A safe multi-user memory system needs to perform authorization control so that a user can only access files that he or she is authorized to access. Access here is a broad concept that includes any operation on a file, such as read, write, copy, delete, etc. In a traditional multi-user memory system, the file system maintains authorization information that records which files a user or user group may access, or which user or user group may access a given file. The authorization information is generally saved in the memory system in the form of an access control list, the access control list comprising triples of user ID, file ID and access authorization. When a user attempts to access a file, the file system searches the access control list based on the user ID and file ID to obtain the corresponding authorization, thereby determining whether the user has the right to perform the access operation on the file. Besides the abovementioned online authorization control, offline authorization control may also be performed. Any access to a file by a user is recorded in an access log, and offline authorization control determines whether an access violating the access authorization has occurred by checking the access log.
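The online lookup and the offline log check described above, as an added example that is not part of the original text. The user IDs, file IDs, log record layout and function names are assumptions made for illustration.

```python
from typing import NamedTuple

class AclEntry(NamedTuple):
    """One access control list triple: user ID, file ID, access authorization."""
    user_id: str
    file_id: str
    operations: frozenset  # operations this user may perform on this file

class LogRecord(NamedTuple):
    """One access-log line (hypothetical layout)."""
    timestamp: str
    user_id: str
    file_id: str
    operation: str

# Constructed sample data, not taken from any real system.
ACL = [
    AclEntry("alice", "file-17", frozenset({"read", "write", "copy", "delete"})),
    AclEntry("bob", "file-17", frozenset({"read"})),
]
ACCESS_LOG = [
    LogRecord("2024-01-05T09:00:00Z", "alice", "file-17", "write"),
    LogRecord("2024-01-05T09:02:10Z", "bob", "file-17", "read"),
    LogRecord("2024-01-05T09:03:44Z", "bob", "file-17", "delete"),
    LogRecord("2024-01-05T09:07:21Z", "carol", "file-17", "copy"),
]

def build_index(acl):
    """Index triples by (user ID, file ID) so each check is one lookup."""
    index = {}
    for entry in acl:
        key = (entry.user_id, entry.file_id)
        index[key] = index.get(key, frozenset()) | entry.operations
    return index

def is_authorized(index, user_id, file_id, operation):
    """Online control: deny unless a triple grants this exact operation."""
    return operation in index.get((user_id, file_id), frozenset())

def audit_log(index, log):
    """Offline control: return the logged accesses that no triple authorizes."""
    return [rec for rec in log
            if not is_authorized(index, rec.user_id, rec.file_id, rec.operation)]

if __name__ == "__main__":
    for violation in audit_log(build_index(ACL), ACCESS_LOG):
        print("violation:", violation)
```

The online check is default-deny: a user or file with no triple gets an empty authorization set, so the offline audit also flags accesses by users who never appear in the list.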
Unlike a traditional multi-user memory system, which stores a file on a physical memory node, the cloud storage system divides a file into a plurality of file blocks which may be stored on different physical memory nodes constituting the cloud storage system. A management node of the cloud storage system, for example a name node, records how many file blocks a file is divided into and the storage locations of these file blocks. This information is called mapping information. An administrator of the cloud storage system may generally retrieve the mapping information. For a user of cloud storage, the storage locations of the file blocks are shielded. In other words, a user of cloud storage only knows that the file has been stored in the cloud storage system. When a user needs to access the file, the management node of the cloud storage system, based on its records, retrieves the file blocks that constitute the file from their storage locations and provides them to the user. If the user needs to access the whole file, the management node of the cloud storage system merges these file blocks into one file and then provides the file to the user; if the user needs to access a part of the file, the cloud storage management system may retrieve only the file blocks corresponding to that part and provide them to the user. The cloud storage system thus differs from a traditional memory system. Therefore, a solution is desired for performing authorization control that considers the characteristics of the cloud storage system.