CN115618387B - ABAC-based authentication method, apparatus, device and computer readable medium - Google Patents


Info

Publication number
CN115618387B
Authority
CN
China
Prior art keywords
authorization
abac
authority
entry
authentication
Legal status
Active
Application number
CN202211293935.4A
Other languages
Chinese (zh)
Other versions
CN115618387A (en
Inventor
蒋仕龙
王磊
Current Assignee
Shanghai Hejin Information Technology Co ltd
Original Assignee
Shanghai Hejin Information Technology Co ltd
Application filed by Shanghai Hejin Information Technology Co ltd
Priority to CN202211293935.4A
Publication of CN115618387A
Application granted
Publication of CN115618387B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F 21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The application provides an ABAC-based authentication method, apparatus, device and computer readable medium. The ABAC-based authentication method comprises the following steps: receiving request information of a user; authenticating the request information according to a target authorization rule to obtain an authentication result, where the target authorization rule is an authorization rule obtained by entry expansion based on the hierarchical relationship of the default ABAC authorization entry; and releasing or intercepting the request information according to the authentication result. The scheme can at least be used to solve the technical problem that existing ABAC-based authentication consumes a large amount of computation.

Description

ABAC-based authentication method, apparatus, device and computer readable medium
Technical Field
The present disclosure relates to the field of information technology, and in particular to an ABAC-based authentication method, apparatus, device and computer readable medium. Throughout this translation, "authentication" denotes the access-control decision taken on a request (whether it is released or intercepted), not the verification of a user's identity.
Background
In an operating system, permissions are an important mechanism for keeping a multi-user system working properly. A file or program carries attributes that state which authorized users may read, write or execute it. A general-purpose program automatically inherits the rights of whichever user runs it. For example, in Windows, when the Administrator user and an ordinary user (say, Etuser) each open Notepad, the two Notepad processes run with different rights. Role-based access control and attribute-based access control are the two rights models most widely adopted in rights management systems.
Attribute-Based Access Control, "ABAC" for short, is an access control model proposed to handle trust relationships in distributed industry applications. ABAC makes access decisions from a set of characteristics called "attributes": the subject attributes (also called user attributes), object attributes (also called resource attributes) and environment attributes of an entity.
Role-Based Access Control, "RBAC" for short, is an access control model for implementing enterprise security policy. Its basic idea is that the various rights to operate on the system are not granted directly to specific users; instead a set of roles is established between the set of users and the set of rights, each role corresponding to a set of rights. Once a user has been assigned a role, the user holds all the operating rights of that role. A role here generally denotes a group of people with some common characteristic, such as department, location, seniority, level or job responsibility.
Compared with RBAC, ABAC can grant resources at fine granularity and evaluate dynamically according to context, so it is more flexible and dynamic.
In practice, ABAC and RBAC are often used where rights must be inherited: commands executed by a user automatically inherit that user's rights, and when an operation touches a file the current user has no rights to, the operating system interrupts it and prompts.
The inventors found at least the following technical problem in the related art:
Where rights inheritance is needed, RBAC associates rights with roles, so hierarchical inheritance can be realised through the roles' authorization logic. ABAC's authorization logic, however, is usually fragmented and depends on context attributes, so ABAC-based rights inheritance is usually implicit and coupled with business logic; and rights inheritance under implicit authorization consumes a great deal of computation, i.e. it is costly in terms of the system's computing performance.
Disclosure of Invention
An object of the present application is to provide an ABAC-based authentication method, apparatus, device and computer readable medium, at least to solve the technical problem that existing ABAC-based authentication consumes a large amount of computation.
To this end, some embodiments of the present application provide an ABAC-based authentication method comprising: receiving request information of a user; authenticating the request information according to a target authorization rule to obtain an authentication result, where the target authorization rule is an authorization rule obtained by entry expansion based on the hierarchical relationship of the default ABAC authorization entry; and releasing or intercepting the request information according to the authentication result.
Some embodiments further provide an ABAC-based authentication apparatus comprising a receiving module, an authentication module and an output module: the receiving module receives the request information of the user; the authentication module authenticates the request information according to the target authorization rule to obtain an authentication result, where the target authorization rule is an authorization rule obtained by entry expansion according to the hierarchical relationship of the default ABAC authorization entry; and the output module releases or intercepts the request information according to the authentication result.
Some embodiments also provide an ABAC-based authentication device comprising one or more processors and a memory storing computer program instructions that, when executed, cause the processor to perform the ABAC-based authentication method described above.
Some embodiments also provide a computer readable medium storing computer program instructions executable by a processor to implement the ABAC-based authentication method described above.
Compared with the related art, in the scheme of the embodiments the user's request information, once received, is authenticated according to the target authorization rule to obtain an authentication result, and the request is then released or intercepted accordingly. The target authorization rule is obtained by expanding the default ABAC authorization entry structure according to its hierarchical relationship; in essence the hierarchical relationship is further optimised and expanded so that rights which the related art cannot cache in advance are moved into ABAC, and an ABAC model that supports implicit rights inheritance with lower computing-performance loss is constructed. This reduces the computational complexity of the rights management system and the amount of computation consumed, and improves authentication efficiency.
Drawings
Fig. 1 is a flowchart of an ABAC-based authentication method provided in an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a rights management system of the related art, as referred to in an embodiment of the present application;
Fig. 3 is a schematic diagram of an application example of an ABAC-based authentication method according to the embodiments of the present application;
Fig. 4 is a schematic structural diagram of an ABAC-based authentication apparatus according to the embodiments of the present application;
Fig. 5 is a schematic structural diagram of an ABAC-based authentication device according to the embodiments of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The following terms are used herein.
Layering: when the layering of a system is clear and accurate, the upper business layers share the same abstraction; the uppermost layer is the combination of components and layout, while mapping functions such as filter linkage, data query and the mapping from the data model to primitive relationships are additional items, and removing those items does not affect the operation of the system.
Fragmenting: fragmented logic is logic assembled from scattered pieces of information.
Algorithm complexity: divided into time complexity and space complexity. Time complexity is the amount of computation required to execute the algorithm; space complexity is the memory space required to execute it. (The complexity of an algorithm reflects how many computer resources it needs to run; the most important resources are time and space, i.e. memory, hence the two kinds of complexity.) The time an algorithm spends is taken to be proportional to the number of statement executions in it, so the algorithm that executes more statements takes more time.
Graph: a structure consisting of a number of given vertices and edges connecting the vertices, commonly used to describe a particular relationship between things. Vertices represent things, and the edges connecting them represent the relationship between two things.
Database (DB): a set of data organized according to a data model and stored in secondary storage.
MongoDB: a database based on distributed file storage is aimed at providing an extensible high-performance data storage solution for WEB applications.
Implicit authorization in the related art is described first.
Implicit authorization is the counterpart of explicit authorization: no explicitly declared rights-granting logic exists. It is usually tied to the interaction of specific scenarios and entities in the business, and authentication usually requires dynamic computation.
For example, suppose a business has two entities, items and knowledge bases, and rights to either can be granted to particular users through ABAC. Such a grant is explicit authorization, and during authentication ABAC only has to check whether a matching authorization entry such as (knowledge base A, user a) exists. In some business scenarios, however, the rights to items and knowledge bases are not independent. Consider the requirement: an administrator adds item p to knowledge base A, and user a, who already had rights to knowledge base A, should now also be allowed to access item p. The related-art ABAC does not create a new explicit (item p, user a) authorization entry; on this business path, user a's rights to item p are inherited indirectly from the parent knowledge base A of item p, i.e. by implicit authorization.
Why, in the example above, does ABAC not simply create a new explicit (item p, user a) entry? The inventors note that with explicit authorization, whenever any node on a business path changes, the change must be synchronously propagated to every ABAC entry associated with that path. Continuing with the authorization relationship among users, knowledge bases and items, ABAC could pre-construct the set of entries for all items associated with a task and all authorized objects (users), (a1 .. an) x (p1 .. pn). Whenever an update arrives, at least the following three scenarios have to be handled:
(1) When the authorized objects change, the set of users a must be recalculated and the ABAC entries rebuilt;
(2) When the knowledge base associated with the task changes, the set of items p must be recalculated and the ABAC entries rebuilt;
(3) When an item within the knowledge base associated with the task changes, the set of items p must be recalculated and the ABAC entries rebuilt.
It follows that with explicit authorization, ABAC is tightly bound to the entities and must react to all of these events to keep every authorization entry in step, which makes the entries very sensitive to such changes. A design in which one change pulls the whole body along is unreasonable: once a knowledge base has been authorized to a person or an organization, users will not accept having to re-authorize its contents one by one. From a product-logic perspective it is therefore reasonable to inherit rights through implicit authorization, but the inventors found a technical challenge in implementing it: rights inheritance under implicit authorization consumes a great deal of computation.
Take the rights management system authenticating (item p, user a) as an example. For explicit authorization it only has to query whether a corresponding entry exists in the database. For implicit authorization, as in the example above (knowledge base A -> item p in knowledge base A -> user a), the authentication logic may be as follows:
This authentication logic has a performance problem (IO 1): finding knowledge base A from item p is expensive, because item p may have been added to any knowledge base, so the lookup has to scan the whole relation and consumes more database computing resources (CPU and memory) and more network throughput for data transfer. This business scenario is still relatively simple, so in practice it can be optimised by indexing, caching and the like. Real business scenarios are far more complex; adding a single "course" layer to the hierarchy of the above example shows that the complexity of the authentication algorithm grows exponentially with the number of levels.
Specifically, assume a new path through a "course" entity is added to the business scenario: course T may be associated with knowledge base A, and course T and knowledge base A may each also be directly associated with item p. Deciding whether item p of course T is authorized to user a then follows the logic below:
it can be seen that the algorithm includes the following 3 strategies:
1. the user is directly authorized to access the item;
2. the item is in a course or knowledge base that a certain user has permission to access;
3. the item is in a knowledge base which is associated with courses for which a user has rights;
the algorithm judges sequentially according to the above strategies; the complex part in the middle of the algorithm is to find all courses and knowledge bases of the project, and then to inquire all courses related to the knowledge bases, so that whether the project can be accessed can be judged according to whether the user has the listed authority of the entities. It can be seen that the number of IO requests is several times greater than the number of O (n 2) complexity calculations after adding a layer of paths. That is, in implicit authorization, as the path level increases, the complexity of the authentication logic increases geometrically, as the rights management system needs to traverse layer by layer to find a satisfactory entry among the entries of the ABAC. It can be seen that if the method is not optimized, the worst case is IO (n++level number) computation, and is accompanied by a large amount of data IO; furthermore, in this approach, the rights management system gradually generates deep coupling to the service, whose dynamic computation is very dependent on the entity's interaction logic, which is detrimental to subsequent testing and maintenance iterations.
Moreover, it can be understood by those skilled in the art that whether the determination of inherited rights is dynamically processed at the authentication layer of the rights management system or the determination of inherited rights is dynamically processed at the authorization layer of the rights management system, whether the user has rights and needs to pull out all associated parent entities is determined whether the user has rights of a parent entity because the user is not directly authorized to access the entity in implicit authorization. Since the association relationship between entities may change at any time, the authentication algorithm which is very dynamic cannot be cached in advance, which results in the complexity of processing of the rights management system being increased, and the coupling degree between the rights management system and the business logic details is also not ideal.
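The three strategies above, carried out over constructed in-memory tables so that the cost of each step can be counted. This is an added illustration by the editor, not code from the patent: the table layout, the entity and user names (course T, knowledge base A, item p, users a and b) and the IO accounting are assumptions made for the example.

```python
"""Related-art implicit authorization check (strategies 1-3 above).

Editor's illustration, not the patent's code. The dicts stand in for database
collections; every lookup against them counts as one IO, so the cost of each
strategy is visible. All data is constructed.
"""

# Explicit ABAC entries: (subject, resource, right).
ENTRIES = {
    ("user_a", "course_T", "read"),   # user a holds course T directly
    ("user_b", "kb_A", "read"),       # user b holds knowledge base A directly
}
# Containment relations, parent -> set of children (constructed).
COURSE_TO_KB = {"course_T": {"kb_A"}}
KB_TO_ITEM = {"kb_A": {"item_p"}}
COURSE_TO_ITEM = {"course_T": set()}   # course T holds no item directly

IO = {"count": 0}   # number of simulated database round trips


def has_explicit(subject, resource, right):
    """One indexed lookup of an explicit entry."""
    IO["count"] += 1
    return (subject, resource, right) in ENTRIES


def parents_of(child, table):
    """Reverse lookup: every parent that contains `child`.

    The related art must scan the whole relation because a child may have been
    added to any parent; this scan is what the page calls IO 1.
    """
    IO["count"] += 1
    return {parent for parent, kids in table.items() if child in kids}


def implicit_check(subject, item, right):
    """Apply strategies 1-3 in order; return (decision, number of IOs used)."""
    IO["count"] = 0
    # 1. the subject is directly authorized on the item
    if has_explicit(subject, item, right):
        return True, IO["count"]
    # 2. the item sits in a course or knowledge base the subject may access
    kbs = parents_of(item, KB_TO_ITEM)
    courses = parents_of(item, COURSE_TO_ITEM)
    for holder in sorted(kbs | courses):
        if has_explicit(subject, holder, right):
            return True, IO["count"]
    # 3. the item sits in a knowledge base linked to a course the subject may access
    for kb in sorted(kbs):
        for course in sorted(parents_of(kb, COURSE_TO_KB)):
            if has_explicit(subject, course, right):
                return True, IO["count"]
    return False, IO["count"]
```

Every additional level adds another reverse scan per candidate parent before a single explicit lookup can be made, which is the growth the page describes; a user holding the top of the hierarchy (user a) is the most expensive case, and a denied user pays the full cost every time.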
Based on the above, the embodiment of the present application provides an ABAC-based authentication method: after a user's request information is received, it is authenticated according to a target authorization rule to obtain an authentication result, and the request is then released or intercepted accordingly. The target authorization rule is obtained by expanding the default ABAC authorization entry structure according to its hierarchical relationship; in essence the hierarchical relationship is optimised and expanded so that the rights which the related art cannot cache in advance are moved into ABAC, yielding an ABAC model that supports implicit rights inheritance with lower computing-performance loss. This reduces the computational complexity of the rights management system and the amount of computation consumed, and improves authentication efficiency.
As shown in fig. 1, the ABAC-based authentication method provided in the embodiment of the present application may include the following steps:
step S101, receiving request information of a user.
Step S102, the request information is authenticated according to the target authorization rule, and an authentication result is obtained. The target authorization rule is an authorization rule obtained after entry expansion based on the hierarchical relationship of the default authorization entry of the ABAC.
Step S103, according to the authentication result, the request information is released or intercepted.
Fig. 2 shows the structural connections of a rights management system in some examples of the related art. The rights management system comprises an authorization layer and an authentication layer. After a user's request information is received, the authorization layer authenticates it according to the target authorization rule to obtain an authentication result, and the authentication layer releases or intercepts the request according to that result, so the computational complexity of the authentication layer is reduced.
Specifically, in some examples the default ABAC authorization entry has the structure (object, resource, rights), where the object is the grantee, meaning: grant the object the specified operation rights on the specified resource. The default entry is then expanded according to its hierarchical relationship to obtain the target authorization rule. After the user's request information is received, it is authenticated according to the target authorization rule to obtain an authentication result, and the request is released or intercepted accordingly.
Take the authentication scenario (item p, user a) as an example and assume the preceding path is (task T, knowledge base A) and user a holds the read right on task T, i.e. the entry (user a, task T, read). Under the scheme of the embodiment, the hierarchical relationship of the default entry is expanded with the entries (task T, knowledge base A) and (knowledge base A, item p), giving the expanded authorization rule, i.e. the target authorization rule: (user a, task T -> knowledge base A -> item p, read). If the authentication result for the request is "pass", the request is released and user a may read item p; if it is "fail", the request is intercepted and user a may not.
In practice the hierarchical relationship of the target authorization rule can be embodied as a hierarchy graph, in which a point represents an entity and a connection (edge) between two points represents the relationship between the two entities. As the business expands, more entity relationships are generated; with the method of the embodiment, the connections between each node of the hierarchy graph and the authorized entities are built through edges, so an authorization query only has to map the edges of the data structure that correspond to the new relationship.
The scheme of the embodiment can also be extended to scenarios with more complex rights systems, such as any content collaboration platform.
In short, compared with the related art, the embodiment moves the rights that previously had to be computed dynamically into expanded ABAC entries, so that authentication against the target authorization rule supports implicit rights inheritance with lower computing-performance loss, lower computation cost and higher authentication efficiency.
In some embodiments of the present application, the method for generating the target authorization rule may include: acquiring the hierarchical relationship of the default authorization entry; determining the authority inheritance relationship of the default authorization item according to the hierarchical relationship; and carrying out item expansion on the default authorization item according to the permission inheritance relationship so as to obtain the target authorization rule.
Specifically, if item p is associated with task T and also with knowledge base A, a rights inheritance relationship can be considered to exist between task T and knowledge base A, and the default authorization entry can be expanded according to that relationship to obtain the target authorization rule.
Compared with the related art, this gives a concrete way of expanding the default ABAC authorization entry structure according to its hierarchical relationship, which makes the embodiment flexible to implement.
In some embodiments, expanding the default authorization entry according to the rights inheritance relationship may comprise: determining the parent resource and child resource of the resource in the default authorization entry according to the rights inheritance relationship; obtaining an upper limit of rights, which represents the maximum operation rights that may be exercised on the resource under the inheritance relationship; determining an additional authorization entry from the parent resource, the child resource and the upper limit of rights; and expanding the default authorization entry with the additional authorization entry.
The upper limit of rights is explained by example. Suppose a user's full set of rights on a parent resource is read and write, meaning the user can read the comments on the resource and post comments. The user's operation rights on a child resource cannot exceed that set: the user's rights on the child resource are still at most read and write, and an operation beyond them, such as deleting the child resource, is not permitted.
Specifically, in some examples the default ABAC authorization entry has the structure (object, resource, rights), meaning: grant the object the specified operation rights on the specified resource. In the embodiment, entry expansion is performed according to the hierarchical relationship of that structure. For example, a new entry may have the structure (parent, child, upper limit of rights), meaning: bind the child resource to the authorized group of the parent resource, with the rights on the child not exceeding the specified upper limit. Such a new authorization entry acts as an edge of the hierarchy in the rights management system, and on this data structure an authorization graph can be built in the entry table to speed up computing the authentication result.
To sum up, the default ABAC entry structure is object-resource-rights, which constitutes one right, and the additional entry structure used for expansion is parent-child-upper limit of rights. The specific structure design and the entries to be generated depend on the business authorization scenario and are not limited by the embodiment.
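An added example of the two entry shapes described above and of the authorization graph built from the additional entries. It is the editor's illustration, not the patent's implementation: rights are modelled as sets of operation names, the sample entries are constructed, and the cycle guard in the graph walk is an assumption the page does not discuss (a hierarchy containing a cycle would otherwise loop).

```python
"""Entry expansion and authorization-graph check (editor's illustration).

Default entries keep the page's (object, resource, rights) shape; additional
entries keep its (parent, child, upper limit of rights) shape. All data below
is constructed. The `visited` set is this example's own addition: the page
does not say what happens when the hierarchy contains a cycle.
"""
from collections import defaultdict

DEFAULT_ENTRIES = [
    ("user_a", "task_T", {"read", "write"}),
    ("user_b", "kb_A", {"read"}),
]
# (parent, child, upper limit): rights the child may inherit through this edge.
EXTENSION_ENTRIES = [
    ("task_T", "kb_A", {"read", "write"}),
    ("kb_A", "item_p", {"read"}),   # items under kb_A are inherited read-only
]


def build_graph(extension_entries):
    """Adjacency list parent -> [(child, upper_limit)]: the edges of the authorization graph."""
    graph = defaultdict(list)
    for parent, child, limit in extension_entries:
        graph[parent].append((child, frozenset(limit)))
    return graph


def effective_rights(subject, resource, default_entries, graph):
    """Rights on `resource` reachable from every default entry held by `subject`.

    Along a path the carried rights are intersected with each edge's upper
    limit, so a child never gets more than its parent grants and never more
    than the edge allows.
    """
    rights = set()
    for subj, root, granted in default_entries:
        if subj != subject:
            continue
        # depth-first walk; `visited` stops a cyclic hierarchy from looping (assumption)
        stack = [(root, frozenset(granted), frozenset({root}))]
        while stack:
            node, carried, visited = stack.pop()
            if node == resource:
                rights |= carried
                continue
            for child, limit in graph.get(node, ()):
                if child in visited:
                    continue
                narrowed = carried & limit
                if narrowed:   # an edge that strips every right is not worth following
                    stack.append((child, narrowed, visited | {child}))
    return rights


def authenticate(subject, resource, right, default_entries, extension_entries):
    """Release (True) or intercept (False) the request, the page's step S103."""
    graph = build_graph(extension_entries)
    return right in effective_rights(subject, resource, default_entries, graph)
```

The request is released only if the requested right survives the intersection with every upper limit on some path from a resource the subject holds explicitly down to the requested one, so a child can never yield a right its parent does not grant; adding an item to a knowledge base costs one new edge, not a rebuild of the (user, item) entries.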
Compared with the related art, the embodiment of the application provides an implementation mode for carrying out item expansion on the default authorized item according to the permission inheritance relation, which is beneficial to flexible and changeable implementation of the embodiment of the application.
In some embodiments of the present application, authenticating the request information according to the target authorization rule may include: determining the number of levels of the hierarchical relationship according to the hierarchical relationship; determining, according to the number of levels, the data query method to execute on the target authorization rule; and authenticating the request information according to the data query method and the target authorization rule to obtain an authentication result.
In some examples, for a database such as MongoDB, which supports graph computation from version 3.4 onward, graph queries within a single collection (table) can be made, for example with the $graphLookup stage of the aggregate pipeline. Those skilled in the art will appreciate that the graphs referred to here are abstract graphs.
For a relational database such as MySQL, the number of levels of the hierarchical relationship is determined from the hierarchy, and when the number of levels is small (below a preset threshold) the data query on the target authorization rule is executed with multiple LEFT JOINs. Otherwise, when the number of levels is large (greater than or equal to the preset threshold), a dynamic recursive query can be used to execute the data query on the target authorization rule, for example in combination with a dedicated graph database such as Neo4j, so that query performance can be improved.
Compared with the related art, the ABAC-based authentication method provided by the embodiment of the application executes different data query methods on the target authorization rule according to the number of levels in the hierarchical relationship, which further improves query performance.
In some embodiments of the present application, the hierarchical relationship of the target authorization rule may be characterized by a hierarchical graph. This was described above and, to avoid repetition, is not repeated here.
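The depth-dependent choice between an unrolled chain of LEFT JOINs and a recursive query, as an added example that is not the patent's own code. It uses Python's built-in sqlite3 as a stand-in for MySQL (sqlite also supports WITH RECURSIVE); the table names, the threshold value, the single-string permission caps and the five-level sample hierarchy are all constructed here. The number of LEFT JOINs is derived from the measured depth rather than fixed, and both strategies apply the edge's upper limit at every hop:

```python
import sqlite3

# Constructed threshold: hierarchies shallower than this are queried with LEFT JOINs,
# deeper ones with a recursive query (the patent leaves the threshold to the deployment).
JOIN_DEPTH_THRESHOLD = 4

SCHEMA = """
CREATE TABLE authz_entry (subject TEXT, resource TEXT, permission TEXT); -- (object, resource, rights)
CREATE TABLE authz_edge  (parent TEXT, child TEXT, cap TEXT);            -- (parent, child, upper limit)
"""

# Constructed sample data: alice may view the root folder; a five-level chain ends in a document.
ENTRIES = [("alice", "root", "view")]
EDGES = [("root", "f1", "view"), ("f1", "f2", "view"), ("f2", "f3", "view"),
         ("f3", "f4", "view"), ("f4", "doc", "view")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO authz_entry VALUES (?,?,?)", ENTRIES)
    conn.executemany("INSERT INTO authz_edge VALUES (?,?,?)", EDGES)
    return conn


def depth_of(conn, resource):
    """Number of ancestor levels above `resource` (the 'number of levels' of the hierarchy).
    The lvl bound stops the walk if a malformed graph contains a cycle."""
    row = conn.execute("""
        WITH RECURSIVE up(node, lvl) AS (
            SELECT ?, 0
            UNION ALL
            SELECT e.parent, up.lvl + 1 FROM authz_edge e JOIN up ON e.child = up.node
             WHERE up.lvl < 64
        )
        SELECT MAX(lvl) FROM up""", (resource,)).fetchone()
    return row[0] or 0


def authorize_with_joins(conn, subject, resource, permission, depth):
    """Shallow hierarchy: unroll the walk to the ancestors into `depth` joined copies of the edge table.
    Each LEFT JOIN also checks the edge's cap, so a hop whose cap excludes the permission breaks the chain."""
    if depth < 1:
        return False
    ancestors = ["e0.parent"]
    sql = "SELECT 1 FROM authz_edge e0"
    for i in range(1, depth):
        sql += (f" LEFT JOIN authz_edge e{i}"
                f" ON e{i}.child = e{i-1}.parent AND e{i}.cap = :perm")
        ancestors.append(f"e{i}.parent")
    sql += (" JOIN authz_entry a ON a.subject = :subj AND a.permission = :perm"
            f" AND a.resource IN ({', '.join(ancestors)})"
            " WHERE e0.child = :res AND e0.cap = :perm LIMIT 1")
    params = {"subj": subject, "perm": permission, "res": resource}
    return conn.execute(sql, params).fetchone() is not None


def authorize_recursive(conn, subject, resource, permission):
    """Deep hierarchy: one recursive query collects every ancestor reachable through edges
    whose cap admits the permission; UNION (not UNION ALL) makes it terminate on cycles."""
    sql = """
        WITH RECURSIVE ancestors(node) AS (
            SELECT e.parent FROM authz_edge e WHERE e.child = :res AND e.cap = :perm
            UNION
            SELECT e.parent FROM authz_edge e JOIN ancestors an ON e.child = an.node
             WHERE e.cap = :perm
        )
        SELECT 1 FROM authz_entry a JOIN ancestors an ON a.resource = an.node
         WHERE a.subject = :subj AND a.permission = :perm LIMIT 1"""
    params = {"subj": subject, "perm": permission, "res": resource}
    return conn.execute(sql, params).fetchone() is not None


def authorize(conn, subject, resource, permission):
    """Entry point: a direct entry wins; otherwise inherited rights are resolved with the
    strategy selected by the measured depth. Returns (decision, strategy used)."""
    direct = conn.execute(
        "SELECT 1 FROM authz_entry WHERE subject=? AND resource=? AND permission=?",
        (subject, resource, permission)).fetchone()
    if direct:
        return True, "direct"
    depth = depth_of(conn, resource)
    if depth == 0:
        return False, "no-ancestors"
    if depth < JOIN_DEPTH_THRESHOLD:
        return authorize_with_joins(conn, subject, resource, permission, depth), "join"
    return authorize_recursive(conn, subject, resource, permission), "recursive"


if __name__ == "__main__":
    db = make_db()
    for res in ("f2", "doc"):
        print(res, authorize(db, "alice", res, "view"), authorize(db, "alice", res, "edit"))
```

Both strategies return the same decision for the same input; the join form is cheaper for two or three levels because the planner sees a fixed number of tables, while the recursive form does not grow with depth. The cap comparison is a plain string equality here; with rights sets it becomes a subset test, which the in-memory example later on this page shows.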
In some embodiments of the present application, the hierarchical graph is managed by the graph database, so that the database engine can be further utilized, which is beneficial to maximizing resource utilization.
In some embodiments of the present application, after the request information has been authenticated according to the target authorization rule, the method may further include: if update information is received, updating the target authorization rule according to the update information.
Specifically, in the embodiment of the present application, only the relationship between adjacent nodes is saved, which is the simplest way to store the hierarchical relationship, so that when a business entity relationship changes only a synchronous edge deletion or tree cutting is required; compared with the related technology, a large amount of computation and updating is avoided and computation efficiency is improved. Here an edge is understood as an entity authorization relationship between two points, and a tree is a vertex together with all its subordinate relationships, that is, the inherited authorization of all sub-resources of an entity.
In addition, in some embodiments of the present application, the target authorization rule must be updated synchronously, promptly and accurately when an entity relationship in the service changes, so that authorization remains accurate. In some examples, the business logic and the target authorization rule may be bound in the same transaction by using database transactions to ensure consistency of the data on both sides; in some other examples, an event-driven manner may be used to ensure consistency of the data on both sides. Which manner is used may be determined according to actual needs, and the embodiments of the present application are not limited in this respect.
In addition, in some examples, a periodic polling mechanism may further be adopted to check the target authorization rule by periodically comparing the ABAC authorization table with the service data, so that the correctness of the target authorization rule is further ensured.
In summary, compared with the related art, the embodiment of the application provides an ABAC-based authentication method in which, after the request information of a user is received, the request information is authenticated according to a target authorization rule to obtain an authentication result, and the request information is then released or intercepted according to that result. The target authorization rule in the embodiment of the application is obtained by expanding the default ABAC authorization entry structure according to its hierarchical relationship; this further optimizes and expands the hierarchical relationship, so that authority which cannot be cached in advance in the related technology is transferred into the ABAC model, and an ABAC model supporting implicit authority inheritance with low computational overhead is constructed. The computational complexity of the rights management system is therefore reduced, the amount of computation consumed is lowered, and authentication efficiency is improved at the same time.
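The transaction-bound update and the periodic reconciliation check, as an added example that is not the patent's code. It uses Python's built-in sqlite3; the `folder` service table, the `authz_edge` table, the folder names and the failure injected in `simulate()` are all constructed here. `reconcile()` returns the drift between the service's folder tree and the authorization edges rather than only printing it, and `delete_subtree()` is the "tree cutting" the text describes:

```python
import sqlite3

SCHEMA = """
CREATE TABLE folder (id TEXT PRIMARY KEY, parent TEXT);           -- service data: the folder tree
CREATE TABLE authz_edge (parent TEXT, child TEXT, cap TEXT,
                         PRIMARY KEY (parent, child));             -- expanded ABAC entries (graph edges)
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_folder(conn, folder_id, parent_id, cap="collaboration"):
    """Service write and authorization edge in one transaction: both persist or neither does."""
    with conn:  # commits on success, rolls back every statement on an exception
        conn.execute("INSERT INTO folder VALUES (?, ?)", (folder_id, parent_id))
        if parent_id is not None:
            conn.execute("INSERT INTO authz_edge VALUES (?, ?, ?)", (parent_id, folder_id, cap))


def delete_subtree(conn, folder_id):
    """'Tree cutting': remove a folder, all its descendants, and every edge touching them,
    again inside one transaction. Returns the ids that were removed."""
    with conn:
        rows = conn.execute("""
            WITH RECURSIVE sub(id) AS (
                SELECT ?
                UNION
                SELECT f.id FROM folder f JOIN sub ON f.parent = sub.id)
            SELECT id FROM sub""", (folder_id,)).fetchall()
        ids = [r[0] for r in rows]
        marks = ",".join("?" * len(ids))
        conn.execute(f"DELETE FROM authz_edge WHERE parent IN ({marks}) OR child IN ({marks})",
                     ids + ids)
        conn.execute(f"DELETE FROM folder WHERE id IN ({marks})", ids)
    return ids


def reconcile(conn):
    """Periodic polling check: compare the service tree with the authorization edges.
    'missing' edges mean a relation the graph never learned about; 'stale' edges would
    keep granting inherited rights after the service relation is gone."""
    expected = set(conn.execute("SELECT parent, id FROM folder WHERE parent IS NOT NULL"))
    actual = set(conn.execute("SELECT parent, child FROM authz_edge"))
    return {"missing_edges": sorted(expected - actual),
            "stale_edges": sorted(actual - expected)}


def simulate(conn):
    """Constructed scenario: a healthy tree, then a write that fails half-way."""
    create_folder(conn, "root", None)
    create_folder(conn, "a", "root")
    create_folder(conn, "b", "a")
    # Inject drift outside the transactional path: an edge for a folder that does not exist.
    conn.execute("INSERT INTO authz_edge VALUES ('a', 'c', 'collaboration')")
    conn.commit()
    # Creating folder c now inserts the folder row, then fails on the duplicate edge;
    # the transaction rolls the folder row back as well.
    try:
        create_folder(conn, "c", "a")
    except sqlite3.IntegrityError:
        pass
    folder_c_exists = conn.execute("SELECT 1 FROM folder WHERE id='c'").fetchone() is not None
    return folder_c_exists, reconcile(conn)


if __name__ == "__main__":
    db = make_db()
    print(simulate(db))             # (False, {'missing_edges': [], 'stale_edges': [('a', 'c')]})
    print(delete_subtree(db, "a"))  # ['a', 'b']
    print(reconcile(db))            # {'missing_edges': [], 'stale_edges': []}
```

The reconciliation result is what a polling job would act on: a stale edge is the dangerous direction, because it grants inherited rights the service no longer intends, so it is the one to delete first; a missing edge only denies access until the next run repairs it.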
For ease of understanding, the schemes provided in the embodiments of the present application are described herein by way of example.
Specifically, a platform performs internal collaborative document management with the creation, editing and publishing of online documents at its core, organized per organization. The platform has the following functional characteristics:
- There are two roles within an organization: administrator and common member;
- Common members have administrative rights over their own documents (view, edit, delete, manage collaborators);
- Documents within an organization have a "collaborator" concept; a collaborator is another member of the organization. Common members can manage the collaborators of their own documents and can specify the collaborators' rights (viewable/editable);
- To facilitate document management, an administrator can create and manage "folders" within the organization; documents of organization members can be added to a folder, new "subfolders" can be created, and other folders can be added as subfolders. Folders allow any number of levels;
- For any folder, the administrator can add organization members as collaborators of the folder. Collaborators have read rights on the documents in the folder and in all of its subfolders.
If the scheme of the related art is adopted, the original rights system is designed as follows:
Authorization layer:
Besides the basic roles of administrator and common member within the organization, there is dynamic permission logic for document resources, such as creator and collaborator. If RBAC were adopted in this scenario, a large number of fine-grained roles would be generated and have to be maintained, and the dynamic nature of the rights system could not be supported. The platform therefore adopts an ABAC scheme for conventional rights and for managing collaborator authorization entries.
When a member is added as a collaborator of a document or folder, a corresponding ABAC entry < member, document/folder, authority > is created, storing the member's rights on that resource; the remaining rights, such as those of the administrator and the creator, are computed dynamically from attributes at the authentication layer through ABAC.
In the folder collaboration scenario, a document may sit at any depth, because a folder may have any number of levels. If folder collaborators were synchronously and automatically propagated to all subfolders and all documents below them, then whenever the folder content changes, and especially when the rights of the root folder change, a small change would affect a large number of authority entries, making the system hard to maintain. Therefore, folder-related rights use inherited authorization, and must be computed and judged dynamically during authentication.
Authentication layer:
When an organization member accesses a document in the organization, the ABAC authentication module judges in sequence:
1. Judge whether the member is an administrator or the document creator, and grant the corresponding rights;
2. Judge whether the member's rights on the document exist in an ABAC authorization entry;
3. Perform folder authentication:
(1) Query all folders to which the document belongs, and judge whether the current member has rights on one of them;
(2) Recursively query all parent folders of those folders up to the top-level folders, and judge whether the current member has rights on one of them.
The design of the original rights system has the following bottleneck: in an actual service environment folders generally have many levels, so the related authentication computation generates a large amount of CPU, memory and database throughput overhead, which affects the user experience. Thus, there is a need to optimize this using the solution proposed in the present application.
The optimization method can be described with reference to fig. 3 as follows:
Authorization layer:
Folder-level rights management is performed on the expanded ABAC authorization entries using a graph database:
- When a new folder B is created in, or associated with, folder A, create a < folder A, folder B, collaboration > authorization entry (a relationship edge in the graph database), indicating that members holding the collaboration right on folder A are also granted the collaboration right on folder B;
- When a new document C is added in folder A, create a < folder A, document C, view > authorization entry, indicating that members holding the collaboration right on folder A are also granted the view right on document C;
- When folder B or document C is deleted from folder A, synchronously delete the corresponding authorization entry.
When implementing the scheme, consistency between the authorization entries and the folder hierarchy must be ensured; one of the following two schemes can be chosen:
1. Use a database transaction: the ABAC entry update and the add/delete operation on the folder content are declared in the same transaction, so that the data on both sides stay consistent.
2. Use event-driven eventual consistency: when the folder content changes, a corresponding event is published, and the rights management system consumes the event to update the corresponding ABAC authorization entry. For example, message queue middleware supporting the "at least once" delivery feature (At-Least-Once) may be used to ensure that events are delivered and processed.
In addition, a periodic polling mechanism can be used: the ABAC authorization table is periodically compared with the service data, the correctness of the authorization graph is checked, and errors are corrected promptly.
Authentication layer:
The authentication logic is updated; taking the process in which organization member U views document C as an example:
1. Judge whether member U is an administrator or the creator of document C, and grant the corresponding rights.
2. ABAC authorization entry authentication:
(1) Suppose member U holds rights on document C. Then either the rights come from U having been added as a collaborator of C, or from U having been added as a collaborator of some parent folder of C; in the latter case the rights are found in the authorization entry table as < folder N, user U, collaboration >, < folder N, folder N-1, collaboration >, ...
(2) The index capability of the graph database can be used to compute the relation between U and C directly; if an association is found, authorization succeeds.
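The optimized authentication flow above, together with the (object, resource, rights) and (parent, child, upper limit) entry structures introduced earlier, as an added worked example in Python; this is not code from the patent, and the `AuthzGraph` class, the folder and document names, the member names and the right names (view, edit, delete) are assumptions made here. Rights are modelled as sets and each edge's upper limit is applied by intersection at every hop, so a collaborator of folder A holding view and edit can view but not edit a document reached through a subfolder whose edge caps rights at view:

```python
from typing import Dict, FrozenSet, List, Tuple

Rights = FrozenSet[str]


class AuthzGraph:
    """Entry table of the expanded ABAC model: default (subject, resource, rights) entries
    plus (parent, child, cap) edges that make the hierarchy explicit."""

    def __init__(self, admins, creators):
        self.admins = set(admins)                 # organization administrators (constructed role)
        self.creators = dict(creators)            # resource -> creator
        self.entries: Dict[Tuple[str, str], Rights] = {}            # (subject, resource) -> rights
        self.parents: Dict[str, List[Tuple[str, Rights]]] = {}      # child -> [(parent, cap)]

    def grant(self, subject, resource, rights):
        """Default ABAC entry: grant `subject` the given rights on `resource`."""
        key = (subject, resource)
        self.entries[key] = self.entries.get(key, frozenset()) | frozenset(rights)

    def link(self, parent, child, cap):
        """Expanded entry <parent, child, cap>: the child inherits the parent's grants, capped."""
        self.parents.setdefault(child, []).append((parent, frozenset(cap)))

    def unlink(self, parent, child):
        """Synchronous edge deletion when the child is removed from the parent."""
        self.parents[child] = [(p, c) for p, c in self.parents.get(child, []) if p != parent]

    def inherited(self, subject, resource, visiting=frozenset()):
        """Rights of `subject` on `resource`: its own entry plus, for every parent edge,
        the rights held on the parent intersected with that edge's upper limit.
        Multiple paths are combined by union; `visiting` guards against cycles."""
        rights = self.entries.get((subject, resource), frozenset())
        for parent, cap in self.parents.get(resource, []):
            if parent in visiting:
                continue
            rights |= self.inherited(subject, parent, visiting | {resource}) & cap
        return rights

    def check(self, subject, resource, action):
        """The three-step flow: admin/creator, direct entry, then the graph walk.
        Returns (allowed, reason)."""
        if subject in self.admins or self.creators.get(resource) == subject:
            return True, "admin-or-creator"
        if action in self.entries.get((subject, resource), frozenset()):
            return True, "direct-entry"
        if action in self.inherited(subject, resource):
            return True, "inherited"
        return False, "denied"


def build_scenario():
    """Constructed scenario: folder A contains folder B, which contains document C."""
    g = AuthzGraph(admins={"admin"}, creators={"doc_C": "carol"})
    g.grant("alice", "folder_A", {"view", "edit"})     # alice is a collaborator of folder A
    g.link("folder_A", "folder_B", {"view", "edit"})   # <A, B, collaboration>: full collaborator rights
    g.link("folder_B", "doc_C", {"view"})              # <B, C, view>: documents inherit view only
    return g


if __name__ == "__main__":
    g = build_scenario()
    for who, what in (("alice", "view"), ("alice", "edit"), ("bob", "view"), ("carol", "delete")):
        print(who, what, "doc_C", g.check(who, "doc_C", what))
    g.unlink("folder_A", "folder_B")   # folder B removed from A: one edge deleted, nothing recomputed
    print("after unlink:", g.check("alice", "doc_C", "view"))
```

Because only adjacent relations are stored, removing folder B from folder A is a single `unlink` and alice's inherited view right on document C disappears with it; no per-document entries had to be rewritten. The recursion walks upward from the requested resource, so its cost is bounded by the number of ancestors, not by the size of the organization.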
It is not difficult to find out that by using the authentication method provided by the embodiment of the application, no matter how deep the file folder and the document are, the authentication flow is reduced to one query of the database, and the authentication efficiency is remarkably improved. In addition, the authentication method provided by the embodiment of the application has stronger expansibility and higher adaptability to subsequent service system iteration, and can support various complex implicit authorization schemes.
The embodiment of the application also provides an ABAC authentication device, which may include a receiving module 11, an authentication module 12 and an output module 13, as shown in fig. 4:
The receiving module 11 is configured to receive request information of a user;
the authentication module 12 is configured to authenticate the request information according to a target authorization rule, and obtain an authentication result; the target authorization rule is an authorization rule obtained by performing item expansion according to the hierarchical relationship of the default authorization item of the ABAC;
and the output module 13 is used for releasing or intercepting the request information according to the authentication result.
It is not difficult to find that the embodiment of the present application may be an apparatus implementation example corresponding to the embodiment of the foregoing ABAC authentication method, and implementation details of the embodiment of the foregoing ABAC authentication method are applicable to the embodiment of the present application, which is not repeated herein for the sake of avoiding repetition.
In addition, the embodiment of the application further provides an ABAC-based authentication device, the structure of which is shown in fig. 5, and the device includes a memory 21 for storing computer readable instructions and a processor 22 for executing the computer readable instructions, where the computer readable instructions, when executed by the processor, trigger the processor to execute the ABAC-based authentication method.
The methods and/or embodiments of the present application may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. The above-described functions defined in the method of the present application are performed when the computer program is executed by a processing unit.
It should be noted that, the computer readable medium described in the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
In the present application, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present application may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowchart or block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments; or may be present alone without being fitted into the device. The computer readable medium carries one or more computer readable instructions executable by a processor to implement the steps of the methods and/or techniques of the various embodiments of the present application described above.
In a typical configuration of the present application, the terminals, the devices of the services network each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer-readable media include both permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device.
In addition, the embodiment of the application also provides a computer program which is stored in the computer equipment, so that the computer equipment executes the method for executing the control code.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, using Application Specific Integrated Circuits (ASIC), a general purpose computer or any other similar hardware device. In some embodiments, the software programs of the present application may be executed by a processor to implement the above steps or functions. Likewise, the software programs of the present application (including associated data structures) may be stored on a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. In addition, some steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of units or means recited in the apparatus claims can also be implemented by means of one unit or means in software or hardware. The terms first, second, etc. are used to denote a name, but not any particular order.

Claims (7)

1. An ABAC-based authentication method, the method comprising:
receiving request information of a user;
authenticating the request information according to a target authorization rule to obtain an authentication result; the target authorization rule is an authorization rule obtained after entry expansion based on the hierarchical relationship of the default authorization entry of the ABAC;
releasing or intercepting the request information according to the authentication result;
the method for generating the target authorization rule comprises the following steps: acquiring the hierarchical relationship of the default authorization entry; determining the authority inheritance relationship of the default authorization item according to the hierarchical relationship; performing item expansion on the default authorization item according to the permission inheritance relationship to obtain the target authorization rule;
wherein, according to the permission inheritance relationship, performing entry expansion on the default authorization entry includes: determining parent resources and child resources of the resources in the default authorization entry according to the permission inheritance relationship; acquiring an upper limit of authority, wherein the upper limit of authority is used for representing the upper limit of operation authority which can be executed on the resource in the authority inheritance relationship; determining an additional authorization entry according to the parent resource, the child resource and the upper limit of authority; performing item expansion on the default authorization item according to the additional authorization item;
The step of authenticating the request information according to the target authorization rule to obtain an authentication result comprises the following steps: determining the number of layers of the layer relation according to the layer relation; determining a data query method executed on the target authorization rule according to the number of the layers; and authenticating the request information according to the data query method and the target authorization rule to obtain an authentication result.
2. The method of claim 1, wherein the hierarchical relationship of the target authorization rule is characterized by a hierarchical graph.
3. The method of claim 2, wherein the hierarchical graph is managed by a graph database.
4. A method according to any one of claims 1 to 3, wherein after said authenticating said request information according to a target authorization rule, the method further comprises:
and if the updating information is received, updating the target authorization rule according to the updating information.
5. An ABAC-based authentication device, characterized in that the device comprises a receiving module, an authentication module and an output module:
The receiving module is used for receiving the request information of the user;
the authentication module is used for authenticating the request information according to a target authorization rule to obtain an authentication result; the target authorization rule is an authorization rule obtained by performing item expansion according to the hierarchical relationship of the default authorization item of the ABAC;
the output module is used for releasing or intercepting the request information according to the authentication result;
the device is further used for acquiring the hierarchical relationship of the default authorization entry; determining the authority inheritance relationship of the default authorization item according to the hierarchical relationship; performing item expansion on the default authorization item according to the permission inheritance relationship to obtain the target authorization rule;
the device is specifically configured to determine a parent resource and a child resource of the resource in the default authorization entry according to the permission inheritance relationship; acquiring an upper limit of authority, wherein the upper limit of authority is used for representing the upper limit of operation authority which can be executed on the resource in the authority inheritance relationship; determining an additional authorization entry according to the parent resource, the child resource and the upper limit of authority; performing item expansion on the default authorization item according to the additional authorization item;
The authentication module is specifically configured to determine, according to the hierarchical relationship, the number of levels of the hierarchical relationship; determining a data query method executed on the target authorization rule according to the number of the layers; and authenticating the request information according to the data query method and the target authorization rule to obtain an authentication result.
6. An ABAC-based authentication device, characterized in that the device comprises:
one or more processors; and
a memory storing computer program instructions that, when executed, cause the processor to perform the method of any of claims 1 to 4.
7. A computer readable medium having stored thereon computer program instructions executable by a processor to implement the method of any of claims 1 to 4.
CN202211293935.4A 2022-10-21 2022-10-21 ABAC-based authentication method, apparatus, device and computer readable medium Active CN115618387B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211293935.4A CN115618387B (en) 2022-10-21 2022-10-21 ABAC-based authentication method, apparatus, device and computer readable medium

Publications (2)

Publication Number Publication Date
CN115618387A CN115618387A (en) 2023-01-17
CN115618387B true CN115618387B (en) 2024-02-06

Family

ID=84865287

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211293935.4A Active CN115618387B (en) 2022-10-21 2022-10-21 ABAC-based authentication method, apparatus, device and computer readable medium

Country Status (1)

Country Link
CN (1) CN115618387B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104967620A (en) * 2015-06-17 2015-10-07 中国科学院信息工程研究所 Access control method based on attribute-based access control policy
EP2993606A1 (en) * 2014-09-05 2016-03-09 Axiomatics AB Provisioning system-level permissions using attribute-based access control policies
WO2016095365A1 (en) * 2014-12-18 2016-06-23 中兴通讯股份有限公司 Authorization processing method and apparatus
CN109815654A (en) * 2019-01-23 2019-05-28 山东浪潮通软信息科技有限公司 A kind of data access control method and device
CN110858833A (en) * 2018-08-22 2020-03-03 京东方科技集团股份有限公司 Access control policy configuration method, device and system and storage medium
CN111556005A (en) * 2019-12-31 2020-08-18 远景智能国际私人投资有限公司 Authority management method, device, electronic equipment and storage medium
CN112883390A (en) * 2021-02-18 2021-06-01 腾讯科技(深圳)有限公司 Authority control method and device and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8955040B2 (en) * 2012-02-27 2015-02-10 Axiomatics Ab Provisioning authorization claims using attribute-based access-control policies
US11797702B2 (en) * 2021-03-11 2023-10-24 EMC IP Holding Company LLC Access control rights assignment capabilities utilizing a new context-based hierarchy of data based on new forms of metadata

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2993606A1 (en) * 2014-09-05 2016-03-09 Axiomatics AB Provisioning system-level permissions using attribute-based access control policies
WO2016095365A1 (en) * 2014-12-18 2016-06-23 中兴通讯股份有限公司 Authorization processing method and apparatus
CN104967620A (en) * 2015-06-17 2015-10-07 中国科学院信息工程研究所 Access control method based on attribute-based access control policy
CN110858833A (en) * 2018-08-22 2020-03-03 京东方科技集团股份有限公司 Access control policy configuration method, device and system and storage medium
CN109815654A (en) * 2019-01-23 2019-05-28 山东浪潮通软信息科技有限公司 A kind of data access control method and device
CN111556005A (en) * 2019-12-31 2020-08-18 远景智能国际私人投资有限公司 Authority management method, device, electronic equipment and storage medium
CN112883390A (en) * 2021-02-18 2021-06-01 腾讯科技(深圳)有限公司 Authority control method and device and storage medium

Non-Patent Citations (2)

Title
ABAC Conceptual Graph Model for Composite Web Services; Djebari Nabil et al.; 2018 IEEE 5th International Congress on Information Science and Technology (CiSt); full text *
A Survey of Key Technologies of Attribute-Based Access Control; 房梁; 殷丽华; 郭云川; 方滨兴; Chinese Journal of Computers (No. 07); full text *

Also Published As

Publication number Publication date
CN115618387A (en) 2023-01-17

Similar Documents

Publication Publication Date Title
US11308126B2 (en) Different hierarchies of resource data objects for managing system resources
US11574070B2 (en) Application specific schema extensions for a hierarchical data structure
US20210109907A1 (en) Versioning schemas for hierarchical data structures
US11675774B2 (en) Remote policy validation for managing distributed system resources
US11341118B2 (en) Atomic application of multiple updates to a hierarchical data structure
US9959306B2 (en) Partition-based index management in hadoop-like data stores
US10454786B2 (en) Multi-party updates to distributed systems
US11334593B2 (en) Automated ETL workflow generation
US20100319067A1 (en) Method and System for Managing Object Level Security Using an Object Definition Hierarchy
CN111858615B (en) Database table generation method, system, computer system and readable storage medium
JP2009507275A (en) Dual layer access control list
US11210410B2 (en) Serving data assets based on security policies by applying space-time optimized inline data transformations
US9454592B2 (en) Managing, importing, and exporting teamspace templates and teamspaces in content repositories
US11157467B2 (en) Reducing response time for queries directed to domain-specific knowledge graph using property graph schema optimization
US11657088B1 (en) Accessible index objects for graph data structures
Solanki et al. Resource and role hierarchy based access control for resourceful systems
US10491635B2 (en) Access policies based on HDFS extended attributes
CN115618387B (en) ABAC-based authentication method, apparatus, device and computer readable medium
WO2023098433A1 (en) Secure policy distribution in a cloud environment
US20230224304A1 (en) Resource access control in cloud environments
US20230153300A1 (en) Building cross table index in relational database
WO2018057881A1 (en) Different hierarchies of resource data objects for managing system resources
US11500837B1 (en) Automating optimizations for items in a hierarchical data store
US20120216240A1 (en) Providing data security through declarative modeling of queries
US11663159B2 (en) Deterministic enforcement in data virtualization systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant