CN108881309A - Access method, device, electronic equipment and readable storage medium of a big data platform - Google Patents

Info

Publication number: CN108881309A
Authority: CN (China)
Application number: CN201810925077.8A
Other languages: Chinese (zh)
Inventor: 王小勇
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd
Legal status: Pending
Prior art keywords: access, big data, client device, data platform, current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

Embodiments of the present application provide an access method, device, electronic equipment and readable storage medium for a big data platform. The method includes: when an access request for the big data platform sent by a client device is received, obtaining the current access identifier of the client device, where the current access identifier identifies both the client device and the current user of the client device; querying a preconfigured access whitelist file according to the current access identifier, and, if the current access identifier exists in the access whitelist file, accepting the client device's access to the big data platform. The solution of the embodiments decides whether to accept a client device's access to the big data platform based on whether the device's access identifier is in the access whitelist file. Because the access identifier identifies the device and the device's current user at the same time, the solution effectively guarantees the security of access to the big data platform.

Description

Access method, device, electronic equipment and readable storage medium of a big data platform

Technical field

The present application relates to the technical field of big data, and in particular to an access method, device, electronic equipment and readable storage medium of a big data platform.

Background

Big data technology refers to the ability to quickly obtain valuable information from many different types of data. A big data platform integrates data ingestion, data processing, data storage, query and retrieval, analysis and mining, and application interfaces into one platform.

With the development of big data technology, enterprise use of big data platforms has become increasingly common. When internal enterprise users access a big data platform, their access must first be verified. Because the enterprise's internal network environment is trusted, and internal users need to access the big data platform frequently, a commonly used verification scheme is to use the domain account of the client device used by the user as the user account for accessing the big data platform. The user logs in to the current client device through the operating system, and when the user issues a request to access the big data platform, the domain account of the current client device is automatically used for access verification. This avoids repeatedly entering a user name and other login information, reducing inconvenience to the user. However, the client device's operating system offers several ways to temporarily change the current user, so that any user who uses the device is able to log in to the big data platform; the security of the big data platform is therefore low and cannot be guaranteed.

Another existing access verification scheme uses the Kerberos network authentication protocol, in which each user is assigned a keytab (key table) file. The user must first log in and authenticate through the Key Distribution Center (KDC) service, and can only access the big data platform after passing this authentication. Although this approach provides higher security, it still has the following drawbacks: (1) every component in the big data ecosystem must implement the Kerberos logic, and the implementation is relatively complex; (2) an additional KDC service must be deployed; (3) authentication depends on the keytab file, and if the keytab file leaks, other users can also pass authentication.

Summary of the invention

The purpose of the present application is to solve at least one of the above technical defects. The technical solution adopted by the present application is as follows:

In a first aspect, an access method for a big data platform is provided, including:

when an access request for the big data platform sent by a client device is received, obtaining the current access identifier of the client device, the current access identifier being used to identify the client device and the current user of the client device;

querying a preconfigured access whitelist file according to the current access identifier, and, if the current access identifier exists in the access whitelist file, accepting the client device's access to the big data platform.

Optionally, the access whitelist file is a preconfigured file that stores the access identifiers of client devices authorized to access the big data platform.

The current access identifier includes the user identifier of the current user and the device identifier of the client device; the current access identifier existing in the access whitelist file means that the user identifier and the device identifier exist in the access whitelist file in association with each other.

Optionally, the user identifier includes a user name.

Optionally, the device identifier includes at least one of the Internet Protocol (IP) address of the client device, the media access control (MAC) address of the client device, and a custom device identifier.

Optionally, the method further includes:

if the current access identifier does not exist in the access whitelist file, denying the client device access to the big data platform.

Optionally, the method further includes:

if the current access identifier does not exist in the access whitelist file, querying a preconfigured access blacklist file according to the current access identifier, and, if the current access identifier exists in the access blacklist file, denying the client device access;

the access blacklist file is a preconfigured file that stores the access identifiers of client devices that are prohibited from accessing the big data platform.

Optionally, when the current access identifier includes a user identifier and a device identifier, the current access identifier existing in the access blacklist file means that the user identifier or the device identifier exists in the access blacklist file, or that the user identifier and the device identifier exist in the access blacklist file in association with each other.

Optionally, if the current access identifier does not exist in the access blacklist file, the method further includes:

verifying the client device according to a preconfigured first access verification policy; if the verification passes, accepting the client device's access to the big data platform, and if the verification fails, denying the client device access to the big data platform.

Optionally, the method further includes:

receiving a modification request for the access whitelist file;

modifying the access whitelist file according to the modification request for the access whitelist file.

Optionally, the method further includes:

receiving a modification request for the access blacklist file;

modifying the access blacklist file according to the modification request for the access blacklist file.

Optionally, accepting the client device's access to the big data platform if the access identifier exists in the access whitelist file includes:

if the current access identifier exists in the access whitelist file, obtaining first address information from the client device's last access to the big data platform and second address information from the current request to access the big data platform;

if the first address information is the same as the second address information, accepting the client device's access to the big data platform.

Optionally, if the first address information differs from the second address information, the method further includes:

denying the client device access to the big data platform; or determining the access interval between the two accesses and, if the access interval is less than a set duration, denying the client device access to the big data platform;

if the access interval is not less than the set duration, accepting the client device's access to the big data platform, or verifying the client device according to a preconfigured second access verification policy; if the verification passes, accepting the client device's access to the big data platform, and if the verification fails, denying the client device access to the big data platform.

Optionally, accepting the client device's access to the big data platform if the access identifier exists in the access whitelist file includes:

if the current access identifier exists in the access whitelist file, obtaining the current address information of the client device and querying a preset common address information table according to the current address information; if the current address information belongs to the common address information of the client device in the common address information table, accepting the client device's access to the big data platform.

Optionally, if the current address information does not belong to the common address information of the client device in the common address information table, the method further includes:

denying the client device access to the big data platform; or

verifying the client device according to a preconfigured third access verification policy; if the verification passes, accepting the client device's access to the big data platform, and if the verification fails, denying the client device access to the big data platform.

Optionally, the method further includes:

after accepting the client device's access to the big data platform, assigning the client device corresponding operation permissions according to the current user's operation permissions on the big data platform.
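The decision flow of the first aspect, as an added Python illustration that is not the patent's own code: a (user, device) pair is looked up in the whitelist, a miss falls through to the blacklist (user alone, device alone, or the associated pair) and then to a fallback verification policy, and a whitelist hit is further subjected to the last-address comparison with the access-interval rule. The file formats, the 300 s interval, the fallback policy and the sample entries are assumptions constructed for this demo.

```python
# Added illustration of the CN108881309A access flow; file formats and values are assumed.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class AccessId:
    """Current access identifier: identifies the device and its current user together."""
    user: str
    device: str  # IP address, MAC address or a custom device identifier, as the patent allows


def parse_list(text: str) -> set[AccessId]:
    """Assumed file format: one 'user,device' pair per line, '#' comments allowed; in the
    blacklist a '*' in either field bans that user or that device on its own."""
    pairs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            user, device = (p.strip() for p in line.split(",", 1))
            pairs.add(AccessId(user, device))
    return pairs


@dataclass
class AccessController:
    whitelist: set[AccessId]
    blacklist: set[AccessId]
    min_interval: float = 300.0  # the patent's "set duration", in seconds (assumed value)
    # Fallback for identifiers in neither list (the patent's "first access verification policy").
    fallback_policy: Optional[Callable[[AccessId], bool]] = None
    # Per-device (address, time) of the last accepted access: the "first address information".
    last_seen: dict[str, tuple[str, float]] = field(default_factory=dict)

    def in_blacklist(self, ident: AccessId) -> bool:
        # Blacklist semantics per the patent: the pair, the user alone, or the device alone.
        return any(k in self.blacklist for k in
                   (ident, AccessId(ident.user, "*"), AccessId("*", ident.device)))

    def decide(self, ident: AccessId, address: str, now: float) -> tuple[bool, str]:
        """Return (accept, reason) for a request carrying `ident` from `address` at time `now`."""
        if ident in self.whitelist:
            return self._check_address(ident, address, now)
        if self.in_blacklist(ident):
            return False, "blacklisted"
        if self.fallback_policy is not None and self.fallback_policy(ident):
            return self._accept(ident, address, now, "fallback policy passed")
        return False, "not whitelisted"

    def _check_address(self, ident: AccessId, address: str, now: float) -> tuple[bool, str]:
        # Compare the address of the device's last access with the current request's address.
        prev = self.last_seen.get(ident.device)
        if prev is None or prev[0] == address:
            return self._accept(ident, address, now, "whitelisted")
        last_addr, last_time = prev
        if now - last_time < self.min_interval:
            return False, f"address changed from {last_addr} within {self.min_interval:.0f}s"
        return self._accept(ident, address, now, "whitelisted, address changed after interval")

    def _accept(self, ident: AccessId, address: str, now: float, reason: str) -> tuple[bool, str]:
        self.last_seen[ident.device] = (address, now)
        return True, reason


# Constructed sample files (not from the patent).
WHITELIST_TEXT = """# user,device
alice,10.0.0.5
bob,aa:bb:cc:dd:ee:ff
"""
BLACKLIST_TEXT = """mallory,*          # user banned on any device
*,10.0.0.99        # device banned for any user
bob,10.0.0.7       # this user/device association banned
"""


def build_controller() -> AccessController:
    return AccessController(parse_list(WHITELIST_TEXT), parse_list(BLACKLIST_TEXT),
                            fallback_policy=lambda ident: ident.user == "carol")


def demo() -> list[tuple[bool, str]]:
    ctl = build_controller()
    t0 = 1_000_000.0
    alice = AccessId("alice", "10.0.0.5")
    return [
        ctl.decide(alice, "10.0.0.5", t0),                            # accepted: pair whitelisted
        ctl.decide(alice, "10.0.0.8", t0 + 60),                       # denied: address changed within 300 s
        ctl.decide(alice, "10.0.0.8", t0 + 600),                      # accepted: interval elapsed
        ctl.decide(AccessId("mallory", "10.0.0.5"), "10.0.0.5", t0),  # denied: user blacklisted
        ctl.decide(AccessId("carol", "10.0.0.20"), "10.0.0.20", t0),  # accepted: fallback policy
        ctl.decide(AccessId("dave", "10.0.0.21"), "10.0.0.21", t0),   # denied: in neither list
    ]
```

Note that the IP or MAC address carried as the device identifier is whatever the request presents; the address-consistency and interval rules are the patent's own mitigation for a device whose address suddenly changes.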

In a second aspect, an access device for a big data platform is provided, including:

an obtaining module, configured to obtain the current access identifier of the client device when an access request for the big data platform sent by the client device is received, the current access identifier being used to identify the client device and the current user of the client device;

an access verification module, configured to query a preconfigured access whitelist file according to the current access identifier and to accept the client device's access to the big data platform when the current access identifier exists in the access whitelist file.

Optionally, the access whitelist file is a preconfigured file that stores the access identifiers of client devices authorized to access the big data platform.

Optionally, the current access identifier includes the user identifier of the current user and the device identifier of the client device; the current access identifier existing in the access whitelist file means that the user identifier and the device identifier exist in the access whitelist file in association with each other.

Optionally, the user identifier includes a user name.

Optionally, the device identifier includes at least one of the Internet Protocol (IP) address of the client device, the media access control (MAC) address of the client device, and a custom device identifier.

Optionally, the access verification module is further configured to:

deny the client device access to the big data platform when the current access identifier does not exist in the access whitelist file.

Optionally, the access verification module is further configured to:

when the current access identifier does not exist in the access whitelist file, query a preconfigured access blacklist file according to the current access identifier, and, if the current access identifier exists in the access blacklist file, deny the client device access;

the access blacklist file is a preconfigured file that stores the access identifiers of client devices that are prohibited from accessing the big data platform.

Optionally, when the current access identifier includes a user identifier and a device identifier, the current access identifier existing in the access blacklist file means that the user identifier exists in the access blacklist file, or the device identifier exists in the access blacklist file, or the user identifier and the device identifier exist in the access blacklist file in association with each other.

Optionally, when the access identifier does not exist in the access blacklist file, the access verification module is further configured to:

verify the client device according to a preconfigured first access verification policy; if the verification passes, accept the client device's access to the big data platform, and if the verification fails, deny the client device access to the big data platform.

Optionally, the device further includes:

a modification module, configured to receive a modification request for the access whitelist file and to modify the access whitelist file according to that request.

Optionally, the modification module is further configured to:

receive a modification request for the access blacklist file and modify the access blacklist file according to that request.

Optionally, when accepting the client device's access to the big data platform because the current access identifier exists in the access whitelist file, the access verification module is specifically configured to:

when the current access identifier exists in the access whitelist file, obtain first address information from the client device's last access to the big data platform and second address information from the current request to access the big data platform;

if the first address information is the same as the second address information, accept the client device's access to the big data platform.

Optionally, when the first address information differs from the second address information, the access verification module is further configured to:

deny the client device access to the big data platform; or

determine the access interval between the two accesses and, if the access interval is less than a set duration, deny the client device access to the big data platform;

if the access interval is not less than the set duration, accept the client device's access to the big data platform, or verify the client device according to a preconfigured second access verification policy; if the verification passes, accept the client device's access to the big data platform, and if the verification fails, deny the client device access to the big data platform.

Optionally, when the current address information does not belong to the common address information of the client device in the common address information table, the access verification module is specifically configured to:

when the current access identifier exists in the access whitelist file, obtain the current address information of the client device and query a preset common address information table according to the current address information; if the current address information belongs to the common address information of the client device in the common address information table, accept the client device's access to the big data platform.

Optionally, when the current address information does not belong to the common address information of the client device in the common address information table, the access verification module is further configured to:

deny the client device access to the big data platform; or

verify the client device according to a preconfigured third access verification policy; if the verification passes, accept the client device's access to the big data platform, and if the verification fails, deny the client device access to the big data platform.

Optionally, the device further includes:

an operation permission assignment module, configured to assign the client device corresponding operation permissions, after the client device's access to the big data platform has been accepted, according to the current user's operation permissions on the big data platform.

In a third aspect, an electronic device is provided, including a processor and a memory;

the memory is configured to store operation instructions;

the processor is configured to perform, by calling the operation instructions, the operations corresponding to the big data platform access method described in the first aspect of the present application.

In a fourth aspect, a computer-readable storage medium is provided, on which a computer program is stored; when the program is executed by a processor, it implements the big data platform access method described in the first aspect of the present application.

The beneficial effects of the technical solutions provided by the embodiments of the present application are as follows:

In the embodiments of the present application, whether to accept a client device's access to the big data platform is determined by whether the current access identifier is in the access whitelist file. Because the current access identifier identifies both the device and the user, the device requesting access to the big data platform and its current user are verified at the same time, which ensures that only devices authorized in the whitelist file, and the authorized users associated with those devices, can access the platform, thereby securing the big data platform. Compared with the existing Kerberos-based authentication, this approach is simple to implement and avoids complex deployment and verification processes.

Description of the drawings

To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below.

FIG. 1 is a schematic flow diagram of a big data platform access method provided by an embodiment of the present application;

FIG. 2 is a schematic flow diagram of another big data platform access method provided by an embodiment of the present application;

FIG. 3 is a schematic structural diagram of a big data platform access device provided by an embodiment of the present application;

FIG. 4 is a schematic structural diagram of another big data platform access device provided by an embodiment of the present application;

FIG. 5 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.

Detailed description

Embodiments of the present application are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present application, and are not to be construed as limiting it.

Those skilled in the art will understand that, unless otherwise stated, the singular forms "a", "an" and "the" used herein may also include the plural forms. It should further be understood that the word "comprising" as used in the description of the present application indicates the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The expression "and/or" as used herein includes any and all combinations of one or more of the associated listed items.

To make the purpose, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the drawings.

In existing access control techniques for big data platforms, using the domain account of the current client device for access verification is poorly secured, while using the Kerberos protocol for access authentication is comparatively complex both to deploy and to implement.

The present application provides an access method, device, electronic equipment and readable storage medium for a big data platform, aiming to solve the above technical problems of the prior art.

The technical solution of the present application, and how it solves the above technical problems, is described in detail below with specific embodiments. The following specific embodiments may be combined with each other, and the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application are described below with reference to the drawings.

实施例一Embodiment one

本申请实施例提供了一种大数据平台的访问方法,该方法由服务器执行,如图1所示,该方法包括:The embodiment of the present application provides a method for accessing a big data platform, the method is executed by a server, as shown in Figure 1, the method includes:

步骤S110:当接收到客户端设备发送的大数据平台的访问请求时,获取客户端设备的当前访问标识,当前访问标识用于标识客户端设备和客户端设备的当前用户;Step S110: when receiving the access request of the big data platform sent by the client device, obtain the current access identifier of the client device, where the current access identifier is used to identify the client device and the current user of the client device;

步骤S120:根据当前访问标识查询预配置的访问白名单文件,若当前访问标识存在于访问白名单文件中,则接受客户端设备对大数据平台的访问。Step S120: Query the preconfigured access whitelist file according to the current access identifier, and if the current access identifier exists in the access whitelist file, then accept the client device's access to the big data platform.

In the embodiments of the present application, the current access identifier of the client device is information that identifies both the client device and its current user. The current access identifier may include the device identifier of the client device together with the user identifier of the device's current user, or it may be information generated from the device identifier and the user identifier that uniquely identifies the device and user pair.

In the embodiments, whether to accept the corresponding client device's access to the big data platform is determined by checking whether the current access identifier is in the access whitelist file. Because the current access identifier identifies both the device and the user, this approach verifies the device requesting access and its current user at the same time, ensuring that only a device authorized in the whitelist file, used by the authorized user bound to that device, can access the platform. This secures the big data platform while being simpler to implement than the existing approach of Kerberos authentication, avoiding a complex deployment and verification process.

In the solution of the embodiments, when an access request sent by a user through a client device is received, the request is verified by automatically obtaining the access identifier. Because the whole process is completed automatically by the server, the verification is essentially transparent to the user; the solution therefore better meets users' practical needs while still controlling access to the big data platform securely. The solution is especially suited to access control for a big data platform in an intranet environment. Access to such a platform is frequent, and with this solution the user need not enter login information: after the user triggers an access request, the server automatically obtains the access identifier and completes the verification, which matches the practical usage requirements of an intranet environment well.

In the embodiments, the access whitelist file is a preconfigured file that stores the access identifiers of client devices authorized to access the big data platform.

The access whitelist file stores the access identifiers of devices authorized to access the big data platform. It will be understood that the form of a client device's current access identifier is consistent with the form of the access identifiers stored in the whitelist file: for example, if the access identifier takes the form of a user identifier plus a device identifier, the access identifiers in the whitelist file are likewise stored as a user identifier associated with a device identifier. Checking whether the current access identifier of the requesting device exists in the access whitelist file verifies both the device and the user accessing the big data platform. Because the access whitelist file is stored on the server side, it is never distributed to client devices and so cannot leak through them, which keeps control of the platform's access security.

In the embodiments, the current access identifier may include the user identifier of the current user and the device identifier of the client device; in that case, the current access identifier existing in the access whitelist file means that the user identifier and the device identifier exist in the whitelist file as an associated pair.

Specifically, the user identifier may include a user name; the device identifier may include at least one of the client device's IP address, the client device's MAC address, and a custom device identifier. The custom device identifier can be configured as required; for example, it may be a unique identifier assigned by the server to each client device authorized to access the big data platform, such as a code or other information that uniquely identifies the device.

Optionally, for access control to a big data platform in an intranet environment, the IP address may be used as the device identifier, since the intranet environment is basically trusted and the internal IP addresses of the servers are under control.

When the current access identifier includes a user identifier and a device identifier, the user identifier and device identifier being associated in the access whitelist file means that they are stored in the whitelist file as a bound pair. For example, when the user identifier is a user name and the device identifier is an IP address, the access whitelist file may take the form of Table 1 below:

Table 1

User name    IP address
User 1       192.168.1.1
User 2       192.168.1.1
User 1       192.168.1.2

As shown in Table 1, the access whitelist file stores three access identifiers authorized to access the big data platform: User 1 with IP address 192.168.1.1, User 2 with IP address 192.168.1.1, and User 1 with IP address 192.168.1.2. User 1 is therefore allowed to access the big data platform from the device with IP address 192.168.1.1 or the device with IP address 192.168.1.2, and both User 1 and User 2 can access it from the device with IP address 192.168.1.1. That is, User 1 is associated with IP address 192.168.1.1 in the access whitelist file, so when User 1 sends an access request from the client device with IP address 192.168.1.1, that client device may be allowed to access the big data platform; likewise, User 1 is also associated with IP address 192.168.1.2 in the whitelist file, so when User 1 sends an access request from the client device with IP address 192.168.1.2, that client device may also be allowed access; and User 2 is associated with IP address 192.168.1.1 in the whitelist file, so when User 2 sends an access request from the client device with IP address 192.168.1.1, that client device may also be allowed access.

Based on the access whitelist file shown in Table 1, when the received current access identifier is User 2 with 192.168.1.2, then although both User 2 and 192.168.1.2 appear in the whitelist file, they are not stored there as an associated pair, so the access request of the client device corresponding to this current access identifier cannot be accepted directly.

In the embodiments, the access method may further include: if the current access identifier does not exist in the access whitelist file, denying the client device access to the big data platform.

For example, based on the access whitelist file shown in Table 1, if User 3 sends an access request from a client device with IP address 192.168.1.4, User 3 is not associated with IP address 192.168.1.4 in the whitelist file, so the client device's current access identifier is considered unauthorized and the client device is denied access to the big data platform.

In the embodiments, the access method may further include:

if the current access identifier does not exist in the access whitelist file, querying the preconfigured access blacklist file according to the current access identifier, and if the current access identifier exists in the access blacklist file, denying the client device access; the access blacklist file is a preconfigured file that stores the access identifiers of client devices not authorized to access the big data platform.

Specifically, when the access identifier includes a user identifier and a device identifier, the current access identifier existing in the access blacklist file means that the user identifier exists in the blacklist file, or the device identifier exists in the blacklist file, or the user identifier and device identifier exist in the blacklist file as an associated pair.

Accordingly, the access blacklist file may be set up in several forms, including at least one of the following three:

First, the user identifier is placed in the access blacklist file. For example, with the user identifier being a user name, the access blacklist file takes the form of Table 2:

Table 2

User name
User 4
User 5
User 6

As shown in Table 2, the access blacklist file stores User 4, User 5 and User 6, all of whom are prohibited from accessing the big data platform; whenever User 4, User 5 or User 6 sends an access request from any client device, the client device they are currently using is denied access to the big data platform. Placing user identifiers in the access blacklist file thus rejects access requests issued by specific users.

Second, the device identifier is placed in the access blacklist file. For example, with the device identifier being an IP address, the access blacklist file may take the form of Table 3:

Table 3

IP address
192.168.1.6
192.168.1.7
192.168.1.8
User 7

As shown in the table, the client devices with IP addresses 192.168.1.6, 192.168.1.7 and 192.168.1.8 all exist in the access blacklist file; whenever any user sends an access request from a client device with IP address 192.168.1.6, 192.168.1.7 or 192.168.1.8, that device is denied access to the big data platform. Placing device identifiers in the access blacklist file thus rejects access requests issued by specific client devices.

In addition, in Table 3, User 7 also exists in the access blacklist file; whenever User 7 sends an access request from any client device, the client device currently in use is denied access to the big data platform. IP addresses and user names may therefore both be present in the access blacklist, rejecting access requests from specific client devices as well as from specific users.

Third, the user identifier and device identifier are placed in the access blacklist file as an associated pair, meaning that the user identifier and device identifier exist in the blacklist file as a bound pair. For example, when the user identifier is a user name and the device identifier is an IP address, the access blacklist file takes the form of Table 4:

Table 4

User name    IP address
User 8       192.168.1.4
User 9       192.168.1.5
User 8       192.168.1.5

As shown in Table 4, the access blacklist file stores user names together with the IP addresses bound to them. User 8 exists in the access blacklist file in correspondence with IP address 192.168.1.3, so when User 8 sends an access request from the client device with IP address 192.168.1.3, that client device is prohibited from accessing the big data platform; User 8 also exists in the access blacklist file in correspondence with IP address 192.168.1.5, so when User 8 sends an access request from the client device with IP address 192.168.1.5, that client device is likewise denied access to the big data platform; and User 9 exists in the access blacklist file in correspondence with IP address 192.168.1.5, so when User 9 sends an access request from the client device with IP address 192.168.1.5, that client device may also be denied access. Storing user identifiers associated with device identifiers in the access blacklist file thus rejects access requests issued by a specific user on a specific client device.

In the embodiments, if the current access identifier does not exist in the access blacklist file, the access method may further include:

verifying the client device according to a preconfigured first access verification policy; if the verification passes, accepting the client device's access to the big data platform, and if it fails, denying the client device access to the big data platform.

Preconfiguring a first access verification policy allows access identifiers that are absent from the access blacklist file to be verified further, increasing the security of the verification. The first access verification policy can be configured as required: it may, for example, be an existing security verification method, or it may require that the user identifier and the device identifier both appear in the access whitelist file. For example, when the current access identifier includes a user identifier and a device identifier and the access identifier is not present in the access blacklist file, then even though the user identifier and device identifier are not stored as an associated pair in the access whitelist file, access may be allowed if both of them appear in the whitelist file separately.
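The whitelist lookup of Table 1, the three blacklist forms of Tables 2 to 4 and the "both listed separately" first access verification policy described above, as one worked example in Python. This is added illustration, not code from the patent or its applicant; the list file format (one entry per line, `user,ip` for an associated pair, a bare user name or a bare IP address otherwise), the function names and the sample entries are assumptions constructed for the example.

```python
"""Whitelist/blacklist access decision modelled on the patent text (added example).

Assumptions not taken from the patent: list files are text with one entry per
line, '#' comments, and entries of the form 'user,ip' (an associated pair),
'user' alone, or 'ip' alone.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Callable, Optional, Set, Tuple

ACCEPT = "accept"
DENY = "deny"

# Constructed sample lists, mirroring Table 1 and Tables 2 to 4 of the text.
WHITELIST_TEXT = """\
# user,ip  (a user is only authorized on the device it is paired with)
user1,192.168.1.1
user2,192.168.1.1
user1,192.168.1.2
"""

BLACKLIST_TEXT = """\
# a user, a device, or a user,ip pair
user4
user5
192.168.1.6
192.168.1.7
user8,192.168.1.4
user9,192.168.1.5
"""


@dataclass
class AccessList:
    pairs: Set[Tuple[str, str]] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)


def _is_ip(token: str) -> bool:
    try:
        ip_address(token)
        return True
    except ValueError:
        return False


def parse_access_list(text: str) -> AccessList:
    """Parse the assumed list format, rejecting malformed lines instead of guessing."""
    acl = AccessList()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 2 and parts[0] and _is_ip(parts[1]):
            acl.pairs.add((parts[0], parts[1]))
        elif len(parts) == 1 and _is_ip(parts[0]):
            acl.devices.add(parts[0])
        elif len(parts) == 1 and parts[0]:
            acl.users.add(parts[0])
        else:
            raise ValueError(f"malformed access list entry on line {lineno}: {raw!r}")
    return acl


def in_whitelist(wl: AccessList, user: str, ip: str) -> bool:
    # Whitelist semantics from the text: user and device must be stored as an
    # associated pair; each appearing separately is not enough.
    return (user, ip) in wl.pairs


def in_blacklist(bl: AccessList, user: str, ip: str) -> bool:
    # Blacklist semantics from the text: any of the three forms matches.
    return user in bl.users or ip in bl.devices or (user, ip) in bl.pairs


def both_listed_policy(wl: AccessList, user: str, ip: str) -> bool:
    """The example first access verification policy from the text: accept when
    the user and the device each appear somewhere in the whitelist."""
    users = {u for u, _ in wl.pairs} | wl.users
    devices = {d for _, d in wl.pairs} | wl.devices
    return user in users and ip in devices


Policy = Callable[[AccessList, str, str], bool]


def decide(user: str, ip: str, wl: AccessList, bl: Optional[AccessList] = None,
           first_policy: Optional[Policy] = None) -> str:
    """Steps S110/S120 plus the optional blacklist and first-policy stages,
    in the order the text gives them; a stage that is not configured denies."""
    if in_whitelist(wl, user, ip):
        return ACCEPT
    if bl is None or in_blacklist(bl, user, ip):
        return DENY
    if first_policy is None:
        return DENY
    return ACCEPT if first_policy(wl, user, ip) else DENY


WHITELIST = parse_access_list(WHITELIST_TEXT)
BLACKLIST = parse_access_list(BLACKLIST_TEXT)

if __name__ == "__main__":
    for u, ip in [("user1", "192.168.1.1"), ("user2", "192.168.1.2"),
                  ("user3", "192.168.1.4"), ("user8", "192.168.1.4")]:
        print(u, ip, decide(u, ip, WHITELIST, BLACKLIST, both_listed_policy))
```

`decide` follows the order the text gives: whitelist pair, then blacklist, then the first policy, and denies whenever a stage it would need is not configured. Two consequences are worth noting for anyone deploying this scheme: an associated pair that appears in both lists is accepted, because the whitelist is consulted first; and because the device identifier is an IP address, the check is only as reliable as address assignment on the intranet the text assumes.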

In the embodiments, the access method may further include: receiving a modification request for the access whitelist file, and modifying the access whitelist file according to that request.

It should be noted that the issuer of the modification request is the administrator of the big data platform or other personnel authorized to modify the access whitelist file. The platform's administrators can modify the access whitelist file as needed, for example by adding, deleting or changing authorized access identifiers.

In the embodiments, the access method may further include: receiving a modification request for the access blacklist file, and modifying the access blacklist file according to that request.

Similarly, the issuer of this modification request is the administrator of the big data platform or other personnel authorized to modify the access blacklist file; for example, they may add a client device that is prohibited from accessing the big data platform, or add a user who is prohibited from accessing it.

In the embodiments, accepting the client device's access to the big data platform if the access identifier exists in the access whitelist file includes:

if the current access identifier exists in the access whitelist file, obtaining first address information for the client device's previous access to the big data platform and second address information for the current access request; and if the first address information is the same as the second address information, accepting the client device's access to the big data platform.

In practice, further verification can be performed using the address information of the client device's location at the time the access request is sent. The location address information can be derived from the client device's network address, for example from the device's IP address. If the address information of the client device's location for this access is the same as for the previous access, the user can be considered to still be at a safe address that has been accessed from before, and, provided the access identifier exists in the access whitelist, access to the big data platform can be authorized. For example, if User A's client device was located in Beijing on the previous access to the big data platform and is still located in Beijing for this access, then, provided the access identifier exists in the access whitelist, User A can be considered to be accessing the platform normally and can be authorized to access it on that client device.

In the embodiments, if the first address information is different from the second address information, the access method may further include:

denying the client device access to the big data platform; or

determining the access interval between the two accesses; if the access interval is less than a set duration, denying the client device access to the big data platform; if the access interval is not less than the set duration, accepting the client device's access to the big data platform, or verifying the client device according to a preconfigured second access verification policy, accepting the access if the verification passes and denying it if the verification fails.

If the location address information of the client device has changed between the previous access and the current access request, the access interval between the two accesses can be analysed and compared with a set duration. The set duration can be chosen from experience: it is the time within which a user could not move between the two access locations. If the access interval is less than the set duration, the user could not have travelled from the previous access location to the current one within that time, so the situation is considered abnormal and the client device is denied access to the big data platform; if the access interval is not less than the set duration, further access verification can be performed.

Preconfiguring a second access verification policy allows further verification in the case where the client device's address information has changed between the current access request and the previous access and the access interval alone cannot determine whether the situation is abnormal. The second access verification policy can be configured as required.

Comparing the address information of the client device used by the user on the two accesses adds a further layer of access verification and improves its security.

For example, if User B's previous access was from Beijing and the current access is from Shenzhen, with an access interval of only five minutes, User B clearly cannot have moved from Beijing to Shenzhen and sent an access request within five minutes, so this login by User B can be considered abnormal and the access request to the big data platform is denied. If the interval between User B's two accesses is one day, it is reasonable for User B to have travelled from Beijing to Shenzhen on business and sent an access request within that interval, and further verification can be used to increase the security of the access verification.

In the embodiments, accepting the client device's access to the big data platform if the current access identifier exists in the access whitelist file includes: if the current access identifier exists in the access whitelist file, obtaining the current address information of the client device, querying a preset common address information table according to the current address information, and if the current address information belongs to the client device's common address information in the table, accepting the client device's access to the big data platform.

If the current address information does not belong to the client device's common address information in the common address information table, the method further includes: denying the client device access to the big data platform; or verifying the client device according to a preconfigured third access verification policy, accepting the client device's access if the verification passes and denying it if the verification fails.

The common address information table can store the common address information of the client devices corresponding to the access identifiers authorized to access the big data platform. On an access request, the address information of the client device the user is currently using is compared against the table: if the user sends the access request from a common address, access to the big data platform on that client device can be authorized; if the user sends it from an address that is not a common one, access on that client device can be denied, or further access verification can be performed.

Preconfiguring a third access verification policy allows further verification when the address information of the current access request is not in the common address information table; the third access verification policy can be configured as required.

It will be understood that the first, second and third access verification policies may be the same or different.

Comparing the address information of the user's current client device against the preset common address information table at access time adds a further layer of access verification and improves its security.

For example, User C works in Beijing and often travels to Shenzhen on business, so the common addresses preset for User C's client device in the common address information table are Beijing and Shenzhen. If User C sends an access request from Beijing or Shenzhen, the address information of User C's current client device is in the common address information table, and, provided the access identifier exists in the access whitelist, User C's access request to the big data platform can be accepted. If User C sends an access request from Shanghai, the address information of User C's current client device is not in the common address information table, so the current access request can be considered a potential security risk: the client device's access request can be denied, or further verification can be used to increase the security of the access verification.
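The two location-based stages described above (previous versus current address with the set-duration interval test and second policy, and the common address table with third policy), as an added Python example that is not code from the patent or its applicant. The IP-to-city lookup, the in-memory access records, keying the common-address table by user name, the three-hour set duration and the fail-closed handling of an address that cannot be located are all assumptions made for the example.

```python
"""Address-based verification stages from the text (added example).

Assumptions not taken from the patent: the client's location comes from a
small constructed IP-to-city table, access history is an in-memory record,
the common-address table is keyed by user name, and an address that cannot
be located fails closed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional, Set

ACCEPT = "accept"
DENY = "deny"
UNKNOWN = "unknown"

# Constructed IP-to-city lookup standing in for a real geolocation source.
IP_LOCATION: Dict[str, str] = {
    "10.1.0.5": "Beijing",
    "10.2.0.7": "Shenzhen",
    "10.3.0.9": "Shanghai",
}

# Constructed common-address table, mirroring the User C example in the text.
COMMON_ADDRESSES: Dict[str, Set[str]] = {"userC": {"Beijing", "Shenzhen"}}

BASE_TIME = datetime(2018, 8, 14, 9, 0)  # constructed reference instant
SET_DURATION = timedelta(hours=3)         # constructed "set duration"


@dataclass(frozen=True)
class Access:
    """One access attempt: the client's address and when it happened."""
    ip: str
    at: datetime

    @property
    def location(self) -> str:
        return IP_LOCATION.get(self.ip, UNKNOWN)


def access(ip: str, minutes: int = 0, days: int = 0) -> Access:
    """Build an Access at an offset from BASE_TIME (demo convenience)."""
    return Access(ip, BASE_TIME + timedelta(days=days, minutes=minutes))


SecondPolicy = Callable[[Access, Access], bool]
ThirdPolicy = Callable[[str, Access], bool]


def check_location_change(previous: Optional[Access], current: Access,
                          min_interval: timedelta = SET_DURATION,
                          second_policy: Optional[SecondPolicy] = None) -> str:
    """First versus second address information.

    Same location: accept. Different location: deny when the interval is
    shorter than the set duration (the user could not have moved that far),
    otherwise accept or defer to the second policy. An address that cannot be
    located is denied, and a first access with no history is accepted at this
    stage (both assumptions)."""
    if current.location == UNKNOWN:
        return DENY
    if previous is None or previous.location == current.location:
        return ACCEPT
    if current.at - previous.at < min_interval:
        return DENY
    if second_policy is None:
        return ACCEPT
    return ACCEPT if second_policy(previous, current) else DENY


def check_common_address(user: str, current: Access,
                         table: Dict[str, Set[str]] = COMMON_ADDRESSES,
                         third_policy: Optional[ThirdPolicy] = None) -> str:
    """Accept when the current location is one of the user's common
    addresses; otherwise deny, or defer to the third policy if configured."""
    if current.location in table.get(user, set()):
        return ACCEPT
    if third_policy is None:
        return DENY
    return ACCEPT if third_policy(user, current) else DENY


def verify_address(user: str, previous: Optional[Access], current: Access,
                   second_policy: Optional[SecondPolicy] = None,
                   third_policy: Optional[ThirdPolicy] = None) -> str:
    """Apply both stages after a whitelist hit; accept only if both accept
    (assumption: the text presents them as alternative embodiments)."""
    if check_location_change(previous, current, SET_DURATION, second_policy) == DENY:
        return DENY
    return check_common_address(user, current, COMMON_ADDRESSES, third_policy)


if __name__ == "__main__":
    beijing = access("10.1.0.5")
    print("User B, Shenzhen after 5 min:", check_location_change(beijing, access("10.2.0.7", minutes=5)))
    print("User B, Shenzhen after 1 day:", check_location_change(beijing, access("10.2.0.7", days=1)))
    print("User C from Shanghai:", check_common_address("userC", access("10.3.0.9")))
```

The text uses a single set duration for every pair of locations; a per-location-pair minimum travel time is a natural refinement of `check_location_change` and changes nothing else. `verify_address` combines the two embodiments rather than choosing one, which is stricter than either alone.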

As shown in Figure 2, on the basis of the method shown in Figure 1, the access method in the embodiments may further include:

Step S130: after accepting the client device's access to the big data platform, assigning the client device the operation permissions corresponding to the current user's operation permissions on the big data platform.

Once the client device has passed access verification, it can access the big data platform within its assigned operation permissions.

Embodiment 2

The embodiments also provide a big data platform access apparatus 20 which, as shown in Figure 3, may include:

an obtaining module 210, configured to obtain the current access identifier of a client device when an access request for the big data platform sent by the client device is received, the current access identifier identifying both the client device and its current user; and

an access verification module 220, configured to query the preconfigured access whitelist file according to the current access identifier and to accept the client device's access to the big data platform when the current access identifier exists in the access whitelist file.

本申请的实施例中所提供的大数据平台的访问装置,通过确定当前访问标识是否在访问白名单文件中,来确定是否接受对应的客户端设备对大数据平台的访问,由于该当前访问标识能够同时标识设备和用户,因此,通过该方式实现了对请求访问大数据平台的设备及当前用户的同时验证,保证了只有白名单文件中被授权的设备及该设备对应的被授权用户才能够访问平台,从而保证了大数据平台的安全性,同时该方式与现有的采用Kerberos协议认证的方式相比实现简单,避免了复杂的部署及验证过程。The access device of the big data platform provided in the embodiment of the present application determines whether to accept the corresponding client device’s access to the big data platform by determining whether the current access ID is in the access whitelist file, because the current access ID Devices and users can be identified at the same time. Therefore, this method realizes simultaneous verification of devices requesting access to the big data platform and current users, ensuring that only authorized devices in the whitelist file and the corresponding authorized users of the device can Access to the platform, thereby ensuring the security of the big data platform. At the same time, this method is simpler to implement than the existing authentication method using the Kerberos protocol, and avoids complicated deployment and verification processes.

可选的,访问白名单文件为预配置的、用于存储被授权访问大数据平台的客户端设备的访问标识的文件。Optionally, the access whitelist file is a pre-configured file used to store access identifiers of client devices authorized to access the big data platform.

可选的,当前访问标识包括当前用户的用户标识和客户端设备的设备标识,当前访问标识存在于访问白名单文件中是指用户标识和设备标识关联存在于访问白名单文件中。Optionally, the current access ID includes the user ID of the current user and the device ID of the client device, and the existence of the current access ID in the access whitelist file means that the association between the user ID and the device ID exists in the access whitelist file.

可选的,用户标识包括用户名。Optionally, the user ID includes a user name.

可选的,设备标识包括客户端设备的互联网协议IP地址、客户端设备的媒体访问控制MAC地址、自定义设备标识中的至少一种。Optionally, the device identifier includes at least one of an Internet Protocol IP address of the client device, a media access control MAC address of the client device, and a user-defined device identifier.

可选的,访问验证模块还用于:Optionally, the access verification module is also used for:

在当前访问标识不存在访问白名单文件时拒绝客户端设备对大数据平台的访问。Deny the client device's access to the big data platform when the current access ID does not have an access whitelist file.

可选的,访问验证模块还用于:Optionally, the access verification module is also used for:

在当前访问标识不存在访问白名单文件中时,根据当前访问标识查询预配置的访问黑名单文件,若当前访问标识存在于访问黑名单文件中,则拒绝客户端设备的访问;When the current access ID does not exist in the access whitelist file, query the pre-configured access blacklist file according to the current access ID, and if the current access ID exists in the access blacklist file, deny the access of the client device;

访问黑名单文件为预配置的、用于存储禁止访问大数据平台的客户端设备的访问标识的文件。The access blacklist file is a pre-configured file used to store access identifiers of client devices that are prohibited from accessing the big data platform.

可选的,当当前访问标识包括用户标识和设备标识时,当前访问标识存在于访问黑名单文件是指用户标识存在于访问黑名单文件,或者,设备标识存在于访问黑名单文件,或者,用户标识与设备标识关联存在于访问黑名单文件。Optionally, when the current access ID includes a user ID and a device ID, the existence of the current access ID in the access blacklist file means that the user ID exists in the access blacklist file, or that the device ID exists in the access blacklist file, or that the user The ID associated with the device ID exists in the access blacklist file.

可选的,在访问标识不存在于访问黑名单文件时,访问验证模块还用于:Optionally, when the access identifier does not exist in the access blacklist file, the access verification module is also used to:

根据预配置的第一访问验证策略对客户端设备进行验证,若验证通过,则接受客户端设备对大数据平台的访问;若验证未通过,则拒绝客户端设备对大数据平台的访问。The client device is verified according to the pre-configured first access verification strategy. If the verification is passed, the client device's access to the big data platform is accepted; if the verification fails, the client device's access to the big data platform is rejected.

可选的,该装置还包括:Optionally, the device also includes:

修改模块,用于接收对访问白名单文件的修改请求;根据访问白名单文件的修改请求对访问白名单文件进行修改。The modification module is configured to receive a modification request for the access white list file; and modify the access white list file according to the modification request for the access white list file.

可选的,修改模块还用于:Optionally, the modification module is also used to:

接收访问黑名单文件的修改请求;根据访问黑名单文件的修改请求对访问黑名单文件进行修改。Receive the modification request of the access blacklist file; modify the access blacklist file according to the modification request of the access blacklist file.

Optionally, when accepting the client device's access to the big data platform because the current access identifier is present in the access whitelist file, the access verification module is specifically configured to:

when the current access identifier is present in the access whitelist file, obtain first address information, from the client device's previous access to the big data platform, and second address information, from the current request to access the big data platform;

if the first address information and the second address information are the same, accept the client device's access to the big data platform.

Optionally, when the first address information and the second address information differ, the access verification module is further configured to:

deny the client device's access to the big data platform; or,

determine the access interval between the two accesses and, if the access interval is shorter than a set duration, deny the client device's access to the big data platform;

if the access interval is not shorter than the set duration, accept the client device's access to the big data platform, or verify the client device according to a pre-configured second access verification policy and, if the verification passes, accept the client device's access to the big data platform, and if it fails, deny the client device's access to the big data platform.

Optionally, in another embodiment, when accepting the client device's access to the big data platform because the current access identifier is present in the access whitelist file, the access verification module is specifically configured to:

when the current access identifier is present in the access whitelist file, obtain the client device's current address information and look it up in a preset common-address table; if the current address information is one of the client device's common addresses in the common-address table, accept the client device's access to the big data platform.

Optionally, when the current address information is not one of the client device's common addresses in the common-address table, the access verification module is further configured to:

deny the client device's access to the big data platform; or,

verify the client device according to a pre-configured third access verification policy; if the verification passes, accept the client device's access to the big data platform, and if it fails, deny the client device's access to the big data platform.

As shown in Figure 4, in an embodiment of the present application, building on the access apparatus of Figure 3, the access apparatus 20 may further comprise:

an operation permission assignment module 230, configured to, after the client device's access to the big data platform has been accepted, assign the client device the operation permissions corresponding to those the client device's current user holds on the big data platform.
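The following is an added example, not code from the patent, showing the access verification module and the operation permission assignment module described above as one decision flow: the whitelist lookup on the (user, device) pair, the blacklist lookup (which matches user, device or pair), the fallback verification strategy for unlisted pairs, the address-continuity check with its minimum interval, the common-address check, and permission assignment after acceptance. The page presents the last-address check and the common-address check as alternative embodiments; the example chains both, so a whitelisted pair must pass both before being accepted. The identifier formats, the HMAC "proof" that stands in for the page's first, second and third verification policies, and all sample requests are assumptions constructed for the example; the page does not say what those policies verify.

```python
# Added example, not the patent's code: the whitelist -> blacklist -> strategy
# decision on the (user, device) pair, the address-continuity check with its
# minimum interval, the common-address check, and permission assignment. One assumed
# HMAC-proof strategy stands in for the page's first, second and third strategies;
# identifier formats and all sample data are constructed.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Key = Tuple[str, str]  # (user_id, device_id): the "current access identifier"

@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    device_id: str
    address: str      # source address as observed by the platform
    timestamp: float  # seconds since epoch
    proof: str = ""   # assumed credential checked by the verification strategy

@dataclass
class Blacklist:
    users: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    pairs: Set[Key] = field(default_factory=set)

    def contains(self, req: AccessRequest) -> bool:
        # user match OR device match OR pair match (the whitelist matches pairs only)
        return (req.user_id in self.users or req.device_id in self.devices
                or (req.user_id, req.device_id) in self.pairs)

def make_proof(secret: bytes, user_id: str, device_id: str, ts: float) -> str:
    msg = f"{user_id}|{device_id}|{int(ts)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

@dataclass
class AccessVerifier:
    whitelist: Set[Key]                   # authorized (user, device) pairs
    blacklist: Blacklist
    common_addresses: Dict[Key, Set[str]]
    min_interval: float                   # the "set duration", in seconds
    permissions: Dict[str, Set[str]]      # user_id -> operation permissions
    secret: bytes                         # key for the assumed HMAC-proof strategy
    last_seen: Dict[Key, Tuple[str, float]] = field(default_factory=dict)

    def verify(self, req: AccessRequest) -> bool:
        # Stands in for the first/second/third strategies: constant-time proof check.
        expected = make_proof(self.secret, req.user_id, req.device_id, req.timestamp)
        return hmac.compare_digest(expected, req.proof)

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        key = (req.user_id, req.device_id)
        if key not in self.whitelist:
            if self.blacklist.contains(req):
                return False, "blacklisted"
            if not self.verify(req):
                return False, "first strategy failed"
            return self._accept(req, key, "first strategy passed")
        prev = self.last_seen.get(key)
        if prev is not None and prev[0] != req.address:
            if req.timestamp - prev[1] < self.min_interval:
                return False, "address changed within min interval"
            if not self.verify(req):
                return False, "second strategy failed"
        if req.address not in self.common_addresses.get(key, set()):
            if not self.verify(req):
                return False, "third strategy failed"
        return self._accept(req, key, "whitelisted")

    def _accept(self, req: AccessRequest, key: Key, reason: str) -> Tuple[bool, str]:
        self.last_seen[key] = (req.address, req.timestamp)  # only accepted accesses count
        return True, reason

    def assign_permissions(self, user_id: str) -> Set[str]:
        return set(self.permissions.get(user_id, set()))

def run_demo() -> dict:
    v = AccessVerifier(
        whitelist={("alice", "dev-1")},
        blacklist=Blacklist(users={"mallory"}, devices={"dev-9"}, pairs={("bob", "dev-2")}),
        common_addresses={("alice", "dev-1"): {"10.0.0.5"}},
        min_interval=600.0, secret=b"demo-secret",
        permissions={"alice": {"query", "export"}, "carol": {"query"}})
    rq = AccessRequest  # constructed requests, evaluated in order; decide() keeps state
    return {
        "wl_common": v.decide(rq("alice", "dev-1", "10.0.0.5", 1000.0)),
        "wl_move_fast": v.decide(rq("alice", "dev-1", "203.0.113.7", 1100.0)),
        "wl_move_slow_noproof": v.decide(rq("alice", "dev-1", "203.0.113.7", 2000.0)),
        "wl_move_slow_proof": v.decide(rq("alice", "dev-1", "203.0.113.7", 2000.0,
                                         make_proof(v.secret, "alice", "dev-1", 2000.0))),
        "bl_user": v.decide(rq("mallory", "dev-1", "10.0.0.5", 2100.0)),
        "bl_device": v.decide(rq("carol", "dev-9", "10.0.0.5", 2100.0)),
        "bl_pair": v.decide(rq("bob", "dev-2", "10.0.0.5", 2100.0)),
        "unlisted_noproof": v.decide(rq("carol", "dev-3", "10.0.0.5", 2100.0)),
        "unlisted_proof": v.decide(rq("carol", "dev-3", "10.0.0.5", 2100.0,
                                      make_proof(v.secret, "carol", "dev-3", 2100.0))),
        "alice_perms": v.assign_permissions("alice"),
    }
```

Two design points worth noting. `last_seen` is updated only on acceptance, so a rejected request from a new address cannot reset the baseline that the interval check compares against. And the whitelist is consulted before the blacklist, exactly as the text orders it, which means a blacklisted user or device is still admitted on any pair that remains whitelisted; an operator who blacklists a device therefore also has to remove its whitelist pairs. The user and device identifiers are treated as opaque strings here; without some proof the client cannot forge (the assumed HMAC plays that role), a whitelist of identifiers alone only checks that the client knows a listed pair.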

It can be understood that the modules of the access apparatus in this embodiment have the functions required to implement the corresponding steps of the big data platform access method of Figures 1 and 2, or of a method based on Figures 1 and 2. These functions may be implemented by hardware, or by hardware executing corresponding software; the hardware or software comprises one or more modules corresponding to the functions above. The modules may be software and/or hardware, and each module may be implemented on its own or several modules may be integrated. For the functional description of each module of the access apparatus, see the corresponding description of the big data platform access method of Figures 1 and 2, or based on Figures 1 and 2, which is not repeated here.

Embodiment 3

An embodiment of the present application provides an electronic device. As shown in Figure 5, the electronic device 2000 comprises a processor 2001 and a transceiver 2004, which are connected, for example, via a bus 2002. Optionally, the electronic device 2000 may further comprise a memory 2003. It should be noted that in practice there may be more than one transceiver 2004, and the structure of the electronic device 2000 does not limit the embodiments of the present application.

The processor 2001 is used in the embodiments of the present application to implement the method shown in the method embodiments above. The transceiver 2004 comprises a receiver and a transmitter and is used to implement communication between the apparatus shown in the apparatus embodiments above and other devices.

The processor 2001 may be a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a transistor logic device, a hardware component, or any combination of these. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with this disclosure. The processor 2001 may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.

The bus 2002 may include a path that carries information between the components above. The bus 2002 may be a PCI bus or an EISA bus, among others, and may be divided into an address bus, a data bus and a control bus. For ease of illustration, only one thick line is drawn in Figure 5, which does not mean that there is only one bus or one type of bus.

The memory 2003 may be a ROM or another type of static storage device that can store static information and instructions, a RAM or another type of dynamic storage device that can store information and instructions, an EEPROM, a CD-ROM or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these.

Optionally, the memory 2003 stores the application program code that implements the solution of the present application, and the processor 2001 controls its execution. The processor 2001 executes the application program code stored in the memory 2003 to implement the method shown in Embodiment 1 above.

The electronic device provided by this embodiment of the present application, compared with the prior art, decides whether to accept a client device's access to the big data platform by checking whether the client device's current access identifier is in the access whitelist file. Because the current access identifier identifies both the device and the user, the device requesting access to the big data platform and its current user are verified at the same time, so that only the devices authorized in the whitelist file, and the authorized users associated with those devices, can access the platform, which protects the big data platform. Compared with the existing Kerberos-based authentication, this approach is also simpler to implement and avoids a complex deployment and verification process.

Embodiment 4

An embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the method shown in the method embodiments above.

The computer-readable storage medium provided by this embodiment of the present application, compared with the prior art, decides whether to accept a client device's access to the big data platform by checking whether the client device's current access identifier is in the access whitelist file. Because the current access identifier identifies both the device and the user, the device requesting access to the big data platform and its current user are verified at the same time, so that only the devices authorized in the whitelist file, and the authorized users associated with those devices, can access the platform, which protects the big data platform. Compared with the existing Kerberos-based authentication, this approach is also simpler to implement and avoids a complex deployment and verification process.

The computer-readable storage medium provided by this embodiment of the present application applies to the method embodiments above and is not described again here.

It should be understood that, although the steps in the flowcharts of the drawings are shown in the order indicated by the arrows, they are not necessarily executed in that order. Unless explicitly stated herein, there is no strict ordering constraint on these steps, and they may be executed in other orders. Moreover, at least some of the steps in the flowcharts may comprise several sub-steps or stages, which are not necessarily completed at the same moment but may be executed at different moments, and their order of execution is not necessarily sequential; they may be executed in turn or alternately with at least part of other steps, or of the sub-steps or stages of other steps.

The above are only some of the embodiments of the present application. It should be noted that a person of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present application, and such improvements and refinements also fall within the scope of protection of the present application.

Claims (10)

1. A method for accessing a big data platform, comprising: when an access request for the big data platform sent by a client device is received, obtaining a current access identifier of the client device, the current access identifier identifying the client device and the current user of the client device; and querying a pre-configured access whitelist file according to the current access identifier and, if the current access identifier is present in the access whitelist file, accepting the client device's access to the big data platform.

2. The method for accessing a big data platform according to claim 1, wherein the access whitelist file is a pre-configured file storing the access identifiers of client devices authorized to access the big data platform.

3. The method for accessing a big data platform according to claim 1, wherein the current access identifier comprises a user identifier of the current user and a device identifier of the client device, and the current access identifier being present in the access whitelist file means that the user identifier and the device identifier are present in association in the access whitelist file.

4. The method for accessing a big data platform according to any one of claims 1 to 3, further comprising: if the current access identifier is not present in the access whitelist file, denying the client device's access to the big data platform.

5. The method for accessing a big data platform according to any one of claims 1 to 3, further comprising: receiving a modification request for the access whitelist file; and modifying the access whitelist file according to the modification request.

6. An apparatus for accessing a big data platform, comprising: an acquisition module, configured to obtain a current access identifier of a client device when an access request for the big data platform sent by the client device is received, the current access identifier identifying the client device and the current user of the client device; and an access verification module, configured to query a pre-configured access whitelist file according to the current access identifier and to accept the client device's access to the big data platform when the current access identifier is present in the access whitelist file.

7. The apparatus for accessing a big data platform according to claim 6, wherein the access whitelist file is a pre-configured file storing the access identifiers of client devices authorized to access the big data platform.

8. The apparatus for accessing a big data platform according to claim 6, wherein the current access identifier comprises a user identifier of the current user and a device identifier of the client device, and the current access identifier being present in the access whitelist file means that the user identifier and the device identifier are present in association in the access whitelist file.

9. An electronic device, comprising a processor and a memory; the memory storing operation instructions; and the processor being configured to execute the method for accessing a big data platform according to any one of claims 1 to 5 by invoking the operation instructions.

10. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method for accessing a big data platform according to any one of claims 1 to 5.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810925077.8A CN108881309A (en) 2018-08-14 2018-08-14 Access method, device, electronic equipment and the readable storage medium storing program for executing of big data platform

Publications (1)

Publication Number Publication Date
CN108881309A true CN108881309A (en) 2018-11-23

Family

ID=64318125

Country Status (1)

Country Link
CN (1) CN108881309A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060114863A1 (en) * 2004-12-01 2006-06-01 Cisco Technology, Inc. Method to secure 802.11 traffic against MAC address spoofing
CN101917398A (en) * 2010-06-28 2010-12-15 北京星网锐捷网络技术有限公司 Method and equipment for controlling client access authority
CN102664877A (en) * 2012-03-30 2012-09-12 北京千橡网景科技发展有限公司 Method and device for exception handling in login process
US8910250B2 (en) * 2013-01-24 2014-12-09 Cisco Technology, Inc. User notifications during computing network access
CN104717223A (en) * 2015-03-26 2015-06-17 小米科技有限责任公司 Data access method and device
CN105847245A (en) * 2016-03-21 2016-08-10 杭州朗和科技有限公司 Electronic mail box login authentication method and device
CN108282508A (en) * 2017-01-06 2018-07-13 阿里巴巴集团控股有限公司 Determination method and device, information-pushing method and the device in geographical location

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110753025A (en) * 2019-01-07 2020-02-04 陈庆梅 Big data security access control method
CN110392062A (en) * 2019-08-06 2019-10-29 深圳萨摩耶互联网金融服务有限公司 A kind of multidimensional encryption method and device based on big data
CN111147480B (en) * 2019-12-25 2022-11-18 中国银联股份有限公司 File access control method, device, equipment and medium
CN111147480A (en) * 2019-12-25 2020-05-12 中国银联股份有限公司 File access control method, device, device and medium
CN112100681A (en) * 2020-11-18 2020-12-18 北京联想协同科技有限公司 Data access method, device and storage medium
CN112532623A (en) * 2020-11-27 2021-03-19 杭州安恒信息安全技术有限公司 Network hidden danger detection method and device, storage medium and equipment
CN112953905A (en) * 2021-01-27 2021-06-11 湖南快乐阳光互动娱乐传媒有限公司 Data transmission method, system and server equipment
CN114546705A (en) * 2022-02-28 2022-05-27 北京百度网讯科技有限公司 Operation response method, operation response device, electronic device, and storage medium
CN114546705B (en) * 2022-02-28 2023-02-07 北京百度网讯科技有限公司 Operation response method, operation response device, electronic device, and storage medium
US12158801B2 (en) 2022-02-28 2024-12-03 Beijing Baidu Netcom Science Technology Co., Ltd. Method of responding to operation, electronic device, and storage medium
CN115391358A (en) * 2022-07-15 2022-11-25 北京沃东天骏信息技术有限公司 Array updating method and device, electronic equipment and computer readable medium
CN115225387A (en) * 2022-07-21 2022-10-21 济宁简约信息技术有限公司 Data security tamper-proof method and system based on big data and cloud platform
CN119766473A (en) * 2024-11-22 2025-04-04 天翼云科技有限公司 IP access control method, device, system, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181123