Permission verification method based on cloud management platform, and cloud management platform
By layering the identifiers of data in buckets and taking their prefixes, access control labels are established, which solves the problem of slow permission verification in object storage services and achieves more efficient permission verification and a simplified authentication process.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- HUAWEI CLOUD COMPUTING TECHNOLOGIES CO LTD
- Filing Date
- 2025-07-29
- Publication Date
- 2026-06-18
AI Technical Summary
In existing technologies, the object storage services provided by the infrastructure need to traverse a large number of pre-established authentication entries during permission verification, which results in slow permission verification speed and seriously affects performance.
The data in the bucket is identified by a hierarchical approach. Access control labels are established by prefixing the data identifiers, which reduces the number of access control information entries and pushes the access control information down to the infrastructure storage, simplifying the authentication logic.
It significantly improves the speed and performance of permission verification, reduces the complexity of permission management on the user side, and avoids permission control information reaching storage space limits, thus improving the efficiency of permission verification.
Description
Permission verification methods based on cloud management platforms and cloud management platforms
[0001] This application claims priority to the Chinese patent application filed on December 10, 2024, with application number 202411815350.3 and title "Authorization Verification Method and Cloud Management Platform Based on Cloud Management Platform", the entire contents of which are incorporated herein by reference.
Technical Field
[0002] This application relates to the field of cloud computing technology, specifically to a permission verification method based on a cloud management platform and a cloud management platform.
Background Technology
[0003] Currently, object storage services (OBS) provided by infrastructure perform permission checks on data access requests to improve data security, determining whether an access request has the necessary permissions. The permission check scheme used in related technologies involves pre-establishing authentication entries for user identifiers and data identifiers. Upon receiving an access request, the system checks whether the user identifier and data identifier indicated in the access request belong to the pre-established authentication entries to determine whether the user has the necessary permissions.
[0004] However, when using related technologies, as the amount of data stored in the infrastructure increases, the number of pre-established authentication entries also increases.
[0005] Therefore, when performing permission verification using related technologies, it is necessary to traverse a large number of pre-established authentication entries, which makes permission verification increasingly slow and seriously affects permission verification performance.
Summary of the Invention
[0006] This application provides a permission verification method based on a cloud management platform, and a cloud management platform, which help to improve permission verification performance.
[0007] In a first aspect, a permission verification method based on a cloud management platform is provided. The method is applied to a cloud management platform that provides object storage services to tenants and manages the infrastructure that provides the buckets of the object storage service. The infrastructure stores permission control information, which indicates the correspondence between at least one piece of data identification information and at least one access control label. The data identification information includes a bucket identifier and a prefix of a data identifier. The bucket stores data, and the access control label indicates the access rights to the data indicated by the data identification information corresponding to that access control label. The method includes: the cloud management platform receives an operation request from a tenant, wherein the operation request includes an identifier of a target bucket and an identifier of target data, and the target bucket is the bucket storing the target data; if the operation request includes a target access control label, the cloud management platform determines, based on the permission control information, the access control label corresponding to the data identification information of the target data, wherein the data identification information of the target data includes the identifier of the target bucket and a prefix of the identifier of the target data; and the cloud management platform determines the permission verification result of the operation request based on the target access control label and the access control label corresponding to the data identification information of the target data, wherein the permission verification result includes verification success or verification failure.
[0008] In the above scheme, after receiving an operation request from a tenant, the cloud management platform determines, based on the permission control information, the access control label corresponding to the data identification information indicated by the operation request (i.e., the identifier of the target bucket and the prefix of the identifier of the target data). Then, based on the target access control label indicated by the operation request and the access control label corresponding to that data identification information, the platform determines the permission verification result of the tenant's operation request. This scheme employs a layered approach, dividing the identifiers of the data stored in the bucket into layers. It extracts prefixes from the data identifiers and establishes access control labels for the different prefixes at prefix granularity, thus obtaining the permission control information. Since different data identifiers can share the same prefix, the number of prefixes is much smaller than the number of data identifiers. For the large amount of data stored in the infrastructure, the number of permission entries in the permission control information will therefore be much smaller than the number of authentication entries in related technologies. Compared to related technologies, this allows the cloud management platform to traverse the permission control information much faster when determining the access control label corresponding to the data identification information indicated by the operation request, thereby significantly improving the permission verification performance of the cloud management platform.
[0009] Furthermore, this scheme associates users and the data they wish to access through access control labels. Specifically, it associates the user concept (the user requesting access to data) with the resource concept (the data the user requests access to). On the user side, only the access control labels possessed by different users are managed, so that operation requests sent by users carry these labels, which reduces the complexity of user-side permission management. Permission control information is pushed down to the OBS side; that is, the infrastructure providing OBS stores the permission control information. This allows the OBS side to perform authentication based on the permission control information and the access control labels carried in the operation request, without needing to be aware of the business logic (i.e., the specific semantics) of the access control labels. This simplifies authentication on the OBS side and further improves permission verification performance.
[0010] In one possible implementation, the cloud management platform determining the permission verification result of the operation request based on the target access control label and the access control label corresponding to the data identification information of the target data includes: if the access control label corresponding to the data identification information of the target data includes the target access control label, the cloud management platform determines that the permission verification result of the operation request is successful; if the access control label corresponding to the data identification information of the target data does not include the target access control label, the cloud management platform determines that the permission verification result of the operation request is unsuccessful.
[0011] In another possible implementation, the infrastructure stores delimiter information, which is used to indicate the correspondence between bucket identifiers and delimiters. The method further includes: the cloud management platform determining the target delimiter corresponding to the identifier of the target bucket based on the delimiter information; and the cloud management platform segmenting the identifier of the target data based on the target delimiter to obtain the prefix of the identifier of the target data.
[0012] In this implementation, the delimiter information is provided by the infrastructure. After receiving the operation request, the cloud management platform determines the target delimiter to be used to split the identifier of the target data based on the identifier of the target bucket indicated in the operation request. This helps reduce the workload of tenants in managing delimiters, thereby improving the user experience for tenants.
[0013] In another possible implementation, before receiving the operation request from the tenant, the method further includes: the cloud management platform receives a target request from the tenant, the target request including a bucket identifier and a delimiter corresponding to the bucket identifier; and the cloud management platform, in response to the target request, stores the delimiter information.
[0014] In this implementation, the cloud management platform sets delimiters for the data in the bucket specified by the tenant based on the delimiter specified by the tenant. In this way, the tenant can define the data delimiters according to actual needs, which not only helps to improve the scalability and ease of use of the delimiters, but also helps to improve the flexibility of the delimiters.
[0015] In another possible implementation, before receiving an operation request from a tenant, the method further includes: the cloud management platform receives a permission setting request from the tenant, the permission setting request including at least one piece of data identification information and at least one access control label corresponding to the at least one piece of data identification information; and the cloud management platform, in response to the permission setting request, stores the permission control information.
[0016] In this implementation, the cloud management platform defines access control labels corresponding to different data identification information based on the access control labels specified by the tenant. In this way, the tenant can define the form of access control labels according to actual needs, which not only helps to improve the scalability and ease of use of access control labels, but also helps to improve the flexibility of access control labels.
[0017] In another possible implementation, the operation request is also used to indicate the target user identifier; the method further includes: if the operation request does not include a target access control label, the cloud management platform obtains the user identifier corresponding to the target data, wherein the user identifier corresponding to the target data includes at least one of the identifier of the user who created the target data or the identifier of the user who created the target bucket; the cloud management platform determines the permission verification result of the operation request based on the user identifier corresponding to the target data and the target user identifier.
[0018] In this implementation, if a tenant believes that the current operation request does not require permission verification via an access control tag, the operation request can omit the access control tag. In this scenario, the cloud management platform can perform permission verification based on the target user identifier indicated in the operation request and the user identifier that created the target data or target bucket, thereby ensuring the security of the target data requested by the operation request.
[0019] In another possible implementation, the cloud management platform determines the permission verification result of the operation request based on the user identifier corresponding to the target data and the target user identifier. This includes: if the user identifier corresponding to the target data includes the target user identifier, the cloud management platform determines the permission verification result as successful; if the user identifier corresponding to the target data does not include the target user identifier, the cloud management platform determines the permission verification result as unsuccessful.
[0020] In another possible implementation, the operation request also includes the target operation type and the target operation permission of the target access control label; the cloud management platform determines the permission verification result of the operation request based on the target access control label and the access control label corresponding to the data identification information of the target data, including: the cloud management platform determines the permission verification result of the operation request based on the access control label corresponding to the data identification information of the target data and the target access control label, as well as the target operation type and the target operation permission of the target access control label.
[0021] In another possible implementation, the operation request is also used to indicate a target time period. The cloud management platform determining the permission verification result of the operation request based on the target access control label and the access control label corresponding to the data identification information of the target data, as well as the target operation type and the target operation permission of the target access control label, includes: if the current time belongs to the target time period, the cloud management platform determines the permission verification result of the operation request based on the target access control label and the access control label corresponding to the data identification information of the target data, as well as the target operation type and the target operation permission of the target access control label.
[0022] In another possible implementation, the cloud management platform determines the permission verification result of the operation request based on the access control label corresponding to the data identifier information of the target data and the target access control label, as well as the target operation type and the target operation permission of the target access control label. This includes: if the access control label corresponding to the data identifier information of the target data includes the target access control label, and the target operation permission of the target access control label includes the target operation type, the cloud management platform determines that the permission verification result of the operation request is successful; if the access control label corresponding to the data identifier information of the target data does not include the target access control label, or if the target operation permission of the target access control label does not include the target operation type, the cloud management platform determines that the permission verification result of the operation request is unsuccessful.
[0023] In another possible implementation, the operation request also includes the prefix of the identifier of the target data.
[0024] In another possible implementation, the method further includes: the cloud management platform obtaining the target delimiter of the target data; and segmenting the identifier of the target data according to the target delimiter to obtain the prefix of the identifier of the target data.
[0025] In another possible implementation, the operation request also includes a target delimiter; the cloud management platform obtaining the target delimiter of the target data includes: the cloud management platform obtaining the target delimiter from the operation request.
[0026] In another possible implementation, if the identifier of the target data is a file identifier, the target delimiter is a forward slash.
[0027] In another possible implementation, the access control label includes at least one of a user identifier, a user group identifier, or a project identifier.
[0028] In another possible implementation, the method further includes: the cloud management platform receiving a permission query request from a tenant, the permission query request including target data identification information, the target data identification information including the identifier of the target bucket and a prefix of the identifier of the target data; the cloud management platform responding to the permission query request and returning the access control label corresponding to the target data identification information.
[0029] In another possible implementation, the method further includes: the cloud management platform receiving a permission query request from a tenant, the permission query request including the identifier of the target bucket; and the cloud management platform responding to the permission query request by returning the access control label corresponding to the identifier of the target bucket.
[0030] In another possible implementation, the method further includes: the cloud management platform receiving a delimiter query request from a tenant, the delimiter query request including the identifier of the target bucket; and the cloud management platform responding to the delimiter query request by returning the target delimiter corresponding to the identifier of the target bucket.
[0031] In another possible implementation, the method further includes: the cloud management platform receives a permission update request from the tenant, the permission update request including target data identification information and an updated access control label corresponding to the target data identification information; and the cloud management platform, in response to the permission update request, updates the permission control information, the updated permission control information being used to indicate the correspondence between the target data identification information and the updated access control label.
[0032] In another possible implementation, the method further includes: the cloud management platform receives a permission update request from the tenant, the permission update request including the identifier of the target bucket and the updated access control label corresponding to the identifier of the target bucket; and the cloud management platform, in response to the permission update request, updates the permission control information, the updated permission control information being used to indicate the correspondence between the identifier of the target bucket and the updated access control label.
[0033] In another possible implementation, the method further includes: the cloud management platform receives a delimiter update request from the tenant, the delimiter update request including the identifier of the target bucket and the first delimiter corresponding to the identifier of the target bucket; and the cloud management platform, in response to the delimiter update request, updates the delimiter information, the updated delimiter information being used to indicate the correspondence between the identifier of the target bucket and the first delimiter.
[0034] In another possible implementation, the method further includes: the cloud management platform receiving a permission deletion request from the tenant, the permission deletion request including target data identification information; the cloud management platform responding to the permission deletion request by deleting the target data identification information and the access control tag corresponding to the target data identification information from the permission control information.
[0035] In another possible implementation, the method further includes: the cloud management platform receiving a permission deletion request from a tenant, the permission deletion request including the identifier of the target bucket; the cloud management platform responding to the permission deletion request by deleting the identifier of the target bucket and the access control tag corresponding to the identifier of the target bucket from the permission control information.
[0036] In another possible implementation, the method further includes: the cloud management platform receiving a delimiter deletion request from a tenant, the delimiter deletion request including the identifier of the target bucket; and the cloud management platform responding to the delimiter deletion request by deleting the identifier of the target bucket and the delimiter corresponding to the identifier of the target bucket from the delimiter information.
[0037] In another possible implementation, the method further includes: if the permission verification result is successful, the cloud management platform processes the operation request; if the permission verification result is unsuccessful, the cloud management platform returns the permission verification result according to the operation request.
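The verification flow of paragraphs [0007] to [0037], as an added Python example (not code from the application or from the assignee): per-bucket delimiter, prefix lookup, label and operation-type check, time period, and the creator fallback when no label is sent. Assumptions not stated on the page: the longest prefix ending on a delimiter boundary wins with a bucket-level entry as fallback, a request outside its time period fails, the labels in a request were already bound to the caller by an authenticated credential, and all names and sample data are constructed.

```python
"""Added illustration of prefix-scoped access control labels (not the patent's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample state; bucket names, keys, labels and users are hypothetical.
DELIMITERS = {"bucket-a": "/"}  # delimiter information: bucket -> delimiter
PERMISSIONS = {                 # permission control information
    ("bucket-a", ""): {"proj-ops"},            # bucket-level entry
    ("bucket-a", "logs/"): {"group-sre"},
    ("bucket-a", "logs/audit/"): {"group-sec"},
}
# Creator lookup for the no-label path: key None stands for the bucket itself.
CREATORS = {("bucket-a", None): "user-1", ("bucket-a", "tmp/x.bin"): "user-7"}


@dataclass(frozen=True)
class OperationRequest:
    # Assumption: label and label_ops come from an authenticated credential,
    # not from unauthenticated client input.
    bucket: str
    key: str                              # identifier of the target data
    op_type: str                          # target operation type
    user_id: str                          # target user identifier
    label: Optional[str] = None           # target access control label
    label_ops: frozenset = frozenset()    # target operation permission of the label
    period: Optional[tuple] = None        # (start, end) target time period, epoch seconds


def candidate_prefixes(key, delimiter):
    """Prefixes of `key` that end on a delimiter boundary, longest first."""
    if not delimiter:
        raise ValueError("delimiter must be a non-empty string")
    prefixes = []
    idx = key.rfind(delimiter)
    while idx != -1:
        prefixes.append(key[: idx + len(delimiter)])
        idx = key.rfind(delimiter, 0, idx)
    return prefixes


def labels_for(bucket, key, permissions=PERMISSIONS, delimiters=DELIMITERS):
    """Labels of the most specific entry covering (bucket, key).

    Cost is one dict lookup per delimiter in the key, independent of how many
    objects or entries exist. Unknown bucket or no entry -> empty set (deny).
    """
    delimiter = delimiters.get(bucket)
    prefixes = candidate_prefixes(key, delimiter) if delimiter else []
    for prefix in prefixes + [""]:
        labels = permissions.get((bucket, prefix))
        if labels is not None:
            return labels
    return set()


def verify(req, now, permissions=PERMISSIONS, delimiters=DELIMITERS, creators=CREATORS):
    """Return True for verification success, False for verification failure."""
    if req.label is None:
        # No label in the request: compare the requester with the creator of
        # the target data or of the target bucket.
        owners = {creators.get((req.bucket, req.key)), creators.get((req.bucket, None))}
        return req.user_id in owners - {None}
    if req.period is not None and not (req.period[0] <= now <= req.period[1]):
        return False  # assumption: outside the target time period fails closed
    resource_labels = labels_for(req.bucket, req.key, permissions, delimiters)
    return req.label in resource_labels and req.op_type in req.label_ops


if __name__ == "__main__":
    read = frozenset({"read"})
    samples = [
        OperationRequest("bucket-a", "logs/audit/2025.log", "read", "user-3", "group-sec", read),
        OperationRequest("bucket-a", "logs-private/x", "read", "user-3", "group-sre", read),
        OperationRequest("bucket-a", "tmp/x.bin", "read", "user-7"),
    ]
    for r in samples:
        print(r.key, r.label, "->", "success" if verify(r, now=0.0) else "failure")
```

Splitting on the bucket's delimiter keeps `logs-private/x` out of the `logs/` entry, which a raw string-prefix comparison would wrongly match.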
[0038] Secondly, a cloud management platform is provided, comprising: functional modules for executing any of the methods provided in the first aspect, wherein the actions performed by each functional module are implemented through hardware or through hardware-executed corresponding software. For example, the cloud management platform may include: a receiving module and a permission verification module; the receiving module is used to receive operation requests from tenants, wherein the operation request includes an identifier of a target bucket and an identifier of target data, the target bucket being a bucket storing the target data; the permission verification module is used to, when the operation request includes a target access control tag, determine the access control tag corresponding to the data identifier information of the target data based on permission control information, wherein the data identifier information of the target data includes the identifier of the target bucket and a prefix of the identifier of the target data; the permission verification module is further used to determine the permission verification result of the operation request based on the access control tag corresponding to the data identifier information of the target data and the target access control tag, wherein the permission verification result includes verification success or verification failure.
[0039] Thirdly, a processor is provided for executing any of the methods provided in the first aspect above.
[0040] Fourthly, a chip is provided, comprising: a processor and a power supply circuit; the power supply circuit is used to supply power to the chip; the processor is used to execute any of the methods provided in the first aspect above.
[0041] Fifthly, a computing device is provided, the computing device including a processor and a memory; the processor of the computing device is configured to execute instructions stored in the memory of the computing device, so that the computing device performs any of the methods provided in the first aspect above.
[0042] In a sixth aspect, a computing device cluster is provided, the computing device cluster including at least one computing device; each computing device includes a processor, a memory, and computer programs / instructions stored in the memory; the processor of each computing device executes the computer programs / instructions stored in the memory of each computing device to cause each computing device to perform any of the methods provided in the first aspect above.
[0043] In a seventh aspect, a computer-readable storage medium is provided, comprising: computer program instructions, which, when executed by a computing device, perform any of the methods provided in the first aspect above.
[0044] In an eighth aspect, a computer program product containing instructions is provided, which, when run by a computing device, causes the computing device to execute any of the methods provided in the first aspect above.
[0045] The technical effects of any of the implementation methods in aspects two through eight can be found in the technical effects of different implementation methods in aspect one above, and will not be repeated here.
Attached Figure Description
[0046] Figure 1 is a schematic diagram of the architecture of an object storage system provided in an embodiment of this application;
[0047] Figure 2 is a schematic diagram of at least one application scenario provided by an embodiment of this application;
[0048] Figure 3 is a flowchart of a permission verification method provided in an embodiment of this application;
[0049] Figure 4 is a flowchart of obtaining access credentials according to an embodiment of this application;
[0050] Figure 5 is a flowchart of a separator setting method provided in an embodiment of this application;
[0051] Figure 6 is a flowchart of a permission setting method provided in an embodiment of this application;
[0052] Figure 7 is a schematic diagram of a cloud management platform provided in an embodiment of this application;
[0053] Figure 8 is a schematic diagram of a computing device provided in an embodiment of this application;
[0054] Figure 9 is a schematic diagram of a computing device cluster provided in an embodiment of this application;
[0055] Figure 10 is a connection diagram of a computing device provided in an embodiment of this application.
Detailed Implementation
[0056] To facilitate understanding, the interpretation of some terms involved in the embodiments of this application will be explained first.
[0057] In the embodiments of this application, the terminology used is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification and appended claims of this application, the singular expressions “a,” “an,” “the,” and “this” are intended to include expressions such as “one or more” unless the context clearly indicates otherwise. It should also be understood that in the following embodiments of this application, “at least one” and “one or more” refer to one, two, or more than two.
[0058] References to "one embodiment" or "some embodiments" in this specification mean that one or more embodiments of this application include a specific feature, structure, or characteristic described in connection with that embodiment. Therefore, the phrases "in one embodiment," "in some embodiments," "in other embodiments," "in still other embodiments," etc., appearing in different parts of this specification do not necessarily refer to the same embodiment, but rather mean "one or more, but not all, embodiments," unless otherwise specifically emphasized. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless otherwise specifically emphasized. The term "connection" includes direct connections and indirect connections, unless otherwise stated. "First" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated.
[0059] In the embodiments of this application, the words "exemplarily" or "for example" are used to indicate examples, illustrations, or explanations. Any embodiment or design described as "exemplarily" or "for example" in the embodiments of this application should not be construed as being more preferred or advantageous than other embodiments or design solutions. Specifically, the use of the words "exemplarily" or "for example" is intended to present the relevant concepts in a specific manner.
[0060] The following is a brief introduction to the terminology used in the embodiments of this application.
[0061] OBS is an object-based storage service with advantages such as massive capacity, security, high reliability, and low cost. OBS is an internet-accessible service. Tenants can establish connections with the object storage service layer (supporting OBS compute nodes) through object storage clients, create buckets in the storage nodes managed by the object storage service layer, and then access and manage the objects within the buckets. The object storage service layer uses a sequential distribution method by default to store objects in buckets; this sequential distribution method is also known as lexicographical distribution or range distribution.
[0062] An object is the basic unit of data storage in an object storage service. An object is essentially a collection of a file's data and its associated attribute information (metadata). Data uploaded by a tenant to OBS can be stored in buckets as objects. An object consists of three parts: a key, metadata, and data. The key, or object name, is, for example, a UTF-8 encoded character sequence with a length greater than 0 and not exceeding 1024 characters. Each object in a bucket has a unique object key.
[0063] A bucket is a container for storing objects in OBS. Object storage services provide a flat storage approach based on buckets and objects. All objects in a bucket are at the same logical level, eliminating the multi-level tree directory structure of the file system. Each bucket has its own storage category, access permissions, and region attributes. Tenants can create buckets with different storage categories and access permissions, and configure more advanced attributes to meet the storage needs of different scenarios.
[0064] Object storage device (OSD): It is the basic storage unit of the object storage system. It is set on the physical disk and is a fixed-size storage space of the physical disk. The object storage system manages the physical disks of multiple computing devices in the form of OSD.
[0065] Access Control Label: Also known simply as Access Label, it is used to indicate a tenant's access permissions to data. For example, if at least one piece of data 1 stored in the object storage service corresponds to Access Control Label 1, then a tenant with Access Control Label 1 has permission to access at least one piece of data 1.
[0066] The technical solution provided in this application will now be described in detail with reference to the accompanying drawings.
[0067] To enhance the security of stored data, OBS performs permission verification on data access requests to determine whether the requester has the necessary authorization to access the data, thereby preventing data security risks such as data leakage, data tampering, data misuse, and unauthorized access. Based on this, various permission verification schemes have been proposed.
[0068] In one example, a unified identity and access management (IAM) scheme was proposed. The IAM scheme controls access permissions for specific users' operations on specific data; that is, it verifies permissions through a combination of user identifiers and data identifiers. Therefore, IAM permission information includes a large number of authentication entries. This not only requires traversing a large number of authentication entries in the IAM permission information when performing permission verification based on the IAM scheme, but also causes the number of authentication entries in the IAM permission information to quickly reach the upper limit stipulated by the IAM scheme. Consequently, it becomes impossible to set access permissions for new users, which severely impacts the performance of permission verification.
[0069] In another example, the related technology proposed a bucket policy scheme. A bucket policy is a strategy that authorizes specific users to operate on buckets and specific objects within those buckets. Therefore, the permission information for bucket policies also contains a large number of authentication entries. This not only requires traversing a large number of authentication entries in the bucket policy's permission information when performing permission verification based on the bucket policy, but also causes the bucket policy's permission information to reach the storage limit of the metadata, since the permission information is stored in the bucket's metadata. All of this severely impacts the performance of permission verification.
[0070] In view of this, embodiments of this application provide a permission verification method applied to a cloud management platform. The cloud management platform provides object storage services to tenants and manages the infrastructure for providing buckets in the object storage services. The infrastructure stores permission control information, which indicates the correspondence between at least one data identifier and at least one access control label. The at least one data identifier includes a prefix representing a data identifier. Based on this, after receiving an operation request from a tenant, the cloud management platform determines the access control label corresponding to the data identifier indicated by the operation request according to the permission control information, and determines the permission verification result corresponding to the tenant's operation request based on the target access control label indicated by the operation request and the access control label corresponding to the data identifier indicated by the operation request.
[0071] In the above scheme, the object storage service node of the cloud management platform adopts a layered approach, dividing the identifiers of the data stored in the bucket into layers. Prefixes are extracted from the data identifiers, and access control labels corresponding to different prefixes are established at the granularity of these prefixes to obtain permission control information. Since different data identifiers can have the same prefix, the number of prefixes is much smaller than the number of data identifiers themselves. For the large amount of data stored in the infrastructure, the number of permission entries in the permission control information will therefore be much smaller than the number of authentication entries in related technologies, such as the number of authentication entries in IAM permission information or the number of authentication entries in bucket policy permission information. Compared with related technologies, this allows the cloud management platform to traverse the permission control information significantly faster when determining the access control label corresponding to the data identification information indicated by the operation request, thereby significantly improving the permission verification performance of the cloud management platform.
[0072] Furthermore, since permission entries are determined at the granularity of data identifier prefixes, the number of permission entries that need to be created can be significantly reduced. Therefore, this scheme can also effectively slow down the growth rate of permission entries. In addition, the permission control information in this scheme is stored in the infrastructure. Compared with storing it in the metadata of the bucket, this avoids the data of permission control information being limited by the storage space of metadata. This helps to prevent the permission control information from reaching a bottleneck, and thus helps to provide permission verification services for more data.
[0073] Furthermore, this scheme associates users and the data they wish to access with access control tags. Specifically, it associates the user concept (the user requesting access to data) with the resource concept (the data the user requests access to). On the user side, only the access control tags possessed by different users are managed, allowing user-sent operation requests to carry these tags, thus reducing the complexity of user-side permission management. Permission control information is pushed down to the OBS side; that is, the infrastructure providing OBS stores the permission control information. This allows the OBS side to perform authentication based on the permission control information and the access control tags carried in the operation request, without needing to be aware of the business logic (i.e., specific semantics) of the access control tags. This simplifies authentication on the OBS side and further improves permission verification performance.
[0074] It should be noted that the various implementation methods of the above-mentioned permission verification scheme will be described in detail in the embodiment shown in Figure 3, and will not be elaborated here. Furthermore, the embodiments of this application do not limit the application scenarios of the above-mentioned permission verification scheme; the above are merely illustrative examples.
[0075] Next, the system architecture involved in the technical solution provided by the embodiments of this application will be further described in conjunction with the accompanying drawings.
[0076] Figure 1 shows a schematic diagram of the architecture of an object storage system according to an embodiment of this application. The object storage system includes an object storage client, an object storage service layer, and an object storage device. The object storage service layer and the object storage device can be provided through infrastructure.
[0077] For example, the object storage client can be configured on a tenant's electronic device, which can be a mobile phone, laptop, tablet, PDA, wireless terminal in a smart city, or wireless device in a smart home. The tenant logs into the cloud management platform through the client, where they select and purchase object storage cloud services.
[0078] A cloud management platform is used to provide object storage services to tenants and manage one or more object storage devices. The cloud management platform includes one or more servers, which can be located within service devices at the object storage service layer. For example, the service device connects to the object storage device via a switching device. As another example, the service device connects to the tenant's electronic device via a remote connection gateway.
[0079] Tenants log in to the cloud management platform using their accounts through the object storage client. On the platform, they select and purchase object storage cloud services, such as creating buckets and configuring bucket names. After detecting a tenant's action (e.g., creating a bucket), the cloud management platform sends a creation command to the object storage device. This command includes information such as the bucket name and domain name, and is used to instruct the storage device to create the bucket, saving the bucket name and domain name information. After bucket creation, tenants can access the bucket domain name through the object storage client to locate the bucket on the storage device and upload, download, or delete objects from the bucket, or write, read, or delete files from the bucket.
[0080] For example, the infrastructure providing the object storage service layer can be set up in multiple data centers in different regions. Each data center includes multiple servers, and the data center can provide basic resources for the object storage service, such as computing resources and storage resources. The object storage service layer includes a control unit and an operating system, where the control unit runs on the operating system. The operating system includes disk drivers and physical network card drivers, etc. The control unit can control the disk controller through the disk drivers to set up physical disks as multiple persistent storage units (PLOGs).
[0081] For example, the infrastructure providing object storage devices can be set up across multiple data centers in different regions, with each data center including multiple object storage devices. Each object storage device includes at least one physical disk. For example, the disk controller sets physical disk 11 and physical disk 12 in Region 1 as 4 PLOGs.
[0082] For example, after receiving the creation instruction for bucket 1, the cloud management platform notifies the control unit to create bucket 1. The control unit creates bucket 1 on physical disk 11 and physical disk 12 in the object storage device through the operating system. The PLOG of bucket 1 is distributed on physical disk 11 and physical disk 12, and information such as bucket name and bucket domain name of bucket 1 is saved.
[0083] When a tenant needs to store data in bucket 1 via a client—for example, to store objects or files—the tenant can trigger the object storage device to write the data to bucket 1. Alternatively, the data can be written to bucket 1 by a control unit within the object storage service layer.
[0084] When a tenant needs to retrieve data from bucket 1 via a client, the tenant can trigger the object storage device to read the data from bucket 1. For example, a control unit in the object storage service layer can retrieve the data from bucket 1 and send it back to the client.
[0085] Figure 2 shows a schematic diagram of at least one application scenario of an embodiment of this application.
[0086] As shown in Figure 2, tenant A's electronic device runs an object storage client. Tenant A logs into the cloud management platform through the object storage client on the electronic device, selects and purchases cloud services for object storage services on the cloud management platform, and after purchase, tenant A can perform object storage, file storage, and other functions based on the functions provided by the object storage service.
[0087] For example, when tenants purchase and use object storage services, they primarily pay for the resources they use. Specifically, the object storage service provides the domain name of a bucket. Tenants can access the domain name of the bucket through an object storage client to upload or download data to the bucket. The uploaded data is stored in the bucket as objects or as files. Each bucket can include multiple data sets, and the data in different buckets is isolated from each other. For example, data 11 and data 12 stored in bucket 1, data 21 and data 22 stored in bucket 2, ..., and data n1 and data n2 stored in bucket n are isolated from each other.
[0088] It should be noted that the application scenario shown in Figure 2 is only an illustrative example. Therefore, the application shown in Figure 2 does not constitute a limitation on the application scenario of the permission verification method provided in the embodiments of this application.
[0089] It should be noted that the system architecture and application scenarios described in this application are for the purpose of more clearly illustrating the technical solutions of this application, and do not constitute a limitation on the technical solutions provided in this application. As those skilled in the art will know, with the evolution of system architecture and the emergence of new application scenarios, the technical solutions provided in this application are also applicable to similar technical problems.
[0090] For ease of understanding, the permission setting method and permission verification method provided in the embodiments of this application will be described exemplarily below with reference to the above system architecture and the accompanying drawings.
[0091] Figure 3 illustrates a permission verification method provided in an embodiment of this application. Exemplarily, this permission verification method may include the following steps 301-304. In this embodiment, "step" can be abbreviated as "S," and will not be described further hereafter.
[0092] For example, after tenant A purchases object storage service on the cloud management platform, they can create a target bucket and store multiple pieces of data in it. For instance, the target bucket is bucket 1 as shown in Figure 2, and the multiple pieces of data include data 11 and data 12. Based on this, when user A, a subordinate of tenant A, requests to perform a target operation on the multiple pieces of data, the cloud management platform can use the permission verification method provided in this application embodiment to verify user A's operation request to determine whether user A has the permission to perform the target operation on the multiple pieces of data.
[0093] For example, the multiple pieces of data include target data, which is any one of the multiple pieces of data. The following uses target data as an example to illustrate the embodiments of this application.
[0094] Example 1: The target data is stored in the target bucket as objects. The identifier of the target data is the object identifier, that is, the identifier of the target data is an object semantic identifier.
[0095] Example 2: The cloud management platform provides a file service based on object storage, meaning a file service is built on top of object storage. Based on this, target data is stored as files in target buckets. The identifier for the target data is the file identifier; that is, the identifier for the target data is a semantic identifier for the file.
[0096] In this embodiment of the application, before executing S301, the permission verification method further includes the following S1-S5. The process of user A's business electronic device obtaining access credentials through S1-S5 is described below with reference to Figure 4, wherein the access credentials are the credentials for user A to access data in the target bucket.
[0097] S1: The business electronic device sends an acquisition request to the management electronic device. The acquisition request is used to request access credentials.
[0098] For example, when user A wants to access target data, user A can send an acquisition request to the management electronic device through the business electronic device to request access credentials for user A.
[0099] Optionally, the request is used to indicate the target user identifier. The target user identifier is the user identifier of user A.
[0100] Example 1a: The retrieval request uses a target user identifier to indicate that the access control label of user A is being retrieved, rather than the access control label of any other user. For instance, authentication between the business electronic device and the management electronic device is performed using an access key ID (AK) / secret access key (SK). The retrieval request carries the target AK and a target signature, which is generated based on the target SK corresponding to the target AK. After receiving the retrieval request, the management electronic device decrypts the target signature based on the target SK corresponding to the target AK to obtain the identity information of user A.
[0101] Subsequently, the management electronic device obtains user A's user identifier, i.e., the target user identifier, based on user A's identity information. For example, the authentication management node used to provide IAM services stores key mapping relationships, which include the mapping relationship between at least one user's identity information and at least one user identifier. Based on this, the management electronic device can obtain user A's user identifier from the authentication management node.
[0102] It should be noted that the embodiments of this application do not limit the method by which the management electronic device obtains the target user identifier indicated by the acquisition request; the above is merely an illustrative example.
[0103] Optionally, the retrieval request includes the identifier of the target bucket, which is the bucket that stores the target data.
[0104] Example 1b: The retrieval request uses the identifier of the target bucket to indicate that the delimiter of the target bucket is being retrieved, where the delimiter of the target bucket is used to split off the prefix of the identifier of the target data.
[0105] In this embodiment, the retrieval request is also set to indicate the delimiter of the target bucket, so that the access credentials can provide the delimiter for the identifier of the target data. This not only increases the number of ways in which a delimiter can be provided, but also makes it more convenient for tenants to modify delimiters, thereby helping to improve the user experience of tenants.
[0106] S2: In response to the received acquisition request, the management electronic device sends a generation request to the authentication management node. The generation request is used to request the generation of access credentials.
[0107] Optionally, the generation request may include at least one of the following: target access control label, target data delimiter (i.e., target delimiter), prefix of the target data identifier, target operation permission, or target duration.
[0108] Example 2a: The generation request can include the target access control label. The target access control label is the access control label for user A.
[0109] For example, the management electronic device stores a first correspondence, which indicates the correspondence between at least one user identifier and at least one access control tag, wherein one user identifier may correspond to one or more access control tags. After receiving an acquisition request, the management electronic device, in response to the acquisition request, acquires the access control tag corresponding to the target user identifier of user A from the first correspondence, i.e., the target access control tag, thereby obtaining the access control tag of user A.
[0110] In this example, by setting the generation request to include the target access control tag, the final generated target access credential can include the target access control tag. This allows the operation request sent to the cloud management platform to include the target access control tag. In this way, the cloud management platform can perform permission verification on the operation request based on the target access control tag, thereby helping to improve the performance of the permission verification service provided by the cloud management platform.
[0111] Example 2b: The generation request includes the delimiter of the target bucket (i.e., the target delimiter).
[0112] For example, in conjunction with Example 1b above, the management electronic device stores a second correspondence, which indicates the correspondence between at least one bucket identifier and at least one separator, wherein an identifier of a bucket may correspond to one or more separators. After receiving a retrieval request, the management electronic device, in response to the retrieval request, retrieves the separator corresponding to the identifier of the target bucket from the second correspondence, i.e., the target separator, thereby obtaining the separator of the target bucket.
[0113] In this example, by setting the generation request to include the target bucket's separator, the final generated access credentials can include the target bucket's separator. This, in turn, allows the operation request sent to the cloud management platform to include the target bucket's separator. In this way, the cloud management platform can obtain the target bucket's separator from the operation request, thereby helping to improve the diversity of ways to obtain the separator.
[0114] Example 2c: The generation request includes the prefix of the identifier of the target data.
[0115] For example, the retrieval request also includes the identifier of the target data, and the target delimiter of the target bucket is stored on the management electronic device. After receiving the retrieval request, the management electronic device, in response to the retrieval request, segments the identifier of the target data according to the target delimiter to obtain a prefix of the identifier of the target data.
[0116] In this example, by setting the generation request to include the prefix of the identifier of the target data, the final generated target access credential includes the prefix of the target data identifier. This allows the operation request sent to the cloud management platform to include the separator of the target data identifier. In this way, the cloud management platform can directly obtain the prefix of the target data identifier from the operation request, thereby helping to improve the diversity of ways to obtain the prefix.
[0117] Example 2d: The generation request also includes the target operation permissions.
[0118] Here, the target operation permission refers to user A's operation permission on the target data. The target operation permission can also be called the operation permission corresponding to the target access control tag, or the operation permission of the target access control tag.
[0119] For example, when the target data is stored in the target bucket as a file, the target operation permissions can include file-semantic operation permissions, such as read, write, modify, and delete permissions. When the target data is stored in the target bucket as an object, the target operation permissions can include object-semantic operation permissions, such as download and delete permissions.
[0120] In one example, the management electronic device stores a third mapping relationship, which indicates the correspondence between at least one access control tag and at least one operation permission, wherein one access control tag can correspond to one or more operation permissions. Upon receiving a request, the management electronic device, in response to the request, retrieves the operation permission corresponding to the target access control tag from the third mapping relationship, i.e., the target operation permission, thereby obtaining user A's target operation permission for the data.
[0121] It should be noted that the embodiments of this application do not limit the method of determining the target operation permissions in the generation request; the above is merely an illustrative example. For example, the operation permissions that user A has for the target data can also be determined based on the target user identifier of user A.
[0122] In this example, by setting the generation request to include the target operation permission, the final generated access credential includes the target operation permission. This allows the operation request sent to the cloud management platform to include the target operation permission. In this way, the cloud management platform can combine the target operation permission to perform permission verification on the operation type requested by the operation request, thereby helping to improve the comprehensiveness of permission verification and the security of the target data.
[0123] Example 2e: The generation request also includes a target duration. The target duration indicates the effective duration of the target operation permission.
[0124] For example, the management electronic device stores a fourth correspondence, which indicates the correspondence between at least one access control tag and at least one duration, wherein one access control tag corresponds to one duration. After receiving a retrieval request, the management electronic device, in response to the retrieval request, retrieves the duration corresponding to the target access control tag, i.e., the target duration, from the fourth correspondence, thereby obtaining the duration for which user A has the target operation permission for the target data.
[0125] It should be noted that the embodiments of this application do not limit the method of determining the target duration in the generation request; the above is merely an illustrative example. For instance, the duration for which user A has target operation permissions on target data can also be determined based on user A's target user identifier, target operation permissions, etc.
[0126] In this example, by setting the generation request to include the target duration, the final generated access credentials will include the target duration. This allows the operation request sent to the cloud management platform to include the target duration. In this way, the cloud management platform can combine the target duration to verify the validity of the target operation permissions carried in the operation request, thereby helping to improve the comprehensiveness of permission verification and the security of target data.
[0127] It should be noted that the above examples 2a, 2b, 2c, 2d, and 2e can be used in combination or individually, and this application embodiment does not limit this.
[0128] S3: The authentication management node responds to the received generation request by returning the target access credential to the management electronic device.
[0129] In this embodiment, after receiving the generation request, the authentication management node, in response to the generation request, generates the target access credential based on the session policy and the content indicated in the generation request. Then, the authentication management node returns the generated target access credential to the management device.
[0130] For example, in conjunction with at least one of the above examples 2a, 2b, 2c, 2d, and 2e, the target access credential generated by the authentication management node can be used to indicate at least one of the following: target access control label, target separator, prefix of the identifier of target data, target operation permission, or target duration.
[0131] For example, the target access credential can be a token. It should be noted that the embodiments of this application do not limit the form of the target access credential; the above is merely an illustrative example.
[0132] It should be noted that, in the embodiments of this application, the operations performed by the authentication management node can also be performed through the cloud management platform.
[0133] S4: The management electronic device receives the target access credential and returns the target access credential to the business electronic device.
[0134] In this embodiment of the application, after receiving the target access credential returned by the authentication management node, the management electronic device returns the target access credential to the business electronic device based on the acquisition request sent by the business electronic device.
[0135] S5: The business electronic device receives the target access credential returned by the management electronic device.
[0136] In this embodiment of the application, after the business electronic device receives the target access credential returned by the management electronic device, it can generate an operation request for the target data based on the target access credential.
[0137] In the above embodiments, when a user wants to access target data stored in the target bucket, they can first obtain their access credentials from the management electronic device, so that the operation request sent to the cloud management platform can carry information from the access credentials, such as the target access control tag, thereby helping to improve the diversity of permission verification methods that the cloud management platform can use.
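The credential flow of S2-S3, followed by the operation-permission and duration checks that examples 2d and 2e say the credential enables, as an added Python example that is not code from the application. The HMAC-signed token format, the signing key, the sample correspondences and all function names are assumptions of this example; the AK/SK authentication of S1 is taken as already done, and the prefix is assumed to be everything before the last delimiter.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Correspondences stored on the management electronic device (constructed sample data).
USER_LABEL = {"userA": "label-proj1"}                  # first: user identifier -> label
BUCKET_DELIMITER = {"bucket1": "/"}                    # second: bucket identifier -> delimiter
LABEL_OPERATIONS = {"label-proj1": ["read", "write"]}  # third: label -> operation permissions
LABEL_DURATION_S = {"label-proj1": 900}                # fourth: label -> duration in seconds

# Signing key of the authentication management node (hypothetical, an assumption here).
NODE_KEY = b"constructed-demo-key"


def build_generation_request(user_id: str, bucket: str, data_identifier: str) -> dict:
    """S2: the management device assembles items 2a-2e from its correspondences."""
    label = USER_LABEL.get(user_id)
    delimiter = BUCKET_DELIMITER.get(bucket)
    if label is None or delimiter is None:
        raise PermissionError("no label for this user or no delimiter for this bucket")
    # 2c: segment the identifier at the delimiter; the last field is the file/object name.
    prefix = data_identifier.rpartition(delimiter)[0]
    return {
        "label": label,                                 # 2a
        "delimiter": delimiter,                         # 2b
        "prefix": prefix,                               # 2c
        "operations": LABEL_OPERATIONS.get(label, []),  # 2d
        "duration_s": LABEL_DURATION_S.get(label, 0),   # 2e
    }


def _sign(body: str) -> str:
    return hmac.new(NODE_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_credential(gen_request: dict, now: int) -> str:
    """S3: the authentication management node turns the request into a signed token."""
    payload = dict(gen_request, expires_at=now + gen_request["duration_s"])
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + _sign(body)


def check_credential(token: str, operation: str, now: int) -> Optional[dict]:
    """Platform side: return the credential's content only if it is authentic,
    still within its duration, and grants the requested operation type."""
    body, _, signature = token.rpartition(".")
    # Constant-time comparison; the payload is parsed only after the signature matches.
    if not hmac.compare_digest(signature.encode(), _sign(body).encode()):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now >= payload["expires_at"]:
        return None
    if operation not in payload["operations"]:
        return None
    return payload


if __name__ == "__main__":
    request = build_generation_request("userA", "bucket1", "Dir1/Dir2/file1")
    token = issue_credential(request, now=1000)
    print(check_credential(token, "read", now=1500))
    print(check_credential(token, "delete", now=1500))
    print(check_credential(token, "read", now=1900))
```
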
[0138] The following section, using S301-S304, provides an example of the permission verification process performed by the cloud management platform when user A accesses target data in the target bucket. The cloud management platform provides object storage services to tenants and manages the infrastructure, which in turn provides buckets within the object storage service.
[0139] In this embodiment of the application, the infrastructure stores access control information. The access control information is used to indicate the correspondence between at least one data identification information and at least one access control label. The cloud management platform performs access control verification on user A's request to access target data based on the access control information stored in the infrastructure.
[0140] In this embodiment of the application, the data identification information includes the identifier of the bucket and the prefix of the data identifier. The bucket is used to store data, and the access control label is used to indicate that there is access permission to the data indicated by the data identification information corresponding to the access control label.
[0141] For example, in access control information, one data identification information can correspond to one or more access control tags.
[0142] It should be noted that the embodiments of this application do not limit the number of access control tags corresponding to one data identification information. Hereinafter, one data identification information corresponding to one access control tag is used as an example to illustrate this application.
[0143] In this embodiment of the application, the data identifier includes multiple identifier fields, wherein different identifier fields are separated by delimiters. That is, the delimiters in the data identifier can be used to separate different fields among the multiple identifier fields.
[0144] In one example, data is stored in buckets as files, identified as Dir1/Dir2/.../DirM/file1, with "/" as the separator. The multiple identifier fields include Dir1, Dir2, ..., DirM, and file1. Here, file1 represents the filename, and Dir1, Dir2, ..., DirM represent the directory names of the directories to which the data belongs. Different files may have different filenames, but since different files can belong to the same directory, they can also have the same directory name.
[0145] In another example, data is stored in buckets as objects, identified as "Business 1 * Project 1 * object1" with "*" as the separator. Multiple identifier fields include "Business 1", "Project 1", and "object1". Here, "object1" represents the object name, while "Business 1" and "Project 1" represent the object's characteristic names. Different objects have different object names, but since different objects can have the same characteristics, they can also have the same characteristic names.
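The prefix-based lookup outlined in [0070] and the two identifier formats above, as an added Python example that is not code from the application. The bucket names, labels and entries are constructed; the rules that the most specific stored prefix wins and that a request with no matching entry is denied are assumptions of this example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Key of one permission entry: (bucket identifier, prefix as a tuple of identifier fields).
PrefixKey = Tuple[str, Tuple[str, ...]]

# Permission control information stored in the infrastructure (constructed sample):
# data identification information -> access control labels.
PERMISSION_CONTROL_INFO: Dict[PrefixKey, Set[str]] = {
    ("bucket1", ("Dir1",)): {"label-ops"},
    ("bucket1", ("Dir1", "Dir2")): {"label-finance"},
    ("bucket2", ("Business 1", "Project 1")): {"label-proj1"},
}

# Delimiter configured for each bucket (constructed sample).
BUCKET_DELIMITER: Dict[str, str] = {"bucket1": "/", "bucket2": "*"}


def split_fields(identifier: str, delimiter: str) -> List[str]:
    """Split a data identifier into its identifier fields, trimming padding
    around the delimiter."""
    return [field.strip() for field in identifier.split(delimiter)]


def labels_for(bucket: str, identifier: str) -> Optional[Set[str]]:
    """Return the labels of the most specific stored prefix of the identifier,
    or None when no entry covers it."""
    delimiter = BUCKET_DELIMITER.get(bucket)
    if delimiter is None:
        return None
    fields = split_fields(identifier, delimiter)
    # The last field is the file or object name; only the leading fields form a prefix.
    # Comparing whole fields (not raw strings) keeps the entry for Dir1/Dir2 from
    # also covering Dir1/Dir22.
    for depth in range(len(fields) - 1, 0, -1):
        labels = PERMISSION_CONTROL_INFO.get((bucket, tuple(fields[:depth])))
        if labels is not None:
            return labels
    return None


def verify(bucket: str, identifier: str, target_label: str) -> bool:
    """Permission verification result: the label carried in the operation request
    must be among the labels stored for the data's prefix. Default is deny."""
    labels = labels_for(bucket, identifier)
    return labels is not None and target_label in labels


if __name__ == "__main__":
    print(verify("bucket1", "Dir1/Dir2/file1", "label-finance"))
    print(verify("bucket1", "Dir1/Dir22/file1", "label-finance"))
    print(verify("bucket2", "Business 1 * Project 1 * object1", "label-proj1"))
```

Three entries cover every file under Dir1 and every object of Project 1, however many are stored, which is the reduction in permission entries that the scheme relies on.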
[0146] Optionally, the feature name of an object can be determined based on the object's target features. The target features include at least one of the following: business features, project features, time features, geographic features, or user features.
[0147] Example a: Business characteristics are used to indicate the business that created the data, or in other words, to indicate the business to which the data belongs.
[0148] For example, if the target data is created during the operation of a target business by a business electronic device, then the business that creates the target data is the target business, or in other words, the business to which the target data belongs is the target business.
[0149] In this example, because the feature name can be determined based on business characteristics, the prefix of the data identifier indicates the business characteristics of the data. This allows data with the same business characteristics to have the same prefix. In other words, data belonging to the same business have the same prefix. In this way, by setting the same access control label for data with the same business characteristics, it is possible to authenticate the data stored on the object storage service side from the business dimension, thereby helping to improve the diversity of authentication granularity.
[0150] Example b: Project characteristics are used to indicate the project that created the data, or in other words, to indicate the project to which the data belongs.
[0151] For example, if the target data is created during the operation of a target project by a business electronic device, then the project that created the target data is the target project, or in other words, the project to which the target data belongs is the target project.
[0152] In this example, the feature name is determined based on project characteristics, so that the prefix of the data identifier indicates the project characteristics of the data. Data with the same project characteristics, that is, data belonging to the same project, can therefore have the same prefix. By setting the same access control label for data with the same project characteristics, the data stored on the OBS side can be authenticated from the project dimension, which helps to improve the diversity of authentication granularity.
[0153] Example c: The time feature is used to indicate when the data was created. For example, if the target data was created on October 1, 2004, then the time feature for creating the target data is October 1, 2004.
[0154] In this example, the feature name is determined based on the time feature, so that the prefix of the data identifier indicates the time feature of the data. Data with the same time feature, that is, data created at the same time, can therefore have the same prefix. By setting the same access control label for data with the same time feature, the data stored on the OBS side can be authenticated from the time dimension, which helps to improve the diversity of authentication granularity.
[0155] Example d: The region feature is used to indicate the region where the data was created, or in other words, to indicate the region to which the data belongs.
[0156] For example, if the target data is created by a business electronic device in the target area, then the area where the target data is created is the target area, or in other words, the geographical region to which the target data belongs is the target area.
[0157] In this example, the feature name is determined based on regional characteristics, so that the prefix of the data identifier indicates the regional characteristics of the data. Data with the same regional characteristics, that is, data of the same region, can therefore have the same prefix. By setting the same access control label for data with the same regional characteristics, the data stored on the OBS side can be authenticated from the regional dimension, which helps to improve the diversity of authentication granularity.
[0158] In the above embodiments, when the identifier of the target data is set as the object identifier, the feature name of the object can be determined according to the target feature of the object. This allows the prefix of the identifier of the target data to indicate the target feature of the target data, thereby enabling fine-grained permission verification of the target data at the target feature level, such as fine-grained permission verification at the time dimension level, the region dimension level, the business dimension level, the project dimension level, etc., which helps to improve the reliability of the authentication method.
[0159] Optionally, the access control label can be at least one of a user identifier, a user group identifier, or a project identifier.
[0160] Example e: The access control label is the user identifier. Different users have different user identifiers.
[0161] In Example e, by setting the access control label to the user identifier, user operation requests can be authenticated at the user level. Since the user is the smallest unit that accesses data in the bucket, using the user identifier as the access control label makes the granularity of the accessor in permission verification finer, thereby helping to perform fine-grained permission verification for the data and thus helping to improve data security.
[0162] Example f: The access control label is a user group identifier. A user group can include at least one user, and at least one user in a user group can use the same user group identifier.
[0163] In example f, by setting the access control label to the user group identifier, user operation requests can be subject to user group-level permissions. Since the number of user groups is less than the number of users, this helps to reduce the number of access control information entries. This not only helps to further improve the authentication performance of the object storage service node, but also helps to reduce the storage space occupied by access control information.
[0164] Example g: The access control label is the project identifier. A project can include at least one user, and at least one user under a project uses the same project identifier.
[0165] In example g, by setting the access control label to the project identifier, user operation requests can be authenticated at the project level. Since the number of projects is less than the number of users and user groups, this helps to reduce the number of access control information entries. This not only helps to further improve the authentication performance of the object storage service node, but also helps to reduce the storage space occupied by access control information.
[0166] It should be noted that the embodiments of this application do not limit the type of access control labels; the above is merely an illustrative example.
[0167] S301: The object storage client sends an operation request to the cloud management platform. The operation request includes the identifier of the target bucket and the identifier of the target data.
[0168] Example 1A: User A's electronic device runs an object storage client. When User A wants to access target data, they first obtain target access credentials through the electronic device. After obtaining the target access credentials, the electronic device generates an operation request for the target data based on the credentials and sends the operation request to the cloud management platform through the object storage client. The operation request can be used to indicate information from the target access credentials.
[0169] Example 1B: When user A wants to access target data, they directly generate an operation request for the target data through their business electronic device. That is, the operation request does not include information from the target access credentials. Then, the operation request for the target data is sent to the cloud management platform via the client.
[0170] For example, the operations performed by the object storage client, such as the operations in S301, can be considered as operations performed by the electronic device through the object storage client, or operations performed by the electronic device during the process of running the object storage client, which will not be described in detail hereafter.
[0171] S302: The cloud management platform receives operation requests from tenants.
[0172] For example, after receiving an operation request from a client, the cloud management platform can parse the operation request to obtain the information carried in the operation request, such as the identifier of the target bucket and the identifier of the target data carried in the operation request.
[0173] For example, the operations performed by the cloud management platform, such as the operations in S302, can be considered as operations performed by the service device through the cloud management platform, or operations performed by the service device during the process of running the cloud management platform, which will not be elaborated further.
[0174] S303: When the operation request includes a target access control tag, the cloud management platform obtains the access control tag corresponding to the data identifier information of the target data based on the permission control information.
[0175] The data identification information of the target data includes the identifier of the target bucket and the prefix of the identifier of the target data.
[0176] In this embodiment of the application, when the cloud management platform determines that the operation request carries an access control label, the cloud management platform obtains the prefix of the identifier of the target data, so as to determine, based on that prefix, the access control label corresponding to the data identification information of the target data.
[0177] The following describes, through methods a to c, exemplarily, the methods for obtaining the prefix of the identifier of the target data.
[0178] First, method a will be exemplarily described in the following S6-S7.
[0179] S6: The cloud management platform obtains the target delimiter corresponding to the identifier of the target bucket based on the delimiter information.
[0180] In this embodiment of the application, the infrastructure managed by the cloud management platform stores delimiter information. The delimiter information is used to indicate the correspondence between the identifier of at least one bucket and at least one delimiter, wherein the identifier of one bucket corresponds to one or more delimiters.
[0181] It should be noted that the embodiments of this application do not limit the number of separators corresponding to a bucket identifier. Hereinafter, the application will be illustrated by taking one bucket identifier corresponding to one separator as an example.
[0182] Optionally, if the target data is identified as a file identifier, the target delimiter is a forward slash, i.e., " / ".
[0183] In this context, the delimiter for the file identifier is also the delimiter for the file semantics. For ease of distinction, the target delimiter for the file identifier will be referred to as the file delimiter below, and will not be elaborated upon further.
[0184] In this embodiment, by setting forward slashes as delimiters for file identifiers, not only can a file semantic permission verification scheme be implemented under object storage semantics, thereby improving the security of files stored in the object storage service and the diversity of authentication methods, but also a directory-level fine-grained authentication scheme can be implemented for files stored in the object storage service, which in turn helps to improve the permission verification performance of the cloud management platform.
[0185] Optionally, if the target data is identified as an object identifier, the target delimiter can be a reserved character or a non-reserved character.
[0186] For ease of distinction, the target delimiter of the object identifier will be referred to as the object delimiter below, and will not be elaborated on further.
[0187] For example, the object delimiter can be any character in the identifier of the target data that is not part of an identifier field.
[0188] It should be noted that the embodiments of this application do not impose restrictions on the object delimiter, as long as the identifier field of the object identifier and the delimiter can be distinguished.
[0189] In this embodiment, by setting a separator for the object identifier, a prefix can be extracted from the object identifier. This not only enables a semantic permission verification scheme for objects and improves the diversity of security authentication methods for objects stored in the object storage service, but also enables a fine-grained authentication scheme at the prefix level for objects stored in the object storage service, thereby helping to improve the permission verification service capabilities of the object storage service node.
[0190] For example, the delimiter information stored in the infrastructure may include the correspondences shown in Table 1.
[0191] Table 1
[0192] For example, as shown in Table 1, the delimiter information may include correspondence 5 and correspondence 6, wherein correspondence 5 includes the correspondence between Bucket1 and “ / ”, and correspondence 6 includes the correspondence between Bucket2 and “*”.
[0193] For example, at least one bucket identifier includes the target bucket identifier, and at least one delimiter includes the target delimiter. That is, the delimiter information can indicate the correspondence between the target bucket identifier and the target delimiter. Based on this, after the cloud management platform receives an operation request, it retrieves the delimiter corresponding to the target bucket identifier from the delimiter information, i.e., the target delimiter, according to the target bucket identifier in the operation request, thereby obtaining the target delimiter used to segment the target data.
[0194] S7: The cloud management platform segments the target data identifiers according to the target delimiter, and obtains the prefix of the target data identifiers.
[0195] In this embodiment of the application, after the cloud management platform obtains the target delimiter, it segments the identifier of the target data according to the target delimiter to obtain the prefix of the target data identifier.
[0196] Optionally, the number of prefixes included in the identifier of the target data is the same as the number of delimiters included in the identifier of the target data.
[0197] For example, if the identifier of the target data includes M delimiters, then the identifier of the target data includes M prefixes. For instance, if the identifier of the target data is Dir1 / object, the identifier of the target data includes one file delimiter, namely the " / " between "Dir1" and "object", and the identifier of the target data includes one prefix, namely "Dir1". As another example, if the file identifier is Dir1 / Dir2 / file1, the identifier of the target data includes two delimiters, namely the " / " between "Dir1" and "Dir2", and the " / " between "Dir2" and "file1", and the identifier of the target data includes two prefixes, namely "Dir1" and "Dir2".
[0198] For example, in the identifier of the target data, read from left to right, the characters before the last delimiter are the prefix of the file identifier, and the characters after the last delimiter are the suffix of the file identifier. For instance, if the identifier of the target data is Dir1 / Dir2 / Dir3 / object1, and the file delimiter is " / ", then the prefix of the target data identifier includes "Dir1", "Dir2", and "Dir3", and the suffix of the target data identifier includes "object1".
[0199] It should be noted that this application embodiment does not limit the number of prefixes for the identifier of the target data.
[0200] Example 7a: Combined with Example 1 above, the identifier of the target bucket is Bucket1. Based on this, the target delimiter obtained by the cloud management platform is " / ". The identifier of the target data is Dir1 / Dir2 / Dir3 / file1. By splitting the identifier of the target data using " / ", the prefixes obtained for the target data identifier include Dir1, Dir2, and Dir3.
[0201] Example 7b: Combined with Example 2 above, the identifier of the target bucket is Bucket2. Based on this, the target delimiter obtained by the cloud management platform is "*". The identifier of the target data is Business 1 * Project 1 * object1. By splitting the identifier of the target data using "*", the prefixes obtained for the target data identifier include Business 1 and Project 1.
[0202] In this approach, the delimiter information is stored on the infrastructure managed by the cloud management platform. After receiving an operation request, the cloud management platform can obtain the target delimiter corresponding to the target bucket identifier from the infrastructure. This helps the cloud management platform to uniformly manage permission-related data, thereby improving the security of permission-related data.
[0203] Hereinafter, method b will be described by way of example through S8.
[0204] S8: The cloud management platform segments the identifier of the target data based on the target delimiter included in the operation request, and obtains the prefix of the target data identifier.
[0205] For example, referring to Example 2b in S2, the operation request includes a target delimiter for the target bucket. Based on this, after receiving the operation request, the cloud management platform can obtain the target delimiter for the target bucket from the operation request. Then, based on the target delimiter obtained from the operation request, it segments the identifier of the target data to obtain the prefix of the target data identifier.
[0206] It should be noted that other relevant explanations for method b can be found in the explanations for method a above, and will not be repeated here.
[0207] In this approach, carrying the target bucket's delimiter in the operation request helps improve the speed of delimiter retrieval, thereby improving authentication speed and ultimately enhancing the permission verification performance of the cloud management platform. Furthermore, it also increases the diversity of methods for retrieving delimiters.
[0208] Hereinafter, method c will be described by way of example using S9.
[0209] S9: The cloud management platform obtains the prefix of the identifier of the target data indicated in the operation request.
[0210] For example, referring to Example 2c in S2, the operation request includes a prefix indicating the identifier of the target data. Based on this, after receiving the operation request, the cloud management platform can directly obtain the prefix indicating the identifier of the target data from the operation request.
[0211] It should be noted that other relevant explanations for method c can be found in the explanations for methods a and b above, and will not be repeated here.
[0212] In this approach, the target data's identifier prefix is directly carried in the operation request. The cloud management platform directly obtains the prefix from the operation request, which helps improve the speed of prefix retrieval, thereby improving authentication speed and ultimately enhancing the cloud management platform's permission verification performance. Furthermore, it also increases the diversity of methods for obtaining the prefix.
[0213] It should be noted that the embodiments of this application do not limit the method of obtaining the prefix of the identifier of the target data; the above is merely an illustrative example.
[0214] In this embodiment, after obtaining the prefix of the target data's identifier, the cloud management platform combines it with the identifier of the bucket indicated by the operation request (i.e., the identifier of the target bucket) to obtain the target data's data identifier information. Then, based on the target data's data identifier information, the access control tag corresponding to the target data's data identifier information is determined from the access control information.
[0215] For example, the access control information stored in the infrastructure may include the mapping relationships shown in Table 2.
[0216] Table 2
[0217] For example, as shown in Table 2, the access control information includes correspondence 1, correspondence 2, correspondence 3 and correspondence 4. Correspondence 1 includes the correspondence between Bucket1 and Dir1 and userA_AL, correspondence 2 includes the correspondence between Bucket1 and Dir2 and userB_AL, correspondence 3 includes the correspondence between Bucket1 and Dir3 and userC_AL, and correspondence 4 includes the correspondence between Bucket2 and Dir4 and userD_AL.
[0218] It should be noted that the embodiments of this application do not impose any restrictions on the fields of bucket identifier, data identifier prefix, or access control label; the above are merely illustrative examples.
[0219] In one example, taking Table 2 above as an example, combined with Example 7a above, the prefix of the target data identifier includes Dir1, Dir2, and Dir3, and the identifier of the target bucket is Bucket1. Based on this, the data identifier information of the target data includes Bucket1-Dir1, Bucket1-Dir2, and Bucket1-Dir3. Among them, the access control label corresponding to Bucket1-Dir1 is userA_AL, the access control label corresponding to Bucket1-Dir2 is userB_AL, and the access control label corresponding to Bucket1-Dir3 is userC_AL. Therefore, the access control labels corresponding to the data identifier information of the target data include userA_AL, userB_AL, and userC_AL.
[0220] It should be noted that the embodiments of this application do not limit the number of data identification information corresponding to the target data; the above is merely an illustrative example.
[0221] For example, the correspondence between a data identifier and an access control label can be represented in the form of a key-value pair. For instance, as shown in Table 2, KEY1 can represent the bucket identifier, KEY2 can represent the prefix of the data identifier, and VALUE can represent the access control label.
[0222] It should be noted that the embodiments of this application do not limit the form of the correspondence between data identification information and access control labels; the above is merely an illustrative example.
[0223] It should be noted that, in the embodiments of this application, the correspondence between a data identifier and an access control label can be referred to as a permission entry. Based on this, the permission control information includes multiple permission entries, and each permission entry includes a data identifier and the access control label corresponding to that data identifier.
[0224] S304: The cloud management platform determines the permission verification result of the operation request based on the target access control label and the access control label corresponding to the data identification information of the target data. The permission verification result is either verification success or verification failure.
[0225] In this application embodiment, S304 includes multiple implementation methods, which are exemplarily described below through methods 1 to 3.
[0226] Method 1, S304 includes: The cloud management platform determines the permission verification result of the operation request based only on the target access control label and the access control label corresponding to the data identification information of the target data.
[0227] For example, after the cloud management platform determines the access control label corresponding to the data identification information of the target data, it obtains the intersection of the access control label corresponding to the data identification information of the target data and the target access control label, and determines the permission verification result based on the intersection.
[0228] In one example, the intersection includes the target access control label, indicating that the access control label corresponding to the data identification information of the target data includes the target access control label. The cloud management platform determines that the permission verification result is successful, that is, the authentication is passed.
[0229] For example, if the access control labels corresponding to the data identifier information of the target data include userA_AL, userB_AL, and userC_AL, and the target access control label includes userA_AL, then the intersection includes userA_AL, and the cloud management platform determines the permission verification result as successful.
[0230] In another example, the intersection does not include the target access control label, or in other words, the intersection is empty. This means that the access control label corresponding to the data identification information of the target data does not include the target access control label. The cloud management platform determines that the permission verification result is a verification failure, that is, authentication fails.
[0231] For example, if the access control labels corresponding to the data identification information of the target data include userA_AL, userB_AL, and userC_AL, and the target access control label is userD_AL, then the intersection does not include userD_AL, and the permission verification result is determined to be verification failure.
[0232] In this method, the permission verification result is determined only based on the access control label corresponding to the data identification information of the target data and the target access control label, which helps to improve the authentication efficiency.
[0233] Method 2, S304 includes: The cloud management platform determines the permission verification result of the operation request based on the target access control label and the access control label corresponding to the data identification information of the target data, as well as the target operation type and the target operation permission corresponding to the target access control label.
[0234] For ease of description, the “target access control label and the access control label corresponding to the data identification information of the target data” will be referred to as the first authentication parameter combination, and the “target operation type and the target operation permission corresponding to the target access control label” will be referred to as the second authentication parameter combination.
[0235] For example, in conjunction with Example 2d in S2 above, when the operation request includes the target operation permission corresponding to the target access control tag, the object storage service node can combine the first authentication parameter combination and the second authentication parameter combination to determine the permission verification result of the operation request.
[0236] The following Example 1 illustrates the process of determining the permission verification result of an operation request based on the first authentication parameter combination.
[0237] For example, if the access control label corresponding to the data identification information of the target data includes the target access control label, it indicates that the target access control label has the permission to operate on the target data. Conversely, if the access control label corresponding to the data identification information of the target data does not include the target access control label, it indicates that the target access control label does not have the permission to operate on the target data.
[0238] The following Example 2 illustrates the process of determining the permission verification result of an operation request based on the second authentication parameter combination.
[0239] For example, the operation request includes a target operation type. The operation request is used to request the execution of a target operation on the target data; that is, user A requests the execution of a target operation on the target data. Based on this, and referring to example 2d in S2 above, the operation request also carries the target operation permission corresponding to the target access control label. Based on this, the cloud management platform can determine the permission verification result of the operation request according to the second authentication parameter combination. When determining the permission verification result according to the second authentication parameter combination, if the target operation permission includes the target operation type, it indicates that user A has the permission to execute the target operation type on the target data. Conversely, if the target operation permission does not include the target operation type, it indicates that user A does not have the permission to execute the target operation type on the target data.
[0240] In one example, when the operation request is an object-based request, the target operation type can include downloading an object (i.e., a GET operation), deleting an object (i.e., a DELETE operation), and batch deleting objects (i.e., a POST operation). Target operation permissions can include GET permissions, DELETE permissions, and POST permissions.
[0241] For example, if the target operation permission includes GET and DELETE, and the target operation type is GET, then the target operation permission includes the target operation type, and user A has the permission to perform a GET operation on the target data. If the target operation permission includes GET, but the target operation type is POST, then the target operation permission does not include the target operation type, and user A does not have the permission to perform a POST operation on the target data.
[0242] In another example, when the operation request is a file-related request, the target operation type can include read operations, write operations, delete operations, etc. Target operation permissions can include read permissions, write permissions, delete permissions, etc.
[0243] For example, if the target operation permission includes read and delete, and the target operation type is read, then the target operation permission includes the target operation type, and user A has the permission to perform a read operation on the target data. If the target operation permission includes read, but the target operation type is delete, then the target operation permission does not include the target operation type, and user A does not have the permission to perform a delete operation on the target data.
[0244] Combining Examples 1 and 2 above, if the access control label corresponding to the data identifier information of the target data includes the target access control label, and the target operation permission includes the target operation type, that is, if the target access control label has the permission to operate on the target data, and user A has the permission to perform an operation of the target operation type on the target data, the cloud management platform determines that the permission verification result is successful.
[0245] If the access control label corresponding to the data identifier information of the target data does not include the target access control label, or if the target operation permission does not include the target operation type, that is, if the target access control label does not have the permission to operate on the target data, or if user A does not have the permission to perform an operation of the target operation type on the target data, the cloud management platform determines that the permission verification result is a verification failure.
[0246] It should be noted that the embodiments of this application do not restrict the order in which the permission verification result is determined based on the first authentication parameter combination and the second authentication parameter combination.
[0247] In one example, the object storage service node can first determine the first combination of authentication parameters, and then determine the second combination of authentication parameters. In another example, the object storage service node can first determine the second combination of authentication parameters, and then determine the first combination of authentication parameters.
[0248] It should be noted that other relevant explanations for Method 2 can be found in the explanations for Method 1 above, and will not be repeated here.
[0249] Method 3, S304 includes: The cloud management platform determines the permission verification result of the operation request based on the target access control label and the access control label corresponding to the data identification information of the target data, the target operation type and the target operation permission corresponding to the target access control label, as well as the current time and the target time period.
[0250] For ease of description, the “current time and target time period” will be referred to as the third authentication parameter combination below, and will not be elaborated on further.
[0251] Example 3: The operation request also includes a target duration and a target timestamp. The target timestamp indicates the start time of the target time period. The end time of the target time period can be obtained by adding the target duration to the start time indicated by the target timestamp. The target time period includes the time interval between the start time indicated by the target timestamp and that end time.
[0252] Based on this, the cloud management platform can determine the permission verification result of the operation request according to the third authentication parameter combination. When determining the permission verification result based on the third authentication parameter combination, if the current time belongs to the target time period, it means that the target operation permission is valid. Conversely, if the current time does not belong to the target time period, it means that the target operation permission is invalid.
[0253] For example, if the target duration is 2 hours and the target timestamp indicates 8:00 AM on October 1, 2024, then the target time period is 8:00 AM to 10:00 AM on October 1, 2024. Based on this, if the current time is any time between 8:00 AM and 10:00 AM on October 1, 2024, for example, 9:00 AM on October 1, 2024, then the current time belongs to the target time period, and the target operation permission is valid. Conversely, if the current time is any time other than 8:00 AM to 10:00 AM on October 1, 2024, for example, 12:00 PM on October 1, 2024, then the current time does not belong to the target time period, and the target operation permission is invalid.
[0254] Combining Examples 1, 2, and 3 above, if the access control label corresponding to the data identifier information of the target data includes the target access control label, the target operation permission includes the target operation type, and the current time belongs to the target time period, that is, if the target access control label has the permission to operate the target data, user A has the permission to perform the target operation type operation on the target data, and the target operation permission is in a valid state, the cloud management platform determines that the permission verification result is successful.
[0255] If the access control label corresponding to the data identifier information of the target data does not include the target access control label, or the target operation permission does not include the target operation type, or the current time does not belong to the target time period, the cloud management platform determines that the permission verification result fails. In other words, if the target access control label does not have permission to operate on the target data, or user A does not have permission to perform the target operation type on the target data, or the target operation permission is invalid, the cloud management platform determines that the permission verification result fails.
[0256] It should be noted that the embodiments of this application do not restrict the order in which the permission verification results are determined based on the first authentication parameter combination, the second authentication parameter combination, and the third authentication parameter combination.
[0257] It should be noted that the embodiments of this application do not limit the type of target timestamp. For example, the target timestamp can be used to indicate the time when the target access credential is generated, the time when the authentication management node sends the target access credential to the management electronic device, etc.
[0258] It should be noted that other relevant explanations for Method 3 can be found in the explanations for Method 1 and Method 2 above, and will not be repeated here.
[0259] In the above scheme, after receiving an operation request from a tenant, the cloud management platform determines, based on the access control information, the access control label corresponding to the data identification information indicated by the operation request (i.e., the identifier of the target bucket and the prefix of the identifier of the target data). Then, based on the target access control label indicated by the operation request and the access control label corresponding to that data identification information, the platform determines the permission verification result of the tenant's operation request. This scheme employs a layered approach, dividing the identifiers of the data stored in the bucket into layers. It extracts the prefixes from the data identifiers and establishes access control labels at the granularity of those prefixes, thus obtaining the access control information. Since different data identifiers can have the same prefix, the number of prefixes of the data identifiers is much smaller than the number of identifiers themselves. For the large amount of data stored in the infrastructure, the number of permission entries in the access control information will be much smaller than the number of authentication entries in related technologies. This allows the cloud management platform to significantly improve the traversal speed when determining the access control label corresponding to the data identification information indicated by the operation request compared to related technologies, thereby significantly improving the permission verification performance of the cloud management platform.
[0260] Optionally, the permission verification method also includes the following S10-S11. The following S10-S11 provide another permission verification method.
[0261] For example, combining Examples 1A and 1B in S301 above, when the operation request sent by user A through the client on the electronic device does not require authentication via an access control tag, the operation request does not include a target access control tag.
[0262] S10: If the operation request does not include the target access control label, the cloud management platform obtains the user identifier corresponding to the target data.
[0263] In this embodiment of the application, after receiving an operation request, the cloud management platform determines whether the operation request includes an access control label. If the determination result is that the operation request does not include an access control label, the cloud management platform obtains the user identifier corresponding to the target data so as to authenticate the operation request based on the user identifier corresponding to the target data.
[0264] In this embodiment of the application, the user identifier corresponding to the target data includes at least one of the identifier of the user who created the target data or the identifier of the user who created the target bucket.
[0265] Example 10a: The user identifier corresponding to the target data includes the identifier of the user who created the target data.
[0266] For example, the cloud management platform can obtain the identifier of the user who created the target data from the target data's metadata, thereby obtaining the user identifier corresponding to the target data.
[0267] In this example, by setting the user identifier corresponding to the target data to include the identifier of the user who created the target data, the creator of the target data can be granted access permissions to the target data. This not only helps to ensure the security of the target data, but also helps to ensure that the owner of the target data can access it normally, thereby improving the user experience of the target data owner.
[0268] Example 10b: The user identifier corresponding to the target data includes the identifier of the user who created the target bucket, which is used to store the target data.
[0269] For example, the cloud management platform can obtain the identifier of the user who created the target bucket from the target bucket's metadata, thereby obtaining the user identifier corresponding to the target data.
[0270] In this example, by setting the user identifier corresponding to the target data to include the identifier of the user who created the target bucket, the creator of the target bucket can be granted permission to access the target data stored in the target bucket. This not only helps to ensure the security of the target data, but also helps to ensure that the owner of the target bucket can access the data in the target bucket normally, thereby helping to improve the user experience of the owner of the target bucket.
[0271] Example 10c: The user identifier corresponding to the target data includes the identifier of the user who created the target data or the identifier of the user who created the target bucket.
[0272] It should be noted that the relevant explanations for Example 10c can be found in the explanations of Examples 10a and 10b above, and will not be repeated here.
[0273] In this embodiment of the application, if the cloud management platform determines that the operation request does not include an access control label, the cloud management platform also obtains the target user identifier indicated by the operation request.
[0274] For example, the operation request carries a target AK and a target signature. The cloud management platform decrypts the target signature using the target SK corresponding to the target AK to obtain the identity information of user A. Then, the cloud management platform obtains the user identifier corresponding to the identity information of user A from the key correspondence relationship, thereby obtaining the target user identifier indicated by the operation request.
[0275] In one example, the infrastructure stores the key correspondence relationship, and the cloud management platform can obtain the target user identifier indicated by the operation request from the infrastructure. In another example, the authentication management node stores the key correspondence relationship, and the cloud management platform obtains the target user identifier indicated by the operation request from the authentication management node.
[0276] It should be noted that the embodiments of this application do not limit the method of obtaining the target user identifier indicated by the operation request; the above is merely an illustrative example.
[0277] It should be noted that the embodiments of this application do not limit the order of obtaining the user identifier corresponding to the target data and the target user identifier indicated by the operation request; the above is merely an illustrative example.
[0278] S11: The cloud management platform determines the permission verification result of the operation request based on the user identifier corresponding to the target data and the target user identifier.
[0279] In this embodiment, after obtaining the user identifier corresponding to the target data and the target user identifier indicated by the operation request, the cloud management platform determines whether the user identifier corresponding to the target data includes the target user identifier. If the determination result is that the user identifier corresponding to the target data includes the target user identifier, the cloud management platform determines that the permission verification result of the operation request is successful. If the determination result is that the user identifier corresponding to the target data does not include the target user identifier, the cloud management platform determines that the permission verification result of the operation request is unsuccessful.
[0280] Example 11a, combined with Example 10a above, if the user identifier corresponding to the target data includes the target user identifier, then the identifier of the user who created the target data includes the target user identifier, indicating that user A is the user who created the target data. Based on this, the cloud management platform determines that the permission verification result of the operation request is successful. Conversely, if the user identifier corresponding to the target data does not include the target user identifier, then the identifier of the user who created the target data does not include the target user identifier, indicating that user A is not the user who created the target data. Based on this, the cloud management platform determines that the permission verification result is unsuccessful.
[0281] Example 11b, combined with Example 10b above, if the user identifier corresponding to the target data includes the target user identifier, then the identifier of the user who created the target bucket also includes the target user identifier, indicating that user A is the user who created the target bucket. Based on this, the cloud management platform determines the permission verification result as successful. Conversely, if the user identifier corresponding to the target data does not include the target user identifier, then the identifier of the user who created the target bucket does not include the target user identifier, indicating that user A is not the user who created the target bucket. Based on this, the cloud management platform determines the permission verification result as failed.
[0282] In the above embodiments, when the operation request does not include the target access control label, authentication is performed based on the user identifier corresponding to the target data and the target user identifier indicated by the operation request. This ensures that the owner of the target data or the owner of the target bucket can access the target data, which not only helps to ensure the security of the target data, but also helps to ensure the user experience of the data owner or bucket owner.
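The label path (the first, second and third authentication parameter combinations of Method 3) and the label-free owner path of S10-S11, as an added Python example that is not code from the application. The table layout, the inheritance of labels from every prefix layer, the inclusive time bounds and all names such as `verify` and `LABEL_PERMISSIONS` are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample state; table layout and names are assumptions.
BUCKET_META = {"Bucket1": {"delimiter": "/", "creator": "userA"}}
OBJECT_META = {("Bucket1", "Dir1/Dir2/Dir3/file1"): {"creator": "userB"}}
# Access control information as its own table: (bucket, prefix) -> labels.
ACCESS_CONTROL_INFO = {
    ("Bucket1", "Dir1"): {"userA_AL"},
    ("Bucket1", "Dir1/Dir2"): {"userB_AL"},
}
# Target operation permission per label (where it is stored is an assumption).
LABEL_PERMISSIONS = {"userA_AL": {"read", "delete"}, "userB_AL": {"read"}}
# Key correspondence AK -> user identifier; signature handling is out of scope.
KEY_CORRESPONDENCE = {"AK_A": "userA", "AK_B": "userB", "AK_C": "userC"}


@dataclass
class OperationRequest:
    ak: str
    bucket: str
    data_id: str
    operation: str                         # target operation type
    label: Optional[str] = None            # target access control label
    timestamp: Optional[datetime] = None   # start of the target time period
    duration: Optional[timedelta] = None   # target duration


def prefixes(data_id: str, delimiter: str) -> list:
    """Every layer above the data itself: Dir1, Dir1/Dir2, Dir1/Dir2/Dir3."""
    parts = data_id.split(delimiter)
    return [delimiter.join(parts[:i]) for i in range(1, len(parts))]


def labels_for(bucket: str, data_id: str) -> set:
    """Labels attached to any prefix of the identifier (assumed inheritance)."""
    delimiter = BUCKET_META.get(bucket, {}).get("delimiter")
    if not delimiter:
        return set()  # no delimiter stored: no prefix can be derived, deny
    found = set()
    for prefix in prefixes(data_id, delimiter):
        found |= ACCESS_CONTROL_INFO.get((bucket, prefix), set())
    return found


def first_combination(req: OperationRequest) -> bool:
    """Target label is among the labels of the data identification information."""
    return req.label in labels_for(req.bucket, req.data_id)


def second_combination(req: OperationRequest) -> bool:
    """Target operation permission includes the target operation type."""
    return req.operation in LABEL_PERMISSIONS.get(req.label, set())


def third_combination(req: OperationRequest, now: datetime) -> bool:
    """Current time belongs to the target time period."""
    if req.timestamp is None or req.duration is None:
        return False  # assumption: a labelled request without a period fails
    # Both ends are treated as inside the period (assumption).
    return req.timestamp <= now <= req.timestamp + req.duration


def owner_check(req: OperationRequest) -> bool:
    """S10-S11: is the requesting user the data creator or the bucket creator?"""
    target_user = KEY_CORRESPONDENCE.get(req.ak)
    if target_user is None:
        return False  # unknown AK: no target user identifier, deny
    owners = set()
    for meta in (OBJECT_META.get((req.bucket, req.data_id)),
                 BUCKET_META.get(req.bucket)):
        if meta and meta.get("creator"):
            owners.add(meta["creator"])
    return target_user in owners


def verify(req: OperationRequest, now: datetime) -> bool:
    """Permission verification result: True is success, False is failure."""
    if req.label is None:
        return owner_check(req)
    # The order of the three checks does not affect the result.
    return (first_combination(req) and second_combination(req)
            and third_combination(req, now))
```
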
[0283] Optionally, the permission verification method also includes: the cloud management platform responding to the operation request based on the permission verification result of the operation request.
[0284] In one example, the permission verification result is successful, meaning that user A has the permission to perform the target operation on the target data.
[0285] Example 1: Responding to an operation request may include: the cloud management platform processing the operation request. In other words, the cloud management platform performs the target operation on the target data.
[0286] For example, if an operation request is used to request the deletion of target data, the cloud management platform will execute the operation to delete the target data. As another example, if an operation request is used to request the download or reading of target data, the cloud management platform will execute the operation to return the target data to the business electronic device.
[0287] Example 2: A response to an operation request may include: the cloud management platform processing the operation request and returning a permission verification result to the business electronic device. The permission verification result is "verification successful".
[0288] In this embodiment, when the permission verification result is successful, the cloud management platform returns permission verification result information to the business electronic device, which helps users understand the permission verification result in a timely manner, thereby improving the user experience.
[0289] In another example, the permission check failed, meaning that user A does not have permission to perform the target operation on the target data.
[0290] Example 3: A response to an operation request may include: the cloud management platform returning a permission verification result to the business electronic device based on the operation request. The permission verification result is "verification failed".
[0291] In this embodiment, when the permission verification result is a failure, the cloud management platform returns a permission verification failure message to the business electronic device, which helps users understand the permission verification result in a timely manner, thereby improving the user experience.
[0292] The above embodiments detail the scheme for cloud management platforms to perform permission verification on operation requests. Below, with reference to Figure 5, an exemplary description is provided of the target separator setting scheme used in the above permission verification scheme.
[0293] It should be noted that the following will only detail the differences between the two schemes, and will not repeat the similarities.
[0294] For example, after tenant A purchases an object storage service on a cloud management platform, they can manage the permissions of the rented object storage service through management electronic devices, such as managing bucket delimiters.
[0295] Figure 5 is a flowchart of a delimiter setting method provided in an embodiment of this application. Exemplarily, the delimiter setting method may include the following steps S501-S502.
[0296] S501: The cloud management platform receives a target request from a tenant. The target request includes the bucket identifier and the separator corresponding to the bucket identifier.
[0297] For example, a target request may include an identifier for at least one bucket and a separator corresponding to the identifier for each bucket in the at least one bucket identifier.
[0298] It should be noted that this application embodiment does not limit the identifier of the bucket included in the target request.
[0299] In this application embodiment, the target request covers several cases, which are exemplarily described below through Case 1 and Case 2.
[0300] Case 1: The target request is a bucket creation request, which is used to request the creation of a bucket.
[0301] The bucket creation request includes the identifier of the bucket to be created, and the separator corresponding to the identifier of the bucket to be created. For example, the bucket creation request includes the identifier of the target bucket, and the target separator corresponding to the identifier of the target bucket; that is, the bucket to be created is the target bucket.
[0302] For example, after tenant A purchases the object storage service on the cloud management platform, it sends a bucket creation request to the cloud management platform through the object storage client to request the creation of a bucket and, at the same time, to request that a separator be set for the newly created bucket.
[0303] In Case 1, setting a separator for the bucket when creating it not only simplifies the process of setting separators for the bucket but also increases the diversity of ways to set separators.
[0304] Case 2: The target request is a delimiter setting request, which is used to set the delimiter for a bucket.
[0305] The delimiter setting request includes the identifier of the bucket to which the delimiter is to be set, and the delimiter corresponding to the bucket identifier. For example, the delimiter setting request includes the identifier of the target bucket, and the target delimiter corresponding to the target bucket identifier; that is, the bucket to which the delimiter is to be set is the target bucket.
[0306] For example, after tenant A purchases object storage service on the cloud management platform, they send a bucket creation request to the cloud management platform through the object storage client to request the creation of a bucket. After the bucket is created, tenant A can also send a delimiter setting request to the cloud management platform through the object storage client to request the setting of a delimiter for the previously created bucket.
[0307] In Case 2, after creating a bucket, a delimiter setting request is sent to the cloud management platform to set a delimiter for the created bucket, thereby setting a delimiter for historically created buckets. In this way, the data stored in historically created buckets can be authenticated through access control tags, which helps to broaden the application scope of the permission verification method provided in this application embodiment.
[0308] S502: The cloud management platform responds to the target request and stores the delimiter information.
[0309] The separator information is used to indicate the correspondence between the bucket identifier and the separator. For example, the separator information can be used to indicate the correspondence between the target bucket identifier and the target separator.
[0310] In one example, in conjunction with Case 1 above, after receiving a bucket creation request, the cloud management platform responds by creating the target bucket and storing the correspondence between the target bucket's identifier and the target delimiter, thereby obtaining the delimiter information.
[0311] In another example, in conjunction with Case 2 above, after receiving the delimiter setting request, the cloud management platform responds by storing the correspondence between the target bucket identifier and the target delimiter, thereby obtaining the delimiter information.
[0312] Optionally, the cloud management platform can store delimiter information in the bucket's metadata. For example, the "correspondence between the target bucket's identifier and the target delimiter" can be stored in the target bucket's metadata.
[0313] In this embodiment, by storing the delimiter information of each bucket in the metadata of each bucket, it helps to improve the convenience of the cloud management platform to obtain the delimiter of each bucket.
[0314] It should be noted that the embodiments of this application do not limit the storage location of the separator information; the above is merely an illustrative example.
[0315] In the above embodiments, the cloud management platform sets delimiters for each bucket by receiving target requests from tenants. This allows tenants to set appropriate delimiters for each bucket according to their actual scenarios and needs, which not only helps improve the scalability and flexibility of delimiters, but also helps improve the tenant's experience of using object storage services.
[0316] For example, after tenant A creates a target bucket and sets a target delimiter for it, they can store data in the bucket. For instance, when tenant A stores target data in the target bucket through an object storage client, they can set an identifier for the target data that includes the delimiter. For example, if the target data is stored in the target bucket as a file, the identifier for the target data can be set to Dir1/Dir2/Dir3/file1. Or, for example, if the target data is stored in the target bucket as an object, the identifier for the target data can be set to Business1*Project1*object1.
[0317] Optionally, the delimiter setting method may also include the following steps S12-S13. Tenants can use S12-S13 to query the delimiter previously set for the target bucket.
[0318] S12: The cloud management platform receives a delimiter query request from a tenant. The delimiter query request includes the identifier of the target bucket.
[0319] For example, when tenant A sets a delimiter for bucket 1 and wants to refer to a delimiter previously set for the target bucket, or when tenant A wants to determine a delimiter previously set for the target bucket, tenant A can send a delimiter query request to the cloud management platform through the object storage client to request a query for the target bucket's delimiter. For example, the delimiter query request includes the target bucket's identifier, and the delimiter query request uses the target bucket's identifier to indicate the delimiter to be queried for the target bucket.
[0320] S13: In response to the delimiter query request, the cloud management platform returns the target delimiter corresponding to the identifier of the target bucket.
[0321] For example, after receiving a delimiter query request, the cloud management platform retrieves the target delimiter corresponding to the target bucket identifier based on the identifier carried in the delimiter query request. For instance, it can obtain the delimiter from the target bucket's metadata. Then, the cloud management platform returns the target delimiter corresponding to the target bucket identifier to tenant A.
[0322] In this embodiment, the cloud management platform provides the tenant with the delimiter previously set for the bucket by receiving the delimiter query request from the tenant. In this way, the tenant does not need to record the delimiter set for the bucket itself, which helps to improve the user experience of the tenant.
[0323] Optionally, the delimiter setting method may also include the following steps S14-S15. Tenants can modify the delimiter previously set for the target bucket through steps S14-S15.
[0324] S14: The cloud management platform receives a delimiter update request from the tenant. The delimiter update request includes the identifier of the target bucket and the first delimiter corresponding to the identifier of the target bucket.
[0325] For example, after tenant A sets a delimiter for a target bucket, if they want to modify the target bucket's delimiter, they can send a delimiter update request to the cloud management platform through the object storage client to request an update to the target bucket's delimiter. For instance, if the target delimiter was previously set to "/", and tenant A wants to update the target bucket's delimiter to the first delimiter, then the delimiter update request can include the target bucket's identifier and the first delimiter corresponding to the target bucket's identifier, for example, the first delimiter is "*".
[0326] S15: The cloud management platform responds to the delimiter update request by updating the delimiter information. The updated delimiter information is used to indicate the correspondence between the target bucket identifier and the first delimiter.
[0327] For example, after receiving a delimiter update request, the cloud management platform, based on the identifier of the target bucket carried in the delimiter update request, modifies the correspondence between the identifier of the target bucket and the target delimiter so that the identifier of the target bucket corresponds to the first delimiter, thereby obtaining the updated delimiter information.
[0328] In this embodiment, the cloud management platform receives a delimiter update request from the tenant and modifies the delimiter previously set by the tenant for the bucket. In this way, the tenant can change the delimiter of the bucket according to actual needs, thereby helping to improve the user experience of the tenant.
[0329] Optionally, the delimiter setting method may also include the following steps S16-S17. Tenants can use steps S16-S17 to delete the delimiter previously set for the target bucket.
[0330] S16: The cloud management platform receives a delimiter deletion request from a tenant. The delimiter deletion request includes the identifier of the target bucket.
[0331] For example, after tenant A sets a target delimiter for a target bucket, if they want to delete the target bucket's delimiter, they can send a delimiter deletion request to the cloud management platform through the object storage client to request the deletion of the target bucket's delimiter. For instance, the delimiter deletion request includes the target bucket's identifier, and the delimiter deletion request indicates the deletion of the target bucket's delimiter through the target bucket's identifier.
[0332] S17: The cloud management platform responds to the delimiter deletion request by deleting the target bucket identifier and the delimiter corresponding to the target bucket identifier from the delimiter information.
[0333] For example, after receiving a delimiter deletion request, the cloud management platform deletes the target delimiter corresponding to the target bucket's identifier based on the target bucket's identifier carried in the delimiter deletion request. For instance, it deletes the mapping between the target bucket's identifier and the target delimiter stored in the target bucket's metadata.
[0334] In this embodiment, the cloud management platform receives a delimiter deletion request from the tenant and deletes the delimiter that the tenant previously set for the bucket. In this way, the tenant can delete the bucket delimiter according to actual needs, which helps to improve the user experience of the tenant.
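The delimiter lifecycle described above (Case 1, Case 2, S12-S13, S14-S15 and S16-S17), with the delimiter information kept in bucket metadata, as an added Python example that is not code from the application. The class and method names, the non-empty-string rule for delimiters and the plain split used for layering are assumptions; the identifiers are the ones used in the text.

```python
class DelimiterError(Exception):
    """Raised when a delimiter request cannot be honoured."""


class BucketStore:
    """Bucket metadata holding the delimiter information (bucket -> delimiter)."""

    def __init__(self):
        self._meta = {}  # bucket identifier -> metadata dict

    @staticmethod
    def _check(delimiter):
        # Assumption: a delimiter is a non-empty string.
        if not isinstance(delimiter, str) or delimiter == "":
            raise DelimiterError("delimiter must be a non-empty string")

    def _bucket(self, bucket):
        if bucket not in self._meta:
            raise DelimiterError(f"unknown bucket {bucket!r}")
        return self._meta[bucket]

    def create_bucket(self, bucket, delimiter=None):
        """Case 1 when a delimiter is supplied with the creation request."""
        if bucket in self._meta:
            raise DelimiterError(f"bucket {bucket!r} already exists")
        if delimiter is not None:
            self._check(delimiter)
        self._meta[bucket] = {} if delimiter is None else {"delimiter": delimiter}

    def set_delimiter(self, bucket, delimiter):
        """Case 2, and the S14-S15 update: store or replace the correspondence."""
        self._check(delimiter)
        self._bucket(bucket)["delimiter"] = delimiter

    def query_delimiter(self, bucket):
        """S12-S13: return the stored delimiter, or None if none is set."""
        return self._bucket(bucket).get("delimiter")

    def delete_delimiter(self, bucket):
        """S16-S17: remove the correspondence from the bucket metadata."""
        self._bucket(bucket).pop("delimiter", None)

    def layers(self, bucket, data_id):
        """Split an identifier into layers on the bucket's current delimiter."""
        delimiter = self.query_delimiter(bucket)
        if delimiter is None:
            return None  # no delimiter stored: the identifier cannot be layered
        return data_id.split(delimiter)


def walkthrough():
    """Run the lifecycle once and return how identifiers are layered at each step."""
    store = BucketStore()
    store.create_bucket("Bucket1", "/")      # Case 1: delimiter set at creation
    store.create_bucket("Bucket2")           # historically created bucket
    store.set_delimiter("Bucket2", "*")      # Case 2: delimiter set afterwards
    out = {
        "file": store.layers("Bucket1", "Dir1/Dir2/Dir3/file1"),
        "object": store.layers("Bucket2", "Business1*Project1*object1"),
    }
    store.set_delimiter("Bucket1", "*")      # S14-S15: "/" replaced by "*"
    out["file_after_update"] = store.layers("Bucket1", "Dir1/Dir2/Dir3/file1")
    store.delete_delimiter("Bucket1")        # S16-S17
    out["file_after_delete"] = store.layers("Bucket1", "Dir1/Dir2/Dir3/file1")
    return out
```

Under this example's split-based layering, an identifier written with the old delimiter collapses to a single layer after the update, so it no longer yields any prefix; checking existing identifiers and permission entries before accepting a delimiter update or deletion is a reasonable safeguard.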
[0335] The above embodiments detail the setting scheme of the separator in the permission verification scheme shown in Figure 5. Below, with reference to Figure 6, an exemplary description is provided of the setting scheme of permission verification information in the permission verification scheme shown in Figure 3.
[0336] It should be noted that the following will only detail the differences between the two schemes, and will not repeat the similarities.
[0337] Figure 6 illustrates a permission setting method provided in an embodiment of this application. For example, this permission setting method may include the following steps S601-S602.
[0338] S601: The cloud management platform receives permission setting requests from tenants. These permission setting requests are used to request the setting of permission control information.
[0339] In this embodiment, after tenant A purchases object storage service on the cloud management platform, it sends a permission setting request to the cloud management platform through the object storage client to request the setting of permission control information. This permission control information is used to verify permissions for the data in the bucket created by tenant A. The permission setting request includes at least one data identifier and at least one access control tag corresponding to each data identifier.
[0340] For example, the permission setting request includes data identification information of the target data and at least one access control label corresponding to the data identification information of the target data. For instance, at least one access control label corresponding to the data identification information of the target data includes userA_AL corresponding to Bucket1 and Dir1, userB_AL corresponding to Bucket1 and Dir2, and userC_AL corresponding to Bucket1 and Dir3.
[0341] S602: The cloud management platform responds to permission setting requests and stores permission control information.
[0342] In this embodiment of the application, after receiving the permission setting request, the cloud management platform obtains permission control information based on at least one data identification information and at least one access control tag corresponding to each data identification information, and stores the permission control information.
[0343] Optionally, the cloud management platform stores access control information on the infrastructure.
[0344] For example, access control information is stored on the infrastructure and not in the bucket's metadata; in other words, access control information is not stored along with the bucket's metadata. This not only makes full use of the storage space provided by the infrastructure but also keeps the access control information, and therefore the number of access control entries, from being limited by the storage space of the metadata.
[0345] For example, access control information is stored on the infrastructure as a separate table rather than in the same table as other data. This helps prevent the number of access control entries from being affected by other data, thus allowing the cloud management platform to store more access control entries.
[0346] In this embodiment, storing access control information on the infrastructure helps improve the convenience of the cloud management platform in obtaining access control information, thereby helping to improve the authentication efficiency of the cloud management platform.
[0347] It should be noted that the execution order of the schemes shown in Figure 5 and Figure 6 is not limited in the embodiments of this application; the above is merely an illustrative example. For instance, the cloud management platform may execute the scheme shown in Figure 6 first, and then execute the scheme shown in Figure 5.
[0348] In the above embodiments, the cloud management platform receives permission setting requests from tenants and sets access control tags for the data identification information corresponding to each piece of data stored by the tenants. In this way, tenants can set appropriate access control tags for the data identification information according to actual scenarios and needs, which not only helps to improve the scalability, availability and flexibility of access control tags, but also helps to improve the tenants' experience of using object storage services.
[0349] Optionally, the permission setting method also includes the following steps S18-S19. Tenants can use S18-S19 to query permission entries in the previously set permission control information.
[0350] S18: The cloud management platform receives permission query requests from tenants.
[0351] Example 18a: The permission query request includes the identifier of the target bucket.
[0352] For example, when tenant A needs to determine the access control label corresponding to the identifier of a target bucket, it can send a permission query request to the cloud management platform through the object storage client to request a query for the access control label corresponding to the identifier of the target bucket. The permission query request can use the identifier of the target bucket to indicate the access control label to be queried. For example, the identifier of the target bucket is Bucket1.
[0353] Example 18b: The permission query request includes target data identification information, which includes the identifier of the target bucket and a prefix of the identifier of the target data.
[0354] For example, when tenant A wants to determine the access control labels previously configured for target data, they can send a permission query request to the cloud management platform through the object storage client to request a query for the access control labels configured for the target data. The permission query request can use target data identification information to indicate the access control labels to be queried for the target data. For example, the target data identification information may include data identification information 1 and data identification information 2, where data identification information 1 is Bucket1 and Dir1, and data identification information 2 is Bucket1 and Dir2.
[0355] S19: The cloud management platform responds to the permission query request and returns the target entry of the permission control information.
[0356] Example 19a: The target entry for access control information includes the access control label corresponding to the identifier of the target bucket.
[0357] Referring to Example 18a above, after receiving the permission query request, the cloud management platform obtains the access control label corresponding to the target bucket identifier based on the identifier carried in the permission query request, and returns the access control label corresponding to the target bucket identifier to tenant A. For example, according to Table 2, the access control labels corresponding to the target bucket identifier include userA_AL corresponding to Bucket1 and Dir1, userB_AL corresponding to Bucket1 and Dir2, and userC_AL corresponding to Bucket1 and Dir3.
[0358] Example 19b: The target entries for access control information include the access control label corresponding to the target data identification information.
[0359] Referring to Example 18b above, after receiving a permission query request, the cloud management platform, based on the target data identifier information carried in the permission query request, obtains the access control label corresponding to the target data identifier information and returns the access control label corresponding to the target data identifier information to tenant A. For example, referring to Table 2, the access control label corresponding to data identifier information 1 is userA_AL, and the access control label corresponding to data identifier information 2 is userB_AL.
[0360] In this embodiment, the cloud management platform receives permission query requests from tenants and provides them with access control tags that were previously set for bucket identifiers or data identifiers. In this way, tenants do not need to record the access control tags that were set for bucket identifiers or data identifiers themselves, thereby helping to improve the tenant's user experience.
[0361] Optionally, the permission setting method also includes the following steps S20-S21. Tenants can modify the permission entries in the previously set permission control information through steps S20-S21.
[0362] S20: The cloud management platform receives permission update requests from tenants.
[0363] Example 20a: The permission update request includes the identifier of the target bucket and the update access control label corresponding to the identifier of the target bucket.
[0364] For example, if tenant A wants to modify the access control label corresponding to the identifier of a target bucket, they can send a permission update request to the cloud management platform through the object storage client to request an update to the access control label corresponding to the identifier of the target bucket. The permission update request can use the identifier of the target bucket to indicate the access control label to be updated. For example, if the identifier of the target bucket is Bucket1, the updated access control label corresponding to the identifier of the target bucket is userF_AL.
[0365] Example 20b: The permission update request includes the target data identifier information and the update access control label corresponding to the target data identifier information.
[0366] For example, when tenant A wants to modify the access control label corresponding to the target data identifier information, they can send a permission update request to the cloud management platform through the object storage client to request an update to the access control label corresponding to the target data identifier information. The permission update request can use the target data identifier information to indicate the access control label to be updated. For example, the target data identifier information may include data identifier information 1 and data identifier information 2, where data identifier information 1 is Bucket1 and Dir1, data identifier information 2 is Bucket1 and Dir2, the updated access control label corresponding to data identifier information 1 is userE_AL, and the updated access control label corresponding to data identifier information 2 is userG_AL.
[0367] S21: The cloud management platform responds to the permission update request and updates the permission control information.
[0368] Example 21a: The updated access control information is used to indicate the correspondence between the target bucket identifier and the updated access control label.
[0369] Referring to Example 20a above, after receiving a permission update request, the cloud management platform, based on the identifier of the target bucket carried in the permission update request, modifies the historical access control label corresponding to the identifier of the target bucket to the updated access control label corresponding to the identifier of the target bucket. For example, referring to Table 2, Bucket1 and Dir1 are modified to correspond to userF_AL, Bucket1 and Dir2 are modified to correspond to userF_AL, and Bucket1 and Dir3 are modified to correspond to userF_AL.
[0370] Example 21b: The updated access control information is used to indicate the correspondence between the target data identification information and the updated access control label.
[0371] Referring to Example 20b above, after receiving a permission update request, the cloud management platform, based on the target data identifier information carried in the permission update request, modifies the historical access control label corresponding to the target data identifier information to the updated access control label corresponding to the target data identifier. For example, referring to Table 2, the access control label corresponding to data identifier information 1 is modified to userE_AL, and the access control label corresponding to data identifier information 2 is modified to userG_AL.
[0372] In this embodiment, the cloud management platform receives permission update requests from tenants and modifies the access control labels previously set by the tenants for bucket identifiers or data identifiers. In this way, tenants can change the access control labels set for bucket identifiers or data identifiers according to their actual needs, thereby helping to improve the tenant's user experience.
[0373] Optionally, the permission setting method also includes the following steps S22-S23. Tenants can use steps S22-S23 to delete permission entries in the previously set permission control information.
[0374] S22: The cloud management platform receives a permission deletion request from a tenant.
[0375] Example 22a: The permission deletion request includes the identifier of the target bucket.
[0376] For example, if tenant A wants to delete the access control label corresponding to the identifier of a target bucket, they can send a permission deletion request to the cloud management platform through the object storage client to request the deletion of the access control label corresponding to the identifier of the target bucket. The permission deletion request can use the identifier of the target bucket to indicate the access control label to be deleted. For example, the identifier of the target bucket is Bucket1.
[0377] Example 22b: The permission deletion request includes target data identification information.
[0378] For example, when tenant A wants to delete the access control label corresponding to the target data identifier information, they can send a permission deletion request to the cloud management platform through the object storage client to request the deletion of the access control label corresponding to the target data identifier information. The permission deletion request can use the target data identifier information to indicate the access control label to be deleted. For example, the target data identifier information may include data identifier information 1 and data identifier information 2, where data identifier information 1 is Bucket1 and Dir1, and data identifier information 2 is Bucket1 and Dir2.
[0379] S23: The cloud management platform responds to the permission deletion request and deletes the target entry of the permission control information.
[0380] Example 23a: The target entry for access control information includes the access control label corresponding to the identifier of the target bucket.
[0381] Referring to Example 22a above, after receiving a permission deletion request, the cloud management platform deletes the access control label corresponding to the target bucket identifier, i.e., the target entry, based on the identifier of the target bucket carried in the permission deletion request. For example, referring to Table 2, the target entries deleted by the cloud management platform include userA_AL corresponding to Bucket1 and Dir1, userB_AL corresponding to Bucket1 and Dir2, and userC_AL corresponding to Bucket1 and Dir3.
[0382] Example 23b: The target entries for access control information include the access control label corresponding to the target data identification information.
[0383] Referring to Example 22b above, after receiving a permission deletion request, the cloud management platform deletes the access control label corresponding to the target data identifier information, i.e., the target entry, based on the target data identifier information carried in the permission deletion request. For example, referring to Table 2, the target entries deleted by the cloud management platform include userA_AL corresponding to data identifier information 1 and userB_AL corresponding to data identifier information 2.
[0384] In this embodiment, the cloud management platform receives permission deletion requests from tenants and deletes the access control tags previously set by the tenants for bucket identifiers or data identifier information. In this way, tenants can delete the access control tags set for bucket identifiers or data identifier information according to their actual needs, thereby helping to improve the tenant's user experience.
[0385] The foregoing mainly describes the solutions provided by the embodiments of this application from a methodological perspective. To achieve the above functions, the cloud management platform includes the corresponding hardware structures and / or software modules for executing each function. Those skilled in the art should readily recognize that, based on the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein, this application can be implemented in hardware or a combination of hardware and computer software. Whether a function is executed in hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0386] In the embodiments of this application, the cloud management platform can be divided into functional modules according to the above method. For example, the cloud management platform may include a functional module for each function, or two or more functions may be integrated into one processing module. The integrated module can be implemented in hardware or as a software functional module. It should be noted that the module division in the embodiments of this application is illustrative and only represents one logical functional division; in actual implementation, there may be other division methods.
[0387] For example, Figure 7 illustrates a possible schematic diagram of the cloud management platform (denoted as cloud management platform 700) involved in the above embodiments. The cloud management platform 700 includes a receiving module 701 and a permission verification module 702. The receiving module 701 is used to receive operation requests from tenants, wherein the operation request includes an identifier of a target bucket and an identifier of target data, and the target bucket is a bucket storing the target data (for example, as shown in S302 of Figure 3). The permission verification module 702 is used to determine the access control label corresponding to the data identifier information of the target data based on permission control information when the operation request includes a target access control label, wherein the data identifier information of the target data includes the identifier of the target bucket and a prefix of the identifier of the target data (for example, as shown in S303 of Figure 3). The permission verification module 702 is also used to determine the permission verification result of the operation request based on the access control label corresponding to the data identifier information of the target data and the target access control label, wherein the permission verification result includes verification success or verification failure (for example, as shown in S304 of Figure 3).
[0388] Optionally, the permission verification module 702 is specifically used to: determine that the permission verification result of the operation request is successful if the access control label corresponding to the data identification information of the target data includes the target access control label; and determine that the permission verification result of the operation request is unsuccessful if the access control label corresponding to the data identification information of the target data does not include the target access control label.
[0389] Optionally, the infrastructure stores delimiter information, which is used to indicate the correspondence between the bucket identifier and the delimiter. The permission verification module 702 is also used to: determine the target delimiter corresponding to the identifier of the target bucket based on the delimiter information; and segment the identifier of the target data based on the target delimiter to obtain the prefix of the identifier of the target data.
[0390] Optionally, the cloud management platform 700 also includes a delimiter setting module 703. Before receiving an operation request from a tenant, the delimiter setting module 703 is used to: receive a target request from a tenant, the target request including a bucket identifier and a delimiter corresponding to the bucket identifier; and in response to the target request, store the delimiter information.
[0391] Optionally, the cloud management platform 700 also includes a permission setting module 704. Before receiving an operation request from a tenant, the permission setting module is used to: receive a permission setting request from a tenant, the permission setting request including at least one data identification information and at least one access control tag corresponding to the at least one data identification information; and in response to the permission setting request, store permission control information.
[0392] Optionally, the operation request is further used to indicate the target user identifier; the permission verification module 702 is further used to: obtain the user identifier corresponding to the target data when the operation request does not include the target access control label, wherein the user identifier corresponding to the target data includes at least one of the identifier of the user who created the target data or the identifier of the user who created the target bucket; and determine the permission verification result of the operation request based on the user identifier corresponding to the target data and the target user identifier.
[0393] Optionally, the permission verification module 702 is specifically used to: determine the permission verification result as successful if the user identifier corresponding to the target data includes the target user identifier; and determine the permission verification result as unsuccessful if the user identifier corresponding to the target data does not include the target user identifier.
[0394] Optionally, the operation request may also include the target operation type and the target operation permission of the target access control label; the permission verification module 702 is specifically used to: determine the permission verification result of the operation request based on the access control label corresponding to the data identification information of the target data, the target access control label, the target operation type, and the target operation permission of the target access control label.
[0395] Optionally, the operation request is also used to indicate the target time period. The permission verification module 702 is specifically used to: when the current time belongs to the target time period, determine the permission verification result of the operation request based on the access control label corresponding to the data identification information of the target data, the target access control label, the target operation type, and the target operation permission of the target access control label.
[0396] Optionally, the permission verification module 702 is specifically used to: determine that the permission verification result of the operation request is successful if the access control label corresponding to the data identification information of the target data includes the target access control label and the target operation permission of the target access control label includes the target operation type; and determine that the permission verification result of the operation request is unsuccessful if the access control label corresponding to the data identification information of the target data does not include the target access control label, or if the target operation permission of the target access control label does not include the target operation type.
[0397] Optionally, the operation request may also include a prefix of the identifier of the target data.
[0398] Optionally, the permission verification module 702 is also used to: obtain the target delimiter of the target data; and segment the identifier of the target data according to the target delimiter to obtain the prefix of the identifier of the target data.
[0399] Optionally, the operation request may also include a target delimiter; the permission verification module 702 is specifically used to: obtain the target delimiter in the operation request.
[0400] Optionally, if the identifier of the target data is a file identifier, the target delimiter is a forward slash.
[0401] Optionally, the access control label includes at least one of a user identifier, a user group identifier, or a project identifier.
[0402] Optionally, the cloud management platform also includes a management module 705, which is used to: receive permission query requests from tenants, the permission query requests including target data identification information, the target data identification information including the identifier of the target bucket and the prefix of the identifier of the target data; and in response to the permission query requests, return the access control label corresponding to the target data identification information.
[0403] Optionally, the management module 705 is further configured to: receive a permission query request from a tenant, the permission query request including the identifier of the target bucket; and in response to the permission query request, return the access control label corresponding to the identifier of the target bucket.
[0404] Optionally, the management module 705 is further configured to: receive a delimiter query request from a tenant, the delimiter query request including the identifier of the target bucket; and in response to the delimiter query request, return the target delimiter corresponding to the identifier of the target bucket.
[0405] Optionally, the management module 705 is further configured to: receive a permission update request from a tenant, the permission update request including target data identification information and an updated access control label corresponding to the target data identification information; and in response to the permission update request, update the permission control information, the updated permission control information being used to indicate the correspondence between the target data identification information and the updated access control label.
[0406] Optionally, the management module 705 is further configured to: receive a permission update request from a tenant, the permission update request including the identifier of the target bucket and the updated access control label corresponding to the identifier of the target bucket; and in response to the permission update request, update the permission control information, the updated permission control information being used to indicate the correspondence between the identifier of the target bucket and the updated access control label.
[0407] Optionally, the management module 705 is further configured to: receive a delimiter update request from a tenant, the delimiter update request including the identifier of the target bucket and the first delimiter corresponding to the identifier of the target bucket; and update the delimiter information in response to the delimiter update request, the updated delimiter information being used to indicate the correspondence between the identifier of the target bucket and the first delimiter.
[0408] Optionally, the management module 705 is configured to: receive a permission deletion request from a tenant, the permission deletion request including target data identification information; and in response to the permission deletion request, delete the access control tag corresponding to the target data identification information in the permission control information.
[0409] Optionally, the management module 705 is configured to: receive a permission deletion request from a tenant, the permission deletion request including the identifier of the target bucket; and in response to the permission deletion request, delete the access control tag corresponding to the identifier of the target bucket in the permission control information.
[0410] Optionally, the deletion module 707 is further configured to: receive a delimiter deletion request from a tenant, the delimiter deletion request including the identifier of the target bucket; and in response to the delimiter deletion request, delete the identifier of the target bucket and the delimiter corresponding to the identifier of the target bucket from the delimiter information.
[0411] Optionally, the cloud management platform also includes an execution module 708, which is used to: process the operation request if the permission verification result is successful; the permission verification module 702 is also used to: return the permission verification result according to the operation request if the permission verification result is unsuccessful.
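The label check of the permission verification module 702 and the query, update and delete behaviour of steps S18-S23 and the management module 705, as an added Python example that is not code from the application. The class and field names, the in-memory dictionaries standing in for the separate permission table, the choice of the first delimiter-separated segment as the prefix, and the creator identifier are assumptions; the bucket, directory and label values are the ones the description uses.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OperationRequest:              # hypothetical shape of a tenant's operation request
    bucket: str                      # identifier of the target bucket
    key: str                         # identifier of the target data
    user_id: str                     # target user identifier
    label: Optional[str] = None      # target access control label, if any
    op_type: Optional[str] = None    # target operation type, if any
    label_ops: frozenset = frozenset()   # operation permission of the target label


@dataclass
class PermissionStore:               # hypothetical stand-in for the infrastructure tables
    delimiters: dict = field(default_factory=dict)  # bucket -> delimiter
    entries: dict = field(default_factory=dict)     # (bucket, prefix) -> set of labels
    creators: dict = field(default_factory=dict)    # (bucket, key or None) -> creator id

    def set_permission(self, bucket, prefix, labels):
        self.entries[(bucket, prefix)] = set(labels)

    def _select(self, bucket, prefix=None):
        # prefix=None addresses every entry of the bucket (Examples 18a, 20a, 22a).
        return [k for k in self.entries if k[0] == bucket and prefix in (None, k[1])]

    def query(self, bucket, prefix=None):
        return {k: set(self.entries[k]) for k in self._select(bucket, prefix)}

    def update(self, bucket, new_label, prefix=None):
        for k in self._select(bucket, prefix):
            self.entries[k] = {new_label}

    def delete(self, bucket, prefix=None):
        for k in self._select(bucket, prefix):
            del self.entries[k]

    def prefix_of(self, bucket, key):
        # Segment on the bucket's delimiter instead of using str.startswith, so that
        # "Dir10/x" can never be matched by the entry for "Dir1".
        delim = self.delimiters.get(bucket)
        if not delim or delim not in key:
            return None              # assumption: no prefix means no entry applies
        return key.split(delim, 1)[0]

    def verify(self, req):
        if req.label is None:
            # No target label: compare against the creator of the data or the bucket.
            owners = {self.creators.get((req.bucket, req.key)),
                      self.creators.get((req.bucket, None))}
            owners.discard(None)
            return req.user_id in owners
        prefix = self.prefix_of(req.bucket, req.key)
        labels = self.entries.get((req.bucket, prefix), set())  # one keyed lookup
        if req.label not in labels:
            return False
        if req.op_type is not None and req.op_type not in req.label_ops:
            return False
        return True


def build_example_store():
    """Entries the description attributes to Table 2; the creator id is constructed."""
    store = PermissionStore()
    store.delimiters["Bucket1"] = "/"
    store.creators[("Bucket1", None)] = "tenantA-admin"
    for prefix, label in [("Dir1", "userA_AL"), ("Dir2", "userB_AL"), ("Dir3", "userC_AL")]:
        store.set_permission("Bucket1", prefix, [label])
    return store


if __name__ == "__main__":
    s = build_example_store()
    for key in ("Dir1/report.csv", "Dir2/report.csv", "Dir10/report.csv"):
        req = OperationRequest("Bucket1", key, "u1", label="userA_AL")
        print(key, "->", "success" if s.verify(req) else "failure")
```
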
[0412] For a detailed description of the above-mentioned optional methods, please refer to the foregoing method embodiments, which will not be repeated here. Furthermore, the explanation of the cloud management platform 700 provided above, as well as the description of its beneficial effects, can be found in the corresponding method embodiments described above, and will not be repeated here.
[0413] In this embodiment, the receiving module 701, the permission verification module 702, the delimiter setting module 703, the permission setting module 704, and the management module 705 can all be implemented in software or in hardware. For example, the implementation of the permission verification module 702 will be described below. Similarly, the implementation of the receiving module 701, the delimiter setting module 703, the permission setting module 704, and the management module 705 can refer to the implementation of the permission verification module 702.
[0414] As an example of a software functional unit, the permission verification module 702 may include code running on a computing instance. The computing instance may include at least one of a physical host (computing device), a virtual machine, or a container. Further, the aforementioned computing instance may be one or more. For example, the permission verification module 702 may include code running on multiple hosts / virtual machines / containers. It should be noted that the multiple hosts / virtual machines / containers used to run the code may be distributed within the same region or in different regions. Further, the multiple hosts / virtual machines / containers used to run the code may be distributed within the same availability zone (AZ) or in different AZs, each AZ including one or more geographically proximate data centers. Typically, a region may include multiple AZs.
[0415] Similarly, multiple hosts / virtual machines / containers used to run this code can be distributed within the same Virtual Private Cloud (VPC) or across multiple VPCs. Typically, a VPC is set up within a region. Communication between two VPCs within the same region, as well as between VPCs in different regions, requires a communication gateway to be set up within each VPC to enable interconnection between VPCs.
[0416] As an example of a hardware functional unit, the permission verification module 702 may include at least one computing device, such as a server. Alternatively, the permission verification module 702 may also be a device implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD). The PLD may be implemented using a complex programmable logical device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
[0417] The multiple computing devices included in the permission verification module 702 can be distributed within the same region or in different regions. Similarly, the multiple computing devices included in the permission verification module 702 can be distributed within the same Availability Zone (AZ) or in different AZs. Likewise, the multiple computing devices included in the permission verification module 702 can be distributed within the same VPC or in multiple VPCs. These multiple computing devices can be any combination of computing devices such as servers, ASICs, PLDs, CPLDs, FPGAs, and GALs.
[0418] It should be noted that, in other embodiments, each of the receiving module 701, the permission verification module 702, the delimiter setting module 703, the permission setting module 704, and the management module 705 can be used to execute any step in the permission verification method. The steps implemented by the receiving module 701, permission verification module 702, delimiter setting module 703, permission setting module 704, and management module 705 can be specified as needed. By implementing different steps in the permission verification method through the receiving module 701, permission verification module 702, delimiter setting module 703, permission setting module 704, and management module 705, all functions of the cloud management platform can be realized.
[0419] This application also provides a computing device 800. As shown in Figure 8, the computing device 800 includes: a bus 802, a processor 804, a memory 806, and a communication interface 808. The processor 804, the memory 806, and the communication interface 808 communicate with each other via the bus 802. The computing device 800 may be a server or a terminal device. It should be understood that this application does not limit the number of processors and memories in the computing device 800.
[0420] Bus 802 can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. Buses can be categorized as address buses, data buses, control buses, etc. For ease of illustration, only one line is used in Figure 8, but this does not imply that there is only one bus or one type of bus. Bus 802 can include pathways for transmitting information between various components of computing device 800 (e.g., memory 806, processor 804, communication interface 808).
[0421] Processor 804 may include any one or more processors such as a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), or a digital signal processor (DSP).
[0422] The memory 806 may include volatile memory, such as random access memory (RAM). The memory 806 may also include non-volatile memory, such as read-only memory (ROM), flash memory, hard disk drive, or solid-state drive.
[0423] The memory 806 stores executable program code, which the processor 804 executes to implement the functions of the aforementioned receiving module 701, permission verification module 702, separator setting module 703, permission setting module 704, and management module 705, thereby implementing the permission verification method. In other words, the memory 806 stores instructions for executing the permission verification method.
[0424] The communication interface 808 uses transceiver modules such as, but not limited to, network interface cards and transceivers to enable communication between the computing device 800 and other devices or communication networks.
[0425] For example, the computing device 800 described above may be a computing device running the control unit and operating system shown in FIG. 1.
[0426] This application also provides a computing device cluster. The computing device cluster includes at least one computing device. The computing device can be a server, such as a central server, an edge server, or a local server in a local data center. In some embodiments, the computing device can also be a terminal device such as a desktop computer, a laptop computer, or a smartphone.
[0427] As shown in Figure 9, the computing device cluster 900 includes at least one computing device 800. The memory 806 of one or more computing devices 800 in the computing device cluster 900 may store the same instructions for executing the permission verification method.
[0428] In some possible implementations, the memory 806 of one or more computing devices 800 in the computing device cluster 900 may also store partial instructions for executing the permission verification method. In other words, a combination of one or more computing devices 800 can jointly execute the instructions for executing the permission verification method.
[0429] It should be noted that the memory 806 in different computing devices 800 within the computing device cluster 900 can store different instructions, each used to execute a portion of the functions of the data processing device. That is, the instructions stored in the memory 806 of different computing devices 800 can implement the functions of one or more modules among the receiving module 701, the permission verification module 702, the delimiter setting module 703, the permission setting module 704, and the management module 705.
[0430] In some possible implementations, one or more computing devices 800 in the computing device cluster 900 can be connected via a network. This network can be a wide area network (WAN) or a local area network (LAN), etc. Figure 10 illustrates one possible implementation. As shown in Figure 10, computing devices 800A and 800B are connected via a network. Specifically, they are connected to the network through communication interfaces in each computing device.
[0431] In this type of possible implementation, the memory 806 in computing device 800A stores instructions for the functions of the receiving module 701 and the permission verification module 702. Meanwhile, the memory 806 in computing device 800B stores instructions for executing the functions of the delimiter setting module 703, the permission setting module 704, and the management module 705.
[0432] The arrangement of the computing device cluster shown in Figure 10 takes into account that the permission verification method provided in this application embodiment requires a large amount of computation; the functions of the separator setting module 703, permission setting module 704, and management module 705 are therefore assigned to computing device 800B.
[0433] It should be understood that the functions of computing device 800A shown in Figure 10 can also be performed by multiple computing devices 800. Similarly, the functions of computing device 800B can also be performed by multiple computing devices 800.
[0434] This application also provides another computing device cluster. For the connection relationship between the computing devices in this computing device cluster, refer likewise to the connection method of the computing device cluster shown in Figures 9 and 10. The difference is that the memory 806 of one or more computing devices 800 in this computing device cluster can store the same instructions for executing the permission verification method.
[0435] In some possible implementations, the memory 806 of one or more computing devices 800 in the computing device cluster may also store partial instructions for executing the permission verification method. In other words, a combination of one or more computing devices 800 can jointly execute the instructions for executing the permission verification method.
[0436] This application also provides a processor that can be used to execute the above methods.
[0437] This application also provides a chip, including: a processor and a power supply circuit; the power supply circuit can be used to supply power to the processor; the processor can be used to execute the above-described method.
[0438] This application also provides a computing device, which may include a processor, a memory, and computer programs / instructions stored in the memory; the processor executes the computer programs / instructions to enable the computing device to implement the above-described methods.
[0439] This application also provides a computing device cluster, which includes at least one computing device; each computing device includes a processor, a memory, and computer programs / instructions stored in the memory, wherein the processor of each computing device executes the computer programs / instructions stored in the memory of each computing device to enable each computing device to implement the above-described method.
[0440] This application also provides a computer program product. The computer program product includes a computer program / instructions that are capable of running on a computing device or stored on any usable medium. When the computer program / instructions are executed on at least one computing device, the at least one computing device can perform the methods described above.
[0441] This application also provides a computer-readable storage medium, which can be any available medium that a computing device can store, or a data storage device such as a data center containing one or more available media. The computer-readable storage medium stores a computer program / instructions that, when executed on at least one computing device, enable the at least one computing device to perform the described method.
[0442] For example, the available media may be magnetic media (e.g., floppy disks, magnetic disks, magnetic tapes), optical media (e.g., digital video discs (DVDs)), or semiconductor media (e.g., solid-state drives (SSDs)).
[0443] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the protection scope of the technical solutions of the embodiments of the present invention.
Claims
1. A permission verification method based on a cloud management platform, characterized in that:
The method is applied to the cloud management platform, which provides object storage services to tenants and manages the infrastructure for providing buckets in the object storage services. The infrastructure stores access control information, which indicates a correspondence between at least one data identifier and at least one access control tag. The data identifier includes an identifier for the bucket and a prefix for the identifier of the data. The bucket stores the data. The access control tag indicates access rights to the data indicated by the data identifier corresponding to the access control tag. The method includes:
The cloud management platform receives an operation request from the tenant, wherein the operation request includes an identifier of a target bucket and an identifier of target data, and the target bucket is a bucket that stores the target data;
When the operation request includes a target access control tag, the cloud management platform determines the access control tag corresponding to the data identification information of the target data based on the permission control information, wherein the data identification information of the target data includes the identifier of the target bucket and the prefix of the identifier of the target data;
The cloud management platform determines the permission verification result of the operation request based on the target access control tag and the access control tag corresponding to the data identification information of the target data. The permission verification result includes verification success or verification failure.
2. The method according to claim 1, characterized in that:
The cloud management platform determining the permission verification result of the operation request based on the target access control tag and the access control tag corresponding to the data identification information of the target data includes:
If the access control label corresponding to the data identification information of the target data includes the target access control label, the cloud management platform determines that the permission verification result of the operation request is successful;
If the access control label corresponding to the data identification information of the target data does not include the target access control label, the cloud management platform determines that the permission verification result of the operation request is a verification failure.
3. The method according to claim 1 or 2, characterized in that:
The infrastructure stores delimiter information, which is used to indicate the correspondence between the bucket identifier and the delimiter. The method further includes:
The cloud management platform determines the target delimiter corresponding to the identifier of the target bucket based on the delimiter information;
The cloud management platform segments the identifier of the target data according to the target delimiter to obtain the prefix of the identifier of the target data.
4. The method according to claim 3, characterized in that:
Before the cloud management platform receives the operation request from the tenant, the method further includes:
The cloud management platform receives a target request from the tenant, the target request including the identifier of the bucket and the separator corresponding to the identifier of the bucket;
The cloud management platform responds to the target request by storing the delimiter information.
5. The method according to any one of claims 1-4, characterized in that:
Before the cloud management platform receives the operation request from the tenant, the method further includes:
The cloud management platform receives a permission setting request from the tenant, the permission setting request including at least one data identification information and at least one access control tag corresponding to the at least one data identification information;
The cloud management platform responds to the permission setting request and stores the permission control information.
6. The method according to any one of claims 1-5, characterized in that:
The operation request is also used to indicate a target user identifier; the method further includes:
If the operation request does not include a target access control label, the cloud management platform obtains the user identifier corresponding to the target data, wherein the user identifier corresponding to the target data includes at least one of the identifier of the user who created the target data or the identifier of the user who created the target bucket;
The cloud management platform determines the permission verification result of the operation request based on the user identifier corresponding to the target data and the target user identifier.
7. A cloud management platform, characterized in that:
The cloud management platform is used to provide object storage services to tenants and manage the infrastructure for providing buckets in the object storage services. The infrastructure stores access control information, which indicates the correspondence between at least one data identifier and at least one access control tag. The data identifier includes an identifier for the bucket and a prefix for the data identifier. The bucket is used to store the data. The access control tag indicates access rights to the data indicated by the data identifier corresponding to the access control tag. The cloud management platform includes:
A receiving module is configured to receive an operation request from the tenant, wherein the operation request includes an identifier of a target bucket and an identifier of target data, and the target bucket is a bucket that stores the target data;
The permission verification module is used to determine the access control label corresponding to the data identification information of the target data according to the permission control information when the operation request includes a target access control label, wherein the data identification information of the target data includes the identifier of the target bucket and the prefix of the identifier of the target data;
The permission verification module is further configured to determine the permission verification result of the operation request based on the access control tag corresponding to the data identification information of the target data and the target access control tag, wherein the permission verification result includes verification success or verification failure.
8. The cloud management platform according to claim 7, characterized in that:
The permission verification module is specifically used for:
If the access control label corresponding to the data identification information of the target data includes the target access control label, the permission verification result of the operation request is determined to be successful;
If the access control label corresponding to the data identification information of the target data does not include the target access control label, the permission verification result of the operation request is determined to be a verification failure.
9. The cloud management platform according to claim 7 or 8, characterized in that:
The infrastructure stores delimiter information, which is used to indicate the correspondence between the bucket identifier and the delimiter. The permission verification module is also used for:
Based on the delimiter information, determine the target delimiter corresponding to the identifier of the target bucket for obtaining the target data;
The identifier of the target data is segmented according to the target delimiter to obtain the prefix of the target data identifier.
10. The cloud management platform according to claim 9, characterized in that:
The cloud management platform also includes a separator setting module, which, before receiving an operation request from the tenant, is used to:
Receive a target request from the tenant, the target request including the identifier of the bucket and the separator corresponding to the identifier of the bucket;
In response to the target request, the delimiter information is stored.
11. The cloud management platform according to any one of claims 7-10, characterized in that:
The cloud management platform also includes a permission setting module, which, before receiving an operation request from the tenant, is used to:
Receive a permission setting request from the tenant, the permission setting request including at least one data identification information and at least one access control tag corresponding to the at least one data identification information;
In response to the permission setting request, the permission control information is stored.
12. The cloud management platform according to any one of claims 7-11, characterized in that:
The operation request is also used to indicate the target user identifier; the permission verification module is also used for:
If the operation request does not include a target access control label, obtain the user identifier corresponding to the target data, wherein the user identifier corresponding to the target data includes at least one of the identifier of the user who created the target data or the identifier of the user who created the target bucket;
The permission verification result of the operation request is determined based on the user identifier corresponding to the target data and the target user identifier.
13. A computing device cluster, characterized in that:
The computing device cluster includes at least one computing device;
Each of the at least one computing device includes a processor, a memory, and a computer program / instructions stored in the memory;
The processor of each computing device executes computer programs / instructions stored in the memory of each computing device to enable each computing device to implement the method as described in any one of claims 1-6.
14. A computer program product, characterized in that:
The computer program product includes a computer program / instruction, which, when executed by a computing device, implements the method as described in any one of claims 1-6.
15. A computer-readable storage medium, characterized in that:
The computer-readable storage medium stores a computer program / instruction, which, when executed by a computing device, implements the method as described in any one of claims 1-6.
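The flow of method claims 1 to 6, written out as an added Python example; it is not code from the application. The class and function names, the in-memory dictionaries, the "most specific stored prefix governs" rule, the deny-by-default behaviour, and the equality test for the creator fallback are all assumptions of this sketch.

```python
from dataclasses import dataclass, field


@dataclass
class Infrastructure:
    """In-memory stand-in for the state the claims place in the infrastructure."""
    delimiters: dict = field(default_factory=dict)      # bucket -> delimiter (claims 3-4)
    acl: dict = field(default_factory=dict)             # (bucket, prefix) -> tags (claims 1, 5)
    object_creator: dict = field(default_factory=dict)  # (bucket, object) -> user (claim 6)
    bucket_creator: dict = field(default_factory=dict)  # bucket -> user (claim 6)

    def set_delimiter(self, bucket, delimiter):
        if not delimiter:
            raise ValueError("delimiter must be non-empty")
        self.delimiters[bucket] = delimiter

    def set_permissions(self, bucket, prefix, tags):
        delimiter = self.delimiters[bucket]  # assumption: delimiter is set first
        if not prefix.endswith(delimiter):
            prefix += delimiter              # store prefixes on segment boundaries
        self.acl[(bucket, prefix)] = frozenset(tags)


def candidate_prefixes(object_id, delimiter):
    """Delimiter-terminated prefixes of object_id, most specific first."""
    parts = object_id.split(delimiter)[:-1]  # final segment is the object name
    return [delimiter.join(parts[:i]) + delimiter for i in range(len(parts), 0, -1)]


def verify(infra, bucket, object_id, tag=None, user=None):
    """Return True for verification success, False for verification failure."""
    if tag is not None:
        delimiter = infra.delimiters.get(bucket)
        if delimiter is None:
            return False                     # no delimiter on record: deny
        for prefix in candidate_prefixes(object_id, delimiter):
            tags = infra.acl.get((bucket, prefix))
            if tags is not None:
                return tag in tags           # claim 2: tag set must contain the target tag
        return False                         # no entry covers this object: deny
    # Claim 6: no tag in the request, compare against creator identifiers.
    owners = {infra.object_creator.get((bucket, object_id)),
              infra.bucket_creator.get(bucket)}
    owners.discard(None)
    return user is not None and user in owners


def demo_infra():
    """Constructed sample data, not taken from the application."""
    infra = Infrastructure()
    infra.set_delimiter("bkt-a", "/")
    infra.set_permissions("bkt-a", "reports", {"finance"})
    infra.set_permissions("bkt-a", "reports/public/", {"finance", "everyone"})
    infra.object_creator[("bkt-a", "reports/q1.csv")] = "alice"
    infra.bucket_creator["bkt-a"] = "bob"
    return infra
```

Because prefixes are compared on delimiter boundaries, an entry for `reports/` does not cover `reports-private/x.txt`, which a plain string-prefix comparison against `reports` would have matched.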