Database access control method, apparatus, device, and medium

Abstract

This disclosure relates to a database access control method, apparatus, device, and medium. The database access control method is applied to a hot-pluggable rate-limiting plugin, comprising: receiving a database access request, the database access request including a structured query statement for accessing the database; determining whether to execute the database access request based on the user identifier corresponding to the database access request and the structured query statement; when determining to execute the database access request, invoking a target thread in the database to execute the query operation of the structured query statement and returning the query result. Thus, a hot-pluggable rate-limiting plugin can be set on the database to perform rate-limiting judgment of database access requests in the form of a rate-limiting plugin, without modifying the database source code to implement rate-limiting judgment of database access requests, achieving dynamic loading and unloading of functions during database runtime.

Description

Technical Field

[0001] This disclosure relates to the field of computer technology, and in particular to a database access control method, apparatus, device, and medium. Background Technology

[0002] MySQL is a relational database management system that uses Structured Query Language (SQL) to access and manage data in the database. SQL rate limiting is an important database management technique that can limit the number of concurrent SQL queries, thereby avoiding excessive database load, ensuring database stability and reliability, improving database performance and efficiency, and ultimately better supporting business needs.

[0003] The existing technical solutions for SQL rate limiting in databases mainly involve embedding the SQL rate limiting function into the database code, such as MySQL, and adding rate limiting logic to the SQL processing flow by modifying the database source code.

[0004] However, existing technical solutions require modifying the database source code to implement SQL rate limiting, which presents the problem of not being able to dynamically load or unload functions during database operation. Summary of the Invention

[0005] To address the aforementioned technical problems, this disclosure provides a database access control method, apparatus, device, and medium.

[0006] A first aspect of this disclosure provides a database access control method applied to a hot-pluggable rate-limiting plugin, comprising:

[0007] Receive database access requests, which include structured query statements for accessing the database;

[0008] The decision to execute the database access request is based on the user identifier corresponding to the database access request and the structured query statement.

[0009] When a database access request is determined, the target thread in the database is invoked to execute a structured query statement and return the query results.

[0010] A second aspect of this disclosure provides a database access control device suitable for hot-pluggable rate-limiting plug-ins, comprising:

[0011] The request receiving module is used to receive database access requests, which include structured query statements for accessing the database.

[0012] The rate limiting judgment module is used to determine whether to execute the database access request based on the user identifier corresponding to the database access request and the structured query statement.

[0013] The request execution module is used to call the target thread in the database to execute the query operation of the structured query statement when it is determined to execute a database access request, and return the query results.

[0014] A third aspect of this disclosure provides an electronic device, including:

[0015] processor;

[0016] Memory, used to store executable instructions;

[0017] The processor is used to read executable instructions from memory and execute the executable instructions to implement the database access control method provided in the first aspect above.

[0018] A fourth aspect of this disclosure provides a computer-readable storage medium storing a computer program that, when executed by a processor, causes the processor to implement the database access control method provided in the first aspect.

[0019] The technical solution provided in this disclosure has the following advantages compared with the prior art:

[0020] The database access control method, apparatus, device, and medium provided in this disclosure can receive database access requests through a hot-swappable rate-limiting plugin installed on the database. The database access request includes a structured query statement for accessing the database. Upon receiving the database access request, a rate-limiting judgment is performed on the data access request. Based on the user identifier corresponding to the database access request and the structured query statement, it is determined whether to execute the database access request. When it is determined to execute the database access request, the target thread in the database is invoked to execute the query operation of the structured query statement, and the query result is returned. Therefore, a hot-swappable rate-limiting plugin can be set on the database to perform rate-limiting judgment on database access requests in the form of a rate-limiting plugin, without modifying the database source code to implement rate-limiting judgment. Utilizing the dynamic loading or unloading characteristics of the plugin, dynamic loading and unloading of functions are achieved during database runtime. Attached Figure Description

[0021] The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure.

[0022] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the accompanying drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, those skilled in the art can obtain other drawings based on these drawings without creative effort.

[0023] Figure 1 This is a flowchart of a database access control method provided in an embodiment of this disclosure;

[0024] Figure 2 This is a flowchart of a current limiting determination method provided in an embodiment of this disclosure;

[0025] Figure 3 This is a schematic diagram of the structure of a database access control device provided in an embodiment of this disclosure;

[0026] Figure 4 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this disclosure. Detailed Implementation

[0027] To better understand the above-mentioned objectives, features, and advantages of this disclosure, the solutions disclosed herein will be further described below. It should be noted that, unless otherwise specified, the embodiments and features described herein can be combined with each other.

[0028] Numerous specific details are set forth in the following description in order to provide a full understanding of this disclosure, but this disclosure may also be implemented in other ways different from those described herein; obviously, the embodiments in the specification are only some, and not all, of the embodiments of this disclosure.

[0029] It should be understood that the steps described in the method embodiments of this disclosure may be performed in different orders and / or in parallel. Furthermore, the method embodiments may include additional steps and / or omit the steps shown. The scope of this disclosure is not limited in this respect.

[0030] It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0031] It should be noted that the terms "a" and "a plurality of" used in this disclosure are illustrative rather than restrictive, and those skilled in the art should understand that, unless otherwise expressly indicated in the context, they should be understood as "one or more".

[0032] Typically, the technical solution for SQL rate limiting in databases is to embed the SQL rate limiting function into the database code, such as MySQL, by modifying the database source code and adding rate limiting logic to the SQL processing flow to achieve SQL rate limiting.

[0033] However, implementing SQL rate limiting requires modifying the database source code, which presents significant challenges in compiling and updating the code. Furthermore, different database versions require separate adaptation, leading to compatibility issues and the inability to dynamically load or unload functionality during database operation. To address these problems, this disclosure provides a database access control method, which will be described below with reference to specific embodiments.

[0034] Figure 1 This is a flowchart of a database access control method provided in an embodiment of the present disclosure. The method can be executed by a database access control device, which can be implemented in software and / or hardware. The database access control device can be configured in an electronic device, such as a server or terminal, wherein the terminal specifically includes a mobile phone, computer or tablet computer, etc.

[0035] like Figure 1 As shown, the database access control method provided in this embodiment is applied to a hot-swappable rate limiting plugin. This hot-swappable rate limiting plugin is a dynamic library-based hot-swappable rate limiting plugin implemented through the audit plugin interface provided by the database. The database access control method includes the following steps:

[0036] S110. Receive a database access request, which includes a structured query statement for accessing the database.

[0037] In this embodiment of the disclosure, a database access request can be understood as a request to access data in a database, wherein the database can be a relational database such as a MySQL database.

[0038] Specifically, the rate limiting plugin can receive database access requests sent by the client in real time. These requests include Structured Query Language (SQL) statements used to access the database.

[0039] S120. Determine whether to execute the database access request based on the user identifier corresponding to the database access request and the structured query statement.

[0040] Specifically, after receiving a database access request, the rate limiting plugin can parse the request to determine the user identifier corresponding to the user sending the request, and simultaneously parse the structured query statement corresponding to the request. Then, it compares the user identifier with a preset configuration list, and / or, based on the type of the structured query statement and multiple rate limiting rules in a pre-set rate limiting rule set, further determines whether to execute the database access request.

[0041] The configuration item list is a pre-configured list of administrator users for built-in hidden access, i.e., users with unrestricted flow control.

[0042] A rate limiting rule set is a collection of multiple rate limiting rules pre-set in a rate limiting plugin. The rate limiting rules are stored in a multi-value mapping format, meaning they can be stored by establishing a mapping relationship between rate limiting statement types and multiple rate limiting rules.

[0043] For example, each rate limiting rule may include the following:

[0044] Supported version: RDS MySQL AA version;

[0045] Supported rate-limited statement types: select, update, delete, insert, replace;

[0046] Limitation strategy: Maximum concurrency. If set to 0, it means that all matching structured query statements will be restricted from execution.

[0047] Rate limiting time (platform implementation): For example, 0-XXX minutes. If set to 0, it means there is no time limit.

[0048] Execution method (platform implementation): Timed shutdown (specified rate limiting time) / Manual shutdown;

[0049] Rate limiting rule matching mode: SQL statements can be entered. Keywords are automatically split using spaces, commas, and newlines as delimiters. The relationship between multiple keywords is "logical AND". Note 1: The order of multiple keywords matters (to avoid sorting operations during rule matching); Note 2: Keywords themselves support prefix fuzzy matching; Note 3: Keywords are case sensitive; Note 4: Multiple rules can be created for the same keyword.

[0050] Multi-rule matching strategy: Taking the structured query "select * from t1" as an example: Rate limiting rule 1: select concurrency 0; Rate limiting rule 2: select concurrency 1; Rate limiting rule 3: select / from concurrency 1; Rate limiting rule 4: select / from / where concurrency 1; Matching is based on the short-circuit principle: priority is given to matching the one with the fewest keywords. If the keywords are the same, the one with the lowest concurrency is matched; (matching rule 1 in the example above);

[0051] Out-of-limit request handling strategy: Reject the request and return an error code;

[0052] Killing over-limit sessions: Supported;

[0053] Other limitations: Built-in hidden administrator users are not subject to rate control, which facilitates troubleshooting and maintenance operations; a single rate limiting rule supports a maximum of 128 keywords.

[0054] In some examples, when storing multiple rate limiting rules corresponding to the rate limiting statement type, the priority of the multiple rate limiting rules is determined based on the number of keywords in the multiple rate limiting rules, and then the multiple rate limiting rules are sorted in descending order of priority.

[0055] In other examples, when storing multiple rate limiting rules corresponding to the rate limiting statement type, the priority of the multiple rate limiting rules is determined based on the maximum concurrency of the multiple rate limiting rules, and then the multiple rate limiting rules are sorted in descending order of priority.

[0056] S130. When determining to execute a database access request, call the target thread in the database to execute the query operation of the structured query statement and return the query results.

[0057] The target thread can be understood as the thread used to execute structured query statements.

[0058] Specifically, when the rate limiting plugin determines to execute a database access request, it calls the target thread in the database to execute the query operation of the structured query statement corresponding to the database access request, obtains the query result, and returns the query result to the user.

[0059] In this embodiment, a hot-swappable rate-limiting plugin installed on the database can receive database access requests. These requests include structured query statements for accessing the database. Upon receiving a database access request, rate-limiting is performed, determining whether to execute the request based on the user identifier and the structured query statement. If execution is determined, the target thread in the database is invoked to perform the query operation of the structured query statement, and the query result is returned. Therefore, a hot-swappable rate-limiting plugin can be set on the database to perform rate-limiting of database access requests without modifying the database source code. By utilizing the dynamic loading and unloading characteristics of the plugin, dynamic loading and unloading of functions during database runtime is achieved.

[0060] Building upon this foundation, rate limiting for database access requests can be implemented without modifying the database's source code, reducing the difficulty of code compilation and updates. Furthermore, since the rate limiting plugin performs rate limiting independently of the database, it can be used with different database versions, thus improving the adaptability and compatibility of rate limiting rules. The hot-swappable rate limiting plugin requires minimal modification to the database's native code and has good interface isolation; only interface adaptation is needed, resulting in high adaptability and reducing intrusion risks. Additionally, because the database auditing plugin interface is a generic interface, it is more compatible with multiple database versions and has no strong connection to the database code, reducing the complexity of cross-version migration and lowering maintenance costs.

[0061] Based on the above embodiments of this disclosure, in some embodiments, the database access control method may further include: when it is determined that the database access request is denied, returning an error code and incrementing the number of blocked requests by 1.

[0062] In other embodiments, the database access control method may further include: when it is determined that the database access request is denied, determining whether skipping the rate limiting operation is enabled; if it is determined that skipping the rate limiting operation is enabled, then killing the over-limited connection terminates the redundant connection; if it is determined that skipping the rate limiting operation is not enabled, then returning an error code and incrementing the number of blocked requests by 1.

[0063] In this embodiment of the disclosure, different operations can be set for different database access requests, such as skipping rate limiting operations, thereby improving the flexibility of database access control.

[0064] In this embodiment of the disclosure, before receiving a database access request, the database access control method may further include: responding to a rule addition interface command, performing a rate limiting rule addition operation, wherein the rule addition interface command includes the identification information of the rate limiting rule to be added, the target rate limiting statement type, the keyword list, and the maximum concurrency.

[0065] Interface commands can be understood as instructions or functions used by users or applications to interact with the database and / or database plugins.

[0066] The rule-adding interface command can be understood as an interface command used to add rate-limiting rules in the rate-limiting plugin. Each execution triggers a rate-limiting rule addition action. For example, the rule-adding interface command can be a custom function add_keywords_throttler_rule().

[0067] The target rate limiting statement type is the rate limiting statement type corresponding to the rate limiting rule to be added.

[0068] The identifier information of a rate limiting rule can be understood as an identifier used to uniquely identify a rate limiting rule. For example, it can be the ID information of the rate limiting rule. The ID of the rate limiting rule can be generated by a preset hash algorithm; it can also be automatically generated by setting the value of the ID field to auto-increment when setting the database table; it can also be generated by a custom format ID generation method, etc., and there are no restrictions here.

[0069] The types of statements that can be rate-limited include selection statements, update statements, deletion statements, insertion statements, and replacement statements. The specific types can be set according to requirements or application scenarios, and there are no restrictions here.

[0070] The selection statement type can be a select statement type: SQLCOM_SELECT;

[0071] The update statement type can be the update statement type: SQLCOM_UPDATE / SQLCOM_UPDATE_MULTI;

[0072] The delete statement type can be either SQLCOM_DELETE or SQLCOM_DELETE_MULTI.

[0073] The insert statement type can be either SQLCOM_INSERT or SQLCOM_INSERT_SELECT.

[0074] The replacement statement type can be either SQLCOM_REPLACE or SQLCOM_REPLACE_SELECT.

[0075] The keyword list can be understood as a list of multiple keywords corresponding to the traffic limiting rules to be added.

[0076] Specifically, the rate limiting plugin can add rate limiting rules based on a preset target interface when responding to a rule addition interface command, thereby enabling the addition of rate limiting rules in real time and flexibly.

[0077] Furthermore, after performing the operation of adding a rate limiting rule, the database access control method may further include: in response to a rule query interface command, performing a query operation for the rate limiting rule, wherein the rule query interface command includes the identification information of the rate limiting rule to be queried; and / or; in response to a rule deletion interface command, performing a deletion operation for the rate limiting rule, wherein the rule deletion interface command includes a list of identification information of the rate limiting rules to be deleted; and / or; in response to a rule clearing interface command, performing a clearing operation for the rate limiting rule.

[0078] The rule query interface command can be understood as an interface command used to query rate limiting rules in the rate limiting plugin. For example, the rule query interface command can be a custom function `keywords_throttler_rules()`.

[0079] The rule deletion interface command can be understood as an interface command used to delete rate limiting rules in the rate limiting plugin. Each execution triggers a rate limiting rule deletion action. For example, the rule deletion interface command can be a custom function delete_keywords_throttler_rules().

[0080] The rule clearing interface command can be understood as an interface command used to clear rate limiting rules in the rate limiting plugin. Each execution triggers a rate limiting rule clearing action. For example, the rule clearing interface command can be a custom function truncate_keywords_throttler_rules().

[0081] The clearing operation refers to clearing all rate limiting rules in the rate limiting plugin.

[0082] In this embodiment of the disclosure, the variable value is in JSON string format.

[0083] In this embodiment of the disclosure, the addition, query, deletion, and clearing of rate limiting rules can be performed through a preset target interface. Thus, the addition, query, deletion, and clearing of rate limiting rules can be realized in real time and flexibly, achieving dynamic management of rate limiting rules.

[0084] In this embodiment of the disclosure, the rate limiting plugin is provided with a target interface for managing rate limiting rules. When the thread containing the target interface is updated in response to the rate limiting rules in the rate limiting plugin, it sets a target state variable for the rate limiting rules.

[0085] The target state variable can be understood as a value used to determine whether the state of the rate limiting rule has changed, such as "updating," "updating complete," or "not updated." Additionally, when an update occurs, the target state variable also includes updated version information, such as the version number.

[0086] Furthermore, before determining whether to execute the database access request based on the user identifier corresponding to the database access request and the structured query statement, the database access control method may also include: controlling the session thread to perform a rate limiting rule check operation based on the target state variable, and when it is determined that the rate limiting rule has been updated, performing a rate limiting rule update operation to obtain the updated rate limiting rule.

[0087] In this context, a session thread can be understood as one or more threads created in a database system when a user establishes a connection (i.e., a session) with the server to handle requests within that session. In this embodiment, the session thread is a thread used to handle database access requests.

[0088] In this embodiment, the rate limiting rules are accessed simultaneously by multiple sessions (which can be understood as read requests) and may also be updated by the administrator through a command interface (which can be understood as write requests). Therefore, this can be considered a read-heavy, write-light scenario. Since there may be a lengthy rule compilation and editing process during rate limiting rule updates, restricting all sessions' read requests with a mutex lock every time a rule is updated could cause performance fluctuations. Therefore, in this embodiment, thread isolation is used to ensure that each session retains a separate set of compiled rate limiting rules. When matching rate limiting rules, only the respective rate limiting rules are used, thus avoiding contention. That is, each session thread corresponds to a copy of the rate limiting rules; and the update of the session thread's corresponding copy of the rate limiting rules is performed based on copy-and-swap.

[0089] Specifically, each time a rate limiting rule is updated, the rate limiting plugin maintains a global set of rate limiting rules based on the thread containing the target interface (which can be understood as the command interface) and sets target state variables for the rate limiting rules. It then notifies all session threads to update their respective rate limiting rule sets. Before performing rate limiting rule matching—that is, before determining whether to execute a database access request—each session thread performs a rate limiting rule check based on the target state variable. Upon determining that a rate limiting rule has been updated, it performs the update operation, acquires a lock, and copies the global rate limiting rule set to obtain the updated rate limiting rules. Because the lock only guarantees the safety of the copy, the granularity is small, and the performance overhead is low. Therefore, while ensuring rate limiting rule updates, performance overhead is minimized, improving the efficiency of rate limiting rule updates and the accuracy of rate limiting judgments.

[0090] In this embodiment, the database control method may further include establishing a mapping relationship between the connection identifier (i.e., pointer address) corresponding to the database access request and the rate limiting status (i.e., the maximum concurrency and current concurrency corresponding to the rate limiting rule). The rate limiting status can be stored using a concurrent hash map provided by Intel's TBB library to maintain good performance under scenarios with high concurrent read / write operations. This allows for scenarios compatible with thread pools.

[0091] Figure 2 This is a flowchart of another current limiting determination method provided in this disclosure embodiment, such as... Figure 2 As shown, determining whether to execute a database access request based on the user identifier corresponding to the database access request and the structured query statement can specifically include the following steps:

[0092] S210. Determine whether the user is the target user based on the user identifier corresponding to the database access request.

[0093] The target users are those who are not subject to flow control.

[0094] Specifically, after receiving a database access request, the rate limiting plugin determines the user identifier of the user corresponding to the database access request, compares the user identifier with the user identifier in the configured item list, and determines whether there is a target user identifier that matches the user identifier corresponding to the database access request. If there is, the user is determined to be the target user, and step S220 is executed; otherwise, the user is determined not to be the target user, and step S230 is executed.

[0095] S220. If it is the target user, then determine to execute the database access request.

[0096] S230. If it is not the target user, determine whether the target statement type corresponding to the structured query statement is a rate-limited statement type.

[0097] Specifically, when the rate limiting plugin determines that the user corresponding to the database access request is not the target user, it parses the structured query statement, determines the target statement type corresponding to the structured query statement, compares the target statement type with the preset rate limiting statement type, and determines whether the target statement type is a rate limiting statement type. If it is, steps S240-S290 are executed; otherwise, step S2010 is executed.

[0098] S240. If it is a rate-limiting statement type, then obtain the target keyword corresponding to the structured query statement and the target rate-limiting rule corresponding to the target statement type.

[0099] In this embodiment of the disclosure, obtaining the target keywords corresponding to the structured query statement may specifically include: segmenting the structured query statement according to the order of the structured query statement based on preset segmentation symbols to obtain multiple segmentation words; and performing deduplication processing on the multiple segmentation words to obtain multiple target keywords.

[0100] The preset splitting symbols can include punctuation marks (such as English spaces, commas, etc.) and line breaks.

[0101] In this embodiment of the disclosure, obtaining the target rate limiting rule corresponding to the target statement type may specifically include: obtaining at least one target rate limiting rule corresponding to the target statement type based on a preset mapping relationship between rate limiting statement types and rate limiting rules.

[0102] S250. Perform rule matching processing between the target keyword and the target traffic limiting rule to determine at least one first traffic limiting rule that matches the target keyword.

[0103] Specifically, after obtaining the target keyword and the target rate limiting rule, the rate limiting plugin can perform rule matching processing on the target keyword and the target rate limiting rule based on a preset rule matching algorithm, and determine at least one first rate limiting rule that matches the target keyword from multiple target rate limiting rules.

[0104] Depending on the application scenario and the actual matching situation, different rule matching algorithms can be selected. The preset rule matching algorithm can be any one of the following algorithms: regular expression-based matching algorithm, ordered array algorithm, hash checksum algorithm, radix tree algorithm, etc., without any restrictions.

[0105] The rule matching process matches the first string array consisting of the target keywords corresponding to the structured query statement with the second string array consisting of the keywords corresponding to each first rate limiting rule. If the first string array contains every string in the second string array, then the first string array and the second string array are determined to match, that is, the target keyword and the target rate limiting rule are successfully matched, and it is determined as the first rate limiting rule.

[0106] S260. Based on the priority of each first rate limiting rule, determine the second rate limiting rule with the highest priority from at least one first rate limiting rule.

[0107] Specifically, when there are multiple first rate limiting rules, the rate limiting plugin determines the priority of the first rate limiting rule based on the number of keywords contained in the first rate limiting rule. The more keywords, the higher the priority. Then, the rate limiting rule with the highest priority is selected from at least one first rate limiting rule and determined as the second rate limiting rule.

[0108] S270. Obtain the maximum concurrency and current concurrency corresponding to the second rate limiting rule.

[0109] Specifically, after determining the second rate limiting rule, the rate limiting plugin extracts the maximum concurrency and current concurrency in the second rate limiting rule, and obtains the maximum concurrency and current concurrency corresponding to the second rate limiting rule.

[0110] S280. When the maximum concurrency is greater than or equal to the current concurrency, determine to execute the database access request, increment the counter corresponding to the second rate limiting rule, and set the rate limiting rule identifier for the connection corresponding to the database access request. The counter is in the form of an atomic variable.

[0111] By setting a rate limiting rule identifier for the connection corresponding to the database access request, it is convenient to release the current concurrency of the rate limiting rule after the database access request is completed.

[0112] Using atomic variables in a counter can improve its performance and accuracy.

[0113] Specifically, when the rate limiting plugin determines that the maximum concurrency is greater than or equal to the current concurrency, it indicates that the limit has not been exceeded, and it determines to execute the database access request. Based on the mapping relationship between the preset counter and the rate limiting rule, it determines the counter corresponding to the second rate limiting rule and performs incremental processing on it, and sets the rate limiting rule identifier for the connection corresponding to the database access request.

[0114] S290. If the maximum concurrency is less than the current concurrency, then the database access request will be rejected and the number of blocked requests will be incremented by 1.

[0115] Specifically, when the rate limiting plugin determines that the maximum concurrency is less than the current concurrency, it indicates that the limit has been exceeded, and it will refuse to execute the database access request and increment the number of blocked requests by 1.

[0116] S2010. If it is not a rate-limiting statement type, then the database access request will be executed.

[0117] In this embodiment, the user type can be determined first by the user identifier, i.e., whether the user is the target user. If so, the database access request is executed directly without further rate limiting judgment. If not, the rate limiting is determined based on the target statement type corresponding to the structured query statement. Only when the target statement type is a rate-limiting statement type will the database access request be executed based on the preset rate limiting rules. Thus, by proceeding step by step, the efficiency of rate limiting judgment is effectively improved and the resource consumption of rate limiting judgment is reduced.

[0118] In this embodiment of the disclosure, after the target thread in the database executes a structured query statement and returns the query result, the database access control method may further include: determining whether the connection corresponding to the database access request is set with a rate limiting rule identifier; if so, determining the corresponding third rate limiting rule based on the rate limiting rule identifier; and decrementing the counter corresponding to the third rate limiting rule based on the preset mapping relationship between the counter and the rate limiting rule.

[0119] In this embodiment of the disclosure, by performing a counter decrement operation corresponding to the rate limiting rule after the database access request is completed, the subsequent database access requests can be executed quickly and effectively, thereby improving the accuracy of rate limiting judgment.

[0120] In this embodiment of the disclosure, the database access control method can also be applied to a database proxy or load balancer, which executes the database access control method provided in this embodiment. The database proxy or load balancer can be understood as a proxy or balancer positioned between the user terminal and the database. This means that after the user terminal sends a database access request, the database proxy or load balancer receives the request and performs a rate limiting judgment operation based on the aforementioned database access control method.

[0121] Figure 3 This is a schematic diagram of the structure of a database access control device provided in an embodiment of this disclosure.

[0122] In this embodiment, the database access control device can be located within an electronic device and is understood as a functional module within the aforementioned electronic device. Specifically, the electronic device can be a server or a terminal, wherein the terminal specifically includes mobile phones, computers, or tablet computers, etc., without limitation.

[0123] like Figure 3 As shown, the database access control device 300 is suitable for hot-swappable rate limiting plug-ins and may include a request receiving module 310, a rate limiting judgment module 320, and a request execution module 330.

[0124] The request receiving module 310 can be used to receive database access requests, which include structured query statements for accessing the database.

[0125] The rate limiting judgment module 320 can be used to determine whether to execute a database access request based on the user identifier corresponding to the database access request and the structured query statement.

[0126] The request execution module 330 can be used to call the target thread in the database to execute the query operation of the structured query statement when it is determined to execute a database access request, and return the query results.

[0127] In this embodiment, a hot-swappable rate-limiting plugin installed on the database can receive database access requests. These requests include structured query statements for accessing the database. Upon receiving a database access request, rate-limiting is performed, determining whether to execute the request based on the user identifier and the structured query statement. If execution is determined, the target thread in the database is invoked to perform the query operation of the structured query statement, and the query result is returned. Therefore, a hot-swappable rate-limiting plugin can be set on the database to perform rate-limiting of database access requests without modifying the database source code. By utilizing the dynamic loading and unloading characteristics of the plugin, dynamic loading and unloading of functions during database runtime is achieved.

[0128] In some embodiments of this disclosure, the database access control device 300 may further include a rule addition module, a rule query module, a rule deletion module, and a rule clearing module.

[0129] The rule addition module can be used to respond to the rule addition interface command and perform the operation of adding rate limiting rules. The rule addition interface command includes the identification information of the rate limiting rule to be added, the target rate limiting statement type, the keyword list, and the maximum concurrency.

[0130] The rule query module can be used to respond to rule query interface commands and perform query operations on rate limiting rules. The rule query interface commands include the identification information of the rate limiting rule to be queried.

[0131] The rule deletion module can be used to delete rate limiting rules in response to rule deletion interface commands. The rule deletion interface commands include a list of identification information of the rate limiting rules to be deleted.

[0132] The rule clearing module can be used to clear rate limiting rules in response to rule clearing interface commands.

[0133] In some embodiments of this disclosure, the rate limiting plugin is provided with a target interface for managing rate limiting rules. When the thread containing the target interface is updated in response to a rate limiting rule in the rate limiting plugin, it sets a target state variable for the rate limiting rule.

[0134] The database access control device 300 may also include a rule update module.

[0135] The rule update module can be used to control the session thread to perform rate limiting rule checks based on the target state variable before determining whether to execute the database access request based on the user identifier and structured query statement corresponding to the database access request. When it is determined that the rate limiting rule has been updated, the update operation of the rate limiting rule is performed to obtain the updated rate limiting rule.

[0136] In some embodiments of this disclosure, the rate limiting judgment module 320 can be specifically used to determine whether a user is a target user based on the user identifier. If it is a target user, then it is determined to execute a database access request. The target user is a user who is not subject to rate limiting control.

[0137] If the user is not the target user, determine whether the target statement type corresponding to the structured query statement is a rate-limited statement type. If it is not a rate-limited statement type, then determine whether to execute the database access request.

[0138] In some embodiments of this disclosure, the database access control device 300 may further include a rate limiting rule determination module.

[0139] The rate limiting rule determination module can be used to obtain the target keywords corresponding to the structured query statement and the target rate limiting rule corresponding to the target statement type if the target statement type is a rate limiting statement type.

[0140] The target keywords are matched with the target rate limiting rules to determine at least one first rate limiting rule that matches the target keywords.

[0141] Based on the priority of each first rate limiting rule, determine the second rate limiting rule with the highest priority from at least one first rate limiting rule;

[0142] The second rate limiting rule determines whether to execute the database access request.

[0143] In some embodiments of this disclosure, the rate limiting rule determination module can be specifically used to obtain the maximum concurrency and the current concurrency corresponding to the second rate limiting rule;

[0144] When the maximum concurrency is greater than or equal to the current concurrency, the database access request is executed, the counter corresponding to the second rate limiting rule is incremented, and the rate limiting rule identifier is set for the connection corresponding to the database access request. The counter is in the form of an atomic variable.

[0145] If the maximum concurrency is less than the current concurrency, the database access request will be rejected and the number of blocked requests will be incremented by 1.

[0146] In some embodiments of this disclosure, the database access control device 300 may further include a counter decrement module.

[0147] The counter decrement module can be used to determine whether the connection corresponding to the database access request has a rate limiting rule flag set after the target thread in the database executes a structured query statement and returns the query results. If so, the corresponding third rate limiting rule is determined based on the rate limiting rule flag.

[0148] Based on the preset mapping relationship between counters and rate limiting rules, the counter corresponding to the third rate limiting rule is reduced.

[0149] It should be noted that, Figure 3 The database access control device 300 shown can execute the various steps in the above method embodiments and realize the various processes and effects in the above method embodiments, which will not be elaborated here.

[0150] Figure 4 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this disclosure.

[0151] In this embodiment of the disclosure, Figure 4 The electronic devices shown can be servers or terminals, and terminals specifically include mobile phones, computers, or tablets, etc., without limitation.

[0152] like Figure 4 As shown, the electronic device may include a processor 410 and a memory 420 storing computer program instructions.

[0153] Specifically, the processor 410 may include a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits that can be configured to implement the embodiments of this disclosure.

[0154] Memory 420 may include mass storage for information or instructions. For example, and not limitingly, memory 420 may include a hard disk drive (HDD), floppy disk drive, flash memory, optical disk, magneto-optical disk, magnetic tape, or Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, memory 420 may include removable or non-removable (or fixed) media. Where appropriate, memory 420 may be internal or external to the integrated gateway device. In a particular embodiment, memory 420 is non-volatile solid-state memory. In a particular embodiment, memory 420 includes read-only memory (ROM). Where appropriate, the ROM may be a mask-programmed ROM, a programmable ROM (PROM), an erasable PROM (Electrically Programmable ROM, EPROM), an electrically erasable programmable PROM (EEPROM), an electrically alterable ROM (EAROM), or flash memory, or a combination of two or more of these.

[0155] The processor 410 reads and executes computer program instructions stored in the memory 420 to perform the steps of the database access control method provided in this embodiment of the disclosure.

[0156] In one example, the electronic device may also include a transceiver 430 and a bus 440. Wherein, as... Figure 4 As shown, the processor 410, memory 420 and transceiver 430 are connected via bus 440 and communicate with each other.

[0157] Bus 440 may include hardware, software, or both. For example, and not limitingly, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Extended Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a Hyper Transport (HT) interconnect, an Industrial Standard Architecture (ISA) bus, an Infinite Bandwidth Interconnect, a Low Pin Count (LPC) bus, a memory bus, a MicroChannel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB) bus, or other suitable buses, or a combination of two or more of these. Where appropriate, bus 440 may include one or more buses.

[0158] This disclosure also provides a computer-readable storage medium that can store a computer program, which, when executed by a processor, enables the processor to implement the database access control method provided in this disclosure.

[0159] The aforementioned storage medium may, for example, include a memory 420 containing computer program instructions, which can be executed by a processor 410 of an electronic device to perform the database access control method provided in this embodiment. Optionally, the storage medium may be a non-transitory computer-readable storage medium, such as a ROM, random access memory (RAM), compact disc-only memory (CD-ROM), magnetic tape, floppy disk, and optical data storage device.

[0160] The above description is merely a specific embodiment of this disclosure, enabling those skilled in the art to understand or implement it. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this disclosure. Therefore, this disclosure is not to be limited to the embodiments described herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims

1. A database access control method, characterized in that, Applications to hot-swappable current limiting plug-ins include: Receive a database access request, wherein the database access request includes a structured query statement for accessing the database; The decision to execute the database access request is based on the user identifier corresponding to the database access request and the structured query statement. When it is determined that the database access request will be executed, the target thread in the database is invoked to execute the query operation of the structured query statement and return the query results.

2. The method according to claim 1, characterized in that, Before receiving the database access request, the method further includes: In response to the rule addition interface command, the operation of adding a rate limiting rule is performed. The rule addition interface command includes the identification information of the rate limiting rule to be added, the target rate limiting statement type, the keyword list, and the maximum concurrency. After the operation of adding the rate limiting rule is performed, the method further includes: In response to the rule query interface command, a query operation for the rate limiting rule is performed, wherein the rule query interface command includes the identification information of the rate limiting rule to be queried; and / or; In response to the rule deletion interface command, the rate limiting rule deletion operation is performed, wherein the rule deletion interface command includes a list of identification information of the rate limiting rule to be deleted; and / or; In response to the rule clearing interface command, perform the clearing operation of the rate limiting rules.

3. The method according to claim 1, characterized in that, The rate limiting plugin is provided with a target interface for managing rate limiting rules. When the thread containing the target interface responds to an update of the rate limiting rules in the rate limiting plugin, it sets a target state variable for the rate limiting rules. Before determining whether to execute the database access request based on the user identifier corresponding to the database access request and the structured query statement, the method further includes: The control session thread performs a rate limiting rule check operation based on the target state variable, and when it is determined that the rate limiting rule has been updated, it performs a rate limiting rule update operation to obtain the updated rate limiting rule.

4. The method according to claim 1, characterized in that, The step of determining whether to execute the database access request based on the user identifier corresponding to the database access request and the structured query statement includes: Based on the user identifier, it is determined whether the user is the target user. If the user is the target user, it is determined to execute the database access request. The target user is a user who is not subject to flow control. If the user is not the target user, determine whether the target statement type corresponding to the structured query statement is a rate-limited statement type. If it is not a rate-limited statement type, determine whether to execute the database access request.

5. The method according to claim 4, characterized in that, The method further includes: If the target statement type is a rate-limiting statement type, then obtain the target keyword corresponding to the structured query statement and obtain the target rate-limiting rule corresponding to the target statement type; The target keyword is matched with the target rate limiting rule to determine at least one first rate limiting rule that matches the target keyword. Based on the priority of each first rate limiting rule, determine the second rate limiting rule with the highest priority from the at least one first rate limiting rule; The decision on whether to execute the database access request is based on the second rate limiting rule.

6. The method according to claim 5, characterized in that, The step of determining whether to execute the database access request based on the second rate limiting rule includes: Obtain the maximum concurrency and current concurrency corresponding to the second rate limiting rule; When the maximum concurrency is greater than or equal to the current concurrency, the database access request is executed, the counter corresponding to the second rate limiting rule is incremented, and a rate limiting rule identifier is set for the connection corresponding to the database access request, wherein the counter is in the form of an atomic variable; If the maximum concurrency is less than the current concurrency, the database access request is rejected and the number of blocked requests is incremented by 1.

7. The method according to claim 1, characterized in that, After the target thread in the database executes the query operation of the structured query statement and returns the query results, the method further includes: Determine whether the connection corresponding to the database access request has a rate limiting rule identifier set. If so, determine the corresponding third rate limiting rule based on the rate limiting rule identifier. Based on the preset mapping relationship between counters and rate limiting rules, the counter corresponding to the third rate limiting rule is decremented.

8. A database access control device, characterized in that, Suitable for hot-swappable current limiting plugins, including: A request receiving module is used to receive database access requests, wherein the database access requests include structured query statements for accessing the database; The rate limiting judgment module is used to determine whether to execute the database access request based on the user identifier corresponding to the database access request and the structured query statement; The request execution module is used to, when it is determined that the database access request will be executed, call the target thread in the database to execute the query operation of the structured query statement and return the query result.

9. An electronic device, characterized in that, include: processor; Memory, used to store executable instructions; The processor is configured to read the executable instructions from the memory and execute the executable instructions to implement the database access control method according to any one of claims 1-7.

10. A computer-readable storage medium, characterized in that, The storage medium stores a computer program that, when executed by a processor, causes the processor to implement the database access control method according to any one of claims 1-7.

Images