CN107657182B - Method for enhancing reliability of media data authority control
- Publication number: CN107657182B
- Application number: CN201710972256.2A
- Authority: CN (China)
- Prior art keywords: user, authority, authorization information, processing engine, white list
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a method for enhancing the reliability of media data authority control, comprising the following steps: authorization is performed; the user initiates an authentication request and, if the authentication succeeds, the object processing engine returns a usertoken value to the user; the user passes the obtained usertoken value to the control program; the control program requests authorization information from the object processing engine; the object processing engine returns the authorization information to the control program; the control program sets the authorization information into the driver; and the driver judges the user authority according to the authorization information. By using the object processing engine and the control program to control the user's data access process, the scheme implements both authority management and data access, binds the service user to the storage user so that their authorities are consistent, and thereby enhances security and reliability.
Description
Technical Field
The present invention relates to a media data processing method, and more particularly, to a method for enhancing reliability of media data rights control.
Background
The existing media data authority control method applies a single authority control at the service layer and sets file access authority through the traditional authority control method of the file system. Such an authority control method has the following three disadvantages:
1) Poor security and reliability: the conventional media data authority control method exerts only weak control over metadata and files. For media data in the radio and television industry, authority control is mostly applied to the material, while control over file-level operations such as writing and reading is limited, so safe and reliable authority control cannot be provided for users.
2) Separated authority: the existing media data authority control method separates the authorities of the service user and the storage user, so they cannot be managed uniformly.
3) Inaccurate capacity control: the user's storage space quota is not subject to accurate real-time statistical control, so the files written by a user can occupy excessive space and quota usage becomes chaotic.
Disclosure of Invention
The object of the invention is as follows: in the existing media data authority control method, a service user can only access metadata, a storage user can only access files, and the authorities of the service user and the storage user are separated from each other, so control over metadata and files is weak and security and reliability are poor. The invention provides a method for enhancing the reliability of media data authority control to solve this problem.
The technical scheme adopted by the invention is as follows:
A method for enhancing reliability of rights control for media data, comprising the following steps:
(1) authorization: media service authorization and process white list setting are carried out through an object processing engine, and authorization information is obtained;
(2) the user, namely the authentication user, initiates an authentication request, and if the authentication is successful, the object processing engine returns a usertoken value to the user;
(3) the user transmits the obtained usertoken value to the control program;
(4) the control program requests authorization information from the object processing engine;
(5) the object processing engine returns authorization information to the control program;
(6) the control program sets the authorization information into the driver;
(7) the driver judges the user authority according to the authorization information; if the user authority is legal, the corresponding operation is executed on the storage and step (8) is then executed; otherwise, the operation is refused;
(8) the driver feeds back the information of the file operation to the control program.
Further, the driver includes the following functions: IRP_CREATE creates and opens files and folders, IRP_READ reads files, IRP_WRITE writes files, IRP_CLOSE closes files, and IRP_SET_INFORMATION renames and deletes files.
Further, the authorization information includes user white lists, managed UNC paths, and allowed actions.
Further, the media service authorization step in step (1) is:
(111) assigning to the DB role the authority to obtain the file access path;
(112) allocating a storage space quota size to the Unit folder;
(113) assigning file operation permissions, including file reading, file writing and file deleting, to the Unit folder;
(114) assigning DB roles to service users;
(115) establishing a correspondence between a storage user and a Unit folder;
(116) binding the service users and the storage users one to one.
Further, the process white list in step (1) is set as follows:
(121) a process white list is set in the object processing engine;
(122) the object processing engine sends the process white list information to the driver;
(123) a process initiates an access request;
(124) the driver filters and intercepts requests according to the process white list information, allowing the access request if the process belongs to the white list and refusing it if the process does not.
Further, the user authority judging step is as follows:
(71) the authentication program obtains, from the role of the authentication user in step (2), the authority corresponding to that role;
(72) the authentication program records in memory the role authority of the user acquired in step (1) and returns an access path to the user side;
(73) the user side initiates a request to access the material according to the access path returned in step (72);
(74) the authentication program judges the legality of the user request against the recorded role authority, that is, it judges whether the user request falls within the authorization information; if it does, the user authority is judged to be legal, otherwise the user authority is illegal.
In summary, by adopting the above technical scheme, the invention has the following beneficial effects:
1. Strong security and reliability: the scheme combines flexible and powerful secure access mechanisms such as authentication, authorization and white lists. The user is authenticated by combining the white list mechanism with the authorization mechanism and is granted the access authority of the storage process, which enhances the security and reliability of the media data.
2. Unified authority: to avoid the situation in which the authorities of service-layer users and storage-layer users are separated and cannot be managed uniformly, the scheme binds service users and storage users one to one, unifying DB authority and storage authority; through the binding established with the storage user, a service user can perform operations within the corresponding authority.
3. Accurate capacity control: the user's operations are fed back to the control program through the driver's IRP_WRITE, and the control program keeps accurate real-time statistics of the capacity of the user's storage space, so that the application program's file writes are subject to capacity control.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a general flow diagram of the present invention;
FIG. 2 is an authorization flow diagram of the present invention;
FIG. 3 is a flow chart of authentication of the present invention;
FIG. 4 is a flow chart of the white list process of the present invention.
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
The present invention will be described in detail with reference to fig. 1, 2, 3 and 4.
In this scheme, the service user is the user who accesses metadata in prior-art media data access; the storage user is the user who accesses files in prior-art media data access.
A method for enhancing reliability of rights control for media data, comprising the following steps:
(1) authorization: media service authorization and process white list setting are carried out through an object processing engine, and authorization information is obtained;
(2) the user initiates an authentication request (the user initiating the authentication request is the authentication user), and if the authentication is successful, the object processing engine returns a usertoken value to the user;
(3) the user transmits the obtained usertoken value to the control program; the control program controls the authorization process, acting as a pipeline that transmits the usertoken to the object processing engine, calculates the authorization information and returns the authorization information to the driver;
(4) the control program requests authorization information from the object processing engine;
(5) the object processing engine returns authorization information to the control program;
(6) the control program sets the authorization information into the driver;
(7) the driver judges the user authority according to the authorization information; if the user authority is legal, the corresponding operation is executed on the storage and step (8) is then executed; otherwise, the operation is refused;
(8) the driver feeds back the information of the file operation to the control program. Here, IRP_WRITE allows the storage space capacity of the user to be counted accurately and fed back.
The driver: IRP_CREATE creates and opens files and folders, IRP_READ reads files, IRP_WRITE writes files, IRP_CLOSE closes files, and IRP_SET_INFORMATION renames and deletes files.
Further, the authorization information includes user white lists, managed UNC paths, allowed actions, and other authorization information that will occur to those of skill in the art.
Given the characteristics of media services, the media material consists of metadata stored in the database (DB) and files stored in the storage. Therefore, when authorization is performed, service users and storage users are bound one to one, and the authority of the DB role and the storage user's authority over the Unit folder are granted to users in a "role + permission" manner, so that the authorities of service users and storage users are controlled uniformly. The authorization flowchart is shown in FIG. 2.
Further, the media service authorization step is:
(111) assigning to the DB role the authority to obtain the file access path;
(112) allocating a storage space quota size to the Unit folder;
(113) assigning file operation permissions, including file reading, file writing and file deleting, to the Unit folder;
(114) assigning DB roles to service users;
(115) establishing a correspondence between a storage user and a Unit folder;
(116) binding the service users and the storage users one to one.
The white list in the authorization information is set as follows:
(121) a process white list is set in the object processing engine;
(122) the object processing engine sends the process white list information to the driver;
(123) a process initiates an access request;
(124) the driver filters and intercepts requests according to the process white list information, allowing the access request if the process belongs to the white list and refusing it if the process does not.
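As an added illustration (not code from the patent or from any product), the following user-space C model shows the checks the driver performs in steps (124) and (7) and the write accounting fed back in step (8). The structure and function names, the sample process names, the user name and the UNC path are all assumptions. The example also goes beyond the text by matching the managed UNC path on a component boundary, rejecting `..` components, and refusing by default.

```c
/* User-space model of the driver's checks in steps (124), (7) and (8).
 * Added illustration: not kernel code and not the patent's implementation. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { ACT_READ = 1, ACT_WRITE = 2, ACT_DELETE = 4 };   /* allowed actions */
enum verdict { ALLOW, DENY_PROCESS, DENY_USER, DENY_PATH, DENY_ACTION, DENY_QUOTA };

struct auth_info {                   /* one user white-list entry, set in step (6) */
    const char *user;                /* storage user bound to a service user */
    const char *unc_root;            /* managed UNC path, no trailing backslash */
    unsigned actions;                /* bitmask of ACT_* */
    unsigned long long quota, used;  /* Unit folder quota and bytes accounted */
};

/* Case-insensitive equality of the first n characters (stops at the NUL). */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
        if (a[i] == '\0') break;
    }
    return 1;
}

/* 1 if some path component is exactly "..". */
static int has_dotdot(const char *p) {
    for (const char *s = p; (s = strstr(s, "..")) != NULL; s += 2)
        if ((s == p || s[-1] == '\\') && (s[2] == '\0' || s[2] == '\\')) return 1;
    return 0;
}

/* 1 if path is the managed root or lies below it, on a component boundary. */
static int under_root(const char *root, const char *path) {
    size_t n = strlen(root);
    if (has_dotdot(path) || !ieq_n(root, path, n)) return 0;
    return path[n] == '\0' || path[n] == '\\';
}

/* Every check fails closed: anything not explicitly authorized is refused. */
enum verdict driver_check(const char *const *wl, size_t n_wl,
                          struct auth_info *ai, size_t n_ai,
                          const char *process, const char *user,
                          const char *path, unsigned action,
                          unsigned long long write_len) {
    size_t i;
    for (i = 0; i < n_wl && !ieq_n(wl[i], process, (size_t)-1); i++) {}
    if (i == n_wl) return DENY_PROCESS;              /* step (124) */
    for (i = 0; i < n_ai && !ieq_n(ai[i].user, user, (size_t)-1); i++) {}
    if (i == n_ai) return DENY_USER;                 /* not in user white list */
    if (!under_root(ai[i].unc_root, path)) return DENY_PATH;
    if (action == 0 || (ai[i].actions & action) != action) return DENY_ACTION;
    if (action & ACT_WRITE) {
        if (ai[i].used > ai[i].quota || write_len > ai[i].quota - ai[i].used)
            return DENY_QUOTA;
        ai[i].used += write_len;                     /* step (8) feedback */
    }
    return ALLOW;
}

/* Constructed sample policy; every name below is made up. */
static const char *const sample_wl[] = { "editor.exe", "transcoder.exe" };
static struct auth_info sample_ai[] = {
    { "stor_alice", "\\\\nas01\\media\\UnitA", ACT_READ | ACT_WRITE, 1000, 900 },
};

int main(void) {
    const char *p = "\\\\nas01\\media\\UnitA\\clip.mxf";
    printf("%d\n", driver_check(sample_wl, 2, sample_ai, 1, "editor.exe",
                                "stor_alice", p, ACT_WRITE, 50));
    return 0;
}
```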
Further, the user authority judging step is as follows:
(71) the authentication program obtains the authority corresponding to the role by calculating from the role of the authentication user in step (2); when the authority of the authenticated user is calculated, the role list of the user is first obtained and merged, and the authority owned by the user is then obtained by combining the access authorities bound to the roles;
(72) the authentication program records in memory the role authority of the user acquired in step (1) and returns an access path to the user side;
(73) the user side initiates a request to access the material according to the access path returned in step (72);
(74) the authentication program judges the legality of the user request against the recorded role authority, that is, it judges whether the user request falls within the authorization information; if it does, the user authority is judged to be legal, otherwise the user authority is illegal.
Claims (5)
1. A method for enhancing reliability of rights control for media data, comprising the following steps:
(1) authorization: media service authorization and process white list setting are carried out through an object processing engine, and authorization information is obtained;
the media service authorization steps are as follows:
(111) assigning to the DB role the authority to obtain the file access path;
(112) allocating a storage space quota size to the Unit folder;
(113) assigning file operation permissions, including file reading, file writing and file deleting, to the Unit folder;
(114) assigning DB roles to service users;
(115) establishing a correspondence between a storage user and a Unit folder;
(116) binding the service users and the storage users one to one;
(2) the user, namely the authentication user, initiates an authentication request, and if the authentication is successful, the object processing engine returns a usertoken value to the user;
(3) the user transmits the obtained usertoken value to the control program;
(4) the control program requests authorization information from the object processing engine;
(5) the object processing engine returns authorization information to the control program;
(6) the control program sets the authorization information into the driver;
(7) the driver judges the user authority according to the authorization information; if the user authority is legal, the corresponding operation is executed on the storage and step (8) is then executed; otherwise, the operation is refused;
(8) the driver feeds back the information of the file operation to the control program.
2. The method of claim 1, wherein the driver comprises the following functions: IRP_CREATE creates and opens files and folders, IRP_READ reads files, IRP_WRITE writes files, IRP_CLOSE closes files, and IRP_SET_INFORMATION renames and deletes files.
3. The method of claim 1, wherein the authorization information comprises a user white list, a managed UNC path, and allowed actions.
4. A method for enhancing reliability of media data right control according to any of claims 1-3, wherein the step of setting the process white list in step (1) is:
(121) a process white list is set in the object processing engine;
(122) the object processing engine sends the process white list information to the driver;
(123) a process initiates an access request;
(124) the driver filters and intercepts requests according to the process white list information, allowing the access request if the process belongs to the white list and refusing it if the process does not.
5. The method of claim 1, wherein the step of determining the user's right comprises:
(71) the authentication program obtains the authority corresponding to the role by calculating from the role of the authentication user in step (2);
(72) the authentication program records in memory the role authority of the user acquired in step (1) and returns an access path to the user side;
(73) the user side initiates a request to access the material according to the access path returned in step (72);
(74) the authentication program judges the legality of the user request against the recorded role authority, that is, it judges whether the user request falls within the authorization information; if it does, the user authority is judged to be legal, otherwise the user authority is illegal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710972256.2A CN107657182B (en) | 2017-10-18 | 2017-10-18 | Method for enhancing reliability of media data authority control |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107657182A (en) | 2018-02-02 |
CN107657182B (en) | 2020-12-01 |
Family
ID=61118400
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710972256.2A (Active) CN107657182B (en) | 2017-10-18 | 2017-10-18 | Method for enhancing reliability of media data authority control |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107657182B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN107657182A (en) | 2018-02-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||