

Technical Field
The invention relates to the technical field of data security, and in particular to a data security management and control system and method for distributed big data.
Background
At present, as system applications grow richer, large service projects generally adopt distributed systems, which generate large amounts of data while running. This data is a core asset of the enterprise and also a target for attackers, so its security must be protected and controlled.
In distributed system applications, many users can access and operate the system, and the data generated raises the problem of fusing, storing and managing massive heterogeneous data. The prior art mostly relies on differing user permissions for control. However, with multiple users and network transmission involved, security risks from other networks can easily penetrate; once a single client suffers a malicious attack, the attack may spread through the entire system and threaten data security. This approach therefore still suffers from insufficient security.
Summary of the Invention
In view of the technical defects in the prior art, the purpose of the embodiments of the present invention is to provide a data security management and control system and method for distributed big data, so as to improve data security.
To achieve the above purpose, in a first aspect, an embodiment of the present invention provides a data security management and control system for distributed big data, the system comprising:
a first verification module, configured to perform user identity and permission verification on all links, to prevent users from gaining access directly by entering a URL;
a password encryption module, configured to apply hash encryption to the logged-in user's password after permission verification passes;
a second verification module, configured to perform double verification of user forms, on the server side and on the client side respectively;
a secure encoding module, configured to securely encode, on the server side, all data submitted through user forms;
a distributed processing module, configured to manage the database using MHA technology during data storage.
Preferably, the system further comprises:
a layering module, configured to divide the system into a database layer, a data access layer and a business logic layer, where each layer can be accessed only through an interface, with parameter validation, to ensure the security of data operations.
Preferably, the interface adopts a stateless RESTful design, uses the HTTPS transport protocol, and encrypts sensitive information.
Preferably, requests to interfaces that require login uniformly place the Token obtained after a successful user login in the request header, so that response data is encapsulated in a unified format to ensure consistent front-end processing;
at the same time, the interface data is encrypted to increase the security of data transmission.
Preferably, the database adopts a multi-master, multi-slave structure, and multiple checks are performed on uploaded files during data storage.
Preferably, the multiple checks specifically comprise:
determining the file type, using the MIME Type in combination when doing so;
checking whether the file's directory has execute permission;
checking whether an absolute path is displayed for the file.
In a second aspect, an embodiment of the present invention further provides a data security management and control method for distributed big data, applied to the data security management and control system for distributed big data described in the first aspect, the method comprising:
performing user identity and permission verification on all links, to prevent users from gaining access directly by entering a URL;
applying hash encryption to the logged-in user's password after permission verification passes;
performing double verification of user forms, on the server side and on the client side respectively;
securely encoding, on the server side, all data submitted through user forms;
managing the database using MHA technology during data storage.
Preferably, the method further comprises:
dividing the system into a database layer, a data access layer and a business logic layer, where each layer can be accessed only through an interface, with parameter validation, to ensure the security of data operations.
Preferably, the interface adopts a stateless RESTful design, uses the HTTPS transport protocol, and encrypts sensitive information.
Preferably, multiple checks are performed on uploaded files during data storage, the multiple checks specifically comprising:
determining the file type, using the MIME Type in combination when doing so;
checking whether the file's directory has execute permission;
checking whether an absolute path is displayed for the file.
In implementing the embodiments of the present invention, on top of permission verification, user identity and permission verification is also performed on all management-side links, to prevent users from gaining access directly by entering a URL; hash encryption is applied to the logged-in user's password; user forms are double-verified on the server side and the client side; all data submitted through user forms is securely encoded on the server side to improve data security; and finally, during data storage, the database is managed using MHA technology to further safeguard the data. This overcomes the problem in the prior art of controlling only user permissions while ignoring network security risks, and thereby improves data security.
Description of Drawings
To explain the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the accompanying drawings needed in describing the specific embodiments or the prior art are briefly introduced below.
FIG. 1 is a schematic framework diagram of a data security management and control system for distributed big data provided by an embodiment of the present invention;
FIG. 2 is a flowchart of a data security management and control method for distributed big data provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
It should be noted that, unless otherwise specified, the technical or scientific terms used in this application have the ordinary meanings understood by those skilled in the art to which the present invention belongs.
Referring to FIG. 1, an embodiment of the present invention provides a data security management and control system for distributed big data, the system comprising:
A first verification module, configured to perform user identity and permission verification on all links, to prevent users from gaining access directly by entering a URL; here, all links include all management-side links. In application, mandatory access control is used: when a subject attempts to access an object, the security attributes are checked to decide whether access is permitted.
A password encryption module, configured to apply hash encryption to the logged-in user's password after permission verification passes; for example, SHA1 hash encryption is performed. Because this encryption method is irreversible and avoids credential stuffing, security is ensured even after the ciphertext is leaked.
A second verification module, configured to perform double verification of user forms, on the server side and on the client side respectively. This prevents users from making malicious modifications through the client (such as non-writable text fields, tampering with hidden variables, uploading illegal files, etc.) and skipping client-side validation to operate on the database.
A secure encoding module, configured to securely encode, on the server side, all data submitted through user forms, thereby preventing users from submitting illegal scripts for XSS attacks, using SQL injection to obtain sensitive data, and the like, and thus ensuring data security.
A distributed processing module, configured to manage the database using MHA technology during data storage.
It should be noted that MHA (Master High Availability) is currently a relatively mature solution for MySQL high availability. It consists of the MHA Manager (management node) and the MHA Node (data node). The MHA Manager can be deployed on a separate machine to manage multiple master-slave clusters, or it can be deployed on a slave node. The MHA Node runs on every MySQL server. The MHA Manager periodically probes the master node in the cluster; when the master fails, it can automatically promote the slave with the most recent data to be the new master and then repoint all other slaves to the new master.
In this embodiment, the database adopts a multi-master, multi-slave structure, and multiple checks are performed on uploaded files during data storage, the multiple checks specifically comprising:
Determining the file type, using the MIME Type in combination when doing so; the back end strictly controls which file extensions may be uploaded, avoiding the risk that front-end-only control of the upload format can be bypassed with tools;
Checking whether the file's directory has execute permission; the upload directory must not have execute permission and must not parse script languages such as jsp, php and sh, so that an uploaded file cannot be accessed directly to execute a script;
Checking whether an absolute path is displayed for the file; in application, no absolute path may be displayed, so that an attacker has no opportunity to learn the paths of system files and thereby access or modify other protected system resources.
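The three upload checks above, as an added Python example that is not code from the patent. The allow-list, the `/files/` prefix and all function names are assumptions; "no execute permission" is interpreted here as stored files carrying no execute bit, while the web server's script-handler mapping for the directory is configuration outside this sketch.

```python
import os
import stat
import uuid

# Assumed allow-list: extension -> (expected MIME type, leading magic bytes).
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".pdf": ("application/pdf", b"%PDF-"),
}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
PUBLIC_PREFIX = "/files/"  # hypothetical URL prefix exposed to clients


class UploadRejected(Exception):
    """Raised with a message that never contains a server-side path."""


def check_type(filename, declared_mime, data):
    """Check 1: extension, declared MIME type and file content must agree."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("file extension not allowed")
    mime, magic = ALLOWED[ext]
    if declared_mime.split(";")[0].strip().lower() != mime:
        raise UploadRejected("MIME type does not match extension")
    if not data.startswith(magic):
        raise UploadRejected("content does not match declared type")
    return ext


def files_with_exec_bit(upload_dir):
    """Check 2 (audit): list stored files that carry any execute bit."""
    flagged = []
    for name in sorted(os.listdir(upload_dir)):
        mode = os.stat(os.path.join(upload_dir, name)).st_mode
        if stat.S_ISREG(mode) and mode & EXEC_BITS:
            flagged.append(name)
    return flagged


def store_upload(upload_dir, filename, declared_mime, data):
    """Run the checks, write the file, and return a path-free reference."""
    ext = check_type(filename, declared_mime, data)
    stored_name = uuid.uuid4().hex + ext  # the client-supplied name is discarded
    target = os.path.join(upload_dir, stored_name)
    # Check 2: create the file without execute bits and refuse to overwrite.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # Check 3: the caller only ever sees a relative public reference.
    return PUBLIC_PREFIX + stored_name
```

`files_with_exec_bit` can be run periodically over the upload directory to catch files that gained execute bits after they were stored.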
In implementation, other embodiments further include:
Removing information about the web service version and application framework from HTTP response headers;
Disabling unneeded HTTP methods, making the system harder to attack;
Setting HttpOnly to avoid the danger of cookie hijacking;
Adding a token to the request address and verifying it;
Verifying the HTTP Referer field, to prevent an attacker from stealing your identity and sending malicious requests to third-party websites in your name;
Not saving sensitive information in logs;
In HTML forms, prohibiting plaintext display or autofill.
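The request and response measures in the list above (banner headers, HTTP methods, HttpOnly, request token, Referer), as an added WSGI middleware example that is not code from the patent. The allowed-method set, the host name, `session_token_for` and the sample app are assumptions; a `Server` header added by the web server itself, rather than by the application, has to be removed in the server's own configuration.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed: all the application needs
STRIP_HEADERS = {"server", "x-powered-by"}  # version and framework banners
TRUSTED_HOST = "app.example.test"           # constructed host name


def _deny(start_response, status):
    start_response(status, [("Content-Type", "text/plain"), ("Content-Length", "0")])
    return [b""]


def _host(url):
    """Host part of a URL, or None when it is absent or malformed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def harden(app, session_token_for):
    """Wrap a WSGI app. session_token_for(environ) is a hypothetical lookup
    returning the token issued to this session at login, or None."""

    def middleware(environ, start_response):
        method = environ.get("REQUEST_METHOD", "")
        if method not in ALLOWED_METHODS:
            return _deny(start_response, "405 Method Not Allowed")

        if method == "POST":  # state-changing request: Referer and token checks
            if _host(environ.get("HTTP_REFERER", "")) != TRUSTED_HOST:
                return _deny(start_response, "403 Forbidden")
            sent = parse_qs(environ.get("QUERY_STRING", "")).get("token", [""])[0]
            expected = session_token_for(environ) or ""
            if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
                return _deny(start_response, "403 Forbidden")

        def filtered_start(status, headers, exc_info=None):
            cleaned = []
            for name, value in headers:
                lname = name.lower()
                if lname in STRIP_HEADERS:
                    continue  # drop version/framework banners
                if lname == "set-cookie" and "httponly" not in value.lower():
                    value += "; HttpOnly"  # keep cookies away from page scripts
                cleaned.append((name, value))
            return start_response(status, cleaned, exc_info)

        return app(environ, filtered_start)

    return middleware


def demo_app(environ, start_response):
    """Constructed sample app that emits banners and a bare session cookie."""
    start_response("200 OK", [
        ("Server", "ExampleHTTPd/1.2.3"),
        ("X-Powered-By", "ExampleFramework 4.5"),
        ("Set-Cookie", "sid=constructed-session-id; Path=/"),
        ("Content-Type", "text/plain"),
    ])
    return [b"ok"]


def call(app, method, query="", referer=None):
    """Drive a WSGI app once and return (status, headers) for inspection."""
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers

    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```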
Further, in another embodiment, on the basis of the above technical solution, in order to improve the security of data operations, the system further comprises:
A layering module, configured to divide the system into a database layer, a data access layer and a business logic layer, where each layer can be accessed only through an interface, with parameter validation, to ensure the security of data operations.
Specifically, a layered design is adopted; the interface uses a stateless RESTful design and the HTTPS transport protocol, and sensitive information is encrypted. For sensitive information (such as passwords), SHA256 encryption is used;
At the same time, requests to interfaces that require login uniformly place the Token obtained after a successful user login in the request header, so that response data is encapsulated in a unified format to ensure consistent front-end processing;
At the same time, the interface data is encrypted to increase the security of data transmission.
In the above technical solution, on top of permission verification, user identity and permission verification is also performed on all management-side links, to prevent users from gaining access directly by entering a URL; hash encryption is applied to the logged-in user's password; user forms are double-verified on the server side and the client side; all data submitted through user forms is securely encoded on the server side to improve data security; and finally, during data storage, the database is managed using MHA technology to further safeguard the data. Security control is thus applied not only locally but also across the network, which overcomes the problem in the prior art of controlling only user permissions while ignoring network security risks, and thereby improves data security.
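The password hashing described above names SHA1 and, for the interface layer, SHA256. As an added example that is not code from the patent, the following contrasts a single unsalted digest with a salted, iterated derivation (PBKDF2-HMAC-SHA256, a technique substituted here and not named by the page) and shows how identical stored values reveal reused passwords; the work factor, record format and function names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; tune to the deployment's hardware


def sha1_digest(password):
    """The single unsalted digest the text describes (SHA1 shown)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated derivation; returns a self-describing record string."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute with the stored salt and count, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        stored = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: wrong field count, bad hex, bad count
    return hmac.compare_digest(dk, stored)


def shared_digests(user_to_stored):
    """Audit helper: groups of users whose stored password value is identical.

    With an unsalted digest, equal passwords always produce equal stored
    values, so a leaked table reveals password reuse and is open to
    precomputed lookups. A per-user salt makes every stored value distinct.
    """
    groups = {}
    for user, stored in user_to_stored.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# Constructed sample accounts for the comparison.
SAMPLE_USERS = {
    "alice": "Constructed-Pass-1",
    "bob": "Constructed-Pass-1",
    "carol": "Another-Pass-2",
}
```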
Based on the same inventive concept, as shown in FIG. 2, an embodiment of the present invention further provides a data security management and control method for distributed big data, applied to the data security management and control system for distributed big data described above, the method comprising:
S101, performing user identity and permission verification on all links, to prevent users from gaining access directly by entering a URL;
S102, applying hash encryption to the logged-in user's password after permission verification passes;
S103, performing double verification of user forms, on the server side and on the client side respectively;
S104, securely encoding, on the server side, all data submitted through user forms;
S105, managing the database using MHA technology during data storage.
Further, the database adopts a multi-master, multi-slave structure, and multiple checks are performed on uploaded files during data storage, the multiple checks specifically comprising:
Determining the file type, using the MIME Type in combination when doing so;
Checking whether the file's directory has execute permission;
Checking whether an absolute path is displayed for the file.
In implementation, other embodiments further include:
Removing information about the web service version and application framework from HTTP response headers;
Disabling unneeded HTTP methods, making the system harder to attack;
Setting HttpOnly to avoid the danger of cookie hijacking;
Adding a token to the request address and verifying it;
Verifying the HTTP Referer field, to prevent an attacker from stealing your identity and sending malicious requests to third-party websites in your name;
Not saving sensitive information in logs;
In HTML forms, prohibiting plaintext display or autofill.
In another embodiment, on the basis of the above solution, the method further comprises:
Using layering, so that each layer can be accessed only through an interface, with parameter validation, to ensure the security of data operations;
For example, the system is divided into a database layer, a data access layer and a business logic layer, and each layer can be accessed only through an interface, with parameter validation, to ensure the security of data operations.
In application, the interface adopts a stateless RESTful design, uses the HTTPS transport protocol, and encrypts sensitive information;
At the same time, requests to interfaces that require login uniformly place the Token obtained after a successful user login in the request header, so that response data is encapsulated in a unified format to ensure consistent front-end processing;
At the same time, the interface data is encrypted to increase the security of data transmission.
It should be noted that, for the more specific workflow of the method embodiments, reference is made to the description of the system embodiments above, which is not repeated here.
In implementing the above solution, on top of permission verification, user identity and permission verification is also performed on all management-side links, to prevent users from gaining access directly by entering a URL; hash encryption is applied to the logged-in user's password; user forms are double-verified on the server side and the client side; all data submitted through user forms is securely encoded on the server side to improve data security; and finally, during data storage, the database is managed using MHA technology to further safeguard the data. This overcomes the problem in the prior art of performing only permission control while ignoring network security risks, and thereby improves data security.
Those of ordinary skill in the art will appreciate that the modules and steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate clearly the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms of function. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the present invention.
In the several embodiments provided in this application, it should be understood that the disclosed method and system may be implemented in other ways. For example, the system embodiments described above are merely illustrative: the division into modules is only a division by logical function, and other divisions are possible in an actual implementation; multiple modules or components may be combined or integrated into another device or system, or some features may be omitted or not performed.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and such modifications or substitutions shall all fall within the protection scope of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210467686.XA CN114844698A (en) | 2022-04-29 | 2022-04-29 | Distributed big data safety management and control system and method |
| Publication Number | Publication Date |
|---|---|
| CN114844698A (en) | 2022-08-02 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210467686.XA (Pending), CN114844698A (en) | Distributed big data safety management and control system and method | 2022-04-29 | 2022-04-29 |
| Country | Link |
|---|---|
| CN (1) | CN114844698A (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105516110A (en)* | 2015-12-01 | 2016-04-20 | 成都汇合乾元科技有限公司 | Mobile equipment secure data transmission method |
| CN108768964A (en)* | 2018-05-14 | 2018-11-06 | 无锡知更鸟网络科技有限公司 | One kind being based on SaaS data management systems |
| CN110995672A (en)* | 2019-11-20 | 2020-04-10 | 天津大学 | Network security authentication method for software development |
| CN111259038A (en)* | 2020-01-16 | 2020-06-09 | 北京思特奇信息技术股份有限公司 | Database query and data export method, system, medium and equipment |
| CN112118225A (en)* | 2020-08-13 | 2020-12-22 | 紫光云(南京)数字技术有限公司 | Webshell detection method and device based on RNN |
| Title |
|---|
| HAMMERZE: ""CSRF 跨站请求伪造"", Retrieved from the Internet <URL:https://www.cnblogs.com/48xz/p/15998466.html>* |
| 国家计算机网络应急技术处理协调中心 等: ""6.4 日志安全"", 《中华人民共和国国家标准 信息安全技术应用软件安全编程指南-草稿》, 30 June 2018 (2018-06-30)* |
| 王洪玉: ""将Token添加到请求头Header中"", Retrieved from the Internet <URL:https://blog.csdn.net/why15732625998/article/details/79348718>* |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20220802 |