacts with a second device to control access to the target file. The file access permission determination method provided in this embodiment can be applied to a tag policy service or tag policy management component deployed on the second device. The second device is, for example, the management device of the storage device. FIG. 4c is a schematic diagram of yet another interaction between the first device and the second device provided in an embodiment of this application. The tag policy client or tag policy SDK in the first device comprises an initialization module, a file tag generation module, a file tag policy information generation module, an access request processing module and an access operation control module. The first device also includes a security protocol server. The tag policy service or tag policy management component on the second device comprises an initialization module and a permission information determination module. Third device A and third device B each include a security protocol client. The interaction between the first device and the second device is similar to the example of FIG. 1c above and is not repeated here. The security protocol client of third device A obtains the file tag selected by the user, encapsulates it with the security protocol and sends it to the first device; the security protocol server of the first device decapsulates it to recover the file tag and passes the file tag to the file tag generation module. The security protocol client of third device A likewise obtains the file access request triggered by the requesting object, encapsulates it with the security protocol and sends it to the first device; the security protocol server of the first device decapsulates it to recover the file access request and passes the request to the access request processing module. This controls file access by the requesting object, that is, by an application user of an application program on the third device or by a system user of its operating system program.

Note that the application scenarios of FIG. 1a to FIG. 4c are examples only; the application scenarios of the file access method and the file access permission determination method provided by this application are not limited to them.

Various non-limiting specific implementations of the file access method and the file access permission determination method provided by this application are now described in detail.

FIG. 5 is a schematic flowchart of a file access method provided in an embodiment of this application. The method is applied to a first device and includes S501 to S503.

S501: The first device obtains a file access request for a target file triggered by a requesting object.

The requesting object is an object that requests, through the first device, access to a target file stored on the first device. This embodiment does not limit the identity of the requesting object. The requesting object is, for example, a user: an application user of an application program on the first device, or a system user of the operating system program of the first device. The requesting object may also be a user together with a program process, the program process being the process through which the user triggers the file access request.

Note that in some possible implementations a user acting as the requesting object must first pass security authentication.

In one possible implementation, the first device establishes a connection with the second device. During the initialization phase the first device exchanges user information with the second device to complete user authentication. Authentication consists of two steps: identity authentication, and the issuance of a certificate by the second device to the first device. During identity authentication the first device sends object information for the objects involved in file access, for example the user information of the users logged in to the application program, or of the users logged in to the operating system program, of the first device.

The second device authenticates the objects from the object information it receives and returns the authentication results to the first device, which uses them to determine which objects have passed security authentication. If the requesting object has already been authenticated, the first device can tell from that result whether it passed: if it did, the first device processes the file access request it triggered for the target file; if it did not, the first device does not process the request. If the requesting object has not yet been authenticated, for example a user logging in to the first device for the first time, the first device sends the requesting object's user information to the second device, which authenticates the requesting object and returns the result. Again, the first device processes the requesting object's file access request for the target file only if the result shows that it passed security authentication, and otherwise does not process it.

In another implementation, taking the scenarios of FIG. 2a and FIG. 3a as examples, the file access method is applied in the system layer of the first device, that is, it is executed by the operating system program of the first device. The requesting object can be an application user of an application program deployed on the first device. After obtaining the file access request triggered by the application user, the system layer of the first device first verifies that the application program the user belongs to is a trusted one, for example against a pre-established application whitelist that records the trusted applications: if the application user belongs to a whitelisted application, the first device processes the user's file access request for the target file; otherwise it does not. This authenticates the application program behind the application user, restricts which applications may access files, prevents an application from handling files maliciously, for example by deleting them, and so improves file security.

A target file stored on the first device is a file for which file tag policy information has been configured in advance. The file tag policy information corresponds to the target file's file tag, and the file tag can be set according to the file's attributes and its protection needs. The file tag policy information describes the control policy for access operations on the target file, that is, it indicates the permission policy that must be followed to access the target file, and the target file is protected by it.

This embodiment does not limit how the file tag policy information of the target file is configured. In one possible implementation, the owner or administrator of the target file configures it directly; in another, the owner or administrator edits and generates it. A specific way of generating the file tag policy information of a target file is described below.

The file access request includes access operation information, which comprises the object information of the requesting object and the operation information of the access operation the requesting object requests on the target file. As an example, the object information of the requesting object is its account information and object type: if the requesting object is a user, the account information is the user's account, and the object type is, for example, system user or application user. Distinguishing the types of requesting objects makes it easier to determine permission policy information for each type and to enforce access control per type, which improves data security. In some possible implementations the object information also includes process information for the program process that triggered the file access request, such as its process ID. The operation information includes, for example, the type of the access operation.

S502: The first device obtains the permission policy information of the requesting object.

The permission policy information of the requesting object indicates which operations the requesting object is permitted to perform on the target file. It is determined from the file tag policy information of the target file and the requesting object's file access request.

This embodiment does not limit how the first device obtains the permission policy information.

In one possible implementation, the first device itself generates the requesting object's permission policy information from the target file's file tag policy information and the requesting object's file access request.

Using the access operation information it obtained, the first device selects from the target file's file tag policy information the policy entries relevant to that access operation information, and the result is the requesting object's permission policy information, which indicates the operations the requesting object may perform on the target file.

As an example, the file tag policy information of the target file lists, for each of several security dimensions, the operations that may be performed on the target file. For instance, it may contain policy information for four security dimensions: file sensitivity, accessing user, accessing process, and the business type the file belongs to. The sensitivity policy states that top-secret files are protected by encryption. The accessing-user policy states that users of type U1 have all operation permissions, users not of type U1 are denied access, users of type U2 have read and write permissions, and users of type U3 have print permission. The accessing-process policy states that processes of type P1 have all permissions and processes not of type P1 are denied access. The business-type policy states that files containing financial data may not be sent to non-finance personnel.

Suppose the access operation information states that the requesting object is a user of type U1 and that the access operation is a read. Against the file tag policy information above, the first device determines that a U1 requesting object has all operation permissions, so the requesting object's permission policy information is "all operation permissions". As another example, suppose the requesting object is a user of type U3 and the access operation is again a read. The first device then determines that a U3 requesting object has print permission only, so the requesting object's permission policy information is "print permission", which does not cover the requested read.
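The following is an added example, not code from the patent, of how a first device can derive permission policy information from the four-dimension file tag policy described above and then decide the requested operation. The policy layout, the field names of the access operation information, the `department` attribute used for the business-type rule, the operation vocabulary, and the reading of "non-U1 / non-P1 are denied" as a default deny for any type without its own entry are all assumptions; the text itself does not say how its rules compose, so the example intersects the operation sets the dimensions grant.

```python
from dataclasses import dataclass, field

# Operation vocabulary (assumed; the text names read, write, print and send).
ALL_OPS = frozenset({"read", "write", "print", "send"})

# Constructed file tag policy information for one target file, one entry per
# security dimension. "ALL" grants every operation; a type with no entry is
# denied (our reading of "non-U1 users / non-P1 processes are denied").
TAG_POLICY = {
    "sensitivity": {"level": "top_secret", "encrypt": True},
    "user": {"U1": "ALL", "U2": ["read", "write"], "U3": ["print"]},
    "process": {"P1": "ALL"},
    "business": {"type": "financial", "send_only_to": "finance"},
}


@dataclass(frozen=True)
class AccessOperation:
    """Access operation information carried by a file access request."""
    account: str
    user_type: str       # object type, e.g. "U1"
    process_type: str    # from the process information, e.g. "P1"
    department: str      # assumed attribute consulted by the business dimension
    operation: str       # requested operation, e.g. "read"


@dataclass
class PermissionPolicy:
    """Permission policy information: what the requester may do, and why."""
    allowed: frozenset
    reasons: list = field(default_factory=list)

    def permits(self, operation: str) -> bool:
        return operation in self.allowed


def _ops(entry):
    return ALL_OPS if entry == "ALL" else frozenset(entry)


def determine_permission_policy(tag_policy, access):
    """Intersect the operation sets granted by each security dimension.
    A dimension that does not list the requester's type denies everything."""
    reasons = []
    user_entry = tag_policy["user"].get(access.user_type)
    if user_entry is None:
        reasons.append(f"user type {access.user_type} not listed: deny")
        return PermissionPolicy(frozenset(), reasons)
    allowed = _ops(user_entry)

    proc_entry = tag_policy["process"].get(access.process_type)
    if proc_entry is None:
        reasons.append(f"process type {access.process_type} not listed: deny")
        return PermissionPolicy(frozenset(), reasons)
    allowed &= _ops(proc_entry)

    biz = tag_policy["business"]
    if biz["type"] == "financial" and access.department != biz["send_only_to"]:
        allowed -= {"send"}
        reasons.append("financial file: send withheld from non-finance user")

    if tag_policy["sensitivity"].get("encrypt"):
        reasons.append("top-secret: content is released only in encrypted form")
    return PermissionPolicy(frozenset(allowed), reasons)


def enforce(tag_policy, access):
    """Access control step (S503): is the requested operation permitted?"""
    policy = determine_permission_policy(tag_policy, access)
    return policy.permits(access.operation), policy


if __name__ == "__main__":
    for acc in (
        AccessOperation("alice", "U1", "P1", "finance", "read"),
        AccessOperation("bob", "U3", "P1", "finance", "read"),
        AccessOperation("carol", "U2", "P1", "sales", "send"),
        AccessOperation("dave", "U1", "P9", "finance", "read"),
    ):
        ok, pol = enforce(TAG_POLICY, acc)
        print(acc.account, acc.operation, "ALLOW" if ok else "DENY",
              sorted(pol.allowed), "; ".join(pol.reasons))
```

The two cases from the text come out as described: the U1 user receives all operations and its read is allowed, while the U3 user receives only `print`, so its read is denied. The `reasons` list is kept so that a denial can be logged with the dimension that caused it, which is what an operator needs when a legitimate request is refused.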

In another possible implementation, the first device interacts with the second device and obtains the permission policy information of the request object sent by the second device. Referring to FIG. 6, the above S502 specifically includes the following steps:

S5021: The first device sends a permission request for the target file to the second device, where the permission request includes the access operation information, the public key of the request object, and the file tag policy information of the target file encrypted with the public key of the target file.

After obtaining the file access request for the target file, the first device sends a permission request for the target file to the second device. The second device can determine the permission information of the request object for accessing the target file based on the file tag policy information of the target file and the access operation information.

The permission request includes the file tag policy information of the target file, the access operation information included in the file access request, and the public key of the request object. The file tag policy information of the target file is encrypted with the public key of the target file.

The file tag policy information of the target file is determined in advance based on the data protection needs of the target file. It is generated by the first device and protected by encryption with the public key of the target file. The first device does not hold the private key corresponding to the public key of the target file, so the file tag policy information cannot be decrypted locally on the first device; if the first device is compromised, an attacker therefore cannot use the private key of the target file to decrypt and tamper with the file tag policy information. This improves the security of the file tag policy information and, in turn, the security of the target file.

The public key of the target file can be a key set in advance by the owner of the target file, or a key generated based on information about the owner of the target file. As an example, the public key of the target file is the public key of the organization to which the owner of the target file belongs, such as a company or a group, so that management of and access to the file belong to the organization.

In addition, the public key of the request object can be a public key set in advance for the request object. The embodiments of the present application do not limit the manner of generating the public key of the request object. As an example, the public key of the request object is generated based on information related to the request object.

S5022: The second device obtains the permission request for the target file sent by the first device, where the permission request includes the access operation information, the public key of the request object, and the file tag policy information of the target file encrypted with the first public key.

S5023: The second device decrypts the file tag policy information using the private key of the target file.

The private key of the target file is the decryption key corresponding to the public key of the target file. The private key of the target file is, for example, a key set in advance by the owner of the target file, or a key generated based on information about the owner of the target file. As an example, the private key of the target file is the private key of the organization or institution to which the owner of the target file belongs, which makes it convenient for organizations and institutions to manage files in a unified manner. The second device uses the private key of the target file to decrypt the file tag policy information generated by the first device, while the first device does not hold the decryption key; this avoids leakage of the decryption key when the first device is attacked, improves the security of the file tag policy information and, in turn, the security of the target file.

S5024: The second device determines the permission policy information of the request object based on the file tag policy information of the target file and the access operation information.

From the obtained permission request for the target file, the second device obtains the file tag policy information of the target file and the access operation information. Based on the access operation information, the second device can determine, from the file tag policy information of the target file, the policy information related to the access operation information, and thereby obtain the permission policy information of the request object. The permission policy information of the request object indicates the permissions the request object has to operate on the target file.

S5025: The second device encrypts the permission policy information of the request object using the public key of the request object to obtain a first ciphertext.

After determining the permission policy information of the request object, the second device encrypts it using the public key of the request object to obtain the first ciphertext. The encrypted permission policy information has a higher level of security and, to a certain extent, prevents the permission policy information from being obtained maliciously while the second device and the first device interact.

S5026: The second device sends permission information including the first ciphertext to the first device.

S5027: The first device obtains the permission information fed back by the second device.

S5028: The first device decrypts the first ciphertext using the private key of the request object to obtain the permission policy information of the request object.

The embodiments of the present application do not limit the manner of generating the public key and the private key of the request object. After obtaining the permission information, the first device uses the private key of the request object to decrypt the first ciphertext included in the permission information, and obtains the permission policy information of the request object. The permission policy information of the request object indicates the permissions the request object has to operate on the target file.

Encrypting the file tag policy information with the public key of the target file improves the security of the file tag policy information stored in the first device. The second device decrypts the file tag policy information and analyzes it to obtain the permission policy information, so the first device does not need to decrypt the file tag policy information locally. This avoids the risk of an attacker using a decryption key obtained from the first device to maliciously tamper with the file tag policy information, improves the security of the file tag policy information and, in turn, the security of the target file.

S503: The first device performs access control on the request object's access to the target file according to the permission policy information of the request object.

Based on the permission policy information of the request object, the first device can determine the permissions of the request object for accessing the target file, and performs access control on the request object's access to the target file according to that permission policy information.

From the above S501 to S503, it can be seen that fine-grained file tag policy information and permission policy information at the granularity of individual files can protect the target file, achieve data-centric security protection, and improve the protection of data integrity and confidentiality, reducing to a certain extent the risk of files being tampered with, leaked or held to ransom.

In some scenarios, the target file has a confidentiality requirement, which can be configured through the file tag policy information of the target file. The first device determines, based on the generated file tag policy information of the target file, that the target file requires confidentiality, and encrypts the target file using a file encryption key. The embodiments of the present application do not limit the manner of generating the file encryption key. As an example, the file encryption key is a randomly generated symmetric key. File encryption keys correspond one-to-one to the files to be encrypted, which improves the security of each file that needs to be encrypted and also keeps the other files secure when the file encryption keys of some files are cracked. In a possible implementation, the file encryption key is encapsulated in the file tag policy information of the target file, and the file tag policy information of the target file is encrypted using the public key of the target file, which protects both the file encryption key and the file tag policy information.

In the implementation in which the second device determines the permission policy information of the request object, after obtaining the file tag policy information encrypted with the public key of the target file, the second device decrypts it using the private key of the target file to obtain the file tag policy information and the file encryption key. The second device also encrypts the file encryption key using the public key of the request object to obtain a second ciphertext, and sends permission information including the first ciphertext and the second ciphertext to the first device. Based on the second ciphertext in the obtained permission information, the first device can decrypt the second ciphertext using the private key of the request object to obtain the file encryption key. If the first device determines, based on the permission policy information, that the request object has access permission for the target file, it decrypts the target file using the file encryption key obtained by decrypting the second ciphertext, so that the request object can operate on the target file. In this way the target file is additionally protected by encryption, improving the data security of the target file.
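The S5021 to S5028 exchange above, together with the second ciphertext carrying the file encryption key, as an added Go example that is not part of the patent: it assumes RSA-OAEP as the (unspecified) public-key scheme, a constructed compact text encoding of the access-user policy dimension with the 32-byte file key appended after a `|fek=` separator, and a constructed `<user type>:<operation>` form for the access operation information. The first device never holds the file's private key and receives the file key only after its own permission check passes; decrypting the file content with that key is the step that follows and is not shown.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// FilePolicy is a constructed compact encoding of the access-user policy dimension, "<user type>=<permissions>;..."; unlisted types are denied.
const FilePolicy = "U1=all;U2=read,write;U3=print"
// PermissionInfo is the S5026 message: First carries the permission policy info, Second the
// file encryption key, both sealed under the request object's public key.
type PermissionInfo struct{ First, Second []byte }
// seal/unseal wrap RSA-OAEP (SHA-256); with a 2048-bit key a message may be up to 190 bytes.
func seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}
func unseal(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// ResolvePermission is S5024: the permission policy info for the user type named in the
// access operation info (constructed form "<user type>:<operation>", e.g. "U3:read").
func ResolvePermission(policy, accessOp string) string {
	userType, _, _ := strings.Cut(accessOp, ":")
	for _, rule := range strings.Split(policy, ";") {
		if t, perms, ok := strings.Cut(rule, "="); ok && t == userType {
			return perms
		}
	}
	return "deny"
}
// Allowed is the S503 check: does the permission policy info cover the requested operation?
func Allowed(perms, op string) bool {
	return perms == "all" || strings.Contains(","+perms+",", ","+op+",")
}

// SecondDevice performs S5022-S5026 on the S5021 message (access operation info, request object's
// public key, policy blob sealed under the file's public key); only it holds the file's private key.
func SecondDevice(filePriv *rsa.PrivateKey, accessOp string, reqPub *rsa.PublicKey, encPolicy []byte) (PermissionInfo, error) {
	blob, err := unseal(filePriv, encPolicy) // S5023
	if err != nil {
		return PermissionInfo{}, err
	}
	policy, fek, ok := bytes.Cut(blob, []byte("|fek="))
	if !ok || len(fek) != 32 {
		return PermissionInfo{}, errors.New("policy blob carries no valid file encryption key")
	}
	first, err := seal(reqPub, []byte(ResolvePermission(string(policy), accessOp))) // S5024, S5025
	if err != nil {
		return PermissionInfo{}, err
	}
	second, err := seal(reqPub, fek) // second ciphertext: the file encryption key
	if err != nil {
		return PermissionInfo{}, err
	}
	return PermissionInfo{First: first, Second: second}, nil
}

// RunExchange plays both devices for one access operation and a 32-byte per-file key: it returns
// the permission policy info device one recovers and, only if the operation is allowed, the file key.
func RunExchange(userType, op string, fek []byte) (string, []byte, error) {
	fileKey, err := rsa.GenerateKey(rand.Reader, 2048) // target file's pair; private half stays on device two
	if err != nil {
		return "", nil, err
	}
	reqKey, err := rsa.GenerateKey(rand.Reader, 2048) // request object's pair; private half stays on device one
	if err != nil {
		return "", nil, err
	}
	// First device: policy info and file key are sealed under the file's public key, which it cannot reverse.
	blob, err := seal(&fileKey.PublicKey, append([]byte(FilePolicy+"|fek="), fek...))
	if err != nil {
		return "", nil, err
	}
	info, err := SecondDevice(fileKey, userType+":"+op, &reqKey.PublicKey, blob) // S5021 out, S5027 back
	if err != nil {
		return "", nil, err
	}
	perms, err := unseal(reqKey, info.First) // S5028
	if err != nil {
		return "", nil, err
	}
	if !Allowed(string(perms), op) { // S503: access control by the permission policy info
		return string(perms), nil, nil
	}
	back, err := unseal(reqKey, info.Second) // the file key is released only once access is granted
	return string(perms), back, err
}

func main() {
	fek := make([]byte, 32) // random per-file symmetric key, as the text describes
	rand.Read(fek)
	fmt.Println(RunExchange("U3", "print", fek))
}
```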

The above describes a method for accessing the target file using the file tag policy information of the target file. A possible specific implementation of generating the file tag policy information of the target file is provided below.

Referring to FIG. 7, which is a schematic flowchart of generating file tag policy information of a target file provided by an embodiment of the present application, the method includes S701 to S703:

S701: The first device obtains the file tag of the target file.

The file tag of the target file is a tag set for the target file and includes tags of one or more security dimensions. It should be noted that the file tag of the target file is determined based on a tag template. The tag template is a preset template for configuring file tags. As an example, the tag template includes multiple selectable file tags, and the file tag of the target file is selected from the tag template.

The embodiments of the present application do not limit the manner of generating the file tag of the target file. In a possible implementation, generation of the file tag of the target file is triggered by the manager of the target file. The manager of the target file is a user with permission to manage the target file, for example the owner of the target file. The user can generate the file tag by selection or by input. In another possible implementation, the first device automatically generates the file tag based on the file attributes of the target file. File attributes are, for example, the file type, the file generation time and the file priority. As an example, the file tag of the target file is generated automatically according to a preset tag generation rule and the file attributes of the target file. The tag generation rule includes, for example, a correspondence between file attributes and file tags.

As an example, referring to FIG. 8, which is a schematic diagram of a file tag policy provided by an embodiment of the present application, the tag template includes tags of four security dimensions: sensitivity tags, owning user tags, access process tags, and outbound permission tags. Sensitivity tags include, for example, top secret, confidential, internal, public and personal. Owning user tags include, for example, type U1. Access process tags include type P1. Outbound permission tags include financial data and sales data.

The file tag is determined from the tags included in the tag template based on the user's selection instruction for the file tag, or generated automatically based on the tags included in the tag template. For example, referring to FIG. 8, the top secret tag, the U1 type tag, the P1 type tag and the financial data tag are selected from the tag template.

S703: The first device generates the file tag policy information of the target file based on the file tag and a tag policy template.

The tag policy template is a policy template configured in advance by the tag policy management user. The embodiments of the present application do not limit the specific content of the tag policy template. As an example, the tag policy template includes the policies corresponding to the tags of four security dimensions: sensitivity, owning user, access process and outbound permission.

The tag policy template corresponds to the tag template and includes the tag policy information corresponding to each tag included in the tag template.

Taking FIG. 8 as an example, the tag policy template includes tag policy information of four security dimensions, namely the tag policy information corresponding to each tag included in the tag template. The sensitivity policy information includes: 1. top secret or confidential files are encrypted; 2. public files are not encrypted; 3. top secret files may not be printed or copied; 4. personal files may be used only by the user to whom they belong. The owning user policy information includes: 1. users of type U1 have all permissions; 2. for top secret and confidential files, users of other types are denied access; for public files, users of all types have all permissions. The access process policy information includes: 1. processes of type P1 have all permissions; 2. for top secret or confidential files, other processes are denied access; for public files, processes of all types have all permissions. The outbound permission policy information includes: 1. financial data may be sent only among financial personnel; 2. public data is not subject to outbound restrictions.

The first device obtains the tag policy information of the file tag of the target file from the tag policy template, and integrates the tag policy information of the file tag to obtain the file tag policy information of the target file.

As an example, the file tag of the target file is matched against the tag template included in the tag policy template, and the file tag policy information of the tag template entry that is consistent with the file tag of the target file is used as the file tag policy information corresponding to the file tag of the target file.

Referring to FIG. 8, the first device can determine from the tag policy template the file tag policy information corresponding to the file tag of the target file, that is, the file tag policy information of the target file, which includes: 1. sensitivity policy information: the top secret file is encrypted; 2. access user policy information: users of type U1 have all permissions and users of other types are denied access; 3. access process policy information: processes of type P1 have all permissions and other processes are denied access; 4. outbound permission policy information: sending to non-financial personnel is restricted.

After obtaining the file tag policy information of the target file, the first device can encapsulate the file content of the target file, the file tag of the target file and the file tag policy information of the target file into a protected file. The embodiments of the present application do not limit the manner of encapsulating the file. As an example, the file content, the file tag and the file tag policy information of the target file are encapsulated into one file. As another example, the file content, the file tag and the file tag policy information of the target file are encapsulated into three mutually associated files. The file tag policy information of the target file can be encrypted with the first public key.

From the above S701 and S703, it can be seen that file tags and file tag policy information meeting the data security requirements of the target file can be configured flexibly, achieving fine-grained security protection of files and meeting the security requirements of different files and of access to files by different object types. In addition, configuring the file tag policy information using file tags and a tag policy template improves the efficiency of configuring file tag policy information.

The embodiments of the present application do not limit the source of the tag policy template.

In a possible implementation, the tag policy template is preconfigured in the first device.

In another possible implementation, the tag policy template is obtained by the first device from the second device. Referring to FIG. 7, the method may further include S7021 to S7023.

S7021: The first device sends a tag policy template acquisition request to the second device.

The tag policy template acquisition request is used to obtain the tag policy template. The tag policy template is a policy template configured in advance by the tag policy management user. The embodiments of the present application do not limit the specific content of the tag policy template. As an example, the tag policy template includes the policies corresponding to the tags of four security dimensions: sensitivity, access user, access process and outbound permission.

S7022: In response to obtaining the tag policy template acquisition request sent by the first device, the second device sends the tag policy template to the first device.

The second device stores the tag policy template.

S7023: The first device obtains the tag policy template sent by the second device.

Further, on the basis of the file tag policy information generated from the tag policy template, the file tag policy information can also be adjusted in a customized manner.

Referring to FIG. 9, which is a schematic flowchart of another method of generating file tag policy information of a target file provided by an embodiment of the present application, the method is applied to the first device and the second device and, in addition to the above S701 to S703, further includes S704 and S705.

S704: The first device obtains custom tag policy information for the target file.

In a possible implementation, the first device displays an editing control for editing file tag policy information, through which the user can input custom tag policy information for the target file. Custom tag policy information includes, for example, additional tag policy information to be added. As an example, taking the file tag policy information of the target file shown in FIG. 8, the additional tag policy information includes newly added access user policy information: users of type U2 have read and write permissions, users of type U3 have read, write and print permissions, processes of type P2 have read-only permission, and processes of type P3 have read and write permissions. Custom tag policy information also includes, for example, revised tag policy information, which includes the tag policy information in the file tag policy information of the target file that needs to be modified, as well as the modified tag policy information.

S705: The first device updates the file tag policy information of the target file using the custom tag policy information.

In this way, on the basis of rapidly configuring the file tag policy information of the target file, the policy of the target file can be adjusted flexibly, so that the generated file tag policy information of the target file better matches the data security requirements of the target file.
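The policy generation of S701 to S705 (tag selection, template lookup and integration, custom additions and revisions) and the per-dimension permission resolution illustrated by the S502 examples, as an added Go example that is not part of the patent: the tag policy template after FIG. 8, the `"*"` subject for "other types", the `"file"` subject for file-level requirements, and the `all`/`deny`/comma-list permission strings are all constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Line is one item of tag policy information: in the user and process dimensions Perms is "all",
// "deny" or a comma list granted to Subject ("*" = other types); otherwise Subject is "file" and Perms a requirement.
type Line struct{ Dim, Subject, Perms string }
// Dims fixes the integration order of the four security dimensions of FIG. 8.
var Dims = []string{"sensitivity", "user", "process", "outbound"}

// PolicyTemplate is a constructed tag policy template after FIG. 8, keyed "<dim>=<label>".
var PolicyTemplate = map[string][]Line{
	"sensitivity=top-secret": {{"sensitivity", "file", "encrypt"}},
	"sensitivity=public":     {{"sensitivity", "file", "plain"}},
	"user=U1":                {{"user", "U1", "all"}},
	"process=P1":             {{"process", "P1", "all"}},
	"outbound=financial":     {{"outbound", "file", "financial staff only"}},
	"outbound=public":        {{"outbound", "file", "unrestricted"}},
}

// Generate is S703: the tag policy information of each selected tag (S701: one label per dimension)
// is looked up in the template and integrated; the sensitivity-dependent rule for other types is added last.
func Generate(tags map[string]string) ([]Line, error) {
	var policy []Line
	for _, dim := range Dims {
		lines, ok := PolicyTemplate[dim+"="+tags[dim]]
		if !ok {
			return nil, fmt.Errorf("tag %s=%q has no entry in the tag policy template", dim, tags[dim])
		}
		policy = append(policy, lines...)
	}
	others := "deny" // top-secret and confidential files: other user and process types are denied
	if tags["sensitivity"] == "public" {
		others = "all"
	}
	return append(policy, Line{"user", "*", others}, Line{"process", "*", others}), nil
}

// Customize is S704-S705: a revised line replaces the line with the same dimension and subject; additional lines are appended.
func Customize(policy, revised, additional []Line) []Line {
	out := append([]Line{}, policy...)
	for _, r := range revised {
		for i := range out {
			if out[i].Dim == r.Dim && out[i].Subject == r.Subject {
				out[i] = r
			}
		}
	}
	return append(out, additional...)
}

// lookup returns the Perms of subject in dim; a specific line beats "*"; the default is "deny".
func lookup(policy []Line, dim, subject string) string {
	for _, want := range []string{subject, "*"} {
		for _, l := range policy {
			if l.Dim == dim && l.Subject == want {
				return l.Perms
			}
		}
	}
	return "deny"
}

// intersect keeps only the operations granted by both dimension results.
func intersect(a, b string) string {
	if a == "all" || b == "deny" {
		return b
	}
	if b == "all" || a == "deny" {
		return a
	}
	var out []string
	for _, op := range strings.Split(a, ",") {
		if strings.Contains(","+b+",", ","+op+",") {
			out = append(out, op)
		}
	}
	if len(out) == 0 {
		return "deny"
	}
	return strings.Join(out, ",")
}

// Resolve is S5024 (and the S502 examples): the permission policy info of a request object is what its user type and its process type are both granted.
func Resolve(policy []Line, userType, procType string) string {
	return intersect(lookup(policy, "user", userType), lookup(policy, "process", procType))
}

func main() {
	policy, err := Generate(map[string]string{"sensitivity": "top-secret", "user": "U1", "process": "P1", "outbound": "financial"})
	if err != nil {
		panic(err)
	}
	policy = Customize(policy, nil, []Line{{"user", "U3", "read,write,print"}, {"process", "P2", "read"}})
	fmt.Println(lookup(policy, "sensitivity", "file"), Resolve(policy, "U1", "P1"), Resolve(policy, "U3", "P2"))
}
```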

In addition, in a storage scenario, referring to FIG. 4a, the first device is a storage device connected to a third device. The third device is, for example, a production host, which is a host connected to the storage device and able to access the data stored in the storage device. The storage device and the production host interact through a security protocol. The embodiments of the present application do not limit the type of security protocol. As an example, the security protocol is a Network Attached Storage (NAS) protocol or an Object Storage Service (OBS) protocol.

In a possible implementation, the request object accesses the file through the third device connected to the first device. The request object triggers a file access request for the target file on the third device. The third device encapsulates the file access request using the security protocol and sends the encapsulated file access request to the first device. The first device decapsulates the obtained file access request using the security protocol.

In addition, when performing access control on the request object's access to the target file according to the permission policy information of the request object, the first device generates feedback file information according to the permission policy information and the access operation information of the request object. The first device sends the feedback file information, encapsulated with the security protocol, to the third device. After obtaining the feedback file information, the third device decapsulates it using the security protocol.

Using the security protocol to encapsulate and decapsulate the information exchanged between the first device and the third device improves the security of the interaction between the first device and the third device and meets the security requirements for accessing files.

In the process of configuring the file tag policy information of the target file for a file on the storage device, generation of the file tag of the target file can be triggered by the user of the third device or automatically by the third device. The third device encapsulates the file tag of the target file using the security protocol and sends the encapsulated file tag to the first device. The first device obtains the file tag of the target file encapsulated with the security protocol.

The first device decapsulates the encapsulated file tag of the target file using the security protocol to obtain the file tag of the target file.

The present application further provides a file access apparatus 1000, which is applied to a first device and, as shown in FIG. 10, includes:

an acquisition module, configured to acquire a file access request for a target file triggered by a request object, where the file access request includes access operation information, and the access operation information describes the access operation that the request object needs to perform on the target file; the request object is a system user of an operating system program of the first device, or an application user of an application program;

a processing module, configured to obtain the permission policy information of the request object, where the permission policy information is determined based on the file tag policy information of the target file and the file access request; the file tag policy information corresponds to the file tag of the target file and describes the control policy for access operations on the target file, and the permission policy information indicates the permissions the request object has to operate on the target file; the file tag includes tags of one or more security dimensions, and the file tag is set by the manager of the target file or generated based on the file attributes of the target file;

a control module, configured to perform access control on the request object's access to the target file according to the permission policy information.

In a possible implementation, the processing module is specifically configured to generate the permission policy information of the request object according to the file tag policy information of the target file and the file access request of the request object.

In a possible implementation, the processing module is specifically configured to send a permission request for the target file to a second device, where the permission request includes the file tag policy information of the target file, the access operation information and the public key of the request object, and the file tag policy information of the target file is encrypted with the public key of the target file; to obtain permission information fed back by the second device, where the permission information includes a first ciphertext, the first ciphertext is obtained by encrypting the permission policy information of the request object with the public key of the request object, and the permission policy information of the request object is obtained by the second device by processing the private key of the target file, the file tag policy information of the target file and the access operation information; and to decrypt the first ciphertext using the private key of the request object to obtain the permission policy information of the request object.

在一种可能的实现方式中,所述目标文件利用文件加密密钥加密,所述文件加密密钥封装在所述目标文件的文件标签策略信息中,所述权限信息还包括利用所述请求对象的公钥对所述文件加密密钥加密得到的第二密文,所述处理模块还用于若基于所述权限策略信息,确定所述请求对象具有访问权限,利用所述文件加密密钥对所述目标文件进行解密,所述文件加密密钥为利用所述请求对象的私钥对所述第二密文进行解密得到的。In one possible implementation, the target file is encrypted using a file encryption key, and the file encryption key is encapsulated in the file tag policy information of the target file. The permission information also includes a second ciphertext encrypted by using the public key of the request object. The processing module is also used to decrypt the target file using the file encryption key if it is determined that the request object has access rights based on the permission policy information. The file encryption key is obtained by decrypting the second ciphertext using the private key of the request object.

在一种可能的实现方式中,所述获取模块,还用于获取目标文件的文件标签;In a possible implementation, the acquisition module is further used to acquire a file tag of the target file;

生成模块,用于基于所述文件标签以及标签策略模板,生成所述目标文件的文件标签策略信息。A generating module is used to generate file tag policy information of the target file based on the file tag and the tag policy template.

在一种可能的实现方式中,所述标签策略模板是从第二设备获取的。In a possible implementation, the tag policy template is obtained from the second device.

在一种可能的实现方式中,所述获取模块,还用于获取针对所述目标文件的自定义标签策略信息;In a possible implementation, the acquisition module is further used to acquire custom tag policy information for the target file;

所述生成模块,还用于利用所述自定义标签策略信息更新所述目标文件的文件标签策略信息。The generating module is further used to update the file label policy information of the target file by using the custom label policy information.

在一种可能的实现方式中,所述第一设备为主机。In a possible implementation manner, the first device is a host.

在一种可能的实现方式中,所述装置应用于所述第一设备的应用层。In a possible implementation manner, the apparatus is applied to an application layer of the first device.

在一种可能的实现方式中,所述装置应用于所述第一设备的系统层。In a possible implementation manner, the apparatus is applied to a system layer of the first device.

在一种可能的实现方式中,所述应用程序为预设安全应用程序。In a possible implementation manner, the application is a preset security application.

在一种可能的实现方式中,所述第一设备为存储设备,所述获取模块,具体用于获取第三设备发送的由请求对象触发的针对目标文件的文件访问请求,所述文件访问请求由所述第三设备利用安全协议封装;利用所述安全协议解封所述文件访问请求。In a possible implementation, the first device is a storage device, and the acquisition module is specifically used to obtain a file access request for a target file sent by a third device and triggered by a request object, and the file access request is encapsulated by the third device using a security protocol; and the file access request is unpacked using the security protocol.

在一种可能的实现方式中,所述控制模块,具体用于按照所述请求对象的权限策略信息以及所述请求对象的访问操作信息,生成反馈文件信息,向所述第三设备发送利用安全协议封装后的所述反馈文件 信息。In a possible implementation, the control module is specifically configured to generate feedback file information according to the permission policy information of the request object and the access operation information of the request object, and send the feedback file encapsulated by the security protocol to the third device. information.

The acquisition module, the processing module and the control module may each be implemented in software or in hardware. By way of example, the implementation of the acquisition module is described below; the processing module and the control module may be implemented in the same way.

As an example of a software functional unit, the acquisition module may include code running on a computing instance. The computing instance may include at least one of a physical host (computing device), a virtual machine and a container, and there may be one or more computing instances. For example, the acquisition module may include code running on multiple hosts, virtual machines or containers. The multiple hosts, virtual machines or containers running the code may be located in the same region or in different regions. Further, they may be located in the same availability zone (AZ) or in different AZs, where each AZ includes one data center or multiple geographically close data centers; a region usually includes multiple AZs.

Likewise, the multiple hosts, virtual machines or containers running the code may be located in the same virtual private cloud (VPC) or in multiple VPCs. A VPC is usually set up within one region; for communication between two VPCs in the same region, and for cross-region communication between VPCs in different regions, a communication gateway is set up in each VPC and the VPCs are interconnected through these gateways.

As an example of a hardware functional unit, the acquisition module may include at least one computing device, such as a server. Alternatively, the acquisition module may be a device implemented with an application-specific integrated circuit (ASIC) or a programmable logic device (PLD). The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these.

The multiple computing devices included in the acquisition module may be located in the same region or in different regions, in the same AZ or in different AZs, and likewise in the same VPC or in multiple VPCs. The multiple computing devices may be any combination of servers, ASICs, PLDs, CPLDs, FPGAs, GALs and other computing devices.

It should be noted that in other embodiments the acquisition module, the processing module and the control module may each be used to perform any step of the file access method; the steps for which each module is responsible may be specified as required, and the full functionality of the file access apparatus is achieved by having the acquisition module, the processing module and the control module implement different steps of the file access method.

The present application further provides a file access permission determination apparatus 1100, applied to a second device. As shown in FIG. 11, the apparatus includes:

an acquisition module, configured to acquire a permission request for the target file sent by a first device, the permission request including the file label policy information of the target file, access operation information and the public key of a request object, where the file label policy information is encrypted with the public key of the target file, the file label policy information corresponds to the file label of the target file and describes the control policy for access operations on the target file, the file label includes labels of one or more security dimensions and is set by the administrator of the target file or generated based on the file attributes of the target file, and the request object is a system user of an operating system program of the first device or an application user of an application program;

a decryption module, configured to decrypt the file label policy information with the private key of the target file;

a determination module, configured to determine the permission policy information of the request object based on the file label policy information of the target file and the access operation information, the permission policy information describing the permission policy of the request object for the access operation on the target file;

an encryption module, configured to encrypt the permission policy information of the request object with the public key of the request object to obtain a first ciphertext; and

a sending module, configured to send permission information to the first device, the permission information including the first ciphertext.

In a possible implementation, the target file is encrypted with a file encryption key that is encapsulated in the file label policy information of the target file; the encryption module is further configured to encrypt the file encryption key with the public key of the request object to obtain a second ciphertext, and the permission information further includes the second ciphertext.

In a possible implementation, the sending module is further configured to send a label policy template to the first device in response to receiving a label policy template acquisition request sent by the first device.

In a possible implementation, the second device is a server or a management device.

The acquisition module, decryption module, determination module, encryption module and sending module may each be implemented in software or in hardware. By way of example, the implementation of the acquisition module is described below; the decryption module, determination module, encryption module and sending module may be implemented in the same way.

As an example of a software functional unit, the acquisition module may include code running on a computing instance. The computing instance may include at least one of a physical host (computing device), a virtual machine and a container, and there may be one or more computing instances. For example, the acquisition module may include code running on multiple hosts, virtual machines or containers. The multiple hosts, virtual machines or containers running the code may be located in the same region or in different regions. Further, they may be located in the same availability zone (AZ) or in different AZs, where each AZ includes one data center or multiple geographically close data centers; a region usually includes multiple AZs.

Likewise, the multiple hosts, virtual machines or containers running the code may be located in the same virtual private cloud (VPC) or in multiple VPCs. A VPC is usually set up within one region; for communication between two VPCs in the same region, and for cross-region communication between VPCs in different regions, a communication gateway is set up in each VPC and the VPCs are interconnected through these gateways.

As an example of a hardware functional unit, the acquisition module may include at least one computing device, such as a server. Alternatively, the acquisition module may be a device implemented with an application-specific integrated circuit (ASIC) or a programmable logic device (PLD). The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these.

The multiple computing devices included in the acquisition module may be located in the same region or in different regions, in the same AZ or in different AZs, and likewise in the same VPC or in multiple VPCs. The multiple computing devices may be any combination of servers, ASICs, PLDs, CPLDs, FPGAs, GALs and other computing devices.

It should be noted that in other embodiments the acquisition module, decryption module, determination module, encryption module and sending module may each be used to perform any step of the file access permission determination method; the steps for which each module is responsible may be specified as required, and the full functionality of the file access permission determination apparatus is achieved by having these modules implement different steps of the file access permission determination method.

The present application further provides a computing device 1200. As shown in FIG. 12, the computing device 1200 includes a bus 1202, a processor 1204, a memory 1206 and a communication interface 1208. The processor 1204, the memory 1206 and the communication interface 1208 communicate with one another through the bus 1202. The computing device 1200 may be a server or a terminal device. It should be understood that the present application does not limit the number of processors or memories in the computing device 1200.

The bus 1202 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus or the like. Buses may be classified as address buses, data buses, control buses and so on. For ease of illustration only one line is drawn in FIG. 12, but this does not mean that there is only one bus or only one type of bus. The bus 1202 may include paths that carry information between the components of the computing device 1200 (for example, the memory 1206, the processor 1204 and the communication interface 1208).

The processor 1204 may include any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), a digital signal processor (DSP) and other processors.

The memory 1206 may include volatile memory, such as random access memory (RAM). The processor 1204 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).

The memory 1206 stores executable program code, and the processor 1204 executes this program code to implement the functions of the acquisition module, the processing module and the control module described above, thereby carrying out the file access method. That is, the memory 1206 stores instructions for executing the file access method.

Alternatively, the memory 1206 stores executable code, and the processor 1204 executes this code to implement the functions of the acquisition module, decryption module, determination module, encryption module and sending module described above, thereby carrying out the file access method. That is, the memory 1206 stores instructions for executing the file access permission determination method.

The communication interface 1208 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to implement communication between the computing device 1200 and other devices or communication networks.

An embodiment of the present application further provides a computing device cluster. The cluster includes at least one computing device, which may be a server, such as a central server, an edge server or a local server in a local data center. In some embodiments, the computing device may also be a terminal device such as a desktop computer, a laptop computer or a smartphone.

As shown in FIG. 13, the computing device cluster includes at least one computing device 1200. The memories 1206 of one or more computing devices 1200 in the cluster may store the same instructions for executing the file access method.

In some possible implementations, the memories 1206 of one or more computing devices 1200 in the cluster may each store part of the instructions for executing the file access method. In other words, one or more computing devices 1200 in combination may jointly execute the instructions for the file access method.

It should be noted that the memories 1206 of different computing devices 1200 in the cluster may store different instructions, each used to perform part of the functions of the file access apparatus. That is, the instructions stored in the memories 1206 of different computing devices 1200 may implement the functions of one or more of the acquisition module, the processing module and the control module.

In some possible implementations, one or more computing devices in the cluster may be connected through a network, which may be a wide area network, a local area network or the like. FIG. 14 shows one possible implementation, in which two computing devices 1200A and 1200B are connected through a network; specifically, each computing device connects to the network through its communication interface. In this kind of implementation, the memory 1206 of the computing device 1200A stores instructions for performing the functions of the acquisition module, while the memory 1206 of the computing device 1200B stores instructions for performing the functions of the processing module and the control module.

The connection shown in FIG. 14 may be chosen because the file access method provided by the present application needs, for example, to process large amounts of data, so the functions implemented by the processing module and the control module are assigned to the computing device 1200B.

It should be understood that the functions of the computing device 1200A shown in FIG. 14 may also be performed by multiple computing devices 1200. Likewise, the functions of the computing device 1200B may also be performed by multiple computing devices 1200.

An embodiment of the present application further provides another computing device cluster. The connections between the computing devices in this cluster may be similar to those of the cluster described with reference to FIG. 13 and FIG. 14. The difference is that the memories 1206 of one or more computing devices 1200 in this cluster may store the same instructions for executing the file access permission determination method.

In some possible implementations, the memories 1206 of one or more computing devices 1200 in this cluster may each store part of the instructions for executing the file access permission determination method. In other words, one or more computing devices 1200 in combination may jointly execute the instructions for the file access permission determination method.

It should be noted that the memories 1206 of different computing devices 1200 in the cluster may store different instructions, used to perform part of the functions of file access permission determination. That is, the instructions stored in the memories 1206 of different computing devices 1200 may implement the functions of one or more of the acquisition module, decryption module, determination module, encryption module and sending module.

An embodiment of the present application further provides a computer program product containing instructions. The computer program product may be software or a program product containing instructions that can run on a computing device or be stored in any available medium. When the computer program product runs on at least one computing device, it causes the at least one computing device to execute the file access method or the file access permission determination method.

An embodiment of the present application further provides a computer-readable storage medium. The computer-readable storage medium may be any available medium that a computing device can store, or a data storage device such as a data center that contains one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or magnetic tape), an optical medium (for example, a DVD) or a semiconductor medium (for example, a solid state drive). The computer-readable storage medium contains instructions that instruct a computing device to execute the file access method or the file access permission determination method.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions recorded in the foregoing embodiments, or replace some of the technical features with equivalents; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of protection of the technical solutions of the embodiments of the present invention.

Claims (22)

一种文件访问方法,其特征在于,所述方法应用于第一设备,所述方法包括:A file access method, characterized in that the method is applied to a first device, and the method comprises: 获取由请求对象触发的针对目标文件的文件访问请求,所述文件访问请求包括访问操作信息,所述访问操作信息用于描述所述请求对象需要对所述目标文件执行的访问操作;所述请求对象为所述第一设备的操作系统程序的系统用户,或者为应用程序的应用用户;Acquire a file access request for a target file triggered by a request object, the file access request including access operation information, the access operation information being used to describe an access operation that the request object needs to perform on the target file; the request object is a system user of an operating system program of the first device, or an application user of an application program; 获取所述请求对象的权限策略信息,所述权限策略信息是基于所述目标文件的文件标签策略信息以及所述文件访问请求确定的;所述文件标签策略信息与所述目标文件的文件标签对应,所述文件标签策略信息用于描述针对所述目标文件的访问操作的控制策略,所述权限策略信息用于指示所述请求对象具有的操作目标文件的权限;所述文件标签包括一种或者多种安全维度的标签,所述文件标签由所述目标文件的管理者设置或者基于所述目标文件的文件属性生成;Acquire the permission policy information of the request object, the permission policy information is determined based on the file tag policy information of the target file and the file access request; the file tag policy information corresponds to the file tag of the target file, the file tag policy information is used to describe the control policy for the access operation on the target file, and the permission policy information is used to indicate the permission of the request object to operate the target file; the file tag includes one or more security dimension tags, and the file tag is set by the administrator of the target file or generated based on the file attributes of the target file; 按照所述权限策略信息执行对所述请求对象访问所述目标文件的访问控制。Access control of the request object to the target file is performed according to the authority policy information. 
2. The method according to claim 1, characterized in that obtaining the permission policy information of the request object comprises:
generating the permission policy information of the request object according to the file label policy information of the target file and the file access request of the request object.

3. The method according to claim 1, characterized in that obtaining the permission policy information of the request object comprises:
sending a permission request for the target file to a second device, the permission request including the file label policy information of the target file, the access operation information and the public key of the request object, wherein the file label policy information of the target file is encrypted with the public key of the target file;
acquiring permission information fed back by the second device, the permission information including a first ciphertext, the first ciphertext including a ciphertext obtained by encrypting the permission policy information of the request object with the public key of the request object, the permission policy information of the request object being obtained by the second device by processing the private key of the target file, the file label policy information of the target file and the access operation information;
decrypting the first ciphertext with the private key of the request object to obtain the permission policy information of the request object.

4. The method according to claim 3, characterized in that the target file is encrypted with a file encryption key, the file encryption key is encapsulated in the file label policy information of the target file, the permission information further includes a second ciphertext obtained by encrypting the file encryption key with the public key of the request object, and before performing access control on the access of the request object to the target file according to the permission policy information of the request object, the method further comprises:
if it is determined, based on the permission policy information, that the request object has access permission, decrypting the target file with the file encryption key, the file encryption key being obtained by decrypting the second ciphertext with the private key of the request object.

5. The method according to claim 1, characterized in that the method further comprises:
obtaining a file label of the target file;
generating the file label policy information of the target file based on the file label and a label policy template.

6. The method according to claim 5, characterized in that the label policy template is obtained from a second device.

7. The method according to claim 5, characterized in that the method further comprises:
obtaining custom label policy information for the target file;
updating the file label policy information of the target file with the custom label policy information.

8. The method according to claim 1, characterized in that the first device is a host.

9. The method according to claim 8, characterized in that the method is applied to an application layer of the first device.

10. The method according to claim 8 or 9, characterized in that the method is applied to a system layer of the first device.

11. The method according to claim 10, characterized in that the application program is a preset security application program.

12. The method according to claim 1, characterized in that the first device is a storage device, and obtaining the file access request for the target file triggered by the request object comprises:
acquiring a file access request for the target file, triggered by the request object and sent by a third device, the file access request being encapsulated by the third device using a security protocol;
decapsulating the file access request using the security protocol.

13. The method according to claim 12, characterized in that performing access control on the access of the request object to the target file according to the permission policy information comprises:
generating feedback file information according to the permission policy information of the request object and the access operation information of the request object, and sending the feedback file information, encapsulated using the security protocol, to the third device.
14. A method for determining file access permission, characterized in that the method is applied to a second device and comprises:
acquiring a permission request for a target file sent by a first device, the permission request including file label policy information of the target file, access operation information and a public key of a request object, wherein the file label policy information is encrypted with the public key of the target file, the file label policy information corresponds to a file label of the target file and is used to describe a control policy for access operations on the target file, the file label includes labels of one or more security dimensions and is set by an administrator of the target file or generated based on file attributes of the target file, and the request object is a system user of an operating system program of the first device or an application user of an application program;
decrypting the file label policy information with the private key of the target file;
determining permission policy information of the request object based on the file label policy information of the target file and the access operation information, the permission policy information being used to describe the permission policy of the request object for the access operation on the target file;
encrypting the permission policy information of the request object with the public key of the request object to obtain a first ciphertext;
sending permission information to the first device, the permission information including the first ciphertext.

15. The method according to claim 14, characterized in that the target file is encrypted with a file encryption key, the file encryption key is encapsulated in the file label policy information of the target file, and the method further comprises:
encrypting the file encryption key with the public key of the request object to obtain a second ciphertext, the permission information further including the second ciphertext.

16. The method according to claim 14, characterized in that the method further comprises:
in response to acquiring a label policy template acquisition request sent by the first device, sending a label policy template to the first device.

17. The method according to any one of claims 14 to 16, characterized in that the second device is a server or a management device.
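The permission exchange of claims 3 and 4 (first device) and claims 14 and 15 (second device), as an added example that is not part of the patent or of any code of the applicant: the file label policy is sealed to the target file's public key, the second device decides the requested operation and returns the decision as the first ciphertext and the file encryption key as the second ciphertext, both sealed to the request object's public key, and the first device releases the key only on a grant. RSA-OAEP as the public-key scheme, the JSON layout of the policy and decision, and the sample label and file key are assumptions of this example; the claims fix none of them.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"slices"
)

// LabelPolicy is a constructed file label policy: the file's security label, the
// operations that label permits, and the encapsulated file encryption key (claims 4, 15).
type LabelPolicy struct {
	Label   string
	Allowed []string
	FileKey []byte
}

// Seal is the public-key encryption the claims leave open; RSA-OAEP is assumed here.
func Seal(pub *rsa.PublicKey, m []byte) []byte {
	c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
	if err != nil {
		panic(err) // only a bad key or an oversized message gets here
	}
	return c
}
func unseal(priv *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, c, nil)
}

// SecondDevice (claims 14-15): unseal the policy with the file's private key, then seal the
// decision for op (first ciphertext) and, only when granted, the file key (second) to reqPub.
func SecondDevice(filePriv *rsa.PrivateKey, sealedPolicy []byte, op string, reqPub *rsa.PublicKey) (first, second []byte) {
	var p LabelPolicy
	if plain, err := unseal(filePriv, sealedPolicy); err != nil || json.Unmarshal(plain, &p) != nil {
		panic("label policy was not sealed to this file's public key")
	}
	granted := slices.Contains(p.Allowed, op)
	if granted {
		second = Seal(reqPub, p.FileKey) // a denied requester never receives the key
	}
	dj, _ := json.Marshal(map[string]bool{op: granted}) // decision keyed by the operation asked for
	return Seal(reqPub, dj), second
}

// FirstDevice (claims 3-4): open the decision with the requester's private key and release
// the file key only if the decision grants op, the operation this device actually requested.
func FirstDevice(reqPriv *rsa.PrivateKey, op string, first, second []byte) ([]byte, bool) {
	var d map[string]bool
	if plain, err := unseal(reqPriv, first); err != nil || json.Unmarshal(plain, &d) != nil || !d[op] {
		return nil, false
	}
	key, err := unseal(reqPriv, second)
	return key, err == nil
}
```

Withholding the second ciphertext on a denied request means a denied request object never holds the file encryption key, and keying the decision by operation lets the first device reject a grant that answers a different operation than the one it sent; both are choices of this example rather than requirements of the claims.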
18. A file access apparatus, characterized in that the apparatus is applied to a first device and comprises:
an acquisition module, configured to acquire a file access request for a target file triggered by a request object, the file access request including access operation information that describes the access operation the request object needs to perform on the target file, the request object being a system user of an operating system program of the first device or an application user of an application program;
a processing module, configured to obtain permission policy information of the request object, the permission policy information being determined based on file label policy information of the target file and the file access request, wherein the file label policy information corresponds to a file label of the target file and is used to describe a control policy for access operations on the target file, the permission policy information is used to indicate the permission of the request object to operate on the target file, and the file label includes labels of one or more security dimensions and is set by an administrator of the target file or generated based on file attributes of the target file;
a control module, configured to perform access control on the access of the request object to the target file according to the permission policy information.
19. An apparatus for determining file access permission, characterized in that the apparatus is applied to a second device and comprises:
an acquisition module, configured to acquire a permission request for a target file sent by a first device, the permission request including file label policy information of the target file, access operation information and a public key of a request object, wherein the file label policy information is encrypted with the public key of the target file, the file label policy information corresponds to a file label of the target file and is used to describe a control policy for access operations on the target file, the file label includes labels of one or more security dimensions and is set by an administrator of the target file or generated based on file attributes of the target file, and the request object is a system user of an operating system program of the first device or an application user of an application program;
a decryption module, configured to decrypt the file label policy information with the private key of the target file;
a determination module, configured to determine permission policy information of the request object based on the file label policy information of the target file and the access operation information, the permission policy information being used to describe the permission policy of the request object for the access operation on the target file;
an encryption module, configured to encrypt the permission policy information of the request object with the public key of the request object to obtain a first ciphertext;
a sending module, configured to send permission information to the first device, the permission information including the first ciphertext.

20. A computing device cluster, characterized in that it includes at least one computing device, each computing device including a processor and a memory;
the processor of the at least one computing device is configured to execute instructions stored in the memory of the at least one computing device, so that the computing device cluster performs the method according to any one of claims 1 to 13 or the method according to any one of claims 14 to 17.

21. A computer program product comprising instructions, characterized in that, when the instructions are run by a computing device cluster, they cause the computing device cluster to perform the method according to any one of claims 1 to 13 or the method according to any one of claims 14 to 17.

22. A computer-readable storage medium, characterized in that it includes computer program instructions which, when executed by a computing device cluster, cause the computing device cluster to perform the method according to any one of claims 1 to 13 or the method according to any one of claims 14 to 17.
PCT/CN2024/099581 | 2023-11-16 | 2024-06-17 | File access method and apparatus, file access permission determination method and apparatus, and related devices | Pending | WO2025102725A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN202311534765.9A CN120012121A (en) | 2023-11-16 | 2023-11-16 | File access method, file access permission determination method, device and related equipment
CN202311534765.9 | 2023-11-16

Publications (1)

Publication Number | Publication Date
WO2025102725A1 (en) | 2025-05-22

Family

ID=95672481

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/CN2024/099581 (Pending, WO2025102725A1 (en)) | File access method and apparatus, file access permission determination method and apparatus, and related devices | 2023-11-16 | 2024-06-17

Country Status (2)

Country | Link
CN (1) | CN120012121A (en)
WO (1) | WO2025102725A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US7992188B2 (en) * | 2006-02-06 | 2011-08-02 | Ricoh Company, Ltd. | Document access control system, data processing apparatus, program product and method for performing document access control
CN104318171A (en) * | 2014-10-09 | 2015-01-28 | 中国科学院信息工程研究所 | Android privacy data protection method and system based on authority tags
CN105512565A (en) * | 2015-11-26 | 2016-04-20 | 浪潮电子信息产业股份有限公司 | Method and server for preventing electronic document leakage
CN109614812A (en) * | 2018-09-25 | 2019-04-12 | 北京计算机技术及应用研究所 | File outgoing managing and control system and method under a kind of security application environment
CN111400269A (en) * | 2019-01-02 | 2020-07-10 | 中国移动通信有限公司研究院 | IPFS file processing method, node, medium and equipment
CN115982778A (en) * | 2023-03-14 | 2023-04-18 | 北京仁科互动网络技术有限公司 | OBS file access method, system, device, electronic equipment and storage medium

Also Published As

Publication number | Publication date
CN120012121A (en) | 2025-05-16

Legal Events

Date | Code | Title | Description
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24890094; Country of ref document: EP; Kind code of ref document: A1