US-20260129046-A1 - DATA ACCESS
Abstract
This application relates to the field of communication technologies, and specifically provides a data access method and apparatus, an electronic device, and a storage medium. The data access method includes: when it is determined that a data access request sent by a client is received, obtaining an access control condition for a subnet address segment of a data server, where the subnet address segment is obtained through division from a local area network address segment corresponding to the first VPC, and the client is deployed in a second VPC; generating a data response message based on the data access request if it is determined that the data access request satisfies the access control condition; obtaining a routing table rule for the subnet address segment of the data server; and returning the data response message to the client based on the routing table rule. In this way, the quantity of consumed VPCs is reduced while data isolation is ensured.
Inventors
- Yi Lu
- Tianchi Liu
Assignees
- Beijing Oceanbase Technology Co., Ltd.
Dates
- Publication Date: 20260507
- Application Date: 20251229
- Priority Date: 20231017
Claims (20)
- 1. A data access method, comprising: in response to a data access request from a client, obtaining an access control condition for a subnet address segment of a data server of a data processing system, the data processing system deployed in a first virtual private cloud (VPC), wherein the subnet address segment is a part of a local area network address segment corresponding to the first VPC, and the client is deployed in a second VPC; generating a data response message based on the data access request in response to it is determined that the data access request satisfies the access control condition; obtaining a routing table rule for the subnet address segment of the data server; and sending the data response message to the client based on the routing table rule.
- 2. The method according to claim 1, further comprising: before the obtaining the access control condition for the subnet address segment of the data server, obtaining the local area network address segment configured for the first VPC; dividing the local area network address segment, to obtain a plurality of subnet address segments; allocating a corresponding subnet address segment to each data server on the first VPC; and setting a corresponding access control condition and a corresponding routing table rule for each subnet address segment.
- 3. The method according to claim 1, wherein the generating the data response message based on the data access request in response to it is determined that the data access request satisfies the access control condition comprises: obtaining a client address in the data access request; in response to it is determined that the client address satisfies the access control condition, performing a data query based on the data access request, to obtain a query result; and generating the data response message based on the query result and the client address.
- 4. The method according to claim 3, further comprising: discarding the data access request in response to it is determined that the client address does not satisfy the access control condition.
- 5. The method according to claim 3, wherein the sending the data response message to the client based on the routing table rule comprises: determining a routing address segment corresponding to the client address based on the routing table rule; and sending the data response message to the client based on the routing address segment.
- 6. The method according to claim 5, further comprising: discarding the data response message in response to it is determined, based on the routing table rule, that a routing address segment corresponding to the client address does not exist.
- 7. The method according to claim 1, wherein the subnet address segment is obtained through division from the local area network address segment corresponding to the first VPC.
- 8. An electronic device, comprising: one or more processors; and one or more memory devices, individually or collectively, storing computer instructions, the computer instructions, when executed by the one or more processors, enabling the one or more processors to, individually or collectively, implement actions including: in response to a data access request from a client, obtaining an access control condition for a subnet address segment of a data server of a data processing system, the data processing system deployed in a first virtual private cloud (VPC), wherein the subnet address segment is a part of a local area network address segment corresponding to the first VPC, and the client is deployed in a second VPC; generating a data response message based on the data access request in response to it is determined that the data access request satisfies the access control condition; obtaining a routing table rule for the subnet address segment of the data server; and sending the data response message to the client based on the routing table rule.
- 9. The electronic device according to claim 8, wherein the actions further include: before the obtaining the access control condition for the subnet address segment of the data server, obtaining the local area network address segment configured for the first VPC; dividing the local area network address segment, to obtain a plurality of subnet address segments; allocating a corresponding subnet address segment to each data server on the first VPC; and setting a corresponding access control condition and a corresponding routing table rule for each subnet address segment.
- 10. The electronic device according to claim 8, wherein the generating the data response message based on the data access request in response to it is determined that the data access request satisfies the access control condition comprises: obtaining a client address in the data access request; in response to it is determined that the client address satisfies the access control condition, performing a data query based on the data access request, to obtain a query result; and generating the data response message based on the query result and the client address.
- 11. The electronic device according to claim 10, wherein the actions further include: discarding the data access request in response to it is determined that the client address does not satisfy the access control condition.
- 12. The electronic device according to claim 10, wherein the sending the data response message to the client based on the routing table rule comprises: determining a routing address segment corresponding to the client address based on the routing table rule; and sending the data response message to the client based on the routing address segment.
- 13. The electronic device according to claim 12, wherein the actions further include: discarding the data response message in response to it is determined, based on the routing table rule, that a routing address segment corresponding to the client address does not exist.
- 14. The electronic device according to claim 8, wherein the subnet address segment is obtained through division from the local area network address segment corresponding to the first VPC.
- 15. A storage medium, storing computer instructions, the computer instructions, when executed by one or more processors, enabling the one or more processors to, individually or collectively, implement actions comprising: in response to a data access request from a client, obtaining an access control condition for a subnet address segment of a data server of a data processing system, the data processing system deployed in a first virtual private cloud (VPC), wherein the subnet address segment is a part of a local area network address segment corresponding to the first VPC, and the client is deployed in a second VPC; generating a data response message based on the data access request in response to it is determined that the data access request satisfies the access control condition; obtaining a routing table rule for the subnet address segment of the data server; and sending the data response message to the client based on the routing table rule.
- 16. The storage medium according to claim 15, wherein the actions further include: before the obtaining the access control condition for the subnet address segment of the data server, obtaining the local area network address segment configured for the first VPC; dividing the local area network address segment, to obtain a plurality of subnet address segments; allocating a corresponding subnet address segment to each data server on the first VPC; and setting a corresponding access control condition and a corresponding routing table rule for each subnet address segment.
- 17. The storage medium according to claim 15, wherein the generating the data response message based on the data access request in response to it is determined that the data access request satisfies the access control condition comprises: obtaining a client address in the data access request; in response to it is determined that the client address satisfies the access control condition, performing a data query based on the data access request, to obtain a query result; and generating the data response message based on the query result and the client address.
- 18. The storage medium according to claim 17, wherein the actions further include: discarding the data access request in response to it is determined that the client address does not satisfy the access control condition.
- 19. The storage medium according to claim 17, wherein the sending the data response message to the client based on the routing table rule comprises: determining a routing address segment corresponding to the client address based on the routing table rule; and sending the data response message to the client based on the routing address segment.
- 20. The storage medium according to claim 19, wherein the actions further include: discarding the data response message in response to it is determined, based on the routing table rule, that a routing address segment corresponding to the client address does not exist.
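The flow in claims 1 to 6, as an added Python example that is not taken from the patent: one VPC address segment is divided per data server, and each subnet carries its own access control condition and routing table rule. The address ranges, server names, the `peering-app` label and the longest-prefix route match are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SubnetPolicy:
    subnet: ipaddress.IPv4Network
    acl: list = field(default_factory=list)     # client segments allowed to query
    routes: dict = field(default_factory=dict)  # client segment -> next hop label

def provision(vpc_cidr, servers, new_prefix=24):
    """Divide the first VPC's address segment; one subnet segment per data server."""
    subnets = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))
    if len(servers) > len(subnets):
        raise ValueError("address segment too small for the number of data servers")
    return {name: SubnetPolicy(net) for name, net in zip(servers, subnets)}

def handle_request(policy, client_addr, run_query):
    client = ipaddress.ip_address(client_addr)
    # Access control condition: evaluated before any data is touched.
    if not any(client in seg for seg in policy.acl):
        return ("request_discarded", None)
    result = run_query()
    # Routing table rule: longest-prefix match is an assumption of this example.
    matches = [seg for seg in policy.routes if client in seg]
    if not matches:
        return ("response_discarded", None)
    best = max(matches, key=lambda seg: seg.prefixlen)
    return ("sent", {"to": client_addr, "via": policy.routes[best], "data": result})

def demo():
    net = ipaddress.ip_network
    # Constructed sample: first VPC 192.168.0.0/16, clients in second VPC 10.1.0.0/16.
    policies = provision("192.168.0.0/16", ["db-a", "db-b"])
    policies["db-a"].acl = [net("10.1.1.0/24")]
    policies["db-a"].routes = {net("10.1.0.0/16"): "peering-app"}  # hypothetical label
    policies["db-b"].acl = [net("10.1.2.0/24")]                    # ACL set, route missing
    queries = []
    def q(name):
        return lambda: queries.append(name) or f"rows from {name}"
    return {
        "allowed": handle_request(policies["db-a"], "10.1.1.7", q("db-a")),
        "cross_tenant": handle_request(policies["db-a"], "10.1.2.9", q("db-a")),
        "no_route": handle_request(policies["db-b"], "10.1.2.9", q("db-b")),
        "subnets": [str(p.subnet) for p in policies.values()],
        "queries_run": queries,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the third case the query runs and only the response is dropped, which follows the claimed order (response generated, then routing rule consulted); the access control condition is the only step that stops data from being read.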
Description
TECHNICAL FIELD
This application relates to the field of communication technologies, and for example, to a data access method and apparatus, an electronic device, and a storage medium.
BACKGROUND
A private network (e.g., virtual private cloud, VPC) is a cloud running on a public resource, and can ensure that resources of clients of different VPCs are isolated. Instances of different VPCs communicate through an established private connection (e.g., VPC peering).
In the related technology, a plurality of clients and a plurality of data servers are usually respectively deployed in different VPCs, and VPC peering is established between each client and a corresponding data server. During data access, the client can access the corresponding data server through an established private connection, to ensure security isolation between different data servers. In an example, the data server can be a database server, and the client can be an application (APP).
When there are a relatively large quantity of data servers, a large quantity of VPCs are consumed. However, because of a limitation of a VPC resource, it is usually difficult to satisfy a VPC requirement of a user.
SUMMARY
Embodiments of this application provide a data access method and apparatus, an electronic device, and a storage medium, which, among others, reduce a quantity of consumed VPCs while ensuring data isolation.
According to an aspect, an implementation of this application provides a data access method, applied to any data server in a data processing system. The data processing system includes at least one data server, the data processing system is deployed in a first private network VPC, and the method includes: when it is determined that a data access request sent by a client is received, obtaining an access control condition configured for a subnet address segment of the data server, where the subnet address segment is obtained through division from a local area network address segment corresponding to the first VPC, and the client is deployed in a second VPC; generating a data response message based on the data access request if it is determined that the data access request satisfies the access control condition; obtaining a routing table rule configured for the subnet address segment of the data server; and returning the data response message to the client based on the routing table rule.
In an implementation, before the obtaining an access control condition configured for a subnet address segment of the data server, the method further includes: obtaining the local area network address segment correspondingly configured for the first VPC; dividing the local area network address segment, to obtain a plurality of subnet address segments; allocating a corresponding subnet address segment to each data server; and setting a corresponding access control condition and a corresponding routing table rule for each subnet address segment.
In an implementation, the generating a data response message based on the data access request if it is determined that the data access request satisfies the access control condition includes: obtaining a client address in the data access request; if it is determined that the client address satisfies the access control condition, performing a data query based on the data access request, to obtain a query result; and generating the data response message based on the query result and the client address.
In an implementation, the method further includes: discarding the data access request if it is determined that the client address does not satisfy the access control condition.
In an implementation, the returning the data response message to the client based on the routing table rule includes: determining a routing address segment corresponding to the client address based on the routing table rule; and sending the data response message to the client based on the routing address segment.
In an implementation, the method further includes: discarding the data response message if it is determined, based on the routing table rule, that a routing address segment corresponding to the client address does not exist.
According to an aspect, an implementation of this application provides a data access apparatus, applied to any data server in a data processing system. The data processing system includes at least one data server, the data processing system is deployed in a first private network VPC, and the apparatus includes: a receiving unit, configured to: when it is determined that a data access request sent by a client is received, obtain an access control condition configured for a subnet address segment of the data server, where the subnet address segment is obtained through division from a local area network address segment corresponding to the first VPC, and the client is deployed in a second VPC; a generation unit, configured to generate a data response message based on the data access request if it is determined that the data a