CN106778327A - A security authentication method for a distributed file system - Google Patents

Info

Publication number: CN106778327A
Application number: CN201611063962.7A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 朱峰, 卢鹏飞, 张必煌, 陈军
Current Assignee: Dragon Storage (suzhou) Technology Co Ltd
Original Assignee: Dragon Storage (suzhou) Technology Co Ltd
Application filed by: Dragon Storage (suzhou) Technology Co Ltd
Priority to: CN201611063962.7A
Prior art keywords: file system, feature, application program, metadata, distributed file

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention discloses a security authentication method for a distributed file system, implemented on the basis of process feature matching. The file system client locally maintains a secure-process feature library cache and periodically updates it from the metadata node. When any user accesses the distributed file system through an application program, the file system client looks up the relevant information features of the process in which the application program runs in the secure-process feature library cache. After the match is completed, the client sends a metadata request to the metadata node and performs the subsequent metadata operations and data operations; if the match fails, it returns a failure and denies access. The method is independent of the file system's access permissions and further improves the security of file system access through process feature matching, and the secure-process feature library cache is easy to update and simple to operate. The method requires no change to the user's application programs and no new operating system interface, so it is easy to introduce into distributed file systems in bulk.

Description

A security authentication method for a distributed file system
Technical field
The present invention relates to a file system access mechanism, and more particularly to a security authentication mechanism for a distributed file system based on process features.
Background art
A distributed file system generally consists of file system clients, metadata nodes and data nodes. The metadata node stores the metadata of files, which usually includes the file name, the file owner, the file access permissions and the data distribution of the file. The data node stores the actual data of files, and may also periodically report to the metadata node information about the data blocks it stores. The file system client is installed on the application node, and the user's application program accesses the metadata and data of files through the client.
File operations are generally divided into metadata operations and data operations. Metadata operations include lookup (query file metadata), create (create a file), mkdir (create a directory), rename (rename a file), unlink (delete a file), rmdir (delete a directory), setattr (modify file metadata) and so on. Data operations are relatively simple and mainly include read (read file content) and write (write file content).
In a distributed file system, when a conventional application program performs a metadata operation, the file system client on the application node sends a metadata request to the metadata service node. When it performs a data operation, that is, reading or writing a file, it must first obtain the file's metadata from the metadata node and only then can it read the actual content of the file. The flow is shown in Fig. 1.
A traditional file system generally uses access permissions to control whether an operating system user is allowed to perform certain operations on a file. These control methods fall into two classes: one is the traditional scheme based on combinations of user, group, other and r (read), w (write), x (execute); the other is based on an access control list (Access Control List). These mechanisms work well when an application program accesses files under an ordinary user identity, but access to files by a superuser such as root or administrator is not restricted by them. Once the superuser password of the operating system is cracked, any data can easily be leaked or destroyed, with very serious consequences.
Summary of the invention
In view of the above deficiencies of the prior art, the object of the present invention is to provide a security authentication method for a distributed file system that solves the problem of protecting the distributed file system against loss after the superuser password has been cracked.
The technical solution that achieves this object is a security authentication method for a distributed file system, the distributed file system consisting of a file system client, a metadata node and a data node, characterized in that the security authentication method is implemented on the basis of process feature matching. The file system client locally maintains a secure-process feature library cache and periodically updates it from the metadata node. When any user accesses the distributed file system through an application program, the file system client looks up the relevant information features of the process in which the application program runs in the secure-process feature library cache. After the match is completed, it sends a metadata request to the metadata node and performs the subsequent metadata operations and data operations; if the match fails, it returns a failure and forbids access to the data. The secure-process features of the cache include at least the process ID, the parent process ID, the path of the process executable file and the MD5 value of the process executable file. A match means that the relevant information features of the process in which the application program runs are identical to, or contained in, one or more of the secure-process features.
Further, the path by which the application program accesses the distributed file system runs from user mode into kernel mode and through the virtual file system to the file system client.
Further, the relevant information features of the process in which the application program runs are at least one of, or a combination of several of, the process ID, the parent process ID, the path of the application program and the parameters of the application program.
Further, the metadata node provides a management interface; an operable device connects to the management interface, and the security features of each process are added through the operable device, thereby updating the secure-process feature library on the metadata node.
Further, after the secure-process feature library on the metadata node has been updated, the metadata node sends a cache update notification to the file system client, and the file system client responds to the cache update notification automatically or passively.
Further, adding the security features of each process includes adding feature parameters, removing feature parameters, and optimizing the number and types of feature parameters.
When applied to distributed file system access, the security authentication method of the present invention has the following advantages: it is independent of the file system's access permissions and improves the security of file system access through process feature matching, and the secure-process feature library cache is easy to update and simple to operate. The method requires no change to the user's application programs and no new operating system interface, so it is easy to introduce into distributed file systems in bulk.
Brief description of the drawings
Fig. 1 is a schematic flow diagram of an application program accessing a distributed file system.
Fig. 2 is a schematic diagram of the path by which an application program accesses a distributed file system.
Fig. 3 is a schematic diagram of an embodiment of the security authentication method of the present invention in a distributed file system.
Detailed description of the embodiments
In view of the current, widespread low-security situation in which a cracked password easily gives a superuser unrestricted access to a distributed file system, the inventors, through innovative research, propose a new security authentication method for a distributed file system, which improves both the access security and the ease of use of the file system.
As described above, an existing distributed file system consists of a file system client, a metadata node and a data node. The security authentication method of the present invention is first introduced in summary. Its design starting point is that the method is implemented on the basis of process feature matching. The file system client locally maintains a secure-process feature library cache and periodically updates it from the metadata node. When any user accesses the distributed file system through an application program, the file system client looks up the relevant information features of the process in which the application program runs in the secure-process feature library cache. After the match is completed, it sends a metadata request to the metadata node and performs the subsequent metadata operations and data operations; if the match fails, it returns a failure and forbids access to the data. The secure-process features of the cache include at least the process ID, the parent process ID, the path of the process executable file, the MD5 value of the process executable file and so on. A match means that the relevant information features of the process in which the application program runs are identical to, or contained in, one or more of the secure-process features.
As for the path by which an application program accesses the distributed file system, the application program usually accesses files through system calls such as open, read, write and close. As shown in Fig. 2, a system call passes from user mode into kernel mode and through the virtual file system (VFS) layer to the file system client. In this design, the client is responsible for communicating with the metadata node and also takes on the task of checking whether the application program is safe.
The relevant information features of the process in which the application program runs are at least one of, or a combination of several of, the process ID, the parent process ID, the path of the application program and the parameters of the application program. Using these intrinsic elements of the application program as the objects matched in the security feature library cache escapes the limitations of the distinction between superuser and ordinary user, and forms a new security authentication mechanism.
To make clearer how the security authentication of the technical solution is implemented, refer to the preferred implementation shown in Fig. 3. The security authentication process mainly involves two parts, the client and the metadata node; it may also involve an operable device set up as needed to act as a management node.
On the metadata node side, in addition to the metadata handling flow for ordinary file access, the node independently maintains a secure-process feature library, which is the source from which clients update their secure-process feature library caches. The metadata node also provides a management interface; an operable device (the management node in the figure) connects to the management interface and adds the security features of each process, thereby updating the secure-process feature library on the metadata node. After the secure-process feature library on the metadata node has been updated, the metadata node sends a cache update notification to the file system client, and the file system client responds to the cache update notification automatically or passively.
It should be understood that adding the security features of each process here includes adding feature parameters, removing feature parameters, and optimizing the number and types of feature parameters; that is, adding or removing process-related features or changing the value range of an attribute.
The client is the main part responsible for the security authentication of the present invention. It holds the locally maintained and periodically updated secure-process feature library cache. When any user (superuser or guest user) runs an application program that accesses the file system, the application's process triggers a data request that contains the relevant information features of that process, and the client looks these features up in the cache. If the ID, parameters or path in the features are identical to, or contained in, an entry, the result is a match; otherwise it is a mismatch. Depending on the result, the client responds in one of two ways: it sends the metadata request or it returns a failure.
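The client-side check described above, sketched as an added example (it is not code from the patent). The rule format in which unset fields are ignored, the subset reading of "contained in" for arguments, the 60-second refresh interval, and all class names, paths and PIDs are assumptions made for illustration.

```python
import hashlib
import time
from dataclasses import dataclass, fields
from typing import Callable, Optional, Tuple


def md5_of(image: bytes) -> str:  # digest of an executable image
    return hashlib.md5(image).hexdigest()


@dataclass(frozen=True)
class ProcessInfo:
    """Features the client collects for the requesting process."""
    pid: int
    ppid: int
    exe_path: str
    exe_md5: str
    args: Tuple[str, ...] = ()


@dataclass(frozen=True)
class FeatureRule:
    """One library entry; a field left as None is not checked (assumed format)."""
    pid: Optional[int] = None
    ppid: Optional[int] = None
    exe_path: Optional[str] = None
    exe_md5: Optional[str] = None
    args: Optional[Tuple[str, ...]] = None

    def is_empty(self) -> bool:
        return all(getattr(self, f.name) is None for f in fields(self))

    def matches(self, proc: ProcessInfo) -> bool:
        for f in fields(self):
            want, have = getattr(self, f.name), getattr(proc, f.name)
            if want is None:
                continue
            # args: every listed argument must be present; others: identical
            ok = set(want) <= set(have) if f.name == "args" else want == have
            if not ok:
                return False
        return True


class FeatureCache:
    """Client-side copy of the feature library held by the metadata node."""
    def __init__(self, fetch: Callable[[], tuple], max_age: float = 60.0):
        self._fetch, self._max_age = fetch, max_age
        self.version, self._rules, self._loaded_at = -1, (), None

    def refresh(self) -> None:
        version, rules = self._fetch()
        # An entry with no constraints would admit every process: drop it.
        self._rules = tuple(r for r in rules if not r.is_empty())
        self.version, self._loaded_at = version, time.monotonic()

    def on_update_notice(self, version: int) -> None:
        if version > self.version:  # metadata node announced a newer library
            self.refresh()

    def is_allowed(self, proc: ProcessInfo) -> bool:
        if self._loaded_at is None or time.monotonic() - self._loaded_at > self._max_age:
            self.refresh()  # first use or periodic refresh
        return any(rule.matches(proc) for rule in self._rules)


def run_demo() -> list:
    """Constructed sample data; "sent" forwards the metadata request, "denied" returns failure."""
    image = b"constructed backup tool image"
    rules = [FeatureRule(exe_path="/opt/app/backup", exe_md5=md5_of(image)),
             FeatureRule()]  # second entry is a misconfigured empty rule
    cache = FeatureCache(lambda: (1, rules))
    procs = [
        ProcessInfo(4100, 1, "/opt/app/backup", md5_of(image), ("--full",)),
        # Same path, different file content: the digest no longer matches.
        ProcessInfo(4200, 1, "/opt/app/backup", md5_of(b"replaced image")),
        ProcessInfo(4300, 4299, "/bin/cat", md5_of(b"constructed cat image")),
    ]
    return ["sent" if cache.is_allowed(p) else "denied" for p in procs]
```

The decision never consults the user identity, so the same process is admitted or denied whether it runs as a superuser or not; a rule that pins only a path would admit the second sample process, which is why the sample rule also pins the file digest.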
It follows that the security authentication method is independent of the access permissions of traditional file systems and improves the security of file system access through process feature matching, and the secure-process feature library cache is easy to update and simple to operate. The method requires no change to the user's application programs and no new operating system interface, so it is easy to introduce into distributed file systems in bulk.
The features and advantages of the invention are significant. The preferred embodiment above does not limit the core of the invention, and any equivalent replacement of the embodiment falls within the scope of protection of this patent application.

Claims (6)

1. A security authentication method for a distributed file system, the distributed file system consisting of a file system client, a metadata node and a data node, characterized in that: the security authentication method is implemented on the basis of process feature matching; the file system client locally maintains a secure-process feature library cache and periodically updates the cache from the metadata node; when any user accesses the distributed file system through an application program, the file system client looks up the relevant information features of the process in which the application program runs in the secure-process feature library cache, and after the match is completed sends a metadata request to the metadata node and performs the subsequent metadata operations and data operations, or, if the match fails, returns a failure and forbids access to the data; wherein the secure-process features of the secure-process feature library cache include at least the process ID, the parent process ID, the path of the process executable file and the MD5 value of the process executable file, and the match means that the relevant information features of the process in which the application program runs are identical to, or contained in, one or more of the secure-process features.
2. The security authentication method for a distributed file system according to claim 1, characterized in that: the path by which the application program accesses the distributed file system runs from user mode into kernel mode and through the virtual file system to the file system client.
3. The security authentication method for a distributed file system according to claim 1, characterized in that: the relevant information features of the process in which the application program runs are at least one of, or a combination of several of, the process ID, the parent process ID, the path of the application program and the parameters of the application program.
4. The security authentication method for a distributed file system according to claim 1, characterized in that: the metadata node provides a management interface; an operable device connects to the management interface, and the security features of each process are added through the operable device, thereby updating the secure-process feature library on the metadata node.
5. The security authentication method for a distributed file system according to claim 4, characterized in that: after the secure-process feature library on the metadata node has been updated, the metadata node sends a cache update notification to the file system client, and the file system client responds to the cache update notification automatically or passively.
6. The security authentication method for a distributed file system according to claim 4, characterized in that: adding the security features of each process includes adding feature parameters, removing feature parameters, and optimizing the number and types of feature parameters.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611063962.7A CN106778327A (en) 2016-11-28 2016-11-28 A kind of safety certifying method of distributed file system

Publications (1)

Publication Number Publication Date
CN106778327A true CN106778327A (en) 2017-05-31

Family

ID=58901920

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170531