CN110414211A - A kind of resource-based IOSS right management method - Google Patents

Info

Publication number
CN110414211A
Authority
CN
China
Prior art keywords
user
bucket
resource
permission
access
Legal status
Pending
Application number
CN201910689051.2A
Other languages
Chinese (zh)
Inventor
邓光超
Current Assignee
Inspur Software Group Co Ltd
Original Assignee
Inspur Software Group Co Ltd
Priority date
2019-07-29
Filing date
2019-07-29
Publication date
2019-11-05
Application filed by Inspur Software Group Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a resource-based IOSS rights management method in the field of object storage technology. The method comprises user management and resource rights management: user management provides the user base for resource rights management and provides the creation and deletion of users and the changing of passwords; resource rights management takes the resource as its unit, covers the two resource classes Bucket and Object, and manages the resource access control list and the permissions with which users access resources. The resource-based IOSS rights management method of the invention supports rights management functions and has good application value.

Description

A resource-based IOSS rights management method
Technical field
The invention relates to the field of object storage technology, and specifically provides a resource-based IOSS rights management method.
Background technique
IOSS (Inspur Object Storage Service) is Inspur's object storage system; it supports efficient upload, download, update and deletion of object data.
IOSS comprises three classes of service node: the OSLN service node, the OS storage service node and the metadata management service node. The OSLN service node mainly runs the OSLN service and serves as the management node for the OS service nodes. The OS storage service node runs the OS storage service, the OSSN service and the OSRN service: the OS storage service performs the actual storage and management of object data, while the OSSN and OSRN services provide the basic data transfer functions for object data backup, the OSSN service providing the object data sending function and the OSRN service providing the object data copy function. The metadata management service comprises the OSMetadata service, which performs object storage metadata management and exception handling and is provided by an Apache Kudu cluster.
IOSS provides operations on Buckets and Objects. A Bucket is the container that stores Objects, and every Object must belong to some Bucket. Bucket names are globally unique; Objects in the same Bucket cannot share a name, Objects in different Buckets may, and in principle there is no limit on the number of Objects in a Bucket.
Operations on a Bucket include creating, deleting and renaming a Bucket. Operations on an Object include uploading, downloading, deleting, renaming and updating an Object.
In practical deployments, besides managing the data itself, users also need per-user rights management over the data in object storage, which the IOSS system does not currently support.
Summary of the invention
The technical task of the invention is, in view of the above problems, to provide a resource-based IOSS rights management method that supports rights management functions.
To achieve this object, the invention provides the following technical scheme:
A resource-based IOSS rights management method, comprising user management and resource rights management;
User management provides the user base for resource rights management and provides the creation and deletion of users and the changing of passwords;
Resource rights management takes the resource as its unit, covers the two resource classes Bucket and Object, and manages the resource access control list and the permissions with which users access resources.
Preferably, in user management users are divided into administrators and ordinary users. The administrator is responsible for creating and deleting ordinary users; ordinary users are created by the administrator and are responsible for managing and authorizing operations on specific object data.
Preferably, in resource rights management, managing the resource access control list means controlling the access users make to a resource, with the levels public read-write, public read, private and default. The user access levels of a Bucket's resource access control list are public read-write, public read and private, with private as the default; the user access levels of an Object's resource access control list are public read-write, public read, private and default.
The access level of a Bucket's resource access control list can be specified when the Bucket is created or modified after creation is complete; only the creator, i.e. the owner, of the Bucket has permission to do so, and the default is private. Only the Bucket's owner, i.e. its creator, has permission to set and read the Bucket ACL.
Preferably, public read-write on a Bucket's resource access control list means all users have read and write permission on the Bucket and the Objects in it; public read means all users have read permission on the Bucket and the Objects in it, and only the Bucket owner or authorized users have write permission; private means only the Bucket owner or authorized users have read or write permission on the Bucket.
Preferably, public read-write on an Object's resource access control list means all users have read and write permission on the Object; public read means all users have read permission on the Object, and only the Object owner or authorized users have write permission on it; private means only the Object owner or authorized users have read or write permission on the Object; default means the user's permission on the Object is inherited from the user's access permission on the Bucket. If no permission is set on the Object, i.e. its resource access control list is default, the Object's permission is the same as the Bucket's permission; if a permission is set on the Object, the Object's permission takes precedence over the Bucket's permission.
The resource access control list can be set when the resource is created or after creation is complete; only the Object's owner or the Bucket's owner, i.e. its creator, may set and read an Object's resource access control list.
Preferably, in resource rights management, managing the permissions with which users access resources means granting to or revoking from users the corresponding permissions on resources in object storage; the permissions that can be granted are read, read-write, write, full permission and deny access.
Preferably, a read operation on a Bucket is obtaining the Bucket's metadata and the names of the Objects in it and reading the data and metadata of all Objects; a write operation on a Bucket is uploading Objects, updating Objects and metadata, and renaming and deleting Objects in the Bucket; a read-write operation on a Bucket comprises the specific read and write operations on the Bucket; full permission on a Bucket means the designated user has the same permissions as the owner; deny access on a Bucket means having no permission at all.
The API operations included in a read operation on a Bucket are:
list_objects, get_object_metadata, get_object, get_object_to_file, list_buckets.
The API operations included in a write operation on a Bucket are:
put_object_from_file, put_object_from_file_auto, put_object, update_object_from_file, update_object, rename_object, set_object_custom_metadata, delete_object, delete_all_object (bucket owner).
The owner of a Bucket has all permissions on all Objects under it.
Only the Bucket's owner, i.e. its creator, may set and read the Bucket ACL, namely set_bucket_acl and get_bucket_acl.
Preferably, a read operation on an Object is enumerating the Object's data and metadata; a write operation on an Object is updating the Object and its metadata and deleting the Object; a read-write operation on an Object comprises the specific read and write operations on the Object; full permission on an Object means the designated user has the same permissions as the owner; deny access on an Object means having no permission at all.
The API operations included in a read operation on an Object are:
get_object_metadata, get_object, get_object_to_file.
The API operations included in a write operation on an Object are:
update_object_from_file, update_object, rename_object, set_object_custom_metadata, delete_object.
The Object owner has all permissions on the Object.
Only the Object's owner or the Bucket's owner, i.e. its creator, may set and read the Object ACL.
Compared with the prior art, the resource-based IOSS rights management method of the invention has the following notable beneficial effects: the resource access list provides coarse-grained rights management for users and permission granting provides fine-grained rights management for resources, meeting the needs of different scenarios; furthermore, through user management and resource rights management the method supports rights management functions and has good application value.
Specific embodiment
The resource-based IOSS rights management method of the invention is described in further detail below with reference to an embodiment.
Embodiment
The resource-based IOSS rights management method of the invention comprises user management and resource rights management.
User management provides the user base for resource rights management and provides the creation and deletion of users and the changing of passwords.
In user management users are divided into administrators and ordinary users. The administrator is responsible for creating and deleting ordinary users; ordinary users are created by the administrator and are responsible for managing and authorizing operations on specific object data.
Resource rights management takes the resource as its unit, covers the two resource classes Bucket and Object, and manages the resource access control list and the permissions with which users access resources.
In resource rights management, managing the resource access control list means controlling the access users make to a resource, with the levels public read-write, public read, private and default. The user access levels of a Bucket's resource access control list are public read-write, public read and private, with private as the default. The user access levels of an Object's resource access control list are public read-write, public read, private and default.
The access level of a Bucket's resource access control list can be specified when the Bucket is created or modified after creation is complete; only the creator, i.e. the owner, of the Bucket has permission to do so, and the default is private. Only the Bucket's owner, i.e. its creator, has permission to set and read the Bucket ACL.
Public read-write on a Bucket's resource access control list means all users have read and write permission on the Bucket and the Objects in it; public read means all users have read permission on the Bucket and the Objects in it, and only the Bucket owner or authorized users have write permission; private means only the Bucket owner or authorized users have read or write permission on the Bucket.
Public read-write on an Object's resource access control list means all users have read and write permission on the Object; public read means all users have read permission on the Object, and only the Object owner or authorized users have write permission on it; private means only the Object owner or authorized users have read or write permission on the Object; default means the user's permission on the Object is inherited from the user's access permission on the Bucket. If no permission is set on the Object, i.e. its resource access control list is default, the Object's permission is the same as the Bucket's permission; if a permission is set on the Object, the Object's permission takes precedence over the Bucket's permission.
The resource access control list can be set when the resource is created or after creation is complete; only the Object's owner or the Bucket's owner, i.e. its creator, may set and read an Object's resource access control list.
In resource rights management, managing the permissions with which users access resources means granting to or revoking from users the corresponding permissions on resources in object storage; the permissions that can be granted are read, read-write, write, full permission and deny access.
A read operation on a Bucket is obtaining the Bucket's metadata and the names of the Objects in it and reading the data and metadata of all Objects; a write operation on a Bucket is uploading Objects, updating Objects and metadata, and renaming and deleting Objects in the Bucket; a read-write operation on a Bucket comprises the specific read and write operations on the Bucket; full permission on a Bucket means the designated user has the same permissions as the owner; deny access on a Bucket means having no permission at all.
The API operations included in a read operation on a Bucket are:
list_objects, get_object_metadata, get_object, get_object_to_file, list_buckets.
The API operations included in a write operation on a Bucket are:
put_object_from_file, put_object_from_file_auto, put_object, update_object_from_file, update_object, rename_object, set_object_custom_metadata, delete_object, delete_all_object (bucket owner).
The owner of a Bucket has all permissions on all Objects under it.
Only the Bucket's owner, i.e. its creator, may set and read the Bucket ACL, namely set_bucket_acl and get_bucket_acl.
A read operation on an Object is enumerating the Object's data and metadata; a write operation on an Object is updating the Object and its metadata and deleting the Object; a read-write operation on an Object comprises the specific read and write operations on the Object; full permission on an Object means the designated user has the same permissions as the owner; deny access on an Object means having no permission at all.
The API operations included in a read operation on an Object are:
get_object_metadata, get_object, get_object_to_file.
The API operations included in a write operation on an Object are:
update_object_from_file, update_object, rename_object, set_object_custom_metadata, delete_object.
The Object owner has all permissions on the Object.
Only the Object's owner or the Bucket's owner, i.e. its creator, may set and read the Object ACL.
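The Bucket and Object ACL levels, the default-inherits-from-Bucket rule, the per-user grants (read, write, read-write, full, deny) and the owner-only ACL management described in the summary and in the embodiment above, modelled as an added Python example (not Inspur code and not the IOSS API). It assumes that an Object-level grant is checked before a Bucket-level grant, mirroring the stated rule that a set Object permission outranks the Bucket permission; all users, names and grants are constructed, and user management (the administrator creating and deleting ordinary users) is not modelled.

```python
"""Toy model of the resource-based IOSS rights scheme described above
(added illustration, not Inspur code; all users, Buckets, Objects and grants
are constructed; the API operation names are the ones the page lists)."""
from dataclasses import dataclass, field
from enum import Enum

class Acl(Enum):
    PUBLIC_RW = "public-read-write"
    PUBLIC_READ = "public-read"
    PRIVATE = "private"
    DEFAULT = "default"      # Objects only: inherit the Bucket's ACL

class Grant(Enum):
    READ = "read"
    WRITE = "write"
    READ_WRITE = "read-write"
    FULL = "full"            # same permissions as the owner
    DENY = "deny"            # no permission at all, beats any public ACL

# Read and write API operations as classified on the page.
READ_OPS = {"list_objects", "get_object_metadata", "get_object",
            "get_object_to_file", "list_buckets"}
WRITE_OPS = {"put_object_from_file", "put_object_from_file_auto", "put_object",
             "update_object_from_file", "update_object", "rename_object",
             "set_object_custom_metadata", "delete_object"}
ACL_OPS = {"set_bucket_acl", "get_bucket_acl"}   # owner-only on the page

@dataclass
class Obj:
    owner: str
    acl: Acl = Acl.DEFAULT                       # inherit from the Bucket
    grants: dict = field(default_factory=dict)   # user -> Grant

@dataclass
class Bucket:
    owner: str
    acl: Acl = Acl.PRIVATE                       # Bucket default is private
    grants: dict = field(default_factory=dict)   # user -> Grant

def set_acl(actor, bucket, acl, obj=None):
    """Bucket ACL: owner only, never 'default'. Object ACL: Object or Bucket owner."""
    if obj is None:
        if actor != bucket.owner or acl is Acl.DEFAULT:
            raise PermissionError("Bucket ACL is set by its owner, to a concrete value")
        bucket.acl = acl
    elif actor in (bucket.owner, obj.owner):
        obj.acl = acl
    else:
        raise PermissionError("Object ACL is set by the Object or Bucket owner")

def effective_acl(bucket, obj):
    """A set Object ACL takes precedence; 'default' inherits the Bucket ACL."""
    return bucket.acl if obj.acl is Acl.DEFAULT else obj.acl

def grant_allows(grant, is_read):
    if grant is Grant.DENY:
        return False
    if grant in (Grant.READ_WRITE, Grant.FULL):
        return True
    return is_read if grant is Grant.READ else not is_read

def authorize(user, op, bucket, obj=None):
    """True if `user` may run `op` on `obj` in `bucket` (on the Bucket if obj is None)."""
    if op in ACL_OPS:
        return user == bucket.owner          # only the creator/owner
    if op not in READ_OPS | WRITE_OPS:
        raise ValueError(f"unknown API operation: {op}")
    is_read = op in READ_OPS
    if user == bucket.owner or (obj is not None and user == obj.owner):
        return True                          # owners hold every permission
    # Explicit grants, Object level before Bucket level (assumption, mirroring
    # the page's rule that a set Object permission outranks the Bucket's).
    grant = obj.grants.get(user) if obj is not None else None
    if grant is None:
        grant = bucket.grants.get(user)
    if grant is not None:
        return grant_allows(grant, is_read)
    acl = bucket.acl if obj is None else effective_acl(bucket, obj)
    if acl is Acl.PUBLIC_RW:
        return True
    return is_read and acl is Acl.PUBLIC_READ   # private: nothing without a grant
```

A deny grant is evaluated before any ACL, so it blocks a user even on a public-read-write resource, which is the "no permission at all" semantics the page gives to deny access.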
The embodiment described above is only a preferred specific embodiment of the invention; the usual variations and substitutions made by those skilled in the art within the scope of the technical scheme of the invention all fall within the scope of the invention.

Claims (8)

1. A resource-based IOSS rights management method, characterised in that the method comprises user management and resource rights management:
User management provides the user base for resource rights management and provides the creation and deletion of users and the changing of passwords;
Resource rights management takes the resource as its unit, covers the two resource classes Bucket and Object, and manages the resource access control list and the permissions with which users access resources.
2. The resource-based IOSS rights management method according to claim 1, characterised in that in user management users are divided into administrators and ordinary users; the administrator is responsible for creating and deleting ordinary users, and ordinary users, created by the administrator, are responsible for managing and authorizing operations on specific object data.
3. The resource-based IOSS rights management method according to claim 2, characterised in that in resource rights management, managing the resource access control list means controlling the access users make to a resource, with the levels public read-write, public read, private and default, wherein the user access levels of a Bucket's resource access control list are public read-write, public read and private, with private as the default, and the user access levels of an Object's resource access control list are public read-write, public read, private and default.
4. The resource-based IOSS rights management method according to claim 3, characterised in that public read-write on a Bucket's resource access control list means all users have read and write permission on the Bucket and the Objects in it; public read means all users have read permission on the Bucket and the Objects in it, and only the Bucket owner or authorized users have write permission; private means only the Bucket owner or authorized users have read or write permission on the Bucket.
5. The resource-based IOSS rights management method according to claim 4, characterised in that public read-write on an Object's resource access control list means all users have read and write permission on the Object; public read means all users have read permission on the Object, and only the Object owner or authorized users have write permission on it; private means only the Object owner or authorized users have read or write permission on the Object; default means the user's permission on the Object is inherited from the user's access permission on the Bucket.
6. The resource-based IOSS rights management method according to claim 5, characterised in that in resource rights management, managing the permissions with which users access resources means granting to or revoking from users the corresponding permissions on resources in object storage, the permissions that can be granted being read, read-write, write, full permission and deny access.
7. The resource-based IOSS rights management method according to claim 6, characterised in that a read operation on a Bucket is obtaining the Bucket's metadata and the names of the Objects in it and reading the data and metadata of all Objects; a write operation on a Bucket is uploading Objects, updating Objects and metadata, and renaming and deleting Objects in the Bucket; a read-write operation on a Bucket comprises the specific read and write operations on the Bucket; full permission on a Bucket means the designated user has the same permissions as the owner; deny access on a Bucket means having no permission at all.
8. The resource-based IOSS rights management method according to claim 7, characterised in that a read operation on an Object is enumerating the Object's data and metadata; a write operation on an Object is updating the Object and its metadata and deleting the Object; a read-write operation on an Object comprises the specific read and write operations on the Object; full permission on an Object means the designated user has the same permissions as the owner; deny access on an Object means having no permission at all.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910689051.2A CN110414211A (en) 2019-07-29 2019-07-29 A kind of resource-based IOSS right management method

Publications (1)

Publication Number Publication Date
CN110414211A true CN110414211A (en) 2019-11-05

Family

ID=68363729

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102129539A (en) * 2011-03-11 2011-07-20 清华大学 Data resource authority management method based on access control list
JP2011258126A (en) * 2010-06-11 2011-12-22 Ntt Data Corp Access authority change device, access authority change method and program
CN104504343A (en) * 2014-12-05 2015-04-08 国云科技股份有限公司 Authority control method base on resource granularity
CN107688753A (en) * 2017-09-01 2018-02-13 郑州云海信息技术有限公司 A kind of method and apparatus of ACL controls of authority
CN108243175A (en) * 2016-12-27 2018-07-03 北京金山云网络技术有限公司 A kind of access control method and device based on bucket strategy

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
昝风彪 (Zan Fengbiao): "Design and Implementation of Role-Based Permission Control in ASP.NET", 科技信息(科学教研) (Science & Technology Information (Science Teaching and Research)) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191105