WO2017024956A1 - Database access right processing method, device, and system - Google Patents

Publication number
WO2017024956A1
Authority
WO
WIPO (PCT)
Prior art keywords
data table
reconstructed
user
database
deleted
Application number
PCT/CN2016/092672
Inventor
胡南杰
Original Assignee
阿里巴巴集团控股有限公司
Application filed by 阿里巴巴集团控股有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Definitions

  • The present application relates to the field of data processing, and in particular to a method, device, and system for processing access rights of a database.
  • In order to secure the data tables stored in the database, a user's access to a data table is controlled by the user access authority.
  • When a data table in the database is rebuilt or deleted, the user rights on that data table are lost, resulting in abnormal access of the user to the data table.
  • The collected data is stored in the data warehouse according to a preset model.
  • Due to the continuous changes of various services, the previous model design causes the data tables in the data warehouse to change continuously.
  • The loss of permissions on the accounts that peripheral systems rely on affects the normal operation of those peripheral systems.
  • The following two solutions can be used to address the loss of permissions after a data table is deleted or reconstructed.
  • One is to wait until the user finds that the permission has been lost, after which the user applies for the data table again and goes through the preset application process; the second is to query the user rights of the data table to be reconstructed or deleted from the metadata before rebuilding the data table, and then perform the authorization again in batches.
  • The embodiments of the present application provide a method, a device, and a system for processing access rights of a database, so as to at least solve the problem that re-authorizing users is cumbersome and inefficient because user rights are lost after a table in the data warehouse is deleted or rebuilt.
  • A method for processing access rights of a database is provided, including: receiving a rights inheritance request for automatically inheriting access rights, wherein the rights inheritance request is a request whose generation is triggered after any data table in the database is reconstructed or deleted; parsing the rights inheritance request to obtain the table information of the reconstructed or deleted data table; querying, according to the table information of the reconstructed or deleted data table, the user rights corresponding to the reconstructed or deleted data table; and re-granting the user rights to the reconstructed or deleted data table in the database.
  • An access authority processing apparatus for a database is provided, comprising: a receiving module, configured to receive a rights inheritance request for automatically inheriting access rights, where the rights inheritance request is a request whose generation is triggered after any data table in the database is reconstructed or deleted; a parsing module, configured to parse the rights inheritance request and obtain the table information of the reconstructed or deleted data table; a query module, configured to query, according to the table information of the reconstructed or deleted data table, the user rights corresponding to the reconstructed or deleted data table; and a weighting module, configured to re-grant the user rights to the reconstructed or deleted data table in the database.
  • A database access authority processing system is provided, including: a database server, configured to save a database and, after any data table in the database is reconstructed or deleted, to trigger generation of a permission inheritance request for automatically inheriting the access rights; and a permission processing system, configured to receive and parse the permission inheritance request, obtain the table information of the reconstructed or deleted data table, query the user rights corresponding to the reconstructed or deleted data table according to that table information, and then re-grant the user rights to the reconstructed or deleted data table in the database.
  • In the embodiments of the present application, a permission inheritance request for automatically inheriting access rights is received, the request being triggered after any data table in the database is reconstructed or deleted. By parsing the request, the table information of the reconstructed or deleted data table is obtained, and the user rights corresponding to that data table are obtained according to the table information. This achieves the technical effect of re-granting the user rights to the reconstructed or deleted data table in the database, thereby solving the technical problem of the process of re-authorizing users after user rights are lost when a table in the data warehouse is deleted or reconstructed.
  • FIG. 1 is a block diagram showing the hardware structure of a computer terminal for processing access rights of a database according to an embodiment of the present application;
  • FIG. 2 is a schematic flowchart of a method for processing access rights of a database according to Embodiment 1 of the present application;
  • FIG. 3 is a schematic diagram of interaction of an optional access processing method of a database according to Embodiment 1 of the present application;
  • FIG. 5 is a schematic structural diagram of an access authority processing apparatus of a database according to Embodiment 2 of the present application.
  • FIG. 6 is a schematic structural diagram of an optional parsing module according to Embodiment 2 of the present application.
  • FIG. 7 is a schematic structural diagram of an optional query module according to Embodiment 2 of the present application.
  • FIG. 8 is a schematic structural diagram of an access authority processing apparatus of an optional database according to Embodiment 2 of the present application.
  • FIG. 9 is a schematic structural diagram of an optional weighting module according to Embodiment 2 of the present application.
  • FIG. 10 is a schematic structural diagram of another optional access right processing device of a database according to Embodiment 2 of the present application.
  • FIG. 11 is a schematic structural diagram of an access authority processing system of a database according to Embodiment 3 of the present application.
  • FIG. 12 is a structural block diagram of a computer terminal according to an embodiment of the present application.
  • Open Data Processing Service (ODPS) is a self-developed Facebook Cloud service that provides distributed processing capabilities for TB/PB-level data. It is suitable for connection data processing, data analysis, data mining, and business intelligence.
  • A method embodiment of a method for processing access rights of a database is also provided.
  • The steps shown in the flowchart of the accompanying drawings may be performed in a computer system, such as one executing a set of computer-executable instructions. Although a logical order is shown in the flowchart, the steps shown or described may be performed in a different order than the one described herein.
  • FIG. 1 is a hardware structural block diagram of a computer terminal for processing access rights of a database according to an embodiment of the present application.
  • Computer terminal 10 may include one or more (only one shown) processors 102 (processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission module 106 for communication functions.
  • Computer terminal 10 may also include more or fewer components than those shown in FIG. 1, or have a different configuration than that shown in FIG. 1.
  • The memory 104 can be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the access permission processing method of the database in the embodiments of the present application. The processor 102 runs the software programs and modules stored in the memory 104, thereby performing various functional applications and data processing, that is, implementing the vulnerability detection method of the above application.
  • Memory 104 may include high-speed random access memory, and may also include non-volatile memory such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • Memory 104 may further include memory remotely located relative to processor 102, which may be coupled to computer terminal 10 via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • Transmission device 106 is for receiving or transmitting data via a network.
  • Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10.
  • The transmission device 106 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station to communicate with the Internet.
  • The transmission device 106 can be a radio frequency (RF).
  • The present application provides a method for processing access rights of a database as shown in FIG. 2.
  • FIG. 2 is a flowchart of a method for processing access rights of a database according to Embodiment 1 of the present application.
  • The computer terminal 10 shown in FIG. 1 may be a rights server.
  • An optional database access permission processing method includes the following implementation steps:
  • Step S202: A rights inheritance request for automatically inheriting access rights may be received by the rights server, where the rights inheritance request is a request that is triggered after any data table in the database is reconstructed or deleted.
  • The database may be any one of the databases in the database server.
  • Any data table in the database may have a preset access permission attribute, which may include any one or more of the following rights: read permission, write permission, delete permission, or modify permission.
  • Reconstruction and deletion are operations performed on a data table contained in the database. After the data table is reconstructed or deleted, the access rights previously set on it in the database may be lost, so that the next time the user accesses the reconstructed or deleted data table, access may be denied, affecting the user's normal use.
  • The permission inheritance request is designed to automatically start the function of obtaining access rights for the reconstructed or deleted data table: the access rights that the data table had before it was reconstructed or deleted are used as the rights of the reconstructed or deleted data table, so that the user can access it without applying for permission again. That is, the permission inheritance request is used to start the reconstructed or deleted data table automatically inheriting the access rights of the data table before it was reconstructed or deleted.
  • The rights inheritance request may be issued by the database server that stores the database; the database server has a communication relationship with the computer terminal 10 shown in FIG. 1. When a data table in the database is operated on, a trigger in the database may be triggered, causing the trigger to emit information carrying the specific operation content.
  • The database in the embodiments of the present application may be a transactional database in the general sense, such as Oracle or SQL Server, or a subject-oriented data warehouse; it may be a locally stored database or a cloud database.
  • A possible application scenario: suppose that every transaction record on the Taobao website for July is obtained from the Taobao database, and the transaction data is then processed to obtain a sales fact table containing the order number, product key, seller key, buyer key, sales volume, and sales time. The product dimension table, the seller dimension table, and the buyer dimension table are associated with the sales fact table through the product key, the seller key, and the buyer key respectively. The fact table and the dimension tables are uploaded to ODPS storage; assume that the table being reconstructed or deleted is the product dimension table (hereinafter referred to as data table A). After the user opens the ODPS service, the user requests access to data table A from the owner of data table A.
  • After the user applies for data table A, the user is allowed to access data table A by setting the content of data table A.
  • The user can initiate a query request through the ODPS client to access data table A in the database.
  • After data table A is reconstructed, the reconstructed data table A (hereinafter referred to as the new data table A') is obtained, and the access authority information about all users (including the above user) may be lost from the new data table A' with the rebuild operation.
  • The reconstruction operation on data table A can trigger generation of a rights inheritance request, which in turn triggers the operation by which the new data table A' inherits the access authority information of all users of data table A.
  • Step S204: The rights inheritance request may be parsed by the rights server to obtain the table information of the reconstructed or deleted data table.
  • The rights inheritance request may be sent by the database server in a predetermined format and carries the specific operation content for data table A. When the operation content carried in the permission inheritance request is confirmed to be reconstructing or deleting a data table, the table information of the reconstructed or deleted data table is read from the permission inheritance request; when the operation content is not a reconstruction or deletion, the step of inheriting the access rights of the data table is not performed.
  • The table information may include the name of the data table, the creation time of the data table, the creator of the data table, and so on; it must be ensured that at least one item of the table information does not change after the data table is reconstructed or deleted.
  • The data access request carries the table information of the new data table A', for example, the name of the new data table A'.
  • The rights server parses the rights inheritance request and obtains the table name of the new data table A' included in the rights inheritance request.
  • Step S206: Querying, according to the table information of the reconstructed or deleted data table, the user rights corresponding to that data table may be implemented by the rights server.
  • A pre-stored access rights database may be accessed on the rights server. The access rights database saves the user rights that were set on data tables in the database server when users applied for them; that is, the table information of any data table in the database server and the corresponding user rights are saved to the access rights database.
  • The user rights corresponding to a data table may be created and updated in the access rights database as follows: after a user applies for access to a data table in the database server, the table information of the data table applied for and the access rights that have been set on the data table are packaged and sent to the access rights database for storage.
  • Based on the rights information collected and saved in the access rights database as described above, after the rights server receives the table information of the reconstructed or deleted data table, a traversal query is performed on the access rights database based on the table information, and the user rights corresponding to the table information are obtained.
  • Table A is stored in the cloud database, and the user rights set for each user are recorded in the access rights database; that is, after a user applies for table A in ODPS, the user's rights on table A are stored in the access rights database.
  • The table information of the reconstructed or deleted data table, for example the table name of the new data table A', is parsed from the rights inheritance request.
  • The access rights database can be stored locally on the rights server or in the Facebook Cloud.
  • Step S208: The user rights can be re-granted by the rights server to the reconstructed or deleted data table in the database.
  • The reconstructed or deleted data table is then re-granted its rights; that is, the rights server returns the user rights of the reconstructed or deleted data table obtained from the access rights database to the database server.
  • As a result, the reconstructed or deleted data table has the same user rights records as the original data table had before it was reconstructed or deleted.
  • In the embodiments of the present application, the user rights of each data table in the database are pre-stored or backed up. Even if the user access rights of a data table are lost after the data table is reconstructed or deleted, a permission inheritance request is generated after the rebuild or deletion; after the permission inheritance request is parsed and the table information of the reconstructed or deleted data table is obtained, the user rights corresponding to that data table are obtained by querying the pre-stored user rights of each data table. The user rights are then re-granted to the reconstructed or deleted data table in the database, which achieves the technical effect of synchronously restoring user rights on the reconstructed or deleted data table and solves the technical problem that re-authorizing users is cumbersome and inefficient because user rights are lost after a table in the data warehouse is deleted or rebuilt.
  • Where the privilege inheritance request includes a DDL event, step S204 (parsing the privilege inheritance request to obtain the table information of the reconstructed or deleted data table) may further include the following specific implementation step:
  • Step S2042: The DDL event can be parsed by the rights server to obtain the table information of the data table reconstructed or deleted in the database.
  • A trigger may be created in the database, and the event that fires the trigger is specified when the trigger is created.
  • Trigger events are generally divided into three categories: data manipulation language (DML) events, data definition language (DDL) events, and database events.
  • A DDL event corresponds to a DDL trigger, which fires when a data object in the database is modified. Specifically, a DDL event is triggered when a data table is created, reconstructed, or deleted in the database.
  • After the rights server receives a permission inheritance request that includes a DDL event, it determines, based on the operation that triggered the DDL event, whether that operation reconstructed or deleted a data table; if so, the table information of the reconstructed or deleted data table is read from the DDL event.
  • The rights server subscribes to DDL events in ODPS and receives them through the HTTP interface provided by the rights server.
  • When ODPS rebuilds or deletes data table A, ODPS issues to the rights server a rights inheritance request, containing the DDL event, for automatically inheriting the user rights. The rights server parses the rights inheritance request and the DDL event to obtain the specific operation on data table A contained in the DDL event, further determines that the specific operation is the reconstruction or deletion of data table A, and reads the table information of data table A from the rights inheritance request. It should be noted that when data table A is a newly created dimension table, no user rights have yet been set for table A, and table A does not need to automatically inherit user rights.
  • Step S2042 above provides an optional way of obtaining the table information of the reconstructed or deleted data table: the table information is read from the permission inheritance request by parsing the permission inheritance request that includes the DDL event.
  • step S206 querying, according to the table information of the reconstructed or deleted data table, the user right corresponding to the reconstructed or deleted data table, and may further include the following specific Steps:
  • Step S2062 The permission server is used to determine whether the data table is a data table previously applied by the user according to the table information of the reconstructed or deleted data table;
  • the application identifier may be added to the data table previously applied by the user to indicate that the data table has been applied by the user; and the table information of all the data tables applied by the user may be collected. It can be judged by means of querying the table information.
  • Step S2064 The permission server may be used to implement the historical user authority set by the user for the data table before the data table that is reconstructed or deleted is the data table that the user has applied before;
  • the historical user authority is the historically set user access right to the data table.
  • the local relational database can be an access authority database and stored locally on the rights server. Through the corresponding settings, the user can apply for the operation of the data table to trigger the set user's authority on the data table to be stored in the access right database, that is, the access right database records all the permission records previously applied by the user.
  • Step S2066 The historical user authority set by the user for the data table may be assigned to the reconstructed or deleted data table by using the rights server, and the user authority for re-authorizing the reconstructed or deleted data table is obtained.
  • step S2066 of the present application after the historical user authority is obtained from the access right database, the authority server assigns the historical user authority to the data table, that is, the authority server associates the historical user authority of the queried data table with the data table. Get the user rights you need to re-enforce the rebuilt or deleted data table.
  • the above steps S2062 to S2066 of the present application provide a user right corresponding to obtaining the reconstructed or deleted data table, and firstly determine whether the reconstructed or deleted data table is the data table previously applied by the user.
  • the operation of inheriting the rights is not performed; when it is determined that the user has applied for the data table, the historical user right query is performed from the pre-stored access right database, and the query is performed.
  • the obtained historical user authority is assigned to the reconstructed or deleted data table, and the user right corresponding to the reconstructed or deleted data table is obtained.
  • Before step S206 determines, according to the table information of the data table, whether the data table is one the user has previously applied for, the access permission processing method of the embodiments of the present application also performs the following step:
  • Step S2052: If any data table saved in the database is applied for by a user and the application succeeds, a table information set of the data tables applied for by users is generated and stored.
  • If the table information of the reconstructed or deleted data table is found in that set, the reconstructed or deleted data table is determined to be a data table that the user has applied for before.
  • Once a user has successfully applied at least once, the access rights the user holds, the user identifier, and the table information may be stored.
  • The set of table information of the data tables applied for by users may be stored in the access rights database.
  • An optional way of determining whether the data table is one the user has previously applied for: using the obtained table information of the reconstructed or deleted data table, traverse the table information of the data tables applied for by users and determine whether any entry matches it; if so, the reconstructed or deleted data table is a data table previously applied for by the user.
  • The table information of data table A, the user identifier, and the user's access rights on data table A are stored in the access rights database.
  • The rights server receives the permission inheritance request containing the DDL event through its subscription to events in ODPS, parses out the table information of the new data table A', and performs a traversal query against the table information recorded in the access rights database.
  • Step S2052 provides a scheme for pre-storing the table information of data tables applied for by users, so that a query and comparison can determine whether the reconstructed or deleted data table was previously applied for by a user, which facilitates reading the historical user rights of reconstructed or deleted data tables that users previously applied for.
  • Step S208 (re-granting the user rights to the reconstructed or deleted data table in the database) may further include the following specific implementation steps:
  • Step S2082: The rights server may encapsulate the table information of the reconstructed or deleted data table together with the obtained user rights corresponding to it, producing a permission reset statement that the database can recognize.
  • The permission reset statement may be a grant statement, that is, a statement granting user permissions.
  • Different databases may support different types of permission reset statements. Taking SQL as an example, the grant statement can be used to implement the permission reset.
  • The rights server generates a permission reset statement according to the obtained user rights and table information corresponding to the reconstructed or deleted data table.
  • Step S2084: The rights server may return the permission reset statement to the server where the database is located, so that the user rights are re-granted to the reconstructed or deleted data table in the database.
  • The permission reset statement acts on the reconstructed or deleted data table, so the rights server first needs to send it to the database server where that data table is located; after receiving the permission reset statement, the database server executes it to carry out the re-granting operation on the reconstructed or deleted data table.
  • Steps S2082 to S2084 provide a scheme for re-granting rights to the reconstructed or deleted data table: the rights server generates, from the obtained table information of the data table, a permission reset statement that the database can recognize, and sends it to the database server; once the function corresponding to the permission reset statement is executed, the reconstructed or deleted data table is re-granted its rights.
  • The access permission processing method of the database in the embodiments of the present application may further perform the following implementation step:
  • Step S201: After any data table in the database is reconstructed or deleted, the database server triggers the system to automatically generate a permission inheritance request.
  • In step S201, when a data table in the database is operated on, a trigger in the database may be triggered, so that the trigger sends information carrying the specific operation content; the database server that stores the database then issues a request for starting the inheritance of access rights by the reconstructed or deleted data table.
  • Step S201 provides an optional solution in which the database server generates the permission inheritance request: operations on data tables in the database are monitored, so that when a data table is reconstructed or deleted, the system is triggered to automatically generate the permission inheritance request.
  • FIG. 3 is a schematic diagram of interaction of an access method for processing an optional database according to Embodiment 1 of the present application; and the functions implemented by applying the solution of the present application in a specific system are described in detail below with reference to FIG. 3:
  • the database server 301 includes a plurality of databases, such as the database 3011, the database 3012, and the database 3013 shown in FIG. 3, and the data tables in any one of the database servers 301 are possible. Rebuild or delete occurred.
  • the rights server 302 is configured to parse the time after receiving the permission inheritance request, and after querying the corresponding user rights in the local database, reassemble the empowerment statement, obtain the permission reset statement, and then return to the database server for execution.
  • the local database 303 can be the above-mentioned access rights database for storing user rights of all data tables that the user has previously applied for.
  • FIG. 4 is a flowchart of an optional database access permission processing method according to Embodiment 1 of the present application. The method flow in this optional application scenario is described with reference to FIG. 3 and FIG. Taking reconstruction of a data table as an example, the method flow executed by the rights server 302 is described in detail:
  • the rights server receives the permission inheritance request through an externally provided HTTP interface. Taking ODPS as an example, as long as the event is subscribed to in ODPS, ODPS sends an event notification to the rights server whenever it performs a DDL change. When the permission inheritance request is determined to include an event, the following process begins:
  • Step A: analyze the event carried in the received permission inheritance request.
  • in step A, after the request is received, the event carried in the request is first analyzed to determine whether it is a DDL event.
  • Step B: parse the event and determine whether it is a DDL event for a reconstructed table.
  • the DDL event is parsed to determine whether the event that triggered the DDL is a data table reconstruction. If so, the DDL event is determined to be a DDL event for a reconstructed table, and the table information of the reconstructed data table is then extracted from the DDL event.
  • Step C: query the permission entries of the table from the local database.
  • in step C, all permissions previously applied for by users are recorded in the local database.
  • the authorizations previously granted to users on the table can be queried from the local relational database to obtain the user rights corresponding to the table.
  • Step D: re-execute the authorization statement.
  • in step D, the user rights set for the table are encapsulated into a statement that the database server can recognize to obtain the permission reset statement, and the permission reset statement is returned to the database server, so that the database server executes the permission reset statement and grants the permissions again.
  • when step B determines that the DDL event is not for a reconstructed table, or once step D has finished executing, the authorization process ends.
  • the embodiment of the present application receives the DDL change event through the externally provided HTTP interface, so that permissions previously applied for on a table are inherited after the data warehouse table is rebuilt, without affecting users or production. This achieves the technical effect that, after the table is rebuilt, users have their previous table permissions restored by default, transparently and without re-applying; at the same time, the table owner no longer needs to track the downstream jobs that depend on the table, which reduces the owner's workload.
  • the method according to the above embodiment can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and including a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the methods described in various embodiments of the present application.
  • an access right processing device for a database for implementing the access authority processing method of the above database, and the device provided by the above embodiment of the present application can be run on a computer terminal.
  • the access authority processing apparatus of the database includes: a receiving module 502, a parsing module 504, a query module 506, and an empowering module 508, where:
  • the receiving module 502 is configured to receive a permission inheritance request for automatically inheriting the access right, where the permission inheritance request is a request triggered after any data table in the database is reconstructed or deleted;
  • the parsing module 504 is configured to parse the permission inheritance request, and obtain table information of the reconstructed or deleted data table;
  • the querying module 506 is configured to query, according to the table information of the reconstructed or deleted data table, the user rights corresponding to the reconstructed or deleted data table;
  • the weighting module 508 is configured to re-grant the user rights to the reconstructed or deleted data table in the database.
  • the user rights of each data table in the database are pre-stored or backed up, so that after a data table in the database is reconstructed or deleted, even if the user access rights of the reconstructed or deleted data table are lost, a permission inheritance request can be triggered. After the permission inheritance request is parsed and the table information of the reconstructed or deleted data table is obtained, the user rights corresponding to that data table are queried from the pre-stored user rights of each data table. The user rights are then re-granted to the reconstructed or deleted data table in the database, which achieves the technical effect of synchronously restoring the user rights of the reconstructed or deleted data table and solves the technical problem that, because user rights are lost after a table in the data warehouse is deleted or rebuilt, the process of re-authorizing users is cumbersome and inefficient.
  • the owner of the data table is freed from re-granting permissions on reconstructed or deleted data tables, which greatly reduces the workload of the data table owner;
  • when a user accesses a rebuilt or deleted data table, the user does not need to apply for permission again, which ensures a good user experience; in another aspect, the permissions of the rebuilt or deleted data table are inherited in a timely and efficient manner.
  • the foregoing receiving module 502, parsing module 504, querying module 506, and weighting module 508 correspond to steps S202 to S208 in the first embodiment; the examples and application scenarios implemented by the four modules are the same as those of the corresponding steps, but are not limited to the content disclosed in the first embodiment. It should be noted that the foregoing modules may be implemented in the computer terminal 10 provided in the first embodiment as a part of the device, and may be implemented by software or by hardware.
  • FIG. 6 is a schematic structural diagram of an optional parsing module according to Embodiment 2 of the present application; as shown in FIG. 6, when the DDL event is included in the privilege inheritance request, the parsing module 504 according to the embodiment of the present application includes: a parsing unit 602, wherein:
  • the parsing unit 602 is configured to parse the DDL event to obtain table information of the data table reconstructed or deleted in the database.
  • the parsing unit 602 of the present application provides an optional way of obtaining the table information of the reconstructed or deleted data table.
  • the table information of the data table reconstructed or deleted is read from the permission inheritance request by parsing the permission inheritance request including the DDL event.
  • the parsing unit 602 corresponds to the step S2042 in the first embodiment, and the module is the same as the example and the application scenario implemented by the corresponding steps, but is not limited to the content disclosed in the first embodiment. It should be noted that the foregoing module may be implemented in the computer terminal 10 provided in the first embodiment as a part of the device, and may be implemented by software or by hardware.
  • FIG. 7 is a schematic structural diagram of an optional query module according to the second embodiment of the present application; as shown in FIG. 7, the query module 506 according to the embodiment of the present application includes: a determining unit 702, a querying unit 704, and an assignment unit 706, wherein:
  • the determining unit 702 is configured to determine, according to the table information of the reconstructed or deleted data table, whether the data table is a data table that the user has previously applied for;
  • the querying unit 704 is configured to: if the data table that is reconstructed or deleted is a data table that the user has applied for before, query the local relational database to obtain the historical user authority set by the user for the data table;
  • the assignment unit 706 is configured to assign the historical user authority set by the user for the data table to the reconstructed or deleted data table, and obtain the user authority for re-giving the reconstructed or deleted data table.
  • the foregoing determining unit 702, querying unit 704, and assigning unit 706 of the present application provide a way of obtaining the user rights corresponding to the reconstructed or deleted data table. It is first determined whether the reconstructed or deleted data table is a data table that a user has previously applied for. When it is determined that no user has applied for the data table, the permission inheritance operation is not performed; when it is determined that a user has applied for the data table, the historical user rights are queried from the pre-stored access rights database and assigned to the reconstructed or deleted data table, which yields the user rights corresponding to the reconstructed or deleted data table.
  • the foregoing determining unit 702, querying unit 704, and assigning unit 706 correspond to steps S2062 to S2066 in the first embodiment; the examples and application scenarios implemented by the three modules are the same as those of the corresponding steps, but are not limited to the contents disclosed in the above embodiment 1. It should be noted that the foregoing modules may be implemented in the computer terminal 10 provided in the first embodiment as a part of the device, and may be implemented by software or by hardware.
  • FIG. 8 is a schematic structural diagram of an access permission processing apparatus of an optional database according to Embodiment 2 of the present application; as shown in FIG. 8, the access authority processing apparatus of the database according to the embodiment of the present application further includes: a storage module 802, wherein:
  • the storage module 802 is configured to generate and store a table information set of the data tables applied for by the user if the user has applied for any data table saved in the database and the application is successful; wherein, if the table information of the reconstructed or deleted data table is successfully matched in the stored table information set of the data tables applied for by the user, the reconstructed or deleted data table is determined to be a data table that the user has applied for before.
  • the foregoing storage module 802 of the present application provides a scheme for pre-storing the table information of the data tables applied for by users, so that whether the reconstructed or deleted data table was previously applied for by a user can be determined by query and comparison, which facilitates reading the historical user rights of reconstructed or deleted data tables that users previously applied for.
  • the foregoing storage module 802 corresponds to the step S2052 in the first embodiment, and the module is the same as the example and the application scenario implemented by the corresponding steps, but is not limited to the content disclosed in the first embodiment. It should be noted that the foregoing module may be implemented in the computer terminal 10 provided in the first embodiment as a part of the device, and may be implemented by software or by hardware.
  • FIG. 9 is a schematic structural diagram of an optional weighting module according to the second embodiment of the present application; as shown in FIG. 9, the weighting module 508 according to the embodiment of the present application includes: a packaging unit 902 and an empowerment unit 904, wherein:
  • the encapsulating unit 902 is configured to encapsulate the table information of the reconstructed or deleted data table and the obtained user rights corresponding to the reconstructed or deleted data table, to obtain a permission reset statement that allows the database to be recognized;
  • the weighting unit 904 is configured to return the permission reset statement to the server where the database is located, so that the user rights are re-granted to the data table in the database that is reconstructed or deleted.
  • the foregoing encapsulating unit 902 and entitlement unit 904 of the present application provide a scheme for re-granting permissions on the reconstructed or deleted data table: the rights server generates the permission reset statement from the obtained permission information and the table information of the data table, in a form the database can recognize, and sends the permission reset statement to the database server; after the function corresponding to the permission reset statement is executed, the reconstructed or deleted data table is re-authorized.
  • the foregoing encapsulation unit 902 and entitlement unit 904 correspond to steps S2082 to S2084 in the first embodiment; the examples and application scenarios implemented by the two modules are the same as those of the corresponding steps, but are not limited to the contents disclosed in the above embodiment 1. It should be noted that the foregoing modules may be implemented in the computer terminal 10 provided in the first embodiment as a part of the device, and may be implemented by software or by hardware.
  • FIG. 10 is a schematic structural diagram of an access permission processing apparatus of another optional database according to Embodiment 2 of the present application; as shown in FIG. 10, the access authority processing apparatus of the database according to the embodiment of the present application further includes: a trigger module 1002, wherein:
  • the triggering module 1002 is configured to trigger the system to automatically generate a permission inheritance request after any data table in the database is reconstructed or deleted.
  • the trigger module 1002 of the present application provides an optional solution in which the database server generates the permission inheritance request: operations on the data tables in the database are monitored, so that when a data table is reconstructed or deleted, the system is triggered to automatically generate a permission inheritance request.
  • the triggering module 1002 corresponds to the step S201 in the first embodiment, and the module is the same as the example and the application scenario implemented by the corresponding steps, but is not limited to the content disclosed in the first embodiment. It should be noted that the foregoing module may be implemented in the computer terminal 10 provided in the first embodiment as a part of the device, and may be implemented by software or by hardware.
  • the preferred embodiment provided by the foregoing embodiment 2 of the present application is the same as the implementation of the method embodiment and the application scenario provided by the first embodiment, but is not limited to the solution provided by the first embodiment.
  • FIG. 11 is a schematic structural diagram of a database access authority processing system according to Embodiment 3 of the present application.
  • the access authority processing system of the database includes: a database server 111 and a rights processing system 113, wherein:
  • the database server 111 is configured to save the database, and after any data table in the database is reconstructed or deleted, triggering a permission inheritance request for automatically inheriting the access right;
  • the privilege processing system 113 is configured to receive and parse the privilege inheritance request, obtain the table information of the reconstructed or deleted data table, and, after querying the user rights corresponding to the reconstructed or deleted data table according to that table information, re-grant the user rights to the reconstructed or deleted data table in the database.
  • any data table in the database may have a preset access permission attribute, where the access permission attribute may include any one or more of the following rights: read permission, write permission, delete permission, or modify permission.
  • Reconstruction and deletion are performed on the data tables contained in the database. After a data table is reconstructed or deleted, the access rights previously set for the data table in the database may be lost, so that the next time the user accesses the modified or deleted data table, access is denied, affecting the normal use of the user.
  • the database server 111 has a communication relationship with the computer terminal 10 shown in FIG. 1.
  • the trigger in the database may be triggered, so that the trigger sends the information carrying the specific operation content, and the request that starts access permission inheritance for the reconstructed or deleted data table is automatically generated.
  • when the rights processing system 113 confirms that the operation content carried in the rights inheritance request is a reconstructed data table or a deleted data table, the table information of the reconstructed or deleted data table is read from the rights inheritance request; if the operation content carried in the request is not a rebuild or delete, the steps of inheriting the access rights of the data table are not performed.
  • the privilege processing system 113 accesses the pre-stored user privilege data, and performs traversal query from the pre-stored user privilege data based on the table information of the reconstructed or deleted data table to obtain the corresponding user privilege of the table information.
  • the rights processing system 113 encapsulates the table information of the reconstructed or deleted data table and the obtained user rights corresponding to the reconstructed or deleted data table, and obtains a permission reset statement that the database can recognize; the statement is returned to the server where the database is located, so that the user rights are re-granted to the reconstructed or deleted data table in the database.
  • the rights processing system 113 shown in FIG. 11 in the embodiment of the present application may include the rights server 302 and the local database 303 shown in FIG.
  • the user rights of each data table in the database are pre-stored or backed up, so that after a data table in the database is reconstructed or deleted, even if the user access rights of the reconstructed or deleted data table are lost, the user rights corresponding to the reconstructed or deleted data table can be obtained by query. The user rights are then re-granted to the reconstructed or deleted data table in the database, which achieves the technical effect of synchronously restoring the user rights of the reconstructed or deleted data table and solves the technical problem that the process of re-authorizing users is cumbersome and inefficient because user rights are lost after a table in the data warehouse is deleted or rebuilt.
  • the owner of the data table is freed from re-granting permissions on reconstructed or deleted data tables, which greatly reduces the workload of the data table owner;
  • when a user accesses a rebuilt or deleted data table, the user does not need to apply for permission again, which ensures a good user experience; in another aspect, the permissions of the rebuilt or deleted data table are inherited in a timely and efficient manner.
  • Embodiments of the present application may provide a computer terminal, which may be any one of computer terminal groups.
  • the foregoing computer terminal may also be replaced with a terminal device such as a mobile terminal.
  • the computer terminal may be located in at least one network device of the plurality of network devices of the computer network.
  • the computer terminal may execute the program code of the following steps in the vulnerability detection method of the application: receiving a permission inheritance request for automatically inheriting the access right, wherein the permission inheritance request is a request triggered after any data table in the database is reconstructed or deleted; parsing the permission inheritance request to obtain the table information of the reconstructed or deleted data table; querying, according to the table information of the reconstructed or deleted data table, the user permissions corresponding to the reconstructed or deleted data table; and re-granting the user rights to the reconstructed or deleted data table in the database.
  • FIG. 12 is a structural block diagram of a computer terminal according to an embodiment of the present application.
  • the computer terminal A may include one or more (only one shown in the figure) processor, memory, and transmission means.
  • the memory can be used to store software programs and modules, such as the program instructions/modules corresponding to the security vulnerability detection method and device in the embodiment of the present application, and the processor runs the software programs and modules stored in the memory, thereby performing various functional applications and data processing, that is, implementing the above detection method for system vulnerability attacks.
  • the memory may include a high speed random access memory, and may also include non-volatile memory such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory.
  • the memory can further include memory remotely located relative to the processor, which can be connected to terminal A via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • the processor may invoke the information and the application stored in the memory through the transmission device to perform the following steps: receiving a permission inheritance request for automatically inheriting the access right, wherein the permission inheritance request is a request triggered after any data table in the database is reconstructed or deleted; parsing the permission inheritance request to obtain the table information of the reconstructed or deleted data table; querying, according to the table information of the reconstructed or deleted data table, the user authority corresponding to the reconstructed or deleted data table; and re-granting the user rights to the reconstructed or deleted data table in the database.
  • the foregoing processor may further execute the following program code: parse the DDL event, and obtain table information of the data table that is reconstructed or deleted in the database.
  • the foregoing processor may further execute the following program code: determining, according to the table information of the reconstructed or deleted data table, whether the data table is a data table previously applied for by the user; if the reconstructed or deleted data table is a data table the user previously applied for, querying the local relational database to obtain the historical user authority set by the user for the data table; and assigning the historical user authority set by the user for the data table to the reconstructed or deleted data table, to obtain the user rights to be re-granted to the reconstructed or deleted data table.
  • the foregoing processor may further execute the following program code: if the user has applied for any data table saved in the database and the application is successful, generating and storing a table information set of the data tables applied for by the user; wherein, if the table information of the reconstructed or deleted data table is matched successfully in the stored table information set of the data tables applied for by the user, the reconstructed or deleted data table is determined to be a data table that the user has previously applied for.
  • the foregoing processor may further execute the following program code: encapsulating the table information of the reconstructed or deleted data table and the obtained user rights corresponding to the reconstructed or deleted data table to obtain a permission reset statement that the database can recognize; and returning the permission reset statement to the server where the database is located, so that the user rights are re-granted to the reconstructed or deleted data table in the database.
  • the foregoing processor may further execute the following program code: after any data table in the database is reconstructed or deleted, triggering the system to automatically generate a permission inheritance request.
  • the user rights of each data table in the database are pre-stored or backed up, so that after a data table in the database is reconstructed or deleted, even if the user access rights of the reconstructed or deleted data table are lost, a permission inheritance request can be triggered after the rebuild or delete and then parsed; the user rights are re-granted to the reconstructed or deleted data table in the database, which achieves the technical effect of synchronously restoring the user rights of the reconstructed or deleted data table, thereby solving the problem that user rights are lost after a table in the data warehouse is deleted or reconstructed.
  • FIG. 12 is merely illustrative, and the computer terminal can also be a smart phone (such as an Android mobile phone, an iOS mobile phone, etc.), a tablet computer, a palmtop computer, a mobile Internet device (Mobile Internet Devices, MID), a PAD, or another terminal device.
  • FIG. 12 does not limit the structure of the above electronic device.
  • computer terminal A may also include more or fewer components (such as a network interface, display device, etc.) than shown in FIG. 12, or have a different configuration than that shown in FIG.
  • Embodiments of the present application also provide a storage medium.
  • the foregoing storage medium may be used to save the program code executed by the access permission processing method of the database provided in the first embodiment.
  • the foregoing storage medium may be located in any one of the computer terminal groups in the computer network, or in any one of the mobile terminal groups.
  • the storage medium is configured to store program code for performing the following steps: receiving a permission inheritance request for automatically inheriting access rights, wherein the rights inheritance request is a request triggered after any one of the data tables in the database is reconstructed or deleted; parsing the permission inheritance request to obtain the table information of the reconstructed or deleted data table; querying, according to the table information of the reconstructed or deleted data table, the user rights corresponding to the reconstructed or deleted data table; and re-granting the user rights to the reconstructed or deleted data table in the database.
  • the storage medium is further configured to store program code for performing the steps of parsing the DDL event to obtain table information of the reconstructed or deleted data table in the database.
  • the storage medium is further configured to store program code for performing the following steps: determining, according to the table information of the reconstructed or deleted data table, whether the data table is a data table previously applied for by the user; if the reconstructed or deleted data table is a data table that the user has applied for before, obtaining from the local relational database the historical user authority set by the user for the data table; and assigning the historical user authority set by the user for the data table to the reconstructed or deleted data table, to obtain the user rights to be re-granted to the rebuilt or deleted data table.
  • the storage medium is further configured to store program code for performing the following steps: if the user has applied for any of the data tables saved in the database and the application is successful, generating and storing a table information set of the data tables applied for by the user; wherein, if the table information of the reconstructed or deleted data table is successfully matched in the stored table information set of the data tables applied for by the user, the reconstructed or deleted data table is determined to be a data table previously applied for by the user.
  • the storage medium is further configured to store program code for performing the following steps: encapsulating the table information of the reconstructed or deleted data table and the obtained user rights corresponding to the reconstructed or deleted data table, to obtain a permission reset statement that the database can recognize; and returning the permission reset statement to the server where the database is located, so that the user rights are re-granted to the reconstructed or deleted data table in the database.
  • the storage medium is further arranged to store program code for performing the following steps: after any one of the data tables in the database is reconstructed or deleted, triggering the system to automatically generate a rights inheritance request.
  • the disclosed technical contents may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • multiple units or components may be combined or may be integrated into another system, or some features can be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, unit or module, and may be electrical or otherwise.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the computer readable storage medium includes a number of instructions to cause a computer device (which may be a personal computer, server or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application.
  • the foregoing storage medium includes: a U disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, and the like.

Abstract

The application discloses a database access right processing method, device, and system. The method comprises: receiving a permission inherence request for automatically inheriting an access right, wherein generation of the permission inherence request is triggered by reconstruction or deletion of any table; parsing the permission inherence request and obtaining table information of the reconstructed or deleted table; querying and obtaining, according to the table information of the reconstructed or deleted table, a user permission corresponding to the reconstructed or deleted table; and re-issuing the user permission to the reconstructed or deleted table in a database. The application resolves a technical problem of a complicated and low-efficiency user authorization procedure dealing with a user permission loss owing to a reconstructed or deleted table in a database.

Description

Database access authority processing method, device and system
The present application claims priority to Chinese Patent Application No. 201510486696.8, filed on August 10, 2015 and entitled "Database access authority processing method, device and system", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of data processing, and in particular to a method, device and system for processing access rights of a database.
Background
To keep the data tables stored in a database secure, user access to the data tables is controlled through user access rights. However, when a data table in the database is rebuilt or deleted, the user rights of the data table are lost, resulting in abnormal user access to the data table.
Taking a data warehouse as an example, collected and organized data is stored in the data warehouse according to a preset model. However, as the volume of data in the warehouse grows and the business becomes more complex, the earlier model design keeps changing along with the various services, so the data tables in the data warehouse have to be restructured continually. As a result, the accounts that peripheral systems depend on lose their permissions, which affects the normal operation of those peripheral systems.
In the related art, the loss of permissions after a data table is deleted and rebuilt can be handled in two ways. The first is to wait until the user discovers that the permission has been lost, after which the user applies for the data table again and goes through the preset application process once more. The second is to query the metadata, before the data table is rebuilt, for the user rights of the data table to be rebuilt or deleted, and then to perform the authorization again in batch.
However, in the related-art solutions, waiting passively until users discover the loss and re-apply on their own may cause every job that depends on the data table to fail, and the repeated applications waste resources, time and effort. On the other hand, if the user rights of the data table to be rebuilt or deleted are obtained from the metadata, the user rights of the original data table can no longer be obtained correctly once the data table has already been rebuilt; moreover, granting rights according to the user rights of each individual user increases the workload of the data table owner.
No effective solution has yet been proposed for the above problem, namely that re-authorizing users is cumbersome and inefficient because user rights are lost after a table in the data warehouse is deleted or rebuilt.
Summary of the invention
The embodiments of the present application provide a method, device and system for processing access rights of a database, so as to at least solve the technical problem that re-authorizing users is cumbersome and inefficient because user rights are lost after a table in the data warehouse is deleted or rebuilt.
According to one aspect of the embodiments of the present application, a method for processing access rights of a database is provided, including: receiving a rights inheritance request for automatically inheriting access rights, where the rights inheritance request is a request whose generation is triggered after any data table in the database is reconstructed or deleted; parsing the rights inheritance request to obtain the table information of the reconstructed or deleted data table; querying, according to the table information of the reconstructed or deleted data table, the user rights corresponding to the reconstructed or deleted data table; and re-granting the user rights to the reconstructed or deleted data table in the database.
According to another aspect of the embodiments of the present application, a device for processing access rights of a database is further provided, including: a receiving module, configured to receive a rights inheritance request for automatically inheriting access rights, where the rights inheritance request is a request whose generation is triggered after any data table in the database is reconstructed or deleted; a parsing module, configured to parse the rights inheritance request and obtain the table information of the reconstructed or deleted data table; a query module, configured to query, according to the table information of the reconstructed or deleted data table, the user rights corresponding to the reconstructed or deleted data table; and a granting module, configured to re-grant the user rights to the reconstructed or deleted data table in the database.
According to still another aspect of the embodiments of the present application, a system for processing access rights of a database is further provided, including: a database server, configured to hold the database and, after any data table in the database is reconstructed or deleted, to trigger generation of a rights inheritance request for automatically inheriting access rights; and a rights processing system, configured to receive and parse the rights inheritance request, obtain the table information of the reconstructed or deleted data table, and, after querying the user rights corresponding to the reconstructed or deleted data table according to that table information, re-grant the user rights to the reconstructed or deleted data table in the database.
In the embodiments of the present application, a rights inheritance request for automatically inheriting access rights is received, where the rights inheritance request is a request whose generation is triggered after any data table in the database is reconstructed or deleted. By parsing the rights inheritance request and obtaining the table information of the reconstructed or deleted data table, the user rights corresponding to that data table are queried according to its table information. This achieves the technical effect of re-granting the user rights to the reconstructed or deleted data table in the database, and thereby solves the technical problem that re-authorizing users is cumbersome and inefficient because user rights are lost after a table in the data warehouse is deleted or rebuilt.
Description of the drawings
The drawings described herein are provided for a further understanding of the present application and constitute a part of it. The illustrative embodiments of the present application and their descriptions are used to explain the present application and do not constitute an undue limitation of it. In the drawings:
FIG. 1 is a block diagram of the hardware structure of a computer terminal for a method for processing access rights of a database according to an embodiment of the present application;
FIG. 2 is a schematic flowchart of a method for processing access rights of a database according to Embodiment 1 of the present application;
FIG. 3 is an interaction diagram of an optional method for processing access rights of a database according to Embodiment 1 of the present application;
FIG. 4 is a flowchart of an optional method for processing access rights of a database according to Embodiment 1 of the present application;
FIG. 5 is a schematic structural diagram of a device for processing access rights of a database according to Embodiment 2 of the present application;
FIG. 6 is a schematic structural diagram of an optional parsing module according to Embodiment 2 of the present application;
FIG. 7 is a schematic structural diagram of an optional query module according to Embodiment 2 of the present application;
FIG. 8 is a schematic structural diagram of an optional device for processing access rights of a database according to Embodiment 2 of the present application;
FIG. 9 is a schematic structural diagram of an optional granting module according to Embodiment 2 of the present application;
FIG. 10 is a schematic structural diagram of another optional device for processing access rights of a database according to Embodiment 2 of the present application;
FIG. 11 is a schematic structural diagram of a system for processing access rights of a database according to Embodiment 3 of the present application; and
FIG. 12 is a structural block diagram of a computer terminal according to an embodiment of the present application.
Detailed description
To help those skilled in the art better understand the solutions of the present application, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without creative effort shall fall within the scope of protection of the present application.
It should be noted that the terms "first", "second" and the like in the specification and claims of the present application and in the above drawings are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It is to be understood that data so used may be interchanged where appropriate, so that the embodiments of the present application described herein can be implemented in an order other than those illustrated or described herein. In addition, the terms "include" and "have" and any variations of them are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units that are clearly listed, but may include other steps or units that are not clearly listed or that are inherent to the process, method, product or device.
The terms used in this application are explained as follows:
Open Data Processing Service (ODPS) was developed in-house by Alibaba Cloud. It provides distributed processing capability for TB/PB-scale data and is suitable for fields such as online data processing, data analysis, data mining and business intelligence.
Embodiment 1
According to an embodiment of the present application, a method embodiment of a method for processing access rights of a database is also provided. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system, such as one running a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.
The method embodiment provided in Embodiment 1 of the present application may be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, FIG. 1 is a block diagram of the hardware structure of a computer terminal for a method for processing access rights of a database according to an embodiment of the present application. As shown in FIG. 1, the computer terminal 10 may include one or more (only one is shown in the figure) processors 102 (a processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission module 106 for communication functions. A person of ordinary skill in the art will understand that the structure shown in FIG. 1 is only illustrative and does not limit the structure of the above electronic device. For example, the computer terminal 10 may include more or fewer components than shown in FIG. 1, or have a configuration different from that shown in FIG. 1.
The memory 104 may be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the method for processing access rights of a database in the embodiments of the present application. By running the software programs and modules stored in the memory 104, the processor 102 executes various functional applications and data processing, that is, implements the vulnerability detection method of the above application. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the computer terminal 10 through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or send data via a network. Specific examples of the above network may include a wireless network provided by the communication provider of the computer terminal 10. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (RF) module, which is used to communicate with the Internet wirelessly.
In the above operating environment, the present application provides the method for processing access rights of a database shown in FIG. 2. FIG. 2 is a flowchart of a method for processing access rights of a database according to Embodiment 1 of the present application. It should be noted here that, in the embodiments of the present application, the computer terminal 10 shown in FIG. 1 may be a rights server.
As shown in FIG. 2, an optional method for processing access rights of a database includes the following implementation steps:
Step S202: a rights server may receive a rights inheritance request for automatically inheriting access rights, where the rights inheritance request is a request whose generation is triggered after any data table in the database is reconstructed or deleted.
In step S202 above, the database may be any database on the database server. Any data table in the database may have preset access right attributes, where the access right attributes may include any one or more of the following rights: read, write, delete or modify. Reconstruction and deletion are modification operations performed on the data tables contained in the database. After a data table is reconstructed or deleted, the access rights previously set for that data table in the database may be lost, so that the user's next access to the modified or deleted data table is denied, which affects the user's normal use.
It should be noted here that the rights inheritance request is intended to automatically start the function of obtaining the access rights of the reconstructed or deleted data table. The aim is to use the access rights that the data table had before it was reconstructed or deleted as the rights of the reconstructed or deleted data table, so that users can access the reconstructed or deleted data table normally without applying for the rights again. In other words, the rights inheritance request is used to make the data table, after reconstruction or deletion, automatically inherit the access rights of the data table as it was before reconstruction or deletion.
It should also be noted here that the rights inheritance request may be issued by the database server that stores the database, and that the database server communicates with the computer terminal 10 shown in FIG. 1. An operation on a data table in the database can fire a trigger in the database, so that the trigger emits information carrying the specific content of the operation. By listening for operations such as creation, modification or deletion of data tables in the database, a request for starting the inheritance of access rights for the reconstructed or deleted data table is generated automatically after any data table in the database is reconstructed or deleted.
It should also be noted here that the database in the embodiments of the present application may be a transactional database in the usual sense, such as Oracle or SQL Server, or a subject-oriented data warehouse; it may be a locally stored database or a cloud database.
For example, taking Alibaba Cloud's Open Data Processing Service as an example, one possible application scenario is as follows. Suppose that every transaction on the Taobao website in July is obtained from Taobao's database, and that the transaction data is then processed into a sales fact table, which includes the order number, product key, seller key, buyer key, sales volume and sales time. A product dimension table, a seller dimension table and a buyer dimension table are also obtained, and are associated with the sales fact table through the product key, seller key and buyer key respectively. The fact table and dimension tables are uploaded to ODPS storage, and it is assumed that the table that is reconstructed or deleted is the product dimension table (hereinafter data table A). After enabling the ODPS service, a user applies to the owner of data table A for access to data table A; once the application is approved, the user's access rights to data table A are granted by setting the content of data table A. The user can access data table A in the database by issuing a query request through the ODPS client. When the original data table A in the database is reconstructed, a reconstructed data table A is obtained (hereinafter new data table A'), and the access right information for all users (including the above user) in new data table A' may be lost along with the reconstruction operation. At this point, the reconstruction of data table A can trigger the generation of a rights inheritance request, which in turn triggers the operation by which new data table A' inherits the access right information of all users in data table A.
Step S204: the rights server may parse the rights inheritance request to obtain the table information of the reconstructed or deleted data table.
In step S204 above, the rights inheritance request may be issued by the database server in a predetermined format and carries the specific content of the operation performed on data table A. When the operation carried in the rights inheritance request is confirmed to be the reconstruction or deletion of a data table, the table information of the reconstructed or deleted data table is read from the rights inheritance request. When the operation carried in the rights inheritance request is neither reconstruction nor deletion, the step of inheriting the access rights of the data table is not performed.
Optionally, the above table information may include the name of the data table, the creation time of the data table, the creator of the data table, and so on. It is sufficient that at least one item of table information remains unchanged after the data table is reconstructed or deleted.
Still taking Alibaba Cloud's Open Data Processing Service as an example, after data table A is reconstructed into new data table A', the data access request carries the table information of new data table A', for example its name. The rights server parses the rights inheritance request and obtains the table name of new data table A' contained in it.
Step S206: the rights server may query, according to the table information of the reconstructed or deleted data table, the user rights corresponding to the reconstructed or deleted data table.
In step S206 above, the rights server can access a pre-stored access rights database. The access rights database holds the preset user rights of the data tables in the database server that have been applied for; that is, once a user has applied for any data table in the database server, the table information of that data table and the corresponding user rights are saved to the access rights database.
Accordingly, in one optional solution, the user rights corresponding to a data table may be created and updated in the access rights database as follows: after a user applies for access to a data table in the database server, the table information of the requested data table and the access rights already set for it are packaged and sent to the access rights database for storage.
Based on the permission information collected and stored in this way, when the rights server receives the table information of a reconstructed or deleted data table, it performs a traversal query of the access rights database using that table information and obtains the user rights corresponding to it.
Still taking Alibaba Cloud's Open Data Processing Service as an example, table A is stored in a cloud database and the user rights set for each user are recorded in the access rights database; that is, after a user applies for table A in ODPS, that user's rights to table A are stored in the access rights database. After data table A is reconstructed into new data table A', the table information of the reconstructed or deleted data table, for example the table name of new data table A', is parsed from the rights inheritance request. In one application scenario, because the table name does not change when the data table is reconstructed, all recorded user rights of new data table A' can be queried from the access rights database according to its table name. Optionally, the access rights database may be stored locally on the rights server or in Alibaba Cloud.
Step S208: the rights server may re-grant the user rights to the reconstructed or deleted data table in the database.
In step S208 above, re-granting is carried out for the reconstructed or deleted data table. That is, the rights server returns the user rights of the reconstructed or deleted data table, as queried from the access rights database, to the database server, so that the reconstructed or deleted data table has the same user rights records as the original data table had before it was reconstructed or deleted.
Still taking Alibaba Cloud's Open Data Processing Service as an example, all user rights of new data table A' queried from the access rights database are sent to the database server, for example an Alibaba Cloud database server, and are used to reset new data table A', so that new data table A' has the same user rights settings as data table A. When a user accesses new data table A', because the user rights in new data table A' have been updated or reset by the above operations, the user's access can be controlled according to the user rights recorded for data table A.
As can be seen from the above, the solution provided in Embodiment 1 of the present application pre-stores or backs up the user rights of every data table in the database. After a data table in the database is reconstructed or deleted, even if the user access rights of that data table are lost, a rights inheritance request is generated by the reconstruction or deletion; after the request is parsed and the table information of the reconstructed or deleted data table is obtained, the user rights corresponding to that data table are queried from the pre-stored user rights of every data table. The user rights are then re-granted to the reconstructed or deleted data table in the database, which achieves the technical effect of restoring the user rights of the reconstructed or deleted data table in step with the change, and thereby solves the technical problem that re-authorizing users is cumbersome and inefficient because user rights are lost after a table in the data warehouse is deleted or rebuilt. As a result, first, the owner of the data table is freed from the tedious work of re-granting rights after the data table is reconstructed or deleted, which greatly reduces the owner's workload; second, users no longer need to apply for rights again when accessing the reconstructed or deleted data table, which ensures a good user experience; third, the rights of the reconstructed or deleted data table are inherited promptly and efficiently, which protects the security of the data in the data table.
In an optional solution provided by the foregoing embodiment of the present application, the permission inheritance request includes a DDL event, and step S204 (parsing the permission inheritance request to obtain the table information of the rebuilt or deleted data table) may further include the following specific implementation step:
Step S2042: The rights server may parse the DDL event to obtain the table information of the data table that was rebuilt or deleted in the database.
In step S2042 above, a trigger may have been created in the database, and the event that fires the trigger is specified when the trigger is created. In one optional approach, trigger events fall into three categories: data manipulation language (DML) events, data definition language (DDL) events, and database events. A DDL event corresponds to a DDL trigger, which fires when a data object in the database is modified. Specifically, a DDL event is triggered when a data table is created, rebuilt, or deleted in the database.
Based on the operations that trigger a DDL event described above, after the rights server receives a permission inheritance request that includes a DDL event, it determines whether the operation that triggered the DDL event was a rebuild or a deletion of a data table; if so, it reads the table information of the rebuilt or deleted data table from the DDL event.
Still taking Alibaba Cloud's Open Data Processing Service as an example, the rights server subscribes to DDL events in ODPS and receives them through the HTTP interface that the rights server exposes. When ODPS rebuilds or deletes data table A, ODPS sends the rights server a permission inheritance request, containing the DDL event, for automatically inheriting user rights. The rights server parses the permission inheritance request and the DDL event to obtain the specific operation on data table A that the DDL event contains; when it further determines that the operation is a rebuild or deletion of data table A, it reads the table information of data table A from the permission inheritance request. Note that if data table A is a newly created dimension table, no user rights have yet been set for table A, and table A does not need to inherit user rights automatically.
As can be seen from the above, step S2042 provides an optional way of obtaining the table information of the rebuilt or deleted data table: by parsing the permission inheritance request that contains the DDL event, the table information of the rebuilt or deleted data table is read from the permission inheritance request.
In an optional solution provided by the foregoing embodiment of the present application, step S206 (querying, according to the table information of the rebuilt or deleted data table, the user rights corresponding to that data table) may further include the following specific implementation steps:
Step S2062: The rights server may determine, according to the table information of the rebuilt or deleted data table, whether the data table is one that a user previously applied for;
In step S2062 above, an application identifier may be added to a data table that a user previously applied for, to indicate that the table has been applied for by a user; alternatively, the table information of all data tables that users have applied for may be collected, so that the determination can be made by querying the table information.
Step S2064: If the rebuilt or deleted data table is one that a user previously applied for, the rights server may query the local relational database to obtain the historical user rights that the user previously set for the data table;
In step S2064 above, the historical user rights are the access rights to the data table that were set for users in the past. The local relational database may be the access rights database, stored locally on the rights server. With the appropriate configuration, a user's application for a data table triggers storing that user's rights to the data table in the access rights database; that is, the access rights database records all permission records from previous user applications.
Step S2066: The rights server may assign the historical user rights that the user previously set for the data table to the rebuilt or deleted data table, obtaining the user rights to be re-granted to the rebuilt or deleted data table.
In step S2066 above, after the historical user rights are obtained by querying the access rights database, the rights server assigns them to the data table; that is, the rights server associates the queried historical user rights of the data table with that data table, obtaining the user rights to be used when re-granting rights to the rebuilt or deleted data table.
As can be seen from the above, steps S2062 to S2066 provide a way of obtaining the user rights corresponding to the rebuilt or deleted data table. It is first determined whether the rebuilt or deleted data table is one that a user previously applied for. If no user has applied for the data table, the permission inheritance operation is not performed; if a user has applied for it, the historical user rights are queried from the pre-stored access rights database and assigned to the rebuilt or deleted data table, thereby obtaining the user rights corresponding to the rebuilt or deleted data table.
In an optional solution provided by the foregoing embodiment of the present application, before step S206 (determining, according to the table information of the data table, whether the data table is one that a user previously applied for) is executed, the database access rights processing method of this embodiment may further perform the following implementation step:
Step S2052: If any data table already stored in the database is applied for by a user and the application succeeds, a set of table information of the data tables that users have applied for is generated and stored;
wherein, if the table information of the rebuilt or deleted data table is successfully matched in the stored set of table information of data tables that users have applied for, the rebuilt or deleted data table is determined to be one that a user previously applied for.
In step S2052 above, after a user's application for any data table in the database succeeds, the access rights the user has to that table, the user identifier, and the table information may be stored; through at least one successful user application, a set of table information of the data tables that users have applied for is obtained. This set may be stored in the access rights database described above.
Based on the obtained set of table information of data tables that users have applied for, one optional way of determining whether a data table is one that a user previously applied for is as follows: using the obtained table information of the rebuilt or deleted data table, traverse the table information of the data tables that users have applied for and determine whether it contains information consistent with the table information of the rebuilt or deleted data table; if so, the rebuilt or deleted data table can be determined to be one that a user previously applied for.
Still taking Alibaba Cloud's Open Data Processing Service as an example, when a user successfully applies for data table A in ODPS, the table information of data table A, the user identifier, and that user's access rights to data table A are stored in the access rights database. For example, after data table A is rebuilt, the rights server receives, through its event subscription in ODPS, a permission inheritance request containing the DDL event; it parses out the table information of the new data table A' and traverses the table information recorded in the access rights database. When it determines that the access rights database contains content matching the table information of the new data table A', data table A can be determined to be one that a user previously applied for.
In another possible application scenario, when data table B in the database is rebuilt to produce a new data table B', if no user has applied for data table B, the access rights database holds no historical user rights for data table B. In that case, even though the permission inheritance request containing the DDL event is received from ODPS and the table information of the new data table B' is parsed out, no content matching the table information of B' can be found in the table information recorded in the access rights database, and it can be determined that data table B was not previously applied for by any user.
As can be seen from the above, step S2052 provides a scheme for pre-storing the table information of data tables that users have applied for, so that a lookup and comparison can determine whether a rebuilt or deleted data table was previously applied for by a user. This makes it easy to read the historical user rights of a data table that was previously applied for and has now been rebuilt or deleted.
In an optional solution provided by the foregoing embodiment of the present application, step S208 (re-granting the user rights to the rebuilt or deleted data table in the database) may further include the following specific implementation steps:
Step S2082: The rights server may encapsulate the table information of the rebuilt or deleted data table together with the obtained user rights corresponding to that data table, producing a permission reset statement that the database can recognize;
In step S2082 above, the permission reset statement may be a statement that grants permission, that is, a statement that grants user rights. Different databases may support different types of permission reset statements. Taking SQL as an example, the permission reset can be implemented with a grant statement. The rights server generates the permission reset statement from the obtained user rights and table information of the rebuilt or deleted data table.
Step S2084: The rights server may return the permission reset statement to the server where the database resides, so that the user rights are re-granted to the rebuilt or deleted data table in the database.
In step S2084 above, the permission reset statement acts on the rebuilt or deleted data table, so the rights server must first send the statement to the database server that hosts the rebuilt or deleted data table. After the database server receives the permission reset statement, it executes the statement, which re-grants rights to the rebuilt or deleted data table.
As can be seen from the above, steps S2082 to S2084 provide a scheme for re-granting rights to a rebuilt or deleted data table. The rights server turns the obtained permission information and the table information of the data table into a permission reset statement in a form the database can recognize, and sends the statement to the database server; once the function corresponding to the permission reset statement has been executed, rights have been re-granted to the rebuilt or deleted data table.
In an optional solution provided by the foregoing embodiment of the present application, before step S202 (receiving the permission inheritance request for automatically inheriting access rights) is executed, the database access rights processing method of this embodiment may further perform the following implementation step:
Step S201: After any data table in the database is rebuilt or deleted, the database server may trigger the system to generate the permission inheritance request automatically.
In step S201 above, an operation on a data table in the database can fire a trigger in the database, so that the trigger emits information carrying the specific content of the operation. By listening for operations such as creating, modifying, or deleting data tables in the database, the database server that stores the database issues, after any data table in the database is rebuilt or deleted, a request that starts access rights inheritance for the rebuilt or deleted data table.
As can be seen from the above, step S201 provides an optional scheme in which the database server generates the permission inheritance request: operations on data tables in the database are monitored, so that the system is triggered to generate a permission inheritance request automatically when a data table is rebuilt or deleted.
FIG. 3 is an interaction diagram of an optional database access rights processing method according to Embodiment 1 of the present application. The functions realized when the solution of the present application is applied in a specific system are described in detail below with reference to FIG. 3:
As shown in FIG. 3, the database server 301 contains multiple databases, such as database 3011, database 3012, and database 3013 shown in FIG. 3; a data table in any of the databases on database server 301 may be rebuilt or deleted.
The rights server 302 is configured to parse the event after receiving a permission inheritance request, query the local database for the corresponding user rights, reassemble the grant statement to obtain the permission reset statement, and then return the statement to the database server for execution.
The local database 303 may be the access rights database described above, and stores the user rights of all data tables that users have previously applied for.
FIG. 4 is a flowchart of an optional database access rights processing method according to Embodiment 1 of the present application. The method flow of the present application in an optional application scenario, and in particular the flow executed by the rights server 302 when a data table is rebuilt, is described in detail below with reference to FIG. 3 and FIG. 4:
The rights server receives permission inheritance requests through the HTTP interface it exposes. Taking ODPS as an example, once events are subscribed to in ODPS, ODPS sends an event to notify the rights server whenever it executes a DDL change. After it is determined that the permission inheritance request contains a DDL event, the following flow begins:
Step A: Analyze the event carried in the received permission inheritance request;
Specifically, in step A above, after the request is received, the event carried in the request is first analyzed to determine whether it is a DDL event.
Step B: Parse the event and determine whether it is a DDL event for rebuilding a table;
Specifically, in step B above, the DDL event is parsed to determine whether the event that triggered the DDL is a data table rebuild; if so, the DDL event is determined to be a table-rebuild DDL event. Further, after the DDL event is determined to be a table-rebuild DDL event, the table information of the rebuilt data table is extracted from the DDL event;
Step C: Query the local database for information related to the table's permission entries;
Specifically, in step C above, the local database holds all records of previous user applications. When parsing determines that the rebuilt table is a data table that a user previously applied for, the prior user authorizations for the table can be queried from the local relational database to obtain the user rights corresponding to the table;
Step D: Re-execute the grant statement;
Specifically, in step D above, the user rights previously set for the table are encapsulated in a statement that the database server can recognize, producing the permission reset statement. The permission reset statement is returned to the database server, which executes it to re-grant the rights.
When step B determines that the event is not a table-rebuild DDL event, and when step D has finished executing, one granting flow ends.
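Steps A to D above, together with the application record kept in step S2052, sketched as an added example (not code from the patent or from ODPS). The JSON event shape, the `table_grants` schema, the privilege list and the GRANT wording are assumptions; because the statement is assembled from event fields, every identifier is validated before use.

```python
import json
import re
import sqlite3

# Assumed event shape (the patent does not define a wire format):
#   {"type": "DDL", "operation": "REBUILD_TABLE", "project": "dw", "table": "table_a"}
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")
ALLOWED_PRIVILEGES = {"SELECT", "DESCRIBE", "UPDATE", "ALTER"}  # assumed list


def open_rights_db():
    """Local relational database holding every successful user application."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE table_grants ("
        " project TEXT, table_name TEXT, user_id TEXT, privilege TEXT,"
        " PRIMARY KEY (project, table_name, user_id, privilege))"
    )
    return db


def record_application(db, project, table, user_id, privilege):
    """Step S2052: store table info, user and right once an application succeeds."""
    db.execute(
        "INSERT OR IGNORE INTO table_grants VALUES (?, ?, ?, ?)",
        (project, table, user_id, privilege),
    )


def _checked_identifier(value, what):
    """Reject anything that is not a plain identifier before it reaches a statement."""
    if not isinstance(value, str) or not IDENTIFIER.fullmatch(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def handle_inheritance_request(db, body):
    """Run steps A-D on one request body; return statements for the database server."""
    event = json.loads(body)
    # Step A: is the carried event a DDL event at all?
    if not isinstance(event, dict) or event.get("type") != "DDL":
        return []
    # Step B: only a table rebuild starts inheritance; a new table has nothing to inherit.
    if event.get("operation") != "REBUILD_TABLE":
        return []
    project = _checked_identifier(event.get("project"), "project")
    table = _checked_identifier(event.get("table"), "table")
    # Step C: look up the historical rights; values are bound, never concatenated.
    rows = db.execute(
        "SELECT user_id, privilege FROM table_grants"
        " WHERE project = ? AND table_name = ? ORDER BY user_id, privilege",
        (project, table),
    ).fetchall()
    # No rows means no user ever applied for this table, so nothing is re-granted.
    statements = []
    for user_id, privilege in rows:
        # Step D: wrap each stored right in a statement the database server can run.
        if privilege not in ALLOWED_PRIVILEGES:
            raise ValueError(f"unexpected privilege in rights database: {privilege!r}")
        user = _checked_identifier(user_id, "user")
        statements.append(
            f"GRANT {privilege} ON TABLE {project}.{table} TO USER {user};"
        )
    return statements


def demo():
    """Constructed sample data: two users applied for dw.table_a, nobody for dw.table_b."""
    db = open_rights_db()
    record_application(db, "dw", "table_a", "alice", "SELECT")
    record_application(db, "dw", "table_a", "alice", "DESCRIBE")
    record_application(db, "dw", "table_a", "bob", "SELECT")
    rebuilt_a = json.dumps({"type": "DDL", "operation": "REBUILD_TABLE",
                            "project": "dw", "table": "table_a"})
    rebuilt_b = json.dumps({"type": "DDL", "operation": "REBUILD_TABLE",
                            "project": "dw", "table": "table_b"})
    return (handle_inheritance_request(db, rebuilt_a),
            handle_inheritance_request(db, rebuilt_b))


if __name__ == "__main__":
    for stmt in demo()[0]:
        print(stmt)
```

The rebuild of `table_b` returns an empty list, which is the "table B" scenario described earlier: no stored application, so no rights are inherited.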
In summary, the embodiment of the present application receives DDL change events through an externally exposed HTTP interface and thereby ensures that the permissions on previously applied-for tables are inherited after a data warehouse table is rebuilt, without affecting users or production. The technical effect is that, after a table is rebuilt, previous users have their earlier table permissions restored by default; this is transparent to users, who do not need to re-apply. At the same time, the table owner no longer needs to track the jobs that depend on the table downstream, which reduces the owner's workload.
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions, but those skilled in the art should understand that the present application is not limited by the described order of actions, because according to the present application some steps may be performed in another order or simultaneously. Second, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present application.
From the description of the above implementations, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. Based on this understanding, the essence of the technical solution of the present application, or the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes several instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to perform the methods described in the embodiments of the present application.
Embodiment 2
According to an embodiment of the present application, a database access rights processing apparatus for implementing the above database access rights processing method is also provided. The apparatus provided by this embodiment can run on a computer terminal.
FIG. 5 is a schematic structural diagram of a database access rights processing apparatus according to Embodiment 2 of the present application. As shown in FIG. 5, the apparatus includes a receiving module 502, a parsing module 504, a query module 506, and a granting module 508, wherein:
the receiving module 502 is configured to receive a permission inheritance request for automatically inheriting access rights, where the permission inheritance request is a request triggered and generated after any data table in the database is rebuilt or deleted;
the parsing module 504 is configured to parse the permission inheritance request and obtain the table information of the rebuilt or deleted data table;
the query module 506 is configured to query, according to the table information of the rebuilt or deleted data table, the user rights corresponding to that data table;
the granting module 508 is configured to re-grant the user rights to the rebuilt or deleted data table in the database.
As can be seen from the above, the receiving module 502, the parsing module 504, the query module 506, and the granting module 508 rely on pre-storing or backing up the user rights of every data table in the database. After a data table in the database is rebuilt or deleted, even if the user access rights of that data table are lost, a permission inheritance request is triggered and generated after the rebuild or deletion; the request is parsed to obtain the table information of the rebuilt or deleted data table, and the user rights corresponding to that data table are then looked up among the pre-stored user rights of each data table. The user rights are thereby re-granted to the rebuilt or deleted data table in the database, which achieves the technical effect of restoring the user rights of the rebuilt or deleted data table in step, and solves the technical problem that re-authorizing users is cumbersome and inefficient because user rights are lost after a table in the data warehouse is deleted or rebuilt. Finally, in one respect, the owner of the data table is freed from the tedious work of re-granting rights after the table is rebuilt or deleted, which greatly reduces the owner's workload; in another respect, users no longer need to re-apply for permission when accessing a rebuilt or deleted data table, which ensures a good user experience; in yet another respect, permission inheritance for rebuilt or deleted data tables is achieved in a timely and efficient manner.
It should be noted here that the receiving module 502, the parsing module 504, the query module 506, and the granting module 508 correspond to steps S202 to S208 in Embodiment 1. The four modules implement the same examples and application scenarios as the corresponding steps, but are not limited to the content disclosed in Embodiment 1. It should also be noted that these modules, as part of the apparatus, can run in the computer terminal 10 provided in Embodiment 1 and can be implemented in software or in hardware.
Optionally, FIG. 6 is a schematic structural diagram of an optional parsing module according to Embodiment 2 of the present application. As shown in FIG. 6, when the permission inheritance request includes a DDL event, the parsing module 504 according to this embodiment includes a parsing unit 602, wherein:
the parsing unit 602 is configured to parse the DDL event to obtain the table information of the data table that was rebuilt or deleted in the database.
As can be seen from the above, the parsing unit 602 provides an optional way of obtaining the table information of the rebuilt or deleted data table: by parsing the permission inheritance request that contains the DDL event, the table information of the rebuilt or deleted data table is read from the permission inheritance request.
It should be noted here that the parsing unit 602 corresponds to step S2042 in Embodiment 1. The module implements the same examples and application scenarios as the corresponding step, but is not limited to the content disclosed in Embodiment 1. It should also be noted that this module, as part of the apparatus, can run in the computer terminal 10 provided in Embodiment 1 and can be implemented in software or in hardware.
Optionally, FIG. 7 is a schematic structural diagram of an optional query module according to Embodiment 2 of the present application. As shown in FIG. 7, the query module 506 according to this embodiment includes a determining unit 702, a query unit 704, and an assignment unit 706, wherein:
判断单元702,用于根据被重建或删除的数据表的表信息判断数据表是否为用户之前申请过的数据表; The determining unit 702 is configured to determine, according to the table information of the reconstructed or deleted data table, whether the data table is a data table that the user has previously applied for;
查询单元704,用于如果被重建或删除的数据表为用户之前申请过的数据表,则从本地关系数据库中查询得到用户之前为数据表设置的历史用户权限;The querying unit 704 is configured to: if the data table that is reconstructed or deleted is a data table that the user has applied for before, query the local relational database to obtain the historical user authority set by the user for the data table;
赋值单元706,用于将用户之前为数据表设置的历史用户权限赋值给被重建或删除的数据表,得到为被重建或删除的数据表重新赋权的用户权限。The assignment unit 706 is configured to assign the historical user authority set by the user for the data table to the reconstructed or deleted data table, and obtain the user authority for re-giving the reconstructed or deleted data table.
由上可知,本申请上述判断单元702、查询单元704以及赋值单元706提供了一种获取被重建或删除的数据表所对应的用户权限,采用首先判断被重建或删除的数据表是否为用户之前申请过的数据表的方式,在判断出没有用户申请过该数据表时则不执行权限继承的操作;在判断出有用户申请过该数据表时,则从预先存储的访问权限数据库中进行历史用户权限查询,将查询到的历史用户权限赋值给被重建或删除的数据表,实现了获得被重建或删除的数据表对应的用户权限。As can be seen from the above, the foregoing determining unit 702, the querying unit 704, and the assigning unit 706 of the present application provide a user right corresponding to obtaining the reconstructed or deleted data table, and first determining whether the reconstructed or deleted data table is the user before The method of applying the data table does not perform the operation of privilege inheritance when it is judged that no user has applied for the data table; when it is determined that the user has applied for the data table, the history is performed from the pre-stored access authority database. The user permission query assigns the queried historical user authority to the reconstructed or deleted data table, and realizes the user right corresponding to the reconstructed or deleted data table.
此处需要说明的是,上述判断单元702、查询单元704以及赋值单元706,对应于实施例一中的步骤S2062至步骤S2066,三个模块与对应的步骤所实现的示例和应用场景相同,但不限于上述实施例一所公开的内容。需要说明的是,上述模块作为装置的一部分可以运行在实施例一提供的计算机终端10中,可以通过软件实现,也可以通过硬件实现。It should be noted that the foregoing determining unit 702, the querying unit 704, and the assigning unit 706 correspond to steps S2062 to S2066 in the first embodiment, and the three modules are the same as the examples and application scenarios implemented by the corresponding steps, but It is not limited to the contents disclosed in the above embodiment 1. It should be noted that the foregoing module may be implemented in the computer terminal 10 provided in the first embodiment as a part of the device, and may be implemented by software or by hardware.
Optionally, FIG. 8 is a schematic structural diagram of an optional database access permission processing apparatus according to Embodiment 2 of the present application. As shown in FIG. 8, the database access permission processing apparatus according to this embodiment further includes a storage module 802, wherein:
The storage module 802 is configured to, if any data table stored in the database has been applied for by a user and the application succeeded, generate and store a set of table information of the data tables that users have applied for; wherein, if the table information of the rebuilt or deleted data table is successfully matched in the stored set of table information of data tables that users have applied for, the rebuilt or deleted data table is determined to be one that a user has previously applied for.
As can be seen from the above, the storage module 802 provides a scheme for pre-storing the table information of the data tables that users have applied for, so that, by querying and comparing, it can be determined whether the rebuilt or deleted data table was previously applied for by a user. This makes it convenient to read the historical user permissions of a data table that was previously applied for by a user and has now been rebuilt or deleted.
It should be noted here that the storage module 802 corresponds to step S2052 in Embodiment 1; the examples and application scenarios implemented by the module are the same as those of the corresponding step, but are not limited to the content disclosed in Embodiment 1. It should also be noted that the module, as part of the apparatus, may run in the computer terminal 10 provided in Embodiment 1, and may be implemented in software or in hardware.
Optionally, FIG. 9 is a schematic structural diagram of an optional granting module according to Embodiment 2 of the present application. As shown in FIG. 9, the granting module 508 according to this embodiment includes a packaging unit 902 and a granting unit 904, wherein:
The packaging unit 902 is configured to package the table information of the rebuilt or deleted data table together with the obtained user permissions corresponding to that data table, obtaining a permission reset statement that the database can recognize;
The granting unit 904 is configured to return the permission reset statement to the server where the database is located, so that the user permissions are re-granted to the rebuilt or deleted data table in the database.
As can be seen from the above, the packaging unit 902 and the granting unit 904 provide a scheme for re-granting permissions to the rebuilt or deleted data table. The permission server takes the obtained permission information and the table information of the data table, generates a permission reset statement in a form that the database can recognize, and sends the permission reset statement to the database server; once the function corresponding to the permission reset statement has been executed, the rebuilt or deleted data table is re-granted its permissions.
It should be noted here that the packaging unit 902 and the granting unit 904 correspond to steps S2082 to S2084 in Embodiment 1; the examples and application scenarios implemented by the two modules are the same as those of the corresponding steps, but are not limited to the content disclosed in Embodiment 1. It should also be noted that the modules, as part of the apparatus, may run in the computer terminal 10 provided in Embodiment 1, and may be implemented in software or in hardware.
Optionally, FIG. 10 is a schematic structural diagram of another optional database access permission processing apparatus according to Embodiment 2 of the present application. As shown in FIG. 10, the database access permission processing apparatus according to this embodiment further includes a trigger module 1002, wherein:
The trigger module 1002 is configured to trigger the system to automatically generate the permission inheritance request after any data table in the database is rebuilt or deleted.
As can be seen from the above, the trigger module 1002 provides an optional scheme by which the database server generates the permission inheritance request: operations on the data tables in the database are monitored, so that when a data table is rebuilt or deleted, the system is triggered to automatically generate the permission inheritance request.
It should be noted here that the trigger module 1002 corresponds to step S201 in Embodiment 1; the examples and application scenarios implemented by the module are the same as those of the corresponding step, but are not limited to the content disclosed in Embodiment 1. It should also be noted that the module, as part of the apparatus, may run in the computer terminal 10 provided in Embodiment 1, and may be implemented in software or in hardware.
The preferred implementations provided in Embodiment 2 above are the same as the optional schemes and application-scenario implementation processes of the method embodiment provided in Embodiment 1, but are not limited to the schemes provided in Embodiment 1.
Embodiment 3
According to an embodiment of the present application, a database access permission processing system is also provided. FIG. 11 is a schematic structural diagram of the database access permission processing system according to Embodiment 3 of the present application.
As shown in FIG. 11, the database access permission processing system includes a database server 111 and a permission processing system 113, wherein:
The database server 111 is configured to store the database and, after any data table in the database is rebuilt or deleted, to trigger generation of a permission inheritance request for automatically inheriting access permissions;
The permission processing system 113 is configured to receive and parse the permission inheritance request, obtain the table information of the rebuilt or deleted data table, and, after querying the user permissions corresponding to the rebuilt or deleted data table according to that table information, re-grant the user permissions to the rebuilt or deleted data table in the database.
Specifically, any data table in the database may have a preset access permission attribute, which may include any one or more of the following permissions: read permission, write permission, delete permission, modify permission, and so on. Rebuilding and deleting are modification operations on the data tables contained in the database. After a data table is rebuilt or deleted, the access permissions previously set for it in the database may be lost, so that the user's next access to the modified or deleted data table is denied, which affects the user's normal use.
Specifically, the database server 111 has a communication relationship with the computer terminal 10 shown in FIG. 1. When a data table in the database is operated on, a trigger in the database can be fired, and the trigger sends out information carrying the specific content of the operation. By monitoring operations such as the creation, modification or deletion of data tables in the database, a request for starting the access permission inheritance of the rebuilt or deleted data table is automatically generated after any data table in the database is rebuilt or deleted.
Specifically, when the permission processing system 113 confirms that the operation content carried in the permission inheritance request is rebuilding or deleting a data table, it reads the table information of the rebuilt or deleted data table from the permission inheritance request; when the operation content carried in the request is neither a rebuild nor a deletion, the step of inheriting the data table's access permissions is not performed. By accessing the pre-stored user permission data, the permission processing system 113 performs a traversal query over that data based on the table information of the rebuilt or deleted data table, and obtains the user permissions corresponding to the table information.
Specifically, the permission processing system 113 packages the table information of the rebuilt or deleted data table together with the obtained user permissions corresponding to that data table, obtaining a permission reset statement that the database can recognize, and returns the permission reset statement to the server where the database is located, so that the user permissions are re-granted to the rebuilt or deleted data table in the database.
It should be noted here that, in an optional application scenario and with reference to FIG. 3 and FIG. 11, the permission processing system 113 shown in FIG. 11 may include the permission server 302 and the local database 303 shown in FIG. 3.
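The flow described above (parse the DDL event, check whether the table was previously applied for, look up the historical permissions, package a permission reset statement) is sketched below as an added example; it is not code from the patent. The SQLite schema standing in for the local database, the GRANT form of the reset statement, the mapping of read/write/delete/modify to SQL keywords and all function names are assumptions.

```python
import re
import sqlite3

# Assumption: the four permissions named in the text map to these SQL keywords.
PRIV_KEYWORDS = {"read": "SELECT", "write": "INSERT",
                 "delete": "DELETE", "modify": "UPDATE"}
# Only plain identifiers are accepted, because these names end up in SQL text.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Assumption: a rebuild arrives as CREATE TABLE and a deletion as DROP TABLE.
DDL = re.compile(
    r"\s*(CREATE|DROP)\s+TABLE\s+(?:IF\s+(?:NOT\s+)?EXISTS\s+)?([^\s(;]+)", re.I)


def parse_ddl_event(ddl):
    """Step S2042: return (operation, table), or None if not a rebuild/delete."""
    m = DDL.match(ddl)
    if m is None:
        return None  # e.g. ALTER or INSERT: no permission inheritance
    table = m.group(2)
    if not IDENT.fullmatch(table):
        raise ValueError("rejected table name: %r" % table)
    return m.group(1).upper(), table


def open_local_store():
    """In-memory stand-in for the local relational database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applied_tables (table_name TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE history "
               "(table_name TEXT, user_name TEXT, privilege TEXT)")
    return db


def record_application(db, table, user, privileges):
    """Step S2052: remember a successful application and what was granted."""
    db.execute("INSERT OR IGNORE INTO applied_tables VALUES (?)", (table,))
    db.executemany("INSERT INTO history VALUES (?, ?, ?)",
                   [(table, user, p) for p in privileges])


def lookup_history(db, table):
    """Steps S2062-S2066: {user: [privileges]}, or {} if never applied for."""
    hit = db.execute("SELECT 1 FROM applied_tables WHERE table_name = ?",
                     (table,)).fetchone()
    if hit is None:
        return {}
    grants = {}
    for user, priv in db.execute(
            "SELECT user_name, privilege FROM history WHERE table_name = ?",
            (table,)):
        grants.setdefault(user, []).append(priv)
    return grants


def build_reset_statements(table, grants):
    """Step S2082: package table info and permissions into reset statements."""
    statements = []
    for user in sorted(grants):
        if not IDENT.fullmatch(user):
            raise ValueError("rejected user name: %r" % user)
        unknown = set(grants[user]) - set(PRIV_KEYWORDS)
        if unknown:
            raise ValueError("unknown privilege(s): %s" % sorted(unknown))
        keywords = sorted({PRIV_KEYWORDS[p] for p in grants[user]})
        statements.append('GRANT %s ON "%s" TO "%s"'
                          % (", ".join(keywords), table, user))
    return statements


def handle_inheritance_request(db, ddl):
    """Whole flow; the returned statements are what step S2084 would send.
    Whether a GRANT on a dropped table is accepted depends on the database."""
    parsed = parse_ddl_event(ddl)
    if parsed is None:
        return []
    _, table = parsed
    return build_reset_statements(table, lookup_history(db, table))


if __name__ == "__main__":
    store = open_local_store()
    # Constructed sample data, not taken from the patent.
    record_application(store, "orders", "alice", ["read", "write"])
    for stmt in handle_inheritance_request(store, "CREATE TABLE orders (id INT)"):
        print(stmt)
```

Stored history is written to SQL text only after the table name, user name and privilege have each passed an allow-list check, so a malformed name in a DDL event or in the local database cannot change the shape of the reset statement.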
As can be seen from the above, in the scheme provided in Embodiment 3, the user permissions of each data table in the database are pre-stored or backed up. After a data table in the database is rebuilt or deleted, even if the user access permissions of that data table are lost, a permission inheritance request is triggered and generated after the rebuild or deletion; the request is parsed to obtain the table information of the rebuilt or deleted data table, and the user permissions corresponding to that data table are then queried from the pre-stored user permissions of each data table. The user permissions are re-granted to the rebuilt or deleted data table in the database, which achieves the technical effect of restoring the user permissions of the rebuilt or deleted data table in step, and thus solves the technical problem that re-authorizing users is cumbersome and inefficient because user permissions are lost after a table in the data warehouse is deleted or rebuilt. Ultimately, on the one hand, the owner of a data table is freed from the tedious work of re-granting permissions after the table is rebuilt or deleted, which greatly reduces the owner's workload; on the other hand, users no longer need to apply for permissions again when accessing a rebuilt or deleted data table, which ensures a good user experience; and furthermore, timely and efficient permission inheritance for rebuilt or deleted data tables is achieved.
The preferred implementations provided in Embodiment 3 above are the same as the optional schemes and application-scenario implementation processes provided in Embodiment 1, but are not limited to the schemes provided in Embodiment 1.
Embodiment 4
An embodiment of the present application may provide a computer terminal, which may be any computer terminal device in a group of computer terminals. Optionally, in this embodiment, the computer terminal may also be replaced by a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute program code for the following steps of the application vulnerability detection method: receiving a permission inheritance request for automatically inheriting access permissions, wherein the permission inheritance request is a request triggered and generated after any data table in the database is rebuilt or deleted; parsing the permission inheritance request to obtain the table information of the rebuilt or deleted data table; querying, according to the table information of the rebuilt or deleted data table, the user permissions corresponding to that data table; and re-granting the user permissions to the rebuilt or deleted data table in the database.
Optionally, FIG. 12 is a structural block diagram of a computer terminal according to an embodiment of the present application. As shown in FIG. 12, the computer terminal A may include one or more processors (only one is shown in the figure), a memory, and a transmission apparatus.
The memory may be used to store software programs and modules, such as the program instructions/modules corresponding to the security vulnerability detection method and apparatus in the embodiments of the present application. By running the software programs and modules stored in the memory, the processor executes various functional applications and data processing, that is, implements the above method for detecting system vulnerability attacks. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, and such remote memory may be connected to the terminal A through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor may call, through the transmission apparatus, the information and application programs stored in the memory to perform the following steps: receiving a permission inheritance request for automatically inheriting access permissions, wherein the permission inheritance request is a request triggered and generated after any data table in the database is rebuilt or deleted; parsing the permission inheritance request to obtain the table information of the rebuilt or deleted data table; querying, according to the table information of the rebuilt or deleted data table, the user permissions corresponding to that data table; and re-granting the user permissions to the rebuilt or deleted data table in the database.
Optionally, the processor may further execute program code for the following step: parsing the DDL event to obtain the table information of the data table that was rebuilt or deleted in the database.
Optionally, the processor may further execute program code for the following steps: determining, according to the table information of the rebuilt or deleted data table, whether the data table is one that a user has previously applied for; if the rebuilt or deleted data table is one that a user has previously applied for, querying the local relational database to obtain the historical user permissions that the user previously set for the data table; and assigning the historical user permissions that the user previously set for the data table to the rebuilt or deleted data table, obtaining the user permissions to be re-granted to the rebuilt or deleted data table.
Optionally, the processor may further execute program code for the following step: if any data table stored in the database has been applied for by a user and the application succeeded, generating and storing a set of table information of the data tables that users have applied for; wherein, if the table information of the rebuilt or deleted data table is successfully matched in the stored set of table information of data tables that users have applied for, the rebuilt or deleted data table is determined to be one that a user has previously applied for.
Optionally, the processor may further execute program code for the following steps: packaging the table information of the rebuilt or deleted data table together with the obtained user permissions corresponding to that data table, obtaining a permission reset statement that the database can recognize; and returning the permission reset statement to the server where the database is located, so that the user permissions are re-granted to the rebuilt or deleted data table in the database.
Optionally, the processor may further execute program code for the following step: after any data table in the database is rebuilt or deleted, triggering the system to automatically generate the permission inheritance request.
With the embodiments of the present application, the user permissions of each data table in the database are pre-stored or backed up. After a data table in the database is rebuilt or deleted, even if the user access permissions of that data table are lost, a permission inheritance request is triggered and generated after the rebuild or deletion; the request is parsed to obtain the table information of the rebuilt or deleted data table, and the user permissions corresponding to that data table are then queried from the pre-stored user permissions of each data table. The user permissions are re-granted to the rebuilt or deleted data table in the database, which achieves the technical effect of restoring the user permissions of the rebuilt or deleted data table in step, and thus solves the technical problem that re-authorizing users is cumbersome and inefficient because user permissions are lost after a table in the data warehouse is deleted or rebuilt. Ultimately, on the one hand, the owner of a data table is freed from the tedious work of re-granting permissions after the table is rebuilt or deleted, which greatly reduces the owner's workload; on the other hand, users no longer need to apply for permissions again when accessing a rebuilt or deleted data table, which ensures a good user experience; and furthermore, timely and efficient permission inheritance for rebuilt or deleted data tables is achieved.
Those of ordinary skill in the art will understand that the structure shown in FIG. 12 is only illustrative; the computer terminal may also be a terminal device such as a smartphone (for example an Android phone or an iOS phone), a tablet computer, a palmtop computer, a Mobile Internet Device (MID) or a PAD. FIG. 12 does not limit the structure of the above electronic apparatus. For example, the computer terminal A may include more or fewer components than shown in FIG. 12 (such as a network interface or a display apparatus), or have a configuration different from that shown in FIG. 12.
Those of ordinary skill in the art will understand that all or some of the steps of the methods in the above embodiments may be completed by a program instructing hardware related to a terminal device. The program may be stored in a computer-readable storage medium, and the storage medium may include a flash drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, and the like.
Embodiment 5
An embodiment of the present application also provides a storage medium. Optionally, in this embodiment, the storage medium may be used to store the program code executed by the database access permission processing method provided in Embodiment 1.
Optionally, in this embodiment, the storage medium may be located in any computer terminal of a group of computer terminals in a computer network, or in any mobile terminal of a group of mobile terminals.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: receiving a permission inheritance request for automatically inheriting access permissions, wherein the permission inheritance request is a request triggered and generated after any data table in the database is rebuilt or deleted; parsing the permission inheritance request to obtain the table information of the rebuilt or deleted data table; querying, according to the table information of the rebuilt or deleted data table, the user permissions corresponding to that data table; and re-granting the user permissions to the rebuilt or deleted data table in the database.
Optionally, the storage medium is further configured to store program code for performing the following step: parsing the DDL event to obtain the table information of the data table that was rebuilt or deleted in the database.
Optionally, the storage medium is further configured to store program code for performing the following steps: determining, according to the table information of the rebuilt or deleted data table, whether the data table is one that a user has previously applied for; if the rebuilt or deleted data table is one that a user has previously applied for, querying the local relational database to obtain the historical user permissions that the user previously set for the data table; and assigning the historical user permissions that the user previously set for the data table to the rebuilt or deleted data table, obtaining the user permissions to be re-granted to the rebuilt or deleted data table.
Optionally, the storage medium is further configured to store program code for performing the following step: if any data table stored in the database has been applied for by a user and the application succeeded, generating and storing a set of table information of the data tables that users have applied for; wherein, if the table information of the rebuilt or deleted data table is successfully matched in the stored set of table information of data tables that users have applied for, the rebuilt or deleted data table is determined to be one that a user has previously applied for.
Optionally, the storage medium is further configured to store program code for performing the following steps: packaging the table information of the rebuilt or deleted data table together with the obtained user permissions corresponding to that data table, obtaining a permission reset statement that the database can recognize; and returning the permission reset statement to the server where the database is located, so that the user permissions are re-granted to the rebuilt or deleted data table in the database.
Optionally, the storage medium is further configured to store program code for performing the following step: after any data table in the database is rebuilt or deleted, triggering the system to automatically generate the permission inheritance request.
The serial numbers of the foregoing embodiments of the present application are for description only and do not indicate the relative merits of the embodiments.
In the foregoing embodiments of the present application, the description of each embodiment has its own emphasis; for parts not detailed in one embodiment, refer to the related descriptions of other embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function; in an actual implementation there may be other ways of dividing them, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present application. The foregoing storage medium includes various media that can store program code, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disk.
The above is only a preferred embodiment of the present application. It should be noted that those of ordinary skill in the art may make a number of improvements and refinements without departing from the principles of the present application, and these improvements and refinements should also be regarded as falling within the scope of protection of the present application.

Claims (13)

  1. A method for processing database access rights, comprising:
    receiving a permission inheritance request for automatically inheriting access rights, wherein the permission inheritance request is a request triggered and generated after any data table in a database is rebuilt or deleted;
    parsing the permission inheritance request to obtain table information of the rebuilt or deleted data table;
    querying, according to the table information of the rebuilt or deleted data table, the user rights corresponding to the rebuilt or deleted data table; and
    re-granting the user rights to the rebuilt or deleted data table in the database.
  2. The method according to claim 1, wherein the permission inheritance request includes a DDL event, and the step of parsing the permission inheritance request to obtain the table information of the rebuilt or deleted data table comprises: parsing the DDL event to obtain the table information of the rebuilt or deleted data table in the database.
  3. The method according to claim 2, wherein querying, according to the table information of the rebuilt or deleted data table, the user rights corresponding to the rebuilt or deleted data table comprises:
    determining, according to the table information of the rebuilt or deleted data table, whether the data table is a data table that the user previously applied for;
    if the rebuilt or deleted data table is a data table that the user previously applied for, querying a local relational database to obtain the historical user rights that the user previously set for the data table; and
    assigning the historical user rights that the user previously set for the data table to the rebuilt or deleted data table, to obtain the user rights to be re-granted for the rebuilt or deleted data table.
  4. The method according to claim 3, wherein before determining, according to the table information of the data table, whether the data table is a data table that the user previously applied for, the method further comprises:
    if any data table saved in the database has been applied for by a user and the application succeeded, generating and storing a table information set of the data tables that the user previously applied for;
    wherein, if the table information of the rebuilt or deleted data table is successfully matched in the stored table information set of the data tables applied for by the user, the rebuilt or deleted data table is determined to be a data table that the user previously applied for.
  5. The method according to claim 1, wherein re-granting the user rights to the rebuilt or deleted data table in the database comprises:
    encapsulating the table information of the rebuilt or deleted data table together with the obtained user rights corresponding to the rebuilt or deleted data table, to obtain a permission reset statement that the database can recognize; and
    returning the permission reset statement to the server where the database is located, so that the user rights are re-granted to the rebuilt or deleted data table in the database.
  6. The method according to any one of claims 1 to 5, wherein before receiving the permission inheritance request for automatically inheriting access rights, the method further comprises:
    after any data table in the database is rebuilt or deleted, triggering the system to automatically generate the permission inheritance request.
  7. A device for processing database access rights, comprising:
    a receiving module, configured to receive a permission inheritance request for automatically inheriting access rights, wherein the permission inheritance request is a request triggered and generated after any data table in a database is rebuilt or deleted;
    a parsing module, configured to parse the permission inheritance request to obtain table information of the rebuilt or deleted data table;
    a query module, configured to query, according to the table information of the rebuilt or deleted data table, the user rights corresponding to the rebuilt or deleted data table; and
    a granting module, configured to re-grant the user rights to the rebuilt or deleted data table in the database.
  8. The device according to claim 7, wherein the permission inheritance request includes a DDL event, and the parsing module comprises: a parsing unit, configured to parse the DDL event to obtain the table information of the rebuilt or deleted data table in the database.
  9. The device according to claim 8, wherein the query module comprises:
    a determining unit, configured to determine, according to the table information of the rebuilt or deleted data table, whether the data table is a data table that the user previously applied for;
    a query unit, configured to, if the rebuilt or deleted data table is a data table that the user previously applied for, query a local relational database to obtain the historical user rights that the user previously set for the data table; and
    an assignment unit, configured to assign the historical user rights that the user previously set for the data table to the rebuilt or deleted data table, to obtain the user rights to be re-granted for the rebuilt or deleted data table.
  10. The device according to claim 9, wherein the device further comprises:
    a storage module, configured to, if any data table saved in the database has been applied for by a user and the application succeeded, generate and store a table information set of the data tables applied for by the user;
    wherein, if the table information of the rebuilt or deleted data table is successfully matched in the stored table information set of the data tables that the user previously applied for, the rebuilt or deleted data table is determined to be a data table that the user previously applied for.
  11. The device according to claim 7, wherein the granting module comprises:
    an encapsulation unit, configured to encapsulate the table information of the rebuilt or deleted data table together with the obtained user rights corresponding to the rebuilt or deleted data table, to obtain a permission reset statement that the database can recognize; and
    a granting unit, configured to return the permission reset statement to the server where the database is located, so that the user rights are re-granted to the rebuilt or deleted data table in the database.
  12. The device according to any one of claims 7 to 11, wherein the device further comprises:
    a triggering module, configured to trigger the system to automatically generate the permission inheritance request after any data table in the database is rebuilt or deleted.
  13. A system for processing database access rights, comprising:
    a database server, configured to store a database and, after any data table in the database is rebuilt or deleted, trigger generation of a permission inheritance request for automatically inheriting access rights; and
    a permission processing system, configured to receive and parse the permission inheritance request to obtain table information of the rebuilt or deleted data table and, after querying, according to the table information of the rebuilt or deleted data table, the user rights corresponding to the rebuilt or deleted data table, re-grant the user rights to the rebuilt or deleted data table in the database.
PCT/CN2016/092672 2015-08-10 2016-08-01 Database access right processing method, device, and system WO2017024956A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510486696.8 2015-08-10
CN201510486696.8A CN106407757B (en) 2015-08-10 2015-08-10 The access authority processing method of database, apparatus and system

Publications (1)

Publication Number Publication Date
WO2017024956A1 true WO2017024956A1 (en) 2017-02-16

Family

ID=57982979

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/092672 WO2017024956A1 (en) 2015-08-10 2016-08-01 Database access right processing method, device, and system

Country Status (2)

Country Link
CN (1) CN106407757B (en)
WO (1) WO2017024956A1 (en)

Also Published As

Publication number Publication date
CN106407757B (en) 2019-08-13
CN106407757A (en) 2017-02-15

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16834580

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16834580

Country of ref document: EP

Kind code of ref document: A1