CN112019495A - Dynamic mapping mechanism and data security control method for wide-area virtual data space account - Google Patents


Info

Publication number: CN112019495A
Authority: CN (China)
Application number: CN202010469080.0A
Other languages: Chinese (zh)
Other versions: CN112019495B (granted patent)
Prior art keywords: account, space, data space, virtual data, user
Legal status: granted; active
Inventors: 肖利民, 苗冠秦, 秦广军, 霍志胜, 宋尧, 周汉杰, 徐耀文, 王超波, 常佳辉, 张晨浩
Assignee (original and current): Beihang University

Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G06F16/2246 Indexing structures: trees, e.g. B+trees (under G06F16/22 Indexing; data structures therefor; storage structures)


Abstract

The invention provides a dynamic account mapping mechanism and a data security control method for a wide-area virtual data space. A global unified account is mapped onto the local accounts of each supercomputing center through a dynamic, many-to-many mapping mechanism, and on top of that mechanism the account data space is isolated and placed under permission control, so that account data can be accessed securely. First, by studying the mapping relationship between the global unified account and the local accounts, a dynamic account mapping mechanism is implemented that balances the mapping between virtual accounts and local accounts and supports unified management and access of global accounts. Second, on the basis of that mechanism, user spaces are isolated and space permissions are managed, giving security control over the user space. The method solves the unbalanced allocation between virtual data space accounts and supercomputing-center local accounts, and realizes secure access to user space through isolation and permission management of the user space.

Description

Dynamic mapping mechanism and data security control method for wide-area virtual data space account
Technical Field
The invention relates to a dynamic account mapping mechanism and a data security control method for wide-area virtual data space accounts, i.e. to account mapping for cross-domain virtual accounts and to security control of the mapped accounts' data, and belongs to the field of computer technology.
Background
In the current national high-performance computing environment, each supercomputing center runs its own independent account management system; authentication takes various forms, such as tokens, virtual private networks and access keys, and each center uses its own management model. This makes unified, secure account management across several supercomputing centers in a wide-area environment difficult. To manage the storage resources of several supercomputing centers uniformly, a cross-domain virtual data space must be designed that uniformly manages and schedules the computing and storage resources of every center. To meet the requirements of such a cross-domain virtual data space for unified scheduling and secure management of global resources, this invention implements a dynamic account mapping mechanism for the wide-area virtual data space and, on top of it, an account security control method, addressing unified account management and account data security in a wide-area high-performance computing environment.
The most representative existing account mapping mechanisms are the Samba account mapping mechanism and the China National Grid account mapping mechanism.
Samba is an interoperability suite, based on the SMB protocol, that lets Linux and Unix systems share files with Windows. It consists of a client and a server program and supports file sharing between heterogeneous operating systems, including Linux, Unix, Windows and macOS. Samba therefore achieves cross-system file sharing, but it does not provide a rich account management mechanism: it mainly converts Windows accounts to Linux accounts one to one, so it cannot address the unbalanced allocation between a supercomputing center's account pool and the virtual data space's account pool in the current wide-area virtual data space.
The China National Grid, funded by a major special project of the national 863 Programme, aggregates a new generation of information infrastructure with high-performance computing and transaction-processing capabilities. The grid provides computing resource sharing services to geographically dispersed users. Its computing nodes do not distinguish a grid account from a local account: each node is provisioned with a batch of local operating-system accounts (Linux/Unix), and the grid account is converted to a local account whenever the user accesses a resource, with the local account as the unit of access. At least one suitable local account must therefore be mapped to each grid account. However, the grid system usually uses a fixed mapping relationship, i.e. a grid account is bound to a fixed local account, one-to-one or one-to-many, and there is no many-to-many mapping mechanism; so it also cannot solve the unbalanced allocation between the virtual account pool and the supercomputing-center local account pool in the current wide-area virtual data space.
In summary, to solve the unbalanced allocation between the virtual account pool and the supercomputing-center local account pool in the wide-area virtual data space, a dynamic mapping mechanism is needed that provides many-to-many mapping between virtual data space accounts and local accounts, together with, on top of that mechanism, security control of the account data space through isolation of the account data space.
For the isolation and security control of user space, the mainstream software architecture is SaaS built on multi-tenant technology. Its aim is to share the same storage resource among many users while still keeping the users' data isolated from one another. In multi-tenant technology a tenant comprises all data in the system that can be attributed to a designated user: the account, the user's various data in the system and the user's customized application environment. The application system can host many users accessing storage resources in the same environment, and to make that possible each user's data space must be designed in a customized way. SaaS achieves isolation of user space chiefly by partitioning the database and its tables. Three approaches are used: (1) the service provider isolates tenants' data by partitioning at the level of the database, the storage area, the schema or the table, and protects sensitive data with symmetric or asymmetric encryption where necessary; the different isolation methods differ in implementation complexity and in security risk. (2) The provider partitions tenants' application runtime environments at the process level using an application hosting environment, protecting each tenant's runtime by preventing cross-process communication; this requires the provider to supply a suitable computing environment. (3) The provider partitions the physical computing unit into separate virtual machines using virtualization, and each tenant uses one or more virtual machines as the storage environment for applications and data; this places the highest demand on the provider's computing capacity.
Multi-tenant technology is mainly realized by isolating the application environments of different tenants and isolating their account data spaces, so that the applications and storage resources of different tenants cannot interfere with each other; a user's private data must additionally be encrypted. There are three main ways of isolating user space in the database: (1) a separate database per tenant, which gives the highest security level for user space but the lowest degree of data sharing between users; (2) a shared database with isolated data structures, which lowers the security of user space somewhat but improves data sharing between users; (3) a shared database with shared data structures, which gives the lowest security level for user space but the highest degree of account data sharing. SaaS technology, however, addresses user space isolation under a one-to-one account mapping; it does not consider isolation and secure access of data under a many-to-many dynamic account mapping mechanism.
Directory services can also be used for user space isolation. Two directory services are common today: X.500 (a protocol that connects local directory services into a global distributed directory service system) and LDAP (Lightweight Directory Access Protocol). LDAP is a lightweight directory access protocol based on the X.500 standard and can be customized to the usage requirements. Account information in LDAP is organized as a tree, so resources can be located and searched quickly and requests answered promptly. A typical directory tree starts at a root and is divided into countries, regions, organizations, sub-organizations and individuals. The directory data is distributed over several servers, each holding a branch (subtree) of the overall structure, and the data is synchronized periodically. The directory's basic storage unit is the entry, which corresponds to a record in a database. An entry consists of a unique distinguished name (DN), equivalent to the key in a key-value database, and a set of attributes; the DN identifies the entry. A DN is made up of domain components (dc), organizational units (ou) and a common name (cn); in a company's directory, for example, dc is the company name, ou the department name and cn the employee name. A typical entry has the DN "cn=zhangsan,ou=HR,dc=Company,dc=com". Isolation of the account data space can be achieved by customizing the user directory tree.
Combining the above, a many-to-many account mapping mechanism is required for the wide-area virtual data space to solve the unbalanced allocation between the virtual data space account pool and the supercomputing-center local account pool; on that basis, a user directory tree built with the LDAP directory service isolates the data of virtual data space accounts, and a permission access control list for the user space provides secure access to the account data space.
Disclosure of Invention
The object of the invention is to provide a dynamic mapping mechanism and a data security control method for wide-area virtual data space accounts. For the unbalanced allocation between the virtual account pool and the local account pool, a many-to-many dynamic account mapping mechanism is provided. Because virtual data space accounts and local accounts are in a many-to-many relationship, several virtual data space accounts may be mapped to the same local account. A Linux system enforces file access on the basis of the local account (its uid), so when several virtual data space accounts share one local account the operating system cannot tell them apart: their data spaces overlap, and each can reach files that belong to the others. That is the security hazard. Therefore, on top of the dynamic account mapping mechanism and to address the overlap of account data spaces, a user directory tree is customized with the LDAP directory service and a security control method for account data is realized through permission management of the account data space. In short, a dynamic account mapping mechanism is required for the diversified mapping in the wide-area virtual data space, and, for the account space security problem that the mapping creates, the account data space in the wide-area virtual data space must be separated and permission-controlled so that account data can be accessed securely.
The invention is mainly applicable to security control of account data in scenarios where virtual accounts and local accounts are not allocated in equal numbers. It has two main aspects: first, a dynamic account mapping mechanism for the unbalanced allocation between wide-area virtual data space users and cluster local accounts; second, on top of that mechanism, a user directory tree customized through the LDAP directory service that isolates the account data space, with secure access to the account data space completed by setting permissions on it.
First, by studying the mapping relationship between the global unified account and the local accounts, a dynamic account mapping mechanism is implemented that solves the balanced mapping between virtual accounts and local accounts and supports unified management and access of global accounts; second, based on the dynamic account mapping mechanism, security control of the user space is achieved by dividing the data space and controlling space permissions.
The invention comprises the following steps:
step 1, a client registers a wide area virtual data space account;
step 2, logging in a wide area virtual data space and generating account data;
step 3, accessing wide area virtual data space account data;
step 4, logging off the data space of the current account;
step 5, based on the virtual data space account dynamic mapping mechanism, customizing a directory tree through LDAP directory service, and isolating the account data space;
step 6, realizing security management of the account data space through the permission settings of the account data space.
Step 1 comprises the following sub-steps:
step 1.1, obtaining the user's registration information, which comprises: account name, account ID, account password and account address;
step 1.2, hashing the account password and storing only the generated hash value, not the password itself, in the database.
Step 2 comprises the following sub-steps:
step 2.1, the user logs in to the virtual data space through the client; the database is queried to check whether the account information exists, and if so the login to the virtual data space succeeds;
step 2.2, a local account mapping table is established in the supercomputing center where the client is located, recording the mapping between the virtual data space account and that center's local account;
step 2.3, the local account pool of the remote center is queried in the database, any available account is selected for mapping, a local account mapping table is established in the remote supercomputing center, and the mapping between the virtual data space account and the local account of the center holding the remote file is recorded;
step 2.4, the user's space file information is recorded in the database and encrypted.
Step 3 comprises the following sub-steps:
step 3.1, the user logs in to the virtual data space and queries the user space information; the local account mapping table of the supercomputing center where the corresponding space is located is consulted for a mapping between the virtual data space account and a local account, and if one exists the user is granted access to the virtual data space;
step 3.2, for a space held in the supercomputing center where the remote file is located (cf. step 2.3), that center's local account mapping table is consulted in the same way, and access succeeds only if a mapping between the virtual data space account and a local account exists there.
Step 4 comprises the following sub-steps:
step 4.1, the user space information is queried and the space flag corresponding to the virtual data space account is set to the logged-out state, indicating that the space is unavailable;
step 4.2, when the account data space is to be restored, only the flag bit needs to be reset. The flag is a logical switch: it hides the space but does not delete the files or the mapping rows behind it.
Step 5 comprises the following sub-steps:
step 5.1, to address the security hazard in the dynamic account mapping mechanism, a user directory tree is built with the LDAP directory service to isolate the account data space. The directory consists of entries; each entry consists of a unique distinguished name (DN) and a set of attributes, and the DN, as unique identifier, has three parts: domain component dc, organizational unit ou and common name cn, structured as follows: the domain component dc is defined as HVS and represents the virtual data space; several organizational units ou are defined, each representing one supercomputing center in the virtual data space; each center corresponds to several virtual data space accounts, each set as a cn representing a virtual data space account. Identifying each virtual data space account's user space in this way isolates the account data spaces;
step 5.2, when a user accesses account data, the data is checked through the directory tree, which resolves the overlap of the data spaces of several virtual data space accounts that correspond to the same local account of a supercomputing center.
Step 6 comprises the following sub-steps:
step 6.1, the account data area is divided into several spaces, and a space permission access control list is introduced for each space, recording: the user space ID, the space owner's permissions, the space group's permissions, other users' access permissions, and the permission to add and delete space sharing entries;
step 6.2, the user logs in to the virtual data space and looks up the account data through the directory tree;
step 6.3, the account data space is accessed by querying the user space information in the database and consulting the space permission access control list.
The advantages of the invention include the following. The invention provides a dynamic account mapping mechanism for a cross-domain virtual data space and, on top of it, security management of account data by dividing the account data space and managing permissions. Compared with existing methods, its main advantages are: the unbalanced allocation between virtual data space accounts and supercomputing-center local accounts is solved, and a dynamic account mapping mechanism is realized in which the user need not consider how the account pool is allocated; on the basis of the dynamic mapping, the account data space is isolated by customizing the directory tree and given space permission information, which isolates and secures account data, resolves the overlap of user spaces under the dynamic mapping mechanism, and improves the security of the user space.
Drawings
FIG. 1 is a flowchart illustrating an embodiment of a dynamic mapping mechanism for a wide area virtual data space account and a method for data security management.
FIG. 2 is a diagram of a dynamic account mapping mechanism.
FIG. 3 is an account mapping addition flow diagram.
FIG. 4 is a user space deregistration flow diagram.
FIG. 5 is a diagram of a user directory tree structure.
Detailed Description
The present invention is described in further detail below with reference to the accompanying drawings (fig. 1-5).
FIG. 1 shows the flow chart of the method according to an embodiment of the invention. The method comprises the following steps:
1) the client registers a wide area virtual data space account;
2) logging in a wide area virtual data space and generating account data;
3) accessing wide area virtual data space account data;
4) logging off the account data space;
5) customizing a directory tree through LDAP directory service based on a virtual data space account dynamic mapping mechanism, and isolating an account data space;
6) realizing security management of the account data space through the division and permission settings of the account data space.
The dynamic account mapping mechanism of the virtual data space is shown in FIG. 2. A local account mapping table is generated on each supercomputing center to record the mapping between virtual data space accounts and that center's local accounts. At the same time the state of each user space is recorded in the database, identifying whether the space is logged out or in use. A logged-out user space is invisible; to recover it, only its state bit is modified, after which the space is visible again and the user can continue to access it.
FIG. 3 shows the flow of adding an account mapping, which comprises the following steps:
1) the user logs in at the client; the database is queried for a record of the current account information, and if it exists the login to the virtual data space succeeds;
2) if no supercomputing center has been designated, the user space is established in the appropriate center according to a space node selection strategy;
3) a local account mapping table is established on that supercomputing center to record the mapping between the virtual data space account and a local account;
4) any available local account is selected for mapping, and the mapping is recorded in the local account mapping table.
Through these steps the dynamic mapping between the virtual data space account and the cluster account is realized: at each login the user need not care where the login lands, only logs in with the virtual data space account, and need not care how virtual data space accounts and the cluster account pool are allocated.
FIG. 4 shows the flow of logging out a user space, which comprises the following steps:
1) the user logs in at the client; the database is queried for a record of the current account information, and if it exists the login to the virtual data space succeeds;
2) the user requests logout of the account data space;
3) the space information corresponding to all of the current virtual data space accounts is looked up;
4) the flag bit of the corresponding space information is set to the logged-out state, indicating that the space is unavailable; when recovery is required, only the space state is modified.
Through these steps the logout of a user space is realized: logout and recovery are both performed by operating on the user space's flag bit, which improves the security of the account data.
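The account lifecycle of steps 1 to 4 above, together with the mapping-addition and logout flows of FIGS. 3 and 4, can be exercised in a small model. The following Python is an added example written for this page, not code from the patent or from Beihang University: the class names, the in-memory dictionaries standing in for the database and the per-center mapping tables, the PBKDF2 password hashing and the least-loaded choice of local account (the text only says that any account is selected) are all assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumption: the text only says the password is hashed


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Step 1.2: derive a salted hash; only (salt, hash) is stored, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Center:
    """One supercomputing center with its own pool of local accounts."""
    name: str
    local_pool: List[str]
    # Local account mapping table (FIG. 2): virtual account -> local account.
    mapping_table: Dict[str, str] = field(default_factory=dict)

    def map_account(self, vaccount: str) -> str:
        """Steps 2.2/2.3: bind a virtual account to one local account of this center.

        Many-to-many: several virtual accounts may land on one local account,
        and the same virtual account is mapped separately in every center.
        Assumed selection policy: the least-loaded local account, ties broken
        by name, so the pool stays balanced.
        """
        if vaccount in self.mapping_table:
            return self.mapping_table[vaccount]
        if not self.local_pool:
            raise RuntimeError(f"{self.name}: local account pool is empty")
        load = {acct: 0 for acct in self.local_pool}
        for local in self.mapping_table.values():
            load[local] += 1
        chosen = min(self.local_pool, key=lambda acct: (load[acct], acct))
        self.mapping_table[vaccount] = chosen
        return chosen

    def has_mapping(self, vaccount: str) -> bool:
        """Step 3: access is granted only if a mapping row exists for the account."""
        return vaccount in self.mapping_table


@dataclass
class VirtualDataSpace:
    centers: Dict[str, Center]
    accounts: Dict[str, dict] = field(default_factory=dict)  # account database
    spaces: Dict[str, dict] = field(default_factory=dict)    # user space information

    def register(self, name: str, account_id: int, password: str, address: str) -> None:
        """Step 1: record name, ID, address and the password hash."""
        salt, digest = hash_password(password)
        self.accounts[name] = {"id": account_id, "address": address,
                               "salt": salt, "hash": digest}

    def login(self, name: str, password: str) -> bool:
        """Step 2.1: the account must exist and the password must match its hash."""
        rec = self.accounts.get(name)
        if rec is None:
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["hash"])

    def create_space(self, vaccount: str, center_name: str, path: str) -> str:
        """Steps 2.2-2.4: map the account in the chosen center and record its space."""
        local = self.centers[center_name].map_account(vaccount)
        space_id = f"{vaccount}@{center_name}"
        self.spaces[space_id] = {"owner": vaccount, "center": center_name,
                                 "path": path, "local": local, "active": True}
        return space_id

    def can_access(self, vaccount: str, space_id: str) -> bool:
        """Step 3 only: the space is active and the caller has a mapping in its center.

        This check does not ask whether the caller owns the space, so two virtual
        accounts mapped in the same center pass it for each other's space. That is
        the overlap the directory tree and ACL of steps 5-6 are meant to close.
        """
        info = self.spaces.get(space_id)
        if info is None or not info["active"]:
            return False
        return self.centers[info["center"]].has_mapping(vaccount)

    def set_space_state(self, vaccount: str, active: bool) -> int:
        """Step 4 / FIG. 4: logout or restore flips only the flag; files and
        mapping rows stay in place. Returns the number of spaces changed."""
        changed = 0
        for info in self.spaces.values():
            if info["owner"] == vaccount and info["active"] != active:
                info["active"] = active
                changed += 1
        return changed
```

With two local accounts in center A and three virtual accounts, the least-loaded policy maps the first and third virtual accounts onto the same local account, which is exactly the many-to-one case the text identifies as the hazard; `can_access` then lets either of them past the step 3 check for the other's space, and only the flag set by `set_space_state` withdraws a space.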
FIG. 5 shows the structure of the user directory tree. Isolated access to account data is realized by customizing the user directory tree: the domain component dc is defined as HVS and represents the virtual data space; several organizational units ou are defined, each representing one supercomputing center in the virtual data space; each center corresponds to several virtual data space accounts, each set as a cn representing a virtual data space account. In this way every virtual data space account's user space is identified and the account data spaces are isolated.
On the basis of the dynamic account mapping mechanism, secure access to the account data space is realized by dividing the user space and setting space permissions. When a user needs to access their own data, group data or global data, the current space information is queried through the database, the space owner's or the space group's permission information is checked, and the user space is accessed through the user space permission access control list.
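The directory tree of step 5 / FIG. 5 and the space ACL of step 6 can be modelled together. The following Python is an added example, not the patent's own code: the DN layout follows the text (cn = virtual account, ou = center, dc = HVS), but the attribute name localAccount, the rwx permission strings, the share table and the rule that only the space owner may add or delete share entries are this example's assumptions, and a dictionary stands in for the LDAP server. It shows the point the text makes: two virtual accounts mapped to the same local account get distinct entries and distinct ACLs, so a request by one on the other's space is refused even though the operating system would see the same uid.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

DC = "dc=HVS"  # the domain component the text fixes for the virtual data space


def space_dn(vaccount: str, center: str) -> str:
    """Step 5.1: one entry per (virtual account, center): cn=<account>,ou=<center>,dc=HVS."""
    return f"cn={vaccount},ou={center},{DC}"


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split a DN into its attribute lists (simplified: no escaped commas)."""
    parts: Dict[str, List[str]] = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.setdefault(attr.lower(), []).append(value)
    return parts


@dataclass
class SpaceACL:
    """Step 6.1: the ACL row kept for every space (field names are assumptions)."""
    space_id: str
    owner: str
    group: str
    owner_perm: str = "rwx"
    group_perm: str = "r-x"
    other_perm: str = "---"
    shares: Dict[str, str] = field(default_factory=dict)  # account -> perm string


@dataclass
class DirectoryTree:
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)  # DN -> attributes
    acls: Dict[str, SpaceACL] = field(default_factory=dict)           # DN -> ACL

    def add_space(self, vaccount: str, center: str, local_account: str, group: str) -> str:
        """Create the directory entry and the ACL for a virtual account's space in one center."""
        dn = space_dn(vaccount, center)
        if dn in self.entries:
            raise ValueError(f"duplicate entry {dn}")
        # localAccount is an assumed attribute: it records the mapping result so the
        # overlap (several cn sharing one local account) stays visible in the tree.
        self.entries[dn] = {"cn": vaccount, "ou": center, "localAccount": local_account}
        self.acls[dn] = SpaceACL(space_id=dn, owner=vaccount, group=group)
        return dn

    def subtree(self, base: str) -> List[str]:
        """All entries below a base DN, e.g. every space of one center (ou=A,dc=HVS)."""
        return sorted(dn for dn in self.entries if dn.endswith("," + base))

    def effective_perm(self, requester: str, groups: Set[str], dn: str) -> str:
        """Owner, then explicit share, then group, then other (step 6.3 lookup order)."""
        acl = self.acls.get(dn)
        if acl is None:
            return "---"
        if requester == acl.owner:
            return acl.owner_perm
        if requester in acl.shares:
            return acl.shares[requester]
        if acl.group in groups:
            return acl.group_perm
        return acl.other_perm

    def check(self, requester: str, groups: Set[str], dn: str, op: str) -> bool:
        """Is op (read/write/exec) allowed for requester on the space at dn?"""
        bit = {"read": "r", "write": "w", "exec": "x"}[op]
        return bit in self.effective_perm(requester, groups, dn)

    def share(self, actor: str, dn: str, target: str, perm: str) -> bool:
        """Add a share entry; only the owner holds the add/delete-share right (assumption)."""
        acl = self.acls[dn]
        if actor != acl.owner or len(perm) != 3 or set(perm) - set("rwx-"):
            return False
        acl.shares[target] = perm
        return True

    def unshare(self, actor: str, dn: str, target: str) -> bool:
        """Delete a share entry; again restricted to the owner."""
        acl = self.acls[dn]
        if actor != acl.owner:
            return False
        return acl.shares.pop(target, None) is not None
```

Because the decision is made on the DN and its ACL rather than on the local uid, this check has to run in the virtual data space gateway before the request is executed under the mapped local account; once the request reaches the local file system, the kernel's own permission check can no longer distinguish the two virtual accounts.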
Those skilled in the art will appreciate that the invention may be practiced without these specific details. Finally, it should be noted that the invention may be used in other applications without departing from its spirit, and it is intended that those skilled in the art may make various changes and modifications to the invention without departing from its spirit and scope.

Claims (8)

1. A dynamic mapping mechanism and data security control method for wide-area virtual data space accounts, characterized by comprising the following: first, establishing a dynamic account mapping mechanism based on the mapping relationship between the global unified account and the local accounts, so that virtual accounts and local accounts are mapped in a balanced manner and unified management and access of global accounts are supported; second, based on the dynamic account mapping mechanism, isolating by data space and managing space permissions, so that security control of the user space is achieved.
2. The dynamic mapping mechanism and data security control method for wide-area virtual data space accounts, characterized by comprising the following steps:
step 1, a client registers a wide area virtual data space account;
step 2, logging in a wide area virtual data space and generating account data;
step 3, accessing wide area virtual data space account data;
step 4, logging off the data space of the current account;
step 5, based on the dynamic mapping mechanism of the virtual data space account, customizing a directory tree through LDAP directory service, and isolating the account data space;
step 6, realizing security management of the account data space through the permission settings of the account data space.
3. The dynamic mapping mechanism and data security control method for wide-area virtual data space accounts according to claim 2, wherein step 1 comprises the following steps:
step 1.1, obtaining the user's registration account information, which comprises: account name, account ID, account password and account address;
step 1.2, encrypting the account password and storing the generated hash value in the database.
4. The dynamic mapping mechanism and data security control method for wide-area virtual data space accounts according to claim 2, wherein step 2 comprises the following steps:
step 2.1, the user logs in to the virtual data space through the client; the database is queried to check whether the account information exists, and if so the login to the virtual data space succeeds;
step 2.2, a local account mapping table is established in the supercomputing center where the client is located, recording the mapping between the virtual data space account and that center's local account;
step 2.3, the local account pool of the remote center is queried in the database, any available account is selected for mapping, a local account mapping table is established in the remote supercomputing center, and the mapping between the virtual data space account and the local account of the center holding the remote file is recorded;
step 2.4, the user's space file information is recorded in the database and encrypted.
5. The wide-area virtual data space account dynamic mapping mechanism and data security management and control method according to claim 2, wherein step 3 comprises the following steps:
step 3.1, the user logs in to the virtual data space and queries the user space information; the local account mapping table at the supercomputing center where the corresponding space is located is consulted to check whether a mapping relationship between the virtual data space account and a local account exists, and if so, the user accesses the virtual data space successfully;
step 3.2, the local account mapping table at the supercomputing center where the corresponding space is located is consulted to check whether a mapping relationship between the virtual data space account and a local account exists, and if so, the access succeeds.
6. The wide-area virtual data space account dynamic mapping mechanism and data security management and control method according to claim 2, wherein step 4 comprises the following steps:
step 4.1, querying the user space information and setting the space flag bit corresponding to the virtual data space account to the logged-out state, which indicates that the space is unavailable;
step 4.2, when the account data space needs to be restored, only the flag bit needs to be reset.
7. The wide-area virtual data space account dynamic mapping mechanism and data security management and control method according to claim 2, wherein step 5 comprises the following steps:
step 5.1, to address the security risk inherent in the dynamic account mapping mechanism, establishing a user directory tree through an LDAP directory service so as to isolate the account data spaces, wherein the directory consists of a number of entries, each entry consisting of a unique distinguished name (DN) and a set of attributes; the DN, serving as the unique identifier, is divided into three parts: domain component dc, organizational unit ou and common name cn, structured as follows: the domain component dc is defined as HVS and represents the virtual data space; several organizational units ou are defined, each ou representing one supercomputing center in the virtual data space; each supercomputing center corresponds to several virtual data space accounts, each of which is set as a cn representing that virtual data space account; the user space of every virtual data space account is identified in this manner, achieving isolation of the account data spaces;
step 5.2, when the user accesses the account data, the account data is looked up through the directory tree, which solves the problem of overlapping data spaces where several virtual data space accounts correspond to the same local account of a supercomputing center.
8. The wide-area virtual data space account dynamic mapping mechanism and data security management and control method according to claim 2, wherein step 6 comprises the following steps:
step 6.1, dividing the account data area into several spaces and introducing a space permission access control list for each space, wherein the access control list records the following items: user space ID, space owner permission, space group permission, access permission of other users, and the permission to add or delete space sharing permissions;
step 6.2, the user logs in to the virtual data space and looks up the account data through the directory tree;
step 6.3, the account data space is accessed by querying the user space information in the database and consulting the space permission access control list.
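The following model shows how the steps of claims 3 through 8 fit together: registration stores only a password hash, login maps the virtual account to a local account at the home and remote supercomputing centers, each user space is identified by an LDAP-style DN of the form cn=account,ou=center,dc=HVS so that two virtual accounts sharing one local account still get separate spaces, the logout flag bit makes a space unavailable, and every access is checked against the space's permission list. This is an added illustration, not code from the patent or its applicant; the class and field names, the salted SHA-256 hashing, the least-loaded choice of local account (one reading of "balanced" mapping) and the sample centers and accounts are all assumptions.

```python
"""Illustrative model of the claimed account mapping, DN-based space isolation
and space permission check (added example; names and policies are assumptions)."""
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class Space:
    """One account data space, identified by an LDAP-style DN (claims 7 and 8)."""
    space_id: str                 # "cn=<account>,ou=<center>,dc=HVS"
    owner: str                    # virtual account that owns the space
    group: str                    # owner's group (constructed value)
    perms: dict                   # {"owner": "rw", "group": "", "other": ""}
    shares: set = field(default_factory=set)  # accounts granted read access via sharing
    active: bool = True           # logout flag bit (claim 6)


class VirtualDataSpace:
    def __init__(self, centers):
        # center name -> list of local accounts (the "local account pool")
        self.pools = {c: list(accts) for c, accts in centers.items()}
        self.accounts = {}                         # name -> {id, salt, hash, address}
        self.mapping = {c: {} for c in centers}    # center -> {virtual account: local account}
        self.spaces = {}                           # DN -> Space

    # claim 3: store only a salted hash of the password, never the password itself
    def register(self, name, account_id, password, address):
        salt = os.urandom(16)
        digest = hashlib.sha256(salt + password.encode()).hexdigest()
        self.accounts[name] = {"id": account_id, "salt": salt, "hash": digest, "address": address}

    def _check_password(self, name, password):
        rec = self.accounts.get(name)
        if rec is None:
            return False
        return hashlib.sha256(rec["salt"] + password.encode()).hexdigest() == rec["hash"]

    @staticmethod
    def dn(account, center):
        # claim 7: dc=HVS is the virtual data space, ou the center, cn the account
        return f"cn={account},ou={center},dc=HVS"

    # claim 4: after login, map the virtual account to a local account at the
    # client's home center and at the remote center holding the user's files
    def login(self, name, password, home_center, remote_center, group="users"):
        if not self._check_password(name, password):
            return None
        for center in (home_center, remote_center):
            if name not in self.mapping[center]:
                # assumed "balanced" rule: pick the local account with the fewest mappings
                pool = self.pools[center]
                load = {local: 0 for local in pool}
                for local in self.mapping[center].values():
                    load[local] += 1
                self.mapping[center][name] = min(pool, key=lambda local: load[local])
        dn = self.dn(name, remote_center)
        if dn not in self.spaces:
            self.spaces[dn] = Space(dn, name, group, {"owner": "rw", "group": "", "other": ""})
        self.spaces[dn].active = True   # restore the flag bit on re-login
        return dn

    # claim 6: logging out only flips the flag bit; the data itself is kept
    def logout(self, dn):
        self.spaces[dn].active = False

    # claims 5, 7, 8: access goes through the DN and the space permission list
    def access(self, requester, dn, mode, requester_group="users"):
        space = self.spaces.get(dn)
        if space is None or not space.active:
            return False
        center = dn.split(",")[1][len("ou="):]
        if requester not in self.mapping[center]:   # no local account mapping -> no access
            return False
        if requester == space.owner:
            allowed = space.perms["owner"]
        elif requester in space.shares:
            allowed = "r"                            # sharing grants read only (assumption)
        elif requester_group == space.group:
            allowed = space.perms["group"]
        else:
            allowed = space.perms["other"]
        return mode in allowed
```

With two virtual accounts logged in against a remote center whose pool holds a single local account, both map to that one local account, yet their DNs differ, so one cannot read the other's space until the owner adds a share entry; logging out makes the space unavailable without deleting anything.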

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010469080.0A CN112019495B (en) 2020-05-28 2020-05-28 Dynamic mapping mechanism and data security control method for wide-area virtual data space account

Publications (2)

Publication Number Publication Date
CN112019495A true CN112019495A (en) 2020-12-01
CN112019495B CN112019495B (en) 2021-11-19

Family

ID=73506216

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010469080.0A Active CN112019495B (en) 2020-05-28 2020-05-28 Dynamic mapping mechanism and data security control method for wide-area virtual data space account

Country Status (1)

Country Link
CN (1) CN112019495B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113032833A (en) * 2021-04-14 2021-06-25 同盾控股有限公司 User query method and device, storage medium and electronic equipment
CN113032833B (en) * 2021-04-14 2023-02-17 同盾控股有限公司 User query method and device, storage medium and electronic equipment
CN113157775A (en) * 2021-05-06 2021-07-23 湖北经济学院 Drainage basin case characteristic information mining system and equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101901265A (en) * 2010-07-29 2010-12-01 中国运载火箭技术研究院 Objectification management system of virtual test data
US20160085533A1 (en) * 2014-09-24 2016-03-24 Oracle International Corporation Compartmentalizing application distribution for disparate electronic devices
CN110209602A (en) * 2019-05-17 2019-09-06 北京航空航天大学 Region division and space allocation method in cross-domain virtual data space
CN110830512A (en) * 2019-12-10 2020-02-21 宝付网络科技(上海)有限公司 Multi-platform unified authentication system based on domain account

Also Published As

Publication number Publication date
CN112019495B (en) 2021-11-19

Similar Documents

Publication Publication Date Title
WO2022126968A1 (en) Micro-service access method, apparatus and device, and storage medium
CN107181808B (en) Private cloud system and operation method
JP6754809B2 (en) Use credentials stored in different directories to access a common endpoint
US10505929B2 (en) Management and authentication in hosted directory service
CN109643242B (en) Security design and architecture for multi-tenant HADOOP clusters
CN111159134B (en) Multi-tenant oriented distributed file system security access control method and system
US6058426A (en) System and method for automatically managing computing resources in a distributed computing environment
US8813225B1 (en) Provider-arbitrated mandatory access control policies in cloud computing environments
US7360034B1 (en) Architecture for creating and maintaining virtual filers on a filer
US7171411B1 (en) Method and system for implementing shared schemas for users in a distributed computing system
US11102214B2 (en) Directory access sharing across web services accounts
CA2251150A1 (en) Distributed system and method for providing sql access to management information in a secure distributed network
SG186137A1 (en) Online service access controls using scale out directory features
CN107315950B (en) Automatic division method for minimizing authority of cloud computing platform administrator and access control method
CN115865502B (en) Authority management and control method, device, equipment and storage medium
CN112019495B (en) Dynamic mapping mechanism and data security control method for wide-area virtual data space account
CN111695108A (en) Unified account identification system for multi-source accounts in heterogeneous computing environment
US20220108031A1 (en) Cloud Core Architecture for Managing Data Privacy
GB2378349A (en) A system for managing a computer network
KR20070076342A (en) User Group Role / Permission Management System and Access Control Methods in a Grid Environment
CN114661763A (en) Multi-tenant system and scheme realized based on cache technology
US8893269B1 (en) Import authorities for backup system
US20230138622A1 (en) Emergency Access Control for Cross-Platform Computing Environment
CN116055082B (en) User management method and system based on OpenStack
Ramey Pro Oracle Identity and Access Management Suite

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant