CN115801344A - Multi-instance networking method and device based on block chain and electronic equipment - Google Patents


Info

Publication number: CN115801344A
Authority: CN (China)
Prior art keywords: data, service, program instance, service program, instance
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202211352499.3A
Other languages: Chinese (zh)
Inventors: 于源, 孙善禄, 王天雨, 方唯振
Current assignee: Ant Blockchain Technology Shanghai Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Ant Blockchain Technology Shanghai Co Ltd
Application filed by Ant Blockchain Technology Shanghai Co Ltd
Priority to CN202211352499.3A
Priority to PCT/CN2022/135245 (published as WO2024092928A1)
Publication of CN115801344A

Classifications

    All classifications fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/08 Configuration management of networks or network elements > H04L41/0803 Configuration setting
    • H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network > H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources > H04L67/63 Routing a service request depending on the request content or context
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiments of the specification provide a blockchain-based multi-instance networking method and apparatus and an electronic device. The method comprises the following steps: receiving an access request initiated by a first data collaborator, the access request comprising a device identifier of at least one service device corresponding to the first data collaborator; in response to the access request, adding the at least one service device to a data security blockchain as a blockchain node and creating a first service program instance associated with the at least one service device corresponding to the first data collaborator; and determining whether a second service program instance associated with at least one service device corresponding to a second data collaborator other than the first data collaborator has been created, and if so, creating a data synchronization channel between the first service program instance and the second service program instance.

Description

Multi-instance networking method and device based on block chain and electronic equipment
Technical Field
The embodiment of the specification relates to the technical field of block chains, in particular to a block chain-based multi-instance networking method and device and electronic equipment.
Background
When an enterprise or an individual uses, across domains, user data required by a service, a strict application and approval process must be executed to control and authorize the right to use that user data, and the secure transfer of the user data must be ensured by technical means.
The data security blockchain (abbreviated as the digital security chain) is a widely applied solution, implemented on blockchain technology, for ensuring the secure transfer of user data. With this solution, user data can be transferred as ciphertext across domains between multiple cross-domain data collaborators (data sources), while control over the user data is never transferred.
However, existing data collaboration platforms based on the data security blockchain generally adopt a centralized network service architecture, and as the usage scenarios for user data become increasingly rich, this architecture gradually fails to meet the requirements.
Disclosure of Invention
The embodiment of the specification provides a multi-instance networking method and device based on a block chain and an electronic device.
According to a first aspect of embodiments of the present specification, a blockchain-based multi-instance networking method is provided, which is applied to a data collaboration platform based on a data security blockchain; the blockchain nodes in the data security blockchain comprise service devices respectively corresponding to a plurality of data collaborators; the method comprises the following steps:
receiving an access request initiated by a first data collaborator; the access request comprises a device identifier of at least one service device corresponding to the first data collaborator;
in response to the access request, adding the at least one service device to the data security blockchain as a blockchain node, and creating a first service program instance associated with the at least one service device corresponding to the first data collaborator; and
determining whether a second service program instance associated with at least one service device corresponding to a second data collaborator other than the first data collaborator has been created; if so, creating a data synchronization channel between the first service program instance and the second service program instance;
wherein the data collaborators respectively correspond to different data domains; the data synchronization channel is used for cross-domain data synchronization between the first service program instance and the second service program instance; and each service program instance is used for authorization management of the cross-chain transfer of ciphertext data corresponding to the user data stored on the service devices associated with that service program instance.
According to a second aspect of embodiments of the present specification, there is provided a blockchain-based multi-instance networking apparatus, which is applied to a data collaboration platform based on a data security blockchain; the blockchain nodes in the data security blockchain comprise service devices respectively corresponding to a plurality of data collaborators; the apparatus comprises:
a receiving unit, configured to receive an access request initiated by a first data collaborator; wherein the access request comprises a device identifier of at least one service device corresponding to the first data collaborator;
a response unit, configured to, in response to the access request, add the at least one service device to the data security blockchain as a blockchain node, and create a first service program instance associated with the at least one service device corresponding to the first data collaborator;
a determining unit, configured to determine whether a second service program instance associated with at least one service device corresponding to a second data collaborator, other than the first data collaborator among the plurality of data collaborators, has been created;
a networking unit, configured to create a data synchronization channel between the first service program instance and the second service program instance when the second service program instance associated with at least one service device corresponding to the second data collaborator has been created; wherein the data collaborators respectively correspond to different data domains; the data synchronization channel is used for cross-domain data synchronization between the first service program instance and the second service program instance; and each service program instance is used for authorization management of the cross-chain transfer of ciphertext data corresponding to the user data stored on the service devices associated with that service program instance.
According to a third aspect of embodiments of the present specification, there is provided an electronic apparatus including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform any one of the above blockchain-based multi-instance networking methods.
In the embodiments of the specification, an independent service program instance is created on the data collaboration platform for each data collaborator that joins the platform, and data synchronization channels are created between the service program instances created for those data collaborators. As a result, whenever a data collaborator needs to transfer the ciphertext data of the user data it maintains to other data collaborators across domains, it can synchronize data with them in real time over the data synchronization channel.
Drawings
FIG. 1 is a diagram of a network service architecture employing multi-instance networking in a data collaboration platform according to an embodiment of the present specification;
FIG. 2 is a flowchart of a blockchain-based multi-instance networking method according to an embodiment of the present specification;
FIG. 3 is a diagram illustrating a device registration flow in a service program instance provided by an embodiment of the present specification;
FIG. 4 is a schematic diagram illustrating a device update flow in a service program instance provided by an embodiment of the present specification;
FIG. 5 is a diagram illustrating a data registration flow in a service program instance provided by an embodiment of the present specification;
FIG. 6 is a diagram illustrating a data update flow in a service program instance provided by an embodiment of the present specification;
FIG. 7 is a diagram illustrating a data downlink flow in a service program instance provided by an embodiment of the present specification;
FIG. 8 is a flowchart of a data cross-domain authorization method provided by an embodiment of the present specification;
FIG. 9 is a schematic diagram of cross-domain authorization of data provided by an embodiment of the present specification;
FIG. 10 is a schematic diagram of cross-domain migration of data provided by an embodiment of the present specification;
FIG. 11 is a hardware structure diagram of a blockchain-based multi-instance networking or data cross-domain authorization apparatus provided by an embodiment of the present specification;
FIG. 12 is a block diagram of a blockchain-based multi-instance networking apparatus provided by an embodiment of the present specification;
FIG. 13 is a block diagram of a data cross-domain authorization apparatus provided by an embodiment of the present specification.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present description. The word "if" as used herein may be interpreted as "when", "upon", or "in response to determining", depending on the context.
A data security block chain (abbreviated as digital security chain) is a network service architecture using a block chain as a bottom layer service. In the network service architecture, a blockchain node on a blockchain serving as an underlying service may generally include service devices corresponding to a plurality of data collaborators.
The data collaborators generally correspond to different data domains. That the multiple data collaborators correspond to different data domains means, specifically, that data transmission between the service devices of different data collaborators must take place across domains. In practice, different service devices access the user data stored in each other's local databases through a domain name access address (i.e., a URL). When a service device accesses another service device through a URL, and the URL of the accessed service device differs from that of the accessing service device, the data transmission between the two is called cross-domain. In practice, if a data collaborator corresponds to multiple service devices, those service devices may share the same domain name access address.
In the data security blockchain, in order to ensure the use security of the user data maintained by each data collaborator, the user data maintained by each data collaborator is generally stored in the local database of the service device corresponding to each data collaborator. The block chain is used as an open storage platform, and only data attribute information (also referred to as a data directory) corresponding to the user data maintained by each data collaborator can be stored on the block chain.
In this way, for any data collaborator, user data published by other data collaborators joining the data security blockchain can be discovered by acquiring data attribute information on the blockchain. When finding out the interested user data issued by other data collaborators, the data collaborators can also initiate data authorization application to the other data collaborators, the owner of the user data requesting authorization can carry out authorization approval, and after the authorization approval is passed, the ciphertext data of the user data can be transferred to the data collaborators in a cross-domain mode by using a data synchronization channel between the data collaborators.
Throughout this process only the ciphertext of the user data is transferred across domains; the plaintext never leaves its own domain. The existing data security blockchain solution therefore performs cross-domain data transfer of user data in ciphertext form without transferring control of the user data.
However, although the data security blockchain greatly improves the use security of user data, in the existing data collaboration platform based on the data security blockchain, a centralized network service architecture based on a single service program instance is generally adopted.
After the service devices corresponding to the multiple data collaborators serving as the data source are respectively accessed to the data security blockchain as blockchain nodes, in order to perform cross-domain transfer management on the ciphertext data of the user data stored in the local database of the service device corresponding to the multiple data collaborators, the data collaboration platform may use resources on the blockchain service platform to jointly create a centralized service program instance for the multiple data collaborators on the data collaboration platform, and perform authorization management on cross-domain transfer of the ciphertext data of the user data maintained by the multiple data collaborators through the centralized service program instance.
A service program instance may be a software service unit created on the blockchain service platform, using resources of that platform, to provide services to the plurality of data collaborators. In practice, the centralized service program instance is associated with all service devices that have joined the data security blockchain as blockchain nodes, and it performs authorization management of the cross-chain transfer of ciphertext data of the user data stored in the local databases of all those service devices.
For example, when any of the multiple data collaborators discovers user data of interest published by another data collaborator, it can initiate a data authorization application to the centralized service program instance, and that instance performs the authorization approval.
In practice, as the scenarios for mutual data collaboration among multiple data collaborators grow richer, different data collaborators may need to form a data collaboration alliance by establishing a data collaboration relationship. Under this requirement, those data collaborators need to synchronize data with each other frequently.
However, the existing data collaboration platform based on the data security chain still adopts a centralized network service architecture with a single service program instance, so there are naturally no data synchronization channels between data collaborators, and this requirement clearly cannot be met.
In view of this, the present specification provides a distributed network service architecture that employs multiple service program instances for networking on a data collaboration platform based on a data security block chain.
In implementation, the data collaboration platform no longer uses a centralized network service architecture based on a single service program instance. Instead, for each data collaborator joining the platform, resources on the platform are used to create a service program instance associated with at least one service device corresponding to that data collaborator, data synchronization channels are created between the service program instances of the data collaborators, and data synchronization between the data collaborators is performed through those channels.
In this technical solution, the data collaboration platform replaces the centralized single-instance architecture with a network service architecture in which multiple service program instances are networked: the platform creates an independent service program instance for each data collaborator that joins, and creates data synchronization channels between those instances. Whenever a data collaborator needs to transfer the ciphertext data of the user data it maintains to other data collaborators across domains, it can synchronize with them in real time over the data synchronization channel, so the data synchronization requirement of a data collaboration alliance can be satisfied.
For example, in the existing centralized architecture with a single service program instance, every data collaborator joining the platform shares the same service program instance and there is no data synchronization channel, so a data collaborator can only discover data sets published by others by periodically fetching the corresponding data attribute information from the data security chain, which clearly introduces a lag. A data collaborator acting as a data consumer cannot perceive the latest data published by others at the earliest moment; likewise, a data collaborator acting as a data provider cannot notify the others of its latest published data in time.
With the networked multi-instance architecture of this technical solution, an independent service program instance is created for each data collaborator on the data collaboration platform, and a data synchronization channel is opened between the service program instances of the data collaborators. Therefore, after a data collaborator acting as a data provider publishes its latest data on the data security blockchain, the published data, together with its evidence storage identifier on the data security blockchain, can be synchronized in time to the service program instances of the other data collaborators through the data synchronization channel.
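The networking steps of the first aspect and the real-time synchronization just described, as an added example that is not code from the patent or from Ant Blockchain: one service program instance per collaborator, a bidirectional data synchronization channel to every instance that already exists, and a newly published data directory entry (attribute information plus its evidence identifier) pushed over the channels instead of being discovered by periodic polling of the chain. All names, the SHA-256 stand-in for the evidence storage identifier, the distinct-domain check and the directory catch-up on join are assumptions.

```python
"""Added example (not from the patent): a minimal model of blockchain-based
multi-instance networking on a data collaboration platform."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class ServiceProgramInstance:
    collaborator: str
    domain: str                      # domain name access address shared by its devices
    devices: set[str] = field(default_factory=set)
    is_provider: bool = True         # consumer-only collaborators omit dataAuth/DIS
    directory: dict[str, dict] = field(default_factory=dict)  # evidence id -> attributes
    channels: dict[str, "ServiceProgramInstance"] = field(default_factory=dict)

    def sync_in(self, evidence_id: str, attributes: dict) -> None:
        """Receive a directory entry over a data synchronization channel."""
        self.directory[evidence_id] = attributes


class DataCollaborationPlatform:
    def __init__(self) -> None:
        self.chain_nodes: dict[str, str] = {}       # device id -> owning collaborator
        self.chain_directory: dict[str, dict] = {}  # on-chain data attribute information only
        self.instances: dict[str, ServiceProgramInstance] = {}

    def handle_access_request(self, collaborator: str, domain: str,
                              device_ids: list[str], is_provider: bool = True
                              ) -> ServiceProgramInstance:
        """Validate the access request, add the devices as chain nodes, create the
        instance, and network it with every service program instance already created."""
        if not device_ids:
            raise ValueError("access request must carry at least one device identifier")
        if collaborator in self.instances:
            raise ValueError(f"{collaborator} already has a service program instance")
        for dev in device_ids:
            if dev in self.chain_nodes:
                raise ValueError(f"device {dev} is already a blockchain node")
        for other in self.instances.values():
            if other.domain == domain:  # assumption: collaborators map to distinct domains
                raise ValueError(f"domain {domain} already belongs to {other.collaborator}")

        for dev in device_ids:
            self.chain_nodes[dev] = collaborator
        inst = ServiceProgramInstance(collaborator, domain, set(device_ids), is_provider)

        # "Determine whether a second service program instance is created; if yes,
        # create a data synchronization channel" - the channel is bidirectional.
        for other in self.instances.values():
            inst.channels[other.collaborator] = other
            other.channels[collaborator] = inst
            for eid, attrs in other.directory.items():  # assumption: catch-up on join
                if attrs["owner"] == other.collaborator:
                    inst.sync_in(eid, attrs)
        self.instances[collaborator] = inst
        return inst

    def publish(self, collaborator: str, attributes: dict) -> str:
        """A provider publishes attribute information (never the user data itself) on
        chain and pushes the entry with its evidence identifier to every peer."""
        inst = self.instances[collaborator]
        if not inst.is_provider:
            raise PermissionError(f"{collaborator} is consumer-only and cannot publish")
        entry = {"owner": collaborator, **attributes}
        payload = json.dumps(entry, sort_keys=True).encode()
        evidence_id = hashlib.sha256(payload).hexdigest()  # stand-in for the on-chain id
        self.chain_directory[evidence_id] = entry
        inst.directory[evidence_id] = entry
        for peer in inst.channels.values():
            peer.sync_in(evidence_id, entry)
        return evidence_id

    def channel_counts(self) -> dict[str, int]:
        return {name: len(inst.channels) for name, inst in self.instances.items()}


def demo() -> dict:
    """Fig. 1 setup: collaborator A with devices 1-4, B with device 5, then C joins."""
    platform = DataCollaborationPlatform()
    platform.handle_access_request("A", "a.example", ["dev1", "dev2", "dev3", "dev4"])
    platform.handle_access_request("B", "b.example", ["dev5"], is_provider=False)
    eid = platform.publish("A", {"dataset": "constructed_sample", "schema": "v1"})
    platform.handle_access_request("C", "c.example", ["dev6"])
    return {
        "channels": platform.channel_counts(),
        "b_sees_a_data": eid in platform.instances["B"].directory,
        "c_caught_up": eid in platform.instances["C"].directory,
        "on_chain": eid in platform.chain_directory,
        "nodes": len(platform.chain_nodes),
    }


if __name__ == "__main__":
    print(demo())
```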
Referring to fig. 1, fig. 1 is a diagram illustrating a network service architecture using multi-instance networking in a data collaboration platform according to the present specification.
In this specification, the data collaboration platform may not adopt a centralized network service architecture based on a single service program instance, but adopt a distributed network service architecture in which multiple service program instances are networked.
As shown in fig. 1, the first service program instance shown in fig. 1 may be a service program instance that is created by the data collaboration platform for a first data collaboration party accessing the data collaboration platform and is associated with a service device corresponding to the first data collaboration party. The second service program instance shown in fig. 1 may be a service program instance created by the data collaboration platform for a second data collaboration party accessing the data collaboration platform and associated with a service device corresponding to the second data collaboration party.
It should be noted that each data collaborator joining the data collaboration platform may correspond to one service device or to multiple service devices. When a data collaborator joins the platform, its service devices are added to the digital security blockchain as blockchain nodes; for example, as shown in fig. 1, the first data collaborator corresponds to four service devices, service devices 1 to 4, while the second data collaborator corresponds to a single service device, service device 5.
The service program instance may adopt the three-layer service architecture shown in fig. 1, which includes a first service layer, a second service layer, and a third service layer.
The first service layer may be an application service layer corresponding to the digital security block chain.
The second service layer may be an authorized service layer corresponding to the digital security blockchain.
The third service layer may be a basic service layer corresponding to the digital security blockchain.
Each of the three service layers may include some basic service components provided on the data collaboration platform;
for example, as shown in fig. 1, if the data collaboration platform is a cloud service platform, each of the three service layers may include service components such as an SLB (Server Load Balancer) and an ECS (Elastic Compute Service).
The application service layer may specifically include a cross-domain transfer component for implementing a cross-domain transfer function of ciphertext data, an encryption/decryption component for implementing an encryption/decryption function for the ciphertext data, and the like;
for example, as shown in fig. 1, if the data collaboration platform is a cloud service platform, the cross-domain transfer component and the encryption and decryption component may be cloud components implemented based on cloud computing resources related to an ECS service on the cloud service platform.
The authorization service layer may specifically include a dataAuth component for authorization management of the cross-domain transfer of ciphertext data, a DIS (Distributed Identity Service) component for managing the blockchain digital identity of user data on the digital security blockchain, a transit service component for transferring data stored in the digital security blockchain and for fetching data from the digital security blockchain at regular intervals, and the like.
For example, as shown in fig. 1, if the data collaboration platform is a cloud service platform, the dataAuth component, the DIS component, and the transit service component may be cloud components implemented on cloud computing resources related to the ECS service of the cloud service platform.
The basic service layer can be specifically used for realizing basic service functions related to the digital security block chain; such as a service function such as data uplink certificate storage.
For example, as shown in fig. 1, if the data collaboration platform is a cloud service platform, each blockchain node on the data security blockchain (i.e., a service device corresponding to each data collaborator) may be a virtual service device (such as a virtual machine) created based on cloud computing resources related to an ECS service on the cloud service platform.
With continued reference to fig. 1, the application service layer and the authorization service layer may include a plurality of databases in addition to a plurality of service components.
The types of databases included in the application service layer and the authorization service layer are not particularly limited in this specification. For example, as shown in fig. 1, the database types may include MySQL, Redis, OSS, SQLite, and the like.
It should be noted that the database on the application service layer may be used as a local database on the service device corresponding to the data collaborator, and may be used to store user data that needs to be transferred across domains. The database on the authorization service layer may include databases corresponding to the service components on the authorization service layer, respectively; for example, as shown in fig. 1, the authorization service layer may include a database corresponding to the dataAuth component and DIS component, and may further include a database corresponding to the transit service component.
The databases corresponding to the dataAuth component and the DIS component may be specifically configured to store data related to data authorization for cross-domain transfer of user data. The database corresponding to the transit service component may be specifically configured to store data that is obtained by the component from the digital secure block chain at regular time.
In addition, a data synchronization channel can be created between the first service program instance and the second service program instance, and the data synchronization channel is used for real-time data synchronization between the service program instances. For example, the data synchronization channel may specifically be a service call channel created between service program instances based on a call address of the service program instance (such as a domain name access address of a service device associated with the service program instance).
It should be emphasized that the example of the network service architecture in which the service program instance shown in fig. 1 employs three layers is merely an exemplary description, and in practical applications, the number of service layers of the service program instance and the components included in each service layer may be flexibly adjusted based on actual requirements;
for example, in practical application, on the basis of the three-layer network service architecture disclosed in fig. 1, multiple service layers shown in fig. 1 may be merged into one service layer, or a certain service layer shown in fig. 1 may be further split into multiple service layers, or multiple components shown in fig. 1 may also be merged into one component according to functions, or a certain component shown in fig. 1 may be further split into multiple components according to functions, and so on, which are not given in this specification by way of example.
For another example, in practical applications, when the second data collaborator shown in fig. 1 does not allow the ciphertext data of the user data stored on the service device corresponding to the second data collaborator to be transferred to another data collaborator across domains, the second data collaborator can only serve as a data consumer and cannot serve as a data provider. In this case, since the second data collaborator does not allow the authority of transferring the ciphertext data of the user data stored on the service device corresponding to the second data collaborator to other data collaborators across domains to be authorized to other data collaborators, the dataAuth component and the DIS component shown in fig. 1 may not be included in the second service program instance corresponding to the second data collaborator.
Referring to fig. 2, fig. 2 is a flowchart illustrating a blockchain-based multi-instance networking method according to an exemplary embodiment, which may be applied to a data collaboration platform based on a data security blockchain using the network service architecture illustrated in fig. 1; the blockchain nodes in the data security blockchain comprise service devices respectively corresponding to a plurality of data collaborators; the user data maintained by each data collaborator is stored in a local database of the service device corresponding to that data collaborator; the data security blockchain stores data attribute information corresponding to the user data maintained by each data collaborator; the method comprises the following steps:
Step 210, receiving an access request initiated by a first data collaborator; wherein the access request includes a device identifier of at least one service device corresponding to the first data collaborator.
The data collaboration platform may specifically be a cloud service platform; for example, it may be a blockchain cloud service platform such as a BaaS platform (also referred to as BaaS cloud) that provides Blockchain as a Service (BaaS). A BaaS platform provides pre-built software for activities occurring on a blockchain and offers the service devices coupled to it a blockchain service that is simple to use, deployed with one click, quickly verified and flexibly customizable, which accelerates the development, testing and launch of blockchain applications and helps blockchain business applications take hold in various industries.
The service device may be a local service device deployed by a data collaborator, or may be a virtual service device created for the data collaborator on a cloud service platform by using cloud computing resources.
For example, the service device corresponding to a data collaborator may specifically be a virtual machine (VM) that the cloud service platform creates for the paying data collaborator from cloud computing resources such as the computing, storage and transmission resources of the cloud service platform.
When the first data collaborator needs to transfer the ciphertext data of its user data to other data collaborators across domains, or wants to acquire across domains the ciphertext data of user data maintained by other data collaborators accessing the data collaboration platform, the first data collaborator may initiate an access request to the data collaboration platform; the access request may specifically include a device identifier of at least one service device corresponding to the first data collaborator.
Step 220, in response to the access request, adding the at least one service device as a blockchain node to the data security blockchain, and creating a first service program instance associated with the at least one service device corresponding to the first data collaborator.
After receiving the access request initiated by the first data collaborator, the data collaboration platform may respond to the access request by adding the at least one service device corresponding to the at least one device identifier included in the access request to the data security blockchain as a blockchain node.
The specific process of adding the at least one service device to the data security blockchain is not detailed in this specification.
After the at least one service device corresponding to the first data collaborator has been successfully added to the data security blockchain as a blockchain node, the data collaboration platform may further use its own resources to create, on the data collaboration platform, a first service program instance associated with the at least one service device corresponding to the first data collaborator.
Step 230, determining whether a second service program instance associated with at least one service device corresponding to a second data collaborator other than the first data collaborator is created.
After the data collaboration platform creates the first service program instance for the first data collaborator, it may further determine whether a second service program instance associated with at least one service device corresponding to a second data collaborator accessing the data collaboration platform has already been created for that second data collaborator in the same manner.
Step 240, if yes, creating a data synchronization channel between the first service program instance and the second service program instance; the data collaborators respectively correspond to different data domains; the data synchronization channel is used for performing cross-domain data synchronization between the first service program instance and the second service program instance; the service program instance is used for performing authorization management on cross-domain transfer of ciphertext data corresponding to user data stored on the service device associated with the service program instance.
If the data collaboration platform determines that a second service program instance associated with at least one service device corresponding to a second data collaborator other than the first data collaborator has been created, the data collaboration platform may further create a data synchronization channel between the first service program instance and the second service program instance. The data synchronization channel may specifically be used to perform cross-domain data synchronization between the first service program instance and the second service program instance.
After the data synchronization channel between the first service program instance and the second service program instance is created, subsequent cross-domain data synchronization between the two instances can be performed over this channel, which completes the networking between the first data collaborator and the second data collaborator.
It should be noted that, here, the second data collaborator may refer to another data collaborator besides the first data collaborator, and there may be one or more such data collaborators. Similarly, the second service program instance may refer to another service program instance created by the data collaboration platform for a data collaborator other than the first data collaborator, and there may be one or more such service program instances.
For example, when the second data collaborator refers to a plurality of other data collaborators other than the first data collaborator, the data collaboration platform may respectively create data synchronization channels between the first service program instance and a plurality of service program instances created for the plurality of other data collaborators, so as to complete networking between the first data collaborator and the plurality of other data collaborators.
It should be noted that, in practical application, the service program instances created by the data collaboration platform for the accessed data collaborators may be assigned the roles of master service program instance and slave service program instance.
For example, in one example, it is assumed that a data collaboration federation is initiated by an operator of a data security blockchain, where the operator may serve as a first data collaboration party of the data collaboration federation, in which case, a service program instance created for the operator and associated with at least one service device of the operator may serve as a master service program instance in the data collaboration federation, and a service program instance created for another data collaboration party (e.g., an enterprise) subsequently joining the data collaboration federation may serve as a slave service program instance in the data collaboration federation.
In addition, in practical applications, the master service program instance and the slave service program instance are functionally two completely equivalent and independent service instances.
In an exemplary embodiment, the data synchronization channel created by the data collaboration platform between the service program instances of the respective data collaborators may specifically be a service call channel created between the service program instances based on the call address of each service program instance.
The type of the call address is not particularly limited in this specification;
in an exemplary embodiment, a domain name access address (i.e., a url address) shared by at least one service device corresponding to each service program instance may be specifically adopted as a call address corresponding to each service program instance.
In this case, the service call channel between the service program instances may be an http call channel constructed between the service program instances based on the domain name access address shared by at least one service device corresponding to each service program instance.
Of course, in practical applications, the call address may take other forms, such as an interface call address, in which case the service call channel between service program instances may correspondingly be an interface call channel; these forms are not listed in this specification.
It should be noted that, because a call channel formed on the basis of a call address is generally unidirectional, the service call channel between the first service program instance and the second service program instance may generally comprise two channels: a first service call channel, based on the call address of the second service program instance maintained by the first service program instance, in which the first service program instance is the call initiator and the second service program instance is the called party; and a second service call channel, based on the call address of the first service program instance maintained by the second service program instance, in which the second service program instance is the call initiator and the first service program instance is the called party.
For example, in one example, referring again to fig. 1, the dataAuth component located in the authorized service layer of a service program instance is functionally distinct and is usually the core component of the instance; therefore, when creating the data synchronization channel between the first service program instance and the second service program instance, the url address of the second service program instance may be added to the dataAuth component of the first service program instance for maintenance, forming the first http call channel from the dataAuth component of the first service program instance to the second service program instance. Correspondingly, the url address of the first service program instance may be added to the dataAuth component of the second service program instance for maintenance, forming the second http call channel from the dataAuth component of the second service program instance to the first service program instance, which completes the creation of the data synchronization channel between the first service program instance and the second service program instance.
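As an added illustration (not code from the patent or its applicant), the following Python model walks through steps 210 to 240 and the two unidirectional call channels just described: every collaborator that accesses the platform gets its own service program instance, and each new instance is paired with every existing one by registering the peer's url in each side's DataAuth component. Collaborator names, device identifiers and urls are constructed for the example.

```python
# Added model of networking steps 210-240 (constructed names, not the patent's
# code): one service program instance per collaborator, joined pairwise by a data
# synchronization channel made of two unidirectional call channels.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DataAuthComponent:
    # Call addresses of peer instances this instance may call, i.e. the
    # unidirectional call channels it initiates, keyed by peer collaborator.
    call_addresses: dict[str, str] = field(default_factory=dict)

    def add_peer(self, peer: str, url: str) -> None:
        self.call_addresses[peer] = url


@dataclass
class ServiceProgramInstance:
    collaborator: str
    url: str          # domain name access address shared by the instance's devices
    role: str         # "master" for the federation initiator, "slave" for later joiners
    devices: set[str] = field(default_factory=set)
    data_auth: DataAuthComponent = field(default_factory=DataAuthComponent)

    def can_call(self, other: ServiceProgramInstance) -> bool:
        """True if this instance maintains the peer's url (the channel it initiates)."""
        return self.data_auth.call_addresses.get(other.collaborator) == other.url


class DataCollaborationPlatform:
    def __init__(self) -> None:
        self.chain_nodes: set[str] = set()                        # data security blockchain nodes
        self.instances: dict[str, ServiceProgramInstance] = {}    # one instance per collaborator

    def access(self, collaborator: str, device_ids: list[str], url: str) -> ServiceProgramInstance:
        # Step 210: the access request must carry at least one device identifier.
        if not device_ids:
            raise ValueError("access request carries no device identifier")
        if collaborator in self.instances:
            raise ValueError(f"{collaborator} already has a service program instance")
        # Step 220: add the devices as blockchain nodes, then create the instance.
        self.chain_nodes.update(device_ids)
        role = "master" if not self.instances else "slave"
        inst = ServiceProgramInstance(collaborator, url, role, set(device_ids))
        # Steps 230/240: a second instance exists for every earlier collaborator,
        # so create a data synchronization channel to each of them.
        for peer in self.instances.values():
            self._create_sync_channel(inst, peer)
        self.instances[collaborator] = inst
        return inst

    @staticmethod
    def _create_sync_channel(first: ServiceProgramInstance, second: ServiceProgramInstance) -> None:
        # First service call channel: the first instance initiates, so its
        # DataAuth component maintains the second instance's url.
        first.data_auth.add_peer(second.collaborator, second.url)
        # Second service call channel: the mirror image, second calls first.
        second.data_auth.add_peer(first.collaborator, first.url)

    def fully_meshed(self) -> bool:
        """Check that every pair of instances can call each other in both
        directions and that no instance holds a call address for itself."""
        insts = list(self.instances.values())
        for a in insts:
            if a.collaborator in a.data_auth.call_addresses:
                return False
            for b in insts:
                if a is not b and not a.can_call(b):
                    return False
        return True


def demo() -> DataCollaborationPlatform:
    """Operator initiates the federation; two enterprises join afterwards."""
    platform = DataCollaborationPlatform()
    platform.access("operator", ["dev-op-1"], "https://operator.example.internal")
    platform.access("enterprise-a", ["dev-a-1", "dev-a-2"], "https://a.example.internal")
    platform.access("enterprise-b", ["dev-b-1"], "https://b.example.internal")
    return platform


if __name__ == "__main__":
    p = demo()
    for inst in p.instances.values():
        print(inst.collaborator, inst.role, sorted(inst.data_auth.call_addresses))
```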
After the data synchronization channel is established between the first service program instance and the second service program instance, real-time data synchronization between the first service program instance and the second service program instance can be carried out based on the data synchronization channel. The following describes in detail a data synchronization process between the first service program instance and the second service program instance in conjunction with a specific data synchronization scenario.
Data synchronization scenario one:
in an exemplary embodiment, when a first data collaborator needs to add a new service device, the first data collaborator may initiate device registration with a first service program instance, associate the added service device with the first service program instance, and after the association is completed, synchronize device information of the added service device with a second service program instance through a data synchronization channel between the first service program instance and the second service program instance.
In this scenario, the data synchronized between the first service program instance and the second service program instance through the data synchronization channel is the device information of the newly added service device in the first service program instance.
Referring to fig. 3, which is a schematic diagram of a device registration flow in a service program instance, on the basis of the embodiment shown in fig. 2 the method may further include:
the first service program instance receiving a device registration request; the device registration request comprises device information of a newly added service device of the first data collaboration party;
responding to the device registration request, the first service program instance establishes an association relationship between the newly added service device and the first service program instance, and stores the device information of the newly added service device and the association relationship in a database corresponding to the first service program instance;
then, further invoking a DataAuth component in the first service program instance, further invoking a DIS component in the first service program instance by the DataAuth component, creating digital identity information on a data security block chain for the newly added service device by the DIS component, and returning the created digital identity information to the DataAuth component.
Further initiating, by the DataAuth component, a service call (i.e., a callback call in fig. 3) for the first service program instance based on the maintained call address of the first service program instance, so as to return the digital identity information of the newly added service device to the first service program instance, and storing the digital identity information in a database corresponding to the first service program instance, that is, storing the digital identity information;
in addition, the DataAuth component may further initiate a service call for the second service program instance based on the maintained call address of the second service program instance, so as to synchronize the digital identity information and the device information of the newly added service device to the second service program instance through a data synchronization channel between the first service program instance and the second service program instance, and perform synchronous storage in a database corresponding to the second service program instance, that is, store the digital identity information and the device information.
It should be noted that a smart contract for creating digital identities is deployed on the data security blockchain;
the DIS component creating digital identity information on the data security blockchain for the newly added service device may include:
the DIS component calling the smart contract deployed on the data security blockchain to create digital identity information on the data security blockchain for the newly added service device.
Data synchronization scenario two:
in an exemplary embodiment, when a first data collaborator needs to update any target service device associated with a first service program instance, the first data collaborator may initiate a blockchain device update to the first service program instance, update the device information of the target service device in a database corresponding to the first service program instance, and synchronize the updated device information of the target service device to a second service program instance through the data synchronization channel between the first service program instance and the second service program instance.
In this scenario, the data synchronized between the first service program instance and the second service program instance through the data synchronization channel is updated device information of the target service device in the first service program instance.
Referring to fig. 4, which is a schematic diagram of a device update flow in a service program instance, on the basis of the embodiment shown in fig. 2 the method may further include:
the first service program instance receiving a blockchain device update request; wherein the blockchain device update request comprises device information to be updated of any target service device associated with the first service program instance;
in response to the blockchain device update request, the first service program instance updates the device information of the target service device stored in a database corresponding to the first service program instance based on the device information to be updated;
then, a DataAuth component in the first service program instance is further called, a DIS component in the first service program instance is further called by the DataAuth component, the digital identity information of the target service device is updated on a data security block chain by the DIS component, and the updated digital identity information is returned to the DataAuth component.
Initiating, by the DataAuth component, a service call for the first service program instance based on the maintained call address of the first service program instance, so as to return the updated digital identity information to the first service program instance, and storing the updated digital identity information of the target service device in a database corresponding to the first service program instance;
in addition, the DataAuth component may further initiate a service call for the second service program instance based on the maintained call address of the second service program instance, so as to synchronize the updated device information and the updated digital identity information of the target service device to the second service program instance through a data synchronization channel between the first service program instance and the second service program instance, and perform a synchronous update on the device information of the target service device stored in a database corresponding to the second service program instance, that is, store the updated device information and the updated digital identity information of the target service device.
Similar to the aforementioned device registration, the updating, by the DIS component, the digital identity information of the target service device on the data security block chain may include:
the DIS component calls the smart contract deployed on the data security blockchain, creates new digital identity information on the data security blockchain for the target service device, and associates the new digital identity information with the old digital identity information of the target service device. The newly created digital identity information is the updated digital identity information of the target service device.
Data synchronization scenario three:
in an exemplary embodiment, when a first data collaborator needs to publish a data set formed by user data stored in a local database, the first data collaborator may initiate data registration to a first service program instance, generate data attribute information corresponding to the data set, and, after storing the data attribute information on the data security blockchain (which yields a blockchain evidence storage identifier corresponding to the data attribute information), synchronize the blockchain evidence storage identifier to a second service program instance through the data synchronization channel between the first service program instance and the second service program instance, so that the second service program instance obtains the data attribute information from the data security blockchain based on the blockchain evidence storage identifier.
In this scenario, the data synchronized between the first service program instance and the second service program instance through the data synchronization channel is the blockchain evidence storage identifier corresponding to the data attribute information.
Referring to fig. 5, which is a schematic diagram of a data registration flow in a service program instance, on the basis of the embodiment shown in fig. 2 the method may further include:
the first service program instance receives a data registration request sent by any target service equipment associated with the first service program instance; wherein the data registration request comprises a data set requested to be registered by the target service device;
responding to the data registration request, the first service program instance generates data attribute information corresponding to the data set, and stores the data set and the data attribute information to a local database of the target service equipment;
then, a DataAuth component in the first service program instance is further invoked, and the DataAuth component publishes the data attribute information corresponding to the data set to the data security blockchain for evidence storage, so as to obtain a blockchain evidence storage identifier used for querying the on-chain data attribute information from the data security blockchain.
The DataAuth component further initiates a service call for the first service program instance based on the maintained call address of the first service program instance, so as to return the blockchain evidence storage identifier and the data attribute information to the first service program instance and store them, in association with each other, in a database corresponding to the first service program instance.
Then, the first service program instance calls the DataAuth component in the first service program instance, the DataAuth component calls a DIS component in the first service program instance, the DIS component further creates, on the data security blockchain, digital identity information for the data attribute information corresponding to the data set that contains the corresponding blockchain evidence storage identifier, and the created digital identity information is returned to the DataAuth component. The DIS component may create this digital identity information, including the blockchain evidence storage identifier, on the data security blockchain by calling the smart contract deployed on the data security blockchain.
Further, initiating, by the DataAuth component, a service call for the first service program instance based on the maintained call address of the first service program instance, so as to return the digital identity information of the data attribute information to the first service program instance, and store the digital identity information in a database corresponding to the first service program instance, that is, store the digital identity information of the data attribute information;
in addition, the DataAuth component may further initiate a service call for the second service program instance based on the maintained call address of the second service program instance, so as to synchronize the digital identity information of the data attribute information to the second service program instance through the data synchronization channel between the first service program instance and the second service program instance; the second service program instance then acquires the data attribute information from the data security blockchain based on the blockchain evidence storage identifier contained in the digital identity information, and synchronously stores the acquired data attribute information in a database corresponding to the second service program instance.
Data synchronization scenario four:
in an exemplary embodiment, when a first data collaborator needs to update a published data set, the first data collaborator may initiate a data update to a first service program instance, generate updated data attribute information corresponding to the updated data set, and, after storing the updated data attribute information on the data security blockchain (which yields a blockchain evidence storage identifier corresponding to the updated data attribute information), have the first service program instance synchronize that blockchain evidence storage identifier to a second service program instance through the data synchronization channel between the first service program instance and the second service program instance, so that the second service program instance obtains the updated data attribute information from the data security blockchain based on the blockchain evidence storage identifier.
In this scenario, the data synchronized between the first service program instance and the second service program instance through the data synchronization channel is the blockchain evidence storage identifier corresponding to the updated data attribute information.
Referring to fig. 6, which is a schematic diagram of a data update flow in a service program instance, on the basis of the embodiment shown in fig. 2 the method may further include:
the first service program instance receives a data updating request of any target service equipment associated with the first service program instance; wherein the data update request comprises a data set requested to be updated by the target serving device;
responding to the data updating request, the first service program instance regenerates the updated data attribute information corresponding to the data set and updates the data set and the data attribute information of the data set stored in a local database of the target service device;
then, a DataAuth component in the first service program instance is further invoked, and the DataAuth component publishes the updated data attribute information corresponding to the data set to the data security blockchain for evidence storage, so as to obtain a blockchain evidence storage identifier for querying the updated data attribute information from the data security blockchain.
The DataAuth component further initiates a service call for the first service program instance based on the maintained call address of the first service program instance, so as to return the blockchain evidence storage identifier and the updated data attribute information to the first service program instance and store them, in association with each other, in a database corresponding to the first service program instance.
Then, the first service program instance calls the DataAuth component in the first service program instance, the DataAuth component calls a DIS component in the first service program instance, the DIS component further updates, on the data security blockchain, the digital identity information for the updated data attribute information corresponding to the data set, and returns the updated digital identity information to the DataAuth component. The DIS component may call the smart contract deployed on the data security blockchain, create new digital identity information on the data security blockchain for the updated data attribute information, and associate the new digital identity information with the old digital identity information of the data attribute information before the update. The newly created digital identity information is the updated digital identity information of the data set.
Further, initiating, by the DataAuth component, a service call for the first service program instance based on the maintained call address of the first service program instance, so as to return the updated digital identity information to the first service program instance, and storing the updated digital identity information in a database corresponding to the first service program instance, that is, storing the updated digital identity information;
in addition, the DataAuth component may further initiate a service call for the second service program instance based on the maintained call address of the second service program instance, so as to synchronize the updated digital identity information to the second service program instance through the data synchronization channel between the first service program instance and the second service program instance; the second service program instance then acquires the updated data attribute information from the data security blockchain based on the blockchain evidence storage identifier contained in the updated digital identity information, and synchronously updates the data attribute information held in a database corresponding to the second service program instance.
Data synchronization scenario five:
in an exemplary embodiment, when a first data collaborator needs to delete a published target data set, the first data collaborator may initiate a data take-down to a first service program instance, deleting the target data set and the data attribute information of the target data set stored in the local database; the first service program instance then synchronizes a deletion notification for the target data set to a second service program instance through the data synchronization channel between the first service program instance and the second service program instance, so that the second service program instance deletes the target data set synchronously.
In this scenario, the data attribute information of the target data set is synchronized between the first service program instance and the second service program instance through the data synchronization channel.
Referring to fig. 7, which is a schematic diagram of a data registration flow in a service program instance, on the basis of the embodiment shown in fig. 2 the method may further include:
the first service program instance receives a data deletion request sent by any target service equipment associated with the first service program instance; wherein the data deletion request comprises a data set identifier of a target data set requested to be deleted by the target service device;
in response to the data deletion request, the first service program instance deletes the target data set and the data attribute information of the target data set stored in a local database of the target service device;
then, a DataAuth component in the first service program instance is further invoked, and the DataAuth component sets the digital identity information created for the data attribute information of the data set to an invalid state on the data security blockchain, so as to obtain a setting result.
Initiating, by the DataAuth component, a service call for the first service program instance based on the maintained call address of the first service program instance, so as to return the setting result to the first service program instance, and switching the state of the data set and the data attribute information to a third state in a database corresponding to the first service program instance;
in addition, the DataAuth component may further initiate a service call for the second service program instance based on the maintained call address of the second service program instance, so as to synchronize the deletion notification of the target data set to the second service program instance through the data synchronization channel between the two instances; this triggers the second service program instance to delete, based on the deletion notification, the data attribute information of the target data set stored in the database corresponding to the second service program instance, and to set the data identity information maintained in that database to an invalid state.
In summary, in the multi-instance networking embodiment based on a block chain provided in this specification, an independent service program instance is created on a data collaboration platform for each data collaboration party accessing the data collaboration platform, and a data synchronization channel is created between the service program instances created for each data collaboration party, so that each data collaboration party accessing the data collaboration platform can perform data synchronization with other data collaboration parties in real time based on the data synchronization channel when there is a need to transfer ciphertext data of maintained user data to other data collaboration parties across domains.
Having described blockchain-based multi-instance networking, embodiments relating to cross-domain authorization of data in such multi-instance networking are described below.
Referring to fig. 8, fig. 8 is a flowchart illustrating a cross-domain data authorization method according to an exemplary embodiment, which may be applied to a data collaboration platform based on a data security blockchain using the network service architecture illustrated in fig. 1; the blockchain nodes in the data security blockchain comprise service equipment respectively corresponding to a plurality of data collaborators; a first service program instance associated with at least one service device corresponding to a first data collaborator of the plurality of data collaborators is created on the blockchain collaboration platform, together with a second service program instance associated with at least one service device corresponding to a second data collaborator of the plurality of data collaborators; the service program instance is used for performing authorization management on cross-domain transfer of ciphertext data of user data stored on the service equipment associated with the service program instance; the data collaboration platform creates a data synchronization channel between the first service program instance and the second service program instance; the data collaborators respectively correspond to different data domains; the data synchronization channel is used for performing cross-domain data synchronization between the first service program instance and the second service program instance; the method comprises the following steps:
step 310: the first service program instance receives a data authorization request which is initiated by the second data collaboration party through the data synchronization channel and aims at user data maintained by the first data collaboration party; wherein the data authorization request comprises a data identifier of target user data which is requested to be authorized by the second data collaborator.
The data synchronization channel is created among the service program instances created by the data collaborators, so that the data collaborators accessing the data collaboration platform can perform cross-domain data authorization in real time with other data collaborators based on the data synchronization channel when the data collaborators have data authorization requirements for cross-domain transfer of ciphertext data of user data.
As in the previous embodiment, the blockchain collaboration platform includes a blockchain cloud service platform; the service equipment corresponding to each data collaborator comprises virtual service equipment which is created for each data collaborator on the cloud service platform.
The data synchronization channel created by the data collaboration platform between the service program instances of the respective data collaborators may specifically be a service call channel created between the service program instances based on the call addresses of the service program instances.
The type of the call address is not particularly limited in this specification;
in an exemplary embodiment, a domain name access address (i.e., a url address) shared by at least one service device corresponding to each service program instance may be specifically adopted as the call address corresponding to each service program instance.
In this case, the service invocation channel between the service program instances may be an http invocation channel constructed between the service program instances based on the domain name access address shared by at least one service device corresponding to each service program instance.
Of course, in practical applications, the call address may also take other forms, such as an interface call address, and the service call channel between service program instances may correspondingly be an interface call channel; these are not enumerated one by one in this specification.
In an exemplary embodiment, the step 310 may include:
responding to the service call initiated by the second service program instance aiming at the first service program instance based on the maintained first call address of the first service program instance, and acquiring a data authorization request aiming at the user data maintained by the first data collaborator and carried in a call parameter corresponding to the service call.
It should be noted that, because a call channel formed on the basis of a call address is generally a unidirectional call channel, the service call channel between the first service program instance and the second service program instance generally comprises two channels: a first service call channel, formed on the basis of the call address of the second service program instance maintained by the first service program instance, in which the first service program instance is the call initiator and the second service program instance is the called party; and a second service call channel, formed on the basis of the call address of the first service program instance maintained by the second service program instance, in which the second service program instance is the call initiator and the first service program instance is the called party.
When a second data collaborator has a data authorization requirement for cross-domain transfer of ciphertext data of user data issued by a first data collaborator, a data authorization request for the user data maintained by the first data collaborator can be initiated to a first service program instance corresponding to the first data collaborator through a data synchronization channel; wherein the data authorization request comprises a data identifier of target user data which is requested to be authorized by the second data collaborator.
Step 320: and the first service program instance responds to the data authorization request, authorizes the cross-domain transfer authority of the ciphertext data of the target user data to the second data collaborator, and returns an authorization result to the second service program instance through the data synchronization channel.
After receiving the data authorization request, the first service program instance invokes a DataAuth component in the first service program instance in response to the data authorization request, and the DataAuth component authorizes the cross-domain transfer right of the ciphertext data of the target user data to the second data collaborator, and returns an authorization result (e.g., the authorization credential in fig. 9) to the second service program instance through a data synchronization channel between the first service program instance and the second service program instance.
In an exemplary embodiment, the first data collaborator configures an authorization approval process for the maintained user data; wherein the approval process comprises at least one approver designated by the first data collaborator;
in the step 320, in response to the data authorization request, the first service program instance authorizes the cross-domain transfer right of the ciphertext data of the target user data to the second data collaborator, and includes:
and the first service program instance responds to the data authorization request, acquires an authorization approval process configured by the first data collaborator for the target user data, triggers the execution of the authorization approval process, responds to the approval passing of each approver contained in the authorization approval process, and generates an authorization certificate for the second data collaborator so as to authorize the cross-domain transfer authority of the ciphertext data of the target user data to the second data collaborator.
For example, each approver may be in one of five approval states: to be approved, approved, rejected, revoked, and exempt from approval. Revocation may be initiated by the applicant of the authorization approval process (for example, the second data collaborator) at any time before the authorization approval process ends; a revoked authorization approval process is terminated immediately, and its approval result is revoked.
During authorization approval, the approvers act in the order defined in the authorization approval process. If the state of the current approver is to be approved, execution of the authorization approval process is suspended and resumes only after the current approver uploads an approval result (one of approved, rejected, or exempt from approval). If the uploaded result is rejected, the authorization approval process is terminated immediately and the applicant is notified of the rejection. If the uploaded result is approved or exempt from approval, it is determined according to the order of the authorization approval process whether there is a next approver; if so, the next approver becomes the new current approver and switches to the to-be-approved state; if not, the authorization approval process ends with the approval result that every approver has approved.
The first data collaborator can specify the authorization approval process, which may include a default process, a custom process, an approval-exempt process, and the like; the default process may be that the second data collaborator first approves as an approver and then the first data collaborator approves as an approver; the custom process may be an approval process customized by the first data collaborator.
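The sequential approval flow described above (five states, suspension until the current approver uploads a result, immediate termination on rejection or revocation, credential generation only after every approver has passed) is easiest to check as a small state machine. The following is an added example written for this page, not code from the patent or from Ant Blockchain; the class and state names, and the `issue_credential_if_passed` helper, are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# The five approval states named in the text.
PENDING, APPROVED, REJECTED, REVOKED, EXEMPT = (
    "pending", "approved", "rejected", "revoked", "exempt")
# Terminal results of the whole authorization approval process.
RESULT_PASS, RESULT_REJECTED, RESULT_REVOKED = "all_approved", "rejected", "revoked"


@dataclass
class ApprovalProcess:
    """One authorization approval process configured by the first data collaborator."""
    applicant: str                  # party that applied, e.g. the second data collaborator
    approvers: List[str]            # approvers in the order the process defines
    cursor: int = 0                 # index of the current approver
    states: List[str] = field(default_factory=list)
    result: Optional[str] = None    # None while the process is still running

    def __post_init__(self) -> None:
        if not self.approvers:
            raise ValueError("an approval process needs at least one approver")
        self.states = [PENDING] * len(self.approvers)

    @property
    def current_approver(self) -> Optional[str]:
        return None if self.result else self.approvers[self.cursor]

    def upload(self, approver: str, decision: str) -> Optional[str]:
        """Current approver uploads APPROVED, REJECTED or EXEMPT; returns the final
        result once the process ends, else None (process stays suspended on the next approver)."""
        if self.result is not None:
            raise RuntimeError("authorization approval process already ended")
        if approver != self.current_approver:
            raise PermissionError(f"{approver} is not the current approver")
        if decision not in (APPROVED, REJECTED, EXEMPT):
            raise ValueError("unknown approval decision: " + decision)
        self.states[self.cursor] = decision
        if decision == REJECTED:
            self.result = RESULT_REJECTED      # terminated immediately, applicant notified
            return self.result
        if self.cursor + 1 < len(self.approvers):
            self.cursor += 1                   # next approver becomes current (pending)
            return None
        self.result = RESULT_PASS              # no approver left: everyone passed
        return self.result

    def revoke(self, requester: str) -> str:
        """The applicant may revoke at any time before the process ends."""
        if self.result is not None:
            raise RuntimeError("authorization approval process already ended")
        if requester != self.applicant:
            raise PermissionError("only the applicant can revoke the process")
        self.states[self.cursor] = REVOKED
        self.result = RESULT_REVOKED
        return self.result


def default_process(first_party: str, second_party: str) -> ApprovalProcess:
    """Default process from the text: the second collaborator approves first, then the first."""
    return ApprovalProcess(applicant=second_party, approvers=[second_party, first_party])


def issue_credential_if_passed(proc: ApprovalProcess, data_id: str) -> Optional[dict]:
    """An authorization credential exists only when every approver passed (or was exempted)."""
    if proc.result != RESULT_PASS:
        return None
    return {"grantee": proc.applicant, "data_id": data_id, "approvals": list(proc.states)}
```

Two details matter for the data owner: an approver who is not the current one cannot act early, so the order configured by the first data collaborator is actually enforced, and no credential object can exist for a rejected or revoked process.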
As shown in fig. 9, the first service program instance invokes the DataAuth component in the first service program instance, and the DataAuth component performs an authorization process to generate an authorization credential for the second data collaborator, so as to authorize the cross-domain transfer right of the ciphertext data of the target user data to the second data collaborator.
Wherein the returning the authorization result to the second service program instance through the data synchronization channel may include:
and initiating a service call aiming at the second service program instance based on the maintained second call address of the second service program instance, and synchronizing the authorization voucher serving as a call parameter to the second service program instance.
In an exemplary embodiment, before synchronizing the authorization ticket to the second service program instance, further comprising:
issuing the authorization certificate to the data security block chain for storing the certificate;
correspondingly, the synchronizing the authorization credential as a call parameter to the second service program instance includes:
synchronizing a certificate storing identification of the authorization certificate on the data security block chain to the second service program instance as a calling parameter, so that the second service program instance obtains the authorization certificate from the data security block chain based on the certificate storing identification.
As shown in fig. 9, the authorization credential may be issued to the data security blockchain for evidence storage by calling the DataAuth component; storing the authorization credential on the data security blockchain ensures that the authorization credential cannot be tampered with.
Since the data stored in the data security blockchain has a unique storage identity, the synchronizing the authorization credential to the second service program instance may include:
synchronizing a certificate storing identifier of the authorization certificate on the data security block chain to the second service program instance, so that the second service program instance obtains the authorization certificate from the data security block chain based on the certificate storing identifier.
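The two synchronization patterns on this page, the deletion flow of fig. 7 (local delete, identity set to invalid on chain, notification to the peer) and the credential flow just described (credential stored on chain, only its storage identifier crosses the channel, the peer fetches and checks it), can be modelled together with a content-addressed evidence store and two instances that each hold the other's call address. The block below is an added example for this page, not code from the patent or the project: the `ToyChain` class, the `on_<method>` callee convention, the `example.invalid` addresses and the use of SHA-256 over canonical JSON as the storage identifier are all assumptions made for illustration.

```python
import hashlib
import json
from typing import Dict, Optional


def storage_id(record: dict) -> str:
    """Evidence-storage identifier: SHA-256 over the canonical JSON form of a record."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class ToyChain:
    """Stand-in for the data security blockchain: append-only, content-addressed records."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def store(self, record: dict) -> str:
        cid = storage_id(record)
        self.records[cid] = dict(record)   # copy so later local edits cannot alter the evidence
        return cid

    def fetch(self, cid: str) -> Optional[dict]:
        rec = self.records.get(cid)
        return dict(rec) if rec is not None else None


class ServiceInstance:
    """One service program instance per collaborator. All outbound traffic goes through a
    peer call address it maintains, i.e. one unidirectional call channel per direction."""

    def __init__(self, name: str, chain: ToyChain) -> None:
        self.name = name
        self.chain = chain
        self.peers: Dict[str, "ServiceInstance"] = {}   # maintained call address -> peer (assumed)
        self.datasets: Dict[str, dict] = {}             # data id -> attrs / state / identity cid
        self.credentials: Dict[str, dict] = {}          # storage id -> verified credential

    def add_channel(self, peer_address: str, peer: "ServiceInstance") -> None:
        self.peers[peer_address] = peer

    def _call(self, peer_address: str, method: str, **params):
        """Service call over the channel to the peer; the callee exposes on_<method>."""
        if peer_address not in self.peers:
            raise RuntimeError("no data synchronization channel to " + peer_address)
        return getattr(self.peers[peer_address], "on_" + method)(**params)

    # ---- data registration and deletion, caller side (fig. 7) ----
    def register(self, data_id: str, attrs: dict, peer_address: str) -> str:
        cid = self.chain.store({"data_id": data_id, "attrs": attrs, "valid": True})
        self.datasets[data_id] = {"attrs": attrs, "state": "published", "identity_cid": cid}
        self._call(peer_address, "attr_sync", cid=cid)   # only the storage id crosses the channel
        return cid

    def delete(self, data_id: str, peer_address: str) -> str:
        entry = self.datasets[data_id]
        invalid = dict(self.chain.fetch(entry["identity_cid"]), valid=False)
        cid = self.chain.store(invalid)                   # identity set to invalid on chain
        self.datasets[data_id] = {"state": "deleted", "identity_cid": cid}   # third state, attrs gone
        self._call(peer_address, "delete_notice", data_id=data_id, identity_cid=cid)
        return cid

    # ---- callee side ----
    def on_attr_sync(self, cid: str) -> bool:
        rec = self.chain.fetch(cid)
        if rec is None or storage_id(rec) != cid or not rec.get("valid"):
            raise ValueError("attribute info not on chain or does not match its storage id")
        self.datasets[rec["data_id"]] = {"attrs": rec["attrs"], "state": "synced", "identity_cid": cid}
        return True

    def on_delete_notice(self, data_id: str, identity_cid: str) -> bool:
        rec = self.chain.fetch(identity_cid)
        # Accept the notice only if the chain really holds an invalidated identity for this data id.
        if rec is None or rec.get("data_id") != data_id or rec.get("valid") is not False:
            raise ValueError("deletion notice is not backed by an invalidated identity on chain")
        self.datasets[data_id] = {"state": "deleted", "identity_cid": identity_cid}
        return True

    # ---- authorization credential (fig. 9) ----
    def issue_credential(self, grantee: str, data_id: str, peer_address: str) -> str:
        cid = self.chain.store({"issuer": self.name, "grantee": grantee, "data_id": data_id})
        self._call(peer_address, "credential_sync", cid=cid)
        return cid

    def on_credential_sync(self, cid: str) -> bool:
        cred = self.chain.fetch(cid)
        if cred is None or storage_id(cred) != cid:   # recompute the hash: any alteration shows here
            raise ValueError("credential missing from chain or altered")
        self.credentials[cid] = cred
        return True
```

The receiving instance never trusts the payload of a call by itself: an attribute record, a deletion notice or a credential is accepted only after the corresponding record has been fetched from the chain and its recomputed storage identifier matches, which is what makes the "cannot be tampered with" property above checkable rather than assumed.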
In an exemplary embodiment, before synchronizing the authorization credential to the second service program instance as shown in fig. 9, the method may further include:
and generating an authorization record of cross-domain transfer authority of the ciphertext data of the target user data by the DataAuth component, and issuing the generated authorization record to the data security block chain for evidence storage.
In an exemplary embodiment, the first data collaborator configures data usage rules for the maintained user data; wherein the data usage rules define restriction rules for usage of the user data;
the method further comprises the following steps:
in response to a triggered transfer task for transferring ciphertext data of the target user data to the second data collaborator in a cross-domain manner, a using program used for the target user data is generated based on the data use rule, the ciphertext data of the using program and the target user data are transferred to the second service program instance through the data synchronization channel, the using program is run by the second service program instance, and ciphertext calculation is carried out on the ciphertext data of the target user data based on the data use rule contained in the using program.
Wherein the transferring cipher text data of the user program and the target user data to the second service program instance through the data synchronization channel comprises:
and initiating a service call aiming at the second service program instance based on the maintained second call address of the second service program instance, and transferring the ciphertext data of the using program and the target user data to the second service program instance as call parameters.
As shown in fig. 9, the foregoing transfer task may be triggered immediately when the DataAuth component in the first service program instance listens to an authorization record or a cross-domain transfer record for the target user data on the data security chain.
In this specification, the transfer task may be triggered when the DataAuth component in the first service program instance detects an authorization record stored on the data security chain, or when the DataAuth component detects a cross-domain transfer record stored on the chain.
In the case where the trigger is an authorization record, the DataAuth component may generate a cross-domain transfer record corresponding to the ciphertext data of the target user data and issue the generated cross-domain transfer record to the data security chain for evidence storage. The ciphertext data may be transferred after the transfer record has been successfully stored on the chain, or the ciphertext data may be transferred first and the transfer record stored on the chain afterwards; in general, the former approach is safer.
In this specification, the data usage rule may include any one or a combination of more of the following:
a usage pattern restriction rule, which defines the operation types permitted when operating on the ciphertext data of the target user data; the operation types may include permitted calculation modes and processing modes, such as allowing equality queries, allowing fuzzy queries, allowing string concatenation, allowing string length computation, allowing substring truncation, allowing conversion of strings to lowercase, allowing conversion of strings to uppercase, and so on.
a usage count restriction rule, which defines the number of times the ciphertext data of the target user data may be operated on.
a desensitization restriction rule, which defines the desensitization strategy applied to the plaintext content corresponding to a ciphertext result obtained by performing ciphertext calculation on the ciphertext data of the target user data, such as hash desensitization, mask desensitization, pseudonym desensitization, and the like.
Wherein the usage program comprises an SDK package.
In this specification, the SDK package includes functions related to the data usage rules; these functions restrict the use of the ciphertext data of the target user data. For example, if the rules specify that only operation A may be performed on the ciphertext data, the SDK package contains only the calculation function (operator) associated with operation A.
In an exemplary embodiment, the method may further include:
the first service program instance receives a decryption request initiated by the second service program instance through the data synchronization channel; the decryption request comprises a ciphertext calculation result obtained by performing ciphertext calculation on ciphertext data of the target user data and the authorization certificate;
the first service program instance responds to the decryption request, verifies the authorization voucher, responds to the verification of the authorization voucher, decrypts the ciphertext calculation result to obtain a plaintext calculation result, carries out desensitization processing on the plaintext calculation result based on a desensitization strategy defined in a desensitization limit rule contained in the data use rule, and synchronizes the desensitized plaintext calculation result to the second service program instance through the data synchronization channel.
With further reference to the schematic diagram of cross-domain data transfer shown in fig. 10, after the first service program instance sends the ciphertext data corresponding to the user data and the usage program to the second service program instance through the data synchronization channel, the second service program instance may perform the ciphertext calculation of the relevant service on the ciphertext data, subject to the restrictions of the data usage rules specified by the usage program. Because the calculation is performed on ciphertext data, the calculation result is also ciphertext; the second service program instance therefore calls the DataAuth component in the second service program instance, and the DataAuth component sends the ciphertext calculation result together with the authorization credential to the first service program instance through the data synchronization channel. The DataAuth component in the first service program instance then verifies the authorization credential, decrypts the ciphertext calculation result after verification passes, and returns the decrypted plaintext calculation result to the second service program instance through the data synchronization channel.
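The data usage rules (operation whitelist, usage count, desensitization strategy), the usage program that carries only the permitted operators, and the decryption request path in which the data owner verifies the credential, decrypts and desensitizes before answering, fit in one runnable model. This is an added example for this page, not the patent's or the project's code. It stands in for "ciphertext" with a deterministic keyed token (HMAC-SHA256), which is enough to run an equality query on the data user's side without the key; the `OWNER_KEY`, the operator names, the token vault and the HMAC-signed credential format are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed key of the first data collaborator; it never leaves the owner side.
OWNER_KEY = b"first-collaborator-key-for-illustration-only"


def encrypt_value(value: str) -> str:
    """Deterministic keyed token standing in for a ciphertext: equal plaintexts give
    equal tokens, so an equality query can run on tokens without the key."""
    return hmac.new(OWNER_KEY, value.encode(), hashlib.sha256).hexdigest()


def desensitize(value: str, strategy: str) -> str:
    """Desensitization strategies named in the text, applied to decrypted plaintext."""
    if strategy == "hash":
        return hashlib.sha256(value.encode()).hexdigest()[:16]
    if strategy == "mask":
        return value[:1] + "*" * (len(value) - 1)
    if strategy == "pseudonym":   # stable alias, keyed so it cannot be rebuilt from the output
        return "user_" + hmac.new(OWNER_KEY, value.encode(), hashlib.sha256).hexdigest()[:8]
    raise ValueError("unknown desensitization strategy: " + strategy)


class UsageProgram:
    """The 'SDK package' shipped with the ciphertext: it carries only the operators the
    usage pattern rule allows and counts uses against the usage count rule."""

    OPERATORS = {
        "equal_query": lambda col, token: [t for t in col if t == token],
        "count_distinct": lambda col: len(set(col)),
    }

    def __init__(self, rules: dict) -> None:
        self.allowed = set(rules["allowed_ops"]) & set(self.OPERATORS)
        self.max_uses = rules["max_uses"]
        self.uses = 0

    def run(self, op: str, *args):
        if op not in self.allowed:
            raise PermissionError(f"operation {op!r} not permitted by the data usage rule")
        if self.uses >= self.max_uses:
            raise PermissionError("usage count exhausted")
        self.uses += 1
        return self.OPERATORS[op](*args)


class DataOwner:
    """First service program instance side: token vault, credential check, decryption
    of ciphertext results, and desensitization before the result goes back."""

    def __init__(self, rules: dict) -> None:
        self.rules = rules
        self.vault: Dict[str, str] = {}       # token -> plaintext
        self.decrypts: Dict[str, int] = {}    # credential signature -> decrypt requests seen

    def publish(self, column: List[str]) -> List[str]:
        tokens = [encrypt_value(v) for v in column]
        self.vault.update(zip(tokens, column))
        return tokens

    def usage_program(self) -> UsageProgram:
        return UsageProgram(self.rules)

    def _sign(self, body: dict) -> str:
        return hmac.new(OWNER_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def issue_credential(self, grantee: str, data_id: str) -> dict:
        body = {"grantee": grantee, "data_id": data_id}
        return {**body, "sig": self._sign(body)}

    def handle_decrypt_request(self, credential: dict, ciphertext_result: List[str]) -> List[str]:
        body = {k: v for k, v in credential.items() if k != "sig"}
        if not hmac.compare_digest(self._sign(body), credential.get("sig", "")):
            raise PermissionError("authorization credential failed verification")
        # Re-check the usage count on the owner side: the SDK counter runs in the
        # data user's environment and is not the trustworthy enforcement point.
        seen = self.decrypts.get(credential["sig"], 0) + 1
        if seen > self.rules["max_uses"]:
            raise PermissionError("usage count exceeded for this credential")
        self.decrypts[credential["sig"]] = seen
        if any(t not in self.vault for t in ciphertext_result):
            raise ValueError("ciphertext result contains tokens not issued for this data set")
        plain = [self.vault[t] for t in ciphertext_result]
        return [desensitize(p, self.rules["desensitize"]) for p in plain]
```

The design choice worth noting is where each rule is enforced: the operator whitelist and the counter inside the usage program limit what the second party's environment can do, but the owner's `handle_decrypt_request` repeats the credential and usage-count checks and applies the desensitization itself, because only the owner-side path runs outside the data user's control.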
Wherein the receiving, by the first service program instance, the decryption request initiated by the second service program instance through the data synchronization channel includes:
responding to a service call initiated by the second service program instance aiming at the first service program instance based on the maintained first call address of the first service program instance, and acquiring a decryption request carried in a call parameter corresponding to the service call;
synchronizing the desensitized plaintext calculation result to the second service program instance through the data synchronization channel, including:
and initiating service calling aiming at the second service program instance based on the maintained second calling address of the second service program instance, and synchronizing the desensitized plaintext calculation result serving as a calling parameter to the second service program instance.
In summary, in the data cross-domain authorization embodiment provided by the present specification, an independent service program instance is created on the data collaboration platform for each data collaboration party accessing the data collaboration platform, and a data synchronization channel is created between the service program instances created for each data collaboration party, so that each data collaboration party accessing the data collaboration platform can perform data synchronization with other data collaboration parties in real time based on the data synchronization channel when there is a need to transfer ciphertext data of maintained user data to other data collaboration parties in a cross-domain manner.
In correspondence with the foregoing embodiments of the blockchain-based multi-instance networking method, the present specification also provides embodiments of a blockchain-based multi-instance networking device. The device embodiments may be implemented by software, by hardware, or by a combination of hardware and software. In the case of a software implementation, the device is a logical device formed by a processor of the apparatus in which it is located reading a corresponding computer program from nonvolatile memory into memory and executing it. From a hardware aspect, fig. 11 shows a hardware structure diagram of the apparatus in which the blockchain-based multi-instance networking device of this specification is located; besides the processor, network interface, memory, and nonvolatile memory shown in fig. 11, the apparatus in which the device is located may also include other hardware according to the actual data synchronization function, which is not described again.
Referring to fig. 12, a block diagram of a blockchain-based multi-instance networking apparatus according to an embodiment of the present disclosure is provided, where the apparatus corresponds to the embodiment shown in fig. 2. The device is applied to a data collaboration platform based on a data security blockchain; the blockchain nodes in the data security blockchain comprise service equipment respectively corresponding to a plurality of data collaborators; the device comprises:
a receiving unit 410, which receives an access request initiated by a first data collaborator; wherein the access request comprises a device identifier of at least one service device corresponding to the first data cooperator;
a response unit 420, configured to, in response to the access request, add the at least one service device to the data security blockchain as a blockchain node, and create a first service program instance associated with the at least one service device corresponding to the first data collaborator;
a determining unit 430, configured to determine whether a second service program instance associated with at least one service device corresponding to a second data collaborator other than the first data collaborator is created;
a networking unit 440 configured to create a data synchronization channel between a first service program instance and a second service program instance when the second service program instance associated with at least one service device corresponding to a second data collaborator other than the first data collaborator is created; the data collaborators respectively correspond to different data fields; the data synchronization channel is used for performing cross-domain data synchronization between the first service program instance and the second service program instance; the service program instance is used for performing authorization management on cross-chain transfer of ciphertext data corresponding to user data stored on the service device associated with the service program instance.
In an exemplary embodiment, the data synchronization channel includes a service call channel created between the service program instances based on the call addresses of the service program instances.
In an exemplary embodiment, the calling address corresponding to the service program instance comprises a domain name access address of a service device associated with the service program instance; the calling channel comprises an http calling channel.
In an exemplary embodiment, the apparatus further comprises:
a first receiving subunit, wherein the first service program instance receives a device registration request; the device registration request comprises device information of a newly added service device of the first data collaboration party;
the first response subunit responds to the device registration request, and the first service program instance establishes an association relationship between the newly added service device and the first service program instance and stores the device information of the newly added service device and the association relationship in a database corresponding to the first service program instance; and
and the first synchronization subunit initiates service call aiming at the second service program instance based on the maintained call address corresponding to the second service program instance, synchronizes the device information of the newly added service device to the second service program instance, and synchronously stores the device information in a database corresponding to the second service program instance.
In an exemplary embodiment, the apparatus further comprises:
a second receiving subunit, where the first service program instance receives a block chain device update request; wherein the blockchain device update request comprises device information to be updated of any target service device associated with the first service program instance;
a second response subunit, configured to, in response to the blockchain device update request, update, by the first service program instance, the device information of the target service device stored in a database corresponding to the first service program instance based on the device information to be updated; and
and the second synchronization subunit initiates service call aiming at the second service program instance based on the maintained call address corresponding to the second service program instance, synchronizes the updated device information of the target service device to the second service program instance, and synchronously updates the device information of the target service device stored in the database corresponding to the second service program instance.
In an exemplary embodiment, the apparatus further comprises:
a third receiving subunit, where the first service program instance receives a data registration request sent by any target service device associated with the first service program instance; wherein the data registration request comprises a data set requested to be registered by the target service device;
a third response subunit, configured to, in response to the data registration request, generate, by the first service program instance, data attribute information corresponding to the data set, and store the data set and the data attribute information in a local database of the target service device; and
and the third synchronization subunit issues the data attribute information corresponding to the data set to the data security block chain for evidence storage, initiates service call for the second service program instance based on the maintained call address of the second service program instance, synchronizes a block chain evidence storage identifier corresponding to the data attribute information to the second service program instance, so that the second service program instance acquires the data attribute information from the data security block chain based on the block chain evidence storage identifier, and synchronously stores the acquired data attribute information in a database corresponding to the second service program instance.
In an exemplary embodiment, the apparatus further comprises:
a fourth receiving subunit, where the first service program instance receives a data update request of any target service device associated with the first service program instance; wherein the data update request comprises a data set requested to be updated by the target serving device;
a fourth response subunit, configured to, in response to the data update request, regenerate, by the first service program instance, updated data attribute information corresponding to the data set, and update the data set and the data attribute information of the data set stored in a local database of the target service device; and
a fourth synchronization subunit, where the first service program instance issues updated data attribute information corresponding to the data set to the data security block chain for storage, initiates a service call for the second service program instance based on a maintained call address of the second service program instance, synchronizes a block chain storage identity of the updated data attribute information to the second service program instance, so that the second service program instance obtains the updated data attribute information from the data security block chain based on the block chain storage identity, and synchronously updates the data attribute information corresponding to the data set stored in the database corresponding to the second service program instance based on the obtained updated data attribute information.
In an exemplary embodiment, the apparatus further comprises:
a fifth receiving subunit, where the first service program instance receives a data deletion request sent by any target service device associated with the first service program instance; wherein the data deletion request comprises a data set identifier of a target data set requested to be deleted by the target service device;
a fifth response subunit, configured to, in response to the data deletion request, delete, by the first service program instance, the target data set and the data attribute information of the target data set stored in the local database of the target service device;
and the fifth synchronization subunit initiates a service call for the second service program instance based on the maintained call address of the second service program instance to synchronize the deletion notification of the target data set to the second service program instance, so as to trigger the second service program instance to synchronize the data attribute information of the target data set stored in the database corresponding to the second service program instance for deletion processing based on the deletion notification.
In an exemplary embodiment, the data collaboration platform comprises a blockchain cloud service platform; the service devices corresponding to each data collaborator comprise virtual service devices created for that data collaborator on the cloud service platform.
Referring to fig. 13, a block diagram of a data cross-domain authorization apparatus according to an embodiment of the present disclosure is provided; the apparatus corresponds to the embodiment shown in fig. 8. The apparatus is applied to a data collaboration platform based on a data security blockchain; the blockchain nodes in the data security blockchain comprise service devices respectively corresponding to a plurality of data collaborators; on the blockchain collaboration platform, a first service program instance associated with at least one service device corresponding to a first data collaborator among the plurality of data collaborators, and a second service program instance associated with at least one service device corresponding to a second data collaborator among the plurality of data collaborators, have been created; a service program instance performs authorization management for cross-domain transfer of the ciphertext data of user data stored on the service devices associated with it; the data collaboration platform creates a data synchronization channel between the first service program instance and the second service program instance; the data collaborators respectively correspond to different data domains; the data synchronization channel is used for cross-domain data synchronization between the first service program instance and the second service program instance. The apparatus comprises:
a receiving unit 510, where the first service program instance receives, through the data synchronization channel, a data authorization request initiated by the second data collaborator for user data maintained by the first data collaborator; the data authorization request comprises the data identifier of the target user data for which the second data collaborator requests authorization;
and an authorization unit 520, where, in response to the data authorization request, the first service program instance performs authorization processing of the cross-domain transfer permission for the ciphertext data of the target user data for the second data collaborator, and returns the authorization result to the second service program instance through the data synchronization channel.
In an exemplary embodiment, the data synchronization channel comprises a service call channel created between the service program instances based on the call addresses of the service program instances.
In an exemplary embodiment, the call address corresponding to a service program instance comprises the domain name access address of a service device associated with the service program instance; the service call channel comprises an HTTP call channel.
In an exemplary embodiment, the receiving unit 510 is further configured to:
in response to a service call initiated by the second service program instance to the first service program instance based on the maintained first call address of the first service program instance, obtain the data authorization request for the user data maintained by the first data collaborator, the data authorization request being carried in the call parameters corresponding to the service call.
In an exemplary embodiment, the first data collaborator configures an authorization approval process for the user data it maintains; the approval process comprises at least one approver designated by the first data collaborator;
in the authorization unit 520, the first service program instance performing, in response to the data authorization request, authorization processing of the cross-domain transfer permission for the ciphertext data of the target user data for the second data collaborator comprises:
in response to the data authorization request, the first service program instance obtains the authorization approval process configured by the first data collaborator for the target user data, triggers execution of the authorization approval process, and, in response to approval by every approver contained in the authorization approval process, generates an authorization certificate for the second data collaborator, so as to grant the cross-domain transfer permission for the ciphertext data of the target user data to the second data collaborator.
In an exemplary embodiment, returning the authorization result to the second service program instance through the data synchronization channel in the authorization unit 520 comprises:
initiating a service call to the second service program instance based on the maintained second call address of the second service program instance, and synchronizing the authorization certificate to the second service program instance as a call parameter.
In an exemplary embodiment, when returning the authorization result to the second service program instance through the data synchronization channel, the authorization unit 520 further:
publishes the authorization certificate to the data security blockchain for attestation;
and synchronizing the authorization certificate to the second service program instance in the authorization unit 520 comprises:
synchronizing the attestation identifier of the authorization certificate on the data security blockchain to the second service program instance as a call parameter, so that the second service program instance obtains the authorization certificate from the data security blockchain based on the attestation identifier.
In an exemplary embodiment, before synchronizing the authorization certificate to the second service program instance, the authorization unit 520 further:
generates an authorization record of the cross-domain transfer permission for the ciphertext data of the target user data, and publishes the generated authorization record to the data security blockchain for attestation.
In an exemplary embodiment, the first data collaborator configures data usage rules for the user data it maintains; the data usage rules define restrictions on the use of the user data;
the apparatus further comprises:
a computing unit, which, in response to a triggered transfer task for transferring the ciphertext data of the target user data across domains to the second data collaborator, generates a usage program for using the target user data based on the data usage rules, and transfers the usage program and the ciphertext data of the target user data to the second service program instance through the data synchronization channel, so that the second service program instance runs the usage program and performs ciphertext computation on the ciphertext data of the target user data based on the data usage rules contained in the usage program.
In an exemplary embodiment, transferring the usage program and the ciphertext data of the target user data to the second service program instance through the data synchronization channel in the computing unit comprises:
initiating a service call to the second service program instance based on the maintained second call address of the second service program instance, and transferring the usage program and the ciphertext data of the target user data to the second service program instance as call parameters.
In an exemplary embodiment, the apparatus further comprises:
an attestation subunit, which generates a cross-domain transfer record corresponding to the ciphertext data of the target user data and publishes the generated cross-domain transfer record to the data security blockchain for attestation.
In an exemplary embodiment, the data usage rules comprise any one or a combination of the following:
a usage mode restriction rule, which defines the operation types permitted when operating on the ciphertext data of the target user data;
a usage count restriction rule, which defines the number of times the ciphertext data of the target user data may be operated on;
a desensitization restriction rule, which defines the desensitization policy applied to the plaintext content corresponding to the ciphertext result obtained by ciphertext computation on the ciphertext data of the target user data.
In an exemplary embodiment, the usage program comprises an SDK package.
In an exemplary embodiment, the apparatus further comprises:
a receiving subunit, where the first service program instance receives, through the data synchronization channel, a decryption request initiated by the second service program instance; the decryption request comprises the ciphertext computation result obtained by ciphertext computation on the ciphertext data of the target user data, and the authorization certificate;
and where, in response to the decryption request, the first service program instance verifies the authorization certificate and, once the authorization certificate passes verification, decrypts the ciphertext computation result to obtain the plaintext computation result, desensitizes the plaintext computation result based on the desensitization policy defined in the desensitization restriction rule contained in the data usage rules, and synchronizes the desensitized plaintext computation result to the second service program instance through the data synchronization channel.
In an exemplary embodiment, the receiving subunit is further configured to:
in response to a service call initiated by the second service program instance to the first service program instance based on the maintained first call address of the first service program instance, obtain the decryption request carried in the call parameters corresponding to the service call;
and synchronizing the desensitized plaintext computation result to the second service program instance through the data synchronization channel comprises:
initiating a service call to the second service program instance based on the maintained second call address of the second service program instance, and synchronizing the desensitized plaintext computation result to the second service program instance as a call parameter.
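The authorization approval and certificate embodiments, the data usage rules and usage program, and the decryption request with desensitization described above, brought together in one added example that is not code from the patent or its assignee. The owner instance issues an HMAC-signed certificate only once every designated approver has passed, hands the grantee a usage program carrying the permitted operations, and on a decryption request verifies the certificate, enforces the usage count on its own side (the grantee's SDK can be bypassed, the owner's decryption endpoint cannot), decrypts, and releases only a desensitized result. The certificate format, the cipher (HMAC-derived additive masks, so a sum of ciphertexts decrypts to the sum of the plaintexts), the rule names allowed_ops, max_uses, min_records and round_to, and all sample values are constructed assumptions; the patent does not specify a cipher or a rule encoding.

```python
"""Added example (not the patent's own code): authorization certificate after
an approval process, a usage program carrying the data usage rules, a
ciphertext computation on the grantee side, and the owner-side decryption
request that verifies the certificate, enforces the usage count and
desensitises the result.  Constructed stand-ins: the HMAC-signed certificate,
the additive-mask cipher, the rule names and all sample data."""
import hashlib
import hmac
import json

MODULUS = 2**61 - 1   # values and masks live in Z_MODULUS (constructed choice)


def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class DataOwnerInstance:
    """First service program instance: holds the key, runs approval, decrypts."""

    def __init__(self, name: str, secret: bytes, approvers: list, rules: dict):
        self.name, self.secret, self.approvers, self.rules = name, secret, approvers, rules
        self.uses_left: dict[str, int] = {}      # certificate id -> remaining decryptions

    def _mask(self, set_id: str, rid: str) -> int:
        tag = hmac.new(self.secret, f"{set_id}/{rid}".encode(), hashlib.sha256).digest()
        return int.from_bytes(tag, "big") % MODULUS

    def encrypt(self, set_id: str, rows: dict) -> dict:
        """rows: record id -> non-negative integer; returns record id -> ciphertext."""
        return {rid: (v + self._mask(set_id, rid)) % MODULUS for rid, v in rows.items()}

    def authorize(self, grantee: str, set_id: str, approvals: dict) -> dict:
        """Approval process: every designated approver must have passed."""
        pending = [a for a in self.approvers if not approvals.get(a)]
        if pending:
            raise PermissionError(f"approval pending from {pending}")
        body = {"issuer": self.name, "grantee": grantee, "set_id": set_id, "rules": self.rules,
                "cert_id": hashlib.sha256(_canon([self.name, grantee, set_id])).hexdigest()}
        self.uses_left[body["cert_id"]] = self.rules["max_uses"]
        return dict(body, sig=hmac.new(self.secret, _canon(body), hashlib.sha256).hexdigest())

    def usage_program(self, cert: dict) -> dict:
        """The 'SDK' handed to the grantee: the operations the rules permit."""
        return {"cert_id": cert["cert_id"], "allowed_ops": cert["rules"]["allowed_ops"]}

    def decrypt(self, cert: dict, set_id: str, result: int, record_ids: list) -> int:
        body = {k: v for k, v in cert.items() if k != "sig"}
        expected = hmac.new(self.secret, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert.get("sig", "")) or body["set_id"] != set_id:
            raise PermissionError("authorization certificate invalid for this data set")
        if self.uses_left.get(body["cert_id"], 0) <= 0:
            raise PermissionError("usage count exhausted")
        self.uses_left[body["cert_id"]] -= 1      # enforced by the owner, not the grantee's SDK
        ids = sorted(set(record_ids))              # de-duplicate before the threshold check
        rule = body["rules"]["desensitize"]
        if len(ids) < rule["min_records"]:
            raise PermissionError("result covers too few records to release")
        plain = (result - sum(self._mask(set_id, r) for r in ids)) % MODULUS
        step = rule["round_to"]
        return (plain + step // 2) // step * step   # desensitization: coarsen the plaintext


class DataUserInstance:
    """Second service program instance: runs the usage program on ciphertext only."""

    def compute(self, program: dict, ciphertexts: dict, op: str):
        if op not in program["allowed_ops"]:
            raise PermissionError(f"operation {op!r} is not permitted by the data usage rules")
        if op != "sum":
            raise NotImplementedError(op)
        return sum(ciphertexts.values()) % MODULUS, sorted(ciphertexts)


def demo() -> dict:
    owner = DataOwnerInstance("A", b"constructed-owner-secret", approvers=["alice", "bob"],
                              rules={"allowed_ops": ["sum"], "max_uses": 2,
                                     "desensitize": {"min_records": 3, "round_to": 100}})
    rows = {"r1": 1234, "r2": 2345, "r3": 3456}            # constructed plaintext values
    ciphertexts = owner.encrypt("ds-1", rows)
    cert = owner.authorize("B", "ds-1", {"alice": True, "bob": True})
    result, ids = DataUserInstance().compute(owner.usage_program(cert), ciphertexts, "sum")
    return {"released": owner.decrypt(cert, "ds-1", result, ids), "exact_sum": sum(rows.values())}
```

`demo()` returns the exact sum 7035 alongside the released value 7000: the grantee never sees the masks, the owner never sees the grantee's query beyond the record identifiers, and the desensitization rule coarsens what leaves the owner's domain. A certificate whose body has been edited, a request for an operation outside allowed_ops, a third decryption under a max_uses of 2, or a result over fewer than min_records records is refused.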
In an exemplary embodiment, the blockchain collaboration platform comprises a blockchain cloud service platform; the service devices corresponding to each data collaborator comprise virtual service devices created for that data collaborator on the cloud service platform.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The implementation of the functions and actions of each unit in the above apparatus is described in detail in the implementation of the corresponding step of the above method, and is not repeated here.
Since the apparatus embodiment basically corresponds to the method embodiment, reference may be made to the description of the method embodiment for relevant points. The above-described apparatus embodiments are merely illustrative; the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution in this specification. One of ordinary skill in the art can understand and implement the embodiments without inventive effort.
The internal functional modules and structural schematic of the blockchain-based multi-instance networking apparatus described in fig. 12 above may be implemented by an electronic device, which comprises:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform any of the above embodiments of the blockchain-based multi-instance networking method.
For the internal functional modules and structural schematic of the data cross-domain authorization apparatus described in fig. 13 above, the actual execution subject may likewise be an electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform any of the above embodiments of the data cross-domain authorization method.
In the above embodiments of the electronic device, it should be understood that the processor may be a CPU, or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), and so on. The general-purpose processor may be a microprocessor or any conventional processor, and the aforementioned memory may be a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk, or a solid state disk. The steps of a method disclosed in connection with the embodiments of the present invention may be implemented directly by a hardware processor, or by a combination of hardware and software modules in the processor.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiment of the electronic device, since it is substantially similar to the embodiment of the method, the description is simple, and for the relevant points, reference may be made to part of the description of the embodiment of the method.
Other embodiments of the present disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the description is limited only by the appended claims.

Claims (12)

1. A blockchain-based multi-instance networking method, applied to a data collaboration platform based on a data security blockchain; the blockchain nodes in the data security blockchain comprise service devices respectively corresponding to a plurality of data collaborators; the method comprises:
receiving an access request initiated by a first data collaborator; the access request comprises the device identifier of at least one service device corresponding to the first data collaborator;
in response to the access request, adding the at least one service device to the data security blockchain as a blockchain node, and creating a first service program instance associated with the at least one service device corresponding to the first data collaborator; and
determining whether a second service program instance associated with at least one service device corresponding to a second data collaborator other than the first data collaborator has been created; if so, creating a data synchronization channel between the first service program instance and the second service program instance;
wherein the data collaborators respectively correspond to different data domains; the data synchronization channel is used for cross-domain data synchronization between the first service program instance and the second service program instance; and a service program instance is used for performing authorization management of cross-chain transfer of the ciphertext data corresponding to the user data stored on the service devices associated with the service program instance.
2. The method of claim 1, wherein the data synchronization channel comprises a service call channel created between the service program instances based on the call addresses of the service program instances.
3. The method of claim 2, wherein the call address corresponding to a service program instance comprises the domain name access address of a service device associated with the service program instance; and the service call channel comprises an HTTP call channel.
4. The method of claim 2, further comprising:
the first service program instance receiving a device registration request; the device registration request comprises the device information of a newly added service device of the first data collaborator;
in response to the device registration request, the first service program instance establishing an association between the newly added service device and the first service program instance, and storing the device information of the newly added service device and the association in the database corresponding to the first service program instance; and
initiating a service call to the second service program instance based on the maintained call address corresponding to the second service program instance, synchronizing the device information of the newly added service device to the second service program instance, and synchronously storing the device information in the database corresponding to the second service program instance.
5. The method of claim 4, further comprising:
the first service program instance receiving a blockchain device update request; the blockchain device update request comprises the device information to be updated of any target service device associated with the first service program instance;
in response to the blockchain device update request, the first service program instance updating, based on the device information to be updated, the device information of the target service device stored in the database corresponding to the first service program instance; and
initiating a service call to the second service program instance based on the maintained call address corresponding to the second service program instance, synchronizing the updated device information of the target service device to the second service program instance, and synchronously updating the device information of the target service device stored in the database corresponding to the second service program instance.
6. The method of claim 2, further comprising:
the first service program instance receiving a data registration request sent by any target service device associated with the first service program instance; the data registration request comprises the data set that the target service device requests to register;
in response to the data registration request, the first service program instance generating the data attribute information corresponding to the data set, and storing the data set and the data attribute information in the local database of the target service device; and
publishing the data attribute information corresponding to the data set to the data security blockchain for attestation, initiating a service call to the second service program instance based on the maintained call address of the second service program instance, and synchronizing the blockchain attestation identifier corresponding to the data attribute information to the second service program instance, so that the second service program instance obtains the data attribute information from the data security blockchain based on the blockchain attestation identifier and synchronously stores the obtained data attribute information in the database corresponding to the second service program instance.
7. The method of claim 6, further comprising:
the first service program instance receiving a data update request from any target service device associated with the first service program instance; the data update request comprises the data set that the target service device requests to update;
in response to the data update request, the first service program instance regenerating the updated data attribute information corresponding to the data set, and updating the data set and the data attribute information of the data set stored in the local database of the target service device; and
the first service program instance publishing the updated data attribute information corresponding to the data set to the data security blockchain for attestation, initiating a service call to the second service program instance based on the maintained call address of the second service program instance, and synchronizing the blockchain attestation identifier of the updated data attribute information to the second service program instance, so that the second service program instance obtains the updated data attribute information from the data security blockchain based on the blockchain attestation identifier and, based on the obtained updated data attribute information, synchronously updates the data attribute information corresponding to the data set stored in the database corresponding to the second service program instance.
8. The method of claim 7, further comprising:
the first service program instance receiving a data deletion request sent by any target service device associated with the first service program instance; the data deletion request comprises the data set identifier of the target data set that the target service device requests to delete;
in response to the data deletion request, the first service program instance deleting the target data set and the data attribute information of the target data set stored in the local database of the target service device, and initiating a service call to the second service program instance based on the maintained call address of the second service program instance, so as to synchronize a deletion notification for the target data set to the second service program instance and thereby trigger the second service program instance, based on the deletion notification, to delete the data attribute information of the target data set stored in the database corresponding to the second service program instance.
9. The method of claim 1, wherein the data collaboration platform comprises a blockchain cloud service platform; and the service devices corresponding to the data collaborators comprise virtual service devices created for the data collaborators on the cloud service platform.
10. A blockchain-based multi-instance networking apparatus, applied to a data collaboration platform based on a data security blockchain; the blockchain nodes in the data security blockchain comprise service devices respectively corresponding to a plurality of data collaborators; the apparatus comprises:
a receiving unit, configured to receive an access request initiated by a first data collaborator; the access request comprises the device identifier of at least one service device corresponding to the first data collaborator;
a response unit, configured to, in response to the access request, add the at least one service device to the data security blockchain as a blockchain node, and create a first service program instance associated with the at least one service device corresponding to the first data collaborator;
a determining unit, configured to determine whether a second service program instance associated with at least one service device corresponding to a second data collaborator, other than the first data collaborator, among the plurality of data collaborators has been created;
and a networking unit, configured to create a data synchronization channel between the first service program instance and the second service program instance when the second service program instance associated with at least one service device corresponding to the second data collaborator other than the first data collaborator has been created; the data collaborators respectively correspond to different data domains; the data synchronization channel is used for cross-domain data synchronization between the first service program instance and the second service program instance; and a service program instance is used for performing authorization management of cross-chain transfer of the ciphertext data corresponding to the user data stored on the service devices associated with the service program instance.
11. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the method of any of the preceding claims 1-9.
12. A computer-readable storage medium whose instructions, when executed by a processor of an electronic device, enable the electronic device to perform the method of any of claims 1-9.
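The networking flow of claims 1 to 5, as an added example that is not code from the patent or its assignee: an access request adds the collaborator's devices as chain nodes and creates a service program instance; a data synchronization channel is created only when a peer instance already exists; and device registration and update requests are synchronized to every peer over that channel. The claims say only that the channel is an HTTP call channel addressed by domain name, so the platform and instance classes, the call addresses, the per-channel key and the HMAC tag that authenticates each call's parameters, and the sample collaborators and device identifiers are all constructed assumptions added here.

```python
"""Added example (not the patent's own code): the multi-instance networking
flow of claims 1 to 5 simulated in memory.  Constructed stand-ins: the
platform and instance classes, domain-name call addresses, the per-channel
key and HMAC tag authenticating calls, and the sample devices."""
import hashlib
import hmac
import json
import secrets


def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class ServiceInstance:
    def __init__(self, platform, collaborator: str, call_address: str):
        self.platform, self.collaborator, self.call_address = platform, collaborator, call_address
        self.channel_keys: dict[str, bytes] = {}   # peer call address -> channel key
        self.db: dict[str, dict] = {}              # device id -> device info (own and synced)

    # --- outbound: this collaborator's own devices ---------------------------
    def register_device(self, device_id: str, info: dict) -> None:
        self.db[device_id] = dict(info, owner=self.collaborator)   # association recorded as owner
        self._sync("device_register", {"device_id": device_id, "info": self.db[device_id]})

    def update_device(self, device_id: str, changes: dict) -> None:
        if self.db[device_id]["owner"] != self.collaborator:
            raise PermissionError("an instance may only update its own devices")
        self.db[device_id].update(changes)
        self._sync("device_update", {"device_id": device_id, "info": self.db[device_id]})

    def _sync(self, method: str, params: dict) -> None:
        for address, key in self.channel_keys.items():
            tag = hmac.new(key, _canon([method, params]), hashlib.sha256).hexdigest()
            self.platform.deliver(address, self.call_address, method, params, tag)

    # --- inbound: a peer's devices ------------------------------------------
    def receive(self, caller: str, method: str, params: dict, tag: str) -> None:
        key = self.channel_keys.get(caller)
        if key is None:
            raise PermissionError(f"no data synchronization channel with {caller}")
        expected = hmac.new(key, _canon([method, params]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("call parameters failed channel authentication")
        if params["info"].get("owner") != self.platform.owner_of(caller):
            raise PermissionError("a peer may only synchronize its own devices")
        if method == "device_update" and params["device_id"] not in self.db:
            raise KeyError(params["device_id"])
        self.db[params["device_id"]] = params["info"]


class Platform:
    def __init__(self):
        self.chain_nodes: set[str] = set()
        self.instances: dict[str, ServiceInstance] = {}   # call address -> instance

    def owner_of(self, address: str) -> str:
        return self.instances[address].collaborator

    def access_request(self, collaborator: str, device_ids: list) -> ServiceInstance:
        self.chain_nodes.update(device_ids)            # devices join the chain as nodes
        inst = ServiceInstance(self, collaborator, f"{collaborator}.example.invalid")
        for peer in self.instances.values():            # a peer instance already exists:
            key = secrets.token_bytes(32)               # create the channel, one key per pair
            inst.channel_keys[peer.call_address] = key
            peer.channel_keys[inst.call_address] = key
        self.instances[inst.call_address] = inst
        for device_id in device_ids:
            inst.register_device(device_id, {})
        return inst

    def deliver(self, dst: str, src: str, method: str, params: dict, tag: str) -> None:
        self.instances[dst].receive(src, method, params, tag)   # stand-in for the HTTP call


def demo() -> dict:
    platform = Platform()
    a = platform.access_request("a", ["dev-a1"])
    channels_after_first = len(a.channel_keys)          # no peer yet, so no channel
    b = platform.access_request("b", ["dev-b1"])
    a.register_device("dev-a2", {"role": "storage"})
    a.update_device("dev-a2", {"role": "compute"})
    try:                                                # call without a valid channel tag
        b.receive(a.call_address, "device_register",
                  {"device_id": "dev-x", "info": {"owner": "a"}}, "00")
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    return {"channels_after_first": channels_after_first,
            "channels_after_second": len(a.channel_keys),
            "b_sees_dev_a2_role": b.db["dev-a2"]["role"],
            "b_sees_dev_a1": "dev-a1" in b.db,
            "a_sees_dev_b1": "dev-b1" in a.db,
            "forged_call_rejected": forged_rejected,
            "nodes": sorted(platform.chain_nodes)}
```

One thing the run makes visible: `dev-a1` was registered before the channel to `b` existed and is never replayed, so `b` does not know about it, whereas `dev-b1` and `dev-a2` are synchronized because the channel was already in place. Claims 1 to 5 describe no backfill on channel creation; a deployment needs one, or a reconciliation pass, for the peers' databases to converge.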
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202211352499.3A CN115801344A (en) 2022-10-31 2022-10-31 Multi-instance networking method and device based on block chain and electronic equipment
PCT/CN2022/135245 WO2024092928A1 (en) 2022-10-31 2022-11-30 Blockchain-based multi-instance networking method and apparatus, and electronic device

Applications Claiming Priority (1) / Family Applications (1)

Application Number Priority Date Filing Date Title Status
CN202211352499.3A CN115801344A (en) 2022-10-31 2022-10-31 Multi-instance networking method and device based on block chain and electronic equipment Pending

Publications (1)

Publication Number Publication Date
CN115801344A 2023-03-14

Family

ID=85434706

Country Status (2)

Country Link
CN (1) CN115801344A (en)
WO (1) WO2024092928A1 (en)
Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110046998B (en) * 2019-01-31 2020-04-14 阿里巴巴集团控股有限公司 Cross-chain right using system, method, device, electronic equipment and storage medium
CN114827135A (en) * 2021-01-12 2022-07-29 腾讯科技(深圳)有限公司 Cross-chain cooperative treatment system, method, equipment and storage medium
CN113986865A (en) * 2021-08-17 2022-01-28 哈尔滨海邻科信息技术有限公司 Cross-department service collaboration system and method based on block chain
CN115766123A (en) * 2022-10-31 2023-03-07 蚂蚁区块链科技(上海)有限公司 Data cross-domain authorization method and device and electronic equipment

Also Published As

Publication number Publication date
WO2024092928A1 (en) 2024-05-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination