CN103004135A - Access control method and access control server - Google Patents

Publication number: CN103004135A (granted as CN103004135B)
Authority: CN (China)
Application number: CN2011800012361A
Original language: Chinese (zh)
Inventors: 张彬, 李国辉, 李岩
Original and current assignee: Huawei Technologies Co Ltd
Legal status: granted; expired (fee related)
Prior art keywords: access, subject, access control, operating right, request

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/02: Standardisation; Integration
    • H04L 41/0213: Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L 41/08: Configuration management of networks or network elements
    • H04L 41/0803: Configuration setting
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network security protocols for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]


Abstract

The invention provides an access control method and an access control server. The access control server parses a received access request and extracts its subject, object and requested operation; it looks up the object in an access control policy file and, from the access control label of the matched object, determines the subject's operating rights on that object. The access control policy file is a model-tree XML (Extensible Markup Language) document generated from an XML Schema document: each element of the model-tree XML document is an object of access control, and the element's access control label defines which subjects are allowed to access the object and what operating rights each subject has on it. The access control server then matches the requested operation against the subject's operating rights found in the policy file, determines an access decision from the matching result, and returns an access response containing that decision.

Description

Access control method and access control server
Technical field
The embodiments relate to network technology, and in particular to an access control method and an access control server.
Background technology
A network management system (NMS) involves two classes of network device: the NMS itself and the managed devices. A network administrator operates the NMS to send access requests to a managed device, such as a request to query the device state or a request to modify a device configuration parameter. After receiving an access request, the managed device performs the requested operation and returns the result to the NMS. Message exchange between the NMS and the managed device must follow the Network Configuration Protocol (NETCONF), which provides mechanisms to install, manipulate and delete network device configuration.
To keep network devices secure, access requests to a managed device must be subject to access control. Different network administrators have different access rights and are allowed to access different subsets of the network management data, so after receiving an access request the access control server must decide whether the request satisfies the predefined access policy, and only requests that satisfy the policy are executed. Restricting a user's access to particular items of information according to the user's identity is called access control.
NETCONF uses the Extensible Markup Language (XML) to describe the access requests of the NMS, the response messages of the managed device, and the network management data. The existing access control mechanisms for XML documents do not let NETCONF support access control of XML documents well: they fall short in the conciseness and intuitiveness of the access policy, so access control takes a long time and consumes many resources.
Summary of the invention
The embodiments provide an access control method and an access control server to overcome the defect that the existing access control process for XML documents takes a long time and consumes many resources.
According to one aspect of the embodiments, an access control method is provided, comprising:
the access control server parses the received access request and extracts the subject, the object and the requested operation from the access request;
the access control server looks up the object of the access request in an access control policy file and, according to the access control label of the matched object, determines the operating rights of the subject of the access request on that object; the access control policy file is a model-tree XML document generated from an XML Schema document, each element of the model-tree XML document is an object of access control, and the access control label of each element defines the subjects allowed to access that object and the operating rights of those subjects on it;
the access control server matches the requested operation of the access request against the operating rights found for the subject, determines an access decision from the matching result, and returns an access response containing the access decision.
According to another aspect of the embodiments, an access control server is also provided, comprising:
an extraction module, configured to parse the received access request and extract the subject, the object and the requested operation from it;
a lookup module, configured to look up the object of the access request in the access control policy file and, according to the access control label of the matched object, determine the operating rights of the subject of the access request on that object; the access control policy file is a model-tree XML document generated from an XML Schema document, each element of the model-tree XML document is an object of access control, and the access control label of each element defines the subjects allowed to access that object and the operating rights of those subjects on it;
a matching module, configured to match the requested operation of the access request against the operating rights of the subject found by the lookup module;
a decision module, configured to determine an access decision from the matching result and to return an access response containing the access decision.
In the access control method and access control server of the embodiments, the XML Schema document that holds the network configuration protocol is converted into a model-tree XML document; the elements of the model-tree XML document define the objects of access control, and the access control labels of those elements define the operating rights of the different subjects on each object, so an access policy file is established for the network configuration protocol. Because the access policy file is based on the model-tree XML document, which is short and compact compared with the XML document itself, looking up the object extracted from the access request among the objects of the model tree is more efficient than looking it up in the XML document. Once the object is found, the definition in its access control label gives the subject's operating rights on the object quickly. The access control server therefore processes an access request in less time and with fewer resources.
Brief description of the drawings
To describe the technical solutions of the embodiments or of the prior art more clearly, the drawings used in the embodiments or in the description of the prior art are briefly introduced below. The drawings described below show only some embodiments of the invention; persons of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of an access control method according to an embodiment;
Fig. 2 is a flowchart of a method for establishing an access policy file according to an embodiment;
Fig. 3 is a flowchart of another access control method according to an embodiment;
Fig. 4A is a schematic structural diagram of an access control server according to an embodiment;
Fig. 4B is a schematic structural diagram of another access control server according to an embodiment;
Fig. 5 is a schematic structural diagram of the lookup module in Fig. 4A or Fig. 4B;
Fig. 6 is a schematic structural diagram of the matching module in Fig. 4A or Fig. 4B;
Fig. 7 is a schematic structural diagram of the decision module in Fig. 4A or Fig. 4B.
Embodiments
To make the purpose, technical solution and advantages of the embodiments clearer, the technical solution is described below clearly and completely with reference to the drawings of the embodiments. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments that persons of ordinary skill in the art obtain from them without creative effort fall within the protection scope of the invention.
The content of an XML file is subject to constraints of three kinds: vocabulary constraints, element value constraints and file structure constraints. A vocabulary constraint restricts which elements and attributes may appear in the XML file; for example, a constraint that only the <age> and <name> elements (together with a third element whose name is illegible in the source) may appear in the file, and no other element. An element value constraint, for example, requires that the value of the <age> element describing an age must be an integer, not a decimal, not less than 0 and not greater than 200. A file structure constraint restricts the nesting (parent-child) relationships between elements and the order in which child elements appear; for example, the <a> element must contain a <b> element and may optionally contain a <c> element; <b> must appear at least once and at most four times inside <a>; and although <b> and <c> are both children of <a>, <b> must precede <c>. A file that describes such constraint rules is called an XML schema file, and an XML file should comply with the constraints of one or more XML schema files. XML schema files are written in a modeling language; different modeling languages have different syntax and form, and the most commonly used today are XSD and Relax NG.
In the following embodiments, the steps performed by the access control server and the functions of its modules may be executed by a computing device such as a computer. Fig. 1 is a flowchart of an access control method according to an embodiment. As shown in Fig. 1, the access control method comprises:
Step 11: the access control server parses the received access request and extracts the subject, the object and the requested operation from it.
The network administrator sends access requests through a network configuration protocol client to the network configuration protocol server. The object of an access request can be defined with an XPath expression or with a subtree filter expression, as specified by the NETCONF protocol. The access control server located at the network configuration protocol server parses the received access request to obtain the subject, the object and the requested operation. The subject represents the network administrator who sent the access request, the object represents the network management data on the server side that is to be accessed, and the requested operation is the operation the subject requests on the object.
Step 12: the access control server looks up the object of the access request in the access control policy file and, according to the access control label of the matched object, determines the operating rights of the subject of the access request on that object.
For each object in the access policy file, the subjects allowed to access it and the operating rights of each such subject on it must be defined. The embodiments convert the XML Schema document into a model-tree XML document that contains the tree relationships between elements, and generate the access policy file from that model-tree document. An object in the access policy file is an abstract representation of network management data, not the data itself: the elements of the model-tree XML document are the objects, so an object is normally expressed by an element of the model-tree document. The access control label of each element defines the subjects allowed to access that object and the operating rights of each such subject on it, and a model-tree XML document whose labels define the permitted subjects and their operating rights is called an access policy file.
Step 13: the access control server matches the requested operation of the access request against the operating rights of the subject found in step 12, and returns an access response for the access request according to the matching result.
If the authority corresponding to the requested operation is the same as the operating right that the access control policy file defines for the subject on the object, or is less than the operating right defined in the policy file, the requested operation is determined to match the operating right defined in the policy file and an access response permitting access is returned; otherwise an access response denying access is returned.
In the access control method of this embodiment, the XML Schema document that holds the network configuration protocol is converted into a model-tree XML document; the elements of the model-tree XML document define the objects of access control, and the access control labels of those elements define the operating rights of the different subjects on each object, so an access policy file is established for the network configuration protocol. Because the access policy file is based on the model-tree XML document, which is short and compact compared with the XML document itself, looking up the object extracted from the access request among the objects of the model tree is more efficient than looking it up in an access policy file based on the XML document. Once the object is found, the definition in its access control label gives the subject's operating rights on the object quickly. The access control server therefore processes an access request in less time and with fewer resources.
Fig. 2 is a flowchart of a method for establishing an access policy file according to an embodiment. This embodiment is illustrated by setting up an access policy file for NETCONF. As shown in Fig. 2, the method comprises:
Step 21: convert the NETCONF XML Schema document into a tree-structured model-tree XML document.
Table 1 shows part of an XML Schema document and Table 2 the XML model document generated from it. As Table 1 shows, line L11 of the XML Schema document defines the element "NetConfState", line L17 defines its child element "capability", and line L25 defines another child element "schema" of "NetConfState"; as Table 2 shows, the element structure of the XML Schema document is reproduced in the XML model document, where element "NetConfState" is an ancestor of the elements "capability" and "schema".
Table 1: partial content of the NETCONF XML Schema document (only the fragment at line L7 survives in the source)
L7 <xs:schema>
Table 2: the XML model document generated from Table 1
<?xml version="1.0" encoding="UTF-8"?>
<mon:monitor xmlns:mon="urn:ietf:params:xml:ns:NetConf:state:1.0">
  <mon:NetConfState>
    <mon:capabilities>
      <mon:capability/>
    </mon:capabilities>
    <mon:schemas>
      <mon:schema/>
    </mon:schemas>
  </mon:NetConfState>
  <mon:monitorInfo/>
</mon:monitor>
Step 22: taking each element of the model-tree XML document as an object of access control, define in the access control label of each element the subjects allowed to access the corresponding object and the operating rights of each such subject on it.
The embodiments define a new access control label, "sbacl", which is placed on an element of the XML model document to define the subjects allowed to access the corresponding object and their operating rights on it. As Table 3A shows, the access control policy for an object is written in the form: object sbacl="subject:operator".
Table 3A: access control policy defined for one object
<mon:capabilities>
  <mon:capability sbacl="priser:Ge"/>
</mon:capabilities>
Table 3B: the object in the access control policy of Table 3A
<mon:capabilities>
  <mon:capability/>
</mon:capabilities>
Table 3B shows the object in the access policy file defined by Table 3A; the element "capability" is the name of the object. In the access control policy of Table 3A, the access control label "sbacl" of element "capability" explicitly defines that the subject allowed to access "capability" is priser and that priser's operating right is "Ge". The same subject can be given only one operating right on the same object; when operating rights are defined, several operating rights may be merged into one as needed.
Table 4 shows the access policy file established on the XML model document of Table 2. In Table 4, the access control label sbacl of element "NetConfState" explicitly defines the operating right of subject "netconfuser1" as "ge"; the sbacl label of its child element "capability" explicitly defines the operating right of "netconfuser2" as "g-"; and the sbacl label of the child element "schema" of "NetConfState" defines no operating right explicitly. The operating right on the child element "schema" can therefore be traced back to the operating right defined on "NetConfState", the nearest ancestor of "schema" that has an explicitly defined operating right.
Table 4: access policy file established on the XML model document of Table 2
<?xml version="1.0" encoding="UTF-8"?>
<mon:monitor xmlns:mon="urn:ietf:params:xml:ns:NetConf:state:1.0"
             sbacl-combination="Permit-overrides">
  <mon:NetConfState sbacl="netconfuser1:ge">
    <mon:capabilities>
      <mon:capability sbacl="netconfuser2:g-"/>
    </mon:capabilities>
    <mon:schemas>
      <mon:schema/>
    </mon:schemas>
  </mon:NetConfState>
  <mon:monitorInfo sbacl="netconfuser3:g-; image:~"/>
</mon:monitor>
The operating rights defined by the embodiments are explained first. The main NETCONF operations are get, get-config and edit-config. To shorten the strings in the access policy file and make them easier to use, the embodiments abbreviate these NETCONF operations to the operators G, g and e respectively, and additionally define an operator meaning that every operation is refused. Table 5 shows the mapping between the operators defined by the embodiments and the operation names.
Table 5: mapping between the operators defined by the embodiments and the operation names
Operation name | Operator | Meaning of the operation
get            | G        | obtain configuration and status data
get-config     | g        | obtain configuration data
edit-config    | e        | edit configuration data
As Table 5 shows, the NETCONF get and get-config operations correspond to the read operation of a traditional ACL; they are two operations of the same nature but different scope, and only one of them may appear in an operating right expression. The NETCONF edit-config operation corresponds to the write operation of a traditional ACL. Under the NETCONF protocol, access control may combine edit-config with either get or get-config. Practical network management requires get or get-config rights in order to edit-config data, so the edit-config authority is greater than the get and get-config authorities; and because get can obtain both status data and configuration data while get-config obtains only configuration data, the get authority is greater than the get-config authority. The order of the three authorities get-config, get and edit-config is therefore g < G < e.
In the embodiments an operator in the access policy file consists of two placeholders, R and E. R sets the "read" operating right and can take the values G, g or -, meaning that get is allowed, get-config is allowed, or no read operation is allowed, respectively. E sets the "edit" operating right and can take the values e or -, meaning that edit-config is allowed or that editing is not allowed. The two placeholders therefore admit several combinations; Table 6 describes the meaning of each combination.
Table 6: meaning of the placeholder combinations (only the rows legible in the source are reproduced)
g-   get-config allowed, edit-config not allowed
--   neither get nor get-config allowed, and edit-config not allowed
In the access policy file of this embodiment, subjects and operating rights are expressed as simple strings, so when an access request is processed and its object has been found, matching the subject and matching the operating right are both straightforward.
Fig. 3 is a flowchart of another access control method according to an embodiment; the method is executed by the access control server. As shown in Fig. 3, the access control method comprises:
Step 31: parse the received access request and extract the subject, the object and the requested operation from it.
The object of a NETCONF access request can be defined with XPath or with subtree filtering. Table 7A shows an example of a NETCONF access request that defines its object with XPath; assume that the subject sending the request is Netconfuser2. Table 7B shows the access request triple parsed from the request of Table 7A.
Table 7A: example of a NETCONF access request defining its object with XPath
Table 7B: access request triple parsed from the request of Table 7A
As Table 7A shows, in a NETCONF access request defined with XPath, <get-config> is the requested operation of the subject, select="//capability" identifies the object the subject requests, and type="XPATH" indicates that the request uses an XPath expression. As Table 7B shows, parsing the request of Table 7A yields subject Netconfuser2, requested operation get-config and object capability.
Table 8A shows an example of a NETCONF access request that defines its object with a subtree filter expression; assume that the subject sending the request is Netconfuser1. Table 8B shows the access request triple parsed from the request of Table 8A.
Table 8A: example of a NETCONF access request defining its object with a subtree filter expression
Table 8B: access request triple parsed from the request of Table 8A
As Table 8A shows, in a NETCONF access request defined with a subtree filter expression, <get> is the requested operation of the subject, <filter type="subtree"> indicates that the request uses a subtree filter expression, and <mon:schemas/> identifies the object the subject requests. As Table 8B shows, parsing the request of Table 8A yields subject Netconfuser1, requested operation get and object schemas.
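The extraction of step 31, worked as an added example that is not the patent's own code: given the authenticated session's subject and the NETCONF <rpc>, it returns the (subject, objects, operation) triple for both the XPath form of Table 7A and the subtree form of Table 8A. The <rpc> envelope, message-ids and the NETCONF base namespace are assumptions of this example, and it returns a list of objects because a subtree filter can name several (as the request of Table 9A does).

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"   # NETCONF base namespace (assumed)

# Constructed requests modelled on the patent's Tables 7A and 8A. The patent
# shows only the operation, the filter type and the object; the <rpc> envelope,
# message-ids and namespaces are assumptions of this example.
XPATH_REQUEST = b"""<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get-config>
    <source><running/></source>
    <filter type="xpath" select="//capability"/>
  </get-config>
</rpc>"""

SUBTREE_REQUEST = b"""<rpc message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get>
    <filter type="subtree">
      <mon:schemas xmlns:mon="urn:ietf:params:xml:ns:NetConf:state:1.0"/>
    </filter>
  </get>
</rpc>"""


def local_name(tag):
    """'{namespace}name' -> 'name' (ElementTree's qualified-tag form)."""
    return tag.rsplit("}", 1)[-1]


def xpath_objects(select):
    """Object names from a NETCONF XPath filter: the last location step of
    each '|'-separated path, with namespace prefix and predicates stripped
    (e.g. '//mon:capability[1]' -> 'capability')."""
    objects = []
    for path in select.split("|"):
        step = path.strip().rstrip("/").rsplit("/", 1)[-1]
        step = step.split("[", 1)[0]          # drop predicates
        step = step.rsplit(":", 1)[-1]        # drop namespace prefix
        if step:
            objects.append(step)
    return objects


def extract_triple(subject, rpc_bytes):
    """Step 31 of the patent: (subject, objects, operation) from an <rpc>.
    The subject comes from the authenticated NETCONF session, not the XML."""
    rpc = ET.fromstring(rpc_bytes)
    children = list(rpc)
    if len(children) != 1:
        raise ValueError("an <rpc> must carry exactly one operation")
    op_elem = children[0]
    operation = local_name(op_elem.tag)
    filt = op_elem.find(f"{{{NC_NS}}}filter")
    if filt is None:
        raise ValueError("request has no <filter>; cannot determine object")
    # NETCONF's default filter type is "subtree" when the attribute is absent.
    ftype = (filt.get("type") or "subtree").lower()
    if ftype == "xpath":
        objects = xpath_objects(filt.get("select", ""))
    elif ftype == "subtree":
        # Every top-level element of the subtree filter names one object.
        objects = [local_name(child.tag) for child in filt]
    else:
        raise ValueError(f"unknown filter type {ftype!r}")
    if not objects:
        raise ValueError("filter selects no object")
    return subject, objects, operation


if __name__ == "__main__":
    print(extract_triple("Netconfuser2", XPATH_REQUEST))    # Table 7B
    print(extract_triple("Netconfuser1", SUBTREE_REQUEST))  # Table 8B
```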
Step 32:The object in access request is searched in the object of access control policy file.
Step 33:Judge whether the access control label of the object found shows that definition has the operating right of the main body in the access request.If display definition has the operating right of the main body, step is performed
34, otherwise perform step 35. Step 34:If display definition has the operating right of the main body, the operating right for showing definition is regard as operating right of the main body to the object.Afterwards, step 36 is performed.
If the access control label display definition of the object found has the operating right of the main body in access request, the operating right for showing definition is regard as operating right of the main body in access request to the object in access request.
By taking the access request triple that table 7B is parsed as an example, object is searched in all objects of the access strategy file shown in table 4 "capability".The access control label sbacl display definition of " capability " has the operating right " G- " of the main body " Netconfuser2 " in access request, forms the operating right table as shown in table 7C.
The operating right table that table 7C is found according to table 7B Step 35:If not showing the operating right for defining the main body, the nearest elder generation's object for the object for defining the operating right for having the main body is reviewed upwards, and the main body is defined as operating right of the main body to the object to the operating right of nearest elder generation's object.Afterwards, step 36 is performed.
If the access control label of the object found does not explicitly define the operating right of the subject in the access request, the ancestor objects of the object are traced upward in turn until the first ancestor object that explicitly defines an operating right for the subject is reached, and the operating right defined by that ancestor object is used as the operating right for the object. If the trace reaches the root element without finding an ancestor object that explicitly defines the operating right, it is determined that the subject of the access request has no operating right to the object.
Taking the access request triple parsed in table 8B as an example, the object "schemas" is searched for among all objects of the access strategy file shown in table 4. The object "schemas" does not explicitly define an operating right, so the ancestor objects of "schemas" are traced upward; the nearest ancestor object that defines an operating right is found to be "NetConfState", whose access control attribute label sbacl defines, for the subject "netconfuser1", the operating right "ge". This forms the operating right table shown in table 8C.
Table 8C: the operating right table found according to table 8B
Step 36: Judge whether the authority corresponding to the request operation of the access request is within the range of the operating right found for the subject. If so, perform step 37; otherwise, perform step 38.
Step 37: If it is within the range, determine that the request operation of the access request matches the operating right found for the subject. Afterwards, perform step 39.
For example, the operating right "g-" in table 7C means that the get-config operation is allowed and the edit-config operation is not allowed; the request operation in table 7B is "get-config"; therefore the authority corresponding to the request operation "get-config" in table 7B is within the range of the operating right "g-" in table 7C, and it is thus determined that the request operation of the access request shown in table 7A matches the operating right found.
Step 38: If it is not within the range, determine that the request operation of the access request does not match the operating right found for the subject. Afterwards, perform step 39.
For example, the operating right "ge" in table 8C means that both the get-config and the edit-config operations are allowed; the request operation in table 8B is "get", and the operating right for get-config is narrower than get; therefore the authority corresponding to the request operation "get" in table 8B is not within the range of the operating right "ge" in table 8C, and it is thus determined that the request operation of the access request shown in table 8A does not match the operating right found.
Step 39: Return an access response according to the matching result.
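As an added example, not code from the patent, the following Python sketch implements the object lookup with ancestor fallback (steps 33 to 35) and the operation matching (steps 36 to 38) over a constructed model-tree policy. It assumes the label attribute is named `sbacl`, that its value is `subject:rights` entries separated by `;`, and that the two-character rights string covers get-config and edit-config in that order; the policy XML, element names and subject names are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed policy standing in for the page's table 4 (not the patent's file).
# The root carries the sbacl-combination tag; elements carry sbacl labels.
POLICY_XML = """
<netconf sbacl-combination="Deny-overrides">
  <NetConfState sbacl="netconfuser1:ge;netconfuser2:g-">
    <schemas>
      <schema/>
    </schemas>
  </NetConfState>
  <Sessions sbacl="netconfuser1:g-">
    <session/>
  </Sessions>
  <Statistics/>
</netconf>
"""

# Assumed rights-string layout: position 0 is get-config ('g' or '-'),
# position 1 is edit-config ('e' or '-').  Following the page's table 8
# reasoning, a plain <get> is broader than get-config and is not covered by
# the 'g' right, so it has no position and never matches.
OP_POSITION = {"get-config": 0, "edit-config": 1}
OP_LETTER = {"get-config": "g", "edit-config": "e"}


def load_policy(xml_text: str = POLICY_XML) -> ET.Element:
    """Parse the model-tree XML document (the access strategy file)."""
    return ET.fromstring(xml_text.strip())


def parse_label(label: str) -> dict:
    """Turn "subj1:ge;subj2:g-" into {"subj1": "ge", "subj2": "g-"}."""
    rights = {}
    for entry in label.split(";"):
        subject, sep, ops = entry.strip().partition(":")
        if sep:                       # skip empty or malformed entries
            rights[subject.strip()] = ops.strip()
    return rights


def lookup_rights(root: ET.Element, path: str, subject: str) -> Optional[str]:
    """Steps 33-35: use the object's own label if it names the subject,
    otherwise climb to the nearest ancestor whose label does; None if the
    root is reached without finding one (or the object does not exist)."""
    parents = {child: parent for parent in root.iter() for child in parent}
    node = root if path in ("", root.tag) else root.find(path)
    while node is not None:
        rights = parse_label(node.get("sbacl", ""))
        if subject in rights:
            return rights[subject]
        node = parents.get(node)      # None once the root has been checked
    return None


def operation_permitted(rights: Optional[str], op: str) -> bool:
    """Steps 36-38: is the requested operation within the rights found?"""
    if rights is None:
        return False                  # nothing defined up to the root: deny
    pos = OP_POSITION.get(op)
    if pos is None or pos >= len(rights):
        return False                  # e.g. <get>, not covered by 'g'
    return rights[pos] == OP_LETTER[op]


def decide(root: ET.Element, subject: str, path: str, op: str) -> str:
    """Step 39: access decision for one (subject, object, operation) triple."""
    rights = lookup_rights(root, path, subject)
    return "permit" if operation_permitted(rights, op) else "deny"


if __name__ == "__main__":
    root = load_policy()
    # Table 8 case: "schemas" has no label, inherits "ge" from NetConfState,
    # but the request is <get>, which "ge" does not cover.
    print(decide(root, "netconfuser1", "NetConfState/schemas", "get"))  # deny
    # Table 7 case: "g-" covers get-config.
    print(decide(root, "netconfuser1", "Sessions", "get-config"))       # permit
```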
In the present embodiment, after the object in the access request is found in the access strategy file, the operating right explicitly defined by the object for the subject in the access request is searched for first. If the object does not explicitly define an operating right for that subject, the nearest ancestor object of the object that defines an operating right for the subject is traced upward in turn, and the operating right found is used as the operating right of the subject; if none is found, it is determined that the subject is denied access to the object.
Further, a NETCONF access request may contain multiple objects. An access decision can be made for each object, and the access decisions made for the individual objects can also be integrated to make a final access decision. The access control policy file also defines the authorization decision combination algorithm used when making an authorization decision on an access request that contains multiple objects. As shown in table 4, the authorization decision combination tag (sbacl-combination) is defined on the root element of the model tree XML document. The value of the sbacl-combination attribute is one of: Deny-overrides, Permit-overrides, All-permit and All-deny.
An access request triple containing multiple objects, parsed from a NETCONF access request, is shown in table 9A: the subject "netconfuser1" needs to access three objects, "AAA", "AA/BB" and "ABC/DDD", in one access request.
Table 9A: the parsed access request triple containing multiple objects
The operating rights of all objects in table 9A are looked up in the access strategy file; the operating rights found for the objects in table 9A are shown in table 9B. As shown in table 9B, in the access strategy file the operating right defined for the subject netconfuser1 on the object "AAA" is "g-", the operating right defined for netconfuser1 on the object "AA/BB" is "g-", and the operating right defined for netconfuser1 on the object "ABC/DDD" is "--".
Table 9B: the operating rights found in the access strategy file for the objects in table 9A
When an access decision is made for a single object, the request operation of the subject "netconfuser1" in table 9A on each object is matched with the operating right defined for the subject "netconfuser1" on that object in table 9B, the access decision for each object shown in table 9C is made according to the matching result for that object, and an access response containing the access decision for each object is returned.
Table 9C: access decisions made for the single objects in table 9A
When a final access decision is made for all objects, the access decisions of all objects are integrated to determine the final access decision, and an access response containing the final access decision is returned. Using each of the four authorization decision combination algorithms in turn, Deny-overrides, Permit-overrides, All-permit and All-deny, the final access decisions formed by integrating the access decisions in table 9C are shown in table 9D.
Table 9D: final access decisions formed by integrating the access decisions in table 9C
When the access request contains multiple objects, the Deny-overrides algorithm means that if any one of the access decisions of all the objects is deny, the access request is refused regardless of the other access decisions. The Permit-overrides algorithm means that if any one of the access decisions of all the objects is permit, the access request is permitted regardless of the other access decisions.
The All-permit algorithm means that the access request is permitted only when the access decisions of all the objects are permit; otherwise the access request is refused. The All-deny algorithm means that the access request is refused only when the access decisions of all the objects are deny; otherwise the access request is permitted.
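As an added example, not the patent's code, the following Python implements the four combination algorithms above and applies them to per-object decisions in the shape of table 9C. The per-object decisions (permit, permit, deny for "AAA", "AA/BB" and "ABC/DDD" under a get-config request) are constructed, as is the one-element policy root used to read the sbacl-combination tag; the tag name and the algorithm names are taken from the page.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Tuple

# The four combination algorithms named on the page, keyed by the value of the
# sbacl-combination tag on the root element.  Each takes the per-object
# decisions ("permit"/"deny") and returns the final decision.

def deny_overrides(decisions):
    # A single deny refuses the request whatever the other decisions are.
    return "deny" if any(d == "deny" for d in decisions) else "permit"

def permit_overrides(decisions):
    # A single permit allows the request whatever the other decisions are.
    return "permit" if any(d == "permit" for d in decisions) else "deny"

def all_permit(decisions):
    # Permitted only when every object is permitted; otherwise refused.
    return "permit" if all(d == "permit" for d in decisions) else "deny"

def all_deny(decisions):
    # Refused only when every object is refused; otherwise permitted.
    return "deny" if all(d == "deny" for d in decisions) else "permit"

COMBINERS = {
    "Deny-overrides": deny_overrides,
    "Permit-overrides": permit_overrides,
    "All-permit": all_permit,
    "All-deny": all_deny,
}

def read_algorithm(policy_xml: str) -> str:
    """Read the sbacl-combination tag from the root element of the policy."""
    return ET.fromstring(policy_xml.strip()).get("sbacl-combination", "")

def combine(algorithm: str, decisions: Iterable[str]) -> str:
    """Integrate per-object decisions into the final decision (step 39 for
    a multi-object request).  Rejects empty or malformed inputs rather than
    silently permitting them."""
    decisions = list(decisions)
    if not decisions:
        raise ValueError("no per-object decisions to combine")
    bad = [d for d in decisions if d not in ("permit", "deny")]
    if bad:
        raise ValueError(f"unexpected decision values: {bad}")
    if algorithm not in COMBINERS:
        raise ValueError(f"unknown sbacl-combination value: {algorithm!r}")
    return COMBINERS[algorithm](decisions)

def final_decision(policy_xml: str, per_object: Dict[str, str]) -> Tuple[str, str]:
    """Decision module: pick the algorithm from the policy root, then combine."""
    algorithm = read_algorithm(policy_xml)
    return algorithm, combine(algorithm, per_object.values())

# Constructed per-object decisions in the shape of table 9C: with rights
# "g-", "g-" and "--" and a get-config request, the first two objects are
# permitted and the third is denied.
TABLE_9C = {"AAA": "permit", "AA/BB": "permit", "ABC/DDD": "deny"}

def table_9d(per_object: Dict[str, str] = TABLE_9C) -> Dict[str, str]:
    """Final decision under each algorithm, as in table 9D."""
    return {name: combine(name, per_object.values()) for name in COMBINERS}

if __name__ == "__main__":
    for name, result in table_9d().items():
        print(f"{name:17s} -> {result}")
    policy = '<netconf sbacl-combination="Deny-overrides"/>'   # constructed root
    print(final_decision(policy, TABLE_9C))  # ('Deny-overrides', 'deny')
```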
Fig. 4A is a schematic structural diagram of an access control server provided in an embodiment of the present invention. As shown in Fig. 4A, the present embodiment includes an extraction module 41, a search module 42, a matching module 43 and a decision module 44.
Extraction module 41 is configured for the access control server to parse the received access request and extract the subject, object and request operation in the access request.
Search module 42 is configured to search for the object of the access request in the access control policy file and, according to the access control label of the object found, determine the operating right of the subject in the access request to the object in the access request. The access control policy file is a model tree XML document generated from an XML Schema document; the elements of the model tree XML document are the objects of access control, and the access control label of an element of the model tree XML document defines the subjects allowed to access the object and the operating rights of those subjects to the object.
Matching module 43 is configured for the access control server to match the request operation in the access request with the operating right found for the subject in the access request.
Decision module 44 is configured to determine an access decision according to the matching result and return an access response containing the access decision.
The functions implemented by the above modules are described in the embodiment corresponding to Fig. 1 and are not repeated here. As shown in Fig. 4B, the access control server provided by another embodiment of the present invention may further include, on the basis of Fig. 4A, a model tree generation module 45 and a strategy file generation module 46.
Model tree generation module 45 is configured to convert the XML Schema document of the network configuration protocol into a model tree XML document containing the element structure relationships of the XML Schema document.
Strategy file generation module 46 is configured to define, in the access control labels of the elements of the model tree XML document, the subjects allowed to access the object and the operating rights of those subjects to the object.
The functions implemented by the above modules are described in the embodiment corresponding to Fig. 2 and are not repeated here. The access control server provided by the present embodiment converts the XML Schema document storing the network configuration protocol into a model tree XML document, defines the objects of access control by the elements of the model tree XML document, and defines the operating rights of different subjects to the object by the access control labels of the elements, thereby establishing an access strategy file for the network configuration protocol. Because the access strategy file is based on the model tree XML document, which is a short and concise XML document, searching for the object of access control in the model tree XML document using the object extracted from the access request can be more efficient than searching for the object in an access strategy file based on the original XML documents. After the object of the access request is found, the operating right of the subject in the access request to the object can be obtained quickly from the definitions in the access control label of the object. Therefore, the time the access control server takes to process an access request is shorter and the resources consumed are fewer.
Fig. 5 is a schematic structural diagram of the search module in Fig. 4A or Fig. 4B. As shown in Fig. 5, search module 42 includes a search unit 421, a judging unit 422 and a first determining unit 423.
Search unit 421 is configured to search for the element corresponding to the object of the access request in the access control policy file.
Judging unit 422 is configured to judge whether the access control label of the object found explicitly defines the operating right of the subject in the access request.
First determining unit 423 is configured, if the operating right of the subject is explicitly defined, to determine the explicitly defined operating right as the operating right of the subject to the object.
As shown in Fig. 5, search module 42 further includes a second determining unit 424.
Second determining unit 424 is configured, if the operating right of the subject is not explicitly defined, to trace upward to the nearest ancestor object of the object that defines the operating right of the subject, and to determine the operating right of the subject to that nearest ancestor object as the operating right of the subject to the object.
Fig. 6 is a schematic structural diagram of the matching module in Fig. 4A or Fig. 4B. As shown in Fig. 6, matching module 43 includes an authority judging unit 431, a third determining unit 432 and a fourth determining unit 433.
Authority judging unit 431 is configured to judge whether the authority corresponding to the request operation of the access request is within the range of the operating right found for the subject.
Third determining unit 432 is configured, if it is within the range, to determine that the request operation of the access request matches the operating right found for the subject.
Fourth determining unit 433 is configured, if it is not within the range, to determine that the request operation of the access request does not match the operating right found for the subject.
In the present embodiment, after the object in the access request is found in the access strategy file, the operating right explicitly defined by the object for the subject in the access request is searched for first. If the object does not explicitly define an operating right for that subject, the nearest ancestor object of the object that defines an operating right for the subject is traced upward in turn, and the operating right found is used as the operating right of the subject; if none is found, it is determined that the subject is denied access to the object.
Fig. 7 is a schematic structural diagram of the decision module in Fig. 4A or Fig. 4B. As shown in Fig. 7, decision module 44 includes a combination algorithm determining unit 441 and a decision unit 442.
Combination algorithm determining unit 441 is configured, when the access request contains multiple objects, to determine the authorization decision combination algorithm according to the authorization decision combination tag of the root element in the access control policy file.
Decision unit 442 is configured to integrate the matching results of all objects according to the authorization decision combination algorithm, determine the final access decision, and return an access response containing the final access decision.
The functions implemented by the above modules are described in the embodiment corresponding to Fig. 3 and are not repeated here. There may be multiple objects in an access request; an access decision can be made for each object, and the access decisions made for the individual objects can also be integrated to make the final access decision.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware related to program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (12)

    1. An access control method, characterized by comprising:
    parsing, by an access control server, a received access request and extracting the subject, object and request operation in the access request;
    searching for the object of the access request in an access control policy file and, according to the access control label of the object found, determining the operating right of the subject in the access request to the object in the access request, wherein the access control policy file is a model tree XML document generated from an Extensible Markup Language (XML) Schema document, the elements of the model tree XML document are the objects of access control, and the access control label of an element of the model tree XML document defines the subjects allowed to access the object and the operating rights of those subjects to the object;
    matching, by the access control server, the request operation in the access request with the operating right found for the subject in the access request, determining an access decision according to the matching result, and returning an access response containing the access decision.
    2. The method according to claim 1, characterized in that searching for the object of the access request in the access control policy file and, according to the access control label of the object found, determining the operating right of the subject in the access request to the object in the access request comprises: searching for the element corresponding to the object of the access request in the access control policy file; judging whether the access control label of the object found explicitly defines the operating right of the subject in the access request;
    and, if the operating right of the subject is explicitly defined, using the explicitly defined operating right as the operating right of the subject to the object.
    3. The method according to claim 2, characterized in that, after judging whether the access control label of the object found explicitly defines the operating right of the subject of the access request, the method further comprises:
    if the operating right of the subject is not explicitly defined, tracing upward to the nearest ancestor object of the object that defines the operating right of the subject, and determining the operating right of the subject to that nearest ancestor object as the operating right of the subject to the object.
    4. The method according to claim 2 or 3, characterized in that matching the request operation of the access request with the operating right found for the subject in the access request comprises:
    judging whether the authority corresponding to the request operation of the access request is within the range of the operating right found for the subject;
    if it is within the range, determining that the request operation of the access request matches the operating right found for the subject;
    if it is not within the range, determining that the request operation of the access request does not match the operating right found for the subject.
    5. The method according to claim 4, characterized in that, when the access request contains multiple objects, determining the access decision according to the matching result and returning the access response containing the access decision comprises:
    determining the authorization decision combination algorithm according to the authorization decision combination tag of the root element in the access control policy file;
    integrating the matching results of all objects according to the authorization decision combination algorithm, determining the final access decision, and returning an access response containing the final access decision.
    6. The method according to claim 4, 5 or 6, characterized in that, before parsing the received access request, the method further comprises:
    converting the XML Schema document of the network configuration protocol into a model tree XML document containing the element structure relationships of the XML Schema document;
    defining, in the access control labels of the elements of the model tree XML document, the subjects allowed to access the object and the operating rights of those subjects to the object.
    7. An access control server, characterized by comprising:
    an extraction module, configured for the access control server to parse the received access request and extract the subject, object and request operation in the access request;
    a search module, configured to search for the object of the access request in an access control policy file and, according to the access control label of the object found, determine the operating right of the subject in the access request to the object in the access request, wherein the access control policy file is a model tree XML document generated from an Extensible Markup Language (XML) Schema document, the elements of the model tree XML document are the objects of access control, and the access control label of an element of the model tree XML document defines the subjects allowed to access the object and the operating rights of those subjects to the object;
    a matching module, configured for the access control server to match the request operation in the access request with the operating right found for the subject in the access request;
    a decision module, configured to determine an access decision according to the matching result and return an access response containing the access decision.
    8. The access control server according to claim 7, characterized in that the search module comprises:
    a search unit, configured to search for the element corresponding to the object of the access request in the access control policy file;
    a judging unit, configured to judge whether the access control label of the object found explicitly defines the operating right of the subject in the access request;
    a first determining unit, configured, if the operating right of the subject is explicitly defined, to determine the explicitly defined operating right as the operating right of the subject to the object.
    9. The access control server according to claim 8, characterized in that the search module further comprises:
    a second determining unit, configured, if the operating right of the subject is not explicitly defined, to trace upward to the nearest ancestor object of the object that defines the operating right of the subject, and to determine the operating right of the subject to that nearest ancestor object as the operating right of the subject to the object.
    10. The access control server according to claim 7, 8 or 9, characterized in that the matching module further comprises:
    an authority judging unit, configured to judge whether the authority corresponding to the request operation of the access request is within the range of the operating right found for the subject;
    a third determining unit, configured, if it is within the range, to determine that the request operation of the access request matches the operating right found for the subject;
    a fourth determining unit, configured, if it is not within the range, to determine that the request operation of the access request does not match the operating right found for the subject.
    11. The access control server according to claim 8, characterized in that the decision module comprises:
    a combination algorithm determining unit, configured, when the access request contains multiple objects, to determine the authorization decision combination algorithm according to the authorization decision combination tag of the root element in the access control policy file;
    a decision unit, configured to integrate the matching results of all objects according to the authorization decision combination algorithm, determine the final access decision, and return an access response containing the final access decision.
    12. The access control server according to any one of claims 7 to 11, characterized by further comprising:
    a model tree generation module, configured to convert the XML Schema document of the network configuration protocol into a model tree XML document containing the element structure relationships of the XML Schema document;
    a strategy file generation module, configured to define, in the access control labels of the elements of the model tree XML document, the subjects allowed to access the object and the operating rights of those subjects to the object.
CN201180001236.1A 2011-07-25 2011-07-25 Access control method and access control server Expired - Fee Related CN103004135B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2011/001219 WO2012159231A1 (en) 2011-07-25 2011-07-25 Access control method and access control server

Publications (2)

Publication Number Publication Date
CN103004135A true CN103004135A (en) 2013-03-27
CN103004135B CN103004135B (en) 2015-04-29

Family

ID=47216502

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201180001236.1A Expired - Fee Related CN103004135B (en) 2011-07-25 2011-07-25 Access control method and access control server

Country Status (2)

Country Link
CN (1) CN103004135B (en)
WO (1) WO2012159231A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109902497A (en) * 2019-02-26 2019-06-18 南威软件股份有限公司 A kind of access authority management method and system towards big data cluster
CN112307486A (en) * 2019-07-29 2021-02-02 华为技术有限公司 Authority obtaining method, equipment and system
CN114553750A (en) * 2022-02-24 2022-05-27 杭州迪普科技股份有限公司 Automatic testing method and device based on network configuration protocol
CN115065529A (en) * 2022-06-13 2022-09-16 北京寰宇天穹信息技术有限公司 Access control method based on credible label fusing host and object key information

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104424335A (en) * 2013-09-11 2015-03-18 方正信息产业控股有限公司 Method and device for access control of XML (eXtensible Markup Language) documents
CN111628975B (en) * 2020-05-12 2023-06-27 中国人民银行清算总中心 Method and device for assembling XML message
CN111831992A (en) * 2020-06-29 2020-10-27 万翼科技有限公司 Platform authority management method, electronic equipment and related products

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060288021A1 (en) * 2005-06-20 2006-12-21 Junichi Kojima Information processor, schema definition method and program
CN101582881A (en) * 2008-05-14 2009-11-18 华为技术有限公司 Method and device for controlling access
CN101794312A (en) * 2010-03-08 2010-08-04 上海交通大学 XML (Extensive Makeup Language) access control method based on security view
CN101976249A (en) * 2010-10-12 2011-02-16 中国科学院软件研究所 Access control method for spatial database

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101727545A (en) * 2008-10-10 2010-06-09 中国科学院研究生院 Method for implementing mandatory access control mechanism of security operating system
CN101452397B (en) * 2008-11-27 2012-08-22 上海交通大学 Forced access control method and apparatus in virtual environment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060288021A1 (en) * 2005-06-20 2006-12-21 Junichi Kojima Information processor, schema definition method and program
CN101582881A (en) * 2008-05-14 2009-11-18 华为技术有限公司 Method and device for controlling access
CN101794312A (en) * 2010-03-08 2010-08-04 上海交通大学 XML (Extensive Makeup Language) access control method based on security view
CN101976249A (en) * 2010-10-12 2011-02-16 中国科学院软件研究所 Access control method for spatial database

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109902497A (en) * 2019-02-26 2019-06-18 南威软件股份有限公司 A kind of access authority management method and system towards big data cluster
CN112307486A (en) * 2019-07-29 2021-02-02 华为技术有限公司 Authority obtaining method, equipment and system
CN114553750A (en) * 2022-02-24 2022-05-27 杭州迪普科技股份有限公司 Automatic testing method and device based on network configuration protocol
CN114553750B (en) * 2022-02-24 2023-09-22 杭州迪普科技股份有限公司 Automatic test method and device based on network configuration protocol
CN115065529A (en) * 2022-06-13 2022-09-16 北京寰宇天穹信息技术有限公司 Access control method based on credible label fusing host and object key information
CN115065529B (en) * 2022-06-13 2023-11-03 北京寰宇天穹信息技术有限公司 Access control method based on trusted tag fusing key information of host and guest

Also Published As

Publication number Publication date
WO2012159231A1 (en) 2012-11-29
CN103004135B (en) 2015-04-29

Similar Documents

Publication Publication Date Title
CN110958131B (en) GraphQL-based queries supported on a YANG configuration data model
US7599957B2 (en) System and method for high performance template driven metadata schema mapping and data storage for surveillance and sensor devices
CN103004135A (en) Access control method and access control server
US9430662B2 (en) Provisioning authorization claims using attribute-based access-control policies
US8924415B2 (en) Schema mapping and data transformation on the basis of a conceptual model
US7120869B2 (en) Enhanced mechanism for automatically generating a transformation document
US7305414B2 (en) Techniques for efficient integration of text searching with queries over XML data
EP3835968B1 (en) Creating data in a data store using a dynamic ontology
EP3172866B1 (en) System and method for metadata enhanced inventory management of a communications system
US7478100B2 (en) Method and mechanism for efficient storage and query of XML documents based on paths
US7103611B2 (en) Techniques for retaining hierarchical information in mapping between XML documents and relational data
US20110161375A1 (en) Systems, methods and articles for template based generation of markup documents to access back office systems
KR20030048423A (en) A universal output constructor for xml queries
US20080120327A1 (en) Method and system for transforming metadata modeled in the common information model into grid control target metadata
WO2016107397A9 (en) System and method for model-based search and retrieval of networked data
US20140075285A1 (en) Metadata Reuse For Validation Against Decentralized Schemas
US7159171B2 (en) Structured document management system, structured document management method, search device and search method
AU2007275507C1 (en) Semantic aware processing of XML documents
US20110154184A1 (en) Event generation for xml schema components during xml processing in a streaming event model
CN109344306B (en) Method and system for customized online transaction and service of field multi-standard metadata
Barrett et al. A model based approach for policy tool generation and policy analysis
De Virgilio et al. Modeling heterogeneous context information in adaptive web based applications
US20030037031A1 (en) Mechanism for automatically generating a transformation document
CN102299812A (en) Access control method and network equipment
Wahid et al. XML semantic constraint validation for XML updates: A survey

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150429