CN111797424A - Method and device for processing request - Google Patents

Publication number
CN111797424A
Authority
CN
China
Prior art keywords
user
identification
project
item
target item
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911176643.0A
Other languages
Chinese (zh)
Inventor
马赛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jingdong Century Trading Co Ltd, Beijing Jingdong Shangke Information Technology Co Ltd
Priority to CN201911176643.0A
Publication of CN111797424A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for processing a request, and relates to the field of cloud technology. One embodiment of the method comprises: receiving a request sent by a user terminal, wherein the request carries the user identifier and the identifier of a target item, the target item being any one item selected by the user from at least one item to which the user belongs; determining the authority of the user in the target item according to the user identifier and the identifier of the target item; and acquiring, from a data warehouse, response data that matches both the request and the authority of the user in the target item, and returning the response data to the user terminal. This embodiment genuinely enables the user to use, item by item, the part of the data warehouse corresponding to each item.

Description

Method and device for processing request
Technical Field
The present invention relates to the field of cloud technologies, and in particular, to a method and an apparatus for processing a request.
Background
With the development of public clouds, users now need to use the data warehouse on a per-project basis, each project giving access to the part of the data warehouse that corresponds to it.
In the process of implementing the invention, the inventor found that at least the following problems exist in the prior art:
In the prior art, all response data matching a request sent by a user terminal is acquired from the data warehouse. That is, through a single item the user uses the parts of the data warehouse corresponding to every item, rather than only the part corresponding to that item, so the user cannot use the part of the data warehouse corresponding to an item on a per-item basis.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for processing a request, which genuinely enable a user to use, item by item, the part of a data warehouse corresponding to each item.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a method of processing a request.
The method for processing the request of the embodiment of the invention comprises the following steps:
receiving a request sent by a user terminal, wherein the request carries the user identifier and the identifier of a target item; the target item is any one item selected by the user from at least one item to which the user belongs;
determining the authority of the user in the target item according to the user identification and the identification of the target item;
and acquiring response data matched with the request and the authority of the user in the target item from a data warehouse, and returning the response data to the user terminal.
In one embodiment, determining the user's rights in the target item according to the user identification and the identification of the target item includes:
acquiring an authority parameter according to the user identifier and the identifier of the target item;
and acquiring the authority of the user in the target item according to the authority parameter.
In one embodiment, acquiring the right parameter according to the user identifier and the identifier of the target item includes:
according to the user identification and the identification of the target project, respectively acquiring the identification of the role of the user in the target project and the identification of the group of the user in the target project from a pre-established first mapping relation;
generating a control instruction according to the user identification;
the authority parameters comprise the identification of the role of the user in the target item, the identification of the group of the user in the target item and the control instruction;
the first mapping relation comprises a matching relation of the user identification, the identification of the target item, the identification of the role of the user in the target item and the identification of the group of the user in the target item.
In one embodiment, acquiring the authority of the user in the target item according to the authority parameter includes:
cutting off the direct relation between the user and all authorities according to the control instruction;
acquiring the authority matched with both the role identifier and the group identifier from a pre-established second mapping relation according to the role identifier of the user in the target project and the group identifier of the user in the target project, and taking the authority as the authority of the user in the target project;
the second mapping relation comprises the identification of the role of the user in the target item, the identification of the group of the user in the target item and the matching relation of the authority.
In one embodiment, obtaining response data from a data repository that matches both the request and the user's rights in the target item includes:
acquiring metadata matched with the request from a metadata base of a data warehouse;
filtering the metadata by adopting the authority of the user in the target project to obtain the filtered metadata;
and acquiring response data matched with the request and the authority of the user in the target item from the data warehouse according to the filtered metadata.
In one embodiment, before receiving the request sent by the user terminal, the method comprises:
for each item in at least one item, creating a matching relationship between the owner identification of the item and the identification of the role of the owner of the item in the item; creating, by an owner of the project, a matching relationship of a tenant identity of the project and an identity of a role of the tenant of the project in the project; the user includes an owner of the project or a tenant of the project.
In one embodiment, before receiving the request sent by the user terminal, the method comprises:
and forbidding the user to perform authorization operation on the group.
To achieve the above object, according to another aspect of the embodiments of the present invention, there is provided an apparatus for processing a request.
The device for processing the request of the embodiment of the invention comprises:
a receiving unit, configured to receive a request sent by a user terminal, where the request carries the user identifier and an identifier of a target item; the target item is any one item selected by the user from at least one item to which the user belongs;
the first processing unit is used for determining the authority of the user in the target item according to the user identification and the identification of the target item;
and the second processing unit is used for acquiring response data matched with the request and the authority of the user in the target item from a data warehouse and returning the response data to the user terminal.
In one embodiment, the first processing unit is to:
acquiring an authority parameter according to the user identifier and the identifier of the target item;
and acquiring the authority of the user in the target item according to the authority parameter.
In one embodiment, the first processing unit is to:
according to the user identification and the identification of the target project, respectively acquiring the identification of the role of the user in the target project and the identification of the group of the user in the target project from a pre-established first mapping relation;
generating a control instruction according to the user identification;
the authority parameters comprise the identification of the role of the user in the target item, the identification of the group of the user in the target item and the control instruction;
the first mapping relation comprises a matching relation of the user identification, the identification of the target item, the identification of the role of the user in the target item and the identification of the group of the user in the target item.
In one embodiment, the first processing unit is to:
cutting off the direct relation between the user and all authorities according to the control instruction;
acquiring the authority matched with both the role identifier and the group identifier from a pre-established second mapping relation according to the role identifier of the user in the target project and the group identifier of the user in the target project, and taking the authority as the authority of the user in the target project;
the second mapping relation comprises the identification of the role of the user in the target item, the identification of the group of the user in the target item and the matching relation of the authority.
In one embodiment, the second processing unit is to:
acquiring metadata matched with the request from a metadata base of a data warehouse;
filtering the metadata by adopting the authority of the user in the target project to obtain the filtered metadata;
and acquiring response data matched with the request and the authority of the user in the target item from the data warehouse according to the filtered metadata.
In one embodiment, the first processing unit is to:
before receiving a request sent by a user terminal, for each item in at least one item, creating a matching relation between an owner identification of the item and an identification of a role of the owner of the item in the item; creating, by an owner of the project, a matching relationship of a tenant identity of the project and an identity of a role of the tenant of the project in the project; the user includes an owner of the project or a tenant of the project.
In one embodiment, the first processing unit is to:
and before receiving a request sent by a user terminal, forbidding the user to carry out authorization operation on the group.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided an electronic apparatus.
An electronic device of an embodiment of the present invention includes: one or more processors; the storage device is used for storing one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors are enabled to realize the method for processing the request provided by the embodiment of the invention.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided a computer-readable medium.
A computer-readable medium of an embodiment of the present invention stores thereon a computer program, which when executed by a processor implements the method for processing a request provided by an embodiment of the present invention.
One embodiment of the above invention has the following advantages or benefits: the authority of the user in the target item is determined from the user identification and the identification of the target item carried by the request, and response data matching both the request and the authority of the user in the target item is returned to the user terminal. Because the response data matches the authority of the user in the target item, the user can, through the target item, use only the part of the data warehouse corresponding to the target item and cannot use the parts corresponding to other items, where other items are the items other than the target item among the at least two items to which the user belongs. The user thus genuinely uses the part of the data warehouse corresponding to an item on a per-item basis.
Further effects of the above non-conventional optional implementations are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of a main flow of a method of processing a request according to an embodiment of the invention;
FIG. 2 is an application scenario of a method of processing a request according to an embodiment of the present invention;
FIG. 3 is a prior art example of a relationship of users, items, and data warehouses;
FIG. 4 is an example of Hive rights in the prior art;
FIG. 5 is an example of Hive rights in an embodiment of the invention;
FIG. 6 is an example of the processing flow of the permission subject parameter in the embodiment of the present invention;
FIG. 7 is an example of the relationship of users, items and data warehouses in an embodiment of the present invention;
FIG. 8 is another example of the relationship of users, items, and data warehouses in an embodiment of the present invention;
FIG. 9 is an example of roles in the prior art;
FIG. 10 is an example of a relationship between a user and a role in an embodiment of the present invention;
FIG. 11 is a schematic diagram of the main elements of an apparatus for processing requests according to an embodiment of the present invention;
FIG. 12 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 13 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the prior art, the rights system of a data warehouse has three subject dimensions: USER, GROUP, and ROLE. The data warehouse performs authority verification by taking the union of the authorities of the three dimensions. This makes the granularity of rights too coarse, so the user cannot use the part of the data warehouse corresponding to an item on a per-item basis.
The HDFS rights of the data warehouse are controlled by groups, a concept that comes from groups in the LINUX system. When a group in the LINUX system changes, the authority is affected, and thus the security of using the data warehouse is not high.
In order to solve the problems in the prior art, an embodiment of the present invention provides a method for processing a request, as shown in FIG. 1, where the method includes:
Step S101: receiving a request sent by a user terminal, wherein the request carries the user identification and the identification of a target item; the target item is any one item selected by the user from at least one item to which the user belongs.
Step S102: determining the authority of the user in the target item according to the user identification and the identification of the target item.
Step S103: acquiring response data matched with the request and the authority of the user in the target item from a data warehouse, and returning the response data to the user terminal.
The embodiment is described below with a specific example, as shown in FIG. 2: the user logs in to the public cloud through the user terminal and selects item A. The user terminal sends the request to the cloud server through the WEB interface. The request carries the user identification and the identification of item A (item A is the target item), which is the item the user selects from the three items to which the user belongs (item A, item B and item C).
The cloud server receives the request, acquires the permission parameters (the permission subject parameters in the figure) according to the user identification and the identification of item A, and sends the request and the permission parameters to the MetaStore service through the RAS-API.
The MetaStore service acquires the authority of the user in item A according to the permission parameters; acquires metadata matched with the request from the metadata base of the data warehouse (the Hive metadata base in the figure); filters the metadata using the authority of the user in item A to obtain filtered metadata; acquires, according to the filtered metadata, response data matched with both the request and the authority of the user in item A from the data warehouse; and sends the response data to the cloud server.
The cloud server sends the response data to the user terminal.
The embodiment is described below with another specific example, as shown in FIG. 2: the user terminal sends the request to the cloud server through the WEB interface. The request carries the user identification and the identification of item A (item A is the target item), which is the item the user selects from the three items to which the user belongs (item A, item B and item C).
The cloud server receives the request, acquires the permission parameters (the permission subject parameters in the figure) according to the user identification and the identification of item A, and sends the request and the permission parameters to the Beeline service through the RAS-API.
The Beeline service sends the request and the permission parameters to the HiveServer service.
The HiveServer service sends the request and the permission parameters to the MetaStore service.
Specifically, the Beeline service stores the permission parameters in the Session and sends only the request to the HiveServer service. When the HiveServer service runs SQL, it acquires the permission parameters from the Session.
The MetaStore service acquires the authority of the user in item A according to the permission parameters; acquires metadata matched with the request from the metadata base of the data warehouse (the Hive metadata base in the figure); filters the metadata using the authority of the user in item A to obtain filtered metadata; and sends the filtered metadata to the HiveServer service.
The HiveServer service acquires, according to the filtered metadata, response data matched with both the request and the authority of the user in item A from the data warehouse, and sends the response data to the Beeline service.
The Beeline service sends the response data to the cloud server.
The cloud server sends the response data to the user terminal.
RAS-API service: a self-built API service that can call the MetaStore service or the HiveServer service directly, and can also call the HiveServer service through the Beeline service.
Beeline service: a service built into Hive that can connect to the HiveServer service in order to connect to Hive remotely.
MetaStore service: a service built into Hive that lets a user access metadata through the MetaStore service without knowing the user name and password of the relational database.
HiveServer service: a service built into Hive that allows a user to connect to Hive remotely through a client.
Hive: a data warehouse based on HDFS; it is the most widely used data warehouse at present, provides the HiveSQL function, and is simple and easy to use.
Role: a basic unit of the Hive permission subject.
Group: a basic unit of the Hive permission subject, the same as a group in the LINUX system.
It should be noted that the functionality provided by the data warehouse to each item is the same.
In this embodiment of the present invention, step S102 may include:
acquiring an authority parameter according to the user identifier and the identifier of the target item;
and acquiring the authority of the user in the target item according to the authority parameter.
It should be noted that the detailed description of the embodiment is provided below, and is not repeated herein.
In the embodiment, the authority is divided at a fine granularity through the authority parameters, so that the user genuinely uses the part of the data warehouse corresponding to an item on a per-item basis.
In the embodiment of the present invention, acquiring the right parameter according to the user identifier and the identifier of the target item includes:
according to the user identification and the identification of the target project, respectively acquiring the identification of the role of the user in the target project and the identification of the group of the user in the target project from a pre-established first mapping relation;
generating a control instruction according to the user identification;
the authority parameters comprise the identification of the role of the user in the target item, the identification of the group of the user in the target item and the control instruction;
the first mapping relation comprises a matching relation of the user identification, the identification of the target item, the identification of the role of the user in the target item and the identification of the group of the user in the target item.
In this embodiment, it should be noted that the permission parameter may further include the user identifier, which is used to verify whether the identifier of the role of the user in the target item and the identifier of the group of the user in the target item really exist.
The first mapping relationship may be stored in a MetaStore service.
The user identification may be a user name, the identification of the target item may be a target item name, the identification of the user's role in the target item may be a user's role name in the target item, and the identification of the user's group in the target item may be a user's group name in the target item. The name of any one role and the name of any one group have uniqueness.
Generating the control instruction according to the user identifier comprises: taking the user whose identification is the same as the user identifier as the target user, wherein the control instruction comprises setting the target user's permission switch to false.
In the embodiment, the control instruction is generated according to the user identifier, and the identifier of the role of the user in the target item and the identifier of the group of the user in the target item are each obtained according to the user identifier and the identifier of the target item. Therefore, the authority of the user in the target project depends on the role in the target project and on the group in the target project, and does not depend on the user; the authority of the user in each project is isolated, and the user uses the part of the data warehouse corresponding to a project on a per-project basis.
In the embodiment of the present invention, acquiring the authority of the user in the target item according to the authority parameter includes:
cutting off the direct relation between the user and all authorities according to the control instruction;
acquiring the authority matched with both the role identifier and the group identifier from a pre-established second mapping relation according to the role identifier of the user in the target project and the group identifier of the user in the target project, and taking the authority as the authority of the user in the target project;
the second mapping relation comprises the identification of the role of the user in the target item, the identification of the group of the user in the target item and the matching relation of the authority.
In this embodiment, the second mapping relationship may also be stored in the MetaStore service.
Once the direct relation between the user and all the authorities is cut off, the authority of the user in the target item no longer depends on the user. In addition, the user's rights in the target item may include read and write rights to the part of the data warehouse corresponding to the target item.
In the embodiment, the direct relation between the user and all the authorities is cut off through the control instruction, and the authorities matched with both the role identification and the group identification are obtained according to the role identification of the user in the target item and the group identification of the user in the target item. Therefore, the authority of the user in the target project depends on the role in the target project and on the group in the target project, and does not depend on the user; the authority of the user in each project is isolated, and the user uses the part of the data warehouse corresponding to a project on a per-project basis.
In this embodiment of the present invention, obtaining response data matching both the request and the user's right in the target item from a data repository includes:
acquiring metadata matched with the request from a metadata base of a data warehouse;
filtering the metadata by adopting the authority of the user in the target project to obtain the filtered metadata;
and acquiring response data matched with the request and the authority of the user in the target item from the data warehouse according to the filtered metadata.
In this embodiment, the following describes, by way of a specific example, filtering metadata by using the authority of the user in the target item, to obtain filtered metadata: the metadata includes metadata 1, metadata 2, and metadata 3. The items to which the user belongs include item 1, item 2, and item 3. Item 3 is a target item. The user's rights in item 1 match metadata 1, the user's rights in item 2 match metadata 2, and the user's rights in item 3 match metadata 3. Thus, the filtered metadata includes metadata 3. Metadata 1 and metadata 2 are filtered out.
In this embodiment, the metadata matched with the request is filtered using the authority of the user in the target item, and the response data is obtained from the filtered metadata. The response data is therefore not all of the response data matched with the request, but only the part stored in the portion of the data warehouse corresponding to the target item, so that the user genuinely uses the part of the data warehouse corresponding to an item on a per-item basis.
In the embodiment of the present invention, before receiving a request sent by a user terminal, the method includes:
for each item in at least one item, creating a matching relationship between the owner identification of the item and the identification of the role of the owner of the item in the item; creating, by an owner of the project, a matching relationship of a tenant identity of the project and an identity of a role of the tenant of the project in the project; the user includes an owner of the project or a tenant of the project.
In this embodiment, it should be understood that a project may have multiple roles but only one group. In addition, the group is created by a program from the project, and the owner of the project cannot create groups in the project. Furthermore, the roles of a tenant of the project in the project can include all roles in the project. The role of a tenant of the project in the project may be determined according to an agreement that the owner of the project has signed with the tenant.
Both the owner of the project and the tenant of the project may use the part of the data warehouse corresponding to the project on a per-project basis.
The owner of the project is recorded as the owner of the role in the metadata base of the data warehouse, and only the owner of the project has the right to perform operations such as authorization on the role.
In the embodiment, the matching relationship between the tenant identification of the project and the identification of the role of the tenant in the project is created by the owner of the project rather than by an administrator. This reduces cases in which someone who is not a tenant of the project uses, by way of an administrator, the part of the data warehouse corresponding to the project, and improves the security of using the data warehouse.
In the embodiment of the present invention, before receiving a request sent by a user terminal, the method includes:
and forbidding the user to perform authorization operation on the group.
It should be noted that the specific implementation manner of this embodiment is described in detail below, and is not described herein again.
In this embodiment, by prohibiting the group authorization operation by the user, the problem that the user cannot use the part corresponding to the item in the data warehouse through the item due to the group change in the LINUX system is reduced, and the security of using the data warehouse is improved.
The idea of the embodiment of the present invention is described below with reference to the prior art:
The prior art obtains response data according to the user's permissions in all projects to which the user belongs. As shown in fig. 3, in the prior art, no matter which project space a user is in, data in other authorized project spaces can be accessed, and the data in the part of the data warehouse corresponding to each project is not isolated.
The HIVE permission consists of user permissions, role permissions and group permissions. Therefore, the HIVE permission subject needs to be modified and the HIVE permissions decoupled.
As shown in fig. 4, in the prior art, the HIVE permission is based on the user (USER): a user's permission to use the data warehouse is the union of the permissions of all groups to which the user belongs, the permissions of all roles to which the user belongs, and the user's own permissions. The specific rule is as follows:
privilege = privilege(group(user)) ∪ privilege(role(user)) ∪ privilege(user)
As the roles and groups to which a user belongs keep increasing, verifying permissions by taking this maximum union creates security holes.
As shown in FIG. 5, in the present invention the relationship between the user and the group and the relationship between the user and the role remain strong, while the relationship between the permission subject (user, group, role) and the permission is changed from a strong relationship to a weak relationship. That is, the user can specify the group and the role, the user's own permission can be removed, and permissions are divided at a finer granularity.
The user uses the data warehouse through the Beeline service and needs to pass the permission subject parameters to the Beeline service.
Specifically, -n is used for the user name, and the other permission subjects (groups and roles) and the permission subject switch are modified as shown in the following table:
[Table 1: image in the original publication, not reproduced in this text]
Assume that the group to which the user U belongs includes G1, G2, and the roles to which the user belongs include R1, R2.
Example 1: using the HIVE default permission rule, the connection is made as follows:
beeline -u "jdbc:hive2://*.*.*.*:*/default" -n U
The user's permission to use the data warehouse:
privilege = privilege(G1) ∪ privilege(G2) ∪ privilege(R1) ∪ privilege(R2) ∪ privilege(U)
Example 2: using group G1 and role R2 while switching off the user permission, the connection is made as follows:
beeline -u "jdbc:hive2://*.*.*.*:*/default?user.group=G1;user.role=R2;user.privilege=false;" -n U
The user's permission to use the data warehouse:
privilege = privilege(G1) ∪ privilege(R2)
Example 3: the permission subject parameters may also be set manually, as follows:
Using role R1 and role R2:
set user.role=R1,R2;
Switching off the user permission:
set user.privilege=false;
HIVE acquires permissions through the get_privilege_set method, and by default HIVE still takes the maximum union of permissions as the user's permission to use the data warehouse. The permission subject parameters are therefore passed as input parameters to the get_privilege_set method in order to filter the permissions.
The specific process by which HIVE obtains the permissions comprises the following steps:
1. When the Beeline service is started, the permission subject parameters are passed in; if illegal parameters are passed in, an error is reported, otherwise the service starts normally.
2. After the Beeline service is started, the permission subject parameters can be set with the set method; if the setting is illegal, the setting fails, otherwise it succeeds.
3. The permission subject parameters are passed into the get_privilege_set method.
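The following added example, which is not part of the patent and is not Hive code, models the filtering described above: the default maximum-union rule, narrowing by permission subject parameters, and rejection of illegal parameters. All function names, the sample grants, the rule that an omitted subject type keeps the default, and the rule that a user may only name groups and roles they belong to are assumptions of the example.

```python
# Added illustration: a simplified model of permission-subject filtering.
# This is not Hive code; every function and variable name is hypothetical.

# Constructed sample grants: permission subject -> {(object, privilege)}.
GROUP_PRIVS = {
    "G1": {("proj_a.orders", "SELECT")},
    "G2": {("proj_b.users", "SELECT")},
}
ROLE_PRIVS = {
    "R1": {("proj_b.users", "INSERT")},
    "R2": {("proj_a.orders", "INSERT")},
}
USER_PRIVS = {"U": {("legacy.audit", "SELECT")}}

# Constructed memberships: user U belongs to groups G1, G2 and roles R1, R2.
USER_GROUPS = {"U": {"G1", "G2"}}
USER_ROLES = {"U": {"R1", "R2"}}

ALLOWED_KEYS = ("user.group", "user.role", "user.privilege")


class IllegalSubjectParameter(ValueError):
    """Raised for an unknown key, a bad value, or a subject the user lacks."""


def parse_subject_params(conf):
    """Parse 'user.group=G1;user.role=R1,R2;user.privilege=false;'."""
    params = {}
    for item in (part.strip() for part in conf.split(";")):
        if not item:
            continue
        key, sep, value = item.partition("=")
        key, value = key.strip(), value.strip()
        # Fail closed: an unrecognised or repeated key is an error, never
        # ignored, because a mistyped switch would leave user privileges on.
        if not sep or key not in ALLOWED_KEYS or key in params or not value:
            raise IllegalSubjectParameter(item)
        if key == "user.privilege":
            if value not in ("true", "false"):
                raise IllegalSubjectParameter(item)
            params[key] = value == "true"
        else:
            params[key] = {name.strip() for name in value.split(",")}
    return params


def effective_privileges(user, conf=""):
    """Return the privilege set for `user` under the subject parameters."""
    params = parse_subject_params(conf)
    member_groups = USER_GROUPS.get(user, set())
    member_roles = USER_ROLES.get(user, set())
    # Assumption: an omitted subject type keeps the default (all memberships).
    groups = params.get("user.group", member_groups)
    roles = params.get("user.role", member_roles)
    # Assumption: a user may only narrow to subjects they already belong to.
    foreign = (groups - member_groups) | (roles - member_roles)
    if foreign:
        raise IllegalSubjectParameter(",".join(sorted(foreign)))
    privileges = set()
    for group in groups:
        privileges |= GROUP_PRIVS.get(group, set())
    for role in roles:
        privileges |= ROLE_PRIVS.get(role, set())
    if params.get("user.privilege", True):
        privileges |= USER_PRIVS.get(user, set())
    return privileges
```

With no parameters the call returns the full union for U; with the parameters of Example 2 only the privileges of G1 and R2 remain.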
As shown in fig. 6, a permission subject parameter is set or specified; the permission subject parameter is verified to check whether it exists; the request is then processed according to another specific example shown in fig. 2.
After the HIVE permission is modified, permissions can be controlled according to different permission subjects. Turning to the permission requirements in a multi-tenant scenario, as shown in FIG. 7, a tenant only has permission to a project and can access the data stored in the part of the data warehouse corresponding to that project; the data stored in the parts of the data warehouse corresponding to different projects is isolated.
And decoupling the authority of the item and the user authority, giving the authority of the item to roles in the item and groups in the item, and closing the user authority. Therefore, the data warehouse is used to realize data isolation. As shown in fig. 8, a tenant may access its own authorized items; and the authority of the group in the project and the authority of the role in the project are used for authority verification, data are isolated, and the fact that the user uses the part corresponding to the project in the data warehouse according to the project is really realized.
After the permission is decoupled, the user uses the data warehouse through the project, and needs to specify the role name and the group name, so that the project has an association relationship with the group and the role. When a project is created, groups in the project and roles in the project are automatically created.
A project permission subject table is constructed to store the mapping relation between projects and permission subjects, as follows:
[Table 2: image in the original publication, not reproduced in this text]
And after the roles in the project and the groups in the project are established, authorization operation is carried out, and the authority of the roles in the project and the groups in the project to the data warehouse is ensured.
Assigning all rights to roles in the project and groups in the project;
the project creator, i.e. the owner of the project, is attributed to a group in the project.
Through the process, the roles in the project and the groups in the project have the authority of the project.
In order to isolate data, when a user uses the data warehouse through a project, the user permission needs to be switched off and the role and the group need to be specified for permission verification. The following changes are made:
MetaStore service:
The roles of the user in the project and the groups of the user in the project are obtained through the project permission subject table; the permission subject parameters comprise the user name, the names of the roles, the names of the groups, and the user permission switch set to false; the permission subject parameters are passed to the MetaStore service.
The Beeline service:
The roles of the user in the project and the groups of the user in the project are obtained through the project permission subject table; the permission subject parameters comprise the user name, the names of the roles, the names of the groups, and the user permission switch set to false; the permission subject parameters are passed to the Beeline service.
Through the process, the user really uses the part corresponding to the project in the data warehouse according to the project.
If the tenant wants to use the data warehouse through the project, authorization operations need to be performed, including: the owner of the project authorizes roles in the project to the tenant; the owner of the project calls the interface to attribute the tenant to a group in the project.
If the owner of the project wants to prohibit the tenant from using the part of the data warehouse corresponding to the project through the project, an authorization operation is also required, including: the owner of the project withdraws the role in the project from the tenant; the owner of the project calls the interface to remove the tenant from the group in the project.
After the tenant of the project passes the authorization, the authority of each project can be isolated by using the part corresponding to the project in the data warehouse.
As shown in fig. 9, in the prior art, the owner of the project can grant the permissions of the project to a role, but the role has no real owner and is shared by the administrator, so the administrator can give the permissions matching the role to someone who is not a tenant of the project. In some cases a non-tenant then uses the part of the data warehouse corresponding to the project, and the security of using the data warehouse is not high.
As shown in fig. 10, in the present invention, the role in the project is created by the owner of the project, only the owner of the project can perform the authorization operation, and the administrator cannot perform the authorization operation, thereby improving the security.
Roles can be created through the MetaStore service or the Beeline service:
In the MetaStore service, a matching relationship between the owner identification of the project and the identification of the role of the owner of the project in the project is created through the create_role method. It is then judged whether the sender of an instruction is the owner of the project: if so, a matching relationship between the tenant identification of the project and the identification of the role of the tenant of the project in the project is created through the grant_role method according to the instruction (which includes the tenant identification of the project and the role in the project); if not, an error is reported.
In the Beeline service, the roleDDL method of the DDLTask code is modified so that the adminGrantor parameter is changed from null to the owner identification of the project, and a matching relationship between the owner identification of the project and the identification of the role of the owner of the project in the project is created. It is then judged whether the sender of an instruction is the owner of the project: if so, a matching relationship between the tenant identification of the project and the identification of the role of the tenant of the project in the project is created according to the instruction (which includes the tenant identification of the project and the role in the project); if not, an error is reported.
The group of the data warehouse and the group in the LINUX system are the same concept, a user does not have the authority to edit the group in the LINUX system, but the user can authorize the group of the data warehouse through SQL, although a tenant of a project cannot belong to the group in other projects, the owner of the project can grant the authority to the group in other projects, and therefore security holes exist. To avoid such a security hole, the following processing is performed:
MetaStore service:
When the MetaStore service is called to perform an authorization operation, an error is reported directly if the authorization object is a group; if the authorization object is a user or a role, the authorization proceeds normally.
The Beeline service:
When the user executes SQL through the Beeline service to perform an authorization operation, the grantOrRevokePrivileges method of the DDLTask code is modified to check the type of the authorization object. If the authorization object is a group, an error is reported directly; if the authorization object is a user or a role, the authorization proceeds normally.
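The following added example, which is not part of the patent and is not MetaStore or Beeline code, models the grant rules described above: a project's role and group are created with the project, only the project owner can admit or remove a tenant, a grant to a group is rejected, and a project session is evaluated with the user permission switched off. The class, its method names, the generated role and group names, and the users alice, bob and carol are assumptions constructed for the example.

```python
# Added illustration: an in-memory model of the project grant rules.
# This is not MetaStore or Beeline code; every name here is hypothetical.


class AuthorizationError(Exception):
    pass


class ProjectAuthz:
    def __init__(self):
        self.subject_table = {}  # project -> {"owner", "role", "group"}
        self.members = {}        # project -> users holding its role and group
        self.privileges = {}     # (subject type, name) -> set of privileges

    def create_project(self, project, owner):
        # Creating a project creates its role and group automatically, records
        # the owner as the role's owner, and gives both the project's rights.
        role, group = project + "_role", project + "_group"
        self.subject_table[project] = {"owner": owner, "role": role, "group": group}
        self.members[project] = {owner}
        self.privileges[("ROLE", role)] = {(project, "ALL")}
        self.privileges[("GROUP", group)] = {(project, "ALL")}

    def _owned(self, sender, project):
        entry = self.subject_table.get(project)
        if entry is None:
            raise AuthorizationError("unknown project: " + project)
        if sender != entry["owner"]:
            raise AuthorizationError("sender is not the owner of " + project)
        return entry

    def grant_role(self, sender, project, tenant):
        # Only the owner, not an administrator, can admit a tenant.
        self._owned(sender, project)
        self.members[project].add(tenant)

    def revoke_role(self, sender, project, tenant):
        self._owned(sender, project)
        self.members[project].discard(tenant)

    def grant_privilege(self, sender, subject_type, name, privilege):
        if subject_type == "GROUP":
            # Groups are never a valid authorization object.
            raise AuthorizationError("granting to a group is prohibited")
        if subject_type == "ROLE":
            project = next((p for p, e in self.subject_table.items()
                            if e["role"] == name), None)
            if project is None:
                raise AuthorizationError("unknown role: " + name)
            self._owned(sender, project)
        elif subject_type != "USER":
            raise AuthorizationError("unknown subject type: " + subject_type)
        self.privileges.setdefault((subject_type, name), set()).add(privilege)

    def session_params(self, user, project):
        # Permission subject parameters derived from the project table.
        entry = self.subject_table.get(project)
        if entry is None or user not in self.members[project]:
            raise AuthorizationError(user + " does not belong to " + project)
        return {"user.group": entry["group"], "user.role": entry["role"],
                "user.privilege": False}

    def effective_privileges(self, user, project):
        # User-level grants are ignored because user.privilege is false.
        params = self.session_params(user, project)
        return (self.privileges[("ROLE", params["user.role"])]
                | self.privileges[("GROUP", params["user.group"])])


def demo():
    # Constructed scenario: alice owns p1, bob owns p2, carol is a tenant of p1.
    authz = ProjectAuthz()
    authz.create_project("p1", "alice")
    authz.create_project("p2", "bob")
    authz.grant_role("alice", "p1", "carol")
    try:
        authz.grant_privilege("alice", "GROUP", "p2_group", ("p1", "SELECT"))
        group_grant = "allowed"
    except AuthorizationError:
        group_grant = "rejected"
    return authz.session_params("carol", "p1"), group_grant
```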
In order to solve the problems in the prior art, an embodiment of the present invention provides an apparatus for processing a request, as shown in fig. 11, the apparatus including:
a receiving unit 1101, configured to receive a request sent by a user terminal, where the request carries the user identifier and an identifier of a target item; the target item is any one item selected by the user from at least one item to which the user belongs.
A first processing unit 1102, configured to determine, according to the user identifier and the identifier of the target item, a right of the user in the target item.
A second processing unit 1103, configured to obtain, from a data store, response data that matches both the request and the authority of the user in the target item, and return the response data to the user terminal.
In this embodiment of the present invention, the first processing unit 1102 is configured to:
acquiring an authority parameter according to the user identifier and the identifier of the target item;
and acquiring the authority of the user in the target item according to the authority parameter.
In this embodiment of the present invention, the first processing unit 1102 is configured to:
according to the user identification and the identification of the target project, respectively acquiring the identification of the role of the user in the target project and the identification of the group of the user in the target project from a pre-established first mapping relation;
generating a control instruction according to the user identification;
the authority parameters comprise the identification of the role of the user in the target item, the identification of the group of the user in the target item and the control instruction;
the first mapping relation comprises a matching relation of the user identification, the identification of the target item, the identification of the role of the user in the target item and the identification of the group of the user in the target item.
In this embodiment of the present invention, the first processing unit 1102 is configured to:
cutting off the direct relation between the user and all authorities according to the control instruction;
acquiring the authority matched with both the role identifier and the group identifier from a pre-established second mapping relation according to the role identifier of the user in the target project and the group identifier of the user in the target project, and taking the authority as the authority of the user in the target project;
the second mapping relation comprises the identification of the role of the user in the target item, the identification of the group of the user in the target item and the matching relation of the authority.
In this embodiment of the present invention, the second processing unit 1103 is configured to:
acquiring metadata matched with the request from a metadata base of a data warehouse;
filtering the metadata by adopting the authority of the user in the target project to obtain the filtered metadata;
and acquiring response data matched with the request and the authority of the user in the target item from the data warehouse according to the filtered metadata.
In this embodiment of the present invention, the first processing unit 1102 is configured to:
before receiving a request sent by a user terminal, for each item in at least one item, creating a matching relation between an owner identification of the item and an identification of a role of the owner of the item in the item; creating, by an owner of the project, a matching relationship of a tenant identity of the project and an identity of a role of the tenant of the project in the project; the user includes an owner of the project or a tenant of the project.
In this embodiment of the present invention, the first processing unit 1102 is configured to:
and before receiving a request sent by a user terminal, forbidding the user to carry out authorization operation on the group.
It should be understood that the functions performed by the components of the apparatus for processing a request according to the embodiments of the present invention have been described in detail in the method for processing a request according to the above embodiments, and are not described herein again.
Fig. 12 illustrates an exemplary system architecture 1200 to which the method of processing a request or the apparatus of processing a request of an embodiment of the present invention may be applied.
As shown in fig. 12, the system architecture 1200 may include terminal devices 1201, 1202, 1203, a network 1204 and a server 1205. Network 1204 is the medium used to provide communication links between terminal devices 1201, 1202, 1203 and server 1205. Network 1204 may include various types of connections, such as wired or wireless communication links, or fiber optic cables, to name a few.
A user may use terminal devices 1201, 1202, 1203 to interact with a server 1205 through a network 1204 to receive or send messages, etc. The terminal devices 1201, 1202, 1203 may have installed thereon various messenger client applications such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 1201, 1202, 1203 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 1205 may be a server that provides various services, such as a background management server (for example only) that supports shopping websites browsed by users using the terminal devices 1201, 1202, 1203. The backend management server may analyze and perform other processing on the received data such as the product information query request, and feed back a processing result (for example, target push information, product information — just an example) to the terminal device.
It should be noted that the method for processing the request provided by the embodiment of the present invention is generally executed by the server 1205, and accordingly, a device for processing the request is generally disposed in the server 1205.
It should be understood that the number of terminal devices, networks, and servers in fig. 12 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 13, shown is a block diagram of a computer system 1300 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 13 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 13, the computer system 1300 includes a Central Processing Unit (CPU) 1301 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1302 or a program loaded from a storage section 1308 into a Random Access Memory (RAM) 1303. In the RAM 1303, various programs and data necessary for the operation of the system 1300 are also stored. The CPU 1301, the ROM 1302, and the RAM 1303 are connected to each other via a bus 1304. An input/output (I/O) interface 1305 is also connected to bus 1304.
The following components are connected to the I/O interface 1305: an input portion 1306 including a keyboard, a mouse, and the like; an output section 1307 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 1308 including a hard disk and the like; and a communication section 1309 including a network interface card such as a LAN card, a modem, or the like. The communication section 1309 performs communication processing via a network such as the internet. A drive 1310 is also connected to the I/O interface 1305 as needed. A removable medium 1311 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1310 as necessary, so that a computer program read out therefrom is mounted into the storage portion 1308 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via communications component 1309 and/or installed from removable media 1311. The computer program executes the above-described functions defined in the system of the present invention when executed by a Central Processing Unit (CPU) 1301.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a unit, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes a receiving unit, a first processing unit, and a second processing unit. Where the names of these units do not in some cases constitute a limitation of the unit itself, for example, the first processing unit may also be described as a "unit for determining the user's rights in the target item from the user identification and the identification of the target item".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments; or may be separate and not incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to comprise: receiving a request sent by a user terminal, wherein the request carries the user identifier and the identifier of a target item; the target item is any one item selected by the user from at least one item to which the user belongs; determining the authority of the user in the target item according to the user identification and the identification of the target item; and acquiring response data matched with the request and the authority of the user in the target item from a data warehouse, and returning the response data to the user terminal.
According to the technical scheme of the embodiment of the invention, the authority of the user in the target item is determined through the user identification carried by the request and the identification of the target item, the response data matched with both the request and the authority of the user in the target item is returned to the user terminal, and because the response data is matched with the authority of the user in the target item, the user can only use the part corresponding to the target item in the data warehouse through the target item, and cannot use the part corresponding to other items in the data warehouse, and the other items refer to the items except the target item in at least two items to which the user belongs, so that the user really uses the part corresponding to the item in the data warehouse according to the items.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method of processing a request, comprising:
receiving a request sent by a user terminal, wherein the request carries the user identifier and the identifier of a target item; the target item is any one item selected by the user from at least one item to which the user belongs;
determining the authority of the user in the target item according to the user identification and the identification of the target item;
and acquiring response data matched with the request and the authority of the user in the target item from a data warehouse, and returning the response data to the user terminal.
2. The method of claim 1, wherein determining the user's rights in the target item based on the user identification and the identification of the target item comprises:
acquiring an authority parameter according to the user identifier and the identifier of the target item;
and acquiring the authority of the user in the target item according to the authority parameter.
3. The method of claim 2, wherein obtaining the permission parameter according to the user identifier and the identifier of the target item comprises:
according to the user identification and the identification of the target project, respectively acquiring the identification of the role of the user in the target project and the identification of the group of the user in the target project from a pre-established first mapping relation;
generating a control instruction according to the user identification;
the authority parameters comprise the identification of the role of the user in the target item, the identification of the group of the user in the target item and the control instruction;
the first mapping relation comprises a matching relation of the user identification, the identification of the target item, the identification of the role of the user in the target item and the identification of the group of the user in the target item.
4. The method of claim 3, wherein obtaining the user's rights in the target item according to the rights parameter comprises:
cutting off the direct relation between the user and all authorities according to the control instruction;
acquiring the authority matched with both the role identifier and the group identifier from a pre-established second mapping relation according to the role identifier of the user in the target project and the group identifier of the user in the target project, and taking the authority as the authority of the user in the target project;
the second mapping relation comprises the identification of the role of the user in the target item, the identification of the group of the user in the target item and the matching relation of the authority.
5. The method of claim 1, wherein obtaining response data from a data repository that matches both the request and the user's rights in the target item comprises:
acquiring metadata matched with the request from a metadata base of a data warehouse;
filtering the metadata by adopting the authority of the user in the target project to obtain the filtered metadata;
and acquiring response data matched with the request and the authority of the user in the target item from the data warehouse according to the filtered metadata.
6. The method of claim 1, prior to receiving the request sent by the user terminal, comprising:
for each item in at least one item, creating a matching relationship between the owner identification of the item and the identification of the role of the owner of the item in the item; creating, by an owner of the project, a matching relationship of a tenant identity of the project and an identity of a role of the tenant of the project in the project; the user includes an owner of the project or a tenant of the project.
7. The method of claim 1, prior to receiving the request sent by the user terminal, comprising:
and forbidding the user to perform authorization operation on the group.
8. An apparatus for processing a request, comprising:
a receiving unit, configured to receive a request sent by a user terminal, where the request carries the user identifier and an identifier of a target item; the target item is any one item selected by the user from at least one item to which the user belongs;
the first processing unit is used for determining the authority of the user in the target item according to the user identification and the identification of the target item;
and the second processing unit is used for acquiring response data matched with the request and the authority of the user in the target item from a data warehouse and returning the response data to the user terminal.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.
CN201911176643.0A 2019-11-26 2019-11-26 Method and device for processing request Pending CN111797424A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201911176643.0A CN111797424A (en) | 2019-11-26 | 2019-11-26 | Method and device for processing request

Publications (1)

Publication Number | Publication Date
CN111797424A (en) | 2020-10-20

Family

ID=72805584

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201911176643.0A Pending CN111797424A (en) | Method and device for processing request | 2019-11-26 | 2019-11-26

Country Status (1)

Country Link
CN (1) CN111797424A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20080052291A1 (en) * | 2006-08-22 | 2008-02-28 | Michael Bender | Database entitlement
CN106485101A (en) * | 2015-08-24 | 2017-03-08 | 阿里巴巴集团控股有限公司 | The access method of data and device under a kind of cloud computing environment
CN108229206A (en) * | 2018-01-09 | 2018-06-29 | 上海中畅数据技术有限公司 | A kind of right management method and system based on tag library
CN108280367A (en) * | 2018-01-22 | 2018-07-13 | 腾讯科技(深圳)有限公司 | Management method, device, computing device and the storage medium of data manipulation permission
CN110188573A (en) * | 2019-05-27 | 2019-08-30 | 深圳前海微众银行股份有限公司 | Subregion authorization method, device, equipment and computer readable storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112434818A (en) * | 2020-11-19 | 2021-03-02 | 脸萌有限公司 | Model construction method, device, medium and electronic equipment
CN112434818B (en) * | 2020-11-19 | 2023-09-26 | 脸萌有限公司 | Model construction method, device, medium and electronic equipment

Similar Documents

Publication Publication Date Title
US9961053B2 (en) Detecting compromised credentials
CN113239344B (en) Access right control method and device
US10013568B2 (en) Identifying and blocking prohibited content items in a content management system
AU2014290721B2 (en) Light installer
US9571499B2 (en) Apparatus and method of providing security to cloud data to prevent unauthorized access
US10594490B2 (en) Filtering encrypted data using indexes
CN108289098B (en) Authority management method and device of distributed file system, server and medium
US10637805B2 (en) Instant messaging method, server, and storage medium
CN109831435B (en) Database operation method, system, proxy server and storage medium
US9930063B2 (en) Random identifier generation for offline database
CN110895603B (en) Multi-system account information integration method and device
US20130312068A1 (en) Systems and methods for administrating access in an on-demand computing environment
WO2024027328A1 (en) Data processing method based on zero-trust data access control system
US20140007197A1 (en) Delegation within a computing environment
US10491635B2 (en) Access policies based on HDFS extended attributes
CN111324799B (en) Search request processing method and device
CN111797424A (en) Method and device for processing request
CN112835863A (en) Processing method and processing device of operation log
WO2023272419A1 (en) Virtual machine provisioning and directory service management
CN108537621B (en) Data operation method and device
WO2018126380A1 (en) Database access control system
US9961132B2 (en) Placing a user account in escrow
CN110602074B (en) Service identity using method, device and system based on master-slave association
CN114884718A (en) Data processing method, device, equipment and storage medium
CN117193940A (en) Data access method, device, electronic equipment and computer readable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination