Data protection method, device and equipment for object storage and readable storage medium

Document No. 7962, published 2021-09-17

1. A method for data protection of an object store, comprising:

acquiring a target matching condition, wherein the target matching condition comprises: a file prefix, a file tag, and/or a bucket identifier;

determining a target file matched with the target matching condition according to attribute information of candidate files, wherein the attribute information comprises: the file prefix, the file tag and/or the bucket identifier, and the attribute information of the target file is the same as the target matching condition;

acquiring target security configuration information corresponding to the target matching condition according to the correspondence between matching conditions and security configuration information, wherein the target security configuration information comprises: a preset condition;

controlling the operation authority of the target file according to the preset condition in the target security configuration information, wherein the operation authority comprises: prohibition of deletion and/or modification.

2. The method according to claim 1, wherein the preset condition comprises:

prohibiting deletion and/or modification of the target file within a first time range;

and the controlling the operation authority of the target file according to the preset condition in the target security configuration information comprises:

controlling the target file to be prohibited from deletion and/or modification within the first time range.

3. The method according to claim 1, wherein the preset condition comprises:

prohibiting deletion and/or modification of the target file while a first limiting condition exists;

and the controlling the operation authority of the target file according to the preset condition in the target security configuration information comprises:

controlling the target file to be prohibited from deletion and/or modification while the first limiting condition exists.

4. The method of claim 1, wherein the target security configuration information further comprises: an effective condition, the effective condition comprising: taking effect immediately, taking effect after being confirmed again, and/or taking effect after a preset delay;

and the controlling the operation authority of the target file according to the preset condition in the target security configuration information comprises:

controlling the operation authority of the target file according to the preset condition and the effective condition in the target security configuration information.

5. The method of any of claims 1-3, wherein the target file is in a data tape mode.

6. The method of claim 2, further comprising:

controlling the target file to be allowed to be deleted and/or modified outside the first time range.

7. The method of claim 3, further comprising:

controlling the target file to be allowed to be deleted and/or modified when the first limiting condition does not exist.

8. An apparatus for data protection of an object store, comprising:

a target matching condition obtaining module, configured to obtain a target matching condition, where the target matching condition includes: a file prefix, a file tag, and/or a bucket identifier;

a target file determining module, configured to determine a target file matched with the target matching condition according to attribute information of candidate files, where the attribute information includes: the file prefix, the file tag and/or the bucket identifier, and the attribute information of the target file is the same as the target matching condition;

a target security configuration information obtaining module, configured to obtain, according to a correspondence between matching conditions and security configuration information, target security configuration information corresponding to the target matching condition, where the target security configuration information includes: a preset condition;

an operation authority control module, configured to control an operation authority for the target file according to the preset condition in the target security configuration information, where the operation authority includes: prohibition of deletion and/or modification.

9. A computer device, comprising:

one or more processors;

a storage device for storing one or more programs which,

when executed by the one or more processors, cause the one or more processors to implement the data protection method as claimed in any one of claims 1 to 7.

10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a method for protecting data according to any one of claims 1 to 7.

Background

Because important electronic data has been deleted by mistake in many countries, compliance requirements for retaining electronic data are becoming ever stricter. Governments have enacted a series of laws, such as the United States Sarbanes-Oxley Act, that impose strict requirements on the retention periods of different types of electronic data. China has not lagged behind: regulations such as the Basic Specifications for Electronic Medical Records in the medical sector define retention periods for different types of medical data, and similar rules apply in other industries. In terms of data retention strategy, strict authority control, regular key rotation, data backup and sound auditing are usually adopted in combination.

The security of stored data still needs to be improved. In the prior art, to ensure the data security of object storage, an access control mechanism is mostly combined with an audit mechanism: the authority to modify and delete a file is granted to a corresponding person in charge, who regularly rotates the file's key, thereby improving the security of data storage. However, the person in charge who holds the authority to modify and delete the file can still delete it by mistake, and the deleted data cannot be recovered afterwards, which exposes enterprises that must remain compliant to serious legal risk; such deletion and modification of data also causes irreparable loss to the business.

Disclosure of Invention

In order to solve, or at least partially solve, the above technical problems, the present disclosure provides a data protection method, device, apparatus and readable storage medium for object storage, which prevent accidental deletion and/or modification of data and improve data security.

In a first aspect, an embodiment of the present disclosure provides a data protection method for object storage, including:

acquiring a target matching condition, wherein the target matching condition comprises: a file prefix, a file tag, and/or a bucket identifier;

determining a target file matched with the target matching condition according to attribute information of candidate files, wherein the attribute information comprises: the file prefix, the file tag and/or the bucket identifier, and the attribute information of the target file is the same as the target matching condition;

acquiring target security configuration information corresponding to the target matching condition according to the correspondence between matching conditions and security configuration information, wherein the target security configuration information comprises: a preset condition;

controlling the operation authority of the target file according to the preset condition in the target security configuration information, wherein the operation authority comprises: prohibition of deletion and/or modification.

Optionally, the preset condition includes:

prohibiting deletion and/or modification of the target file within a first time range;

and the controlling the operation authority of the target file according to the preset condition in the target security configuration information includes:

controlling the target file to be prohibited from deletion and/or modification within the first time range.

Optionally, the preset condition includes:

prohibiting deletion and/or modification of the target file while a first limiting condition exists;

and the controlling the operation authority of the target file according to the preset condition in the target security configuration information includes:

controlling the target file to be prohibited from deletion and/or modification while the first limiting condition exists.

Optionally, the target security configuration information further includes: an effective condition, the effective condition including: taking effect immediately, taking effect after being confirmed again, and/or taking effect after a preset delay;

and the controlling the operation authority of the target file according to the preset condition in the target security configuration information includes:

controlling the operation authority of the target file according to the preset condition and the effective condition in the target security configuration information.

Optionally, the target file is in a data tape mode.

Optionally, the method further includes:

controlling the target file to be allowed to be deleted and/or modified outside the first time range.

Optionally, the method further includes:

controlling the target file to be allowed to be deleted and/or modified when the first limiting condition does not exist.

In a second aspect, an embodiment of the present disclosure further provides an apparatus for data protection of an object store, including:

a target matching condition obtaining module, configured to obtain a target matching condition, where the target matching condition includes: a file prefix, a file tag, and/or a bucket identifier;

a target file determining module, configured to determine a target file matched with the target matching condition according to attribute information of candidate files, where the attribute information includes: the file prefix, the file tag and/or the bucket identifier, and the attribute information of the target file is the same as the target matching condition;

a target security configuration information obtaining module, configured to obtain, according to a correspondence between matching conditions and security configuration information, target security configuration information corresponding to the target matching condition, where the target security configuration information includes: a preset condition;

an operation authority control module, configured to control an operation authority for the target file according to the preset condition in the target security configuration information, where the operation authority includes: prohibition of deletion and/or modification.

In a third aspect, an embodiment of the present invention further provides a computer device, including:

one or more processors;

a storage device for storing one or more programs which,

when executed by the one or more processors, cause the one or more processors to implement the data protection method as described in any one of the first aspects.

In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the data protection method according to any one of the first aspect.

Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:

The data protection method, device, apparatus and storage medium for object storage provided by the embodiments of the invention acquire a target matching condition, determine the target file matched with the target matching condition according to the attribute information of the candidate files, acquire the target security configuration information corresponding to the target matching condition according to the correspondence between matching conditions and security configuration information, and finally control the operation authority of the target file according to the preset condition in the target security configuration information, that is, prohibit deletion and/or modification of the target file while the preset condition holds. Within the preset condition, the target file cannot be deleted and/or modified even if a key is leaked, so the security of the data in the target file is improved.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.

In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.

Fig. 1 is a schematic flowchart of a data protection method for object storage according to an embodiment of the present invention;

Fig. 2 is a schematic structural diagram of a data protection method for object storage according to an embodiment of the present invention;

Fig. 3 is a schematic structural diagram of another data protection method for object storage according to an embodiment of the present invention;

Fig. 4 is a schematic structural diagram of a data protection method for object storage according to another embodiment of the present invention;

Fig. 5 is a schematic structural diagram of a data protection method for object storage according to another embodiment of the present invention;

Fig. 6 is a flowchart illustrating another method for protecting data stored in an object store according to an embodiment of the present invention;

Fig. 7 is a flowchart illustrating a data protection method for object storage according to another embodiment of the present invention;

Fig. 8 is a flowchart illustrating a data protection method for an object store according to another embodiment of the present invention;

Fig. 9 is a schematic structural diagram of a data protection apparatus for object storage according to an embodiment of the present invention;

Fig. 10 is a schematic structural diagram of a computer device according to an embodiment of the present invention.

Detailed Description

In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.

In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.

Fig. 1 is a schematic flowchart of a data protection method for object storage according to an embodiment of the present disclosure. This embodiment is applicable to the classified protection of data stored in public-cloud object storage. The method may be executed by a data protection device for object storage, which may be implemented in hardware and/or software and configured in a computer device, and which may be the data protection device for object storage according to any embodiment of the present application.

In the prior art, an access control mechanism and an audit mechanism are mostly combined for data stored in an object store, that is, the person in charge who holds the authority to modify and delete a file regularly replaces the key, so as to prevent malicious deletion of the data, or deletion or incorrect modification caused by misoperation.

As shown in fig. 1, the method specifically includes the following steps:

S110, acquiring a target matching condition, wherein the target matching condition comprises: a file prefix, a file tag, and/or a bucket identifier.

In this embodiment, a target matching condition is first acquired. Specifically, the target matching condition comprises a file prefix, a file tag and/or a bucket identifier; for example, the target matching condition may be the file prefix 123, the file tag [data], and/or a bucket identifier. Once the target matching condition has been acquired, the target file matched with it can be acquired from the candidate files.

S120, determining a target file matched with the target matching condition according to the attribute information of the candidate files, wherein the attribute information comprises: a file prefix, a file tag and/or a bucket identifier, and the attribute information of the target file is the same as the target matching condition.

A target file matched with the target matching condition is determined according to the attribute information of the candidate files, the attribute information comprising a file prefix, a file tag and/or a bucket identifier. Illustratively, different candidate files carry different attribute information: a candidate file may carry the file prefix 123, in which case its attribute information is the file prefix 123; it may carry the file tag [data], in which case its attribute information is the file tag [data]; or it may carry a bucket identifier, in which case its attribute information is that bucket identifier. If the target matching condition is the file prefix 123, the candidate files whose attribute information is the file prefix 123 are selected as the target file; if the target matching condition is the file tag [data], the candidate files whose attribute information is the file tag [data] are selected as the target file; and if the target matching condition is a bucket identifier, the candidate files carrying that bucket identifier are selected as the target file. For example, fig. 2 determines the target file with the file prefix as the target matching condition, selecting the candidate files with the file prefix 123 as the target file, and fig. 3 determines the target file with the file tag [data] as the target matching condition.

S130, acquiring target security configuration information corresponding to the target matching condition according to the correspondence between matching conditions and security configuration information, wherein the target security configuration information comprises: a preset condition.

In this embodiment, the correspondence between matching conditions and security configuration information may be, for example: the file tag [data] corresponds to security configuration information 1, the file prefix 123 corresponds to security configuration information 2, and a bucket identifier corresponds to security configuration information 3, where the three items of security configuration information carry different preset conditions, for example a first time range in security configuration information 1, a first limiting condition in security configuration information 2, and a second time range in security configuration information 3.

The target file determined according to the attribute information of the candidate files refers to a set of files in a bucket sharing a specific characteristic; for example, all files in the bucket carrying the file prefix 123 form one target file, and all files in the bucket carrying the file tag [data] form another. The target security configuration information corresponding to the target matching condition is then acquired according to the correspondence between matching conditions and security configuration information. For example, if the target matching condition is the file prefix 123, the target security configuration information is security configuration information 2; if it is the file tag [data], the target security configuration information is security configuration information 1. The target security configuration information comprises a preset condition, which is either configuration information based on a time policy, in which case the preset condition comprises a time range, or configuration information based on a retention policy, in which case the preset condition comprises a limiting condition. When the preset condition comprises a time range, that range may be measured in years, days or hours.

Acquiring the target security configuration information of the target file means acquiring the security configuration information of the files with the file prefix 123 in the bucket, of the files with the file tag [data] in the bucket, or of the whole bucket identified by the bucket identifier. Illustratively, for each of these three target files, the security configuration information acquired may be based either on a time policy or on a retention policy.

When the target matching condition is a file prefix, the target security configuration information is determined according to the correspondence between matching conditions and security configuration information. Specifically, as shown in fig. 2, the preset condition in the security configuration information corresponding to the file prefix 123 is based on a time policy, that is, on a time range: the files with the file prefix 123 in the bucket are protected by the time policy, with a protection period of 3 years. When the target matching condition is a file tag, the target security configuration information is determined in the same way; as shown in fig. 3, the preset condition corresponding to the file tag [data] is likewise based on a time policy, and the files with the file tag [data] in the bucket are protected by the time policy with a protection period of 3 years. Alternatively, as shown in fig. 4, the preset condition in the security configuration information corresponding to the file prefix 123 is based on a retention policy, that is, on a limiting condition, and the files with the file prefix 123 in the bucket are protected by the retention policy; and as shown in fig. 5, the preset condition corresponding to the file tag [data] is based on a retention policy, and the files with the file tag [data] in the bucket are protected by the retention policy.

It should be noted that figs. 4 and 5 exemplarily show the preset condition in the security configuration information of the target file being based on a limiting condition. Here the limiting condition is a LegalHold policy added to the target security configuration information of the target file: as long as the LegalHold policy has not been removed, none of the files tagged [data] in the bucket can be deleted and/or modified, and once the LegalHold policy is removed from the target security configuration information, the data in the target file may again be deleted and/or modified.

S140, controlling the operation authority of the target file according to the preset condition in the target security configuration information, wherein the operation authority comprises: prohibition of deletion and/or modification.

After the target security configuration information corresponding to the target matching condition has been acquired, the operation authority of the target file is controlled according to the preset condition it contains. Illustratively, when the preset condition is a time policy configuration, the target file is prohibited from being deleted and/or modified according to that time policy, that is, the target file with the file prefix 123 in the bucket is prohibited from being deleted and/or modified for as long as the preset condition holds. Within the preset time, even if the key protecting the data is leaked, an operator cannot delete and/or modify the target file with the file prefix 123 in the bucket, so the security of the data is improved and the loss caused by mistaken deletion or modification following a key leak is avoided.

In addition, when the preset condition in the target security configuration information is a retention policy configuration, deletion and/or modification of the target file is prohibited according to that retention policy. Illustratively, while the retention policy is configured, the target file with the file prefix 123 in the bucket is prohibited from being deleted and/or modified, that is, while the target file with the file prefix 123 is configured with the LegalHold policy, an operator still cannot delete and/or modify it even if the key protecting the data is leaked.

The data protection method for object storage provided by the embodiment of the invention acquires a target matching condition, determines the target file matched with the target matching condition according to the attribute information of the candidate files, acquires the target security configuration information corresponding to the target matching condition according to the correspondence between matching conditions and security configuration information, and finally controls the operation authority of the target file according to the preset condition in the target security configuration information, that is, prohibits deletion and/or modification of the target file while the preset condition holds. Within the preset condition, the target file cannot be deleted and/or modified even if a key is leaked, so the security of the data in the target file is improved.

Fig. 6 is a schematic flowchart of another data protection method for object storage according to an embodiment of the present invention. In this embodiment, one implementable manner of step S130 is shown as step S131 and one implementable manner of step S140 is shown as step S141, and the method includes:

S131, obtaining, according to the corresponding relation between the matching condition and the security configuration information, the target security configuration information corresponding to the target matching condition, wherein the target security configuration information comprises a preset condition, and the preset condition includes: deletion and/or modification of the target file is prohibited within a first time range.

When the preset condition in the obtained target security configuration information is that deletion and/or modification of the target file is prohibited within the first time range, the target security configuration information of the target file corresponding to the target matching condition is configuration information based on a time policy: the preset condition includes a time range, and within that range deletion and/or modification of the target file is prohibited.

And S141, controlling to prohibit deletion and/or modification of the target file in the first time range.

When the preset condition in the target security configuration information corresponding to the target matching condition includes prohibiting deletion and/or modification of the target file within the first time range, deletion and/or modification of the target file is prohibited according to that preset condition, that is, for the duration of the first time range. For example, when the preset condition in the target security configuration information corresponding to the file prefix 123 in the bucket is that deletion and/or modification is prohibited within a first time range, deletion and/or modification of the target files with file prefix 123 in that bucket is prohibited within the first time range. Because the target file cannot be deleted or modified within the first time range, the safety of the target file is improved.

Optionally, the method further includes: outside the first time range, control allows deletion and/or allows modification of the target file.

In addition, once the first time range of the preset condition in the target security configuration information has elapsed, the target file can be deleted and/or modified, so the data in the bucket can be updated and the accumulation of useless files is avoided.

It should be noted that when the preset condition obtained for the bucket as a whole is to prohibit deletion and/or modification within one year, and the preset condition obtained for the target files with file prefix 123 in that bucket is to prohibit deletion and/or modification within three years, a file with prefix 123 falls under both rules, so its preset conditions include both 1 year and 3 years. Protection is applied by preferring the longer protection period: a file with prefix 123, for example the picture 123.png, is automatically protected for 3 years from its upload time, and can be deleted or modified only after those 3 years.

Fig. 7 is a schematic flowchart of another data protection method for object storage according to an embodiment of the present invention. This embodiment is based on the foregoing embodiment; another implementable manner of step S130 is shown as step S132 and another implementable manner of step S140 is shown as step S142, and the method includes:

S132, acquiring, according to the corresponding relation between the matching condition and the security configuration information, the target security configuration information corresponding to the target matching condition, wherein the target security configuration information comprises a preset condition, and the preset condition includes: deletion and/or modification of the target file is prohibited while a first limiting condition exists.

When the preset condition in the obtained target security configuration information is that deletion and/or modification of the target file is prohibited while the first limiting condition exists, the target security configuration information of the target file corresponding to the target matching condition is configuration information based on a retention policy: the preset condition includes a condition range rather than a time range, and while the first limiting condition exists deletion and/or modification of the target file is prohibited.

And S142, controlling to prohibit deletion and/or modification of the target file while the first limiting condition exists.

When the preset condition in the target security configuration information corresponding to the target matching condition includes prohibiting deletion and/or modification of the target file while the first limiting condition exists, deletion and/or modification of the target file is prohibited according to that preset condition, that is, for as long as the first limiting condition exists. For example, when the preset condition in the target security configuration information corresponding to the file prefix 123 in the bucket is that deletion and/or modification is prohibited while the first limiting condition exists, then while that condition exists deletion and/or modification of the target files with file prefix 123 in the bucket is prohibited. Because the target file cannot be deleted or modified while the first limiting condition exists, the safety of the target file is improved.

Optionally, the method further includes: when the first limiting condition no longer exists, controlling deletion and/or modification of the target file to be allowed.

In addition, when the first limiting condition of the preset condition in the target security configuration information no longer exists, the target file can be deleted and/or modified, so the data in the bucket can be updated and the accumulation of useless files is avoided.

It should be noted that when the preset condition obtained for the target files with file tag [data] in the bucket is to prohibit deletion and/or modification while a first limiting condition exists (protection based on a retention policy), and the preset condition obtained for the target files with file prefix 123 in the bucket is to prohibit deletion and/or modification within three years (protection based on a time policy with a 3-year protection period), a file such as 123.png that carries both the prefix 123 and the tag [data] falls under both rules. Protection based on the time policy is applied first: after 123.png is uploaded it is automatically protected for 3 years. After those 3 years, if the retention-policy protection for files with tag [data] is still in force, 123.png remains protected; if the retention-policy rule for files with tag [data] has been deleted by then, 123.png can be deleted after the 3 years.

Optionally, the security configuration information further includes an effective condition, and the effective condition comprises: immediate effect, effect after re-confirmation, and/or effect after a preset delay.

Illustratively, with continued reference to figs. 2-5, the target security configuration information further includes an effective condition, which is one of immediate effect, effect after re-confirmation, and effect after a preset delay. When the effective condition is immediate effect, the operation authority prohibiting deletion and/or modification of the target file takes effect immediately. When the effective condition is effect after re-confirmation, the operation authority prohibiting deletion and/or modification of the target file takes effect only after it has been confirmed again, either by confirming the operation authority item in the interface, or by sending an activation link to the verification mailbox and performing identity authentication by clicking that link, whereupon the operation authority is activated. When the effective condition is effect after a preset delay, a delay time is set, and the operation authority prohibiting deletion and/or modification of the target file takes effect only after that delay time has elapsed.

After the target security configuration information corresponding to the target matching condition is determined, the operation authority of the target file is controlled through both the preset condition and the effective condition in the target security configuration information. Specifically, when the target matching condition is a file prefix, as shown in fig. 2, the preset condition in the target security configuration information corresponding to the file prefix 123 is configuration information based on a time policy (a time range), and the effective condition is immediate effect. The target security configuration information determined for the target files therefore protects the files with file prefix 123 in the bucket under the time policy, with a protection period of 3 years, effective immediately, so the files with file prefix 123 in the bucket are prohibited from being deleted and/or modified for 3 years. When the target matching condition is a file tag, as shown in fig. 3, the preset condition in the target security configuration information corresponding to the file tag [data] is configuration information based on a time policy, and the effective condition is effect after a preset delay. The files with file tag [data] in the bucket are therefore protected under the time policy with a protection period of 3 years, the protection takes effect after the preset delay, and deletion and/or modification is prohibited for 3 years counted from the moment the delay elapses.

When the target matching condition is a file prefix, as shown in fig. 4, the preset condition in the target security configuration information corresponding to the file prefix 123 is configuration information based on a retention policy (a limiting condition), and the effective condition is immediate effect. The files with file prefix 123 in the bucket are therefore protected under the retention policy, effective immediately, and are prohibited from being deleted and/or modified for as long as the limiting condition holds. When the target matching condition is a file tag, as shown in fig. 5, the preset condition in the target security configuration information corresponding to the file tag [data] is configuration information based on a retention policy, and the effective condition is effect after re-confirmation. The files with file tag [data] in the bucket are therefore protected under the retention policy, but the protection takes effect only after it has been confirmed again; once it is confirmed by clicking, deletion and/or modification is prohibited for as long as the limiting condition holds.

In addition, the target security configuration information of the target file may also include a remark. The remark added to the target security configuration information describes the background of the rule according to the specific application context of the target file. This prevents a user from forgetting why the security configuration information was set after the rule was created, for example through the passage of time or staff turnover, and thereby prevents misoperation on the data, improves the efficiency of retrieving data, and improves confidence in the security configuration information.

It should be noted that in each of the above embodiments, where the target security configuration information corresponding to the target matching condition is obtained according to the corresponding relation between the matching condition and the security configuration information, a target file may be covered by a plurality of matching conditions; at most 50 matching conditions may be set, and duplicate matching conditions are not allowed.

Referring also to fig. 8, fig. 8 illustrates status information of different target files of fig. 2-5, and the operation rights of the different target files can be determined according to fig. 8.

Optionally, the target file is in a data tape mode.

In the data protection method for object storage provided in the above embodiment, the obtained target file is in a data tape mode, that is, WORM (Write Once Read Many). By configuring the target file into the data tape mode, once the target security configuration information corresponding to the target file has been obtained and the target file falls under the preset condition of that configuration, nobody is permitted to modify and/or delete the target file; authorized operators may only upload files, that is, add new files under different names. Because different countries impose different compliance retention requirements on electronic data of the same industry, the same country imposes different requirements on different industries, and enterprises differ in how long they need to protect their own business data, the scheme lets a client who sets the files in a bucket to the data tape mode also choose the preset condition in the target security configuration information. No visitor can then delete and/or modify the target file while the preset condition of the target security configuration information holds, so the target file is stored safely and protected from deletion and/or misoperation; at the same time, the user can flexibly choose the security configuration information of the target file, which realizes flexible protection of the data.
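The rule semantics described in the embodiments above (time-policy and retention-policy preset conditions, the longest-protection-wins precedence between a bucket rule and a prefix rule, the three effective conditions, the limit of 50 non-duplicate matching conditions, and the WORM behaviour in which a protected key can be neither overwritten nor deleted) can be captured in a small model. The following Python is an added illustration, not code from the patent or from any product implementing it; the names Match, Rule, Obj, ObjectStore, T0, YEAR and FOREVER, the one-year-equals-365-days approximation, and the choice to start a time-policy clock at the later of the upload time and the rule's effective time are assumptions made for this example.

```python
# Added illustration, not code from the patent or any product: a small model of the
# retention rules described above. Names, the 365-day year and precedence are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

MAX_RULES = 50                                          # at most 50 matching conditions
YEAR = timedelta(days=365)                              # assumption: 1 year = 365 days
FOREVER = datetime(9999, 12, 31, tzinfo=timezone.utc)   # stand-in for an open-ended hold
T0 = datetime(2021, 1, 1, tzinfo=timezone.utc)          # constructed reference instant


@dataclass(frozen=True)
class Match:
    """Target matching condition: bucket id, key prefix and/or tag (None = any)."""
    bucket: Optional[str] = None
    prefix: Optional[str] = None
    tag: Optional[str] = None


@dataclass
class Rule:
    match: Match
    created_at: datetime
    retain_for: Optional[timedelta] = None   # time policy: protect for this long
    legal_hold: bool = False                 # retention policy (LegalHold)
    effective: str = "immediate"             # "immediate" | "delayed" | "reconfirm"
    delay: timedelta = timedelta(0)          # used when effective == "delayed"
    confirmed_at: Optional[datetime] = None  # set when a "reconfirm" rule is confirmed
    remark: str = ""                         # why the rule exists, for later operators

    def effective_at(self) -> Optional[datetime]:
        """When the rule starts to apply; None while a reconfirm rule is unconfirmed."""
        if self.effective == "immediate":
            return self.created_at
        if self.effective == "delayed":
            return self.created_at + self.delay
        return self.confirmed_at


@dataclass
class Obj:
    bucket: str
    key: str
    uploaded_at: datetime
    tags: FrozenSet[str] = frozenset()


def matches(m: Match, obj: Obj) -> bool:
    return ((m.bucket is None or m.bucket == obj.bucket)
            and (m.prefix is None or obj.key.startswith(m.prefix))
            and (m.tag is None or m.tag in obj.tags))


class ObjectStore:  # WORM store: keys may be added; a protected key is neither changed nor removed
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.objects = {}

    def add_rule(self, rule: Rule) -> None:
        if rule.legal_hold == (rule.retain_for is not None):
            raise ValueError("a rule carries either a time policy or a legal hold")
        if len(self.rules) >= MAX_RULES:
            raise ValueError("at most %d matching conditions" % MAX_RULES)
        if any(r.match == rule.match for r in self.rules):
            raise ValueError("duplicate matching condition")
        self.rules.append(rule)

    def remove_rule(self, match: Match) -> None:
        self.rules = [r for r in self.rules if r.match != match]

    def protection_end(self, obj: Obj, now: datetime) -> Optional[datetime]:
        """Latest protection end over rules matching obj and in effect at now; None if none.
        A time policy runs retain_for from the later of upload and effective time (assumption);
        a legal hold is open-ended, so the longest protection always wins."""
        end = None
        for r in self.rules:
            eff = r.effective_at()
            if eff is None or eff > now or not matches(r.match, obj):
                continue
            cand = FOREVER if r.legal_hold else max(obj.uploaded_at, eff) + r.retain_for
            end = cand if end is None else max(end, cand)
        return end

    def is_protected(self, obj: Obj, now: datetime) -> bool:
        end = self.protection_end(obj, now)
        return end is not None and end > now

    def put(self, obj: Obj) -> None:
        """Upload; writing to an existing, protected key is a prohibited modification."""
        old = self.objects.get((obj.bucket, obj.key))
        if old is not None and self.is_protected(old, obj.uploaded_at):
            raise PermissionError("overwrite of protected object " + obj.key)
        self.objects[(obj.bucket, obj.key)] = obj

    def delete(self, bucket: str, key: str, now: datetime) -> None:
        obj = self.objects[(bucket, key)]
        if self.is_protected(obj, now):
            raise PermissionError("delete of protected object " + key)
        del self.objects[(bucket, key)]
```

With the rules from the examples above (a 1-year rule on the bucket, a 3-year rule on prefix 123, and a legal hold on tag [data] that takes effect only after re-confirmation), protection_end() for 123.png returns the 3-year end until the hold is confirmed, after which it returns FOREVER; calling remove_rule() on the hold drops the file back to the time-policy window. That last step is the practical caveat of the retention-policy passage: a hold is only as strong as the control over who may delete the rule that creates it.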

Optionally, on the basis of the foregoing embodiment, fig. 9 is a schematic structural diagram of a data protection apparatus for object storage according to an embodiment of the present invention, and as shown in fig. 9, the data protection apparatus includes:

a target matching condition obtaining module 510, configured to obtain a target matching condition, where the target matching condition includes: file prefixes, file tags, and/or bucket identifiers;

a target file determining module 520, configured to determine, according to attribute information of the candidate file, the target file matching the target matching condition, where the attribute information includes: file prefix, file tag and/or bucket identifier, and the attribute information of the target file is the same as the target matching condition;

a target security configuration information obtaining module 530, configured to obtain, according to a corresponding relationship between the matching condition and the security configuration information, target security configuration information corresponding to the target matching condition, where the target security configuration information includes: presetting conditions;

an operation authority control module 540, configured to control an operation authority on the target file according to a preset condition in the target security configuration information, where the operation authority includes: deletion and/or modification is prohibited.

In the data protection device for object storage provided in the embodiment of the present invention, the target matching condition obtaining module obtains a target matching condition, the target file determining module determines the target file matching the target matching condition according to the attribute information of the candidate file, the target security configuration information obtaining module obtains the target security configuration information corresponding to the target matching condition according to the corresponding relation between the matching condition and the security configuration information, and the operation authority control module controls the operation authority of the target file according to the preset condition in the target security configuration information, so as to protect the data in the target file and avoid loss caused by accidental deletion and/or misoperation.

The data protection device for object storage provided by the embodiment of the invention can execute the data protection method for object storage provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.

Fig. 10 is a schematic structural diagram of a computer device provided in an embodiment of the present disclosure. As shown in fig. 10, the computer apparatus includes a processor 610, a memory 620, an input device 630, and an output device 640; the number of processors 610 in the computer device may be one or more, and one processor 610 is taken as an example in fig. 10; the processor 610, the memory 620, the input device 630 and the output device 640 in the computer apparatus may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 10.

The memory 620 is used as a computer-readable storage medium for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the data protection method of the object storage in the embodiment of the present invention. The processor 610 executes various functional applications and data processing of the computer device by executing software programs, instructions and modules stored in the memory 620, that is, implements the data protection method of object storage provided by the embodiment of the present invention.

The memory 620 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 620 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 620 may further include memory located remotely from the processor 610, which may be connected to a computer device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The input device 630 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic device, and may include a keyboard, a mouse, and the like. The output device 640 may include a display device such as a display screen.

The embodiment of the disclosure also provides a storage medium containing computer executable instructions, and the computer executable instructions are used for realizing the data protection method of the object storage provided by the embodiment of the invention when being executed by a computer processor.

Of course, the computer-executable instructions contained in the storage medium provided by the embodiment of the present invention are not limited to the method operations described above, and may also perform related operations of the data protection method for object storage provided by any embodiment of the present invention.

From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.

It should be noted that, in the embodiment of the protection device, each included unit and each included module are only divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.

It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
