US-12619759-B2 - Data access method and device, storage medium, and electronic device
Abstract
Provided are a data access method and device, a storage medium and an electronic device. The method includes: a first access request used for requesting access to data in a database is received; the first access request is parsed to obtain the following data corresponding to the first access request: a first access parameter, a first request type, and a first controlled field list; a first data protection operation is performed on the first controlled field list based on the first access parameter and the first request type to obtain a target result; and a second access request is synthesized based on the target result, and the data in the database is accessed based on the second access request, so as to obtain an access result.
Inventors
- Jiahao NIU
- Qiang Zhang
- Dezheng Wang
- Yaofeng TU
- Shaolin Liu
- Yonghua Chen
Assignees
- ZTE CORPORATION
Dates
- Publication Date: 20260505
- Application Date: 20210716
- Priority Date: 20200716
Claims (16)
- 1. A data access method, comprising: receiving a first access request used for requesting access to data in a database; parsing the first access request to obtain the following data corresponding to the first access request: a first access parameter, a first request type, and a first controlled field list; performing a first data protection operation on the first controlled field list based on the first access parameter and the first request type to obtain a target result; and synthesizing a second access request based on the target result, and accessing the data in the database based on the second access request to obtain an access result; wherein performing the first data protection operation on the first controlled field list based on the first access parameter and the first request type to obtain the target result comprises: selecting a controlled field from the first controlled field list in a preset order as a first controlled field; determining a first field protection rule, data security classification and data security level corresponding to the first controlled field, wherein different field protection rules correspond to different combinations of trust condition, request type and processing action, and the different combinations of trust condition comprise an access permission condition corresponding to the first access parameter; and performing the first data protection operation on the first controlled field based on the corresponding processing action in the first field protection rule to obtain the target result.
- 2. The method according to claim 1, wherein parsing the first access request to obtain the first controlled field list corresponding to the first access request comprises: in a case that the first access request is a request of Data Query Language (DQL) type, determining a top-level output field list of the request of DQL type as the first controlled field list; and in a case that the first access request is a request other than the request of DQL type, determining a target field list operated by the other request, and determining the target field list as the first controlled field list.
- 3. The method according to claim 1, wherein performing the first data protection operation on the first controlled field based on the corresponding processing action in the first field protection rule to obtain the target result comprises: executing a set of trust conditions corresponding to the first field protection rule based on the first access parameter obtained, wherein the first access parameter comprises at least one of the following: original request statement, user ID, user access level, access time, and network parameter; determining a first action type and a first action factor comprised in the processing action according to a set of trust conditions execution results, wherein the first action type is used for indicating a specific protection operation, and the first action factor is used for indicating an operator name of the specific protection operation and an actual parameter to be processed; and performing a protection processing on the first controlled field based on the first action factor to obtain the target result.
- 4. The method according to claim 3, wherein protecting the first controlled field based on the first action factor to obtain the target result comprises: in a case that the processing action type comprises one of desensitization action, encryption action, decryption action, anonymization action and customized action, synthesizing the first controlled field into a new Structured Query Language (SQL) statement field based on the first action factor to obtain the target result.
- 5. The method according to claim 1, further comprising: configuring the first field protection rule based on a first configuration instruction received, wherein the first field protection rule comprises a combination of the request type, a set of trust conditions, and the processing action; the request type comprises at least one of the following: DQL type and Data Manipulation Language (DML) type; the different combinations of trust condition are used for defining a basic judgment unit of trusted access, at least comprising trusted access types, trusted access parameter names, judgment operators and parameter values; the trusted access types comprise at least one of the following: ID trust condition, level trust condition, network trust condition, and time trust condition; the judgment operators comprise greater than, greater than or equal to, less than or equal to, less than, equal to, not equal to; the processing action comprises an action type and an action factor; the action type is used for indicating a specific protection operation, and the action factor is used for indicating the operator name of the specific protection operation and an actual parameter to be processed; the action type comprises at least one of the following: denying access, permitting access, displaying raw data, desensitization processing, encryption processing, decryption processing, anonymization processing, audit processing, and alarm processing.
- 6. The method according to claim 5, wherein in a case that the first access parameter comprises a user access level, the different combinations of trust condition comprise the level trust condition corresponding to the user access level; wherein the level trust condition is used for determining that the user access level satisfies the level trust condition when it is determined that the user access level is greater than or equal to the data security level.
- 7. The method according to claim 6, further comprising: configuring the data security classification and data security level corresponding to each controlled field based on a second configuration instruction received, wherein multiple controlled fields under the same data security classification correspond to the same data security level.
- 8. A non-transitory computer readable storage medium, in which a computer program is stored, wherein the computer program is configured to execute, when running, the method according to claim 1.
- 9. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program, so as to perform the method according to claim 1.
- 10. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program, so as to perform the method according to claim 2.
- 11. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program, so as to perform the method according to claim 3.
- 12. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program, so as to perform the method according to claim 4.
- 13. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program, so as to perform the method according to claim 5.
- 14. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program, so as to perform the method according to claim 6.
- 15. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program, so as to perform the method according to claim 7.
- 16. A non-transitory computer readable storage medium, in which a computer program is stored, wherein the computer program is configured to execute, when running, the method according to claim 2.
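The flow recited in claims 1 to 6, as an added Python example (not code from the patent or its assignee): each controlled field of a DQL request is checked against its trust conditions, and the chosen processing action is synthesized into the field list of the second request. The policy table, field and table names, the masking expression and the `DATA_LEVEL` marker are constructed for illustration; the network trust condition is simplified to a string comparison, and field names are assumed to be identifiers already validated by the SQL parser.

```python
import operator

# Judgment operators listed in claim 5.
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq, "!=": operator.ne}

# Constructed policy: field -> (data security level, {request type: rule}).
# A rule is (trust conditions, action if trusted, action otherwise); an action
# is (action type, action factor = SQL operator template, or None).
POLICY = {
    "id_number": (3, {"DQL": (
        [("level", "access_level", ">=", "DATA_LEVEL"),
         ("network", "subnet", "==", "10.0.0.0/8")],
        ("raw", None),
        ("desensitize", "CONCAT(LEFT({f}, 4), '********') AS {f}"))}),
    "salary": (4, {"DQL": (
        [("level", "access_level", ">=", "DATA_LEVEL")],
        ("raw", None),
        ("deny", None))}),
}

def trusted(conditions, params, data_level):
    """All trust conditions must hold; a missing access parameter fails closed."""
    for _kind, name, op, value in conditions:
        expected = data_level if value == "DATA_LEVEL" else value
        if name not in params or not OPS[op](params[name], expected):
            return False
    return True

def synthesize(request_type, table, fields, params):
    """Protect each controlled field in listed order, then build the second request."""
    out = []
    for field in fields:
        if field not in POLICY or request_type not in POLICY[field][1]:
            out.append(field)  # no protection rule applies to this field
            continue
        level, rules = POLICY[field]
        conditions, if_trusted, otherwise = rules[request_type]
        kind, factor = if_trusted if trusted(conditions, params, level) else otherwise
        if kind == "deny":
            raise PermissionError(f"access to {field} denied")
        out.append(field if kind == "raw" else factor.format(f=field))
    return f"SELECT {', '.join(out)} FROM {table}"
```

Because the decision depends on the access parameters rather than on database permission alone, a high-level account connecting from outside the trusted subnet still receives the masked column.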
Description
CROSS-REFERENCE TO RELATED APPLICATION
The present disclosure is based upon and claims priority to Chinese patent application No. CN202010688666.6, filed on Jul. 16, 2020 and entitled “Data Access Method and Device, Storage Medium, and Electronic Device”, the disclosure of which is hereby incorporated by reference in its entirety.
TECHNICAL FIELD
Embodiments of the present disclosure relate to the field of communications, and in particular to a data access method and device, a storage medium, and an electronic device.
BACKGROUND
With the advent of the era of big data, the problem of the leakage of users' privacy is becoming more and more serious. At the same time, various big data technologies emerge one after another, and new technical architectures, supporting platforms and big data software constantly emerge, which makes data security and privacy protection technologies face greater challenges.
In the related art, access control and transparent encryption technologies are often used to protect certain highly sensitive information (such as credit cards, names and ID numbers, or other data considered critical). By performing data encryption at a database layer, the transparent encryption technology prevents possible attackers from bypassing a database and reading the sensitive information directly from storage. Applications and users that pass database permission verification can continue to access encrypted data transparently, while operating system users trying to read sensitive data in table space files and lawbreakers trying to read disk or backup information will not be allowed to access plaintext data.
At the same time, privileged accounts can access any application data in the database. Because the privileged accounts and roles can access the database without restrictions, they are also a main target of hackers and can also be abused by insiders to obtain confidential information. Transparent encryption and permission are often invalid for privileged users.
Therefore, only permission is used as the premise and main means of sensitive field protection in the related art, which has coarse granularity of protection and potential security risks. It can be seen that there are problems of coarse granularity of data protection and potential security risks in the related art. For the above problem existing in related technologies, no effective solution has been put forward.
SUMMARY
The embodiments of the present disclosure provide a data access method and device, a storage medium, and an electronic device to at least solve the problems of coarse granularity of data protection and potential security risks in the related art.
According to an embodiment of the present disclosure, a data access method is provided, which may include the following operations. A first access request used for requesting access to data in a database is received. The first access request is parsed to obtain the following data corresponding to the first access request: a first access parameter, a first request type, and a first controlled field list. A first data protection operation is performed on the first controlled field list based on the first access parameter and the first request type to obtain a target result. A second access request is synthesized based on the target result, and the data in the database is accessed based on the second access request to obtain an access result.
According to another embodiment of the present disclosure, a data access device is provided, which may include: a receiving module, an obtaining module, a performing module, and an accessing module. The receiving module is configured to receive a first access request used for requesting access to data in a database. The obtaining module is configured to parse the first access request to obtain the following data corresponding to the first access request: a first access parameter, a first request type, and a first controlled field list.
The performing module is configured to perform a first data protection operation on the first controlled field list based on the first access parameter and the first request type to obtain a target result. The accessing module is configured to synthesize a second access request based on the target result, and access the data in the database based on the second access request to obtain an access result.
According to yet another embodiment of the present disclosure, a computer-readable storage medium is also provided, in which a computer program is stored. The computer program is configured to execute, when running, the steps in any above method embodiment.
According to yet another embodiment of the present disclosure, an electronic device is also provided, which may include a memory and a processor. The memory stores a computer program. The processor is configured to run the computer program to execute the steps in any above method embodiment.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a structural block diagram of hardw