CN113239372A - Database access control method and system - Google Patents
- Publication number
- CN113239372A (application number CN202110481101.5A)
- Authority
- CN
- China
- Prior art keywords
- user
- authority
- database
- access control
- sql statement
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/21—Design, administration or maintenance of databases
- G06F16/211—Schema design and management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/22—Indexing; Data structures therefor; Storage structures
- G06F16/2282—Tablespace storage structures; Management thereof
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/242—Query formulation
- G06F16/2433—Query languages
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Automation & Control Theory (AREA)
- Mathematical Physics (AREA)
- Computational Linguistics (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention provides a database access control method and system that can be used in the technical field of big data. The method comprises: intercepting an SQL statement and a token value sent by a user; parsing a user name from the token value, and parsing a table name and an operation on the table from the SQL statement; querying an authority configuration table according to the user name, the table name and the operation on the table, and judging whether the user has authority, wherein the authority configuration table configures the authority of different users for different operations on different tables in a database; and, when the judgment result is that the user has authority, sending the SQL statement to the database, obtaining the database operation result and sending it to the user. The invention enables flexible control of database operation authority.
Description
Technical Field
The invention relates to the technical field of big data, in particular to a database access control method and a database access control system.
Background
In current database access, a user who has operation authority on a database can perform all insert, delete, query and update operations on it. This approach is neither secure nor flexible. In practical applications, security control sometimes requires that a user hold only part of the rights: for example, the user may query and add data but may not delete or modify existing data; or the user is required to have access to only some of the tables in a database and to add additional tables. Conventional database authority control cannot do this.
Disclosure of Invention
The embodiment of the invention provides a database access control method, which is used for realizing flexible control of database operation authority and comprises the following steps:
intercepting an SQL statement and a token value sent by a user;
parsing a user name from the token value, and parsing a table name and an operation on the table from the SQL statement;
querying an authority configuration table according to the user name, the table name and the operation on the table, and judging whether the user has authority, wherein the authority configuration table configures the authority of different users for different operations on different tables in a database;
and when the judgment result is that the user has authority, sending the SQL statement to the database, obtaining the database operation result and sending the database operation result to the user.
The embodiment of the invention provides a database access control system, which is used for realizing flexible control of database operation authority and comprises the following components:
the interception module is used for intercepting an SQL statement and a token value sent by a user;
the parsing module is used for parsing a user name from the token value and parsing a table name and an operation on the table from the SQL statement;
the judging module is used for querying an authority configuration table according to the user name, the table name and the operation on the table, and judging whether the user has authority, wherein the authority configuration table configures the authority of different users for different operations on different tables in the database; and when the judgment result is that the user has authority, sending the SQL statement to the database, obtaining the database operation result and sending the database operation result to the user.
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, and when the processor executes the computer program, the database access control method is implemented.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program for executing the database access control method is stored in the computer-readable storage medium.
In the embodiment of the invention, an SQL statement and a token value sent by a user are intercepted; a user name is parsed from the token value, and a table name and an operation on the table are parsed from the SQL statement; an authority configuration table is queried according to the user name, the table name and the operation on the table to judge whether the user has authority, wherein the authority configuration table configures the authority of different users for different operations on different tables in a database; and when the judgment result is that the user has authority, the SQL statement is sent to the database, and the database operation result is obtained and sent to the user. Because the authority configuration table configures the authority of different users for different operations on different tables, and SQL statements are intercepted and parsed, authority control is refined down to each type of operation on each table for each user. The method is therefore flexible, simple and easy to use, and makes database access more secure.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. In the drawings:
FIG. 1 is a flow chart of a database access control method in an embodiment of the present invention;
FIG. 2 is a detailed flowchart of a database access control method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a database access control system in an embodiment of the invention;
FIG. 4 is another diagram of a database access control system according to an embodiment of the present invention;
FIG. 5 is a diagram of a computer device in an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
In the description of the present specification, the terms "comprising," "including," "having," "containing," and the like are used in an open-ended fashion, i.e., to mean including, but not limited to. Reference to the description of the terms "one embodiment," "a particular embodiment," "some embodiments," "for example," etc., means that a particular feature, structure, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. The sequence of steps involved in the embodiments is for illustrative purposes to illustrate the implementation of the present application, and the sequence of steps is not limited and can be adjusted as needed.
Fig. 1 is a flowchart of a database access control method in an embodiment of the present invention, and as shown in fig. 1, the method includes:
step 101, intercepting an SQL statement and a token value sent by a user;
step 102, parsing a user name from the token value, and parsing a table name and an operation on the table from the SQL statement;
step 103, querying an authority configuration table according to the user name, the table name and the operation on the table, and judging whether the user has authority, wherein the authority configuration table configures the authority of different users for different operations on different tables in a database;
and step 104, when the judgment result is that the user has authority, sending the SQL statement to the database, obtaining the database operation result and sending the database operation result to the user.
In the embodiment of the invention, authority control is refined down to each type of operation on each table for each user, which is flexible, simple and easy to use, and makes database access more secure.
In one embodiment, the operations include insert (insert), delete (delete), query (select), and update (update).
In a specific implementation, the authority configuration table may be stored in a database or in other file storage. Table 1 is an example of the authority control table in the embodiment of the present invention, in which each column stores the names of the data tables on which the user of that row can perform the insert, delete, query, or update operation.
TABLE 1
In an embodiment, before intercepting the SQL statement sent by the user, the method further includes:
receiving a login request sent by a user;
authenticating the user based on the login request;
and after the user identity verification is passed, returning a token value to the user.
In the above embodiments, the authentication is mainly performed on the user of the intercepted SQL statement.
In an embodiment, the method further comprises:
and when the judgment result is that no authority exists, returning no-authority prompt information to the user.
The no-authority prompt information may be delivered in the form of an alarm.
Based on the above embodiment, the present invention provides the following embodiment to explain a detailed flow of the database access control method, and fig. 2 is a detailed flow chart of the database access control method in the embodiment of the present invention, as shown in fig. 2, including:
1. User login: receiving a login request sent by a user;
2. Token value return: authenticating the user based on the login request and, after the user passes authentication, returning a token value to the user;
3. Sending SQL statement + token value: receiving the token value and the SQL statement sent by the user;
4. Parsing: parsing a user name from the token value, and parsing a table name and an operation on the table from the SQL statement;
5. Authority check: querying the authority configuration table according to the user name, the table name and the operation on the table, and judging whether the user has authority; turning to 7 and 8;
6. When the judgment result is that no authority exists, returning no-authority prompt information to the user;
7. When the judgment result is that the user has authority, sending the SQL statement to the database, where the SQL statement is executed;
8. Returning the operation result: obtaining the database operation result and sending it to the user.
Of course, it is understood that other variations of the above detailed flow can be made, and all such variations are intended to fall within the scope of the present invention.
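The detailed flow above, as an added Python example that is not code from the patent. The HMAC-signed token format, the `authority_config` schema, the in-memory SQLite stores and the names `Gateway`, `required_permissions`, `issue_token` and `user_from_token` are all assumptions; the regex-based statement analysis is a simplification that refuses anything it cannot model, and it goes one step beyond the text by checking every table a statement references rather than a single table name.

```python
import base64, hashlib, hmac, json, re, sqlite3, time

SECRET = b"constructed-demo-key"  # assumption: HMAC key known only to the gateway
OPS = {"insert", "delete", "select", "update"}
KEYWORD = re.compile(r"\b(?:from|join|into|update)\b", re.I)
TABLE_REF = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_]\w*)", re.I)
COMMA_JOIN = re.compile(r"\bfrom\s+\w+(?:\s+(?:as\s+)?\w+)?\s*,", re.I)

def issue_token(username, ttl=300, now=None):
    """Login step: signed token carrying the user name (token format is an assumption)."""
    claims = {"user": username, "exp": (now or time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + sig).decode()

def user_from_token(token, now=None):
    """Return the user name only if signature and expiry check out, else None."""
    try:
        body, sig = token.encode().rsplit(b".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["user"] if claims["exp"] >= (now or time.time()) else None

def required_permissions(sql):
    """Return the set of (operation, table) pairs a statement needs, or None to fail closed."""
    stmt = sql.strip().rstrip(";").strip()
    # Stacked statements, comments and quoted identifiers are outside what this
    # small analyser models, so they are refused rather than guessed at.
    if not stmt or any(t in stmt for t in (";", "--", "/*", '"', "`", "[")):
        return None
    op = stmt.split(None, 1)[0].lower()
    if op not in OPS:
        return None
    text = re.sub(r"'(?:[^']|'')*'", "''", stmt)  # blank out string literals
    refs = [t.lower() for t in TABLE_REF.findall(text)]
    # Every table keyword must be followed by a plain name; comma joins are refused.
    if not refs or len(refs) != len(KEYWORD.findall(text)) or COMMA_JOIN.search(text):
        return None
    if op == "select":
        return {("select", t) for t in refs}
    # INSERT INTO t / UPDATE t / DELETE FROM t: first reference is the target, the rest are reads.
    return {(op, refs[0])} | {("select", t) for t in refs[1:]}

class Gateway:
    def __init__(self, data_db, grants):
        self.data = data_db
        # Authority configuration table, kept in a store separate from user data.
        self.policy = sqlite3.connect(":memory:")
        self.policy.execute("CREATE TABLE authority_config (username TEXT, table_name TEXT, "
                            "operation TEXT, PRIMARY KEY (username, table_name, operation))")
        self.policy.executemany("INSERT INTO authority_config VALUES (?, ?, ?)", grants)

    def has_authority(self, user, op, table):
        row = self.policy.execute(
            "SELECT 1 FROM authority_config WHERE username = ? AND table_name = ? "
            "AND operation = ?", (user, table, op)).fetchone()
        return row is not None

    def handle(self, token, sql, now=None):
        """Steps 3-8 of the detailed flow: parse, check authority, forward or refuse."""
        user = user_from_token(token, now)
        if user is None:
            return ("denied", "invalid token")
        needs = required_permissions(sql)
        if needs is None:
            return ("denied", "statement not analysable")
        for op, table in sorted(needs):
            if not self.has_authority(user, op, table):
                return ("denied", f"no authority: {op} on {table}")
        try:
            rows = self.data.execute(sql).fetchall()
            self.data.commit()
        except sqlite3.Error as exc:
            return ("error", str(exc))
        return ("ok", rows)

def demo():
    """Constructed sample: alice may select and insert on orders, nothing else."""
    data = sqlite3.connect(":memory:")
    data.executescript("CREATE TABLE orders(id INTEGER, item TEXT);"
                       "CREATE TABLE salaries(name TEXT, amount INTEGER);")
    gw = Gateway(data, [("alice", "orders", "select"), ("alice", "orders", "insert")])
    tok = issue_token("alice")
    bad = tok[:-1] + ("0" if tok[-1] != "0" else "1")  # signature altered by one character
    return [
        gw.handle(tok, "INSERT INTO orders VALUES (1, 'pen')"),
        gw.handle(tok, "SELECT id, item FROM orders"),
        gw.handle(tok, "DELETE FROM orders WHERE id = 1"),
        gw.handle(tok, "SELECT id FROM orders WHERE id IN (SELECT amount FROM salaries)"),
        gw.handle(tok, "SELECT 1; DELETE FROM orders"),
        gw.handle(bad, "SELECT id FROM orders"),
    ]

if __name__ == "__main__":
    print(demo())
```

A production gateway would replace the regex analysis with a full SQL parser for the target dialect and keep the same fail-closed behaviour for anything the parser rejects.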
In summary, in the method provided by the embodiment of the present invention, an SQL statement and a token value sent by a user are intercepted; a user name is parsed from the token value, and a table name and an operation on the table are parsed from the SQL statement; an authority configuration table is queried according to the user name, the table name and the operation on the table to judge whether the user has authority, wherein the authority configuration table configures the authority of different users for different operations on different tables in a database; and when the judgment result is that the user has authority, the SQL statement is sent to the database, and the database operation result is obtained and sent to the user. In this process, authority control is refined down to each type of operation on each table for each user, which is flexible, simple and easy to use, and makes database access more secure.
The embodiment of the invention also provides a database access control system, the principle of which is similar to that of the database access control method, and the details are not repeated here.
Fig. 3 is a schematic diagram of a database access control system in an embodiment of the present invention, as shown in fig. 3, the system includes:
the intercepting module 301, configured to intercept an SQL statement and a token value sent by a user;
the parsing module 302, configured to parse a user name from the token value, and parse a table name and an operation on the table from the SQL statement;
the judging module 303, configured to query an authority configuration table according to the user name, the table name and the operation on the table, and judge whether the user has authority, where the authority configuration table configures the authority of different users for different operations on different tables in a database; and, when the judgment result is that the user has authority, to send the SQL statement to the database, obtain the database operation result and send the database operation result to the user.
In one embodiment, the operations include insert, delete, query, and update.
Fig. 4 is another schematic diagram of the database access control system in an embodiment of the present invention, and in an embodiment, the system further includes an identity verification module 304, configured to:
before intercepting SQL statements sent by a user, receiving a login request sent by the user;
authenticating the user based on the login request;
and after the user identity authentication is passed, returning the token value to the user.
In an embodiment, the parsing module is specifically configured to:
and when the judgment result is that no authority exists, returning no-authority prompt information to the user.
In summary, in the system provided in the embodiment of the present invention, an SQL statement and a token value sent by a user are intercepted; a user name is parsed from the token value, and a table name and an operation on the table are parsed from the SQL statement; an authority configuration table is queried according to the user name, the table name and the operation on the table to judge whether the user has authority, wherein the authority configuration table configures the authority of different users for different operations on different tables in a database; and when the judgment result is that the user has authority, the SQL statement is sent to the database, and the database operation result is obtained and sent to the user. In this process, authority control is refined down to each type of operation on each table for each user, which is flexible, simple and easy to use, and makes database access more secure.
An embodiment of the present application further provides a computer device, and fig. 5 is a schematic diagram of a computer device in an embodiment of the present invention, where the computer device is capable of implementing all steps in the database access control method in the foregoing embodiment, and the computer device specifically includes the following contents:
a processor 501, a memory 502, a communication interface 503, and a communication bus 504;
the processor 501, the memory 502 and the communication interface 503 complete mutual communication through the communication bus 504; the communication interface 503 is used for implementing information transmission between related devices such as server-side devices, detection devices, and user-side devices;
the processor 501 is configured to call the computer program in the memory 502, and when the processor executes the computer program, the processor implements all the steps in the database access control method in the above embodiments.
An embodiment of the present application further provides a computer-readable storage medium, which can implement all the steps in the database access control method in the foregoing embodiment, and the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the computer program implements all the steps of the database access control method in the foregoing embodiment.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (10)
1. A database access control method, comprising:
intercepting an SQL statement and a token value sent by a user;
parsing a user name from the token value, and parsing a table name and an operation on the table from the SQL statement;
querying an authority configuration table according to the user name, the table name and the operation on the table, and judging whether the user has authority, wherein the authority configuration table configures the authority of different users for different operations on different tables in a database;
and when the judgment result is that the user has authority, sending the SQL statement to the database, obtaining the database operation result and sending the database operation result to the user.
2. The database access control method of claim 1, wherein the operations include insert, delete, query, and update.
3. The database access control method according to claim 1, further comprising, before intercepting the SQL statement and token value sent by the user:
receiving a login request sent by a user;
authenticating the user based on the login request;
and after the user identity authentication is passed, returning the token value to the user.
4. The database access control method of claim 1, further comprising:
and when the judgment result is that no authority exists, returning no-authority prompt information to the user.
5. A database access control system, comprising:
the interception module is used for intercepting an SQL statement and a token value sent by a user;
the parsing module is used for parsing a user name from the token value and parsing a table name and an operation on the table from the SQL statement;
the judging module is used for querying an authority configuration table according to the user name, the table name and the operation on the table, and judging whether the user has authority, wherein the authority configuration table configures the authority of different users for different operations on different tables in the database; and when the judgment result is that the user has authority, sending the SQL statement to the database, obtaining the database operation result and sending the database operation result to the user.
6. The database access control system of claim 5, wherein the operations comprise insert, delete, query, and update.
7. The database access control system of claim 5, further comprising an authentication module to:
before intercepting SQL statements sent by a user, receiving a login request sent by the user;
authenticating the user based on the login request;
and after the user identity authentication is passed, returning the token value to the user.
8. The database access control system of claim 5, wherein the parsing module is specifically configured to:
and when the judgment result is that no authority exists, returning no-authority prompt information to the user.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 4 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110481101.5A CN113239372A (en) | 2021-04-30 | 2021-04-30 | Database access control method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110481101.5A CN113239372A (en) | 2021-04-30 | 2021-04-30 | Database access control method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113239372A (en) | 2021-08-10 |
Family
ID=77131763
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110481101.5A Pending CN113239372A (en) | 2021-04-30 | 2021-04-30 | Database access control method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113239372A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113591126A (en) * | 2021-08-12 | 2021-11-02 | 北京滴普科技有限公司 | Data authority processing method and computer readable storage medium |
CN113961542A (en) * | 2021-10-19 | 2022-01-21 | 平安普惠企业管理有限公司 | Database operation method, device, equipment and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110334545A (en) * | 2019-06-28 | 2019-10-15 | 北京淇瑀信息科技有限公司 | A kind of authority control method based on SQL, device and electronic equipment |
CN111767572A (en) * | 2020-06-28 | 2020-10-13 | 北京天融信网络安全技术有限公司 | Method and device for safely accessing database |
CN112380236A (en) * | 2020-11-11 | 2021-02-19 | 浪潮商用机器有限公司 | DB2/400 database access method, device and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||