Data security for a database in a multi-nodal environment
Abstract
A security mechanism in a database management system enforces processing restrictions stored as metadata to control how different pieces of a multi-nodal application are allowed to access database data to provide data security. The security mechanism preferably checks the data security restrictions for security violations when an execution unit attempts to access the data to insure the nodal conditions are appropriate for access. When the security mechanism determines there is a security violation by a query from an execution unit based on the security restrictions, the security mechanism may send, delay or retry to maintain data security. Nodal conditions herein include time restrictions and relationships with other columns, rows or pieces of information. For example, multiple processing units may be allowed to execute together, but the security mechanism would prohibit these processing units to access specific pieces of information at the same time through the use of metadata in the database.
Claims
exact text as granted — not AI-modified1 . An apparatus comprising:
a multi-nodal computer system comprising a plurality of compute nodes, each with a processor and a memory coupled to the processor; a plurality of execution units in the memory of the compute nodes and executed by the processors of the compute nodes; a database connected to the computer system; security restrictions metadata residing in a database table that indicate security relationships of data in the database and execution units; and a security mechanism that enforces security of the data in the database by restricting access to the database from the plurality of execution units of the computer system according to the security restrictions metadata.
2 . The apparatus of claim 1 wherein the security restrictions metadata are stored in a database table residing in the database.
3 . The apparatus of claim 1 wherein the security restrictions metadata specifies that a first execution unit cannot run concurrently with a second execution unit.
4 . The apparatus of claim 1 wherein the security restrictions metadata specifies that a query to a first table is restricted when an execution unit has accessed a second table within a specified time period.
5 . The apparatus of claim 1 wherein the security restrictions metadata specifies that a query to some database data is restricted when a specified number of execution units accessing the first database table exceeds a specified threshold number of execution units.
6 . The apparatus of claim 1 wherein the security restrictions metadata specifies that a query to some database data is restricted when an execution unit has a specific value in the query being processed.
7 . The apparatus of claim 1 wherein the security restrictions metadata specifies that a query to some database data is restricted when a specified connection of an execution unit to a resource is open.
8 . A computer-implemented method for data security in a multi-nodal computer system, the method comprising the steps of:
(A) retrieving an incoming query from one of one of a plurality of execution units on a plurality of compute nodes; (B) providing security restrictions stored as database metadata; (C) parsing the query and comparing the query to the security restrictions; (D) asking the multi-nodal computer system for status information; (E) determining whether to execute the query based on the query, the security restrictions metadata and the status information; (F) where it is determined in step (E) to execute the query, executing the query and returning results of the query; (G) where it is determined in step (E) not to execute the query, determining to wait a period of time and returning to step D above; (H) wherein the method steps are implemented in a computer software program stored in computer memory and executed by a computer processor.
9 . The method of claim 8 further comprising the steps of:
where it is determined in step (E) not to execute the query, determining not to wait a period of time, setting a results to null and returning the query results.
10 . The method of claim 8 further comprising the steps of:
after executing the query above, again asking the multi-nodal computer system for status information, and where the status indicates there is still no security restriction, then returning the query results in step F.
11 . The method of claim 8 wherein the security restrictions metadata indicates that a query to a first table is restricted when an execution unit has accessed a second table within a specified time period.
12 . The method of claim 8 wherein the security restrictions metadata indicates that a query to some database data is restricted when a specified number of execution units accessing the first database table exceeds a specified threshold number of execution units.
13 . A computer-implemented method for data security in a multi-nodal computer system, the method comprising the steps of:
(A) retrieving an incoming query from one of one of a plurality of execution units on a plurality of compute nodes; (B) providing security restrictions stored as database metadata; (C) parsing the query and comparing the query to the security restrictions; (D) asking the multi-nodal computer system for status information; (E) determining whether to execute the query based on the query, the security restrictions metadata and the status information; (F) where it is determined in step (E) to execute the query, executing the query and returning results of the query; (G) where it is determined in step (E) not to execute the query, determining to wait a period of time and returning to step D above; (H) where it is determined in step (E) not to execute the query, determining not to wait a period of time, setting query results to null and returning the query results; (I) after executing the query in step (F), asking the multi-nodal computer system for status information, and where the status information indicates there is still no security restriction, then returning the query results in step (F); and (J) wherein the security restrictions metadata indicates that a query to a first table is restricted when an execution unit has accessed a second table within a specified time period; and (K) wherein the method steps are implemented in a computer software program stored in computer memory and executed by a computer processor.
14 . An article of manufacture comprising software stored on tangible computer readable storage medium, the software comprising:
a security mechanism that enforces security of data in a database connected to a computer system by restricting access to the database from a plurality of execution units of the computer system depending on security restrictions metadata in the database; wherein the security restrictions metadata reside in a database table of the database and indicate security relationships of data in the database and execution units.
15 . The article of manufacture of claim 14 wherein the security mechanism executes on one of a plurality of compute nodes that together comprise a multi-nodal computer system, and where each compute nodes has a processor and a memory coupled to the processor.
16 . The article of manufacture of claim 14 wherein the security restrictions metadata is a database table residing in the database.
17 . The article of manufacture of claim 14 wherein the security restrictions metadata indicates that a first execution unit cannot run concurrently with a second execution unit.
18 . The article of manufacture of claim 14 wherein the security restrictions metadata indicates that a query to a first table is restricted when an execution unit has accessed a second table within a specified time period.
19 . The article of manufacture of claim 14 wherein the security restrictions metadata indicates that a query to some database data is restricted when a specified number of execution units accessing the first database table exceeds a specified threshold number of execution units.
20 . The article of manufacture of claim 14 wherein the security restrictions metadata indicates that a query to some database data is restricted when an execution unit has a specific value in the query being processed.
21 . The article of manufacture of claim 14 wherein the security restrictions metadata indicates that a query to some database data is restricted when a specified connection of an execution unit to a resource is open.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.