CN115618387A - Authentication method, device, equipment and computer readable medium based on ABAC - Google Patents


Publication number: CN115618387A
Authority: CN (China)
Legal status: Granted
Application number: CN202211293935.4A
Other languages: Chinese (zh)
Other versions: CN115618387B (en)
Inventors: 蒋仕龙, 王磊
Current assignee: Shanghai Hejin Information Technology Co., Ltd.
Original assignee: Shanghai Hejin Information Technology Co., Ltd.
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The application provides an authentication method, an authentication device, authentication equipment and a computer readable medium based on ABAC, wherein the authentication method based on ABAC comprises the following steps: receiving request information of a user; authenticating the request information according to a target authorization rule to obtain an authentication result; the target authorization rule is an authorization rule obtained after item expansion is carried out on the basis of the hierarchical relation of the default authorization items of the ABAC; and releasing or intercepting the request information according to the authentication result. The application provides an ABAC-based authentication scheme which can be used for at least solving the technical problem that a great amount of calculation is needed to be consumed in the existing ABAC-based authentication mode.

Description

Authentication method, device, equipment and computer readable medium based on ABAC
Technical Field
The present application relates to the field of information technology, and in particular, to an ABAC-based authentication method, apparatus, device, and computer readable medium.
Background
In an operating system, permissions are a very important mechanism for ensuring that a multi-user operating system works normally. A file or program carries its own attributes indicating which kinds of users may read it, write it or execute it. A general-purpose program automatically inherits the rights of whichever user runs it. For example, in Windows there are an administrator user and an ordinary user, and the administrator's authority when opening Notepad differs from the ordinary user's authority when opening Notepad. Role-based access control and attribute-based access control are the two rights models most widely adopted in rights management systems.
Attribute-Based Access Control (ABAC) is an access control model proposed to address trust relationships in distributed industry applications. It performs access control using a set of features called attributes: subject attributes (also called user attributes), object attributes (also called resource attributes) and the environment attributes of an entity.
Role-Based Access Control (RBAC) is an access control mode for implementing enterprise security policy. Its basic idea is that the various permissions for system operations are not granted directly to specific users; instead a set of roles is established between the user set and the permission set, and each role corresponds to a group of permissions. Once a user is assigned a role, the user holds all the operational rights of that role. A role here generally refers to a group of people sharing some common characteristic, such as department, location, seniority, level or job function.
Compared with RBAC, ABAC can authorize resources at fine granularity and evaluate dynamically according to context, and is therefore more flexible and dynamic.
In practice, ABAC and RBAC are often used in scenarios that require permission inheritance, that is, a command executed by a user automatically inherits the permissions of that user, and when a file for which the current user has no permission is operated on, the operating system interrupts the command and prompts the user.
The inventors found that the related art has at least the following technical problem:
in a scenario requiring permission inheritance, RBAC associates permissions with roles, so hierarchical inheritance relationships can be implemented by the authorization logic of the roles. ABAC authorization logic, however, is usually fragmented and depends on context attributes, which makes ABAC-based permission inheritance generally implicit and coupled with business logic; permission inheritance under implicit authorization consumes a large amount of computation, that is, it costs the system considerable computing performance.
Disclosure of Invention
An object of the present application is to provide an ABAC-based authentication method, apparatus, device and computer readable medium, which are used to at least solve the technical problem that the existing ABAC-based authentication method needs to consume a large amount of computation.
To achieve the above object, some embodiments of the present application provide an ABAC-based authentication method, the method including: receiving request information of a user; authenticating the request information according to a target authorization rule to obtain an authentication result; the target authorization rule is an authorization rule obtained by carrying out item expansion on the basis of the hierarchical relationship of the default authorization items of the ABAC; and releasing or intercepting the request information according to the authentication result.
Some embodiments of the present application also provide an ABAC-based authentication apparatus, the apparatus including a receiving module, an authentication module, and an output module: the receiving module is used for receiving request information of a user; the authentication module is used for authenticating the request information according to a target authorization rule to obtain an authentication result; the target authorization rule is an authorization rule obtained after item expansion is carried out according to the hierarchical relation of the default authorization items of the ABAC; and the output module is used for releasing or intercepting the request information according to the authentication result.
Some embodiments of the present application further provide an ABAC-based authentication apparatus, the apparatus including: one or more processors; and a memory storing computer program instructions that, when executed, cause the processor to perform the ABAC-based authentication method as described above.
Some embodiments of the present application also provide a computer readable medium having stored thereon computer program instructions executable by a processor to implement the ABAC-based authentication method as described above.
Compared with the prior art, in the scheme provided by the embodiment of the application, after the request information of the user is received, the request information is authenticated according to the target authorization rule to obtain the authentication result, and then the request information is released or intercepted according to the authentication result. The target authorization rule in the embodiment of the application is an authorization rule obtained by expanding the default authorization entry structure of the ABAC according to the hierarchical relationship of the default authorization entry structure of the ABAC, and the hierarchical relationship is further optimized and expanded in nature, so that the calculation permission which cannot be cached in advance in the related technology is transferred to the ABAC, and an ABAC model which can support implicit permission inheritance with lower calculation performance loss is constructed.
Drawings
Fig. 1 is a flowchart of an ABAC-based authentication method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a rights management system in the related art according to an embodiment of the present application;
fig. 3 is a schematic diagram of an application example of an ABAC-based authentication method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an ABAC-based authentication apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an ABAC-based authentication device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
The following terms are used herein.
Layering: when the layers are delineated clearly and accurately, the two upper business layers can be seen to share the same abstraction: the top layers are a combination of components and layout, while the mapping functions for filter linkage, data query and the mapping from the data model to the primitive relationship are additional items whose removal does not affect the operation of the system.
Fragmenting: the logic is itself the product of assembling the fragmented information.
Algorithm complexity: divided into time complexity and space complexity. Time complexity refers to the computational effort required to execute the algorithm; space complexity refers to the memory space required to execute it. (The complexity of an algorithm expresses how much of the computer's resources are needed to run it; the most important resources are time and space (i.e. memory), hence the division into time and space complexity.) The time spent by an algorithm is proportional to the number of times its statements are executed: the algorithm whose statements execute more times takes more time.
A graph consists of a given set of vertices and the edges connecting them, and is often used to describe a specific relationship between things. Vertices represent objects, and an edge connecting two vertices represents that the two objects stand in that relationship.
Database (DB): a data set organized according to a certain data model and stored in secondary memory.
MongoDB: a database based on distributed file storage, intended to provide a scalable, high-performance data storage solution for web applications.
Implicit authorization in the related art is first explained herein.
Implicit authorization, as opposed to explicit authorization, refers to the authority granting logic not having been explicitly declared. Implicit authorization is usually logically associated with interaction between specific scenarios and entities in the service, and dynamic computation is usually required during authentication.
For example, a certain service has two entities, items and knowledge bases, and the rights to both can be authorized to certain users through the ABAC. That authorization action is explicit authorization; in this case the ABAC only needs to determine during authentication whether an authorization entry such as (knowledge base A, user a) exists. In some business scenarios, however, the rights to items and knowledge bases are not independent. For example, suppose the administrator adds an item p to knowledge base A, and user a, who previously had the rights to knowledge base A, should now also be allowed access to item p. In the related art, the ABAC does not create a new explicit (item p, user a) authorization entry; instead, along the service path, user a's right to item p is inherited from item p's parent knowledge base A, and this indirect mode of right inheritance is implicit authorization.
Why, then, in the example above, does the ABAC not simply create a new explicit (item p, user a) authorization entry and use explicit authorization? The inventors noted that with explicit authorization, whenever any node on the service path changes, the change must be synchronously propagated to every ABAC entry associated with that path. Continuing with the authorization relationships among users, knowledge bases and items, the ABAC could pre-construct the set of entries for all items and all authorized objects (users) associated with a given task: (a1, …, an) × (p1, …, pn). When an update arrives, at least the following three scenarios must be considered:
(1) When the authorized object changes, the set of the user a needs to be recalculated, so that the entries of the ABAC are reconstructed;
(2) When the knowledge base associated with the corresponding task changes, the set of items p needs to be recalculated, so as to reconstruct the entries of the ABAC;
(3) When the items inside the knowledge base associated with the corresponding task change, the set of items p needs to be recalculated, thereby reconstructing the entries of the ABAC.
Thus, with explicit authorization, every event involving interaction of the ABAC's tightly bound entities requires all authorization entries to be created synchronously, which makes the authorization entries sensitive to those changes. From the perspective of product logic it is therefore reasonable to use implicit authorization for permission inheritance; however, the inventors found that its concrete technical implementation poses no small challenge: permission inheritance under implicit authorization consumes a large amount of computation.
Specifically, suppose the rights management system authenticates (item p, user a). For explicit authorization, it suffices to query the database directly for a corresponding entry. For implicit authorization, as in the above example (knowledge base A -> item p in the knowledge base -> user a), the authentication logic can be as follows:
Figure BDA0003901735390000061 (image in the original: the authentication logic for this example)
It can be seen that the current authentication logic has a performance problem (IO1): looking up knowledge base A from item p consumes a large amount of computation, because item p may have been added to any knowledge base, and a full reverse lookup occupies more database computing resources (CPU and memory) as well as the network throughput consumed by data transmission. In this case the business scenario is still relatively simple, so in practice it can be optimized by indexing, caching or other means. Real business scenarios are far more complex, however; adding one more layer of "courses" to the above example shows that the complexity of the authentication algorithm grows exponentially with the number of levels.
Specifically, assuming that a new layer of path of "course" entity is added in the current business scenario, course T may be associated with knowledge base a, and course T and knowledge base a may also be directly associated with item p, respectively, then it is determined whether item p of course T may be authorized to user a, and the authentication logic may be as follows:
Figure BDA0003901735390000062, Figure BDA0003901735390000071 (images in the original: the authentication logic with the added course layer)
it can be seen that the algorithm includes the following 3 strategies:
1. the user is directly authorized to access the item;
2. the item is in a course or a knowledge base which a certain user has access to;
3. the item is in a knowledge base, and the knowledge base is associated with courses which a user has authority;
The algorithm makes its judgments in turn according to the above strategies. The more complicated part is that all courses and knowledge bases containing the item are found first, then all courses associated with those knowledge bases are queried, and only then can access be decided by whether the user holds a right on any of the listed entities. After adding one layer of path, the amount of IO requests grows several-fold and an additional O(n²) computation is added. That is, under implicit authorization, the complexity of the authentication logic grows geometrically with the path depth, since the rights management system must traverse layer by layer to find a matching entry among the ABAC entries. Without optimization, the worst case is O(n^(number of levels)) IO operations accompanied by a large amount of data IO; moreover, the rights management system becomes progressively more deeply coupled to the business, because its dynamic computation depends on the entities' interaction logic, which hinders subsequent testing and maintenance iterations.
Moreover, as those skilled in the art understand, whether the determination of inherited permissions is processed dynamically in the authentication layer or in the authorization layer of the rights management system, under implicit authorization the user is not directly authorized for the entity, so deciding whether the user holds the permission requires pulling out all associated parent entities and checking whether the user holds the permission on one of them. Since the association relationships between entities may change at any time, the authentication algorithm is highly dynamic and cannot be cached in advance, which increases the processing complexity of the rights management system and leaves its coupling to business logic details far from ideal.
Based on this, the embodiment of the application provides an authentication method based on the ABAC, which authenticates the request information according to the target authorization rule after receiving the request information of the user to obtain an authentication result, and then releases or intercepts the request information according to the authentication result. The target authorization rule in the embodiment of the application is an authorization rule obtained by expanding the default authorization entry structure of the ABAC according to the hierarchical relationship of the default authorization entry structure of the ABAC, and the hierarchical relationship is further optimized and expanded in nature, so that the calculation permission which cannot be cached in advance in the related technology is transferred to the ABAC, and an ABAC model which can support implicit permission inheritance with lower calculation performance loss is constructed.
As shown in fig. 1, the ABAC-based authentication method provided in the embodiment of the present application may include the following steps:
step S101, receiving request information of a user.
And step S102, authenticating the request information according to a target authorization rule to obtain an authentication result. The target authorization rule is an authorization rule obtained after item expansion is carried out on the basis of the hierarchical relationship of the default authorization items of the ABAC.
And step S103, releasing or intercepting the request information according to the authentication result.
Reference may be made to fig. 2, which illustrates the structural connection of the rights management system in some examples of the related art. The authority management system comprises an authorization layer and an authentication layer, wherein after request information of a user is received, the authorization layer can authenticate the request information according to a target authorization rule to obtain an authentication result, and the authentication layer can release or intercept the request information according to the authentication result, so that the calculation complexity of the authentication layer can be reduced.
Specifically, in some examples, the structure of the default authorization entry for an ABAC may be expressed as (object, resource, rights), which means: an authorization act of granting the object a specified operation right specifying the resource. And then, performing item extension on the default authorization item according to the hierarchical relation of the default authorization item to obtain a target authorization rule. Therefore, after the request information of the user is received, the request information can be authenticated according to the target authorization rule to obtain an authentication result, and then the request information is released or intercepted according to the authentication result.
Taking the authentication scenario (item p, user a) as an example, assume the preceding path is (task T, knowledge base A) and user a has read permission on task T: (user a, task T, read). According to the scheme of this embodiment, based on the hierarchical relationship of the ABAC default authorization entries, the following extension can be performed: (task T, knowledge base A), (knowledge base A, item p). The authorization rule after entry expansion, that is, the target authorization rule, is then: (user a, task T -> knowledge base A -> item p, read). In this example, if the authentication result is "passed", the request is released and the user has read permission on task T; otherwise, if the authentication result is "not passed", the request is intercepted and the user does not have read permission on task T.
In practical applications, the hierarchical relationship of the target authorization rule may be embodied in the form of a hierarchical diagram, for example, a connection (edge) between a point and a point in the hierarchical diagram represents a relationship between two entities. It can be understood that more entity relationships are generated with the expansion of the actual service, and thus, by the method provided by the embodiment of the present application, each node in the hierarchical diagram and the authorization principal can establish a connection relationship through various edges, so that when an authorization query is made, only the edge of the data structure corresponding to the new relationship needs to be mapped.
In addition, it should be noted that the scheme provided by the embodiment of the application can be extended to any scene with a more complex permission system, such as a content collaboration platform.
Compared with the related art, in the embodiment of the application, after the request information of the user is received, the request information is authenticated according to the target authorization rule to obtain the authentication result, and then the request information is released or intercepted according to the authentication result. The target authorization rule in the embodiment of the application is an authorization rule obtained by expanding the default authorization entry structure of the ABAC according to the hierarchical relationship of the default authorization entry structure of the ABAC, and the hierarchical relationship is further optimized and expanded in nature, so that the calculation permission which cannot be cached in advance in the related technology is transferred to the ABAC, and an ABAC model which can support implicit permission inheritance with lower calculation performance loss is constructed, therefore, the calculation complexity of a permission management system is reduced, the consumed calculation amount overhead is reduced, and meanwhile, the authentication efficiency can be improved.
In some embodiments of the present application, the method for generating the target authorization rule may include: acquiring the hierarchical relation of the default authorization entry; determining the authority inheritance relationship of the default authorization entry according to the hierarchy relationship; and performing entry extension on the default authorization entry according to the permission inheritance relationship to obtain the target authorization rule.
Specifically, assuming that an association relationship exists between the item p and the task T and an association relationship exists between the item p and the knowledge base a, and it can be considered that a permission inheritance relationship exists between the task T and the knowledge base a, the default authorization entry can be expanded according to the permission inheritance relationship existing between the task T and the knowledge base a, so as to obtain the target authorization rule.
Compared with the related art, the embodiment of the application provides an implementation way of specifically extending the default authorization entry structure of the ABAC according to the hierarchical relationship of the default authorization entry structure of the ABAC, and is beneficial to flexible and changeable implementation of the embodiment of the application.
In some embodiments of the present application, the performing entry extension on the default authorization entry according to the permission inheritance relationship may include: determining parent resources and child resources of resources in the default authorization entry according to the authority inheritance relationship; acquiring a permission upper limit, wherein the permission upper limit is used for representing an upper limit of an operation permission which can be executed on the resource in the permission inheritance relationship; determining an additional authorization entry according to the parent resource, the child resource and the authority upper limit; and performing entry extension on the default authorization entry according to the additional authorization entry.
The rights upper limit is explained here with an example. Suppose the set of all rights a user holds on a parent resource is read and write, meaning the user can read comments or post comments on that resource. The user's operation rights on a child resource cannot exceed that set: the user's rights on the child resource are still read and write, and operations beyond them cannot be performed, so the user cannot, for example, delete a child resource of that resource.
Specifically, in some examples, the structure of a default ABAC authorization entry may be expressed as (object, resource, rights), meaning: the authorization behaviour of granting the object the specified operation rights on the specified resource. In this embodiment, entry expansion may be performed according to the hierarchical relationship of the default entry structure. For example, the structure of a newly determined entry can be represented as (parent, child, rights upper limit), meaning: bind the child resource to the authorization group of the parent resource, with the rights on the child resource not exceeding the specified upper limit. The new authorization entry can serve as an edge of a hierarchy graph inside the rights management system, and based on this new data structure an authorization graph can be built in the entry table to speed up computing the authentication result.
To summarize the above example: the structure of the default ABAC entry is object-resource-rights, which together form one authorization, and the structure of the additional authorization entry used for entry expansion is parent-child-rights upper limit. Note that this embodiment specifies only the structural design; which entries are actually generated must be determined by the specific service authorization scenario, and is not limited here.
Compared with the related art, the embodiment of the application provides an implementation in which the default authorization entry is extended according to the permission inheritance relationship, and the implementation is flexible and adaptable.
In some embodiments of the present application, authenticating the request information according to the target authorization rule to obtain an authentication result may include: determining the number of levels of the hierarchical relationship; determining, according to the number of levels, the data query method to execute on the target authorization rule; and authenticating the request information according to that data query method and the target authorization rule to obtain the authentication result.
In some examples, for a database such as MongoDB, which supports graph computation from version 3.4 onward, a graph query can be run within a single collection; for example, the $graphLookup stage of the aggregation pipeline performs a recursive lookup within the collection. Those skilled in the art will appreciate that the graphs referred to herein are abstract graphs of nodes and edges, not figures.
For a relational database such as MySQL, the number of levels of the hierarchical relationship is determined first. When the number of levels is small (below a preset threshold), the data query on the target authorization rule can be executed with a chain of LEFT JOINs, one per level. Otherwise, when the number of levels is large (at or above the preset threshold), the data query is executed in a dynamic recursive manner, for example with a recursive query (a recursive common table expression, available in MySQL 8.0 and later), or by delegating the query to a dedicated graph database such as Neo4j, so that query performance is improved.
Compared with the related art, the ABAC-based authentication method provided by the embodiment executes different data query methods on the target authorization rule according to the number of levels in the hierarchical relationship, which further improves query performance.
In some embodiments of the present application, the hierarchical relationship of the target authorization rule may be characterized by a hierarchical graph. The contents of this part are mentioned in the foregoing text, and are not described herein again to avoid repetition.
In some embodiments of the present application, the hierarchical graph is managed by a graph database, so that the capabilities of the database engine can be used directly, which helps to maximize resource utilization.
In some embodiments of the present application, after the authenticating the request information according to the target authorization rule to obtain an authentication result, the method may further include: and if update information is received, updating the target authorization rule according to the update information.
Specifically, the embodiment of the present application stores only the relationship between adjacent nodes, that is, the hierarchical relationship in its simplest form, so that when a business entity relationship changes, only the corresponding edge needs to be deleted or the corresponding subtree pruned, synchronously. Compared with the related art this avoids a large amount of recomputation and updating and improves computation efficiency. An edge is understood as the entity authorization relationship between two vertices, and a tree is a vertex together with all of its subordinate relationships, that is, the inherited authorization of all child resources of an entity.
In addition, in some embodiments of the present application, the target authorization rule must be updated synchronously, promptly and accurately whenever an entity relationship in the service changes, so that authorization remains correct. In some examples, the business logic and the target authorization rule are bound in the same database transaction to ensure consistency of the data on both sides; in other examples an event-driven approach is used to ensure that consistency. Which approach is adopted can be decided according to actual requirements and is not specifically limited in this embodiment.
In addition, in some examples, a periodic polling mechanism can be adopted to check the target authorization rule by periodically comparing the authorization table in ABAC with the service data, which further ensures the correctness of the target authorization rule.
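As an added example (not code from the patent), the following Python shows the transactional variant and the periodic comparison on a pair of SQLite tables: a business change and its authorization-entry change commit or roll back together, and a reconciliation pass reports any drift between the two tables. The table layout, column names, cap-per-kind mapping and sample data are assumptions:

```python
"""Added example (not code from the patent): keeping the extended authorization
entries consistent with the business data they mirror, by (1) binding both writes in
one transaction and (2) periodically comparing the business table with the entry
table. Table layout, column names, CAP_BY_KIND and sample data are assumptions."""
import sqlite3

# rights cap carried by a parent->child edge, by kind of child (assumption)
CAP_BY_KIND = {"folder": "collaboration", "document": "view"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE folder_items(parent TEXT NOT NULL, child TEXT NOT NULL,
                                  kind TEXT NOT NULL, PRIMARY KEY(parent, child));
        CREATE TABLE auth_entries(subject TEXT NOT NULL, resource TEXT NOT NULL,
                                  rights TEXT NOT NULL, inherited INTEGER NOT NULL,
                                  PRIMARY KEY(subject, resource, rights));
    """)
    return conn


def add_item(conn, parent, child, kind):
    """Business change and entry change in one transaction: both land or neither does."""
    try:
        with conn:  # sqlite3 commits on normal exit and rolls back on an exception
            conn.execute("INSERT INTO folder_items VALUES (?,?,?)", (parent, child, kind))
            conn.execute("INSERT INTO auth_entries VALUES (?,?,?,1)",
                         (parent, child, CAP_BY_KIND[kind]))
        return True
    except (sqlite3.IntegrityError, KeyError):
        return False   # rolled back: nothing from this call is left in either table


def remove_item(conn, parent, child):
    """Removing content removes the matching inherited edge in the same transaction."""
    with conn:
        conn.execute("DELETE FROM folder_items WHERE parent = ? AND child = ?",
                     (parent, child))
        conn.execute("DELETE FROM auth_entries WHERE subject = ? AND resource = ? "
                     "AND inherited = 1", (parent, child))


def reconcile(conn):
    """Periodic check: (missing, extra) inherited entries relative to the business data."""
    expected = {(p, c, CAP_BY_KIND[k]) for p, c, k in
                conn.execute("SELECT parent, child, kind FROM folder_items")}
    actual = {tuple(row) for row in
              conn.execute("SELECT subject, resource, rights FROM auth_entries "
                           "WHERE inherited = 1")}
    return expected - actual, actual - expected


def item_count(conn):
    return conn.execute("SELECT COUNT(*) FROM folder_items").fetchone()[0]
```

The failure path matters as much as the happy path: an insert that fails on the second statement (here, an unknown kind) leaves no half-written business row behind, and a reconciliation run after an out-of-band deletion names the exact edge that has to be restored.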
In summary, compared with the related art, the embodiment of the present application provides an ABAC-based authentication method in which, after the request information of a user is received, the request information is authenticated according to a target authorization rule to obtain an authentication result, and the request information is then released or intercepted according to that result. The target authorization rule is obtained by extending the default authorization entry structure of ABAC according to its hierarchical relationship; in effect the hierarchical relationship itself is optimized and extended, so that permission computations which could not be cached in advance in the related art are moved into ABAC, and an ABAC model is built that supports implicit permission inheritance at low computational cost. The computational complexity of the permission management system is thereby reduced, the computation overhead consumed is reduced, and authentication efficiency is improved.
For convenience of understanding, the scheme provided by the embodiment of the application is described by using an example.
Specifically, a certain platform performs internal document collaboration management in units of organizations, with the creation, editing and distribution of online documents as its core. The platform has the following functional characteristics:
within an organization there are two roles, administrator and ordinary member;
an ordinary member has administrative rights (view, edit, delete, manage collaborators) over the documents they created;
documents within an organization have the concept of "collaborators", who are other members of the organization. An ordinary member can manage the collaborators of their own documents and can specify each collaborator's rights (viewable/editable);
for convenience of document management, an administrator can create and manage "folders" within the organization; documents of organization members can be added to a folder, new "subfolders" can be created in it, and other existing folders can be added to it as subfolders. Folders allow any number of levels;
for any folder, the administrator can add organization members as collaborators of the folder. Collaborators have read rights on the documents in that folder and in all of its subfolders.
If the scheme of the related art is adopted, the original rights system is designed as follows:
Authorization layer:
The basic roles "administrator" and "ordinary member" exist within the organization, while the rights logic of "creator", "collaborator" and the like on document resources is more dynamic. If RBAC were adopted in this scenario, a large number of fine-grained roles would be generated and would need to be maintained, and the dynamism of the rights system could not be supported. The platform therefore adopts ABAC for conventional rights and for the management of collaborator authorization entries.
When a member is added as a collaborator of a document or folder, a corresponding ABAC entry <member, document/folder, rights> is created, storing the member's rights on that resource; the remaining rights, such as those of the administrator and the creator, are judged at the authentication layer by dynamic attribute computation through ABAC.
In the folder collaboration scenario, any document may be added to a folder and folders may have any number of levels. If ABAC authorization entries were established automatically for a folder's collaborators on all of its subfolders and all of the documents it contains, then whenever the folder's content changed, and especially when the rights on a root folder changed, a small change would affect a large number of authorization entries and the system would become hard to maintain. Therefore folder-related rights use inherited authorization and have to be computed and judged dynamically at authentication time.
An authentication layer:
When a member of an organization accesses a document within the organization, the ABAC authentication module judges, in sequence:
1. whether the member is an administrator or the creator of the document, and grants the corresponding rights;
2. whether the member's rights on the document exist in the ABAC authorization entries;
3. folder authentication:
(1) query all folders to which the document belongs and judge whether the current member has rights on one of them;
(2) recursively query all parent folders of those folders in turn, up to the top-level folders, and judge whether the current member has rights on one of them.
The original rights system has the following bottleneck: in an actual service environment folders generally have many levels, so the related authentication computation generates a large amount of CPU, memory and database throughput overhead, which affects user experience. It therefore needs to be optimized with the proposed scheme.
As can be seen in connection with fig. 3, the optimization is as follows:
Authorization layer:
Folder-level rights management is performed on the entry-extended ABAC authorization entries using a graph database:
when a new folder B is created in, or associated with, folder A, a <folder A, folder B, collaboration> authorization entry is created (as a relationship edge in the graph database), indicating that a member holding collaboration rights on folder A is also granted collaboration rights on folder B;
when a new document C is added to folder A, a <folder A, document C, view> authorization entry is created, indicating that a member holding collaboration rights on folder A is also granted view rights on document C;
when folder B or document C is removed from folder A, the corresponding authorization entry is deleted synchronously.
When implementing the scheme, consistency between the authorization entries and the folder containment relationships must be ensured; either of the following two approaches may be chosen:
1. Use database transactions: declare the ABAC entry update and the statement that adds or deletes folder content in the same transaction, so that the data on both sides stays consistent.
2. Use event-driven eventual consistency: when folder content changes, publish a corresponding event; the rights management system listens for the event and updates the corresponding ABAC authorization entry. For example, message queue middleware with at-least-once delivery can be used to ensure that events are sent and processed successfully. Since at-least-once delivery can deliver the same event more than once, the entry update must be idempotent (insert if absent, delete if present) so that a redelivered event cannot corrupt the authorization graph.
In addition, a periodic polling mechanism can compare the ABAC authorization table with the service data at intervals, check the correctness of the authorization graph, and correct errors in time.
Authentication layer:
The authentication logic is updated to the following flow, taking organization member U viewing document C as an example:
1. judge whether member U is an administrator or the creator of document C, and grant the corresponding rights;
2. ABAC authorization entry authentication:
(1) Suppose member U has rights on document C. Then either the rights originate from U having been added directly as a collaborator of C, or from U having been added as a collaborator of some ancestor folder of C, in which case the authorization entry table holds <user U, folder N, collaboration>, <folder N, folder N-1, collaboration>, ..., <folder B, folder A, collaboration>, <folder A, document C, view>;
(2) the relationship between U and C is computed directly using the index capability of the graph database; if an association path is found, authorization succeeds.
With the authentication method provided by the embodiment, no matter how deep the folder and document hierarchy is, the authentication process is reduced to a single database query, and authentication efficiency is markedly improved. The cost of that single query still grows with the length of the ancestor chain and the fan-out of the graph, and the rights cap on each edge must be applied along the path, so a collaborator of folder N obtains only the view right on C. Moreover, the method is highly extensible, adapts well to subsequent iterations of the service system, and can support various complex implicit authorization schemes.
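As an added example (not code from the patent or from the platform it describes), the following Python runs the optimized flow above on an entry table held in SQLite, and also realizes the query selection by number of levels described earlier (a LEFT JOIN chain for a shallow hierarchy, a recursive query for a deep one). The threshold, the table layout and column names, and the sample data (folders N, M, B, A, document C, users U, V, W) are assumptions:

```python
"""Added example (not code from the patent or the platform it describes): the
optimized authentication flow of the worked example on an entry table held in
SQLite, with the query method chosen by the number of levels. DEPTH_THRESHOLD,
the tables, column names and sample data are assumptions."""
import sqlite3

DEPTH_THRESHOLD = 3   # assumption: at this many levels switch to the recursive query
MAX_HOPS = 64         # guard so a mis-maintained (cyclic) graph cannot loop forever


def load_sample():
    """Constructed data: U collaborates on top folder N; N > M > B > A > document C."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE entries(subject TEXT, resource TEXT, rights TEXT, kind TEXT);
        CREATE INDEX ix_entries_subject ON entries(subject);
        CREATE TABLE documents(id TEXT, creator TEXT);
        CREATE TABLE admins(member TEXT);
        INSERT INTO documents VALUES ('document C', 'user V');
        INSERT INTO admins VALUES ('user W');
    """)
    chain = ["folder N", "folder M", "folder B", "folder A"]
    rows = [("user U", "folder N", "collaboration", "direct")]          # <member, folder, rights>
    rows += [(p, c, "collaboration", "inherit") for p, c in zip(chain, chain[1:])]
    rows.append(("folder A", "document C", "view", "inherit"))         # <parent, child, cap>
    conn.executemany("INSERT INTO entries VALUES (?,?,?,?)", rows)
    return conn


DEPTH_SQL = """
WITH RECURSIVE chain(node, depth) AS (
    SELECT resource, 1 FROM entries WHERE kind = 'inherit'
       AND subject NOT IN (SELECT resource FROM entries WHERE kind = 'inherit')
    UNION
    SELECT e.resource, c.depth + 1 FROM chain c JOIN entries e ON e.subject = c.node
    WHERE e.kind = 'inherit' AND c.depth < :maxhops
)
SELECT COALESCE(MAX(depth), 0) FROM chain"""


def hierarchy_depth(conn):
    """Number of levels: the longest parent->child chain among the inherit edges."""
    return conn.execute(DEPTH_SQL, {"maxhops": MAX_HOPS}).fetchone()[0]


def join_chain_sql(hops):
    """Fixed chain of LEFT JOINs: a path of at most `hops` edges from :sub to :res
    whose final edge carries the requested right :op."""
    froms = "entries e1" + "".join(
        f" LEFT JOIN entries e{i} ON e{i}.subject = e{i-1}.resource" for i in range(2, hops + 1))
    hits = " OR ".join(f"(e{i}.resource = :res AND e{i}.rights = :op)" for i in range(1, hops + 1))
    return f"SELECT 1 FROM {froms} WHERE e1.subject = :sub AND ({hits}) LIMIT 1"


RECURSIVE_SQL = """
WITH RECURSIVE reach(node, rights, depth) AS (
    SELECT resource, rights, 1 FROM entries WHERE subject = :sub
    UNION
    SELECT e.resource, e.rights, r.depth + 1 FROM reach r JOIN entries e ON e.subject = r.node
    WHERE r.depth < :maxhops
)
SELECT 1 FROM reach WHERE node = :res AND rights = :op LIMIT 1"""


def has_entry_path(conn, member, resource, op, strategy=None):
    """Step 2 of the flow: one query decides whether member reaches resource with op.
    The query method is picked from the number of levels unless forced by `strategy`."""
    levels = hierarchy_depth(conn)
    if strategy is None:
        strategy = "join" if levels < DEPTH_THRESHOLD else "recursive"
    params = {"sub": member, "res": resource, "op": op, "maxhops": MAX_HOPS}
    sql = join_chain_sql(levels + 1) if strategy == "join" else RECURSIVE_SQL
    return conn.execute(sql, params).fetchone() is not None


def authenticate(conn, member, doc, op="view"):
    """Returns why the request is released ('admin', 'creator', 'entry'), or None to intercept."""
    if conn.execute("SELECT 1 FROM admins WHERE member = ?", (member,)).fetchone():
        return "admin"
    if conn.execute("SELECT 1 FROM documents WHERE id = ? AND creator = ?",
                    (doc, member)).fetchone():
        return "creator"
    if has_entry_path(conn, member, doc, op):
        return "entry"
    return None
```

Both query forms answer the same question, so they can be cross-checked on the same data; the recursive form carries the rights of the last edge along with each reached node, which is how the view-only cap on the folder-to-document edge is enforced without a second query.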
The embodiment of the present application further provides an ABAC-based authentication apparatus, which may include a receiving module 11, an authentication module 12 and an output module 13, as shown in fig. 4:
the receiving module 11 is configured to receive request information of a user;
the authentication module 12 is configured to authenticate the request information according to a target authorization rule to obtain an authentication result; the target authorization rule is an authorization rule obtained by carrying out item expansion according to the hierarchical relationship of the default authorization items of the ABAC;
and the output module 13 is configured to release or intercept the request information according to the authentication result.
It is to be understood that this embodiment is the apparatus counterpart of the above embodiment of the ABAC-based authentication method; the implementation details of that method embodiment also apply to this apparatus embodiment and are not repeated here.
In addition, an ABAC-based authentication device is provided in the embodiment of the present application, with the structure shown in fig. 5: it includes a memory 21 for storing computer-readable instructions and a processor 22 for executing them, and when the computer-readable instructions are executed by the processor, the processor is triggered to execute the ABAC-based authentication method.
The methods and/or embodiments of the present application embodiments may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated by the flow chart. The computer program, when executed by a processing unit, performs the above-described functions defined in the method of the present application.
It should be noted that the computer readable medium described herein can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this application, a computer readable medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart or block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As another aspect, the present application also provides a computer-readable medium, which may be included in the apparatus described in the foregoing embodiments; or may be separate and not assembled into the device. The computer-readable medium carries one or more computer-readable instructions executable by a processor to implement the steps of the method and/or solution of the embodiments of the present application as described above.
In a typical configuration of the present application, the terminal and the device serving the network each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media and may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information and which can be accessed by a computing device.
In addition, the embodiment of the application also provides a computer program stored in a computer device, which causes the computer device to execute the method described above.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, as an Application Specific Integrated Circuit (ASIC), a general purpose computer or any other similar hardware device. In some embodiments, the software programs of the present application may be executed by a processor to implement the above steps or functions. Likewise, the software programs (including associated data structures) of the present application may be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Additionally, some of the steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (10)

1. An ABAC-based authentication method, the method comprising:
receiving request information of a user;
authenticating the request information according to a target authorization rule to obtain an authentication result; the target authorization rule is an authorization rule obtained after item expansion is carried out on the basis of the hierarchical relation of the default authorization items of the ABAC;
and releasing or intercepting the request information according to the authentication result.
2. The method according to claim 1, wherein the target authorization rule is generated by a method comprising:
acquiring the hierarchical relation of the default authorization entry;
determining the authority inheritance relationship of the default authorization entry according to the hierarchy relationship;
and performing entry extension on the default authorization entry according to the permission inheritance relationship to obtain the target authorization rule.
3. The method according to claim 2, wherein the performing entry extension on the default authorization entry according to the permission inheritance relationship comprises:
determining parent resources and child resources of resources in the default authorization entry according to the authority inheritance relationship;
acquiring a permission upper limit, wherein the permission upper limit is used for representing the upper limit of the operation permission which can be executed on the resource in the permission inheritance relationship;
determining an additional authorization entry according to the parent resource, the child resource and the authority upper limit;
and performing entry extension on the default authorization entry according to the additional authorization entry.
4. The method of claim 1, wherein the authenticating the request information according to the target authorization rule to obtain an authentication result comprises:
determining the number of the levels of the hierarchical relationship according to the hierarchical relationship;
determining a data query method executed on the target authorization rule according to the number of the levels;
and authenticating the request information according to the data query method and the target authorization rule to obtain an authentication result.
5. The method of claim 1, wherein the hierarchical relationship of the target authorization rule is characterized by a hierarchy map.
6. The method according to claim 5, wherein said hierarchical graph is managed through a graph database.
7. The method according to any one of claims 1 to 6, wherein after the authenticating the request information according to the target authorization rule to obtain an authentication result, the method further comprises:
and if update information is received, updating the target authorization rule according to the update information.
8. An ABAC-based authentication apparatus, comprising a receiving module, an authentication module, and an output module:
the receiving module is used for receiving request information of a user;
the authentication module is used for authenticating the request information according to a target authorization rule to obtain an authentication result; the target authorization rule is an authorization rule obtained after item expansion is carried out according to the hierarchical relation of the default authorization items of the ABAC;
and the output module is used for releasing or intercepting the request information according to the authentication result.
9. An ABAC-based authentication apparatus, the apparatus comprising:
one or more processors; and
a memory storing computer program instructions that, when executed, cause the processor to perform the method of any of claims 1 to 7.
10. A computer readable medium having stored thereon computer program instructions executable by a processor to implement the method as claimed in claims 1 to 7.
CN202211293935.4A 2022-10-21 2022-10-21 ABAC-based authentication method, apparatus, device and computer readable medium Active CN115618387B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211293935.4A CN115618387B (en) 2022-10-21 2022-10-21 ABAC-based authentication method, apparatus, device and computer readable medium

Publications (2)

Publication Number Publication Date
CN115618387A true CN115618387A (en) 2023-01-17
CN115618387B CN115618387B (en) 2024-02-06

Family

ID=84865287

Country Status (1)

Country Link
CN (1) CN115618387B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130227638A1 (en) * 2012-02-27 2013-08-29 Axiomatics Ab Provisioning authorization claims using attribute-based access-control policies
CN104967620A (en) * 2015-06-17 2015-10-07 中国科学院信息工程研究所 Access control method based on attribute-based access control policy
EP2993606A1 (en) * 2014-09-05 2016-03-09 Axiomatics AB Provisioning system-level permissions using attribute-based access control policies
WO2016095365A1 (en) * 2014-12-18 2016-06-23 中兴通讯股份有限公司 Authorization processing method and apparatus
CN109815654A (en) * 2019-01-23 2019-05-28 山东浪潮通软信息科技有限公司 A kind of data access control method and device
CN110858833A (en) * 2018-08-22 2020-03-03 京东方科技集团股份有限公司 Access control policy configuration method, device and system and storage medium
CN111556005A (en) * 2019-12-31 2020-08-18 远景智能国际私人投资有限公司 Authority management method, device, electronic equipment and storage medium
CN112883390A (en) * 2021-02-18 2021-06-01 腾讯科技(深圳)有限公司 Authority control method and device and storage medium
US20220292211A1 (en) * 2021-03-11 2022-09-15 EMC IP Holding Company LLC Access control rights assignment capabilities utilizing a new context-based hierarchy of data based on new forms of metadata

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Djebari Nabil et al.: "ABAC Conceptual Graph Model for Composite Web Services", 2018 IEEE 5th International Congress on Information Science and Technology (CiSt) *
Fang Liang; Yin Lihua; Guo Yunchuan; Fang Binxing: "A Survey of Key Techniques of Attribute-Based Access Control" (基于属性的访问控制关键技术研究综述), Chinese Journal of Computers (计算机学报), no. 07 *

Also Published As

Publication number Publication date
CN115618387B (en) 2024-02-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant