CN118194355A - Distributed file system access method, apparatus, device, medium and program product - Google Patents
Distributed file system access method, apparatus, device, medium and program product Download PDFInfo
- Publication number
- CN118194355A CN118194355A CN202410480229.3A CN202410480229A CN118194355A CN 118194355 A CN118194355 A CN 118194355A CN 202410480229 A CN202410480229 A CN 202410480229A CN 118194355 A CN118194355 A CN 118194355A
- Authority
- CN
- China
- Prior art keywords
- file
- service system
- request
- token
- file service
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 72
- 238000012795 verification Methods 0.000 claims description 32
- 238000004590 computer program Methods 0.000 claims description 24
- 230000004044 response Effects 0.000 claims description 13
- 238000013507 mapping Methods 0.000 claims description 9
- 238000012545 processing Methods 0.000 claims description 6
- 238000005516 engineering process Methods 0.000 abstract description 3
- 238000010586 diagram Methods 0.000 description 16
- 230000015654 memory Effects 0.000 description 10
- 230000007246 mechanism Effects 0.000 description 9
- 238000004891 communication Methods 0.000 description 8
- 230000006870 function Effects 0.000 description 8
- 230000000977 initiatory effect Effects 0.000 description 8
- 238000011161 development Methods 0.000 description 6
- 230000001419 dependent effect Effects 0.000 description 5
- 101100364301 Schizosaccharomyces pombe (strain 972 / ATCC 24843) rsv1 gene Proteins 0.000 description 4
- 101100364302 Schizosaccharomyces pombe (strain 972 / ATCC 24843) rsv2 gene Proteins 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 239000003795 chemical substances by application Substances 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000013475 authorization Methods 0.000 description 1
- 230000003542 behavioural effect Effects 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 230000036541 health Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 239000011159 matrix material Substances 0.000 description 1
- 238000004806 packaging method and process Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 239000000758 substrate Substances 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The disclosure provides a distributed file system access method, which can be applied to the technical field of big data and the technical field of financial science and technology. The method comprises the following steps: responding to a request initiated by a user to a first file service system, and streaming the request to a second file service system, wherein the second file service system is used for acting the user to initiate the request to the first file service system; responding to the second file service system to receive the request, and carrying out validity check on the Token carried by the request, wherein the Token is generated in the first file service system in advance; responding to the pass of the validity check of Token, and inquiring a database according to the file identification carried by the request to acquire a real file path corresponding to the request; and accessing the first file service system according to the real file path, and returning the access result to the user. The present disclosure also provides a distributed file system access apparatus, device, medium, and program product.
Description
Technical Field
The present disclosure relates to the field of big data technology and the field of financial technology, and more particularly, to a distributed file system access method, apparatus, device, medium, and program product.
Background
File services are a technique for storing files on a server, thereby enabling users to access and manage files from a network, and are available in enterprises, households, and various network environments. The method can enable users to realize sharing and synchronization of files, protect the safety of the files, realize backup of network files, improve the working efficiency of the users, improve the management level of the files, and enable the file access to be more convenient and effective.
The token of the existing file service system depends on a token checking mechanism of the FastDFS framework, when the token is started, all files need to be checked, the configuration is inflexible, granularity cannot meet the requirement, specific authority control cannot be performed for a certain application, meanwhile FastDFS can be accessed through the Internet, after a caller uploads the files, the file service system returns a real file address of the caller, and a real ip address of FastDFS is exposed.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a method, apparatus, device, medium, and program product for distributed file system access by a file service system instead of a request FastDFS server.
According to a first aspect of the present disclosure, there is provided a distributed file system access method, including: responding to a request initiated by a user to a first file service system, and streaming the request to a second file service system, wherein the second file service system is used for acting the user to initiate the request to the first file service system; responding to the second file service system to receive the request, and carrying out validity check on the Token carried by the request, wherein the Token is generated in the second file service system in advance; responding to the pass of the validity check of Token, and inquiring a database according to the file identification carried by the request to acquire a real file path corresponding to the request; and accessing the first file service system according to the real file path, and returning the access result to the user.
According to an embodiment of the present disclosure, token pre-generation at the second file service system includes: acquiring a file path and the current time of the system of the second file service system; splicing the file path and the current time of the system with a predefined character string, and encrypting; defining a time stamp of the Token, wherein the time stamp characterizes the validity period time of the Token; and generating a character string corresponding to the Token according to the encrypted character string and the time stamp.
According to an embodiment of the present disclosure, in response to the second file service system receiving the request, performing validity check on the Token carried by the request includes: analyzing the character string corresponding to the Token to obtain a time stamp of the Token and a file virtual address; comparing the time stamp with the current time of the second file service system, and acquiring a file real address according to the file virtual address in response to the Token not being expired; calculating a pre-estimated Token according to the real address and the timestamp of the file; and responding to the Token carried by the request to be consistent with the estimated Token, and passing the verification.
According to an embodiment of the present disclosure, the method further includes, before querying a database according to a file identifier carried by a request and obtaining a real file path corresponding to the request: responding to the pass of the validity check of Token, and acquiring the identity information of the user and the file identification corresponding to the request; and verifying the authority of the request according to the identity information and the file identification.
According to an embodiment of the present disclosure, returning the access result to the user includes: sending the access result to a second file service system; responsive to the second file service system receiving the access result, mapping the real file path to a virtual file path; the virtual file path is returned to the user.
According to an embodiment of the present disclosure, mapping a real file path to a virtual file path includes: newly adding fields for storing virtual file paths into a database table of a second file service system, wherein the fields correspond to the real file paths one by one; and splicing the real file path with a predefined fixed character string and carrying out encryption processing to obtain a virtual file path.
A second aspect of the present disclosure provides a distributed file system access apparatus, comprising: the system comprises a streaming module, a first file service system and a second file service system, wherein the streaming module is used for responding to a request initiated by a user to the first file service system and streaming the request to the second file service system, and the second file service system is used for acting the user to initiate the request to the first file service system; the verification module is used for responding to the request received by the second file service system and verifying the validity of the Token carried by the request, wherein the Token is generated in the first file service system in advance; the query module is used for responding to the pass of the validity check of the Token, querying a database according to the file identifier carried by the request and acquiring a real file path corresponding to the request; and the access module is used for accessing the first file service system according to the real file path and returning the access result to the user.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above method.
The distributed file system access method, device, equipment, medium and program product provided by the present disclosure are implemented by streaming a user request to a second file service system (new file service system) for proxy user initiation of the request to a first file service system (FastDFS server), then transferring a token verification mode from a FastDFS server to the new file service system for verification, when an application requests access to a file, requesting access to the new file service system first, and when token and authority verification pass, replacing the request by the new file service system as a FastDFS server. Because the application no longer directly interacts with FastDFS servers, but is instead operated by the file service system proxy, the mechanism of token check which is completely dependent on FastDFS framework in the existing file service system is improved, so that fine granularity check control can be carried out for different applications, and service development is facilitated.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a distributed file system access method according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a distributed file system access method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flowchart of generating a Token in a distributed file system access method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flowchart of verifying Token in a distributed file system access method according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow diagram for performing rights verification in a distributed file system access method according to an embodiment of the disclosure;
FIG. 6 schematically illustrates a flow diagram for mapping virtual file paths in a distributed file system access method according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a flow diagram for mapping a real file path to a virtual file path in a distributed file system access method according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a schematic diagram of a distributed file system access method according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of a distributed file system access apparatus according to an embodiment of the present disclosure; and
Fig. 10 schematically illustrates a block diagram of an electronic device of a distributed file system access method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in accordance with the meaning of one of skill in the art having generally understood the convention (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
It should be noted that the method and the device for accessing the distributed file system disclosed in the present disclosure may be used for accessing the distributed file system in the financial field, and may also be used for accessing the distributed file system in any field other than the financial field, and the application field of the method and the device for accessing the distributed file system disclosed in the present disclosure is not limited.
In the technical scheme of the invention, the related user information (including but not limited to user personal information, user image information, user equipment information, such as position information and the like) and data (including but not limited to data for analysis, stored data, displayed data and the like) are information and data authorized by a user or fully authorized by all parties, and the related data are collected, stored, used, processed, transmitted, provided, disclosed, applied and the like, all comply with related laws and regulations and standards, necessary security measures are adopted, no prejudice to the public order is provided, and corresponding operation entries are provided for the user to select authorization or rejection.
In the scenario of using personal information to make an automated decision, the method, the device and the system provided by the embodiment of the invention provide corresponding operation inlets for users, so that the users can choose to agree or reject the automated decision result; if the user selects refusal, the expert decision flow is entered. The expression "automated decision" here refers to an activity of automatically analyzing, assessing the behavioral habits, hobbies or economic, health, credit status of an individual, etc. by means of a computer program, and making a decision. The expression "expert decision" here refers to an activity of making a decision by a person who is specializing in a certain field of work, has specialized experience, knowledge and skills and reaches a certain level of expertise.
The embodiment of the disclosure provides a distributed file system access method, which comprises the following steps: responding to a request initiated by a user to a first file service system, and streaming the request to a second file service system, wherein the second file service system is used for acting the user to initiate the request to the first file service system; responding to the second file service system to receive the request, and carrying out validity check on the Token carried by the request, wherein the Token is generated in the first file service system in advance; responding to the pass of the validity check of Token, and inquiring a database according to the file identification carried by the request to acquire a real file path corresponding to the request; and accessing the first file service system according to the real file path, and returning the access result to the user.
According to the distributed file system access method provided by the embodiment of the disclosure, a user request is led to a second file service system (a new file service system) for initiating a request to a first file service system (FastDFS server) by an agent user, then a check mode of a token is transferred from a FastDFS server to the new file service system for verification, when an application requests to access a file, the request is firstly made to access the new file service system, and when the token and the authority are verified, the new file service system is replaced by the request FastDFS server. Because the application no longer directly interacts with FastDFS servers, but is instead operated by the file service system proxy, the mechanism of token check which is completely dependent on FastDFS framework in the existing file service system is improved, so that fine granularity check control can be carried out for different applications, and service development is facilitated.
Keyword introduction:
Distributed database (distributed data base): distributed database systems typically use smaller computer systems, each of which may be placed separately in a place where each computer may have a full copy or partial copy of the DBMS (database management system) and have its own local database, and many computers at different locations are interconnected by a network to form a complete, global, logically centralized, physically distributed large database.
File service: file services are a technique for storing files on a server, thereby enabling users to access and manage files from a network, and are available in enterprises, households, and various network environments. The method can enable users to realize sharing and synchronization of files, protect the safety of the files, realize backup of network files, improve the working efficiency of the users, improve the management level of the files, and enable the file access to be more convenient and effective.
And (3) authority control: rights control refers to a process of restricting and managing operations of users or characters in one system or application. It is used to ensure that only authorized users and roles can perform certain operations or access certain resources. Rights control is an important component of information security and access control. In implementing rights control, some technical means, such as role management, access Control List (ACL), access Control Matrix (ACM), etc., are generally used.
FastDFS: fastDFS is an open source distributed file system based on internet application, which is mainly used for storing resource files such as pictures, documents, audio, video and the like in large and medium-sized websites. The system adopts a structure similar to GFS, is realized by using pure C language, and supports Linux, freeBSD, AIX and other UNIX systems. FastDFS comprises three parts, namely a client, TRACKER SERVER and a Storage server, wherein the client can only access files through a special API and does not support a POSIX interface mode.
Token: token is an authentication mechanism used to authenticate between a client and a server. It is a string that is produced by the server and sent to the client, which will store and send each request to the server for authentication. Token typically contains information about the identity of the user, such as a user name and role. The use of Token may raise the security of an application because it may prevent unauthorized users from accessing protected resources.
Fig. 1 schematically illustrates an application scenario diagram of a distributed file system access method according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include terminal devices 101, 102, 103. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the distributed file system access method provided in the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the distributed file system access apparatus provided by the embodiments of the present disclosure may be generally provided in the server 105. The distributed file system access method provided by the embodiments of the present disclosure may also be performed by a server or server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the distributed file system access apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The distributed file system access method of the disclosed embodiment will be described in detail below with reference to fig. 2 to 8 based on the scenario described in fig. 1.
FIG. 2 schematically illustrates a flow chart of a distributed file system access method according to an embodiment of the present disclosure.
As shown in fig. 2, the distributed file system access method of this embodiment includes operations S210 to S240, which may be performed by a server.
In response to the user initiating a request to the first file service system, the request is streamed to a second file service system for proxy user initiation of the request to the first file service system in operation S210.
In this embodiment, the first file service system may be FastDFS, for example, and the second file service system may be a new file service system that is added to the original FastDFS, for example.
The new file service system is technically built by using DSF (Distributed Service Framework) frames and FastDFS as basic components, the database stores some basic information and FastDFS addresses of files, and the in-line application can realize the uploading and downloading functions of the files only through the new file service system and avoid directly accessing FastDFS servers.
In operation S220, in response to the second file service system receiving the request, the Token carried by the request is checked for validity, where the Token is generated in advance in the first file service system.
In this embodiment, the token verification method is transferred from FastDFS to the new file service system for verification, and when the application requests access to the file, access to the new file service system is first requested.
In operation S230, in response to the Token passing the validity check, the database is queried according to the file identifier carried by the request, and the real file path corresponding to the request is obtained.
In this embodiment, after Token verification passes, the Token string is parsed to obtain a file identifier, and then a database is queried according to the file identifier to obtain a real file path corresponding to the request.
In operation S240, the first file service system is accessed according to the real file path, and the access result is returned to the user.
In this embodiment, the request FastDFS server is replaced by the new file serving system after token verification passes. According to the real file path, the target file required by the user is queried in FastDFS server, then the target file is sent to the new file service system, and then the new file service system is sent to the user.
According to an embodiment of the present disclosure, a token verification mode is transferred from a FastDFS server to a new file service system for verification by streaming a user request to a second file service system (new file service system) for proxy user initiation of the request to the first file service system (FastDFS server), when an application requests access to a file, access to the new file service system is first requested, and when token and authority verification pass, the new file service system is substituted for the request FastDFS server. Because the application no longer directly interacts with FastDFS servers, but is instead operated by the file service system proxy, the mechanism of token check which is completely dependent on FastDFS framework in the existing file service system is improved, so that fine granularity check control can be carried out for different applications, and service development is facilitated.
FIG. 3 schematically illustrates a flowchart of Token generation in a distributed file system access method according to an embodiment of the present disclosure.
As shown in fig. 3, the distributed file system access method of this embodiment includes operations S310 to S340.
In operation S310, a file path of the second file service system and a current time of the system are acquired.
In operation S320, the file path and the current time of the system are spliced together with a predefined character string, and encrypted.
In operation S330, a time stamp of the Token is defined, wherein the time stamp characterizes a validity period time of the Token.
In operation S340, a character string corresponding to Token is generated according to the encrypted character string and the time stamp.
In this embodiment, the Token generation mechanism is as follows:
md5 (fastdfs _url+key+ts) & ts=system current time+token validity period, wherein fastdfs _url is a real file path and token validity period unit defaults to seconds.
MD5 is a cryptographic technique, namely MD5 Message-Digest Algorithm (english), which is a widely used cryptographic hash function that generates a 128-bit (16-byte) hash value to ensure that the information transfer is completely consistent.
In this embodiment, if the current time of the system is 2020-07-02 12:15:30,token and the validity period is 30 seconds, then:
fastdfs_url=group2/M00/00/01/bQYtu16Bmn2AOXK7AABQGH7_j1w42.docx。
key is a string defined in the configuration file, and is used as a part of the token after md5 encryption with fastdfs _url and ts concatenation, for example key= FASTDFS123456789.
ts=(20200702121530+30)=20200702121600.
token=md5(group2/M00/00/01/bQYtu16Bmn2AOXK7AABQGH7_j1w42.docx+FASTDFS1234567890+20200702121600)&ts=20200702121600.
According to the embodiment of the disclosure, by combining the file path, the key and the timestamp to perform md5 encryption, a unique token which is not easy to crack can be generated, so that the security of the system is improved, and only a request with the correct key and the generation time can pass verification. In addition, since the Token contains the file path and the time stamp, any tampering with the file path or the time stamp can cause the generated Token to be mismatched, thereby effectively preventing tampering with the file path or the time stamp.
FIG. 4 schematically illustrates a flowchart of verifying Token in a distributed file system access method according to an embodiment of the present disclosure.
As shown in fig. 4, the distributed file system access method of this embodiment includes operations S410 to S440.
In operation S410, the character string corresponding to the Token is parsed to obtain the timestamp of the Token and the virtual address of the file.
In operation S420, the time stamp is compared with the current time of the second file service system, and in response to the Token not expiring, the file real address is obtained from the file virtual address.
In operation S430, a predicted Token is calculated based on the file real address and the timestamp.
In operation S440, in response to the Token carried by the request being consistent with the predicted Token, the verification is passed.
In this embodiment, token check rules are as follows:
when the caller requests a file, the request url may be, for example:
http://ip:port/file/fileserver/pathappid=erp&fileid=vm_file_url&token=XXXXXXX
And acquiring the ts value sent by the calling party, comparing the ts value with the current time of the system, and judging whether the token is expired.
The value of fileid is obtained and the corresponding remote_file_id is queried in the database table according to fileid.
And acquiring a token value sent by the calling party.
And calculating a corresponding md5 (remote_file_id+ts) value according to the remote_file_id and the transmitted ts value, and comparing the corresponding md5 (remote_file_id+ts) value with the transmitted token value, if the remote_file_id and the transmitted ts value are consistent, indicating that the verification is passed.
According to the embodiment of the disclosure, the expired Token can be effectively prevented from being used for access by checking the expiration time of the Token, so that the security of the system is enhanced. Inquiring the corresponding remote_file_id in the database according to fileid, and then calculating the Token by combining the timestamp, the falsification request of a malicious user can be prevented, because only the legal fileid can obtain the correct remote_file_id. The estimated Token calculated after combining the remote_file_id and the timestamp is compared with the Token carried in the request, so that the integrity of the file data can be effectively verified, and the transmitted file is ensured not to be tampered.
Fig. 5 schematically illustrates a flowchart of performing rights verification in a distributed file system access method according to an embodiment of the present disclosure.
As shown in fig. 5, the distributed file system access method of this embodiment includes operations S510 to S520.
In operation S510, in response to the Token passing the validity check, the identity information of the user and the file identifier corresponding to the request are obtained.
In operation S520, the request is validated according to the identity information and the file identification.
In this embodiment, before the database is queried according to the file identifier carried by the request to obtain the real file path corresponding to the request, the authority of the request needs to be verified.
To increase granularity control over the token for the entitlement control rules, the following f_access_tbl and f_authority_tbl database tables are involved.
The field id in the table is the primary key number, CREATETIME is the creation time, lastUpdateTime is the latest update time, rsv1, rsv2, rsv3 are reserved extension fields, appid and business_code represent the application number and the business number respectively, and the corresponding application number and business number are fixed when the file is uploaded. appid and business_code are one-to-many, i.e., an application can have multiple sub-services. The relation between the business_code and the files is one-to-many, and one sub-business comprises a plurality of files.
The f_access_tbl table structure (table 1) may be, for example:
| Name of name | Type(s) | Length of | Decimal point | Not null |
| id | bigint | 20 | 0 | √ |
| appld | varchar | 32 | 0 | |
| business code | int | 30 | 0 | |
| createTime | tinvint | 0 | 0 | |
| lastUpdateTime | int | 0 | 0 | |
| rsv1 | varchar | 30 | 0 | |
| rsv2 | varchar | 100 | 0 | |
| rsv3 | varchar | 252 | 0 |
The f_access_tbl table structure is shown in table 1 above:
Because appid and business_code are in one-to-many relationship, the table should be used as a relationship table, rather than a permission table, i.e. business_code is a sub-service under appid and not another sub-service under appid. And simultaneously, a permission table is newly added for permission distribution among different application services.
The rights table f_authority_tbl structure (table 2) may be, for example:
| Name of name | Type(s) | Length of | Decimal point | Not null |
| id | bigint | 10 | 0 | √ |
| appld | varchar | 16 | 0 | |
| business code | int | 16 | 0 | |
| createTime | tinyint | 1 | 0 | |
| lastUpdateTime | int | 11 | 0 | |
| rsv1 | varchar | 16 | 0 | |
| rsv2 | varchar | 64 | 0 | |
| rsv3 | varchar | 256 | 0 | |
| createtime | datetime | 0 | 0 | |
| lastupdatetime | datetime | 0 | 0 |
The rights table f_authority_tbl structure is shown in table 2 above:
wherein the authority_business_code type is int, corresponding to the id field in the f_access_tbl table.
Is_token: 0-accessible+no token; 1-accessible+token (token is also required for this appid access); 2-inaccessible (inaccessible is prohibited from accessing other appid, but this appid is still accessible)
Token_time: token expiration date, defaults in seconds.
The meaning of one record in the rights table f_authority_tbl is: the application appid-A may access all files under the corresponding sub-service business_code-B of the application appid-B.
Token control for a single file:
The is_token and token_time fields are set up for the database table f_upload_tbl structure, in the same manner as described above.
When checking, the token on the single file is set to have the highest priority, and then the configuration in the f_authority_tbl table is set.
According to the embodiment of the disclosure, the permission verification mechanism is adopted for the request of the user, so that only authorized users can execute specific file operations, such as uploading, downloading and the like, and service development is facilitated by carrying out fine-grained verification control for different applications.
FIG. 6 schematically illustrates a flow diagram for mapping virtual file paths in a distributed file system access method according to an embodiment of the disclosure.
As shown in fig. 6, the database multi-slice scheduling method of this embodiment includes operations S610 to S630.
The access result is transmitted to the second file service system in operation S610.
In operation S620, in response to the second file service system receiving the access result, the real file path is mapped to a virtual file path.
In operation S630, the virtual file path is returned to the user.
Since FastDFS in the prior art can access through internet, after the caller uploads the file, the file service system returns the real file address of the caller, and the real ip address of FastDFS is exposed, so in this embodiment, the real file path is mapped as a virtual file path and returned to the caller.
According to the embodiment of the disclosure, the new file service system returns a virtual file path to the caller, and the returned ip address is the new file server address instead of the ip address of FastDFS servers, so that the real path of FastDFS is shielded, the file leakage risk is reduced, and the system safety is enhanced.
Fig. 7 schematically illustrates a flowchart of mapping a real file path to a virtual file path in a distributed file system access method according to an embodiment of the present disclosure.
As shown in fig. 7, the database multi-slice scheduling method of this embodiment includes operations S710 to S720.
In operation S710, fields for storing virtual file paths are newly added in a database table of the second file service system, wherein the fields correspond to real file paths one by one.
In operation S720, the real file path is spliced with the predefined fixed character string and encrypted to obtain a virtual file path.
In this embodiment, the mapping rule may be, for example:
The database table f_upload_tbl is newly added with a vm_file_url field, which stores a file virtual address, and the field corresponds to the remote_file_id (i.e., fastdfs _url) one by one.
Vm_file_url=md5 (fastdfs _url+fixed string), wherein fastdfs _url is as described above, fixed string= "FASTDFS123456789".
vm_file_url=md5(group2/M00/00/01/bQYtu16Bmn2AOXK7AABQGH7_j1w42.docx+FASTDFS123456789)。
According to the embodiment of the disclosure, the real path (fastdfs _url) of the file is combined with a fixed character string and then encrypted by using md5 to generate the virtual path (vm_file_url), so that the real path of the file can be protected from being exposed, potential safety risks are avoided, and the flexibility and maintainability of the system are enhanced.
FIG. 8 schematically illustrates a schematic diagram of a distributed file system access method according to an embodiment of the present disclosure.
As shown in fig. 8, the principle of the distributed file system access method provided in this embodiment is:
When a user initiates a request, the user request is led to a second file service system (new file service system) for proxy user to initiate the request to a first file service system (FastDFS server), then the verification mode of the token is transferred from the FastDFS server to the new file service system for verification, when the application requests to access a file, the new file service system is requested to be accessed first, and when the token and the authority verification are passed, the new file service system is substituted as a request FastDFS server. Because the application no longer directly interacts with FastDFS servers, but is instead operated by the file service system proxy, the mechanism of token check which is completely dependent on FastDFS framework in the existing file service system is improved, so that fine granularity check control can be carried out for different applications, and service development is facilitated.
In this embodiment, the database table structure of the new file service system may be configured as follows:
f_access_tbl table (table 3):
| Sequence number | Fields | Field name | Type(s) | Remarks |
| 1. | id | Main key | bigint(20) | Main key |
| 2. | appid | Application numbering | varchar(32) | |
| 3. | business__code | Service numbering | varchar(30) | |
| 4. | rsv1 | Reserved field 1 | varchar(30) | |
| 5. | rsv2 | Reserved field 2 | varchar(100) | |
| 6. | rsv3 | Reserved field 3 | varchar(255) | |
| 7. | createTime | Creation time | datetime | |
| 8. | 1astUpdateTime | Last update time | timestamp |
The f_access_tbl table is shown in Table 3 above
F_authority_tbl table (table 4):
f_authority_tbl is shown in Table 4 above
F_upper_tbl table (table 5):
the f_upper_tbl table is shown in Table 5 above
Fig. 9 schematically illustrates a block diagram of a distributed file system access apparatus according to an embodiment of the present disclosure.
As shown in fig. 9, the distributed file system access apparatus 900 of this embodiment includes a streaming module 910, a verification module 920, a query module 930, and an access module 940.
The streaming module 910 is configured to, in response to a user initiating a request to a first file service system, stream the request to a second file service system, where the second file service system is configured to proxy the user initiating the request to the first file service system. In an embodiment, the drainage module 910 may be configured to perform the operation S210 described above, which is not described herein.
The verification module 920 is configured to perform validity verification on a Token carried by the request in response to the second file service system receiving the request, where the Token is generated in the second file service system in advance. In an embodiment, the verification module 920 may be used to perform the operation S220 described above, which is not described herein.
The query module 930 is configured to query a database according to the file identifier carried by the request in response to the pass of the validity check of the Token, and obtain a real file path corresponding to the request. In an embodiment, the query module 930 may be configured to perform the operation S230 described above, which is not described herein.
The access module 940 is configured to access the first file service system according to the real file path, and return an access result to the user. In an embodiment, the access module 940 may be configured to perform the operation S240 described above, which is not described herein.
The distributed file system access device provided by the disclosure is characterized in that a user request is led to a second file service system (new file service system) for initiating a request to a first file service system (FastDFS server) by an agent user, then a checking mode of a token is transferred from a FastDFS server to the new file service system for verification, when an application requests to access a file, the request is firstly made to access the new file service system, and when the token and the authority are verified, the new file service system is replaced by the request FastDFS server. Because the application no longer directly interacts with FastDFS servers, but is instead operated by the file service system proxy, the mechanism of token check which is completely dependent on FastDFS framework in the existing file service system is improved, so that fine granularity check control can be carried out for different applications, and service development is facilitated.
Any of the flow-directing module 910, the verification module 920, the query module 930, and the access module 940 may be combined in one module to be implemented, or any of them may be split into multiple modules, according to embodiments of the present disclosure. Or at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules. At least one of the flow directing module 910, the verification module 920, the query module 930, and the access module 940 may be implemented, at least in part, as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware, such as any other reasonable way of integrating or packaging the circuitry, or in any one of or a suitable combination of any of the three. Or at least one of the flow-directing module 910, the verification module 920, the query module 930, and the access module 940 may be at least partially implemented as computer program modules that, when executed, perform the corresponding functions.
Fig. 10 schematically illustrates a block diagram of an electronic device of a distributed file system access method according to an embodiment of the disclosure.
As shown in fig. 10, the electronic device 110 according to the embodiment of the present disclosure includes a processor 111 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 112 or a program loaded from a storage section 118 into a Random Access Memory (RAM) 113. Processor 111 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 111 may also include on-board memory for caching purposes. Processor 111 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM113, various programs and data required for the operation of the electronic device 110 are stored. The processor 111, the ROM112, and the RAM113 are connected to each other through a bus 114. The processor 111 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM112 and/or the RAM 113. Note that the program may be stored in one or more memories other than the ROM112 and the RAM 113. The processor 111 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in one or more memories.
According to embodiments of the present disclosure, the electronic device 110 may also include an input/output (I/O) interface 115, the input/output (I/O) interface 115 also being connected to the bus 114. The electronic device 110 may also include one or more of the following components connected to the I/O interface 115: an input section 116 including a keyboard, a mouse, and the like; an output portion 117 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker, and the like; a storage section 118 including a hard disk or the like; and a communication section 119 including a network interface card such as a LAN card, a modem, and the like. The communication section 119 performs communication processing via a network such as the internet. The drive 120 is also connected to the I/O interface 115 as needed. A removable medium 121 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 120 so that a computer program read out therefrom is installed as needed into the storage section 118.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 112 and/or RAM 113 described above and/or one or more memories other than ROM 112 and RAM 113.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 111. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of signals over a network medium, and downloaded and installed via the communication part 119, and/or from the removable medium 121. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 119, and/or installed from the removable medium 121. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 111. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, such as Java, c++, python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.
Claims (10)
1. A method of distributed file system access, the method comprising:
Responding to a request initiated by a user to a first file service system, and streaming the request to a second file service system, wherein the second file service system is used for acting the user to initiate the request to the first file service system;
Responding to the second file service system to receive the request, and carrying out validity check on Token carried by the request, wherein the Token is generated in the second file service system in advance;
responding to the pass of the validity check of the Token, and inquiring a database according to the file identifier carried by the request to acquire a real file path corresponding to the request;
and accessing the first file service system according to the real file path, and returning an access result to the user.
2. The method of claim 1, wherein the Token is pre-generated at the second file service system comprising:
acquiring a file path and the current time of the system of the second file service system;
Splicing the file path and the current time of the system with a predefined character string, and encrypting;
Defining a timestamp of the Token, wherein the timestamp characterizes the validity period time of the Token;
and generating a character string corresponding to the Token according to the encrypted character string and the time stamp.
3. The method according to claim 2, wherein said responding to said second file service system receiving said request, and performing validity check on Token carried by said request comprises:
Analyzing the character string corresponding to the Token to obtain a timestamp of the Token and a file virtual address;
comparing the time stamp with the current time of the second file service system, and acquiring a file real address according to the file virtual address in response to the Token not being expired;
Calculating a pre-estimated Token according to the file real address and the time stamp;
And responding to the Token carried by the request to be consistent with the estimated Token, and if the Token is consistent with the estimated Token, verifying to pass.
4. The method for accessing a distributed file system according to claim 1, wherein the querying a database according to the file identifier carried by the request, before obtaining the real file path corresponding to the request, further comprises:
responding to the pass of the validity check of the Token, and acquiring the identity information of the user and the file identification corresponding to the request;
and verifying the authority of the request according to the identity information and the file identifier.
5. The method according to any one of claims 1 to 4, wherein the returning the access result to the user includes:
Sending the access result to the second file service system;
Responsive to the second file service system receiving the access result, mapping the real file path to a virtual file path;
And returning the virtual file path to the user.
6. The method of claim 5, wherein mapping the real file path to a virtual file path comprises:
Newly adding a field for storing a virtual file path in a database table of the second file service system, wherein the field corresponds to the real file path one by one;
and splicing the real file path with a predefined fixed character string and carrying out encryption processing to obtain a virtual file path.
7. A distributed file system access apparatus, the apparatus comprising:
The system comprises a streaming module, a first file service system and a second file service system, wherein the streaming module is used for responding to a request initiated by a user to the first file service system and streaming the request to the second file service system, and the second file service system is used for acting the user to initiate the request to the first file service system;
The verification module is used for responding to the second file service system to receive the request and verifying the validity of the Token carried by the request, wherein the Token is generated in the second file service system in advance;
The query module is used for responding to the pass of the validity check of the Token, querying a database according to the file identifier carried by the request and obtaining a real file path corresponding to the request;
and the access module is used for accessing the first file service system according to the real file path and returning an access result to the user.
8. An electronic device, comprising:
one or more processors;
Storage means for storing one or more computer programs,
Characterized in that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1-6.
9. A computer-readable storage medium, on which a computer program/instruction is stored, characterized in that the computer program/instruction, when executed by a processor, implements the steps of the method according to any one of claims 1-6.
10. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the method according to any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410480229.3A CN118194355A (en) | 2024-04-19 | 2024-04-19 | Distributed file system access method, apparatus, device, medium and program product |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410480229.3A CN118194355A (en) | 2024-04-19 | 2024-04-19 | Distributed file system access method, apparatus, device, medium and program product |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118194355A true CN118194355A (en) | 2024-06-14 |
Family
ID=91394946
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410480229.3A Pending CN118194355A (en) | 2024-04-19 | 2024-04-19 | Distributed file system access method, apparatus, device, medium and program product |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118194355A (en) |
-
2024
- 2024-04-19 CN CN202410480229.3A patent/CN118194355A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11451392B2 (en) | Token-based secure data management | |
| US10884825B2 (en) | Application programming interface (API) service apparatus and application programming interface (API) service system | |
| KR102514325B1 (en) | Model training system and method, storage medium | |
| US10021108B2 (en) | Anomaly detection for access control events | |
| US10091230B1 (en) | Aggregating identity data from multiple sources for user controlled distribution to trusted risk engines | |
| Bates et al. | Towards secure provenance-based access control in cloud environments | |
| US20130215126A1 (en) | Managing Font Distribution | |
| US10250723B2 (en) | Protocol-level identity mapping | |
| WO2023030450A1 (en) | Data sharing method and electronic device | |
| US20210352077A1 (en) | Low trust privileged access management | |
| US11095705B2 (en) | Content distributed over secure channels | |
| US9407654B2 (en) | Providing multi-level password and phishing protection | |
| CN113486122A (en) | Data sharing method and electronic equipment | |
| US20160004850A1 (en) | Secure download from internet marketplace | |
| US10990584B1 (en) | Establishing decentralized identifiers for algorithms, data schemas, data sets, and algorithm execution requests | |
| US11797701B1 (en) | Secure data collaboration | |
| CN118194355A (en) | Distributed file system access method, apparatus, device, medium and program product | |
| Zheng et al. | A framework for protecting personal information and privacy | |
| CN111125734B (en) | Data processing method and system | |
| CN114491489A (en) | Request response method and device, electronic equipment and storage medium | |
| JP2022536565A (en) | Using crowdsourcing to combat disinformation | |
| CN114553570B (en) | Method, device, electronic equipment and storage medium for generating token | |
| US20240086549A1 (en) | Systems and methods for user characteristic determination through cryptographic tokenized data | |
| US20240089105A1 (en) | Systems and methods for user control and exclusion of cryptographic tokenized data | |
| CN116186678A (en) | Verification method and device for object sharing request, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination |