CN114826724B - Data processing method, device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN114826724B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210417640.7A
Other languages
Chinese (zh)
Other versions
CN114826724A (en)
Inventor
郭峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Netease Hangzhou Network Co Ltd
Original Assignee
Netease Hangzhou Network Co Ltd
Application filed by Netease Hangzhou Network Co Ltd
Priority to CN202210417640.7A
Publication of CN114826724A
Application granted
Publication of CN114826724B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The embodiment of the application discloses a data processing method, a data processing device, electronic equipment and a storage medium. The method comprises the following steps: acquiring and parsing a data request sent by a user terminal to obtain an Internet protocol address of the user terminal; if the Internet protocol address meets the Internet protocol limiting condition, determining the current operable times of the target data object; and if the current operable times are greater than a preset operation threshold, responding to the data request and executing the target operation on the target data object. Because the IP address is used for identity authentication, operation authorization can be granted for specific IP addresses, which gives more flexible control over data operations and meets specific permission control requirements. Limiting the operable times of the target data object prevents an unlimited number of operations on the data, which further reduces the risk of data leakage and thereby improves the security of data stored in object storage.

Description

Data processing method, device, electronic equipment and storage medium
Technical Field
The present application relates to the field of database technologies, and in particular, to a data processing method, an apparatus, an electronic device, and a storage medium.
Background
Object storage is currently the mainstream way of storing internet data. Read, write and other operations on object storage are generally carried out as data exchanges over HTTP or HTTPS: the object storage system exposes an independent set of RESTful API interfaces, and a developer can store unstructured data such as pictures, audio and video in object storage by calling those interfaces.
When a user needs to operate on data stored in object storage, the operation succeeds only after the server has performed identity authentication and authorization. However, existing identity authentication and authorization methods have many limitations, so they cannot be adapted to specific permission control requirements and data leakage occurs easily, which results in low data security.
Disclosure of Invention
The embodiment of the application provides a data processing method, a data processing device, electronic equipment and a storage medium, which can meet specific authority control requirements and improve the safety of data.
The embodiment of the application provides a data processing method, which comprises the following steps:
acquiring a data request sent by a user terminal and analyzing the data request to obtain an Internet protocol address of the user terminal;
if the Internet protocol address meets the Internet protocol limiting condition, determining the current operable times of a target data object, wherein the target data object is an object indicated by the data request;
and if the current operable times are greater than a preset operation threshold, responding to the data request, and executing target operation on the target data object, wherein the target operation is indicated by the data request.
The embodiment of the application also provides a data processing device, which comprises:
the request acquisition module is used for acquiring a data request sent by a user terminal and analyzing the data request to obtain an Internet protocol address of the user terminal;
a determining module, configured to determine a current operable number of times of a target data object, where the target data object is an object indicated by the data request, if the internet protocol address meets an internet protocol constraint condition;
and the response module is used for responding to the data request and executing target operation on the target data object if the current operable times are larger than a preset operation threshold, wherein the target operation is indicated by the data request.
In some embodiments, the determining module further includes the following units, which are used before the step of determining the current operable times of the target data object if the internet protocol address meets the preset requirement:
a parameter acquisition unit, used for acquiring an identity authentication parameter and a request authentication parameter which are obtained by parsing the data request;
the identity verification unit is used for verifying the identity compliance of the user terminal based on the identity authentication parameters;
an operation verification unit, configured to verify compliance of the target operation based on the request authentication parameter;
and the address judging unit is used for determining whether the Internet protocol address meets the Internet protocol limiting condition if the identity of the user terminal is compliant and the target operation is compliant.
In some embodiments, the identity authentication parameter comprises an access key, and the identity verification unit is further configured for:
determining a private key corresponding to the access key;
decrypting the data request by using the private key to obtain a first digital digest;
carrying out hash processing on the identity authentication parameter and the request authentication parameter to obtain a second digital digest;
and if the first digital digest is consistent with the second digital digest, determining that the identity of the user terminal is compliant.
In some embodiments, the identity verification unit is further configured to:
acquiring a user white list corresponding to the target data object;
and if the first digital digest and the second digital digest are consistent and the access key is in the user white list, determining that the identity of the user terminal is compliant.
In some embodiments, the request authentication parameter comprises a valid time range, and the operation verification unit is further configured for:
acquiring the current time;
and if the current time is in the valid time range, determining that the target operation is compliant.
In some embodiments, the operation verification unit is further configured to:
determining a time at which the data request was received as a first time;
determining the time of the user terminal sending the data request as a second time;
calculating the difference between the first time and the second time to obtain a time difference;
if the time difference is smaller than or equal to a first preset difference value, determining the second time as the current time;
if the time difference is larger than the first preset difference value and smaller than the second preset difference value, determining the current time according to the first time and the second time;
and if the time difference is larger than or equal to the second preset difference value, taking the first time as the current time.
In some embodiments, the data processing apparatus further includes a generating unit, and before acquiring the data request sent by the user terminal and parsing the data request, the generating unit is configured to:
acquiring basic data, wherein the basic data comprises an access key and target data object information;
acquiring operation constraint parameters, wherein the operation constraint parameters comprise a valid time range, target operation times and Internet protocol limiting conditions;
carrying out hash processing on the basic data and the operation constraint parameters to obtain a first digital digest;
encrypting the first digital digest by using a private key corresponding to the access key to obtain signature data;
and generating the data request according to the signature data, the basic data and the operation constraint parameters.
The embodiment of the application also provides electronic equipment, which comprises a processor and a memory, wherein the memory stores a plurality of instructions; the processor loads instructions from the memory to perform steps in any of the data processing methods provided by the embodiments of the present application.
Embodiments of the present application also provide a computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform steps in any of the data processing methods provided by the embodiments of the present application.
According to the embodiment of the application, the IP address can be used for identity authentication, so operation authorization can be granted for specific IP addresses, which gives more flexible control over data operations and meets specific permission control requirements. Limiting the operable times of the target data object prevents an unlimited number of operations on the data, which further reduces the risk of data leakage and thereby improves the security of data stored in object storage.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are evidently only some embodiments of the present application, and a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a system schematic diagram of a data processing method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a data processing method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an object storage system provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of generating a pre-signed URL provided by an embodiment of the present application;
FIG. 5 is a flow chart of a data processing method according to another embodiment of the present application;
FIG. 6 is a schematic diagram of validating a data access request provided by an embodiment of the present application;
FIG. 7 is a schematic diagram of the processing when a data access request is compliant, provided by an embodiment of the present application;
FIG. 8 is a schematic diagram of the processing when a data access request is not compliant, provided by an embodiment of the present application;
FIG. 9 is a schematic diagram of a data processing apparatus according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The embodiment of the application provides a data processing method, a data processing device, electronic equipment and a storage medium.
The data processing device may be integrated in an electronic device, which may be a terminal, a server, or other devices. The terminal can be a mobile phone, a tablet computer, an intelligent Bluetooth device, a notebook computer, a personal computer (Personal Computer, PC) or the like; the server may be a single server or a server cluster composed of a plurality of servers.
In some embodiments, the data processing apparatus may also be integrated in a plurality of electronic devices, for example, the data processing apparatus may be integrated in a plurality of servers, and the data processing method of the present application is implemented by the plurality of servers.
In some embodiments, the server may also be implemented in the form of a terminal.
For example, referring to fig. 1, a system schematic diagram of a data processing method provided in an embodiment of the present application is shown. The system may include at least one user terminal 1000, at least one server 2000, at least one database 3000, and a network 4000. User terminal 1000 held by a user can be connected to server 2000 through network 4000. Wherein user terminal 1000 is any device having computing hardware capable of supporting and executing software products corresponding to a page display; the server 2000 may be a single server, or may be a server cluster; the network 4000 may be a wireless network or a wired network, such as a Wireless Local Area Network (WLAN), a Local Area Network (LAN), a cellular network, a 2G network, a 3G network, a 4G network, a 5G network, etc. In addition, different user terminals 1000 may be connected to other terminals or to the server 2000 using their own bluetooth network or hotspot network. In addition, the system may further include at least one database 3000, where the database 3000 is configured to store data using object storage, and when access to the data in the database 3000 is required, the authority of the database 3000 is controlled by the server 2000.
The server 2000 may receive a data request from the user terminal 1000 and parse it to obtain the internet protocol address of the user terminal 1000; when the internet protocol address is determined to meet the internet protocol limiting condition, the current operable times of the target data object may be determined, where the target data object is the object specified by the data request. If the server 2000 determines that the current operable times are greater than the preset threshold, the target operation, which is the operation indicated by the data request, may be performed on the target data object.
A detailed description follows. The numbering of the following examples is not intended to limit their preferred order.
In this embodiment, a data processing method is provided, as shown in fig. 2, and a specific flow of the data processing method may be as follows:
S110, acquiring a data request sent by a user terminal and parsing the data request to obtain an Internet protocol address of the user terminal.
A data request is a request sent by a user terminal to perform some processing on a data object, for example accessing, downloading, deleting or modifying it. The data request may take the form of an instruction, a uniform resource locator (Uniform Resource Locator, URL), or the like.
The data object indicated in the data request is the target data object, and the target data object is stored in object storage. Referring to FIG. 3, a schematic diagram of an object storage system is shown. An object (Object) is the data a user actually stores in object storage, including the file content stored by the user and the related metadata. Objects are grouped into a container called a bucket (Bucket), and each object belongs to a user, who may be called the resource owner (Owner); typically, the default resource owner of an object is the user who uploaded the data object.
The resource owner also corresponds to a key pair: an access key (AccessKey), which can be regarded as a user name (globally unique), and a private key (SecretKey), which serves as the user's password (and must be kept confidential). Because the data in an object is generally private and not publicly disclosed, when the resource owner wants to share a data object with other people, a pre-signed URL can be generated by calling the signature algorithm module, and other users can operate on the data object, for example access, add or delete it, through the pre-signed URL. The data request may then be generated based on the pre-signed URL. To ensure data security, a corresponding internet protocol restriction condition, a target operation number and the like may be set for the data object when the pre-signed URL is generated.
The server may respond to the data request to perform the corresponding operation. After receiving the data request, the server may parse the data request to obtain content carried in the data request, for example, an internet protocol (Internet Protocol, IP) address of the user terminal. The IP address is a unified address format provided by the IP protocol, and may be used to allocate a logical address to each network and each host on the internet, so as to mask the difference of physical addresses. The IP protocol is a protocol designed for communication with the interconnection of computer networks, and the IP address is a unique address defined by the IP protocol for each host on the internet.
When the data request is received, the server can acquire the IP address of the user terminal corresponding to the data request.
It will be appreciated that if the data request is based on a pre-signed URL, other content in the pre-signed URL may also be parsed.
And S120, if the Internet protocol address meets the Internet protocol limiting condition, determining the current operable times of a target data object, wherein the target data object is the object indicated by the data request.
After the IP address of the user terminal is obtained, in order to ensure the security of the data request, it may be determined whether the IP address of the user terminal satisfies the Internet Protocol (IP) restriction condition; if the IP restriction condition is satisfied, the data request may be considered secure.
The IP restriction condition restricts which IP addresses may operate on the target data object. It may be obtained by parsing the data request or may be stored in advance on the server. For example, the IP restriction condition may be whether the IP address is in an IP whitelist; an IP address in the whitelist may operate on the target data object.
In some embodiments, the IP whitelist records the IP addresses that are allowed to operate on the target data object. When determining whether the IP address of the user terminal satisfies the internet protocol restriction condition, it may then be determined whether the IP address of the user terminal is in the IP whitelist: if it is, the IP address can be considered to satisfy the internet protocol restriction condition; if it is not, the IP address can be considered not to satisfy it.
In some embodiments, the IP whitelist may record an IP segment that is allowed to operate on the target data object. Each IP address includes two identification codes (IDs), namely a network ID and a host ID: all hosts on the same physical network use the same network ID, and each host on the network (including workstations, servers, routers and so on) has one host ID corresponding to it. IP addresses are classified into 5 types according to their network IDs: class A, class B, class C, class D and class E addresses. Class C addresses are suitable for small networks, such as the local area network of a small campus or office building, so the IP whitelist can be set to an IP segment, for example the class C address segment "192.168.0.0-192.168.255.255", meaning that all IP addresses in the segment can operate on the target data object.
When determining whether the IP address of the user terminal satisfies the internet protocol restriction condition, it may then be determined whether the IP address of the user terminal is within the IP segment set in the IP whitelist: if it is, the IP address can be considered to satisfy the internet protocol restriction condition; if it is not, the IP address can be considered not to satisfy it. Setting an internet protocol restriction condition makes it possible to authorize users in a certain area or range, so permission control requirements are met better and data can be shared more flexibly.
If the internet protocol address meets the internet protocol restriction condition, the server can go on to acquire the current operable times of the target data object. A target operation number may be preset for the target data object; in some embodiments, the target operation number is the total number of times the target data object is allowed to be operated on. For example, if the target operation number is 6 and the operation is access, the target data object can only be accessed 6 times.
Various operations, such as access, addition and deletion, can be performed on the target data object, and a different number of operations can be set for each. In some embodiments, the target operation number may be set for a specific operation, for example 5 access operations and 2 add operations, which indicates that the target data object may be accessed 5 times and added to 2 times.
Thus, the server can determine the target operation number from the target operation indicated by the data request. For example, if the total number of access operations preset for the target data object is 8 and the total number of add operations is 6, and the target operation indicated by the data request is access, the target operation number is 8. In this way the server can acquire the target operation number.
In some implementations, the server may record the number of times the target data object has been operated on; for example, each time the target data object is successfully operated on, that number is incremented by 1. The current operable times of the target data object are then determined by acquiring the number of times the object has already been operated on and calculating the difference between the target operation number and that number. For example, a first counter may be set in the server to count the operations already performed: its initial value is 0, and its value is increased by 1 each time the target data object is operated on. If the server parses the data request and obtains a target operation number of 6, and reads a value of 1 from the first counter, the difference is 5, that is, the current operable times are 5.
In some embodiments, the server may decrease the target operation number by 1 after the target data object is successfully operated on once, resulting in an updated target operation number. The current operable times of the target data object are then obtained by reading the updated target operation number. For example, a second counter may be set in the server to count the current operable times: its initial value is the target operation number, and its value is decremented by 1 each time the target data object is operated on, so the server can read the value of the second counter to obtain the current operable times.
S130, if the current operable times are greater than a preset operation threshold, responding to the data request, and executing target operation on the target data object, wherein the target operation is indicated by the data request.
After the server obtains the current operable times, the size relation between the current operable times and a preset operation threshold value can be determined, and if the current operable times are smaller than or equal to the preset operation threshold value, the data request is refused; if the current operable number is greater than the preset operation threshold, the target operation may be performed on the target data object in response to the data request.
The preset operation threshold may be a value set according to actual needs, in this embodiment of the present application, the preset operation threshold may be 0, that is, when the current operable number of times is less than or equal to 0, it may be considered that the target data object cannot be operated any more, and the data request is not compliant, so that the data request may be directly rejected; if the current operable number is greater than 0, the target data object can be further operated, and the data request is compliant, so that the target operation can be performed on the target data object in response to the data request.
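The S120 and S130 checks described above, as an added Python sketch that is not taken from the patent: the whitelist is written in CIDR form, the "first counter" is kept per operation, and the class, method names and sample addresses are assumptions. The quota check and the counter update share one lock so that two concurrent requests cannot both spend the last remaining operation.

```python
import ipaddress
import threading

PRESET_OPERATION_THRESHOLD = 0  # the value used in this embodiment


class ObjectPolicy:
    """Constraints attached to one target data object (hypothetical structure)."""

    def __init__(self, ip_whitelist, target_operation_counts):
        # Whitelist entries may be single addresses or segments in CIDR form.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in ip_whitelist]
        # Target operation number per operation, e.g. {"access": 5, "add": 2}.
        self.target_counts = dict(target_operation_counts)
        # "First counter": operations already performed, starting at 0.
        self.operated = {op: 0 for op in self.target_counts}
        self._lock = threading.Lock()

    def ip_allowed(self, client_ip):
        """S120, first half: does the address satisfy the IP restriction condition?"""
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False  # an unparseable address never satisfies the condition
        return any(addr in net for net in self.networks)

    def current_operable(self, operation):
        """Current operable times = target operation number - times already operated."""
        return self.target_counts.get(operation, 0) - self.operated.get(operation, 0)

    def handle(self, client_ip, operation, perform):
        """S120 + S130. client_ip is assumed to be the peer address seen by the server."""
        if not self.ip_allowed(client_ip):
            return "rejected: ip"
        with self._lock:
            if self.current_operable(operation) <= PRESET_OPERATION_THRESHOLD:
                return "rejected: count"
            self.operated[operation] += 1  # reserve one operation before running it
        try:
            perform()
        except Exception:
            with self._lock:
                self.operated[operation] -= 1  # only successful operations are counted
            raise
        return "ok"


if __name__ == "__main__":
    # Constructed sample policy: the segment from the text plus one single address.
    policy = ObjectPolicy(["192.168.0.0/16", "203.0.113.7"], {"access": 2, "add": 1})
    for ip, op in [("192.168.44.9", "access"), ("10.0.0.1", "access"),
                   ("203.0.113.7", "access"), ("192.168.1.1", "access")]:
        print(ip, op, policy.handle(ip, op, lambda: None))
```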
In some embodiments, in order to further improve the security of the data, the server may further use other data obtained by parsing the data request to perform verification. For example, the identity authentication parameter and the request authentication parameter obtained by analyzing the data request can be obtained; verifying the identity compliance of the user terminal based on the identity authentication parameters; verifying compliance of the target operation based on the request authentication parameters; and if the identity of the user terminal is compliant and the target operation is compliant, determining whether the Internet protocol address meets the Internet protocol limiting condition.
As described above, the data request may be generated based on the pre-signed URL, and when the pre-signed URL is generated, some operation restrictions on the target data object may be added, so as to enrich the identity authentication and authentication manners, and further improve the data security. In some embodiments, the server may obtain base data including the access key and the target data object information prior to obtaining the data request; acquiring operation constraint parameters, wherein the operation constraint parameters comprise an effective time range, target operation times and Internet protocol limiting conditions; carrying out hash processing on the basic data and the operation constraint parameters to obtain a first digital abstract; encrypting the first digital digest by using a private key corresponding to the access key to obtain signature data; and generating the data request according to the signature data, the basic data and the operation constraint parameters.
The base data refers to base information of the target data object and may include an access key and target data object information. Wherein the access key may refer to an account name of an owner of the target data Object, and the target data Object information may include a name of an Object (Object) storing the data, and a name of a Bucket (Bucket) storing the Object.
To ensure the security of the stored data, operation constraint parameters may also be obtained for constraints on the operation performed on the target data object, which may include, for example, a valid time frame, a target number of operations, internet protocol constraints, and so on.
The valid time range may refer to a time range in which operations on the target data object are allowed. For example, if the valid time range is set to March 20, 2022 through March 22, 2022, the target data object can be operated on only within that range.
The target operation number may refer to the total number of times that the target data object may be operated on. As described above, it may be the total number of times a specific operation is performed on the target data object, or the total number of times any operation is performed on it; this may be set according to actual needs and is not specifically limited herein.
The pre-signed URL may be generated based on the base data and the operation constraint parameters, and the data request is typically initiated based on the pre-signed URL, so once the pre-signed URL has been obtained and a user requests data with it, the data request can be considered obtained. For example, FIG. 4 shows a schematic diagram of generating a pre-signed URL. The base data includes the access key (AccessKey), the object name and the bucket name; the operation constraint parameters include a valid time range, a target operation number and an IP constraint condition. The private key corresponding to the access key (SecretKey) may also be obtained so that the pre-signed URL can be generated.
The base data and the operation constraint parameters may be submitted to the server by the data owner through the user terminal, the signing algorithm may include a hash process and an encryption process, and the pre-signed URL is generated by the server based on the base data and the operation constraint parameters. In some embodiments, the base data and the operation constraint parameters may be hashed to obtain a first digital digest; the first digital digest is encrypted using the private key corresponding to the access key to obtain signature data; and a data request is generated based on the signature data, the base data and the operation constraint parameters.
Where the base data and the operating constraint parameters are hashed, the data may be processed using a hashing algorithm, such as MD5 algorithm, SHA1 algorithm, SHA256 algorithm, or the like. After hash processing is performed according to the basic data and the operation constraint parameters, a first digital digest can be obtained, the first digital digest cannot be recovered to obtain the basic data and the operation constraint parameters, and when the basic data or the operation constraint parameters are changed, the change of the first digital digest is caused.
After the first digital digest is obtained, the first digital digest may be encrypted using a private key to obtain the signature data. The encryption mode may be symmetric encryption, that is, the same key is needed for encryption and decryption, and if the access key is the name of the user account, the private key is the corresponding password of the user account, and the private key is used for encryption and decryption as described above.
After the signature data is obtained, the signature data, the basic data and the operation constraint parameters can be converted into the form of a URL to obtain a pre-signed URL, so that a user can initiate a data request based on the pre-signed URL.
When the server receives the data request, the data request may be parsed, and as described above, the data request may include signature data, basic data and operation constraint parameters, so that after the data request is parsed, the data may also be obtained.
It should be noted that the base data and the operation constraint parameters are used to generate the pre-signed URL: the base data includes the AccessKey, the object name and the bucket name, and the operation constraint parameters include a valid time range, a target operation number and an IP constraint. Parsing the data request yields the identity authentication parameter and the request authentication parameter: the identity authentication parameter includes the AccessKey, the object name, the bucket name and the signature data, and the request authentication parameter includes the valid time range.
After resolving to obtain the identity authentication parameter and the request authentication parameter, verifying the identity compliance of the user terminal based on the identity authentication parameter; verifying compliance of the target operation based on the request authentication parameters; and if the identity is compliant and the target operation is compliant, determining whether the Internet protocol address meets the Internet protocol limiting condition. Before judging the internet protocol limiting condition, the identity authentication and the operation authentication are added, so that illegal operation on data can be further avoided, and the safety of the data is improved.
In some embodiments, when verifying the identity compliance of the user terminal based on the identity authentication parameter, the private key corresponding to the access key may be determined; the data request is decrypted using the private key to obtain a first digital digest; the identity authentication parameter and the request authentication parameter are hashed to obtain a second digital digest; and if the first digital digest is consistent with the second digital digest, the identity of the user terminal is determined to be compliant.
The identity authentication parameter may include an access key obtained by analyzing the data request, and the server may find a private key corresponding to the access key according to the access key, and decrypt the data request using the private key. The signature data can be obtained after the data request is analyzed, the signature data is obtained after the first digital digest is encrypted by using the private key, and the encryption mode is symmetric encryption, so that the server can decrypt the first digital digest by using the obtained private key, and the first digital digest can be obtained.
If decryption fails at this point, the first digital digest was not encrypted with the private key that corresponds to the access key in the data request. The access key in the data request and the private key used for encryption can then be considered mismatched, and identity verification fails, that is, the identity is not compliant.
If the first digital digest is obtained through decryption, the server can use the same hash processing mode to perform hash processing on other data obtained through analysis to obtain a second digital digest. That is, the first digital digest is carried in the data request, the second digital digest is calculated by the server, and the server can compare whether the first digital digest and the second digital digest are consistent, if so, the data in the data request can be considered to be real and not tampered, and can be considered to pass the authentication, that is, the identity compliance.
If the server compares the first digital digest with the second digital digest and finds them inconsistent, the server can consider that the data in the data request may have been tampered with illegally, and identity verification fails, that is, the identity is not compliant.
In some embodiments, when determining whether the identity of the user terminal is compliant, a user white list corresponding to the target data object may be acquired; if the first digital digest is consistent with the second digital digest and the access key is in the user white list, the identity of the user terminal is determined to be compliant.
The user white list may be pre-stored in the server, and the access keys that have operation authority over the target data object may be recorded in it. When the server parses the data request to obtain the access key, it can determine whether the access key exists in the user white list; if it does, the user can be considered to have operation authority over the target data object.
In some embodiments, the user whitelist may be determined for the target data object, i.e. one target data object may correspond to one user whitelist, so that the server may obtain the user whitelist directly from the target data object in the data request.
In some embodiments, the user whitelist may be determined for different operations of the target data object, i.e. one target data object may correspond to a plurality of user whitelists. That is, when different operations are performed on the target data object, the corresponding user whitelists are different. For example, an access operation on the target data object may correspond to user white list A, and a new access operation on the target data object may correspond to user white list B. The server may then determine the user whitelist for authentication based on the target data object and the target operation in the data request.
If the first digital digest and the second digital digest are consistent and the access key is in the user white list, the identity of the user terminal can be considered to be compliant.
In some embodiments, verifying the compliance of the target operation based on the request authentication parameter may consist of obtaining a current time and, if the current time is within the valid time range, determining that the target operation is compliant. The current time may refer to the time when the server receives the data request, or to the time when the user terminal sends the data request to the server.
The time when the server receives the data request is hereinafter referred to as a first time, and the time when the user terminal transmits the data request is hereinafter referred to as a second time. The communication between the server and the user terminal depends on the network, and when the network environment is poor, the first time may be later than the second time, i.e. the first time and the second time are inconsistent.
If the current time is the first time, the server may record the time of receiving the data request when receiving the data request, and store the time in the designated location, and the server may obtain the first time from the designated location as the current time. When the first time is used as the current time, the server can be considered to judge the compliance of the target operation only based on the time of receiving the data request without considering the transmission delay caused by network fluctuation, and the safety of the data can be further improved.
If the current time is the second time, the user terminal may carry a time stamp when sending the data request, where the time stamp is the second time, so that the server may determine the time stamp carried in the data request as the current time. When the second time is used as the current time, the server can be considered to fully consider the transmission delay caused by network fluctuation, the situation that the user cannot normally operate the target data due to the transmission delay is avoided, and the user experience is improved.
Of course, in some embodiments, the server may obtain the first time and the second time, and determine a time difference between the first time and the second time; if the time difference is smaller than or equal to the first preset difference value, determining the second time as the current time; if the time difference is larger than the first preset difference value and smaller than the second preset difference value, determining the current time according to the first time and the second time; and if the time difference is greater than or equal to the second preset difference value, taking the first time as the current time.
When determining the current time according to the first time and the second time, the average time of the first time and the second time may be calculated, and the average time may be used as the current time, or different weight parameters may be given to the first time and the second time, and the current time may be calculated based on the weight parameters, the first time and the second time, which may be specifically set according to actual needs.
The first preset difference value and the second preset difference value may be preset, for example, the first preset difference value may be set according to a normal network transmission delay, for example, may be set to 3s, the second preset difference value may be set according to a maximum delay of network transmission, may be obtained according to data statistics, and assuming that the maximum delay of network transmission obtained through statistics is 60s, the second preset difference value may be 60s.
If the time difference is smaller than or equal to the first preset difference, the time difference may be considered as a time difference caused by a normal network transmission delay, so that the second time may be used as the current time. If the time difference is greater than the first preset difference and less than the second preset difference, the time delay of the network transmission can be considered to be higher, and in order to improve the safety of the data, the current time can be determined according to the first time and the second time. If the time difference is greater than or equal to the second preset difference, the time difference caused by the network delay is not normal, and in order to ensure the safety of the data, the first time can be directly used as the current time.
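The three-band selection of the current time described above can be written out as follows. This is an added example, not code from the patent: the function names, the use of the absolute difference and the equal weights in the middle band are assumptions, while the 3 s and 60 s thresholds are the values given in the text.

```python
FIRST_PRESET_DIFF = 3.0    # seconds, normal network delay (value from the text)
SECOND_PRESET_DIFF = 60.0  # seconds, maximum observed delay (value from the text)


def effective_time(first_time, second_time, weight_first=0.5,
                   first_diff=FIRST_PRESET_DIFF, second_diff=SECOND_PRESET_DIFF):
    """Return (current_time, band) for the validity check.

    first_time  -- when the server received the request (server clock)
    second_time -- timestamp the user terminal carried in the request
    The absolute difference is used so that a terminal clock running ahead of
    the server is treated like transmission delay (assumption of this example).
    """
    diff = abs(first_time - second_time)
    if diff <= first_diff:
        # Normal delay: accept the terminal's send time.
        return second_time, "second"
    if diff < second_diff:
        # Elevated delay: weighted combination of both times.
        blended = weight_first * first_time + (1.0 - weight_first) * second_time
        return blended, "blend"
    # Abnormal difference: rely on the server clock only.
    return first_time, "first"


def operation_compliant(first_time, second_time, valid_from, valid_until, **kw):
    """True if the selected current time lies inside the valid time range."""
    now, _band = effective_time(first_time, second_time, **kw)
    return valid_from <= now <= valid_until


def max_deviation(weight_first=0.5, first_diff=FIRST_PRESET_DIFF,
                  second_diff=SECOND_PRESET_DIFF):
    """Least upper bound on |current_time - first_time|, i.e. how far the
    timestamp supplied by the terminal can move the time used for the check
    away from the server clock. Useful when sizing the two thresholds."""
    return max(first_diff, (1.0 - weight_first) * second_diff)


if __name__ == "__main__":
    # Constructed cases: the valid time range ends at t = 1000 (seconds).
    for received, sent in [(1002.0, 999.0), (1030.0, 999.0), (1090.0, 999.0)]:
        now, band = effective_time(received, sent)
        ok = operation_compliant(received, sent, 0.0, 1000.0)
        print(f"received={received} sent={sent} band={band} now={now} ok={ok}")
    print("max deviation from server clock:", max_deviation(), "s")
```

With these defaults the timestamp carried in the request can shift the time used for the check by up to just under 30 s from the server clock, so the valid time range is effectively that much softer at its edges.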
The data processing scheme provided by the embodiment of the application can be applied to various data operation authentication scenarios. Taking data access as an example, when a data access request is received, the IP address may be used for identity authentication, and the access operation may be authorized according to the current operable number. With this scheme, the IP address is used for identity authentication and operation authorization can be granted to specific IP addresses, which gives more flexible control over data operations and meets specific permission control requirements. Limiting the operable number of the target data object prevents an unlimited number of operations on the data, which further reduces the risk of data leakage and improves the security of data stored in object storage. Identity compliance verification and target operation compliance verification are carried out on top of this, which enriches the ways a data request is verified; multiple verifications further improve data security.
The method described in the above embodiments will be described in further detail below.
In this embodiment, the method is described in detail taking as an example an access operation on the target data object, with the target data object stored in object storage and the server being an object storage service gateway.
As shown in fig. 5, a specific flow of a data processing method is as follows:
S210, acquiring basic data and operation constraint parameters.
S220, generating a pre-signed URL based on the basic data and the operation constraint parameters.
The base data includes access keys and target data object information, and the operation constraint parameters include a valid time range, a target operation number, and an IP constraint. The target data object information includes an object name and a bucket name where the target data object is located. The data may be submitted by the owner of the target data object, where the access key and the private key are a pair of keys, and the private key may be obtained at the same time as the access key is obtained.
It can be seen that the data currently required to generate a pre-signed URL is: access key, private key, object name, bucket name, valid time range, number of target operations, IP restrictions. When the pre-signed URL is generated based on the data, hash processing may be performed on the base data and the operation constraint parameters to obtain a first digital digest; encrypting the first digital abstract by using a private key corresponding to the access key to obtain signature data; and generating the data access request according to the signature data, the basic data and the operation constraint parameters. The detailed process of generating the pre-signed URL may refer to the corresponding parts of the foregoing embodiments, and will not be described herein.
S230, receiving a data access request sent by a user terminal, and verifying compliance of the data access request, wherein the data access request comprises a pre-signed URL.
The user can initiate a data access request based on the pre-signed URL, the object storage service gateway can obtain the pre-signed URL in the data access request, and the pre-signed URL can be utilized to perform compliance judgment on the data access request.
Referring to fig. 6, a schematic diagram of validating a data access request is shown. In fig. 6, the data access request may be parsed to obtain an access key, an object name, a bucket name, a valid time range, a target operation number, an IP constraint, and signature data, and when the compliance determination is performed on the data access request, the method includes the following 5 steps:
a. Judge whether the user signature is compliant.
When judging whether the user signature is compliant, the user signature may be the access key obtained by parsing the data access request. The private key corresponding to the access key is determined, the signature data is decrypted with the private key to obtain a first digital digest, and the access key, the object name, the bucket name, the valid time range, the target operation number and the IP limiting condition are hashed to obtain a second digital digest. If the first digital digest is consistent with the second digital digest, step b is executed; if they are inconsistent, authentication fails.
b. Judge whether the user authority is compliant.
The target data object is determined based on the object name and the bucket name, so that it can then be determined whether the user has the right to access the target data object.
If the access key exists in the user white list, the user can be considered to have authority, and step c is executed next; if the access key does not exist in the user white list, the user is considered to have no authority, and authentication fails.
c. Judge whether the time is within the valid time range.
Specifically, the current time is acquired, and whether the current time is within the valid time range is determined. The current time obtaining manner may refer to the corresponding portion of the foregoing embodiment, and will not be described herein. If the current time is within the effective time range, the step d can be continuously executed; if the current time is not in the valid time range, the authentication fails.
d. Judge whether the IP limiting condition is met.
When a data access request is received, an IP address for sending the data access request may be obtained, and an IP constraint condition may be preset, where the IP constraint condition may be to determine whether the IP address is in an IP whitelist. If the IP address is in the IP white list, the step e can be continuously executed; if the IP address is not in the IP white list, the authentication fails.
e. Judge whether the number of operations is within the target operation number.
The target operation times can be recorded by a counter, the initial value of the counter is the target operation times, the value of the counter can be directly obtained, and if the value of the counter is greater than 0, the value of the counter can be controlled to be reduced by 1, so that authentication passing is determined. If the value of the counter is less than or equal to 0, authentication fails.
It may be understood that the order of judging the conditions in the above-mentioned judging process may not be limited, or the priority may be set according to the importance of the conditions, and the judgment may be performed according to the order of the priority from high to low, which is not particularly limited in the embodiment of the present application.
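An added sketch of pre-signed URL generation (S210 to S220) and the five checks a to e, not code from the patent. It swaps in HMAC-SHA256 for the hash-then-symmetric-encrypt signature the text describes, so the server recomputes and compares the keyed digest instead of decrypting it; the query parameter names, the per-signature counter and all sample keys and addresses are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import threading
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample data (assumptions, not values from the patent).
SECRETS = {"AKEXAMPLE": b"constructed-secret-key"}               # AccessKey -> SecretKey
USER_WHITELIST = {("demo-bucket", "report.pdf"): {"AKEXAMPLE"}}  # per-object user white list

# Hypothetical query parameter names; every one is covered by the signature.
SIGNED_FIELDS = ("AccessKey", "Bucket", "Object", "NotBefore",
                 "NotAfter", "MaxOps", "AllowedIPs")

_remaining = {}                  # signature -> operations left (server-side counter)
_lock = threading.Lock()


def _sign(secret, fields):
    """HMAC-SHA256 over the signed fields in fixed order, each length-prefixed
    so that shifting bytes between adjacent fields changes the digest."""
    msg = b""
    for name in SIGNED_FIELDS:
        value = str(fields[name]).encode()
        msg += len(value).to_bytes(4, "big") + value
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def presign(host, access_key, bucket, obj, not_before, not_after, max_ops, allowed_ips):
    """S210-S220: build the pre-signed URL from base data and operation constraints."""
    fields = {
        "AccessKey": access_key, "Bucket": bucket, "Object": obj,
        "NotBefore": int(not_before), "NotAfter": int(not_after),
        "MaxOps": int(max_ops), "AllowedIPs": ",".join(allowed_ips),
    }
    fields["Signature"] = _sign(SECRETS[access_key], fields)
    return f"https://{host}/object?{urlencode(fields)}"


def verify(url, client_ip, now):
    """S230: run checks a-e in the listed order; return (allowed, reason)."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if any(name not in q for name in SIGNED_FIELDS + ("Signature",)):
        return False, "malformed"

    # a. Signature: recompute the keyed digest and compare in constant time.
    secret = SECRETS.get(q["AccessKey"])
    if secret is None:
        return False, "signature"
    if not hmac.compare_digest(_sign(secret, q).encode(), q["Signature"].encode()):
        return False, "signature"

    # b. User authority: the access key must be on the object's white list.
    if q["AccessKey"] not in USER_WHITELIST.get((q["Bucket"], q["Object"]), set()):
        return False, "permission"

    # c. Valid time range (the values are trusted only because step a passed).
    if not int(q["NotBefore"]) <= now <= int(q["NotAfter"]):
        return False, "time"

    # d. IP limiting condition: source address must fall in an allowed network.
    try:
        addr = ipaddress.ip_address(client_ip)
        nets = [ipaddress.ip_network(n) for n in q["AllowedIPs"].split(",")]
    except ValueError:
        return False, "ip"
    if not any(addr in net for net in nets):
        return False, "ip"

    # e. Operation count: checked last and under a lock, so rejected requests
    #    never consume the quota and concurrent requests cannot both take the
    #    final remaining operation.
    with _lock:
        left = _remaining.setdefault(q["Signature"], int(q["MaxOps"]))
        if left <= 0:
            return False, "count"
        _remaining[q["Signature"]] = left - 1
    return True, "ok"


if __name__ == "__main__":
    T0, T1 = 1647734400, 1647907200   # 2022-03-20 and 2022-03-22, 00:00 UTC
    url = presign("storage.example", "AKEXAMPLE", "demo-bucket", "report.pdf",
                  T0, T1, max_ops=2, allowed_ips=["203.0.113.0/24"])
    for ip, when in [("203.0.113.9", T0 + 10), ("192.0.2.1", T0 + 10),
                     ("203.0.113.9", T1 + 1), ("203.0.113.9", T0 + 20),
                     ("203.0.113.9", T0 + 30)]:
        print(ip, when, verify(url, ip, when))
```

The `now` argument is whichever current time the server selects, so the time-range check stays independent of how that time is chosen.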
S240, if the data access request is compliant, sending the target data object to the user terminal.
If the authentication is passed, the data access request is considered to be compliant, and the target data object can be sent to the user terminal. Referring to fig. 7, a schematic diagram of a processing procedure when a data access request is compliant is shown, in which a resource visitor (user terminal) requests access to data using a pre-signed URL, an object storage service gateway may process the request through an identity authentication and authorization (Auth) module therein, the identity authentication and authorization module analyzes the pre-signed URL content, determines compliance of the data access request, and if it is confirmed that the compliance rule authentication is successful, the object storage service gateway reads a target data object from the distributed storage, and returns the read target data object to the resource visitor through the object storage gateway.
S250, if the data access request is not compliant, rejecting the data request.
If the authentication fails, the data access request may be considered non-compliant and may be denied. FIG. 8 shows the processing when a data access request is not compliant: a resource visitor (user terminal) requests access to data using a pre-signed URL, and the object storage service gateway processes the request through its identity authentication and authorization (Auth) module. The module parses the pre-signed URL content and determines the compliance of the data access request; if the request is found non-compliant and authentication fails, the object storage service gateway returns an authentication failure and denies the data access request.
From the above, when the scheme provided by the embodiment of the application is adopted to verify the data request, multiple judgments can be used, when a plurality of conditions are met, the data can be considered to pass through the authentication, and if one of the conditions is not met, the authentication can be considered to fail, so that the verification mode of the data request is enriched, and the security of the data can be further improved through multiple verifications. In addition, the IP address is introduced to carry out identity authentication, the operation authorization can be carried out aiming at a specific IP address, more flexible data operation control is realized, the specific authority control requirement is met, and the unlimited operation on the data can be avoided by limiting the operable times of the target data object, so that the risk of data leakage is further reduced, and the safety of the data stored in an object storage mode is improved.
In order to better implement the method, the embodiment of the application also provides a data processing device, which can be integrated in an electronic device, and the electronic device can be a terminal, a server and other devices. The terminal can be a mobile phone, a tablet personal computer, an intelligent Bluetooth device, a notebook computer, a personal computer and other devices; the server may be a single server or a server cluster composed of a plurality of servers.
For example, in the present embodiment, a method of the embodiment of the present application will be described in detail by taking a specific integration of a data processing apparatus in a server as an example.
For example, as shown in fig. 9, the data processing apparatus 300 may include a request acquisition module 310, a determining module 320, and a response module 330.
A request acquisition module 310, configured to acquire a data request sent by a user terminal and parse the data request to obtain an internet protocol address of the user terminal;
a determining module 320, configured to determine a current operable number of times of a target data object, where the target data object is an object indicated by the data request, if the internet protocol address meets an internet protocol constraint condition;
And a response module 330, configured to respond to the data request by executing a target operation on the target data object if the current operable number is greater than a preset operation threshold, where the target operation is an operation indicated by the data request.
In some embodiments, before the internet protocol address meets the preset requirement and the current operable number of the target data object is determined, the determining module 320 further includes:
the parameter acquisition unit is used for acquiring an identity authentication parameter and a request authentication parameter which are obtained by analyzing the data request;
the identity verification unit is used for verifying the identity compliance of the user terminal based on the identity authentication parameters;
an operation verification unit, configured to verify compliance of the target operation based on the request authentication parameter;
and the address judging unit is used for determining whether the Internet protocol address meets the Internet protocol limiting condition if the identity of the user terminal is compliant and the target operation is compliant.
In some embodiments, the authentication parameter comprises an access key, the authentication unit further being for:
determining a private key corresponding to the access key;
Decrypting the data request by using the private key to obtain a first digital digest;
carrying out hash processing on the identity authentication parameter and the request authentication parameter to obtain a second digital digest;
and if the first digital digest is consistent with the second digital digest, determining the identity compliance of the user terminal.
In some embodiments, the authentication unit is further configured to:
acquiring a user white list corresponding to the target data object;
and if the first digital digest and the second digital digest are consistent and the access key is in the user white list, determining that the identity of the user terminal is compliant.
In some embodiments, the request authentication parameter comprises a valid time range, the operation verification unit further being for:
acquiring the current time;
and if the current time is in the effective time range, determining the target operation compliance.
In some embodiments, the operation verification unit is further configured to:
determining a time at which the data request was received as a first time;
determining the time of the user terminal sending the data request as a second time;
calculating the difference between the first time and the second time to obtain a time difference;
If the time difference is smaller than or equal to a first preset difference value, determining the second time as the current time;
if the time difference is larger than the first preset difference value and smaller than the second preset difference value, determining the current time according to the first time and the second time;
and if the time difference is larger than or equal to the second preset difference value, taking the first time as the current time.
In some embodiments, the data processing apparatus 300 further includes a generating unit, before acquiring the data request sent by the user terminal and parsing the data request, the generating unit is configured to:
acquiring basic data, wherein the basic data comprises an access key and target data object information;
acquiring operation constraint parameters, wherein the operation constraint parameters comprise an effective time range, target operation times and Internet protocol limiting conditions;
carrying out hash processing on the basic data and the operation constraint parameters to obtain a first digital digest;
encrypting the first digital digest by using a private key corresponding to the access key to obtain signature data;
and generating the data request according to the signature data, the basic data and the operation constraint parameters.
In the implementation, each module or unit may be implemented as an independent entity, or may be implemented as the same entity or several entities in any combination, and the implementation of each module or unit may be referred to the foregoing method embodiments and will not be repeated herein.
As can be seen from the above, the data processing apparatus of this embodiment may use an IP address to perform identity authentication, may perform operation authorization with respect to a specific IP address, implement more flexible data operation control, and adapt to a specific permission control requirement.
Correspondingly, the embodiment of the application also provides electronic equipment which can be a terminal or a server, wherein the terminal can be terminal equipment such as a smart phone, a tablet personal computer, a notebook computer, a touch screen, a game machine, a personal computer, a personal digital assistant (Personal Digital Assistant, PDA) and the like.
As shown in fig. 10, fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application, where the electronic device 400 includes a processor 401 having one or more processing cores, a memory 402 having one or more computer readable storage media, and a computer program stored in the memory 402 and executable on the processor. The processor 401 is electrically connected to the memory 402. It will be appreciated by those skilled in the art that the electronic device structure shown in the figures is not limiting of the electronic device and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
The processor 401 is a control center of the electronic device 400, connects various parts of the entire electronic device 400 using various interfaces and lines, and performs various functions of the electronic device 400 and processes data by running or loading software programs and/or modules stored in the memory 402, and calling data stored in the memory 402.
In the embodiment of the present application, the processor 401 in the electronic device 400 loads the instructions corresponding to the processes of one or more application programs into the memory 402 according to the following steps, and the processor 401 executes the application programs stored in the memory 402, so as to implement various functions:
acquiring a data request sent by a user terminal and analyzing the data request to obtain an Internet protocol address of the user terminal; if the Internet protocol address meets the Internet protocol limiting condition, determining the current operable times of a target data object, wherein the target data object is an object indicated by the data request; and if the current operable times are greater than a preset operation threshold, responding to the data request, and executing target operation on the target data object, wherein the target operation is indicated by the data request.
The IP address is used for carrying out identity authentication, operation authorization can be carried out aiming at a specific IP address, more flexible data operation control is realized, specific authority control requirements are met, unlimited times of operation on data can be avoided by limiting the operable times of target data objects, the risk of data leakage is further reduced, and therefore the safety of the data stored in an object storage mode is improved.
Acquiring an identity authentication parameter and a request authentication parameter which are obtained by analyzing the data request; verifying the identity compliance of the user terminal based on the identity authentication parameters; verifying compliance of the target operation based on the request authentication parameters; and if the identity of the user terminal is compliant and the target operation is compliant, determining whether the Internet protocol address meets the Internet protocol limiting condition.
Adding identity compliance verification and target operation compliance verification further enriches the available authentication modes, and the multiple checks improve data security.
Determining a private key corresponding to the access key; decrypting the data request by using the private key to obtain a first digital digest; carrying out hash processing on the identity authentication parameter and the request authentication parameter to obtain a second digital digest; and if the first digital digest is consistent with the second digital digest, determining the identity compliance of the user terminal.
Verifying the digital digest ensures that the request has not been tampered with, prevents illegitimate data requests, and improves data security.
Acquiring a user white list corresponding to the target data object; and if the first digital digest and the second digital digest are consistent and the access key is in the user white list, determining that the identity of the user terminal is compliant.
Further verifying the user's identity against the user white list prevents illegitimate operations on the data and improves data security.
Acquiring the current time; and if the current time is in the effective time range, determining the target operation compliance.
Operations on the data are restricted to the effective time range, which prevents illegitimate access outside that range and thereby improves data security.
Determining a time at which the data request was received as a first time; determining the time of the user terminal sending the data request as a second time; calculating the difference between the first time and the second time to obtain a time difference; if the time difference is smaller than or equal to a first preset difference value, determining the second time as the current time; if the time difference is larger than the first preset difference value and smaller than the second preset difference value, determining the current time according to the first time and the second time; and if the time difference is larger than or equal to the second preset difference value, taking the first time as the current time.
The current time is determined by jointly considering the time the data request was sent and the time it was received, and that current time is then checked against the effective time range. This prevents illegitimate access to data achieved by modifying the time of sending or the time of receiving the data request, and improves data security.
Acquiring basic data, wherein the basic data comprises an access key and target data object information; acquiring operation constraint parameters, wherein the operation constraint parameters comprise an effective time range, target operation times and Internet protocol limiting conditions; carrying out hash processing on the basic data and the operation constraint parameters to obtain a first digital digest; encrypting the first digital digest by using a private key corresponding to the access key to obtain signature data; and generating the data request according to the signature data, the basic data and the operation constraint parameters.
The digest is generated from the basic data and the operation constraint parameters and encrypted with the private key, and the data request is then generated from the encrypted digest together with the basic data and the operation constraint parameters. This prevents the data request from being tampered with and improves data security.
For the specific implementation of each operation above, refer to the previous embodiments; it is not repeated here.
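The request generation and server-side checks described above, composed into one verifier as an added example (this is not code from the patent). HMAC-SHA256 over a shared secret stands in for the "encrypt the digest with the private key" step; the midpoint rule for the middle time branch, the absolute time difference, the CIDR form of the Internet protocol limiting condition, the threshold values and all names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed server-side state; every value here is an illustrative assumption.
SECRETS = {"AK_DEMO": b"constructed-demo-secret"}  # access key -> signing secret
WHITELIST = {"bucket/report.pdf": {"AK_DEMO"}}     # per-object user white list
SUCCESSFUL_OPS = {}                                # object -> successful operations so far
FIRST_DIFF, SECOND_DIFF = 5, 300                   # preset difference values (seconds)
OP_THRESHOLD = 0                                   # preset operation threshold


def sign(secret, base, constraints):
    """Hash basic data + operation constraints, then key the digest with the secret."""
    blob = json.dumps({"base": base, "constraints": constraints},
                      sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(blob).digest()
    return hmac.new(secret, digest, hashlib.sha256).hexdigest()


def build_request(access_key, obj, valid_from, valid_to, target_ops, ip_limit, sent_at):
    """Client side: basic data + constraints + signature data form the request."""
    base = {"access_key": access_key, "object": obj}
    constraints = {"valid_from": valid_from, "valid_to": valid_to,
                   "target_ops": target_ops, "ip_limit": ip_limit}
    return {"base": base, "constraints": constraints, "sent_at": sent_at,
            "signature": sign(SECRETS[access_key], base, constraints)}


def effective_time(received_at, sent_at):
    """Pick the 'current time' from the receive (first) and send (second) times."""
    diff = abs(received_at - sent_at)         # assumption: absolute difference
    if diff <= FIRST_DIFF:
        return sent_at                        # clocks agree: accept the sender's time
    if diff < SECOND_DIFF:
        return (received_at + sent_at) / 2    # assumption: midpoint of the two
    return received_at                        # too far apart: trust only the server


def handle_request(req, source_ip, received_at):
    """Server side: run the checks in the order the page describes."""
    base, cons = req["base"], req["constraints"]
    secret = SECRETS.get(base.get("access_key"))
    if secret is None:
        return "deny: unknown access key"
    # Identity compliance: recompute the digest and compare in constant time.
    expected = sign(secret, base, cons)
    if not hmac.compare_digest(expected.encode(), str(req.get("signature")).encode()):
        return "deny: digest mismatch"
    if base["access_key"] not in WHITELIST.get(base["object"], set()):
        return "deny: access key not in white list"
    # Target-operation compliance: sent_at is not covered by the digest, so its
    # influence is bounded by effective_time() before the range check.
    now = effective_time(received_at, req["sent_at"])
    if not cons["valid_from"] <= now <= cons["valid_to"]:
        return "deny: outside effective time range"
    # IP limiting condition, modelled here as a list of allowed CIDR ranges.
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in ipaddress.ip_network(cidr) for cidr in cons["ip_limit"]):
        return "deny: ip limiting condition not met"
    # Current operable times = preset target operation times - successful operations.
    done = SUCCESSFUL_OPS.get(base["object"], 0)
    if cons["target_ops"] - done <= OP_THRESHOLD:
        return "deny: no operable times left"
    SUCCESSFUL_OPS[base["object"]] = done + 1
    return "allow"


if __name__ == "__main__":
    # Constructed sample request: two operations, one /24, valid from t=1000 to t=2000.
    req = build_request("AK_DEMO", "bucket/report.pdf", 1000, 2000, 2,
                        ["203.0.113.0/24"], sent_at=1500)
    for ip, t in [("203.0.113.7", 1502), ("198.51.100.9", 1502),
                  ("203.0.113.7", 1503), ("203.0.113.7", 1504)]:
        print(ip, t, handle_request(req, ip, t))
```

Because the constraints are inside the signed digest, raising `target_ops` or widening `ip_limit` in transit fails the digest comparison before any other check runs.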
Optionally, as shown in fig. 10, the electronic device 400 further includes: a touch display 403, a radio frequency circuit 404, an audio circuit 405, an input unit 406, and a power supply 407. The processor 401 is electrically connected to the touch display 403, the radio frequency circuit 404, the audio circuit 405, the input unit 406, and the power supply 407, respectively. It will be appreciated by those skilled in the art that the electronic device structure shown in fig. 10 is not limiting of the electronic device and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
The touch display 403 may be used to display a graphical user interface and receive operation instructions generated by a user acting on the graphical user interface. The touch display 403 may include a display panel and a touch panel. The display panel may be used to display information entered by a user or provided to a user, as well as the various graphical user interfaces of the electronic device, which may be composed of graphics, text, icons, video, and any combination thereof. Optionally, the display panel may be configured as a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or the like. The touch panel may be used to collect the user's touch operations on or near it (such as operations performed on or near the touch panel with a finger, stylus, or any other suitable object or accessory) and to generate corresponding operation instructions, which execute the corresponding programs. Optionally, the touch panel may include two parts, a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and transmits the signal to the touch controller; the touch controller receives touch information from the touch detection device, converts it into touch point coordinates, sends the coordinates to the processor 401, and can receive and execute commands sent from the processor 401. The touch panel may overlay the display panel; when the touch panel detects a touch operation on or near it, it passes the operation to the processor 401 to determine the type of touch event, and the processor 401 then provides a corresponding visual output on the display panel according to the type of touch event.
In the embodiment of the present application, the touch panel and the display panel may be integrated into the touch display 403 to implement the input and output functions. In some embodiments, however, the touch panel and the display panel may be implemented as two separate components to perform the input and output functions. That is, the touch display 403 may also implement an input function as part of the input unit 406.
The radio frequency circuit 404 may be used to transmit and receive radio frequency signals in order to establish wireless communication with a network device or another electronic device.
The audio circuit 405 may be used to provide an audio interface between a user and the electronic device through a speaker and a microphone. On the one hand, the audio circuit 405 may convert received audio data into an electrical signal and transmit it to the speaker, which converts it into a sound signal for output; on the other hand, the microphone converts collected sound signals into electrical signals, which the audio circuit 405 receives and converts into audio data. The audio data is output to the processor 401 for processing and then sent via the radio frequency circuit 404 to, for example, another electronic device, or output to the memory 402 for further processing. The audio circuit 405 may also include an earphone jack to allow a peripheral headset to communicate with the electronic device.
The input unit 406 may be used to receive input numbers, character information, or user characteristic information (e.g., fingerprint, iris, facial information, etc.), and to generate keyboard, mouse, joystick, optical, or trackball signal inputs related to user settings and function control.
The power supply 407 is used to power the various components of the electronic device 400. Alternatively, the power supply 407 may be logically connected to the processor 401 through a power management system, so as to implement functions of managing charging, discharging, and power consumption management through the power management system. The power supply 407 may also include one or more of any of a direct current or alternating current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
Although not shown in fig. 10, the electronic device 400 may further include a camera, a sensor, a wireless fidelity module, a bluetooth module, etc., which are not described herein.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
As can be seen from the above, the electronic device provided in this embodiment can use the IP address for identity authentication and authorize operations for specific IP addresses, which gives more flexible control over data operations and accommodates specific permission-control requirements. By limiting the number of times the target data object can be operated on, it prevents an unlimited number of operations on the data and further reduces the risk of data leakage, thereby improving the security of data held in object storage.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, embodiments of the present application provide a computer readable storage medium having stored therein a plurality of computer programs that can be loaded by a processor to perform steps in any of the data processing methods provided by the embodiments of the present application. For example, the computer program may perform the steps of:
acquiring a data request sent by a user terminal and analyzing the data request to obtain an Internet protocol address of the user terminal; if the Internet protocol address meets the Internet protocol limiting condition, determining the current operable times of a target data object, wherein the target data object is an object indicated by the data request; and if the current operable times are greater than a preset operation threshold, responding to the data request, and executing target operation on the target data object, wherein the target operation is indicated by the data request.
Using the IP address for identity authentication allows operations to be authorized for specific IP addresses, which gives more flexible control over data operations and accommodates specific permission-control requirements. Limiting the number of times the target data object can be operated on prevents an unlimited number of operations on the data and further reduces the risk of data leakage, thereby improving the security of data held in object storage.
Acquiring an identity authentication parameter and a request authentication parameter which are obtained by analyzing the data request; verifying the identity compliance of the user terminal based on the identity authentication parameters; verifying compliance of the target operation based on the request authentication parameters; and if the identity of the user terminal is compliant and the target operation is compliant, determining whether the Internet protocol address meets the Internet protocol limiting condition.
Adding identity compliance verification and target operation compliance verification further enriches the available authentication modes, and the multiple checks improve data security.
Determining a private key corresponding to the access key; decrypting the data request by using the private key to obtain a first digital digest; carrying out hash processing on the identity authentication parameter and the request authentication parameter to obtain a second digital digest; and if the first digital digest is consistent with the second digital digest, determining the identity compliance of the user terminal.
Verifying the digital digest ensures that the request has not been tampered with, prevents illegitimate data requests, and improves data security.
Acquiring a user white list corresponding to the target data object; and if the first digital digest and the second digital digest are consistent and the access key is in the user white list, determining that the identity of the user terminal is compliant.
Further verifying the user's identity against the user white list prevents illegitimate operations on the data and improves data security.
Acquiring the current time; and if the current time is in the effective time range, determining the target operation compliance.
Operations on the data are restricted to the effective time range, which prevents illegitimate access outside that range and thereby improves data security.
Determining a time at which the data request was received as a first time; determining the time of the user terminal sending the data request as a second time; calculating the difference between the first time and the second time to obtain a time difference; if the time difference is smaller than or equal to a first preset difference value, determining the second time as the current time; if the time difference is larger than the first preset difference value and smaller than the second preset difference value, determining the current time according to the first time and the second time; and if the time difference is larger than or equal to the second preset difference value, taking the first time as the current time.
The current time is determined by jointly considering the time the data request was sent and the time it was received, and that current time is then checked against the effective time range. This prevents illegitimate access to data achieved by modifying the time of sending or the time of receiving the data request, and improves data security.
Acquiring basic data, wherein the basic data comprises an access key and target data object information; acquiring operation constraint parameters, wherein the operation constraint parameters comprise an effective time range, target operation times and Internet protocol limiting conditions; carrying out hash processing on the basic data and the operation constraint parameters to obtain a first digital digest; encrypting the first digital digest by using a private key corresponding to the access key to obtain signature data; and generating the data request according to the signature data, the basic data and the operation constraint parameters.
The digest is generated from the basic data and the operation constraint parameters and encrypted with the private key, and the data request is then generated from the encrypted digest together with the basic data and the operation constraint parameters. This prevents the data request from being tampered with and improves data security.
For the specific implementation of each operation above, refer to the previous embodiments; it is not repeated here.
The storage medium may include: read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, and the like.
Because the computer program stored in the storage medium can execute the steps of any data processing method provided in the embodiments of the present application, it can achieve the beneficial effects of any of those methods; these are detailed in the previous embodiments and are not repeated here.
The foregoing has described in detail a data processing method, apparatus, electronic device and storage medium provided in the embodiments of the present application, where specific examples are applied to illustrate the principles and implementations of the present application, and the description of the foregoing examples is only used to help understand the method and core idea of the present application; meanwhile, those skilled in the art will have variations in the specific embodiments and application scope in light of the ideas of the present application, and the present description should not be construed as limiting the present application in view of the above.

Claims (8)

1. A method of data processing, the method comprising:
acquiring a data request sent by a user terminal and analyzing the data request to obtain an Internet protocol address of the user terminal;
acquiring an identity authentication parameter and a request authentication parameter which are obtained by analyzing the data request, wherein the request authentication parameter comprises an effective time range; verifying the identity compliance of the user terminal based on the identity authentication parameters; acquiring the current time; if the current time is in the effective time range, determining target operation compliance; if the identity of the user terminal is compliant and the target operation is compliant, determining that the internet protocol address meets the internet protocol limiting condition, wherein the identity authentication parameter comprises an access key;
if the internet protocol address meets the internet protocol limiting condition, determining the current operable times of a target data object, wherein the target data object is an object indicated by the data request, and the current operable times of the target data object are determined according to the preset target operation times corresponding to the target data object and the times of successful operation of the target data object;
and if the current operable times are greater than a preset operation threshold, responding to the data request, and executing target operation on the target data object, wherein the target operation is indicated by the data request.
2. The method according to claim 1, wherein verifying identity compliance of the user terminal based on the identity authentication parameters comprises:
determining a private key corresponding to the access key;
decrypting the data request by using the private key to obtain a first digital digest;
carrying out hash processing on the identity authentication parameter and the request authentication parameter to obtain a second digital digest;
and if the first digital digest is consistent with the second digital digest, determining the identity compliance of the user terminal.
3. The method of claim 2, wherein the determining identity compliance of the user terminal if the first digital digest and the second digital digest are identical comprises:
acquiring a user white list corresponding to the target data object;
and if the first digital digest and the second digital digest are consistent and the access key is in the user white list, determining that the identity of the user terminal is compliant.
4. The method of claim 1, wherein the obtaining the current time comprises:
determining a time at which the data request was received as a first time;
determining the time of the user terminal sending the data request as a second time;
calculating the difference between the first time and the second time to obtain a time difference;
if the time difference is smaller than or equal to a first preset difference value, determining the second time as the current time;
if the time difference is larger than the first preset difference value and smaller than the second preset difference value, determining the current time according to the first time and the second time;
and if the time difference is larger than or equal to the second preset difference value, taking the first time as the current time.
5. The method of claim 1, wherein before the step of obtaining the data request sent by the user terminal and parsing the data request, further comprises:
acquiring basic data, wherein the basic data comprises an access key and target data object information;
acquiring operation constraint parameters, wherein the operation constraint parameters comprise an effective time range, target operation times and Internet protocol limiting conditions;
carrying out hash processing on the basic data and the operation constraint parameters to obtain a first digital digest;
encrypting the first digital digest by using a private key corresponding to the access key to obtain signature data;
and generating the data request according to the signature data, the basic data and the operation constraint parameters.
6. A data processing apparatus, the apparatus comprising:
the request acquisition module is used for acquiring a data request sent by a user terminal and analyzing the data request to obtain an Internet protocol address of the user terminal;
the judging module is used for acquiring an identity authentication parameter and a request authentication parameter which are obtained by analyzing the data request, wherein the request authentication parameter comprises an effective time range; verifying the identity compliance of the user terminal based on the identity authentication parameters; acquiring the current time; if the current time is in the effective time range, determining target operation compliance; if the identity of the user terminal is compliant and the target operation is compliant, determining that the internet protocol address meets the internet protocol limiting condition; if the internet protocol address meets internet protocol limiting conditions, determining the current operable times of a target data object, wherein the target data object is an object indicated by the data request, the current operable times of the target data object are determined according to the preset target operation times corresponding to the target data object and the times of successful operation of the target data object, and the identity authentication parameters comprise an access key;
and the response model is used for responding to the data request and executing target operation on the target data object if the current operable times are larger than a preset operation threshold, wherein the target operation is indicated by the data request.
7. An electronic device comprising a processor and a memory, the memory storing a plurality of instructions; the processor loads instructions from the memory to perform the steps of the data processing method according to any one of claims 1 to 5.
8. A computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor for performing the steps of the data processing method according to any one of claims 1 to 5.
CN202210417640.7A 2022-04-20 2022-04-20 Data processing method, device, electronic equipment and storage medium Active CN114826724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210417640.7A CN114826724B (en) 2022-04-20 2022-04-20 Data processing method, device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114826724A CN114826724A (en) 2022-07-29
CN114826724B true CN114826724B (en) 2024-04-09

Family

ID=82504748

Country Status (1)

Country Link
CN (1) CN114826724B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117371030A (en) * 2023-09-27 2024-01-09 上海嗨普智能信息科技股份有限公司 Multi-tenant limited access object storage method and management system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9225746B2 (en) * 2013-12-12 2015-12-29 International Business Machines Corporation Timestamp systems and methods

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107666509A (en) * 2017-08-28 2018-02-06 深圳市诚壹科技有限公司 Buffer control method and server
CN107819743A (en) * 2017-10-24 2018-03-20 中国平安财产保险股份有限公司 Resource access control method and terminal device
CN110166159A (en) * 2019-05-24 2019-08-23 南方电网科学研究院有限责任公司 One kind being based on GPRS network clock synchronization, electric energy meter time synchronization method and system
CN112257093A (en) * 2020-11-09 2021-01-22 天冕信息技术(深圳)有限公司 Authentication method of data object, terminal and storage medium
CN112615849A (en) * 2020-12-15 2021-04-06 平安科技(深圳)有限公司 Micro-service access method, device, equipment and storage medium
CN112686599A (en) * 2020-12-24 2021-04-20 北京三快在线科技有限公司 Request response method, device, system, electronic equipment and computer readable medium
CN112803361A (en) * 2021-01-05 2021-05-14 许继集团有限公司 Method and device for checking consistency of receiving and transmitting delays of optical fiber differential protection channel on line
CN113055380A (en) * 2021-03-11 2021-06-29 平安银行股份有限公司 Message processing method and device, electronic equipment and medium
CN113542290A (en) * 2021-07-21 2021-10-22 腾讯科技(深圳)有限公司 Data access request processing method, device, equipment and readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
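Design and Implementation of an IPTV Terminal Network Management Authentication ***; Li Zhihua; Sun Ya; Li Zuopeng; Television Technology (电视技术) (01); full text *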

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant