CN-121984992-A - Construction method and platform of trusted data service for hydroelectric industry

Abstract

The invention provides a method for constructing a trusted data service for the hydroelectric industry, which comprises the steps of constructing a trusted data space, establishing a data model by collecting metadata of a multi-service system, classifying, grading and differentially encrypting, generating a controllable data service, automatically generating a single table and multi-table associated interface based on the data model or generating an interface through a custom SQL (structured query language), configuring row-column level authority to control a data range, dynamically authorizing a service, generating a dynamic key based on role configuration calling times and validity period, encrypting access parameters, monitoring service node resources and calling behaviors, and recording a calling message for tracing. The invention realizes the whole flow safety and controllability of hydropower data from integration, treatment to service sharing by constructing a trusted data space, generating controllable data service, dynamic service authorization and service monitoring traceability, and effectively solves the problems of data island, safety weakness and architecture rigidification.

Inventors

• XU BO
• JING XUAN
• SUN YUANBIN
• WU SHUJING
• FU ZHIXIANG
• XIAO HANFEI
• WANG PENGYI
• QU YUAN
• Hei Zhichen
• SU XINHUA
• SUN QIWEI
• ZENG FANLIN
• ZHANG MING
• HONG YUN
• YANG NING
• YANG FEI
• ZHU JUNMEI

Assignees

• 汉江水利水电(集团)有限责任公司

Dates

Publication Date

20260505

Application Date

20251229

Claims (10)

1. 1. The method for constructing the trusted data service for the hydroelectric industry is characterized by comprising the following steps of: The method comprises the steps of establishing a trusted data space, namely collecting metadata of each business system of the hydroelectric generation to establish a data model, establishing association between the data model and a physical data source, classifying and grading fields in the data model according to the sensitivity degree, and encrypting the sensitive data by adopting a corresponding encryption algorithm according to the grading result to form the trusted data space; Generating controllable data service, namely automatically generating a data service interface associated with a single table or multiple tables based on a data model in the trusted data space, or generating the data service interface through a custom SQL statement, and configuring row-level authority and column-level authority for the data service interface to control a returned data range and field; dynamic service authorization, namely distributing users and roles for the data service, configuring the calling frequency threshold and the access validity period of the service based on the roles, dynamically generating a time-efficient access key, and encrypting sensitive information in access parameters of the data service to complete the construction of the trusted data service.
2. 2. The method of claim 1, wherein the step of collecting metadata to build a data model and to build an association with a physical data source comprises: Automatically acquiring table structure information from a database of the SCADA, ERP and weather monitoring business system by deploying a metadata collector, and constructing a logic data model; Receiving CDM, LDM, PDM, XLSX or XLS format model files in a file uploading mode, and analyzing table and field definitions in the model files; And mapping and correlating the model analyzed by the logic data model or the model file with a physical database table in the service system to ensure that a data acquisition relationship exists between the data model and the service system database table.
3. 3. The method of constructing a hydro-power industry-oriented trusted data service of claim 1, wherein classifying and encrypting the fields in the data model comprises: l1 level, wherein the public data is not encrypted; L2 level, wherein the internal data adopts an AES-256 encryption algorithm; L3 level, wherein important data adopts SM4 encryption algorithm; And L4, adopting an irreversible encryption algorithm for core data.
4. 4. The method for constructing a trusted data service for the hydro-power generation industry as claimed in claim 1, wherein the data service interface is generated by custom SQL statements, comprising the steps of: Defining input parameters and data types of SQL queries; Constructing the SQL statement by utilizing parameterized query or precompiled statement to prevent SQL injection attack; Performing white list verification on table names and field names appearing in SQL sentences to ensure that the table names and the field names are positioned in the range of an authorized data model; And applying the column-level authority and row-level authority control to the result set returned by executing SQL.
5. 5. The method for constructing a reliable data service for the hydro-power generation industry as recited in claim 4, wherein the method for applying the column level authority and row level authority control comprises: column level authority control, namely selecting a field subset which is allowed to be returned from all attribute fields of a data model to be configured, wherein a data service response message only contains the field subset, and filtering unauthorized fields; And when the data service is called, the system automatically converts the authority tree into a WHER clause condition of SQL query, and the WHER clause condition is added into a query statement to return only the data line meeting the condition.
6. 6. The method for constructing a trusted data service for the hydro-power generation industry of claim 1, wherein the method for dynamically generating the time-dependent access key comprises: the data demand party submits an identity credential to apply for a dynamic key for accessing a specific data service by calling a special key acquisition interface; the system generates a dynamic key K according to the user identity, the current timestamp, the called times and the key validity period by using the following formula: ; Wherein H is SHA-3 hash function, For a unique identity identifier of the user, The character string splicing operation is represented by a character string, For the current timestamp at the time of the application of the key, For the number of invocations of the service by the user, A key validity period configured for the system, mod being a modulo operation; When the data demand party calls the data service, the dynamic key is substituted into the request, and after the service party receives the request, the service party sequentially verifies whether the user permission, the calling times and the validity period are in the permitted range and whether the dynamic key is accurate or not, and all the access is allowed through the rear part.
7. 7. The method for constructing a trusted data service for the hydro-power generation industry as claimed in claim 1, wherein the method for encrypting the sensitive information in the access parameters of the data service comprises: for the sensitive information in the access parameters, one or more of the following desensitization rules are configured for transmission after conversion: The out-of-order desensitization, namely randomly disturbing the sequence of the original data characters, and recalculating check bits based on a Luhn algorithm to keep the format legal; Offset desensitization, namely adding a controllable random offset for the original numerical value to avoid data distortion, and simultaneously keeping data statistics and service logic effectiveness; average desensitization, replacing the original value with the statistical average value of the classification to which the original value belongs, so as to eliminate individual characteristics and retain population trend.
8. 8. The method for constructing a trusted data service for the hydro-power generation industry of claim 1, further comprising: and the service monitoring tracing step is to monitor the resource state of the server node deploying the trusted data service, count and alarm the calling behavior of the data service, and record the request and response message of each calling for query tracing, wherein the statistical index of the calling behavior comprises the calling success rate.
9. 9. A trusted data service platform for the hydro-power generation industry, comprising: a trusted data space building module comprising: The metadata acquisition and construction unit is used for automatically acquiring data table metadata from the SCADA, ERP and weather monitoring business system; the model management unit supports uploading a data model through a file and establishes a mapping relation between the data model and a physical data table of the service system; the data classification and grading unit is internally provided with data classification standards and rules; the encryption storage unit is used for calling a corresponding encryption algorithm to execute encryption storage according to the data grading result; A controllable data service generation module comprising: The service development unit is used for generating a data service interface based on a single-table model, a multi-table association model or custom SQL; The row-column authority management unit is used for configuring a field range and a data line range which can be returned for the data service interface; a service authorization module comprising: the dynamic key authorization unit is used for dynamically generating and verifying the access key based on the user roles, the calling times and the validity period; The parameter configuration unit is used for configuring encryption rules of the access parameters of the data service interface according to the data security rules; and the service release unit is used for controlling the release state of the data service interface and only allowing the released service to be accessed.
10. 10. The hydro-power generation industry oriented trusted data service platform of claim 9, wherein said service platform further comprises: a service monitoring module, comprising: The service engine monitoring unit is used for monitoring the host state and the process resource utilization rate of the service deployment node; the service call statistics alarm unit is used for counting the success rate and average response time of service call and triggering alarm when the index is abnormal; and the service call inquiring unit is used for recording and inquiring the contents of the request and response messages of each service call.

Description

Construction method and platform of trusted data service for hydroelectric industry Technical Field The invention relates to the technical field of data management, in particular to a method and a platform for constructing trusted data service for hydroelectric industry. Background The hydroelectric industry is an important component in the energy field, and a large amount of high-value data is involved in the production, operation and management processes of the hydroelectric power generation industry, including equipment state data, hydrologic monitoring data, power scheduling data and the like. However, the current industry has significant technical bottlenecks in data service construction and management, and restricts the value mining and security application of data. First, the data integration and standardization are low, and it is difficult to form a unified data view. Internal systems (such as SCADA, ERP and meteorological monitoring) of hydropower enterprises are mutually independent, data models are heterogeneous, storage is dispersed, and serious data islands are formed. This results in cumbersome custom development for each data source when constructing a cross-business data service, long data preparation period, high cost, and inability to quickly respond to business demands. Secondly, security control of data service is weak, and leakage and override risks exist. The traditional data sharing mode mostly adopts static account passwords or simple API keys, and lacks a dynamic authorization mechanism with fine granularity. At the same time, there is a lack of effective field level protection for the sensitive data returned (real-time load, device parameters), and once the interface is invoked, all the data will be fully exposed. The existing static encryption scheme is also difficult to cope with dynamic security threat, and can not realize minimized authority output while guaranteeing the availability of data. Finally, the service architecture is stiff, and lacks flexibility and controllability. The existing data service interfaces are mostly in a pre-customized fixed mode, and the returned data range and content are difficult to dynamically adjust according to the specific authority and scene of the demander. When multi-table association inquiry or complex condition screening service is required to be provided, an interface is often required to be redeveloped, the interface cannot be quickly generated in a configuration mode, and the flexibility of service generation and authorization is seriously insufficient. Disclosure of Invention The invention provides a method and a platform for constructing trusted data service for the hydroelectric industry, which solve the technical problems of data island forestation, weak safety control, service architecture rigidification and the like of the data service in the existing hydroelectric industry. The technical scheme of the invention is realized as follows: the first aspect of the invention provides a method for constructing a trusted data service for the hydroelectric industry, which comprises the following steps: The method comprises the steps of establishing a trusted data space, namely collecting metadata of each business system of the hydroelectric generation to establish a data model, establishing association between the data model and a physical data source, classifying and grading fields in the data model according to the sensitivity degree, and encrypting the sensitive data by adopting a corresponding encryption algorithm according to the grading result to form the trusted data space; Generating controllable data service, namely automatically generating a data service interface associated with a single table or multiple tables based on a data model in the trusted data space, or generating the data service interface through a custom SQL statement, and configuring row-level authority and column-level authority for the data service interface to control a returned data range and field; dynamic service authorization, namely distributing users and roles for the data service, configuring the calling frequency threshold and the access validity period of the service based on the roles, dynamically generating a time-efficient access key, and encrypting sensitive information in access parameters of the data service to complete the construction of the trusted data service. Specifically, a method of collecting metadata to build a data model and establish an association with a physical data source includes: Automatically acquiring table structure information from a database of the SCADA, ERP and weather monitoring business system by deploying a metadata collector, and constructing a logic data model; Receiving CDM, LDM, PDM, XLSX or XLS format model files in a file uploading mode, and analyzing table and field definitions in the model files; And mapping and correlating the model analyzed by the logic data model or the model file with a physical database tab