Database personal account self-operation processing method and device
By setting up restricted management accounts and security execution units at the database level, the problems of rigid database access and insufficient security of self-service account operations are addressed. Dynamic database access and account lifecycle management without restarting the service are realized, improving security and operational efficiency.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- ACCOUNTING CENT OF CHINA AVIATION LTD CO
- Filing Date
- 2026-02-11
- Publication Date
- 2026-06-19
AI Technical Summary
Existing database management methods suffer from rigid database access, insufficient security of self-service account operations, and a lack of account lifecycle governance. Especially in large enterprises or data-intensive business environments, adding a new database requires modifying the configuration and restarting the service, and account operations carry a risk of exceeding privileges. Leaving read-write accounts valid indefinitely violates the principle of least privilege.
By constructing a data source configuration table that stores restricted management accounts, using dynamic data source routing to connect to the target database, and deploying a security execution unit at the database level, self-service account operations can be performed without restarting the service. Database connections are triggered on demand, and operation requests, including unlocking, resetting passwords, and setting expiration dates, are processed through the restricted management account and the security execution unit together.
It enables dynamic database access without restarting the service, improves the security and lifecycle management of self-service account operations, removes the application layer's ability to modify accounts outside the security execution unit, supports a unified self-service operation interface for multiple types of databases, complies with the principle of least privilege, and reduces the operation and maintenance burden.
Figure CN122241668A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of database technology, and in particular to a method and apparatus for self-service operation processing of personal database accounts.
Background Technology
[0002] In large enterprises or data-intensive business environments there are often numerous business application systems, each typically backed by an independent database, so the total number of databases involved can reach dozens or even hundreds. Existing database management methods suffer from the following technical bottlenecks:
- Inflexible database access: database connection configurations are typically fixed in application configuration files or an external configuration center. Adding a new database requires modifying the configuration and restarting the service, which affects system availability and operational efficiency.
- Insufficient security in self-service account operations: developers and operations staff frequently request account recovery after a forgotten password or an account lockout. Existing self-service platforms mostly rely on a high-privilege management account to execute statements such as ALTER USER directly, and verify account ownership only at the application layer. If request parameters are forged or the interface is bypassed, this readily leads to unauthorized operations.
- Lack of account lifecycle governance: once an account with read and write permissions is activated, it remains valid indefinitely, violating the principle of least privilege (grant only the minimum permissions needed to complete the task, no more and no less).
[0003] Therefore, there is an urgent need for a unified technical solution that requires no restart, is secure and controllable, and can manage the account lifecycle.
Summary of the Invention
[0004] This invention provides a method for processing self-service operations on database personal accounts, which eliminates the need to restart the service during such operations, improves their security, and enables lifecycle management of database personal accounts. The method includes:
- Receiving a user's operation request for a personal account in the target database;
- Obtaining the restricted management account for the target database from the data source configuration table based on the target database personal account; the data source configuration table stores restricted management accounts for multiple databases; the restricted management account is only granted permission to call the corresponding database's security execution unit; the security execution unit encapsulates the operation logic for the account;
- Based on the restricted management account, establishing a connection to the target database via dynamic data source routing, which routes to the target database at runtime based on the restricted management account;
- Passing the user's operation request for the target database personal account to the security execution unit of the target database and calling the security execution unit to process it; the operation request processing includes one or any combination of unlocking, resetting the password, locking, and setting an expiration date.
[0005] This invention also provides a database personal account self-service operation processing device, which enables self-service operation of database personal accounts without restarting the service, improves the security of account self-service operation, and realizes lifecycle management of database personal accounts. The device includes:
- An operation request receiving module, which receives user operation requests for personal accounts in the target database;
- A restricted management account acquisition module, which obtains the restricted management account of the target database from the data source configuration table based on the target database personal account; the data source configuration table stores restricted management accounts for multiple databases; the restricted management account is only granted permission to call the security execution unit of the corresponding database; the security execution unit encapsulates the operation logic of the account;
- A database management module, which connects to the target database based on the restricted management account via dynamic data source routing, which routes to the target database at runtime based on the restricted management account;
- A security control module, which passes user operation requests for personal accounts in the target database to the security execution unit of the target database and calls the security execution unit to process them; the operation request processing includes one or any combination of unlocking, resetting the password, locking, and setting an expiration period.
[0006] This invention also provides a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the above-described self-service operation processing method for database personal accounts.
[0007] This invention also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the aforementioned database personal account self-service operation processing method.
[0008] This invention also provides a computer program product, which includes a computer program that, when executed by a processor, implements the above-described database personal account self-service operation processing method.
[0009] In this embodiment of the invention, restricted management accounts for each database are pre-built. When a user requests to operate on a personal account in a target database, the corresponding restricted management account is used to connect to the target database through dynamic data source routing. This does not require restarting the service and supports seamless database expansion at runtime, completely solving the problem of rigid management. This mechanism is directly triggered by business access behavior, so that when a user initiates a self-service operation on a personal database account in a database that the system has not yet connected to, the system can automatically complete the creation of the connection pool and subsequent account management without the need for pre-creating the database connection pool.
[0010] Meanwhile, in this embodiment of the invention, the restricted management account is only granted permission to call the security execution unit of the corresponding database. Once connected to the target database, an operation request can only be processed through that security execution unit, which makes the operation secure and controllable. The application layer cannot bypass the security execution unit to modify accounts directly, which removes that path to unauthorized access and improves the security of self-service account operations.
[0011] This invention supports users in performing self-service operations such as password reset and unlocking of personal accounts in the database. It also allows setting an expiration date, which complies with the principle of least privilege and realizes lifecycle management of personal database accounts from locking, through applying for unlocking and resetting the password (with an expiration date set), to expiration.
Description of the Attached Figures
[0012] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort. In the drawings:
- Figure 1 is a flowchart illustrating the self-service operation method for database personal accounts in an embodiment of the present invention;
- Figure 2 is a specific example diagram of the database personal account self-service operation processing method in the embodiments of the present invention;
- Figure 3 is another specific example of the database personal account self-service operation processing method in the embodiments of the present invention;
- Figure 4 is another specific example of the self-service operation processing of database personal accounts in the embodiments of the present invention;
- Figure 5 is another specific example of the self-service operation processing of database personal accounts in the embodiments of the present invention;
- Figure 6 is a schematic diagram of a database personal account self-service operation processing device in an embodiment of the present invention.
Detailed Implementation
[0013] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the embodiments of the present invention will be further described in detail below with reference to the accompanying drawings. Here, the illustrative embodiments of the present invention and their descriptions are used to explain the present invention, but are not intended to limit the present invention.
[0014] To facilitate a clear description of the technical solutions of the embodiments of the present invention, the terms "first" and "second" are used in the embodiments of the present invention to distinguish the same or similar items with essentially the same function and effect. Those skilled in the art will understand that the terms "first" and "second" do not limit the quantity or execution order.
[0015] The acquisition, storage, use, and processing of data in this application comply with relevant laws and regulations.
[0016] First, the technical terms involved in the embodiments of the present invention will be explained.
[0017] Database service account: This is the account used to connect to the application system database. It usually has high data processing privileges and is used for background operation to process business data. It is not for direct human use.
[0018] Database personal account: An independent database account used by business personnel or operations and maintenance personnel to access and maintain the database in their daily work.
[0019] Application system database: Each application system corresponds to an independent database, which can be simply referred to as a database. In this embodiment of the invention, the target database is the application system database corresponding to the user operation request.
[0020] Restricted management account: a dedicated service account provided by each application system's database management system for connecting to that application system's database. It has limited permissions: it cannot read or write the data in the application system's database, and it does not itself hold the high-level privileges needed for database account operations; it can manage individual database accounts only by calling the security execution unit deployed inside the application system's database.
[0021] Dynamic data source: refers to a database connection pool that is created and registered on demand based on business access requests during application runtime, without the need to preload configuration when the application starts.
[0022] DruidDataSource: An open-source implementation of a high-performance database connection pool, supporting features such as connection monitoring, firewall functionality, and statistical analysis.
[0023] The first existing database management method is a "static registration-based dynamic data source management solution driven by an external configuration center," typically used for database connection management with configuration centers such as Nacos, Apollo, or Consul. Its core idea is to centrally store database connection information in the configuration center and dynamically add or delete data source instances within the application by listening for configuration change events.
[0024] The technical limitations of this solution stem from its inherent reliance on the event-driven and static pre-registration mechanism of a configuration center. Since data source loading is typically completed during application startup or the connection pool is initialized immediately after receiving the configuration push, all configured database connection resources are created in advance and reside in application memory for a long time. Even if these databases are not accessed by any business for a considerable period of time, they will still continuously occupy valuable heap space and database connection quotas, resulting in unnecessary resource redundancy.
[0025] Furthermore, the effectiveness of new data sources is highly dependent on the service availability of the configuration center and the quality of network communication. Event delays, data loss, or listener failures will cause inconsistencies between the configuration state and the actual operating environment, preventing newly added databases from being promptly included in management. More critically, data source registration in this model is triggered by external configuration changes rather than driven by actual business requests. The system cannot achieve true on-demand loading and lazy execution, requiring manual intervention or scheduled synchronization mechanisms to ensure eventual consistency of configuration updates. Simultaneously, this approach focuses on extending capabilities at the connection routing layer without coordinating with upper-layer account management functions. When faced with user requests to access personal database accounts in unmanaged databases, it lacks a closed-loop processing mechanism to automatically complete connections and continue subsequent operations, making it difficult to support end-to-end self-service capabilities.
[0026] The second existing database management method is the "traditional self-service database account management model based on direct execution of DDL (Data Definition Language) statements at the application layer," widely used in early self-developed operation and maintenance platforms or in the internal systems of small and medium-sized enterprises. Its basic architecture is as follows: the system configures a high-privilege database connection account for each target database and performs account operations by executing native SQL statements directly through JDBC (Java Database Connectivity, Java's standard database access API). When a user submits a password reset, unlock, or similar request, the system establishes the connection with the pre-configured high-privilege account.
[0027] The fundamental flaw in this solution lies in its security control logic being concentrated at the application layer and its ambiguous boundaries of operational permissions. The security of account operations relies entirely on the identity verification and permission judgment process of the application service. Once this process has logical vulnerabilities, inadequate parameter validation, or the interface is bypassed, attackers can construct illegal requests and use high-privilege management accounts to modify any database user, leading to serious privilege escalation risks.
[0028] While some platforms have introduced approval workflows or operational audits as post-incident traceability measures, these mechanisms are passive defenses and cannot fundamentally prevent malicious operations. The management accounts used are often granted broad privileges at the ALTER USER (modify user statements), CREATE USER (create user statements), or even DBA (Database Administrator) level, far exceeding the needs of account lifecycle management, violating the principle of least privilege, and increasing the overall attack surface of the system. For read-write permission accounts, existing solutions generally lack automated eviction mechanisms; once activated, they remain active for a long time, easily generating a large number of idle or forgotten active accounts, creating a hidden risk of data leakage.
[0029] Meanwhile, due to significant differences in account models and syntax specifications among different relational databases, the application layer needs to write independent SQL execution logic for each database. This not only results in high development and maintenance costs but also makes it difficult to provide a unified operation interface and user experience. The entire process generates DDL statements for execution through string concatenation, lacking structured encapsulation and transaction guarantees, further exacerbating the uncontrollability of operations and potential injection risks.
[0030] The two existing technologies above focus on "connection management" and "operation execution" respectively, but neither combines the two. The embodiments of the present invention aim to solve the following technical problems in the prior art: in large-scale, multi-database environments, traditional dynamic data source solutions that rely on pre-loading by a configuration center cannot support the immediate management of newly added databases; existing self-service account platforms pose a privilege escalation risk because they use high-privilege accounts to execute DDL statements directly; and the lack of an automatic revocation mechanism for read/write accounts leaves them valid for prolonged periods, violating security principles. This invention addresses these issues through on-demand management, database-level security execution units, and lifecycle-linked control, achieving an end-to-end solution that is restart-free, secure, controllable, and automatically managed.
[0031] Figure 1 is a flowchart illustrating the self-service operation method for database personal accounts in an embodiment of the present invention. As shown in Figure 1, the method includes:
- Step 101: Receive a user's operation request for the target database personal account;
- Step 102: Obtain the restricted management account for the target database from the data source configuration table based on the target database personal account; the data source configuration table stores restricted management accounts for multiple databases; the restricted management account is only granted permission to call the security execution unit of the corresponding database; the security execution unit encapsulates the operation logic of the account;
- Step 103: Based on the restricted management account, connect to the target database through dynamic data source routing, which routes to the target database at runtime based on the restricted management account;
- Step 104: Pass the user's operation request for the target database personal account to the security execution unit of the target database, and call the security execution unit to process it; the operation request processing includes unlocking, resetting the password, locking, setting an expiration period, or any combination thereof.
[0032] The self-service operation method for database personal accounts in this embodiment of the invention accesses databases dynamically and on demand. It is applicable to any database that supports independent user management and access control. Through the synergy of four key technical means, an end-to-end closed loop of database management, account operation, security control, and lifecycle governance is achieved. After testing, it has been running stably across 135 relational databases of different types and 3,449 personal database accounts.
[0033] The following is a detailed explanation of the self-service operation method for database personal accounts in this embodiment of the invention.
[0034] I. On-demand dynamic data source management mechanism based on master database configuration table.
[0035] Abandoning the traditional approach of embedding database configurations in application configuration files or relying on a configuration center for pre-loading, this invention constructs a data source configuration table. This table stores connection information for multiple databases and allows that information to be added or modified at any time through the client interface of the personal database account management system; the corresponding configuration is read only when the target database is actually connected. The information in the data source configuration table can also be referred to as data source configuration information. This connection information includes the restricted management account, the database type, the URL (Uniform Resource Locator, the string used to connect to the database, containing the host, port, database name, and similar details), the driver class, and so on.
[0036] This invention can be applied to the implementation of a personal database account management application system. In this embodiment, the personal database account management application system manages and stores personal accounts for each database. The database of the personal database account management application system is called the main database, which stores configuration tables for each data source, a personal database account table, and other data tables that support the operation of this application system.
[0037] The personal database account management system connects to the databases of each application system through restricted management accounts, and manages the personal database accounts of each application system by calling the security execution units in each application system database through the restricted management accounts.
[0038] In this embodiment, all connection information for the target databases, including database type, URL, driver class (connection driver class name for different database types), restricted management account, and restricted management account password encryption credential, is uniformly stored in the data source configuration table of the main database (which can be denoted as data_source_config). The target database is the application system database where the personal account for which the operation is requested resides.
[0039] In this embodiment of the invention, a restricted management account is established for each application system database. The restricted management account is a dedicated service account used to connect to the target database and perform personal account management operations. It is granted only the minimum permissions required for those operations (for example, only the permission to call the corresponding database's security execution unit). It holds neither high-risk permissions such as ALTER ANY USER (modify any user) nor permissions to read or write database data.
[0040] In one embodiment, a personal database account table is also stored in the main database. This table uniformly stores personal database accounts, including account information, owner information, and the database information of the application system to which each account belongs. Users can only see the personal database accounts under their own name. The personal database account table supports hot updates. Each personal database account belongs to exactly one target database.
[0041] When a user selects a database personal account under their name, i.e., the target database personal account, the personal database account management application system receives the user's operation request for the target database personal account, such as unlocking, resetting the password, or locking.
[0042] Upon receiving a user's operation request for a target database personal account, the personal database account management application system retrieves the personal database account table. The target database personal account carries the target database identification information. Based on the target database identification information carried by the target database personal account, the system obtains the restricted management account for the target database from the data source configuration table.
[0043] Based on the restricted management account, a connection to the target database is established via dynamic data source routing; the dynamic data source routing is used to dynamically route to the target database at runtime based on the restricted management account.
[0044] Figure 2 is a specific example diagram of the database personal account self-service operation processing method in an embodiment of the present invention. As shown in Figure 2, connecting to the target database via dynamic data source routing based on the restricted management account can include:
- Step 201: Check whether the data source corresponding to the target database has already been registered in the dynamic data source routing;
- Step 202: If it is registered, obtain the registration information and execute the connection;
- Step 203: If it is not registered, use the connection information of the target database to which the restricted management account belongs to create a connection pool for the target database, and connect to the target database through that pool.
[0045] In one embodiment, creating a connection pool for the target database from the connection information of the target database to which the restricted management account belongs, and connecting through that pool, includes: first, connecting to the target database with the restricted management account through the standard JDBC interface to verify connectivity; then, after successful verification, selecting the database connection pool template that matches the database type in the target database's connection information, creating the connection pool from that template, and connecting to the target database through the created pool.
[0046] When a user initiates an operation request for a specific database account, the personal database account management application system looks up the data source configuration belonging to that account in order to identify the database connection pool. Each data source configuration defines a data source identifier (code). The personal database account table stores, for each personal database account, the identifier of the data source of the application system database (i.e., the target database) to which the account belongs. When a user initiates a request, the system retrieves the corresponding configuration from the data source configuration table based on the data source identifier associated with the personal database account. After registration, this identifier is also part of the registration information; subsequent checks for registration are based on whether the identifier is already present in the registered data source route.
[0047] When a database data source is accessed for the first time, connection pool creation is triggered on demand. First, the system checks whether the data source is registered in the dynamic data source route. If not, it independently verifies connectivity with the restricted management account configured for that data source through the standard JDBC interface (such as DriverManager.getConnection), so that an invalid configuration never pollutes the route. After successful verification, it clones an instance of the preset database connection pool template, overriding the target-specific parameters (URL, driver, restricted management account, and password). It then initializes the pool, for example by calling `init()`, which creates and starts the connection pool with the restricted management account configured for that data source. Finally, it registers the pool in the dynamic data source route and refreshes the route context. If the data source is already registered, the system retrieves the registration information and performs a health check (attempting to acquire a connection); on an exception it automatically cleans up and rebuilds the connection pool, achieving self-healing.
[0048] The database connection pool template defines a pre-configured DruidDataSource object as a template, containing necessary parameters for creating the connection pool, such as: the number of connections created during connection pool initialization; the maximum number of connections; the minimum number of idle connections maintained in the connection pool; the maximum number of concurrent active connections; the maximum wait time for acquiring a connection (with timeout error); the idle connection reclaimer's running interval; the minimum idle time a connection can remain idle before being reclaimed; validity checks before reclaiming idle connections; no checks when lending out connections; no checks when returning connections; enabling prepared statement caching (PSCache); and the maximum number of prepared statements cached per connection. Different types of databases have different database connection pool templates, with specific parameters configured for certain special database types. The parameters in different database connection pool templates are automatically generated in advance using intelligent algorithms and can be adjusted by the user.
[0049] The dynamic data source routing mentioned above is an abstract data source class provided by the Spring Framework, such as AbstractRoutingDataSource, which is used to implement dynamic routing to different target data sources at runtime. Specifically, at runtime, it dynamically routes to the target database based on the restricted management account.
[0050] After confirming the database source connection pool, switch to the corresponding connection pool and process the account operation request submitted by the individual database account, such as unlocking or resetting the password.
[0051] In this embodiment of the invention, new databases can be added and updated at any time, but connections are not created immediately. Connections are only initialized and created on demand when the corresponding database actually needs to be connected. After being released from long-term inactivity, the connection pool is checked and rebuilt when it is needed again. This solves the resource redundancy problem in the prior art where static pre-injection creates a connection pool even if it is not used after being added.
[0052] In this invention, the database data source configuration is uniformly stored in the main database of the personal database account management application system. The creation of registration connections is driven by user requests, without relying on external configuration center event listeners to wait for asynchronous events to arrive, and performs health checks on the existing connection pool, automatically cleaning up and rebuilding it when abnormalities occur.
[0053] The on-demand dynamic data source management mechanism based on the master database configuration table in this embodiment of the invention does not require service restarts, supports seamless database expansion at runtime, and completely solves the problem of rigid management. Because this mechanism is directly triggered by business access behavior, when a user initiates a self-service operation on a database personal account in an application system database that is not yet connected to, the system can automatically complete the creation of a connection pool and subsequent account management, without the need for pre-creating a database connection pool.
[0054] II. Unified Adaptation Architecture Independent of Database Type
[0055] To address the differences in connection parameters, permission models, and protocol specifications among different types of databases, this invention employs a unified adaptation layer. Based on the database type recorded in the data source configuration table, the corresponding connection pool initialization strategy and security execution unit call interface are dynamically selected. The connection pool initialization strategy is implemented using different database connection pool templates. In this embodiment, different database connection pool templates are configured for different database types and databases with different performance characteristics. These differences are reflected in the varying parameters within each database connection pool template. When a user initiates an operation request for a target database account, the database type can be obtained from the data source configuration table. Based on the preset mapping relationship between database types and database connection pool templates, the database connection pool template corresponding to the target database in the user's request can be obtained. The connection pool is then created according to the template parameters, thereby achieving adaptive connections for different types of databases.
[0056] In this embodiment of the invention, the personal account management application system implements processing logic for different types of databases. When a user's operation request for a personal account in a target database is received, the corresponding data source identifier is obtained based on the operation request, the corresponding database type is retrieved from the data source configuration table, and the processing logic for that type of database is switched for processing.
[0057] This invention enables the identification and processing of different database types. During dynamic management, a connection pool is automatically created from the connection information in the data source record (environment_source). This architecture only routes application-layer user requests for operations on the target database's personal account to the target database's security execution unit; it does not take part in any account rule verification itself. Through this design, the upper-layer self-service interface is completely unified: adding a new database type only requires extending the system's built-in adapter logic, without modifying the core architecture.
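The on-demand pool creation, per-type template selection and self-healing health check described in sections I and II, as an added Java example that is not code from the patent or its applicant. It assumes the Druid DruidDataSource (including Druid's cloneDruidDataSource() copy method) and Spring's AbstractRoutingDataSource named on the page; the DataSourceConfig record, the RoutingDataSource thread-local context, the template parameter values and the type keys "oracle" and "mysql" are assumptions for illustration.

```java
import com.alibaba.druid.pool.DruidDataSource;
import org.springframework.jdbc.datasource.lookup.AbstractRoutingDataSource;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** One row of the data source configuration table (hypothetical column set). */
record DataSourceConfig(String id, String dbType, String url, String driverClass,
                        String restrictedAccount, String restrictedPassword) {}

/** Dynamic data source route; the lookup key is the data source id held in a thread-local context. */
class RoutingDataSource extends AbstractRoutingDataSource {
    static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    @Override protected Object determineCurrentLookupKey() { return CURRENT.get(); }
}

public class OnDemandPoolRegistry {
    private final Map<String, DruidDataSource> templatesByType = new HashMap<>();
    private final Map<Object, Object> registered = new ConcurrentHashMap<>();
    private final RoutingDataSource routing = new RoutingDataSource();

    public OnDemandPoolRegistry() {
        // One template per database type; the numbers are illustrative, not the page's values.
        templatesByType.put("oracle", template(5, 50, 5, 3_000L, 60_000L, 300_000L));
        templatesByType.put("mysql", template(2, 20, 2, 3_000L, 60_000L, 300_000L));
        routing.setLenientFallback(false);   // an unknown route key must fail, never fall back to a default pool
        refreshRoute();
    }

    /** Pool template as described in [0048]; url, driver and account are filled in per target database. */
    static DruidDataSource template(int initialSize, int maxActive, int minIdle,
                                    long maxWaitMs, long evictionIntervalMs, long minEvictableIdleMs) {
        DruidDataSource t = new DruidDataSource();
        t.setInitialSize(initialSize);
        t.setMaxActive(maxActive);
        t.setMinIdle(minIdle);
        t.setMaxWait(maxWaitMs);
        t.setTimeBetweenEvictionRunsMillis(evictionIntervalMs);
        t.setMinEvictableIdleTimeMillis(minEvictableIdleMs);
        t.setTestWhileIdle(true);           // validate idle connections before they are reclaimed
        t.setTestOnBorrow(false);
        t.setTestOnReturn(false);
        t.setPoolPreparedStatements(true);  // PSCache
        t.setMaxPoolPreparedStatementPerConnectionSize(20);
        return t;
    }

    private void refreshRoute() {
        routing.setTargetDataSources(registered);
        routing.afterPropertiesSet();       // rebuilds the resolved route map from the registered pools
    }

    /** Returns a healthy pool for the configuration, creating it on first access or rebuilding it after a failure. */
    public synchronized DruidDataSource acquire(DataSourceConfig cfg) throws SQLException {
        DruidDataSource existing = (DruidDataSource) registered.get(cfg.id());
        if (existing != null) {
            try (Connection ignored = existing.getConnection()) {
                return existing;            // health check passed
            } catch (SQLException e) {
                existing.close();           // self-heal: drop the broken pool and rebuild it below
                registered.remove(cfg.id());
                refreshRoute();
            }
        }
        // Independent connectivity check with the restricted account before anything is registered.
        try (Connection probe = DriverManager.getConnection(cfg.url(), cfg.restrictedAccount(), cfg.restrictedPassword())) {
            if (!probe.isValid(5)) throw new SQLException("connectivity check failed for data source " + cfg.id());
        }
        DruidDataSource tmpl = templatesByType.get(cfg.dbType());
        if (tmpl == null) throw new SQLException("no connection pool template for database type " + cfg.dbType());
        DruidDataSource pool = tmpl.cloneDruidDataSource();   // Druid's copy of a configured, uninitialised pool
        pool.setUrl(cfg.url());
        pool.setDriverClassName(cfg.driverClass());
        pool.setUsername(cfg.restrictedAccount());
        pool.setPassword(cfg.restrictedPassword());
        pool.init();                        // creates initialSize connections with the restricted account
        registered.put(cfg.id(), pool);
        refreshRoute();
        return pool;
    }

    /** Runs work on the target database by switching the route context, then restores the previous context. */
    public <T> T withTarget(DataSourceConfig cfg, SqlWork<T> work) throws SQLException {
        acquire(cfg);
        String previous = RoutingDataSource.CURRENT.get();
        RoutingDataSource.CURRENT.set(cfg.id());
        try (Connection c = routing.getConnection()) {
            return work.run(c);
        } finally {
            if (previous == null) RoutingDataSource.CURRENT.remove();
            else RoutingDataSource.CURRENT.set(previous);
        }
    }

    @FunctionalInterface
    public interface SqlWork<T> { T run(Connection c) throws SQLException; }
}
```

Two details carry the security weight. setLenientFallback(false) makes a request with a missing or unknown data source id fail instead of silently running on whatever default route is configured. The probe connection and the pool itself both use the restricted management account from the configuration row, so a row with a wrong or over-privileged account is caught (or at least exercised) before it is registered, and the synchronized acquire() keeps two concurrent first requests from building two pools for the same id.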
[0058] III. Database layer account operations based on secure execution units.
[0059] In existing technology, account management syntax and permission models differ significantly between databases, making it difficult to construct a unified self-service interface. This invention addresses this by establishing a secure execution unit at the database's underlying layer. Self-service operations involving personal accounts, such as unlocking and resetting passwords, must be handled through this secure execution unit, which creates an unbypassable security barrier for account operations. The secure execution unit is deployed within the target database and encapsulates both the account operation logic and the legitimacy verification logic. Specifically, the secure execution unit can be implemented through custom procedures, functions, triggers, scripts, etc., encapsulated at the database's underlying layer.
[0060] During the deployment phase, the system creates standardized security execution unit components in each target database. These units encapsulate account operation logic for different databases. The system uses a restricted management account to connect to the target database. This restricted management account is granted only the minimum permissions required to execute or invoke the security execution unit, and all high-risk permissions such as ALTER USER and CREATE USER are removed through explicit REVOKE operations to ensure that it cannot directly manipulate database accounts.
[0061] After connecting to the target database, the system sends a user's operation request for the target database's personal account to the target database's security execution unit, and then invokes the security execution unit to process the operation request for the target database's personal account. The operation request processing includes one or any combination of unlocking, resetting the password, locking, and setting an expiration date. If the operation request is to unlock, the security execution unit is invoked to unlock the target database's personal account; if the operation request is to reset the password, the security execution unit is invoked to reset the password for the target database's personal account.
[0062] In one embodiment, the processing of a request to invoke a secure execution unit to perform an operation on a personal account in the target database may include: The secure execution unit is invoked to verify the legitimacy of the target database personal account. Upon successful verification, the operation request for the target database personal account is processed. This legitimacy is verified using personal database account rules, which are a set of preset policies used to distinguish between database service accounts and personal accounts. These rules include, but are not limited to, username naming conventions, user configuration policies, and role or permission group affiliations. User configuration policies include resource limitation rules assigned to database users, such as maximum number of connections, CPU usage time per query, and password policies such as password validity period and number of incorrect login attempts.
[0063] During execution, the security execution unit first verifies whether the database personal account submitting the operation request conforms to the personal database account rules (including naming conventions, configuration strategies, and role affiliation). After successful verification, the operation is completed within the same transaction, and the two are inseparable. Since the restricted management account itself does not have the permission to directly execute DDL statements, all operations of the restricted management account must be completed by calling the pre-built security execution unit, forming a mandatory security boundary from the application layer (i.e., the personal database account management application system) to the database layer.
[0064] The key advantage of the secure execution unit proposed in this invention lies in deploying security verification to the native database layer, making the security mechanism no longer dependent on the integrity of the application layer code. Even if there are potential vulnerabilities in the application layer or the interface is bypassed, attackers cannot perform unauthorized operations because the restricted management account simply does not have the necessary permissions to perform high-risk operations.
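The secure execution unit of section III and the privilege trimming of [0060], as an added Java example that is not the patent's own code. The procedure body assumes the Oracle dialect (the user configuration policies listed in [0062] correspond to Oracle profile limits); the schema acct_mgr, the procedure personal_account_op, the profile and role names, the P_ naming prefix and the account restricted_mgr are all hypothetical.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Types;
import java.util.ArrayList;
import java.util.List;

/** Secure execution unit as an Oracle stored procedure, deployed by a DBA and invoked through the restricted account. */
public final class SecureExecutionUnit {

    /** Legitimacy check and account operation in one definer-rights procedure; names are hypothetical. */
    static final String CREATE_UNIT = """
        CREATE OR REPLACE PROCEDURE acct_mgr.personal_account_op(
            p_username IN VARCHAR2, p_op IN VARCHAR2,
            p_new_password IN VARCHAR2, p_result OUT VARCHAR2)
        AUTHID DEFINER AS
            v_user  VARCHAR2(128) := UPPER(p_username);
            v_count NUMBER;
        BEGIN
            -- Personal database account rules: name prefix, profile binding, role membership.
            SELECT COUNT(*) INTO v_count
              FROM dba_users u
             WHERE u.username = v_user
               AND u.username LIKE 'P\\_%' ESCAPE '\\'
               AND u.profile IN ('PERSONAL_RO_PROFILE', 'PERSONAL_RW_PROFILE')
               AND EXISTS (SELECT 1 FROM dba_role_privs r
                            WHERE r.grantee = u.username
                              AND r.granted_role IN ('PERSONAL_RO', 'PERSONAL_RW'));
            IF v_count = 0 THEN
                p_result := 'REJECTED: not a personal account';
                RETURN;
            END IF;
            -- DBMS_ASSERT quotes and validates the identifier, so the caller cannot inject SQL.
            IF p_op = 'UNLOCK' THEN
                EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE) || ' ACCOUNT UNLOCK';
            ELSIF p_op = 'LOCK' THEN
                EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE) || ' ACCOUNT LOCK';
            ELSIF p_op = 'RESET_PASSWORD' THEN
                EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE)
                    || ' IDENTIFIED BY ' || DBMS_ASSERT.ENQUOTE_NAME(p_new_password, FALSE);
            ELSE
                RAISE_APPLICATION_ERROR(-20001, 'unsupported operation: ' || p_op);
            END IF;
            p_result := 'OK';
        END;
        """;

    /** Privileges of the restricted management account: connect and execute the unit, nothing more. */
    static final String[] RESTRICT_ACCOUNT = {
        "GRANT CREATE SESSION TO restricted_mgr",
        "GRANT EXECUTE ON acct_mgr.personal_account_op TO restricted_mgr",
        "REVOKE ALTER USER FROM restricted_mgr",
        "REVOKE CREATE USER FROM restricted_mgr",
        "REVOKE DROP USER FROM restricted_mgr",
    };

    /** Run once per target database from a DBA session at deployment time. */
    public static void deploy(Connection dbaConn) throws SQLException {
        try (Statement st = dbaConn.createStatement()) {
            st.execute(CREATE_UNIT);
            for (String sql : RESTRICT_ACCOUNT) {
                try {
                    st.execute(sql);
                } catch (SQLException e) {
                    // Oracle raises ORA-01952 when revoking a privilege that was never granted;
                    // that is already the desired state, so only failed GRANTs are errors here.
                    if (!sql.startsWith("REVOKE")) throw e;
                }
            }
        }
    }

    /** Application-side call through the restricted account; the unit alone decides legitimacy. */
    public static String invoke(Connection restrictedConn, String op, String username, String newPassword)
            throws SQLException {
        try (CallableStatement cs = restrictedConn.prepareCall("{call acct_mgr.personal_account_op(?, ?, ?, ?)}")) {
            cs.setString(1, username);
            cs.setString(2, op);
            cs.setString(3, newPassword);
            cs.registerOutParameter(4, Types.VARCHAR);
            cs.execute();
            return cs.getString(4);
        }
    }

    /** Defender check at pool start-up: the pooled account must hold none of these system privileges. */
    public static List<String> highRiskPrivileges(Connection restrictedConn) throws SQLException {
        List<String> found = new ArrayList<>();
        String sql = "SELECT privilege FROM session_privs WHERE privilege IN "
                   + "('ALTER USER', 'CREATE USER', 'DROP USER', 'GRANT ANY PRIVILEGE', 'ALTER ANY PROCEDURE')";
        try (Statement st = restrictedConn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) found.add(rs.getString(1));
        }
        return found;
    }
}
```

Because the procedure runs with definer's rights, the owner acct_mgr must itself hold ALTER USER and direct object grants on dba_users and dba_role_privs (roles are not active inside definer-rights PL/SQL); restricted_mgr inherits none of that and can only run the procedure, which is exactly the boundary [0063] and [0064] describe. highRiskPrivileges() is the check to run when a data source row is first registered: a non-empty result means the row was configured with an over-privileged account and the pool should be rejected rather than put into the route.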
[0065] IV. Closed-loop lifecycle management of read-write permission accounts.
[0066] In this embodiment of the invention, the target database personal accounts are divided into read-only accounts and read-write permission accounts; read-only accounts are valid indefinitely and support password reset and unlocking; read-write permission accounts are locked by default and are only temporarily unlocked after the user applies for them, by calling the security execution unit to generate a random password and setting an expiration period.
[0067] Read-only accounts: Database personal accounts with only query permissions, valid indefinitely, and support user self-service password reset or unlocking.
[0068] Read/write permission accounts: Database personal accounts with data manipulation permissions (DML permissions) and data definition language permissions (DDL permissions). They are locked by default and need to be temporarily unlocked and have an expiration period set upon application.
[0069] In one embodiment, the processing of a request to invoke the security execution unit to perform an operation on a target database personal account may include: invoking the security execution unit to determine the read and write permissions of the target database personal account; when it is determined that the target database personal account has read and write permissions, after performing an unlocking operation, resetting the password and setting an expiration period; and automatically reclaiming and locking the target database personal account when it expires.
[0070] For example, when a user requests to unlock a personal account in the target database, the security execution unit is invoked to determine the read and write permissions of the personal account in the target database. When it is determined that the personal account in the target database has read and write permissions, the password is reset after the unlocking operation is performed, and an expiration period is set. When the expiration period expires, the personal account in the target database is automatically reclaimed and locked.
[0071] In practice, differentiated management is implemented for personal accounts in the database: read-only accounts are valid indefinitely and support self-service password reset and unlocking; read-write accounts are locked by default and are only temporarily unlocked after the user applies for them, with the system generating a strong random password and setting a limited validity period.
[0072] The system sets the validity period for each database personal account in the personal database account table of the main database. For example, it sets the account_effective_to field to indicate the validity period of the database personal account.
[0073] A scheduled task periodically scans the personal database account table to reclaim and lock expired personal database accounts: for each expired account, provided that the database connection pool corresponding to that account is available, it automatically calls the security execution unit to lock the account and updates the account's status to locked.
[0074] For example, for accounts that meet the condition CURRENT_TIMESTAMP (current time) > account_effective_to (expiration date) and have a status of "unlocked," the security execution unit is automatically invoked to lock the account and update its status to locked, provided that the corresponding database connection pool is available. Users must resubmit the operation request if they wish to continue using the account. This embodiment of the invention implements "authorization on demand, locking after use," effectively adhering to the principles of least privilege and zero trust security.
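The read-write account lifecycle of section IV ([0069] to [0074]): temporary unlock with a random password and an expiry, followed by the scheduled reclaim scan. This is an added Java example, not the patent's own code. The column account_effective_to comes from the page; the table name personal_db_account, the columns account_name, data_source_id and status, the status values and the 24-character password format are assumptions. The unit call is abstracted behind a UnitInvoker so that the stored-procedure call from the secure execution unit example is not repeated here.

```java
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

/** Lifecycle of read-write personal accounts: locked by default, unlocked on request for a limited period, reclaimed on expiry. */
public final class ReadWriteAccountLifecycle {

    /** Calls the target database's secure execution unit: (operation, account, new password) -> unit result. */
    @FunctionalInterface
    public interface UnitInvoker { String invoke(String op, String account, String newPassword) throws SQLException; }

    /** Resolves the unit invoker for a data source id; returns null when that pool is not available. */
    @FunctionalInterface
    public interface PoolLookup { UnitInvoker forDataSource(String dataSourceId); }

    private static final SecureRandom RNG = new SecureRandom();
    // No quote characters, so the value can never terminate the ALTER USER string inside the unit.
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789#$_";

    /** 24 characters drawn from a CSPRNG (assumed format). */
    public static String randomPassword() {
        StringBuilder sb = new StringBuilder(24);
        for (int i = 0; i < 24; i++) sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        return sb.toString();
    }

    /** Unlock, reset to a fresh random password, record the expiry in the main database, return the password once. */
    public static String temporaryUnlock(Connection mainDb, UnitInvoker unit, String account,
                                        Duration validity) throws SQLException {
        String result = unit.invoke("UNLOCK", account, null);
        if (!"OK".equals(result)) throw new SQLException("unit rejected UNLOCK for " + account + ": " + result);
        String password = randomPassword();
        result = unit.invoke("RESET_PASSWORD", account, password);
        if (!"OK".equals(result)) throw new SQLException("unit rejected RESET_PASSWORD for " + account + ": " + result);
        Instant effectiveTo = Instant.now().plus(validity);
        try (PreparedStatement ps = mainDb.prepareStatement(
                "UPDATE personal_db_account SET status = 'unlocked', account_effective_to = ? WHERE account_name = ?")) {
            ps.setTimestamp(1, Timestamp.from(effectiveTo));
            ps.setString(2, account);
            ps.executeUpdate();
        }
        return password;   // handed to the requesting user; the application does not store it
    }

    /** Scheduled task body: lock every expired, still-unlocked account whose pool is reachable. */
    public static List<String> reclaimExpired(Connection mainDb, PoolLookup pools) throws SQLException {
        List<String> reclaimed = new ArrayList<>();
        String select = "SELECT account_name, data_source_id FROM personal_db_account "
                      + "WHERE status = 'unlocked' AND account_effective_to < CURRENT_TIMESTAMP";
        try (PreparedStatement ps = mainDb.prepareStatement(select); ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                String account = rs.getString(1);
                UnitInvoker unit = pools.forDataSource(rs.getString(2));
                if (unit == null) continue;   // pool unavailable: the account stays expired and is retried next scan
                if ("OK".equals(unit.invoke("LOCK", account, null))) {
                    try (PreparedStatement upd = mainDb.prepareStatement(
                            "UPDATE personal_db_account SET status = 'locked' WHERE account_name = ?")) {
                        upd.setString(1, account);
                        upd.executeUpdate();
                    }
                    reclaimed.add(account);
                }
            }
        }
        return reclaimed;
    }
}
```

The status update in the main database is written only after the unit reports success, so the main table never claims an account is locked while the target database still has it open; the reverse ordering would hide an unreclaimed account from the next scan. Skipping accounts whose pool is unavailable, rather than marking them locked, matches [0073]: the expiry condition stays true and the next run picks them up once the pool has been rebuilt.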
[0075] Through the deep integration of the above four technical means, the embodiments of the present invention not only realize the dynamic management of databases and self-service operation of accounts, but also build a secure, efficient and scalable system covering the entire chain of "on-demand connection-secure operation-governance", which significantly reduces the operation and maintenance burden of database administrators and improves the user self-service experience.
[0076] Figure 3 is another specific example diagram of the database personal account self-service operation processing method in the embodiments of the present invention. As shown in Figure 3, the method includes: Step 301: The user submits a personal database account operation request through the personal database account table, such as unlocking or resetting the password.
[0077] Step 302: Based on the database personal account information, obtain the database data source connection information, such as database type, connection configuration, and restricted management account, from the data source configuration table, and determine whether the corresponding database is being accessed for the first time based on the dynamic data source routing. Step 303: If it is the first access, use the restricted management account of the corresponding database to establish a connection pool for the database. If it is not the first access, connect directly to the database through the connection pool. Step 304: Pass the database personal account to be operated on to the database security execution unit. The security execution unit checks whether the account conforms to the personal database account rules and determines whether the database personal account is a read-write permission account or a read-only permission account. Step 305: Upon successful verification, the security execution unit performs operations on the corresponding personal database account, such as unlocking, resetting the password, or locking.
[0078] Step 306: For accounts with read and write permissions, the password will be reset during the unlocking operation, and an expiration date will be set. When the expiration date is reached, the personal database account will be automatically reclaimed and locked.
[0079] Figure 4 is another specific example of the self-service operation processing of personal accounts in the database. As shown in Figure 4, the diagram illustrates the process of resetting a read-only account password using a self-service method, including: The user selects a read-only database account to initiate a password reset. After its ownership relationship is obtained, the system switches to the corresponding data source based on the database type to which the account belongs; it invokes the pre-built secure execution unit in the database, passing in the database user account information; the security execution unit verifies whether the account complies with personal account rules (such as name prefix, policy binding, etc.). If verification succeeds, a random password is generated and the password update operation is performed; if verification fails, an error message is displayed. Finally, the result is returned and the system switches back to the main data source.
[0080] Figure 5 illustrates another specific example of self-service operation processing for database personal accounts in this invention, demonstrating the temporary authorization and revocation process for read/write accounts. As shown in Figure 5, the method includes: A user requests an account with specific read/write permissions; the system switches to the target database, unlocks the account and resets the password via the secure execution unit, and sets a limited validity period. During the validity period, the user can use this account to perform read and write operations. After the validity period ends, the scheduled task automatically detects that the account has expired; after the dynamic data source engine confirms that the database connection pool is in a valid state, it calls the security execution unit to relock the account and update the account status to "reclaimed", thus completing the lifecycle loop.
[0081] In summary, the embodiments of the present invention specifically include the following: (1) On-demand triggered dynamic data source creation mechanism: each database configuration is stored in the master database table. When the configured database is accessed for the first time, a connection pool is automatically created, which includes connectivity verification and health check reconstruction logic; (2) Secure execution unit mechanism: The account validity verification and operation execution are encapsulated in the database's built-in controlled unit (such as a stored procedure), forming an unbypassable security boundary; (3) Personal database account rules: Personal database accounts are defined through multiple dimensions such as naming conventions, configuration strategies, and role affiliation, adapting to any relational database; (4) Lifecycle state machine for read-write database personal accounts: Locked → Apply → Unlock and reset password (set validity period) → Expiry → Automatic reclamation; (5) Database type-independent adaptation architecture: Differences are encapsulated through the strategy pattern to support various relational databases.
[0082] The embodiments of the present invention have the following technical effects: (1) Uninterrupted service management: Adding a new database only requires writing it into the configuration table, and it will take effect automatically on the next access without restarting; (2) Support for self-service operation: In the production environment of 135+ different types of relational databases and 3449+ personal database accounts, users can perform self-service operations to reset and unlock their personal database accounts. The relevant requests are processed automatically by the system. (3) Secure and controllable: Through the triple protection of “restricted management account + secure execution unit + personal database account rules”, the application layer cannot bypass the secure execution unit to directly execute account modification operations, thus eliminating the risk of unauthorized access; (4) Compliance governance: Read and write accounts are locked by default, and are only temporarily unlocked after the user applies and a validity period is set. They are automatically reclaimed after the expiration, which complies with the principles of least privilege and zero trust security. (5) Unified experience: Mask the differences in syntax and permission models between different databases and provide a consistent self-service interface; (6) High scalability: Adding a new database type only requires implementing the corresponding security execution unit and routing logic, without changing the core architecture; (7) Unified operation process: The dynamic data source management mechanism is deeply linked with the security account operation. When a user makes the first password reset or unlock request for a personal database account in the newly configured database, the connection pool can be automatically created and the security operation can be completed, achieving a seamless connection from configuration to use.
[0083] This invention also provides a self-service operation processing device for database personal accounts, as described in the following embodiments. Since the principle by which this device solves the problem is similar to the self-service operation processing method for database personal accounts, the implementation of this device can refer to the implementation of the self-service operation processing method for database personal accounts; repeated details will not be elaborated further.
[0084] Figure 6 is a schematic diagram of a database personal account self-service operation processing device in an embodiment of the present invention. As shown in Figure 6, the device 600 includes: the operation request receiving module 601, used to receive user operation requests for personal accounts in the target database; the restricted management account acquisition module 602, used to obtain the restricted management account of the target database from the data source configuration table based on the personal account of the target database, where the data source configuration table stores restricted management accounts for multiple databases, the restricted management account is only granted permission to call the security execution unit of the corresponding database, and the security execution unit is used to encapsulate the operation logic of the account; the database management module 603, used to connect to the target database based on the restricted management account through dynamic data source routing, where the dynamic data source routing is used to dynamically route to the target database based on the restricted management account at runtime; and the security control module 604, used to transmit user operation requests for personal accounts in the target database to the security execution unit of the target database and to call the security execution unit to process the operation request for personal accounts in the target database, where the operation request processing includes one or any combination of unlocking, resetting the password, locking, and setting an expiration period.
[0085] In one embodiment, the secure execution unit is further configured to encapsulate legitimacy verification logic, and the security control module 604 is specifically used to call the secure execution unit to verify the legitimacy of the target database personal account and to process the operation request for the target database personal account after verification succeeds.
[0086] In one embodiment, the security control module 604 is specifically used to call the security execution unit to determine the read and write permissions of the target database personal account; when it is determined that the target database personal account has read and write permissions, the password is reset after the unlocking operation is performed and an expiration period is set; when the expiration period expires, the target database personal account is automatically reclaimed and locked.
[0087] In one embodiment, the target database personal accounts are divided into read-only accounts and read-write permission accounts; read-only accounts are valid indefinitely and support password reset and unlocking; read-write permission accounts are locked by default and are only temporarily unlocked after the user applies for them, by calling the security execution unit to generate a random password and setting an expiration period.
[0088] In one embodiment, the data source configuration table is used to store connection information for multiple databases; the connection information includes a restricted management account, database type, URL, and driver class; Database management module 603 is specifically used for: Check whether the data source corresponding to the target database has been registered in the dynamic data source routing. If already registered, retrieve registration information and execute the connection; If not registered, a connection pool for the target database is created using the connection information of the target database belonging to the restricted management account, and the connection to the target database is established through the connection pool.
[0089] This invention also provides a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the above-described self-service operation processing method for database personal accounts.
[0090] This invention also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the aforementioned database personal account self-service operation processing method.
[0091] This invention also provides a computer program product, which includes a computer program that, when executed by a processor, implements the above-described database personal account self-service operation processing method.
[0092] Existing technologies using database proxy middleware can achieve dynamic routing, but require additional proxy layer deployment, increasing architectural complexity and lacking support for account lifecycle management. Application-layer direct DDL execution with strong auditing, while allowing for self-service operation, grants excessive privileges, and auditing is only retrospective, failing to prevent unauthorized access. This invention, through the organic synergy of four key technical means, achieves an end-to-end closed loop of database management, account operation, security control, and lifecycle governance. It requires no restart, is secure and controllable, supports multiple types of relational databases, and possesses account lifecycle management capabilities.
[0093] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0094] This invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed via the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0095] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0096] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0097] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above descriptions are merely specific embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
Claims
1. A method for self-service operation of a personal account of a database, characterized in that it comprises: receiving a user's operation request for a personal account in a target database; retrieving the restricted management account of the target database from a data source configuration table based on the personal account of the target database, wherein the data source configuration table stores the restricted management accounts of multiple databases, the restricted management account is granted only the permission to call the secure execution unit of the corresponding database, and the secure execution unit is used to encapsulate the operation logic for the account; establishing a connection to the target database through dynamic data source routing based on the restricted management account, wherein the dynamic data source routing is used to route dynamically to the target database at runtime based on the restricted management account; and transmitting the user's operation request for the personal account of the target database to the secure execution unit of the target database and calling the secure execution unit to process the operation request for the personal account of the target database, wherein the processing of the operation request includes one or any combination of unlocking, resetting the password, locking, and setting an expiration period.
2. The method of claim 1, wherein the secure execution unit is further used to encapsulate legality verification logic, and calling the secure execution unit to process the operation request for the personal account of the target database comprises: calling the secure execution unit to verify the legality of the personal account of the target database, and processing the operation request for the personal account of the target database after the verification succeeds.
3. The method of claim 1, wherein calling the secure execution unit to process the operation request for the personal account of the target database comprises: calling the secure execution unit to determine the read and write permissions of the personal account of the target database; when it is determined that the personal account of the target database has read and write permissions, performing the unlocking operation, then resetting the password and setting an expiration period; and when the expiration period expires, automatically reclaiming and locking the personal account of the target database.
4. The method of claim 1, wherein the personal accounts of the target database are divided into read-only accounts and read-write permission accounts; read-only accounts are valid indefinitely and support password reset and unlocking; read-write permission accounts are locked by default and are only temporarily unlocked after the user applies for them, by calling the secure execution unit to generate a random password and set an expiration period.
5. The method of claim 1, wherein the data source configuration table is used to store connection information for multiple databases, the connection information including the restricted management account, the database type, the URL, and the driver class; and establishing a connection to the target database through dynamic data source routing based on the restricted management account comprises: checking whether the data source corresponding to the target database has been registered in the dynamic data source routing; if it has been registered, retrieving the registration information and executing the connection; and if it has not been registered, creating a connection pool for the target database using the connection information of the target database to which the restricted management account belongs, and establishing the connection to the target database through the connection pool.
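The flow of claims 1 to 5, as an added Python sketch that is not the patent's code: a configuration table holding one restricted management account per database, routing that registers a connection pool on first use, and a secure execution unit that rejects any caller other than the restricted account, verifies that the personal account is legitimate, and enforces the read-only versus read-write lifecycle (default-locked read-write accounts, random password, expiration period, automatic reclaim). All names, the configuration row and the 8-hour validity are assumptions; the database is simulated in memory.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed data source configuration table (hypothetical names): restricted account, type, URL, driver per database.
DATA_SOURCE_CONFIG = {"finance_db": {"admin": "acct_ops_restricted", "type": "oracle",
                      "url": "jdbc:oracle:thin:@//fin-host:1521/FIN", "driver": "oracle.jdbc.OracleDriver"}}
REGISTERED_POOLS = {}             # dynamic data source routing registry, filled at runtime

@dataclass
class Account:
    name: str
    read_write: bool
    locked: bool = True           # read-write accounts are locked by default
    expires: datetime | None = None
    password: str | None = None

class SecureExecutionUnit:  # database-level unit holding the operation and legality-check logic
    def __init__(self, db, accounts):
        self.db, self.accounts = db, {a.name: a for a in accounts}
    def process(self, caller, account_name, op, now):
        if caller != DATA_SOURCE_CONFIG[self.db]["admin"]:   # only the restricted account may call
            raise PermissionError(f"{caller} may not call the secure execution unit of {self.db}")
        acct = self.accounts.get(account_name)
        if acct is None:                                     # legality verification
            raise ValueError(f"unknown personal account {account_name}")
        self.reclaim_expired(now)
        if op == "lock":
            acct.locked, acct.expires = True, None
        elif op == "reset_password":
            acct.password = secrets.token_urlsafe(16)        # random, never user-chosen
        elif op == "unlock":
            acct.locked = False
            if acct.read_write:   # temporary access: fresh random password, assumed 8-hour validity
                acct.password, acct.expires = secrets.token_urlsafe(16), now + timedelta(hours=8)
        else:
            raise ValueError(f"unsupported operation {op}")
        return acct
    def reclaim_expired(self, now):  # auto-reclaim: lock accounts whose expiration period has passed
        for a in self.accounts.values():
            if a.expires is not None and now >= a.expires:
                a.locked, a.expires, a.password = True, None, None

def route(db):  # dynamic routing: register a pool from the config table on first use, no restart
    if db not in REGISTERED_POOLS:
        cfg = DATA_SOURCE_CONFIG[db]
        REGISTERED_POOLS[db] = {"pool": f"pool({cfg['driver']} {cfg['url']})", "admin": cfg["admin"]}
    return REGISTERED_POOLS[db]

def self_service(units, db, account_name, op, now):  # receive request, route, call the unit
    return units[db].process(route(db)["admin"], account_name, op, now)
```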
6. A device for self-service operation of a personal account of a database, characterized in that it comprises: an operation request receiving module, used to receive a user's operation request for a personal account in a target database; a restricted management account acquisition module, used to obtain the restricted management account of the target database from a data source configuration table based on the personal account of the target database, wherein the data source configuration table stores the restricted management accounts of multiple databases, the restricted management account is granted only the permission to call the secure execution unit of the corresponding database, and the secure execution unit is used to encapsulate the operation logic for the account; a database management module, used to connect to the target database through dynamic data source routing based on the restricted management account, wherein the dynamic data source routing is used to route dynamically to the target database at runtime based on the restricted management account; and a security control module, used to transmit the user's operation request for the personal account of the target database to the secure execution unit of the target database and to call the secure execution unit to process the operation request for the personal account of the target database, wherein the processing of the operation request includes one or any combination of unlocking, resetting the password, locking, and setting an expiration period.
7. The device of claim 6, wherein the secure execution unit is further used to encapsulate legality verification logic, and the security control module is specifically used to call the secure execution unit to verify the legality of the personal account of the target database, and to process the operation request for the personal account of the target database after the verification succeeds.
8. The device of claim 6, wherein the security control module is specifically used to call the secure execution unit to determine the read and write permissions of the personal account of the target database; when it is determined that the personal account of the target database has read and write permissions, to perform the unlocking operation, then reset the password and set an expiration period; and when the expiration period expires, to automatically reclaim and lock the personal account of the target database.
9. The device of claim 6, wherein the personal accounts of the target database are divided into read-only accounts and read-write permission accounts; read-only accounts are valid indefinitely and support password reset and unlocking; read-write permission accounts are locked by default and are only temporarily unlocked after the user applies for them, by calling the secure execution unit to generate a random password and set an expiration period.
10. The device of claim 6, wherein the data source configuration table is used to store connection information for multiple databases, the connection information including the restricted management account, the database type, the URL, and the driver class; and the database management module is specifically used to check whether the data source corresponding to the target database has been registered in the dynamic data source routing; if it has been registered, to retrieve the registration information and execute the connection; and if it has not been registered, to create a connection pool for the target database using the connection information of the target database to which the restricted management account belongs, and to establish the connection to the target database through the connection pool.
11. A computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that when the processor executes the computer program, it implements the method of any one of claims 1 to 5.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5.
13. A computer program product, characterized in that the computer program product includes a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5.